Table of Contents
INTRODUCTION TO CYBER SECURITY
Objectives:-
1.1 DEFINITION OF CYBER SECURITY
1.2 LAYERED APPROACH TO CYBER SECURITY
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
PASSWORDS
Objective:-
2.1 DEFINITION OF PASSWORD
2.3 TYPES OF PASSWORD ATTACKS
2.4 NEED FOR STRONG PASSWORDS
2.5 USE OF SYSTEM PASSWORDS AND BIOS PASSWORDS
2.6 TYPES OF PASSWORDS
2.7 SETTING UP STRONG PASSWORDS
➢ Keep your passwords secret
CYBER CRIME
Objectives:-
3.1 DEFINITION OF CYBER CRIME
3.2 TYPES OF CYBER CRIMES
3.3 CATEGORIES OF CYBER CRIME
3.4 ONLINE BANKING
UNIT 4
Objectives:-
4.1 DEFINITION OF CYBER LAWS
4.2 EVOLUTION OF CYBER LAWS IN INDIA
4.3 JURISDICTION OF IT-ACT
4.4 PENALTIES UNDER IT-ACT
4.5 IMPORTANT SECTIONS OF IT-ACT
WEB BROWSER SECURITY
Objectives:-
5.2 SECURITY FEATURES OF DIFFERENT BROWSERS
CYBER SECURITY BOOK
UNIT 1
INTRODUCTION TO CYBER SECURITY
Objectives:-
1.1 Definition of Cyber Security
1.2 Layered Approach to Cyber Security
1.1 DEFINITION OF CYBER SECURITY
Cyberspace is an interactive domain made up of digital networks that is used to store, modify and
communicate information. It includes the internet, but also the other information systems that
support our businesses, infrastructure and services [1].
The objective of cyber security is the protection of sensitive and valuable information and services
from unauthorized access, hacking or natural disaster, while keeping them accessible and
productive to their intended users and maintaining Confidentiality, Integrity and Availability (CIA).
Cyber security is the process of preventing and detecting unauthorized use of your computer and
network. Preventive measures help you put up barriers that stop unauthorized users, also known as
"intruders", from accessing any part of your computer system. Detection helps you determine
whether or not someone attempted to break into your system, whether they were successful, what
they may have done, and what further safeguards are needed.
[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/73128/12-1120-10-steps-to-cybersecurity-executive.pdf
[2] https://www.google.co.in/search?q=cyber+security+images-cyber-security-month.html%3B1297%3B1480
In today's highly digitalized world, almost everyone is affected by computers and technology.
We use computers for everything from banking and investing to shopping and communicating
with others through email or chat programs. Although you may not consider your communications
top secret, you probably do not want strangers reading your email, using your computer to attack
other systems, sending forged email from your computer, or examining personal information stored
on your computer such as financial statements.
Computer crime can be defined as any unlawful activity where "cyberspace" is used as a tool,
a target, or both.
The term cyberspace today signifies everything related or connected to computers: desktops, laptops,
PDAs, cell phones, smart phones, the internet, networks, data, electronic communication,
software, hardware, data storage devices (like hard disks, pen drives, CD-ROMs), ATM machines,
data servers, and even cloud servers.
The cyber world is vulnerable because of a lack of user awareness: victims are usually inexperienced,
unskilled users, while the attackers may be business rivals or professional hackers. Intruders, also
referred to as hackers, attackers, or crackers, may not care about your identity. Often they want to
gain control of your computer so they can use it to launch attacks on other computer systems.
Having control of your computer gives them the ability to hide their true location as they launch
attacks, often against high-profile computer systems such as government or financial systems. Even
if you have a computer connected to the Internet only to play the latest games or to send email to
friends and family, your computer may be a target. Intruders may be able to watch all your actions
on the computer, or cause damage to your computer by reformatting your hard drive or changing
your data.
Intruders are always discovering new vulnerabilities, informally called "security loopholes", to
exploit in computer software. The complexity of software makes it increasingly difficult to
thoroughly test the security of computer systems. When loopholes are discovered, computer
vendors will usually develop patches to address the problem. However, it is up to you, the users,
to obtain and install the patches, or to correctly configure the IT infrastructure and software to
operate more securely.
Application and OS developers always keep backdoors for themselves to make necessary changes
through patches and hot fixes for the bugs found. Hence it is the user's responsibility to customize
the security settings according to the nature of their business or the confidentiality required.
Examples include chat programs that let outsiders execute commands on your computer, or web
browsers that could allow someone to place harmful programs on your computer that run when
you click on them.
It seems that everything relies on computers and the Internet now: communication (email,
cell phones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane
navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the
list goes on. How much of your daily life relies on computers? How much of your personal
information is stored either on your own computer or on someone else's system? Cyber security
involves protecting that information by preventing, detecting, and responding to attacks.
1.2 LAYERED APPROACH TO CYBER SECURITY
(1) Perimeter
(2) Network
(3) Host
(4) Application
(5) Data
Perimeter
▪ Firewall
▪ Network-based anti-virus
▪ VPN encryption
▪ Hardware Component
▪ OS Security
▪ Host IDS
▪ Host vulnerability assessment (VA)
▪ Network access control
▪ Anti-virus
▪ Access control/user authentication
Data
▪ Encryption
▪ Access control/user authentication
➢ PERIMETER
The perimeter is the first line of defense from outside, untrusted networks. Untrusted networks allow
data to be transferred transparently. The machines on a trusted network are usually administered
by an administrator to ensure that private and secured data is not leaked, and access to this network is
limited. Computers on trusted networks are more secure and confidential because of strong
firewalls. The perimeter acts as the first and last point of contact for the security defenses protecting the
network. It is the area where your network ends and the Internet begins. The perimeter consists of one
or more firewalls and a set of strictly controlled servers located in a portion of the perimeter referred
to as the Demilitarized Zone (DMZ).
Demilitarized Zone (DMZ): typically contains web servers, email gateways, network antivirus,
and DNS servers that must be exposed to the Internet. The firewall has strict rules about what can enter
the inside network, as well as rules about how servers in the DMZ can interact with the Internet and
the inside network.
The network perimeter, in short, is your gateway to the internet. A compromised network perimeter
can cripple your ability to conduct business. For example, if your organization relies on your web
servers for revenue generation and those servers have been hacked and are off-line, you lose money
for every minute they are down.
➢ NETWORK
The network level of the layered-security model refers to your internal LAN and WAN. Your internal
network may include desktops and servers. Most networks today are fairly open behind the
perimeter; once inside, an intruder can travel across the network unimpeded. This is especially true for
most small to medium size organizations, which makes them tempting targets for cyber criminals.
➢ HOST
In the layered-security model, the host level pertains to the individual devices, such as servers,
desktops, switches, routers, etc., on the network. Each device has a number of configurable
parameters that, when set inappropriately, can create exploitable security holes. These parameters
include registry settings, services (applications) operating on the device or patches to the operating
system or important applications. The host-based technologies provide excellent protection
because they are configured to meet the specific operational characteristics of a single device. Their
accuracy and responsiveness to the host environment allow administrators to quickly identify
which device settings require updating to ensure secure operation.
➢ APPLICATION
At the application level, secure development of applications is of great importance. Poorly
developed applications can provide easy access to confidential data and records, resulting in a
breach of Confidentiality, Integrity and Availability (CIA). Most of the time, security is not on
the agenda during the requirement-gathering phase of software development. Due to this lack of
knowledge of secure development, applications are poorly developed and contain various vulnerabilities.
Especially in the case of web-based applications, which are placed on the Web for access by
customers, partners or even remote employees, it is important to impose a comprehensive security
strategy for each web-based application, as such security is mandated by the applicable compliance
regimes, such as the Data Privacy Act, PCI DSS etc.
➢ DATA
Under a data classification policy, any data which is accepted as input, processed, given as output or
even stored must be classified. Compliance regimes like the Data Protection Act and/or Data Privacy Act
and the PCI DSS standard mandate this classification. Hence, at policy level, data classification shall be
defined, and the organization has to define the sensitivity of its data.
Depending upon the classification level, access shall be assigned on a role-based basis, or a dual
authentication mechanism shall be applied. If the data is classified as highly sensitive or comes under
any kind of regulatory compliance or standard, it shall be encrypted with an appropriate level of
encryption.
UNIT 2
PASSWORDS
Objective:-
2.1 Definition of password
2.2 Password storing methods
2.3 Types of passwords attacks
2.4 Need for strong password
2.5 Usage of system password and BIOS password
2.6 Types of passwords
2.7 Setting up strong passwords
2.1 DEFINITION OF PASSWORD
A password is a secret word or string of characters, numbers, special characters etc. that is used for
authentication, to prove identity or gain access to a resource. It is a secret combination of
characters, numbers and special characters that enables a user to access a file, computer, or program.
A password is used to identify the user and authenticate them to process the desired input. Passwords
help to ensure that unauthorized users do not access the computer, computer network or
computer resource. In addition, data files and programs may require a password.
2.2 PASSWORD STORING METHODS
are stored using NTLMv2, but they can support all types of authentication protocols like LM,
NTLM, NTLMv2 and Kerberos.
The System Accounts Manager (SAM file) is saved as a registry file in Windows and stores passwords
in hashed format. Since a hash is generated through a one-way function, this provides
some level of security for storing passwords.
In Linux, passwords are stored in encrypted format in the file called /etc/passwd.
• Hybrid Attack:
An attacker uses the combination of the previous two methods or any other. Hybrid Attack also
involves pre-computed rainbow tables which increase the speed of cracking password. These
rainbow tables are generated by using all the character sets, which also increases the success rate.
2.4 NEED FOR STRONG PASSWORDS
In order to protect your data, it is important to have a strong and complete password policy
in effect. Passwords are the front line of protection for user accounts; it has been proven that computer
hackers are able to guess or gather passwords to accounts, which can enable them to compromise
most systems.
▪ Users should change the default password allotted by the administrator on their first
log-in.
▪ The password should be alphanumeric: a combination of upper and lower case letters,
special characters and numbers (0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
▪ The complexity of the password should vary with the level of information that it is used
to protect.
▪ The length of the password should be a minimum of eight (8) characters. It should not be any
word from the dictionary or formed in any known pattern like a1b2 etc.
▪ The password should be changed every 30 days.
▪ The password should not be disclosed to any other person, whether over the phone, by mail or
through any other medium.
▪ The "remember password" feature present in applications and browsers should not be
used.
▪ As good practice, passwords for official mail accounts and non-official personal
accounts should be different.
Hence users can enhance the security of hosts, networks, and data by setting strong password policies.
Improve the security of your computer by creating strong passwords, reducing your risk from
online predators and email hoaxes. A strong password is important protection while doing online
transactions.
Your passwords are the keys you use to access personal information that you've stored on your
computer and in your online accounts. If criminals or other malicious users steal a password of
yours, they can use your name to open new credit card accounts, apply for a mortgage, or pose as
you in online transactions by using your identity through your password. In many cases you may
not notice these attacks until it is too late. It is not hard to keep a strong password. Strong
passwords help protect your personal information from reaching wrongdoers, whether by access or by
disclosure. Other pieces of the puzzle are general user education, good physical security,
plugging network holes, and installing strong firewalls. These provide much more global
protection in the controlled corporate environment than passwords alone, but in areas where the
only method of control users have is a PIN or password, the best thing we can do is be aware of
security risks and keep up with password controls.
2.5 USE OF SYSTEM PASSWORDS AND BIOS PASSWORDS
servers, accessing files, databases, networks, web sites, and even reading the morning newspaper
online.
2. System Password
BIOS is an acronym for basic input/output system. The computer's BIOS is the first program that
runs when the computer starts. You can tell the BIOS to ask for a password when it starts, thus
restricting access to your computer.
The BIOS is also called the Complementary Metal Oxide Semiconductor (CMOS) setup. When the PC is
powering up it immediately initiates execution of the BIOS utility. For most systems, this is entered
by pressing the DEL key on the keyboard within the first 2 - 10 seconds of turning the computer on.
Other systems might use other keys such as F2, F10, CTRL & ENTER, etc. If you don't know the
keystroke sequence for entering the BIOS utility, watch the monitor to see if the computer displays
it. To clear the BIOS settings, look for an option to "Restore Defaults" or "Load FailSafe Defaults".
This may be on the main page of the BIOS utility or on the last page of a tabbed menu. Use the
arrow keys to navigate, and follow the on-screen instructions. When complete, save the settings
and exit the BIOS utility.
When you press DEL at the right time you'll see the BIOS setup menu screen.
The setup menu has two options that relate to passwords, Supervisor Password
and User Password; these control access to the BIOS Setup program and to the machine
boot respectively.
Select USER PASSWORD and you'll be prompted to enter a password. Now enter a
password of up to eight characters; most BIOSes are unfortunately limited to eight characters.
The BIOS will then prompt you to confirm the password; just type the same again.
Now navigate back to the main menu and select SAVE & EXIT SETUP. Your machine will then
reboot and you'll be prompted to enter your password. Each and every time you boot you'll be
asked for the password.
If you forget your BIOS password, refer back to your motherboard manual or if you don't have
one, refer back to the website of the BIOS manufacturer.
System passwords:
These are the passwords assigned to users on a single machine or a domain.
Different users can have different permissions on the same objects, depending upon the role they
play in the organization. Permissions may be granted to a single user or to a group of users.
Step 1: Click the Windows 7 Start button, and then click the User Icon in the top right corner of
the Start menu.
Step 2: You will be brought to the User Accounts panel; click the Manage another account
button to access the User Accounts control settings.
Step 3: This screen shows all the accounts currently on your computer. To create a new
account, click the Create a new account button.
Step 4: You are now at the Create New Account screen. Enter the name of the new
account you would like to use in the new account name box. There are two types of Windows
user accounts, and each provides the user with a different level of control over the computer, so
you need to decide which type of account you would like to use.
Step 5: Your new account has been created and it will appear on the Manage Accounts screen.
The next step is to create a password for the account.
The administrator password, as the name suggests, is assigned to the administrator of the machine, who
has all the powers to make changes on the machine and the privilege to assign different rights to
different users.
Note: setting the user and administrator passwords is shown in the screenshots above.
2.7 SETTING UP STRONG PASSWORDS
(i) Make it lengthy: Each character that you add to your password increases the password's
strength. Passwords should be a minimum of 8 characters in length; 14 characters or longer is
ideal.
(ii) Use a passphrase: A pass phrase is often easier to remember than a simple password, as
well as longer and harder to guess.
(iii) Construct a strong password: Combine letters, numbers, and symbols. The more varied the
characters in your password, the harder it is to guess. Other important specifics
include:
• The fewer types of characters in your password, the longer it must be. A 15-character
password composed only of random letters and numbers is about 33,000 times stronger
than an 8-character password composed of characters from the entire keyboard. If you
cannot create a password that contains symbols, you need to make it considerably longer
to get the same degree of protection. An ideal password combines both length and different
types of symbols.
• Use the entire keyboard, not just the most common characters. Symbols typed by holding
down the "Shift" key and typing a number are very common in passwords. Your password
will be stronger if you choose from all the symbols on the keyboard, including punctuation
marks not on the upper row of the keyboard, and any symbols unique to your language.
• Use words and phrases that are easy for you to remember, but difficult for others to guess.
The easiest way to remember your passwords and pass phrases is to write them down.
Contrary to popular belief, there is nothing wrong with writing passwords down, but they
need to be adequately protected in order to remain secure and effective.
(iv) Avoid any part of your full name, birthday, car number plate, or similar information.
This is one of the first things criminals will try.
(v) Avoid dictionary words in any language. Criminals use sophisticated tools that can
rapidly guess passwords that are based on words in multiple dictionaries, including words
spelled backwards, common misspellings, and substitutions. This includes all sorts of
profanity and any word you would not say in front of your children.
(vi) Do not use the same password for multiple applications, as in a single sign-on. If
any one of the computers or online systems using this password is compromised, all of
your other information protected by that password should be considered compromised as
well. It is critical to use different passwords for different systems.
(vii) Be careful where you store the passwords that you record or write down. Do not leave
these records of your passwords anywhere that you would not leave the information that
they protect.
(viii) Never provide your password over e-mail or based on an e-mail request. Any e-mail
that requests your password or requests you to go to a web site to verify your password is
a fraud. This includes requests from a trusted company or individual. E-mail can be
intercepted in transit, and e-mail that requests information might not be from the sender it
claims. Internet "phishing" scams use fraudulent e-mail messages to entice you into
revealing your user names and passwords, steal your identity, and more.
(ix) Change your passwords regularly at appropriate intervals. This can help keep criminals
and other malicious users unaware of password change frequency and increase
complexity. The strength of your password will help keep it good for a longer time. A
password that is shorter than 8 characters should be considered only good for a week
or so, while a password that is 14 characters or longer can be good for several years.
(x) Do not log in on unknown devices or on computers that you do not control.
Computers such as those in Internet cafes, computer labs, shared systems, kiosk
systems, conferences, and airport lounges should be considered unsafe for any personal
use other than anonymous Internet browsing. Do not use these computers to check
online e-mail, chat rooms, bank balances, business mail, or any other account that
requires a user name and password. Criminals can purchase keystroke logging devices
cheaply, and they take only a few moments to install. These devices let
malicious users harvest all the information typed on a computer from across the
Internet; your passwords and pass phrases are worth as much as the information that
they protect.
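A checker that applies the policy rules listed in 2.4 (minimum length, character classes, no dictionary words, no patterns like a1b2) together with the construction guidance in 2.7 (no personal information, no reversed or substituted dictionary words, more character types for the same length), as an added worked example that is not from the book. The dictionary word list, the substitution table and the sample candidates are constructed for the example; the entropy estimate is the simple len × log2(pool) formula, an upper bound that only a randomly generated password actually attains.

```python
import math
import re
import string

# Constructed stand-in for a dictionary file; a real check would load a full
# word list such as /usr/share/dict/words (assumption of this example).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "admin", "monkey", "dragon", "qwerty"}

# Common letter/symbol substitutions that attackers also try (the "substitutions" in 2.7).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

SPECIALS = set(string.punctuation)   # 32 characters
MIN_LENGTH = 8                        # policy in 2.4

def character_classes(pw):
    """Which of the four required classes (upper, lower, digit, special) pw uses."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }

def alphabet_size(pw):
    """Size of the character pool implied by the classes pw actually uses."""
    used = character_classes(pw)
    sizes = {"upper": 26, "lower": 26, "digit": 10, "special": len(SPECIALS)}
    return sum(size for name, size in sizes.items() if used[name])

def entropy_bits(pw):
    """len * log2(pool): the length/variety trade-off of 2.7 in one number.
    Each extra character adds log2(pool) bits; a bigger pool adds a little per character."""
    pool = alphabet_size(pw)
    return 0.0 if pool == 0 else len(pw) * math.log2(pool)

def contains_dictionary_word(pw):
    """Dictionary check that also catches reversed words and leet substitutions."""
    lower = pw.lower()
    forms = {lower, lower.translate(LEET), lower[::-1]}
    return any(word in form for word in DICTIONARY_WORDS for form in forms)

def is_known_pattern(pw):
    """Trivial patterns the policy names, e.g. letter/digit alternation such as a1b2c3."""
    lower = pw.lower()
    if re.fullmatch(r"(?:[a-z]\d)+[a-z]?", lower):
        return True
    # Runs lifted straight from the alphabet or the digit sequence (abcdefgh, 12345678).
    return len(lower) >= 4 and (lower in string.ascii_lowercase or lower in string.digits)

def check_password(pw, personal_info=()):
    """Return the list of policy violations; an empty list means pw passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (plain, reversed or with substitutions)")
    if is_known_pattern(pw):
        problems.append("follows a known pattern")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems

if __name__ == "__main__":
    # Constructed candidates; "Rahul" and "1990" stand in for a user's name and birth year.
    for candidate in ["Passw0rd!", "a1b2c3d4", "Rahul@1990", "Tr7#kPz!vQ2m&Lw9"]:
        verdict = check_password(candidate, personal_info=("Rahul", "1990"))
        print(f"{candidate:20} {entropy_bits(candidate):6.1f} bits  {verdict or 'OK'}")
```

The personal-information list is supplied by the caller because only the system that holds the user's profile knows which names and dates to screen for; the dictionary check deliberately looks for words anywhere inside the candidate, not just as the whole password.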
UNIT 3
CYBER CRIME
Objectives:-
3.1 Definition of Cyber Crime.
3.2 Types of Cyber Crimes
3.3 Categories of Cyber Crime
3.4 Online Banking
3.1 DEFINITION OF CYBER CRIME
"In a nutshell, we are shocked by cybercrime, but also expect to be shocked by it because we expect
it to be there, but - confusingly - we appear to be shocked if we are not shocked (if we don't find
it)!" David S. Wall [1]
Cybercrime is defined as a crime in which a computer is the subject or object of the crime (hacking,
phishing, spamming) or is used as a tool or target to commit an offence. Cybercriminals may use
computer technology to access personal information or business trade secrets, or use the Internet for
exploitive or malicious purposes. Criminals can also use computers for communication and
document or data storage. Criminals who perform these illegal activities are often referred to as
hackers.
A Denial of Service (DoS) attack is a cybercrime which can also be called a Computer Network
Attack (CNA): an attack from one computer on another, using a network, deliberately to alter,
disrupt, deny, degrade, or destroy the data hosted in the attacked system or network. It is done by
producing malicious code which is directed against a computer's processing code or logic. These
attacks are made in a way that steals the relevant information without leaving behind any traces of
intrusion [2].
Common types of cybercrime include identity theft, social engineering, online bank information
theft, use of automated scripts to launch denial of service attacks, and unauthorized computer access.
More serious crimes like cyber terrorism, crimes against women etc. are also of significant concern.
[1] http://theindianschool.in
[2] http://cybercrimeindia.org/cyber_attack.php
3.2 TYPES OF CYBER CRIMES
A. Passive Online Attack: Passive attacks basically mean that the attacker is eavesdropping: the
attacker listens in on the communication. Some examples are given below:
(i) Wire Sniffing: - Attackers run packet sniffer tools on the local area network (LAN) to sniff
and record the raw network traffic. The captured data may include sensitive information
such as passwords and emails. Sniffed credentials are used to gain unauthorized access to
the target system.
(ii) Man-In-The-Middle: - In a MITM attack, the attacker acquires access to the
communication channel between victim and server to extract the information.
B. Active Online Attack: An active attack is one in which the attacker attempts to break
into the system. Some examples are given below:
(i) Password Guessing: - The attacker takes a set of dictionary words and names, and tries all the
possible combinations to crack the password.
(ii) Trojan: - With the help of a Trojan, an attacker gets access to the stored passwords on the
attacked computer and is able to read personal documents, delete files and display
pictures.
(iii) Spyware: - Spyware is a type of malware that allows attackers to secretly gather
information about a person or organization.
(iv) Keylogger: - A keylogger is a program that runs in the background and allows remote
attackers to read every keystroke.
C. Offline Attack:
(i) Rainbow Attacks: - Convert huge word lists like dictionary files and brute force lists into
password hashes using techniques such as rainbow tables.
D. Non-Electronic Attacks:
(i) Shoulder Surfing: - In this attack, the attacker looks at either the user's keyboard or screen
while he/she is logging in.
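To show what the online password-guessing attack in B(i) looks like from the defender's side, here is an added example (not from the book) that runs a simple detection rule over constructed OpenSSH-style log lines: a source with five or more failed password attempts inside a minute is flagged, and a later success from that same source is flagged separately as a probable compromise rather than a mere attempt. The log lines, the IP addresses (reserved documentation ranges) and the thresholds are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log; not captured from
# any real host. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:00:04 gw sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:00:06 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar 10 08:00:09 gw sshd[2107]: Failed password for root from 203.0.113.7 port 51133 ssh2
Mar 10 08:00:11 gw sshd[2109]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar 10 08:15:30 gw sshd[2201]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Mar 10 08:15:44 gw sshd[2202]: Accepted password for alice from 198.51.100.20 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def _seconds(ts):
    """Syslog timestamps carry no year; seconds from a fixed epoch suffice for differences."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

def parse_auth_lines(text):
    """Return (seconds, result, user, ip) for every line that is a password auth event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((_seconds(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect_guessing(text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside window_seconds, and any
    success from a source that has reached the threshold within the window."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerted = set()                # sources already reported for guessing
    alerts = []
    for t, result, user, ip in parse_auth_lines(text):
        # Keep only failures still inside the sliding window ending at this event.
        recent = [f for f in failures[ip] if t - f <= window_seconds]
        if result == "Failed":
            recent.append(t)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "kind": "password_guessing",
                               "failures": len(recent), "last_user": user})
        else:
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts.append({"ip": ip, "kind": "success_after_guessing",
                               "failures": len(recent), "user": user})
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

A single failed login followed by a success (alice) produces nothing, which is the point of the threshold: the rule should fire on a burst, not on a mistyped password. The window matters as much as the count; the same five failures spread over an hour would not trip a one-minute window.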
Emails have fast emerged as the world's most preferred form of communication. Billions of
email messages traverse the globe daily. Like any other form of communication, email is also
misused by criminals. The ease, speed and relative anonymity of email have made it a powerful
tool for criminals. Email-related crimes include:
i. Email spoofing
ii. Sending malicious codes through email
iii. Email bombing
iv. Sending threatening emails
v. Defamatory emails
vi. Email frauds
(i) Email Spoofing: - A spoofed email is one that appears to originate from one source but has
actually emerged from another source. Email spoofing is usually done by falsifying the name and/or
email address of the originator of the email.
(ii) Sending Malicious Code through Email: - Email is often the fastest and easiest way to
propagate malicious code over the Internet. The Love Bug virus, for instance, reached
millions of computers within 36 hours of its release from the Philippines thanks to email.
Hackers often bind Trojans, viruses, worms and other computer contaminants with e-greeting
cards and then email them to people. Such contaminants can also be bound with software
that appears to be an anti-virus patch.
(iii) Email Bombing: - Email bombing refers to sending a large amount of emails to the victim
resulting in the victim's email account (in case of an individual) or servers (in case of a
company or an email service provider) crashing. A simple way of achieving this would be to
subscribe the victim's email address to a large number of mailing lists. Mailing lists are
special interest groups that share and exchange information on a common topic of interest
with one another via email. Mailing lists are very popular and can generate a lot of daily
email traffic - depending upon the mailing list. Some generate only a few messages per day
others generate hundreds. If a person has been unknowingly subscribed to hundreds of
mailing lists, his incoming email traffic will be too large and his service provider will
probably delete his account.
All that one has to do is compose a message, enter the email address of the victim multiple
times in the "To" field, and press the "Send" button many times. Writing the email address
25 times and pressing the "Send" button just 50 times (it will take less than a minute) will
send 1250 email messages to the victim! If a group of 10 people do this for an hour, the result
would be 750,000 emails! There are several scripts available to automate the process of email
bombing. These scripts send multiple emails from different email servers, which makes it
very difficult for the victim to protect himself.
(iv) Sending Threatening Messages Via Emails: - Email is a useful tool for technology-savvy criminals to hide their original identity. It becomes fairly easy for anyone with even a basic knowledge of computers to become a blackmailer by threatening someone via e-mail.
(v) Email Frauds: - Email spoofing is very often used to commit financial crimes. It becomes a simple thing not just to assume someone else's identity but also to hide one's own. The person committing the crime understands that there is very little chance of his actually being identified.
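The email bombing pattern described in item (iii) can be spotted on the receiving mail server by counting messages per recipient over a short window. This is an added example, not from these notes; the log format, the mail addresses and the traffic are constructed.

```python
"""Per-recipient burst detection for the email bombing scenario described above.

Added example, not from the notes. The log format (ISO timestamp, sender,
recipient per line) and all sample traffic are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line: str):
    """Parse one constructed mail-log line: '<ISO timestamp> <sender> <recipient>'."""
    ts, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), sender, rcpt


def peak_rates(lines, window=timedelta(seconds=60)):
    """For each recipient, return (peak message count seen in any sliding
    window, number of distinct senders in that peak window).

    A high count from many distinct senders is the mailing-list subscription
    pattern; a high count from one sender is the repeated-"Send" pattern.
    """
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender) inside window
    peaks = {}
    for ts, sender, rcpt in sorted(map(parse_line, lines)):
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:      # expire entries older than the window
            q.popleft()
        if len(q) > peaks.get(rcpt, (0, 0))[0]:
            peaks[rcpt] = (len(q), len({s for _, s in q}))
    return peaks


def flag_bombing(lines, threshold=50, window=timedelta(seconds=60)):
    """Recipients whose peak rate meets the threshold: candidates for
    throttling or an alert, rather than the account deletion the text warns of."""
    return sorted(r for r, (count, _) in peak_rates(lines, window).items()
                  if count >= threshold)


def constructed_log():
    """Build sample lines: one normal recipient and one bombed recipient."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    # alice: five messages spread over 40 minutes
    lines = [f"{(start + timedelta(minutes=10 * i)).isoformat()} friend@example.net alice@example.com"
             for i in range(5)]
    # victim: 80 messages, one per second, each from a different mailing list
    lines += [f"{(start + timedelta(seconds=i)).isoformat()} list-{i}@lists.example victim@example.com"
              for i in range(80)]
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print(peak_rates(log))          # victim peaks at 61 messages in 60 s
    print(flag_bombing(log))        # ['victim@example.com']
```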
(i) Desktop Forgery: - This is becoming increasingly common in the corporate world. With computer technology and desktop publishing programs, thieves copy official letterheads, documents, passports, birth certificates and cash receipts for personal gain.
(ii) Data Theft: - Data theft is a growing problem both outside and inside the network, with access to technology such as desktop computers, USB flash drives, iPods and even memory cards used in digital cameras. Some employees misuse the confidential data of the company for their own benefit when they leave the company, or while they are still in the company.
A social network service is created to build online communities of people who share common
interests. They provide a variety of ways for users to interact, such as e-mail and instant messaging
services. Social networking has encouraged new ways to communicate and share information.
Such Web sites are used by millions of people every day.
The popularity of social networking sites has grown tremendously in the last few years. They help people stay in touch. They help small businesses connect with other businesses and clients, and have developed the concept of e-commerce business through social networking websites. They give people the chance to network with others, know their interests, and design business strategies and plans to attract customers of common interests and age groups.
However, with the growing popularity and mainstream use of these sites, there is also a dangerous side. There have been many terrorists, hackers and scammers. People can create fake profiles, i.e. commit identity theft, and most recently these sites have become an avenue for crimes.
(i) Cross Site Scripting (XSS): - XSS flaws occur whenever an application takes user supplied
data and sends it to a web browser without first validating or encoding that content. XSS
allows attackers to execute script in the victim's browser which can hijack user sessions,
deface web sites, possibly introduce worms, etc.
(ii) Website defacement: - It is an attack on a website that changes the visual appearance of the
site or a webpage. These are typically the work of system crackers, who break into a web
server and replace the hosted website with one of their own. Defacement is generally meant
as a kind of electronic graffiti, although recently it has become a means to spread messages
by politically motivated "cyber protesters" or hacktivists.
(iii) Website spoofing: - Website spoofing is the act of creating a website, as a hoax, with the
intention of misleading readers that the website has been created by a different person or
organization. Normally, the spoof website will adopt the design of the target website and
sometimes has a similar URL. A more sophisticated attack results in an attacker creating a
"shadow copy" of the World Wide Web by having all of the victim's traffic go through the
attacker's machine, causing the attacker to obtain the victim's sensitive information.
(iv) SQL Injection: - SQL injection is a very old approach but it's still popular among attackers.
This technique allows an attacker to retrieve crucial information from a Web server's
database. Depending on the application's security measures, the impact of this attack can vary
from basic information disclosure to remote code execution and total system compromise.
(v) Malicious File Execution: - Code vulnerable to remote file inclusion (RFI) allows attackers
to include hostile code and data, resulting in devastating attacks, such as total server
compromise. Malicious file execution attacks affect PHP, XML and any framework which
accepts filenames or files from users.
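Items (i) and (iv) above, shown as code: the vulnerable form beside its hardened form for both XSS (output encoding) and SQL injection (bound parameters). This is an added example, not code from these notes; the table, the inputs and the names are constructed.

```python
"""Vulnerable and hardened forms of the XSS and SQL injection flaws listed above.

Added example, not code from the notes. It uses only the Python standard
library; the users table, the comment text and the query inputs are constructed.
"""
import html
import sqlite3


# --- (i) Cross Site Scripting: user data reflected into HTML ---------------

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the string is pasted into the page without encoding, so a
    comment containing markup becomes markup the victim's browser executes."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the data first; the browser displays it as text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- (iv) SQL Injection: user data concatenated into a query ---------------

def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a web server's database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def find_user_unsafe(db, name: str) -> list:
    """Vulnerable: the query text is built with string formatting, so a quote
    in `name` ends the literal and the rest of the input is parsed as SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(query)]


def find_user_safe(db, name: str) -> list:
    """Hardened: a bound parameter. The driver sends the value separately from
    the statement, so it can never change the query's structure."""
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def demo() -> dict:
    db = make_db()
    markup = "<script>alert(1)</script>"   # constructed test input
    tautology = "' OR '1'='1"              # constructed test input
    return {
        "xss_unsafe": render_comment_unsafe(markup),
        "xss_safe": render_comment_safe(markup),
        "sqli_unsafe": find_user_unsafe(db, tautology),  # every row leaks
        "sqli_safe": find_user_safe(db, tautology),      # no such user
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```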
There are hundreds of types of network-based attacks that can damage an organization. The most
common forms include:
(i) Denial of Service Attack (DoS Attack) and Distributed Denial of Service Attack (DDoS Attack): - These attacks are designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds, the server is no longer able to answer even legitimate requests; this can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or web pages, inability to access data, websites or other resources. A Distributed Denial of Service Attack (DDoS) occurs where multiple compromised or infected systems (a botnet, i.e. a collection of compromised systems) flood a particular host with traffic simultaneously.
(ii) Man-In-The-Middle Attack [3]: - The attack is a form of active monitoring or eavesdropping on the victim's connections and the communication between victim hosts. This form of attack also includes interaction between both victim parties of the communication and the attacker; this is achieved by the attacker intercepting all parts of the communication, changing its content and sending it back as legitimate replies. Both communicating parties are unaware of the attacker's presence and believe the replies they get are legitimate. For this attack to succeed the perpetrator must successfully impersonate at least one of the endpoints; this can be the case if there are no protocols in place that would secure mutual authentication or encryption during the communication process.
(iii) Passive Social Engineering - Network Sniffing (Packet sniffing): - It is the process of capturing the data packets travelling in the network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for example in order to find unexpected suspicious traffic, but also by perpetrators to collect data sent in clear text, which is easily readable with the use of network sniffers (protocol analyzers). The best countermeasure against sniffing is the use of encrypted communication between the hosts.
(iv) Session Hijacking Attack: - Session hijacking is the exploitation of a valid computer session in order to gain unauthorized access to information on a computer system. This attack type is often referred to as cookie hijacking, as during its progress the attacker uses a stolen session cookie to gain access and authenticate to the remote server by impersonating the legitimate user.
(v) Buffer Overflow Attack: - In this type of attack the victim host is provided with traffic/data that is out of the range of the processing specifications of the victim host, protocols or applications, overflowing the buffer and overwriting the adjacent memory. One example is the Ping of Death attack mentioned earlier, where a malformed ICMP packet with a size exceeding the normal value can cause a buffer overflow.
[3] http://www.symantec.com/connect/articles/security-11-part-3-various-types-network-attacks
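The man-in-the-middle item above says the attack succeeds when no mutual authentication or encryption is in place. As an added example (not from these notes or the cited article), here is a shared-key challenge-response handshake with HMAC tags showing how an endpoint without the key fails to impersonate either side and how altered content is detected; the key, host names, relay function and messages are constructed.

```python
"""Mutual authentication and tamper detection with a shared key, the
countermeasure the man-in-the-middle item says is missing when the attack
succeeds.

Added example, not from the notes or the cited article. The key, host names
and messages are constructed; it uses HMAC-SHA256 from the standard library.
A MAC gives authentication and integrity only; confidentiality against the
sniffing item still needs encryption.
"""
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-secret"      # shared out of band in practice


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so ('ab','c') != ('a','bc')."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def handshake(key_a: bytes, key_b: bytes, relay=lambda m: m) -> dict:
    """Challenge-response in both directions between hosts A and B.

    Each side proves it holds the key by MACing the *other* side's fresh
    nonce; `relay` models the network path and is the identity function for
    an honest network. An in-path party who lacks the key cannot produce
    either proof, and any change to the relayed bytes breaks verification.
    """
    nonce_a = secrets.token_bytes(16)
    seen_by_b = relay(nonce_a)                       # A -> B: challenge
    nonce_b = secrets.token_bytes(16)
    proof_b = tag(key_b, b"B", seen_by_b, nonce_b)   # B -> A: nonce + proof
    seen_nonce_b, seen_proof_b = relay(nonce_b), relay(proof_b)
    a_verified_b = hmac.compare_digest(
        tag(key_a, b"B", nonce_a, seen_nonce_b), seen_proof_b)
    proof_a = tag(key_a, b"A", seen_nonce_b, nonce_a)   # A -> B: proof
    seen_proof_a = relay(proof_a)
    b_verified_a = hmac.compare_digest(
        tag(key_b, b"A", nonce_b, seen_by_b), seen_proof_a)
    return {"a_verified_b": a_verified_b, "b_verified_a": b_verified_a}


def seal(key: bytes, sender: bytes, payload: bytes) -> tuple:
    """Attach an integrity tag to application data after the handshake."""
    return payload, tag(key, b"data", sender, payload)


def check(key: bytes, sender: bytes, payload: bytes, mac: bytes) -> bool:
    """True only if payload is exactly what `sender` sealed with `key`."""
    return hmac.compare_digest(tag(key, b"data", sender, payload), mac)


def flip_first_byte(m: bytes) -> bytes:
    """A relay that alters every message in transit (constructed attacker)."""
    return bytes([m[0] ^ 0x01]) + m[1:]


if __name__ == "__main__":
    print(handshake(KEY, KEY))                         # both True
    print(handshake(KEY, b"attacker-has-no-key"))      # both False
    print(handshake(KEY, KEY, relay=flip_first_byte))  # both False
    payload, mac = seal(KEY, b"A", b"pay 100 to bob")
    print(check(KEY, b"A", payload, mac))              # True
    print(check(KEY, b"A", b"pay 100 to eve", mac))    # False: altered content
```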
Social engineering is the use of persuasion or deception to gain access to information systems. [4] The medium is usually a telephone or e-mail message. The attacker usually pretends to be a director or manager in the company, travelling on business with a deadline to get some important data left on their network drive. They pressure the help desk to give them the toll-free number of the RAS server to dial, and sometimes get their password reset. The main purpose behind social engineering is to place the human element in the network-breaching loop and use it as a weapon. The human element has been referred to as the weakest link in network security.
1. Faked Email: The social engineer sends a message to one or more users in a domain that "this is the system administrator and your password must be reset to user 123" for a temporary period of time. The hacker then continuously monitors for the change and then exploits the whole system.
2. Fictitious Competition: The social engineer manipulates a group of users to participate in some fake competition for a jackpot prize, with the ultimate purpose of eventually extracting confidential information about network and password security.
3. The Helpful Help Desk: The help desk gets a call from the social engineer impersonating a user reporting a forgotten password. In many cases the help desk will change the user's password over the phone. The hacker now has a legitimate user name and password to work with. To avoid problems from the original user, the social engineer will then call the user who was impersonated and say something like "This is John from the MIS department. We had some problems with security today, so we have changed your password. Your new password is JohnforU@123."
[4] http://www.drtomoconnor.com/3100/3100lect05.htm
Deciphering packets in WEP is really easy, as WEP's security is very low and easily breakable. Sometimes this technique is also called WAR DRIVING.
(ii) Active Attack: After the attacker does a passive attack in order to get information about the wireless network, she/he will do an active attack. Mostly, active attacks are IP spoofing and Denial of Service attacks.
❖ IP Spoofing: In this attack scenario, the attacker accesses the unauthorized wireless network. Not only that, but she/he also does packet crafting in order to impersonate the authorization of that server or network.
❖ Denial of Service Attack: Here the attacker makes an attack on a particular target by flooding the server with packets. In most cases, SYN packets are used because they have the capability of generating the flood storm.
❖ MITM Attack: Here the attacker accesses the information of the AP of any active SSID. Dummy APs are created, and the attacker listens to the communication between two end points. Let's suppose a client has a TCP connection with some server; then the attacker will be the man in the middle and she/he splits that TCP connection into two separate connections, whose common node will be the attacker himself/herself. So the first connection is from the client to the attacker, and the second connection is from the attacker to the server. Each and every request and response between client and server takes place via the attacker, so the attacker can steal information passing in the air between them.
[5] http://resources.infosecinstitute.com/wireless-attacks-unleashed/
❖ Fun – Prevent the legitimate user from receiving any kind of data from the Internet.
❖ Spy – Delay in packet deployment to the legitimate user can give more time to an
attacker for deciphering the packet in order to steal the information.
❖ Attack – Attacker may spoof the packets and send them to the victim in order to take control over the user's machine or network.
(i) Bluesnarfing: - This kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.
(ii) Bluejacking: - This kind of attack allows the malicious user to send unsolicited (often spam) messages over Bluetooth to Bluetooth-enabled devices.
(iii) Bluebugging: - A hacking attack on a Bluetooth-enabled device. Bluebugging enables the attacker to initiate phone calls on the victim's phone as well as read through the address book and messages and eavesdrop on phone conversations.
Cyber-crimes are broadly categorized into three categories, namely crime against
1. Individual
2. Property
3. Government
Each category can use a variety of methods and the methods used vary from one criminal to another:
1. Individual [6]: This type of cyber-crime can be in the form of cyber stalking, distributing pornography, trafficking and "grooming". Today, law enforcement agencies are taking this category of cyber-crime very seriously and are joining forces internationally to reach and arrest the perpetrators.
2. Property: Just like in the real world where a criminal can steal and rob, even in the cyber world criminals resort to stealing and robbing. In this case, they can steal a person's bank details and siphon off money; misuse the credit card to make numerous purchases online; run a scam to get naïve people to part with their hard-earned money; use malicious software to gain access to an organization's website or disrupt the systems of the organization. The malicious software can also damage software and hardware, just like vandals damage property in the offline world.
3. Government: Although not as common as the other two categories, crimes against a
government are referred to as cyber terrorism. If successful, this category can wreak havoc
and cause panic amongst the civilian population. In this category, criminals hack
government websites, military websites or circulate propaganda. The perpetrators can be
terrorist outfits or unfriendly governments of other nations.
To access the online facility of a financial institution, a customer having personal Internet access must register with the institution for the service, and set up a password for customer verification. The
password for online banking is normally not the same as for telephone banking. Financial
institutions now routinely allocate customer numbers (also under various names), whether or not
customers intend to access their online banking facility. Customer numbers are normally not the
same as account numbers, because a number of accounts can be linked to the one customer number.
[6] http://www.crossdomainsolutions.com/cyber-crime/
[7] http://en.wikipedia.org/wiki/User:Rakeshgopal8891763936/sandbox
The customer will link to the customer number any of those accounts which the customer controls,
which may be cheque, savings, loan, credit card and other accounts.
Internet Banking Fraud is a fraud or theft committed using online technology to illegally remove
money from a bank account and/or transfer money to an account in a different bank. Internet
Banking Fraud is a form of identity theft and is usually made possible through techniques such as
phishing.
▪ Phishing
▪ Pharming
▪ Cross-site scripting
▪ Use of Keyloggers/Trojan horse, etc.
▪ Ensure your computer is protected with the latest anti-virus definitions and firewall
protection turned on at all times. Download updates regularly to ensure you have the latest
upgraded version of protection to deal with zero day attacks.
▪ Choose a Password that is memorable to you but not easy to guess by someone else.
Passwords that contain combinations of alpha and numeric characters are generally harder
to guess (e.g. a7g3cy91).
▪ Do not choose a Password that you use for other services. Your Password should be unique
to Internet Banking.
▪ Change your Internet Banking Password at regular intervals.
▪ Never disclose your Internet Banking Password to anyone. Always remember that Bank
will never ask you for your Password either via phone or email.
▪ Do not write your Internet Banking Username together with your Password. Do not write
your Password in a recognizable format and never leave your logon details with your
Online Security Device.
▪ Disable functionality on your computer or browsers that remembers logon details.
▪ Keep your system and web browser updated. Manufacturers regularly release security
patches when weaknesses are discovered in their systems and browsers.
▪ Check with your software provider for these updates on a regular basis.
▪ Check the padlock symbol and site certificate. Double-click the padlock symbol at the
bottom of your browser when you log-in to Online Banking website/portal to ensure the
site certificate belongs to your bank. This will ensure you're not being duped into entering
your details on a 'fake' site.
▪ Check your accounts regularly. If in doubt about any transactions, note the details and call
your bank immediately.
On preliminary enquiry, MP Cyber Police found that it was an act of cheating, forgery and fraud against the bank and not the customer, as the customer had never asked for the activation of Internet banking. Hence an FIR was lodged in the name of ABC BANK LTD.
As per the complaint, a fake account was opened in the name of Gourav Shukla. For the purpose of cheating, the suspect approached the bank and submitted forged documents to add a mobile number to the account of Poonam Gulati. The bank official matched only the PAN number but did not match the photocopies with the originals. After getting the mobile number registered in the account of Poonam Gulati, the suspect requested that Internet banking be added to the account of Poonam Gulati. After getting Internet banking activated, the suspect made a "forgot password" request through Internet banking; he could obtain the password partly on the Internet window and partly on the registered mobile. After getting the Internet banking password, the suspect transferred Rs 17 lakh, one lakh per day, from the account of Poonam Gulati to the account of Gourav Shukla. He withdrew money at the rate of one lakh per day from various ATMs of State Bank of India wearing a helmet.
MP State Cyber Police analyzed the complaint to ascertain the points from where evidence could be found. Cyber Police obtained CDRs and IP login logs and found that the suspect had entered a cyber cafe with a fake name and address. Cyber Police analyzed the location based on the CDRs, looked through fake ID cards and drew up a list of suspects. After building up the profiles of the suspects, Cyber Police raided several places and arrested Rahul Sharma, Reetesh Choukse, Shyam Yadav and Pramod Jaiswal.
Out of these, the mastermind was the ex-ABC BANK employee Reetesh, who conspired with Rahul to open an account using a fake ID card in the name of Gourav Shukla. The account was opened with a photo of Shyam Yadav. The fake ID was created by the cyber cafe owner Pramod Jaiswal, and Rahul withdrew the money from ATMs wearing a helmet.
Cyber Police cracked the case within seven days and seized around Rs 15 lakh which had been deposited in several accounts. [8]
[8] http://www.mpcyberpolice.nic.in/casestudies.htm
UNIT 4
CYBER LAW
Objectives:-
changes that permeate society that describes the legal issues related to use of inter-networked
information technology.
1. Cyber Crimes
2. Electronic and digital signatures
3. Intellectual Property
4. Data protection and privacy.
Following the UN Resolution on UNCITRAL, India passed the Information Technology Act, 2000 (hereinafter referred to as the IT Act) in May 2000 and notified it for effectiveness on October 17, 2000. [9]
2000
• 17th October, 2000: The Information Technology Act, 2000 was notified in the official gazette.
• Amendments made in the Indian Penal Code, 1860 (hereinafter referred to as the IPC) in tune with the IT Act to penalize several cyber-crimes like forgery of electronic records, cyber frauds, destroying electronic evidence, etc.
[9] http://www.un.org/documents/ga/res/51/ares51-162.htm
SEC. 75 – (1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.
(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.
Comments - Provisions of the IT Act are applicable within the territory of India (incl. Jammu and
Kashmir) as well as to an offence or contravention committed outside India by any person, if the
act or conduct constituting the offence or contravention involves a computer, computer system or
computer network located in India.
Illustration - Andrew, a German citizen, breaks into a computer system located in India and makes unauthorized copies of sensitive information. Andrew can be held liable under the IT Act.
Cognizance should be taken by | Victim should approach law enforcement agency | Action can be taken suo motu by the Police or government
What needs to be proved? | Party has suffered loss or damages | Intention, knowledge and motive (mens rea + actus reus)
Parties involved | Two or more parties in their individual capacity | Two or more parties, usually the victim is represented by the government through a public/police prosecutor
Section 43 (b) Downloads, copies or extracts any data, computer data base or
information from such computer, computer system or computer network
including information or data held or stored in any removable storage
medium
Section 43 (g) provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions
of this Act, rules or regulations made hereunder;
Section 43 (h) charges the services availed of by a person to the account of another
person by tampering with or manipulating any computer, computer
system, or computer network, he shall be liable to pay damages by way
of compensation not exceeding one crore rupees to the person so
affected.
SECTION 65:
TAMPERING WITH COMPUTER SOURCE CODE DOCUMENTS
Explanation — for the purposes of this section, "computer source code" means the listing of
programs, computer commands, design and layout and program analysis of computer resource in
any form.
SECTION 66:
Computer related offences - If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
(a) The word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code.
(b) The word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code.
Illustration-
Meghana is Swapnil's ex-girlfriend. After their break-up, Swapnil uploads his status on a popular
social networking site, describing Meghana to be a woman of a loose character. Swapnil can be
punished under this section.
SECTION 72:
Save as otherwise provided in this Act or any other law for the time being in force, any person
who, in pursuance of any of the powers conferred under this Act, rules or regulations made there
under, has secured access to any electronic record, book, register, correspondence, information,
document or other material without the consent of the person concerned discloses such electronic
record, book, register, correspondence, information, document or other material to any other
person shall be punished with imprisonment for a term which may extend to two years, or with
fine which may extend to one lakh rupees, or with both.
• If any person secures access to some information in pursuance of the power given under the IT Act or any rules thereof (e.g. authorities like adjudicating officers, Inspector of Police, etc.).
• If such person discloses such information to a third party without authorization or without being lawfully permitted.
Intellectual property refers to creations of the mind: inventions; literary and artistic works; and
symbols, names and images used in commerce. The intellectual property system helps strike a
balance between the interests of innovators and the public interest, providing an environment in
which creativity and invention can flourish, for the benefit of all. Intellectual property is divided
into two categories:
• Industrial Property: It includes patents for inventions, trademarks, industrial designs and
geographical indications.
• Copyright covers literary works (such as novels, poems and plays), films, music, artistic
works (e.g., drawings, paintings, photographs and sculptures) and architectural design.
Rights related to copyright include those of performing artists in their performances,
producers of phonograms in their recordings, and broadcasters in their radio and television
programs.
➢ Definition of patent
A patent is an exclusive right granted for an invention – a product or process that provides a new
way of doing something, or that offers a new technical solution to a problem. A patent provides
patent owners with protection for their inventions. Protection is granted for a limited period,
generally 20 years.
Patent protection means an invention cannot be commercially made, used, distributed or sold without the patent owner's consent. Patent rights are usually enforced in courts, which, in most systems, hold the authority to stop patent infringement. Conversely, a court can also declare a patent invalid upon a successful challenge by a third party.
➢ Definition of Trademark
A trademark is a distinctive sign that identifies certain goods or services produced or provided by an individual or a company. Its origin dates back to ancient times when craftsmen reproduced their signatures, or "marks", on their artistic works or products of a functional or practical nature. Over the years, these marks have evolved into today's system of trademark registration and protection. The system helps consumers to identify and purchase a product or service based on whether its specific characteristics and quality – as indicated by its unique trademark – meet their needs.
Trademark protection ensures that the owners of marks have the exclusive right to use them to
identify goods or services, or to authorize others to use them in return for payment. The period of
protection varies, but a trademark can be renewed indefinitely upon payment of the corresponding
fees. Trademark protection is legally enforced by courts that, in most systems, have the authority
to stop trademark infringement.
➢ Industrial Design
An industrial design refers to the ornamental or aesthetic aspects of an article. A design may consist
of three-dimensional features, such as the shape or surface of an article, or two-dimensional features, such as patterns, lines or color.
Industrial designs are applied to a wide variety of industrial products and handicrafts: from
technical and medical instruments to watches, jewelry and other luxury items; from house wares
and electrical appliances to vehicles and architectural structures; from textile designs to leisure
goods.
Generally, "new" means that no identical or very similar design is known to have previously
existed. Once a design is registered, a registration certificate is issued. Following that, the term of
protection granted is generally five years, with the possibility of further renewal, in most cases for
a period of up to 15 years.
The good folks at Opera were the only browser group to actually release a proper official backup utility for their browser, and as a result it's a top class product called OperaFly. Aside from handling the basic backups, it also has the ability to backup and restore to/from an FTP server, send backups via email, and to restore backups from an http site. It also allows for pre-scheduled backups and automatic backups when the browser is closed. [10]
The investigating team visited the complainant's premises and scanned the logs of e-mails. They identified the IP address and, using tracing software, traced the ISP and the address of the place from which the e-mails had been sent.
This address was of a Hyderabad based company. On visiting the company the investigating team found 13 computers and a server. Using specialized forensic tools the disks were imaged and analyzed by the team. The analysis revealed that the original source code as well as its tampered version had been restored from these systems. [11]
The former employees found guilty were booked under sections 65 and 66 of the IT Act 2000 and sections 381 and 420 of the Indian Penal Code.
[10] World Intellectual Property Organization document, WIPO Publication No. 450(E), ISBN 978-92-805-1555-0
[11] http://indiacyberlab.in/know_more/legal-hacking.htm
UNIT 5
Objectives:-
5.1 Understanding Web Browsers
5.2 Security Features of Different Browsers
5.3 Browsers Add-Ons
5.4 Backups of Different Browsers
A Web browser is a software program that interprets the coding language of the World Wide Web in graphic form, displaying the translation rather than the coding. This allows anyone to "browse the Web" by simple point-and-click navigation, bypassing the need to know the commands used in software languages. The World Wide Web is written in Hypertext Markup Language (HTML). Viewed with software other than a Web browser, HTML looks nothing like its graphic translation. To take a peek, right-click on any empty space in a webpage. A small pop-up menu will appear. Choose View Page Source in Firefox, or View Source in Microsoft's Internet Explorer (IE). When finished viewing the HTML coding, close the window to return to the Web browser window.
The first successful graphical Web browser, Mosaic, was written by Marc Andreessen and Eric
Bina in 1992 and released in 1993. At that time, the only popular graphical online services were
offered by Prodigy, America Online (AOL), and CompuServe. These companies were closed
networks that provided their own proprietary content, message boards, email programs, and
interfaces, and did not provide access to the Internet.
The Mosaic Web browser opened the Internet to the general public. It provided a pleasurable means to navigate the World Wide Web and was free for personal use. To compete with the appeal of the Internet's worldwide network, closed networks had to introduce a pipeline to the Internet and supply a graphic Web browser to interpret HTML. By the time this occurred in the mid-1990s, Andreessen had partnered with Jim Clark, former founder of Silicon Graphics, to create a new flagship Web browser called Netscape.
Netscape remained the Web browser of choice until Microsoft began pre-packaging their own Web browser into the Windows operating system. Internet Explorer (IE) was inferior to Netscape in many ways, particularly criticized for ongoing security issues, numerous bugs, and a lack of conformity to Web standard protocols. While this turned off many in the online community, the flood of new computer users knew too little to be aware or concerned. By 1998, Internet Explorer dominated as the most ubiquitous Web browser, due in large part to Microsoft's ability to pre-load it into new computer systems.
At the same time, Netscape, then known as Netscape Communicator, released its source code to
the public. The Web browser went through a massive rewrite over the next few years. It emerged
as the open source Web browser known as Mozilla, under the Mozilla Organization, and then
owned by AOL. By 2003, AOL passed off oversight to the newly formed Mozilla Foundation,
which renamed the Web browser to Phoenix and later to Firefox.
Although IE and Firefox are not the only Web browsers, they are the two most popular. As a third
alternative, Opera Software, located in Oslo, Norway, offers the Opera Web browser, a
proprietary browser released in 1996. Opera was originally offered as shareware, then adware, and
finally, as of September 2005, freeware. After years of using Netscape Navigator and Internet
Explorer for Macintosh computers, Apple developed a Web browser just for Macintosh computers.
Safari was initially included as an optional Web browser on Macintosh computers, because of a licensing agreement with Microsoft to package Internet Explorer with new Macintosh computers.
Starting in 2005, Safari became the exclusive Web browser installed on new Macintosh computers.
In 2007, Apple announced that it had developed a Safari browser that was compatible with
Microsoft Windows. After a series of tests, Safari was labeled the fastest web-browser for initial
data loads in Microsoft Windows, although it equaled Microsoft's Internet Explorer in loading
cache memory.
Google Chrome is also a freeware web browser, developed by Google, that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. As of May 2012, Google Chrome had approximately 33% worldwide usage share of web browsers, making it the most widely used web browser, according to StatCounter.
Tracking Protection helps you stay in control of your privacy as you browse the web.
Some of the content, images, ads, and analytics that you see on the websites you visit are provided
by third-party websites. While this content can provide value to you and your favorite websites,
these third-party websites have the ability to potentially track your behavior across multiple sites.
Tracking Protection provides you an added level of control and choice about the information that
third-party websites can potentially use to track your browsing activity.
Tracking Protection Lists help enhance your privacy and help protect you from online tracking by
blocking web content that may be used to track you. To use this functionality, you simply add a
Tracking Protection List from one of the Tracking Protection List providers. A Tracking
Protection List contains domains which Internet Explorer will block as well as domains Internet
Explorer will not block. As you browse to different sites, Internet Explorer ensures that
information about you, such as your IP address or the site you are currently viewing, is not sent
to the domains that the list blocks. Once you've installed a Tracking Protection List, the settings
apply to all the sites you browse to and are preserved each time you begin a new browsing
session. Tracking Protection stays on until you decide to turn it off.
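The block-or-allow decision that such a list drives, as an added example that is not code from these notes or from Internet Explorer. The list below is constructed, and the rule syntax is my reading of the published TPL format (first line msFilterList, -d to block a domain and its subdomains, +d to allow one, a bare -text to block URLs containing that text, allow rules winning over block rules); the decision logic, including the fact that only third-party requests are ever blocked, is the point:

```python
from urllib.parse import urlsplit

# Constructed Tracking Protection List (assumption: this is the published
# IE9 TPL syntax; the domains are reserved example names).
SAMPLE_TPL = """\
msFilterList
: Expires=7
# constructed example list
-d tracker.example
-d ads.example
+d cdn.ads.example
-/beacon.gif
"""


def parse_tpl(text):
    """Split a TPL into (blocked domains, allowed domains, blocked substrings)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "msFilterList":
        raise ValueError("not a Tracking Protection List")
    blocked, allowed, substrings = set(), set(), []
    for line in lines[1:]:
        line = line.strip()
        if not line or line[0] in ":#":      # comment / expiry lines
            continue
        if line.startswith("-d "):
            blocked.add(line[3:].strip().lower())
        elif line.startswith("+d "):
            allowed.add(line[3:].strip().lower())
        elif line.startswith("-"):
            substrings.append(line[1:].strip())
        # "+text" allow-by-substring rules are ignored in this example
    return blocked, allowed, substrings


def _under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_blocked(url, page_host, rules):
    """Would a request for url, made by a page on page_host, be blocked?

    Only third-party requests are ever blocked: the list is about content
    that other domains pull into the page you are viewing.
    """
    blocked, allowed, substrings = rules
    host = (urlsplit(url).hostname or "").lower()
    page_host = page_host.lower()
    if host == page_host or host.endswith("." + page_host):
        return False                      # first-party: never blocked
    if _under(host, allowed):
        return False                      # an explicit allow beats any block
    if _under(host, blocked):
        return True
    return any(s in url for s in substrings)


RULES = parse_tpl(SAMPLE_TPL)

if __name__ == "__main__":
    for u in ("http://pixel.tracker.example/t.gif",
              "http://cdn.ads.example/lib.js",
              "http://other.example/beacon.gif"):
        print(u, "blocked" if is_blocked(u, "news.example", RULES) else "allowed")
```

The order of the checks is what matters: an allow entry for cdn.ads.example lets that host through even though its parent ads.example is blocked, which is how list providers carve out exceptions for content a site needs.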
The SmartScreen URL filter continues to be a key safety feature of Internet Explorer. Since the
launch of Internet Explorer 8, SmartScreen has blocked over 1.5 billion malware and phishing
attacks and continues to block between 3 and 5 million attacks each day. Microsoft committed to
continuously improving their intelligence systems and processes so they can continue to provide
industry-leading protection from phishing and malware. Microsoft also improved the SmartScreen
block experience in two core scenarios to ensure that you clearly understand the risks involved.
The new Download Manager blocks downloads from known malicious websites. When a malicious
download URL is detected, a warning is shown in the new notification bar and in the Download
Manager. At this point you can choose to continue the download; otherwise the download is
cancelled and removed automatically.
Sometimes you don't want to leave a trace of your web browsing activity on the computer you are
using. Whether it's shopping for a gift on a shared computer or checking email at an Internet café,
there are times when you don't want to leave any evidence of your browsing or search history for
others to see.
Microsoft InPrivate Browsing helps prevent browsing history, temporary Internet files, form data,
cookies, usernames, and passwords from being retained by the browser. You can start InPrivate
Browsing from the New Tab page, from the Internet Explorer Jump List, or by selecting InPrivate
Browsing from the Safety menu. Internet Explorer will launch a new browser session that won't
record any information, including web pages that you visit and searches that you perform. Closing
the browser window ends the InPrivate Browsing session. Note that InPrivate Browsing only stops
the browser from keeping records on the local computer; the websites you visit, your network
administrator and your ISP can still see your activity.
ActiveX Filtering in Internet Explorer can help you make an informed decision about every
ActiveX control you run by giving you the ability to block ActiveX controls for all sites, and then
turn them on for only the sites that you trust. This can help improve your protection against risky
and unreliable ActiveX controls. ActiveX is a technology that's embedded into many of the top
websites to enrich your browsing experience. It can be used for things like playing videos,
displaying animations, and viewing certain kinds of files. However, ActiveX controls are native
code running inside the browser, so they can also pose security risks and slow down your computer.
Internet Explorer can help you avoid deceptive sites. As in earlier versions, Internet Explorer
shows the domain name in the address bar in black, while the rest of the web address is displayed
in gray text. This makes it easier to confirm the identity of the sites that you visit and helps to
alert you to deceptive websites with misleading addresses, reducing the chances of exposing your
personal information while browsing.
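What the highlighting is for, as an added example (not code from these notes or from Internet Explorer): the function below extracts the registrable domain that a browser would highlight and flags addresses that merely mention a trusted brand somewhere else in the URL. The public-suffix set is a constructed stand-in for the real Public Suffix List, and the sample URLs are constructed.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a few entries
# are enough to show the mechanism; the real list has thousands).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the part of the host that the address bar highlights
    ('paypal.com' for 'www.paypal.com'); None for IP hosts or bare suffixes."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None                      # an IP literal has no registrable domain
    except ValueError:
        pass
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest; the first public
    # suffix found, plus the label in front of it, is the registrable domain.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def assess_url(url: str, trusted_domain: str) -> dict:
    """Decide whether a URL that name-drops a trusted brand really belongs to it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    highlighted = registrable_domain(host)
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]
    reasons = []
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the host")
    if highlighted is None:
        reasons.append("host is an IP address or has no registrable domain")
    elif highlighted != trusted:
        reasons.append(f"highlighted domain is {highlighted!r}, not {trusted!r}")
    # Deceptive when the brand name appears somewhere the eye lands (userinfo,
    # subdomain, path) while the part that actually matters is something else.
    deceptive = bool(reasons) and brand in url.lower()
    return {"highlighted": highlighted, "deceptive": deceptive, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://www.paypal.com.secure-login.example/verify",
              "https://paypal.com@203.0.113.5/login"):
        print(u, "->", assess_url(u, "paypal.com"))
```

The second and third sample URLs are the two classic tricks the highlighting defeats: the brand as a subdomain of an unrelated registrable domain, and the brand placed before an '@' so that it is parsed as a username rather than a host.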
B. MOZILLA FIREFOX - Mozilla Firefox is one of the best browsers out there on the market,
and it's free. Through the unique development methods of Open Source, the Mozilla
Foundation and contributors are able to make a product with impressive speed and fewer
bugs than programs developed by traditional methods. Mozilla Firefox has a number of
unique features, and it is overall a good product.
Whether it's buying a gift, paying your bills or simply signing in to Facebook, it's important to keep
your personal info out of the hands of any online bad guys who might be snooping around.
Fortunately, Firefox is packed with advanced security features to help you stay safe.
The Site Identity Button is a Firefox security feature that gives you more information about the
sites you visit. Using the Site Identity Button, you can find out if the website you are viewing is
encrypted, if it is verified, who owns the website, and who verified it. This should help you avoid
malicious websites that are trying to get you to provide important information.
The Site Identity Button is in the Location bar to the left of the web address.
When viewing a website, the Site Identity Button will display in one of three colors - gray, blue,
or green. Clicking on the Site Identity Button will display security information about the website,
with a matching gray, blue, or green "Passport Officer" icon.
When the Site Identity button is gray, that indicates that the site doesn't provide any identity
information at all. Also, the connection between Firefox and the server is either unencrypted or
only partially encrypted, and should not be considered safe against possible eavesdroppers.
Most websites will have the gray button, because they don't involve passing sensitive information
back and forth and do not really need to have verified identities or encrypted connections. For sites
that don't require any personal information, a lack of identity information is fine.
Note: If you are sending any sort of sensitive information (bank information, credit card data, Social
Security Numbers, etc.) the Site Identity Button should not be gray.
When the Site Identity button is blue, that indicates that the site's domain has been verified, and
the connection between Firefox and the server is encrypted and therefore protected against
eavesdroppers. When a domain has been verified, it means that the people who are running the
site have obtained a certificate proving that they control the domain and it is not being spoofed.
For example, the TD Canada Trust website has this sort of certificate and an encrypted connection,
so the Site Identity Button displays as blue. When you click on the Site Identity Button, it tells
you that the easywebcpo.td.com site is verified to be part of td.com, as certified by VeriSign Inc.
It also assures you that the connection is encrypted so no one can eavesdrop on the connection
and steal your bank login information that way.
However, it is not verified who actually owns the domain in question. There is no guarantee that
td.com is actually owned by the Toronto Dominion Bank. The only things that are guaranteed are
that the certificate was issued for this domain, and that the connection to it is encrypted. If you
are still leery about a site's identity when the Site Identity Button is blue, you can see more
information about the site by clicking the More Information... button on the Site Identification
dialog. This opens the Security panel of the Page Info window, where you can view the site's
identity certificate, see if you've visited the site before, and check whether you have any cookies
or passwords stored for the site.
When the Site Identity button is green, that indicates that the site provides fully verified
identity information about its owner, and that the connection is encrypted. If a site makes the
Site Identity Button turn green, it means that it is using an Extended Validation (EV) certificate.
An EV certificate is a special type of site certificate that requires a significantly more rigorous
identity verification process than other types of certificates. While the blue Site Identity Button
indicates that a site uses a secure connection, the green Site
Identity Button indicates that the connection is secure and that the owners of the domain are who
you would expect them to be.
With the EV certificate, the Site Identity Button assures you that paypal.com is owned by Paypal
Inc., for example. Not only does the Site Identity Button turn green on the Paypal site, it also
expands and displays the name of the owner in the button itself. The Site Identification dialog
contains further information.
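The three colours as a decision procedure, as an added example that is neither Firefox code nor part of these notes. The Certificate class and the two sample certificates (TD_CERT and PAYPAL_CERT) are constructed stand-ins for the certificates the text describes, and treating "EV policy present plus an organisation name" as the green case is a simplification of what the browser really checks (it matches the issuer's EV policy identifier against a built-in list). The name matching follows the usual RFC 6125 rules, which is the check behind the blue button's "verified to be part of td.com":

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Certificate:
    """The fields a browser reads from a site certificate. Constructed values
    for the example, not real certificates."""
    san: List[str]                       # subjectAltName dNSName entries
    issuer: str                          # who signed it
    organization: Optional[str] = None   # subject O=, shown only for EV
    ev_policy: bool = False              # an EV certificatePolicies OID is present


# Constructed stand-ins for the two certificates discussed in the text.
TD_CERT = Certificate(san=["*.td.com", "td.com"], issuer="VeriSign Inc.")
PAYPAL_CERT = Certificate(san=["www.paypal.com", "paypal.com"],
                          issuer="VeriSign Inc.",
                          organization="PayPal, Inc.", ev_policy=True)


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of a certificate name with the host.

    A wildcard is only honoured as the entire leftmost label, it matches
    exactly one label, and patterns like '*.com' are refused.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:                # '*.com' would cover every .com site
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == suffix


def identity_level(host: str, cert: Optional[Certificate], encrypted: bool) -> dict:
    """Map a connection to the colour the Site Identity Button would show."""
    if not encrypted or cert is None:
        return {"color": "gray", "domain_verified": False,
                "owner": None, "verified_by": None}
    if not any(name_matches(n, host) for n in cert.san):
        # A certificate for some other name proves nothing about this host;
        # the browser shows an error page rather than a coloured button.
        return {"color": "error", "domain_verified": False,
                "owner": None, "verified_by": cert.issuer}
    if cert.ev_policy and cert.organization:
        return {"color": "green", "domain_verified": True,
                "owner": cert.organization, "verified_by": cert.issuer}
    # Plain domain-validated certificate: the domain is confirmed, the owner is not.
    return {"color": "blue", "domain_verified": True,
            "owner": None, "verified_by": cert.issuer}


if __name__ == "__main__":
    print(identity_level("easywebcpo.td.com", TD_CERT, True))
    print(identity_level("www.paypal.com", PAYPAL_CERT, True))
    print(identity_level("news.example", None, False))
```

Note that the blue result carries no owner at all: the only facts the browser can vouch for are that some issuer signed a certificate for this name and that the channel is encrypted, which is exactly the limitation the paragraph above describes.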
As you browse the web, Firefox remembers lots of information for you: sites you've visited, files
you've downloaded, and more. There may be times, however, when you don't want other users on
your computer to see this information, such as when shopping for a birthday present.
❖ Visited pages: No pages will be added to the list of sites in the History menu, the Library
window's history list, or the Awesome Bar address list.
❖ Form and Search Bar entries: Nothing you enter into text boxes on web pages or the
Search bar will be saved for form autocomplete.
❖ Passwords: No new passwords will be saved.
❖ Download List entries: No files you download will be listed in the Downloads window
after you turn off Private Browsing.
❖ Cookies: Cookies store information about websites you visit, such as site preferences,
login status, and data used by plug-ins like Adobe Flash. Cookies can also be used by third
parties to track you across web sites; cookies set during a Private Browsing session are
discarded when the session ends. For more about tracking, see the Do Not Track feature.
(i) At the top of the Firefox window, click the Firefox button (Tools menu in Windows XP)
and select Start Private Browsing.
(ii) When you turn on Private Browsing, Firefox alerts you that it will save your current
windows and tabs for after you finish using Private Browsing. Click Start Private Browsing
to continue.
(iii) Check the box next to "Do not show this message again" if you don't want to receive this
alert when you turn on Private Browsing.
(iv) The Private Browsing information screen appears to confirm that you're in Private
Browsing mode.
(v) When browsing in Private Browsing mode, the Firefox button will be purple during your
session.
1. At the top of the Firefox window, click the Firefox button (Tools menu in Windows XP)
and select Stop Private Browsing.
2. The windows and tabs you were using when you enabled Private Browsing will appear,
and you can use Firefox normally. The Firefox button will turn orange again (for Windows
XP the Firefox window title will no longer say (Private Browsing)) when Private Browsing
is off.
Private Browsing allows you to browse the Internet without saving any information about which
sites and pages you've visited.
C. GOOGLE CHROME - Google Chrome has been steadily gaining browser market share since its
launch three years ago. It's not without its flaws, but it definitely falls in the "kinda cool"
category. Its simple, minimalistic, yet feature-rich interface caused a lot of users to ditch their
old and trusted browser in favor of this new tool. Chrome has a lot of obscure features which could
immensely enhance your browsing productivity if you knew about them. This section describes
some of those features.
I. INCOGNITO MODE
For times when you want to browse in stealth mode, Google Chrome offers the incognito browsing
mode. Here's how incognito mode works:
❖ Web pages that you open and files downloaded while you are incognito aren't recorded in
your browsing and download histories.
❖ All new cookies are deleted after you close all incognito windows that you've opened.
❖ Changes made to your Google Chrome bookmarks and general settings while in incognito
mode are always saved.
➢ Tip –
If you're using Chrome OS, you can use the guest browsing feature as an alternative to incognito
mode. When browsing as a guest, you can browse the web and download files as normal. Once
you exit your guest session, all of your browsing information from the session is completely erased.
A new window will open with the incognito icon in the corner. You can continue browsing as normal
in the other window.
You can also use the keyboard shortcuts Ctrl+Shift+N (Windows, Linux, and Chrome OS) and
⌘-Shift-N (Mac) to open an incognito window.
You can control all your privacy preferences for Chrome from the Options dialog, under the
Privacy section located at the top of the Under the Hood tab.
You have full control over your browsing data. This data includes your browsing and download
history, cache, cookies, passwords, and saved form data. Use the "Clear browsing data" dialog to
delete all your data or just a portion of your data, collected during a specific period of time.
Use the Content Settings dialog to manage the following settings: cookies, images, JavaScript,
plug-ins, pop-ups, location sharing, and notifications. Each setting is described below:
❖ Cookies are files created by websites you've visited to store browsing information, such
as your site preferences or profile information. They're allowed by default. It's important
to be aware of your cookie settings because cookies can allow sites to track your
navigation during your visit to those sites.
❖ Images are allowed by default. To prevent images from displaying, select "Do not show
any images."
❖ JavaScript is commonly used by web developers to make their sites more interactive. If
you choose to disable JavaScript, you may find that some sites don't work properly.
❖ Plug-ins are used by websites to enable certain types of web content (such as Flash or
Windows Media files) that browsers can't inherently process. They're allowed by default.
❖ Pop-ups are blocked by default from appearing automatically and cluttering your screen.
❖ Location requests: Google Chrome alerts you by default whenever a site wants to use
your location information.
❖ Notifications: Some websites, such as Google Calendar, can show notifications on your
computer desktop. Google Chrome alerts you by default whenever a site wants
permission to automatically show notifications.
V. SAFE BROWSING
Chrome will show you a warning message before you visit a site that is suspected of containing
malware or phishing.
A phishing attack takes place when someone masquerades as someone else to trick you into sharing
personal or other sensitive information with them, usually through a fake website. Malware, on
the other hand, is software installed on your machine often without your knowledge, and is
designed to harm your computer or potentially steal information from your computer.
With Safe Browsing technology enabled in Chrome, if you encounter a website suspected of
containing phishing or malware as you browse the web, you will see a full-page warning before
the site is shown.
D. OPERA
It is easy to use your favorite search engine whenever you want, from the search field, the
address field or even the context menu. You can also add any search engine: simply right-click
in the search field of a search engine's website and select "Create Search".
"Find in page" is brilliant in Opera. All matching results are highlighted, so they are clearly
visible. You can fine-tune your search to match all the text, just whole words or only the links
on the page. This feature can be accessed from keyboard shortcuts: . (period) for text and
, (comma) for links.
The Opera browser features up-to-the-minute information from leading security agencies on
exploits, viruses and phishing scams. When you visit sites on the web, Opera checks this data
in real time and warns you when a site is identified as dangerous. In addition, Opera supports
Extended Validation certificates (EV) to provide added assurance and trust for secure websites.
An enhanced address field makes it easy to stay safe on the web. The complexity of long
addresses is hidden to make it clear which site you are visiting. A colored badge also indicates
the quality of encryption that is used; clicking it gives you detailed information about the site.
E. SAFARI
Safari isn't just the world's most innovative web browser. It changes the way you interact with
the web.
Safari features built-in support for Apple's VoiceOver screen reader in OS X. VoiceOver
describes aloud what appears on your screen and reads the text and links of websites. Using
VoiceOver, you can completely control the computer with the keyboard instead of the mouse.
Thanks to the enhanced keyboard navigation options in Safari, you can navigate the web
without a mouse. Press the Tab key, and Safari jumps to the next password field, pop-up menu,
or input field. For increased keyboard control, you can hold down the Option key while tabbing
to have Safari skip through every link on the page. And if you press the Return key, Safari
opens the highlighted link, letting you "point and click" with just a few keystrokes.
Apply a custom style sheet — that you download or create yourself — that sets default fonts,
font sizes, colors, and contrast, making your favorite websites more readable.
If you find that text on some websites is too small to read (such as photo captions or fine print),
Safari can increase the font size to make it more legible. Just set the minimum font size in the
advanced pane of Safari preferences.
Most add-ons are available as self-installing packages. This means the user can simply
double-click the add-on package to install the files for the corresponding program. Other add-ons
may require the user to manually move files into specific directories. While not all programs
support add-ons, many programs are now developed with add-on support, since it provides a
simple way for other developers to extend the functions of the program.
➢ WOT
WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or
send spam. Protect your computer against online threats by using WOT as your front-line layer of
protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you
ratings for 21 million websites - green to go, yellow for caution and red to stop – helping you avoid
the dangerous sites. Surf safer and add WOT to your Firefox now.
WOT rates each site on four components:
▪ Trustworthiness
▪ Vendor reliability
▪ Privacy
▪ Child safety
If you are about to enter a risky website, WOT will warn you before you interact with the
harmful site. With safety ratings for 21 million websites, WOT combines evidence collected from
multiple trusted sources, like phishing and spam blacklists, with the ratings provided by WOT
users. The system uses sophisticated algorithms to produce reliable and up-to-date ratings.
WOT lets you customize your level of protection to make your browsing experience safe and
enjoyable. To protect your family, you can even set WOT to block inappropriate content for
children.
Ratings are shown on Google, Yahoo!, Gmail, Wikipedia, Digg and other sites. WOT comes in 10
languages.
➢ ADBLOCK
Annoyed by all those ads and banners on the internet that often take longer to download than
everything else on the page? Install Adblock Plus and get rid of them.
Right-click on a banner and choose "Adblock" from the context menu, and the banner won't be
downloaded again. You can even replace parts of the banner address with star symbols to block
similar banners as well. If you select a filter subscription when Adblock Plus starts up the first
time, even this simple task will usually be unnecessary: the filter subscription blocks most
advertisements fully automatically.
➢ NO SCRIPT
The best security you can get in a web browser! Allow active content to run only from sites you
trust, and protect yourself against.
➢ LASTPASS
LastPass is a free online password manager and form filler that makes your web browsing easier
and more secure. LastPass supports IE and Firefox as plugins (Opera, Safari, Chrome, iPhone and
Opera Mini via bookmarklets), allows you to import from every major password storage vendor
and export too, captures passwords that other managers won't, including many AJAX forms, and
helps you generate strong passwords easily. Your sensitive data is encrypted locally before
upload, so even LastPass cannot get access to it. One-time passwords and a screen keyboard help
protect your master password.
➢ PANIC BUTTON
Quickly hide all browser windows with a click of a button.
Don't want the boss to catch you surfing the Web on company time? Don't want your teacher,
classmates, roommate or significant other to see the Web sites you're viewing? With Panic Button,
a single click of a toolbar button will quickly hide all Firefox windows -- bring them back by
clicking a button on the Restore Session toolbar. The Panic Button action can also be invoked by
pressing F9 (Command+F9 on the Macintosh).
The famous Adblock Plus for Firefox is finally available for Google Chrome. It brings the same
convenience of blocking unwanted ads as you're used to.
Simply install it and forget it. It'll block all the ads in the background, update its filters
automatically and never bother you.
❖ GOOGLE QUICK SCROLL
You type a search query on Google, find a site which contains that query and then, when you land
on that web page, you have a hard time locating the words you searched for. Sounds familiar? Well,
Google Quick Scroll, developed by Google itself, is the solution. It saves you time by helping you
quickly locate the relevant portion of a search result on the landing page.
❖ SPLIT SCREEN
Split Screen, as the name suggests, splits the Chrome screen into two panes so that you can
browse two websites side by side. It will save time when you want to compare the content on two
sites for whatever reason.
No matter which browser you've picked for everyday use, chances are you've customized your
browser to make it your own. Here are 5 free tools which will let you back up and preserve your
browser profile, so all the tweaking you've done is safe. [12]
Google's shiny new browser doesn't come with extensions yet, but 'Google Chrome Backup'
will help you save all your bookmarks and settings. Not only that, you can easily create
multiple user profiles (each with different settings/bookmarks) and switch between them
quickly.
MozBackup is a cross-Mozilla backup utility which allows you to back up and restore
bookmarks, mail, contacts, history, extensions, cache etc.
[12] http://www.friedbeef.com/how-to-backup-any-browser-5-tips-for-google-chrome-firefox-safari-internet-explorerand-opera/
BackRex Internet Explorer Backup is a backup and restore tool for Internet Explorer. It allows
you to backup favorites, history, proxy settings, fonts, autocomplete passwords and cookies.
Not only that – it supports backups across different versions of IE e.g. IE 6 to IE7 and vice
versa.
UNIT – 6
EMAIL SECURITY
Objectives: -
Email is a shorthand term meaning Electronic Mail. Email is much the same as a letter, only it is
exchanged in a different way. Computers use the TCP/IP protocol suite to send email messages in
the form of packets. The first thing you need to send and receive emails is an email address. When
you create an account with an Internet Service Provider you are usually given an email address to
send and receive emails with. If this isn't the case you can create an email address / account at web
sites such as Yahoo, Hotmail and Gmail.
John.Samsung@iqspl.com
The first field is the user name (John.Samsung), which names the recipient's mailbox. Then comes
the sign (@), which is the same in every email address. Then comes the domain name (iqspl.com),
which identifies the organisation's mail system; the mail server for that domain is found by a
DNS lookup and usually has its own IP address. The final part of an email address is the top-level
domain (TLD). For the above address this is 'com', which was originally intended for commercial sites.
❖ Convenience- If a desktop computer, laptop or mobile phone is around, you can type
your email message wherever you want, save it for later use and send it at any time
without having to worry about envelopes, stamps and tariffs.
❖ Speed- Emails typically arrive within seconds or minutes — anywhere in the world,
something that can be said only about a negligible number of the letters I've sent via
postal mail.
❖ Attachments - You can attach any file on your computer to an email message easily,
regardless of its type and, mostly, size. It's as easy to send a long master's thesis around
the world as it is to email a spread sheet, a report, pictures, or a saved game of your
favorite game.
❖ Accessibility - Emails can be stored conveniently in your email program. Good programs
make it easy to organize, archive and search your emails, so any information contained
in an email is always readily accessible.
❖ Cost- Save for the fee you pay for accessing the internet, sending and receiving emails is
typically free.
Typically, a message becomes available to the recipient within seconds after it is sent—one reason
why Internet mail has transformed the way that we are able to communicate. [13]
1. MESSAGE SENDER uses mail software, called a client, to compose a document, possibly
including attachments such as tables, photographs or even a voice or video recording.
2. TRANSMISSION CONTROL PROTOCOL (TCP), system software on the sender's computer,
divides the message into packets and adds information about how each packet should be
handled, for instance in what order the packets were transmitted. The packets are sent to a
mail submission server, a computer on the internal network of a company or an Internet
service provider.
3. MAIL SUBMISSION SERVER converts the domain name of the recipient's mail address
into a numeric Internet Protocol (IP) address. It does this by querying domain name servers
interspersed throughout the Internet. For example, the mail submission server can first
request from the "root" name server the whereabouts of other servers that store information
about ".com" domains. It can then interrogate the ".com" name server for the location of
the specific "iqspl.com" name server. A final request to the "iqspl.com" name server
returns the mail exchanger (MX) record for iqspl.com and from it the IP address of the
computer that receives mail for the domain, which is then attached to each message packet.
4. ROUTERS dispersed throughout the Internet read the IP address on a packet and relay it
toward its destination by the most efficient path. (Because of fluctuating traffic over data
lines, trying to transmit a packet directly to its destination is not always the fastest way.)
The packets of a single message may travel along different routes, shuttling through 10 or
so routers before their journey‘s end.
[13] http://www.seniorindian.com/email.htm
5. DESTINATION MAIL SERVER places the packets in their original order, according to
the instructions contained in each packet, and stores the message in the recipient‘s mailbox.
The recipient‘s client software can then display the message.
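The address anatomy above and the lookups in step 3, worked through in code, as an added example that is not from these notes. The name-server tables, the mail hosts and the IP addresses are constructed stand-ins for the real, distributed DNS (a real submission server sends these queries over the network); the address grammar is a practical subset of what RFC 5322 allows, not the full standard:

```python
import re

# Local part: letters, digits and a few punctuation characters; domain: dotted
# labels ending in a TLD of two or more letters. A practical subset of RFC 5322.
ADDRESS_RE = re.compile(
    r"^(?P<local>[A-Za-z0-9._%+-]+)@(?P<domain>(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")


def parse_address(address):
    """Split 'John.Samsung@iqspl.com' into its mailbox, domain and TLD."""
    m = ADDRESS_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a valid email address: {address!r}")
    domain = m["domain"].lower()
    return {"local_part": m["local"], "domain": domain,
            "tld": domain.rsplit(".", 1)[1]}


# Constructed name-server data. Each level only knows who to ask next,
# exactly as in step 3; the hosts and addresses are reserved example values.
ROOT_SERVER = {"com": "a.gtld-servers.example",      # root -> TLD servers
               "org": "a0.org-servers.example"}
TLD_SERVERS = {"iqspl.com": "ns1.iqspl.com",         # TLD -> the domain's name server
               "example.org": "ns1.example.org"}
AUTHORITATIVE = {
    "iqspl.com": {
        "MX": [(20, "mail2.iqspl.com"), (10, "mail.iqspl.com")],   # (preference, host)
        "A": {"mail.iqspl.com": "203.0.113.25", "mail2.iqspl.com": "203.0.113.26"},
    },
    "example.org": {"MX": [], "A": {"example.org": "203.0.113.80"}},
}


def resolve_mail_server(domain):
    """Walk root -> TLD -> authoritative server, then pick the preferred MX.

    Returns the mail host, its IP address and the chain of lookups made.
    A domain with no MX record falls back to its own A record, as SMTP
    clients do (the "implicit MX" rule of RFC 5321).
    """
    trace = []
    tld = domain.rsplit(".", 1)[-1]
    tld_server = ROOT_SERVER.get(tld)
    if tld_server is None:
        raise LookupError(f"root servers know no TLD {tld!r}")
    trace.append(f"root -> .{tld} is served by {tld_server}")
    auth_server = TLD_SERVERS.get(domain)
    if auth_server is None:
        raise LookupError(f".{tld} servers know no domain {domain!r}")
    trace.append(f"{tld_server} -> {domain} is served by {auth_server}")
    zone = AUTHORITATIVE[domain]
    if zone["MX"]:
        _, mail_host = min(zone["MX"])       # lowest preference value wins
        trace.append(f"{auth_server} -> MX for {domain} is {mail_host}")
    else:
        mail_host = domain                    # implicit MX: deliver to the A record
        trace.append(f"{auth_server} -> no MX for {domain}, using its A record")
    ip = zone["A"][mail_host]
    trace.append(f"{auth_server} -> A for {mail_host} is {ip}")
    return {"mail_host": mail_host, "ip": ip, "trace": trace}


def route(address):
    """Everything the submission server needs before it can hand the message on."""
    parsed = parse_address(address)
    return {**parsed, **resolve_mail_server(parsed["domain"])}


if __name__ == "__main__":
    result = route("John.Samsung@iqspl.com")
    print(result["local_part"], "->", result["mail_host"], result["ip"])
    for step in result["trace"]:
        print("  ", step)
```

Two details matter for security work: delivery goes to whatever the domain's MX record names, not necessarily to a host under that domain, and a domain without an MX record is still deliverable, so "no MX" is not the same as "no mail".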
Email addresses are commonly assigned by your Internet service provider (ISP), but you can also
obtain an email address through a website service. This is known as web based email.
Most people are familiar with setting up their email clients to receive mail through their ISP. The
client asks for a POP server (Post Office Protocol) in order to receive mail and an SMTP server
(Simple Mail Transfer Protocol) in order to send mail. However, most email clients can also be
used to collect web based email by configuring the client to connect to an IMAP server (Internet
Message Access Protocol). The IMAP server is part of the host's package. That said, the more
common way to access this mail is by using a browser.
Web based email has its advantages, especially for people who travel. Email can be collected by
simply visiting a website, negating the need for an email client or to log on from home. Wherever
a public terminal with Internet access exists, from the library to a café to the airport or hotel,
one can check, send and receive email quickly and easily.
Another advantage of web based email is that it provides an alternate address allowing you to
reserve your ISP address for personal use. If you would like to subscribe to a newsletter, enter a
drawing, register at a website, participate in chats, or send feedback to a site, a web based email
address is the perfect answer. It will keep non-personal mail on a server for you to check when
you wish, rather than filling up your private email box.
The other use of the word is to describe a Web-based email service: an email service offered
through a web site (a webmail provider) such as Gmail, Yahoo! Mail, Hotmail and AOL Mail.
Practically every webmail provider offers email access using a webmail client, and many of them
also offer email access by a desktop email client using standard email protocols, while many
internet service providers provide a webmail client as part of the email service included in their
internet service package.
As with any web application, webmail's main advantage over the use of a desktop email client is
the ability to send and receive email anywhere from a web browser. Its main disadvantage is the
need to be connected to the internet while using it (Gmail offers offline use of its webmail client
through the installation of Gears). There exist also other software tools to integrate parts of the
webmail functionality into the OS (e.g. creating messages directly from third party applications
via MAPI).
An email client, email reader, or more formally mail user agent (MUA), is a computer program
used to access and manage a user's email. The term can refer to any system capable of accessing
the user's email mailbox, regardless of it being a mail user agent, a relaying server, or a human
typing on a terminal. In addition, a web application that provides message management,
composition, and reception functions is sometimes also considered an email client, but more
commonly referred to as webmail.
Popular locally installed email clients include Microsoft Outlook, IBM Lotus Notes, Pegasus Mail,
Mozilla's Thunderbird, KMail in the Kontact suite, Evolution and Apple Inc.'s Mail.
6.4 EMAIL SECURITY
(A) Set up Spam Filters: - Enable spam filtering and adjust how aggressively you want to filter
under Spam Filtering on a user's Overview page. Doing this for a Default User applies these
settings to all new users in any org the Default User is assigned to. Doing this for any other
user applies the settings only to that user. You can set an overall level of aggressiveness for
filtering all types of spam (Bulk Email) and then adjust separate filters for more aggressive
filtering of specific spam categories. [14] In Gmail, filters allow you to manage the flow of
incoming messages. Using filters, you can automatically label, archive, delete, star, or
forward your mail, or even keep it out of Spam.
(B) Prevent Yourself from Phishing: - Phishing scams can happen when malicious
organizations or people (also known as cybercriminals) present themselves as an entity you
can trust, then try to trick you, or lure you, into providing them with your personal
information. Phishing scams normally occur via email, websites, text messages, and
sometimes, even phone calls. Cybercriminals will often pose as your bank or financial
institution, your employer, or any other entity that you normally trust with your information.
To protect yourself from phishing scams, you can learn about the methods these
cybercriminals use and the signs that indicate you may be a potential victim.
14 https://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_ee_cu/spam_enable.html
(ii) Review suspicious emails and text messages for spelling and punctuation errors.
(iii) Call the organization directly to verify the inquiry.
(iv) Examine the website links and logos in suspicious emails you receive.
(v) Examine the email address of the entity that sent you the email.
(vi) Provide your personal information only to websites that are secure.
(C) Email Encryption: - If you want to be sure that your email can be read by no one but you,
then it needs to be encrypted. One of the best-known encryption systems is PGP encryption,
which is also available in open-source form. PGP stands for Pretty Good Privacy, which is
actually an understatement made by a programmer who didn't want to be too optimistic
about how secure it is. However, as it turns out, PGP has proven itself to be extremely good.
It's been around for many years, being maintained by the best coders in the world, and it
hasn't been cracked.
The Dailyhelmsman.com publication reported on 27th August, 2014 that the University of Memphis
had recently become a victim of phishing: many students received an email from the "help
desk". Memphis.edu is the domain of the University of Memphis, but it is reported that the
particular email did not contain that domain at all. The email requested students to click a link
and update their account by filling in their online credentials.
The University's Help Desk was alerted to the issue when a student called them stating that he
had received the email and did not know what to do. The help desk attendant asked the
student to forward the email to the office, which then sent it to abuse.memphis.edu, the
spam email help line of the University.
Ellen Watson, Chief Information Officer and Vice Provost of Information Technology of the
University, advised the students to be very careful when reading unfamiliar emails, as reported by
dailyhelmsman.com.
He continued by stating that, "We have stopped more than 7 million spam messages and on many
occasions different hackers try to steal others' identity in different ways." The University has
highlighted some important security tips on its official website to combat phishing attacks.
They include: Never click on links contained in an unsolicited email, as such links often lead to
fake Internet sites. For example, a phishing email may contain the link "Click here to update your
information", as in the above case, and then direct you to a fake business website requesting
personal credentials.15
UNIT 7
Objectives:-
7.1 Definition of Firewall
7.2 Types of Firewall.
7.3 Firewall techniques.
7.4 Unified threat management (UTM).
15 http://alertafrica.com/university-students-targeted-fraudulent-email-scam/
1. Hardware (external)
2. Software (internal)
While both have their advantages and disadvantages, the decision to use a firewall is far more
important than deciding which type you use.
1. Hardware Firewall
Typically called network firewalls, these external devices are positioned between your computer
or network and your cable. Many vendors and some Internet Service Providers (ISPs) offer devices
called "routers" that also include firewall features. Hardware-based firewalls are particularly useful
for protecting multiple computers but also offer a high degree of protection for a single computer.
If you only have one computer behind the firewall, or if you are certain that all of the other
computers on the network are up to date on patches and are free from viruses, worms, or other
malicious code, you may not need the extra protection of a software firewall. Hardware-based
firewalls have the advantage of being separate devices running their own operating systems, so they
provide an additional line of defense against attacks. Their major drawback is cost.
16 http://www.vicomsoft.com/learning-center
20 http://www.vicomsoft.com/learning-center/firewalls/
➢ Advantages of Hardware Firewall:
▪ Uses very little system resources.
▪ More secure.
▪ Enhanced security control.
▪ Dedicated hardware firewalls are typically more reliable.
▪ Easy to disable or remove.
▪ Work independently of associated computer systems.
2. Software Firewall
A software firewall is a commercial product that is sold as a standalone software package or comes
as part of a security suite where anti-virus and anti-spam or anti-spyware are part of the package.
Software firewalls are a popular choice for home users; depending on the type you buy, you could
get some protection against basic Trojans or email worms. A software firewall needs to be installed
on every computer that needs firewall protection.
21 http://www.vicomsoft.com/learning-center/firewalls/
➢ Advantages of Software Firewall:
▪ Considerably cheaper or even free
▪ Simple to install and upgrade
▪ Requires no physical changes to hardware or network
▪ Ideal for home/family use
▪ Takes up no physical space
All Internet traffic travels in the form of packets. A packet filtering firewall will examine the
information contained in the header of a packet which is attempting to pass through the network.
Information checked includes:
▪ Source IP address
▪ Source port
▪ Destination IP address
▪ Destination port
▪ IP protocol (TCP or UDP)
A packet filter firewall works at the network layer of the Open Systems Interconnection (OSI)
protocol stack, and so does not hide the private network topology behind the firewall from prying
eyes. It is important to be aware that this type of firewall only examines the header information;
the packet's contents and context are ignored. If data with malicious intent is sent from a trusted
source, this type of firewall is no protection. When a packet passes the filtering process, it is passed
on to the destination address. If the packet does not pass, it is simply dropped. Filtering consists
of examining incoming or outgoing packets and allowing or disallowing their transmission or
acceptance on the basis of a set of configurable rules, called policies.
This type of firewall is vulnerable to 'IP spoofing', a practice where a hacker will make his
transmission to the private LAN (Local Area Network) look as though it is coming from a trusted
source, thereby gaining access to the LAN.
Stateless firewalls watch network traffic, and restrict or block packets based on source and
destination addresses or other static values. They are not 'aware' of traffic patterns or data flows.
A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might
be received by the firewall 'pretending' to be something you asked for.
17 http://www.webopedia.com/TERM/F/firewall.html
Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful
firewalls are better at identifying unauthorized and forged communications.
It is called "stateful" because it examines the contents of the packet to determine the state of
the communication. A stateful firewall may examine not just the header information but also the
contents of the packet up through the application layer in order to determine more about the packet
than just information about its source and destination. It ensures that the stated destination
computer has previously acknowledged the communication from the source computer.
In this way all the communications are initiated by the "receiving" computer and take place
only with sources that are known or trusted from previous communication connections. In
addition, Stateful Packet Inspection firewalls are also more rigorous in their packet inspections.
Stateful Packet Inspection firewalls also close off ports until an authorized connection is requested
and acknowledged by the receiving computer. This allows for an added layer of protection from
the threat of "port scanning", a method used by hackers to determine what PC services or
applications are available to be utilized to gain access to the host computer.
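The stateless and stateful behaviour described above, as an added example that is not part of the original notes: a minimal packet filter in Python that checks only the header fields listed earlier (source and destination address, ports, protocol) against an ordered policy, beside a stateful variant that remembers connections opened from inside and so drops an inbound packet that merely looks like a reply. Addresses, rules and packets are constructed sample values; the stateful version tracks connection state only and does not inspect payloads.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str           # "TCP" or "UDP"
    syn: bool = False    # TCP SYN flag: True on a connection request


@dataclass(frozen=True)
class Rule:
    """One policy entry; None in a field matches any value."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


LAN = "192.168.1.0/24"   # the protected private network (sample value)

# Stateless policy: first match wins, anything unmatched is dropped. With no
# memory of past traffic, web replies can only come back through a static hole
# that admits any TCP packet whose source port is 80.
STATELESS_RULES: List[Rule] = [
    Rule("allow", "TCP", src=LAN, dst_port=80),     # LAN hosts may reach web servers
    Rule("allow", "TCP", dst=LAN, src_port=80),     # ...and replies must get back in
    Rule("deny"),
]

# Stateful policy only says what inside hosts may start; replies are admitted
# by the connection table, not by a rule.
STATEFUL_RULES: List[Rule] = [
    Rule("allow", "TCP", src=LAN, dst_port=80),
    Rule("deny"),
]


def stateless_filter(pkt: Packet, rules: List[Rule] = STATELESS_RULES) -> str:
    """Decide on a packet from its header alone."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Admits inbound traffic only if an inside host previously initiated it."""

    def __init__(self, rules: List[Rule] = STATEFUL_RULES) -> None:
        self.rules = rules
        # Open sessions keyed as (client_ip, client_port, server_ip, server_port, proto).
        self.sessions = set()

    def decide(self, pkt: Packet) -> str:
        # A reply to a session we recorded is allowed regardless of the rule set.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reply_key in self.sessions:
            return "allow"
        # Otherwise only a new connection started from inside may open a session;
        # an unsolicited packet that merely looks like a reply is dropped.
        from_inside = ip_address(pkt.src_ip) in ip_network(LAN)
        if not from_inside or (pkt.proto == "TCP" and not pkt.syn):
            return "deny"
        action = stateless_filter(pkt, self.rules)
        if action == "allow":
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return action


def demo():
    """Run the same three packets through both filters; returns (stateless, stateful)."""
    client_req = Packet("192.168.1.10", 51000, "203.0.113.5", 80, "TCP", syn=True)
    web_reply = Packet("203.0.113.5", 80, "192.168.1.10", 51000, "TCP")
    # Nobody inside asked for this: an outside host uses source port 80 so the
    # packet fits the stateless reply hole, aimed at a service port on the LAN host.
    unsolicited = Packet("198.51.100.7", 80, "192.168.1.10", 445, "TCP", syn=True)

    stateless = [stateless_filter(p) for p in (client_req, web_reply, unsolicited)]
    fw = StatefulFilter()
    stateful = [fw.decide(p) for p in (client_req, web_reply, unsolicited)]
    return stateless, stateful


if __name__ == "__main__":
    print(demo())   # (['allow', 'allow', 'allow'], ['allow', 'allow', 'deny'])
```

The stateless filter accepts the unsolicited packet because its header fits the static reply rule; the stateful filter drops it because no inside host opened that session.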
between the proxy server and the destination. Once connected, the proxy makes all packet-
forwarding decisions. Since all communication is conducted through the proxy server, computers
behind the firewall are protected.
This type of firewall works on the application level of the protocol stack, which enables it to
perform with more intelligence than a packet filtering or circuit gateway firewall. In computer
networking, an application layer firewall is a firewall operating at the application layer of a
protocol stack. Generally it is a host using various forms of proxy servers to proxy traffic instead
of routing it. As it works on the application layer, it may inspect the contents of the traffic, blocking
what the firewall administrator views as inappropriate content, such as certain websites, viruses,
and attempts to exploit known logical flaws in client software, and so forth. An application layer
firewall does not route traffic on the network layer. All traffic stops at the firewall which may
initiate its own connections if the traffic satisfies the rules.
Also called a "Circuit Level Gateway", this is a firewall approach that validates connections before
allowing data to be exchanged.
What this means is that the firewall doesn't simply allow or disallow packets but also determines
whether the connection between both ends is valid according to configurable rules, then opens a
session and permits traffic only from the allowed source and possibly only for a limited period of
time. Whether a connection is valid may, for example, be based upon:
Every session of data exchange is validated and monitored and all traffic is disallowed unless a
session is open.
Circuit Level Filtering takes control a step further than a Packet Filter. Among the advantages of
a circuit relay is that it can make up for the shortcomings of the ultra-simple and exploitable UDP
protocol, wherein the source address is never validated as a function of the protocol. IP spoofing
can be rendered much more difficult.
A disadvantage is that Circuit Level Filtering operates at the Transport Layer and may require
substantial modification of the programming which normally provides transport functions (e.g.
Winsock).
A hybrid firewall is a combination of two of the above-mentioned firewalls. The first commercial
firewall, the DEC SEAL, was a hybrid developed using an application gateway and a packet
filtering firewall. This type of firewall is generally implemented by adding packet filtering to an
application gateway to quickly enable a new service access to and from the private LAN.
The simplest firewalling mechanism is called packet filtering. In packet filtering, a firewall looks at each
packet and uses the packet's header information to decide if the packet should be delivered or
discarded. The decision most often relies on the packet's port number, which generally indicates
what type of application traffic the packet carries. Packet filtering is simple and fast, but its
simplicity means it is unable to detect attacks that are embedded in the application protocols
themselves. For example, Code Red and Nimda used HTTP messages to infect servers running
Microsoft Internet Information Server. Packet filtering can't stop these worms because it looks in
the wrong places to detect attacks. Not even a "stateful" packet filter keeps track of enough
information to distinguish between legitimate HTTP traffic and that which carries a worm
infection.
Often, the best choice is a firewall that offers a hybrid architecture combining packet filtering and
application layer proxies. This lets organizations tailor their firewall protection to optimize
performance while maintaining the appropriate level of security for the corresponding risk. Hybrid
firewalls use simple packet filtering to provide high throughput for lowest-risk traffic, stateful
inspection for slightly riskier traffic, and the application layer gateway where the risk of data-
driven attacks is highest. 18
Unified Threat Management (UTM) is the approach that many organizations have adopted to
improve visibility and control of their network security while lowering complexity of their
networks. UTM creates an environment in which all network security falls beneath a single,
consistent technology umbrella. UTM enables the consolidation of all traditional as well as next
generation firewall functions into a single device.
18 http://www.webopedia.com/DidYouKnow/Hardware_Software/firewall_types.asp
UTM is the evolution of the traditional firewall into an all-inclusive security product able to
perform multiple security functions within one single appliance: network firewall, network
intrusion prevention (IPS), gateway antivirus (AV), gateway anti-spam, virtual private network
(VPN), content filtering, load balancing, data leak prevention and on-appliance reporting.19
UTM firewalls offer significant management and cost advantages over single-purpose security
products, but often require feature and functionality tradeoffs. Products dedicated to a single
security application are typically more feature-rich and deliver higher performance.
19 http://www.isarg.org/utm-unified-threat-management.php
PHYSICAL SECURITY
Objectives: -
8.1 Understanding Physical Security
8.2 Need for Physical Security
8.3 Physical Security Equipment
8.4 Other Elements of Physical Security
Physical security is an extremely important part of keeping your computers and data secure: if an
experienced hacker can just walk up to your machine, it can be compromised in a matter of
minutes. That may seem like a remote threat, but there are other risks, like theft, data loss, and
physical damage, that make it important to check your physical security posture for holes.
20 http://www.vicomsoft.com/learning-center/firewalls/
21 http://books.google.co.in/
It deals with such things as personnel, the environment, the facility and its power supply, fire
protection, physical access, and even the protection of software, hardware, and data files.
Physical security is concerned with physical measures designed to safeguard people, to prevent
unauthorized access to equipment, facilities, hardware, materials and documents, and to safeguard
them from damage or loss.
Remember that network security starts at the physical level. All the firewalls in the world won't stop
an intruder who is able to gain physical access to your network and computers, so lock up as well as
lock down.
8.2 NEED FOR PHYSICAL SECURITY
The first layer of security you need to take into account is the physical security of your computer
systems. Security is the condition of being protected against danger or loss. As security is essential
in our day-to-day life, it is also essential in the world of computers. We have already seen the
importance of data stored in computers, its use and the consequences that we have to face if this
data is not protected, i.e., if it is not secured.
Computer Security can be defined as "the measures applied to ensure security and availability of
the information processed, stored and transmitted by the computer". It is the protection of
information assets through the use of technology, processes and training. The security measures
applied differ with the differing levels of security requirements. While physical security can be
achieved through the use of locks, security guards, closed circuit television, biometrics, smart
cards, fingerprinting, security tokens etc., logical security can be achieved through the use of
antivirus software, firewalls, intrusion detection systems etc.
22 http://whatis.techtarget.com/definition/closed-circuit-television-CCTV
CCTV relies on strategic placement of cameras and private observation of the camera's input on
monitors. The system is called "closed-circuit" because the cameras, monitors and/or video
recorders communicate across a proprietary coaxial cable run or wireless communication
link. Access to data transmissions is limited by design.
➢ Analog Cameras: - Analog cameras can record straight to a video tape recorder which is
able to record analogue signals as pictures. If the analogue signals are recorded to tape, then
the tape must run at a very slow speed in order to operate continuously. This is because in
order to allow a three hour tape to run for 24 hours, it must be set to run on a time lapse basis
which is usually about four frames a second. In one second, the camera scene can change
dramatically.
➢ Digital Cameras: - These cameras do not require a video capture card because they work
using a digital signal which can be saved directly to a computer. The signal is compressed
5:1, but DVD quality can be achieved with more compression (MPEG-2 is standard for
DVD-video, and has a higher compression ratio than 5:1, with a slightly lower video quality
than 5:1 at best, and is adjustable for the amount of space to be taken up versus the quality
of picture needed or desired). The highest picture quality of DVD is only slightly lower than
the quality of basic 5:1-compression DV.
8.3.2 BIOMETRICS
Biometrics comes from the Greek words "bio" (life) and "metric" (to measure). Biometrics refers to
technologies used for measuring and analyzing a person's unique characteristics.
▪ Physiological are related to the shape of the body. Examples include, but are not limited to
fingerprint, face recognition, DNA, hand and palm geometry, iris recognition, which has
largely replaced retina, and odour/scent.
▪ Behavioral are related to the behavior of a person. Examples include, but are not limited to
typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics for
this class of biometrics.
▪ Identification
Identification is determining who a person is. It involves trying to find a match for a person's
biometric data in a database containing records of people and that characteristic. This method
requires time and a large amount of processing power, especially if the database is very large.
▪ Verification
Verification is determining if a person is who they say they are. It involves comparing a user's
biometric data to the previously recorded data for that person to ensure that this is the same
person. This method requires less processing power and time, and is used for access control
(to buildings or data).
Currently, the prevailing techniques of user authentication are linked to passwords, user IDs,
identification cards and PINs (personal identification numbers). These techniques suffer from
several limitations: passwords and PINs can be guessed, stolen or illicitly acquired by covert
observation.
In addition, there is no way to positively link the usage of the system or service to the actual user.
A password can be shared, and there is no way for the system to know who the actual user is. A
credit card transaction can only validate the credit card number and the PIN, not if the transaction
is conducted by the rightful owner of the credit card.
• Unique: The various biometrics systems have been developed around unique
characteristics of individuals. The probability of 2 people sharing the same biometric data
is virtually nil.
• Cannot be lost: A biometric property of an individual can be lost only in case of serious
accident.
(1) Fingerprint
(2) Iris
(3) Retina
(4) Face
(5) Security tokens
(6) Smart Card
There are also a number of behavioral biometric technologies such as voice recognition (analyzing
a speaker's vocal behavior), keystroke (measuring the time spacing of typed words), gait
recognition (manner of walking), or signature (analyzing the way you sign).
Human fingerprints are unique to each person and can be regarded as a sort of signature, certifying
the person's identity. Because no two fingerprints are exactly alike, the process of identifying a
fingerprint involves comparing the ridges and impressions on one fingerprint to those of another.
The uniqueness of a fingerprint can be determined by the pattern of ridges and furrows as well as
the minutiae points. There are five basic fingerprint patterns: arch, tented arch, left loop, right loop
and whorl. Loops make up 60% of all fingerprints, whorls account for 30%, and arches for 10%.
Fingerprints are usually considered to be unique, with no two fingers having the exact same dermal
ridge characteristics.
Fingerprint Example
(iii) How does fingerprint biometrics work?
The main technologies used to capture the fingerprint image with sufficient detail are optical,
silicon, and ultrasound.
a. Minutia matching - It compares specific details within the fingerprint ridges. At registration
(also called enrolment), the minutia points are located, together with their relative positions to
each other and their directions. At the matching stage, the fingerprint image is processed to
extract its minutia points, which are then compared with the registered template.
b. Pattern matching - It compares the overall characteristics of the fingerprints, not only
individual points. Fingerprint characteristics can include sub-areas of certain interest including
ridge thickness, curvature, or density. During enrolment, small sections of the fingerprint and
their relative distances are extracted from the fingerprint. Areas of interest are the area around
a minutia point, areas with low curvature radius, and areas with unusual combinations of
ridges.
Note -There is some controversy over the uniqueness of fingerprints. The quality of partial prints
is however the limiting factor. As the number of defining points of the fingerprint becomes smaller,
the degree of certainty of identity declines. There have been a few well-documented cases of
people being wrongly accused on the basis of partial fingerprints.
➢ Function:
Iris recognition is a method of biometric authentication that uses pattern-recognition techniques
based on high-resolution images of the irises of an individual's eyes.
Iris Example
(ii) How does iris biometrics work?
An iris scan will analyze over 200 points of the iris, such as rings, furrows, freckles and the corona,
and will compare them with a previously recorded template.
Glasses, contact lenses, and even eye surgery do not change the characteristics of the iris.
To prevent an image / photo of the iris from being used instead of a real "live" eye, iris scanning
systems will vary the light and check that the pupil dilates or contracts.
➢ Functions
The retina biometric analyzes the layer of blood vessels located at the back of the eye. This
technique usually uses a low-intensity light source through an optical coupler and scans the unique
patterns of the layer of blood vessels known as the retina. Retina scanning is quite accurate and
very unique to each individual similar to the iris scan; but unlike the iris scan, it typically requires
the user to look into a receptacle and focus on a given point for the user's retina to be scanned.
This is not particularly convenient for people who wear glasses or are concerned about close
contact with the reading device. This technique is more intrusive than other biometric techniques;
as a result, retina scanning is not a very friendly process even though the technology itself is very
accurate for use in identification, verification and authentication.
A retina scan cannot be faked as it is currently impossible to forge a human retina. Furthermore,
the retina of a deceased person decays too rapidly to be used to deceive a retinal scan.
Retina Scan
A retinal scan has an error rate of 1 in 10,000,000, compared to fingerprint identification error
being sometimes as high as 1 in 500.
Retina biometric systems are suited for environments requiring maximum security, such as
government, military and banking. Retina biometric systems have been in use for military
applications since the early seventies.
➢ Functions
Face recognition can be an important alternative for selecting and developing an optimal biometric
system. Its advantage is that it does not require physical contact with an image capture device
(camera). A face identification system does not require any advanced hardware, as it can be used
with existing image capture devices (webcams, security cameras etc.).
Like fingerprint biometrics, facial recognition technology is widely used in various systems,
including physical access control and computer user account security.
Usually these systems extract certain features from face images and then perform face matching
using these features. A face does not have as many uniquely measurable features as fingerprints
and eye irises, so facial recognition reliability is slightly lower than these other biometric
recognition methods. However, it is still suitable for many applications, especially when taking
into account its convenience for the user. Facial recognition can also be used together with
fingerprint recognition or another biometric method for developing more security-critical applications.
Face Recognition
To prevent an image / photo of the face or a mask from being used, face biometric systems
will require the user to smile, blink, or nod their head. Also, facial thermography can be
used to record the heat of the face (which won't be affected by a mask). The main facial
recognition methods are: feature analysis, neural network, eigenfaces, and automatic
face processing.
Access to restricted areas like buildings, banks, embassies, military sites, airports, law
enforcement.
A security token, sometimes called an authentication token, is a small hardware device that the
owner carries to authorize access to a network service. It is used to prove one's identity
electronically, as in the case of a customer trying to access their bank account. The token is used
in addition to or in place of a password to prove that the customer is who they claim to be. The
token acts like an electronic key to access something.
The device may be in the form of a smart card or may be embedded in a commonly used object
such as a key fob. Security tokens provide an extra level of assurance through a method known as
two-factor authentication: the user has a personal identification number (PIN), which authorizes
them as the owner of that particular device; the device then displays a number which uniquely
identifies the user to the service, allowing them to log in. The identification number for each user
is changed frequently, usually every five minutes or so.
Unlike a password, a security token is a physical object. A key fob, for example, is practical and
easy to carry, and thus, easy for the user to protect. Even if the key fob falls into the wrong hands,
however, it can't be used to gain access because the PIN which only the rightful user knows is also
needed.
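The PIN-plus-displayed-number mechanism described above, as an added example that is not part of the original notes: the server derives the expected token code from a shared secret and the current time step, following the RFC 6238 (TOTP) construction rather than any particular vendor's token, and accepts a login only when both the PIN and a fresh, unused code are presented. The 300-second step follows the notes' "every five minutes or so"; the secret, PIN and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 300   # how long one displayed code stays valid (the notes say ~5 min)
DIGITS = 6


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """The number the fob shows at unix_time: HMAC-SHA1 of the time counter,
    truncated to DIGITS decimal digits (the TOTP construction of RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenService:
    """Server side: holds each user's PIN and token secret and checks both factors."""

    def __init__(self, users: Dict[str, dict], step: int = STEP_SECONDS) -> None:
        self.users = users                       # name -> {"pin": str, "secret": bytes}
        self.step = step
        self.last_counter: Dict[str, int] = {}   # last time step accepted per user

    def login(self, name: str, pin: str, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        user = self.users.get(name)
        if user is None:
            return False
        counter = now // self.step
        # Factor 1: something the user knows. Constant-time compare.
        pin_ok = hmac.compare_digest(pin.encode(), user["pin"].encode())
        # Factor 2: something the user has. Accept the current step or the one
        # before it so a fob whose clock drifts slightly still works.
        matched = None
        for candidate in (counter, counter - 1):
            expected = token_code(user["secret"], candidate * self.step, self.step)
            if hmac.compare_digest(code, expected):
                matched = candidate
        if not pin_ok or matched is None:
            return False
        # A code is single-use: once a step has been accepted, reject it again.
        if matched <= self.last_counter.get(name, -1):
            return False
        self.last_counter[name] = matched
        return True


def demo() -> Dict[str, bool]:
    """Walk through the cases the notes describe; returns case -> accepted?"""
    secret = b"constructed-shared-secret-0123"   # sample value, not a real key
    svc = TokenService({"alice": {"pin": "4821", "secret": secret}})
    t0 = 1_700_000_000                             # constructed timestamp
    code_now = token_code(secret, t0)
    code_next = token_code(secret, t0 + STEP_SECONDS)
    return {
        # Right PIN and the code currently on the fob: accepted.
        "pin_and_code": svc.login("alice", "4821", code_now, now=t0),
        # Same code presented again within its window: rejected as a replay.
        "replay_same_step": svc.login("alice", "4821", code_now, now=t0 + 10),
        # The fob alone (wrong PIN) is useless to whoever picked it up.
        "code_without_pin": svc.login("alice", "0000", code_next, now=t0 + STEP_SECONDS),
        # A code noted down earlier has expired two steps later.
        "stale_code": svc.login("alice", "4821", code_now, now=t0 + 2 * STEP_SECONDS),
        # The fresh code in the next step, with the PIN, works again.
        "fresh_next_step": svc.login("alice", "4821", code_next, now=t0 + STEP_SECONDS),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'accepted' if ok else 'rejected'}")
```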
A smart card, chip card, or integrated circuit card (ICC), is any pocket-sized card with embedded
integrated circuits. The card may embed a hologram to prevent counterfeiting. Smart cards may
also provide strong security authentication for single sign-on within large organizations. Smart
cards can be used for identification, authentication, data storage and application processing.
▪ Credit cards
▪ Electronic cash
▪ Computer security systems
▪ Wireless communication
▪ Loyalty systems (like frequent flyer points)
▪ Banking
▪ Satellite TV
▪ Government identification
A quickly growing application is in digital identification. In this application, the cards authenticate
identity. The most common example employs PKI. The card stores an encrypted digital certificate
issued from the PKI provider along with other relevant information. Combined with biometrics,
cards can provide two- or three-factor authentication. In 1999 Gujarat was the first Indian state to
introduce a smart card license system. To date it has issued 5 million smart card driving licenses
to its people.
In computers, the Mozilla Firefox web browser can use smart cards to store certificates for use in
secure web browsing. Some disk encryption systems, such as FreeOTFE, TrueCrypt and
Microsoft Windows 7 BitLocker, can use smart cards to securely hold encryption keys, and also
to add another layer of encryption to critical parts of the secured disk. Smart cards are also used
for single sign-on to log on to computers.
➢ Gates: - The purpose of a gate is to provide a break in a perimeter fence or wall to allow
entry. Gates are protected by locks, intermittent guard patrols, fixed guard posts, contact
alarms, CCTV, or a combination of these. The number of gates and perimeter entrances
should be limited to those absolutely necessary, but should be sufficient to accommodate the
peak flow of pedestrian and vehicular traffic.
➢ Fencing: - Fences are the most common perimeter barrier or control. Two types normally
used are chain link and barbed wire. The choice is dependent primarily upon the degree of
permanence of the facility and local ordinances. A perimeter fence should be continuous, be
kept free of plant growth, and be maintained in good condition.
➢ Walls: - Walls are not normally considered possible points of entry because of their usual
solid construction. However, they cannot be disregarded because intruders may be able to
break through them to gain entrance. Reinforcement at critical points may be necessary to
deter forced entry.
➢ Doors: - A door is a vulnerable point of the security of any building. A door should be
installed so the hinges are on the inside to preclude removal of the screws or the use of chisels
or cutting devices. Pins in exterior hinges should be welded, flanged, or otherwise secured,
or hinge dowels should be used to preclude the door's removal. The door should be metal or
solid wood. Remember that locks, doors, doorframes, and accessory builder's hardware are
inseparable when evaluating barrier value. Do not put a sturdy lock on a weak door. The best
door is of little value if there are exposed removable hinge pins, breakable vision panels, or
other weaknesses that would allow entry. Transoms should be sealed permanently or locked
from the inside with a sturdy sliding bolt lock or other similar device or equipped with bars
or grills.
➢ Building HVAC Systems: - Ventilation shafts, vents, or ducts, and openings in the building
to accommodate ventilating fans or the air conditioning system can be used to introduce
chemical, biological, and radiological (CBR) agents into a facility. Decisions concerning
protective measures should be implemented based on the perceived risk associated with the
facility and its tenants, engineering and architectural feasibility, and cost.
23 http://www.usgs.gov/usgs-manual/handbook/hb/440-2-h/440-2-h-ch4.html
Page 95
CYBER SECURITY NOTES
➢ Fire Resistance: - Fire resistance means the ability of building components and systems to
perform their intended fire separating and/or loadbearing functions under fire exposure. Fire
resistant building components and systems are those with specified fire resistance ratings
based on fire resistance tests. These ratings, expressed in minutes and hours, describe the
time duration for which a given building component or system maintains specific functions
while exposed to a specific simulated fire event. Various test protocols describe the
procedures to evaluate the performance of doors, windows, walls, floors, beams, columns,
etc. The term 'fire proof' is a misnomer in that nothing is fire proof. All construction
materials, components and systems have limits beyond which they will be irreparably damaged by
fire.
The theft of a laptop computer and digital camera from a high school teacher's locked filing
cabinet brings to mind the fact that the physical security of our digital devices is just as
important as having Internet security software. All of the antivirus/antispyware/anti-Internet-
bad-guy software in the world won't protect you from a clever thief who steals your laptop
physically.24
UNIT – 9
MOBILE SECURITY
Objectives: -
24 http://www.normantranscript.com/news/local_news/physical-security-just-as-important-as-antivirus-software
1. ANDROID: The iPhone dominated technology news in 2007, 2008 and 2009. It's hard to
argue that any other device, software program or piece of technology had more of an impact
on a culture and an industry as each version launched through the years. It's no longer so cut-
and-dried. In 2010, Android displaced the iPhone as the best-selling smartphone platform in
the U.S., and powered many of the hottest smartphones including the EVO 4G, Droid X and
Samsung Galaxy S.
The Android Market grew by leaps and bounds and more and more developers indicated that they
see Android as the long-term path to success.
But the real news with Android wasn't just on phones. E-book readers, laptops, tablet and slate
computers, Google TV set-top boxes, car systems, television sets — you name it, an Android-
based variation is either out or probably in the works. Android's rise from second
or third-tier mobile platform to mobile superstar and embedded system of the future is
certainly one of the biggest stories of 2010.
2. IOS: Apple may have faced some tough competition in 2010, but the company didn't let iOS
sit idle. The fourth-generation iPhone, the introduction of iOS 4 and, of course, the iPad still
showed that Apple is in this game to play.
As a platform, iOS continues to enjoy the largest mobile application store (200,000 apps
and counting) and is the commercial platform of choice for many developers both large and
small. With iOS 4, the company added some new features to bring the OS to parity with
some of the competition, features like folders, multitasking and better notifications,
while still introducing its own special features like FaceTime, Game Center and the iBooks
store.
25 http://mashable.com/2010/10/15/defining-mobile-platforms/
Still, the biggest thing to happen to iOS was the iPad. The iPad is not just one of the biggest
technology stories of the year; it's one of the most successful product launches of all time.
Millions of units have sold in the last six months with supply levels finally reaching the point
that the device can be sold from outlets like Target, Wal-Mart and Amazon.com. The iPad is
helping transform the publishing industry, is being used in education, and is appealing to
users and buyers of all stripes. iOS faces more competition than ever but the platform
continues to remain strong and for many, is still the undisputed champion when it comes to
a consistent, usable user interface.
3. WINDOWS PHONE 7: Microsoft isn't a company that can often be described as the
underdog in any arena. In mobile, however, it's a pretty fair assessment. After ditching its
Windows Mobile platform (now dubbed Windows Phone Classic), Microsoft formally
announced Windows Phone 7 in February of 2010. The phones will be hitting store shelves
in Europe and Asia in a couple of weeks, with North America following soon after. With
Windows Phone 7, Microsoft is doing a very un-Microsoft thing and cutting all ties to its legacy Windows
Mobile platform. Starting from the ground-up, Windows Phone 7 takes a refreshingly different approach
to interface and smartphone user motifs.
Part Zune, part portable Xbox, part minicomputer, Windows Phone 7 is taking a bit of a
different path than its competitors like Android, iOS and BlackBerry. These differences are
how Microsoft hopes it can distinguish itself in the marketplace. Whether Windows Phone 7
is different enough or powerful enough to win back some of the mobile market, we'll have
to wait and see. Still, we wouldn't bet against Microsoft's ability to rally.
4. UNITY: Unity isn't a platform; it's an integrated authoring tool for creating 3D video games.
The Unity engine was already acclaimed for its role in making games for the web and Mac
and PC, but it really helped game developers go to the next level when Unity iOS hit the
scene.
Thanks to Unity, game developers can more rapidly create compelling and complex 3D worlds
and do better device testing, without having to know all of the ins and outs of Xcode. More
than 1,000 iOS games have been built using Unity, including best-sellers like Skee-Ball and
Zombieland USA. Unity is currently in beta for Android and will be available soon. Unity
might have been affected by Apple's brief ban on third-party programming tools, but Unity was always
confident its platform would be safe, and after Apple relaxed its guidelines in September,
Unity's place in the mobile platform development ecosystem was solidified.
5. APPCELERATOR: Like Unity, Appcelerator isn't a platform per se, it's more of a toolkit
for helping web developers create native applications for the iPhone, iPad, Android and
BlackBerry operating systems.
Appcelerator's Titanium platform has experienced terrific growth over the last year, with
companies big and small turning to the platform as a way to cut down on development time,
while still creating applications that are native, fast and intuitive.
9.2 OPERATING SYSTEMS USED FOR MOBILE
26 en.wikipedia.org/wiki/Symbian
Symbian has a native graphics toolkit since its inception, known as AVKON (formerly
known as Series 60). S60 was designed to be manipulated by a keyboard-like interface
metaphor, such as the ~15-key augmented telephone keypad, or the mini-QWERTY
keyboards. AVKON-based software is binary-compatible with Symbian versions up to and
including Symbian^3.
Symbian^3 includes the Qt framework, which is now the recommended user interface toolkit for
new applications. Qt can also be installed on older Symbian devices.
Symbian^4 was planned to introduce a new GUI library framework specifically designed for a
touch-based interface, known as "UI Extensions for Mobile" or UIEMO (internal project
name "Orbit"), which was built on top of Qt Widget; a preview was released in
January 2010. However, in October 2010 Nokia announced that Orbit/UIEMO had been
cancelled.
Nokia currently recommends that developers use Qt Quick with QML, the new high-level
declarative UI and scripting framework for creating visually rich touchscreen interfaces that
allows development for both Symbian and MeeGo; it will be delivered to existing Symbian^3
devices as a Qt update. When more applications gradually feature a user interface reworked
in Qt, the legacy S60 framework (AVKON) will be deprecated and no longer included with
new devices at some point, thus breaking binary compatibility with older S60 applications.
The BlackBerry platform is perhaps best known for its native support for corporate email, through
MIDP 1.0 and, more recently, a subset of MIDP 2.0, which allows complete wireless
activation and synchronization with Microsoft Exchange, Lotus Domino, or Novell
GroupWise email, calendar, tasks, notes, and contacts, when used with BlackBerry
Enterprise Server. The operating system also supports WAP 1.2.
Third-party developers can write software using the available BlackBerry API classes, although
applications that make use of certain functionality must be digitally signed. Research from
June 2011 indicates that approximately 45% of mobile developers were using the platform
at the time of publication. BlackBerry OS was discontinued after the release of BlackBerry
10, but BlackBerry will continue support for the BlackBerry OS.
27 en.wikipedia.org/wiki/BlackBerry_OS
3. ANDROID28: Android is a mobile operating system (OS) based on the Linux kernel that is
currently developed by Google. With a user interface based on direct manipulation, Android
is designed primarily for touchscreen mobile devices such as smartphones and tablet
computers, with variants for televisions (Android TV), cars (Android Auto), and wrists
(Android Wear). The OS uses touch inputs that loosely correspond to real-world actions, like
swiping, tapping, pinching, and reverse pinching to manipulate on-screen objects, and a
virtual keyboard. Despite being primarily designed for touchscreen input, it also has been
used in games consoles, digital cameras, and other electronics. As of 2011, Android has the
largest installed base of any mobile OS and as of 2013, its devices also sell more than
Windows, iOS, and Mac OS devices combined. As of July 2013 the Google Play store has
had over 1 million Android apps published, and over 50 billion apps downloaded. A
developer survey conducted in April–May 2013 found that 71% of mobile developers
develop for Android. At Google I/O 2014, the company revealed that there were over 1
billion active monthly Android users (that have been active for 30 days), up from 538 million
in June 2013.
Android's source code is released by Google under open source licenses, although most
Android devices ultimately ship with a combination of open source and proprietary software.
Initially developed by Android, Inc., which Google backed financially and later bought in
2005, Android was unveiled in 2007 along with the founding of the Open Handset Alliance—
a consortium of hardware, software, and telecommunication companies devoted to
advancing open standards for mobile devices.
Android is popular with technology companies which require a ready-made, low-cost and
customizable operating system for high-tech devices. Android's open nature has encouraged
a large community of developers and enthusiasts to use the open-source code as a foundation
for community-driven projects, which add new features for advanced users or bring Android
to devices which were officially released running other operating systems. The operating
system's success has made it a target for patent litigation as part of the so-called "smartphone
wars" between technology companies.
28 http://en.wikipedia.org/wiki/Android_operating_system
4. MICROSOFT 29 : Windows Phone is a smartphone operating system developed by
Microsoft. It is the successor to Windows Mobile, although it is incompatible with the earlier
platform. With Windows Phone, Microsoft created a new user interface, featuring a design
language named "Modern" (which was formerly known as "Metro"). Unlike its predecessor,
it is primarily aimed at the consumer market rather than the enterprise market. It was first
launched in October 2010 with Windows Phone 7.
Windows Phone 8.1, which was released in final form to developers on April 14, 2014 and
will be pushed out to all phones running Windows Phone 8 over the coming months, is the
latest release of the operating system.
Most versions of Windows Mobile have a set of standard features, such as multitasking and the
ability to navigate a file system similar to that of Windows 9x and Windows NT, with support
for many of the same file types. Much like its desktop counterpart, it comes bundled with a
set of applications to perform basic tasks. Internet Explorer Mobile is the default web browser
and Windows Media Player is the default media player used for playing digital media.
Microsoft Office Mobile, the mobile versions of Microsoft Office, is the default office suite.
Internet Connection Sharing, supported on compatible devices, allows the phone to share its
Internet connection with computers via USB and Bluetooth. Windows Mobile supports virtual
private networking (VPN) over the PPTP protocol. Most devices with mobile connectivity
include a Radio Interface Layer (RIL). RIL provides the system interface between the
CellCore layer within the Windows Mobile OS and the radio protocol stack used by the
wireless modem hardware. This allows OEMs to integrate a variety of modems into their
equipment.
29 en.wikipedia.org/wiki/Windows_Mobile
The user interface has changed much between versions but the basic functionality has remained
similar. The Today Screen, later called the Home Screen, shows the current date, owner
information, upcoming appointments, e-mail messages, and tasks. The taskbar shows the current
time, the audio volume and, on devices with a cellular radio, the signal strength. Windows
Mobile has supported the installation of third party software since the original Pocket PC
implementations.
If you're not running some kind of anti-malware app on your smartphone or tablet, then you're
putting yourself at risk of infection from corrupted apps and other kinds of malware.
The good news is that your options are far from limited. The best mobile antivirus apps offer not
only top-notch malware detection and prevention, but also a range of privacy and anti-theft
features, such as the ability to back up your contacts and other data, track your phone or tablet
using its internal GPS chip, or even snap a picture of a phone thief with the device's camera.
Given below are the best Security applications for your mobile30:
1. Avast! Mobile Security & Antivirus: -Its anti-malware protection is excellent, but the
breadth and scope of extra features in Avast! Mobile Security & Antivirus blew us away. Its
free version alone is as comprehensive as some other security apps' paid versions, and Avast's
premium version ($15 per year) has everything from a privacy adviser to a customizable
blacklist, and even options for rooted phones. The app almost does too much, but the well-
organized interface and support keep it user-friendly. Overall, Avast! Mobile Security &
Antivirus is our favorite Android security app.
2. Lookout Mobile Security: - The sole company on this list that makes only mobile security
products, Lookout's focus on smartphones and tablets clearly pays off in its products'
excellent performance speed, beautiful interface design — both in its app and its Web portal
— and wide range of anti-theft and privacy features. For $3 per month or $30 per year for
the premium version, Lookout has everything most users need to feel secure and private on
their mobile devices.
30 www.tomsguide.com/us/best-android-antivirus,review-2102.html
the Data Exposure feature, which helps you keep better tabs on your privacy. McAfee also
boasts an excellent interface full of helpful notes that keeps even its more complex features
simple and understandable. At $29.99 per year for the premium version, McAfee is easily
one of the best mobile security apps for Android.
This is ideal if your phone contains particularly sensitive data. For example, corporations with
sensitive business data on company phones will want to use encryption to help protect that
data from corporate espionage. An attacker won't be able to access the data without the
encryption key, although the dreaded freezer attack (a cold-boot attack that reads the key out
of chilled RAM) is always a possibility.
For the average person without sensitive data on their phone, encryption isn't likely to matter as
much. If your phone is stolen, most thieves would also be deterred from accessing your data
by a standard unlock code. The thief would likely be more interested in wiping and selling
the phone rather than accessing your personal data.
Some recent legal rulings have suggested that encryption can protect against warrantless searches.
The California Supreme Court has ruled that police officers can lawfully search your cell
phone without a warrant if it's taken from you during arrest, but they would require a
warrant if it was encrypted. A Canadian court has also ruled that phones can be searched
without a warrant as long as they're unencrypted.31
31 http://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/
➢ Encryption Warnings
Before you enable encryption, be aware that there are some drawbacks:
• Slower Performance: Encryption always adds some overhead, so your device will be a
bit slower. The actual speed decrease depends on your phone's hardware.
• Encryption is One-Way Only: After encrypting your device's storage, you can only
disable encryption by resetting your phone to its factory default settings. This will also
erase all the data stored on your phone, so you'll have to set it up from scratch.
A. BLUETOOTH:
Bluetooth is an open wireless protocol for exchanging data over short distances from fixed and
mobile devices, creating personal area networks (PANs). Bluetooth is a high-speed, low-power
microwave wireless link technology, designed to connect phones, laptops, PDAs and other
portable equipment together with little or no work by the user. It was originally conceived as a
wireless alternative to RS232 data cables. It can connect several devices, overcoming problems
of synchronization.
Bluetooth is the name for a short-range radio frequency (RF) technology that operates at 2.4
GHz and is capable of transmitting voice and data. The typical effective range of Bluetooth devices
is about 10 meters (33 feet). The original Bluetooth specification transfers data at 1 Mbps, which is
from three to eight times the average speed of parallel and serial ports, respectively. It was also
standardized as IEEE 802.15.1. It was invented to get rid of wires. Bluetooth is better suited to
connecting two devices point-to-point, whereas Wi-Fi is an IEEE 802.11 standard intended for
networking.
B. MOBILE HOTSPOTS32: -
Mobile hotspots are portable devices or features on smartphones that provide wireless Internet
access on many devices (your laptop, smartphone, MP3 player, tablet, portable gaming
device, etc.).
Like USB modems from wireless carriers, mobile hotspots typically use mobile broadband service
from cellular providers for 3G or 4G Internet access. Unlike those mobile USB sticks,
though, mobile hotspots allow multiple devices to connect at the same time.
One of the earliest mobile hotspots was the MiFi, a small credit-card sized device made by Novatel
and offered first by Verizon. It broadcasts the 3G cellular signal that can be shared wirelessly
by up to 4 devices. Besides the MiFi, which is also carried on AT&T and Virgin Mobile,
there are other similar mobile hotspots, such as Clear's iSpot for Apple iOS devices and
3G/4G Clear Spot.
Besides portable mobile Wi-Fi hotspots, some smartphones can act as mobile hotspots, sharing
their wireless data connection with several devices. The Palm Pre Plus and Pixi Plus had this
feature built-in, and Verizon offered the hotspot service for free. Verizon introduced a unique
3G mobile hotspot feature with its launch of the iPhone 4.
If you have multiple devices that you use on the go, a mobile Wi-Fi hotspot can be a critical
accessory. Rather than using your cell phone as a modem and connecting it to your laptop
with a USB cable or via Bluetooth for tethering, you can connect to a mobile hotspot (device
or your smartphone) for Internet access anywhere you have a cellular signal. The major
downside is that you often need to pay an extra fee for mobile broadband service.
32 http://mobileoffice.about.com/od/glossary/g/mobile-hotspot.htm
Vendors such as Trend Micro sell anti-virus software and Intrusion Detection Systems (IDS) for
mobile devices. Installing these can protect mobile devices from known malware. Some
vendors also sell firewalls for mobile devices. However, it is not clear whether common
users would go to the extent of installing such additional software on their devices.
Mobile device manufacturers release updates to the firmware of the devices. These may contain
patches for the vulnerabilities that are exploited by mobile malware. Upgrading to new
firmware may reduce the threat of being infected by mobile malware.
As in the case of PC viruses, it is best not to install applications or to download other software
from untrusted sources.
MMS messages that carry a malicious payload can be detected at the service provider based on
their signatures and thus can be filtered out at the service provider itself.
The futuristic threats described above can be equated to the metaphorical tip of the iceberg. The
possibilities of attacking mobile devices are limited only by what the technology
permits, and hence very strong measures need to be taken for protection against
such attacks. The protection mechanisms can be broadly classified on the basis of the
requirements of the protection systems. They are:-
➢ System level security (for example the MOSES architecture): aims to make the system more
secure by restricting the execution of unauthorized applications.
➢ Network level security (the proactive approach): aims to provide a basis for filtering out
malware transiting over the network between various devices.
Check Point Capsule works by first encapsulating an application and then applying governance
policies to any file or document within that application. In effect, that enables IT organizations to
apply the same security policies they use on traditional desktop applications to mobile computing
environments.
Rules can be extended to the device that an end user shares those documents with because all the
files within the Check Point Capsule environment are encrypted.
Check Point Capsule also provides the ability to scan all traffic coming from iOS, Android,
Windows and MacOS devices in the cloud to prevent malicious files and code from infecting the
rest of the enterprise.
Regardless of who actually owns them, mobile devices have become a major security headache
for IT organizations. To address that issue, many of them have invested in additional mobile
security products that come complete with their own console. In effect, Check Point is now moving
to reunify security management by making it possible to apply a consistent set of rules to all the
applications and devices, which exists throughout the extended enterprise from within the confines
of a single management console.33
33 http://www.itbusinessedge.com/blogs/it-unmasked/check-point-software-rises-to-mobile-security-challenge.html
Question:
I had, in my cell phone some personal photographs taken with my college friends during our
Industrial tour. I recently got a new cell phone after exchanging my old one but not before deleting
all the photos. Am I fully secured by this act of deletion?
Answer:
Good and very relevant question. Cellphone storage consists of the data stored in the SIM or the
hand set or the memory card or all of these. The storage and retrieval technology in cell phones
does not conform to any specific standard. In PCs and servers, we just have mostly Windows or
UNIX or Linux as the OS. The operating systems in cell phones are diverse and are not
standardized. Technologically, in cell phones, there is nothing like deletion. Almost everything
which is 'deleted' in the operating system of the cell phone handset can be recovered by
sophisticated and latest software. The technology or the act of recovering the data from discarded
pieces of hardware like cell phones or surrendered hard disks etc. is called 'Scavenging' and such
data when used for cyber harassment or blackmail etc. become an offence. Hence any cell phone
surrendered under buyback or lost, always exposes the owner to the risk of data retrieval including
photos or text or any other confidential even bank related information if any stored in it. No one
can predict how the surrendered instruments are going to be used and what recovery tools are
going to be run and how much data is going to be recovered from it. It would be always prudent
NOT to store any confidential information or personal data in cell phones and never to surrender
them under a buyback option.34
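The point made in the answer above, that a "deleted" photo is still sitting in the handset's storage, can be shown with a small simulation. This is an added example, not part of the notes: a toy flash volume with a directory table is built in memory (constructed data, not a real phone dump), a photo is written and deleted the way ordinary filesystems delete (the directory entry goes, the data blocks stay), and a scavenger recovers it by carving the raw image for the JPEG marker bytes. The file name and contents are assumed for illustration.

```python
"""Added example (not from the notes): why "deleting" a photo does not remove it.

A toy flash image is built in memory (constructed data, not a real phone dump).
Files are "deleted" the way most filesystems do it: the directory entry is
dropped and the data blocks are left in place. A scavenger then recovers the
photo by carving the image for JPEG marker bytes. Only overwriting the blocks
(secure_delete) defeats the carving.
"""

JPEG_SOI = b"\xff\xd8\xff"   # Start Of Image: every JPEG file begins with these bytes
JPEG_EOI = b"\xff\xd9"       # End Of Image marker


def fake_jpeg(payload):
    """Constructed JPEG-shaped blob: real markers around stand-in picture data."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


class ToyFlash:
    """A directory table plus a flat data area, like a much simplified FAT volume."""

    def __init__(self, size):
        # factory state: deterministic filler that never contains a JPEG marker
        self.data = bytearray((bytes(range(256)) * (size // 256 + 1))[:size])
        self.dir = {}       # file name -> (offset, length)
        self._next = 0      # next free byte

    def write(self, name, content):
        off = self._next
        self.data[off:off + len(content)] = content
        self.dir[name] = (off, len(content))
        self._next += len(content)

    def delete(self, name):
        """What a normal delete does: forget the entry, keep every byte."""
        del self.dir[name]

    def secure_delete(self, name):
        """Overwrite the blocks before dropping the entry. (Flash wear levelling can
        still keep stale copies elsewhere; full-device encryption followed by key
        destruction is the reliable answer on a real handset.)"""
        off, length = self.dir.pop(name)
        self.data[off:off + length] = b"\x00" * length


def carve_jpegs(image):
    """Signature carving: every SOI..EOI span, no filesystem metadata needed."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(bytes(image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


PHOTO = fake_jpeg(b"industrial tour, college friends")   # constructed sample file


def after_plain_delete():
    """Returns (directory, carved files) once the photo has been 'deleted'."""
    flash = ToyFlash(4096)
    flash.write("IMG_0001.JPG", PHOTO)
    flash.delete("IMG_0001.JPG")              # gone from the file list...
    return flash.dir, carve_jpegs(flash.data)  # ...but carvable from the raw image


def after_secure_delete():
    """Same, but with the blocks overwritten first."""
    flash = ToyFlash(4096)
    flash.write("IMG_0001.JPG", PHOTO)
    flash.secure_delete("IMG_0001.JPG")
    return flash.dir, carve_jpegs(flash.data)


if __name__ == "__main__":
    print("plain delete  ->", after_plain_delete())
    print("secure delete ->", after_secure_delete())
```

Forensic carving tools do exactly this against a dump of the handset's NAND, for dozens of file signatures at once; that is the "scavenging" the answer refers to. Overwriting is the minimum that helps, but on flash memory the only deletion that can be relied on is encrypting the device before use and then wiping the key.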
34 www.Google.com
UNIT – 10
CRYPTOGRAPHY
Objectives: -
The idea behind concealing written information in a coded list of letters and then transmitting it to
the intended recipient without others being able to understand it has been around for centuries.
Historically, cryptography has been used by governments, empires, or the military to conceal or
encode top secret information.
Safeguarding your data is critical to running your business and protecting the privacy of employees
and customers. The news is rife with reports of data being lost or stolen from laptops left, USB
flash drives dropped, or unencrypted CDs and DVDs.
Cryptology is the practice and study of hiding information. Cryptology is as old as writing itself,
and has been used for thousands of years to safeguard military and diplomatic communications.
Within the field of cryptology one can see two separate divisions:
Cryptography and Cryptanalysis: The cryptographer seeks methods to ensure the safety and
security of conversations while the cryptanalyst tries to undo the former's work by breaking his
systems. The main goals of modern cryptography can be seen as: user authentication, data
authentication data integrity, non-repudiation of origin, and data confidentiality.
❖ Cryptography: derived from the Greek words kryptos, meaning hidden, and graphein,
meaning to write. Cryptography is the art of "secret writing"; its intent is to provide
secure communication over insecure channels.
1) Confidentiality or Privacy: -
Confidentiality is the protection of information from disclosure to anyone not authorized to
see it. A stronger form is the protection of traffic flow from analysis, which requires that an
attacker not be able to observe the source and destination, frequency, length or any
other characteristics of the traffic on a communication facility.
2) Data Integrity: -
Ensuring the information has not been altered by unauthorized or unknown means. One
must have the ability to detect data manipulation by unauthorized parties. Data
manipulation includes such things as insertion, deletion, and substitution.
3) Authentication: -
Assurance that a communicating party, or the origin of a piece of data, is who or what it
claims to be (user authentication and data origin authentication, respectively).
4) Non-Repudiation: -
Non-repudiation prevents either sender or receiver from denying a message. Thus, when a
message is sent, the receiver can prove that the message was in fact sent by the alleged
sender. Similarly, when a message is received, the sender can prove the alleged receiver in
fact received that message.
❖ Rotation: In rotation ciphers letters are replaced by other letters. The transformation can
be represented by aligning two alphabets; the cipher alphabet is the plain alphabet
rotated left or right by some number of positions.
❖ Substitution: The name substitution cipher comes from the fact that each letter that
you want to encipher is substituted by another letter or symbol, but the order in which
these appear is kept the same.
➢ Rotational Ciphers
Rotation ciphers have a long history, a famous example being the Caesar Cipher, a substitution
cipher used to encode messages by replacing each letter with the letter a fixed number of positions
(the rotation) away in the alphabet.
Double-encoding ROT13 results in a shift of 26, which returns exactly the original message and is the
same as no encoding. This is often humorously termed 2ROT13 or ROT26.
Decrypting a rotationally encrypted message requires no secret key. It only requires the knowledge that
rotational substitution is being used: there are only 25 non-trivial shifts, so an attacker simply
tries them all.
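The rotation cipher, its ROT13 special case and the "no key needed" attack, as an added example that is not part of the notes. The message and the crib word used to pick out the right shift are assumed for illustration.

```python
"""Added example (not from the notes): a rotation cipher and why it needs no key to break.

rotate() is the Caesar/ROT-n transform; ROT13 is the special case shift=13.
brute_force() recovers the message with no key at all: there are only 25 useful
shifts, so the attacker tries every one and picks the candidate that reads as text.
"""


def rotate(text, shift):
    """Shift each letter `shift` positions through the alphabet (wrapping);
    non-letters pass through unchanged and case is preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13: applying it twice is a shift of 26, i.e. the identity ("ROT26")."""
    return rotate(text, 13)


def brute_force(ciphertext):
    """Every candidate plaintext, keyed by the shift that produces it."""
    return {k: rotate(ciphertext, -k) for k in range(26)}


def crack(ciphertext, crib):
    """Pick the shift whose candidate contains a word the attacker expects (the crib).
    Returns that shift, or None when no candidate contains the crib."""
    for k, candidate in brute_force(ciphertext).items():
        if crib in candidate:
            return k
    return None


if __name__ == "__main__":
    ct = rotate("Attack the east wall at dawn", 7)   # assumed message and shift
    print(ct)
    for k, candidate in brute_force(ct).items():
        print(k, candidate)
    print("recovered shift:", crack(ct, "wall"))
```

The "key" of a rotation cipher is a single number between 1 and 25, so listing the 26 candidates is the whole attack; in practice a frequency score or a known word (the crib) picks the right line out of the list automatically.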
➢ Substitution Cipher
The simple substitution cipher is a cipher that has been in use for many hundreds of years. It
basically consists of substituting every plaintext character for a different cipher text character. It
differs from Caesar cipher in that the cipher alphabet is not simply the alphabet shifted, it is
completely jumbled.
A. Monoalphabetic substitution
Monoalphabetic substitution involves replacing each letter in the message with another
letter of the alphabet.
The encryption and decryption steps involved with the simple substitution cipher are as follows. The text we will
encrypt is "defend the east wall of the castle".
Keys for the simple substitution cipher usually consist of 26 letters (compared to the Caesar cipher's
single number). An example key is:
It is easy to see how each character in the plaintext is replaced with the corresponding letter in the
cipher alphabet.
B. Polyalphabetic substitution
Several substitutions are used. It is used to hide the statistics of the plain-text. For example:
Suppose that a Polyalphabetic cipher of period 3 is being used, with the three monoalphabetic
ciphers M1, M2, M3 as defined below.
To encrypt a message, the first 3 letters of the plaintext are enciphered according to ciphers M1,
M2, M3 respectively, with the process being repeated for each subsequent block of 3 plaintext
letters.
Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
M1:    K D N H P A W X C Z I M Q J B Y E T U G V R F O S L
M2:    P A G U K H J B Y D S O E M Q N W F Z I T C V L X R
M3:    J M F Z R N L D O W G I A K E S U C Q V H Y X T P B
Example:-
Plaintext:  Now is the time for every good man
Ciphertext: JQX CZ VXK VCER AQC PCRTX LBQZ QPK
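Both substitution ciphers described above, monoalphabetic and period-3 polyalphabetic, as one added example that is not part of the notes. It uses the three cipher alphabets M1, M2, M3 printed in the text, and enciphering the example sentence with them gives JQX CZ VXK VCER AQC PCRTX LBQZ QPK. The notes do not print the 26-letter key for the "defend the east wall of the castle" example, so MONO_KEY below is an assumed key; the most_common_letter() helper shows the statistical difference between the two ciphers that the text mentions.

```python
"""Added example (not from the notes): simple substitution and periodic polyalphabetic
substitution, using the three cipher alphabets M1, M2, M3 given in the text.

A cipher alphabet lists, in order, the images of a..z. With one alphabet this is
monoalphabetic substitution; with n alphabets used in rotation it is a
polyalphabetic cipher of period n. MONO_KEY is an assumed key for the
"defend the east wall of the castle" example, since the notes do not print theirs.
"""
import string
from collections import Counter

PLAIN = string.ascii_lowercase

# Assumed key for the monoalphabetic example (not the one from the notes).
MONO_KEY = "PHQGIUMEAYLNOFDXJKRCVSTZWB"

# The three alphabets of the period-3 cipher from the text.
M1 = "KDNHPAWXCZIMQJBYETUGVRFOSL"
M2 = "PAGUKHJBYDSOEMQNWFZITCVLXR"
M3 = "JMFZRNLDOWGIAKESUCQVHYXTPB"


def check_alphabet(alphabet):
    """A usable key is a permutation of A..Z: every letter exactly once."""
    if sorted(alphabet) != list(string.ascii_uppercase):
        raise ValueError("cipher alphabet must be a permutation of A-Z: %r" % alphabet)
    return alphabet


def encrypt(plaintext, alphabets):
    """Letter number i (counting letters only) is enciphered with
    alphabets[i % period]; spaces and punctuation pass through."""
    alphabets = [check_alphabet(a) for a in alphabets]
    out, i = [], 0
    for ch in plaintext:
        if ch.isalpha():
            out.append(alphabets[i % len(alphabets)][PLAIN.index(ch.lower())])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, alphabets):
    """Inverse: look the ciphertext letter up in the alphabet used for that position."""
    alphabets = [check_alphabet(a) for a in alphabets]
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            out.append(PLAIN[alphabets[i % len(alphabets)].index(ch.upper())])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def most_common_letter(text):
    """Frequency analysis hook: under a monoalphabetic key the image of plaintext 'e'
    keeps e's high frequency; a period-3 key spreads it over three letters."""
    counts = Counter(c for c in text.upper() if c.isalpha())
    return counts.most_common(1)[0]


if __name__ == "__main__":
    mono = encrypt("defend the east wall of the castle", [MONO_KEY])
    poly = encrypt("now is the time for every good man", [M1, M2, M3])
    print(mono, most_common_letter(mono))
    print(poly, most_common_letter(poly))
```

Period 1 is the simple substitution cipher and period n the polyalphabetic one, so the same two functions serve both sections; the only difference an attacker sees is that with period 3 the letter counts are flattened, and the first step of breaking it is to recover the period and then attack each of the three alphabets as a separate monoalphabetic cipher.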
➢ Transposition Cipher
Transposition (or anagram) ciphers are where the letters are jumbled up together. Instead of
replacing characters with other characters, this cipher just changes the order of the characters.
A transposition cipher is a rearrangement of the letters in the plaintext according to some specific
system & key (i.e. a permutation of the plaintext).
Example:- (key, plaintext and ciphertext)
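A keyed transposition (columnar transposition) as an added example that is not part of the notes. The keyword ZEBRAS and the message are assumed for illustration; the key is the permutation of columns that the keyword's letters define.

```python
"""Added example (not from the notes): columnar transposition with a keyword.

The plaintext is written row by row under the keyword and read out column by
column in the alphabetical order of the keyword's letters; that column order is
the key (a permutation). Keyword and message are assumed for illustration.
"""
from collections import Counter


def column_order(keyword):
    """The permutation: column indexes sorted by keyword letter (ties left to right)."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def encrypt(plaintext, keyword, pad="X"):
    """Write the letters in rows of len(keyword), then read the columns in key order."""
    n = len(keyword)
    text = "".join(c for c in plaintext.upper() if c.isalpha())
    text += pad * (-len(text) % n)                      # fill the last row
    rows = [text[i:i + n] for i in range(0, len(text), n)]
    return "".join(row[c] for c in column_order(keyword) for row in rows)


def decrypt(ciphertext, keyword):
    """Cut the ciphertext into columns of equal height, put them back in key order,
    then read the rows."""
    n = len(keyword)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the keyword length")
    height = len(ciphertext) // n
    columns = {}
    for k, c in enumerate(column_order(keyword)):
        columns[c] = ciphertext[k * height:(k + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(n))


def same_letters(a, b):
    """Transposition only reorders: the letter histogram is unchanged, which is how
    an analyst tells a transposition from a substitution."""
    return Counter(a) == Counter(b)


if __name__ == "__main__":
    ct = encrypt("WE ARE DISCOVERED FLEE AT ONCE", "ZEBRAS")
    print(column_order("ZEBRAS"), ct)
    print(decrypt(ct, "ZEBRAS"))
```

Because nothing is substituted, the ciphertext has exactly the plaintext's letter frequencies; that is the tell-tale of a transposition, and it is why transposition is normally combined with substitution rather than used alone.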
In cryptographic systems, the term key refers to a numerical value used by an algorithm to alter
information, making that information secure and visible only to individuals who have the
corresponding key to recover the information.
❖ Secret-key encryption uses one key, the secret key, to both encrypt and decrypt messages.
This is also called symmetric encryption. The term "private key" is often used
inappropriately to refer to the secret key.
❖ Public key cryptography, also called asymmetric encryption, uses a pair of keys for
encryption and decryption. With public key cryptography, keys work in pairs of matched
public and private keys. The public key can be freely distributed without compromising
the private key, which must be kept secret by its owner. Because these keys work only
as a pair, encryption initiated with the public key can be decrypted only with the
corresponding private key.
Secret-key encryption is also called conventional, private-key, single-key or secret-key encryption. Sender and recipient share
a common key. With secret key cryptography, a single key is used for both encryption and
decryption. The sender uses the key (or some set of rules) to encrypt the plaintext and sends the
cipher text to the receiver. The receiver applies the same key (or rule set) to decrypt the message
and recover the plaintext.
Secret key cryptography is also known as symmetric key cryptography. With this type of
cryptography, both the sender and the receiver know the same secret code, called the key.
Messages are encrypted by the sender using the key and decrypted by the receiver using the same
key.
This method works well if you are communicating with only a limited number of people, but it
becomes impractical to exchange secret keys with large numbers of people. In addition, there is
also the problem of how you communicate the secret key securely.
Secret-key cryptography is often used to encrypt data on hard drives. The person encrypting the
data holds the key privately and there is no problem with key distribution. Secret-key cryptography
is also used for communication devices like bridges that encrypt all data that cross the link. A
network administrator programs two devices with the same key, and then personally transports
them to their physical locations.
If secret-key cryptography is used to send secret messages between two parties, both the sender
and receiver must have a copy of the secret key. However, the key may be compromised during
transit. If you know the party you are exchanging messages with, you can give them the key in
advance. However, if you need to send an encrypted message to someone you have never met;
you'll need to figure out a way to exchange keys in a secure way.
Triple DES: key length 128 bits to 192 bits in 64-bit increments; a triple application of DES.
❖ Alice wants to communicate secretly with Tom. Alice encrypts her message using Tom's
public key (which Tom made available to everyone) and Alice sends the scrambled
message to Tom.
❖ When Tom receives the message, he uses his private key to unscramble the message so that
he can read it.
❖ When Tom sends a reply to Alice, he scrambles the message using Alice's public key.
❖ When Alice receives Tom's reply, she uses her private key to unscramble his message.
[35] http://crypto.stackexchange.com/
Hash functions are primarily used to generate fixed-length output data that acts as a shortened
reference to the original data. This is useful when the original data is too cumbersome to use in
its entirety.
One practical use is a data structure called a hash table where the data is stored associatively.
Searching linearly for a person's name in a list becomes cumbersome as the length of the list
increases, but the hashed value can be used to store a reference to the original data and retrieve
it in constant time (barring collisions). Another use is in cryptography, the science of encoding and
safeguarding data. It is easy to generate hash values from input data and easy to verify that the
data matches the hash, but for certain hash functions it is hard to 'fake' a hash value to hide malicious
data. This is the principle behind the PGP algorithm for data validation.
Hash functions are also frequently used to accelerate table lookup or data comparison tasks such
as finding items in a database, detecting duplicated or similar records in a large file and finding
similar stretches in DNA sequences.
There are several well-known hash functions used in cryptography. These include the message-digest
hash functions MD2, MD4, and MD5, used for hashing digital signatures into a shorter value called
a message digest, and the Secure Hash Algorithm (SHA), a standard algorithm that makes a larger
(160-bit) message digest and is similar to MD4.
SHA (Secure Hash Algorithm), the algorithm specified in the Secure Hash Standard (SHS), was
developed by NIST. SHA-1 was a revision to SHA that was published in 1994. The revision
corrected an unpublished flaw in SHA. Its design is very similar to the MD4 family of hash
functions developed by Rivest.
The algorithm takes a message of less than 2^64 bits in length and produces a 160-bit message digest.
The algorithm is slightly slower than MD5, but the larger message digest makes it more secure
against brute-force collision and inversion attacks.
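The properties attributed to hash functions above can be checked directly. The program below is an added example using Python's hashlib (it is not part of the original text): it shows that the digest length is fixed whatever the input length (128 bits for MD5, 160 for SHA-1, 256 for SHA-256), that flipping one input bit changes roughly half the digest bits, and how a receiver verifies that data matches a published digest. The inputs are constructed; the SHA-1 value of "abc" is the published test vector.

```python
"""Hash function properties checked with hashlib. Added example, not the
textbook's own code; inputs are constructed."""
import hashlib
import hmac


def digest_bits(algorithm, data):
    """Digest length in bits: 128 for MD5, 160 for SHA-1, 256 for SHA-256,
    regardless of how long `data` is."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def avalanche_bits(algorithm, data):
    """How many digest bits flip when the first bit of the input flips.
    For a good hash this is close to half the digest length."""
    flipped = bytes([data[0] ^ 0x80]) + data[1:]
    a = int.from_bytes(hashlib.new(algorithm, data).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, flipped).digest(), "big")
    return bin(a ^ b).count("1")


def verify_integrity(data, expected_hex, algorithm="sha256"):
    """Recompute the digest and compare it with the published one.
    compare_digest avoids leaking where the two strings first differ."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    short, long_ = b"abc", b"x" * 1_000_000      # constructed inputs
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest_bits(algo, short), digest_bits(algo, long_),
              avalanche_bits(algo, long_))
    # SHA-1 of "abc" is a published test vector
    vector = "a9993e364706816aba3e25717850c26c9cd0d89d"
    print(verify_integrity(b"abc", vector, "sha1"))   # True
    print(verify_integrity(b"abd", vector, "sha1"))   # False
```

Note that MD5 and SHA-1 still show these statistical properties even though practical collision attacks exist for both; that is why the text's claim that a hash is hard to fake holds only "for certain hash functions", and new designs should use SHA-256 or stronger.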
Signatures are commonly used to authenticate documents. When you sign a physical document,
you are authenticating its contents. Similarly, digital signatures are used to authenticate the
contents of electronic documents.
A digital signature is an electronic signature that can be used to authenticate the identity of the
sender of a message or the signer of a document, and possibly to ensure that the original content
of the message or document that has been sent is unchanged. Digital signatures are easily
transportable, cannot be imitated by someone else, and can be automatically time-stamped. The
ability to ensure that the original signed message arrived means that the sender cannot easily
repudiate it later.
Assume you were going to send the draft of a contract to your lawyer in another town. You want
to give your lawyer the assurance that it was unchanged from what you sent and that it is really
from you.
1. You copy-and-paste the contract (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hash (mathematical summary) of the
contract.
3. You then use a private key that you have previously obtained from a public-private key
authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message. (Note that it will be
different each time you send a message.)
1. To make sure it's intact and from you, your lawyer makes a hash of the received message.
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is valid.
Sender
• Calculates the message digest, encrypts the digest with own secret key and appends it
to the message.
Receiver
Just like a passport, a digital certificate provides identifying information, is forgery resistant and can be
verified because it was issued by an official, trusted agency. The certificate contains the name of
the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key
(used for encrypting messages and digital signatures) and the digital signature of the certificate-
issuing authority (CA) so that a recipient can verify that the certificate is real.
To provide evidence that a certificate is genuine and valid, it is digitally signed by a root certificate
belonging to a trusted certificate authority. Operating systems and browsers maintain lists of
trusted CA root certificates so they can easily verify certificates that the CAs have issued and
signed. When PKI is deployed internally, digital certificates can be self-signed.
When you download a digital certificate, you will receive both public and private keys. The public
keys are the ones that you will use to sign and encrypt documents. The private keys are the ones
that will be stored on your computer. You should never, ever share the private keys.
[36] http://searchsecurity.techtarget.com/definition/digital-certificate
• Encrypt files and/or folders on your computer. This is helpful for lost or stolen mobile
devices and laptops because thieves would need to know your password to access any of
the encrypted files or folders.
• Streamline business processes by allowing people to use digital certificates to
electronically sign documents or approve something at a given stage of the process.
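The three ideas above, the Alice/Tom exchange, the hash-then-sign steps of the contract example, and a certificate as a CA's signature over a holder's name, serial number, expiry date and public key, fit together in one short program. It is an added example and not part of the original text: it uses textbook RSA with fixed Mersenne primes so that every step is visible arithmetic, and the names Alice and Tom come from the text while the CA, the serial number and the dates are constructed. These keys are far too small, and unpadded, for real use; real systems use 2048-bit random primes with OAEP or PSS padding.

```python
"""Public-key encryption, signatures and a toy certificate with textbook RSA.
Added example, not the textbook's own code. Keys are deliberately tiny."""
import hashlib
import json

E = 65537
# Constructed key material: 2^p - 1 for these p are known (Mersenne) primes,
# so no primality test is needed. Each party gets its own pair.
ALICE_PRIMES = (2**31 - 1, 2**61 - 1)
TOM_PRIMES = (2**89 - 1, 2**107 - 1)
CA_PRIMES = (2**13 - 1, 2**127 - 1)


def keygen(p, q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest_int(message, n):
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def encrypt(public_key, plaintext):
    """Scramble bytes under the recipient's public key, 8 bytes per block.
    A leading 0x01 byte keeps zero bytes and the block length intact."""
    n, e = public_key
    return [pow(int.from_bytes(b"\x01" + plaintext[i:i + 8], "big"), e, n)
            for i in range(0, len(plaintext), 8)]


def decrypt(private_key, blocks):
    """Unscramble with the matching private key."""
    n, d = private_key
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return out


def sign(private_key, message):
    """Sender steps 2-4: hash the message, apply the private key to the hash."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message, signature):
    """Receiver steps 1-3: re-hash, recover the sent hash with the public key,
    and compare the two."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def _encode(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, holder, serial, not_after, holder_public):
    """The CA's signature over the holder's details is what lets a recipient
    check that the certificate is real."""
    body = {"holder": holder, "serial": serial, "not_after": not_after,
            "public_key": list(holder_public)}
    return {"body": body, "ca_signature": sign(ca_private, _encode(body))}


def verify_certificate(ca_public, cert, today):
    """Trust the embedded key only if the CA signature checks out and the
    certificate has not expired (ISO dates compare correctly as strings)."""
    body = cert["body"]
    return (verify(ca_public, _encode(body), cert["ca_signature"])
            and today <= body["not_after"])


if __name__ == "__main__":
    alice_pub, alice_priv = keygen(*ALICE_PRIMES)
    tom_pub, tom_priv = keygen(*TOM_PRIMES)
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    # Alice -> Tom: only Tom's private key opens the message
    print(decrypt(tom_priv, encrypt(tom_pub, b"Meet me at noon")))
    # The lawyer checks the contract is unchanged and really from Alice
    contract = b"Draft contract v1"
    sig = sign(alice_priv, contract)
    print(verify(alice_pub, contract, sig), verify(alice_pub, contract + b"!", sig))
    # The CA vouches that tom_pub belongs to Tom (constructed serial and expiry)
    cert = issue_certificate(ca_priv, "Tom", 1001, "2025-12-31", tom_pub)
    print(verify_certificate(ca_pub, cert, "2025-06-01"))
```

The signature value changes whenever the message changes, which is the sense in which the text says it "will be different each time you send a message"; and because a certificate is itself just a signed message, tampering with any field of its body, or presenting it after its expiry date, makes verify_certificate return False.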
Information security is the process by which an organization protects and secures its systems,
media, and facilities that process and maintain information vital to its operations. On a broad
scale, the financial institution industry has a primary role in protecting the nation's financial
services infrastructure. The security of the industry's systems and information is essential to its
safety and soundness and to the privacy of customer financial information.
[37] http://ithandbook.ffiec.gov/it-booklets/information-security
UNIT – 11
ETHICAL HACKING
Objectives: -
➢ In order for hacking to be deemed ethical, the hacker must obey the below rules.
• You have permission to probe the network and attempt to identify potential security
risks. If you are the person performing the tests, it is recommended that you get
written consent.
• You respect the individual's or company's privacy and only go looking for security
issues.
• You report all security vulnerabilities you detect to the company, not leaving anything
open for you or someone else to come in at a later time.
• You let the software developer or hardware manufacturer know of any security
vulnerabilities you locate in their software or hardware if not already known by the
company.
▪ In-depth knowledge about highly targeted platforms (such as Windows, Unix, and Linux)
▪ Criminal mindset
▪ Patience, persistence, and immense perseverance
The following image describes the five basic phases that a hacker generally follows while performing an
ethical hacking project.
Passive reconnaissance involves gathering information regarding a potential target without the
targeted individual's or company's knowledge. Passive reconnaissance can be as simple as
watching a building to identify what time employees enter the building and when they leave.
However, this is usually done by performing Internet searches. This process is generally called
information gathering. Social engineering and dumpster diving are also considered passive
information-gathering methods.
E.g., sniffing the network is another means of passive reconnaissance and can yield useful
information such as IP address ranges, naming conventions, hidden servers or networks, and other
available services on the system or network. Sniffing network traffic is similar to building
monitoring: a hacker watches the flow of data to see what time certain transactions take place and
where the traffic is going.
Active reconnaissance involves probing the network to discover individual hosts, IP addresses,
and services on the network. This usually involves more risk of detection than passive
reconnaissance and is sometimes called rattling the doorknobs. The drawback to active
reconnaissance, however, is that it is easier to detect. For example, consider a criminal who walks
past a house she wants to burglarize (passive reconnaissance) versus looking into each window of
the house to see what goods are inside (active reconnaissance). Obviously, a burglar peeking into
the windows of a house is much more conspicuous than simply walking past it. The same is true
for active reconnaissance. It reveals more information but is detected easily. [38] Active
reconnaissance can give a hacker an indication of security measures in place (is the front door
locked?), but the process also increases the chance of being caught or at least raising suspicion.
Both passive and active reconnaissance can lead to the discovery of useful information to use in
an attack. For example, it's usually easy to find the type of web server and the operating system
(OS) version number that a company is using. This information may enable a hacker to find a
vulnerability in that OS version and exploit the vulnerability to gain more access.
PHASE 2 – SCANNING
Scanning involves taking the information discovered during reconnaissance and using it to
examine the network. Tools that a hacker may employ during the scanning phase can include
dialers, port scanners, network mappers, sweepers, and vulnerability scanners. Hackers are seeking
any information that can help them perpetrate an attack, such as computer names, IP addresses, and
user accounts.
During scanning, the hacker continues to gather information regarding the network and its
individual host systems. Data such as IP addresses, operating system, services, and installed
applications can help the hacker decide which type of exploit to use in hacking a system.
Scanning is the process of locating systems that are alive and responding on the network. Ethical
hackers use it to identify target systems' IP addresses.
➢ TYPES OF SCANNING
[38] Book: Penetration Testing and Network Defense by Andrew Whitaker
Scanning is used to determine whether a system is on the network and available. Scanning tools
are used to gather information about a system such as IP addresses, the operating system, and
services running on the target computer. After the active and passive reconnaissance stages of
system hacking have been completed, scanning is performed.
SCANNING METHODOLOGY (figure): Service Identification → Banner Grabbing / Vulnerability
Scanning → Draw Network Diagrams of Vulnerable → Prepare Proxies → Attack
➢ SCANNING TOOLS
▪ Nmap
▪ Nessus
▪ SNMP Scanner
▪ THC-Scan
▪ Netscan
▪ IPSecScan
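Because active reconnaissance and scanning are "easily detected", as the text says, the defender's view of this phase is a firewall or IDS log in which one source touches many ports or many hosts in a short time. The program below is an added example (not part of the original text, and not the output of any of the tools listed above): it reads constructed firewall log lines in an assumed "timestamp src= dst= dport=" format and flags a port scan (many distinct ports on one host within a time window) and a sweep (one port across many hosts). The thresholds and the sample entries are constructed.

```python
"""Spotting the scanning phase in firewall logs. Added example, not from the
textbook; the log format, thresholds and sample entries are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=10):
    """Map each suspicious source to the set of findings against it.

    A port scan is one source touching >= port_threshold distinct ports on
    a single host inside `window`; a sweep is one source touching the same
    port on >= host_threshold distinct hosts inside `window`."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):          # sliding window, O(n^2) worst case
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for w in evs[start:end + 1]:
                ports_per_host[w["dst"]].add(w["dport"])
                hosts_per_port[w["dport"]].add(w["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    findings.setdefault(src, set()).add(f"port scan of {dst}")
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    findings.setdefault(src, set()).add(f"sweep of port {port}")
    return findings


def sample_log():
    """Constructed log: one port scanner, one sweeper, one ordinary client."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080]):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=192.0.2.10 dport={port} action=DROP")
    for i in range(12):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst=192.0.2.{20 + i} dport=445 action=DROP")
    for i, (dst, port) in enumerate([("192.0.2.10", 80), ("192.0.2.11", 443)]):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.7 dst={dst} dport={port} action=ACCEPT")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, hits in sorted(detect_scans(sample_log()).items()):
        print(src, sorted(hits))
```

The thresholds are the tuning knobs: a slow scan spread over hours stays below them, which is exactly the trade-off the text alludes to when it says active reconnaissance "increases the chance of being caught".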
This is the phase where the real hacking takes place. Vulnerabilities discovered during the
reconnaissance and scanning phase are now exploited to gain access. The method of connection
the hacker uses for an exploit can be a local area network (LAN, either wired or wireless), local
access to a PC, the Internet, or offline. Examples include stack-based buffer overflows, denial of
service (DoS), and session hijacking. These topics will be discussed in later chapters. Gaining
access is known in the hacker world as owning the system.
Once a hacker has gained access, they want to keep that access for future exploitation and attacks.
Sometimes, hackers harden the system from other hackers or security personnel by securing their
exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can
use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to
as a zombie system.
Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection
by security personnel, to continue to use the owned system, to remove evidence of hacking, or to
avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion
detection system (IDS) alarms. Examples of activities during this phase of the attack include
Steganography, the use of tunneling protocols, and altering log files. Steganography and use of
tunneling for purposes of hacking will be discussed in later chapters.
Google hacking is a computer hacking technique that uses Google Search and other Google
applications to find security holes in the configuration and computer code that websites use.
Google hacking is the use of a search engine, such as Google, to locate a security vulnerability on
the Internet. There are generally two types of vulnerabilities to be found on the Web: software
vulnerabilities and mis-configurations. Although there are some sophisticated intruders who target
a specific system and try to discover vulnerabilities that will allow them access, the vast majority
of intruders start out with a specific software vulnerability or common user misconfiguration that
they already know how to exploit, and simply try to find or scan for systems that have this
vulnerability.
The Acunetix Web Vulnerability Scanner scans for SQL injection, Cross site scripting and many
more vulnerabilities.
➢ ENUMERATION
Enumeration occurs after scanning and is the process of gathering and compiling usernames,
machine names, network resources, shares, and services. It also refers to actively querying or
connecting to a target system to acquire this information.
During the enumeration stage, the hacker connects to computers in the target network and pokes
around these systems to gain more information. While the scanning phase might be compared to a
knock on the door or a turn of the door knob to see if it is locked, enumeration could be compared
to entering an office and rifling through a file cabinet or desk drawer for information. It is definitely
more intrusive.
Many hacking tools are designed for scanning IP networks to locate NetBIOS name information.
For each responding host, the tools list IP address, NetBIOS computer name, logged in username,
and MAC address information. On a Windows 2000 domain, the built-in tool net view can be used
for NetBIOS enumeration. To enumerate NetBIOS names using the net view command, enter the
following at the command prompt –
Another great built-in tool is nbtstat, which calls up the NetBIOS Name Table from a remote
system. The Name Table contains a great deal of information, as seen in the following example:
C:\>nbtstat -A 192.168.202.33
➢ ENUMERATION STEPS
Hackers need to be methodical in their approach to hacking. The following steps are an example
of those a hacker might perform in preparation for hacking a target system:
➢ SQL INJECTION [39]
Web applications allow legitimate website visitors to submit and retrieve data to/from a database
over the Internet using their preferred web browser. Databases are central to modern websites –
they store data needed for websites to deliver specific content to visitors and render information
to customers, suppliers, employees and a host of stakeholders. User credentials, financial and
payment information, company statistics may all be resident within a database and accessed by
legitimate users through off-the-shelf and custom web applications. Web applications and
databases allow you to regularly run your business.
[39] https://www.acunetix.com/websitesecurity/sql-injection
SQL injection is a code injection technique that exploits or bypasses a security vulnerability
occurring in the database layer of an application.
The vulnerability is present when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed and thereby
unexpectedly executed.
During a SQL injection attack, malicious code is inserted into a web form field or the website's
code to make a system execute a command shell or other arbitrary commands. Just as a legitimate
user enters queries and additions to the SQL database via a web form, the hacker can insert
commands to the SQL server through the same web form field.
SQL Injection is one of the many web attack mechanisms used by hackers to steal data from
organizations. It is perhaps one of the most common application layer attack techniques used
today. It is the type of attack that takes advantage of improper coding of your web applications
that allows a hacker to inject SQL commands into, say, a login form to allow them to gain access to
the data held within your database.
For example, an arbitrary command from a hacker might open a command prompt or display a
table from the database. A database table may contain personal information such as credit card
numbers, social security numbers, or passwords. SQL servers are very common database servers
and used by many organizations to store confidential data. This makes a SQL server a high value
target and therefore a system that is very attractive to hackers.
In essence, SQL Injection arises because the fields available for user input allow SQL statements
to pass through and query the database directly.
Such features as login pages, support and product request forms, feedback forms, search pages,
shopping carts and the general delivery of dynamic content, shape modern websites and provide
businesses with the means necessary to communicate with prospects and customers. These website
features are all susceptible to SQL Injection attacks which arise because the fields available for
user input allow SQL statements to pass through and query the database directly.
Before launching a SQL injection attack, the hacker determines whether the configuration of the
database and related tables and variables is vulnerable. The steps to determine the SQL server's
vulnerability are as follows:
(I) Using your web browser, search for a website that uses a login page or other database input
or query fields (such as an "I forgot my password" form). Look for web pages that display the
POST or GET HTML commands by checking the site's source code.
(II) Test the SQL server using single quotes ('). Doing so indicates whether the user-input
variable is sanitized or interpreted literally by the server. If the server responds with an error
message that says use 'a'='a' (or something similar), then it's most likely susceptible to a SQL
injection attack.
(III) Use the SELECT command to retrieve data from the database or the INSERT command to
add information to the database.
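Seen from the code side, the weakness the steps above probe for is a query built by string concatenation, and the fix is a query with bound parameters. The program below is an added example (not part of the original text): it creates an in-memory SQLite database with a constructed users table, implements a login both ways, and turns step (II), the single-quote test, into a check you can run against your own application. The account name and password are constructed.

```python
"""A login query vulnerable to SQL injection next to its parameterized fix.
Added example, not the textbook's own code; sample data is constructed."""
import sqlite3


def make_db():
    """Constructed sample data: one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so a quote in the input
    ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Placeholders: the driver sends the values separately from the SQL,
    so a quote in the input is just a character in a string."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def quote_test(login, conn):
    """Step (II) as a unit test for your own application: submit a lone
    single quote and report whether the database complained. An error here
    means the input reached the SQL parser."""
    try:
        login(conn, "'", "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR 'a'='a"          # the 'a'='a probe from the text
    print(login_vulnerable(conn, "alice", tautology))   # True: bypassed
    print(login_safe(conn, "alice", tautology))         # False: rejected
    print(quote_test(login_vulnerable, conn))           # SQL error text
    print(quote_test(login_safe, conn))                 # None
```

With the vulnerable version the password check becomes `password = '' OR 'a'='a'`, which is true for every row, so the count is non-zero and the login succeeds without a valid password; the parameterized version compares the literal string and fails. Storing passwords in clear text, as this toy table does, is a separate defect and is kept only so the injection is visible.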
UNIT 12
MALWARES
Objectives:
12.1 Computer Viruses
12.2 Worms
12.3 Trojan Horse.
12.4 Malware
12.5 Spyware
12.6 Adware
(i) Infection Phase - Some viruses infect programs each time the program is executed
whereas other viruses infect only upon a certain trigger. For example, at a specific
date, the virus will infect a program. There are many other kinds of triggers. Some
viruses are called "resident viruses", which means that they reside in the memory of the
computer. The virus is inactive and is only triggered by certain events such as inserting
a disk, copying a file or executing a program.
(ii) Attack Phase - This is when the virus goes into action. It will, for example, delete
files, change random data on your disk or slow down the computer. Other kinds of
viruses do less harmful things, such as play music or create messages or animation on
your screen. This might not seem to be a virus, but be aware of these kinds of
behaviors. Once a virus infects a computer (by e-mail, disk, or some other
method) the program to which the virus is attached only has to be executed to trigger
the virus into action. On top of mere replication, viruses may include a malicious
payload, a mark that invites the user to perform an operation, such as opening an
email attachment. For example, the tag "ILOVEYOU" in the worm virus of the same
name in 2000 constituted that virus's payload.
[40] http://beastlad.tripod.com/id12.html
Viruses work in a variety of ways to disrupt a system, but the most common method was to simply
overburden it by repeating the same messages over and over via rapid self-replications, resulting
in crashing the system. In addition, a computer virus may not take effect immediately. It can sit
undetected in computer systems for months waiting for the right operation to trigger it into action.
By that time, it may be quite difficult to retrace the steps of how a virus was lodged in a system to
begin with.
[41] http://www.studymode.com/essays/Computer-Virus-380631.html
A resident virus dwells permanently in RAM. From there it can
overcome and interrupt all of the operations executed by the system: corrupting files and
programs that are opened, closed, copied, renamed etc.
An overwrite virus is characterized by the fact that it deletes the information contained in the files
that it infects, rendering them partially or totally useless once they have been infected.
The only way to clean a file infected by an overwrite virus is to delete the file completely, thus
losing the original content. Examples of this virus include: Way, Trj.Reboot, Trivial.88.D.
A boot virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk,
in which information on the disk itself is stored together with a program that makes it possible to
boot (start) the computer from the disk. The best way of avoiding boot viruses is to ensure that
floppy disks are write-protected and never to start your computer with an unknown floppy disk in the
disk drive. Examples of boot viruses include: Polyboot.B, AntiEXE, Form, Disk Killer,
Michelangelo and Stone virus.
Macro viruses infect files that are created using certain applications or programs that contain
macros. These mini-programs make it possible to automate series of operations so that they are
performed as a single action, thereby saving the user from having to carry them out one by one.
Examples of macro viruses: Relax Melissa.A, Bablas, and O97M/Y2K.
Directory viruses change the paths that indicate the location of a file. By executing a program (file
with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly
running the virus program, while the original file and program have been previously moved by the
virus. Once infected it becomes impossible to locate the original files.
A direct action (file infector) virus infects programs or executable files (files with an .EXE or .COM extension).
When one of these programs is run, directly or indirectly, the virus is activated, producing the
damaging effects it is programmed to carry out. The majority of existing viruses belong to this
category, and can be classified depending on the actions that they carry out.
Companion viruses can be considered file infector viruses like resident or direct action types. They
are known as companion viruses because once they get into the system they "accompany" the
other files that already exist. In other words, in order to carry out their infection routines,
companion viruses can wait in memory until a program is run (resident viruses) or act immediately
by making copies of themselves (direct action viruses). Some examples include: Stator,
Asimov.1539, and Terrax.1069.
The file allocation table or FAT is the part of a disk used to connect information and is a vital part
of the normal functioning of the computer.
This type of virus attack can be especially dangerous, by preventing access to certain sections of
the disk where important files are stored. Damage caused can result in information losses from
individual files or even entire directories.
(I) Anna Kournikova [42]
Anna Kournikova is a famous Russian model and a former professional tennis player.
She is more famous for her beauty and celebrity status than tennis. At the peak of her fame,
she was one of the most common search strings on Google.
In February, 2001, a Dutch programmer Jan de Wit created the Anna Kournikova computer virus. It
was designed to trick email users into opening a mail message purportedly containing a picture
of Anna Kournikova, while actually hiding a malicious program. The Kournikova virus tempts
users with the message "Hi: Check this!" and what appears to be a picture file labeled
"AnnaKournikova.jpg.vbs". The worm arrives in an email with the subject line "Here you have,
;0)" and an attached file called AnnaKournikova.jpg.vbs. When launched under the Microsoft
Windows OS, the file does not display a picture of Anna Kournikova but launches a viral
Visual Basic Script that forwards itself to everybody in the Microsoft Outlook address book of
the victim.
(II) Autorun
This virus primarily targeted USBs and flash drives and established them as its major source of
movement and propagation. It affected networks and all the computers present on them. Once
affected, the folder options would be disabled, the task manager too would be unavailable and
the virus itself would become the system administrator. The virus would replicate itself in all
the folders, therefore eating up useful space on the hard disk and making it eventually
extremely slow. The loss was in terms of useful data on millions of computers across the world.
(III) Michelangelo
Michelangelo was the first virus the media really got into advertising. The media said that this
virus would wipe out millions of computers on March 6, so many people went out and bought
antivirus software, and that helped to lower the number of affected computers to almost
ten thousand. The Michelangelo virus did erase hard drives around the nation. That is one way the
media actually helped to alert the public to a threat that was real; we all know how the media
scared millions of people over the Y2K episode.
[42] http://www.techopedia.com/definition/16156/anna-kournikova-virus
12.2 WORMS
A worm is self-replicating malware that does not alter files but resides in active memory and
duplicates itself. Worms use parts of an operating system that are automatic and usually invisible
to the user. It is common for worms to be noticed only when their uncontrolled replication
consumes system resources, slowing or halting other tasks. Examples of worms include:
PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, and Mapson.
Worms can be classified according to the propagation method they use, i.e. how they deliver copies
of themselves to new victim machines. Worms can also be classified by installation method, launch
method etc. Many of the worms which managed to cause significant outbreaks use more than one
propagation method, as well as more than one infection technique. Some of the popular types of
worms are listed below.
Email worms spread via infected email messages. The worm may be in the form of an attachment
or the email may contain a link to an infected website. However, in both cases, email is the
vehicle. In the first case the worm will be activated when the user clicks on the attachment. In the
second case the worm will be activated when the user clicks on the link leading to the infected site.
[43] http://csusm.wordpress.com/
Internet worms are truly autonomous virtual viruses, spreading across the net, breaking into
computers, and replicating without human assistance and usually without human knowledge. An
Internet worm can be contained in any kind of virus or programmer script. Sometimes their
inventor will release them into the wild.
IRC worms target chat channels. They also use the propagation methods listed above:
sending links to infected websites or infected files to contacts harvested from the infected user.
Sending infected files is less effective as the recipient needs to confirm receipt, save the file and
open it before the worm is able to penetrate the victim machine.
P2P worms copy themselves into a shared folder, usually located on the local machine. Once the
worm has successfully placed a copy of itself under a harmless name in a shared folder, the P2P
network takes over: the network informs other users about the new resource and provides the
infrastructure to download and execute the infected file. More complex P2P worms imitate the
network protocol of specific file-sharing networks: they respond affirmatively to all requests and
offer infected files containing the worm body to all comers.
(I) ILOVEYOU
ILOVEYOU, sometimes referred to as Love Letter, was a computer worm that attacked tens of
millions of Windows personal computers on and after 5 May 2000 local time in the Philippines
when it started spreading as an email message with the subject line "ILOVEYOU" and the
attachment "LOVE-LETTER-FOR-YOU.txt.". The first file extension 'VBS' was most often
hidden by default on Windows computers of the time, leading unwitting users to think it was a
normal text file. Opening the attachment activated the Visual Basic script. The worm did damage
on the local machine, overwriting image files, and sent a copy of itself to the first 50 addresses in
the Windows Address Book used by Microsoft Outlook.
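Anna Kournikova and ILOVEYOU both relied on the same trick: a script extension (.vbs) hidden behind a harmless-looking one (.jpg, .txt) that Windows displayed while hiding the real one. A mail gateway can refuse such attachment names before any user sees them. The program below is an added example (not part of the original text) of that filter; the extension lists and the sample attachment names, modelled on the two worms' attachments, are constructed.

```python
"""Attachment-name filter for the double-extension trick. Added example, not
from the textbook; extension lists and sample names are constructed."""
import os

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".pif", ".bat", ".cmd", ".com"}
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf",
                    ".mp3", ".htm", ".html"}


def extensions(filename):
    """All extensions of a name, lowercased and stripped of padding spaces:
    'Photo.JPG   .vbs' -> ['.jpg', '.vbs']."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def classify_attachment(filename):
    """'allow', 'block: executable script' or 'block: double extension'."""
    exts = extensions(filename)
    if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
        return "allow"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return "block: double extension"
    return "block: executable script"


def screen_message(attachment_names):
    """Return the names a gateway would strip from one message."""
    return [n for n in attachment_names if classify_attachment(n) != "allow"]


if __name__ == "__main__":
    # Constructed names modelled on the two worms' attachments
    for name in ["AnnaKournikova.jpg.vbs", "LOVE-LETTER-FOR-YOU.TXT.vbs",
                 "holiday.jpg", "quarterly.pdf", "setup.exe", "README"]:
        print(f"{name:30} {classify_attachment(name)}")
```

The check goes a little beyond the two cases in the text: it also catches a run of spaces inserted before the real extension to push it out of view, and it blocks a bare script attachment with no decoy at all. A name filter is only one layer; the mail client's "hide extensions for known file types" setting is what made the decoy work in the first place.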
(II) MELISSA
Generated over a decade ago, this clever piece of virtual disease operated through Microsoft
Outlook. This is how it worked: you receive an email titled "Here is the Document you asked for"
from an unknown sender, you got infected as soon as you opened the email, and the virus would
replicate and deliver itself to the top 50 people on your list without you getting a hint of it. Some
major US government departments were hit and the damage is thought to be around $1 billion at
least. A 20 month jail sentence well deserved.
(III) My Doom
Spell it backwards and you will understand its prime targets: yes, the "Admin" and servers. It was
basically a worm and has the record of being the fastest ever virus to spread; it took only 22 minutes
to break into the list of top ten most deadly viruses of all times. It basically targeted internet servers
and websites, creating a mass crater through which thousands of computers were affected at the
same time. Once infected, the systems became exposed to open attacks by the outsiders.
The term is derived from the Trojan horse story in Greek mythology. A Trojan, sometimes referred
to as a Trojan horse, is non-self-replicating malware that appears to perform a desirable function
for the user but instead facilitates unauthorized access to the user's computer system. It infects
your computer and allows a hacker to run hidden tasks behind your back. A Trojan infection can
allow total remote access to your computer by a third party.
Trojan horses are designed to allow a hacker remote access to a target computer system. Once a
Trojan horse has been installed on a target computer system, it is possible for a hacker to access it
remotely and perform various operations. The operations that a hacker can perform are limited by
user privileges on the target computer system and the design of the Trojan horse. Typical operations include:
➢ Use of the machine as part of a botnet that sends spam or performs Distributed Denial-of-Service (DDoS) attacks
➢ Data theft, e.g. passwords, credit card information, etc.
➢ Installation of software, including other malware
➢ Downloading or uploading of files
➢ Modification or deletion of files
➢ Keystroke logging
➢ Viewing the user's screen
➢ Wasting computer storage space
➢ Crashing the computer
[44] http://bobthepcbuilder.com/virus-removal/
Remote access Trojans: these are probably the most widely used Trojans, because they give the attacker more power over the victim's machine than the victim has while sitting in front of it. Most of them combine the other variants described below. Their purpose is to give the attacker total access to the machine and therefore to its files, private conversations, accounting data, and so on.
Password-sending Trojans: these rip all the cached passwords, watch for other passwords you enter, and send them to a specific e-mail address without the user noticing anything. Passwords for ICQ, IRC, FTP, HTTP or any other application that requires a login and password are sent back to the attacker's e-mail address, which in most cases is an account at a free web-based e-mail provider.
Keylogger Trojans: these are very simple. The only thing they do is log the victim's keystrokes and let the attacker search the log file for passwords or other sensitive data. Most come with both online and offline recording, and they can be configured to send the log file to a specific e-mail address on a schedule.
Proxy Trojans: an interesting feature implemented in many Trojans is turning the victim's computer into a proxy (WinGate-style) server available to the whole world or to the attacker only. It is used for anonymous Telnet, ICQ, IRC and so on, for registering domains with stolen credit cards, and for many other illegal activities. This gives the attacker complete anonymity and the chance to do everything from your computer, and if the activity is traced, the trail leads back to you.
12.4 MALWARE
Malware is a set of instructions that run on your computer and make your system do
something that an attacker wants it to do.
[Pie chart: malware by type as of 2011-03-16 (Trojan, Spyware, Adware, Worm, Other)]
[45] http://upload.wikimedia.org/wikipedia/commons/thumb/e/ec/Malware_statics_2011-03-16-en.svg
(I) STUXNET
Stuxnet, discovered in 2010, became the most discussed malware of its time because of its unusual nature. For the first time, malware crossed from cyberspace into the physical environment: it did not merely damage code and data but reprogrammed the Siemens programmable logic controllers driving uranium-enrichment centrifuges at Iran's Natanz plant, so that the machines themselves were destroyed. Stuxnet is a worm rather than a virus; it spread through infected USB drives and Windows network vulnerabilities. Its kernel drivers were signed with code-signing certificates stolen from JMicron Technology and Realtek, so Windows driver-signature enforcement and host intrusion prevention systems (HIPS), which trust drivers carrying a legitimate vendor's signature, loaded them without objection.
(II) ZEUS
Zeus is a banking Trojan kit used to build botnets that steal online banking credentials and card data; one Zeus-based botnet, dubbed Kneber, was uncovered in early 2010. On July 14, 2010, security firm Trusteer reported that credit cards of customers of more than 15 unnamed US banks had been compromised by Zeus.
On 1 October 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to break into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.
12.5 SPYWARE
Spyware is software that sends your personal information to a third party without your permission or knowledge. This can include information about the Web sites you visit or something more sensitive like your user name and password. Unscrupulous companies often use this data to send you unsolicited targeted advertisements.
Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of spyware is to download certain peer-to-peer file swapping products that are available today.
Aside from the questions of ethics and privacy, spyware steals from the user by consuming the computer's memory and processing resources and by eating bandwidth as it sends information back to the spyware's home base over the user's Internet connection. Because spyware uses memory and system resources, the applications running in the background can lead to system crashes or general instability.
Because spyware exists as independent executable programs, it can monitor keystrokes, scan files on the hard drive, snoop on other applications such as chat programs or word processors, install other spyware programs, read cookies and change the default home page of the Web browser, constantly relaying this information back to the spyware author, who will either use it for advertising/marketing purposes or sell it to another party.
(I) COOLWEBSEARCH
With over 50 variants, CoolWebSearch is a typical representative of the prolific family of Internet browser hijackers. If your computer gets infected by this spyware, web browsing becomes a nightmare: instead of reaching your favorite social networking site you are redirected to an online gambling outfit, and instead of checking your e-mail you are shown pornographic advertising.
This is a rather flattering name for a spyware program that redirects your browser to an
advertisement when you try to login to a website where a password is required.
A keylogger is a hardware device or a software program that records the real time activity of a
computer user including the keyboard keys they press.
Keyloggers are used in IT organizations to troubleshoot technical problems with computers and
business networks. Keyloggers can also be used by a family (or business) to monitor the network
usage of people without their direct knowledge. Finally, malicious individuals may use keyloggers
on public computers to steal passwords or credit card information.
Keylogger software is freely available on the Internet. These keyloggers allow not only keyboard
keystrokes to be captured but also are often capable of collecting screen captures from the
computer. Normal keylogging programs store their data on the local hard drive, but some are
programmed to automatically transmit data over the network to a remote computer or Web server.
Hardware keyloggers plug in between the keyboard and the computer. Their tiny size and inconspicuous location mean they are almost never found, and if one is found, nobody would necessarily know what it was. Some can be set up to deliver the captured data to another location, and installing one does not require being able to log on to the person's machine.
Software keyloggers can typically be installed remotely, so the attacker never needs physical access to the other person's computer, and depending on the version they may add screen capture to keystroke logging. Their downside, from the attacker's point of view, is that they can slow the machine down and make the user suspicious, which is why such "spy software" is marketed on its minimal memory footprint.
12.6 ADWARE
Adware displays advertisements on your computer in the form of pop-up ads or other ad-related screens. These are ads that pop up on your display even when you are not browsing the Internet. Some companies provide "free" software in exchange for advertising on your display; it is how they make their money.
Adware can shade into spyware, since the two are close in what they do. Adware is strictly tracking and displaying ads, whereas spyware can alter a lot of things on your PC. One common way to get adware is by visiting suspect sites, such as porn sites, which are set up to draw a lot of traffic and then use browser security holes to force your browser to download and install their software automatically. ActiveX controls in Internet Explorer have been known to have a lot of security holes, as has Java in browsers.
Adware can also arrive by downloading and installing freeware, as rogue software is often bundled with it. Shareware, also called a "free trial", is not freeware: it requires a small fee to be paid after trying it first. Shareware and free-trial software are typically safer, while freeware needs more care as it may bundle adware and spyware to make money; the distinction is no guarantee, though, and any download should come from the vendor's own site and be checked before installation.
[46] www.qbs-pchelp.co.uk/windowstechnicalsupportlist.php
Downloading e-mail attachments is another way adware can arrive; it uses this method the same way virus writers so often did in the past, although this route is rare today compared with the other methods.
IT managers around the world braced themselves Thursday for an unexpected onslaught of romantic "e-cards" surreptitiously carrying the nastiest virus around: the Storm Worm.
"Once the user clicks on the [e-mail] link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm Worm botnet," warns a public alert posted on the FBI's Web site Monday.
"The Storm Worm virus has capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail," says the FBI. "Valentine's Day has been identified as the next target."
Haven't heard of the Storm Worm? That's because it hasn't "struck" yet, even though researchers first noticed it more than a year ago after it cropped up in e-mails showing photos of damage from European windstorms in January 2007.
Since then, it's steadily infected an estimated 10 million Windows-based PCs around the world, all under the command of unknown "bot herders" who've silently fashioned them into a "zombie army" or "botnet"—a massive network of "enslaved" PCs awaiting the signal to launch a cyber attack.[47]
[47] http://www.foxnews.com
UNIT – 13 ISO 27001
Objectives: -
13.1 Introduction of ISO 27001
13.2 General Requirements for ISO Standardization
13.3 Establishing and Managing Isms
13.4 Monitor and Review Isms
13.5 Maintain and Improve Isms
ISO 27001 is an information security management standard. It defines a set of information security management requirements, which are described in the sections below.
The purpose of ISO IEC 27001 is to help organizations establish and maintain an information
security management system (ISMS). ISO 27001 applies to all types of organizations. It doesn‘t
matter what your organization does or what size it is. ISO 27001 can help your organization meet
its information security management needs and requirements.
ISO 27001 is designed to be used for certification purposes. In other words, once you have established an ISMS that meets both the ISO IEC 27001 requirements and your organization's needs, you can ask a registrar to audit your system. If the audit finds the ISMS conformant, the registrar will issue an official certificate stating that your ISMS meets the ISO IEC 27001 requirements. According to ISO 27001, you must meet every requirement if you wish to claim that your ISMS complies with the standard.
However, while you must meet every requirement, the size and complexity of information security management systems vary quite a bit. How you meet each of the ISO 27001 requirements, and to what extent, depends on many factors specific to your organization. The standard contains two kinds of requirements:
1. METHODOLOGICAL REQUIREMENTS
2. SECURITY CONTROL REQUIREMENTS
According to ISO 27001, you must meet each one of the methodological requirements if you wish to claim that your ISMS complies with the standard. As these methodological requirements tell you how to reach your destination (an ISMS), you can think of them as a general roadmap.
Since the security control requirements (the Annex A controls) tell you what your ISMS should look like, you can think of them as a general blueprint.
According to ISO IEC 27001, you may exclude or ignore Annex A control objectives and controls
whenever they address risks that you can live with and whenever doing so will not impair your
ability or obligation to meet all relevant legal and security requirements.
This International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
➢ THE PDCA MODEL
The standard applies the Plan-Do-Check-Act cycle to the ISMS processes:
Plan (establish the ISMS): Establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
➢ APPLICABILITY
The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7 and 8 is not acceptable when an organization claims conformity to this International Standard.
Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified, and evidence needs to be provided that the associated risks have been accepted by the persons who are accountable.
➢ IMPORTANT DEFINITIONS –
1. Assets – anything that has value to the organization
2. Availability – the property of being accessible and usable upon demand by an authorized
entity.
3. Confidentiality – that the information is not made available or disclosed to unauthorized
individuals, entities or processes.
4. Information security – preservation of confidentiality, integrity and availability of
information.
5. Information security event: an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
6. Information security incident: a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
7. Information security management system: that part of the overall management system,
based on a business risk approach, to establish, implement, operate, monitor, review,
maintain and improve information security.
8. Integrity: the property of safeguarding the accuracy and completeness of assets.
9. Residual Risk: the risk remaining after the risk treatment.
10. Risk acceptance: decision to accept the risk.
11. Risk Analysis: systematic use of information to identify sources and to estimate the risk.
12. Risk Assessment: overall process of risk analysis and risk evaluation.
13. Risk Evaluation: process of comparing the estimated risk against given risk criteria to
determine the significance of the risk.
14. Risk Management: coordinated activities to direct and control an organization with
regard to risk.
15. Risk treatment: process of selection and implementation of measures to modify risk.
i) ESTABLISHING THE ISMS: the following steps are required of senior management to implement an ISMS within their organization's environment:
(a) Define the scope and boundaries of the ISMS in terms of the characteristics of the business, its organization, location, assets and technology.
(b) Define the ISMS policy in terms of the characteristics of the business, the organization, its location and assets. The policy must take into account business, legal and regulatory requirements and contractual security obligations, and must establish the criteria against which risk will be evaluated. The policy has to be approved by senior management.
(c) Define the risk assessment approach: identify a risk assessment methodology suited to the ISMS and to the business, information security, legal and regulatory requirements. Develop the criteria for accepting risk and identify the acceptable level of risk.
(d) Identify the risks: first identify the assets belonging to the organization and their owners, then the threats to those assets and the vulnerabilities that the threats might exploit. Determine the impact that a loss of confidentiality, integrity or availability would have on each asset.
(e) Analyse and evaluate the risks: assess the likelihood of each threat materialising, estimate the resulting level of risk, compare it against the acceptance criteria and decide whether the risk should be accepted or treated.
(f) Identify and evaluate options for the treatment of risks. Risk treatment can be done in one of four ways:
1. Apply appropriate controls;
2. Knowingly and objectively accept the risk, provided it satisfies the acceptance criteria;
3. Avoid the risk;
4. Transfer the associated business risk to another party, e.g. an insurer or supplier.
Finally, management approval must be obtained for the proposed residual risks and authorization given to implement and operate the ISMS.
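Steps (d) to (f) above, worked through in code. This is an added example written for this page, not text or tooling from the standard: the 1-to-5 scales, the risk score as likelihood times worst-case CIA impact, the acceptance threshold of 8 and the asset register are all constructed assumptions that a real ISMS would replace with its own criteria from step (c).

```python
"""ISO 27001-style risk assessment and treatment over a constructed asset register.

Assumed scales: likelihood and each CIA impact are 1..5; risk = likelihood x
worst-case impact; scores <= RISK_ACCEPTANCE_THRESHOLD are acceptable as they are.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RISK_ACCEPTANCE_THRESHOLD = 8  # assumed acceptance criterion, defined in step (c)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1..5
    impact_c: int              # 1..5, loss of confidentiality
    impact_i: int              # 1..5, loss of integrity
    impact_a: int              # 1..5, loss of availability
    # Candidate controls: (name, likelihood reduction, impact reduction); assumed effects.
    controls: list[tuple[str, int, int]] = field(default_factory=list)
    transferable: bool = False  # risk can be insured or contractually shifted
    avoidable: bool = False     # the risky activity or asset can be dropped

    def impact(self) -> int:
        # Worst-case loss across C, I and A drives the rating (step d).
        return max(self.impact_c, self.impact_i, self.impact_a)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact()


def score_after_controls(risk: Risk) -> int:
    """Risk remaining once every candidate control is applied (clamped to the scale)."""
    likelihood, impact = risk.likelihood, risk.impact()
    for _name, dl, di in risk.controls:
        likelihood = max(1, likelihood - dl)
        impact = max(1, impact - di)
    return likelihood * impact


def treat(risk: Risk) -> dict:
    """Step (f): choose accept / apply controls / avoid / transfer and report residual risk."""
    inherent = risk.inherent_score()
    if inherent <= RISK_ACCEPTANCE_THRESHOLD:
        treatment, residual, applied = "accept", inherent, []
    else:
        controlled = score_after_controls(risk)
        applied = [name for name, _, _ in risk.controls]
        if controlled <= RISK_ACCEPTANCE_THRESHOLD:
            treatment, residual = "apply controls", controlled
        elif risk.avoidable:
            treatment, residual, applied = "avoid", 0, []
        elif risk.transferable:
            treatment, residual = "transfer", controlled
        else:
            treatment, residual = "apply controls", controlled
    return {
        "asset": risk.asset, "threat": risk.threat, "inherent": inherent,
        "treatment": treatment, "controls": applied, "residual": residual,
        # Residual risk above the criteria needs explicit management sign-off.
        "management_sign_off_required": residual > RISK_ACCEPTANCE_THRESHOLD,
    }


def risk_treatment_plan(register: list[Risk]) -> list[dict]:
    """Treat every risk, highest inherent risk first (stable for ties)."""
    return sorted((treat(r) for r in register), key=lambda d: -d["inherent"])


# Constructed register for the example, not real assessment data.
REGISTER = [
    Risk("customer database", "SQL injection from the internet", "unvalidated input in web app",
         likelihood=4, impact_c=5, impact_i=4, impact_a=3,
         controls=[("parameterised queries and input validation", 2, 0),
                   ("web application firewall", 1, 0)]),
    Risk("staff laptops", "theft or loss", "no full-disk encryption",
         likelihood=3, impact_c=4, impact_i=2, impact_a=2,
         controls=[("full-disk encryption with escrowed keys", 0, 3)]),
    Risk("legacy FTP server", "credential sniffing", "plaintext protocol",
         likelihood=4, impact_c=3, impact_i=3, impact_a=1, avoidable=True),
    Risk("card payment processing", "payment fraud", "manual card handling",
         likelihood=3, impact_c=4, impact_i=4, impact_a=1, transferable=True),
    Risk("internal wiki", "defacement", "weak admin password",
         likelihood=2, impact_c=2, impact_i=2, impact_a=2,
         controls=[("enforce strong passwords", 1, 0)]),
]

if __name__ == "__main__":
    for row in risk_treatment_plan(REGISTER):
        flag = " (management sign-off required)" if row["management_sign_off_required"] else ""
        print(f'{row["asset"]}: inherent {row["inherent"]} -> {row["treatment"]}, '
              f'residual {row["residual"]}{flag}')
```

The output is the input to the final step: the rows whose residual risk still exceeds the criteria (here the transferred payment-fraud risk) are exactly the ones management must formally accept before the ISMS is put into operation.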
ii) MONITORING AND REVIEWING THE ISMS: the organization shall
(a) Execute monitoring and reviewing procedures and other controls to promptly detect errors and identify attempted and successful security breaches.
(b) Undertake regular reviews of the effectiveness of the ISMS, taking into account feedback and suggestions from employees and from third parties with an interest in the organization.
(c) Measure the effectiveness of controls to verify that security requirements have been met.
(d) Review the risk assessment at planned intervals and review the residual risks and the identified acceptable levels of risk.
(e) Conduct internal ISMS audits at planned intervals.
(f) Update the security plans and policies.
iii) MAINTAINING AND IMPROVING THE ISMS: the organization shall regularly
(a) Implement the identified improvements in the ISMS.
(b) Take appropriate corrective and preventive actions.
(c) Communicate the actions and improvements to all interested parties.
(d) Ensure that the improvements achieve their intended objectives.
➢ DOCUMENTATION
Documentation shall include –
Documents required by the ISMS shall be protected and controlled. Records shall be established
and maintained to provide evidence of conformity to requirements and the effective operation of
the ISMS.
[48] http://jersey.isle-news.com/archives/calligo-achieves-the-latest-iso-270012013-global-security-certification/23008/
UNIT – 14
Objectives: -
CERT-In (the Indian Computer Emergency Response Team) was created by the Indian Department of Information Technology in 2004 and operates under the auspices of that department. Section 70B, inserted by the Information Technology (Amendment) Act 2008, designates CERT-In as the national nodal agency for responding to computer security incidents.
CERT organizations throughout the world are independent entities, although there may be coordinated activities among groups.
Computer emergency response teams are the human counterparts to anti-virus software. When new
viruses or computer security threats are discovered, these teams document these problems and
work to fix them. Because these teams are made up of people who can react to new situations, they
are much more capable of dealing with new virus threats than anti-virus programs would be by
themselves. When the computer security experts that make up the response teams discover a new
dangerous virus, they work around the clock to create a remedy for it. They often work closely
with anti-virus software companies to establish virus definitions and solutions, and they work with
other software makers to patch the security holes that allowed the virus to propagate.
Incident response is an organized approach to addressing and managing the aftermath of a security
breach or attack also known as an incident. The goal is to handle the situation in a way that limits
damage and reduces recovery time and costs. An incident response plan includes a policy that
defines, in specific terms, what constitutes an incident and provides a step-by-step process that
should be followed when an incident occurs.
Hence, Incident response is the practice of detecting a problem, determining its cause, minimizing
the damage it causes, resolving the problem, and documenting each step of the response for future
reference.
[49] http://cs.stanford.edu/people/eroberts/cs181/projects/viruses/cert.html
Computer forensics is forensic science applied in a digital environment. Where a traditional forensics specialist might collect and preserve fingerprints or other physical evidence, the computer forensics specialist collects and preserves digital evidence.
This collection of digital evidence must be done through carefully prescribed and recognized
procedures so that the probative value of digital evidence is preserved to ensure its admissibility
in a legal proceeding.
As traditional forensics may involve people with different specialties, computer forensics similarly
involves a multitude of professional specialties working together to gather, preserve and analyze
digital evidence.
Computer forensics will help you ensure the overall integrity and survivability of your network infrastructure. You can help your organization if you consider computer forensics as a new basic element in what is known as a "defense-in-depth"[50] approach to network and computer security. For instance, understanding the legal and technical aspects of computer forensics will help you capture vital information if your network is compromised and will help you prosecute the case if the intruder is caught.
[50] "Defense in depth is designed on the principle that multiple layers of different types of protection from different vendors provide substantially better protection" <http://netsecurity.about.com/cs/generalsecurity/a/aa112103.htm>.
Without that understanding you run the risk of destroying vital evidence or having forensic evidence ruled inadmissible in a court of law. Also, you or your organization may run afoul of new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected. Recent legislation makes it possible to hold organizations liable in civil or criminal court if they fail to protect customer data.[51]
Knowledge of Computer forensics is essential for system administrators and security personnel to
enhance ability to recover data that may be critical to the identification and analysis of a security
incident.
The two most common approaches to acquiring evidence are pulling the plug and examining the powered-off machine (dead digital forensics), or carrying out the analysis on a live, running system (live digital forensics). Pulling the plug first has drawbacks:
▪ At times evidence may exist only in the computer's memory and not in any file on the hard disk.
▪ The suspect could configure the computer to clear the paging file automatically on shutdown.
▪ If the suspect is using cryptography to secure the data, pulling the plug may mean that the data will no longer be available in unencrypted form, because the keys were held only in memory.
▪ Hence it is prudent for an investigator to first carry out preliminary investigations on the live system, capturing memory and other volatile data, and then pull the plug.
Computer Forensic Investigator (CFI) performs a critical role in Forensic investigation. Some of
the duties of CFI are –
[51] Laws such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, California Act 1798, Sec. 43A of the IT Act, 2000 and others hold businesses liable for breaches in the security or integrity of computer networks.
❖ Plan preparation
The key to a successful computer forensic project is thorough preparation. Preparation is
necessary not only for the most effective performance of the tasks at hand, but it is also critical
for preserving any and all evidence for potential use in court. If there is even a hint that the
evidence has been contaminated in any way, it cannot be used against the potentially guilty
party at the time of prosecution.
❖ Drive imaging
Imaging a suspect's hard drive is one of the most important functions of the computer forensic process. Imaging means attaching the suspect's hard drive to the analysis system and copying all of its data, sector by sector, to a file on the analysis drive. This file contains everything that was originally stored on the suspect's drive, including the logical file structure and the unallocated space in which deleted files may survive. It is extremely important that no data be written to the suspect's hard drive during this process, which is why the drive is attached through a write blocker and the image is verified against the original by a cryptographic hash (such as MD5 or SHA-256) recorded in the case notes.
After imaging the suspect hard drives, the next step is reviewing the logical file structure. The review can be done with software such as EnCase, WinHex or X-Ways. With EnCase we can open the raw image file and begin to analyze it: EnCase has the built-in technology to read the image and present the data as if it were an attached hard drive, in a view similar to what an average Windows user sees in Windows Explorer.
A review of the logical file structure involves both automated and manual procedures. The forensic software facilitates the automated procedures: using EnCase, we are able to search through the directories of the suspect's computer system and quickly locate any files that seem pertinent to the investigation. As a follow-up, we should look through the directories manually to identify any files that might not have been detected during the automated search. Each file deemed relevant is copied to the analysis drive, to be included in the computer forensic analysis report. When performing this step it is important to record the logical address of the file. For example, the full path of the System32 directory is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and later.
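The imaging step above, worked through as an added example (my own code, not EnCase or any tool named on this page). A file written to a temporary directory stands in for the suspect's drive; on a real case the source would be a physical disk behind a hardware write blocker and the image would be taken with a dedicated imager. The examiner name, case id and tool string are placeholders. The example shows the three things the write-up needs to prove: the original was not altered by acquisition, the image is an exact copy, and the image still captures what a logical file copy would have missed.

```python
"""Bit-for-bit imaging of a constructed evidence 'device' with hash verification
and a chain-of-custody record.
"""
from __future__ import annotations
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024
TOOL = "example-imager/0.1"   # placeholder; stands in for dd, dc3dd, FTK Imager or EnCase


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_constructed_device(path: str) -> bytes:
    """Write a fake 'disk' (constructed test data, not a real evidence drive).

    Layout: one live file, a zero-filled gap, and the remnant of a deleted file
    sitting in unallocated space. Copying the live files would miss the remnant;
    a sector-by-sector image must contain it.
    """
    remnant = b"DELETED: transfer $12,000 to account 4471"  # constructed string
    data = b"live.txt: quarterly report draft" + b"\x00" * 4096 + remnant + b"\x00" * 1024
    with open(path, "wb") as f:
        f.write(data)
    return remnant


def image_device(source: str, dest: str, examiner: str, case_id: str) -> dict:
    """Acquire a bit-for-bit image and produce the chain-of-custody record.

    The source is opened read-only (a write blocker enforces the same guarantee
    for a physical drive). It is hashed before and after acquisition, and the
    image is re-read from disk, so the record shows both that the original was
    not altered and that the image is an exact copy.
    """
    pre_hash = sha256_file(source)
    with open(source, "rb") as src, open(dest, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            img.write(chunk)
    image_hash = sha256_file(dest)
    post_hash = sha256_file(source)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "tool": TOOL,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "source_size": os.path.getsize(source),
        "image": dest,
        "sha256_source_before": pre_hash,
        "sha256_image": image_hash,
        "sha256_source_after": post_hash,
        "verified": pre_hash == post_hash == image_hash,
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-check the image before every analysis session; any change invalidates it."""
    return sha256_file(image_path) == expected_sha256


def run_demo() -> dict:
    """Run the whole acquisition against constructed data and return checkable results."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "evidence_device.bin")
        image = os.path.join(tmp, "evidence.dd")
        remnant = make_constructed_device(device)
        record = image_device(device, image, examiner="A. Examiner", case_id="CASE-0001")
        with open(image, "rb") as f:
            remnant_found = remnant in f.read()      # unallocated space was captured
        ok_before_tamper = verify_image(image, record["sha256_image"])
        # Simulate someone editing a single byte of the image after acquisition.
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        tamper_detected = not verify_image(image, record["sha256_image"])
        return {"record": record, "remnant_found": remnant_found,
                "verified": record["verified"] and ok_before_tamper,
                "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(run_demo()["record"], indent=2))
```

The record is what goes into the report and travels with the image: anyone who later receives the image can recompute the SHA-256 and compare it with the value signed off at acquisition, which is the hash-based part of the chain of custody discussed under evidence below.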
❖ Report
When analysis is completed, the CFI should draft a report. This is another critical step in the computer forensic process, and the investigator must make sure that the report is accurate. Every piece of information and evidence collected should be included in the report, and every activity should be documented. The report should be clear, complete and concise so that there is little or no chance of misunderstanding. Reports should exist in both soft copy and hard copy and be ready to be presented when required.
▪ "Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyse the various levels at which computer data is stored after the fact."
▪ Recovering information which can be considered as evidence in court at the time of prosecution.
This unit clarifies and explains the common Internet terms encountered in legal cases where computer evidence is involved, and also identifies the typical online sources of such evidence.
➢ IMPORTANCE OF EVIDENCE
"Evidence" is anything the judge allows a jury to consider in reaching a verdict. This can include
the testimony of witnesses, photographs of the scene and "demonstrative evidence" such as charts
or sample equipment. The evidence heard by the jury is the most important factor in determining
whether or not you will win your lawsuit and if so, how much compensation you will receive.
The Indian Evidence Act, 1872 deals with procurement, preservation and presentation of the
evidence before the court of law.
Many types of evidence exist that can be offered in court to prove the truth or falsity of a given
fact.
i. DIRECT EVIDENCE
Direct evidence is testimony in which the witness's knowledge comes from any of the five senses and which, if believed, in itself proves or disproves a fact in issue. It is called to prove a specific act (e.g., an eyewitness statement): the witness speaks directly of his or her own knowledge of the main or ultimate fact to be proved, having seen or heard the matters testified to. The knowledge need not come from sight or hearing alone; it may come from any sense through which outside knowledge is acquired, including touch or pain. Testimony that a witness saw the defendant pointing a gun at the victim during a robbery is direct evidence, as is the surveillance video of a person robbing a convenience store or a witness who saw a person stealing a car.
As its name suggests, direct evidence relates immediately to the allegation being tested: if the direct evidence is true, the allegation is established. Unlike circumstantial evidence, which requires an inference to be drawn, it rests on the witness's personal knowledge or observation of the fact. A person's guilt of a charged crime may be proven by direct evidence alone, if that evidence satisfies the judge or jury of guilt beyond a reasonable doubt. Direct evidence carries varying weight depending on the witness delivering it: testimony from a legitimate, trustworthy source will have a stronger bearing on the jury than that of a shady character, even under oath, and a witness who bends the truth a little here and there can skew direct evidence.
ii. REAL EVIDENCE
Real evidence, also known as associative or physical evidence, is made up of tangible objects that
prove or disprove guilt. Physical evidence includes such things as tools used in the crime, fruits of
the crime, or perishable evidence capable of reproduction. The purpose of the physical evidence
is to link the suspect to the scene of the crime. It is the evidence that has material existence and
can be presented to the view of the court and jury for consideration. It consists of objects that were
involved in a case or actually played a part in the incident or transaction in question. Examples
include the written contract, the defective part, the murder weapon, the gloves used by an alleged
murderer. Trace evidence, such as fingerprints is a species of real evidence. Admission of real
evidence requires authentication, a showing of relevance, and a showing that the object is in ―the
same or substantially the same condition‖ now as it was on the relevant date. An object of real
evidence is authenticated through the senses of a witness or by circumstantial evidence called chain
of custody.
iii. DOCUMENTARY EVIDENCE
Documentary evidence is evidence presented to the court in the form of, for example, business records, manuals and printouts. Much of the evidence submitted in a computer crime case is documentary evidence. Documentary evidence is often a kind of real evidence, as when a contract is offered to prove its terms; a document used this way is authenticated like any other real evidence, by a witness who identifies it or, less commonly, by witnesses who establish a chain of custody for it. However, because they contain human language, and because of the historical development of the common law, documents present special problems not raised by other forms of real evidence, such as when they contain hearsay. When dealing with documentary evidence we should ask ourselves the following four questions:
In addition, some documents, such as certified copies of public records, official documents, newspapers, periodicals, trade inscriptions, acknowledged documents (to prove the acknowledgment), certificates of the custodians of business records, and certain commercial paper and related documents are, to one extent or another, self-authenticating.
iv. DEMONSTRATIVE EVIDENCE
Demonstrative evidence is just what the name implies: it demonstrates or illustrates the testimony of a witness and is used to aid the judge or jury. It is admissible when, with accuracy sufficient for the task at hand, it fairly and accurately reflects that testimony and is otherwise unobjectionable. Typical examples are photographs, models, maps, diagrams of the scene of an occurrence, animations, experiments, charts, or an illustration offered as proof. Because its purpose is to illustrate testimony, it is authenticated by the witness whose testimony is being illustrated; that witness will usually identify the salient features of the exhibit and testify that it fairly and accurately reflects what he saw or heard on a particular occasion, such as the location of people or things on a diagram.
When seizing evidence from a computer-related crime, the investigator should collect any and all physical evidence, such as the computer, peripherals, notepads, or documentation, in addition to computer-generated evidence. Four types of computer-generated evidence are:
Photographs can be either real or demonstrative evidence depending on how they are
authenticated. When a photograph is authenticated by a witness who observed what is
depicted in it and can testify that it accurately reflects what he saw, the photograph is
demonstrative evidence. When it is authenticated by a technician or other witness who
testifies about the operation of the equipment used to take it, it is real evidence and is, in
the language of the courts, a "silent witness."
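The chain of custody that authenticates real and documentary evidence can be kept in a form that makes any later alteration of the evidence, or of the custody record itself, detectable. The following is an added example and not part of the original course text: a hash-linked custody log in Python. The exhibit identifier, handler names, timestamps and the evidence bytes are constructed for illustration.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hash used to fingerprint the evidence and each log entry."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Every entry stores who handled the item, when, what was done and the hash of
    the item at that moment; it also stores the hash of the previous entry, so an
    edited or removed entry no longer matches what follows it."""

    GENESIS = "0" * 64  # previous-entry hash for the first (acquisition) entry

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, action: str, handler: str, data: bytes, note: str, when: str) -> dict:
        """Append one custody event; `when` is an ISO-8601 timestamp supplied by the caller."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "item_id": self.item_id,
            "seq": len(self.entries),
            "action": action,
            "handler": handler,
            "time": when,
            "note": note,
            "evidence_sha256": sha256_hex(data),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, current_data: bytes) -> list:
        """Return a list of problems; an empty list means record and evidence are intact."""
        if not self.entries:
            return ["no custody entries"]
        problems = []
        prev = self.GENESIS
        acquisition_hash = self.entries[0]["evidence_sha256"]
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {e['seq']} has been altered")
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {e['seq']} does not link to the previous entry")
            if e["evidence_sha256"] != acquisition_hash:
                problems.append(f"evidence hash changed by entry {e['seq']}")
            prev = e["entry_hash"]
        if sha256_hex(current_data) != acquisition_hash:
            problems.append("evidence presented now does not match the acquisition hash")
        return problems


def demo():
    """Constructed walk-through: an intact log, tampered evidence, and an edited log entry."""
    image = b"constructed bytes standing in for a forensic disk image"
    log = CustodyLog("EXHIBIT-A")  # constructed exhibit id
    log.record("acquired", "examiner A", image,
               "imaged the seized drive behind a write blocker", "2024-01-05T09:00:00+00:00")
    log.record("transferred", "evidence custodian", image,
               "sealed and stored in evidence locker 3", "2024-01-05T11:30:00+00:00")
    log.record("checked out", "examiner B", image,
               "analysis", "2024-01-08T08:15:00+00:00")
    intact = log.verify(image)                  # []
    tampered = log.verify(image + b"\x00")      # the evidence no longer matches
    log.entries[1]["handler"] = "someone else"  # a back-dated edit to the record itself
    altered_record = log.verify(image)
    return intact, tampered, altered_record


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered evidence", "edited record"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The evidence hash is checked against the acquisition entry at every step, so a copy that drifts between transfers is reported at the entry where it happened, and an edited entry is caught whether or not its stored hash was recomputed, because recomputing it breaks the link from the entry that follows.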
UNIT 15
PROTECTION OF INFORMATION ASSETS: BC/DR PLANNING & DEVELOPMENT
Businesses need to embed cyber security in corporate governance processes, treating it like any
other business risk, and establish confidence that the basic controls are in place.
The CES (Cyber Essentials Scheme) identified five essential security controls that organizations
must have within their IT systems to ensure that they start mitigating the risk from internet-based
threats.
"Just by establishing a basic level of cyber hygiene through implementing the basic controls will
solve a lot of problems and protect against most low-level threats."
The CES will also offer a way to win customer confidence and competitive advantage by certifying
the level of an organization's compliance with the five controls set out in the guidance.52 A wise
enterprise should ask itself, its directors, its partners or even its senior management how much
risk the business can afford and what the best BCDR solution for the business is. This shows that
the need for BCDR must be ascertained by each and every organization, irrespective of industry.
According to the American Management Association, "About 50% of businesses that suffer from
a major disaster without a disaster recovery plan in place never re-open for business." Corporate
governance using IT governance has increased a corporate officer's liability for business
continuity. Organizations need to meet these business needs, so more senior executives and
security officers are turning to Business Continuity / Disaster Recovery (BC/DR) services that
help them protect their business in the event of a disaster.
employees, vendors, partners and government to ensure the continuity of critical business
functions in the event of a disaster.53
52
http://www.computerweekly.com/news/2240221170/Government-to-help-UK-business-get-cyber-securitybasicsright?asrc=EM_EDA_29532497&utm_medium=EM&utm_source=EDA&utm_campaign=20140523_Government%20to%20help%20UK%20business%20get%20cyber%20security%20basics%20right_
Natural disasters:
▪ Tornadoes
▪ Floods
▪ Blizzards
▪ Earthquakes
▪ Fire
Man-Made Disasters:
▪ Labor: strikes, walkouts, and slow-downs that disrupt services and supplies.
▪ Social-political: war, terrorism, vandalism, civil unrest, protests, demonstrations, cyber-
attacks, hacker activities.
▪ Materials: fires, hazardous materials spills
▪ Utilities: power failures, communications outages, water supply shortages, fuel shortages,
and radioactive fallout from power plant accidents.
53
http://www.iim-edu.org/executivejournal/Whitepaper_BCDR_Best_Practices.pdf
Disasters can take several different forms. Some primarily affect individuals, e.g. hard
drive meltdowns, while others have a larger, collective impact. Disasters such as power
outages, floods, fires, storms, equipment failure, sabotage and terrorism can each cause
short-term disruptions in normal business operations. But recovering from the impact of many of
the aforementioned disasters can take much longer, especially if organizations have not
made preparations in advance. However, if proper preparations have been made, the disaster
recovery process does not have to be exceedingly stressful. Instead the process can be streamlined,
but this facilitation of recovery will only happen where preparations have been made.
Organizations that take the time to implement disaster recovery plans ahead of time often ride out
catastrophes with minimal or no loss of data, hardware, or business revenue. This in turn allows
them to maintain the faith and confidence of their customers and investors.54
Some disasters can be insured against, and the loss can be minimized. For example: in a fire in the
building, the loss of the entire value of the building, as well as of the assets present in it, is
minimized by the insurance claim. But not all losses can be insured. For example: a system
administrator, while leaving the job, formatted the hard drive, and the company lost the entire data
of the last 3 years, for which no backup was present. This loss due to human behavior cannot be
insured.
Preparedness: Every organization should anticipate all the threats associated with the type of
industry in which it is serving or doing business. For example: a petrol pump owner can anticipate
loss during transport, i.e. road accidents, loss due to an increase in temperature, loss due to fire at
the petrol pump, loss due to human error, negligence, etc., and has to implement the necessary
precautions.55
54
http://www.techradar.com/news/software/security-software/the-advantages-of-unified-threat-management-
Response: With the same example, the petrol pump should take out transit insurance, install
fire extinguishers, train the employees in the emergency procedures, install smoke detectors,
keep sand buckets ready, etc.
Recovery: In case of an actual fire, the sand buckets and fire extinguishers are to be used
appropriately. Since all the employees are trained and know how to execute the emergency
recovery plan, the recovery can be done with minimum damage.
Mitigation: Either from disasters the organization itself has faced or from those of the industry to
which it belongs, disasters can be anticipated and new plans made accordingly to mitigate such threats.
Business continuity planning (BCP) / disaster recovery planning (DRP) is the factor that
makes the critical difference between organizations that can successfully manage crises with
minimal cost and effort and maximum speed, and organizations forced to make decisions out of
desperation.
Detailed disaster recovery plans can prevent many problems experienced by an organization in
times of disaster. By having practiced plans, not only for equipment and network recovery but also
plans that precisely outline what steps each person involved in recovery efforts should
undertake, an organization can improve its recovery time and minimize the time
that its normal business functions are disrupted. Thus it is vitally important that disaster recovery
plans be carefully laid out and regularly updated. Organizations need to put systems in place to
regularly train their network engineers and managers.
There are several options available for organizations to use once they decide to begin creating
their disaster recovery plan. The first and often most accessible resource a business can draw on
is its own experienced managers, who can help craft a plan that fits the recovery needs specific
to the organization. For organizations that do not have this type of expertise in house, there are
a number of outside options that can be called on, such as trained consultants and specially
designed software.
One of the most common practices used by responsible organizations is a disaster recovery plan
template. While templates might not cover every need specific to every organization, they are a
great place from which to start one's preparation. Templates help make the preparation process
more straightforward. They provide guidance and can even reveal aspects of disaster recovery
that might otherwise be forgotten.
55
http://itfirstaid.ca/services/disaster-recovery/
The primary goal of any BCP/disaster recovery plan is to help the organization maintain its
business continuity, minimize damage, and prevent loss. Thus the most important question to
ask when evaluating a disaster recovery plan is, "Will the plan work?" The best way to ensure the
reliability of one's plan is to practice it regularly. Have the appropriate people actually practice
what they would do to help recover business functions if a disaster occurs. Regular reviews
and updates of recovery plans should also be scheduled. Some organizations find it helpful to do this
on a monthly basis, so that the plan stays current and reflects the organization's current situation.
The unfortunate event in the life of mankind, i.e. the attack on the World Trade Center on 9/11, taught a
big lesson to the entire world as well as to all industries. Business Continuity (BC) and Disaster
Recovery (DR) are the watchwords of businesses in the Information Technology (IT) world.
The predominant role of Wide Area Networks (WANs) in almost all major fields of business
has made it imperative for IT and network managers across the globe to accelerate their
network infrastructure and also devise workable BC/DR plans.
Following are the reasons why management should have a concrete, tested plan for BC/DR:
▪ Customers expect supplies and service to continue or resume rapidly in all situations.
▪ Shareholders expect management control to remain operational in any crisis.
▪ Employees expect both their lives and livelihoods to be protected.
▪ Suppliers expect their revenue stream to continue.
▪ Regulatory agencies expect their requirements to be met, regardless of circumstances.
56
CISAuditor_Study_Guide.pdf
The primary objective of a disaster recovery plan and business continuity plan is to describe
how an organization is to deal with potential natural or human-induced disasters.
15.4 THE DISASTER RECOVERY PLAN STEPS:
Every enterprise incorporates, as part of its business management, guidelines and
procedures to be undertaken to effectively respond to and recover from disaster
scenarios that adversely impact information systems and business operations. Plan steps
that are well constructed and implemented will enable organizations to minimize the effects of the
disaster and resume mission-critical functions quickly.57
• Contingency Plan – To manage an external event that has far-reaching impact on the
business.
57
http://www.iim-edu.org/executivejournal/Whitepaper_BCDR_Best_Practices.pdf
BCDR Plan:
Business Continuity Policy:
BCP policy creation is important. The first step in this is to understand the organization and
identify its mission-critical processes, technology, data and people. The BCP policy designer
should know how the company works. The planner can create a process chart to understand the
company. The process chart covers all processes of the organization, e.g. from operational processes like
stationery supplies to strategic processes like a new product launch. The planner needs
to look at the following things:
• Data
• Process
• Network
• People
• Time required for each process
• Interdependencies of processes
BCP is commonly taken to cover mainly backing up data and providing system redundancy, but this is only
one small part of BCP. Disaster recovery also includes things like shifting people to a proper place,
developing ways of carrying out automated tasks manually, documenting needed
configurations, and alerting business processes to maintain critical functions.
Business continuity is also part of the security policy and program. Every business organization is
there to make a profit. This is the rational objective of every business organization, so the plans are
prepared to achieve this objective. The main reason to develop the plans is to reduce the risk of
financial loss by improving the company's ability to recover and restore operations. This includes
the goal of mitigating the effects of the disaster. Many companies feel that they do not have the
time or resources to devote to a disaster recovery plan. BCP is ultimately the responsibility of
top management. Disruptions in business need to be managed using wisdom and foresight.
The BCP policy can be designed by considering process management and incident management.
Incident Management:
Business activity is dynamic, so incidents and crises are also dynamic, and they need dynamic
management along with proactive action. An incident is any unexpected event. It may
cause damage or may not. Depending on an estimation of the level of damage to the organization,
all types of incidents should be categorized. A classification system could include the following
categories: negligible, minor, major and crisis. Any such classification is dynamically provisional
until the incident is resolved.
• Minor events: Minor events are those that are not negligible but produce no negative material or
financial impact.
• Major incidents: Major incidents cause a negative material impact on business processes and
may affect other systems, departments or even outside clients.
• Crisis: A crisis is a major incident that can have a serious material impact on the continued
functioning of the business and may also adversely impact other systems or third parties. How
serious they are depends on the industry and circumstances, but severity is generally directly
proportional to the time elapsed from the inception of the incident to its resolution.
Risk Assessment:
The risk assessment step is critical and has a significant bearing on whether business continuity
planning efforts will be successful. If the threat scenarios developed are unreasonably limited,
the resulting BCP may be inadequate. During the risk assessment step, business processes and the
business impact analysis assumptions are stress tested with various threat scenarios. This will
result in a range of outcomes, some that require no action for business processes to be successful
and others that will require significant BCPs to be developed and supported with resources
(financial and personnel). The organization should develop realistic threat scenarios that may
potentially disrupt its business processes and its ability to meet its clients' expectations (internal,
business partners, or customers).
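The planner's checklist above (data, process, network, people, interdependencies) and the risk assessment step can be exercised together. The following is an added example in Python and not part of the original course text: a constructed process chart is stress-tested against constructed threat scenarios, the loss of resources is propagated along process dependencies, and any scenario that reaches a mission-critical process is flagged as needing a resourced BCP. It also lists single points of failure, i.e. resources whose loss alone stops more than one critical process. All process, resource and scenario names are assumptions made for the example.

```python
from collections import deque

# Constructed process chart: what each process needs directly (data, network,
# people, site) and which other processes it depends on.
PROCESSES = {
    "order_intake":   {"needs": {"web_portal", "customer_db", "sales_staff"},
                       "depends_on": set(), "critical": True},
    "fulfilment":     {"needs": {"warehouse_site", "inventory_db", "warehouse_staff"},
                       "depends_on": {"order_intake"}, "critical": True},
    "invoicing":      {"needs": {"erp", "customer_db", "finance_staff"},
                       "depends_on": {"fulfilment"}, "critical": True},
    "payroll":        {"needs": {"erp", "finance_staff"},
                       "depends_on": set(), "critical": True},
    "stationery":     {"needs": {"office_site"},
                       "depends_on": set(), "critical": False},
    "product_launch": {"needs": {"marketing_staff", "web_portal"},
                       "depends_on": {"order_intake"}, "critical": False},
}

# Constructed threat scenarios: the resources each one takes away.
SCENARIOS = {
    "flood_at_warehouse": {"warehouse_site", "warehouse_staff"},
    "erp_outage": {"erp"},
    "office_fire": {"office_site", "finance_staff", "sales_staff"},
    "power_outage_short": set(),  # assumed covered by UPS: nothing is lost
}


def impacted_processes(lost_resources, processes=PROCESSES):
    """Processes that stop, either directly or through a chain of dependencies."""
    down = {p for p, spec in processes.items() if spec["needs"] & lost_resources}
    queue = deque(down)
    while queue:
        p = queue.popleft()
        for q, spec in processes.items():
            if p in spec["depends_on"] and q not in down:
                down.add(q)
                queue.append(q)
    return down


def stress_test(scenarios=SCENARIOS, processes=PROCESSES):
    """Per scenario: affected processes and whether a BCP must be developed,
    which is the case only when a mission-critical process is hit."""
    report = {}
    for name, lost in scenarios.items():
        down = impacted_processes(lost, processes)
        critical_down = sorted(p for p in down if processes[p]["critical"])
        report[name] = {
            "affected": sorted(down),
            "critical_affected": critical_down,
            "needs_bcp": bool(critical_down),
        }
    return report


def single_points_of_failure(processes=PROCESSES):
    """Resources whose loss alone stops more than one critical process."""
    resources = set().union(*(spec["needs"] for spec in processes.values()))
    spof = {}
    for r in sorted(resources):
        hit = sorted(p for p in impacted_processes({r}, processes) if processes[p]["critical"])
        if len(hit) > 1:
            spof[r] = hit
    return spof


if __name__ == "__main__":
    for scenario, result in stress_test().items():
        print(f"{scenario}: {result}")
    print("single points of failure:", single_points_of_failure())
```

The dependency propagation is what a flat checklist misses: the warehouse flood never touches the ERP, yet invoicing stops because it waits on fulfilment, so the BCP for that scenario has to cover finance as well as the warehouse.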
UNIT 16
VIRTUALIZATION
Objectives:-
16.1 Basic Concept of Virtualization
16.2 Data Center Virtualization
16.3 Desktop Virtualization
16.4 Network Virtualization
16.5 Server Virtualization
16.6 Load Balancing with Virtualization
Single OS:
• Hardware and software are tightly coupled.
• If an application crashes, it affects the whole machine.
• Resources are under-utilized.
Virtual Machine:
• Independent of the hardware.
• Multiple OSs (isolated applications).
• Safely multiplexes resources across virtual machines (VMs).
That "aggregation" piece is important because, unlike server virtualization, which splits servers,
network-based application virtualization abstracts applications, making many instances appear to
be one.
Network-based application virtualization resides in the network, in the application delivery tier of
the architecture. This tier is normally physically deployed somewhere near the edge of the data center
(the perimeter) and acts as the endpoint for user requests. In other words, a client request to
http://www.example.com is answered by an application delivery controller (load balancer), which
in turn communicates internally with applications that may be virtualized or not, local or in a public
cloud.
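To make concrete how an application delivery controller lets many instances appear as one endpoint, here is an added example, not part of the original course text and not any vendor's product: a small least-connections balancer in Python with a health check that takes failed instances out of rotation and a 503 answer when no instance can serve. Backend names, the request strings and the probe are constructed.

```python
import itertools


class Backend:
    """One application instance behind the controller."""

    def __init__(self, name: str):
        self.name = name
        self.healthy = True
        self.active = 0  # requests currently in flight on this instance


class AppDeliveryController:
    """A single public endpoint (think www.example.com) hiding N application instances.

    Selection: fewest in-flight connections among healthy instances, round-robin
    to break ties, so the pool looks like one server to the client."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._rr = itertools.count()

    def health_check(self, probe) -> list:
        """probe(backend) -> bool. Failing instances leave rotation; returns names still in service."""
        for b in self.backends:
            b.healthy = bool(probe(b))
        return [b.name for b in self.backends if b.healthy]

    def pick(self):
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            return None
        least = min(b.active for b in healthy)
        candidates = [b for b in healthy if b.active == least]
        return candidates[next(self._rr) % len(candidates)]

    def handle(self, request: str, app) -> tuple:
        """Dispatch one request; app(backend, request) -> response body.
        Returns (status, body, instance name)."""
        b = self.pick()
        if b is None:
            return (503, "service unavailable", None)  # no instance can serve
        b.active += 1
        try:
            return (200, app(b, request), b.name)
        finally:
            b.active -= 1


def echo_app(backend, request):
    """Constructed application: reports which instance served the request."""
    return f"{backend.name} served {request}"


def demo():
    pool = [Backend("app-1"), Backend("app-2"), Backend("app-3")]  # constructed names
    adc = AppDeliveryController(pool)
    before = [adc.handle(f"GET /item/{i}", echo_app)[2] for i in range(6)]
    adc.health_check(lambda b: b.name != "app-2")  # constructed probe: app-2 fails
    after = [adc.handle(f"GET /item/{i}", echo_app)[2] for i in range(4)]
    pool[2].active = 5  # simulate slow requests still in flight on app-3
    busy = adc.pick().name  # least-connections steers new work away from the busy instance
    return before, after, busy


if __name__ == "__main__":
    print(demo())
```

The client only ever sees the controller's address and a status code; which of the instances answered, and that one of them dropped out, is invisible to it. That is the abstraction the text calls aggregation.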
❖ TYPES OF VIRTUALIZATION
• Full virtualization
• OS level virtualization
• Para virtualization
➢ Full virtualization
As the name suggests, everything in a system is virtualized, which includes the processor, storage,
networking components etc. VirtualBox and VMware are examples of "full virtualization"
solutions.
➢ OS Level virtualization:
In this type of virtualization only applications are run inside the software. In this case the
application is given a platform to work on. Isolation is created and the application is made to believe
that it is the only thing running on the system.58
58
www.vmware.com
➢ Paravirtualization:
It's a semi-virtualized environment created for the guest OS. A modified guest OS is created using
a hypervisor. "The intent of the modified interface is to reduce the portion of the guest's execution
time spent performing operations which are substantially more difficult to run in a virtual
environment compared to a non-virtualized environment. Paravirtualization provides specially
defined 'hooks' to allow the guest(s) and host to request and acknowledge these tasks, which
would otherwise be executed in the virtual domain (where execution performance is worst). A
successful paravirtualized platform may allow the virtual machine monitor (VMM) to be simpler
(by relocating execution of critical tasks from the virtual domain to the host domain), and/or reduce
the overall performance degradation of machine-execution inside the virtual guest."
Advantages of Virtualization:
• One of the biggest advantages of virtualization is scalability, i.e. the ability to expand.
Whenever there is excessive load on some part of an application on a server, you can easily
create a similar virtual environment on a different server and configure the setup.
• Hardware maintenance cost is reduced because you don't need many servers to install
different applications.
• You can save a huge amount of energy by running one physical server instead of many,
and less power backup is required.
• You can get faster and safer backups by taking a live snapshot while the server is running.
• You get centralized monitoring of your resources, as virtualization provides an easy way
of connecting and maintaining your virtual servers.59
59
http://www.technofreaky.com/a-beginners-guide-to-virtualization/
A Virtual Datacenter is a pool of cloud infrastructure resources designed specifically for enterprise
business needs. Those resources include compute, memory, storage and bandwidth.
Desktop virtualization can be used in conjunction with application virtualization and user profile
management systems, now termed "user virtualization", to provide a comprehensive desktop
environment management system. In this mode, all the components of the desktop are virtualized,
which allows a highly flexible and much more secure desktop delivery model. In addition, this
approach supports a more complete desktop disaster recovery strategy, as all components are
essentially saved in the data center and backed up through traditional redundant maintenance
systems. If a user's device or hardware is lost, the restore is much more straightforward and simple,
because basically all the components will be present at login from another device. In addition,
because no data is saved to the user's device, if that device is lost, there is much less chance that
any critical data can be retrieved and compromised. Below are more detailed descriptions of the
types of desktop virtualization technologies that will be used in a typical deployment.60
60
www.vmware.com
As companies continue to virtualize their server environment, they are facing a new set of
challenges. The increasingly demanding business environment requires application services to be
deployed more quickly, and updating and upgrading these services has to be done more rapidly
and efficiently. VM's application-driven virtualization approach not only provides the traditional
server virtualization benefits of consolidation, reliability and flexibility but also delivers a unique
integrated solution for addressing critical business needs.
Virtualization technologies are used to increase the utilization of server hardware and allow a
more efficient use of those servers. Nowadays, there is a wide range of existing High Availability
(HA) solutions which guarantee the availability of all virtual machines. There are just a few
commercial solutions available for allocating virtual machines during their operation time to
optimize the actual server workload (e.g. Distributed Resource Scheduler (DRS), Virtual Iron
LiveCapacity). Virtualization technologies allow the actual server workload to be optimized, but the
host presents a single point of failure for all the virtualized systems on it. The Red Hat Cluster Suite
is an approved solution for high availability and can be used in a project to combine virtualization
and load balancing.
Load balancing with virtualization
The virtualization project far exceeded the company's goals, paying for itself in just six months.
The department experienced significant reductions in hardware, software and operations costs.
Virtualization helped make the company more agile and responsive to business unit needs. The
business units experienced dramatic reductions in the time to procure a new server. One business
unit remarked after the virtualization project that they received a new (virtual) machine in just
three hours from signing off on the internal order. In addition to cost savings, the virtualization
project improved the company's test and development environment and disaster recovery ability,
while minimizing planned downtime.
The company is enthusiastic about virtualization and is considering how it can be incorporated into
other aspects of its IT infrastructure. In its near-term projects, the company is looking to expand
its virtual infrastructure as well as engage VMware Capacity Planning Services for its remote
locations. The company plans to move legacy systems onto a virtual infrastructure, migrating these
applications from local storage to fully networked SAN storage. Meanwhile, the company is also
examining the rest of its infrastructure to see where additional servers can be targeted for
consolidation.
UNIT - 17
CLOUD COMPUTING
Objectives:-
17.1 Definition of cloud
17.2 Cloud Architecture
17.3 Advantages of cloud
17.4 Types of Cloud
17.5 Cloud Services
Introduction:
When you store your photos online instead of on your home computer, or use webmail or a social
networking site, you are using a "cloud computing" service. If, as an organization, you use an
online invoicing service instead of updating the in-house one, that online invoicing service is a
"cloud computing" service.
Cloud services allow individuals and businesses to use software and hardware that are managed
by third parties at remote locations. Examples of cloud services include online file storage, social
networking sites, webmail, and online business applications. The cloud computing model
allows access to information and computer resources from anywhere that a network connection is
available. Cloud computing provides a shared pool of resources, including data storage space,
networks, computer processing power, and specialized corporate and user applications.61
For example, one way to think of cloud computing is to consider your experience with email. Your
email provider, whether it is Yahoo!, Gmail, Hotmail, and so on, takes care of housing all of the hardware
and software necessary to support your personal email account. When you want to access your
email you open your web browser, go to the email site, and log in. The most important part of
the equation is having internet access. Your email is not housed on your physical computer; you
access it through an internet connection, and you can access it anywhere. If you are on a trip, at
work, or down the street getting coffee, you can check your email as long as you have access to
the internet. Your email is different from software installed on your computer, such as a word
processing program. When you create a document using word processing software, that document
stays on the device you used to make it unless you physically move it. An email account is similar
to how cloud computing works, except that instead of accessing just your email, you can choose what
information you have access to within the cloud.62
61
http://csrc.nist.gov/groups/SNS/cloudcomputing/
1. Almost zero upfront infrastructure investment: If you have to build a large-scale system it
may be costly to invest in real estate, hardware (racks, machines, routers, backup power supplies),
hardware management (power management, cooling), operations personnel, etc. Because
of the upfront costs, it would typically need several rounds of management approval before
the project could even get started. Now, with utility-style computing, there is no fixed cost or
startup cost.
2. Just-in-time infrastructure: In the past, if you got famous and your systems or your
infrastructure did not scale, you became a victim of your own success. Conversely, if you
invested heavily and did not get famous, you became a victim of your failure. By deploying
applications in the cloud with dynamic capacity management, software architects do not have
to worry about pre-procuring capacity for large-scale systems. The solutions are low risk
because you scale only as you grow. Cloud Architectures can relinquish infrastructure as
quickly as you got it in the first place (in minutes).
3. More efficient resource utilization: System administrators usually worry about hardware
procurement (when they run out of capacity) and better infrastructure utilization (when they have
excess and idle capacity). With Cloud Architectures they can manage resources more
effectively and efficiently by having the applications request and relinquish only the resources
they need (on demand).
4. Usage-based costing: Utility-style pricing allows billing the customer only for the
infrastructure that has been used. The customer is not liable for the entire infrastructure that
may be in place. This is a subtle difference between desktop applications and web applications.
A desktop application or a traditional client-server application runs on the customer's own
infrastructure (PC or server), whereas in a Cloud Architectures application the customer uses
a third party's infrastructure and gets billed only for the fraction of it that was used.
5. Potential for shrinking the processing time: Parallelization is one of the great ways to
speed up processing. If one compute- or data-intensive job that can be run in parallel takes 500
hours to process on one machine, with Cloud Architectures it would be possible to spawn and
launch 500 instances and process the same job in 1 hour. Having an elastic
infrastructure available provides the application with the ability to exploit parallelization in a
cost-effective manner, reducing the total processing time.
62
http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf.
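The 500-hours-on-one-machine case can be worked through in code, and extended to jobs whose units are not all the same size, where the largest unit bounds the achievable speed-up and per-hour billing can cost more when work is split too finely. The following is an added Python example and not part of the original course text: it assigns independent work units to N instances (largest units first, each to the least-loaded instance), reports wall-clock time and billed instance-hours under an assumed per-started-hour billing model, and finds the smallest N that meets a deadline. Unit sizes, the hourly rate and the deadlines are constructed values.

```python
import heapq
import math


def schedule(unit_hours, n_instances):
    """Assign independent work units to n instances, largest unit first, always to the
    least-loaded instance (the LPT heuristic). Returns hours of work per instance."""
    if n_instances < 1:
        raise ValueError("need at least one instance")
    heap = [(0.0, i) for i in range(n_instances)]  # (load, instance index)
    loads = [0.0] * n_instances
    for u in sorted(unit_hours, reverse=True):
        load, i = heapq.heappop(heap)
        load += u
        loads[i] = load
        heapq.heappush(heap, (load, i))
    return loads


def estimate(unit_hours, n_instances, rate_per_instance_hour):
    """Wall-clock time and bill for running the job on n instances.
    Assumption: an instance is billed for every started hour it runs (utility pricing)."""
    loads = schedule(unit_hours, n_instances)
    billed = sum(math.ceil(load) for load in loads if load > 0)
    return {
        "instances": n_instances,
        "wall_clock_hours": max(loads),
        "billed_instance_hours": billed,
        "cost": round(billed * rate_per_instance_hour, 2),
    }


def instances_needed(unit_hours, deadline_hours):
    """Smallest n whose schedule finishes within the deadline (just-in-time capacity),
    or None when even a single unit on its own is longer than the deadline."""
    if max(unit_hours) > deadline_hours:
        return None
    for n in range(1, len(unit_hours) + 1):
        if max(schedule(unit_hours, n)) <= deadline_hours:
            return n
    return len(unit_hours)


def demo():
    rate = 0.10  # constructed price per instance-hour
    even_job = [1.0] * 500  # the text's job: 500 equal one-hour units
    uneven_job = [3.0, 3.0, 2.0, 1.0, 1.0]  # constructed: the biggest unit bounds the speed-up
    return {
        "even_1": estimate(even_job, 1, rate),
        "even_500": estimate(even_job, 500, rate),
        "even_deadline_50h": instances_needed(even_job, 50.0),
        "uneven_2": estimate(uneven_job, 2, rate),
        "uneven_5": estimate(uneven_job, 5, rate),
        "uneven_10": estimate(uneven_job, 10, rate),
        "uneven_deadline_2h": instances_needed(uneven_job, 2.0),
        "fractional_1": estimate([2.5, 0.5], 1, rate),
        "fractional_2": estimate([2.5, 0.5], 2, rate),  # rounding up started hours costs extra
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With 500 equal units the bill is the same 500 instance-hours whether one instance runs for 500 hours or 500 run for one, which is the usage-based costing point; the uneven job shows that beyond five instances nothing gets faster, and the fractional job shows two instances billed four hours where one is billed three.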
There are different types of clouds that you can subscribe to depending on your needs. As a
home user or small business owner, you will most likely use public cloud services.
1. Public Cloud - A public cloud can be accessed by any subscriber with an internet connection
and access to the cloud space.
2. Private Cloud - A private cloud is established for a specific group or organization and limits
access to just that group.
3. Community Cloud - A community cloud is shared among two or more organizations that have
similar cloud requirements.
4. Hybrid Cloud - A hybrid cloud is essentially a combination of at least two clouds, where the
clouds included are a mixture of public, private, or community.
Each provider serves a specific function, giving users more or less control over their cloud
depending on the type. When you choose a provider, compare your needs to the cloud services
available. Your cloud needs will vary depending on how you intend to use the space and resources
associated with the cloud. If it will be for personal home use, you will need a different cloud type
and provider than if you will be using the cloud for business. Keep in mind that your cloud provider
will be pay-as-you-go, which means that if your technological needs change at any point you can
purchase more storage space (or less, for that matter) from your cloud provider.
There are three types of cloud providers that one can subscribe to: Software as a Service (SaaS),
Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). These three types differ in the
amount of control that you have over your information, and conversely, how much you can expect
your provider to do for you. Briefly, here is what you can expect from each type.
➢ Software as a Service - A SaaS provider gives subscribers access to both resources and
applications. In SaaS, it is not necessary for you to have a physical copy of software to install
on your devices. SaaS also makes it easier to have the same software on all of your devices at
once by accessing it in the cloud. In a SaaS agreement, you have the least control over the
cloud.
➢ Platform as a Service - A PaaS system goes a level above the Software as a Service setup. A
PaaS provider gives subscribers access to the components that they require to develop and
operate applications over the internet.
➢ Infrastructure as a Service - An IaaS agreement, as the name states, deals primarily with
computational infrastructure. In an IaaS agreement, the subscriber completely outsources the
storage and resources, such as hardware and software, which they need.63
Cloud Architecture
63
http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf.
* * *
Disclaimer: We have mentioned all the links from where we have collected the material to develop this course to the best of
our knowledge & belief.