Along with easy access to information comes risk, including the loss of valuable information and information being stolen, altered or misused. Information held on computer networks is more vulnerable than information that is printed and locked in a filing cabinet. Intruders can steal it without ever entering an office or home, and need not even be in the same country. The importance of information security to the owners of that information has therefore become critical.
Common Types of Attacks
Malware is a term used to describe malicious software, including
spyware, ransomware, viruses, and worms. Malware breaches a
network through a vulnerability, typically when a user clicks a
dangerous link or email attachment that then installs risky software.
Once inside the system, malware can do the following:
● Blocks access to key components of the network (ransomware)
● Installs malware or additional harmful software
● Covertly obtains information by transmitting data from the
hard drive (spyware)
● Disrupts certain components and renders the system inoperable
Phishing
Phishing attacks are the practice of sending
fraudulent communications that appear to
come from a reputable source. It is usually
done through email. The goal is to steal sensitive
data like credit card and login information, or to
install malware on the victim's machine.
Man in the Middle Attack
Man-in-the-middle (MitM) attacks, also known as eavesdropping
attacks, occur when attackers insert themselves into a two-party
transaction. Once the attackers interrupt the traffic, they can filter and
steal data.
Two common points of entry for MitM attacks:
1. On unsecured public Wi-Fi, attackers can insert themselves between a visitor's device and the network. Without realizing it, the visitor passes all information through the attacker.
2. Once malware has breached a device, an attacker can install
software to process all of the victim’s information.
Denial of service attack
A denial-of-service attack floods systems, servers,
or networks with traffic to exhaust resources and
bandwidth. As a result, the system is unable to
fulfill legitimate requests. Attackers can also use
multiple compromised devices to launch this
attack.
Hacking
▣ Hacking is an attempt to exploit a computer system or a private network.
▣ Simply put, it is unauthorised access to, or control over, computer network security systems for some illicit purpose.
What Types of Hacking can be done
▣ Website
▣ Network
▣ Ethical
▣ E-mail
▣ Password
▣ Online Banking
▣ Computer
Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy violations.
• Any malicious venture or violation is normally reported
either to an administrator or collected centrally using a
security information and event management (SIEM)
system.
• A SIEM system integrates outputs from multiple sources
and uses alarm filtering techniques to differentiate
malicious activity from false alarms.
• Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms. Hence, organizations need to fine-tune their IDS products when they first install them. This means setting up the intrusion detection system so that it recognizes what normal traffic on the network looks like, as compared to malicious activity.
• Intrusion prevention systems (IPS) also monitor inbound network packets for malicious activity and immediately send warning notifications.
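The tuning the slides describe, teaching the IDS what normal traffic looks like so that real attacks stand out from false alarms, is easiest to see in code. The following is an added example, not part of the original material: a toy IDS in Python that applies a signature rule (a known-bad pattern in the request path) and an anomaly rule (a failed-login count outside the baseline learned from normal traffic), then collapses repeated alerts the way a SIEM's alarm filtering would. The log lines, the rule names and the k threshold are all constructed for illustration.

```python
"""Toy IDS: signature rule + baseline-tuned anomaly rule + SIEM-style alert filtering.
Added example; every log line, rule and threshold below is constructed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access-log lines in the form "<source ip> <method> <path> <status>".
# A quiet period used to learn the baseline of what normal traffic looks like.
NORMAL_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 POST /login 401
10.0.0.5 POST /login 302
10.0.0.7 GET /index.html 200
10.0.0.7 POST /login 302
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 302
""".splitlines()

# A later window: one user mistypes a password twice, while another source
# probes for a file outside the web root and hammers the login form.
LIVE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 POST /login 401
10.0.0.5 POST /login 401
10.0.0.5 POST /login 302
203.0.113.8 GET /static/../../config.ini 404
203.0.113.8 POST /login 401
203.0.113.8 POST /login 401
203.0.113.8 POST /login 401
203.0.113.8 POST /login 401
203.0.113.8 POST /login 401
203.0.113.8 POST /login 401
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3})$")

def parse(lines):
    """Turn raw lines into records; lines that do not fit the format are dropped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            src, method, path, status = m.groups()
            records.append({"src": src, "method": method, "path": path, "status": int(status)})
    return records

# Signature-based detection: known-bad patterns applied to the request path.
SIGNATURES = [("path-traversal", re.compile(r"\.\./"))]

def signature_alerts(records):
    return [(r["src"], name) for r in records
            for name, pattern in SIGNATURES if pattern.search(r["path"])]

def failed_logins_per_source(records):
    """Count HTTP 401s on POST /login for every source seen (zero counts included)."""
    counts = Counter({r["src"]: 0 for r in records})
    for r in records:
        if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401:
            counts[r["src"]] += 1
    return counts

def learn_baseline(records):
    """Anomaly-based detection, step 1: summarise normal failed-login behaviour."""
    counts = list(failed_logins_per_source(records).values()) or [0]
    return mean(counts), pstdev(counts)

def anomaly_alerts(records, baseline, k):
    """Step 2: flag sources more than k standard deviations above the baseline mean.
    k is the tuning knob the slides refer to: a small k catches more but raises false alarms."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return [(src, "failed-login-burst")
            for src, n in failed_logins_per_source(records).items() if n > threshold]

def siem_filter(alerts):
    """Alarm filtering: collapse duplicates so an analyst sees one row per (source, rule)."""
    return Counter(alerts)

if __name__ == "__main__":
    baseline = learn_baseline(parse(NORMAL_LOG))
    live = parse(LIVE_LOG)
    for k in (1, 3):
        alerts = signature_alerts(live) + anomaly_alerts(live, baseline, k)
        print(f"k={k}:", dict(siem_filter(alerts)))
```

With k=1 the detector flags the legitimate user 10.0.0.5, who mistyped a password twice, alongside the real burst from 203.0.113.8; with k=3 only the burst remains. That trade-off between missed detections and false alarms is exactly what the initial tuning period described above is for.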
Classification of Intrusion Detection Systems
Detection Method of IDS
Selecting an IDS Solution
• An IDS is a valuable component of any organization’s cybersecurity
deployment. A simple firewall provides the foundation for network
security, but many advanced threats can slip past it. An IDS adds an
additional line of defense, making it more difficult for an attacker to gain
access to an organization’s network undetected.
• When selecting an IDS solution, it is important to carefully consider the deployment scenario. In some cases, an IDS may be the best choice for the job, while in others the integrated protection of an IPS may be a better option. Using a next-generation firewall (NGFW) with built-in IDS/IPS functionality provides an integrated solution, simplifying threat detection and security management.
IDS vs Firewalls
Cryptography is the technique of securing information and communications through the use of codes, so that only the people for whom the information is intended can understand and process it, thus preventing unauthorized access to the information. The prefix "crypt" means "hidden" and the suffix "graphy" means "writing".

In cryptography, the techniques used to protect information are derived from mathematical concepts and from sets of rule-based calculations, known as algorithms, that transform messages in ways that make them hard to decode. These algorithms are used for cryptographic key generation, digital signing and verification, protecting data privacy and web browsing on the internet, and protecting confidential transactions such as credit card and debit card payments.

Techniques used for cryptography:

In today's age of computers, cryptography is usually associated with the process in which ordinary plain text is converted into cipher text, text constructed so that only the intended receiver can decode it; this process is known as encryption. The reverse process, converting cipher text back into plain text, is known as decryption.

Features of cryptography are as follows:

1. Confidentiality:
Information can only be accessed by the person for whom it is intended; no one else can access it.
2. Integrity:
Information cannot be modified, in storage or in transit between sender and intended receiver, without the change being detected.
3. Non-repudiation:
The creator/sender of information cannot, at a later stage, deny his or her intention to send the information.
4. Authentication:
The identities of sender and receiver are confirmed, as are the origin and destination of the information.
Types of cryptography:

In general there are three types of cryptography:

1. Symmetric Key Cryptography:
An encryption system in which the sender and receiver of a message use a single common key to encrypt and decrypt messages. Symmetric key systems are faster and simpler, but the problem is that sender and receiver have to exchange the key in a secure manner somehow. The most popular symmetric key cryptography system is the Data Encryption Standard (DES).
2. Hash Functions:
No key is used in this kind of algorithm. A fixed-length hash value is calculated from the plain text, which makes it impossible to recover the contents of the plain text. Many operating systems use hash functions to protect stored passwords.
3. Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and decrypt information. A public key is used for encryption and a private key is used for decryption. The public key and private key are different. Even though the public key is known to everyone, only the intended receiver can decode the message, because he alone knows the private key.
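To make the three categories concrete, here is an added Python example (not part of the original slides) showing what "one shared key", "no key" and "a public/private pair" mean in practice. The symmetric cipher is a toy stream cipher built from SHA-256, and the RSA key pair uses the small textbook primes 61 and 53; both are teaching constructions, not cipher choices for real systems. Password storage uses PBKDF2 with a random salt, which is the shape of what operating systems do with login passwords.

```python
"""Symmetric, hash and asymmetric primitives side by side (added teaching example)."""
import hashlib
import hmac
import os

# --- 1. Symmetric key: the same secret encrypts and decrypts -------------------
def keystream(key, nonce, length):
    """Toy stream cipher: expand key||nonce||counter with SHA-256 (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_encrypt(key, nonce, plaintext):
    """XOR the plaintext with the keystream; the same call with the same key undoes it."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

symmetric_decrypt = symmetric_encrypt  # XOR is its own inverse: one shared key, both directions

# --- 2. Hash function: no key, fixed-length output, not reversible ------------
def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored pair (salt, digest) never reveals the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)

# --- 3. Asymmetric key: public key encrypts, only the private key decrypts ----
def rsa_keypair(p, q, e=17):
    """Textbook RSA from two primes (toy sizes; real keys use 2048-bit or larger moduli)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)

def rsa_encrypt(public_key, m):
    e, n = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    d, n = private_key
    return pow(c, d, n)

if __name__ == "__main__":
    key, nonce = b"shared-secret-key", b"nonce-01"
    ct = symmetric_encrypt(key, nonce, b"meet at noon")
    print("symmetric:", ct.hex(), "->", symmetric_decrypt(key, nonce, ct))

    salt, digest = hash_password("correct horse battery")
    print("hash: digest length", len(digest),
          "verify:", verify_password("correct horse battery", salt, digest))

    public, private = rsa_keypair(61, 53)
    c = rsa_encrypt(public, 65)
    print("asymmetric:", public, private, "65 ->", c, "->", rsa_decrypt(private, c))
```

The three sections differ exactly where the slide says they do: the symmetric functions need the same key on both sides, the password functions keep no key at all and cannot be run backwards, and the RSA pair lets anyone holding (e, n) encrypt while only the holder of (d, n) can decrypt.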

Internet Security Standards

To make cybersecurity measures explicit, written norms are required. These norms are known as cybersecurity standards: generic sets of prescriptions for the ideal execution of certain measures. Standards may take the form of methods, guidelines, reference frameworks, etc. They ensure the effectiveness of security, facilitate integration and interoperability, enable meaningful comparison of measures, reduce complexity, and provide structure for new developments.

A security standard is "a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition." The goal of security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. Well-written cybersecurity standards enable consistency among product developers and serve as a reliable reference for purchasing security products.

Security standards are generally provided for all organizations regardless of their size or the industry and sector in which they operate. This section includes information about each standard that is usually recognized as an essential component of any cybersecurity strategy.
1. ISO
ISO stands for International Organization for Standardization. International Standards make things work. These standards provide a world-class specification for products, services and computers, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade.

ISO was officially established on 23 February 1947. It is an independent, non-governmental international organization. Today, it has a membership of 162 national standards bodies and 784 technical committees and subcommittees to take care of standards development. ISO has published over 22336 International Standards and related documents, covering almost every industry, from information technology to food safety, agriculture and healthcare.

ISO 27000 Series

This is the family of information security standards developed by the International Organization for Standardization and the International Electrotechnical Commission to provide a globally recognized framework for best practice in information security management. It helps organizations keep their information assets, such as employee details, financial information and intellectual property, secure.

The need for the ISO 27000 series arises from the risk of cyber-attacks that organizations face. Cyber-attacks are growing day by day, making hackers a constant threat to any industry that uses technology.

The ISO 27000 series can be divided into many standards. They are:

ISO 27001 - This standard allows an organization to demonstrate to its clients and stakeholders that it manages the security of their confidential data and information to the best standard. It involves a process-based approach to establishing, implementing, operating, monitoring, maintaining and improving the ISMS (information security management system).

ISO 27000 - This standard provides an explanation of the terminology used in ISO 27001.

ISO 27002 - This standard provides guidelines for organizational information security standards and information security management practices. It includes the selection, implementation, operation and management of controls, taking into consideration the organization's information security risk environment(s).

ISO 27005 - This standard supports the general concepts specified in ISO 27001. It is designed to provide guidelines for implementing information security based on a risk management approach. To fully understand ISO/IEC 27005, knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is required. This standard is applicable to all kinds of organizations, such as non-governmental organizations, government agencies and commercial enterprises.

ISO 27032 - This is the international standard which focuses explicitly on cybersecurity. It includes guidelines for protecting information beyond the borders of an organization, such as in collaborations, partnerships or other information-sharing arrangements with clients and suppliers.

2. IT Act
The Information Technology Act, also known as ITA-2000 or the IT Act, mainly aims to provide the legal infrastructure in India for dealing with cybercrime and e-commerce. The IT Act is based on the United Nations Model Law on E-Commerce 1996, recommended by the General Assembly of the United Nations. The act is also used to check misuse of cyber networks and computers in India. It was officially passed in 2000 and amended in 2008. It was designed to give a boost to electronic commerce, e-transactions and related activities associated with commerce and trade. It also facilitates electronic governance by means of reliable electronic records.

The IT Act 2000 has 13 chapters, 94 sections and 4 schedules. The first 14 sections concern digital signatures, and further sections deal with the certifying authorities licensed to issue digital signature certificates; sections 43 to 47 provide for penalties and compensation, sections 48 to 64 deal with appeals to the High Court, sections 65 to 79 deal with offences, and the remaining sections, 80 to 94, deal with miscellaneous provisions of the act.

3. Copyright Act
The Copyright Act 1957, as amended by the Copyright Amendment Act 2012, governs copyright law in India. The Act has applied since 21 January 1958. Copyright is a legal term describing the ownership and control of the rights of authors of "original works of authorship" that are fixed in a tangible form of expression. An original work of authorship is any of a range of works of creative expression, including books, video, movies, music and computer programs. Copyright law has been enacted to balance the use and reuse of creative works against the desire of creators of art, literature and music to monetize their work by controlling who can make and sell copies of it.
The Copyright Act covers the following:

● Rights of copyright owners
● Works eligible for protection
● Duration of copyright
● Who can claim copyright

The Copyright Act does not cover the following:

● Ideas, procedures, methods, processes, concepts, systems, principles, or discoveries
● Works that are not fixed in a tangible form (such as a choreographic work that has not been notated or recorded, or an improvised speech that has not been written down)
● Familiar symbols or designs
● Titles, names, short phrases, and slogans
● Mere variations of typographic ornamentation, lettering, or coloring

4. Patent Law
Patent law deals with new inventions. Traditional patent law protects tangible scientific inventions, such as circuit boards, heating coils, car engines, or zippers. Over time, patent law has been used to protect a broader variety of inventions, such as business practices, coding algorithms, or genetically modified organisms. A patent is the right to exclude others from making, using, selling or importing the invention, from inducing others to infringe, and from offering a product specially adapted for practising the patent.

In general, a patent is a right that can be granted if an invention is:

● Not a natural object or process
● New
● Useful
● Not obvious.

5. IPR
Intellectual property rights (IPR) are rights that allow creators, or owners of patents, trademarks or copyrighted works, to benefit from their own plans, ideas, or other intangible assets or investment in a creation. These rights are set out in Article 27 of the Universal Declaration of Human Rights, which provides for the right to benefit from the protection of the moral and material interests resulting from authorship of scientific, literary or artistic productions. These property rights allow the holder to exercise a monopoly on the use of the item for a specified period.
What is information technology (IT) risk management?
IT risk management, also called “information security risk management,” consists
of the policies, procedures, and technologies that a company uses to mitigate
threats from malicious actors and reduce information technology vulnerabilities
that negatively impact data confidentiality, integrity, and availability.

What is the importance of IT risk management?

By identifying and analyzing potential vulnerabilities within an enterprise IT network, organizations can better prepare for cyber attacks and work to minimize the impact of a cyber incident, should one occur. The procedures and policies implemented under an IT risk management program can help guide future decision-making about how to control risk while focusing on company goals.

What are the five steps in the information risk management process?
Critical steps that organizations engaging in an IT risk management (IRM) program need to perform include identifying the location of information, analyzing the information type, prioritizing risk, establishing a risk tolerance for each data asset, and continuously monitoring the enterprise's IT network.

Let’s explore what each of these steps looks like, and why each is relevant for an
effective IT risk management program:

1. Identify potential points of vulnerability

Conceptually, identifying the locations where your data resides seems simple
enough. Most organizations start with their databases or collaborative
applications. However, as more companies embrace cloud-first or cloud-only
strategies, data becomes more dispersed and vulnerable to cyber threats.

Organizations no longer solely store data in on-premises servers. Many now use
serverless or other cloud-based storage locations such as shared drives.
Additionally, many organizations collect data in new ways such as via
customer-facing web portals. New data transmission channels, such as email and
messaging services, also change how organizations share information with
internal and external stakeholders.
Cloud-based data collection, transmission, and storage locations pose a higher
risk of theft because organizations often lack visibility into the effectiveness of
their controls. Thus, server hardware in an on-premises location may be a lower
risk than a cloud-based server. When engaging in an information risk assessment, you need to identify the myriad locations and users who "touch" your information.

2. Analyze data types

Not only do you need to know where your data resides, but you also need to know
what data you collect. Not all types of data are created equally. Personally
identifiable information (PII) includes data such as name, birth date, social
security number, or even IP address. Since malicious actors often target PII
because they can sell it on the Dark Web, the information is a high-risk asset.

Meanwhile, you also store low-risk information, such as marketing copy. If malicious actors obtain a copy of a blog post, for instance, they can't sell that online.

Identifying the types of data your organization stores and aligning that to the
locations where you store your information act as the basis for your risk analysis.

3. Evaluate and prioritize the information risk

Now that you’ve reviewed all data assets and classified them, you need to analyze
the risk. Each data asset type resides in a particular location. You need to
determine how the risk each poses overlaps and impacts the potential for a
malicious actor to attack. The best way to do this is to calculate:

Risk Level = Likelihood of a data breach X Financial impact of a data breach

For example, a low-risk data asset, such as marketing copy, may be in a high-risk
location such as a file-sharing tool. However, the financial impact on your
company if a malicious actor steals the information is minimal. Thus, this might
be categorized as low or moderate risk.

Meanwhile, a high-risk data asset, such as a consumer medical file, in a moderate-risk location, such as a private cloud, would lead to a large financial impact. Thus, this would almost always be considered a high risk to your organization.
4. Set a risk tolerance and establish IT risk management processes

Setting your risk tolerance means deciding whether to accept, transfer, mitigate,
or refuse the risk. An example of a control for transferring risk might be
purchasing cyber risk liability insurance. An example of a control for mitigating
risk might be to put a firewall in place to prevent access to the location where the
data resides.

Mitigating controls, such as firewalls or encryption, act as roadblocks for malicious actors. However, even mitigating controls can fail.

5. Continuously monitor your risk

Malicious actors never stop evolving their threat methodologies. As companies get better at identifying and protecting against new ransomware strains, malicious actors have responded by focusing more on cryptocurrency and phishing. In other words, today's effective controls might be tomorrow's weaknesses.
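The five steps above fit naturally into a small risk register. The following is an added Python example, not part of the original text: it encodes the two lookups the text describes (where data lives and what kind of data it is), applies the Risk Level formula from step 3, bands and prioritises the results, applies a risk tolerance to choose accept, mitigate or transfer (step 4), and can be re-run whenever controls change (step 5). The scores, bands, tolerance value and the rule that each mitigating control lowers likelihood by one step are all constructed for illustration.

```python
"""Worked IT risk register covering steps 1-5 of the process above.
Added example; asset names, scores, thresholds and decision rules are constructed."""
from dataclasses import dataclass, field

# Step 1: where data lives -> likelihood of a breach at that location (1 low .. 5 high).
LOCATION_LIKELIHOOD = {"on-prem server": 1, "private cloud": 3, "file-sharing tool": 5}
# Step 2: what the data is -> financial impact if it is breached (1 low .. 5 high).
DATA_IMPACT = {"marketing copy": 1, "employee PII": 4, "consumer medical file": 5}

@dataclass
class Asset:
    name: str
    data_type: str
    location: str
    controls: list = field(default_factory=list)  # mitigating controls in place

def likelihood(asset):
    """Location likelihood, reduced one step per mitigating control (constructed rule, floor 1)."""
    return max(1, LOCATION_LIKELIHOOD[asset.location] - len(asset.controls))

def risk_level(asset):
    """Step 3: Risk Level = Likelihood of a data breach x Financial impact of a data breach."""
    return likelihood(asset) * DATA_IMPACT[asset.data_type]

def classify(score):
    """Bands on the 1..25 scale (constructed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"

def treatment(score, tolerance):
    """Step 4: accept within tolerance; otherwise mitigate, and transfer (insure) the worst."""
    if score <= tolerance:
        return "accept"
    if score >= 20:
        return "transfer"
    return "mitigate"

def prioritise(assets):
    """Highest risk first, so remediation effort goes where it matters."""
    return sorted(assets, key=risk_level, reverse=True)

def review(assets, tolerance):
    """Step 5: re-run whenever locations, data or controls change.
    Returns (name, score, band, treatment) rows, highest risk first."""
    rows = []
    for a in prioritise(assets):
        s = risk_level(a)
        rows.append((a.name, s, classify(s), treatment(s, tolerance)))
    return rows

if __name__ == "__main__":
    register = [
        Asset("blog drafts", "marketing copy", "file-sharing tool"),
        Asset("HR export", "employee PII", "on-prem server"),
        Asset("patient records", "consumer medical file", "private cloud"),
    ]
    for row in review(register, tolerance=6):
        print(row)
    register[2].controls.append("encryption at rest")   # a control is added...
    print("after control:", review(register, tolerance=6)[0])  # ...so the register is reviewed again
```

The two cases from the text come out as the text says: marketing copy in a file-sharing tool scores 5 x 1 = 5 (low), while a medical file in a private cloud scores 3 x 5 = 15 (high). Adding a control to the medical-file asset drops it to moderate, which is why the review is a loop rather than a one-off.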

Best practices for information risk management

An effective IT risk management program should use a combination of different policies and strategies, as attacks can come in many forms and what works for one data asset might not be successful for another. However, there are overarching actions that all organizations can take to begin strengthening their cybersecurity posture. Most importantly, it is imperative that enterprise security teams have continuous monitoring in place to ensure that cybersecurity efforts are keeping up with the evolving threat landscape.

Take a look at 3 best practices for managing your organization's IT risk management program:

1. Monitor your IT environment

Continuously monitoring your IT environment can help your organization detect weaknesses, and help you prioritize your remediation activities.

For example, many organizations struggle with cloud resource configuration. News reports often mention "AWS S3" buckets. These public cloud storage locations are not inherently risky, but a failure to appropriately configure them leaves them open to the public, including attackers. Continuously monitoring your IT environment can help detect misconfigured databases and storage locations to better secure information.
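The S3 example is a good place for a concrete monitoring check. The following is an added Python example, not part of the original text: it scans bucket policy documents for Allow statements whose principal is everyone ("*" or {"AWS": "*"}) and whose actions include S3 operations, which is the "open to the public" misconfiguration the paragraph describes. The bucket names, the account ID and the two policies are constructed; the document fields used (Statement, Effect, Principal, Action, Resource) are the standard AWS policy grammar.

```python
"""Detect publicly readable S3 bucket policies (added example; policies are constructed)."""
import json

# Constructed bucket policy that grants everyone read and list access.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed bucket policy scoped to one application role (account ID is a placeholder).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """'*' or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def public_statements(policy_json):
    """Return the Sids of Allow statements that grant S3 actions to everyone.
    A Condition block can legitimately narrow a public principal; such statements
    are still reported here so a human reviews them rather than the scanner deciding."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if not is_public_principal(stmt["Principal"]):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.startswith("s3:") for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def scan(buckets):
    """buckets: {bucket name: policy JSON}. Returns {name: [offending Sids]} for misconfigured ones."""
    report = {}
    for name, policy in buckets.items():
        sids = public_statements(policy)
        if sids:
            report[name] = sids
    return report

if __name__ == "__main__":
    print(scan({"open-bucket": OPEN_POLICY, "locked-bucket": LOCKED_POLICY}))
```

Run against a real account this would be fed the policy documents returned by the storage provider's API; the account-level public-access block remains the primary guard, and a policy scan like this is the continuous-monitoring complement that catches a bucket someone has opened since the last review.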
2. Monitor your supply stream

Third-party vendor risk mitigation also acts as an important part of your IT risk
management strategy. While you can control your vendors, you may not be able
to assert the same contractual obligations against their vendors. As part of your
holistic information risk management strategy, you need visibility into the
cybersecurity posture across your ecosystem.

For example, if your vendor’s vendor uses a cloud database and stores data as
plain text, then your information is at risk. Continuously monitoring your supply
stream for encryption, a way to make the data unreadable even if an attacker
accesses it, provides visibility into your ecosystem’s cyber health.

3. Monitor compliance

As data breaches command more headlines, legislative bodies and industry standards organizations have released more stringent compliance requirements. Several new laws, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act, require continuous monitoring as part of a compliance cybersecurity program.

To create a compliant IT risk management program, you need to be monitoring and documenting your activities to provide assurance to internal and external auditors. As you continuously monitor your enterprise's IT ecosystem, you need to prioritize remediation actions and document your activities, providing your auditors with proof of governance.

What is the Disaster Recovery Plan?

The Disaster Recovery Plan, or DRP, enables the company to resume normal
operations after a disaster. In the context of IT, this disaster generally involves a
cybersecurity breach: loss, theft or disappearance of sensitive data, virus,
cyberattack, cybercrime.

Definition of the Business Recovery Plan

In the context of IT, the DRP has several sub-goals toward a main goal which is
safeguarding the sustainability of your company's activities. Those sub-goals are:

● anticipating and mitigating the impact of any cyber crisis;
● guaranteeing the protection of sensitive digital data in the event of a disaster;
● ensuring the continuity of the structure's activities in the face of the IT crisis;
● setting up a back-up system to resume critical IT applications.

The DRP is a document which lists all the processes your company has to put in
place to maintain or rebuild the IT systems in the aftermath of a cyber crisis:

● It indicates how and when to refer to the back-up system, provided for in
the crisis management plan;
● The Disaster Recovery Plan specifies which backup system to activate in
order to ensure the security of confidential data;
● It details how long each department can afford to be paralysed, namely the RTO (Recovery Time Objective);
● This document also determines the maximum acceptable data loss, or RPO
(Recovery Point Objective).

The IT Disaster Recovery Plan in CIO terminology

To summarise, Chief Information Officers (CIOs) generally consider that the BCP (business continuity plan) describes the measures that ensure the continuity of the activity, while the DRP details the measures that guarantee the resumption of activity after an IT shutdown. The Disaster Recovery Plan is indeed activated when the infrastructure is unavailable.

In the event of a cyber attack, there are generally two execution scenarios for the DRP:

● Either your company was prepared for IT crises and had a BCP to mitigate the impact of the disaster. In this case, your company can reduce the RTO and RPO to a minimum and apply a "warm restart" of the applications: a quick restart of activities on one or more backup servers, all based on pre-disaster data saves.
● Or your structure did not have a BCP, nor the technical means to execute an effective crisis management plan. Then you have to do a "cold restart" afterward, that is to say several hours or days after the disaster. In this scenario the recovery is based on the latest backups of the company. However, this cold procedure tends to disappear with the generalisation of cloud data storage.
When should you set up your IT recovery?

By definition, the DRP is only activated when the company suffers a real shutdown of its IT activities. If you want this IT recovery plan to perform well and enable you to quickly resume your activities, you must think it through well in advance of the actual onset of a cyber crisis. Allow an average of 3 months to design it. This is an indicative time frame; you might need more or less, depending on the size of your structure.

Once the cyberattack, computer failure or human error has been recorded at the
expense of your infrastructure, the execution of your DRP should help minimise
your operational downtime. The longer the recovery, the more the company’s
financial results are jeopardised.

Advantages and disadvantages of the DRP

The main mission of the Disaster Recovery Plan is to ensure a rapid restart of your
operations. A too long interruption has an impact on your reputation, and as a
consequence, on your financial value. Moreover, if that one-off stop threatens the
fulfillment of your regulatory and contractual obligations, you incur harmful legal
consequences.

Nevertheless, setting up a DRP does come at a cost. Yet, it pays for itself if you
take into account the harmful consequences that it prevents for the company in
the event of a cyberattack or an IT failure:

● alteration or disappearance of part of the sensitive data;
● loss of turnover due to the shutdown of the IT systems;
● bad reputation with customers, partners and investors;
● legal risks.

The DRP relies on a third-party computer network and on data backups to ensure
satisfactory IT operation. Like the BCP, the advantages of the Disaster Recovery
Plan can only be appreciated if good practices are complied with. This is a plan
that should be thought through and regularly tested. Its development takes time
and a large budget to be effective.
