Cyber Security

Cybersecurity involves tools, policies, and safeguards for protecting

digital assets. Guidelines, risk management, actions, and training
ensure cyber environment security. Assets encompass devices,
personnel, information, infrastructure, and telecommunications
systems. Main goal: Maintain security properties against internet-
related risks. Essential: Technologies shield applications, services,
while countering evolving cyber threats. Focus: Uphold integrity,
availability, confidentiality, safeguarding overall digital landscape.
Cyber crimes
Cyber crimes encompass illegal actions in the digital realm.
Criminal activities span hacking, fraud, data breaches, and online
theft. Targets: Individuals, organizations, systems, sensitive data,
financial assets. Motivations: Financial gain, information theft,
disruption, espionage, and sabotage. Examples: Phishing,
ransomware, identity theft, and distributed denial-of-service
(DDoS) attacks. Combating: Requires law enforcement,
cybersecurity measures, international collaboration, and public
awareness.
Cyber Security Goals
The objective of Cybersecurity is to protect information from being
stolen, compromised or attacked. Cybersecurity can be measured by
at least one of three goals-
1. Protect the confidentiality of data.
2. Preserve the integrity of data.
3. Promote the availability of data for authorized users.
Types of Cyber Attacks
A cyber-attack is an exploitation of computer systems and
networks. It uses malicious code to alter computer code, logic or
data and lead to cybercrimes, such as information and identity theft.
We are living in a digital era. Now a day, most of the people use
computer and internet. Due to the dependency on digital things, the
illegal computer activity is growing and changing like any type of
crime. Cyber-attacks can be classified into the following
categories:
Web-based attacks
These are the attacks which occur on a website or web applications.
Some of the important web-based attacks are as follows-
Injection Attacks:
Sneak data, change apps, access databases, trick application
behavior. Break into databases, steal or corrupt sensitive
information. Examples: SQL, code, log, XML tricks. Use checks,
safe coding, data protection to prevent such attacks.
DNS Spoofing:
Fake DNS data, misguide users to wrong destinations. Divert
traffic, lead to data theft, pose serious threats. Generate wrong IP
addresses, disrupt network integrity. Boost DNS security, vigilant
monitoring to counter spoofing.
Session Hijacking:
Swipe session cookies, unauthorized entry into user accounts.
Impersonate, gain access to sensitive information. Endangers data
and accounts, exploit weak session management. Secure sessions,
encryption, and regular audits for prevention.
Phishing:
Trick with fake emails, websites for private data acquisition. Pose
as trusted entities, deceive users for sensitive information.
Deceptive links, forms mislead, exploit social engineering. Educate
users, employ spam filters, verify sources to deter phishing.
Brute Force:
Repeatedly guess passwords, breach security to gain unauthorized
access. Target weak passwords, compromise system integrity. Uses
trial and error, crack user accounts, assess network security.
Implement account lockouts, CAPTCHAs, and strong
authentication.
Denial of Service:
Overwhelm systems with traffic, making them inaccessible to users.
Disrupt services, causing downtime, exploiting system
vulnerabilities. Volume, protocol, and application-based attacks
disrupt systems. Employ traffic filtering, load balancing, and
network monitoring.
Dictionary Attacks:
Try common passwords, exploit weak passwords for unauthorized
access. Crack user accounts, enhance security awareness. Target
frequently used passwords, enforce password policies. Strengthen
security, multifactor authentication to mitigate risks.
URL Interpretation:
Manipulate URLs, gain unauthorized access to restricted content.
Exploit improper configurations, expose sensitive data. Alter URLs
to access unauthorized resources, cause information leakage.
Ensure proper access controls, validate inputs, and implement URL
filtering.
File Inclusion Attacks:
Sneak malicious files, compromise servers and data integrity.
Unauthorized access, execute harmful code on servers.Exploit
insecure file handling in web applications. Prevent using input
validation, secure file handling, and code reviews.
Man in the Middle Attacks:
Intercept communications, secretly modify or steal exchanged data.
Act as intermediary, tamper or eavesdrop on information.
Compromise sensitive data, prevalent in unencrypted networks.
Employ encryption, secure protocols, and digital signatures to
prevent MITM attacks.
System-based attacks
These are the attacks which are intended to compromise a computer
or a computer network. Some of the important system-based attacks
are as follows-
Virus:Spread malware within files, harm computer systems without
user knowledge. Self-replicating, can alter, delete, or corrupt data,
and software. Transmit through infected files, emails, removable
media. Install antivirus software, update systems to prevent virus
infection.
Worm: Self-replicating malware, spread to uninfected computers
via networks. Similar to viruses, don't require user interaction for
propagation. Often use network vulnerabilities, emails, or shared
resources to spread. Keep systems updated, use firewalls, and
network security measures.
Trojan Horse: Malicious program disguised as legitimate software,
mislead users. Can perform unauthorized actions, steal data, or
grant remote access. Users unknowingly install Trojans, posing
security threats. Beware of suspicious downloads, use reputable
sources, and security software.
Backdoors:
Unauthorized access points created by developers or attackers.
Bypass normal authentication, grant remote control over systems.
Intended for troubleshooting but misused by hackers for attacks.
Regular security audits, strong access controls to prevent backdoor
entry.
Bots:
Automated processes interacting with networks, can be beneficial
or malicious. Examples include web crawlers, chatroom bots, and
harmful bots. Can execute commands, spread malware, and launch
attacks. Employ security measures, monitor network traffic to
detect and mitigate bot activity.
Hacking Techniques:
Usually a hacker deploys multiple techniques to reach their goal,
sometimes the simplest ways are the moste efficient. Using social
engineering techniques exploiting human kindness, greed and
curiosity to gain access is not uncommon
Phishing:
Hacker mimics legit site, sends fake email with link to collect login.
Targets sign in on fake site, giving hacker access to credentials.
Uses human trust, URL similarity to deceive and steal info. Exploits
curiosity, greed, kindness to manipulate users into revealing data.
SQL Injections:
Exploits poorly coded sites, targets user input fields for database
access. Hacker manipulates input, gains unauthorized access to
website database. Attacks applications communicating with SQL
databases through malicious inputs. Takes advantage of coding
flaws, executes database-related attacks for data theft.
DoS/DDoS:
Overwhelms server, causing offline status for all hosted sites.
Hacker uses botnet to flood server with traffic, causing overload.
Utilizes network of hijacked computers, interrupts target server
operations. Massive traffic influx disrupts server, renders websites
temporarily inaccessible.
Brute Force:
Repeatedly guesses passwords to find weak ones for unauthorized
access. Hacker uses trial and error, automated tools to crack
passwords. Targets users with simple passwords, exploiting security
negligence. Persistence and password guessing, commonly used to
breach accounts.
Fake WAP:
Hacker creates fake WiFi, lures users to connect and intercepts data.
Exploits free public WiFi spots, tricks users into connecting.
Uses imitated Access Point to gather login info, sensitive data.
Impersonates legitimate network, captures user data through
deceptive hotspot.
Sniffing/Snooping:
Hacker eavesdrops on unsecured network traffic for future attacks.
Monitors unencrypted networks, gathers information for malicious
use. Exploits lack of encryption, captures data during network
transmission. Gathers relevant data from unsecured connections,
enhancing attack capabilities.
Bait & Switch:
Hacker places malware in appealing ads, infects user upon click.
Buys ad space, redirects target to malicious page after appealing ad.
Entices users with attractive ads, traps them into accessing
malware. Uses legitimate-looking ads to deceive users into clicking
harmful links.
Cookie Theft:
Hacker steals cookies via unsecured connections, impersonates
user. Exploits lack of SSL, captures cookies containing sensitive
data. Targets browser cookies for authentication, uses stolen data to
gain access. Uses unencrypted connections to collect cookies,
hijacks user sessions.
Waterhole Attacks:
Hacker targets favorite spots, combines techniques for trapping
target. Studies routine, uses knowledge of frequented locations to
set traps. Exploits target's habits, combines methods to compromise
security. Lures victim using gathered information, executes attack at
familiar locations.
UI Redress/ClickJacking:Hacker tricks user to click by disguising
link as something else. Deceptive links appear as legitimate buttons,
misleading users' clicks. Misrepresents content, entices clicks for
malicious purposes. Deceives users through link disguises, often on
streaming or download sites.
White Hat Hackers:
Ethical hackers, work to secure systems and find vulnerabilities.
Authorized, protect systems by exposing weaknesses for
improvement.
Professionals, contribute to cybersecurity, often hired by
organizations.
Use skills to prevent cybercrimes, maintain digital safety and
integrity.
Black Hat Hackers:
Malicious hackers, exploit vulnerabilities, and commit cybercrimes.
Unauthorized, breach systems for personal gain, data theft, or
disruption.
Criminal intent, target individuals, organizations, and networks for
harm.
Often engage in illegal activities, pose significant cybersecurity
threats.
Grey Hat Hackers:
Blend of ethical and malicious intent, uncover vulnerabilities but
may not seek permission.
Can expose weaknesses for a cause without consent, operate in gray
area.
Seek recognition, may report findings after unauthorized tests.
Controversial, use skills to reveal issues but not always legally
sanctioned.
Script Kiddies:
Inexperienced hackers, use pre-made tools to execute attacks.
Lack deep technical understanding, target systems without intricate
knowledge.
Typically young, seek attention and cause disruptions, but limited
expertise.
Rely on automated tools, pose nuisance rather than severe threats.
Firewalls:
Security barrier, filters network traffic between trusted and
untrusted zones. Monitors incoming/outgoing data, blocks
unauthorized access, and potential threats. Shields systems from
cyberattacks, malware, and unauthorized communication attempts.
Acts as a gatekeeper, enforces security policies, regulates network
traffic flow. Essential for network protection, prevents unauthorized
access and data breaches.
Types of Firewalls:
1. Packet Filtering Firewall:
Examines packet attributes, permits/denies based on predefined
rules. Filters by IP addresses, ports, protocols, offers basic security.
Fast processing, limited protection against advanced threats.
Stateless, lacks awareness of context or connection state.
Vulnerable to IP spoofing, less suitable for modern complex
networks.
2. Stateful Inspection Firewall:
Maintains connection state, monitors data packets throughout
session. Evaluates context, tracks connections for improved
security. Offers higher security, examines packet history, port states.
Slower processing due to packet tracking, suitable for general
networks. Guards against unauthorized connections and session
hijacking.
3. Proxy Firewall:
Acts as intermediary, hides internal network structure from external
entities. Intercepts requests, forwards traffic, masks real IP
addresses. Enhances security, offers content filtering and caching
capabilities. Manages client-server communication, adds an
additional layer of protection. Reduces direct exposure of internal
resources, mitigates direct attacks.
4. Next-Generation Firewall (NGFW):
Integrates traditional firewall with intrusion prevention, deep packet
inspection. Identifies and blocks applications, provides application-
layer visibility. Offers advanced threat protection, user identity-
based policies. Combines traditional firewall features with modern
security capabilities. Defends against sophisticated attacks, suitable
for complex networks.
5. Application Layer Firewall:
Operates at OSI application layer, inspects full content of packets.
Monitors application-specific traffic, enforces strict security
policies. Detects and prevents application-specific threats, data
leakage. Offers deep inspection, granular control, and content
filtering. Provides strong protection for applications and services,
may affect performance.
VPN (Virtual Private Network):
Secure connection, encrypts data traffic between user and remote
server. Masks user's IP, enhances online privacy, and anonymity.
Enables remote access, secure browsing, and data transmission over
public networks. Commonly used for remote work, accessing
geographically restricted content. Provides a tunnel for secure
communication, protects against cyber threats.
Types of VPN:
1. Remote Access VPN:
Allows users to connect securely to a private network remotely.
Encrypted tunnel ensures safe communication, often used by
employees. Utilizes authentication mechanisms, protects data
during transmission. Offers secure access to company resources
from various locations. Ensures confidentiality of data when
accessing sensitive information.
2. Site-to-Site VPN:
Connects multiple networks, creates a secure link between remote
sites. Encrypts data between sites, facilitates secure
interconnectivity between networks. Often used by businesses with
multiple locations or branches. Ensures secure data transfer
between sites over untrusted networks. Provides a seamless and
private connection between geographically dispersed sites.
3. Client-to-Site VPN:
Connects individual devices to a corporate network securely.
Employees access company resources remotely, similar to remote
access VPN. Offers secure communication, requires client software
or app installation. Utilizes encryption to safeguard data during
transmission over public networks. Enables secure and convenient
remote work for employees.
4. SSL/TLS VPN:
Operates over HTTPS, secures communication via web browsers.
Uses SSL/TLS protocols to create a secure connection. Commonly
used for remote access to web applications. Simplifies setup,
provides remote access to web-based resources securely.Ensures
encrypted data transmission, suitable for accessing online services.
5. IPsec VPN:
Uses IPsec protocol suite for secure communication. Encrypts and
authenticates data packets, ensuring secure transmission. Suitable
for site-to-site and remote access connections. Provides strong
security through encryption and tunneling. Commonly used for
securing network traffic across public networks.
Encryption: Encodes data using an algorithm and a key for secure
communication. Transforms plaintext to ciphertext, protecting
sensitive information from unauthorized access. Provides
confidentiality, authentication, integrity, and non-repudiation of
data. Essential for data protection during transmission and storage,
preventing cyberattacks.
Types of Encryption Algorithms:
1. Symmetric Encryption (Secret Key):
Uses a single key for both encryption and decryption. Fast
processing, commonly used for large amounts of data. Advanced
Encryption Standard (AES) is a widely adopted symmetric cipher.
Suitable for confidentiality and data integrity in closed systems.
2. Asymmetric Encryption (Public Key):
Employs a pair of linked keys: public key for encryption and
private key for decryption. Slower processing, but enables secure
key exchange and digital signatures. RSA and Elliptic Curve
Cryptography (ECC) are popular asymmetric algorithms. Used for
secure communication and authentication in open systems.
3. Quantum Key Distribution (QKD):
Generates encryption keys based on entangled photons. Leverages
quantum entanglement for secure key exchange. Ensures
eavesdropping detection due to quantum characteristics. Enables
truly secure communication in quantum environments.
4. Diffie-Hellman Key Exchange:
Facilitates secure key exchange without direct transmission. Uses
mathematical functions to generate shared secrets. Suitable for
securing key exchange protocols. Used in combination with other
encryption methods for added security.
5. Hash Functions:
Converts data into fixed-size hash values (digests). Used for data
integrity verification and digital signatures. Popular hash functions
include SHA-256 and MD5. Helps prevent tampering and ensures
data integrity in various applications.
Intrusion Detection:
Definition and Purpose:
Identifies unauthorized or malicious activities in systems or
networks.Aims to enhance security by detecting potential breaches
and attacks.
Types: HIDS (Host-based Intrusion Detection System):
Monitors individual host behavior and logs.
Detects anomalies and changes in file integrity.
NIDS (Network-based Intrusion Detection System): Analyzes
network traffic for unusual patterns. Focuses on detecting
suspicious activities at the network level.
Detection Techniques:Signature-based: Compares patterns with
known attack signatures. Effective for detecting well-known
threats.
Anomaly-based:
Identifies deviations from normal baseline behavior.
Useful for detecting new or evolving threats.
Heuristic-based:
Applies predefined rules to identify abnormal patterns.
Balances known signatures with behavioral analysis.
Alert Generation and Response: Generates alerts or notifications
upon detection. Alerts can be manual or automated, sent to
administrators. Responses include isolating affected hosts or
blocking suspicious traffic.
Benefits and Limitations: Benefits:
Real-time threat detection enhances overall cybersecurity.
Aids in incident investigation and prevention of data breaches.
Assists in compliance with security standards and regulations.
Limitations:
False positives can lead to legitimate activities being flagged.
False negatives occur when actual intrusions are missed.
Continuous updates required to address evolving attack methods.
Anti-Malicious Software:
Definition and Purpose:
Protects systems from malware, including viruses, worms, and
ransomware.
Detects, prevents, and removes malicious software to ensure system
security.
Types:
Antivirus Software:
Scans and removes known viruses and malware from files and
software.
Provides real-time protection against threats during system
operation.
Anti-Spyware Software:
Detects and removes spyware and adware that track user activities.
Safeguards privacy by preventing unauthorized data collection.
Firewalls:
Blocks unauthorized network access and traffic from potential
threats.
Monitors and manages incoming and outgoing network
communications.
Anti-Ransomware Software:
Detects and prevents ransomware attacks that encrypt data for
extortion. Blocks ransomware before it can encrypt files and
demand a ransom.
Functionality: Scanning and Removal:
Conducts regular scans to identify and remove malware infections.
Deletes or quarantines infected files to prevent further spread.
Real-time Protection:
Monitors system activity to prevent malware execution in real-time.
Blocks malicious processes and activities before they can cause
harm.
Behavior Analysis:
Identifies suspicious behavior patterns that could indicate malware.
Analyzes activities to detect zero-day threats and new malware
variants.
Updates and Updates:
Regular Updates:
Updates virus definitions and databases to recognize new threats.
Ensures the software is equipped to detect the latest malware.
Security Patches:
Provides patches for vulnerabilities in the operating system or
software.
Prevents exploitation by malware that targets security flaws.
Merits:
Enhanced Security:
Merit: Protects systems from various forms of malware, reducing
the risk of data breaches and unauthorized access.
Merit: Prevents potential financial losses and reputation damage
caused by malware attacks.
Real-time Monitoring:
Merit: Provides continuous monitoring and immediate response to
emerging threats, ensuring timely protection.
Merit: Detects and blocks malware execution before it can
compromise system integrity.
User Privacy:
Merit: Guards against spyware and adware that track user activities
and collect sensitive data.
Merit: Preserves user privacy by preventing unauthorized data
harvesting.
Customizable Protection:
Merit: Allows users to configure settings based on their security
preferences.
Merit: Offers flexibility to scan specific files, folders, or drives for
malware.
Demerits:
Resource Consumption:
Demerit: Anti-malicious software can consume system resources,
leading to slower performance.
Demerit: Heavy scanning processes may disrupt normal system
activities.
False Positives:
Demerit: Occasionally identifies harmless files or software as
malicious (false positives).
Demerit: Users may experience inconvenience and confusion due to
unnecessary alerts.
Dependency on Updates:
Demerit: Requires regular updates to maintain effectiveness against
evolving malware.
Demerit: Outdated definitions may result in inadequate protection
against new threats.
Limited Protection Against Advanced Threats:
Demerit: Some sophisticated malware may evade detection by
traditional anti-malicious software.
Demerit: Zero-day attacks and targeted threats can bypass standard
protection measures.
Complexity and Compatibility:
Demerit: Configuring and managing settings can be complex for
non-technical users. Demerit: Compatibility issues with certain
software or conflicting applications can arise.
Cost and Performance Impact:Demerit: High-quality anti-
malicious software often comes with a subscription cost.
Demerit: The cost and potential system slowdowns may deter users
from investing in robust protection.
Secure Software Definition:
Definition:
Secure Software is designed to function normally despite malicious
attacks.
It safeguards systems, removes attacks, and maintains resource
safety.
Characteristics of Secure Software:
Secure Database Protection:
Prevent SQL injection attacks by isolating databases from running
code.
Ensure back-end database security to prevent unauthorized access
and manipulation.
Data Encoding for Safety:
Encode data before execution to counter injection vulnerabilities.
Transforms data into unrecognizable formats for secure processing.
Input Validation Assurance:
Validate input data accuracy and compliance with field
requirements.
Treat external data as potentially harmful to prevent system
vulnerabilities.
Access Control Implementation:
Implement strict access control rules for resource and functionality
authorization.
Default minimal access levels prevent unauthorized users from
accessing sensitive areas.
Data Security and Encryption:
Enforce encryption (SSL, TLS) for data at rest and in transit.
Enhance privacy and protect data against violations and breaches.
Browser security
Browser security safeguards browsers to prevent data breaches and
malware attacks. Exploits involve JavaScript, cross-site scripting
(XSS), and Adobe Flash vulnerabilities. All browsers, like Firefox,
Chrome, and Safari, are susceptible to security holes. Protection
requires updates, secure coding, and user awareness for safer
browsing. Browser security is vital for safeguarding sensitive data
and ensuring safe internet usage.
Web browsers can be breached in one or more of the following
ways:
Web browsers face various breach risks including OS malware,
memory manipulation. Malware in OS background can modify
browser memory in privileged mode. Hacking main browser
executable and components pose serious threats. Browser plugins
vulnerabilities can lead to unauthorized access and attacks.
Intercepted network communications put user data at risk outside
the machine. Browser unawareness of breaches might mislead users
about safe connections. Secure browser communication methods
include DNSCrypt, HTTP Secure, and SPDY.
SSL:
Secure Sockets Layer, ensures encrypted and secure communication
online. Protects data integrity, authenticity, and confidentiality
between server and client. Uses public-key cryptography to
establish secure connection over HTTP. Verified by SSL certificates
issued by trusted Certificate Authorities (Cas). Prevents
eavesdropping, data tampering, and man-in-the-middle attacks.
Enables HTTPS protocol, crucial for secure transactions and data
exchange. Evolved to TLS (Transport Layer Security), providing
improved security layers. Shields sensitive information during
online transactions and data transfers.
Padlock icon indicates SSL protection; boosts user trust in websites.
Essential for safeguarding user privacy in the modern internet
landscape.
ipsec
IPSec: Internet Protocol Security, secures data transmission across
networks. Offers authentication, encryption, and integrity checks
for IP packets. Ensures confidential and tamper-proof
communication between devices. Implemented in network devices
for VPNs and secure data exchange. Operates in two modes:
transport (end-to-end) and tunnel (network-to-network). Protects
against unauthorized access, eavesdropping, and data alteration.
Uses encryption algorithms and key exchange protocols for robust
security. Enables secure remote access and site-to-site connections
in enterprises. Provides a framework for creating Virtual Private
Networks (VPNs) securely. Crucial for maintaining data privacy
and integrity in interconnected systems.
Classical Encryption Methods:
Historical techniques for secure communication before modern
cryptography era. Employed substitution, transposition, or both for
rudimentary data protection. Lacked robust security against
advanced attacks compared to modern methods. Paved the way for
development of contemporary encryption techniques.
Symmetric Cipher Model:
Same key for encryption and decryption processes. Efficient for
bulk data encryption and processing. Key distribution challenge
requires secure mechanisms. Utilized in DES, AES, and 3DES
algorithms. Demands effective key management practices.
Substitution Techniques:
Replace plaintext with substitutes based on specific algorithms.
Caesar, monoalphabetic, and polyalphabetic ciphers are common
examples. Vulnerable to frequency analysis, particularly
monoalphabetic ciphers. Enhanced security with complex
substitution patterns like polyalphabetic ciphers. Building block for
more advanced encryption methods.
Transposition Techniques:
Rearrange characters' positions in the ciphertext. Rail Fence,
Columnar Transposition are typical techniques. Adds complexity
and confusion, but maintains character frequencies. Combined use
of multiple techniques can enhance overall security. Enhances
classical encryption methods' resistance to attacks.
Product Ciphers:
Blend substitution and transposition techniques in multi-layered
approach.Strengthen security by combining encryption strategies.
Used in modern block cipher designs like DES, AES. Offers
resistance against various attack methods. Represents evolution
from basic classical encryption methods.
Steganography:
Conceals information within seemingly innocuous cover media
(images, audio, etc.). Ensures covert communication by hiding
message presence. Detection necessitates specialized tools or
techniques. Safeguards against unauthorized data interception by
maintaining confidentiality. Used alongside encryption for
enhanced data privacy.
Asymmetric Key Cryptography: Utilizes pairs of keys: public and
private keys. Based on mathematical one-way functions. Public
keys can be openly shared; private keys must remain private.
Enables secure communication and digital signatures. Offers
encryption and decryption using different keys.
Encryption Process: Sender encrypts using recipient's public key.
Only recipient with private key can decrypt the message. Allows
secure transmission of sensitive data.
Key Exchange: Server generates symmetric key for data
encryption. Encrypts symmetric key with client's public key. Client
decrypts using its private key. Both parties securely share
symmetric key.
Data Integrity and Authentication:
Sender creates digital signature with private key. Recipient verifies
authenticity using sender's public key. Ensures message origin and
integrity.
Advantages:
No need for pre-shared symmetric keys. Higher data throughput
compared to symmetric encryption. Provides secure data
transmission and authentication. Enables secure key exchange and
digital signatures.
Confidentiality:
Safeguards sensitive data through encryption and access controls.
Limits information access to authorized users, preserving secrecy.
Prevents unauthorized disclosure or data breaches. Shields personal
and private information from cyber threats. Maintains
confidentiality in data transmission and storage. Ensures privacy
compliance with regulations and standards.
Integrity:
Ensures data accuracy and consistency throughout its lifecycle.
Utilizes hashing and digital signatures to detect tampering attempts.
Protects against unauthorized modifications or alterations. Ensures
the reliability and trustworthiness of digital assets. Guards against
corruption and maintains data quality. Upholds data integrity in
storage, processing, and transmission.
Authentication:
Verifies the identity of users and entities accessing a system. Relies
on passwords, biometrics, tokens, and smart cards for validation.
Enhances security with multi-factor and strong authentication
methods. Prevents unauthorized access and reduces risks of data
breaches.
Confirms user identity before granting access to resources.
Strengthens system protection against unauthorized use or intrusion.
Non-Repudiation:
Ensures accountability by preventing denial of actions or
transactions. Uses digital signatures and timestamps to validate
interactions. Provides evidence in legal disputes and electronic
transactions. Mitigates risks associated with fraud and false claims.
Establishes a reliable record of communication and events.
Enhances trust in digital communications and transactions.
Asymmetric Key Symmetric Key
Aspect
Cryptography Cryptography
Key Uses a pair of keys: Uses a single key for
Types public and private. encryption and decryption.
Key
Public keys can be openly Shared key must be securely
Distributi
shared. exchanged.
on
More secure due to Less secure as same key used
Security
separate keys. for encryption/decryption.
Slower due to complex Faster due to simpler
Speed
mathematical operations. operations.
Digital signatures, key Data encryption in bulk, file
Use Case
exchange. encryption.
Key
Requires management of Easier management of a
Managem
key pairs. single key.
ent
Scalabilit Less scalable for large- More scalable for bulk data
y scale encryption. encryption.
Performa Higher computational Lower computational load,
nce load on systems. faster processing.
Examples RSA, ECC, DSA AES, DES, 3DES
Digital Signature:
Definition: A cryptographic technique to verify the authenticity of
digital messages or documents. Process: Combines sender's private
key with message's hash to create signature. Verification: Recipient
uses sender's public key to verify signature's validity. Purpose:
Ensures message integrity, sender authenticity, and non-repudiation.
Working of Digital Signature:
Hashing: Message hashed to create unique fixed-length value.
Signing: Private key encrypts the hash, generating the digital
signature.
Verification: Recipient decrypts signature with sender's public key,
compares hashes.
Authenticity: If hashes match, message unaltered and sender
verified.
Non-Repudiation: Ensures sender can't deny sending the message.
Merits of Digital Signatures:
Authentication: Validates sender's identity, enhancing trust in
digital communication.
Data Integrity: Guarantees message content remains unchanged
during transmission.
Non-Repudiation: Prevents sender from denying sending a
message.
Efficiency: Faster and more secure than traditional paper-based
signatures.
Demerits of Digital Signatures: Dependence on Keys: Security
relies on safekeeping private keys. Initial Setup: Requires key pair
creation and certificate management. Technical Expertise: Users
may struggle with setup and key management.
Cost: Acquiring digital certificates and implementing infrastructure
can be expensive.
Limited Legal Framework: Some regions lack comprehensive
laws recognizing digital signatures.
Cryptography:
Definition: Cryptography is the practice and study of techniques for
secure communication.n purpose: It ensures confidentiality,
integrity, and authentication of information by transforming data.
Process: Converts plaintext into ciphertext using encryption
algorithms and keys. Application: Used in secure transactions, data
protection, and digital signatures.
Working: Encryption: Converts plaintext into unreadable
ciphertext using encryption algorithms.
Decryption: Reverses encryption, transforming ciphertext back into
readable plaintext.
Key Management: Securely generates, distributes, and stores
encryption/decryption keys.
Security: Algorithms' complexity and key length provide protection
against unauthorized access.
Mathematics: Utilizes mathematical operations like modular
arithmetic and prime numbers.
Merits: Confidentiality: Safeguards sensitive data from
unauthorized access.
Data Integrity: Detects any tampering or unauthorized changes to
data.
Authentication: Verifies the identity of the sender or recipient.
Non-Repudiation: Prevents parties from denying their actions in
communication.
Demerits:Complexity: Cryptographic processes can be complex
and require specialized knowledge.
Encryption/decryption can slow down processing speed.
Secure key distribution and management can be challenging.
Poorly implemented algorithms or weak keys can lead to
vulnerabilities.
Losing encryption keys can result in permanent data loss.
Legal Issues in Information Security
There are many legal issues with regard to information security
1. Breaking into computer is against the law, most of the time.
2. Civil issues of liability and privacy.
3. Risks with regard to employees and other organizations on the
network if internal security is lax.
4. Violations of new laws that address banking customers and
medical privacy.
Cyber Law In Nepal
The Electronic Transaction Act, 2063 is Nepal’s first cyber law. It
was created in response to the growing usage of the internet in
Nepal. It makes provision for the commercial use of computers and
networks; authorizes e-transactions and communication in public
and private sectors; criminalizes different computer-related
unwanted activities:
“Whoever publishes or causes to publish, display any material in
the electronic form including computer, internet which are
prohibited to publish or display by the law in force or which may be
contrary to the public morality or decent behavior or any types of
materials which may spread hate or jealousy against anyone or
which may jeopardize the harmonious relations subsisting among
the peoples of various castes, tribes and communities shall be liable
to be punished with a fine of up to one hundred thousand rupees or
with imprisonment of up to five years or both.”
OR,
Cyber Law in Nepal
This art an overview of cybercrime and cyber laws in Nepal. Nepal
has been ranked 147th in the Human Development Index. Nepal has
been ranked 147th in the Human Development Index. The rate of
crime in Nepal has been high, and cybercrime has especially seen
increased occurrence. During the ongoing pandemic, the number of
cybercrime cases in Nepal has increased, despite the fact that the
disease has not affected the country much.
Important Statistics
There are a total of 10.21 million people in Nepal who used the
internet in 2020. The number of users increased by 315,000
between 2019 and 2020. Around 10 million people in Nepal use
social media. It appears that the country’s citizens have been
reluctant to report cybercrime, with only 53 cases being registered
in 2017. However, 2018 saw a sharp rise in the number of cases to
132. In 2018 and 2019, a total of 180 cases were registered. Out of
these 180, 125 cases were from the capital city, Kathmandu, and the
rest from others.
Different Cyber Laws in Nepal
1.The Electronic Transactions Act, 2008
This was Nepal’s first cyber law. Cybercrimes were dealt with
under the Country’s criminal code before this law came into force.
Since the cases of cybercrime increased, it became necessary to
enact a separate law. Chapter 9 of the Act deals with offenses
relating to computers, the main highlights of which are as follows:
• Pirating or destroying any computer system intentionally
without authority carries imprisonment for three years, or a fine
of two hundred thousand rupees, or both.
• Accessing any computer system without authority results in
imprisonment for three years, or a fine of two hundred thousand
rupees, or both.
• Intentional damage to or deleting data from a computer system
carries imprisonment for three years, or a fine of two hundred
thousand rupees, or both.
• Publication of illegal material in electronic form carries
imprisonment for 5 years, or a fine of one hundred thousand
rupees, or both.
 • Commission of a computer fraud carries imprisonment for two
years, or a fine of one hundred thousand rupees, or both.
2.The Children’s Act, 1992
The aim of this Act is to protect and uphold the rights of children. It
also prohibits child pornography. Section 16(2) of the Act prohibits
individuals from capturing any immoral picture of a child. Section
16(3) of the Act prohibits the publication and distribution of any
such photographs of children.
3.The Copyright Act, 2002
This act protects the copyright of ideas, including a computer
program. It prohibits people from copying and modifying the
original work of others and using it for their own advantage or
economic benefits.
4.The Individual Privacy Act, 2018
This act is the first legislation in Nepal to protect the right to
privacy of its people and define personal information. It protects the
privacy of the body, family life, residence, property, and
communication. It puts the responsibility on public entities to
protect the personal data of individuals. They cannot transfer such
data to anyone without the consent of the owner. The Act prescribes
a general punishment for violation of privacy as three years of
imprisonment, or a fine of NPR 30,000, or both.
Security Policy:
Formal set of rules for information system access and protection.
Defines authorized actions, roles, and data security responsibilities.
Assures compliance, reduces risks, and safeguards sensitive
information.
Guides threat response and incident handling procedures
effectively.
Continuously updated to adapt to evolving technology and
personnel needs.
Need of Security Policy:
Consistency and Efficiency: Security policies provide
standardized rules, enhancing operational efficiency and
minimizing inconsistencies.
Accountability and Discipline: These policies foster a culture of
responsibility, holding personnel accountable for maintaining
security measures.
Risk Mitigation: Security policies help identify and counter
potential threats, reducing the organization's exposure to security
breaches.
Legal and Regulatory Compliance: By adhering to security
policies, companies ensure alignment with industry regulations and
legal requirements.
Awareness and Training: Security policies raise employee
awareness and knowledge about cybersecurity practices, promoting
a stronger security posture.
Cybersecurity Policies:
Virus and Spyware Protection: Detect, remove, and repair viruses
using signatures and behavior analysis.
Firewall Policy: Block unauthorized access, detect attacks, and
manage network traffic.
Intrusion Prevention: Automatically detect and block network and
browser attacks, protecting applications.
LiveUpdate Policy: Manage content updates, defining download
schedules and sources.
Application and Device Control: Protect resources, manage
peripheral devices, and control application behavior.
Exceptions Policy: Exclude certain applications from virus and
spyware scans.
Host Integrity Policy: Enforce security on client computers,
ensuring compliance with company policies.
What is cyber risk management?
Cyber risk management is the process of identifying, analysing,
evaluating and addressing your organisation’s cyber security
threats. The first part of any cyber risk management programme is a
cyber risk assessment. This will give you a snapshot of the threats
that might compromise your organisation’s cyber security and how
severe they are. Based on your organisation’s risk appetite, your
cyber risk management programme then determines how to
prioritise and respond to those risks.
Cyber risk management involves: Identification:
Recognizing potential cyber threats and vulnerabilities in an
organization's systems and processes. Identifying weak points that
could be exploited by cyber attackers.
Assessment:
Evaluating the likelihood and potential impact of identified risks on
business operations and data. Quantifying potential damage and
financial loss resulting from successful cyber attacks.
Mitigation:
Implementing security measures to minimize vulnerabilities and
enhance the organization's security posture.
Strengthening defenses against cyber threats through strategies such
as regular updates and employee training.
Monitoring:
Regularly tracking and analyzing the evolving threat landscape to
stay updated on new risks.
Adapting cyber risk management strategies based on the changing
nature of cyber threats.
Response:
Developing comprehensive plans to quickly address and recover
from cyber incidents.
Reducing the impact of cyber attacks by having well-defined
procedures and coordination.
The information security process involves:
Planning:
Developing a strategy and framework for safeguarding sensitive
data and systems.
Identifying risks, potential threats, and vulnerabilities that could
compromise security.
Implementation:
Putting security measures in place based on the identified risks and
strategies.
Deploying technologies, policies, and procedures to protect
information assets.
Monitoring:
Continuously observing and assessing the security landscape for
any signs of potential breaches.
Using tools and techniques to detect anomalies or unauthorized
access.
Response:
Creating incident response plans to address security breaches or
incidents.
Taking swift action to mitigate the impact of security breaches and
recover normal operations.
Review and Improvement:
Regularly evaluating the effectiveness of security measures and
processes.
Identifying areas for enhancement, updating policies, and adapting
to new threats.
information security best practices:
Consider Biometric Security:Implement biometric authentication
methods like fingerprint or facial recognition. Enhance security by
relying on unique physical traits for user identification. Reduce the
risk of password-related breaches with biometric verification.
Form a Hierarchical Cybersecurity Policy:
Develop a comprehensive cybersecurity policy tailored to your
organization's needs. Define roles and responsibilities for different
teams to ensure coordinated security efforts. Establish clear
guidelines for incident response and communication during security
breaches.
Employ a Risk-Based Approach to Security:
Prioritize security measures based on identified risks and potential
impact. Allocate resources to address vulnerabilities that pose the
greatest threat. Continuously assess and adapt security strategies in
response to evolving risks.
Back Up Your Data:
Regularly back up critical data to prevent loss due to cyber
incidents. Store backups in secure and separate locations to ensure
recovery options. Test data restoration procedures to ensure the
integrity of backups.
Manage IoT Security:
Implement strong security measures for Internet of Things (IoT)
devices. Regularly update firmware and software to address
vulnerabilities. Segregate IoT devices from critical networks to
limit potential impact.
Use Multi-Factor Authentication:
Require multiple forms of verification for accessing systems and
accounts. Combine passwords with additional factors like SMS
codes or biometrics. Enhance authentication security, reducing the
risk of unauthorized access.
Handle Passwords Securely:
Encourage strong password creation with complexity and length
requirements. Enforce regular password updates and discourage
password sharing. Store passwords securely using hashing and
salting techniques.
Use the Principle of Least Privilege:
Limit user access rights to only necessary resources for their roles.
Reduce the potential impact of breaches by minimizing access to
sensitive data.Control user permissions and monitor access
activities.
Keep an Eye on Privileged Users:
Monitor and audit activities of users with elevated privileges.
Detect unusual behavior that may indicate insider threats or misuse
of access. Implement additional controls for privileged accounts.
Monitor Third-Party Access to Your Data:
Regularly assess and audit third-party vendors' security practices.
Implement contractual agreements that ensure vendors meet your
security standards. Monitor vendor access and data interactions for
potential risks.
Be Wary of Phishing:
Educate employees to recognize phishing attempts and suspicious
emails. Implement email filtering and security measures to prevent
phishing attacks. Conduct simulated phishing exercises to enhance
employee awareness.
Raise Employee Awareness:
Provide ongoing cybersecurity training to all employees. Foster a
culture of security awareness and reporting suspicious incidents.
Empower employees to play an active role in maintaining
information security.
WHAT IS COMPUTER FORENSICS?
Definition: Computer forensics involves systematically examining
computer media for evidence, including hard disks and tapes.
Process: It encompasses collection, preservation, analysis, and
presentation of computer-related evidence.
Aliases: Also known as electronic discovery, digital discovery, data
recovery, and computer examination.
USE OF COMPUTER FORENSICS IN LAW
ENFORCEMENT
Data Recovery: Recovers deleted files, graphics, and documents
from computer media.
Unallocated Space: Searches hidden data-rich areas on hard drives
for valuable evidence.
Artifact Tracing: Identifies operating system artifacts, aiding in
evidence discovery.
Expert Evaluation: Forensic experts assess the value of recovered
data and artifacts.
Hidden File Processing: Reconstructs and analyzes hidden files for
past usage information.
String-Search for E-mail: Searches for e-mails even when an e-
mail client isn't obvious.
BENEFITS OF PROFESSIONAL FORENSIC
METHODOLOGY
Evidence Integrity: Ensures evidence is not damaged, destroyed,
or compromised during investigation.
Virus Prevention: Guards against introducing viruses during the
analysis process.
Evidence Protection: Handles and safeguards extracted evidence
from potential damage.
Chain of Custody: Establishes and maintains a traceable record of
evidence handling.
Minimal Impact: Minimizes disruption to business operations
during the forensic examination.
Confidentiality: Ethically and legally respects any sensitive
information acquired during exploration.
steps taken by computer forensics specialists
Evidence Identification: Specialists identify potential sources of
digital evidence, such as devices, storage media, and network logs.
Evidence Collection: Forensics experts gather and preserve
evidence using specialized tools to ensure data integrity.
Evidence Analysis: They meticulously examine collected data,
searching for hidden information, artifacts, and traces of
unauthorized activity. Data Recovery: Specialists use advanced
techniques to recover deleted or damaged files and piece together
fragmented data. Forensic Reporting: They create comprehensive
reports detailing findings, methodologies, and the significance of
discovered evidence. Expert Testimony: Forensics specialists
provide expert testimony in legal proceedings, explaining their
findings and methodologies to support investigations and court
cases.
TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC
TECHNOLOGY ::::Digital Evidence Collection Tools:
Specialized hardware and software tools used to acquire data from
various devices, ensuring its integrity and admissibility in legal
proceedings. Forensic Imaging Software: Software that creates
bit-by-bit copies (forensic images) of digital storage media,
preserving original data for analysis and preventing contamination.
Network Forensics Tools: Software and appliances used to
monitor and analyze network traffic, identifying potential security
breaches, unauthorized access, and data exfiltration.
Mobile Device Forensics Tools: Software designed to extract and
analyze data from smartphones, tablets, and other mobile devices,
uncovering evidence related to communications, location, and
more.
Memory Forensics Tools: Tools that allow specialists to analyze a
computer's volatile memory, uncovering running processes, open
files, and potentially malicious activities.
Data Recovery Software: Software used to recover deleted or lost
data from storage devices, helping investigators retrieve critical
information even when it has been intentionally erased.
Evidence Collection and Data Seizure:
Collecting evidence is vital for future prevention and holding
attackers accountable. Different types of evidence include real
evidence, testimonial evidence, and hearsay. Rules of evidence
include admissibility, authenticity, completeness, reliability, and
believability.
Types of Evidence:
1. Real Evidence:
Self-sufficient: Stands on its own, independent of other evidence.
Electronic example: Uncontaminated audit logs that directly reflect
events.
2. Testimonial Evidence:
Witness-based: Provided by reliable individuals. Strength: Can hold
significant weight if witness credibility is established.
3. Hearsay:
Indirect source: Evidence from a non-direct witness. Court
admissibility: Generally not accepted in court due to potential lack
of reliability.
4. Documentary Evidence:
Written records: Documents, contracts, emails, etc. Establishing
facts: Helps establish facts or events through recorded
communication.
The Rules of Evidence:
Admissible: Evidence should be usable in court proceedings.
Authentic: Evidence must relate directly to the incident.
Complete: Collect comprehensive evidence to present all
perspectives.
Reliable: Ensure collection methods maintain evidence credibility.
Believable: Present evidence in a clear, understandable manner for
a jury.
Methods of Collection:
1. Freezing the Scene:
Snapshot compromised system: Capture the system's state at the
time of compromise.
Data collection: Gather essential data onto removable media in a
standard format.
Data integrity: Maintain data authenticity through cryptographic
message digests and verification.
2. Honeypotting:
Replica system: Create a duplicate system to attract and monitor
attackers.
Misleading information: Insert deceptive data to gauge attacker's
reaction and motives.
Motive identification: Analyze attacker's behavior within the replica
environment.
Collection Steps:
Use a checklist to find and collect evidence systematically.
Identify relevant data within the evidence for the case.
Establish an order of volatility to prioritize evidence preservation.
Prevent external changes to the original data during collection.
Use appropriate tools to collect evidence and document procedures.
Computer Evidence Processing Steps:
Shut down the computer swiftly and document its hardware
configuration. Transport the system to a secure location to prevent
compromise. Create bit stream backups of storage devices for
evidence processing.
Mathematically authenticate data on storage devices for integrity.
Document the system date and time settings for accurate
timestamps.
Compile a list of key search words for efficient automated
searching.
Evidentiary Reporting Summary:
Timely Reporting: Report all incidents promptly to management to
preserve evidence.
Internal Reporting: Swift internal reporting is crucial to gather
and protect potential evidence.
Limited Access: Limit access to investigation details to minimize
the risk of leaks.
Need-to-Know Basis: Share information on a need-to-know basis
to maintain confidentiality.
Out-of-Band Communications: Use separate, secure channels for
incident-related communication.
Avoid Compromised Systems: Refrain from discussing
investigations via compromised email systems.
Notification Considerations: Depending on the type of crime and
organization, notify executive management, infosec, physical
security, internal audit, and legal departments.
Incident Response Definition:
NIST Definition: National Institute of Standards and Technology
defines incident response as mitigating security policy violations.
SANS Institute: SANS defines incident handling as an action plan
for dealing with security incidents.
Incident Response Life Cycle:
Preparation Phase:
Establish necessary tools, resources, and training for incident
response. Identify risks, develop policies, and collaborate with
outsourced IT. Train the incident response team and ensure
communication procedures. Set up the infrastructure, including
asset management and investigative tools.
Detection and Analysis Phase:
Accurately detect and assess incidents to identify potential threats.
Analyze the nature and scope of the incident to understand its
impact. Determine the cause, scope, and severity of the incident for
appropriate response.
Containment, Eradication, and Recovery Phase:
Contain the incident to prevent further spread across the network.
Eradicate the threat by completely removing it from affected
systems. Execute recovery procedures to restore systems to normal
functionality.
Post-Event Activity Phase:
Analyze the incident and response efforts to identify areas of
improvement. Implement measures to prevent similar incidents in
the future. Learn from the incident to enhance future incident
response strategies. Continuously refine and update incident
response procedures based on lessons learned.
Incident Preparation involves:
Identifying risks and vulnerabilities for proactive security measures.
Creating robust security policies for effective incident response
planning. Training the response team to handle various cyber threats
effectively. Allocating resources and tools necessary for rapid
response actions. Ensuring the infrastructure is ready for thorough
incident analysis. Collaborating with outsourced IT partners to
enhance response capabilities.
Incident Detection and Analysis includes:
Accurate identification of security breaches and potential threats.
Analyzing incident details to understand the extent of the
compromise. Determining the impact on systems, data, and
operations. Investigating the attack vector and identifying the
attacker's tactics. Collecting evidence for further action and
response planning. Collaborating with experts to assess the threat's
severity and scope.
Containment, Eradication, and Recovery involve:
Swift containment to prevent further spread of the incident.
Eradicating threats completely from systems and networks.
Recovering affected systems to restore normal operations
efficiently. Implementing security measures to prevent similar
incidents in the future. Regularly assessing the effectiveness of the
recovery process. Collaborating with IT teams to ensure seamless
restoration and security enhancement.
Proactive and Post-Incident Cyber Services encompass:
Identifying vulnerabilities before threats occur for enhanced
security. Establishing a baseline cybersecurity level with necessary
processes and tools. Automating threat reporting and incident
response for real-time actions. Addressing regulatory concerns and
data protection to avoid penalties. Recognizing the growing value
of digital assets for stronger defenses. Balancing proactive
strategies with reactive incident handling for comprehensive
security.
CYBER LAW AND ETHICS
1. Cyber law refers to all the legal and regulatory aspects of
Internet and World Wide Web. It is important because for the
following reasons:
i. It is required to overcome the cybercrime in the internet.
ii. It is important for the eradication of the illegal activities done in
the internet.
iii. It touches all the aspects of transactions and activities on and
concerning the internet and Cyberspace.
2. The provisions provided by the Cyber Law 2061 B.S. are as
follows:
i. It has a strong provision for punishment against cyber-crimes.
The cyber-criminal can be fined up to Rs. 5, 00,000
or liable to imprisonment of up to five years or both.
ii. The act has provision for office of the controllers that issue
license of certification to the IT facilities.
3. Digital Signature is the mathematical scheme for demonstrating
the authenticity of a digital message or document. It is important in
e commerce because it provides a legal framework to facilitate and
safeguard electronic transactions in electric medium.
4. Computer ethics is the branch of practical principles that deals
with how the computer experts should make decisions in regard to
the social and professional behavior. It is a set of moral principles
that regulates the use of computers.
5. The cyber law that enforces the discipline of usage of computer,
world-wide is called the International Cyber Law.
The International Cyber Law is illustrated below:
i. Freedom of Information Act 1970: This act states that, each
individual has the rights to view each information provided by the
state.
ii. Video Privacy Act 1988: This act states that the individual record
cannot be viewed by any other without the permission of the court.
iii. Fair credit reporting Act 1970: This act ensures that each
individual can view rights to view their credit information in free of
cost basis.
iv. Federal Privacy Act 1974: This act states enforces the concept
that a state can view any record if it is needed.
6. Formation of an efficient information technology will place
country's disadvantages as the result of its
geographical conditions towards the minority. There remains the
prominent economic disparity between the countries with and
without sufficient development. So, it is very much possible that the
international community will extend its support to developing
countries for the development of information technology. Such
assistance will definitely be significant for the national development
of a developing country like Nepal. Hence, Information Technology
(IT) policy is essential for the development of information
technology. Development of IT in turn will upgrade the standard of
the national economy.
7.Objectives
i. To make information technology accessible to the general public
and increase employment through this means.
ii. To build a knowledge through this means.
iii. To establish knowledge-based industries.
Strategies
i. Legalize and promote e-commerce.
ii. Assists in e-governance by using information technology.
iii. Include computer education in curriculum from the school level.
Action Plan
i. Infrastructure Development
ii. Promotion Of E-Commerce
iii. Human Resource Development.
8. Computer ethics is the branch of practical principles that deals
with how the computer experts should make decisions in regard to
the social and professional behavior. It is a set of moral principles
that regulates the use of computers.
The computer ethics are as follows:
i. One should not interfere with other computer's work.
ii. One should not provide fake information.
iii. One should not use the computer to steal.
iv. One should not copy or use proprietary software for which they
have not paid.
v. One should not create a virus and use it.
9. Cyber Law was implemented in Nepal in 2061 B.S. It was
implemented to stop cyber-crimes, hacking, piracy,
harassments etc.
10. The points of ethics to be followed by the computer users are as
follows:
i. Hacking: Computer hacking is the transferring illegal items
through the internet (such as encryption technology) that is banned
in some locations. It is the activity of breaking into a computer
system to gain an unauthorized access.
Privacy:
Privacy safeguards personal information from unauthorized access
or use.
Infringement on privacy can lead to cyber-crime if data is misused.
Privacy involves controlling personal information's exposure to
unauthorized parties.
It includes aspects like secrecy, anonymity, and solitude to protect
information.
Secrecy refers to safeguarding personalized data from free
distribution.
Anonymity ensures protection from unwanted attention and identity
exposure.
Solitude maintains physical distance to uphold privacy.
Violation of privacy can lead to cyber-crimes and breaches.
iii. Piracy:
Piracy involves unauthorized copying or distribution of software or
media.
Cyber security extends to customs officers and agencies protecting
consumers.
Piracy involves unauthorized copying or theft of software,
intellectual property, or media.
Examples include software piracy and copying licensed content
without permission.
Security personnel, custom officers, and agencies combat piracy to
protect creators and consumers.
Piracy negatively impacts industries like entertainment, software,
and publishing.
Measures against piracy include digital rights management and
legal actions.
Piracy undermines intellectual property rights and fair
compensation for creators.
iv. Copyright:
Copyright grants exclusive rights to copy an original work.
Limited duration and specific usage are covered by copyright law.
Copyright grants exclusive rights to creators of original works,
limiting their use by others.
Covers literary, artistic, and creative works like books, music, films,
and software.
Provides legal protection against unauthorized copying,
distribution, and use.
Rights are time-limited, encouraging innovation while protecting
creators' interests.
Copyright infringement can lead to legal action, damages, and loss
of revenue.
Balances between protecting creators and promoting the exchange
of knowledge and culture.
Cyber Law Standards (Nepal): i. Facilitates and safeguards
electronic transactions and records. ii. Enables electronic filing and
efficient government services. iii. Regulates Certifying Authorities
under the Controller's oversight. iv. Grants legal status to digital
signatures, supporting e-banking. v. Recognizes electronic
signatures for global economic activities.
Cyber Law Sufficiency (Nepal):
Cyber Law 2061 and IT Policy 2002 may not sufficiently cover all
electronic data transmissions. Effective implementation and
potential law modifications are crucial for combating cyber-crimes.
Cyber Law Subjects: I. Intellectual Property protection. II.
Jurisdiction considerations. III. Privacy preservation. IV.
Combatting Computer Crime. v. Regulation of Digital Signatures.
vi. Safeguarding Freedom of Expression.
Intellectual Property:
Intellectual property (IP) encompasses creations of the mind,
including inventions, designs, art, and symbols.
Protects creators' rights, encouraging innovation and creativity in
various fields. IP can be classified into copyrights, patents,
trademarks, and trade secrets.
Copyrights protect artistic and literary works, patents safeguard
inventions, and trademarks identify products.
Trade secrets safeguard confidential business information,
contributing to a competitive advantage.
IP laws balance protection and dissemination, fostering innovation
and cultural development.
Types of Intellectual Property:
Copyright:
Protects original literary, artistic, and creative expressions.
Grants exclusive rights to creators for a limited time.
Covers works like books, music, software, and artistic creations.
Balances the rights of creators with public access to information.
Patent:
Grants inventors exclusive rights to their inventions for a set period.
Encourages innovation by providing legal protection and incentive.
Different types include utility, design, and plant patents.
Requires public disclosure of the invention's details.
Trademark:
Protects distinctive signs, symbols, names, or designs identifying
products.
Ensures consumers can distinguish between different brands.
Offers brand recognition and prevents confusion in the marketplace.
Must be registered and maintained to retain protection.
Trade Secret:
Protects confidential business information, not publicly disclosed.
Offers competitive advantage by keeping valuable information
hidden. Involves maintaining secrecy through contracts and security
measures.
Does not have a limited duration like patents or copyrights.
Professional Ethics in Cybersecurity:
Uphold integrity, honesty, and transparency in all actions and
decisions. Safeguard client confidentiality and respect agreements
regarding data protection. Maintain competence through ongoing
skill development and accurate service provision. Address conflicts
of interest impartially, prioritizing clients' welfare. Take
accountability for decisions, acknowledge mistakes, and correct
them responsibly. Adhere to legal and regulatory requirements,
abstaining from illicit activities.
Requirements of a Professional:
Expertise and Knowledge:
Possess advanced skills and deep domain knowledge. Blend
practical experience with formal education for proficiency.
Autonomy and Power Balance:
Maintain a power balance in client-service relationships.
Professionals hold more influence due to specialized expertise.
Adherence to Codes of Conduct:
Observe professional, personal, institutional, and community codes.
Professional codes guide ethical behavior for both image and
individual integrity.
Professional Code:Guideline set by the profession, outlining
expected behavior. Protects the profession's reputation and
members' actions.
Personal Morals:
Individual moral guidelines influenced by cultural and religious
beliefs. Complements and enhances the professional code's values.
Institutional Standards: Adhere to the code imposed by
employing institutions. Builds public trust and confidence in both
the professional and the institution.
Community Standards: Abide by local community norms,
influenced by religion or culture. Reflects the societal expectations,
legal requirements, and regional values.
Four Pillars of Professionalism:
1. Commitment:
Demonstrating dedication to one's role and responsibilities in the
profession. Striving for excellence in cybersecurity practices and
continuous self-improvement. Maintaining a strong work ethic and
contributing positively to the field.
2. Integrity:
Upholding honesty and ethical behavior in all professional
interactions. Building trust by adhering to high moral principles and
values. Avoiding conflicts of interest and ensuring transparency in
decision-making.
3. Responsibility:
Acknowledging and fulfilling obligations towards clients, users,
and the community. Taking ownership of one's actions and
decisions in cybersecurity matters. Promoting security awareness
and advocating for responsible digital behavior.
4. Accountability:
Being answerable for the outcomes of cybersecurity actions and
decisions. Taking responsibility for mistakes or oversights and
learning from them. Adhering to professional codes of conduct and
legal regulations to maintain credibility.
Professional Ethics in Cybersecurity:
Integrity and Honesty:
Uphold truthfulness, transparency, and sincerity in all activities.
Avoid deceptive practices and misrepresentation of information.
Client Confidentiality:
Safeguard client's sensitive data and proprietary information.
Respect confidentiality agreements and legal obligations.
Competence and Skill: Maintain proficiency through continuous
learning and skill development. Provide accurate, reliable, and
effective cybersecurity services.
Conflict of Interest:
Disclose and manage conflicts to ensure unbiased decision-making.
Prioritize clients' interests over personal or external influences.
Accountability:
Accept responsibility for actions, decisions, and their consequences.
Acknowledge mistakes and take appropriate corrective actions.
Respect for Law:
Adhere to legal frameworks and regulations governing
cybersecurity practices.
Refrain from engaging in illegal activities or supporting illicit
actions.
Freedom of Speech in Cyberspace:
Embraces online speech and accessing information while raising
governance concerns.
Variation based on laws, culture, society; sparks debate over
control.
National vs. international oversight: a dilemma in digital
governance.
Countries asserting content regulation within their online borders.
Cyber sovereignty and autonomy concerns in the digital landscape.
Advocates argue for global authority due to internet's
boundarylessness.
Legal content disparities across nations highlight internet's legal
complexities.
Struggle to find equilibrium between expression and jurisdictional
restrictions.
Fair Use in Digital Content:
Balances copyright law with limited use for education, criticism,
commentary.
Subject to interpretation; considers factors like purpose, amount,
effect.
Enables transformative works, fostering creativity and cultural
discourse.
Avoids infringing on creators' rights while allowing valuable
derivative works.
Protects free expression, yet legal battles often arise due to
ambiguity.
Essential for innovation, research, education, and public interest
purposes.
Varied interpretations across jurisdictions highlight complex
copyright landscape.
Continual evolution as technology shapes how content is shared and
used.
Ethical Hacking and Cybersecurity:
Authorized hacking to expose vulnerabilities, enhance security, and
prevent breaches.
Protects systems by identifying weaknesses and suggesting
improvements.
Legal, responsible hacking; contrasts with malicious cyberattacks
and cybercrime.
Required skills include coding, networking, and deep understanding
of vulnerabilities.
Enhances digital defense through proactive identification and
mitigation of risks.
Maintains ethical standards; respects privacy and gains explicit
permissions.
Supports organizations' efforts to safeguard sensitive data and user
trust.
Rapidly evolving field, vital in an increasingly digitized and
interconnected world.
Definition of Internet Fraud:the use of a computer or computer
system to help execute a scheme or illegal activity and the targeting
of a computer with the intent to alter, damage, or disable it.
Types of Internet Fraud:
1. Theft of Information: Unauthorized access to secure systems
for data theft (trade secrets, copyrighted content). Targets sensitive
information; government, trade secrets, copyrighted materials.
Includes digital duplication of movies, games, music without
permission.
2. Theft of Service: Unauthorized use of web services or internet
connections without payment. Involves gaining free access to long-
distance systems or services. Often classified as Internet fraud,
includes fake online auctions, offering non-existent goods.
3. Denial of Service: Deliberate overload of target's system to
disrupt services. "Mailbombing": Flooding email account with
excessive messages to disable it. Also used as an extortion tactic,
demanding payment to stop the attack.
4. Hacking and Hardware Damage: Unauthorized access to
computer hardware, often for malicious intent. Hackers steal
passwords, delete data, or create programs to capture sensitive
information. Infiltration through posing as repairmen or spreading
dangerous computer viruses.
5. Online Sex Crimes: Involves stalking, child pornography, and
other illegal activities. Exploits digital platforms for criminal
activities related to sexual offenses.
PUNISHMENTS FOR COMPUTER OR INTERNET FRAUD
A perpetrator of computer or Internet fraud may be found guilty of a
felony and face a fine of up to $250,000 and/or up to 20 years in
jail. Often, those charged with computer and/or Internet fraud are
also charged with wire fraud, mail fraud, conspiracy, identity theft,
or other white collar crimes
Electronic Evidence:
Digital Data: Electronic evidence refers to digital information
collected from electronic devices like computers, smartphones, and
servers. Admissibility: It must meet legal criteria to be admissible
in court, including authenticity, integrity, and relevance. Types:
Examples include emails, text messages, computer logs, social
media posts, and digital documents. Collection: Proper collection
methods ensure preservation and prevent tampering to maintain its
credibility. Legal Proceedings: Electronic evidence is used in
various legal proceedings, such as criminal cases, civil litigation,
and digital forensics investigations.
Laws Governing Electronic Evidence:
Fourth Amendment Protection:
Protects privacy against unreasonable searches and seizures.
Searches with a warrant: Police can seize and search with a valid
search warrant.
Searches without a warrant: Warrantless searches are allowed in
specific cases.
Statutory Privacy Laws:
Electronic Communications Privacy Act (ECPA): Regulates
obtaining stored account records from service providers and limits
electronic surveillance.
The Patriot Act: Expands police power for electronic evidence
collection.
Use of Electronic Evidence:
Crime Elements: Prosecutors use electronic evidence to establish
elements of the charged crime. Emails and conversations as
evidence in cyberbullying or stalking cases. Browser histories to
link research to the crime. Documents for white-collar crime
elements. Visual Evidence: Digital photos or videos can serve as
evidence, e.g., revenge porn cases.
Living Values:
Rediscovering and developing human potential for better living.
Reflects internal self-worth and recognition of the value of human
life. Trains the mind to focus on the positive aspects of individuals.
Faith in Dignity and Potential:
Reaffirms faith in human dignity and worth.
Expands one's potential beyond current limits.
Recognizes inherent worth not dictated by external factors.
Basic Human Values:
Inherent values fundamental to being human.
Include truth, honesty, loyalty, love, peace, etc.
Promote goodness in individuals and society.
Importance of Human Values:
Understanding attitudes, behaviors, and motivation.
Shapes perception of the world and concepts of right and wrong.
Provides insight into individuals and organizations.
Five Essential Human Values: Right Conduct:
Includes self-help, social, and ethical skills.
Embraces values like modesty, good behavior, courage, and
efficiency.
Peace:
Encompasses qualities such as equality, humility, patience, and
optimism.
Truth:
Involves fairness, honesty, quest for knowledge, and determination.
Peaceful Co-existence:
Combines psychological values like compassion and morality.
Social values include brotherhood, equality, and respect for others.
Discipline:
Involves regulation, direction, and order.
Professionalism in Information Technology
Professionalism in Information Technology involves adhering to
accepted principles, including competence, knowledge, and ethical
behavior.
It is crucial not only in IT but also in other fields, emphasizing soft
skills, certification, and reputation building.
Teaching and practicing professionalism and ethics should begin at
the secondary school level to instill these values.
IT professionalism contributes to organizational reputation, ethical
practices, and overall value in various industries.
Professionalism's impact extends beyond IT, playing a vital role in
fostering ethical behavior and enhancing organizational worth.
Code of ethics
Professional ethics encompass accepted standards of behavior and
values established by organizations to guide members in their roles.
These codes ensure consistent ethical principles across professions
and are created by experts within the field.
The purpose of professional ethics is to promote uniform and sound
ethical conduct in various professions.
Notable examples include the Hippocratic Oath for medical
students, reflecting enduring ethical commitments.
Key components of professional ethics include integrity, honesty,
transparency, respectfulness, confidentiality, and objectivity.
Professional ethics serve as a framework for individuals to uphold
while performing their job functions.
Let us look at some of the qualities which describe a
professional (ACM, 2000)
1. Trustworthiness: Professional trusts himself in whatever he does
and trusts other people.
2. Honesty: Professional is honest when working and follows right
code of conduct.
3. Punctuality: It is one of the most important aspects of
professionalism.
4. Responsibility: Professional is responsible towards his work and
handles work effectively.
5. Leadership: Professional has good leadership skills and is a good
team player.
6. Confidentiality: Maintains confidentiality of information in an
organization.
7. Competency: Professional is technically competent in his field
A computing professionalshould...
Strive to achieve high quality in both the processes and products of
professional work.
Maintain high standards of professional competence, conduct, and
ethical practice.
Know and respect existing rules pertaining to professional work.
Accept and provide appropriate professional review.
Give comprehensive and thorough evaluations of computersystems
and their impacts, including analysis of possible risks.
Perform work only in areas of competence.
Foster public awareness and understanding of computing, related
technologies, and their consequences.
Access computing and communication resources only when
authorized or when compelled by the public good.
Design and implementsystemsthat are robustly and usably secure.
Various forms of professional credentialing
Credentialing involves granting designations like licenses or
certificates to assess an individual's competence in a specific field.
Licensure is the strictest form, mandated by governments, allowing
individuals to practice a profession after meeting standardized
criteria (e.g., Licensed Nurse, Professional Engineer).
Certification, a voluntary process by non-governmental bodies,
provides time-limited recognition after verifying predetermined
criteria (e.g., Certified Project Manager, Certified Association
Executive).
Registration, the least restrictive type, requires individuals to apply
for credentials through governmental or private agencies.
These types of credentialing—licensure, certification, and
registration—vary in terms of requirements and governmental
involvement.
Credentialing serves to assure the public of an individual's
competence and adherence to standards within a profession or
occupation.
The role of professionals in public policy involves:
Expertise and Analysis: Professionals provide in-depth expertise
and analysis on complex issues, offering insights into the potential
impacts of policies.
Evidence-Based Recommendations: They contribute evidence-
based recommendations, guiding policymakers toward effective and
informed decisions.
Ethical Considerations: Professionals bring ethical considerations
to the forefront, ensuring policies align with moral principles and
societal values.
Stakeholder Engagement: They facilitate engagement with
diverse stakeholders, fostering inclusive discussions and
incorporating a range of perspectives.
Implementation Planning: Professionals assist in planning policy
implementation, considering logistical challenges and resource
allocation.
Continuous Evaluation: They contribute to ongoing policy
evaluation, identifying areas for improvement and adaptation based
on real-world outcomes.
Maintaining awareness of consequences involves:
Anticipating Effects: Professionals foresee potential outcomes of
decisions, both intended and unintended, to prevent negative
repercussions.
Assessing Impact: They analyze the short-term and long-term
effects of actions, ensuring comprehensive understanding of
consequences.
Accounting for Stakeholders: Professionals consider how
decisions affect various stakeholders, promoting equitable and fair
outcomes.
Addressing Risks: They identify and address potential risks and
challenges associated with choices, aiming to mitigate potential
harm.
Adapting Strategies: Professionals remain adaptable, ready to
modify approaches if consequences deviate from the expected
course.
Learning from Experience: They learn from past successes and
failures, using insights to refine decision-making and anticipate
consequences more effectively.
Ethical dissent and whistle-blowing
ethical dissent is a process, not a single action. Ethical dissent refers
to the act of expressing opposition or disagreement with prevailing
norms, practices, or decisions on moral grounds, emphasizing
ethical principles and promoting critical discourse
The IEEE has guidelines for ethical dissent that include:
1. Establish a clear technical foundation
2. Be professional, impersonal, objective.
3. Catch problems early, keep issues at lowest managerial level
possible
4. Make sure you think the issue is important enough to make your
case
5. Help establish and use organizational dispute resolution
mechanisms
6. Keep records
Whistleblowing
Whistleblowing involves a member or ex-member of an
organization revealing internal wrongdoing or threats to the public.
It includes going outside normal channels to expose ethical
violations knowingly or unknowingly committed.
Whistleblowers face the challenge of breaking with their
organizational group, potentially destabilizing their own lives.
Disclosure can be internal, within the organization's channels, or
public, alerting a wider audience.
The motivation behind whistleblowing is a concern for ethics and
the safety and well-being of both the organization and the public.
Conditions justifying whistleblowing:
Public Harm: When a policy or product poses significant harm to
the public.
Stakeholder Safety: Identifying threats to consumers, employees,
or stakeholders against personal moral concerns.
Exhausted Channels: When internal procedures fail and no action
is taken, even escalating to the board of directors.
Substantial Evidence: Backed by compelling documented
evidence that can withstand legal scrutiny.
Change Catalyst: Belief that public disclosure will prompt
necessary organizational changes, balancing risk with potential
success.
Focus Areas: Avoiding divulging confidential data, maintaining
professional conduct, refraining from personal motives, and
addressing ethical rather than managerial incompetence.
Association of International Certified Professional Accountants
(AICPA):
Represents accountancy profession globally, known for strict
educational requirements and ethical standards.
AICPA's Code of Professional Conduct emphasizes public interest,
requiring state boards to adopt its ethical standards.
Six principles guide CPAs, covering safety, competence, truthful
communication, fiduciary responsibility, and avoiding deception.
National Society of Professional Engineers (NSPE):
Founded in 1934, dedicated to non-technical concerns of licensed
professional engineers.
NSPE's Code of Ethics for engineers includes rules like prioritizing
public welfare, competence, honesty, fiduciary responsibility, and
avoiding deception.
Emphasis on safety, professional competence, truthful
communication, fiduciary duty, and avoiding deceptive practices.
Institute of Electrical and Electronic Engineers (IEEE):
IEEE's Code of Ethics and Code of Conduct ensure respectful, fair,
and lawful behavior.
Guidelines focus on respecting privacy, fairness, preventing harm,
avoiding retaliation, and compliance with laws.
IEEE encourages members to treat others fairly, respect privacy,
prevent harm, and promote lawful and ethical conduct.
Association for Computing Machinery (ACM):
Established in 1947, ACM focuses on computing and ethical
conduct.
ACM's Code of Ethics emphasizes contributing to society, avoiding
harm, honesty, fairness, respecting intellectual property, and
ensuring privacy.
Professional responsibilities include striving for quality, acquiring
competence, adhering to laws, giving comprehensive evaluations,
and authorized resource usage.
Dealing with Harassment and Discrimination:
Harassment:
Harassment involves creating a hostile, offensive, or intimidating
environment based on attributes like race, religion, gender, age, etc.
It is a form of discrimination that negatively impacts individuals
and organizations.
Signs include unhappiness, anxiety, stress, and lifestyle changes in
affected individuals.
Awareness is crucial to identify and address harassment.
Discrimination:
Discrimination involves decisions negatively affecting individuals
due to attributes like race, religion, gender, etc.
It can be difficult to detect, but decisions based on discriminatory
factors signify discrimination.
Both harassment and discrimination are serious human rights
violations.
Prevention and Steps to Address:
Awareness and Education: Recognize signs of harassment and
discrimination such as changes in behavior, stress, or discomfort.
Policy Framework: Organizations should have clear, written
policies outlining procedures for handling harassment and
discrimination cases.
Complaint Process: Establish a structured process for reporting
harassment and discrimination incidents confidentially.
Sanctions: Define appropriate consequences for those found guilty
of harassment or discrimination, promoting accountability.
Redress: Provide mechanisms for affected individuals to seek
resolution and remedy for the harm caused.
Prevention: Create a culture that values diversity and inclusivity,
promoting respect and understanding among all members.
Dealing with Harassment and Discrimination in Nepal:
Legal Awareness: Educate people about Nepal's anti-harassment
and anti-discrimination laws to ensure their rights and protections.
Education and Sensitization: Conduct workshops and training
sessions to raise awareness about recognizing, reporting, and
addressing harassment and discrimination.
Reporting Channels: Establish confidential and accessible
reporting channels for incidents, fostering open dialogue and
protecting whistleblowers.
Policy Implementation: Develop and implement clear policies in
workplaces, schools, and public spaces, outlining reporting
procedures, investigations, and consequences.
Support and Accountability: Offer emotional and legal support
for victims, while holding perpetrators accountable through
thorough investigations and appropriate sanctions.
Public Awareness Campaigns: Launch campaigns to promote
public awareness, discourage discriminatory behaviors, and
encourage collective efforts against harassment and discrimination.
Risk Assessment and Management Summary:
Risk Management Process: Risk management estimates risks'
impact, measuring assets and vulnerabilities, assessing threats, and
monitoring security.
Design and Use: Risk management applies to software during
design and usage phases, focusing on assessment, planning,
implementation, and monitoring.
Components of Risk Management: It comprises assessment and
control, necessitating risk assessment and control evaluation before
project delivery.
Assessment Documentation: Documenting hazards and accidents
helps identify risks, listing potential dangers, their probabilities,
potential losses, and rankings.
Control Documentation: Control involves techniques to mitigate
high-order risks, their implementation, effectiveness monitoring,
and adjusting throughout the design process.
Phases of Risk Management: After design, phases involve
assessment, planning, implementation, and monitoring, adapting to
ongoing changes and new security needs.
Calculation of Risk: Risk can be calculated using the equation:
Risk = Assets X Threats X Vulnerabilities.
Workplace Risks: Workplace systems involve hardware, software,
and humanware components, with accidents resulting from their
intertwined interactions. The risk associated with workplaces
includes commuting, hardware, software, and humanware factors,
and effective training can mitigate humanware-related risks.
Software Risks:
Software risks stem from a range of factors, including human
error, software complexity, and misinterpretation of design
specifications. These factors contribute to poor software
performance and potential failures
Human Error:
Memory lapses and attentional failures due to oversight or
forgetfulness.
Rushing to meet deadlines, leading to incomplete testing and
overlooked issues.
Overconfidence in untested algorithms or approaches.
Malicious intent, where malicious code or malware is inserted by
individuals.
Complacency from previous experience, leading to missing error
control measures.
Complexity of Software:
Software's complexity compared to hardware engineering
contributes to risks.
Unlike hardware, software can have billions of potential outcomes
for the same input sequence.
Difficult testing due to the inability to exhaustively test for all
possible bugs.
Ease of programming encourages untrained individuals to develop
software, often without proper error checks.
Misunderstood Specifications:
Misunderstanding design specifications leads to improper coding,
documentation, and testing. Ambiguous specifications result in
poorly defined internal structures. Improperly chosen design
components affect the overall functionality and performance.
Implications of Software Complexity:
Dealing with software complexity necessitates strategic testing,
skilled professionals, and a focus on user experience and ongoing
improvement.
Unpredictable Outcomes:
Software's intricate nature leads to uncertainty in foreseeing all
potential outcomes.
Incomplete understanding of scenarios can lead to unexpected
errors and issues.
Testing Challenges:
Comprehensive testing for all complex scenarios becomes
impractical.
Certain bugs might go undetected, causing problems post-release.
Resource Intensiveness:
Addressing complex software demands extra time, resources, and
expertise.
Testing and debugging efforts can extend development timelines
and increase costs.
Maintenance Complexity:
Complex software is harder to maintain and update.
Evolving software becomes intricate, making modifications
challenging.
Quality Assurance Strain:
Ensuring software quality becomes tougher due to numerous
potential scenarios.
Issues might arise in real-world usage despite stable testing results.
Skill Requirements:
Developing and managing complex software demands advanced
skills and training.
Proficiency in understanding intricacies is vital for effective
management.
Safety and Engineers:
Primary Responsibility:
Engineers hold a primary responsibility for ensuring the safety of
products, systems, and structures they design.
Risk Assessment:
Engineers must conduct thorough risk assessments to identify
potential hazards and mitigate associated risks.
Adherence to Regulations:
Compliance with safety regulations and industry standards is crucial
to prevent accidents and ensure public welfare.
Continuous Learning:
Engineers should stay updated with the latest safety practices and
technologies to implement effective safety measures.
Ethical Obligations:
Engineers have an ethical duty to prioritize safety over other
considerations during design, development, and operation.
Collaboration and Communication:
Effective communication among engineering teams and
stakeholders is essential to address safety concerns
comprehensively.
Balancing Innovation and Safety:
Engineers must find a balance between innovation and safety,
ensuring that new technologies do not compromise well-established
safety protocols.
Accountability:
Engineers are accountable for the safety outcomes of their designs,
requiring accountability for any potential failures.
Engineers play a critical role in maintaining public safety by
conducting risk assessments, adhering to regulations, and upholding
ethical standards throughout the design, development, and operation
of products and systems.