
Lecture 0

Introduction: Objective, scope and outcome of the course.

Cyber crime: Definition and Origins of the Word

Reaching consensus on a definition of computer crime is difficult. One definition that is advocated is "a crime conducted in which a computer was directly and significantly instrumental". This definition is not universally accepted. It does, however, initiate further discussion to narrow the scope of the definition of "cyber crime"; for example, we can propose the following alternative definitions of computer crime:

• Any illegal act where a special knowledge of computer technology is essential for its perpetration, investigation or prosecution.
• Any traditional crime that has acquired a new dimension or order of magnitude through the aid of a computer, and abuses that have come into being because of computers.
• Any financial dishonesty that takes place in a computer environment.
• Any threats to the computer itself, such as theft of hardware or software, sabotage and demands for ransom.

Here is yet another definition: "cyber crime (computer crime) is any illegal behavior, directed by means of electronic operations, that targets the security of computer systems and the data processed by them." Note that in a wider sense, "computer-related crime" can be any illegal behavior committed by means of, or in relation to, a computer system or network; however, this is not cyber crime.
Statute and treaty law both refer to "cybercrime." The term "cybercrime" relates to a number of other terms that may sometimes be used interchangeably to describe crimes committed using computers: computer-related crime, computer crime, Internet crime, e-crime, high-tech crime, etc. are the other synonymous terms. Cybercrime specifically can be defined in a number of ways; a few definitions are:

1. A crime committed using a computer and the Internet to steal a person's identity (identity theft), sell contraband, stalk victims or disrupt operations with malevolent programs.
2. Crimes completed either on or with a computer.
3. Any illegal activity done through the Internet or on the computer.
4. All criminal activities done using the medium of computers, the Internet, cyberspace and the WWW.

According to one information security glossary, cybercrime is any criminal activity which uses network access to commit a criminal act. Opportunities for exploitation due to weaknesses in information security are multiplying because of the exponential growth of Internet connections. Cybercrime may be internal or external, with the former easier to perpetrate. The term "cybercrime" has evolved over the past few years since the adoption of Internet connection on a global scale with hundreds of millions of users. Cybercrime refers to the act of performing a criminal act using cyberspace as the communications vehicle. Some people argue that a cybercrime is not a crime, as it is a crime against software and not against a person or property. However, while the legal systems around the world scramble to introduce laws to combat cyber criminals, two types of attack are prevalent:
1. Techno-crime: A premeditated act against a system or systems, with the intent to copy, steal, prevent access, corrupt or otherwise deface or damage parts of or the complete computer system. The 24×7 connection to the Internet makes this type of cybercrime a real possibility to engineer from anywhere in the world, leaving few, if any, "fingerprints."
2. Techno-vandalism: These acts of "brainless" defacement of websites and/or other activities, such as copying files and publicizing their contents publicly, are usually opportunistic in nature. Tight internal security, allied to strong technical safeguards, should prevent the vast majority of such incidents.
There is a very thin line between the two terms "computer crime" and "computer fraud"; both are punishable. Cybercrimes (harmful acts committed from or against a computer or network) differ from most terrestrial crimes in four ways: (a) how to commit them is easier to learn, (b) they require few resources relative to the potential damage caused, (c) they can be committed in a jurisdiction without being physically present in it and (d) they are often not clearly illegal.
The term cyber crime has some stigma attached and is notorious
due to the word "terrorism" or "terrorist" attached with it, that is,
cyberterrorism. Cyber terrorism is defined as "any person, group
or organization who, with terrorist intent, utilizes or aids in
accessing a computer or computer network or electronic system
or electronic device by any available means, and thereby,
knowingly engages in or attempts to engage in a terrorist act
commits the offence of cyberterrorism". Cybercrime, especially
through the Internet, has grown in number as the use of
computer has become central to commerce, entertainment and
government.
The term cyber has some interesting synonyms: fake, replicated,
pretend, imitation, virtual, computer-generated. Cyber means
combining forms relating to Information Technology, the
Internet and Virtual Reality. This term owes its origin to the
word "cybernetics" which deals with information and its use;
furthermore, cybernetics is the science that overlaps the fields of
neurophysiology, information theory, computing machinery and
automation. However, beyond this, there does not seem to be
any further connection to the term "cybernetics" as per other
sources searched. It is closely related to control theory and
systems theory.
People are curious to know how cybercrimes are planned and
how they actually take place. Worldwide, including India,
cyberterrorists usually use computer as a tool, target or both for
their unlawful act to gain information which can result in heavy
loss/damage to the owner of that intangible sensitive
information.
The Internet is one of the means by which offenders can gain prized sensitive information of companies, firms, individuals and banks, and it can lead to intellectual property (IP) crimes (such as stealing new products, plans, their descriptions, marketing programme plans, lists of customers, etc.), selling illegal articles, pornography/child pornography, etc. This is done using methods such as phishing, spoofing, pharming, Internet phishing, wire transfer, etc., and the information is used to the offender's own advantage without the consent of the individual. "Phishing" refers to an attack using mail programs to deceive or coax Internet users into disclosing confidential information that can then be exploited for illegal purposes. Figure 1 shows the increase in phishing hosts.
Course Outcome:
1) Introduction to cyber crime

2) Introduction to cyber law

3) Prevention of cyber crime

4) Importance of cyber crime to organizations

5) Cyber crime Tools

6) Law Related to Cyber crime

TEXT BOOK:

1. Cyber Security: Understanding Cyber Crimes, Computer Forensics and Legal Perspectives, Nina Godbole and Sunil Belapure, Wiley India.

REFERENCE BOOK:

1. Cyber Security Essentials, James Graham, Richard Howard and Ryan Olson, CRC Press.
2. Introduction to Cyber Security, Chwan-Hwa (John) Wu, J. David Irwin, CRC Press T&F Group.

Lecture 1

Introduction to Cyber crime

What is cybercrime?

Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device.
Most, but not all, cybercrime is committed by cybercriminals or
hackers who want to make money. Cybercrime is carried out by
individuals or organizations.
Some cybercriminals are organized, use advanced techniques
and are highly technically skilled. Others are novice hackers.
Rarely, cybercrime aims to damage computers for reasons other
than profit. These could be political or personal.
Types of cybercrime
Here are some specific examples of the different types of
cybercrime:
Email and internet fraud.
Identity fraud (where personal information is stolen and used).
Theft of financial or card payment data.
Theft and sale of corporate data.
Cyberextortion (demanding money to prevent a threatened
attack).
Ransomware attacks (a type of cyberextortion).
Cryptojacking (where hackers mine cryptocurrency using
resources they do not own).
Cyberespionage (where hackers access government or company
data).
Most cybercrime falls under two main categories:
Criminal activity that targets computers.
Criminal activity that uses computers to commit other crimes.
Cybercrime that targets computers often involves viruses and
other types of malware.
Cybercriminals may infect computers with viruses and malware
to damage devices or stop them working. They may also use
malware to delete or steal data.
Cybercrime that stops users using a machine or network, or
prevents a business providing a software service to its customers,
is called a Denial-of-Service (DoS) attack.

Cybercrime that uses computers to commit other crimes may involve using computers or networks to spread malware, illegal information or illegal images.
Sometimes cybercriminals conduct both categories of
cybercrime at once. They may target computers with viruses
first. Then, use them to spread malware to other machines or
throughout a network.
Cybercriminals may also carry out what is known as a Distributed Denial-of-Service (DDoS) attack. This is similar to a DoS attack, but cybercriminals use numerous compromised computers to carry it out.
The US Department of Justice recognizes a third category of
cybercrime which is where a computer is used as an accessory
to crime. An example of this is using a computer to store stolen
data.
The US has signed the European Convention of Cybercrime.
The convention casts a wide net and there are numerous
malicious computer-related crimes which it considers
cybercrime. For example:
Illegally intercepting or stealing data.
Interfering with systems in a way that compromises a network.
Infringing copyright.
Illegal gambling.
Selling illegal items online.
Soliciting, producing or possessing child pornography.
Lack of information security gives rise to cyber crimes. Let us
refer to the amended Indian Information Technology Act (ITA)
2000 in the context of cybercrime. From an Indian perspective,
the new version of the Act (referred to as ITA 2008 ) provides a
new focus on "Information Security in India." "Cyber security"
means protecting information, equipment, devices, computer,
computer resource, communication device and information
stored therein from unauthorized access, use, disclosure,
disruption, modification or destruction. The term incorporates
both the physical security of devices as well as the information
stored therein. It covers protection from unauthorized access,
use, disclosure, disruption, modification and destruction.
Where financial losses to the organization due to insider crimes
are concerned (e.g. leaking customer data), often some difficulty
is faced in estimating the losses because the financial impacts
may not be detected by the victimized organization and no direct
costs may be associated with the data theft. The 2008 CSI
Survey on computer crime and security supports this. Cyber
crimes occupy an important space in information security
domain because of their impact. For anyone trying to compile data on the business impact of cybercrime, there are a number of challenges. One of them comes from the fact that organizations do not explicitly incorporate the cost of the vast majority of computer security incidents into their accounting, as opposed to, say, accounting for the "shrinkage" of goods from retail stores. The other challenge comes from the difficulty in attaching a quantifiable monetary value to corporate data, and yet corporate data get stolen or lost. For these reasons, reporting of financial losses often remains approximate. In an attempt to avoid negative publicity, most organizations abstain from revealing facts and figures about "security incidents", including cybercrime. In general, organizations' perception of "insider attacks" seems to be different from that made out by security solution vendors. However, this perception of an organization does not seem to be true, as revealed by the 2008 CSI Survey.
Awareness about "data privacy" too tends to be low in most
organizations. When we speak of financial losses to the
organization and significant insider crimes, such as leaking
customer data, such "crimes" may not be detected by the
victimized organization and no direct costs may be associated
with the theft.
Figure 1 shows several categories of incidents: viruses, insider abuse, laptop theft and unauthorized access to systems. Typical network misuses are for Internet radio/streaming audio, streaming video, file sharing, instant messaging and online gaming (such as online poker, online casinos, online betting, etc.). Online gambling is illegal in some countries, for example in India. However, India has yet to pass laws that specifically deal with the issue, leaving a sort of legal loophole in the meantime.
Lecture 2
Classifications of Cyber Crime

Examples of cybercrime
So, what exactly counts as cybercrime? And are there any
well-known examples?
In this section, we look at famous examples of different types of
cybercrime attack used by cybercriminals. Read on to
understand what counts as cybercrime.
Malware attacks

A malware attack is where a computer system or network is infected with a computer virus or other type of malware.
A computer compromised by malware could be used by cybercriminals for several purposes. These include stealing confidential data, using the computer to carry out other criminal acts, or causing damage to data.
A famous example of a malware attack is the WannaCry ransomware attack, a global cybercrime committed in May 2017.
Ransomware is a type of malware used to extort money by holding the victim's data or device to ransom. WannaCry is a type of ransomware which targeted a vulnerability in computers running Microsoft Windows.
When the WannaCry ransomware attack hit, 230,000 computers
were affected across 150 countries. Users were locked out of
their files and sent a message demanding that they pay a BitCoin
ransom to regain access.
Worldwide, the WannaCry cybercrime is estimated to have
caused $4 billion in financial losses.
Phishing
A phishing campaign is when spam emails, or other forms of
communication, are sent en masse, with the intention of tricking
recipients into doing something that undermines their security or
the security of the organization they work for.
Phishing campaign messages may contain infected attachments or links to malicious sites. Or they may ask the receiver to respond with confidential information.
A famous example of a phishing scam from 2018 was one
which took place over the World Cup. According to reports
by Inc, the World Cup phishing scam involved emails that were
sent to football fans.
These spam emails tried to entice fans with fake free trips to
Moscow, where the World Cup was being hosted. People who
opened and clicked on the links contained in these emails had
their personal data stolen.
Another type of phishing campaign is known as spear-phishing.
These are targeted phishing campaigns which try to trick
specific individuals into jeopardizing the security of the
organization they work for.
Unlike mass phishing campaigns, which are very general in
style, spear-phishing messages are typically crafted to look like
messages from a trusted source. For example, they are made to
look like they have come from the CEO or the IT manager.
They may not contain any visual clues that they are fake.
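A spear-phishing message that imitates the CEO or the IT manager may carry no visual clue, but it usually does carry header-level clues: the display name matches a known colleague while the sending domain does not, the Reply-To points elsewhere, the sender domain is a look-alike of the real one, or the links lead to hosts the organization does not use. The following Python script is an added example (not from the lecture notes or the sources it draws on) that checks those indicators against two constructed messages. The trusted-sender directory, the domains and the two sample messages are all assumptions made up for the illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory of trusted senders (display name -> real domain);
# in practice this would come from the organization's address book.
TRUSTED_SENDERS = {
    "Alice Example": "example.com",   # hypothetical CEO
    "IT Helpdesk": "example.com",
}
TRUSTED_DOMAINS = {"example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates (within two edits), if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message):
    """Return a list of human-readable spear-phishing indicators for one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    indicators = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. Known display name, but the mail really comes from another domain.
    if name in TRUSTED_SENDERS and domain != TRUSTED_SENDERS[name]:
        indicators.append(f"display name '{name}' but sender domain {domain}")

    # 2. Sender domain is a look-alike of a trusted domain.
    trusted = lookalike_of(domain)
    if trusted:
        indicators.append(f"sender domain {domain} looks like {trusted}")

    # 3. Replies are silently redirected to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, raddr = parseaddr(reply_to)
        if raddr.rpartition("@")[2].lower() != domain:
            indicators.append("Reply-To domain differs from From domain")

    # 4. Links in the body point outside the trusted domains.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_DOMAINS:
            indicators.append(f"link to untrusted host {host}")
    return indicators


# Constructed sample messages (not real mail).
SPEAR_PHISH = """From: Alice Example <alice@examp1e.com>
To: bob@example.com
Subject: Urgent wire transfer
Reply-To: alice.example@mail-relay.test

Bob, please process the attached invoice today. Details: http://examp1e.com/invoice
"""

LEGIT = """From: IT Helpdesk <helpdesk@example.com>
To: bob@example.com
Subject: Scheduled maintenance

Systems will be patched on Saturday. Status page: https://example.com/status
"""

if __name__ == "__main__":
    for label, sample in (("spear-phish", SPEAR_PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

Run stand-alone, the script lists four indicators for the constructed spear-phish and none for the legitimate notice. The check is deliberately header-based so it works on the message before anyone opens it; a mail gateway would typically quarantine or banner a message with any of these indicators rather than rely on the recipient noticing.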

Distributed DoS attacks

Distributed DoS attacks (DDoS) are a type of cybercrime attack that cybercriminals use to bring down a system or network. Sometimes connected IoT (Internet of Things) devices are used to launch DDoS attacks.
A DDoS attack overwhelms a system by using one of the standard communication protocols it uses to spam the system with connection requests.
Cybercriminals who are carrying out cyberextortion may use the threat of a DDoS attack to demand money. Alternatively, a DDoS may be used as a distraction tactic while another type of cybercrime takes place.
A famous example of this type of attack is the 2017 DDoS
attack on the UK National Lottery website. This brought the
lottery’s website and mobile app offline, preventing UK citizens
from playing.
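The flood described above shows up in the target's own logs as a spike in connection requests per time window; what distinguishes a DDoS from a plain DoS is that the requests are spread over many source addresses instead of one. The following Python script is an added example (not from the lecture notes or the sources they draw on) of the detection side: it groups constructed access-log lines into 10-second windows, counts requests per source address, and labels a window "dos" when one source accounts for most of a flood and "ddoS" when the flood is spread across many sources. The log format, the thresholds and the 198.51.100.x / 203.0.113.x addresses (documentation ranges) are assumptions for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 10        # tumbling window size (assumed)
TOTAL_THRESHOLD = 30       # requests per window that count as a flood (assumed)
SINGLE_SOURCE_SHARE = 0.5  # one source above this share of a flood -> plain DoS


def build_sample_log():
    """Constructed access-log lines ("<ISO time> <client IP> <request>"):
    light normal traffic, then a 40-request burst from 20 distinct hosts
    inside the 10:00:20 window, simulating a DDoS."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(6):   # normal: three clients, two requests each, spread out
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 198.51.100.{i % 3 + 1} GET /index.html")
    for i in range(40):  # burst: twenty 203.0.113.x hosts, two requests each
        t = base + timedelta(seconds=20 + i % 5)
        lines.append(f"{t.isoformat()} 203.0.113.{i % 20 + 1} GET /login")
    return lines


def parse(line):
    """Split one log line into (timestamp, client IP)."""
    ts, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def window_counts(lines):
    """Group requests into tumbling windows: {window_start: Counter(ip)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip = parse(line)
        start = ts.replace(microsecond=0)
        start -= timedelta(seconds=start.second % WINDOW_SECONDS)
        buckets[start][ip] += 1
    return buckets


def classify(counter):
    """'normal' below the flood threshold; otherwise 'dos' if a single source
    dominates, 'ddos' if the requests are spread across many sources."""
    total = sum(counter.values())
    if total < TOTAL_THRESHOLD:
        return "normal"
    _top_ip, top_n = counter.most_common(1)[0]
    return "dos" if top_n / total >= SINGLE_SOURCE_SHARE else "ddos"


def detect(lines):
    """Return [(window_start, total_requests, distinct_sources, verdict)]
    for every window that is not normal."""
    alerts = []
    for start, counter in sorted(window_counts(lines).items()):
        verdict = classify(counter)
        if verdict != "normal":
            alerts.append((start, sum(counter.values()), len(counter), verdict))
    return alerts


if __name__ == "__main__":
    for start, total, sources, verdict in detect(build_sample_log()):
        print(f"{start.isoformat()} {total} requests from {sources} sources: {verdict}")
```

On the constructed log the only flagged window is 10:00:20 (40 requests from 20 sources, verdict "ddos"). The verdict matters for the response: a single dominant source can simply be blocked at the firewall, whereas a distributed flood needs rate limiting or upstream filtering, since blocking addresses one by one does not keep up.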

How to protect yourself against cybercrime

So, now you understand the threat cybercrime represents, what are the best ways to protect your computer and your personal data? Here are our top tips:
Keep software and operating system updated

Keeping your software and operating system up to date ensures that you benefit from the latest security patches to protect your computer.
Use anti-virus software and keep it updated

Using anti-virus or a comprehensive internet security solution like Kaspersky Total Security is a smart way to protect your system from attacks.
Anti-virus software allows you to scan, detect and remove threats before they become a problem. Having this protection in place helps to protect your computer and your data from cybercrime, giving you peace of mind.
If you use anti-virus software, make sure you keep it updated to get the best level of protection.
Use strong passwords

Be sure to use strong passwords that people will not guess and
do not record them anywhere. Or use a reputable password
manager to generate strong passwords randomly to make this
easier.
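What "strong" and "randomly generated" mean in practice can be made concrete. The following Python script is an added example (not from the lecture notes or the sources they draw on): it generates a password from the operating system's cryptographic random source via the secrets module (never the random module, whose output is predictable), guarantees every character class is present, estimates the password's entropy in bits from the character classes it uses, and rejects anything on a blocklist of common passwords. The character classes, the 60-bit minimum and the tiny blocklist are assumptions for the illustration; a real deployment would check against a large breached-password list.

```python
import math
import secrets
import string

# Character classes the generator draws from (assumed; symbols kept to a
# set most sites accept).
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+",
]
# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def generate_password(length=16):
    """Random password from the OS CSPRNG, with at least one character
    from every class so the estimated entropy is always the full pool."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so class positions are not predictable
    return "".join(chars)


def entropy_bits(password):
    """Upper-bound entropy estimate: log2(pool size) per character, where the
    pool is the union of the character classes actually present. A word from
    a dictionary has far less real entropy than this estimate suggests, which
    is why the blocklist check below is applied as well."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_strong(password, min_bits=60):
    """Reject blocklisted or low-entropy passwords."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return entropy_bits(password) >= min_bits


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, round(entropy_bits(pw), 1), "bits, strong:", is_strong(pw))
    print("password", round(entropy_bits("password"), 1), "bits, strong:",
          is_strong("password"))
```

A 16-character password over the 76-symbol pool scores just under 100 bits, while an all-lowercase 8-character word scores about 38 bits before the blocklist even applies. The point of the tip stands: a generator like this only helps when the result is stored in a password manager rather than remembered or written down.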
Never open attachments in spam emails

A classic way that computers get infected by malware attacks and other forms of cybercrime is via email attachments in spam emails. Never open an attachment from a sender you do not know.
Lecture 3
The legal Perspective

Emerging Trends of Cyber Law

Reports reveal that upcoming years will experience more cyber-attacks. So organizations are advised to strengthen their data supply chains with better inspection methods.
Some of the emerging trends of cyber law are listed below −
Stringent regulatory rules are put in place by many countries to
prevent unauthorized access to networks. Such acts are declared
as penal offences.
Stakeholders of the mobile companies will call upon the
governments of the world to reinforce cyber-legal systems and
administrations to regulate the emerging mobile threats and
crimes.
The growing awareness on privacy is another upcoming trend.
Google’s chief internet expert Vint Cerf has stated that privacy
may actually be an anomaly.
Cloud computing is another major growing trend. With more
advancements in the technology, huge volumes of data will flow
into the cloud which is not completely immune to cyber-crimes.
The growth of Bitcoins and other virtual currency is yet another
trend to watch out for. Bitcoin crimes are likely to multiply in
the near future.
The arrival and acceptance of data analytics, which is another
major trend to be followed, requires that appropriate attention is
given to issues concerning Big Data.
Create Awareness

While the U.S. government has declared October as the National Cybersecurity Awareness month, India is following the trend to implement some stringent awareness scheme for the general public.
The general public is partially aware of the crimes related
to virus transfer. However, they are unaware of the bigger
picture of the threats that could affect their cyber-lives. There is
a huge lack of knowledge on e-commerce and online banking
cyber-crimes among most of the internet users.
Be vigilant and follow the tips given below while you
participate in online activities −
Filter the visibility of personal information in social sites.
Do not keep the "remember password" button active for any email address and passwords.
Make sure your online banking platform is secure.
Keep a watchful eye while shopping online.
Do not save passwords on mobile devices.
Secure the login details for mobile devices and computers, etc.
Areas of Development

The "Cyberlaw Trends in India 2013" and "Cyber law Developments in India in 2014" are two prominent and trustworthy cyber-law related research works provided by Perry4Law Organization (P4LO) for the years 2013 and 2014.
There are some grave cyber law related issues that deserve
immediate consideration by the government of India. The issues
were put forward by the Indian cyber law roundup of 2014
provided by P4LO and Cyber Crimes Investigation Centre of
India (CCICI). Following are some major issues −
A better cyber law and effective cyber-crimes prevention
strategy
Cyber-crimes investigation training requirements
Formulation of dedicated encryption laws
Legal adoption of cloud computing
Formulation and implementation of e-mail policy
Legal issues of online payments
Legality of online gambling and online pharmacies
Legality of Bitcoins
Framework for blocking websites
Regulation of mobile applications
With the formation of cyber-law compulsions, the obligation of
banks for cyber-thefts and cyber-crimes would considerably
increase in the near future. Indian banks would require to keep
a dedicated team of cyber law experts or seek help of external
experts in this regard.
The transactions of cyber-insurance should be increased by the
Indian insurance sector as a consequence of the increasing
cyber-attacks and cyber-crimes.
International Network on Cybersecurity
To create an international network on cybersecurity, a
conference was held in March 2014 in New Delhi, India.
The objectives set in the International Conference on Cyberlaw
& Cybercrime are as follows −
To recognize the developing trends in Cyberlaw and the
legislation impacting cyberspace in the current situation.
To generate better awareness to battle the latest kinds of
cybercrimes impacting all investors in the digital and mobile
network.
Lecture 4
Indian Perspective on cyber crime

To design and implement a secure cyberspace, some stringent strategies have been put in place. This chapter explains the major strategies employed to ensure cybersecurity, which include the following −
Creating a Secure Cyber Ecosystem
Creating an Assurance Framework
Encouraging Open Standards
Strengthening the Regulatory Framework
Creating Mechanisms for IT Security
Securing E-governance Services
Protecting Critical Information Infrastructure

Strategy 1 − Creating a Secure Cyber Ecosystem

The cyber ecosystem involves a wide range of varied entities like devices (communication technologies and computers), individuals, governments, private organizations, etc., which interact with each other for numerous reasons.
This strategy explores the idea of having a strong and robust
cyber-ecosystem where the cyber-devices can work with each
other in the future to prevent cyber-attacks, reduce their
effectiveness, or find solutions to recover from a cyber-attack.
Such a cyber-ecosystem would have the ability built into its
cyber devices to permit secured ways of action to be organized
within and among groups of devices. This cyber-ecosystem can
be supervised by present monitoring techniques where software
products are used to detect and report security weaknesses.
A strong cyber-ecosystem has three symbiotic structures
− Automation, Interoperability, and Authentication.
Automation − It eases the implementation of advanced security
measures, enhances the swiftness, and optimizes the
decision-making processes.
Interoperability − It toughens the collaborative actions,
improves awareness, and accelerates the learning procedure.
There are three types of interoperability −
Semantic (i.e., shared lexicon based on common understanding)
Technical
Policy − Important in assimilating different contributors into an
inclusive cyber-defense structure.
Authentication − It improves the identification and verification
technologies that work in order to provide −
Security
Affordability
Ease of use and administration
Scalability
Interoperability
Comparison of Attacks
The following table shows the Comparison of Attack Categories against Desired
Cyber Ecosystem Capabilities −
Types of Attacks
The following table describes the attack categories −

Attack Category: Attrition
Description: Methods used to damage networks and systems. It includes the following −
• distributed denial of service attacks
• impair or deny access to a service or application
• resource depletion attacks

Attack Category: Malware
Description: Any malicious software used to interrupt normal computer operation and harm information assets without the owner's consent. Any execution from a removable device can enhance the threat of malware.

Attack Category: Hacking
Description: An attempt to intentionally exploit weaknesses to get unethical access, usually conducted remotely. It may include −
• data-leakage attacks
• injection attacks and abuse of functionality
• spoofing
• time-state attacks
• buffer and data structure attacks
• resource manipulation
• stolen credentials usage
• backdoors
• dictionary attacks on passwords
• exploitation of authentication

Attack Category: Social Tactics
Description: Using social tactics such as deception and manipulation to acquire access to data, systems or controls. It includes −
• pre-texting (forged surveys)
• inciting phishing
• retrieving of information through conversation

Attack Category: Improper Usage (Insider Threat)
Description: Misuse of rights to data and controls by an individual in an organization that would violate the organization's policies. It includes −
• installation of unauthorized software
• removal of sensitive data

Attack Category: Physical Action/Loss or Theft of Equipment
Description: Human-driven attacks such as −
• stolen identity tokens and credit cards
• fiddling with or replacing card readers and point of sale terminals
• interfering with sensors
• theft of a computing device used by the organization, such as a laptop

Attack Category: Multiple Component
Description: Single attack techniques that contain several advanced attack techniques and components.

Attack Category: Other
Description: Attacks such as −
• supply chain attacks
• network investigation

Strategy 2 − Creating an Assurance Framework
The objective of this strategy is to design an outline in
compliance with the global security standards through
traditional products, processes, people, and technology.
To cater to the national security requirements, a national
framework known as the Cybersecurity Assurance
Framework was developed. It accommodates critical
infrastructure organizations and the governments through
"Enabling and Endorsing" actions.
Enabling actions are performed by government entities that are
autonomous bodies free from commercial interests. The
publication of "National Security Policy Compliance
Requirements" and IT security guidelines and documents to
enable IT security implementation and compliance are done by
these authorities.
Endorsing actions are involved in profitable services after
meeting the obligatory qualification standards and they include
the following −
ISO 27001/BS 7799 ISMS certification, IS system audits etc.,
which are essentially the compliance certifications.
'Common Criteria' standard ISO 15408 and Crypto module
verification standards, which are the IT Security product
evaluation and certification.
Services to assist consumers in implementation of IT security
such as IT security manpower training.
Trusted Company Certification

Indian IT/ITES/BPOs need to comply with the international standards and best practices on security and privacy with the development of the outsourcing market. ISO 9000, CMM, Six Sigma, Total Quality Management, ISO 27001 etc., are some of the certifications.
Existing models such as SEI CMM levels are exclusively meant
for software development processes and do not address security
issues. Therefore, several efforts are made to create a model
based on self-certification concept and on the lines of Software
Capability Maturity Model (SW-CMM) of CMU, USA.
The structure that has been produced through such association between industry and government comprises the following −
standards
guidelines
practices
These parameters help the owners and operators of critical
infrastructure to manage cybersecurity-related risks.

Strategy 3 − Encouraging Open Standards

Standards play a significant role in defining how we approach information security related issues across geographical regions and societies. Open standards are encouraged to −
Enhance the efficiency of key processes,
Enable systems incorporations,
Provide a medium for users to measure new products or
services,
Organize the approach to arrange new technologies or business
models,
Interpret complex environments, and
Endorse economic growth.
Standards such as ISO 27001[3] encourage the implementation
of a standard organization structure, where customers can
understand processes, and reduce the costs of auditing.

Strategy 4 − Strengthening the Regulatory Framework

The objective of this strategy is to create a secure cyberspace ecosystem and strengthen the regulatory framework. A 24×7 mechanism has been envisioned to deal with cyber threats through the National Critical Information Infrastructure Protection Centre (NCIIPC). The Computer Emergency Response Team (CERT-In) has been designated to act as a nodal agency for crisis management.
Some highlights of this strategy are as follows −
Promotion of research and development in cybersecurity.
Developing human resource through education and training
programs.
Encouraging all organizations, whether public or private, to
designate a person to serve as Chief Information Security
Officer (CISO) who will be responsible for cybersecurity
initiatives.
Indian Armed Forces are in the process of establishing a
cyber-command as a part of strengthening the cybersecurity of
defense network and installations.
Effective implementation of public-private partnership is in
pipeline that will go a long way in creating solutions to the
ever-changing threat landscape.

Strategy 5 − Creating Mechanisms for IT Security

Some basic mechanisms that are in place for ensuring IT security are − link-oriented security measures, end-to-end security measures, association-oriented measures, and data encryption. These methods differ in their internal application features and also in the attributes of the security they provide. Let us discuss them in brief.
Link-Oriented Measures
It delivers security while transferring data between two nodes,
irrespective of the eventual source and destination of the data.
End-to-End Measures
It is a medium for transporting Protocol Data Units (PDUs) in a
protected manner from source to destination in such a way that
disruption of any of their communication links does not violate
security.
Association-Oriented Measures
Association-oriented measures are a modified set of end-to-end
measures that protect every association individually.
Data Encryption
It defines some general features of conventional ciphers and the
recently developed class of public-key ciphers. It encodes
information in a way that only the authorized personnel can
decrypt them.
Strategy 6 − Securing E-Governance Services
Electronic governance (e-governance) is the most treasured
instrument with the government to provide public services in an
accountable manner. Unfortunately, in the current scenario,
there is no devoted legal structure for e-governance in India.
Similarly, there is no law for obligatory e-delivery of public
services in India. And nothing is more hazardous and
troublesome than executing e-governance projects without
sufficient cybersecurity. Hence, securing the e-governance
services has become a crucial task, especially when the nation
is making daily transactions through cards.
Fortunately, the Reserve Bank of India has implemented
security and risk mitigation measures for card transactions in
India enforceable from 1st October, 2013. It has put the
responsibility of ensuring secured card transactions upon banks
rather than on customers.
"E-government" or electronic government refers to the use of
Information and Communication Technologies (ICTs) by
government bodies for the following −
Efficient delivery of public services
Refining internal efficiency
Easy information exchange among citizens, organizations, and
government bodies
Re-structuring of administrative processes.

Strategy 7 − Protecting Critical Information Infrastructure
Critical information infrastructure is the backbone of a
country’s national and economic security. It includes power
plants, highways, bridges, chemical plants, networks, as well as
the buildings where millions of people work every day. These
can be secured with stringent collaboration plans and
disciplined implementations.
Safeguarding critical infrastructure against developing
cyber-threats needs a structured approach. It is required that the
government aggressively collaborates with public and private
sectors on a regular basis to prevent, respond to, and coordinate
mitigation efforts against attempted disruptions and adverse
impacts to the nation’s critical infrastructure.
The government is also expected to work with business owners
and operators to reinforce their services and groups by sharing
cyber and other threat information.
A common platform should be shared with the users to submit
comments and ideas, which can be worked together to build a
tougher foundation for securing and protecting critical
infrastructures.
The government of the USA passed an executive order,
"Improving Critical Infrastructure Cybersecurity", in 2013 that
prioritizes the management of cybersecurity risk involved in the
delivery of critical infrastructure services. The resulting
Framework provides a common classification and mechanism for
organizations to −
Describe their existing cybersecurity posture,
Define their objectives for cybersecurity,
Identify and prioritize opportunities for improvement within the
context of a continuous process, and
Communicate with all stakeholders about cybersecurity.
Lecture 5
Indian ITA 2000
As discussed in the first chapter, the Government of India
enacted the Information Technology (I.T.) Act with some major
objectives to deliver and facilitate lawful electronic, digital, and
online transactions, and mitigate cyber-crimes.

Salient Features of I.T Act
The salient features of the I.T Act are as follows −
Digital signature has been replaced with electronic signature to
make it a more technology neutral act.
It elaborates on offenses, penalties, and breaches.
It outlines the Justice Dispensation Systems for cyber-crimes.
It defines in a new section that cyber café is any facility from
where the access to the internet is offered by any person in the
ordinary course of business to the members of the public.
It provides for the constitution of the Cyber Regulations
Advisory Committee.
It is based on The Indian Penal Code, 1860, The Indian
Evidence Act, 1872, The Bankers' Books Evidence Act, 1891,
The Reserve Bank of India Act, 1934, etc.
It adds a provision to Section 81, which states that the
provisions of the Act shall have overriding effect. The
provision states that nothing contained in the Act shall restrict
any person from exercising any right conferred under the
Copyright Act, 1957.
Scheme of I.T Act
The following points define the scheme of the I.T. Act −
The I.T. Act contains 13 chapters and 90 sections.
The last four sections, namely sections 91 to 94 of the I.T. Act
2000, which dealt with the amendments to the Indian Penal Code
1860, the Indian Evidence Act 1872, the Bankers' Books Evidence
Act 1891 and the Reserve Bank of India Act 1934, have been deleted.
It commences with the preliminary aspects in Chapter 1, which
deals with the short title, extent, commencement and
application of the Act in Section 1. Section 2 provides
definitions.
Chapter 2 deals with the authentication of electronic records,
digital signatures, electronic signatures, etc.

Chapter 11 deals with offences and penalties. A series of
offences have been provided along with punishment in this part
of the Act.
Thereafter, the provisions about due diligence, the role of
intermediaries and some miscellaneous provisions are stated.
The Act is embedded with two schedules. The First Schedule
deals with Documents or Transactions to which the Act shall
not apply. The Second Schedule deals with electronic signature
or electronic authentication technique and procedure. The Third
and Fourth Schedule are omitted.
Application of the I.T Act
As per the sub clause (4) of Section 1, nothing in this Act shall
apply to documents or transactions specified in First Schedule.
Following are the documents or transactions to which the Act
shall not apply −
Negotiable Instrument (Other than a cheque) as defined in
section 13 of the Negotiable Instruments Act, 1881;
A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act,
1882;
A trust as defined in section 3 of the Indian Trusts Act, 1882;
A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925
including any other testamentary disposition;
Any contract for the sale or conveyance of immovable property or any
interest in such property;
Any such class of documents or transactions as may be notified by the
Central Government.

Amendments Brought in the I.T Act
The I.T. Act has brought amendments in four statutes vide
sections 91-94. These changes have been provided in schedules
1-4.
The first schedule contains the amendments in the Penal
Code. It has widened the scope of the term "document" to bring
within its ambit electronic documents.
The second schedule deals with amendments to the Indian
Evidence Act. It pertains to the inclusion of electronic
documents in the definition of evidence.
The third schedule amends the Banker's Books Evidence
Act. This amendment brings about change in the definition of
"Banker's-book". It includes printouts of data stored in a floppy,
disc, tape or any other form of electromagnetic data storage
device. Similar change has been brought about in the
expression "Certified-copy" to include such printouts within its
purview.
The fourth schedule amends the Reserve Bank of India Act. It
pertains to the regulation of fund transfer through electronic
means between the banks or between the banks and other
financial institution.

Intermediary Liability
Intermediary, dealing with any specific electronic records, is a
person who on behalf of another person accepts, stores or
transmits that record or provides any service with respect to that
record.
According to the above mentioned definition, it includes the
following −
Telecom service providers
Network service providers
Internet service providers
Web-hosting service providers
Search engines
Online payment sites
Online auction sites

Highlights of the Amended Act
The newly amended act came with the following highlights −
It stresses privacy issues and highlights information security.
It elaborates on digital signatures.
It clarifies reasonable security practices for corporates.
It focuses on the role of intermediaries.
New categories of cyber crime were added.
Lecture 6
Global Perspective on Cyber crimes.
1. August 4, 2006 Announcement: The US Senate ratifies the CoE
Convention on Cyber Crime. The convention targets hackers,
those spreading destructive computer viruses, those using the
Internet for the sexual exploitation of children or the distribution
of racist material, and terrorists attempting to attack
infrastructure facilities or financial institutions. The Convention
is in full accord with all the US constitutional protections, such
as free speech and other civil liberties, and will require no
change to US laws.
2. On August 18, 2006, a news article was published: "ISPs
Wary About 'Drastic Obligations' on Web Site Blocking."
European Union (EU) officials want to debar suspicious
websites as part of a 6-point plan to boost joint anti-terrorism
activities. They want to block websites that incite terrorist action.
Once again it is underlined that monitoring calls, Internet and
E-Mail traffic for law enforcement purposes is a task vested in
the government, which must reimburse carriers and providers
for retaining the data.
3. The CoE Cyber Crime Convention (1997−2001) was the first
international treaty seeking to address Internet crimes by
harmonizing national laws, improving investigative techniques
and increasing cooperation among nations. More than 40
countries have ratified the Convention to date.
One wonders what the role of the business/private sector is in
taking up measures to prevent cyber crime, and what its
responsibilities and role are with respect to the ownership of
information and communication infrastructures. Effective
security requires an in-depth understanding of the various
aspects of information and communication networks.
Therefore the private sector's expertise should be increasingly
involved in the development and implementation of a country's
cyber security strategy.
Cybercrime and the Extended Enterprise
It is a continuing problem that the average user is not adequately
educated to understand the threats and how to protect oneself.
Actually, it is the responsibility of each user to become aware of
the threats as well as the opportunities that "connectivity" and
"mobility" presents them with. In this context, it is important to
understand the concept of "extended enterprise." This term
(Figure 1) represents the concept that a company is made up not
just of its employees, its board members and executives, but also
its business partners, its suppliers and even its customers. The
extended enterprise can only be successful if all of the
component groups and individuals have the information they
need in order to do business effectively. An extended enterprise
is a "loosely coupled, self-organizing network" of firms that
combine their economic output to provide "products and
services" offerings to the market. Firms in the extended
enterprise may operate independently, for example through
market mechanisms, or cooperatively through agreements and
contracts.
Seamless flow of "information" to support instantaneous
"decision-making ability" is crucial for the "extended enterprise."
This becomes possible through "interconnectedness". Due to
the interconnected nature of information and communication
technologies, security overall can only be fully promoted when
users have full awareness of the existing threats and dangers.
Governments, businesses and the international community must,
therefore, proactively help users access information on how to
protect themselves.
Given the promises and challenges in the extended enterprise
scenario, organizations in the international community have a
special role in sharing information on good practices, and
creating open and accessible enterprise information flow
channels for exchanging ideas in a collaborative manner.
International cooperation at the levels of government, industry,
consumer, business and technical groups to allow a global and
coordinated approach to achieving global cyber security is the
key.
LECTURE 7
Introduction, Proliferation of Mobile and Wireless Devices
Today, incredible advances are being made for mobile devices.
The trend is for smaller devices and more processing power. A
few years ago, the choice was between a wireless phone and a
simple PDA. Now the buyers have a choice between high-end
PDAs with integrated wireless modems and small phones with
wireless Web-browsing capabilities. A long list of options is
available to the mobile users. A simple hand-held mobile device
provides enough computing power to run small applications,
play games and music, and make voice calls. A key driver for
the growth of mobile technology is the rapid growth of business
solutions into hand-held devices.
As the term "mobile device" includes many products, we first
provide a clear distinction among the key terms: mobile
computing, wireless computing and hand-held devices. The figure
below helps us understand how these terms are related. Let us
understand the concept of mobile computing and the various
types of devices.
Mobile computing is "taking a computer and all necessary files
and software out into the field." Many types of mobile
computers have been introduced since the 1990s. They are as
follows:
1. Portable computer: It is a general-purpose computer that
can be easily moved from one place to another, but cannot be
used while in transit, usually because it requires some
"setting-up" and an AC power source.
2. Tablet PC: It lacks a keyboard, is shaped like a slate or a
paper notebook and has features of a touchscreen with a stylus
and handwriting recognition software. Tablets may not be best
suited for applications requiring a physical keyboard for typing,
but are otherwise capable of carrying out most tasks that an
ordinary laptop would be able to perform.
3. Internet tablet: It is the Internet appliance in tablet form.
Unlike a Tablet PC, the Internet tablet does not have much
computing power and its applications suite is limited. Also it
cannot replace a general-purpose computer. The Internet tablets
typically feature an MP3 and video player, a Web browser, a
chat application and a picture viewer.
4. Personal digital assistant (PDA): It is a small, usually
pocket-sized, computer with limited functionality. It is intended
to supplement and synchronize with a desktop computer, giving
access to contacts, address book, notes, E-Mail and other
features.
5. Ultramobile PC: It is a full-featured, PDA-sized computer
running a general-purpose operating system (OS).
6. Smartphone: It is a PDA with integrated cell phone
functionality. Current Smartphones have a wide range of
features and installable applications.
7. Carputer: It is a computing device installed in an
automobile. It operates as a wireless computer, sound system,
global positioning system (GPS) and DVD player. It also
contains word processing software and is Bluetooth compatible.
8. Fly Fusion Pentop computer: It is a computing device with
the size and shape of a pen. It functions as a writing utensil,
MP3 player, language translator, digital storage device and
calculator.
Lecture 8
Security Challenges Posed by Mobile Devices
Mobility brings two main challenges to cybersecurity: first, on
the hand-held devices, information is being taken outside the
physically controlled environment and, second, remote access
back to the protected environment is being granted. The
perceptions of organizations regarding these cybersecurity
challenges are important in devising appropriate security
operating procedures. When people are asked what is important
in managing a diverse range of mobile devices, they seem to be
thinking of the ones shown in the figure below.
As the number of mobile device users increases, two challenges
are presented: one at the device level called "micro challenges"
and another at the organizational level called
"macro-challenges."
Some well-known technical challenges in mobile security are:
managing registry settings and configurations, authentication
service security, cryptography security, Lightweight Directory
Access Protocol (LDAP) security, remote access server (RAS)
security, media player control security, networking application
program interface (API) security, etc.
Challenges to Physical Security
Mobile devices are small, lightweight, and convenient –
especially for thieves and pickpockets. Even laptops with
moderate form factors, tablets, or notepad computers are easy
enough to steal.

And if your desktop isn’t protected by a password, lock screen,
or biometrics, it’s a straightforward matter for anyone who gets
their hands on your device to gain unauthorized access to a
treasure trove of confidential data, intellectual property,
software, and messaging functionality. With weak passwords
relatively easy to guess or hack, thieves may hijack your email
or other accounts, giving them the ability to extend their haul to
the data and assets you may have resident in the cloud.
Remote data wiping facilities are often available to the
administrators of corporate BYOD (Bring Your Own Device)
and mobile device management (MDM) schemes – but even
here, the security benefit on a stolen device is only as good as
the data shredding algorithm used by the wiping tool. There’s
software readily available out there for forensic data retrieval –
the kinds of tools that are a lifesaver in cases where crucial files
were mistakenly scrubbed or a power surge causes file
corruption, but which are also a valued asset for cyber-criminals
wishing to reconstruct data from poorly deleted files.

Managing Diversity and Proliferation of Hand-Held Devices
Cybersecurity is always a primary concern; even then, at times,
there is still some short-sightedness. Most organizations fail to
see the long-term significance of keeping track of who owns
what kind of mobile devices. Mobile devices of employees
should be registered in the corporate asset register irrespective of
whether or not the devices have been provided by the
organization. In addition, close monitoring of these devices is
required in terms of their usage. When an employee leaves, it is
important to remove his/her logical as well as physical access to
corporate resources because employees (for malicious or other
reasons) could be using their mobile devices to connect into the
corporate networks. Thus, mobile devices that belong to the
company should be returned to the IT department and, at the
very least, should be deactivated and cleansed.
In addition, employees should be encouraged to register with the
IT department any devices they use for themselves, so that
access can be provisioned in a controlled manner and
de-provisioned appropriately when the employee leaves.
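The register-then-deprovision procedure described above, as an added example written in Python for this page (it is not code from the lecture notes or from any product). The device IDs, employee names, resource names such as "vpn" and "email", and the three-day return deadline are all constructed for the illustration; the point it demonstrates is that off-boarding is one operation over the register, not a per-device memory exercise, and that unreturned corporate devices surface in an overdue report.

```python
"""Mobile-device asset register with controlled provisioning and off-boarding.

Added example, not from the lecture notes. Every hand-held device an employee
uses, corporate-issued or personal (BYOD), is recorded with its owner and the
corporate resources it may reach. Off-boarding revokes all logical access in
one step; corporate devices additionally get a return/deactivate/wipe action
with a due date, and overdue() lists what has not come back.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

CORPORATE, BYOD = "corporate", "byod"


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str                                  # CORPORATE or BYOD
    access: Set[str] = field(default_factory=set)   # resources reachable, e.g. "vpn"
    status: str = "active"                          # active | return_pending | returned_wiped | deprovisioned
    due_back: Optional[date] = None


class AssetRegister:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def register(self, device_id: str, owner: str, ownership: str) -> Device:
        """Record a device before any access is granted, whoever paid for it."""
        if ownership not in (CORPORATE, BYOD):
            raise ValueError(f"unknown ownership {ownership!r}")
        if device_id in self.devices:
            raise ValueError(f"{device_id} is already registered")
        self.devices[device_id] = Device(device_id, owner, ownership)
        return self.devices[device_id]

    def grant(self, device_id: str, resource: str) -> None:
        """Provision access only to a registered, active device."""
        device = self.devices[device_id]            # KeyError for unregistered devices
        if device.status != "active":
            raise PermissionError(f"{device_id} is {device.status}; cannot grant access")
        device.access.add(resource)

    def offboard(self, employee: str, today: date, return_days: int = 3) -> List[str]:
        """Revoke logical access on every device of a leaver; corporate devices
        must be returned, deactivated and wiped by a due date (constructed: 3 days)."""
        actions: List[str] = []
        for device in self.devices.values():
            if device.owner != employee or device.status != "active":
                continue
            device.access.clear()                   # logical access goes first, for both kinds
            if device.ownership == CORPORATE:
                device.status = "return_pending"
                device.due_back = today + timedelta(days=return_days)
                actions.append(f"{device.device_id}: access revoked; return, deactivate and wipe by {device.due_back}")
            else:
                device.status = "deprovisioned"
                actions.append(f"{device.device_id}: BYOD access de-provisioned")
        return actions

    def mark_returned_and_wiped(self, device_id: str) -> None:
        device = self.devices[device_id]
        if device.status != "return_pending":
            raise ValueError(f"{device_id} is not awaiting return")
        device.status = "returned_wiped"
        device.due_back = None

    def overdue(self, today: date) -> List[str]:
        """Corporate devices past their return date: the ones most likely forgotten."""
        return sorted(d.device_id for d in self.devices.values()
                      if d.status == "return_pending" and d.due_back is not None and d.due_back < today)

    def access_of(self, employee: str) -> Dict[str, List[str]]:
        return {d.device_id: sorted(d.access)
                for d in self.devices.values() if d.owner == employee and d.access}


def run_demo() -> dict:
    """Constructed walk-through: Alice leaves on 2024-03-01, Bob stays."""
    reg = AssetRegister()
    reg.register("lap-0001", "alice", CORPORATE)
    reg.register("phone-alice", "alice", BYOD)
    reg.register("phone-0007", "bob", CORPORATE)
    for dev in ("lap-0001", "phone-alice", "phone-0007"):
        reg.grant(dev, "vpn")
        reg.grant(dev, "email")
    actions = reg.offboard("alice", date(2024, 3, 1))
    overdue_before = reg.overdue(date(2024, 3, 10))   # laptop not back after the deadline
    reg.mark_returned_and_wiped("lap-0001")
    return {
        "actions": actions,
        "overdue_before_return": overdue_before,
        "overdue_after_return": reg.overdue(date(2024, 3, 10)),
        "alice_access": reg.access_of("alice"),
        "bob_access": reg.access_of("bob"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that grant() refuses to provision a device that is not in the register, which is the control that makes the register worth maintaining: an unknown device cannot quietly acquire access that nobody will later think to revoke.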
Younger workers are pushing many enterprises to embrace
mobility solutions. These younger workers prefer instant/text
messaging instead of E-Mail, and frequently use social
networking services such as Facebook, Myspace and Twitter.
They often prefer to use personal, consumer-oriented devices
(both laptops and mobile devices) in the work environment, and
adapt quickly to new technology. In contrast, older workers are
found to be slow to accept mobility solutions and rely almost
entirely on voice communications and E-Mail. These older
workers often do not see the benefit of instant messaging and
social networking. Interestingly, at the same time these older
workers are often found to be on the seat that provides authority
and control for staffing and budget, and they can therefore
greatly influence mobility policy. These different points of view
between younger and older workers have created a mobility
generational gap. Older workers sometimes see younger workers
as being "spoiled" whereas younger workers sometimes see
older workers as a barrier to progress.

Unconventional/Stealth Storage Devices
We would like to emphasize the widening spectrum of mobile
devices and focus on secondary storage devices, such as
compact disks (CDs) and Universal Serial Bus (USB) drives
(also called zip drives or memory sticks) used by employees. As
the technology advances, the devices continue to decrease in
size and emerge in new shapes and sizes; the
unconventional/stealth storage devices available nowadays are
difficult to detect and have become a prime challenge for
organizational security. It is advisable to prohibit employees
from using these devices.
Firewalls and antivirus software are no defense against the
threat of open USB ports. Not only can viruses, worms and
Trojans get into the organization's network, they can also
destroy valuable data on it. The organization has to have a
policy in place to block these ports while issuing the asset to
the employee. However, sometimes the standard access controls
of the Windows OS do not allow the assignment of permissions
for USB ports, and restricting these devices becomes next to
impossible. Disgruntled employees can connect a USB drive,
small digital camera or MP3 player to the USB port of any
unattended computer and will be able to download confidential
data or upload harmful viruses. As the malicious attack is
launched from within the organization, firewalls and antivirus
software are not alerted.
Using the "DeviceLock" software solution, one can control
unauthorized access to plug-and-play devices. The features of
the software allow the system administrator to:
1. Monitor which users or groups can access USB ports, Wi-Fi
and Bluetooth adapters, CD read-only memories (CD-ROMs) and
other removable devices.
2. Control access to devices depending on the time of the day
and the day of the week.
3. Create a whitelist of USB devices, which allows you to
authorize only specific devices that will not be locked
regardless of any other settings.
4. Set devices in read-only mode.
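A policy evaluator that models the four controls in the list above, as an added example written for this page in Python; it is not DeviceLock's code or API. The device-class names, group names, user names, vendor/product/serial values and the office-hours window are all constructed for the illustration; in a real deployment the device identity would come from the operating system's plug-and-play notification. It shows the order of evaluation that matters for this kind of control: whitelist first (overrides everything), then the strongest grant among the user's groups whose time window is in effect, then read-only enforcement, with default deny when nothing matches.

```python
"""Removable-device access policy (added example; not DeviceLock's code or API).

Models the four controls: per-group device-class grants, time-of-day and
day-of-week windows, a USB whitelist that overrides every other setting,
and read-only mode. Every decision is recorded for audit.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

USB, WIFI, BLUETOOTH, CDROM = "usb", "wifi", "bluetooth", "cdrom"  # device classes


@dataclass(frozen=True)
class UsbIdentity:           # vendor ID, product ID and serial identify one stick
    vendor_id: str
    product_id: str
    serial: str


@dataclass
class TimeWindow:            # weekdays 0=Mon..6=Sun, hours in [start_hour, end_hour)
    weekdays: Set[int]
    start_hour: int
    end_hour: int

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass
class GroupPolicy:
    allowed_classes: Set[str]                            # classes the group may use
    read_only_classes: Set[str] = field(default_factory=set)
    window: Optional[TimeWindow] = None                  # None means any time


@dataclass
class DevicePolicy:
    groups: Dict[str, GroupPolicy]                       # group -> policy
    membership: Dict[str, Set[str]]                      # user -> groups
    whitelist: Set[UsbIdentity] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

    def decide(self, user: str, device_class: str, when: datetime,
               usb_identity: Optional[UsbIdentity] = None, write: bool = False) -> Tuple[bool, str]:
        """Return (allowed, reason); anything not explicitly granted is denied."""
        # Whitelisted USB devices are authorized regardless of any other setting.
        if device_class == USB and usb_identity is not None and usb_identity in self.whitelist:
            return self._record(user, device_class, True, "whitelisted device")
        best = None  # strongest grant found so far: None, "read" or "write"
        for group in sorted(self.membership.get(user, set())):
            policy = self.groups.get(group)
            if policy is None or device_class not in policy.allowed_classes:
                continue
            if policy.window is not None and not policy.window.contains(when):
                continue                                 # grant not in effect right now
            level = "read" if device_class in policy.read_only_classes else "write"
            if best is None or level == "write":
                best = level
        if best is None:
            return self._record(user, device_class, False, "no grant in effect (default deny)")
        if write and best == "read":
            return self._record(user, device_class, False, "device is read-only for this user")
        return self._record(user, device_class, True, f"{best} access granted")

    def _record(self, user: str, device_class: str, allowed: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append(f"{user} {device_class} {'ALLOW' if allowed else 'DENY'}: {reason}")
        return allowed, reason


def build_demo_policy() -> DevicePolicy:
    """Constructed policy: staff get read-only USB in office hours, admins get everything."""
    office_hours = TimeWindow(weekdays={0, 1, 2, 3, 4}, start_hour=9, end_hour=18)
    return DevicePolicy(
        groups={"staff": GroupPolicy({USB, CDROM}, read_only_classes={USB}, window=office_hours),
                "admins": GroupPolicy({USB, WIFI, BLUETOOTH, CDROM})},
        membership={"alice": {"staff"}, "bob": {"admins"}, "carol": set()},
        whitelist={UsbIdentity("0781", "5583", "SN-CORP-0001")},   # constructed corporate stick
    )


def run_demo() -> Dict[str, bool]:
    """Six constructed requests; returns request name -> allowed."""
    policy = build_demo_policy()
    tuesday = datetime(2024, 1, 2, 10, 30)                        # inside office hours
    sunday = datetime(2024, 1, 7, 10, 30)                         # outside the window
    corp_stick = UsbIdentity("0781", "5583", "SN-CORP-0001")
    personal = UsbIdentity("abcd", "1234", "SN-PERSONAL")
    return {
        "staff_usb_read_office_hours": policy.decide("alice", USB, tuesday, personal)[0],
        "staff_usb_write_office_hours": policy.decide("alice", USB, tuesday, personal, write=True)[0],
        "staff_usb_sunday": policy.decide("alice", USB, sunday, personal)[0],
        "staff_whitelisted_sunday": policy.decide("alice", USB, sunday, corp_stick, write=True)[0],
        "admin_bluetooth_anytime": policy.decide("bob", BLUETOOTH, sunday, write=True)[0],
        "unassigned_user_usb": policy.decide("carol", USB, tuesday, personal)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The audit list is the part an administrator will actually use: a denied write on a read-only port at an odd hour is exactly the event that should be reviewed, and a policy engine that does not record its own denials cannot support the monitoring the text calls for.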
Lecture 9
Service Security
With the advent of the cloud, there is absolutely nothing about
your IT infrastructure that other people or companies cannot do
for you. More and more companies are relying on services, such
as Amazon AWS, to get the computing and storage resources
they need to run their websites and applications. Others rely on
hypervisors and other technologies to get high-level APIs from
online services, or get an entire platform complete with
operating systems, middleware, servers, and databases from a
third-party provider. Still others rely on third-party providers for
software and applications. The whole as-a-service environment
has made it faster, easier, and more affordable for companies to
get their IT demands fulfilled without having to come up with
their own infrastructure or invest in developing, maintaining,
and creating these resources. Over time, we have seen just about
anything being offered as a service. From backends to content,
logging, disaster recovery, and storage, services have taken over.
Today, it’s even possible to have security delivered as a service.
A DEFINITION OF SECURITY AS A SERVICE
Security as a service (SECaaS) is an outsourced service wherein
an outside company handles and manages your security. At its
most basic, the simplest example of security as a service is using
anti-virus software over the Internet. With security as a
service, security solutions are no longer delivered locally, where
your IT department installs virus protection software, spam
filtering software, and other security tools on each machine or
on the network or server in your workplace, keeping the
software up-to-date or telling them to use it. The old way of
doing things is also expensive; you have upfront costs for
hardware as well as continuing costs for licenses to allow you to
use the software. Instead, security as a service allows you to use
the same tools using only a web browser, making it direct and
affordable.
BENEFITS OF SECURITY AS A SERVICE
There are a lot of advantages to using a security as a service
offering. These include:
1. You work with the latest and most updated security tools
available. For anti-virus tools to be effective and useful, they
need to work with the latest virus definitions, allowing them to
stomp out threats, even the newest ones. With security as a
service, you’re always using tools that are updated with the
latest threats and options. This means no more worrying that
your users are not updating their anti-virus software and keeping
other software up to date to ensure the latest security patches are
in use. The same case goes for updating and maintaining spam
filters.

2. You get the best security people working for you. IT security
experts are at your beck and call, and they may have more
experience and a better skillset than anybody on your IT team.

3. Faster provisioning. The beauty of as-a-service offerings is
that you can give your users access to these tools instantly.
SECaaS offerings are provided on demand, so you can scale up
or down as the need arises, and you can do so with speed and
agility.
4. You get to focus on what's more important for your
organization. Using a web interface or having access to a
management dashboard can make it easier for your own IT team
to administer and control security processes within the
organization.
5. Makes in-house management simpler. If you have protected
data, it is not enough to just keep it secure. You should know
when a user accesses this data when he or she does not have any
legitimate business reason to access it.
6. Save on costs. You do not have to buy hardware or pay for
software licenses. Instead, you can replace the upfront capital
with variable operating expense, usually at a discounted rate
compared to the upfront costs.
EXAMPLES OF SECURITY AS A SERVICE OFFERINGS
Security as a service encompasses security software that is
delivered on the cloud, as well as in-house security management
that is offered by a third party. Some of the solutions that you
can avail touch on several categories, as outlined by the Cloud
Security Alliance:
• Disaster recovery and business continuity. Tools that help you
make sure that your IT and operations are back in no time when
disaster strikes.
• Continuous monitoring. Tools that allow you to manage risks
continually by monitoring the security processes that are in
place.
• Data loss prevention. Tools that protect, monitor, and verify
the security of all of your data, whether they are in storage or in
use.
• Email security. Protects your business from phishing, spam,
and malicious attachments.
• Encryption. Makes your data unreadable unless it is decrypted
with the correct cryptographic key.
• Identity and access management. Provides authentication,
access intelligence, identity verification and user management
tools.
• Intrusion management. Detects unusual events and behaviors
using pattern recognition technology. These tools not only
detect intrusions; they also help you manage them.
• Network security. Tools and services that help you manage
network access and distribute, protect, and monitor network
services.
• Security assessment. Audits the current security measures you
have in place to see if these are compliant with industry
standards.
• Security information and event management. Tools that
aggregate log and event information, which can be analyzed in
real time to help you detect possible anomalies and intrusion.
• Vulnerability scanning. Detects any vulnerability in your
network or IT infrastructure.
• Web security. Gives you protection for online applications that
are accessed by the public in real time.
WHAT TO LOOK FOR IN SECAAS PROVIDERS
If you’re thinking about utilizing the services of a SECaaS
provider, there are a few important things to look for:
1. Interoperable.
Avoid vendor lock-in and have more flexibility by making sure
that the solutions you choose have no interoperability issues.

2. Low TCO.
The total cost of ownership (TCO) is a good criterion in
choosing a SECaaS provider. Read the fine print and be sure
that you get the language right, or else you might end up paying
more with your chosen package than a similar one with a
nominally higher advertised rate.

3. Reporting.
Your chosen solutions should have a reporting mechanism that
would allow you to see major security events, attack logs, and
other important data. While the primary benefit of SECaaS is
having a third party to manage the full security picture, you still
want the visibility option.
Security as a Service is becoming an increasingly popular option
among enterprises and SMBs alike. The growing adoption of
SECaaS is driven by a shortage of security resources, including
qualified infosec professionals as well as skills and tools as a
whole, coupled with the ever-expanding threat landscape. For
many companies today, the idea of outsourcing the management,
implementation, and oversight of the complex realm of security
simply makes sense, and it’s proving a cost-effective investment
for companies that take advantage of it.
Lecture 10
Attacks on Mobile/Cell Phones, Mobile Devices
Below are some of the most common types of wireless and
mobile device attacks:
SMiShing :
SMiShing has become common now that smartphones are widely
used. SMiShing uses the Short Message Service (SMS) to send
fraudulent text messages or links. The criminals cheat the user
by calling. Victims may provide sensitive information such as
credit card information, account information, etc. Accessing a
website might result in the user unknowingly downloading
malware that infects the device.

War driving :
War driving is a way used by attackers to find access points
wherever they can be found. With the availability of free Wi-Fi
connections, they can drive around and obtain a very large
amount of information over a very short period of time.

WEP attack :
Wired Equivalent Privacy (WEP) is a security protocol that
attempted to provide a wireless local area network with the same
level of security as a wired LAN. Since physical security steps
help to protect a wired LAN, WEP attempts to provide similar
protection for data transmitted over WLAN with encryption.

WEP uses a key for encryption. There is no provision for key
management with Wired Equivalent Privacy, so the number of
people sharing the key will continually grow. Since everyone is
using the same key, the criminal has access to a large amount of
traffic for analytic attacks.
WPA attack :
Wi-Fi Protected Access (WPA) and then WPA2 came out as
improved protocols to replace WEP. WPA2 does not have the
same encryption problems because an attacker cannot recover
the key by observing traffic. WPA2 is still susceptible to attack
because cyber criminals can analyze the packets going between
the access point and an authorized user.

Bluejacking :
Bluejacking is used for sending unauthorized messages to
another Bluetooth device. Bluetooth is a high-speed but very
short-range wireless technology for exchanging data between
desktop and mobile computers and other devices.

Replay attacks :
In a replay attack, an attacker eavesdrops on information being
sent between a sender and a receiver. Once the attacker has
captured the information, he or she can intercept it and
retransmit it again, thus leading to some delay in data
transmission. It is also known as a playback attack.
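A receiver-side check that defeats the replayed message described above, added here as an illustration in Python (it is not code from the lecture notes). The sender puts a fresh random nonce and a timestamp into every message and authenticates the whole envelope with HMAC-SHA256 under a shared key; the receiver verifies the MAC, enforces a freshness window, and refuses any nonce it has already accepted. The shared key, the 30-second window, the message payloads and the timestamps are all constructed for the example.

```python
"""Replay detection on an authenticated message channel.

Added example, not from the lecture notes. A retransmitted copy of a genuine
message carries a valid MAC, so MAC verification alone does not stop it; the
receiver also has to remember which nonces it has accepted within the
freshness window. Key, window and payloads are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # constructed shared secret
FRESHNESS_WINDOW = 30                                # seconds tolerated between send and receipt


def _canonical(body: Dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, payload: str, now: int, nonce: Optional[str] = None) -> Dict:
    """Sender side: payload + random nonce + timestamp, then HMAC-SHA256 over all of it."""
    body = {"payload": payload, "nonce": nonce or os.urandom(16).hex(), "ts": now}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class ReplayGuard:
    """Receiver side: verify the MAC, enforce freshness, remember accepted nonces."""

    def __init__(self, key: bytes, window: int = FRESHNESS_WINDOW) -> None:
        self.key = key
        self.window = window
        self.seen: Dict[str, int] = {}               # nonce -> timestamp of accepted message

    def accept(self, msg: Dict, now: int) -> Tuple[bool, str]:
        body = msg.get("body", {})
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"                  # forged or tampered envelope
        if abs(now - int(body.get("ts", 0))) > self.window:
            return False, "stale"                    # too old (or a clock far out of step)
        self._forget_expired(now)
        nonce = str(body.get("nonce", ""))
        if nonce in self.seen:
            return False, "replay"                   # same authenticated message seen before
        self.seen[nonce] = int(body["ts"])
        return True, "ok"

    def _forget_expired(self, now: int) -> None:
        # A nonce older than the window is rejected by the stale check anyway,
        # so dropping it keeps the cache bounded without weakening the check.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}


def run_demo() -> Dict[str, str]:
    """Constructed exchange: one genuine delivery, then three bad ones."""
    t0 = 1_700_000_000
    guard = ReplayGuard(SHARED_KEY)
    msg = build_message(SHARED_KEY, "transfer 100 to acct 42", t0, nonce="deadbeef" * 4)

    first = guard.accept(msg, t0 + 1)                                   # genuine delivery
    replayed = guard.accept(msg, t0 + 5)                                # same bytes sent again
    tampered = {"body": dict(msg["body"], payload="transfer 999 to acct 42"), "mac": msg["mac"]}
    forged = guard.accept(tampered, t0 + 2)                             # payload changed, MAC not
    old = build_message(SHARED_KEY, "ping", t0 - 3600)                  # captured an hour earlier
    stale = guard.accept(old, t0 + 2)
    return {"first": first[1], "replayed": replayed[1], "tampered": forged[1], "stale": stale[1]}


if __name__ == "__main__":
    print(run_demo())
```

The timestamp and the nonce cache work together: the window bounds how long a nonce must be remembered, and the cache catches a copy delivered inside that window, which is the case a timestamp alone cannot distinguish from the original.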

Bluesnarfing :
It occurs when the attacker copies the victim’s information from
his device. An attacker can access information such as the user’s
calendar, contact list, e-mail and text messages without leaving
any evidence of the attack.

RF Jamming :
Wireless signals are susceptible to electromagnetic interference
and radio-frequency interference. Radio frequency (RF)
jamming distorts the transmission of a satellite station so that the
signal does not reach the receiving station.


Concept of Mishing
Mishing is a combination of mobile phone and Phishing.
Mishing attacks are attempted using mobile phone technology.
M-Commerce is fast becoming a part of everyday life. If you
use your mobile phone for purchasing goods/services and for
banking, you could be more vulnerable to a Mishing scam. A
typical Mishing attacker uses a call, termed Vishing, or a text
message (SMS), known as Smishing. The attacker will pretend to
be an employee from your bank or another organization and will
claim a need for your personal details. Attackers are very
creative and they will try to convince you with different
reasons why they need this information from you.

Concept of Vishing
Vishing is the criminal practice of using social engineering over
the telephone system, most often using features facilitated by
VoIP, to gain access to personal and financial information from
the public for the purpose of financial reward. The term is a
combination of V-voice and Phishing. Vishing is usually used to
steal credit card numbers or other related data used in ID theft
schemes from individuals.
The most profitable uses of the information gained through a
Vishing attack include:

 ID theft
 Purchasing luxury goods and services
 Transferring money/funds
 Monitoring the victims' bank accounts
 Making applications for loans and credit cards
How Vishing Works

The criminal can initiate a Vishing attack using a variety of
methods, the choice depending on the information the criminal
has gathered and on the audience the criminal wants to reach.
1. Internet E-Mail: this is the same lure as a Phishing mail.
2. Mobile text messaging.
3. Voicemail: here, the victim is prompted to call the phone number
given in the voicemail after listening to it.
4. Direct phone call: the following steps detail how a
direct phone call works:
The criminal gathers cell/mobile phone numbers located in a
particular region and/or steals cell/mobile phone numbers by
breaking into a legitimate voice messaging company.
The criminal often uses a war dialer to call phone numbers of
people from a specific region, or the numbers from the gathered list.
When the victim answers the call, an automated recorded
message is played to alert the victim that his/her credit card has
had fraudulent activity and/or his/her bank account has had
unusual activity. The message instructs the victim to call one
phone number immediately. The same phone number is often
displayed in the spoofed caller ID, under the name of the
financial company the criminal is pretending to represent.
When the victim calls the provided number, he/she is given
automated instructions to enter his/her credit card number or
bank account details on the phone keypad.
Once the victim enters these details, the criminal (i.e., the visher)
has the necessary information to make fraudulent use of the card
or to access the account.
Such calls are often used to harvest additional details such as
date of birth, credit card expiration date, etc.
Some examples of vished calls, when the victim calls the
provided number after receiving a phished E-Mail and/or after
listening to the voicemail, are as follows:
1. Automated message: Thank you for calling (name of local
bank). Your business is important to us. To help you reach the
correct representative and answer your query fully, please press
the appropriate number on your handset after listening to
options.
Press 1 if you need to check your banking details and live
balance.
Press 2 if you wish to transfer funds.
Press 3 to unlock your online profile.
Press 0 for any other query.
2. Regardless of what the victim enters (i.e., presses the key),
the automated system prompts him to authenticate himself: "The
security of each customer is important to us. To proceed further,
we require that you authenticate your ID before proceeding.
Please type your bank account number, followed by the pound
key."
3. The victim enters his/her bank account number and hears the
next prompt: "Thank you. Now please type your date of birth,
followed by the pound key. For example, for 01 January 1950 press
01011950."
4. The caller enters his/her date of birth and again receives a
prompt from the automated system: "Thank you. Now please
type your PIN, followed by the pound key."
5. The caller enters his PIN and hears one last prompt from the
system: "Thank you. We will now transfer you to the
appropriate representative."
At this stage, the phone call gets disconnected, and the victim
thinks there is something wrong with the telephone line; or the visher
may redirect the victim to the real customer service line, so that the
victim never realizes that his/her authentication details were
captured by the visher.
How to Protect from Vishing Attacks
Be suspicious of all unknown callers.
Do not trust caller ID. It does not guarantee that the call is
really coming from that number, that is, from the individual
and/or company shown; caller ID spoofing is easy.
Be aware and ask questions if someone is asking for your
personal information.
Call them back. If someone is asking you for your personal or
financial information, tell them that you will call them back
immediately to verify whether the company is legitimate. If
someone claims to be calling from a bank and/or credit card
company, call them back using the number printed on your statement
or displayed on the company's official website, not a number the
caller gives you.
Report incidents: report Vishing calls to the nearest cyberpolice
cell with the number and name that appeared on the caller ID as
well as the time of day and the information talked about or heard
in the recorded message.
Concept of Smishing
Smishing is a criminal offense conducted using social
engineering techniques similar to Phishing. The name is derived
from "SMS PhISHING." SMS (Short Message Service) is the
text messaging component predominantly used on
mobile phones.
Smishing uses cell phone text messages to deliver a lure
message that gets the victim to reveal his/her personal information (PI). The popular
technique to "hook" the victim (the method used to actually "capture" the
information) is either to provide a phone number that the victim is
urged to call, or to provide a website URL that the victim is urged to
visit, whereupon the victim is connected
to a bogus website (i.e., a duplicate but fake site created by the
criminal) and submits his/her PI.
Smishing works in a similar pattern to Vishing. A few
examples of Smishing are provided here to demonstrate
how the victim is pressured into disclosing PI.
"We are happy to send our confirmation toward your enrollment
for our 'xxxxxxxxxx Club Membership'. You will be charged
Rs 50/- per day, unless you reconfirm your acceptance of your
membership on our Membership Office Contact no.
XXXXXXX"

"(Name of popular online bank) is confirming that you have
purchased an LCD TV set, worth Rs 90,000/- only, from (name
of popular computer company). Visit www.abcdef.com if you
did not make this online purchase."

How to Protect from Smishing Attacks

Do not answer a text message that asks for your PI. Even if the
message seems to come from your best friend, do not respond,
because he/she may not be the one who actually sent it.
Avoid calling any phone number given in the received
message to cancel a membership and/or confirm a
transaction which you did not initiate. Always call the numbers
printed on the invoice and/or appearing in the bank statements/passbook.
Never click on a hot link received through a message on your
Smartphone or PDA. Hot links are links that you can click,
which take you directly to Internet sites. Smishing
messages may contain hot links that, when clicked,
download Spyware to your phone without your knowledge. Once this
software has been installed, criminals can easily steal any
information that is available on your cell phone and have access
to everything that you do on it.
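The hook patterns described above (a callback number, a link, money language, urgency and a request for personal information) can be checked mechanically before a user acts on a message. The following Python snippet is an added example and is not part of the original lecture notes or of any vendor product; the keyword lists, weights and threshold are assumptions chosen for illustration, and the sample messages are constructed (the phone number is invented and the domain uses a reserved TLD). It also handles the common false positive: a legitimate one-time-password notification contains a six-digit code but asks the reader for nothing, so it must score zero.

```python
import re
from dataclasses import dataclass, field

# Each heuristic mirrors one element of the smishing lure described in the text.
# The patterns, weights and threshold are assumptions for this example.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|in|info)\b", re.I)
# A callback number only counts when the message tells the reader to call it.
CALLBACK_RE = re.compile(r"\b(?:call|dial|contact|ring)\b\D{0,25}(\+?\d[\d\s-]{7,}\d)", re.I)
MONEY_RE = re.compile(
    r"\b(?:rs\.?|inr|usd)\s?\d[\d,]*|\$\d|\b(?:charged|purchased?|payment|refund|debited)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(?:immediately|urgent(?:ly)?|within \d+ (?:hours?|days?|minutes?)|unless|expires?"
    r"|suspend(?:ed)?|locked|last chance)\b", re.I)
# A request for PI: an imperative verb followed, in the same sentence, by a secret.
# A legitimate OTP message ("do not share it") has the secret before the verb, so it does not match.
PI_REQUEST_RE = re.compile(
    r"\b(?:enter|provide|confirm|share|send|reply(?: with)?|verify|update)\b[^.!?]{0,40}?"
    r"\b(?:pin|otp|password|cvv|card number|account number|date of birth|dob)\b", re.I)


@dataclass
class SmsVerdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # threshold is an assumption


def analyse_sms(text: str) -> SmsVerdict:
    """Score one SMS body against the lure heuristics above."""
    verdict = SmsVerdict()
    checks = [
        (URL_RE, 2, "contains a link (website hook)"),
        (CALLBACK_RE, 2, "asks you to call a number (phone hook)"),
        (MONEY_RE, 1, "money or transaction language"),
        (URGENCY_RE, 1, "urgency or threat of penalty"),
        (PI_REQUEST_RE, 2, "asks for personal information"),
    ]
    for pattern, weight, reason in checks:
        if pattern.search(text):
            verdict.score += weight
            verdict.reasons.append(reason)
    return verdict


def triage(messages):
    """Return the subset of messages that should be treated as smishing."""
    return [m for m in messages if analyse_sms(m).suspicious]


# Constructed sample messages modelled on the examples in the text; the phone
# number is invented and the domain uses the reserved ".example" TLD.
SAMPLE_MESSAGES = [
    "We confirm your enrolment for Club Membership. You will be charged "
    "Rs 50/- per day unless you reconfirm on our Membership Office, call 1800123456 immediately.",
    "Your bank confirms you purchased an LCD TV worth Rs 90,000/-. "
    "Visit www.bank-verify.example if you did not make this purchase.",
    "Running 10 min late, see you at the cafe.",
    "Your OTP for transaction 4521 is 883921. Do not share it with anyone.",
    "Your account will be suspended within 24 hours. Reply with your account number and PIN to verify.",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = analyse_sms(m)
        print(f"[{'SMISH' if v.suspicious else ' ok  '}] score={v.score} {v.reasons}")
```

The membership and "unusual purchase" lures score high because they combine a hook (number or link) with money language and urgency, the credential-harvesting message scores on urgency plus a direct request for a PIN, while the friend's note and the genuine OTP notification score zero. Such a filter only narrows the list for a human; the protective advice above (call the number on your statement, never the one in the message) still applies to anything it lets through.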
Lecture 11
Security Implications for Organizations

Managing Diversity and Proliferation of Hand-Held Devices


Cybersecurity is always a primary concern, yet at times there is
still some short-sightedness. Most organizations fail to
see the long-term significance of keeping track of who owns
what kind of mobile device. Employees' mobile devices
should be registered in the corporate asset register irrespective of
whether or not the devices have been provided by the
organization. In addition, close monitoring of these devices is
required in terms of their usage. When an employee leaves, it is
important to remove his/her logical as well as physical access to
corporate resources, because employees (for malicious or other
reasons) could be using their mobile devices to connect into the
corporate networks. Thus, mobile devices that belong to the
company should be returned to the IT department and, at the
very least, should be deactivated and wiped.
In addition, employees should be encouraged to register with the
IT department any devices they use for themselves, so that
access can be provisioned in a controlled manner and
de-provisioned appropriately when the employee leaves.
Younger workers are pushing many enterprises to embrace
mobility solutions. These younger workers prefer instant/text
messaging to E-Mail, and frequently use social
networking services such as Facebook, Myspace and Twitter.
They often prefer to use personal, consumer-oriented devices
(both laptops and mobile devices) in the work environment, and
adapt quickly to new technology. In contrast, older workers are
found to be slow to accept mobility solutions and rely almost
entirely on voice communications and E-Mail. These older
workers often do not see the benefit of instant messaging and
social networking. Interestingly, at the same time these older
workers are often found in the positions that carry authority
and control over staffing and budget, and they can therefore
greatly influence mobility policy. These different points of view
between younger and older workers have created a mobility
generational gap. Older workers sometimes see younger workers
as being "spoiled" whereas younger workers sometimes see
older workers as a barrier to progress.
Unconventional/Stealth Storage Devices
We would like to widen the spectrum of
mobile devices considered and focus on secondary storage devices, such as
compact disks (CDs) and Universal Serial Bus (USB) drives
(also called pen drives, thumb drives or memory sticks) used by employees. As
the technology advances, the devices continue to decrease in
size and emerge in new shapes and sizes;
unconventional/stealth storage devices available nowadays are
difficult to detect and have become a prime challenge for
organizational security. It is advisable to prohibit employees
from using these devices.
Perimeter firewalls are no defense against the threat of open USB
ports, and antivirus software catches only the malware it recognizes.
Not only can viruses, worms and Trojans get into the organization's
network this way, they can also destroy
valuable data on it. The organization has to
have a policy in place to block these ports when issuing the
asset to the employee. However, the standard access
controls in older versions of Windows do not allow the assignment of
permissions on USB ports, so restricting these devices with the
built-in controls alone can be difficult (newer versions add
removable-storage policies through Group Policy, and third-party
device-control software fills the gap). Disgruntled employees can connect a
USB drive/small digital camera/MP3 player to the USB port of any
unattended computer and will be able to copy out confidential
data or introduce malware. As the malicious activity is
launched from within the organization, the perimeter firewall
sees nothing of it.
Using a device-control product such as "DeviceLock", one can control
unauthorized access to plug-and-play devices. The
features of such software allow the system administrator to:
Monitor which users or groups can access USB Ports, Wi-Fi and
Bluetooth adapters, CD read-only memories (CD-ROMs) and
other removable devices.
Control the access to devices depending on the time of the day
and day of the week.
Create the white list of USB devices which allows you to
authorize only specific devices that will not be locked regardless
of any other settings.
Set devices in read-only mode.
Protect disks from accidental or intentional formatting.
Threats through Lost and Stolen Devices and Protecting
Data on Lost Devices
Threats through Lost and Stolen Device

This is a new emerging issue for cybersecurity. Mobile
hand-held devices are often lost while people are on the move, and lost
mobile devices are becoming an ever larger security risk to
corporations.
The cybersecurity threat under this scenario is serious; owing to a
general lack of security in mobile devices, it is often not the
value of the hand-held device that matters but rather the
content which, if lost or stolen, can put a company at serious risk
of sabotage, exploitation or damage to its professional integrity,
since most of the time the mobile hand-held devices are provided
by the organization and hold its data. Most of these lost devices have wireless
access to a corporate network and potentially very little
security, making them a weak link and a major headache for
security administrators.
Protecting Data on Lost Devices
For protecting data that are stored persistently on a device, there
are two precautions that individuals can take to prevent
disclosure of the data stored on a mobile device: (a) encrypting
sensitive data and (b) encrypting the entire file system. Data that
are stored on hard disks in persistent memory or on removable
memory sticks should be protected. There are many third-party
solutions/tools available to protect data on lost devices,
including encrypting the servers on which a database file resides.
There are solutions with which individuals can enforce a
self-destruct (remote wipe) policy to destroy privileged data on a lost device, or
create a database action to delete the data on a user's device
using a suitable tool. Note that a remote wipe can only take effect
if the lost device reconnects to the network; encryption protected
by a strong device passcode guards the data even when it never does.
A key point here is that the organizations should have a clear
policy on how to respond to the loss or theft of a device,
whether it is data storage, a PDA or a laptop. There should be a
method for the device owner to quickly report the loss, and
device owners should be aware of this method. Writing the
emergency contact information on the device itself is unlikely to
be very helpful.
Educating the Laptop Users
Often it so happens that corporate laptop users put
their company's networks at risk by downloading
non-work-related software capable of spreading viruses and
Spyware. This is because the software assets on laptops become
more complex as more applications are used on an increasingly
sophisticated OS with diverse connectivity options.
According to a 2004 survey, some 86% of employees with laptops admitted to
installing software onto their machines when outside the
office, with many using their laptops to access peer-to-peer
websites and download illegal music files and movies.
The survey result quoted in the figure above further
supports this point on cybersecurity threats from corporate
laptop users. However, despite the growth in corporate security
risks resulting from mobile working, the tone of most of the
security-awareness surveys shows that only half of the
companies have tools in place to manage Internet access on
laptops, with only one quarter of businesses physically enforcing
these policies. An important point to be noted is that the policies
and procedures put in place to support laptops have evolved
over the years to cope successfully with managing
laptops, connected by wireless means or otherwise. This shows
how much "role perception" plays a part, in that most people
perceive laptops as greater culprits compared with other
innocuous-looking mobile hand-held devices.
Lecture 12

Organizational Security Policies and Measures in the Mobile
Computing Era, Laptops

Importance of Security Policies relating to Mobile Computing Devices

The proliferation of hand-held devices makes the cybersecurity
issue graver than we would tend to think. People have
grown so used to their hand-helds that they treat them like
wallets! For example, people store more types of
confidential information on mobile computing devices than their
employers or they themselves realize, on the same hand-held devices
they use to listen to music. One should think twice before keeping
credit card and bank account numbers, passwords, confidential
E-Mails, strategic information about the organization, merger or
takeover plans and other valuable information that could
impact stock values on a mobile device. Imagine the business
impact if an employee's USB drive, pluggable drive or laptop was lost
or stolen, revealing sensitive customer data such as credit
reports, social security numbers (SSNs) and contact information.
Not only would this be a public relations (PR) disaster, but it
could also violate laws and regulations. One should give deep
thought to the potential legal troubles for a public company
whose sales reports, employee records or expansion plans may
fall into the wrong hands.
When controls cannot be implemented to protect data in the
event they are stolen, the simplest solution is to prevent users
from storing proprietary information on platforms deemed to be
insufficiently secure. This sort of policy can be difficult to
enforce; however, by increasing the awareness of the user, it can be
reasonably effective. The information classification and handling
policy should clearly define what sorts of data may be stored on
mobile devices. In the absence of other controls, simply not
storing confidential data on at-risk platforms will mitigate the
risk of theft or loss.
Operating Guidelines for Implementing Mobile
Device Security Policies
In situations such as those described above, the ideal solution
would be to prohibit all confidential data from being stored on
mobile devices, but this may not always be practical.
Organizations can, however, reduce the risk that confidential
information will be accessed from lost or stolen mobile devices
through the following steps:
Determine whether the employees in the organization need to
use mobile computing devices at all, based on their risks and
benefits within the organization, industry and regulatory
environment.
Implement additional security technologies, as appropriate to fit
both the organization and the types of devices used. Most (and
perhaps all) mobile computing devices will need to have their
native security augmented with such tools as strong encryption,
device passwords and physical locks. Biometric techniques can
be used for authentication and ease some of the challenges associated
with passwords, but a biometric is an identifier rather than a secret
and cannot be changed if it leaks, so it should complement rather
than replace a device passcode.
Standardize the mobile computing devices and the associated
security tools being used with them. As a matter of fundamental
principle, security deteriorates quickly as the tools and devices
used become increasingly disparate.
Develop a specific framework for using mobile computing
devices, including guidelines for data syncing, the use of
firewalls and anti-malware software and the types of
information that can be stored on them.
Centralize management of your mobile computing devices.
Maintain an inventory so that you know who is using what kinds
of devices.
Establish patching procedures for software on mobile devices.
This can often be simplified by integrating patching with
syncing or patch management with the centralized inventory
database.
Label the devices and register them with a suitable service that
helps return recovered devices to their owners.
Establish procedures to disable remote access for any mobile
devices reported as lost or stolen. Many devices allow the users
to store usernames and passwords for website portals, which
could allow a thief to access even more information than on the
device itself.
Remove data from computing devices that are not in use or
before re-assigning those devices to new owners. This is to
preclude incidents through which people obtain "old" computing
devices that still had confidential company data.
Provide education and awareness training to personnel using
mobile devices. People cannot be expected to appropriately
secure their information if they have not been told how.
Organizational Policies for the Use of Mobile Hand-Held Devices

There are many ways to handle the matter of creating policy for
mobile devices. One way is creating a distinct mobile computing
policy. Another way is including such devices in existing policy.
There are also approaches in between, where mobile devices fall
under both existing policies and a new one. In the hybrid
approach, a new policy is created to address the specific needs
of the mobile devices but more general usage issues fall under
general IT policies. As a part of this approach, the "acceptable
use" policy for other technologies is extended to the mobile
devices. There may not be a need for separate policies for
wireless, LAN, wide area network (WAN), etc. because a
properly written network policy can cover all connections to the
company data, including mobile and wireless.
Companies new to mobile devices may adopt an umbrella
mobile policy, but they find over time that they will need to
modify their policies to match the challenges posed by different
kinds of mobile hand-held devices. For example, wireless
devices pose different challenges than non-wireless ones. Also,
employees who use mobile devices more than 20% of the time
will have different requirements than less-frequent users. It may
happen that over time companies need to create separate
policies for mobile devices on the basis of whether they
connect wirelessly, with distinctions for devices that connect
to WANs and LANs.
It is never too early to start planning for mobile devices, even
when a company, at a given point in time, cannot afford to create
any special security policies to mitigate the threats posed by
mobile computing devices to cyber security. It is, after all, an
issue of new technology adoption for many organizations. By
contemplating its uses, companies may think of ways they can
use it and, perhaps just as important, how their competitors will
use it.
Lecture 13
Cyber Offenses
Faster world-wide connectivity has given rise to numerous
online crimes, and these increased offences led to the need for
laws for protection. In order to keep in stride with the changing
generation, the Indian Parliament passed the Information
Technology Act 2000, which was conceptualized on the
United Nations Commission on International Trade Law
(UNCITRAL) Model Law.
The law defines the offenses in a detailed manner along with the
penalties for each category of offence.

Offences
Cyber offences are illegitimate actions, carried out
in a sophisticated manner, where the computer is either the tool or the target
or both.
Cyber-crime usually includes the following −
Unauthorized access of the computers
Data diddling
Virus/worms attack
Theft of computer system
Hacking
Denial-of-service attacks
Logic bombs
Trojan attacks
Internet time theft
Web jacking
Email bombing
Salami attacks
Physically damaging computer system.
The offences included in the I.T. Act 2000 are as follows −
Tampering with the computer source documents.
Hacking with computer system.
Publishing of information which is obscene in electronic form.
Power of Controller to give directions.
Directions of Controller to a subscriber to extend facilities to
decrypt information.
Protected system.
Penalty for misrepresentation.
Penalty for breach of confidentiality and privacy.
Penalty for publishing Digital Signature Certificate false in
certain particulars.
Publication for fraudulent purpose.
Act to apply to offences or contraventions committed outside
India.
Confiscation.
Penalties or confiscation not to interfere with other punishments.
Power to investigate offences.
Classifications of Cybercrime
Crime is defined as "an act or the commission of an act that is
forbidden, or the omission of a duty that is commanded by a
public law and that makes the offender liable to punishment by
that law".
Cybercrimes are classified as follows:
1. Cybercrime against individual

 Electronic Mail (E-Mail) Spoofing and other online frauds
 Phishing, Spear Phishing and its various other forms such
as Vishing and Smishing
 Spamming
 Cyberdefamation
 Cyberstalking and Harassment
 Computer Sabotage
 Pornographic Offenses
 Password Sniffing
2. Cybercrime against property

 Credit card frauds
 Intellectual property (IP) crimes
 Internet time theft
3. Cybercrime against organization

 Unauthorized accessing of computer
 Password sniffing
 Denial-of-service attacks
 Virus attack/dissemination of viruses
 E-Mail bombing/mail bombs
 Salami attack/Salami technique
 Logic bomb
 Trojan Horse
 Data diddling
 Crimes emanating from Usenet newsgroup
 Industrial spying/industrial espionage
 Computer network intrusions
 Software piracy
4. Cybercrime against Society

 Forgery
 Cyberterrorism
 Web Jacking
5. Crimes emanating from Usenet newsgroups

By its very nature, Usenet groups may carry very offensive,
harmful, inaccurate or otherwise inappropriate material, or in
some cases, postings that have been mislabeled or are deceptive
in another way. Therefore, users are expected to use
caution and common sense and exercise proper judgment when
using Usenet, and to use the service at their own risk.
Lecture 14
How Criminals Plan the Attacks

Criminals use many methods and tools to locate the
vulnerabilities of their target. The target can be an individual
and/or an organization. Criminals plan passive and active
attacks. Active attacks are usually used to alter the system,
whereas passive attacks attempt to gain information about the
target. Active attacks may affect the availability, integrity and
authenticity of data, whereas passive attacks lead to breaches of
confidentiality.
In addition to the active and passive categories, attacks can be
categorized as either inside or outside. An attack originating
and/or attempted within the security perimeter of an
organization is an inside attack. It is usually attempted by an
"insider" who gains access to more resources than expected. An
outside attack originates from a source outside the security
perimeter; it may be attempted by an outsider, or by an insider
who is only indirectly associated with the organization, and it is
typically attempted through the Internet or a remote access connection.
The following phases are involved in planning cybercrime:

1. Reconnaissance (information gathering) is the first phase
and is treated as a passive attack.
2. Scanning and scrutinizing the gathered information for the
validity of the information as well as to identify the
existing vulnerabilities.
3. Launching an attack (gaining and maintaining system
access).


1. Reconnaissance
The literal meaning of "Reconnaissance" is an act of
reconnoitering: exploring, often with the goal of finding
something or somebody (especially to gain information about an
enemy or potential enemy).
In the world of "hacking," the reconnaissance phase begins with
"Footprinting". This is the preparation for the pre-attack phase,
and involves accumulating data about the target's environment
and computer architecture to find ways to intrude into that
environment. Footprinting gives an overview of system
vulnerabilities and provides a judgment about possible
exploitation of those vulnerabilities. The objective of this
preparatory phase is to understand the system, its networking
ports and services, and any other aspects of its security that are
needed for launching the attack.
Thus, an attacker attempts to gather information in two ways:
through passive and active attacks.
2. Passive Attacks
A passive attack involves gathering information about a target
without his/her (the individual's or company's) knowledge. It can be
as simple as watching a building to identify what time
employees enter the premises. However, it is usually
done using Internet searches or by Googling (i.e., searching for the
required information with the help of the Google search engine) an
individual or company to gain information.
Google or Yahoo search: people search to locate information
about employees.
Surfing online community groups like Orkut/Facebook will
prove useful to gain information about an individual.
The organization's website may provide a personnel directory or
information about key employees, for example, contact details,
E-Mail addresses, etc. These can be used in a social engineering
attack to reach the target.
Blogs, newsgroups, press releases, etc. are generally used as
mediums to gain information about the company or employees.
Going through the job postings for particular technical job
profiles can provide information about the type of
technology, that is, servers or infrastructure devices, a company
may be using on its network.
3. Active Attacks
An active attack involves probing the network to discover
individual hosts and to confirm the information (IP addresses,
operating system type and version, and services on the network)
gathered in the passive attack phase. It involves the risk of
detection and is also called "rattling the doorknobs" or "active
reconnaissance."
Active reconnaissance can provide confirmation to an attacker
about the security measures in place, but the process can also
increase the chance of being caught or raise suspicion.
4. Scanning and Scrutinizing Gathered Information
Scanning is the step in which the information gathered about the
target is examined intelligently. The objectives of scanning are as
follows:
Port scanning: identify open/closed ports and services.
Network scanning: understand IP addresses and related
information about the computer network systems.
Vulnerability scanning: understand the existing weaknesses in
the system.
The scrutinizing phase is usually called "enumeration" in the
hacking world. The objective behind this step is to identify:
The valid user accounts or groups;
Network resources and/or shared resources;
The OS and the different applications that are running on it.
5. Attack (Gaining and Maintaining System Access)
After scanning and enumeration, the attack is launched using
the following steps:
Crack the password
Exploit the cracked password to gain access
Execute the malicious commands/applications
Hide the files (if required)
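The scanning and enumeration steps above are what a port scanner such as nmap automates. The following Python example is added here and is not part of the lecture notes; it shows the mechanics of a TCP connect scan with banner grabbing against a constructed target. It starts a throw-away listener on the loopback interface that greets clients with an invented SSH-style banner, then scans a window of ports around it and reports which are open and what they said. Every probe completes a full TCP handshake, so the target's logs record it, which is exactly the detection risk the text attributes to active reconnaissance; run it only against systems you are authorized to test.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5):
    """TCP connect scan of one port. A completed three-way handshake means the
    port is open; refusal or timeout means closed/filtered. Services that speak
    first (SSH, SMTP, FTP) give away a banner, which is the enumeration step."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except OSError:            # no greeting within the timeout
                banner = ""
        return port, "open", banner
    except OSError:                    # ConnectionRefusedError / timeout
        return port, "closed", ""


def scan(host: str, ports, workers: int = 32) -> dict:
    """Probe the ports concurrently and return {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, state, banner in results if state == "open"}


def start_fake_service(banner: bytes = b"SSH-2.0-OpenSSH_9.0 constructed-demo\r\n"):
    """Constructed target: an ephemeral loopback listener that greets every
    client with an invented banner, as a real SSH daemon would.
    Returns (stop_event, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)                # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, port


def demo():
    """Scan a window of ports around the fake service; return (port, findings)."""
    stop, port = start_fake_service()
    try:
        findings = scan("127.0.0.1", range(port - 10, port + 11))
    finally:
        stop.set()
    return port, findings


if __name__ == "__main__":
    target_port, findings = demo()
    for p, b in sorted(findings.items()):
        print(f"{p}/tcp open  banner={b!r}")
```

The banner is what turns a port number into an enumerated service and version, which is the input to the vulnerability scanning step. Because a connect scan leaves a complete connection in the target's logs, real tools offer stealthier probe types (for example half-open SYN scans), but the information they are after is the same.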
Lecture 15
Social Engineering

Social engineering is the "technique to influence" and
"persuasion to deceive" people to obtain information or get them to
perform some action. Social engineers exploit the natural
tendency of a person to trust the social engineer's word, rather than
exploiting computer security holes. It is generally agreed that
people are the weak link in security, and this principle makes
social engineering possible. A social engineer usually uses
telecommunication (i.e., telephone and/or cell phone) or the Internet
to get people to do something that is against the security practices
and/or policies of the organization.
Social engineering involves gaining sensitive information or
unauthorized access privileges by building inappropriate trust
relationships with insiders. It is the art of exploiting the trust that
people extend in ordinary conversation without questioning it.
The goal of a social engineer is to fool someone into providing
valuable information or access to that information. The social
engineer studies human behavior: people help because of the
desire to be helpful, the tendency to trust people,
and the fear of getting into trouble. The sign of a truly successful
social engineer is that they receive the information without raising any
suspicion.
A simple example is calling a user and pretending to be
someone from the service desk working on a network issue; the
attacker then proceeds to ask questions about what the user is
working on, what file shares he/she uses, what his/her password
is, and so on.
A. Human-Based Social Engineering
Human-based social engineering refers to person-to-person
interaction to get the required/desired information. An example
is calling the help desk and trying to find out a password.
1. Impersonating an employee or valid user: "Impersonation"
(e.g., posing as an employee of the same organization) is
perhaps the most widely used technique of social engineers to
deceive people. Social engineers "take advantage" of the fact
that most people are basically helpful, so it seems harmless to
tell someone who appears to be lost where the computer room is
located, or to let someone into the building who "forgot" his/her
badge, etc., or they simply pretend to be an employee or valid user on the
system.
2. Posing as an important user: The attacker pretends to be an
important user, for example, a Chief Executive Officer (CEO)
or high-level manager who needs immediate assistance to gain
access to a system. The attacker uses intimidation so that a
lower-level employee such as a help-desk worker will help him/her
in gaining access to the system. Most low-level
employees will not question someone who appears to
be in a position of authority.
3. Using a third person: An attacker pretends to have
permission from an authorized source to use a system. This trick
is useful when the supposed authorizing person is on vacation
or cannot be contacted for verification.
4. Calling technical support: Calling the technical support for
assistance is a classic social engineering example. Help-desk
and technical support personnel are trained to help users, which
makes them good prey for social engineering attacks.
5. Shoulder surfing: It is a technique of gathering information
such as usernames and passwords by watching over a person's
shoulder while he/she logs into the system, thereby helping an
attacker to gain access to the system.
6. Dumpster diving: It involves looking in the trash for
information written on pieces of paper or computer printouts.

B. Computer-Based Social Engineering
Computer-based social engineering refers to an attempt to get
the required/desired information by using computer software or
the Internet, for example, sending a fake E-Mail to the user and
asking him/her to re-enter a password in a web page to confirm
it.
1. Fake E-Mails: The attacker sends fake E-Mails to numerous
users in such a way that the user takes them for legitimate mail.
This activity is also called "Phishing". It is an attempt to entice
Internet users (netizens) to reveal sensitive personal
information, such as usernames, passwords and credit card
details, by impersonating a trustworthy and legitimate
organization and/or individual. Banks, financial institutions and
payment gateways are the common targets. Phishing is typically
carried out through E-Mails or instant messaging and often
directs users to enter details at a website, usually designed by
the attacker to mimic the look and feel of the original website.
Thus, Phishing is also an example of a social engineering
technique used to fool netizens. The term "Phishing" has
evolved from the analogy that Internet scammers use E-Mail
lures to "fish" for passwords and financial data from the sea of
Internet users (i.e., netizens).
2. E-Mail attachments: E-Mail attachments are used to send
malicious code (e.g., a keylogger utility to capture passwords)
to a victim's system, where it gets executed automatically once
the attachment is opened. Viruses, Trojans and worms can be
cleverly packaged in attachments crafted to entice a victim to
open them.
3. Pop-up windows: Pop-up windows are also used, in a similar
manner to E-Mail attachments. Pop-up windows with special
offers or free stuff can encourage a user to unintentionally
install malicious software.
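The indicators just described (a lure that displays the legitimate organization's address while linking elsewhere, and look-alike sites) can be checked mechanically on the receiving side. The following is an added example and is not part of the original lecture notes: it parses a constructed HTML E-Mail body, pairs each link's visible text with its real target, and reports the mismatches. The sample message, the host names and the trusted-host set are all constructed for illustration.

```python
"""Flag phishing indicators in the links of an HTML E-Mail body.

Added example: the message, hosts and trusted-host set below are
constructed for illustration; nothing here comes from a real mail.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure: the visible text shows the bank's real address while
# the href points to a look-alike host over plain HTTP.
SAMPLE_HTML = """
<p>Dear customer, please confirm your details at
<a href="http://secure-login.example-bank.co.example/verify">https://www.example-bank.example/login</a>
or read <a href="https://www.example-bank.example/help">our help page</a>.</p>
"""

# Hosts the organization actually uses (constructed for the example).
TRUSTED_HOSTS = {"www.example-bank.example", "example-bank.example"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x' text is treated as a URL."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def link_indicators(href, text, trusted):
    """Return the list of phishing indicators found for one link."""
    reasons = []
    target = host_of(href)
    # 1. Visible text that looks like a URL but leads somewhere else.
    if text.startswith(("http://", "https://", "www.")) and host_of(text) != target:
        reasons.append("displayed URL host differs from link target")
    # 2. Target host is not one the organization is known to use.
    if target not in trusted:
        reasons.append("target host not in trusted set")
    # 3. Credential pages should never be reached over plain HTTP.
    if urlsplit(href).scheme == "http":
        reasons.append("link is not HTTPS")
    return reasons


def scan_email(html, trusted=TRUSTED_HOSTS):
    """Return [(href, reasons)] for every link with at least one indicator."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = link_indicators(href, text, trusted)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The check relies on an explicit list of hosts the organization really uses; a mail gateway would additionally compare the target host against known brand names, but the display-versus-target mismatch alone already catches the classic lure in the sample.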
Lecture 16
Cyber stalking

The dictionary meaning of "stalking" is an "act or process of
following prey stealthily - trying to approach somebody or
something." Cyberstalking has been defined as the use of
information and communications technology, particularly the
Internet, by an individual or group of individuals to harass
another individual, group of individuals, or organization. The
behavior includes false accusations, monitoring, transmission of
threats, ID theft, damage to data or equipment, solicitation of
minors for sexual purposes, and gathering information for
harassment purposes.
Cyberstalking refers to the use of the Internet and/or other
electronic communication devices to stalk another person. It
involves harassing or threatening behavior that an individual
conducts repeatedly. As the Internet has become an integral
part of our personal and professional lives, cyberstalkers take
advantage of the ease of communication and the increased access
to personal information available with a few mouse clicks or
keystrokes.
A. Types of Stalkers
There are primarily two types of stalkers.
1. Online stalkers: They aim to start the interaction with the
victim directly with the help of the Internet. E-Mail and chat
rooms are the most popular communication media for getting
connected with the victim, rather than traditional instruments
such as the telephone/cell phone. The stalker makes sure that
the victim recognizes the attack attempted on him/her. The
stalker can make use of a third party to harass the victim.
2. Offline stalkers: The stalker may begin the attack using
traditional methods such as following the victim, watching the
victim's daily routine, etc. Searching message
boards/newsgroups, personal websites, and people-finding
services or websites are the most common ways to gather
information about the victim using the Internet. The victim is
not aware that the Internet has been used to perpetuate an attack
against them.
B. Case Reported on Cyberstalking
The majority of cyberstalkers are men and the majority of their
victims are women. Some cases also have been reported where
women act as cyberstalkers and men as the victims, as well as
cases of same-sex cyberstalking. In many cases, the
cyberstalker and the victim had a prior relationship, and the
cyberstalking begins when the victim attempts to break off the
relationship - for example, ex-lover, ex-spouse, boss/subordinate,
and neighbor. However, there also have been many instances of
cyberstalking by strangers.
C. How Stalking Works
It is seen that stalking works in the following ways:
1. Personal information gathering about the victim: name;
family background; contact details such as cell phone and
telephone numbers (of residence as well as office); address of
residence as well as of the office; E-Mail address; date of birth,
etc.
2. Establishing contact with the victim through telephone/cell
phone. Once the contact is established, the stalker may make
calls to the victim to threaten/harass.
3. Stalkers will almost always establish contact with the victims
through E-Mail. The letters may have a loving or threatening
tone or can be sexually explicit. The stalker may use multiple
names while contacting the victim.
4. Some stalkers keep on sending repeated E-Mails asking for
various kinds of favors or threatening the victim.
5. The stalker may post the victim's personal information on any
website related to illicit services such as sex-workers' services or
dating services, posing as if the victim has posted the
information, and invite people to call the victim on the given
contact details (telephone numbers/cell phone numbers/E-Mail
address) for sexual services. The stalker will use bad and/or
offensive/attractive language to invite the interested persons.
6. Whosoever comes across the information starts calling the
victim on the given contact details (telephone/cell phone nos),
asking for sexual services or relationships.
7. Some stalkers subscribe/register the E-Mail account of the
victim to innumerable pornographic and sex sites, because of
which the victim will start receiving such unsolicited E-Mails.
Lecture 17
Cyber cafe and Cybercrimes

In a February 2009 Nielsen survey on the profile of cybercafe
users in India, it was found that 90% of the audience, across
eight cities and 3,500 cafes, were male and in the age group of
15-35 years; 52% were graduates and postgraduates, though
almost over 50% were students. Hence, it is extremely important
to understand the IT security and governance practiced in the
cybercafes.
In the past several years, many instances have been reported in
India, where cybercafes are known to be used for either real or
false terrorist communication. Cybercrimes such as stealing of
bank passwords and subsequent fraudulent withdrawal of money
have also happened through cybercafes. Cybercafes have also
been used regularly for sending obscene mails to harass people.
Public computers, usually referring to the systems available in
cybercafes, carry two types of risk. First, we do not know what
programs are installed on the computer - that is, the risk of
malicious programs such as keyloggers or Spyware, which
may be running in the background and can capture keystrokes
to learn passwords and other confidential information and/or
monitor browsing behavior. Second, over-the-shoulder peeping
(i.e., shoulder surfing) can enable others to find out your
passwords. Therefore, one has to be extremely careful about
protecting his/her privacy on such systems, as one does not
know who will use the computer after him/her.
Indian Information Technology Act (ITA) 2000 does not define
cybercafes and interprets cybercafes as "network service
providers" referred to under the erstwhile Section 79 , which
imposed on them a responsibility for "due diligence" failing
which they would be liable for the offenses committed in their
network. The concept of "due diligence" was interpreted from
the various provisions in cyber cafe regulations where available
or normal responsibilities were expected from network service
providers.
Cyber criminals prefer cybercafes to carry out their activities.
The criminals tend to identify one particular personal computer
(PC) to prepare it for their use. Cyber criminals will visit these
cafes at a particular time and with a set frequency, maybe on
alternate days or twice a week.
A recent survey conducted in one of the metropolitan cities in
India reveals the following facts:
1. Pirated software such as the OS, browser and office
automation software (e.g., Microsoft Office) is installed on all
the computers.
2. Antivirus software is found not to be updated to the latest
patch and/or antivirus signature.
3. Several cybercafes had installed the software called "Deep
Freeze" for protecting the computers from prospective malware
attacks.
4. An annual maintenance contract (AMC) is found not to be in
place for servicing the computers; hence, hard disks of the
computers are not formatted unless the computer is down. Not
having an AMC is a risk from the cybercrime perspective
because a cybercriminal can install Malicious Code on a
computer and conduct criminal activities without any
interruption.
5. Pornographic websites and other similar websites with
indecent content are not blocked.
6. Cybercafe owners have very little awareness of IT Security
and IT Governance.
7. Government/ISPs/State Police (cyber cell wing) do not seem
to provide IT Governance guidelines to cybercafe owners.
8. The cybercafe association or State Police (cyber cell wing) do
not seem to conduct periodic visits to cybercafes - one of the
cybercafe owners whom we interviewed expressed the view that
the police will not visit a cybercafe unless criminal activity is
registered by filing a First Information Report (FIR). Cybercafe
owners feel that the police have very little knowledge about
the technical aspects involved in cybercrimes and/or about the
conceptual understanding of IT security.
There are thousands of cybercafes across India. In the event that
a central agency takes up the responsibility for monitoring
cybercafes, an individual should take care while visiting and/or
operating from cybercafe.
Here are a few tips for safety and security while using the
computer in a cybercafe:
1. Always logout: While checking E-Mails or logging into
chatting services such as instant messaging or using any other
service that requires a username and a password, always click
"logout" or "sign out" before leaving the system. Simply closing
the browser window is not enough, because if somebody uses
the same service after you then one can get easy access to
your account. Also, do not save your login information
through options that allow automatic login. Disable such options
before logon.
2. Stay with the computer: While surfing/browsing, one should
not leave the system unattended for any period of time. If one
has to go out, logout and close all browser windows.
3. Clear history and temporary files: Internet Explorer saves
pages that you have visited in the history folder and in
temporary Internet files. Your passwords may also be stored in
the browser if that option has been enabled on the computer that
you have used. Therefore, before you begin browsing, do the
following in the case of the browser Internet Explorer:
Go to Tools → Internet options → click the Content
tab → click AutoComplete. If the checkboxes for passwords
are selected, deselect them. Click OK twice.
After you have finished browsing, you should clear the history
and temporary Internet files folders. For this, go to
Tools → Internet options again → click the General
tab → go to Temporary Internet Files → click Delete Files
and then click Delete Cookies.
Then, under History, click Clear History. Wait for the process to
finish before leaving the computer.
4. Be alert: One has to stay alert and aware of the
surroundings while using a public computer. Snooping over the
shoulder is an easy way of getting your username and password.
5. Avoid online financial transactions: Ideally one should
avoid online banking, shopping or other transactions that require
one to provide personal, confidential and sensitive information
such as credit card or bank account details. In case of urgency
one has to do it; however, one should take the precaution of
changing all the passwords as soon as possible. One should
change the passwords using a more trusted computer, such as at
home and/or in office.
6. Change password
7. Virtual keyboard: Nowadays almost every bank provides a
virtual keyboard on its website.
8. Security warnings: One should take utmost care while
accessing the websites of any banks/financial institution.
Individuals should take care while accessing computers in public
places, that is, accessing the Internet in public places such as
hotels, libraries and holiday resorts. Moreover, one should not
forget that whatever is applicable to cybercafes (i.e., from the
information security perspective) is also true of all other public
places where the Internet is made available. Hence, one should
follow all tips about safety and security while operating the
systems from these facilities.
Lecture 18
Botnets: The Fuel for Cybercrime

The dictionary meaning of Bot is "(computing) an automated
program for doing some particular task, often over a network."
Botnet is a term used for a collection of software robots, or Bots,
that run autonomously and automatically. The term is often
associated with malicious software but can also refer to a
network of computers using distributed computing software.
In simple terms, a Bot is simply an automated computer
program. An attacker can gain control of your computer by
infecting it with a virus or other Malicious Code that gives
the access. Your computer system may be part of a Botnet even
though it appears to be operating normally. Botnets are often
used to conduct a range of activities, from distributing Spam and
viruses to conducting denial-of-service (DoS) attacks.
A Botnet (also called a zombie network) is a network of
computers infected with a malicious program that allows
cybercriminals to control the infected machines remotely
without the users' knowledge. "Zombie networks" have become
a source of income for entire groups of cybercriminals. The
invariably low cost of maintaining a Botnet and the
ever-diminishing degree of knowledge required to manage one
are conducive to the growth in popularity and, consequently, the
number of Botnets.
If someone wants to start a "business" and has no programming
skills, there are plenty of "Bot for sale" offers on forums.
Obfuscation and encryption of these programs' code can also be
ordered in the same way to protect them from detection by
antivirus tools. Another option is to steal an existing Botnet.
The figure below explains how Botnets create business.
One can reduce the chances of becoming part of a Botnet by
limiting access into the system. Leaving your Internet
connection ON and unprotected is just like leaving the front
door of the house wide open. One can ensure the following to
secure the system:
1. Use antivirus and anti-Spyware software and keep it
up-to-date: It is important to remove and/or quarantine the
viruses. These programs should be configured during
installation so that they get updated automatically on a daily
basis.
2. Set the OS to download and install security patches
automatically: OS companies issue security patches for
flaws that are found in these systems.
3. Use a firewall to protect the system from hacking attacks
while it is connected to the Internet: A firewall is software
and/or hardware that is designed to block unauthorized access
while permitting authorized communications. It is a device or
set of devices configured to permit, deny, encrypt, decrypt, or
proxy all (in and out) computer traffic between different security
domains based upon a set of rules and other criteria. A firewall
is different from antivirus protection. Antivirus software scans
incoming communications and files for troublesome viruses,
whereas a properly configured firewall helps to block all
incoming communications from unauthorized sources.
4. Disconnect from the Internet when you are away from your
computer: Attackers cannot get into the system when the system
is disconnected from the Internet. Firewall, antivirus, and
anti-Spyware software are not foolproof mechanisms for
preventing access to the system.
5. Download freeware only from websites that are known
and trustworthy: It is always appealing to download free
software such as games, file-sharing programs, customized
toolbars, etc. However, one should remember that much free
software contains other software, which may include Spyware.
6. Regularly check the "sent items" or "outgoing" folders of
the mailbox for messages you did not send: If you do find
such messages in your outbox, it is a sign that your system may
have been infected with Spyware and may be part of a Botnet.
This is not foolproof; many spammers have learned to hide their
unauthorized access.
7. Take immediate action if your system is infected: If your
system is found to be infected by a virus, disconnect it from the
Internet immediately. Then scan the entire system with fully
updated antivirus and anti-Spyware software. Report the
unauthorized accesses to the ISP and to the legal authorities.
There is a possibility that your passwords may have been
compromised in such cases, so change all the passwords
immediately.
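Tip 3 above describes a firewall as a set of rules that permit or deny traffic between security domains. The following added example (not from the lecture notes) implements that idea as a first-match rule evaluator: inbound connections are denied unless a rule explicitly permits them, and outbound traffic is allowed except for one constructed egress rule on the IRC port, which early Botnets used for command and control. The addresses, ports and rules are assumptions constructed for the example, not a recommended production policy.

```python
"""First-match packet-filter rule evaluation, as described for firewalls.

Added example: the rule set, addresses and ports are constructed for
illustration and are not a recommended production policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "in" (toward the host) or "out"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


# Constructed policy: management SSH only from the LAN, everything else
# inbound denied; outbound allowed except one blocked service port (IRC).
RULES: List[Rule] = [
    Rule("permit", "in",  "tcp", "192.0.2.0/24", "0.0.0.0/0", 22),
    Rule("deny",   "in",  "any", "0.0.0.0/0",    "0.0.0.0/0", None),
    Rule("deny",   "out", "tcp", "0.0.0.0/0",    "0.0.0.0/0", 6667),
    Rule("permit", "out", "any", "0.0.0.0/0",    "0.0.0.0/0", None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        rule.direction == pkt.direction
        and rule.proto in ("any", pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; deny if none match.

    The implicit final deny is what makes the policy default-deny: a packet
    that no rule describes is dropped rather than let through.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in",  "tcp", "192.0.2.10",   "198.51.100.5", 22),
        Packet("in",  "tcp", "203.0.113.7",  "198.51.100.5", 22),
        Packet("out", "udp", "198.51.100.5", "192.0.2.53",   53),
        Packet("out", "tcp", "198.51.100.5", "203.0.113.9",  6667),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

Rule order matters: the explicit permit for SSH from the LAN must come before the catch-all inbound deny, which is why a real firewall policy is read top to bottom and reviewed the same way.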
Lecture 19
Attack Vector

An "attack vector" is a path or means by which an attacker can
gain access to a computer or to a network server to deliver a
payload or malicious outcome. Attack vectors enable attackers
to exploit system vulnerabilities, including the human element.
Attack vectors include viruses, E-Mail attachments, webpages,
pop-up windows, instant messages, chat rooms, and deception.
All of these methods involve programming (or, in a few cases,
hardware), except deception, in which a human operator is
fooled into removing or weakening system defenses.
To some extent, firewalls and antivirus software can block
attack vectors. However, no protection method is totally
attack-proof. A defense method that is effective today may not
remain so for long because attackers are constantly updating
attack vectors, and seeking new ones, in their quest to gain
unauthorized access to computers and servers.
The most common malicious payloads are viruses (which can
function as their own attack vectors), Trojan Horses, worms, and
Spyware. If an attack vector is thought of as a guided missile, its
payload can be compared to the warhead in the tip of the
missile.
In technical terms, the payload is the necessary data being
carried within a packet or other transmission unit; in this
scenario (i.e., attack vector) payload means the malicious
activity that the attack performs. From the technical perspective,
the payload does not include the "overhead" data required to get
the packet to its destination. What constitutes the payload
depends on the point of view: to a communications layer that
needs some of the overhead data to do its job, the payload is
sometimes considered to include the part of the overhead data
that this layer handles. However, in more general usage, the
payload is the bits that get delivered to the end-user at the
destination.
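The layer-dependent meaning of "payload" in the paragraph above can be made concrete with a constructed IPv4/UDP datagram. The following added example (not part of the lecture notes) builds such a datagram, then parses it to show what each layer counts as overhead and what it counts as payload; the addresses, ports and application data are constructed for illustration.

```python
"""Overhead versus payload at each layer of a constructed IPv4/UDP datagram.

Added example: addresses, ports and application data are constructed.
"""
import struct

IP_HEADER_LEN = 20   # minimal IPv4 header, no options
UDP_HEADER_LEN = 8
IP_FORMAT = "!BBHHHBBH4s4s"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Wrap application data in a UDP header, then in an IPv4 header."""
    udp_len = UDP_HEADER_LEN + len(data)
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum 0 = none
    total_len = IP_HEADER_LEN + udp_len
    src_bytes = bytes(int(octet) for octet in src.split("."))
    dst_bytes = bytes(int(octet) for octet in dst.split("."))
    # version/IHL, TOS, total length, id, flags/fragment, TTL, proto 17 (UDP),
    # header checksum (filled in below), source, destination
    fields = [0x45, 0, total_len, 0, 0, 64, 17, 0, src_bytes, dst_bytes]
    header = struct.pack(IP_FORMAT, *fields)
    fields[7] = checksum(header)
    header = struct.pack(IP_FORMAT, *fields)
    return header + udp_header + data


def split_layers(datagram: bytes) -> dict:
    """Report what each layer treats as overhead and as payload.

    To the IP layer the UDP header is payload; to the UDP layer only the
    bytes after its own 8-byte header are payload; the end-user sees the
    application data alone.
    """
    ihl = (datagram[0] & 0x0F) * 4
    if checksum(datagram[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    proto = datagram[9]
    ip_payload = datagram[ihl:]                          # UDP header + data
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip_payload[:UDP_HEADER_LEN])
    app_payload = ip_payload[UDP_HEADER_LEN:udp_len]     # what the end-user gets
    return {
        "ip_overhead": ihl,
        "ip_payload_len": len(ip_payload),
        "udp_overhead": UDP_HEADER_LEN,
        "udp_payload_len": len(app_payload),
        "protocol": proto,
        "dport": dport,
        "app_payload": app_payload,
    }


if __name__ == "__main__":
    # Constructed sample: a DNS-port datagram carrying a few bytes of text.
    dg = build_datagram("192.0.2.10", "198.51.100.5", 40000, 53, b"GET /index.html")
    for key, value in split_layers(dg).items():
        print(f"{key}: {value!r}")
```

The checksum check in split_layers is the kind of sanity test a packet inspector applies before trusting header fields; a datagram whose header does not verify is rejected rather than parsed.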
The attack vectors described below are the means by which most
attacks are launched.
1. Attack by E-Mail: The hostile content is either embedded in
the message or linked to by the message. Sometimes attacks
combine the two vectors, so that if the message does not get you,
the attachment will. Spam is almost always a carrier for scams,
fraud, dirty tricks, or malicious action of some kind. Any link
that offers something "free" or tempting is suspect.
2. Attachments (and other files): Malicious attachments install
malicious computer code. The code could be a virus, Trojan
Horse, Spyware, or any other kind of malware. Attachments
attempt to install their payload as soon as you open them.
3. Attack by deception: Deception is aimed at the user/operator
as a vulnerable entry point. It is not just malicious computer
code that one needs to monitor. Fraud, scams, hoaxes, and to
some extent Spam, not to mention viruses, worms and such,
require the unwitting cooperation of the computer's operator to
succeed. Social engineering and hoaxes are other forms of
deception that often serve as an attack vector too.
4. Hackers: Hackers/crackers are a formidable attack vector
because, unlike ordinary Malicious Code, people are flexible
and they can improvise. Hackers/crackers use a variety of
hacking tools, heuristics, and social engineering to gain access
to computers and online accounts. They often install a Trojan
Horse to commandeer the computer for their own use.
5. Heedless guests (attack by webpage): Counterfeit websites
are used to extract personal information. Such websites look
very much like the genuine websites they imitate. One may think
he/she is doing business with someone he/she trusts. However,
he/she is really giving away personal information, like address,
credit card number, and expiration date. They are often used in
conjunction with Spam, which gets you there in the first place.
Pop-up webpages may install Spyware, Adware or Trojans.
6. Attack of the worms: Many worms are delivered as E-Mail
attachments, but network worms use holes in network protocols
directly. Any remote access service, like file sharing, is likely to
be vulnerable to this sort of worm. In most cases, a firewall will
block system worms. Many of these system worms install
Trojan Horses. Next they begin scanning the Internet from the
computer they have just infected, looking for other computers
to infect. If the worm is successful, it propagates rapidly. The
worm owner soon has thousands of "zombie" computers to use
for more mischief.
7. Malicious macros: Microsoft Word and Microsoft Excel are
some examples of applications that allow macros. A macro does
something like automating a spreadsheet, for example. Macros
can also be used for malicious purposes. All Internet services
like instant messaging, Internet Relay Chat (IRC), and P2P
file-sharing networks rely on cozy connections between the
computer and the other computers on the Internet. If one is using
P2P software then his/her system is more vulnerable to hostile
exploits.
8. Foistware (sneakware): Foistware is software that adds
hidden components to the system on the sly. Spyware is the
most common form of foistware. Foistware is quasi-legal
software bundled with some attractive software. Sneak software
often hijacks your browser and diverts you to some "revenue
opportunity" that the foistware has set up.
9. Viruses: These are malicious computer codes that hitch a ride
on a carrier and make up the payload. Nowadays, virus vectors
include E-Mail attachments, downloaded files, worms, etc.
Lecture 20
Cloud Computing

Cloud computing has two meanings. The most common refers to
running workloads remotely over the internet in a commercial
provider’s data center, also known as the “public cloud” model.
Popular public cloud offerings, such as Amazon Web Services
(AWS), Salesforce’s CRM system, and Microsoft Azure, all
exemplify this familiar notion of cloud computing. Today, most
businesses take a multicloud approach, which simply means
they use more than one public cloud service.
The second meaning of cloud computing describes how it works:
a virtualized pool of resources, from raw compute power to
application functionality, available on demand. When customers
procure cloud services, the provider fulfills those requests using
advanced automation rather than manual provisioning. The key
advantage is agility: the ability to apply abstracted compute,
storage, and network resources to workloads as needed and tap
into an abundance of prebuilt services.
The public cloud lets customers gain new capabilities without
investing in new hardware or software. Instead, they pay their
cloud provider a subscription fee or pay for only the resources
they use. Simply by filling in web forms, users can set up
accounts and spin up virtual machines or provision new
applications. More users or computing resources can be added
on the fly—the latter in real time as workloads demand those
resources thanks to a feature known as auto scaling.
Cloud computing definitions for each type
The array of available cloud computing services is vast, but
most fall into one of the following categories.
SaaS (software as a service)
This type of public cloud computing delivers applications over
the internet through the browser. The most
popular SaaS applications for business can be found in Google’s
G Suite and Microsoft’s Office 365; among enterprise
applications, Salesforce leads the pack. But virtually all
enterprise applications, including ERP suites from Oracle and
SAP, have adopted the SaaS model. Typically, SaaS
applications offer extensive configuration options as well as
development environments that enable customers to code their
own modifications and additions.
IaaS (infrastructure as a service) definition
At a basic level, IaaS public cloud providers offer storage and
compute services on a pay-per-use basis. But the full array of
services offered by all major public cloud providers is
staggering: highly scalable databases, virtual private
networks, big data analytics, developer tools, machine learning,
application monitoring, and so on. Amazon Web Services was
the first IaaS provider and remains the leader, followed
by Microsoft Azure, Google Cloud Platform, and IBM Cloud.
PaaS (platform as a service) definition
PaaS provides sets of services and workflows that specifically
target developers, who can use shared tools, processes, and APIs
to accelerate the development, testing, and deployment of
applications. Salesforce’s Heroku and Force.com are popular
public cloud PaaS offerings; Pivotal’s Cloud Foundry and Red
Hat’s OpenShift can be deployed on premises or accessed
through the major public clouds. For enterprises, PaaS can
ensure that developers have ready access to resources, follow
certain processes, and use only a specific array of services,
while operators maintain the underlying infrastructure.
FaaS (functions as a service) definition
FaaS, the cloud version of serverless computing, adds another
layer of abstraction to PaaS, so that developers are completely
insulated from everything in the stack below their code. Instead
of futzing with virtual servers, containers, and application
runtimes, they upload narrowly functional blocks of code, and
set them to be triggered by a certain event (such as a form
submission or uploaded file). All the major clouds offer FaaS on
top of IaaS: AWS Lambda, Azure Functions, Google Cloud
Functions, and IBM OpenWhisk. A special benefit of FaaS
applications is that they consume no IaaS resources until an
event occurs, reducing pay-per-use fees.
Private cloud definition
A private cloud downsizes the technologies used to run IaaS
public clouds into software that can be deployed and operated in
a customer’s data center. As with a public cloud, internal
customers can provision their own virtual resources to build, test,
and run applications, with metering to charge back departments
for resource consumption. For administrators, the private cloud
amounts to the ultimate in data center automation, minimizing
manual provisioning and management. VMware’s Software
Defined Data Center stack is the most popular commercial
private cloud software, while OpenStack is the open source
leader.
Note, however, that the private cloud does not fully conform to
the definition of cloud computing. Cloud computing is a service.
A private cloud demands that an organization build and
maintain its own underlying cloud infrastructure; only
internal users of a private cloud experience it as a cloud
computing service.
Hybrid cloud definition
A hybrid cloud is the integration of a private cloud with a public
cloud. At its most developed, the hybrid cloud involves creating
parallel environments in which applications can move easily
between private and public clouds. In other instances, databases
may stay in the customer data center and integrate with public
cloud applications—or virtualized data center workloads may be
replicated to the cloud during times of peak demand. The types
of integrations between private and public cloud vary widely,
but they must be extensive to earn a hybrid cloud designation.
Lecture 21
Introduction, Proxy Servers and Anonymizers,
Proxy Server

It is a server (a computer system or an application) that acts as
an intermediary for requests from clients seeking resources from
other servers. A client connects to the proxy server, requesting
some service, such as a file, connection, web page, or other
resource available from a different server and the proxy server
evaluates the request as a way to simplify and control its
complexity. Proxies were invented to add structure and
encapsulation to distributed systems. Today, most proxies are
web proxies, facilitating access to content on the World Wide
Web and providing anonymity.

Types of proxy –
A proxy server may reside on the user’s local computer, or at
various points between the user’s computer and destination
servers on the Internet.
A proxy server that passes requests and responses unmodified is
usually called a gateway or sometimes a tunneling proxy.
A forward proxy is an Internet-facing proxy used to retrieve
resources from a wide range of sources (in most cases anywhere
on the Internet).
A reverse proxy is usually an Internet-facing proxy used as a
front-end to control and protect access to a server on a private
network. A reverse proxy commonly also performs tasks such as
load-balancing, authentication, decryption or caching.
Open proxies – An open proxy is a forwarding proxy server that
is accessible by any Internet user. Gordon Lyon estimates there
are “hundreds of thousands” of open proxies on the Internet. An
anonymous open proxy allows users to conceal their IP address
while browsing the Web or using other Internet services. There
are varying degrees of anonymity, however, as well as a number
of methods of ‘tricking’ the client into revealing itself regardless
of the proxy being used.

Reverse proxies – A reverse proxy (or surrogate) is a proxy
server that appears to clients to be an ordinary server. Requests
are forwarded to one or more proxy servers which handle the
request. The response from the proxy server is returned as if it
came directly from the original server, leaving the client no
knowledge of the origin servers. Reverse proxies are installed in
the neighborhood of one or more web servers. All traffic coming
from the Internet and with a destination of one of the
neighborhood’s web servers goes through the proxy server. The
use of “reverse” originates in its counterpart “forward proxy”
since the reverse proxy sits closer to the web server and serves
only a restricted set of websites.

There are several reasons for installing reverse proxy servers:
Encryption / SSL acceleration: when secure web sites are
created, the SSL encryption is often not done by the web server
itself, but by a reverse proxy that is equipped with SSL
acceleration hardware. Furthermore, a host can provide a single
“SSL proxy” to provide SSL encryption for an arbitrary number
of hosts, removing the need for a separate SSL server certificate
for each host, with the downside that all hosts behind the SSL
proxy have to share a common DNS name or IP address for SSL
connections. This problem can partly be overcome by using the
SubjectAltName feature of X.509 certificates.
Load balancing: the reverse proxy can distribute the load to
several web servers, each web server serving its own application
area. In such a case, the reverse proxy may need to rewrite the
URLs in each web page (translation from externally known
URLs to the internal locations).
Serve/cache static content: A reverse proxy can offload the
web servers by caching static content like pictures and other
static graphical content.
Compression: the proxy server can optimize and compress the
content to speed up the load time.
Spoon feeding: reduces resource usage caused by slow clients
on the web servers by caching the content the web server sent
and slowly “spoon feeding” it to the client. This especially
benefits dynamically generated pages.
Security: the proxy server is an additional layer of defense and
can protect against some OS and Web Server specific attacks.
However, it does not provide any protection from attacks against
the web application or service itself, which is generally
considered the larger threat.
Extranet Publishing: a reverse proxy server facing the Internet
can be used to communicate to a firewall server internal to an
organization, providing extranet access to some functions while
keeping the servers behind the firewalls. If used in this way,
security measures should be considered to protect the rest of
your infrastructure in case this server is compromised, as its web
application is exposed to attack from the Internet.
If the destination server filters content based on the origin of the
request, the use of a proxy can circumvent this filter. For
example, a server using IP-based geolocation to restrict its
service to a certain country can be accessed using a proxy
located in that country to access the service.
Web proxies are the most common means of bypassing
government censorship, although no more than 3% of Internet
users use any circumvention tools. In some cases users can
circumvent proxies which filter using blacklists using services
designed to proxy information from a non-blacklisted location.
Proxies can be installed in order to eavesdrop upon the
data-flow between client machines and the web. All content sent
or accessed – including passwords submitted and cookies used –
can be captured and analyzed by the proxy operator. For this
reason, passwords to online services (such as webmail and
banking) should always be exchanged over a cryptographically
secured connection, such as SSL. By chaining proxies which do
not reveal data about the original requester, it is possible to
obfuscate activities from the eyes of the user’s destination.
However, more traces will be left on the intermediate hops,
which could be used or offered up to trace the user’s activities.
If the policies and administrators of these other proxies are
unknown, the user may fall victim to a false sense of security
just because those details are out of sight and mind. In what is
more of an inconvenience than a risk, proxy users may find
themselves being blocked from certain Web sites, as numerous
forums and Web sites block IP addresses from proxies known to
have spammed or trolled the site. Proxy bouncing can be used to
maintain your privacy.
Anonymizer
An anonymizer or an anonymous proxy is a tool that attempts to
make activity on the Internet untraceable. It is a proxy server
computer that acts as an intermediary and privacy shield
between a client computer and the rest of the Internet. It
accesses the Internet on the user’s behalf, protecting personal
information by hiding the client computer’s identifying
information.
There are many reasons for using anonymizers. Anonymizers
help minimize risk. They can be used to prevent identity theft,
or to protect search histories from public disclosure. Some
countries apply heavy censorship on the internet. Anonymizers
can help in allowing free access to all of the internet content, but
cannot help against persecution for accessing the Anonymizer
website itself. Furthermore, as information about anonymizer
websites is itself banned in these countries, users are wary that
they may be falling into a government-set trap.
Anonymizers are also used by people who wish to receive
objective information despite the growing targeted marketing
and targeted content on the internet. For example, large news
outlets such as CNN target the viewers according to region and
give different information to different populations. Websites
such as YouTube obtain information about the last videos
viewed on a computer, and propose “recommended” videos
accordingly, and most of the online targeted marketing is done
by showing advertisements according to that region.
Anonymizers are used for avoiding this kind of targeting and
getting a more objective view of information.
Types
Protocol specific anonymizers – Sometimes anonymizers are
implemented to work only with one particular protocol. The
advantage is that no extra software is needed. The operation
occurs in this manner: A connection is made by the user to the
anonymizer. Commands to the anonymizer are included inside a
typical message. The anonymizer then makes a connection to
the resource specified by the inbound command and relays the
message with the command stripped out. An example of a
protocol-specific anonymizer is an anonymous remailer for
e-mail. Also of note are web proxies, and bouncers for FTP and
IRC.
Protocol independent anonymizers – Protocol independence
can be achieved by creating a tunnel to an anonymizer. The
technology to do so varies. Protocols used by anonymizer
services may include SOCKS, PPTP, or OpenVPN. In this case
either the desired application must support the tunneling
protocol, or a piece of software must be installed to force all
connections through the tunnel. Web browsers, FTP and IRC
clients often support SOCKS for example, unlike telnet.
Lecture 22
Phishing, Password Cracking

Phishing - Techniques

1. URL (weblink) manipulation: URLs are the weblinks (i.e.,
Internet addresses) that direct the netizens/users to a specific
website. In a Phishing attack, these URLs are usually supplied
misspelled; for example, instead of www.abcbank.com, the URL
is provided as www.abcbankl.com.
2. Filter evasion: This technique uses graphics (i.e., images)
instead of text so that such E-Mails are not netted by
anti-Phishing filters. Normally, these filters are built into web
browsers. For example,
Internet Explorer version 7 has an inbuilt "Microsoft phishing
filter." One can enable it during the installation or it can be
enabled post-installation. It is important to note that it is not
enabled by default.
Firefox 2.0 and above has an inbuilt "Google Phishing filter,"
duly licensed from Google. It is enabled by default.
The Opera Phishing filter is dubbed Opera Fraud Protection and
is included in version 9.5+.
3. Website forgery: In this technique the phisher directs the
netizens to a website designed and developed by the phisher and
gets them to log in to it, altering the browser address bar through
JavaScript commands. As the netizen logs into the fake/bogus
website, the phisher gets the confidential information very easily.
Another technique used is known as a "cloaked" URL: domain
forwarding and/or inserting control characters into the URL
while concealing the weblink address of the real website.
4. Flash Phishing: Anti-Phishing toolbars are installed/enabled
to help check webpage content for signs of Phishing, but have
the limitation that they do not analyze Flash objects at all.
Phishers use Flash to emulate the legitimate website. Netizens
believe that the website is "clean" and is a real website because
the anti-Phishing toolbar is unable to detect it.
5. Social Phishing: Phishers entice the netizens to reveal
sensitive data by other means, and it works in a systematic
manner:
The phisher sends a mail as if it were sent by a bank, asking the
recipient to call back because there was a security breach.
The victim calls the bank on the phone number displayed in the
mail.
The phone number provided in the mail is a false number and
the victim gets redirected to the phisher.
The phisher speaks with the victim in a similar fashion/style to a
bank employee, asking to verify that the victim is a customer of
the bank. For example, "Sir, we need to make sure that you are
indeed our customer. Could you please supply your credit card
information so that I can verify your identity?"
The phisher gets the required details swimmingly.
6. Phone Phishing: Besides such attacks, a phisher can use fake
caller ID data to make it appear that the call is received from a
trusted organization, enticing the users to reveal their personal
information such as account numbers and passwords.
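A defensive check for the URL manipulation and "cloaked" URL techniques in items 1 and 3 above, as an added example that is not part of the lecture notes: it compares the host of a link against a list of protected domains and flags typosquats, brand names used as subdomains, hidden userinfo and control characters. The protected-domain list, the edit-distance threshold and the sample URLs are constructed here; abcbank.com is the lecture's own example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains this organisation wants to protect
# (abcbank.com is the lecture's example; examplemail.com is made up).
PROTECTED_DOMAINS = ["abcbank.com", "examplemail.com"]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def analyze_url(url, protected=PROTECTED_DOMAINS):
    """Return the phishing indicators found in `url` (empty list = none)."""
    findings = []
    # Cloaked URL: control or format characters inserted into the link.
    # Checked on the raw string, because urlsplit strips some of them.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in url):
        findings.append("control characters in URL")
    parts = urlsplit(url)
    # "realsite@host" trick: the text before '@' is userinfo, the
    # browser actually connects to the host after it.
    if "@" in parts.netloc:
        findings.append("userinfo '@' hides real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return findings or ["no host in URL"]
    # Drop a leading "www." so www.abcbank.com compares as abcbank.com.
    bare = host[4:] if host.startswith("www.") else host
    for real in protected:
        if bare == real or bare.endswith("." + real):
            continue  # the genuine domain or one of its subdomains
        # Brand name reused as a label under someone else's domain,
        # e.g. abcbank.secure-login.example
        if real.split(".")[0] in bare.split("."):
            findings.append(f"brand '{real}' used in subdomain of {bare}")
        # Typosquat such as abcbankl.com vs abcbank.com
        elif levenshtein(bare, real) <= 2:
            findings.append(f"lookalike of {real}: {bare}")
    return findings
```

Such a check belongs in a mail gateway or link-rewriting proxy, where a non-empty result should quarantine the message or warn the user rather than block outright, since short legitimate domains can also sit within edit distance 2 of a protected one.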
Password - Cracking
A password is like a key that opens the lock on a computerized
system. Password cracking is the process of recovering
passwords from data that have been stored in or transmitted by a
computer system. Usually, an attacker follows a common
approach: repeatedly making guesses for the password. The
purposes of password cracking are as follows:
To recover a forgotten password;
As a preventive measure by system administrators to check for
easily crackable passwords;
To gain unauthorized access to a system.
Manual password cracking is attempting to log on with different
passwords. The attacker follows these steps:
Find a valid user account such as Administrator or Guest;
Create a list of possible passwords;
Rank the passwords from high to low probability;
Key in each password;
Try again until a successful password is found.
Passwords can sometimes be guessed with knowledge of the
user's personal information. Examples of guessable passwords
include:
Blank (none);
Words like "password," "passcode" and "admin";
Series of letters from the "QWERTY" keyboard, for example,
qwerty, asdf or qwertyuiop;
User's name or login name;
Name of user's friend/relative/pet;
User's birthplace or date of birth, or a relative's or a friend's;
User's vehicle number, office number, residence number or
mobile number;
Name of a celebrity who is considered to be an idol (e.g., actors,
actresses, spiritual gurus) by the user;
Simple modification of one of the preceding, such as suffixing a
digit, particularly 1, or reversing the order of letters.
An attacker can also create a script file (i.e., automated program)
which will be executed to try each password in a list. This is still
considered manual cracking; it is time-consuming and not usually
effective.
Passwords are stored in a database, and a password verification
process is established in the system for when a user attempts to
log in or access a restricted resource. To ensure confidentiality of
passwords, the password verification data is usually not stored
in clear text. For example, a one-way function is applied to the
password, possibly in combination with other data, and the
resulting value is stored. When a user attempts to log in to the
system by entering the password, the same function is applied to
the entered value and the result is compared with the stored
value. If they match, the user gains access; this process is called
authentication.
Password cracking attacks can be classified under three
categories as follows:
Online attacks;
Offline attacks;
Non-electronic attacks
Online and Offline Attacks
Online Attacks
An attacker can create a script file (i.e., automated program) that
will be executed to try each password in a list and, when one
matches, the attacker can gain access to the system. The most
popular online attack is the man-in-the-middle (MITM) attack,
also termed the "bucket-brigade attack" or sometimes the "Janus
attack." It is a form of active eavesdropping in which the attacker
establishes a connection between a victim and the server to which
the victim is connected. When a victim client connects to the
fraudulent server, the MITM server intercepts the call, hashes the
password and passes the connection to the victim server. This
type of attack is used to obtain the passwords for E-Mail accounts
on public websites such as Yahoo, Hotmail and Gmail and can
also be used to get the passwords for financial websites by
attackers who would like to gain access to banking websites.
Offline Attacks
Mostly, offline attacks are performed from a location other than
the target (i.e., either a computer system or the network) where
these passwords reside or are used. Offline attacks usually
require physical access to the computer and copying the
password file from the system onto removable media. The
different types of offline password attacks are described in the
table below.

Type of Attack      Description                                  Example of a Password
Dictionary Attack   Attempts to match all the words from the     Administrator
                    dictionary to get the password
Hybrid Attack       Substitutes numbers and symbols to get       Administrator
                    the password
Brute Force Attack  Attempts all possible permutations and       Admin@09
                    combinations of letters, numbers and
                    special characters

Strong, Weak and Random Passwords
Weak Passwords
A weak password is one which could be easily guessed: short,
common or system-default passwords that could be easily found
by executing a brute force attack over a subset of all possible
passwords, such as words in the dictionary, proper names and
words based on the username, or common variations on these
themes. Passwords that can be easily guessed by acquaintances
of the netizens (such as date of birth, pet's name and spouse's
name) are considered to be very weak. Here are some examples
of "weak passwords":
Susan: Common personal name;
aaaa: Repeated letters, can be guessed;
rover: Common name for a pet, also a dictionary word;
abc123: Can be easily guessed;
admin: Can be easily guessed;
1234: Can be easily guessed;
QWERTY: A sequence of adjacent letters on many keyboards;
12/3/75: Date, possibly of personal importance;
nbusr123: Probably a username, and if so, can be very easily
guessed;
password: Used very often - trivially guessed;
December 12: Using the date of a forced password change is
very common.
Strong Passwords
A strong password is long enough, random or otherwise difficult
to guess - producible only by the user who chooses it. The
length of time deemed to be too long will vary with the attacker,
the attacker's resources, the ease with which a password can be
tried and the value of the password to the attacker. A student's
password might not be worth more than a few seconds of
computer time, while a password controlling access to a large
bank's electronic money transfer system might be worth many
weeks of computer time for trying to crack it. Here are some
examples of strong passwords:
Convert £100 to Euros!: Such phrases are long, memorable
and contain an extended symbol to increase the strength of the
password.
382465304H: It is a mix of numbers and a letter at the end,
usually used on mass user accounts; such passwords can be
generated randomly, for example, in schools and businesses.
MoOoOfIn245679: It is long with both letters and numerals.
t3wahSetyeT4: It is not a dictionary word; however, it has both
letters and numerals.
Random Passwords
Password is stronger if it includes a mix of upper and lower case
letters, numbers and other symbols, when allowed, for the same
number of characters. The difficulty in remembering such a
password increases the chance that the user will write down the
password, which makes it more vulnerable to a different attack.
Whether this represents a net reduction in security depends on
whether the primary threat to security is internal (e.g., social
engineering) or external. A password can, at first sight, look
random, but if you really examine it, it is just a pattern. One of
these types of passwords is 26845. Although short, it is not
easily guessed. However, the person who created the password
is able to remember it because it is just the four direction keys
on the square number board plus a five in the middle.
The general guidelines applicable to the password policies,
which can be implemented organization-wide, are as follows:
Passwords and user logon identities (IDs) should be unique to
each authorized user.
Passwords should consist of a minimum of eight alphanumeric
characters (no common names or phrases).
There should be computer-controlled lists of prescribed
password rules and periodic testing (e.g., letter and number
sequences, character repetition, initials, common words and
standard names) to identify any password weaknesses.
Passwords should be kept private, that is, not shared with friends,
colleagues, etc. They shall not be coded into programs or noted
down anywhere.
Passwords shall be changed every 30/45 days or less. Most
operating systems (OSs) can enforce a password with an
automatic expiration and prevent repeated or reused passwords.
User accounts should be frozen after five failed logon attempts.
All erroneous password entries should be recorded in an audit
log for later inspection and action, as necessary.
Sessions should be suspended after 15 minutes (or other
specified period) of inactivity and require the passwords to be
re-entered.
Successful logons should display the date and time of the last
logon and logoff.
Logon IDs and passwords should be suspended after a specified
period of non-use.
Lecture 23
Keyloggers

Keystroke logging, often called keylogging, is the practice of
noting (or logging) the keys struck on a keyboard, typically in a
covert manner so that the person using the keyboard is unaware
that such actions are being monitored.
A keystroke logger or keylogger is a quicker and easier way of
capturing passwords and monitoring the victim's behavior on IT
systems. It can be classified as software keylogger and hardware
keylogger.
1. Software Keyloggers
Software keyloggers are software programs installed on the
computer systems which usually are located between the OS and
the keyboard hardware, and every keystroke is recorded.
Software keyloggers are installed on a computer system by
Trojans or viruses without the knowledge of the user.
Cybercriminals always install such tools on the insecure
computer systems available in public places and can obtain the
required information about the victim very easily. A keylogger
usually consists of two files that get installed in the same
directory: a dynamic link library (DLL) file and an executable
(EXE) file that installs the DLL file and triggers it to work. The
DLL does all the recording of keystrokes.
2. Hardware Keyloggers
To install these keyloggers, physical access to the computer
system is required. Hardware keyloggers are small hardware
devices. These are connected to the PC and/or to the keyboard
and save every keystroke into a file or in the memory of the
hardware device. Cybercriminals install such devices on ATM
machines to capture ATM card PINs. Each keypress on the
keyboard of the ATM gets registered by these keyloggers. These
keyloggers look like an integrated part of such systems; hence,
bank customers are unaware of their presence.
3. Antikeylogger
Antikeylogger is a tool that can detect a keylogger installed on
the computer system and can also remove it.
Advantages of using an antikeylogger are as follows:
Firewalls cannot detect the installation of keyloggers on
systems, whereas antikeyloggers can.
This software does not require regular updates of signature
bases to work effectively, unlike antivirus and antispyware
programs, which do not serve their purpose and leave users at
risk if not updated.
It prevents Internet banking frauds, since passwords can easily
be obtained by installing keyloggers.
It prevents ID theft.
It secures E-Mail and instant messaging/chatting.
Lecture 24
Spywares
Spyware is a type of malware that is installed on computers and
collects information about users without their knowledge. The
presence of Spyware is typically hidden from the user; it is
secretly installed on the user's personal computer. Sometimes,
however, Spywares such as keyloggers are installed by the
owner of a shared, corporate or public computer on purpose to
secretly monitor other users.
It is clear from the term Spyware that it secretly monitors the
user. The features and functions of such Spywares go beyond
simple monitoring. Spyware programs collect personal
information about the victim, such as Internet surfing
habits/patterns and websites visited. The Spyware can also
redirect Internet surfing activities by installing another stealth
utility on the user's computer system. Spyware may also have
the ability to change computer settings, which may slow the
Internet connection and response time, leading the user to
complain to the Internet Service Provider (ISP) about the
connection speed.
To counter the emergence of Spywares that proved troublesome
for the normal user, anti-Spyware software is available in the
market. Installing anti-Spyware has become a common element
of computer security practice.
Spyware is malicious software that infects computers and other
internet-connected devices and secretly records your browsing
habits, the websites you visit, and your online purchases. Some
types of spyware also record your passwords, login credentials,
and credit card details. This information is then forwarded to the
spyware author, who can either use it for their own personal
gain or sell it to a third party.
Like all other types of malicious software, spyware is installed
on your computer without your consent. It is usually bundled
with legitimate software that you have intentionally downloaded
(like file-sharing programs and other freeware or shareware
applications), but you can also unwittingly download it by
visiting malicious websites or clicking on links and attachments
in infected emails. As soon as you install it, spyware will attach
itself to your operating system and start running quietly in the
background.
The term spyware was coined in the mid-1990s, but the software
itself had existed long before that. At first, developers would
add a spyware component to their programs to track their usage.
They would then approach potential advertisers with these stats
or utilize them to detect any unlicensed use of the software. By
the early noughties, however, more than 90 percent of computer
users worldwide had their machines infected with some form of
spyware, unknowingly installed without their permission.
Nowadays, there are many spyware programs in circulation,
some even bundled with hardware. Rather than targeting
individual users, the creators of spyware aim to gather as much
data as possible and sell it to advertisers, spammers, scammers,
or hackers. With new forms of malicious software being
released every few seconds, no one is safe from spyware. Even
the companies you trust use spyware to track your behavior,
which you have allowed them to do when you accepted their
End User License Agreement.
What Types of Spyware Exist?
All forms of spyware can be divided into the following five
categories:
Infostealers
As the name suggests, infostealers are programs that have the
ability to scan infected computers and steal a variety of personal
information. This information can include browsing histories,
usernames, passwords, email addresses, personal documents, as
well as media files. Depending on the program, infostealers
store the data they collect either on a remote server or locally for
later retrieval.
In most cases, infostealers exploit browser-related security
deficiencies to collect your private data. They sometimes also
use so-called injection scripts to add extra fields to web
forms. When you type in the requested information and hit
“Submit”, instead of going to the website owner, the
information will go directly to the hacker, who can then
potentially use it to impersonate you on the internet.
Password Stealers
Password stealers are very similar to infostealers, the only
difference being that they are specially designed to steal login
credentials from infected devices. First detected in 2012, these
pieces of spyware don’t steal your passwords as you type them.
Instead, they attach themselves to the browser to extract all your
saved usernames and passwords. In addition, they can also
record your system login credentials.
Most password stealers are routinely removed by reliable
security software, but some types still manage to avoid detection
by changing their file hashes before each attack. As with
infostealers, the creators of password stealers can choose
whether they want to store the collected data on a remote server
or in a hidden file on your hard drive.
Keyloggers
Sometimes referred to as system monitors, keyloggers are
spyware programs that record the keystrokes typed on a
keyboard connected to an infected computer. While
hardware-based keyloggers record each keystroke in real time,
software-based keystroke loggers collect periodic screenshots of
the currently active windows. This, in turn, allows them to
record passwords (if they are not encrypted on-screen), credit
card details, search histories, email and social media messages,
as well as browser histories.
While keyloggers are mostly used by hackers to gather sensitive
data from unsuspecting victims, they have also found a more
practical use in recent years. Namely, some business owners
utilize them to monitor the activity of their employees, while
concerned parents may install them on their children’s
computers to ensure that they are safe online. Some law
enforcement agencies in the United States have also used
keyloggers to arrest notorious criminals and crack down on drug
dealers.
Banker Trojans
Banker Trojans are programs that are designed to access and
record sensitive information that is either stored on or processed
through online banking systems. Often disguised as legitimate
software, banker Trojans have the ability to modify web pages
on online banking sites, alter the values of transactions, and
even add extra transactions to benefit the hackers behind them.
Like all other types of spyware, banker Trojans are built with a
backdoor, allowing them to send all the data they collect to a
remote server.
These programs usually target financial institutions ranging
from banks and brokerages to online financial services and
electronic wallet providers. Due to their sophisticated design,
banking Trojans are often undetected even by the state-of-the-art
security systems of some financial institutions.
Modem Hijackers
With the gradual shift from dial-up to broadband in the last
decade, modem hijackers have become a thing of the past. They
are perhaps the oldest type of spyware that would attack its
victims while they were browsing the internet. As a rule, a
pop-up ad would appear, prompting the user to click on it. When
they did, it would initiate a silent download of a file that would
then take control of their dial-up modem.
Once in charge of the computer, the modem hijacker would
disconnect the phone line from its current local connection and
instead connect it to an international one. Most hackers would
use premium-priced phone numbers (usually intended for adult chat
lines) that were registered in countries with insufficient
cybercrime legislation like China, Russia, and some South
American countries. The victims would usually only become
aware of the problem when they saw their $1,000+ phone bill
early next month.
Examples of Spyware
With the development of cybersecurity technologies over the
years, many spyware programs have disappeared, while some
other, more sophisticated forms of spyware have emerged. Some
of the best-known examples of spyware include the following:
 CoolWebSearch – This program would take advantage of
the security vulnerabilities in Internet Explorer to hijack the
browser, change the settings, and send browsing data to its
author.
 Gator – Usually bundled with file-sharing software like
Kazaa, this program would monitor the victim’s web surfing
habits and use the information to serve them with better-targeted
ads.
 Internet Optimizer – Particularly popular in the dial-up
days, this program promised to help increase internet speeds.
Instead, it would replace all error and login pages with
advertisements.
 TIBS Dialer – This was a modem hijacker that would
disconnect the victim’s computer from a local phone line and
connect them to a toll number designed for accessing
pornographic sites.
 Zlob – Also known as Zlob Trojan, this program uses
vulnerabilities in the ActiveX codec to download itself to a
computer and record search and browsing histories, as well as
keystrokes.
How to Remove Spyware
Similar to some other types of malware, you will usually be able
to recognize some symptoms of a spyware infection on your
computer. These can range from changes to your web browser’s
homepage and redirected searches to performance issues and
increased modem activity when you’re not using your computer.
If you notice any of these problems, you should use the best
antivirus software to run a scan of your computer and quarantine
or remove any infected or compromised files it detects.
As with any other cybersecurity threat, nurturing good browsing
habits is the best way to keep your computer and personal
information safe. Because spyware is most often distributed via
malicious emails and websites, you shouldn’t open any
attachments or click on any links that are included in suspicious
emails or messages you receive on social media. Some programs
allow you to opt out of installing bundled spyware, so make sure
to read the instructions carefully when installing software on
your PC.
Finally, even if your computer is showing no signs of a spyware
infection, you should still scan it for all potential threats at least
once a week. With the best antivirus software, you can schedule
a weekly scan so that you won’t have to manually start it every
time. These programs also offer real-time protection against a
wide range of threats, from viruses and worms to spyware and
ransomware. What’s more, they automatically check for virus
and malware database updates every day to ensure optimal
protection.
Lecture 25
Virus and Worms, Trojan Horse

Types of viruses:
i. Parasitic Virus: The traditional and still most common form of
virus. A parasitic virus attaches itself to executable files and
replicates when the infected program is executed.
ii. Memory resident Virus: Lodges in main memory as part of a
resident system program. From that point on, the virus infects
every program that executes.
iii. Boot-Sector Virus: Infects a master boot record or boot
record and spreads when a system is booted from the disk
containing the virus.
iv. Stealth Virus: A form of virus explicitly designed to hide
itself from detection by antivirus software.
v. Polymorphic Virus: A virus that mutates with every infection,
making detection by the “signature” of the virus impossible.
vi. Metamorphic Virus: A metamorphic virus mutates with
every infection. The difference is that a metamorphic virus
rewrites itself completely at each iteration, increasing the
difficulty of detection. Metamorphic viruses may change their
behaviour as well as their appearance.
Examples of recent viruses:
i. Macro viruses:
• Macro viruses are platform independent. Virtually all of the
macro viruses infect Microsoft Word documents. Any
hardware platform and operating system that supports
Word can be infected.
• Macro viruses infect documents, not executable portions
of code. Most of the information introduced onto a
computer system is in the form of a document rather than a
program.
• Macro viruses are easily spread. A very common method
is by e-mail.
ii. E-Mail viruses:
A more recent development in malicious software is the
e-mail virus. The first rapidly spreading e-mail viruses,
such as Melissa, made use of a Microsoft Word macro
embedded in an attachment. If the recipient opens the
e-mail attachment, the Word macro is activated. Then,
• The e-mail virus sends itself to everyone on the mailing
list in the user's e-mail package.
• The virus does local damage.

Worms:
• A worm is a program that can replicate itself and send
copies from computer to computer across network
connections. Upon arrival, the worm may be activated to
replicate and propagate again.
• In addition to propagation, the worm usually performs
some unwanted function. An e-mail virus has some of the
characteristics of a worm, because it propagates itself
from system to system. A worm actively seeks out more
machines to infect, and each infected machine serves as a
launching pad for attacks on other machines.
• Network worm programs use network connections to
spread from system to system. Once active within a system,
a network worm can behave as a computer virus or
bacteria, or it could implant Trojan horse programs or
perform any number of disruptive or destructive actions.

State of worm technology
• Multiplatform: Worms are not limited to Windows
machines but can attack a variety of platforms, especially
the popular varieties of UNIX.
• Multiexploit: New worms penetrate systems in a variety of
ways, using exploits against web servers, browsers, e-mail,
file sharing and other network-based applications.
• Ultrafast spreading: One technique to accelerate the
spread of a worm is to conduct a prior Internet scan to
accumulate Internet addresses of vulnerable machines.
• Polymorphic: To evade detection, skip past filters and foil
real-time analysis, worms adopt the virus polymorphic
technique. Each copy of the worm has new code generated
on the fly using functionally equivalent instructions and
encryption techniques.
• Metamorphic: In addition to changing their appearance,
metamorphic worms have a repertoire of behaviour patterns
that are unleashed at different stages of propagation.
• Transport vehicles: Because worms can rapidly
compromise a large number of systems, they are ideal for
spreading other distributed attack tools, such as distributed
denial of service zombies.
• Zero-day exploit: To achieve maximum surprise and
distribution, a worm should exploit an unknown
vulnerability that is only discovered by the general
network community when the worm is launched.

Trojan Horse
A Trojan horse, commonly known as a “Trojan,” is a type
of malware that disguises itself as a normal file or program
to trick users into downloading and installing malware.
A Trojan can give a malicious party remote access to an
infected computer.
Once an attacker has access to an infected computer, it is
possible for the attacker to steal data (logins, financial data, even
electronic money), install more malware, modify files, monitor
user activity (screen watching, key logging, etc), use the
computer in botnets, and anonymise internet activity by the
attacker.
Lecture 26
Steganography, DoS and DDoS attacks

Steganography (hiding/covering information)
Stego means cover, graphia means text/writing.
A plaintext message may be hidden in one of two ways. The
methods of steganography conceal the existence of the message,
whereas the methods of cryptography render the message
unintelligible to outsiders by various transformations of the text.
Steganography is data hidden within data. It is a hiding
technique that can be used along with cryptography as an
extra-secure method to protect data.
Thus, the technique of hiding information inside other
information, while also hiding the fact that communication is
taking place, is known as steganography.
The main aim of steganography is for a sender to transfer a
plaintext to a receiver in such a way that only the receiver can
extract the plaintext, because only the receiver knows that the
hidden plaintext exists in the first place and how to look for it.
Steganography techniques can be applied to images, video files
or audio files. Typically, however, steganography is written in
characters including hash marking, but its usage within images
is also common. At any rate, steganography can protect
copyrighted materials from piracy as well as aid in unauthorized
viewing.
How it works
Steganography replaces unneeded or unused bits in regular
computer files (Graphics, sound, text) with bits of different and
invisible information. Hidden information can be any other
regular computer file or encrypted data.
Types of steganography are:
There are different ways to hide one message in another; the
well-known ones are Least Significant Bit (LSB) replacement
and injection.
When a file or an image is created there are a few bytes in the
file or image which are not necessary or least important. These
bytes can be replaced with a message without damaging or
replacing the original content, by which the secret message is
hidden in the file or image.
Another way is that a message can be directly injected into a
file or image. But in this way, the size of the file is increased
accordingly, depending on the size of the secret message.
Least Significant Bit (LSB) insertion is the most widely known
algorithm for image steganography, it involves the modification
of the LSB layer of the image. In this technique, the message is
stored in the LSB of the pixels which could be considered as
random noise. Thus, altering them does not have any obvious
effect on the image.
Techniques for steganography
The most common in digital steganography are:
─ Image-based techniques: the carrier is an image. Usually, one
hides messages in the noise component of a given image.
─ Sound-based techniques: the carrier is sound.
─ Text-based techniques: can consist of typos, spacing schemes,
rendering mistakes etc. in order to convey messages.
─ Network packets: hiding is performed in the unused headers
of a TCP/IP packet.
─ OS-hiding: embedding in unused portions of the hard drive.
Classification of Steganography Techniques:
Spatial Domain Techniques: These techniques use the pixel gray
levels and their color values directly for encoding the message
bits. These techniques are some of the simplest schemes in
terms of embedding and extraction complexity. The most
common algorithm belonging to this class of techniques is the
Least Significant Bit (LSB) Replacement technique in which the
LSB of the binary representation of the pixel gray levels is used
to represent the message bit.
Transform Domain Techniques: These techniques try to
encode message bits in the transform domain coefficients of the
image. Data embedding performed in the transform domain is
widely used for robust watermarking. Similar techniques can
also realize large capacity embedding for Steganography.
Candidate transforms include discrete cosine transform (DCT),
discrete wavelet transform (DWT), and discrete Fourier
transform (DFT).
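The LSB replacement technique described in the two passages above (the "How it works" section and the spatial-domain classification) can be demonstrated end to end. The following is an added example, not code from the lecture notes: the carrier is a constructed 8-bit grayscale "image" held in a bytearray (a real image would be its decoded pixel bytes), and the framing, a 32-bit big-endian length header written before the payload so the extractor knows how many bytes to read, is an assumption of this example rather than any standard format. It also shows the capacity check and that each pixel changes by at most one gray level, which is why the embedding looks like noise.

```python
"""LSB image steganography: embed and extract, with a capacity check.

Added example for the lecture notes; the carrier and framing are constructed.
"""
from typing import Iterator

HEADER_BITS = 32  # assumed framing: a 32-bit big-endian payload length comes first


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(carrier: bytes) -> int:
    """Payload bytes that fit at one bit per pixel, after the length header."""
    return max(0, (len(carrier) - HEADER_BITS) // 8)


def embed(carrier: bytes, message: bytes) -> bytearray:
    """Replace the least significant bit of successive pixels with message bits."""
    if len(message) > capacity_bytes(carrier):
        raise ValueError(
            f"message of {len(message)} bytes exceeds carrier capacity "
            f"of {capacity_bytes(carrier)} bytes")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return stego


def extract(stego: bytes) -> bytes:
    """Read the length header from the LSBs, then that many payload bytes."""
    if len(stego) < HEADER_BITS:
        raise ValueError("carrier too small to hold a length header")

    def read_bits(start: int, count: int) -> int:
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (stego[i] & 1)
        return value

    length = read_bits(0, HEADER_BITS)
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("length header does not fit the carrier: no valid payload")
    return bytes(read_bits(HEADER_BITS + k * 8, 8) for k in range(length))


def max_pixel_change(carrier: bytes, stego: bytes) -> int:
    """Largest per-pixel change introduced by embedding (1 for pure LSB replacement)."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


# Constructed carrier: a 32x32 8-bit gradient, standing in for real image pixels.
SAMPLE_CARRIER = bytes((x * 7 + y * 3) % 256 for y in range(32) for x in range(32))

if __name__ == "__main__":
    stego = embed(SAMPLE_CARRIER, b"meet at noon")
    print(extract(stego))                           # b'meet at noon'
    print(max_pixel_change(SAMPLE_CARRIER, stego))  # 1
```

The 1024-pixel carrier holds 124 payload bytes; the length header is what lets the extractor stop at the right place instead of decoding noise, and a header that claims more bytes than the carrier can hold is rejected rather than read out of bounds.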

DoS - Attack
In this type of criminal act, the attacker floods the bandwidth of
the victim's network or fills his E-Mail box with Spam mail,
depriving him of the services he is entitled to access or provide.
Although the means to carry out, motives for, and targets of a
DoS attack may vary, it generally consists of the concerted
efforts of a person or people to prevent an Internet site or
service from functioning efficiently or at all, temporarily or
indefinitely. The attackers typically target sites or services
hosted on high-profile web servers such as banks, credit card
payment gateways, mobile phone networks and even root name
servers (i.e., domain name servers). A buffer overflow technique
may be employed to commit such an attack, and so may
spoofing. The term IP address spoofing refers to the creation of
IP packets with a forged (spoofed) source IP address with the
purpose of concealing the identity of the sender or impersonating
another computing system. A packet is a formatted unit of data
carried by a packet-mode computer network. The attacker spoofs
the IP address and floods the network of the victim with
repeated requests. As the IP address is fake, the victim machine
keeps waiting for a response from the attacker's machine for each
request. This consumes the bandwidth of the network, which
then fails to serve legitimate requests and ultimately breaks
down.
The United States Computer Emergency Response Team
defines symptoms of DoS attacks to include:
• Unusually slow network performance (opening files or
accessing websites);
• Unavailability of a particular website;
• Inability to access any website;
• Dramatic increase in the number of Spam E-Mails received
(this type of DoS attack is termed an E-Mail bomb).
The goal of DoS is not to gain unauthorized access to systems or
data, but to prevent intended users (i.e., legitimate users) of a
service from using it. A DoS attack may do the following:
• Flood a network with traffic, thereby preventing legitimate
network traffic.
• Disrupt connections between two systems, thereby preventing
access to a service.
• Prevent a particular individual from accessing a service.
• Disrupt service to a specific system or person.
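The symptoms listed above are what an operator notices; on the server side, a flood shows up first as an abnormal request rate in the access log, either from one source (a plain DoS) or spread thinly over many sources (the DDoS pattern the next section describes). The following added example, not code from the lecture notes, parses constructed Apache/Nginx combined-format log lines, buckets requests into fixed 10-second windows and raises an alert for either pattern. The sample traffic, the IP addresses (documentation ranges) and the thresholds are all assumptions; a real deployment tunes the thresholds to its own baseline.

```python
"""Flood detection over web-server access-log lines (per-source and aggregate).

Added example for the lecture notes; the log lines below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed observation period (not a real capture).
BASE = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)


def _line(ip: str, second: int, path: str = "/index.html", method: str = "GET") -> str:
    """Build one constructed log line `second` seconds after BASE."""
    ts = (BASE + timedelta(seconds=second)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 1043'


SAMPLE_LOG = [_line("198.51.100.2", 0), _line("198.51.100.3", 2, "/about"), _line("198.51.100.4", 5)]
# One source hammering the login form within the first window: a single-source flood.
SAMPLE_LOG += [_line("203.0.113.9", i % 8, "/login", "POST") for i in range(60)]
# Thirty sources, five requests each, in the next window: a distributed flood.
SAMPLE_LOG += [_line(f"192.0.2.{k + 1}", 15 + r, "/") for k in range(30) for r in range(5)]
SAMPLE_LOG.append("garbage line that a real log could contain - must not crash the analysis")


def analyse(lines, window_s=10, per_ip_limit=20, total_limit=100, min_sources=10):
    """Bucket requests into fixed windows and flag two flood patterns.

    Returns (alerts, malformed); each alert is
    (kind, window_start_epoch, source_ip_or_None, request_count).
    The thresholds are assumptions to be tuned to the site's normal traffic.
    """
    buckets = defaultdict(Counter)  # window start -> requests per source IP
    malformed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            malformed += 1  # count, do not crash: attackers also send junk
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        start = int(ts.timestamp()) // window_s * window_s
        buckets[start][m["ip"]] += 1

    alerts = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        for ip, n in per_ip.most_common():
            if n > per_ip_limit:
                alerts.append(("single-source flood", start, ip, n))
        total = sum(per_ip.values())
        # Many distinct sources each staying under the per-IP limit is the DDoS signature.
        if total > total_limit and len(per_ip) >= min_sources:
            alerts.append(("distributed flood", start, None, total))
    return alerts, malformed


if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"{bad} malformed line(s) skipped")
```

The two checks are deliberately separate: a per-IP threshold alone never fires on the distributed case, because each zombie stays below it, which is exactly why DDoS is harder to filter than a single flooding host.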
DDoS - Attack
In a DDoS attack, an attacker may use your computer to attack
another computer. By taking advantage of security
vulnerabilities or weaknesses, an attacker could take control of
your computer. He/she could then force your computer to send
huge amounts of data to a website or send Spam to particular
E-Mail addresses. The attack is "distributed" because the
attacker is using multiple computers, including yours, to launch
the DoS attack.
A DDoS attack is a distributed DoS wherein a large number of
zombie systems are synchronized to attack a particular system.
The zombie systems are called "secondary victims" and the
main target is called "primary victim."
Tools used to launch DDoS attack
1. Trinoo: It is a set of computer programs to conduct a DDoS
attack. It is believed that Trinoo networks have been set up on
thousands of systems on the Internet that have been
compromised by remote buffer overrun exploit.
2. Tribe Flood Network (TFN): It is a set of computer
programs to conduct various DDoS attacks such as ICMP flood,
SYN flood, UDP flood and Smurf attack.
3. Stacheldraht: It is written by Random for Linux and Solaris
systems, which acts as a DDoS agent. It combines features of
Trinoo with TFN and adds encryption.
4. Shaft: This network looks conceptually similar to a Trinoo; it
is a packet flooding attack and the client controls the size of the
flooding packets and duration of the attack.
5. MStream: It uses spoofed TCP packets with the ACK flag set
to attack the target. Communication is not encrypted and is
performed through TCP and UDP packets. Access to the
handler is password protected. This program has a feature not
found in other DDoS tools: it informs all connected users of
access attempts, successful or not, to the handler(s) by
competing parties.
Lecture 27
SQL Injection
Structured Query Language (SQL) is a database computer
language designed for managing data in relational database
management systems (RDBMS). SQL injection is a code
injection technique that exploits a security vulnerability
occurring in the database layer of an application. The
vulnerability is present when user input is either filtered
incorrectly for string literal escape characters embedded in SQL
statements or user input is not strongly typed and thereby
unexpectedly executed. It is an instance of a more general class
of vulnerabilities that can occur whenever one programming or
scripting language is embedded inside another. SQL injection
attacks are also known as SQL insertion attacks.
Attackers target the SQL servers - common database servers
used by many organizations to store confidential data. The
prime objective behind SQL injection attack is to obtain the
information while accessing a database table that may contain
personal information such as credit card numbers, social
security numbers or passwords. During an SQL injection attack,
Malicious Code is inserted into a web form field or the website's
code to make a system execute a command shell or other
arbitrary commands. Just as a legitimate user enters queries and
additions to the SQL database via a web form, the attacker can
insert commands to the SQL server through the same web form
field. For example, an arbitrary command from an attacker
might open a command prompt or display a table from the
database. This makes an SQL server a high-value target and
therefore a system that is very attractive to attackers.
The attacker determines whether a database and the tables
residing in it are vulnerable before launching an attack. Many
webpages take parameters from the web user and make an SQL
query to the database. For example, when a user logs in with a
username and password, an SQL query is sent to the database to
check if the user has a valid name and password. With SQL
injection, it is possible for an attacker to send a crafted
username and/or password field that will change the SQL query.

Steps for SQL Injection Attack
Following are some steps for an SQL injection attack:
1. The attacker looks for webpages that allow submitting data,
that is, login page, search page, feedback, etc. The attacker also
looks for webpages that use the HTML commands POST or
GET by checking the site's source code.
2. To check the source code of any website, right click on the
webpage and click on "view source"; the source code is
displayed in Notepad. The attacker checks the HTML source
code and looks for the "FORM" tag. Everything between
<FORM> and </FORM> has potential parameters that might be
useful to find the vulnerabilities.
3. The attacker inputs a single quote into the text box provided
on the webpage to accept the username and password. This
checks whether the user-input variable is sanitized or interpreted
literally by the server. If the response is an error message such
as use "a"="a" (or something similar), then the website is found
to be susceptible to an SQL injection attack.
4. The attacker uses SQL commands such as the SELECT
statement to retrieve data from the database or the INSERT
statement to add information to the database.
Here are few examples of variable field text the attacker uses on
a webpage to test for SQL vulnerabilities:
Blah' or 1=1--
Login: blah'or 1=1--
Password:: blah' or 1=1--
http://search/index.asp?id =blah'or 1=1--
Similar SQL commands may allow bypassing of a login and
may return many rows in a table or even an entire database table
because the SQL server is interpreting the terms literally. The
double dashes near the end of the command tell SQL to ignore
the rest of the command as a comment.
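The mechanics of the login bypass above, and the single-quote probe from step 3, can be reproduced against a throwaway database, with the fix beside the flaw. The following is an added example, not code from the lecture notes: it assumes an in-memory SQLite database with a constructed `users` table (the password is stored in plaintext only to keep the injection visible; a real system stores a salted hash), and it uses the exact `blah' or 1=1--` string from the notes. `login_vulnerable` splices user input into the SQL text, the pattern the notes describe; `login_safe` is the parameterized form that defeats it.

```python
"""Login query built by string concatenation versus a parameterized query.

Added example for the lecture notes; the database and user row are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (plaintext password only for illustration)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The flawed pattern: user input becomes part of the SQL text, so a quote in
    the input closes the literal and everything after it is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: the driver passes the values separately, so they are
    compared as data and never parsed as SQL, whatever characters they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def raises_sql_error(login, conn, probe: str = "'") -> bool:
    """The single-quote probe from step 3: a syntax error coming back from the
    database is the tell-tale sign that input reaches the SQL parser unescaped."""
    try:
        login(conn, probe, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "blah' or 1=1--"  # the test string from the notes
    print(login_vulnerable(db, payload, "wrong"))  # ['alice']: login bypassed
    print(login_safe(db, payload, "wrong"))        # []: treated as a literal username
    print(raises_sql_error(login_vulnerable, db),  # True
          raises_sql_error(login_safe, db))        # False
```

With the vulnerable function the statement the database actually sees is `... WHERE username = 'blah' or 1=1--' AND password = 'wrong'`: the `or 1=1` makes the condition true for every row and the `--` comments out the password check, which is the "interpreting the terms literally" behaviour the notes describe. The safe function never lets the input reach the parser, so the same string is simply a username that does not exist.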
Blind SQL Injection
Blind SQL injection is used when a web application is
vulnerable to an SQL injection but the results of the injection
are not visible to the attacker. The page with the vulnerability
may not be the one that displays data; however, it will display
differently depending on the results of a logical statement
injected into the legitimate SQL statement called for that page.
This type of attack can become time-intensive because a new
statement must be crafted for each bit recovered. There are
several tools that can automate these attacks once the location of
the vulnerability and the target information have been
established.
In summary, using SQL injections, attackers can:
• Obtain some basic information if the purpose of the attack is
reconnaissance.
• Gain access to the database by obtaining usernames and their
passwords.
• Add new data to the database by executing the INSERT
command: this may enable selling politically incorrect items on
an E-Commerce website.
• Modify data currently in the database by executing the
UPDATE command: this may be used to have an expensive
item suddenly be deeply "discounted."
Lecture 28
Buffer Overflow
Buffer overflow, or buffer overrun, is an anomaly where a
process stores data in a buffer outside the memory the
programmer has set aside for it. The extra data overwrites
adjacent memory, which may contain other data including
program variables and program flow control data. This may
result in erratic program behavior, including memory access
errors, incorrect results, program termination (a crash) or a
breach of system security.
Buffer overflows can be triggered by inputs that are designed to
execute code or alter the way the program operates. They are,
thus, the basis of many software vulnerabilities and can be
maliciously exploited. Bounds checking can prevent buffer
overflows.
Programming languages commonly associated with buffer
overflows include C and C++, which provide no built-in
protection against accessing or overwriting data in any part of
memory and do not automatically check that data written to an
array (the built-in buffer type) is within the boundaries of
that array.
Buffer overflow occurs when a program or process tries to store
more data in a buffer (temporary data storage area) than it was
intended to hold. As buffers are created to contain a finite
amount of data, the extra information - which has to go
somewhere - can overflow into adjacent buffers, corrupting or
overwriting the valid data held in them. Although it may occur
accidentally through programming error, buffer overflow is an
increasingly common type of security attack on data integrity.
Knowledge of C, C++ or another language close to the machine
(i.e., assembly language) is essential to understand buffer
overflow, as basic knowledge of process memory layout is very
important. A buffer is a contiguous allocated chunk of memory
such as an array or a pointer in C. In C/C++ there is no
automatic bounds checking on the buffer - which means a user
can write past a buffer. For example,

int main()
{
    int buffer[10];   /* room for 10 ints: valid indices are 0..9 */
    buffer[20] = 10;  /* writes past the end of the array: compiles
                         without error, undefined behaviour at run time */
    return 0;
}

This C program is a valid program and every compiler can
compile it without any errors. However, the program attempts to
write beyond the allocated memory for the buffer, which might
result in unexpected behavior.

Types of Buffer Overflow
Stack-Based Buffer Overflow
Stack buffer overflow occurs when a program writes to a
memory address on the program's call stack outside the intended
data structure - usually a fixed-length buffer. Here are the
characteristics of stack-based programming:
• "Stack" is a memory space in which automatic variables are
allocated.
• Function parameters are allocated on the stack and are not
automatically initialized by the system, so they usually have
garbage in them until they are initialized.
• Once a function has completed its cycle, the reference to the
variable in the stack is removed.
The attacker may exploit stack-based buffer overflows to
manipulate the program in various ways by overwriting:
• A local variable that is near the buffer in memory on the stack,
to change the behavior of the program in a way that may benefit
the attacker.
• The return address in a stack frame. Once the function returns,
execution will resume at the return address as specified by the
attacker, usually a user-input-filled buffer.
• A function pointer, or exception handler, which is subsequently
executed.
The factors that an exploit has to overcome are:
• Null bytes in addresses;
• Variability in the location of shellcode;
• Differences between environments.
NOPs
NOP or NOOP (short form of no operation or no operation
performed) is an assembly language instruction/command that
effectively does nothing at all. The explicit purpose of this
command is not to change the state of status flags or memory
locations in the code. This means NOP enables the developer to
force memory alignment or to act as a placeholder to be replaced
by active instructions later on in program development.
The NOP opcode can be used to form a NOP slide, which allows
code to execute when the exact value of the instruction pointer
is indeterminate. It is the oldest and most widely used technique
for successfully exploiting a stack buffer overflow. It removes
the need to know the exact address of the buffer by effectively
increasing the size of the target stack buffer area.
Heap Buffer Overflow
Heap buffer overflow occurs in the heap data area and may be
introduced accidentally by an application programmer, or it may
result from a deliberate exploit. In either case, the overflow
occurs when an application copies more data into a buffer than
the buffer was designed to contain. A routine is vulnerable to
exploitation if it copies data to a buffer without first verifying
that the source will fit into the destination. The characteristics of
heap-based programming are as follows:
• "Heap" is a "free store", that is, a memory space where
dynamic objects are allocated.
• The heap is the memory space that is dynamically allocated by
new, malloc() and calloc(); it is different from the memory
space allocated for the stack and the code.
• Dynamically created variables are created on the heap at run
time (calloc() initializes them to zeros) and are stored in
memory until the life cycle of the object has completed.
Memory on the heap is dynamically allocated by the application
at run-time and normally contains program data. Exploitation is
performed by corrupting this data in specific ways to cause the
application to overwrite internal structures such as linked list
pointers. The canonical heap overflow technique overwrites
dynamic memory allocation linkage and uses the resulting
pointer exchange to overwrite a program function pointer.
Lecture 29
Organizational Implications Introduction
Lecture 30
Cyber crimes and IPR issues

With the growth in the use of the Internet these days, cyber
crimes are also growing. Cyber theft of Intellectual Property (IP)
is one of them. Cyber theft of IP means the stealing of copyrights,
trade secrets, patents etc. using the Internet and computers.
Copyrights and trade secrets are the two forms of IP that are
most frequently stolen, for example software, a unique recipe for
a well-known dish, business strategies etc. Generally, the stolen
material is sold to rivals or others for further sale of the product.
This may result in a huge loss to the company that originally
created it.
Earlier, a lot of physical labour, time and money was spent to
steal a trade secret or make a pirated version of anything. The
original copies had to be physically stolen, which used to take a
lot of time and money. But in the present scenario these things
can be done easily sitting in one place, without spending too
much time and money on it and without leaving any proof.
One of the major forms of cyber theft of IP faced by India is
piracy. These days one can get pirated versions of movies,
software etc. Piracy results in a huge loss of revenue to the
copyright holder. It is difficult to find the cyber thieves and
punish them because everything they do is over the Internet, so
they erase the data immediately and disappear within a fraction
of a second. The country has started taking strict measures to
curb this offence. The Telangana Intellectual Property Crime
Unit (TIPCU) is one of the first units that has been launched to
deal with IP crime.
Some of the ways through which one can protect IP from cyber
theft are:
• Frequently updating the list of IP assets that need to be
secured.
• The company can increase the security required to access its
trade secrets.
• It can reduce the number of people who can access its trade
secrets.
• The company needs to be up to date with its software systems.
• Constantly checking for unusual cyber activities.
• Constantly educating employees about cyber security.
• Constructing threat-mitigating programmes.
• Installing up-to-date anti-virus software.
• Allowing employees to reach only some classified data.
Even after taking all these steps to protect IP, there is no
guarantee that it cannot be stolen, because human dependence
on the Internet is growing constantly and people come up with
new ways to do even small things; so even in this case cyber
thieves may come up with new ways to crack all these security
systems.

Types of intellectual property
Intellectual property includes copyrights, trademarks, patents
and trade secrets. Each form of intellectual property is explored
in further detail below.

Copyrights
Copyrights include "literary and artistic works," which are
described in Article 2(1) of the Berne Convention for the
Protection of Literary and Artistic Works of 1886 as,
The expression 'literary and artistic works' shall include every
production in the literary, scientific and artistic domain,
whatever may be the mode or form of its expression, such as
books, pamphlets and other writings; lectures, addresses,
sermons and other works of the same nature; dramatic or
dramatico-musical works; choreographic works and
entertainments in dumb show; musical compositions with or
without words; cinematographic works to which are assimilated
works expressed by a process analogous to cinematography;
works of drawing, painting, architecture, sculpture, engraving
and lithography; photographic works to which are assimilated
works expressed by a process analogous to photography; works
of applied art; illustrations, maps, plans, sketches and
three-dimensional works relative to geography, topography,
architecture or science.
In addition to the Berne Convention, the International
Convention for the Protection of Performers, Producers of
Phonograms and Broadcasting Organisations of 1961 (Rome
Neighbouring Rights Convention) also protects copyrights and
delineates the rights of copyright holders. The World
Intellectual Property Organization (WIPO), the International
Labour Organization (ILO) and the United Nations Educational,
Scientific and Cultural Organization (UNESCO) jointly
administer this convention. WIPO, ILO and UNESCO also
jointly administer the Convention for the Protection of
Producers of Phonograms Against Unauthorized Duplication of
Their Phonograms of 1971 (Geneva Phonograms Convention).
"Recognizing the profound impact of the development and
convergence of information and communication technologies on
the production and use of performances and phonograms,"
WIPO's Performances and Phonograms Treaty of 1996 covers
the rights of "performers (actors, singers, musicians, etc.);
and …producers of phonograms (persons or legal entities that
take the initiative and have the responsibility for the fixation of
sounds)" "in the digital environment" (WIPO, n.d.).
Additionally, WIPO's Copyright Treaty of 1996, "a special
agreement under the Berne Convention…[,] deals with the
protection of works and the rights of their authors in the digital
environment…[including] computer programs, whatever the
mode or form of their expression… and …compilations of data
or other material ("databases")" (WIPO, "WIPO Copyright
Treaty"). National laws (e.g., Burundi, Law No. 1/021 of 30
December 2005, on the Protection of Copyright and Related
Rights) and regional treaties also exist that protect copyrights
(e.g., Organization of American States (OAS) Inter-American
Convention on the Rights of the Author in Literary, Scientific,
and Artistic Works of 1947).
The infringement of copyright protection online is known
as digital piracy, which involves the uploading, streaming,
downloading and sharing of copyrighted works (e.g., books,
music, and films) beyond authorization for access, use and
distribution prescribed by law. A case in point was Napster, an
online platform that enabled the illegal distribution of music
through peer-to-peer file sharing ( A&M Records, Inc. v.
Napster, Inc., 2001). Copyright infringement also occurred on
other peer-to-peer file sharing and Torrent sites (such as Kazaa,
Limewire, and PirateBay), and cryptolockers (i.e., sites that
provide cloud storage and sharing services to clients; e.g.,
Megaupload) (Drath, 2012). Like other forms of cyber-enabled
intellectual property crime, digital piracy deprives the authors
and publishers of copyrighted works of economic returns on
their creations, property and labour. For example, HBO (a US
channel network that requires viewers to pay to view content)
experienced millions of dollars in lost US revenue when
episodes of one of its TV series, Game of Thrones, were leaked
online for free viewing (Denham, 2015). Scripts of Game of
Thrones episodes and the unaired episodes of HBO TV
shows were also leaked online following a data breach that HBO
experienced in 2017 (Gibbs, 2017).

Trademarks
Trademarks are identifiers that distinguish the source of a good
or service (Maras, 2016). This source can be either a business,
person or geographical location. Trademarks can include logos,
symbols, designs, names, and slogans, among other things,
which belong to and distinguish between goods, services, and
brands. The identifiers that make up trademarks acquire value
through the labour, money, knowledge, and the skills of the
trademark owners. The value acquired is based on the
characteristics, quality and/or reliability of the good or service.
Trademarks protect owners of the trademark from unfair
competition practices that seek to profit from the owner's
investment in the development and/or provision of the good or
service (WIPO, 1993). Trademarks also protect consumers by
helping them recognize the source of a good or service.

Patents
Patents are novel and unique creations, innovations, and
inventions that have been registered with a governing body,
which may extend protections nationally and/or internationally.
Patents proscribe the use and exploitation of innovations without
the authorization (i.e., explicit consent or permission) of the
patent owner. Design patents (or industrial designs) are also a
protected form of intellectual property. Industrial designs are
considered a form of intellectual property because these designs
are created with the specific purpose of being aesthetically
pleasing to consumers and impacts consumers' choices between
products. Industrial designs, therefore, impact the marketability
and commercial value of products (WIPO, 2006).
Lecture 31
Web threats for Organizations

Cyber attackers are day by day changing their attacking
techniques and gaining access to organizations' systems. There
are different types of security threats to organizations, which can
affect the business continuity of an organization. So, there is no
way to be completely sure that an organization is free from cyber
security threats or attacks.

TYPES OF SECURITY THREATS TO ORGANIZATIONS
We will discuss different types of security threats to
organizations, which are as follows:
1. COMPUTER VIRUSES
A virus is a software program that can spread from one
computer to another computer or one network to another
network without the user’s knowledge and performs malicious
attacks.
It has capability to corrupt or damage organization’s sensitive
data, destroy files, and format hard drives.
HOW DOES A VIRUS ATTACK?
There are different ways that a virus can spread or attack,
such as:
• Clicking on an executable file
• Installing free software and apps
• Visiting an infected and unsecured website
• Clicking on an advertisement
• Using infected removable storage devices, such as USB drives
• Opening spam email or clicking on a URL link
• Downloading free games, toolbars, media players and other
software.

2. TROJAN HORSE
A Trojan horse is malicious code or a program developed by
hackers and disguised as legitimate software to gain access to an
organization's systems. It is designed to delete, modify,
damage, block, or take some other harmful action on
your data or network.
HOW DOES A TROJAN HORSE ATTACK?
• The victim receives an email with an attachment that looks
like an original official email. The attachment can contain
malicious code that is executed as soon as the victim clicks on
the attachment file.
• In that case, the victim does not suspect or understand that
the attachment is actually a Trojan horse.

3. ADWARE
Adware is a software program that contains commercial and marketing related advertisements, such as display advertisements through pop-up windows or bars, banner ads, and video on your computer screen. Its main purpose is to generate revenue for its developer by serving different types of advertisements to an internet user.
HOW DOES ADWARE ATTACK?
 When you click on such an advertisement, it redirects you to an advertising website and collects information from you.
 It can also be used to steal your sensitive information and login credentials by monitoring your online activities and selling that information to third parties.
4. SPYWARE
Spyware is an unwanted type of security threat to organizations which is installed on a user’s computer and collects sensitive information, such as personal or business information, login credentials and credit card details, without the user’s knowledge. This type of threat monitors your internet activity, tracks your login credentials and spies on your sensitive information. So every organization and individual should take action to prevent spyware by using anti-virus software and a firewall, and by downloading software only from trusted sources.
HOW DOES SPYWARE INSTALL?
It can install itself automatically on your computer, arrive as a hidden component of a software package, or be installed like traditional malware through deceptive ads, email and instant messages.
5. WORM
A computer worm is a type of malicious software or program that spreads within the network it is connected to and copies itself from one of an organization’s computers to another.
HOW DOES A WORM SPREAD?
It can spread without any human assistance by exploiting security holes in software, and it tries to gain access in order to steal sensitive information, corrupt files and install a back door for remote access to the system.
6. DENIAL-OF-SERVICE (DOS) ATTACKS
Denial-of-Service is an attack that shuts down a machine or network or makes it inaccessible to its users. It typically floods a targeted system with requests until normal traffic can no longer be processed, resulting in denial of service to users.
HOW DOES A DOS ATTACK WORK?
 It occurs when an attacker prevents legitimate users from accessing specific computer systems, devices or other resources.
 The attacker sends too much traffic to the target server.
 Overloaded with this traffic, the server is overwhelmed, which takes down websites, email servers and other services connected to the Internet.
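As an added example (not part of the lecture notes), the flood pattern just described can be spotted in a web-server access log by counting requests per source address inside a sliding time window; the log lines below are constructed sample data, and the window size and threshold are assumed values.

```python
# Added example, not from the lecture notes: detecting a request flood by
# counting requests per source address in a sliding window over web-server
# access-log lines. The log lines are constructed sample data (Common Log
# Format); the window length and threshold are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed log line, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return match.group("ip"), datetime.strptime(match.group("ts"), TS_FORMAT)


def find_floods(lines, window_seconds=10, threshold=50):
    """Return {ip: timestamp} for each source that sent at least `threshold`
    requests within any `window_seconds`-long span (log assumed chronological)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines rather than crash
        ip, ts = parsed
        queue = recent[ip]
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()       # drop requests that fell out of the window
        if len(queue) >= threshold and ip not in flagged:
            flagged[ip] = ts      # first moment this source crossed the threshold
    return flagged


def make_sample_log():
    """Constructed sample: one normal client plus one flooding client."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    events = []
    for i in range(30):           # normal: one request every 2 seconds
        events.append((base + timedelta(seconds=2 * i), "203.0.113.7", "GET /index.html"))
    for i in range(200):          # flood: 200 requests inside 4 seconds
        events.append((base + timedelta(milliseconds=20 * i), "198.51.100.2", "GET /"))
    events.sort()
    return [
        f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{req} HTTP/1.1" 200 512'
        for ts, ip, req in events
    ]


if __name__ == "__main__":
    for ip, when in find_floods(make_sample_log()).items():
        print(f"{ip} exceeded the request threshold at {when.isoformat()}")
```

A per-source count only catches a flood from a few addresses; a distributed flood spread across many sources needs an aggregate total per window as well.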

7. PHISHING
Phishing is a type of social engineering attack that attempts to gain confidential information such as usernames, passwords, credit card information, login credentials and so on.
HOW DOES A PHISHING ATTACK WORK?
 In a phishing email attack, the attacker sends the victim an email that looks like it came from the victim’s bank, asking them to provide their personal information.
 The message contains a link, which redirects the victim to another, fraudulent website that steals their information.
 So it is better not to open or click on such emails, and not to provide your sensitive information.
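As an added example that is not from the lecture notes, the two traits just described, a sender address that does not match the bank it claims to be and a link whose visible text does not match where it points, can be checked automatically; the message, brand name and trusted domain below are constructed assumptions.

```python
# Added example, not from the lecture notes: flagging two phishing traits in an
# e-mail: a sender whose display name claims to be the bank but whose address
# is on a look-alike domain, and a link whose visible text names the bank's
# site while its href points elsewhere. The message, the brand name and the
# trusted domain are constructed assumptions.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_NAME = "example bank"           # assumption: the organization's brand
TRUSTED_DOMAIN = "example-bank.test"  # assumption: its legitimate domain

# Constructed sample phishing message (RFC 5322 headers plus an HTML body).
CONSTRUCTED_MESSAGE = """\
From: "Example Bank Security" <alerts@example-bank-login.test>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Please
<a href="http://198.51.100.7/verify">log in at https://www.example-bank.test</a>
to confirm your details.</p>
<p>Read our <a href="https://www.example-bank.test/help">help pages</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude domain comparison on the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def host_named_in_text(text):
    """Host of the first http(s) URL written in the link's visible text, or ''."""
    for token in text.split():
        if token.lower().startswith(("http://", "https://")):
            return urlparse(token).hostname or ""
    return ""


def analyze_message(raw):
    """Return human-readable findings; an empty list means no trait matched."""
    msg = message_from_string(raw)
    findings = []

    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if BRAND_NAME in display.lower() and registrable(sender_domain) != TRUSTED_DOMAIN:
        findings.append(f"sender claims to be {BRAND_NAME!r} but mails from {sender_domain}")

    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        shown_host = host_named_in_text(text)
        if shown_host and registrable(shown_host) != registrable(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        elif registrable(href_host) != TRUSTED_DOMAIN:
            findings.append(f"link points to untrusted host {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(CONSTRUCTED_MESSAGE):
        print("suspicious:", finding)
```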

8. SQL INJECTION
SQL injection is a type of injection attack and one of the most common web hacking techniques; it allows an attacker to control the back-end database in order to change or delete data.
HOW DOES A SQL INJECTION ATTACK WORK?
It is an application security weakness: when an application fails to properly sanitize the SQL statements it builds, an attacker can include their own malicious SQL commands and so access the organization’s database. The attacker includes the malicious code in SQL statements via web page input.
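As an added example (not from the lecture notes), the same login query is shown below both with the weakness just described, input concatenated into the statement text, and in the hardened parameterized form; the table and its accounts are constructed sample data.

```python
# Added example, not from the lecture notes: the same login lookup written two
# ways against an in-memory SQLite table. login_unsafe() splices the web-page
# input into the statement text, which is the weakness described above;
# login_safe() passes the input as bound parameters, so the database treats it
# purely as data. The table contents are constructed sample data; passwords
# are stored in plain text only to keep the example short (real systems store
# password hashes).
import sqlite3


def make_db():
    """Create an in-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable: input is concatenated into the SQL text, so quote characters
    in the input change the statement's structure instead of being compared."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Hardened: placeholders are bound by the driver; the input can never be
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    # A legitimate login behaves the same in both versions.
    print(login_unsafe(conn, "alice", "correct-horse"), login_safe(conn, "alice", "correct-horse"))
    # The textbook tautology "' OR '1'='1" turns the unsafe WHERE clause into
    # ... AND password = '' OR '1'='1', which matches every row; the safe
    # version looks for that literal string as a password and matches nothing.
    tautology = "' OR '1'='1"
    print(login_unsafe(conn, "x", tautology))  # ['alice', 'bob']
    print(login_safe(conn, "x", tautology))    # []
```
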
9. ROOTKIT
A rootkit is a malicious program that installs and executes malicious code on a system without the user’s consent in order to gain administrator-level access to a computer or network system. There are different types of rootkit, such as bootkits, firmware rootkits, kernel-level rootkits and application rootkits.
HOW DOES A ROOTKIT INSTALL?
A computer can be infected by sharing infected disks or drives. A rootkit is typically installed using a stolen password, or by exploiting system vulnerabilities, social engineering tactics and phishing techniques, without the victim’s knowledge.
10. MALWARE
Malware is software, typically consisting of a program or code, that is developed by cyber attackers. It is a type of cyber security threat to organizations that is designed to cause extensive damage to systems or to gain unauthorized access to a computer.
HOW DOES MALWARE ATTACK?
 There are different ways in which malware can infect a device. For example, it can be delivered in the form of a link or file over email, in which case it requires the user to click on the link or open the file to execute the malware.
 This type of attack includes computer viruses, worms, Trojan horses and spyware.
11. RANSOMWARE
Ransomware is a type of security threat that blocks access to a computer system and demands bitcoin in return for restoring access to the system. The most dangerous ransomware attacks have been WannaCry, Petya, Cerber, Locky and CryptoLocker, among others.
HOW DOES RANSOMWARE INSTALL?
All such threats are typically installed on a computer system in the following ways:
 When the user downloads and opens a malicious email attachment
 When the user installs infected software or apps
 When the user visits a malicious or vulnerable website
 When the user clicks on an untrusted web link or image

12. DATA BREACH
A data breach is a security threat that exposes confidential or protected information: the information is accessed from a system without the authorization of the system’s owner. The information may be sensitive, proprietary or confidential, such as credit card numbers, customer data or trade secrets.
13. ZERO DAY ATTACK
A zero day attack is an application-based cyber security threat that exploits a security vulnerability in computer software or an application that is not yet known. When an organization is about to launch an application, it does not know what kinds of vulnerability are in it.
HOW DOES A ZERO DAY ATTACK WORK?
 It happens when a patch has not yet been released, or the software developers were unaware of the vulnerability or did not have sufficient time to fix it in the application.
 If the vulnerability is not fixed by the developer, it can affect computer programs, data or a network.
14. CARELESS EMPLOYEES OF THE ORGANIZATION
Employees are the greatest security risk for any organization, because they know everything about the organization, such as where the sensitive information is stored and how to access it. In addition to malicious attacks, careless employees are another type of cyber security threat to organizations.
HOW DOES THE ATTACK HAPPEN?
They use very simple passwords so that they are easy to remember, and they also share passwords. Another common problem is employees opening suspicious email attachments, clicking on links or visiting malicious websites, which can introduce malware into the system.
Lecture 32
Social media Marketing

Whether you want to attribute it to the rise of interconnected devices in the IoT revolution or just the growing instances of cybercrime, the cyber security industry has seen immense growth in recent years and shows no signs of stopping. In fact, according to a Cybersecurity Market Report published by Cybersecurity Ventures, worldwide spending on cybersecurity products and services is predicted to surpass $1 trillion from now until 2021. This should come as no surprise given that the average annual cost of cyberattacks worldwide is about $9.5 million, according to Ponemon Institute.
Though there is clearly a need for effective cyber security
products and services, there are also many solutions on the
market, making it more difficult to capture the attention of your
target audience. If your company wants to improve demo
sign-ups and drive sales, you’ll need to find ways to make your
service stand out in the crowd.
Having worked with cyber security clients, we understand that it
can be a challenge to stand out in the crowd and communicate
the value of your brand. Over the past few years, we’ve
identified a number of tactics that work well for cyber security
companies and that ultimately generate demo trials and increase
sales.
Below, we’ll discuss why cyber security marketing can be such
a challenge and what marketing techniques cyber security
organizations can use to improve their reach and conversions.
Why Cyber Security Marketing Can Be a Challenge
Before we get into how exactly to develop cyber security
marketing that actually works, let’s look at the challenges that
often stand in the way of marketers in this industry. Here are
just a few of the roadblocks you may face when trying to get
your target audience to sign up for a demo:

There is already a lot of competition out there.
New cyber security companies are popping up all the time in response to the heightened demand. This can make it hard to stand out in the crowd, and it makes it essential for you to communicate what makes your brand different.
Though it’s important to stand out from your competitors, you
also want to be credible. Outlandish or over-exaggerated claims
may draw a crowd, but, in the end, it is the credible companies
that communicate their honest value that will find the greatest
long-term success. Unfortunately, it can be difficult to find a
balance between standing out while still remaining credible.

Potential customers need a lot of education.
There are a lot of different cyber threats out there, and these threats can change from day to day. As a result, your potential customers need a significant amount of education to understand what threats they face and what solutions they may need.
This is especially true given that CEOs and other C-level
executives are not as well versed in information security, which
can impact a company’s decision to include cyber security as
part of their overall preparedness plan. In fact, according to EY’s
19th Global Information Security Survey 2016-2017, almost
one-third of information security managers and IT leaders
surveyed said that a lack of executive awareness and support
was a significant challenge in developing an effective
cybersecurity plan for preparedness.
Many businesses just don’t prioritize cyber security.
Though there is plenty of evidence pointing to the necessity of
cyber security in protecting valuable data, the truth is that many
businesses just don’t prioritize cyber security until it is too late.
According to the same Global Information Security Survey
mentioned above, only one in five, or 22%, of those surveyed
said that they fully incorporate information security into their
strategy and planning.

This is a surprisingly low percentage given the increase in the number of cyber security attacks in recent years and the average cost of these breaches. Ultimately, this data suggests that cyber security marketers must find ways to create a sense of urgency for potential customers and emphasize the importance of acting pre-emptively.

Which Tactics Should Cyber Security Marketers Use?

That brings us to the big question of how cyber security companies can overcome these challenges and connect with those who need their services. Below, we’ve put together some of the best cyber security marketing tactics to help you drive demo sign-ups and improve overall sales through promoting education and awareness:

1. Content Marketing
Content marketing can help you build credibility while addressing the major
challenge of educating your prospects. In order for your content
to be effective, it’s essential that your company provides
real-world examples to demonstrate both the importance of
cyber security and the effectiveness of your solutions.

Not only will your content need to be comprehensive and data-driven, but you’ll also want to ensure that it is unique. Develop educational content that clearly demonstrates how your product solves a real-life cyber security attack and back it up with case studies, independent industry reviews, etc. Rather than rehashing the same content that already exists out there, try using new examples or offering a different angle on the types of cyber threats that relate to your specific products and solutions.

When it comes to content marketing, there are a number of different types of content that you can use to reach and engage your audience. Here are a few types of content that can help you reach customers at different points in the buyer’s journey:

Blogs
Blogs are great for attracting prospects in every stage of the buyer’s journey. Try to create some evergreen blog content that will be universally relevant. Topics like “What is a Phishing Attack?” or “What is a Mirai-Style DDoS Attack?” are great for customers who are just starting their research and need to learn the basics. For more middle-of-the-funnel leads, topics like “How to Identify Phishing Emails?” or “DDoS Mitigation Best Practices” would work well. Finally, for those prospects that are ready to buy, you can go with a topic like “X Reasons to Choose XYZ Security for Your Anti-Malware Software.”

Downloadable Content
Offering downloadable content like e-books and whitepapers is
also an excellent way to convert your site traffic into leads that
you can later nurture. Not every topic is suited for long-form
content, and the truth is that you just won’t have time or
resources to create long-form content on every topic. Review
analytics for your current content to find the most popular or
searched for topics and terms. These are often the best places to
start when planning topics for downloadable content.

Downloadable assets like this e-book are a great way to capture TOFU leads.

Another aspect of downloadable content that you’ll need to consider is the landing page. Long-form assets like e-books are great candidates for gated content. This will require you to create a tailored landing page that introduces the asset’s topic and provides enough detail for the viewer to determine it is relevant without giving away the good stuff.

With cyber security, landing pages need to quickly and clearly communicate the value of the offer.

Video
Explanation videos are another great way to communicate what
your cyber security offering does and why it can be valuable to
your prospects. This can be an especially helpful tactic when
you’re trying to target CEOs and other C-level executives who
need more education. According to inbound marketing experts
at HubSpot, 75% of executives watch work-related videos on
business websites at least once a week, and 59% of executives
would rather watch a video than read text. These statistics
indicate that executives are open to learning more from video
content and may even prefer it over written content.

There are many ways that your company can use video to
engage and educate your audience. You might use video content
to break down statistics on cyberattacks, recovery expenses, and
the value of cyber security solutions. By providing real
examples of these issues in your video content, you can help
make the statistics more relevant and help create a stronger
sense of urgency.

You can also use this visual format to better explain how your
solution works and emphasize the value that your company can
offer its target audience. As with any offering from a technology
company, cyber security solutions can be difficult for those
outside of the IT world to understand. However, video content
allows you to more easily break down complex ideas for a wider
reading audience. This makes it ideal for cyber security
companies that need to communicate their value, especially to
C-level executives who may need a bit more explanation.
2. Email Marketing
Since education and awareness is a barrier to selling your
solution, it can often take a potential lead a significant amount
of time to reach the point where they are ready to request a
demo or contact a sales representative. In the meantime, you
need a way to nurture these leads and move them further down
the funnel. Email marketing is an effective way to do just that.

With so many emails in your prospect’s inbox, they may be inclined to delete your email or unsubscribe if they don’t find your content worthwhile. Here are some examples of content that you might include in your email marketing:

 Downloadable content like e-books, case studies, and reports that provide readers with a more in-depth understanding of important cyber security topics.
 Links to your most recent blog posts talking about recent attacks or security concerns and those that break down complex cyber security topics for a wider reading audience.
 Video content that emphasizes the importance of cyber security and communicates the value of your company’s offering.
 A digest of relevant articles from reputable industry publications that helps readers better understand hot topics in cyber security.
 Monthly offers and sales promotions like a free trial, which can encourage prospects to sign up.

Email (along with retargeting ads) is the primary way to nurture leads.

Overall, email marketing is an effective way to stay connected to those leads who may not yet be ready to make a purchase. Be sure to regularly monitor your campaigns to see which types of content, subject lines, copy, and images are most effective in regard to open and click-through rates. Also, be cognizant of how many emails you are sending to your prospects. If you flood your prospect’s inbox with emails about the various cyber threats they face, they will become desensitized to them and lose interest.

3. Webinars
Webinars are a great way for cyber security marketers to
connect with bottom-of-the-funnel leads. Webinars attendees are
already interested in learning more about your solution and the
threats it protects against, and they typically have taken some
time to do research. This means that they are more likely to be
engaged in the topics you are presenting.

One vital part of the webinar is including an interactive element. Webinars typically include a question and answer session at the end of the presentation that offers attendees the opportunity to ask more questions about the topic and your services. This is a valuable opportunity to advertise other helpful content or encourage demo sign-ups. Even if you decide to pre-record your webinar, you can still accept viewer questions and respond in a follow-up.

Webinars can sometimes be costly to produce. However, as with other parts of your marketing campaign, there is also an opportunity to repurpose your webinar to get more out of this content. If the webinar is offered live, be sure to record the content and make this recording available later for those who were unable to attend. If the webinar has a great response then you may also want to consider taking the topics discussed there and creating other types of content like blog posts around these topics. The questions that users ask during the webinar are also an excellent starting point for developing new content that addresses your target audience’s greatest challenges.

In order to promote a webinar and drive attendance, paid channels work well. We have been able to get great results from LinkedIn as well as Google retargeting ads.
4. Paid Campaigns
Paid campaigns are great at accomplishing two goals –
amplifying your content marketing efforts and getting prospects
to arrive at your demo request landing page.

First, let’s talk about content marketing amplification. Many marketers feel that paid campaigns and inbound marketing don’t mix, but the truth is that when you combine these two strategies, you end up with a powerful campaign. Say, for example, you just published a study with some pretty compelling data about a particular cyber threat. With this sort of asset, time is of the essence – the older the data is, the less likely prospects will find it useful. By promoting your content through paid channels, you can start to see results more quickly, allowing you to get the most out of the content you’ve created.

LinkedIn is a great paid channel for cyber security.

One of the major goals of any cyber security marketer is getting prospects to request a demo. While getting prospects to this stage takes a little work and a lot of nurturing, paid campaigns can help accelerate the process for those who are ready to make a purchasing decision. You can use paid marketing campaigns to drive more prospects to your demo request landing page. These ads can help ensure that your brand is visible to those who are ready to buy while making your demo readily available to these prospects.

Some cyber security companies may avoid using paid campaigns due to the competitive nature of paid advertising in the cyber security space. That’s understandable – if you don’t know what you’re doing, it’s easy to spend thousands on cyber security ads and get nothing in return. For paid campaigns, you either need a dedicated in-house person (or team) with experience in this area or an agency that specializes in cyber security paid marketing.
Additional Cyber Security Marketing Tips
In addition to using the tactics above, it’s also important to keep
a few things in mind about your audience. Though it’s easy to
just target CTOs, these are not the only people interested in your
solutions. High-ranking IT professionals will likely have a say
in which cyber security solution a company decides to go with.
However, with the critical nature of data security, the CEO will
often be the final decision-maker, and other C-level executives
may also be involved in the decision-making process.

Whether you are marketing to the CEO or the CTO, some things
remain the same – it is vital that you are honest about your
solution’s capabilities and take a data-driven approach to
messaging. Use these tips to stay on track:

Don’t exaggerate your solution’s results.
 If your cyber security solution only blocks 99% of attacks, don’t say it blocks all attacks. Being honest about your success rate and the capabilities of your solution is the best way to build long-term relationships and drive more positive customer referrals over time.

Use data in your messaging.
 Companies who are looking for a cyber security solution need the facts. Use data in your marketing messages to create a sense of urgency and help potential customers better understand the value of your product. In the end, no matter how great your messaging is, the numbers will speak for themselves.
Lecture 33
Security Risks and Perils for Organizations
Top security threats can impact your company’s growth
Vulnerabilities in your company’s infrastructure can compromise its current financial situation and endanger its future. Companies everywhere are looking into potential
solutions to their cybersecurity issues, as The Global State of
Information Security® Survey 2017 reveals.
Integration seems to be the objective that CSOs and CIOs are
striving towards. Getting all the ducks in a row could paint a
clearer picture in terms of security risks and vulnerabilities –
and that is, indeed, a must-have. So amid this turbulent context,
companies desperately need to incorporate cybersecurity
measures as a key asset. It’s not just about the tech, it’s
about business continuity.
If you are concerned with your company’s safety, there are
solutions to keeping your assets secure. The first step is to
acknowledge the existing cybersecurity risks that expose your
organization to malicious hackers.
Corporate cybersecurity risks to prepare for
Information security is a topic that you’ll want to place at the
top of your business plan for years to come. Having a strong
plan to protect your organization from cyber attacks is
fundamental. So is a business continuity plan to help you deal
with the aftermath of a potential security breach.
Below you’ll find a collection of IT security risks in no
particular order that will be helpful as you create an action plan
to strengthen your company’s defenses against aggressive cyber
criminals and their practices.
Failure to cover cybersecurity basics
The common vulnerabilities and exploits used by attackers in
the past year reveal that fundamental cybersecurity measures are
lacking. Cyber criminals use less than a dozen vulnerabilities to
hack into organizations and their systems, because they don’t
need more.
The top 10 external vulnerabilities accounted for nearly 52% of
all identified external vulnerabilities. Thousands of
vulnerabilities account for the other 48%.
The top 10 internal vulnerabilities accounted for over 78% of all
internal vulnerabilities during 2015. All 10 internal
vulnerabilities are directly related to outdated patch levels on
the target systems.
For example, something as simple as timely patching could have
blocked 78% of internal vulnerabilities in the surveyed
organizations. And the same goes for external security holes.
Moreover, relying on antivirus as a single security layer and
failing to encrypt data is an open invitation for attackers. It just
screams: “open for hacking!”
Not understanding what generates corporate cybersecurity risks
Companies often fail to understand “their vulnerability to attack,
the value of their critical assets, and the profile or sophistication
of potential attackers”. This issue came up at the 2015 World
Economic Forum and it will probably still be relevant for a few
more years.
Security risks are not always obvious. The categories below can
provide some guidance for a deliberate effort to map and plan to
mitigate them in the long term.
Source: Ponemon Institute – Security Beyond the Traditional
Perimeter
Technology isn’t the only source for security risks.
Psychological and sociological aspects are also involved. This is
why company culture plays a major role in how it handles and
perceives cybersecurity and its role.
1. Lack of a cybersecurity policy
Security standards are a must for any company that does
business nowadays and wants to thrive at it. Cyber criminals
aren’t only targeting companies in the finance or tech sectors.
They’re threatening every single company out there.
The increasing frequency of high-profile security breaches has
made C-level management more aware of the matter. This is an
important step, but one of many. External attacks are frequent
and the financial costs of external attacks are significant. The
505 enterprises and financial institutions surveyed experienced
an average of more than one cyber attack each month and spent
an average of almost $3.5 million annually to deal with attacks.
Source: Ponemon Institute – Security Beyond the Traditional
Perimeter
Not prioritizing the cybersecurity policy as an issue and not
getting employees to engage with it is not something that
companies nowadays can afford. This piece of advice shared in
an article on Fortune.com is worth considering: Just as
companies seek outside expertise for legal and financial matters,
they should now be looking for experts in cybersecurity and data
privacy.
As part of their cybersecurity policy, companies should:
 identify risks related to cybersecurity
 establish cybersecurity governance
 develop policies, procedures, and oversight processes
 protect company networks and information
 identify and address risks associated with remote access to
client information and funds transfer requests
 define and handle risks associated with vendors and other
third parties
 be able to detect unauthorized activity.
2. Confusing compliance with cybersecurity
Another risk businesses have to deal with is the confusion
between compliance and a cybersecurity policy. Ensuring
compliance with company rules is not the equivalent of
protecting the company against cyber attacks. Unless the rules
integrate a clear focus on security, of course.
Enterprise risk management requires that every manager in the
company has access to the parts of the security system that are
relevant to them. Security is a company-wide responsibility, as
our CEO always says. As a result, managers (and everyone else)
should oversee how data flows through the system and know
how to protect confidential information from leaking to cyber
criminal infrastructure.
Most companies are still not adequately prepared for – or do not even understand – the risks they face: Only 37% of organizations have a
cyber incident response plan. Clearly, there is plenty of work to
be done here.

The Carbon Lifeform – the weakest link

There are also other factors that can become corporate cybersecurity risks. They’re the less technological kind. The human factor plays an important role in how strong (or weak) your company’s information security defenses are. It turns out that people in higher positions, such as executive and management roles, are less prone to becoming malicious insiders. It’s the lower-level employees who can weaken your security considerably. Be mindful of how you set and monitor their access levels.
As you can see from this recent statistic, privilege abuse is the leading cause of data leakage caused by malicious insiders.
Source: Verizon 2016 Data Breach Investigations Report
That is one more reason to add a cybersecurity policy to your
company’s approach, beyond a compliance checklist that you
may already have in place. Protecting sensitive information is
essential, and you need to look inside, as well as outside to map
and mitigate potential threats.
3. Bring your own device policy (BYOD) and the cloud
In the quest to provide your employees with better working
conditions and a more flexible environment, you may have
adopted the “Bring Your Own Device” policy. But have you
considered the corporate cybersecurity risks you brought on by
doing so?
The BYOD and Mobile Security 2016 study provides key
metrics:
 One in five organizations suffered a mobile security
breach, primarily driven by malware and malicious WiFi.
 Security threats to BYOD impose heavy burdens on
organizations’ IT resources (35%) and help desk workloads
(27%).
 Despite increasing mobile security threats, data breaches
and new regulations, only 30% of organizations are increasing
security budgets for BYOD in the next 12 months. Meanwhile,
37% have no plans to change their security budgets.
The bright side is that awareness on the matter of BYOD
policies is increasing. When it comes to mobile
devices, password protection is still the go-to solution. Overall,
things seem to be going in the right direction with BYOD
security. But, as with everything else, there is much more
companies can do about it.
Funding, talent and resources constraints
We know that there are plenty of issues to consider when it
comes to growing your business, keeping your advantages and
planning for growth. So budgets are tight and resources scarce.
That’s precisely one of the factors that incur corporate
cybersecurity risks. Think of this security layer as your
company’s immune system. It needs funding and talent to
prevent severe losses as a consequence of cyber attacks.
A good approach would be to set reasonable expectations
towards this objective and allocate the resources you can afford.
It won’t be easy, given the shortage of cybersecurity specialists,
a phenomenon that’s affecting the entire industry.

No information security training

Employee training and awareness are critical to your company’s safety. In fact, 50% of companies believe security training for both new and current employees is a priority, according to Dell’s Protecting the organization against the unknown – A new generation of threats.
The specialists’ recommendation is to take a quick look at the
most common file types that cyber attackers use to penetrate
your system. This will tell you what types of actionable advice
you could include in your employees’ trainings on
cybersecurity. The human filter can be a strength as well as a
serious weakness. Educate your employees, and they might
thank you for it. This training can be valuable for their private
lives as well.
Lack of a recovery plan
Being prepared for a security attack means to have a thorough
plan. This plan should include what can happen to prevent the
cyber attack, but also how to minimize the damage if it takes
place. Unfortunately, the statistics reveal that companies are not
ready to deal with such critical situations:
Observing the trend of incidents supported since 2013, there has
been little improvement in preparedness. In 2015 there was a
slight increase in organizations that were unprepared and had no
formal plan to respond to incidents. Over the last three years, an
average of 77% of organizations fall into this category, leaving
only 23% having some capability to effectively respond.
If 77% of organizations lack a recovery plan, then maybe their
resources would be better spent on preventive measures. This
way, companies can detect the attack in its early stages, and the
threats can be isolated and managed more effectively. But that
doesn’t eliminate the need for a recovery plan. There’s no doubt
that such a plan is critical for your response time and for
resuming business activities.
Constantly evolving risks
There is one risk that you can’t do much about: the
polymorphism and stealthiness specific to current malware.
Lecture 34
Social Computing and the associated challenges for
Organizations
Ten top issues with social computing in business
Lack of social media literacy among workers. Anecdotally, the farther
a business is from the technology industry, the less likely that line
workers will be familiar with the latest software innovations. Those
who haven't been maintaining blogs, updating wiki sites, using
social networks, sharing information socially, etc. will require
more education than those who do. Even the basics of netiquette as
well as key techniques to get the most from social computing
platforms such as encouraging the building of links between data,
tagging information, or establishing weak ties over the network are
often poorly understood even by frequent users of social computing
tools. In short, social computing requires some literacy efforts in
most organizations to achieve effectiveness, just like personal
computing skills did a few decades ago.
A perception that social tools won't work well in a particular
industry. There is often an assumption in many specialized
industries -- such as medicine or manufacturing, just to cite two
random examples -- that social tools won't be a good fit for their
specific vertical; that they are unique in some way that makes
social business models inappropriate or a non-starter in some way.
While many enterprise Web 2.0 advances have spread rather
unevenly in many industries -- with media and financial services
often leading the way in early adoption -- more and more evidence
is accumulating that social computing tools have use in most, if not
all, industries. However, more than five years after social software
became common in private life, it's still surprisingly common to
encounter a culture of resistance (though often to change in general,
and not just enterprise social tools) in organizations that have fewer
competitive pressures, are highly specialized, or are unusually late
adopters of technology.
Social software is still perceived as too risky to use for core
business activities. There is still a broad sense with many that I talk
to that social computing applications are more suitable for
knowledge workers isolated from the mission critical functions of
an organization or in more fungible areas such as marketing and
advertising. There's a sense that social computing is not for
operations or key business capabilities. This can be ascribed
variously to concerns about unpredictability, loss of control, or
worries of introducing potential distractions to activities that
directly and immediately affect the conditions of the business,
including the bottom line. Interestingly, in my analysis of case
studies and discussions with implementers, this is the very place
where social tools have the most impact when deployed, usually by
improving decisions, making key data (or potential experts with the
information you need) more accessible and discoverable, and so on.
In fact, no case that I can find has emerged of social tools
disrupting the workplace in any significant manner, and almost all
reports, some of which are indeed integrating social tools into key
business processes, are positive. This concern will likely persist for
a while yet, pending the arrival of a preponderance of research and
internal results that belies it.
Can't get enough senior executives engaged with social tools. I've
been known to say that most senior executives in large
organizations are often read-only users of their IT systems, whether
it's Outlook, their Blackberry, or operational dashboards. Despite
even the earliest Enterprise 2.0 case studies confirming that social
tool adoption is greatly improved by an organization's top
personnel leading by example, these are often the folks that have
the least time to participate and little practical experience in doing
so. (Note: Enterprise 2.0 is just part of the enterprise social
computing spectrum, though a very important one.) It's something
I'm beginning to hear often, and that is lack of engagement by
senior executives in most social computing efforts, public or
private. I'm personally torn by whether this is critical for success in
the long term, since social computing is largely about tapping into
the cognitive surpluses within an organization and across the
network, but it certainly is a key factor in the short term by slowing
the effectiveness of adoption internally.
There is vapor lock between IT and the social computing
initiative. The famous IT/business divide is often holding up social
computing initiatives, often by months -- and in some cases for a
year or more -- as IT tries to find (and sometimes build) social
computing applications that meet requirements for internal
software, architecture, security, and governance standards, while
still exhibiting the latest best practices on the social computing side.
That many of the best social computing applications come from
newer, smaller firms that often don't focus on traditional enterprise
requirements only exacerbates the issues. IT shops also tend to
have limited understanding of the business side of social
computing and try to shoehorn existing solutions on hand to solve
business needs. While this isn't automatically a bad practice, the
classic example of SharePoint and Enterprise 2.0 illustrates how
this can often become a charged issue and hold up efforts while it
is resolved.
1. Need to prove ROI before there will be support for social
software. This is a classic anti-pattern for enterprise software
acquisition in general (and Enterprise 2.0 in particular), and
while there are certainly twists that are unique to social
computing, the ROI proof objection has increasingly fallen by
wayside with the growing number of successful case studies.
2. Security concerns are holding up pilot projects/adoption
plans. Because social tools make many things that were
normally private much more public -- including policies,
procedures, critical methods, corporate data, and intellectual
property -- many organizations would rather wait for best
practices in dealing with this important issue to solidify before
climbing very far up the social computing adoption curve.
We've seen a surprising increase and friendly reception lately
for tools that address security as well as governance with social
computing tools. I'll explore some of these in an upcoming post.
3. The needs around community management have come as a
surprise. Social tools create participant audiences with a shared
understanding and sense of community, as well as an internally
guided direction. Without suitable management (help, support,
guidance, moderation, administration, and planning)
communities will (and should) eventually take on a life of their
own, but perhaps without your involvement. Community
management is the facility through which they stay connected to
the organization and its goals/needs while satisfying their own
internal requirements. The staffing skills, team sizes, techniques,
and tools of community management for the full spectrum of
enterprise social computing needs is still something that we're
learning as an industry. This is also an emerging story that I'll be
covering this year as social computing matures in more and
more organizations.
4. Difficulties sustaining external engagement. As I discussed
last year in covering 12 best practices for online customer
communities, many organizations have trouble engaging the
broader world using their own social computing initiatives.
They build communities but their target audiences often end up
preferring the ones they built for themselves, especially if they
perceive too cynical an approach or one that is too narrow for
their needs (focusing on just a product from one company
instead of an entire vertical or niche). Creating thriving social
computing environments is still as much an art as a science and
while engagement can always be generated through expensive
traditional marketing and PR channels, learning the emerging
rules for social business can really help.
5. Struggling to survive due to unexpected success. More and
more frequently lately I'm coming across enterprise social
computing stories that had considerable and unexpected early
success. This led to attention and scrutiny from across the
organization and a subsequent struggle to fund a fast growing
venture amid internecine turf wars, battles over control, and the
battles with competing efforts. With social computing a foreign
way of doing business for many organizations, the rapid growth
of new effort can spell disaster without careful oversight,
planning, and expectation setting. Building a strong network of
friendly and well-respected sponsors internally can help this
issue in particular.
Lecture 35
Management Perspective of Cyber Security (ISO 27001)
Why ISO 27001?
ISO 27001:2013 is the de-facto international Information
Security Management System (ISMS) standard and is deployed
globally. For business, this means that accreditation is
recognised everywhere and the resources needed to achieve the
certification (provided by qualified assessment partners
like Stickman) are readily available to help organisations
achieve the best possible security outcomes.
Introducing ISO 27001 | Information Security Management
System Framework
ISO 27001 is an ISMS standard that provides a risk-based
approach to managing people, processes and technical controls.
The standard’s modular approach to auditing people and
technical dependencies ensures that numerous operational
benchmarks can be measured, compared, and improved if
security gaps are discovered. The standard is independently
administered with certified practitioners offering
implementation services for those organisations who lack the
resources or desire in taking the DIY approach.
Business Case: Value proposition for implementing ISO 27001
The lack of appropriate security safeguards and controls poses
an existential threat for businesses of all sizes. Making sure that
security safeguards, controls and policy guidelines meet the
individual needs of an organisation is vital to securing your
information framework. By implementing a tried and
tested security management system, gaps can be remediated
using industry best practice. ISO 27001 is more than just a
security blueprint. The standard (when implemented) engages
with all stakeholders across the organisation and features
modular architecture that enables individuals, business units or
the entire organisation to accept responsibility for security
within their environment. This approach assists management to
thoroughly fortify security and helps to raise threat awareness
across all levels of the organisation. Often the ISO 27001 review
is part of an all-encompassing organisational assessment that
examines every facet of processes, systems and supply chains.
There are eight good reasons to invest in aligning your security
safeguards against those of a mature and highly respected
certification standard like ISO 27001.
 Reducing risk with benchmarks
Reducing business risk is imperative for management, but
taming information security poses a challenge for both staff and
management in organisations of every size. ISO 27001
guidelines and benchmarks help management and IT staff
meet best security practices and compare their results with
peers.
 Privacy legislation – conformance and governance
Instead of dealing with point solutions to solve discrete security
issues, implementing an ISMS using ISO 27001 guidelines
enables administrators to take a “top-down” view of governance.
With the benefit of a robust structure and a dispassionate
perspective, employees' compliance burden is eased by
maximising existing tools and resources that help extend the
ROI on your security investment.
 Enhancing the value of your business
Reputations, relationships, respect and trust are built up over
time. By demonstrating how committed your organisation is to
deploying the best tools in protecting information security,
commercial partners feel vindicated that their commitment to
the business relationship with your organisation is a good
investment.
 Trusted supply chain
As supply chains become more entwined, your security defences
are only as good as the weakest link in your trusted chain. ISO
27001 accreditation provides the assurance that business-partner
security has met agreed security benchmarks that mitigate
interdependency risk and protects your assets from nefarious
threats posed from within trusted sources.
 Business continuity and resilience
Security breaches cost organisations vast sums of money in
addition to the potential loss of reputation and brand value. ISO
27001 deployment drives a culture of proactive, proven and
tested enhancements that reinforce processes, systems and
controls.
 ISO 27001 encompasses all facets of business
operations
Security threats can come from the most unexpected sources. A
risk-based approach to security helps organisations implement
threat modelling to “war-game” and rethink their approach to
information security in a “whole-of-enterprise”,
all-encompassing context.
 Gap analysis
In many organisations, security safeguards are deployed
because it’s perceived (often prompted with alarmist vendor
marketing) that the need exists. Without a
comprehensive security gap analysis to prove the need exists,
it’s just informed guesswork. Because ISO 27001 is risk-based
it’s critical that weaknesses and other security fractures are
identified, prioritised and remediated, when time, resources and
budget are available. Aligning internal systems and processes
with ISO 27001 can often take some time because of the
granularity and depth needed to complete the certification
process. A gap analysis helps stakeholders assign security
priorities and wrangle the resources and funding needed to
deliver the best outcome.
 Risk based – not just another
“tick-in-the-compliance-box”
Some security accreditations are based on box ticking and
inflexible policies. This type of approach will meet compliance
objectives but could leave serious security risks undiscovered
until it’s too late.
What is a typical ISO 27001 engagement?
As a certified accreditor, Stickman’s engagement model is
straight-forward and typical of top-tier certifiers:
 Review ISMS documentation, scope the requirements and
report.
 Granular audit – validate your ISMS against the ISO27001
standard.
 Regularly scheduled independent reviews to ensure
ongoing conformance with your ISO certification.
This certification looks deceptively easy but is onerous and
demanding for one simple reason: it must be. The ISO 27001
audit shines a bright light on every aspect of business operations
and flags limitations in people, processes, controls and
infrastructure that could compromise information security.
Lecture 36
Risk Assessment and Treatment
Risk assessment (often called risk analysis) is probably the most
complex part of ISO 27001 implementation; but at the same
time risk assessment (and treatment) is the most important step
at the beginning of your information security project – it sets the
foundations for information security in your company.
The question is – why is it so important? The answer is quite
simple although not understood by many people: the main
philosophy of ISO 27001 is to find out which incidents could
occur (i.e. assess the risks) and then find the most appropriate
ways to avoid such incidents (i.e. treat the risks). Not only this,
you also have to assess the importance of each risk so that you
can focus on the most important ones.
Although risk assessment and treatment (together: risk
management) is a complex job, it is very often unnecessarily
mystified. These 6 basic steps will shed light on what you have
to do:
1. ISO 27001 risk assessment methodology
This is the first step on your voyage through risk management.
You need to define rules on how you are going to perform the
risk management because you want your whole organization to
do it the same way – the biggest problem with risk assessment
happens if different parts of the organization perform it in a
different way. Therefore, you need to define whether you want
qualitative or quantitative risk assessment, which scales you will
use for qualitative assessment, what will be the acceptable level
of risk, etc.
2. Risk assessment implementation
Once you know the rules, you can start finding out which
potential problems could happen to you – you need to list all
your assets, then threats and vulnerabilities related to those
assets, assess the impact and likelihood for each combination of
assets/threats/vulnerabilities and finally calculate the level of
risk.
In my experience, companies are usually aware of only 30% of
their risks. Therefore, you’ll probably find this kind of exercise
quite revealing – when you are finished you’ll start to appreciate
the effort you’ve made.
3. Risk treatment implementation
Of course, not all risks are created equal – you have to focus on
the most important ones, so-called ‘unacceptable risks’.
There are four options you can choose from to mitigate each
unacceptable risk:
Apply security controls from Annex A to decrease the risks –
see this article ISO 27001 Annex A controls.
Transfer the risk to another party – e.g. to an insurance company
by buying an insurance policy.
Avoid the risk by stopping an activity that is too risky, or by
doing it in a completely different fashion.
Accept the risk – if, for instance, the cost for mitigating that risk
would be higher than the damage itself.
This is where you need to get creative – how to decrease the
risks with minimum investment. It would be the easiest if your
budget was unlimited, but that is never going to happen. And I
must tell you that unfortunately your management is right – it is
possible to achieve the same result with less money – you only
need to figure out how.
4. ISMS Risk Assessment Report
Unlike previous steps, this one is quite boring – you need to
document everything you’ve done so far. Not only for the
auditors, but you may want to check yourself these results in a
year or two.
5. Statement of Applicability
This document actually shows the security profile of your
company – based on the results of the risk treatment you need to
list all the controls you have implemented, why you have
implemented them and how. This document is also very
important because the certification auditor will use it as the main
guideline for the audit.
For details about this document, see article The importance of
Statement of Applicability for ISO 27001.
6. Risk Treatment Plan
This is the step where you have to move from theory to practice.
Let’s be frank – all up to now this whole risk management job
was purely theoretical, but now it’s time to show some concrete
results.
This is the purpose of Risk Treatment Plan – to define exactly
who is going to implement each control, in which timeframe,
with which budget, etc. I would prefer to call this document
‘Implementation Plan’ or ‘Action Plan’, but let’s stick to the
terminology used in ISO 27001.
Once you’ve written this document, it is crucial to get your
management approval because it will take considerable time and
effort (and money) to implement all the controls that you have
planned here. And without their commitment you won’t get any
of these.
And this is it – you’ve started your journey from not knowing
how to set up your information security all the way to having a
very clear picture of what you need to implement. The point is –
ISO 27001 forces you to make this journey in a systematic way.
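The six steps above carried through in code, as an added worked example that is not from these notes or from the standard: a constructed risk register is assessed against a constructed 1..5 scale and acceptable-risk threshold, every unacceptable risk gets one of the four treatment options, and the Statement of Applicability and treatment plan are derived from those decisions. The control identifiers (CTRL-*), assets, owners and deadlines are all made up for illustration.

```python
"""Qualitative risk assessment and treatment in the ISO 27001 style described
above: an added worked example for these notes, not code from the notes or the
standard. The 1..5 scales, the acceptable-risk threshold, the control ids
(CTRL-*) and the sample assets are all constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

ACCEPTABLE_RISK = 6  # step 1 (methodology): any level above this must be treated

class Treatment(Enum):
    MITIGATE = "apply controls"  # decrease the risk with security controls
    TRANSFER = "transfer"        # e.g. insurance
    AVOID = "avoid"              # stop or redesign the risky activity
    ACCEPT = "accept"            # mitigation would cost more than the damage

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int      # 1 (negligible) .. 5 (catastrophic)
    likelihood: int  # 1 (rare) .. 5 (almost certain)

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be on the 1..5 scale")

    @property
    def level(self) -> int:  # step 1: level = impact x likelihood (1..25)
        return self.impact * self.likelihood

@dataclass(frozen=True)
class Decision:
    risk: Risk
    option: Treatment
    control: Optional[str] = None         # only for MITIGATE
    residual_level: Optional[int] = None  # level once the control is in place
    implementer: Optional[str] = None     # treatment plan: who ...
    deadline: Optional[str] = None        # ... and by when

def assess(risks):
    """Step 2: the unacceptable risks, highest level first."""
    return sorted((r for r in risks if r.level > ACCEPTABLE_RISK),
                  key=lambda r: r.level, reverse=True)

def treat(risk, option, control=None, residual=None, implementer=None, deadline=None):
    """Step 3: record how one unacceptable risk is handled. A mitigation needs a
    control, who implements it by when, and the (impact, likelihood) expected
    afterwards; a residual still above the threshold is rejected."""
    residual_level = None
    if option is Treatment.MITIGATE:
        if not (control and residual and implementer and deadline):
            raise ValueError("mitigation needs control, residual, implementer and deadline")
        residual_level = residual[0] * residual[1]
        if residual_level > ACCEPTABLE_RISK:
            raise ValueError(f"residual level {residual_level} is still above {ACCEPTABLE_RISK}")
    return Decision(risk, option, control, residual_level, implementer, deadline)

def statement_of_applicability(decisions):
    """Step 5: each applied control with the risks that justify it."""
    soa = {}
    for d in decisions:
        if d.option is Treatment.MITIGATE:
            soa.setdefault(d.control, []).append(f"{d.risk.asset}: {d.risk.threat}")
    return soa

def rejected(**kwargs):
    """True when treat() refuses a decision, e.g. a control that is too weak."""
    try:
        treat(**kwargs)
        return False
    except ValueError:
        return True

# Constructed register for a small company (the output of step 2).
REGISTER = [
    Risk("sales laptops", "device theft", "no disk encryption", 4, 3),
    Risk("mail accounts", "phishing", "no awareness training", 3, 4),
    Risk("office printer", "hardware failure", "no spare unit", 1, 3),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 5, 3),
]

def run_example():
    """Carry the register through steps 2, 3, 5 and 6 and return the results."""
    ftp, laptops, mail = assess(REGISTER)  # the printer (level 3) is accepted as is
    decisions = [
        treat(ftp, Treatment.AVOID),       # decommission the cleartext service
        treat(laptops, Treatment.MITIGATE, control="CTRL-DISK-ENC", residual=(4, 1),
              implementer="IT manager", deadline="end of Q1"),
        treat(mail, Treatment.MITIGATE, control="CTRL-AWARENESS", residual=(3, 2),
              implementer="HR", deadline="end of Q2"),
    ]
    # Step 6 (risk treatment plan): who implements which control, and by when.
    plan = [(d.control, d.implementer, d.deadline) for d in decisions if d.control]
    return {"decisions": decisions, "soa": statement_of_applicability(decisions), "plan": plan}
```

Note that the mail risk lands exactly on the threshold after treatment (level 6) and is accepted, while a weaker control that left it at level 8 would be rejected by `treat()`.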
Lecture 37
Security Policy
What is an IT Security Policy?
An Information Technology (IT) Security Policy identifies the
rules and procedures for all individuals accessing and using an
organization's IT assets and resources. Effective IT Security
Policy is a model of the organization’s culture, in which rules
and procedures are driven from its employees' approach to their
information and work. Thus, an effective IT security policy is a
unique document for each organization, cultivated from its
people’s perspectives on risk tolerance, how they see and value
their information, and the resulting availability that they
maintain of that information. For this reason, many companies
will find a boilerplate IT security policy inappropriate due to its
lack of consideration for how the organization’s people actually
use and share information among themselves and to the public.
The objective of an IT security policy is the preservation of
confidentiality, integrity, and availability of systems and
information used by an organization’s members. These three
principles compose the CIA triad:
 Confidentiality involves the protection of assets from unauthorized
entities
 Integrity ensures the modification of assets is handled in a specified and
authorized manner
 Availability is a state of the system in which authorized users have
continuous access to said assets
The IT Security Policy is a living document that is continually
updated to adapt with evolving business and IT requirements.
Institutions such as the International Organization for
Standardization (ISO) and the U.S. National Institute of
Standards and Technology (NIST) have published standards and
best practices for security policy formation. As stipulated by the
National Research Council (NRC), the specifications of any
company policy should address:
1. Objectives
2. Scope
3. Specific goals
4. Responsibilities for compliance and actions to be taken in the
event of noncompliance.
Also mandatory for every IT security policy are sections
dedicated to the adherence to regulations that govern the
organization’s industry. Common examples of this include the
PCI Data Security Standard and the Basel Accords worldwide,
or the Dodd-Frank Wall Street Reform, the Consumer
Protection Act, the Health Insurance Portability and
Accountability Act, and the Financial Industry Regulatory
Authority in the United States. Many of these regulatory entities
require a written IT security policy themselves.
An organization’s security policy will play a large role in its
decisions and direction, but it should not alter its strategy or
mission. Therefore, it is important to write a policy that is drawn
from the organization’s existing cultural and structural
framework to support the continuity of good productivity and
innovation, and not as a generic policy that impedes the
organization and its people from meeting its mission and goals.
Lecture 38
Organization of Information Security
Security Program Development can be thought of as having an
emphasis on establishing information security related roles and
responsibilities throughout the organization. Two major areas
are addressed in this section:
Developing an effective Information Security Organization
Mobile Computing and Teleworking standards (and the “BYOD
challenge”)
Establishing an effective internal Information Security
Organization can be further sub-divided into multiple topics of
interest:
One of the key sub-topics is information security roles and
responsibilities, which addresses the need to designate and
assign accountability for information security across
the organization to ensure that employees apply appropriate
protection to assets and information under their direct control.
Additionally, this topic addresses the need to establish an
information security governance framework and designate a
leader who will manage the information security program and
develop program initiatives. This designation should be
documented in a formal job description for the individual with
the designated responsibility and such designation should be
utilized in properly demonstrating compliance with applicable
regulatory and compliance requirements such as HIPAA, GLBA,
and PCI DSS. Note that there are a variety of roles and
responsibilities for information security leaders. Avoiding
conflicts of interest that can arise when segregation of duties is
not considered is another area to be addressed, to ensure
that no single individual at an organization can escape detection
if engaging in unauthorized activities or abusing access to
information and technology systems.
The information security organization is also responsible for
appropriate contact with authorities and contact with special
interest groups.
Addressing information security in project management
activities is important to ensure that risks are identified and
addressed throughout the project management lifecycle.
The information security organization is typically also
responsible for developing information security policies and
creating a comprehensive risk-based information security
program.
Mobile Computing and Teleworking relates to the risks of
working with mobile devices in unprotected environments.
Internal organization
Objective:
To establish a management framework to initiate and control the
implementation and operation of information security within the
organization.
Information security roles and responsibilities
Control
All information security responsibilities should be defined and
allocated.
Implementation guidance
Allocation of information security responsibilities should be
done in accordance with the information security policies.
Responsibilities for the protection of individual assets and for
carrying out specific information security processes should be
identified. Responsibilities for information security risk
management activities and in particular for acceptance of
residual risks should be defined. These responsibilities should
be supplemented, where necessary, with more detailed guidance
for specific sites and information processing facilities. Local
responsibilities for the protection of assets and for carrying out
specific security processes should be defined. Individuals with
allocated information security responsibilities may delegate
security tasks to others. Nevertheless they remain accountable
and should determine that any delegated tasks have been
correctly performed. Areas for which individuals are responsible
should be stated. In particular the following should take place:
a) the assets and information security processes should be
identified and defined;
b) the entity responsible for each asset or information security
process should be assigned and the details of this responsibility
should be documented;
c) authorization levels should be defined and documented;
d) to be able to fulfil responsibilities in the information security
area the appointed individuals should be competent in the area
and be given opportunities to keep up to date with developments;
e) coordination and oversight of information security aspects of
supplier relationships should be identified and documented.
Other information
Many organizations appoint an information security manager to
take overall responsibility for the development and
implementation of information security and to support the
identification of controls. However, responsibility for resourcing
and implementing the controls will often remain with individual
managers. One common practice is to appoint an owner for each
asset who then becomes responsible for its day-to-day
protection.
Segregation of duties
Conflicting duties and areas of responsibility should be
segregated to reduce opportunities for unauthorized or
unintentional modification or misuse of the organization’s
assets.
Implementation guidance
Care should be taken that no single person can access, modify or
use assets without authorization or detection. The initiation of an
event should be separated from its authorization. The possibility
of collusion should be considered in designing the
controls. Small organizations may find segregation of duties
difficult to achieve, but the principle should be applied as far as
is possible and practicable. Whenever it is difficult to segregate,
other controls such as monitoring of activities, audit trails and
management supervision should be considered.
Other information
Segregation of duties is a method for reducing the risk of
accidental or deliberate misuse of an organization’s assets.
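The separation of initiation from authorization described above, together with the audit-trail review suggested as a compensating control where that separation cannot be enforced, as an added example that is not from these notes or from the standard; the role table, user names and log line format are constructed.

```python
"""Segregation of duties (SoD) in a request/approval workflow: a preventive
check that whoever initiates an event cannot also authorize it, plus detective
checks over an audit trail for the case, noted above, where the separation
cannot be enforced directly. Added example for these notes, not code from the
notes or from ISO/IEC 27001; users, roles and the log format are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import re

ROLES = {  # constructed role table: who may initiate and who may authorize
    "alice": {"initiator"},
    "bob": {"approver"},
    "carol": {"initiator", "approver"},  # small organization: one person, both roles
}

class SoDViolation(Exception):
    """Raised when one person would both initiate and authorize an event."""

@dataclass
class Request:
    request_id: int
    initiator: str
    approver: Optional[str] = None

class Workflow:
    """Preventive control: initiation and authorization are separate steps."""
    def __init__(self, roles):
        self.roles = roles
        self.requests = {}

    def initiate(self, user):
        if "initiator" not in self.roles.get(user, set()):
            raise SoDViolation(f"{user} may not initiate requests")
        req = Request(len(self.requests) + 1, user)
        self.requests[req.request_id] = req
        return req

    def approve(self, request_id, user):
        req = self.requests[request_id]
        if "approver" not in self.roles.get(user, set()):
            raise SoDViolation(f"{user} may not approve requests")
        if user == req.initiator:  # the SoD rule itself, independent of roles
            raise SoDViolation(f"{user} initiated request {request_id} and cannot approve it")
        req.approver = user
        return req

def self_approval_blocked(roles=ROLES):
    """True if a dual-role user is stopped from approving their own request."""
    wf = Workflow(roles)
    req = wf.initiate("carol")
    try:
        wf.approve(req.request_id, "carol")
        return False
    except SoDViolation:
        return wf.approve(req.request_id, "bob").approver == "bob"  # a second person may

# Detective controls over the audit trail (constructed line format).
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>initiate|approve) req=(?P<req>\d+)$")

def parse_audit_trail(lines):
    """(timestamp, user, action, request_id) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], m["action"], int(m["req"])))
    return events

def find_self_approvals(events):
    """Request ids whose initiator and approver are the same person."""
    initiator, approver = {}, {}
    for _ts, user, action, req in events:
        (initiator if action == "initiate" else approver)[req] = user
    return sorted(req for req in approver if initiator.get(req) == approver[req])

def reciprocal_approvers(events, threshold=2):
    """Pairs who approve each other's requests at least `threshold` times each:
    candidates for the collusion the notes say to consider, not proof of it."""
    initiator = {req: user for _ts, user, action, req in events if action == "initiate"}
    approvals = Counter((initiator[req], user) for _ts, user, action, req in events
                        if action == "approve" and req in initiator and initiator[req] != user)
    return sorted({tuple(sorted(pair)) for pair, n in approvals.items()
                   if n >= threshold and approvals[pair[::-1]] >= threshold})

# Constructed audit trail: one self-approval (req 102) and dave/erin approving each other.
SAMPLE_AUDIT_TRAIL = [
    "2016-05-02T09:00:00Z user=alice action=initiate req=101",
    "2016-05-02T09:10:00Z user=bob action=approve req=101",
    "2016-05-02T10:00:00Z user=carol action=initiate req=102",
    "2016-05-02T10:02:00Z user=carol action=approve req=102",
    "2016-05-03T09:00:00Z user=dave action=initiate req=103",
    "2016-05-03T09:05:00Z user=erin action=approve req=103",
    "2016-05-03T11:00:00Z user=erin action=initiate req=104",
    "2016-05-03T11:03:00Z user=dave action=approve req=104",
    "2016-05-04T09:00:00Z user=dave action=initiate req=105",
    "2016-05-04T09:05:00Z user=erin action=approve req=105",
    "2016-05-04T11:00:00Z user=erin action=initiate req=106",
    "2016-05-04T11:03:00Z user=dave action=approve req=106",
]
```

Running `find_self_approvals` and `reciprocal_approvers` over the constructed trail flags request 102 and the dave/erin pair, which is what management supervision would then look into.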
Implementation guidance
Organizations should have procedures in place that specify
when and by whom authorities (e.g. law enforcement, regulatory
bodies, supervisory authorities) should be contacted and how
identified information security incidents should be reported in a
timely manner (e.g. if it is suspected that laws may have been
broken).
Appropriate contacts with special interest groups or other
specialist security forums and professional associations should
be maintained.
Implementation guidance
Membership in special interest groups or forums should be
considered as a means to:
improve knowledge about best practices and stay up to date with
relevant security information;
ensure the understanding of the information security
environment is current and complete;
receive early warnings of alerts, advisories and patches
pertaining to attacks and vulnerabilities;
gain access to specialist information security advice;
share and exchange information about new technologies,
products, threats or vulnerabilities;
provide suitable liaison points when dealing with information
security incidents.
Information security in project management
Information security should be addressed in project management,
regardless of the type of the project.
Implementation guidance
Information security should be integrated into the organization’s
project management method to ensure that information security
risks are identified and addressed as part of a project. This
applies generally to any project regardless of its character, e.g. a
project for a core business process, IT, facility management and
other supporting processes. The project management methods in
use should require that:
information security objectives are included in project
objectives;
an information security risk assessment is conducted at an early
stage of the project to identify necessary controls;
information security is part of all phases of the applied project
methodology.
Information security implications should be addressed and
reviewed regularly in all projects. Responsibilities for
information security should be defined and allocated to specified
roles defined in the project management methods. This control area is about
internal organization. The objective in this Annex A area is to
establish a management framework to initiate and control the
implementation and operation of information security within the
organization. Organization need to establish a mechanism to
manage information security across the entire enterprise and
gain the support of leadership to assist in providing overall
direction.
Implementing a Security Strategy
An effective information security strategy for an organization
must take into account the overall strategic objectives of
the organization and its various departments. Even when focusing
on critical processes and legal mandates, it is necessary to
extend protective measures beyond the underlying IT systems
and associated staff. For example, many employees have access
to critical customer records, and this access must be considered
when assessing the security risks associated with these data. A
failure to provide employees with securely configured
workstations increases the risk of sensitive data being exposed
via their computers. This risk can also be reduced by
implementing a middleware solution to properly control which
records each staff member can access and to minimize the
amount of sensitive data stored on their computers. Also, to be
effective, security practices cannot rely completely on
technological solutions. Continuing the example, policies are
required to clearly define staff responsibilities relating to the
data and the security of their workstations. Also, awareness
programs aimed specifically at staff and their responsibilities to
safeguard information might be developed, possibly in
conjunction with the organization’s information officer.
To complicate matters, the operational needs of organizational
networks often directly conflict with security practices such as
perimeter firewalls, port authentication, centralized
configuration management, and strong authentication. The
networks must therefore be designed to balance security and
privacy requirements while accommodating a wide variety of
end users and their needs – e.g., visitors, new employees
arriving with computers, managers sharing large quantities of
data with other managers, remote access to a variety of
network services for individuals who are traveling or
telecommuting, and mobile users moving between different
locations. Although firewalls are becoming widely used to
protect critical systems on organizational networks, their use at
the perimeter is less common because it is difficult to reconcile
their restrictiveness with the need for an open networking
environment that supports high-speed networking. Although
centralized management is feasible for certain hosts on
a network, this approach is not suitable for most computers and
many systems. In the end, security and privacy practices need to
be integrated into operational practices in a way that makes the
most sense for each location. This is not to say
that organizations cannot be secured; many organizations are
successfully balancing the need for security and an open,
collaborative networking environment.
Information Security Governance
Effective governance of the information security function is
critical to a successful program. It is both the “proof of the
pudding” with regard to management commitment and a source
of the guidance needed when deciding where to allocate scarce
resources. The topics covered under governance are:
 What is Information Security Governance and What it is Not
 Why Information Security Governance is Needed
 How to Govern Information Security
 Organizational Structure
 Roles and Responsibilities
 Strategic Planning
 Policy
 Compliance
 Risk Management
 Measuring and Reporting Performance
 Governance Models and Success Stories
Information Security Roles & Responsibilities
All information security responsibilities need to be defined and
allocated. Information security is the responsibility of everyone
at the organization. It is important to establish roles and
responsibilities so that everyone knows what is expected of
them when handling information. Leadership is also very
important, and many organizations have at least one person who
is primarily responsible for organizing the information security
program. Typically this is a Chief Information Security Officer
(CISO), Information Security Officer (ISO) or Director of
Information Security, although the title may vary depending on
the organization. No matter what title is selected, there should
be someone at the organization who can provide a high level of
decision-making support to the organization's leadership when
considering information security issues and
solutions. Information security responsibilities can be general
(e.g. protecting information) and/or specific (e.g. the
responsibility for granting a particular permission).
Consideration should be given to the ownership of information
assets or groups of assets when identifying responsibilities.
Some examples of the business roles which are likely to have
some information security relevance include: departmental
heads, business process owners, the facilities manager, the HR
manager and the internal auditor. The auditor will be looking to
gain assurance that the organization has made clear who is
responsible for what in an adequate and proportionate manner
according to the size and nature of the organization. For
smaller organizations, it is generally unrealistic to have full-time
positions for these roles and responsibilities. As such,
clarifying specific information security responsibilities within
existing job roles is important, e.g. the Operations Director or
CEO might also be the equivalent of the CISO, the Chief
Information Security Officer, with overarching responsibility for
all of the ISMS, and the CTO might own all the technology-related
information assets.
Segregation of Duties
Segregation of duties is the concept of having more than one
person required to complete a task. This is a best practice,
especially in cases where sensitive data is being handled.
Segregation of duties is a control put in place by
many organizations to mitigate the risk of an insider threat or
accidental employee mistakes. Sometimes this isn’t practical or
possible, but the organization should be aware of the risks of a
single person having too much access. Ideally, critical processes
or activities should be split up between multiple people. For
example, the initiation of a process, its execution, and its
authorization should be separated when possible. When this is
not possible, monitoring and auditing critical processes is very
important. Conflicting duties and areas of responsibility must be
segregated in order to reduce the opportunities for unauthorized
or unintentional modification or misuse of any of the
organization’s assets. The organization needs to ask itself
whether or not segregation of duties has been considered and
implemented where appropriate. Smaller organizations may
struggle with this, but the principle should be applied as far as
possible, with good governance and controls put in place for the
higher-risk, higher-value information assets captured as part of
the risk evaluation and treatment.
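As an added illustration (not part of the lecture notes), the two sides of this control in Python: a static check that no one holds a pair of conflicting roles, and the monitoring fallback the text recommends, an audit over process records that flags any transaction in which the same person performed more than one of the initiate, execute and authorize steps. The conflict matrix, role assignments, user names and audit records are all constructed sample data.

```python
"""Segregation-of-duties (SoD) checks over constructed sample data."""
from collections import defaultdict

# Constructed conflict matrix: role pairs one person must never hold together.
CONFLICTING_ROLES = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"user_admin", "security_auditor"}),
}

# Constructed role assignments (user -> set of roles).
ASSIGNMENTS = {
    "alice": {"payment_initiator", "developer"},
    "bob": {"payment_approver"},
    "carol": {"user_admin", "security_auditor"},   # toxic combination
    "dave": {"developer", "production_deployer"},   # toxic combination
}

# Constructed audit records for one critical process: (txn_id, step, actor).
AUDIT_LOG = [
    ("T1", "initiate", "alice"), ("T1", "execute", "erin"), ("T1", "authorize", "bob"),
    ("T2", "initiate", "alice"), ("T2", "execute", "alice"), ("T2", "authorize", "bob"),
    ("T3", "initiate", "frank"), ("T3", "execute", "erin"), ("T3", "authorize", "frank"),
]


def conflicting_assignments(assignments, conflicts=CONFLICTING_ROLES):
    """Static check: return {user: [sorted conflicting role pairs]} for every
    user whose role set contains a complete conflicting pair."""
    findings = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if hits:
            findings[user] = sorted(hits)
    return findings


def sod_violations(audit_log, steps=("initiate", "execute", "authorize")):
    """Detective check: return {txn_id: {actor: [steps]}} for every transaction
    in which one actor performed two or more of the separated steps."""
    by_txn = defaultdict(lambda: defaultdict(list))
    for txn, step, actor in audit_log:
        if step in steps:
            by_txn[txn][actor].append(step)
    return {txn: {actor: done for actor, done in actors.items() if len(done) > 1}
            for txn, actors in by_txn.items()
            if any(len(done) > 1 for done in actors.values())}


if __name__ == "__main__":
    print("toxic role combinations:", conflicting_assignments(ASSIGNMENTS))
    print("transactions breaking SoD:", sod_violations(AUDIT_LOG))
```

The static check belongs in access-provisioning reviews; the audit check is what you run over the process log when full separation is not achievable.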
Relationships with law enforcement are important to an
organization, and should be established prior to an emergency.
Having a protocol for engagement established before there is an
emergency will help in handling an incident appropriately. A
protocol for engagement with law enforcement can be a part of
the security incident response plan or a broader crisis
management procedure. The plan should be clear about which
situations require working with law enforcement, such as when
laws are broken. The plan should also clearly state who contacts
authorities and under what circumstances (e.g., when law
enforcement should be contacted by the information security
office or campus safety). Appropriate contacts with relevant
authorities must be maintained. Remember when adapting this
control to think about the legal responsibilities for contacting
authorities such as the Police, the Information Commissioner’s
Office or other regulatory bodies. Consider how that contact is
to be made, by whom, under what circumstances, and the nature
of the information to be provided.
There are many groups that support information security with
which an organization can collaborate and participate. The
information security threat landscape is ever changing and
security professionals can benefit from collaborating.
Being connected to special interest groups allows for knowledge
transfer and best practice development. Warnings about
potential threats can also help security operations prepare and
respond appropriately. Appropriate contacts with special interest
groups or other specialist security forums and professional
associations must also be maintained. When adapting this
control to your specific needs remember that memberships of
professional bodies, industry organizations, forums and
discussion groups all count towards this control.
Lecture 39
Information Security Standard compliance
History of the ISO 27001 standard
The ISO 27000 series of standards have been specifically
reserved by ISO for InfoSec matters. This, of course, aligns with
a number of other topics, including ISO 9000 (quality
management) and
Timeline (from the figure):
 Industry working group formed - 1993
 Code of practice - 1993
 British Standard - 1995
 BS 7799 Part 2 - 1998
 BS 7799 Part 1 and Part 2 revised - 1999
 BS ISO/IEC 17799 (BS 7799-1 : 2000)
 BS 7799-2 : 2002 published September 5, 2002
 ISO 17799 : 2005
 ISO 27001 : 2005
The ISO 27001 standard was published in October 2005,
essentially replacing the old BS 7799-2 standard (see Figure 1).
ISO 27001 is the specification for an Information Security
Management System. BS 7799 itself was a long-standing standard,
first published in the 1990s as a code of practice. As it matured,
a second part emerged to cover management systems, on the
basis of which certification is granted; that is, it is an auditable
standard. Today, more than 1,000 BS 7799 certificates are in
place across the world. ISO 27001 enhanced the content of BS
7799-2 (i.e., Part II of BS 7799) and harmonized it with the
other standards. A scheme has been introduced by various
certification bodies for conversion from BS 7799 certification to
ISO 27001 certification.
The ISO 27002 standard is expected to be the renamed version of
the existing ISO 17799 standard. However, as a new version of ISO
17799 has only recently hit the presses, this is not likely to be
enacted for a considerable period (years, not months). ISO
17799 itself is a code of practice for InfoSec. It basically
outlines hundreds of potential controls and control mechanisms,
which may be implemented, in theory, subject to the ISMS
guidance provided within ISO 27001. It was originally a
document published by the UK government, but became a
standard “proper” in 1995 when it was re-published by the British
Standards Institute (BSI) as BS 7799. In 2000 it was again
republished, this time by ISO, as ISO 17799.
As at the time of writing this, the ISO/IEC 27004 is proposed:
information technology security (ITS) techniques and ISM
measurements. ISO 27004 will be a new ISO standard on ISM
measurements. The standard is currently a working draft, being
circulated for study and comment. As per information available
at the time of writing this, if things go as per plan, it will soon
be published. Publication is due sometime in 2008. The standard
is expected to help organizations measure and report the
effectiveness of their ISMSs, covering both the security
management processes (defined in ISO 27001) and the controls
(ISO 17799/ ISO 27002).
The scope of the ISO 27004 standard is to "provide guidance on
the specification and use of measurement techniques for
providing assurance as regards the effectiveness of information
security management systems. It is intended to be applicable to
a wide range of organizations with a correspondingly wide
range of information security management systems. It provides
guidance for measurement procedures and techniques, to
determine the effectiveness of information security controls and
information security processes applied in ISMS. The purpose of
the Information Security Management Measurements
Development and Implementation process, defined in this
Standard is to create a base for each organization to collect,
analyze and communicate data related to ISMS processes. This
data is ultimately to be used to base ISMS-related decisions and
to improve implementation of ISMS."
At the time of writing this, ISO/IEC 27005 is proposed to cover
ITS techniques and management of information and
communications technology security (MICTS)-Part 2:
Techniques for information and communications technology
(ICT) security risk management. Parts 1-4 of ISO TR 13335 will
become an international standard for MICTS consisting of the
following two parts:
 Part 1: Concepts and models for ICT security management (combining Parts 1 and 2 of ISO TR 13335).
 Part 2: Techniques for ICT security risk management (consisting of ISO TR 13335 Part 3).
The proposed scope of ISO 27005 is to 'provide techniques for
information security risk management that includes information
and communications technology security risk management. The
techniques are based on the general concepts, models, and
management and planning guidelines laid out in Part 1 of this
International Standard. These guidelines are designed to assist
the implementation of information security. Familiarity with the
concepts and models, and the material concerning the
management and planning of information security in ISO/IEC
13335-1, is important for a complete understanding of Part 2 .
This document gives guidelines for information security risk
management, which ISO/IEC 13335-1 of this International
Standard specifies as one of activities that information security
management requires to be carried out. ISO/IEC 27005 is
applicable to any organization which intends to manage risk
that could compromise the organization's information
security.
ISO 27001 in Organizational Context
ISO 27001 (formerly BS 7799) describes a six-stage process:
1. Define an InfoSec policy.
2. Define the scope of the ISMS.
3. Perform a security risk assessment.
4. Manage the identified risk.
5. Select controls to be implemented and applied.
6. Prepare a 'statement of applicability' (SoA).
The Plan-Do-Check-Act (PDCA) approach described by ISO
27001 and its details in implementation context are depicted in
Figure 1. In reference to this figure, the PDCA cycle can be
explained in brief as follows:
1. PLAN - Establish Context:
 Define ISMS scope.
 Define policy.
 Identify risks.
 Assess risks.
 Select control objectives.
2. DO - Implement and Operate:
 Implement risk treatment plan.
 Deploy controls.
3. CHECK - Monitor and Review:
 Monitor processes.
 Regular reviews.
 Internal audits.
4. ACT - Maintain and Improve:
 Implement improvements.
 Corrective actions.
 Preventative actions.
 Communicate with stakeholders.
As can be seen, ISO 27001 is an ISMS development
methodology and it explains how to create an ISMS. However, it
does not tell you what kind of elements make up an ISMS. That is
what ISO 17799 is all about.
ISO 17799 lists all the bits and pieces that combine to make up
an ISMS. It presents a detailed list of generally accepted
information security management practices. ISO 27001 asks you
to select only those security practices that address your
organization's unique security risks and requirements (see
Figure 2).
The ISM practices that make up ISO 17799 are organized as
follows:
 Security objectives (for ISO 27001).
 Security controls (for ISO 27001) - there are a total of 15 controls, each divided into subsections.
 Implementation guidance.
 Other information.

Thus, ISO 27001 asks you to select the security objectives and
security controls that address your unique security risks and
requirements, and then to use this information to prepare what
ISO calls an SoA. This SoA is, in turn, used to prepare a
detailed Risk Treatment Plan. Once you have implemented this
Plan, you have established an ISMS, one that meets your
organization's unique InfoSec needs and requirements.
Fortunately, the ISO 17799 security objectives and security
controls are included with the ISO 27001 standard, so there is no
need to purchase ISO 17799 in order to build the ISMS.
However, to get additional detailed implementation
guidance and other related information one has to purchase ISO
17799. It is to be noted that ISO 17799 will eventually become
ISO 27002.