Question:-1 Define
1. Password Cracking:- Password cracking is the process of using
an application program to identify an unknown or forgotten
password to a computer or network resource. It can also be
used to help a threat actor obtain unauthorized access to
resources.
24. WIPO:- The intellectual property rights are laid down by the
World Intellectual Property Organization (WIPO).
Answer:---
Information Security: Information security, often referred to simply as
InfoSec, is the practice of defending information from unauthorized
access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction.
Answer:-
• The objective of Cyber security is to protect information
from being stolen, compromised or attacked. Cyber security
can be measured by at least one of three
goals:-
• Protect the confidentiality of data.
• Preserve the integrity of data.
• Promote the availability of data for authorized users.
Confidentiality :-
• Confidentiality is roughly equivalent to privacy and avoids
the unauthorized disclosure of information.
• It involves the protection of data, providing access for those who
are allowed to see it while disallowing others from learning
anything about its content.
• It prevents essential information from reaching the wrong people
while making sure that the right people can get it. Data encryption
is a good example to ensure confidentiality.
Confidentiality tools:-
• Encryption
• Access control
• Authentication
• Authorization
• Physical Security
Integrity :--
• Integrity refers to the methods for ensuring that data is real,
accurate and safeguarded from unauthorized user
modification.
• It is the property that information has not been altered in an
unauthorized way, and that the source of the information is
genuine.
Integrity tools:-
• Backups
• Checksums
• Data Correcting Codes
Availability:-
• Availability is the property in which information is accessible and
modifiable in a timely fashion by those authorized to do so. It is
the guarantee of reliable and constant access to our sensitive data
by authorized people.
Availability tools :--
• Physical Protections
• Computational Redundancies
Security policy :-
Security policy is the statement of responsible decision
makers about the protection mechanism of a company's crucial
physical and information assets.
Overall, it is a document that describes a company’s
security controls and activities.
Security policy does not specify a technological solution;
instead, it specifies sets of intentions and conditions that will
help to protect assets along with the company's proficiency to
organize business.
Policy makers :-
Security policy development is a joint or collective operation of
all entities of an organization that are affected by its rules.
Security policies should not be developed by the IT team alone:
everyone who has a stake in the security policy should be
involved in its development so that they, too, can mold the
policy according to their requirements.
Policy audit :-
• Security documents are living documents. Therefore, they ought
to be updated at specific intervals in response to changing business
and customer requirements.
• Once policies are well-established and ready to dictate typical
operations, an audit may be performed by outside or inside
agencies to compare existing practices to the intentions of the
policy.
• Security policy audits help the company to better understand
the threats the organization is exposed to and the effectiveness of
its current protection.
Policy enforcement :-
Enforcement of security policies ensures compliance with the
principles and practices dictated by the company, because policies
and procedures do not work if they are violated.
Enforcement is arguably the most significant aspect of a
company; it dissuades anyone from deliberately or accidentally
violating policy rules.
Policy awareness :-
Company employees are often perceived as a “soft” target to be
compromised, as the human element is the least predictable and
easiest to exploit.
Trusted employees are either “disgruntled” or are framed into
providing valuable information about a company.
Therefore, one of the most robust ways to combat this
exposure of information by employees is “education.”
Economy of mechanism :-
This principle states that security mechanisms should be as
simple and small as possible.
The Economy of mechanism principle simplifies the design and
implementation of security mechanisms.
If the design and implementation are simple and small, fewer
possibilities exist for errors.
The checking and testing process is less complicated because
fewer components need to be tested.
Fail-safe defaults :-
The Fail-safe defaults principle states that the default
configuration of a system should have a conservative protection
scheme.
This principle also restricts how privileges are initialized when a
subject or object is created.
Least Privilege :-
This principle states that a user should only have those
privileges that he needs to complete his task.
Its primary function is to control the assignment of rights
granted to the user, not the identity of the user.
This means that if the boss demands root access to a UNIX
system that you administer, he/she should not be given that
right unless he/she has a task that requires such level of access.
If possible, the elevated rights of a user identity should be
removed as soon as those rights are no longer needed.
Open Design :-
This principle states that the security of a mechanism should
not depend on the secrecy of its design or implementation.
It suggests that complexity does not add security.
This principle is the opposite of the approach known as
“security through obscurity.”
Example: DVD player & Content Scrambling System (CSS)
protection.
The CSS is a cryptographic algorithm that protects the DVD
movie disks from unauthorized copying.
Complete mediation :-
The principle of complete mediation restricts the caching of
information, which often leads to simpler implementations of
mechanisms.
The idea of this principle is that every access to every object
must be checked for compliance with a protection scheme to
ensure that it is allowed.
As a consequence, one should be wary of performance
improvement techniques which save the details of previous
authorization checks, since the permissions can change over
time.
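The stale-cache problem described above, as an added example that is not part of the original notes: one monitor saves earlier authorization decisions, the other consults the access list on every access, and a revocation separates the two. The class names, the user "alice" and the file "payroll.txt" are constructed for illustration.

```python
class AccessControlList:
    """Maps (subject, object) to a set of rights; anything absent is denied."""
    def __init__(self):
        self._rights = {}

    def grant(self, subject, obj, right):
        self._rights.setdefault((subject, obj), set()).add(right)

    def revoke(self, subject, obj, right):
        self._rights.get((subject, obj), set()).discard(right)

    def allows(self, subject, obj, right):
        # Fail-safe default: no entry means no access.
        return right in self._rights.get((subject, obj), set())


class CachingMonitor:
    """Saves the result of earlier checks, so a later revocation goes unnoticed."""
    def __init__(self, acl):
        self.acl = acl
        self._cache = {}

    def check(self, subject, obj, right):
        key = (subject, obj, right)
        if key not in self._cache:
            self._cache[key] = self.acl.allows(subject, obj, right)
        return self._cache[key]


class MediatingMonitor:
    """Complete mediation: the ACL is consulted on every single access."""
    def __init__(self, acl):
        self.acl = acl

    def check(self, subject, obj, right):
        return self.acl.allows(subject, obj, right)


def demo():
    """Return (cached, mediated) decisions before and after a revocation."""
    acl = AccessControlList()
    acl.grant("alice", "payroll.txt", "read")       # constructed sample data
    cached, mediated = CachingMonitor(acl), MediatingMonitor(acl)
    request = ("alice", "payroll.txt", "read")
    before = (cached.check(*request), mediated.check(*request))
    acl.revoke(*request)                             # permissions change over time
    after = (cached.check(*request), mediated.check(*request))
    return before, after


if __name__ == "__main__":
    print(demo())
```

After the revocation the caching monitor still answers "allowed" while the mediating monitor denies the request.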
Separation of Privilege:-
This principle states that a system should grant access
permission based on more than one condition being satisfied.
This principle may also be restrictive because it limits access to
system entities.
Thus, before a privilege is granted, more than two verifications
should be performed.
Example: To su (change) to root, two conditions must be met:
1. The user must know the root password.
2. The user must be in the right group (wheel).
Least Common Mechanism :-
This principle states that in systems with multiple users, the
mechanisms allowing resources shared by more than one user
should be minimized as much as possible.
This principle may also be restrictive because it limits the
sharing of resources.
Example: If a file or application needs to be accessed by
more than one user, then these users should use separate
channels to access these resources, which helps to prevent
Psychological acceptability :-
This principle states that a security mechanism should not make
the resource more complicated to access than if the security
mechanisms were not present.
At the same time, applications should not impart unnecessary
information that may lead to a compromise in security.
Example: When we enter a wrong password, the system should
only tell us that the user id or password was incorrect. It should
not tell us that only the password was wrong as this gives the
attacker information
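The wrong-password example above, as an added sketch that is not part of the original notes: the login check returns the same message whether the user id is unknown or the password is wrong. It goes one step beyond the text by doing the same hashing work on both paths, so response time does not reveal which one failed. The user store, the names and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "The user id or password was incorrect."


def _hash(password, salt):
    # Salted, slow hash; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(users):
    """Build {user_id: (salt, hash)} from constructed sample credentials."""
    store = {}
    for user_id, password in users.items():
        salt = os.urandom(16)
        store[user_id] = (salt, _hash(password, salt))
    return store


# Stand-in record used when the user id is unknown, so that path hashes too.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login(store, user_id, password):
    """Return (success, message); every failure carries the same message."""
    salt, expected = store.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    # Constant-time comparison, and an unknown user can never succeed.
    ok = hmac.compare_digest(candidate, expected) and user_id in store
    if ok:
        return True, "Login successful."
    return False, GENERIC_ERROR


if __name__ == "__main__":
    store = make_user_store({"asha": "correct horse"})   # constructed sample
    print(login(store, "asha", "wrong"))     # known user, wrong password
    print(login(store, "nobody", "wrong"))   # unknown user, same message
```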
Work Factor :-
This principle states that the cost of circumventing a security
mechanism should be compared with the resources of a
potential attacker when designing a security scheme.
In some cases, the cost of circumventing (known as the "work
factor") can be easily calculated.
Example: Suppose the number of experiments needed to try all
possible four character passwords is 24^4 = 331776. If the
potential attacker must try each experimental password at a
terminal, one might consider a four-character password to be
satisfactory.
Compromise Recording :-
The Compromise Recording principle states that sometimes it
is more desirable to record the details of an intrusion than to
adopt a more sophisticated measure to prevent it.
Example: The servers in an office network may keep logs for all
accesses to files, all emails sent and received, and all browsing
sessions on the web. Another example: Internet-connected
surveillance cameras are a typical compromise recording
system that can be placed to protect a building.
There are a number of illegal activities which are committed over the
internet by technically skilled criminals.
PUPs:-
PUPs, or Potentially Unwanted Programs, are less threatening
than other cybercrimes, but are a type of malware.
They uninstall necessary software in your system including
search engines and pre-downloaded apps.
Phishing:-
This type of attack involves hackers sending malicious email
attachments or URLs to users to gain access to their accounts or
computer.
Cybercriminals are becoming more established and many of
these emails are not flagged as spam.
Users are tricked by emails claiming they need to change their
password or update their billing information, giving criminals
access.
Prohibited/Illegal Content:-
This cybercrime involves criminals sharing and distributing
inappropriate content that can be considered highly distressing
and offensive.
Illegal content includes materials advocating terrorism-related
acts and child exploitation material.
This type of content exists both on the everyday internet and
on the dark web, an anonymous network.
Online Scams:-
These are usually in the form of ads or spam emails that include
promises of rewards or offers of unrealistic amounts of money.
Online scams include enticing offers that are “too good to be
true” and when clicked on can cause malware to interfere and
compromise information.
Exploit Kits:-
Exploit kits need a vulnerability (bug in the code of a software)
in order to gain control of a user’s computer.
They are ready-made tools criminals can buy online and use
against anyone with a computer.
The exploit kits are upgraded regularly, like normal
software, and are available on dark web hacking forums.
Cookie theft:--
• The cookies in our browser store personal data such as
browsing history, username, and passwords for different sites we
access.
• Once the hacker gets access to your cookie, he can
even authenticate himself as you on a browser.
• A popular method to carry out this attack is to manipulate a
user’s IP packets to pass through the attacker’s machine.
• Also known as SideJacking or Session Hijacking, this attack is easy
to carry out if the user is not using SSL (HTTPS) for the complete
session.
• On the websites where you enter your password and banking
details, it’s of utmost importance for them to make their
connections encrypted.
Click Jacking Attacks:--
Phishing:--
• Phishing is a hacking technique in which a hacker replicates
the most-accessed sites and traps the victim by sending that
spoofed link.
Fake WAP:--
• Just for fun, a hacker can use software to fake a wireless
access point.
• This WAP connects to the official public place WAP. Once you get
connected to the fake WAP, a hacker can access your data, just like
in the case above.
• It’s one of the easier hacks to accomplish and one needs only
simple software and a wireless network to execute it.
Waterhole attacks:---
• If you are a big fan of Discovery or National Geographic channels,
you could relate easily with the waterhole attacks. To poison a
place, in this case, the hacker hits the most accessible physical
point of the victim.
• For example, if the source of a river is poisoned, it will hit the
entire stretch of animals during summer. In the same way, hackers
target the most accessed physical location to attack the victim. That
point could be a coffee shop, a cafeteria, etc.
• Once the hacker is aware of your timings, they can use this type
of attack to create a fake Wi-Fi access point. Using this they can
modify your most visited website to redirect you to them and get
your personal information. As this attack collects information on a
user from a specific place, detecting the attacker is even harder.
One of the best ways to protect yourself against such types of
hacking attacks is to follow basic security practices and keep your
software/OS updated.
Key logger:--
• A key logger is simple software that records the key
sequence and strokes of your keyboard into a log file on
your machine.
• These log files might even contain your personal email IDs
and passwords. Also known as keyboard capturing, it can be
either software or hardware. While software-based keyloggers
target the programs installed on a computer, hardware
devices target keyboards, electromagnetic emissions,
smartphone sensors, etc.
• Keyloggers are one of the main reasons why online banking
sites give you an option to use their virtual keyboards. So,
whenever you’re operating a computer in a public setting, try
Objective of IPR:-
1. To create public awareness about the benefits of
Intellectual property among all sections of society.
2. To stimulate the creation and growth of intellectual
property by undertaking relevant measures.
3. To have strong effective laws with regard to IP
rights consistent with international obligations.
4. To modernise and strengthen IP administration.
5. To catalyse commercialization of IP rights.
6. To strengthen the enforcement and adjudicatory
mechanisms for combating IP violations and to promote
awareness and respect for IP rights.
Question: 15:- Define WIPO. When did India join WIPO? Describe
the WIPO & India in brief.
Answer:--
Define WIPO:- The World Intellectual Property Organization
(WIPO) is a specialized agency of the United Nations that aims
to promote and protect intellectual property (IP) across the
world.
India joined WIPO in 1975 and has acceded to several WIPO
treaties including WIPO Convention (1975), Paris Convention
(1998), Berne Convention (1928), Patent Cooperation Treaty
(1998), Phonograms Convention (1975), Nairobi Treaty (1983),
Nice Agreement (2019), Locarno Agreement (2019), and Vienna
Agreement (2019).
Question: 18 :- When did India join WIPO? List the conventions &
treaties that India has joined or is party to.
Answer:-
India, the country with the world's second largest population,
became a member of WIPO in 1975 and is currently party to six
treaties administered by WIPO, namely, WIPO Convention
(1975), Paris Convention (1998), Berne Convention (1928),
Patent Cooperation Treaty (1998), Phonograms Convention
(1975) and Nairobi Treaty (1983).
Question: 19:- Explain in brief about White Hat Hacker, Grey Hat
Hacker and Black Hat Hacker.
Answer:--
A Hacker is a person who is familiar with Computer Networks, Linux,
Cryptography, and other skills.
White Hat Hackers:-
White-Hat Hackers are also known as Ethical Hackers.
They are certified hackers who learn hacking
from courses.
Black-Hat Hackers:
Black-Hat Hackers are those hackers who enter the
system without taking owners’ permission.
These hackers use vulnerabilities as entry points.
They hack systems illegally.
They use their skills to deceive and harm people.
They conduct various attacks, write malware, and
damage system security.
They steal users’ passwords, data, and credit card
information by damaging system security.
Black-hat hackers make money by selling data and
credit card information on the dark web.
They also ruin people’s reputations to take
revenge.
Sometimes they steal the personal data of users and
blackmail them.
Gray-Hat Hackers:
Gray-Hat Hackers are a mix of both black and white hat
hackers.
These types of hackers find vulnerabilities in systems without
the permission of owners.
They don’t have any malicious intent.
However, this type of hacking is still considered illegal. But
they never share information with black hat hackers.
They find issues and report them to the owner, sometimes
requesting a small amount of money to fix them.
But some organizations disregard gray hat hackers because the
hacker is not bound by ethical hacking policies. These types of
hackers do not put anyone at risk.
Answer:-
In law, property refers to anything that can be owned or
possessed by a person or entity.
Tangible property refers to physical property that can be
touched such as buildings, cars, furniture, etc. On the other
hand, intangible property refers to non-physical property such
as patents, trademarks, copyrights, etc.