
CT-702N

CYBER SECURITY
PREPARED BY: PROF.NEHAL SHAH
UNIT 2
Information Security
Concepts
Introduction
• Information Security Overview
• Information Security Services
• Goals for Security
• E-commerce security
• Computer Forensics
• Digital Forensics Science
• Digital Forensics Life Cycle.
Information Security
• Information Security is not only about securing information from
unauthorized access.
• Information Security is basically the practice of preventing
unauthorized access, use, disclosure, disruption, modification,
inspection, recording or destruction of information.
• Information can be physical or electronic. It can be anything like your
details, or we can say your profile on social media, your data in a mobile
phone, your biometrics, etc.
• Thus Information Security spans so many research areas like
Cryptography, Mobile Computing, Cyber Forensics, Online
Social Media etc. 

• Information Security programs are built around 3 objectives, commonly
known as CIA – Confidentiality, Integrity, Availability.
Cyber Security Goals
• The objective of Cybersecurity is to protect information from being
stolen, compromised or attacked.
• Cybersecurity can be measured by at least one of three goals:
1. Protect the confidentiality of data.
2. Preserve the integrity of data.
3. Promote the availability of data for authorized users.
• These goals form the confidentiality, integrity, availability (CIA) triad,
the basis of all security programs.
• The CIA triad is a security model that is designed to guide policies
for information security within the premises of an organization or
company.
• This model is also referred to as the AIC (Availability, Integrity, and
Confidentiality) triad to avoid the confusion with the Central
Intelligence Agency.
• The elements of the triad are considered the three most crucial
components of security.
• The CIA criteria are the ones that most organizations and companies apply
when they install a new application, create a database or grant access to
some data.
• For data to be completely secure, all of these security goals must
come into effect.
• These goals are security policies that work together, so it is a mistake
to overlook any one of them.
1. Confidentiality
• Confidentiality is roughly equivalent to privacy and avoids the
unauthorized disclosure of information.
• It involves the protection of data, providing access for those who
are allowed to see it while disallowing others from learning
anything about its content.
• It prevents essential information from reaching the wrong people
while making sure that the right people can get it.
• Data encryption is a good example to ensure confidentiality.
Tools for Confidentiality
Encryption
• Encryption is a method of transforming information to make it
unreadable for unauthorized users by using an algorithm.
• The transformation of data uses a secret key (an encryption key)
so that the transformed data can only be read by using another
secret key (decryption key).
• It protects sensitive data such as credit card numbers by encoding
and transforming data into unreadable cipher text.
• This encrypted data can only be read by decrypting it.
• Asymmetric-key and symmetric-key are the two primary types of
encryption.
Access control
• Access control defines rules and policies for limiting access to a
system or to physical or virtual resources.
• It is a process by which users are granted access and certain
privileges to systems, resources or information.
• In access control systems, users need to present credentials, such as a
person's name or a computer's serial number, before they can be granted
access.
• In physical systems, these credentials may come in many forms, but
credentials that can't be transferred provide the most security.
Authentication

• Authentication is the process that confirms a user's identity or the role
that someone holds. It can be done in a number of different ways, but it is
usually based on a combination of:
• something the person has (like a smart card or a radio key for storing
secret keys),
• something the person knows (like a password),
• something the person is (like a fingerprint).
• Authentication is a necessity for every organization because it enables
organizations to keep their networks secure by permitting only
authenticated users to access protected resources.
• These resources may include computer systems, networks, databases,
websites and other network-based applications or services.
Authorization
• Authorization is a security mechanism which gives permission to
do or have something.
• It is used to determine whether a person or system is allowed access to
resources, based on an access control policy; resources include computer
programs, files, services, data and application features.
• It is normally preceded by authentication for user identity
verification. System administrators are typically assigned
permission levels covering all system and user resources.
• During authorization, a system verifies an authenticated user's
access rules and either grants or refuses resource access.
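The two steps described above, authentication first and then authorization against an access control policy, as an added Python example. This is illustrative code written for this page, not part of the lecture: the user records, the role-based policy table, the resource and action names and the PBKDF2 settings are all constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed user store: passwords are kept only as salted PBKDF2 hashes,
# never in clear text. Names and passwords are sample values.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


USERS = {
    "alice": make_user("correct horse battery staple", "admin"),
    "bob": make_user("hunter2", "analyst"),
}

# Constructed access control policy: role -> resource -> allowed actions.
# Anything not listed is refused (deny by default).
POLICY = {
    "admin": {"evidence_db": {"read", "write", "delete"}, "audit_log": {"read"}},
    "analyst": {"evidence_db": {"read"}},
}


def authenticate(username: str, password: str):
    """Identity verification: return (username, role) or None on failure."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return (username, record["role"])


def authorize(principal, action: str, resource: str) -> bool:
    """Permission check for an already authenticated principal."""
    if principal is None:
        return False
    _, role = principal
    return action in POLICY.get(role, {}).get(resource, set())


def access(username: str, password: str, action: str, resource: str) -> str:
    """Authorization is preceded by authentication, as the slides describe."""
    principal = authenticate(username, password)
    if principal is None:
        return "denied: authentication failed"
    if not authorize(principal, action, resource):
        return f"denied: {principal[1]} may not {action} {resource}"
    return f"granted: {username} may {action} {resource}"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "delete", "evidence_db"))
    print(access("bob", "hunter2", "delete", "evidence_db"))
    print(access("bob", "wrong", "read", "evidence_db"))
    print(access("mallory", "x", "read", "evidence_db"))
```

Note that a failed login and a failed permission check are reported separately here only for teaching purposes; the policy itself is deny-by-default, so a role or resource missing from the table is refused rather than allowed.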
Physical Security

• Physical security describes measures designed to deny unauthorized
access to IT assets like facilities, equipment, personnel, resources and
other property, and to protect them from damage.
• It protects these assets from physical threats including theft,
vandalism, fire and natural disasters.
2. Integrity

• Integrity refers to the methods for ensuring that data is real,
accurate and safeguarded from unauthorized modification.
• It is the property that information has not been altered in an
unauthorized way, and that the source of the information is genuine.
Tools for Integrity
Backups
• Backup is the periodic archiving of data. It is a process of making
copies of data or data files to use in the event when the original
data or data files are lost or destroyed.
• It is also used to make copies for historical purposes, such as for
longitudinal studies, statistics or for historical records or to meet
the requirements of a data retention policy.
• Many applications especially in a Windows environment, produce
backup files using the .BAK file extension.
Checksums

• A checksum is a numerical value used to verify the integrity of a
file or a data transfer.
• In other words, it is the computation of a function that maps the
contents of a file to a numerical value.
• Checksums are typically used to compare two sets of data to make sure
that they are the same. A checksum function depends on the entire
contents of a file.
• It is designed so that even a small change to the input file
(such as flipping a single bit) is likely to result in a different output
value.
Data Correcting Codes

• Error-correcting codes are a method for storing data in such a way that
small changes can be easily detected and automatically corrected.
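The checksum and error-correcting code ideas from the two slides above, as an added Python example that is not part of the lecture. It contrasts a simple additive checksum with a SHA-256 hash on a constructed byte string, then implements a Hamming(7,4) code, which goes one step beyond detection by locating and repairing a single flipped bit.

```python
import hashlib


def simple_checksum(data: bytes) -> int:
    """Additive 8-bit checksum. It detects many changes but not all (two
    compensating changes cancel out) and it never says which bit changed."""
    return sum(data) & 0xFF


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with one bit flipped (simulated corruption)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def integrity_report(original: bytes, received: bytes) -> dict:
    """Does each integrity check notice that 'received' differs from 'original'?"""
    return {
        "checksum_detects": simple_checksum(original) != simple_checksum(received),
        "sha256_detects": hashlib.sha256(original).digest() != hashlib.sha256(received).digest(),
    }


def hamming74_encode(nibble: int) -> int:
    """Encode 4 data bits as a 7-bit Hamming(7,4) codeword.
    Positions (1-based): p1 p2 d1 p3 d2 d3 d4. Each parity bit covers the
    positions whose binary index has the corresponding bit set."""
    d1, d2, d3, d4 = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]
    p1 = d1 ^ d2 ^ d4      # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4      # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4      # covers positions 4, 5, 6, 7
    word = 0
    for b in (p1, p2, d1, p3, d2, d3, d4):
        word = (word << 1) | b
    return word


def hamming74_decode(word: int) -> tuple:
    """Return (data nibble, corrected position); position 0 means no error.
    A single flipped bit yields a syndrome equal to its 1-based position,
    so the code both detects and corrects it."""
    bits = [(word >> (6 - i)) & 1 for i in range(7)]   # positions 1..7
    p1, p2, d1, p3, d2, d3, d4 = bits
    syndrome = ((p1 ^ d1 ^ d2 ^ d4)
                | ((p2 ^ d1 ^ d3 ^ d4) << 1)
                | ((p3 ^ d2 ^ d3 ^ d4) << 2))
    if syndrome:
        bits[syndrome - 1] ^= 1
    _, _, d1, _, d2, d3, d4 = bits
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, syndrome


def flip_codeword_bit(word: int, position: int) -> int:
    """Flip the bit at 1-based position (1..7) of a 7-bit codeword."""
    return word ^ (1 << (7 - position))


if __name__ == "__main__":
    original = b"evidence"                       # constructed sample data
    print(integrity_report(original, flip_bit(original, 0, 2)))
    # Two compensating changes: +1 in one byte, -1 in another. The additive
    # checksum is fooled; the cryptographic hash is not.
    tampered = bytes([original[0] + 1, original[1] - 1]) + original[2:]
    print(integrity_report(original, tampered))
    codeword = hamming74_encode(0b1011)
    print(hamming74_decode(flip_codeword_bit(codeword, 5)))
```

The Hamming code corrects any single-bit error in the 7-bit word, but two flipped bits will be "corrected" to the wrong value; that is why integrity tools pair error-correcting codes with a cryptographic hash rather than relying on either alone.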
3. Availability

• Availability is the property in which information is accessible and
modifiable in a timely fashion by those authorized to do so.
• It is the guarantee of reliable and constant access to our sensitive
data by authorized people.
Tools for Availability

• Physical Protections
• Computational Redundancies
Physical Protections

• Physical safeguards keep information available even in the event of
physical challenges.
• They ensure that sensitive information and critical information technology
are housed in secure areas.
Computational redundancies

• Redundancy is applied as fault tolerance against accidental faults: spare
computers and storage devices serve as fallbacks in the case of failures.
E-Commerce Security
• E-commerce security is the protection of e-commerce assets from
unauthorized access, use, alteration, or destruction. 
• Security is an essential part of any transaction that takes place over
the internet. Customers will lose their faith in an e-business if its
security is compromised.
• 6 dimensions of e-commerce security
• Authenticity − There should be a mechanism to authenticate a user
before giving him/her an access to the required information.
• Confidentiality − Information should not be accessible to an
unauthorized person. It should not be intercepted during the
transmission.
• Availability − Information should be available wherever and whenever
required within a time limit specified.
• Privacy- Provision of data control and disclosure
• Integrity − Information should not be altered during its transmission
over the network.
• Non-Repudiability − It is the protection against the denial of order or
denial of payment. Once a sender sends a message, the sender should not
be able to deny sending the message. Similarly, the recipient of message
should not be able to deny the receipt.
Threat to E-Commerce

• E-Commerce refers to the activity of buying and selling things over
the internet. Simply, it refers to the commercial transactions which
are conducted online.
• E-commerce can be drawn on many technologies such as mobile
commerce, Internet marketing, online transaction processing,
electronic funds transfer, supply chain management, electronic
data interchange (EDI), inventory management systems, and
automated data collection systems.
• E-commerce threats arise from using the internet for unfair means with
the intention of stealing, fraud and security breaches.
• There are various types of e-commerce threats.
• Some are accidental, some are purposeful, and some of them are
due to human error.
• The most common security threats concern electronic payment
systems, e-cash, data misuse, credit/debit card fraud, etc.
Electronic payments system:
• With the rapid development of the computer, mobile, and network
technology, e-commerce has become a routine part of human life.
• In e-commerce, the customer can order products at home and save
time for doing other things.
• There is no need of visiting a store or a shop.
• The customer can select different stores on the Internet in a very
short time and compare the products with different characteristics
such as price, color, and quality.
• The electronic payment systems have a very important role in e-commerce.
• E-commerce organizations use electronic payment systems that
refer to paperless monetary transactions.
• It revolutionized business processing by reducing paperwork,
transaction costs and labor costs. E-commerce processing is user-friendly
and less time consuming than manual processing.
• Electronic commerce helps a business organization expand its
market reach.
• There is a certain risk with the electronic payments system.
Some of them are:
• The Risk of Fraud
• An electronic payment system carries a high risk of fraud. The
computing devices use an identity of the person for authorizing a
payment, such as passwords and security questions.
• These authentication methods are not foolproof in determining the
identity of a person.
• If the password and the answers to the security questions match,
the system doesn't care who is on the other side.
• If someone has access to our password or the answers to our
security questions, they will gain access to our money and can steal it
from us.
• The Risk of Tax Evasion
• The Internal Revenue Service law requires that every business
declare its financial transactions and provide paper records so that
tax compliance can be verified.
• The problem with electronic systems is that they don't fit
cleanly into this paradigm.
• It makes the process of tax collection very frustrating for the Internal
Revenue Service.
• It is at the business's discretion to disclose payments received or made
via electronic payment systems. The IRS has no way to know whether it is
telling the truth or not, which makes it easy to evade taxation.
• The Risk of Payment Conflicts
• In electronic payment systems, the payments are handled by an
automated electronic system, not by humans.
• The system is prone to errors when it handles large amounts of
payments on a frequent basis with more than one recipient
involved.
• It is essential to continually check our pay slip after every pay period
ends in order to ensure everything makes sense.
• Failing to do this may result in payment conflicts caused by technical
glitches and anomalies.
• E-cash
• E-cash is a paperless cash system which facilitates the transfer of
funds anonymously.
• E-cash is free to the user, while the sellers pay a fee for it.
• The e-cash fund can be either stored on a card itself or in an account
which is associated with the card.
• The most common examples of e-cash system are transit card,
PayPal, GooglePay, Paytm, etc.
E-cash has four major components:
1. Issuers - They can be banks or non-bank institutions.
2. Customers - They are the users who spend the e-cash.
3. Merchants or Traders - They are the vendors who receive e-cash.
4. Regulators - They are the authorities or state tax agencies.
• In e-cash, financial information is stored on a computer, an electronic
device or on the internet, where it is vulnerable to hackers. Some of the
major threats related to e-cash systems are:
• Backdoors Attacks
• It is a type of attack which gives an attacker unauthorized access to a
system by bypassing the normal authentication mechanisms. It works in the
background and hides itself from the user, which makes it difficult to
detect and remove.
• Denial of service attacks
• A denial-of-service attack (DoS attack) is a security attack in which
the attacker takes action that prevents the legitimate (correct) users
from accessing the electronic devices. It makes a network resource
unavailable to its intended users by temporarily disrupting services of
a host connected to the Internet.
• Direct Access Attacks
• A direct access attack is an attack in which an intruder gains physical
access to the computer to perform unauthorized activity, such as
installing various types of software to compromise security. Such
software may be loaded with worms and download a huge amount of
sensitive data from the target victims.
• Eavesdropping
• This is an unauthorized way of listening to private communication
over the network. It does not interfere with the normal operations of
the targeted system, so the sender and the recipient of the
messages are not aware that their conversation is being tracked.
• Credit/Debit card fraud
• A credit card allows us to borrow money from the issuing bank to
make purchases. The issuer of the credit card has the condition that
the cardholder will pay back the borrowed money with an additional
agreed-upon charge.
• A debit card is a plastic card issued by a financial organization to an
account holder who has a savings deposit account; it can be used instead
of cash to make purchases. The debit card can be used only when funds
are available in the account.
Some of the important threats associated with debit/credit cards are:
• ATM (Automated Teller Machine)-
• It is the favorite place of fraudsters, from where they can steal our
card details. Some of the important techniques which criminals use to
get hold of our card information are:
• Skimming-
• It is the process of attaching a data-skimming device to the card
reader of the ATM.
• When the customer swipes their card in the ATM card reader, the
information is copied from the magnetic stripe to the device. By
doing this, the criminals get to know the card number, name, CVV
number, expiry date of the card and other details.
• Unwanted Presence-
• It is a rule that not more than one user should use the ATM at a time.
If we find more than one person lurking around together, the
intention behind this may be to observe our card details while we are
making our transaction.
• Vishing/Phishing
• Phishing is an activity in which an intruder obtains the sensitive
information of a user, such as passwords, usernames and credit card
details, often for malicious reasons.
• Vishing is an activity in which an intruder obtains the sensitive
information of a user via SMS messages or calls to mobile phones. These
SMS messages and calls appear to be from a reliable source, but in reality
they are fake. The main objective of vishing and phishing is to get the
customer's PIN, account details and passwords.
• Online Transaction
• Online transactions can be made by customers to shop and pay their
bills over the internet. Just as it is easy for the customer, it is also
easy for an attacker to break into our system and steal our sensitive
information. Some important ways our confidential information is stolen
during an online transaction are:
• By downloading software which scans our keystrokes and steals our
password and card details.
• By redirecting a customer to a fake website which looks like the original
and steals our sensitive information.
• By using public Wi-Fi
• POS Theft
• It is commonly done at merchant stores at the time of POS
transaction. In this, the salesperson takes the customer card for
processing payment and illegally copies the card details for later use.
Computer Forensics
• Cyber forensics is a process of extracting data as proof
for a crime (that involves electronic devices) while
following proper investigation rules to nab the culprit by
presenting the evidence to the court.
• Cyber forensics is also known as computer forensics.
• The main aim of cyber forensics is to maintain the
thread of evidence and documentation to find out
who did the crime digitally.
• Cyber forensics can do the following:
• It can recover deleted files, chat logs, emails, etc
• It can also get deleted SMS, Phone calls.
• It can get recorded audio of phone conversations.
• It can determine which user used which system and for how
much time.
• It can identify which user ran which program.
Why is cyber forensics important?
• In today's technology-driven generation, the importance of cyber
forensics is immense.
• Technology combined with forensic methods paves the way for
quicker investigations and accurate results.
• Below are the points depicting the importance of cyber forensics:
• Cyber forensics helps in collecting important digital evidence to trace
the criminal.
• Electronic equipment stores massive amounts of data that a normal
person fails to see. For example, in a smart house, every word we speak
and every action performed by smart devices generates huge amounts of
data, which is crucial in cyber forensics.
• It is also helpful for innocent people to prove their innocence via the
evidence collected online.
• It is not only used to solve digital crimes but also used to solve real-
world crimes like theft cases, murder, etc.
• Businesses are equally benefitted from cyber forensics in tracking
system breaches and finding the attackers.
The Process Involved in Cyber Forensics

1. Obtaining a digital copy of the system that is being or is required to
be inspected.
2. Authenticating and verifying the reproduction.
3. Recovering deleted files (using the Autopsy tool).
4. Using keywords to find the information you need.
5. Establishing a technical report.
How do Cyber Forensics Experts Work?

• Cyber forensics is a field that follows certain procedures to find the
evidence and reach conclusions after proper investigation of matters.
• The procedures that cyber forensic experts follow are:
• Identification:
• The first step for cyber forensics experts is to identify what evidence is
present, where it is stored, and in which format it is stored.
• Preservation:
• After identifying the data, the next step is to safely preserve the data and
not allow other people to use that device, so that no one can tamper with
the data.
• Analysis:
• After getting the data, the next step is to analyze the data or system.
Here the expert recovers the deleted files and verifies the recovered
data and finds the evidence that the criminal tried to erase by deleting
secret files. This process might take several iterations to reach the final
conclusion.
• Documentation:
• Now after analyzing data a record is created. This record contains all
the recovered and available(not deleted) data which helps in
recreating the crime scene and reviewing it.
• Presentation:
• This is the final step in which the analyzed data is presented in front of
the court to solve cases.
Types of computer forensics

• There are multiple types of computer forensics depending on the field in
which digital investigation is needed. The fields are:
• Network forensics: This involves monitoring and analyzing the
network traffic to and from the criminal's network. The tools used
here are network intrusion detection systems and other automated
tools.
• Email forensics: In this type of forensics, the experts check the email
of the criminal and recover deleted email threads to extract
crucial information related to the case.
• Malware forensics: This branch of forensics involves hacking-related
crimes. Here, the forensics expert examines the malware and trojans to
identify the hacker behind them.
• Memory forensics: This branch of forensics deals with collecting raw data
from memory (like cache, RAM, etc.) and then retrieving information from
that data.

• Mobile Phone forensics: This branch of forensics generally deals with
mobile phones. They examine and analyze data from the mobile
phone.
• Database forensics: This branch of forensics examines and analyzes
the data from databases and their related metadata.
• Disk forensics: This branch of forensics extracts data from storage
media by searching modified, active, or deleted files.
Techniques that cyber forensic investigators use
• Cyber forensic investigators use various techniques and tools to
examine the data and some of the commonly used techniques are:
• Reverse steganography: Steganography is a method of hiding
important data inside the digital file, image, etc. So, cyber forensic
experts do reverse steganography to analyze the data and find a
relation with the case.
• Stochastic forensics: In Stochastic forensics, the experts analyze and
reconstruct digital activity without using digital artifacts. Here,
artifacts mean unintended alterations of data that occur from digital
processes.
• Cross-drive analysis: In this process, the information found on
multiple computer drives is correlated and cross-referenced to
analyze and preserve information that is relevant to the investigation.
• Live analysis: In this technique, the suspect's computer is analyzed
from within the running OS. It targets the volatile data in RAM to
obtain valuable information.
• Deleted file recovery: This includes searching for memory to find
fragments of a partially deleted file in order to recover it for evidence
purposes.
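The deleted-file recovery technique above (and the "recovering deleted files" and "using keywords" steps of the cyber forensics process) as an added Python example; this is illustrative code written for this page, not the lecture's own material and not the Autopsy or Scalpel implementation. It carves files out of a raw image purely by header and footer signatures, ignoring the file system, and runs a keyword search over the same bytes. The "disk image", the placeholder PNG and JPEG payloads and the filler bytes are all constructed.

```python
import hashlib

# Header and footer signatures (magic bytes) of two common file types, plus a
# cap on how far past a header to look for its footer. Real carving tools
# carry much larger signature tables; this small one suffices here.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10_000_000),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10_000_000),
}


def carve(image: bytes) -> list:
    """Scan a raw image for header/footer pairs and return the carved files.
    The file system is ignored entirely, so files whose directory entries
    were deleted are still found as long as their blocks were not overwritten."""
    found = []
    for kind, (header, footer, max_len) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            f = image.find(footer, h + len(header), h + max_len)
            if f == -1:            # header without a footer: skip it, keep scanning
                start = h + 1
                continue
            data = image[h:f + len(footer)]
            found.append({
                "type": kind, "offset": h, "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),   # hash each item for the report
                "data": data,
            })
            start = h + len(data)
    return sorted(found, key=lambda item: item["offset"])


def keyword_search(image: bytes, keywords: list) -> dict:
    """Offsets of each keyword anywhere in the raw image, allocated or not."""
    hits = {}
    for kw in keywords:
        offsets, pos = [], image.find(kw)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(kw, pos + 1)
        hits[kw] = offsets
    return hits


def filler(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for unallocated space."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))


# Constructed placeholder files: valid signatures around dummy payloads
# (not real picture data) so the sample image stays tiny.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"<png chunks>" + b"IEND\xaeB`\x82"
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"<jpeg scan>" + b"\xff\xd9"


def build_sample_image() -> bytes:
    """Constructed 'disk image': filler with one PNG and one JPEG whose
    directory entries we pretend were deleted."""
    return filler(512) + SAMPLE_PNG + filler(300) + SAMPLE_JPG + filler(200)


if __name__ == "__main__":
    image = build_sample_image()
    for item in carve(image):
        print(item["type"], item["offset"], item["size"], item["sha256"])
    print(keyword_search(image, [b"chunks", b"scan"]))
```

Carving by signature recovers only contiguous files; a fragmented file yields a header followed by the wrong footer, which is why the loop caps the search distance and why recovered items are hashed and checked rather than trusted outright.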
Advantages
• Cyber forensics ensures the integrity of the computer.
• Through cyber forensics, many people, companies, etc get to know
about such crimes, thus taking proper measures to avoid them.
• Cyber forensics find evidence from digital devices and then
present them in court, which can lead to the punishment of the
culprit.
• They efficiently track down the culprit anywhere in the world.
• They help people or organizations to protect their money and
time.
Difference between Computer Forensics and Digital Forensics
• Technically, the term computer forensics refers to the
investigation of computers. Digital forensics includes not only
computers but also any digital device, such as digital networks,
cell phones, flash drives and digital cameras.
DIGITAL FORENSICS
• Digital Forensics is a branch of forensic science which includes the
identification, collection, analysis and reporting of any valuable digital
information in digital devices related to computer crimes, as part of an
investigation.
• In simple words, Digital Forensics is the process of identifying,
preserving, analyzing and presenting digital evidence.
• The first computer crimes were recognized in the 1978 Florida Computer
Crimes Act, and after this the field of digital forensics grew quickly in
the late 1980s and 1990s.
• It covers areas of analysis like storage media, hardware, operating
systems, networks and applications. It consists of 5 steps at a high
level:
1. Identification of evidence: This involves identifying evidence related to the digital
crime in storage media, hardware, operating systems, networks and/or applications. It
is the most important and basic step.
2. Collection: This involves preserving the digital evidence identified in the first step so
that it does not degrade or vanish with time. Preserving the digital evidence is very
important and crucial.
3. Analysis: This involves analyzing the collected digital evidence of the committed
computer crime in order to trace the criminal and the possible path used to breach
the system.
4. Documentation: This involves proper documentation of the whole digital
investigation, the digital evidence, the loopholes of the attacked system, etc., so that the
case can be studied and analyzed in future and can be presented in court in a
proper format.
5. Presentation: This involves the presentation of all the digital evidence and
documentation in court in order to prove the digital crime committed and identify
the criminal.
Branches of Digital Forensics:

• Media forensics: It is the branch of digital forensics which includes
identification, collection, analysis and presentation of audio, video and image
evidence during the investigation process.
• Cyber forensics: It is the branch of digital forensics which includes
identification, collection, analysis and presentation of digital evidence during
the investigation of a cyber crime.
• Mobile forensics: It is the branch of digital forensics which includes
identification, collection, analysis and presentation of digital evidence during
the investigation of a crime committed through a mobile device like a mobile
phone, GPS device, tablet or laptop.
• Software forensics: It is the branch of digital forensics which includes
identification, collection, analysis and presentation of digital evidence during
the investigation of a crime related to software only.
DIGITAL FORENSICS
LIFECYCLE
The digital forensics process is shown in the following figure. Forensic life
cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and Identifying the Evidence

• In order to be processed and analysed, evidence must first be identified. It
might be possible that the evidence may be overlooked and not identified at
all. A sequence of events in a computer might include interactions between:
• Different files
• Files and file systems
• Processes and files
• Log files
• In the case of a network, the interactions can be between devices in the
organization or across the globe (Internet). If the evidence is never identified
as relevant, it may never be collected and processed.
2. Collecting and Recording Digital Evidence

• Digital evidence can be collected from many sources. The obvious
sources can be:
• Mobile phone
• Digital cameras
• Hard drives
• CDs
• USB memory devices
• Non-obvious sources can be:
• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags
• Proper care should be taken while handling digital evidence as it can
be changed easily.
• Once changed, the evidence cannot be analysed further. A
cryptographic hash can be calculated for the evidence file and later
checked if there were any changes made to the file or not.
• Sometimes important evidence might reside in volatile memory.
Gathering volatile data requires special technical skills.
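The hashing step above (calculate a cryptographic hash of the evidence file, then check later whether anything changed), together with the "obtain a digital copy" and "authenticate and verify the reproduction" steps of the cyber forensics process, as an added Python example. This is illustrative code written for this page, not the lecture's own material or any forensic tool's implementation; the sample "device" file, the examiner name and the manifest layout are constructed, and the walkthrough runs in a temporary directory.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20   # hash and copy in 1 MiB pieces so large images need not fit in memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path: str, image_path: str, examiner: str) -> dict:
    """Make a bit-for-bit copy of the source and record hashes of both sides,
    so the reproduction is verified at acquisition time rather than trusted."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    record = {
        "source": source_path,
        "image": image_path,
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_sha256": sha256_file(source_path),
        "image_sha256": sha256_file(image_path),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def save_manifest(record: dict, manifest_path: str) -> None:
    """The manifest is the written record that travels with the evidence."""
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)


def verify_image(manifest_path: str) -> bool:
    """Later check (before analysis, or whenever custody changes hands):
    recompute the working image's hash and compare it with the recorded one."""
    with open(manifest_path) as f:
        record = json.load(f)
    return sha256_file(record["image"]) == record["image_sha256"]


def walkthrough(workdir: str) -> dict:
    """Constructed scenario: a sample 'device' is imaged, the manifest is
    written, then a single byte of the working copy is altered."""
    src = os.path.join(workdir, "device.bin")
    img = os.path.join(workdir, "device.img")
    manifest = os.path.join(workdir, "manifest.json")
    with open(src, "wb") as f:
        f.write(b"sample evidence bytes " * 1000)       # constructed content
    record = acquire(src, img, "examiner-01")           # constructed examiner id
    save_manifest(record, manifest)
    intact_before = verify_image(manifest)
    with open(img, "r+b") as f:                          # simulate an accidental write
        f.seek(10)
        f.write(b"X")
    intact_after = verify_image(manifest)
    return {"acquisition_verified": record["verified"],
            "intact_before": intact_before,
            "intact_after": intact_after}


def run_walkthrough() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        return walkthrough(workdir)


if __name__ == "__main__":
    print(run_walkthrough())
```

A single changed byte is enough to fail the later check, which is exactly the property the slide relies on; in practice the copy is made through a write blocker and the manifest is signed or stored separately so that the hash itself cannot be quietly edited along with the image.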
3. Storing and Transporting Digital Evidence

• Some guidelines for handling of digital evidence:
• Image computer media using a write-blocking tool to ensure that
no data is added to the suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and evaluated to
validate their accuracy and reliability
• Care should be taken that evidence does not go anywhere without
properly being traced. Things that can go wrong in storage include:
• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media preserving mechanisms
• Sometimes evidence must be transported from place to place either
physically or through a network.
• Care should be taken that the evidence is not changed while in transit.
Analysis is generally done on the copy of real evidence.
• If there is any dispute over the copy, the real can be produced in court.
4. Examining/Investigating Digital Evidence

• A forensics specialist should ensure that they have proper legal
authority to seize, copy and examine the data.
• As a general rule, one should not examine digital information
unless one has the legal authority to do so.
• A forensic investigation performed on data at rest (hard disk) is
called dead analysis.
• Many current attacks leave no trace on the computer's hard drive.
• The attacker only exploits the information in the computer's main
memory. Performing a forensic investigation on main memory is
called live analysis.
• Sometimes the decryption key might be available only in RAM.
• Turning off the system will erase the decryption key. The process of
creating an exact duplicate of the original evidence is called
imaging. Some tools which can create entire hard drive images are:
5. Analysis, Interpretation and Attribution

• In digital forensics, only a few sequences of events might produce
evidence. But the possible number of sequences is very huge. The
digital evidence must be analyzed to determine the type of
information stored on it. Examples of forensics tools:
• Forensics Tool Kit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy
• Forensic analysis includes the following activities:
• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to crime
• Extracting emails and images
• Types of digital analysis:
• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis
6. Reporting

• After the analysis is done, a report is generated. The report may be in oral form or in written
form or both. The report contains all the details about the evidence in analysis,
interpretation, and attribution steps. As a result of the findings in this phase, it should be
possible to confirm or discard the allegations. Some of the general elements in the report are:
• Identity of the report agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions
7. Testifying

• This phase involves presentation and cross-examination of expert
witnesses. An expert witness may testify provided that:
• the testimony is based on sufficient facts or data,
• the testimony is the product of reliable principles and methods, and
• the witness has applied the principles and methods reliably to the facts of
the case.
THANK YOU