Cyber Security Notes

The document provides an overview of cyber security, emphasizing its importance in protecting systems and data from cyber threats, which include malware, DDoS attacks, and cyberwarfare. It outlines various types of cyber security, such as network security and application security, and discusses the need for comprehensive security policies and a nodal authority like CERT-In to manage cyber incidents. Additionally, it highlights the vulnerabilities in cyber security and the significance of awareness and education in mitigating risks associated with cybercrime and cyber terrorism.

Uploaded by

krishkiran2408

ST. PAUL’S DEGREE & PG COLLEGE


(Affiliated to Osmania University)
Street No. 8, Himayathnagar, Hyderabad. Ph.No: 27602533

B.Com VI Semester [Computer Application]


Cyber Security [Study Material]

UNIT-I

Cyber security is the application of technologies, processes and controls to protect systems,
networks, programs, devices and data from cyber attacks.
It aims to reduce the risk of cyber attacks and protect against the unauthorised exploitation of
systems, networks and technologies.
Who needs cyber security?
Everyone who is connected to the Internet needs cyber security. This is because most cyber
attacks are automated and aim to exploit common vulnerabilities rather than specific websites
or organisations.
Types of cyber threats
Common cyber threats include:
• Malware, such as ransomware, botnet software, RATs (remote access Trojans),
rootkits and bootkits, spyware, Trojans, viruses and worms.
• Backdoors, which allow remote access.
• Formjacking, which inserts malicious code into online forms.
• Cryptojacking, which installs illicit cryptocurrency mining software.
• DDoS (distributed denial-of-service) attacks, which flood servers, systems and
networks with traffic to knock them offline.
• DNS (domain name system) poisoning attacks, which compromise the DNS to
redirect traffic to malicious sites.
What are the 5 types of cyber security?
1. Critical infrastructure cyber security
Critical infrastructure organisations are often more vulnerable to attack than others because
SCADA (supervisory control and data acquisition) systems often rely on older software.
Operators of essential services in the UK’s energy, transport, health, water and digital
infrastructure sectors, and digital service providers are bound by the NIS Regulations
(Network and Information Systems Regulations 2018).
Among other provisions, the Regulations require organisations to implement appropriate
technical and organisational measures to manage their security risks.
2. Network security
Network security involves addressing vulnerabilities affecting our operating systems and
network architecture, including servers and hosts, firewalls and wireless access points, and
network protocols.
3. Cloud security
Cloud security is concerned with securing data, applications and infrastructure in the Cloud.
4. IoT (Internet of Things) security
IoT security involves securing smart devices and networks that are connected to the IoT. IoT
devices include things that connect to the Internet without human intervention, such as smart
fire alarms, lights, thermostats and other appliances.
5. Application security
Application security involves addressing vulnerabilities resulting from insecure development
processes in the design, coding and publishing of software or a website.
Cyber security vs information security
Cyber security is often confused with information security.
• Cyber security focuses on protecting computer systems from unauthorised access or
being otherwise damaged or made inaccessible.
• Information security is a broader category that protects all information assets, whether
in hard copy or digital form.
What is internet governance?
A) Internet governance refers to the rules, policies, standards and practices
that coordinate and shape global cyberspace. The Internet is a vast network of independently-
managed networks, woven together by globally standardized data communication protocols
(primarily, Internet Protocol, TCP, UDP, DNS and BGP). The common adoption and use of
these protocols unified the world of information and communications like never before.
Millions of digital devices and massive amounts of data, software applications, and electronic
services became compatible and interoperable. The Internet created a new environment, a
complex and dynamic “cyberspace.”
While Internet connectivity generated innovative new services, capabilities and
unprecedented forms of sharing and cooperation, it also created new forms of crime, abuse,
surveillance and social conflict. Internet governance is the process whereby cyberspace
participants resolve conflicts over these problems and develop a workable order.
The challenges of Internet governance
Cyber Threats:
The word “cyber” originally referred to cybernetics – the science of understanding the control
and movement of machines and animals. Later, “cyber” came to stand for “computerized.”
A cyber or cyber security threat is a malicious act that seeks to damage data, steal data, or
disrupt digital life in general. Cyber threats include computer viruses, data breaches, Denial
of Service (DoS) attacks, and other attack vectors.
Cyberwarfare:
Cyberwarfare is the use of cyber attacks against a nation-state, causing it significant harm, up
to and including physical warfare, disruption of vital computer systems and loss of life.
Types of cyberwarfare attacks
The threat of cyberwarfare attacks grows as a nation's critical systems are increasingly
connected to the internet. Even if these systems can be properly secured, they can still be
hacked by perpetrators recruited by nation-states to find weaknesses and exploit them.
Major types of cyberwarfare attacks include the following.
Destabilization
In recent years, cybercriminals have been attacking governments through critical
infrastructure, including such entities as transportation systems, banking systems, power
grids, water supplies, dams and hospitals. The adoption of the internet of things makes the
manufacturing industry increasingly susceptible to outside threats.
From a national security perspective, destabilizing critical digital infrastructure inflicts
damage on vital modern services or processes.
For example, an attack on the energy grid could have massive consequences for the
industrial, commercial and private sectors.
Sabotage
Cyber attacks that sabotage government computer systems can be used to support
conventional warfare efforts. Such attacks can block official government communications,
contaminate digital systems, enable the theft of vital intelligence and threaten national
security. State-sponsored or military-sponsored attacks,
for example, may target military databases to get information on troop locations, weapons
and equipment being used.
Data theft
Cybercriminals hack computer systems to steal data that can be used for intelligence, held for
ransom, sold, used to incite scandals and chaos, or even destroyed.
Cyber Crime
Crime that involves and uses computer devices and the Internet is known as cybercrime.
Cybercrime can be committed against an individual or a group; it can also be committed
against government and private organizations. It may be intended to harm someone’s
reputation or to cause physical or even mental harm.
Cybercrime can cause direct harm or indirect harm to whoever the victim is. However, the
largest threat of cybercrime is on the financial security of an individual as well as the
government.
Types of Cybercrime
Hacking
It is an illegal practice by which a hacker breaches someone’s computer security system
for personal interest.
Unwarranted mass-surveillance
Mass surveillance means surveillance of a substantial fraction of a group of people by an
authority, especially for security purposes; if someone does it for personal interest, it is
considered cybercrime.
Child pornography
It is one of the most heinous crimes that is brazenly practiced across the world. Children are
sexually abused and videos are being made and uploaded on the Internet.
Child grooming
It is the practice of establishing an emotional connection with a child especially for the
purpose of child-trafficking and child prostitution.
Copyright infringement
Using someone’s copyright-protected work without permission and publishing it under
one’s own name is known as copyright infringement.
Money laundering
Illegal possession of money by an individual or an organization is known as money
laundering. It typically involves transfers of money through foreign banks and/or legitimate
business. In other words, it is the practice of transforming illegitimately earned money into
the legitimate financial system.
Cyber terrorism:
Cyber terrorism can be described as Internet terrorism. With the advent of the Internet,
individuals and groups misuse its anonymity to threaten individuals, certain groups,
religions, ethnicities or beliefs. Cyberterrorism can be broadly categorized under three major
categories:
Simple: This consists of basic attacks including the hacking of an individual system.
Advanced: These are more sophisticated attacks and can involve hacking multiple systems
and/or networks.
Complex: These are coordinated attacks that can have a large-scale impact and make use of
sophisticated tools.
Cyber Espionage
Cyber espionage, or cyber spying, is a type of cyber attack in which an unauthorized user
attempts to access sensitive or classified data or intellectual property (IP) for economic gain,
competitive advantage or political reasons.
Cyber espionage attacks can be motivated by monetary gain; they may also be deployed in
conjunction with military operations or as an act of cyber terrorism or cyber warfare. The
impact of cyber espionage, particularly when it is part of a broader military or political
campaign, can lead to disruption of public services and infrastructure, as well as loss of life.
Need for a Comprehensive Cyber Security Policy
Security policies are a formal set of rules issued by an organization to ensure that users
who are authorized to access company technology and information assets comply with
rules and guidelines related to the security of information. It is a written document within
the organization that sets out how to protect the organization from threats and how to
handle them when they occur. A security policy is also considered to be a "living
document", which means that the document is never finished but is continuously updated as
the requirements of the technology and employees change.
Need for security policies:
1) It increases efficiency.
The best thing about having a policy is being able to increase the level of consistency, which
saves time, money and resources. The policy should inform employees about their
individual duties, telling them what they can and cannot do with the organization’s
sensitive information.
2) It upholds discipline and accountability
When a human mistake occurs and system security is compromised, the organization’s
security policy will back up any disciplinary action and also support a case in a court of
law. The organization’s policies act as a contract which proves that the organization has
taken steps to protect its intellectual property, as well as its customers and clients.
3) It can make or break a business deal
It is not necessary for companies to provide a copy of their information security policy to
other vendors during a business deal that involves the transference of their sensitive
information. This is true in the case of bigger businesses, which ensure their own security
interests are protected when dealing with smaller businesses that have less high-end security
systems in place.
4) It helps to educate employees on security literacy
A well-written security policy can also be seen as an educational document which informs
readers of their responsibility in protecting the organization’s sensitive data. It covers
everything from choosing the right passwords to providing guidelines for file transfers and
data storage, which increases employees’ overall awareness of security and how it can be
strengthened.
Need for a Nodal Authority:
What is nodal authority?
Nodal Officer means an officer of the Company nominated by the Board to receive protected
disclosures from whistle blowers, maintaining records thereof, placing the same before the
Audit Committee for its disposal and informing the whistle blower the result thereof.
CERT-In is the national nodal agency for responding to computer security incidents as and
when they occur. CERT-In has been designated to serve as the national agency to perform the
following functions in the area of cyber security: Collection, analysis and dissemination of
information on cyber incidents.
Need for an International convention on Cyberspace.
The need to create a universal and transparent global framework to ensure the effective
security and utilization of cyberspace “for the economic and social advancement of all
peoples” has become paramount.
Cyber Security Vulnerabilities: Overview
What is Vulnerability in Cyber Security?
A vulnerability in cyber security refers to any weakness in an information system, system
processes, or internal controls of an organization. These weaknesses are targets for
cybercriminals, who can exploit them to gain illegal access to systems and data and cause
severe damage. Cyber security vulnerabilities are therefore extremely important to monitor
for the overall security posture, as gaps in a network can result in a full-scale breach of an
organization’s systems.
Examples of Vulnerabilities
• A weakness in a firewall that can lead to malicious hackers getting into a computer network
• Lack of security cameras
• Unlocked doors at businesses
• Vulnerabilities in software
A software vulnerability is a defect in software that could allow an attacker to gain control of
a system. These defects can be because of the way the software is designed, or because of a
flaw in the way that it’s coded.
How Does a Software Vulnerability Work?
An attacker first finds out whether a system has a software vulnerability by scanning it. The
scan can tell the attacker what types of software are on the system, whether they are up to
date, and whether any of the software packages are vulnerable.
When the attacker finds that out, he or she will have a better idea of what types of attacks to
launch against the system. A successful attack would result in the attacker being able to run
malicious commands on the target system.
System administration
A security systems administrator is someone who gives expert advice to companies regarding
their internal security procedures and can also help to detect any weaknesses in a
company's computer network that may make it vulnerable to cyber attacks. Security
systems administrators are a company’s first step in monitoring suspicious activity, either
within the local network or from outside internet traffic.
Security systems administrators are in charge of the daily operation of security systems, and
can handle things like systems monitoring and running regular backups; setting up, deleting
and maintaining individual user accounts; and developing organizational security procedures.
Complex Network Architectures:
Cybersecurity architecture, also known as “network security architecture”, is a framework
that specifies the organizational structure, standards, policies and functional behavior of a
computer network, including both security and network features. Cybersecurity architecture
is also the manner in which various components of our cyber or computer system are
organized, synced and integrated.
The components listed below are part of an effective and carefully planned security
architecture:
• Direction in the area of incident response to threats, disaster recovery, systems
configuration, account creation and management, and cybersecurity monitoring.
• Identity management.
• Decided inclusion and exclusion of those subject to the domain of the
security architecture.
• Access and border control.
• Validation and adjustment of the architecture.
• Training.
Poor Cyber Security Awareness:
While many businesses use strong security practices to reduce the risks to our
information, it’s up to everyone to make these methods stronger. After all, we wouldn’t
leave our car unlocked when we’re heading off to the mall for the day. Companies will
do what they can to protect our information, but we should also do what we can to keep
it safe as well.
1. Outdated Software
Websites are not the only way we can be hacked, either. Operating systems on our
computers, mobile devices or even the software running our wireless network at home are
easy for hackers to compromise.
2. Not Understanding the Threat
One of the most common reasons why cyber attacks cause so much damage is a lack of
proper understanding. A lot of people believe themselves to be immune from threats and
don’t really put thought into how dangerous attacks can become. Even something as simple
as a web browser can lead to all kinds of problems in work and personal life.
3. Lack of Proper Protection
One of the leading ways hackers gain a foothold in our systems is through improper
protection.
Remember the comment earlier about not locking our door at night? Essentially, a lack
of security software on our computer or website would be like removing that door
entirely.
4. Effects of Ransomware
Ransomware has been around for quite some time, but it has grown exponentially since
2015. Essentially, this is when someone gains control of a database or computer system
and blocks its use until a “ransom” is paid.
Keep firewalls online and updates current. If we come across suspicious emails or
programming, run anti-malware applications or seek professional help. Unfortunately,
some attacks may require far more attention than what software can give.
5. Evolving Software
Some forms of attacks are extremely difficult to track down and stop, even for
high-end software.
For example, a polymorphic virus delivers a new payload every time it expands.
This means it essentially mutates each time making it very difficult to spot.
Update all of our applications regularly. Even things we don’t use that often, such
as Adobe Flash or Java Runtime, can have vulnerabilities. This is why companies
will often send out update requests to computers running those apps.
6. Carelessness through Email
One of the most common forms of attacks from hackers is that of using email.
Messages that may look legitimate are often points for the criminal element to steal
information. This is called “phishing.” In many cases, these messages are almost
impossible to discern from the real thing.

Attachments are another common way that hackers infiltrate computer systems through
email. Even the most innocent of files can become weapons against us. Many of these
file types include ZIP, EXE and XLS extensions.
Never open unknown or suspicious attachments in our email. If we didn’t specifically
ask for the file to be sent to us, there is a good chance that it’s a form of attack we
want to avoid.
7. Unprotected Home Networks
A common problem that affects many people every year is an unprotected home
network. Update firmware on our devices when it becomes available. Also, keep our
Wi-Fi networks protected with high-encryption methods and MAC address
authentication if it’s available. And don’t underestimate the value of hiding our SSID.
Older wireless networks are just as sensitive to new attacks as older pieces of software. It
may be worth the money to upgrade our system.
8. Social Media Behavior
Even our activity on social media can become a target for hackers. Most of the time,
this is through gaining access to an account.
Always be on the lookout for suspicious links from friends and family. We may also want to
be mindful about what applications we allow to have access to our social media accounts.
We could be handing someone the keys to our proverbial front door in the cyber world.
9. Lack of Recovery
Another dangerous aspect to cyber threats is the inability to recover from a disaster.
Invest in a system that delivers regular backups and an easy recovery system. Even if a
hacker does destroy our information, we can easily replace it all with the right platform.
In some instances, this can all be done automatically or with a drag-and-drop platform.
Cyber security safeguards overview
Cyber security is the application of technologies, processes and controls to protect systems,
networks, programs, devices and data from cyber attacks. It aims to reduce the risk of cyber
attacks and protect against the unauthorised exploitation of systems, networks and
technologies. Boost our cyber defences with these must-have security measures:
1. Staff awareness training
Human error is the leading cause of data breaches. It is therefore essential that we equip staff
with the knowledge to deal with the threats they face.
Staff awareness training will show employees how security threats affect them and help them
apply best-practice advice to real-world situations.
2. Application security
Web application vulnerabilities are a common point of intrusion for cyber criminals.
As applications play an increasingly critical role in business, it is vital to focus on web
application security.
3. Network security
Network security is the process of protecting the usability and integrity of our network and data.
This is achieved by conducting a network penetration test, which assesses our network for
vulnerabilities and security issues.
4. Leadership commitment
Leadership commitment is key to cyber resilience. Without it, it is tough to establish or enforce
effective processes. Top management must be prepared to invest in appropriate cyber security
resources, such as awareness training.
5. Password management
Almost half of the UK population uses ‘password’, ‘123456’ or ‘qwerty’ as their password. We
should implement a password management policy that provides guidance to ensure staff create
strong passwords and keep them secure.
6. Access control:
Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources. Secure access control uses policies that
verify users are who they claim to be and ensures appropriate access levels are
granted to users.
Access control is managed through several components:
7. Authentication
Authentication is the initial process of establishing the identity of a user. For example, when
a user signs in to their email service or online banking account with a username and password
combination, their identity has been authenticated. However, authentication alone is not
sufficient to protect organizations’ data.
8. Authorization
Authorization adds an extra layer of security to the authentication process. It specifies access
rights and privileges to resources to determine whether the user should be granted access to
data or make a specific transaction.
For example, an email service or online bank account can require users to provide two-factor
authentication (2FA), which is typically a combination of something they know (such as a
password), something they possess (such as a token), or something they are (like a biometric
verification). This information can also be verified through a 2FA mobile app or a thumbprint
scan on a smartphone.
9. Access
Once a user has completed the authentication and authorization steps, their identity will be
verified. This grants them access to the resource they are attempting to log in to.
10. Manage
Organizations can manage their access control system by adding and removing the
authentication and authorization of their users and systems. Managing these systems can
become complex in modern IT environments that comprise cloud services and on-premises
systems.
11. Audit
Organizations can enforce the principle of least privilege through the access control audit
process. This enables them to gather data around user activity and analyze that information to
discover potential access violations.
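As an added illustration that is not part of the study material, the following Python sketch walks through the components just listed on a constructed user directory: authentication by salted password hash, authorization by role, access granted only when both checks pass, every decision written to an audit log, and two audit queries that support the least-privilege review described under "Audit". The user names, roles and permission strings are invented for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: a role-to-permission table for a made-up invoicing
# application. Each role holds only the rights its job needs (least privilege).
ROLE_PERMISSIONS = {
    "clerk": {"invoice:read"},
    "accountant": {"invoice:read", "invoice:approve", "report:read"},
    "admin": {"invoice:read", "invoice:approve", "report:read", "user:manage"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential store resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, password: str, role: str) -> dict:
    """Build one directory entry; only the salt and hash are stored, never the password."""
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed user directory (names and passwords are invented for the example).
USERS = {
    u["name"]: u
    for u in [
        make_user("alice", "correct horse battery staple", "accountant"),
        make_user("bob", "hunter2", "clerk"),
    ]
}

AUDIT_LOG: list[dict] = []  # every access decision is recorded, granted or denied


def authenticate(name: str, password: str) -> bool:
    """Step 1 (Authentication): establish identity from the username/password pair.
    Hashing always runs, even for unknown users, so timing does not reveal which names exist."""
    user = USERS.get(name)
    salt = user["salt"] if user else b"\x00" * 16
    candidate = hash_password(password, salt)
    return user is not None and hmac.compare_digest(candidate, user["hash"])


def authorize(name: str, permission: str) -> bool:
    """Step 2 (Authorization): does the authenticated identity's role grant this right?"""
    user = USERS.get(name)
    return user is not None and permission in ROLE_PERMISSIONS[user["role"]]


def access(name: str, password: str, permission: str) -> bool:
    """Steps 3 and 5 (Access, Audit): grant only when both checks pass, and log the outcome."""
    if not authenticate(name, password):
        outcome = "denied:authentication"
    elif not authorize(name, permission):
        outcome = "denied:authorization"
    else:
        outcome = "granted"
    AUDIT_LOG.append({"user": name, "permission": permission, "outcome": outcome})
    return outcome == "granted"


def unused_permissions(log: list[dict]) -> dict[str, set[str]]:
    """Least-privilege review: rights each user holds but never exercised in the audited period,
    which are candidates for removal during the Manage step."""
    used: dict[str, set[str]] = defaultdict(set)
    for entry in log:
        if entry["outcome"] == "granted":
            used[entry["user"]].add(entry["permission"])
    return {
        name: ROLE_PERMISSIONS[u["role"]] - used[name]
        for name, u in USERS.items()
        if ROLE_PERMISSIONS[u["role"]] - used[name]
    }


def repeated_denials(log: list[dict], threshold: int = 3) -> dict[str, int]:
    """Flag accounts with repeated denied attempts: a potential access violation to investigate."""
    counts: dict[str, int] = defaultdict(int)
    for entry in log:
        if entry["outcome"] != "granted":
            counts[entry["user"]] += 1
    return {name: n for name, n in counts.items() if n >= threshold}
```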

12. Biometrics:
Biometrics scanners are hardware used to capture the biometric for verification of identity.
These scans match against the saved database to approve or deny access to the system. In other
words, biometric security means our body becomes the “key” to unlock our access.
13. Cryptography
Cryptography is the study of secure communications techniques that allow only the sender and
intended recipient of a message to view its contents. The term is derived from the Greek
word kryptos, which means hidden. It is closely associated with encryption, which is the act of
scrambling ordinary text into what's known as ciphertext and then back again upon arrival. In
addition, cryptography also covers the obfuscation of information in images using techniques
such as microdots or merging. Ancient Egyptians were known to use these methods in complex
hieroglyphics, and Roman Emperor Julius Caesar is credited with using one of the first modern
ciphers.

14. Deception:
Deception technology is a cybersecurity defense practice that aims to deceive attackers by
distributing a collection of traps and decoys across a system's infrastructure to imitate genuine
assets.
Denial of Service Filters

15. Ethical Hacking
Ethical Hacking is an authorized practice of bypassing system security to identify potential
data breaches and threats in a network. The company that owns the system or network
allows Cyber Security engineers to perform such activities in order to test the system’s
defenses. Thus, unlike malicious hacking, this process is planned, approved, and more
importantly, legal.
Ethical hackers aim to investigate the system or network for weak points that malicious
hackers can exploit or destroy. They collect and analyze the information to figure out ways to
strengthen the security of the system/network/applications. By doing so, they can improve
the security footprint so that it can better withstand attacks or divert them.
Ethical hackers are hired by organizations to look into the vulnerabilities of their systems and
networks and develop solutions to prevent data breaches. Consider it a high-tech permutation
of the old saying “It takes a thief to catch a thief.”
The key vulnerabilities they check for include, but are not limited to:
• Injection attacks
• Changes in security settings
• Exposure of sensitive data
• Breaches in authentication protocols
• Components used in the system or network that may be used as access points
16. Firewalls: A Firewall is a network security device that monitors and filters incoming and
outgoing network traffic based on an organization’s previously established security policies.
At its most basic, a firewall is essentially the barrier that sits between a private internal
network and the public Internet. A firewall’s main purpose is to allow non-threatening traffic
in and to keep dangerous traffic out.
17. Intrusion Detection Systems: An Intrusion Detection System (IDS) is a monitoring
system that detects suspicious activities and generates alerts when they are detected.
Based upon these alerts, a security operations center (SOC) analyst or incident responder can
investigate the issue and take the appropriate actions to remediate the threat.
18. Response: Incident response (IR) is a set of information security policies and procedures
that we can use to identify, contain, and eliminate cyberattacks. The goal of incident response
is to enable an organization to quickly detect and halt attacks, minimizing damage and
preventing future attacks of the same type.
19. Scanning: Scanning is a set of procedures for identifying live hosts, ports and services,
discovering the operating system and architecture of a target system, and identifying
vulnerabilities and threats in the network.
20. Security policy: A cybersecurity policy sets the standards of behavior for activities such
as the encryption of email attachments and restrictions on the use of social media.
Cybersecurity policies are important because cyberattacks and data breaches are potentially
costly. For large organizations or those in regulated industries, a cybersecurity policy is often
dozens of pages long. For small organizations, however, a security policy might be only a
few pages and cover basic safety practices. Such practices might include:
• Rules for using email encryption
• Steps for accessing work applications remotely
• Guidelines for creating and safeguarding passwords
• Rules on use of social media

What is Ethical Hacking and Type of Ethical Hackers


The term ‘Hacker’ was coined to describe experts who used their skills to re-develop
mainframe systems, increasing their efficiency and allowing them to multi-task. Nowadays,
the term routinely describes skilled programmers who gain unauthorized access into
computer systems by exploiting weaknesses or using bugs, motivated either by malice or
mischief. For example, a hacker can create algorithms to crack passwords, penetrate
networks, or even disrupt network services.
The primary motive of malicious/unethical hacking is stealing valuable information or
financial gain. However, not all hacking is bad. This brings us to the second type of hacking:
ethical hacking. So what is ethical hacking, and why do we need it? In this section we
will learn what ethical hacking is and more.

Type of Hackers
The practice of ethical hacking is called “White Hat” hacking, and those who perform it are
called White Hat hackers. In contrast to Ethical Hacking, “Black Hat” hacking describes
practices involving security violations. The Black Hat hackers use illegal techniques to
compromise the system or destroy information.
Unlike White Hat hackers, “Grey Hat” hackers don’t ask for permission before getting into
our system. But Grey Hats are also different from Black Hats because they don‘t perform
hacking for any personal or third-party benefit. These hackers do not have any malicious
intention and hack systems for fun or various other reasons, usually informing the owner
about any threats they find. Grey Hat and Black Hat hacking are both illegal as they both
constitute an unauthorized system breach, even though the intentions of both types of hackers
differ.

White Hat vs Black Hat Hacker


The best way to differentiate between White Hat and Black Hat hackers is by taking a look at
their motives. Black Hat hackers are motivated by malicious intent, manifested by personal
gains, profit, or harassment; whereas White Hat hackers seek out and remedy vulnerabilities,
so as to prevent Black Hats from taking advantage.

Threat Management
Most security teams face information fragmentation, which can lead to blind spots in security
operations. Wherever they exist, blind spots compromise a team's ability to identify,
protect against and respond to security threats promptly.
Today's dangers include polymorphic (mutating) malware, advanced persistent threats (APTs),
insider threats, and vulnerabilities in cloud-based computing services, more than antivirus
software alone can handle.
How threat management works
Many modern threat management systems are organized around the cybersecurity framework
established by the National Institute of Standards and Technology (NIST). NIST provides
comprehensive guidance to improve information security and cybersecurity risk management
for private sector organizations. One of its guides, the NIST Cybersecurity Framework
(NIST CSF), consists of standards and best practices. Five primary functions make up the
core of the original framework: Identify, Protect, Detect, Respond and Recover. (Version 2.0
of the framework, published in 2024, adds a sixth function, Govern.)

UNIT-II

Introduction
Web application security, as the name suggests, is the process of securing websites, web
applications, and other internet-based services from cyber-attacks, breaches, and security
threats that exploit loopholes, misconfigurations, and vulnerabilities in these applications or
their code.

Why is web application security necessary for businesses?


While businesses are leveraging the revolutionary developments in technology and
communication and the internet penetration rates, cyber criminals too are doing the same.
They are finding new and innovative ways to orchestrate breaches and cyber-attacks that
will help them get access to data,
A web server is a computer on which web content is stored, together with the software that
serves it. Web servers are mainly used to host web sites, but other kinds of servers exist as
well, such as game, storage, FTP and mail servers.
A web site is a collection of web pages, while a web server is the software that responds to
requests for web resources.

Web Server Working
A web server responds to a client request in one of two ways:
 Sending the client the file associated with the requested URL (static content).
 Generating the response by invoking a script and communicating with a database (dynamic
content).

Basic security for HTTP Applications and Services


Security is an important feature in any web application. Since almost all web applications are
exposed to the internet, there is always a chance of a security threat to them. Hence, when
developing web-based applications, it is always recommended to ensure that the application is
designed and developed with security in mind.
To understand the security threats that a web application faces, let us look at a simple
scenario of a web application and see how it works in terms of security.
One of the security measures available for HTTP is the HTTPS protocol. HTTPS is the
secure way of communicating between the client and the server over the web. HTTPS runs
HTTP over TLS (Transport Layer Security, the successor of the older Secure Sockets Layer,
SSL). The server holds a digital certificate so that the client can verify it is talking to the
genuine server before any application data is sent. The client normally does not present a
certificate; it is authenticated later at the application layer (password, session cookie, token),
unless the deployment uses mutual TLS, in which case the client presents a certificate too.

HTTP Request Methods
The HTTP protocol defines a number of request methods (sometimes also referred to as
verbs), which are used within HTTP requests to indicate to the server the desired action for a
particular resource.

Method    Description
GET       Retrieve a representation of the resource. Defined as safe: it must not change
          server state.
HEAD      Same as GET, but the server returns only the headers, without the response body.
POST      Submit data to a resource (form submissions, API calls that create something).
PUT       Replace the resource with the request body.
PATCH     Apply a partial update to the resource.
DELETE    Delete the specified resource.
OPTIONS   Describe the methods (and CORS rules) supported for a resource; the response
          carries an Allow header.
TRACE     Echo the received request back to the client. It has been abused in cross-site
          tracing (XST) attacks to read cookies and authorization headers that scripts could
          not otherwise see, so most servers disable it.
CONNECT   Establish a tunnel to the server named by the target resource; used by HTTP
          proxies to forward HTTPS traffic. A server that honors CONNECT from arbitrary
          clients becomes an open proxy.

HTTP Responses
On the server side, an HTTP server listening on port 80 (or 443 for HTTPS) sends back an
HTTP response to the client for what it has requested.
The HTTP response contains a status line as its first line, followed by the response headers
and body. The status line indicates the version of the protocol, the status code (for example
200), and, usually, a short reason phrase describing that status code.
Response Status Codes
HTTP response status codes are issued by the server within an HTTP response to let the
client know what the status of the request is. Status codes are organized in the following
categories.

Status code group Description

1xx Informational

2xx Success

3xx Redirection

4xx Client error

5xx Server error
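As an added example (not part of the original notes), the following Python code parses a raw HTTP/1.1 request, applies a method allow-list of the kind a web server configuration would express, and answers with the appropriate status line and headers. The request bytes, the allowed-method set and the reason-phrase table are constructed for illustration; TRACE and CONNECT are deliberately left out of the allow-list for the reasons given in the method table above.

```python
"""Parse a raw HTTP/1.1 request and enforce a method allow-list.

Added example, not from the original study material. The request bytes,
the allow-list and the reason phrases below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Methods this hypothetical service accepts. TRACE and CONNECT are
# deliberately absent: TRACE enables cross-site tracing, and CONNECT would
# let any client use the server as a tunnel.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}

REASONS = {200: "OK", 204: "No Content", 400: "Bad Request",
           404: "Not Found", 405: "Method Not Allowed"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Split raw bytes into request line, headers and body.

    Raises ValueError on anything malformed; the caller maps that to 400.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of headers")
    lines = head.decode("ascii").split("\r\n")   # UnicodeDecodeError is a ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No empty names and no leading whitespace (obsolete line folding).
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers[name.lower()] = value.strip()
    return Request(method, target, version, headers, body)


def status_line(code: int, version: str = "HTTP/1.1") -> str:
    """First line of the response: version, code, reason phrase."""
    return f"{version} {code} {REASONS.get(code, '')}".rstrip()


def handle(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Apply the method policy; return (status code, response headers)."""
    try:
        req = parse_request(raw)
    except ValueError:
        return 400, {}
    allow = ", ".join(sorted(ALLOWED_METHODS))
    if req.method not in ALLOWED_METHODS:
        return 405, {"Allow": allow}          # RFC 9110 requires Allow on a 405
    if req.method == "OPTIONS":
        return 204, {"Allow": allow}
    if req.method == "HEAD":
        return 200, {"Content-Length": "0"}   # same as GET, body omitted
    return 200, {}


if __name__ == "__main__":
    for raw in (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        code, hdrs = handle(raw)
        print(raw.split(b"\r\n")[0].decode(), "->", status_line(code), hdrs)
```

The parser rejects the request outright (400) rather than guessing at malformed lines, because lenient parsing of request lines and headers is what request-smuggling attacks rely on; the method check answers 405 with an Allow header, so a client (or a scanner) learns which verbs exist without the server ever executing TRACE.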

In a standard HTTPS communication between the client and the server, the following steps
take place:
1. The client opens a TLS connection and tells the server which protocol versions and
cipher suites it supports (the ClientHello).
2. The server authenticates itself to the client by sending its certificate. The client checks
that the certificate chains to a trusted certificate authority, is within its validity period
and not revoked, and that its name matches the host the client meant to contact. This
ensures that the client is communicating with the right server. Only when the server is
configured for mutual TLS does it also ask the client for a certificate.
3. Client and server agree on session keys, and all communication thereafter is encrypted
and integrity-protected. Anyone who intercepts the traffic cannot read it, or alter it
without detection.
Note that a client which skips the checks in step 2 (for example by turning certificate
verification off to silence an error) still gets an encrypted channel, but has no idea who is at
the other end of it.
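The following Python snippet, added here and not taken from the original notes, shows the client side of step 2 as configuration: the weak setting that skips certificate verification next to the hardened one that verifies the chain and hostname, requires TLS 1.2 or later, and can present a client certificate for mutual TLS. It only builds and inspects ssl.SSLContext objects, so it runs offline; the PEM file paths for the client certificate are hypothetical.

```python
"""Client-side TLS configuration: the weak setting beside the hardened one.

Added example, not from the original notes. It only builds and inspects
ssl.SSLContext objects, so it runs offline; no connection is made and the
PEM paths for mutual TLS are hypothetical.
"""
import ssl
from typing import Dict, Optional


def insecure_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' code usually does.

    With CERT_NONE the client never checks who it is talking to, so the
    encrypted channel may well terminate at an attacker in the middle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(client_cert: Optional[str] = None,
                     client_key: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server's chain and name and require TLS 1.2 or later.

    If a client certificate and key (PEM paths, hypothetical) are given, the
    context presents them when the server asks for them, i.e. mutual TLS.
    """
    ctx = ssl.create_default_context()   # loads the system trust store and
    ctx.check_hostname = True            # already sets these two; restated
    ctx.verify_mode = ssl.CERT_REQUIRED  # so the intent is explicit
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def audit(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The properties a reviewer checks before trusting an HTTPS client."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("weak:    ", audit(insecure_context()))
    print("hardened:", audit(hardened_context()))
```

Pass the hardened context to `ssl.SSLContext.wrap_socket` or to `urllib.request.urlopen(..., context=ctx)`; the audit() dictionary is what a code review should look for whenever a project carries its own TLS client settings.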
Basic Security for SOAP Services
WS-Security is a standard that addresses security when data is exchanged as part of a web
service. This is a key feature of SOAP that makes it popular for creating web services.
A client may need to talk to more than one server, or its message may pass through
intermediaries before it reaches the service. The example described below shows a client
talking to both a database and a web server at the same time. In such cases HTTPS is not
enough: it protects only the hop between two adjacent parties, and every intermediary sees
the message in clear once its own TLS connection has been decrypted.

This is where WS-Security comes in, by adding message-level security on top of transport
security. With this specification, all security-related data is carried in the SOAP Header
element, so it travels with the message from end to end.
The header element can contain the below-mentioned information

1. If the message within the SOAP Body has been signed, the signature and a reference to the
key (or certificate) that made it can be carried in the header element.
2. If any element within the SOAP Body is encrypted, the header carries the necessary key
information (for example a session key encrypted for the recipient's public key) so that the
message can be decrypted when it reaches the destination.
In a multiple-server environment the technique above helps in the following way.
 Because the SOAP Body is encrypted for the web server that hosts the web service, only the
holder of that server's private key can decrypt it; this is a property of the encryption, not of
the transport.
 If the message passes through the database server in an HTTP request, that server cannot
read it, because it does not have the matching private key.
 Only when the request actually reaches the web server is the SOAP message deciphered,
processed, and the appropriate response sent back to the client.

Web Service Security Standards


The WS-Security standard revolves around having the security definition included in the
SOAP Header.
The credentials in the SOAP header are carried in one of two ways.
First, it defines a special element called UsernameToken. This is used to pass the username
and a password (either as plain text or, preferably, as a nonce-based digest) to the web service.
The other way is to use a binary token via the BinarySecurityToken element. This is used
when the credential is a binary object such as a Kerberos ticket or an X.509 certificate.
The below diagram shows the flow of how the security model works in WS Security

Below are the steps that take place in the above workflow:
1. The web service client sends a request to a Security Token Service (STS). This can be an
intermediate web service built specifically to issue tokens (username/password-based tokens,
or certificate-based ones) for the actual SOAP web service.
2. The STS returns a security token to the web service client.
3. The web service client then calls the web service, this time ensuring that the security token
is embedded in the SOAP message (in its Security header).
4. The web service reads the token from the SOAP message and validates it, either by checking
the signature the STS put on it or by asking the STS whether the token is authentic, before
processing the request.
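As an added example (not code from the original notes or from any WS-Security toolkit), the following Python builds a UsernameToken with a PasswordDigest on the client and validates it on the service, rejecting stale timestamps, replayed nonces and plain-text passwords. It uses only the standard library and the digest formula from the WSS UsernameToken Profile, Base64(SHA-1(nonce + created + password)); the credential store, the caller-supplied clock, the GetBalance operation and the in-memory nonce cache are illustrative stand-ins for what a real service would use.

```python
"""WS-Security UsernameToken with PasswordDigest: build it on the client,
verify it on the service, and refuse replays.

Added example, not from the original notes. Standard library only; the
digest formula is the one from the WSS UsernameToken Profile:
    PasswordDigest = Base64(SHA-1(nonce + created + password))
The credential store, the caller-supplied clock and the in-memory nonce
cache are illustrative stand-ins.
"""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, created: str,
                   nonce: Optional[bytes] = None) -> str:
    """Client side: a SOAP envelope whose Security header carries the token."""
    nonce = nonce or secrets.token_bytes(16)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), "GetBalance")  # hypothetical operation
    return ET.tostring(env, encoding="unicode")


class TokenVerifier:
    """Service side. Remembers nonces for the freshness window so that a
    captured envelope cannot simply be sent again."""

    def __init__(self, credentials: Dict[str, str],
                 freshness: timedelta = timedelta(minutes=5)):
        self.credentials = credentials      # username -> password (constructed)
        self.freshness = freshness
        self.seen: Dict[bytes, datetime] = {}

    def verify(self, envelope: str, now: datetime) -> bool:
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return False
        pw = tok.find(f"{{{WSSE}}}Password")
        user = tok.findtext(f"{{{WSSE}}}Username")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or None in (user, nonce_b64, created):
            return False
        if pw.get("Type") != DIGEST_TYPE:
            return False                    # refuse PasswordText tokens
        try:
            created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False
        if created_at.tzinfo is None or abs(now - created_at) > self.freshness:
            return False                    # stale, or clock skew too large
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.freshness}
        if nonce in self.seen:
            return False                    # replay of an earlier message
        password = self.credentials.get(user)
        if password is None:
            return False
        expected = password_digest(nonce, created, password).encode("ascii")
        if not secrets.compare_digest(expected, (pw.text or "").encode("utf-8")):
            return False
        self.seen[nonce] = created_at
        return True


def demo():
    """One constructed exchange: fresh token, replay, wrong password, stale token."""
    now = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    service = TokenVerifier({"alice": "correct horse battery"})
    env = build_envelope("alice", "correct horse battery", created)
    first = service.verify(env, now)
    replay = service.verify(env, now)
    wrong = service.verify(build_envelope("alice", "wrong", created), now)
    stale = service.verify(build_envelope("alice", "correct horse battery", created),
                           now + timedelta(hours=1))
    return first, replay, wrong, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

Two points worth noticing: the digest on its own does not stop replay, only the nonce cache plus the Created timestamp does, and a UsernameToken authenticates the sender but does nothing for confidentiality, so it still belongs inside TLS or an XML-Encryption-protected body.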
Identity Management and Web Services
Identity management (IdM), also known as identity and access management (IAM), ensures
that authorized people, and only authorized people, have access to the technology resources
they need to perform their job functions. It includes policies and technologies that
encompass an organization-wide process to properly identify, authenticate, and authorize
people, groups of people, or software applications through attributes including user access
rights and restrictions based on their identities.
An identity management system prevents unauthorized access to systems and resources, helps
prevent exfiltration of enterprise or protected data, and raises alerts and alarms when access
attempts are made by unauthorized personnel or programs, whether from inside or outside the
enterprise perimeter.
Identity management solutions not only protect software and data access, they also protect the
hardware resources in an enterprise, such as servers, networks, and storage devices from
unauthorized access which could lead to a ransomware attack. Identity management has
gained importance over the past decade due to the growing number of global regulatory,
compliance, and governance mandates that seek to protect sensitive data from exposure of
any kind.
How does Identity Management Work?
As part of an overall IAM framework covering access management and identity
management, enterprises typically use both a user management component and a central
directory component, such as Active Directory on Windows or an LDAP directory such as
OpenLDAP or Apache Directory Server (ApacheDS) on Linux systems.
The user management component handles delegation of admin authority, tracking roles and
responsibilities for each user and group, provisioning and de-provisioning user accounts, and
password management. Some or all of these functions, such as password reset, are typically
self-service to reduce the burden on IT staff.
The central directory is a repository of all user and group data for the enterprise. As such, a
major role of this component is to synchronize the directory or repository across the
enterprise, which can span on-premises and public or private cloud components. This enables
a single view of the users and their permissions at any time, anywhere in a hybrid
cloud or multi-cloud infrastructure.
Need for identity management
A recent (ISC)² study found that 80% of breaches were due to identity access issues, namely
weak or mismanaged credentials. If proper controls are not in place, or IAM procedures and
processes are not properly followed, passwords can become compromised, phishing
attacks succeed, and breaches or ransomware attacks become a reality. Fortunately, modern
IAM platforms automate many of these functions to help ensure controls are applied, such as
removing a user from the directory when the HR system indicates that an employee has
left the organization.
Since new privacy and data secrecy legislation is created so frequently, IAM can play another
important role, that of helping the organization stay in compliance with the myriad of
regulatory and governance mandates in effect, ensuring not only that authorized users alone
have access to data, but that the data itself is where it should be. In the end, IT security is
largely about access, so a solid IAM strategy is a critical component of overall IT security and
offers a first line of protection against any threat, whether from outside or inside the firewall.

What are the business benefits of identity management?


The ability to successfully protect assets – including digital assets – can have a direct bottom-
line impact on the value of the organization. IAM accelerates the time to value for anyone
who needs access to enterprise resources to perform their job, often speeding the time
between onboarding a new employee until when they have access to system resources from
days to minutes.
Besides providing an enhanced business value as a result of improved security, there are
other tangible business benefits. Automation of IAM tasks frees up IT for bottom-line
focused projects, and self-service identity management tools improve the overall productivity
of employees, contractors, and other users who access corporate resources.
Implementing an overall IAM framework can provide opportunities for growth, by improving
scalability of those services critical to onboarding new users, and that reduction of IT
manpower translates to a better ROI for the IT organization as a whole.

Identity and access management has become the foundation for all of these business benefits
and continues to protect the enterprise from threats that could lead to data theft, malicious
attacks, or exposing sensitive customer, patient, or legal information.

Authorization Patterns
The Authorization pattern is a structural security pattern. Authorization provides a structure
that facilitates access control to resources: it records which subjects (users, roles, processes)
hold which rights (read, write, execute, possibly under a condition) on which protection
objects, and every access request is checked against that relation, with access denied by
default. Many systems need to restrict access to their resources according to certain criteria.
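The following Python code is an added example, not from the original notes, of the Authorization pattern's structure: subjects, protection objects and rights, where a right may carry a predicate that must hold for the access to be granted, and anything not explicitly granted is denied. The subjects, objects and the policy in demo_policy() are constructed for illustration.

```python
"""The Authorization pattern: subjects hold rights on protection objects,
and each access is checked against those rights, with deny as the default.

Added example, not from the original notes. The subjects, objects and the
policy in demo_policy() are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, object]


@dataclass(frozen=True)
class Subject:
    name: str
    department: str


@dataclass(frozen=True)
class ProtectionObject:
    name: str
    owner_department: str
    classification: str          # e.g. "public", "internal", "confidential"


# A predicate refines a right: the right applies only when it returns True.
Predicate = Callable[[Subject, ProtectionObject, Context], bool]


@dataclass
class Right:
    access_type: str             # e.g. "read", "write"
    predicate: Optional[Predicate] = None


class AuthorizationPolicy:
    """The Authorization relation: (subject, object) -> rights granted."""

    def __init__(self) -> None:
        self._rights: Dict[Tuple[str, str], List[Right]] = {}

    def grant(self, subject: Subject, obj: ProtectionObject, right: Right) -> None:
        self._rights.setdefault((subject.name, obj.name), []).append(right)

    def is_authorized(self, subject: Subject, obj: ProtectionObject,
                      access_type: str, ctx: Optional[Context] = None) -> bool:
        """The reference monitor's question. Anything not granted is denied."""
        ctx = ctx or {}
        for right in self._rights.get((subject.name, obj.name), []):
            if right.access_type != access_type:
                continue
            if right.predicate is None or right.predicate(subject, obj, ctx):
                return True
        return False


# Two reusable predicates.
def same_department(s: Subject, o: ProtectionObject, ctx: Context) -> bool:
    return s.department == o.owner_department


def business_hours(s: Subject, o: ProtectionObject, ctx: Context) -> bool:
    hour = ctx.get("hour")
    return isinstance(hour, int) and 9 <= hour < 18


def demo_policy():
    """Constructed policy: finance staff may read the ledger and write to it
    only in business hours; IT may read it in business hours only."""
    alice = Subject("alice", "finance")
    bob = Subject("bob", "it")
    ledger = ProtectionObject("ledger", "finance", "confidential")
    policy = AuthorizationPolicy()
    policy.grant(alice, ledger, Right("read", same_department))
    policy.grant(alice, ledger, Right("write", lambda s, o, c:
                 same_department(s, o, c) and business_hours(s, o, c)))
    policy.grant(bob, ledger, Right("read", business_hours))
    return policy, alice, bob, ledger


if __name__ == "__main__":
    policy, alice, bob, ledger = demo_policy()
    print("alice write at 10h:", policy.is_authorized(alice, ledger, "write", {"hour": 10}))
    print("bob write at 10h:  ", policy.is_authorized(bob, ledger, "write", {"hour": 10}))
```

The two design choices that matter are visible in is_authorized(): the policy is consulted for every access (complete mediation), and the absence of a matching right means denial, so forgetting to grant something fails closed rather than open.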
Patterns capture the experience of experts about good or best practices and document these
nuggets of wisdom in a format that is easy to understand. The use of patterns raises the level
of awareness and discourse in a discipline.
A short history of patterns:
– 1977 Christopher Alexander – A Pattern Language: timeless wisdom in architecture and town
design
– 1978 Trygve Reenskaug – Model View Controller
– 1987 Cunningham & Beck – OOPSLA paper
– 1994 Gamma, Helm, Johnson, Vlissides – Design Patterns (the "Gang of Four", GoF)
– 1997 Yoder & Barcalow – security patterns
– 2006 Eduardo B. Fernandez – book(s); an estimated 400 security-related patterns exist today
A pattern is self-contained. Its sections are:
• Synopsis
• Context where it applies
• Example problem
• Problem
• Forces
• Solution
• Solution structure
• Solution dynamics
• Example solution
• Variations
• Known uses
• Consequences
Different kinds of patterns

Traditional patterns
• Design
• Architecture
• Analysis
• Organizational
• Management
• Anti-patterns

Less traditional patterns
• Attacks
• Domains – EHR, banking
• Standards – HIPAA, SSL, WiMAX
• Forensics
Patterns deliver targeted knowledge
– Assume minimal prior knowledge
– Usable in arbitrary groups and ordering
– Searchable, downloadable; we can write our own
Patterns raise the level of discourse
– Each pattern represents a higher-level solution
– Each pattern becomes a term in the vocabulary
Security Considerations
The Internet is an open forum, with millions of users availing themselves of a variety of
services with a high level of trust. They often fail to see the poor level of security the internet
has and the potential threats they may encounter.
With security becoming a huge concern in the digital world, companies are scrutinizing their
data security to prevent unsolicited access from outsiders. Let us look at data security
considerations:
What is Data Security?
Data security is the process of protecting databases and sensitive information on the network
from unauthorized access and corruption throughout their lifecycle.
A set of techniques and applications strengthens the physical arrangements and software
checks of an organization. This helps in tightening the security controls of the company
and reduces the risk.
Data security considerations entail the security of data and system resources against
unauthorized access, disclosure, or corruption. Data breaches may be intentional or
unintentional, but ultimately they cause huge losses to the organization and hence need to be
taken seriously.
Data Security Considerations
Backing up Data
The purpose of data backup is to create extra copies of important files in a separate storage
location to act as a backup during any failure.
Various factors like human carelessness, malicious attack, or system faults trigger failure in
an infrastructure. Physical storage or cloud storage stores the backed-up data.

Data Archiving for Security


As a business grows, keeping track of huge amounts of data and managing it can be
tricky. Data archiving is the process of retaining inactive data in a secure place for a long
time.
Archives have search facilities, and indexing makes retrieval fast and easy. Archives hold old
information that is unnecessary for everyday tasks; storing such inactive information in
primary storage can reduce its efficiency.
A data archive helps in reducing the load on primary storage by moving unused data to
the archive.
The medium and device used for storing the archived data are chosen carefully based on the
intended use. Deciding which information goes to the archive, and revisiting the archived data,
plays an important role in managing and monitoring the information. Archived data is still
sensitive data: it needs the same access control and encryption as live data, and a retention
period after which it is securely destroyed.
UNIT-III
INTRUSION DETECTION AND PREVENTION
INTRUSION: Illegal access to, seizing, or taking possession of the property of others without
the right to do so is an intrusion. In simple words, it is the unwanted involvement of external
users in the legitimate activities of a victim. In the cyber world, an intrusion is any attempt to
gain access to a system or network, or to use it, in a way that violates its security policy,
whether or not the attempt succeeds.
Types of Intruders:
INTRODUCTION TO INTRUDERS: A person with criminal intention who attempts to
violate security and steals the credentials of an authorized user to damage the system or data is
considered an intruder. Malicious activity directed at a computer system or service, such as
viruses, unauthorized access, bug exploitation, abuse of a feature, snooping to gather
information, or physical hardware attacks, is the work of intruders.
TYPES OF INTRUDERS
Anderson's classic classification (1980) distinguishes three classes of intruder. Outsiders with
no legitimate access at all (external penetrators) are the ones popularly called hackers.
 Masquerader: an outsider who has gained access to the system using another person's
identifier and password.
 Misfeasor: a legitimate user abusing the privileges they have been granted (violating the
security policy).
 Clandestine user: a user who seizes supervisory privileges and uses them to evade auditing
and access controls (misusing the system).
Masquerader
 A user with no authority to use the system.
 Mostly an external user.
 An unauthorized individual who penetrates a system by exploiting a legitimate user's
account.
 Appears to the security system as a legitimate user.
Misfeasor
 Generally an insider with limited access.
 A legitimate user who misuses their privileges, for example by accessing an application or
data in a controlled area they have no permission to use (such as unrestricted internet access).
Clandestine user
 Can be an internal or external user who steals and uses the credentials of a supervisor or
administrator; an individual who seizes supervisory control to evade auditing and access
controls, or to suppress audit collection.
 Example: A and B are legitimate users; A is an administrator and B has limited privileges,
and A is the supervisor of B. B carries out illegal activity using A's credentials. In the audit
trail the activity is attributed to A, so A is blamed, unless the logs can tie the session to B.

PHYSICAL THREAT: An adversary gaining physical access to a system or device, typically
through theft of the item, is a physical threat. Possession of a system or device lets the
adversary mount a number of attacks that can be carried out over an extended time frame,
with potentially huge financial, data and even life losses.
The standard protections around sensitive information usually fail in the case of physical
theft, because the adversary has physical access to the system and enough time to carry out
the attack; only full-disk encryption with a key the adversary does not hold keeps the data
confidential once the hardware is gone.
Devices prone to physical theft:
 Digital and communication devices (laptops, desktop computers, mobile phones)
 Removable storage media (USB drives)
What is lost:
 The value of the equipment or storage media
 Loss or theft of data
 Software theft
 Access to networks (saved credentials, VPN configurations)
 Loss of productivity

ABUSE OF PRIVILEGE IN CYBER SECURITY


A person with legitimate access misusing their permissions in ways that cause a security
breach is committing privilege abuse. In simple words, a data breach that results from poor
access control is considered abuse of privilege on digital devices.
Reasons for Privilege Abuse:
 A user is given more permission than required to do their job effectively, accidentally or
negligently.
 Lack of proper monitoring of user activity and lack of automatic access controls.
 Access to an official account after leaving the organization.
 A user accidentally compromises their login credentials or falls for an external threat by
clicking a malicious email link.
Lack of security protocol in the workplace lets employees easily gain access to sensitive
information and increases the risk of data being leaked. This can happen by accident, because
of sloppy or absent privileged access management (PAM), or through the interference of a
cyber adversary.

Unintentional privilege extensions create risk in security controls through:
 Misuse of privilege: an insider using legitimate permissions to launch malicious activities.
 Unintentional threats: sharing passwords or credentials may lead to unintended actions.
 Escalation of privilege: an insider deliberately raises his or her level of permissions to get
more access rights.
UNAUTHORIZED ACCESS
Gaining entry to a computer network or system and accessing applications, software, data,
or other resources without permission is unauthorized access. In simple words, any access to
an information system or network that violates the owner's or operator's stated security policy
is unauthorized access.
Violating the protocols and accessing a website, program, server, service, or other system,
even with legitimate credentials obtained improperly, is an attempt at unauthorized access.
Example: guessing the password or username of another person's account until access is
gained. When attackers reach an area of a system they should not be accessing, the system
should deny the access, show an unauthorized-access message and, importantly, log the
attempt: the record of denied attempts is what lets the security team notice the probing, and it
contributes to a more security-focused environment.
MALWARE INFECTION
Malicious software specially designed to damage a system or its data is termed malware. Such
software disrupts computer operation, gathers confidential information and gains unauthorized
access to protected network areas. It is malicious code hidden in the computer system, often
installed without the knowledge of the owner. This type of infection is spread by email,
operating system flaws, portable storage media and the global network. Some of the most
dangerous malware types are viruses, spyware, worms, rootkits and Trojan horses.
A virus is a piece of software that copies itself into other programs or files and spreads from
one computer to another when they are shared. A worm spreads on its own over the network to
infect other computers or programs. A Trojan horse looks benign (normal) but contains
malicious code that damages the system or gives the attacker access. Adware shows unwanted
advertisements and may carry a malicious payload. Spyware constantly monitors the system's
activity, in order to steal data or trigger an attack at the right time. A rootkit hides itself and
other malware from the operating system's own tools.
Types of Malware

Example of the procedure used to carry out a malicious attack:
 An attacker sends a malicious email to the victim.
 The victim opens the mail and clicks the attachment.
 Unintentionally, a file with malicious content is downloaded.
 The file is a dropper that decrypts and unpacks the real payload.
 The malicious code is injected into the browser (for example as an additional extension).
 Finally it carries out the attacker's commands or forwards the collected data to the
attacker's command-and-control (C&C) address.
INTRUSION DETECTION AND PREVENTION TECHNIQUES
Denning, D. E. defined in 1986 that "an intrusion-detection expert system aims to detect a wide
range of security violations ranging from attempted break-ins by outsiders to system
penetrations and abuses by insiders". Increasing internet threats create hazards for the digital
user that are not easily identified by regular firewall protection; a special detection system is
needed that can identify an attack that has entered the host or broken into the network despite
high-level security protection. An IDS is a security tool to protect the system from intrusion
attempts. It is implemented in two forms: one identifies malicious activity and stops the
process before it takes action, and the other records and stores information about the attacks
and handles them by comparing them with regular activities in the future.

The figure above explains the working methodology of an IDS. It is placed after the firewall
and connected to the host devices, and the detection model depends on two principles:
anomaly detection (behavior deviation) and signature detection (pattern matching). Once the
rules match an existing pattern or the behavior deviates, an alert is raised by sending a report
to the security officer. The result of each decision falls into one of four states:
 True positive: rules matched and an attack is present; a legitimate attack triggers the IDS
and raises an alarm.
 False positive: rules matched but no attack is present; the IDS raises an alarm but there is
no attack.
 True negative: rules did not match and no attack is present.
 False negative: rules did not match but an attack is present; the IDS fails to detect an actual
attack.
ADVANTAGES OF IDS:
 Identification of suspicious intrusions by continuous monitoring of network traffic,
activities, behavior, and transactions.
 Effectively limits network damage by matching an attack against previously seen attacks.
 Distinguishes between baseline behavior and ongoing activity.
 Provides a user-friendly interface that allows easy management of security systems.
 Potential to detect previously unknown types of attacks (anomaly-based IDS).
 Alterations to data files are easily detected and reported (host-based IDS).

DISADVANTAGES OF IDS:
 An IDS is a second line of defence; it detects, it does not prevent.
 Failure to identify the source of an attack can lead to blocking the whole network.
 Prone to false positives, with heavy processing overhead.
 Not effective in categorizing new attacks.
 Difficult to train in highly dynamic environments.
 Hard to identify an unknown attack (signature-based IDS).
 Cannot take intermediate actions of its own.
 More vulnerable to network security evasion techniques (fragmentation, encoding,
encryption).
CLASSIFICATION OF INTRUSION DETECTION SYSTEM
The physical structure of an IDS was discussed in the previous session; the implementation
procedure is classified by technique. This session focuses on how an IDS detects and analyzes
suspicious activities and then prevents them in order to secure the system. Many new
procedures have been introduced on top of these techniques by integrating intelligent systems.
The basic categories are: anomaly-based and signature-based detection, classified by technique;
and network-based and host-based detection, classified by architecture. The detailed taxonomy
of IDS is given below:

Classification of Intrusion Detection Systems

Intrusion detection systems are designed to be deployed in different environments, and like
many cybersecurity solutions, an IDS can be either host-based or network-based.

 Host-Based IDS (HIDS): A host-based IDS is deployed on a particular endpoint and
designed to protect it against internal and external threats. Such an IDS may have the ability
to monitor network traffic to and from the machine, observe running processes, and inspect
the system's logs. A host-based IDS's visibility is limited to its host machine, decreasing the
available context for decision-making, but it has deep visibility into the host computer's
internals.

 Network-Based IDS (NIDS): A network-based IDS solution is designed to monitor an entire
protected network. It has visibility into all traffic flowing through the network and makes
determinations based upon packet metadata and contents. This wider viewpoint provides
more context and the ability to detect widespread threats; however, these systems lack
visibility into the internals of the endpoints that they protect, and see only ciphertext where
the traffic is encrypted.

Detection Method of IDS Deployment

Beyond their deployment location, IDS solutions also differ in how they identify potential
intrusions:

 Signature Detection: Signature-based IDS solutions use fingerprints of known threats to
identify them. Once malware or other malicious content has been identified, a signature is
generated and added to the list used by the IDS solution to test incoming content. This
enables an IDS to achieve a high detection rate for known threats with a low false positive
rate, because alerts are generated only on detection of known-malicious content (a carelessly
written signature can still match benign traffic). However, a signature-based IDS is limited to
detecting known threats and is blind to zero-day attacks.

 Anomaly Detection: Anomaly-based IDS solutions build a model of the "normal" behavior
of the protected system. All future behavior is compared to this model, and any anomalies are
labeled as potential threats and generate alerts. While this approach can detect novel or zero-
day threats, the difficulty of building an accurate model of "normal" behavior means that
these systems must balance false positives (incorrect alerts) with false negatives (missed
detections).

 Hybrid Detection: A hybrid IDS uses both signature-based and anomaly-based detection.
This enables it to detect more potential attacks with a lower error rate than using either
system in isolation.
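Added example (not code from the original notes): the Python below runs a signature detector and a simple rate-based anomaly detector over a constructed authentication and web-server log, combines them as a hybrid, and then scores each against the ground truth to produce the four outcome states (true/false positive, true/false negative) described earlier. The log lines, their attack labels, the signatures and the failed-login threshold are all constructed for illustration; one signature is deliberately loose to show how a false positive arises, and one attack is a "zero-day" with no signature to show a false negative.

```python
"""Signature and anomaly detection over a constructed log, then the four
IDS outcome states (TP/FP/TN/FN) against a known ground truth.

Added example, not from the original notes. The log lines, the labels that
say which of them are real attacks, the signatures and the threshold are
constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: (log line, is_attack). The second field is the ground
# truth an analyst establishes after the fact; the IDS never sees it.
LOG: List[Tuple[str, bool]] = [
    ("10:00:01 sshd: Accepted password for alice from 10.0.0.5", False),
    ("10:00:05 httpd: GET /index.html 200 from 10.0.0.7", False),
    ("10:00:09 httpd: GET /search?q=1' OR '1'='1 500 from 198.51.100.9", True),
    ("10:00:10 sshd: Failed password for root from 203.0.113.4", True),
    ("10:00:11 sshd: Failed password for root from 203.0.113.4", True),
    ("10:00:12 sshd: Failed password for root from 203.0.113.4", True),
    ("10:00:13 sshd: Failed password for root from 203.0.113.4", True),
    ("10:00:14 sshd: Failed password for root from 203.0.113.4", True),
    ("10:00:20 sshd: Failed password for bob from 10.0.0.5", False),   # a typo
    ("10:00:30 httpd: GET /docs/select-or-union.html 200 from 10.0.0.7", False),
    ("10:00:40 httpd: GET /cgi-bin/new0day.cgi 200 from 198.51.100.9", True),  # no signature
]

SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "sql-keywords": re.compile(r"\b(select|union)\b", re.I),   # deliberately loose
}


def signature_detect(lines: List[Tuple[str, bool]]) -> Set[int]:
    """Fire on any line that matches a known-bad pattern."""
    return {i for i, (line, _) in enumerate(lines)
            if any(p.search(line) for p in SIGNATURES.values())}


def anomaly_detect(lines: List[Tuple[str, bool]], max_failures: int = 3) -> Set[int]:
    """Fire once a source exceeds the 'normal' number of failed logins."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: Set[int] = set()
    for i, (line, _) in enumerate(lines):
        m = re.search(r"Failed password for \S+ from (\S+)", line)
        if m:
            failures[m.group(1)] += 1
            if failures[m.group(1)] > max_failures:
                alerts.add(i)
    return alerts


def hybrid_detect(lines: List[Tuple[str, bool]]) -> Set[int]:
    """Union of both detectors: more coverage, and every false positive of either."""
    return signature_detect(lines) | anomaly_detect(lines)


def evaluate(lines: List[Tuple[str, bool]], alerts: Set[int]) -> Dict[str, int]:
    """Classify each line as TP/FP/TN/FN by comparing alerts with ground truth."""
    outcome = Counter()
    for i, (_, is_attack) in enumerate(lines):
        fired = i in alerts
        if fired and is_attack:
            outcome["TP"] += 1
        elif fired:
            outcome["FP"] += 1
        elif is_attack:
            outcome["FN"] += 1
        else:
            outcome["TN"] += 1
    return dict(outcome)


if __name__ == "__main__":
    for name, detector in (("signature", signature_detect),
                           ("anomaly", anomaly_detect),
                           ("hybrid", hybrid_detect)):
        print(f"{name:9s}", evaluate(LOG, detector(LOG)))
```

Reading the three results side by side shows the trade-off the text describes: the signature detector catches the injection but misses the brute force and the unknown CGI attack and falsely flags the documentation page, the anomaly detector catches the brute force only after the threshold is crossed (the first three failures are false negatives), and the hybrid adds up both detectors' hits and both detectors' mistakes.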

CENTRALIZED AND DISTRIBUTED IDS

Based on location, IDS are classified into two basic models, centralized and distributed.
A centralized IDS analyzes the data at a fixed number of locations (independent of how many
hosts are connected): it monitors the behavior of the connected hosts and the network traffic,
correlates and aggregates the data, analyzes it with a standard detection algorithm and
generates an alert message if required. A distributed IDS combines multiple IDS over a large
network area with a central server that controls and coordinates the detection process; each
monitoring unit shares the analysis task with the central component, an approach typically
used for peer-to-peer architectures.

Property          Distributed IDS                            Centralized IDS
Scale and         Scales to a larger number of hosts and     Size is fixed, with a limited
extendibility     can be extended as needed.                 number of components.
Fault tolerance   High: one failed component does not        Low: the central component is a
                  stop the others.                           single point of failure.
Storage           Storage and recovery are harder.           Easier to recover after a crash.
Load              Lower load on the monitored systems;       No load on the monitored systems;
                  extra load on the monitoring system.       high load on the host that does
                                                             the analysis.
Reconfiguration   Each component can be reconfigured         The set of monitored systems is
method            dynamically without affecting the other    reconfigured and the IDS restarted.
                  IDS components.
Execution         Harder, as multiple components are         Easy, with a small number of
procedure         connected.                                 components.

INTRUSION PREVENTION SYSTEM:


A virtual security system for detection and prevention forms part of the network: it monitors
the inbound and outbound data packets travelling in the network and compares them with stored
patterns or signatures to handle cyber intrusion activity. The IDS monitors the system and the
IPS controls the system. The main function of an IDS is to analyze the network or system for
suspicious activity, record it in the form of state, signature or behavior, test it for a match
against the stored audit database, and raise an alert notification if any deviation occurs.
A regular security detection system that handles cyber-attacks monitors the network traffic or
the host system for suspicious actions, such as violations of the security policy, execution of
unauthorized malware applications, and port scanning, and generates a report. Analyzing the
packets, identifying a suspicious event by comparing with the database and, if a match is found,
restricting it in the network traffic is the function of an Intrusion Prevention System. Both
detection systems are software applications that reside in the same place, reading network
packets and comparing their contents with the attacks stored in the database. The
implementation process differs between IDS and IPS. An IDS only identifies the attack and waits
for human instruction on what action is to be taken, whereas an IPS is a passive method to control
the process: it identifies the intrusion and rejects the packets based on defined protocols, and is
also used to identify unsafe data packets and drop them in the network before they reach the target.
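The difference in action between the two systems, as an added example that is not part of the study material: the same signature engine is run once in IDS mode (every packet is forwarded and matches only raise alerts) and once in IPS mode (a matching packet is dropped before forwarding). The packets, signature names and patterns are constructed for the demonstration and are not real detection rules.

```python
"""Added example (not from the study material): a minimal signature engine run
in IDS mode (alert only, packet forwarded) and in IPS mode (alert and drop).
All packets and signatures below are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    dport: Optional[int]   # None means "any destination port"
    pattern: bytes         # byte sequence looked for in the payload


@dataclass
class Verdict:
    packet: Packet
    forwarded: bool
    alerts: List[str] = field(default_factory=list)


# Constructed signatures for the demo (not real IDS/IPS rules).
SIGNATURES = [
    Signature("demo-http-probe", 80, b"GET /demo-probe"),
    Signature("demo-bad-string", None, b"DEMO-MALICIOUS"),
]


def match_signatures(pkt: Packet, signatures=SIGNATURES) -> List[str]:
    """Return the names of every signature whose port and pattern match the packet."""
    hits = []
    for sig in signatures:
        if sig.dport is not None and sig.dport != pkt.dport:
            continue
        if sig.pattern in pkt.payload:
            hits.append(sig.name)
    return hits


def inspect(pkt: Packet, mode: str = "ids", signatures=SIGNATURES) -> Verdict:
    """IDS: always forward, alert on a match. IPS: alert and drop on a match."""
    hits = match_signatures(pkt, signatures)
    if mode == "ids":
        return Verdict(pkt, forwarded=True, alerts=hits)
    if mode == "ips":
        return Verdict(pkt, forwarded=not hits, alerts=hits)
    raise ValueError("mode must be 'ids' or 'ips'")


def run(packets: List[Packet], mode: str) -> dict:
    """Process a packet list and summarize what was forwarded, dropped and alerted."""
    verdicts = [inspect(p, mode) for p in packets]
    return {
        "forwarded": sum(1 for v in verdicts if v.forwarded),
        "dropped": sum(1 for v in verdicts if not v.forwarded),
        "alerts": [name for v in verdicts for name in v.alerts],
    }


# Constructed traffic: one benign request, one matching each signature.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /demo-probe HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.25", 25, b"MAIL FROM: DEMO-MALICIOUS"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(SAMPLE_PACKETS, mode))
```

In IDS mode all three packets are forwarded and two alerts are raised; in IPS mode the two matching packets are dropped and only the benign request passes, which is exactly the "inline" cost and benefit the table below describes.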

IDS AND IPS

FEATURES                   | IDS                                                          | IPS
Full form                  | Intrusion Detection System                                   | Intrusion Prevention System
Technique                  | Signature detection by exploiting the known patterns         | Statistical, anomaly and signature based detection and prevention
Availability               | Out of band from data communication                          | Inline to data communication
Action taken               | Sends an alert on identification of a suspicious/malicious attempt | Drop, alert and clean the malicious traffic and take relevant actions (stop the process / block the N/W)
Performance impact on N/W  | Does not impact, due to non-inline deployment of IDS         | Slows down the network due to delay caused by inline IPS processing
Advantages                 | Does not block the traffic                                   | Preferred by many organizations for implementing both detection and prevention automatically.

Impact of IDS with various Security services

Authentication
  Violation of service by the intruder: Masquerade – a legitimate user misuses other credentials.
  HIDS: Monitor the host credentials; detect abnormal activity.
  NIDS: Monitor the network patterns: packets, header, sender and receiver information.
  Method of intrusion detection: Signature-based detection and anomaly detection (by matching with auditing data).

Authorization
  Violation of service by the intruder: Misfeasor – a user trying to utilize unauthorized data/services.
  HIDS: Analyze the limitations and services given to the user; if violated, raise an alert.
  NIDS: Monitor the log files, IP address and packet information of the user, and analyze whether any unauthorized attempt is implemented.
  Method of intrusion detection: Anomaly-based IDS checks the behavior and analyzes the traffic pattern.

Data Confidentiality
  Violation of service by the intruder: Clandestine user – utilizes supervisor credentials to misuse confidential data.
  HIDS: Monitor network pattern use; traffic flow to control the intrusion.
  NIDS: Implementation of routing control to mislead the intruders and avoid privacy intrusion.
  Method of intrusion detection: Stateful protocol analysis (match the signatures of patterns of usage).

Non-repudiation
  Violation of service by the intruder: Observe the regular records of data transfer to identify the general pattern.
  HIDS: Store the proof of data transfer, including sender and receiver information, to avoid non-repudiation.
  NIDS: Record the traffic information and report to audit (sender and receiver IP address, method of sharing, protocols used, pattern analyzed).
  Method of intrusion detection: Necessary for all IDS methods to first check this information.

Auditing
  Violation of service by the intruder: Try to manipulate the audit data by showing themselves as legitimate users (leads to the generation of false positive alerts) and report abnormal activity.
  HIDS and NIDS: Obligatory to generate a report after an attack and update the audit database to control such attacks in future.
  Method of intrusion detection: All the methods of IDS check the audit database to match (signatures, patterns, behaviours).

NETWORK BASE INTRUSION DETECTION SYSTEMS:


An exclusive IDS placed near a firewall, with an independent sensor device running a network
operating system, monitors local network traffic and helps in identifying malicious events in
incoming packets, such as denial-of-service attacks and port scans on the network. This system
resides at the network ports and works with a firewall for better protection against known
attacks. NIDS is classified in two forms: network node-based NID and promiscuous-mode NID.
Analyzing packets bound for a single destination is the quality of node-based NID with
distributed agents, whereas sniffing all the packets across the network traffic and analyzing
them for suspicious attempts with a single sensor on each segment is the property of
promiscuous-mode NID. The working procedure of NIDS is explained in the figure below.

The regular functions carried out by this system are continuous checking of each packet
entering the network: sniffing, matching and analyzing it against the known profiles, and
triggering the alarm when abnormal activity is observed. A NIDS is set up at a selected point,
such as a subnet within the network, to examine and match all passing traffic, analyze the
activity and report an alert if a violation occurs. These sensors have interfaces for managing,
controlling, and receiving alerts, which are sent to the central server. A NIDS application
attached to the Ethernet network medium functions with two interfaces: one only monitors the
network conversation and the other controls and reports the activity.
NIDS countermeasures: various measures implemented to avoid network breakdown
are:
 Shunning – filtering a suspicious host at a network gateway by interacting with
network devices, preventing intrusion of a malicious host to the target.
 Session sniping – interruption of communication (sending packets) with a target host.
 Non-blocking – minimizing an attack's impact by triggering customized actions.
 Re-direction – diverting an attacker to a controlled environment.
 Counterattacks – a reverse attack on a malicious host (neutralize the ability).
 Filtering – categorizing and removing suspected activities on network traffic; also
considered as NIPS (network intrusion prevention system).
Some of the advantages of NIDS are: with good network design and placement, a NIDS can be
used to monitor a wide subnet, and because of its passive nature it can be deployed into
existing networks. Some drawbacks of NIDS are: it can be overwhelmed by network volume,
resulting in failures to recognize attacks, because it is difficult to process all packets in a busy
network; access has to be given for all traffic to be monitored; analyzing encrypted packets
is not possible; fragmented packet attacks are not easily discerned by NIDS; it is hard to identify
traffic which does not cross the monitored network area; there are discrepancies between the
sensor and target viewpoint; regular updates of new profiles are challenging; and it is inefficient
at finding the latest exploits.
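The fragmented-packet drawback above, as an added example that is not part of the study material: a signature string split across two fragments of one datagram is missed when each fragment is inspected on its own, and found once the sensor reassembles the datagram. The fragments, offsets and the signature string are constructed for the demonstration; the reassembly routine refuses to decide when fragments are missing or overlap rather than silently passing the traffic.

```python
"""Added example (not from the study material): the fragmented-packet blind
spot of a NIDS. Per-packet matching misses a signature split across
fragments; matching after reassembly finds it. Fragments and the signature
string are constructed for the demonstration."""
from typing import List, Optional, Tuple

SIGNATURE = b"DEMO-BAD-PATTERN"   # constructed signature, not a real rule

Fragment = Tuple[int, bytes]       # (byte offset within the datagram, data)

# One datagram split in two, delivered out of order on purpose.
# "hello DEMO-BAD-PA" is 17 bytes, so the second fragment starts at offset 17.
FRAGMENTS: List[Fragment] = [
    (17, b"TTERN more payload"),
    (0, b"hello DEMO-BAD-PA"),
]


def per_packet_hits(fragments: List[Fragment], signature: bytes = SIGNATURE) -> int:
    """Naive sensor: inspect each fragment on its own and count matches."""
    return sum(1 for _, data in fragments if signature in data)


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram in offset order.

    Returns None when a gap or overlap is found, because a sensor that guesses
    at the missing bytes can be made to see a different stream than the host."""
    buf = b""
    for offset, data in sorted(fragments):
        if offset != len(buf):        # gap or overlap: cannot reassemble safely
            return None
        buf += data
    return buf


def stream_hits(fragments: List[Fragment], signature: bytes = SIGNATURE) -> Optional[bool]:
    """Sensor with reassembly: inspect the rebuilt datagram.

    None means "undecidable" (incomplete datagram) and should be reported as
    such, not treated as clean."""
    datagram = reassemble(fragments)
    if datagram is None:
        return None
    return signature in datagram


def demo() -> dict:
    return {
        "per_packet_matches": per_packet_hits(FRAGMENTS),
        "reassembled_match": stream_hits(FRAGMENTS),
        "missing_fragment": stream_hits(FRAGMENTS[:1]),
    }


if __name__ == "__main__":
    print(demo())
```

Per-fragment inspection reports zero matches even though the datagram carries the pattern; the reassembled view reports the match, and a datagram with a fragment missing is flagged as undecidable instead of clean.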

NETWORK BASED INTRUSION PREVENTION SYSTEMS:


IPS are also divided into multiple categories based on the implemented area and performance.
Some of them are: NIPS – Network-based Intrusion Prevention Systems, like NIDS but with the
technical difference of stopping the intrusion events on the network using defined signatures.
NBA – Network Behavior Analysis, similar to NIPS and used to prevent intrusion activities in the
network area, but implemented with anomaly detection protocols; it requires a training phase to
identify the normal behavior and a testing phase for comparison. This is also used in stateful
protocol analysis, executed with a pre-defined baseline norm instead of one learned during the
training phase. HIPS – Host-based Intrusion Prevention Systems, installed on the host system
similar to HIDS; this provides granular attention to each host connected in the network.
Another unique prevention method, especially to avoid doubtful events in a wireless network
area, is WIPS – Wireless-based Prevention Systems, basically implemented with two components,
integrated and overlay monitoring. The overlay technique monitors the radio frequencies with
devices installed near access points, and the integrated monitor uses its own APs; the
combination of both results in hybrid monitoring. Functions of IPS: the targeted network or host
TCP session is terminated when it is an offending source trying to utilize the application; the
details of the attack are recorded and the firewall protection is updated and reconfigured to
prevent subsequent attacks of the same type; the network or host area is rectified and any
suspicious data is removed or replaced after the attack, from files, by repackaging or deleting
header and attachment information.
HOST BASED INTRUSION DETECTION SYSTEM (HIDS):
An intelligent detection system that resides on a host to inspect it continuously and report
suspicious activity is considered a HIDS. This is an agent that monitors a computer system
(host) by residing on it; incessant observation of dynamic behavior, the state of the system
(storage area), internal configuration, targeted network packets, programs executed and
resources accessed are some of the functions of HIDS. It analyzes log files available on the host
(kernel, system, server, and network) and monitors file access and configuration changes at
runtime, then analyses them by comparing with previous attacks stored on the server.

Working Procedure of HIDS

HIDS works on configuration or change management principles, and the working procedure of
HIDS is explained in Figure 6. HIDS is a complementary solution to network-based IDS programs:
it provides host-level detection and improves control over the operating system and file
structure by installing agent applications on the host. A centralized server is established to
control the agent software, with a HIDS administrator used to configure, maintain, and collect
events from agents. Events are collected from the connected host and compared with
available log data of predefined signatures for any suspicious activity; the security officer is
notified with an alert message and the new signatures are stored in the log program for
further analysis.

HIDS functions are implemented based on three categories:

 File-level detection: periodic checking and comparing of snapshots of the existing and
previous file structure, tracing the difference using message digest or (cryptographic)
checksum methods to stop suspicious events on the attributes, integrity and access
attempts of a file. Analyzing the changes in the binary structure of a selected file
available on the host is considered an integrity check. Attribute checking: each file has
some unique attributes, such as ownership and permissions; changes in these are
compared and analyzed, and the administrator is informed if they are violated.
Access attempts: comparison against predefined policies to monitor the current attempt,
including the file/application requested and the mode of operation (read, write, execute),
helps to deny file access. This level gives only the after-effects by comparing snapshots,
for example for rootkits and Trojan horses, and also prevents modification, deletion,
unauthorized access and replacement of the file.
 The next is analyzing the code: the host agent can track, by comparing the record of
calling and called applications, the processes implemented, the tasks performed on the
host, and the drivers, to prevent rootkit attacks by monitoring regularly and restricting
unauthorized library applications and versions.
 Configuration monitoring: monitoring wired, wireless, public, and private network
configuration and the modem of the host device, identifying additional network
protocols used such as TCP/UDP [17]. The major operation of HIDS depends on the traces
left by an intruder after the activity: an intruder who owns the hacked system installs
software and carries out various activities like identity theft, spamming the data
content, repeated keystroke monitoring, etc.
 The main target of the intruder is the dynamic objects of the host system; HIDS fails
in monitoring these because of their dynamic nature, which is not suitable for the
checksum technique. HIDS is installed on server/endpoint devices and functions based on
audit trails to secure them from intruders.
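The file-level detection described above (integrity check by cryptographic checksum, attribute check on permissions), as an added example that is not part of the study material: a baseline snapshot of a constructed directory tree is taken, changes of the kind an intruder leaves behind are simulated, and a second snapshot is compared against the baseline. The paths, contents and permission values are constructed for the demonstration.

```python
"""Added example (not from the study material): file-level HIDS checks on a
constructed directory tree. A baseline snapshot of SHA-256 checksums and
file attributes is compared with a later snapshot to report content changes,
permission changes, and added or deleted files."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Return {relative path: {"sha256", "mode", "size"}} for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[rel] = {"sha256": digest, "mode": st.st_mode & 0o777, "size": st.st_size}
    return snap


def compare(baseline: dict, current: dict) -> list:
    """Diff two snapshots; return (finding, path) pairs sorted by path."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("deleted", rel))
        elif rel not in baseline:
            findings.append(("added", rel))
        else:
            b, c = baseline[rel], current[rel]
            if b["sha256"] != c["sha256"]:        # integrity check
                findings.append(("content-changed", rel))
            if b["mode"] != c["mode"]:            # attribute check
                findings.append(("attribute-changed", rel))
    return findings


def _write(root: str, rel: str, text: str, mode: int = 0o644) -> str:
    """Create a constructed file with an explicit mode (so umask does not matter)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def demo() -> list:
    """Build a constructed tree, take a baseline, simulate changes, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd.txt", "root:x:0:0\n")
        _write(root, "bin/tool", "#!/bin/sh\necho ok\n", 0o755)
        _write(root, "var/log/old.log", "boot ok\n")
        baseline = snapshot(root)

        # Simulated post-intrusion state (constructed for the demo).
        _write(root, "bin/tool", "#!/bin/sh\necho tampered\n", 0o755)   # content change
        os.chmod(os.path.join(root, "etc", "passwd.txt"), 0o666)         # permission change
        os.remove(os.path.join(root, "var", "log", "old.log"))           # deleted file
        _write(root, "tmp/unknown.bin", "new file\n")                    # added file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:18} {path}")
```

The snapshot is the "previous file structure" the text refers to; comparing digests catches the changed binary even though its size may be similar, and comparing modes catches the loosened permission on a file whose contents are untouched. A real agent would store the baseline somewhere the monitored host cannot rewrite it.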

NETWORK BASED IDS                                        | HOST-BASED IDS
Host independent, network dependent                      | Host dependent, network independent
Near real-time response                                  | Responds after a suspicious entry
Broad in scope                                           | Narrow in scope
Examines packet header and entire packet passing in the network | Examines in and out activities, monitors all events of the host
Detects network attacks, as the payload is analysed      | Detects local attacks before they hit the network
Not suitable for encrypted and switched network environments | Well suited for encrypted and switched networks
High false positive rate, no overload                    | Low false positive rate, fully overloaded
Does not perform normal detection for complex attacks    | Powerful tool for analyzing a possible attack with known patterns
Better for outside attack detection and handles the attacks missed by HIDS | Better for inside attack detection and handles the attacks missed by NIDS

SECURITY INFORMATION MANAGEMENT:


Information security management (ISM) defines and manages controls that an organization
needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and
integrity of assets from threats and vulnerabilities. Information security management
describes the set of policies and procedural controls that IT and business organizations
implement to secure their informational assets against threats and vulnerabilities.
Responsibility for information security may be assigned to a Chief Security Officer, Chief
Technical Officer, or to an IT Operations manager whose team includes IT operators and
security analysts. Many organizations develop a formal, documented process for managing
InfoSec - often called an Information Security Management System, or ISMS. An
information security management system (ISMS) represents the collation of all the
interrelated/interacting information security elements of an organization so as to ensure
policies, procedures, and objectives can be created, implemented, communicated, and
evaluated to better guarantee an organization's overall information security. This system is

typically influenced by organization's needs, objectives, security requirements, size, and
processes. An ISMS includes and lends to effective risk management and mitigation
strategies. Additionally, an organization's adoption of an ISMS largely indicates that it is
systematically identifying, assessing, and managing information security risks and "will be
capable of successfully addressing information confidentiality, integrity, and availability
requirements."
INFORMATION SECURITY MANAGEMENT LIFE CYCLE
The information security program lifecycle helps prioritize our IT systems and analyze our
needs through a step-by-step procedure, positioning our company to take advantage of
continuous improvement through assessment and monitoring protocols.

Figure: Information Security Life Cycle: 1. Identify, 2. Assess, 3. Design, 4. Implement,
5. Protect, 6. Monitor.


ISM life cycle:
Step 1: Identify
Find the items that need to be protected, with the network and system details. This helps to
understand the assets within a system and their relations.
Step 2: Assess
Gather the data from the identify step and consolidate it to perform an assessment on all assets,
including process and system reviews, server reviews, and vulnerability assessments.
Step 3: Design
Collect the information related to the issues found in the assessment step above and work out a
technical model to protect the device: solutions to resolve specific problems, including
cybersecurity threats, security products, and information security culture and processes.
Step 4: Implement
Develop a change plan. When possible, focus on the most important areas first, then work down
toward the least vulnerable areas. The change plan should also account for any personnel
training needed to implement new procedures or policies.
Step 5: Protect
The mitigation phase, used to validate security measures to ensure that systems match the
established security policies and standards, security levels and implementation verification.
Step 6: Monitor
The team monitors the system and any changes put in place. While the security measures
implemented may protect against vulnerabilities, there is no guarantee that they will remain
secure in the future. The goal of the monitoring phase is twofold: to ensure that strengthened
security remains in place and to identify new vulnerabilities as they arise.
The Importance of Information Security Management
The average organization collects a great deal of data. This includes sensitive customer data,
intellectual property, and other data that is vital to an organization's competitive advantage
and ability to operate.
The value of this data means that it is under constant threat of being stolen by cybercriminals
or encrypted by ransomware. An effective security management architecture is vital because
organizations need to take steps to secure this data to protect themselves and their customers.
Objectives of Information Security Management
The objective of information security management is to protect data:
 Confidentiality: Protecting data confidentiality requires restricting access to data to only
authorized users. Data breaches are a breach of confidentiality.
 Integrity: Ensuring data integrity requires the ability to ensure that data is accurate and
complete. A cyber threat actor that corrupts data in an organization's databases is a breach of
data integrity.
 Availability: Data and the services that rely upon it must be available to authorized users,
whether inside or outside of the company. A Distributed Denial of Service (DDoS) attack is
an example of a threat against the availability of an organization's data and services.
The confidentiality, integrity, and availability of an organization's data can be threatened in
various ways. Information security management involves identifying the potential risks to an
organization, assessing their likelihood and potential impact, and developing and
implementing remediation strategies designed to decrease risk as much as possible with
available resources.

Benefits of Information Security Management
In addition to improving an organization's data security, an infosec management program can
provide the following benefits:
 Streamlined Data Security: An information security management program creates a
framework and process for assessing data security risks and remediating them. Adopting such
a program can make data security more efficient and effective by enabling an organization to
optimize its security architecture and eliminate unnecessary and overlapping solutions.
 Improved Security Culture: Often, infosec is owned by the IT or security department, and it
is difficult to spread and enforce across the organization. Educating employees about the
company's information security management program can improve security and create a
more positive security culture.
 Brand Image: Data breaches and other security incidents can harm an organization's brand
image. Demonstrated compliance with security best practices can help an organization's
reputation and improve relationships with customers and partners.

NETWORK SESSION ANALYSIS (NTA)


• Session data represents a summary of a conversation between two parties. A session,
also known as a flow, a stream or a conversation, is a summary of a packet exchange
between two systems.
A method of monitoring network availability and activity to identify anomalies, including
security and operational issues.
This analysis includes:
 Collection of real-time and historical record of issues faced in the network.
 Detection of dangerous malware and suspicious activity.
 Detecting the use of vulnerable protocols and ciphers
 Troubleshooting a slow network
 Improving internal visibility and eliminating blind spots

Continuous monitoring solutions help to understand network performance, minimize the
attack surface and enhance security controls by improving resource management
techniques. It is important to consider the data source of the network and the monitoring tools
used to analyse the flow of data from devices like routers, and the packets and data captured
from SPAN (mirror) ports and network TAPs.
Benefits of NTA:

 Improved visibility into devices connecting to our network (e.g. IoT devices,
healthcare visitors)
 Meet compliance requirements
 Troubleshoot operational and security issues
 Respond to investigations faster with rich detail and additional network context
The main goal of NTA is to ensure the right source for data collection, control the flow of
data in traffic volumes, and map the journey of a network packet from the start to the
destination points. This helps in detecting unauthorized WAN traffic and attempted network
access with the resources used, but it lacks the collection of detailed information, which
creates security issues.
Use cases for analyzing and monitoring network traffic include:
• Detection of ransomware activity
• Monitoring data exfiltration/internet activity
• Monitoring access to files on file servers or MSSQL databases
• Tracking a user's activity on the network, through User Forensics reporting
• Providing an inventory of what devices, servers and services are running on the network
• Highlighting and identifying the root cause of bandwidth peaks on the network
• Providing real-time dashboards focusing on network and user activity
• Generating network activity reports for management and auditors for any time period
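Session data as described at the start of this section, as an added example that is not part of the study material: packet records are summarized into flows keyed by their 5-tuple, and two of the use cases above (vulnerable cleartext protocols, data exfiltration) are checked against the flow summaries. Every packet is constructed for the demonstration; the internal address range, the flagged port list and the byte threshold are assumptions that an organization would set for its own network.

```python
"""Added example (not from the study material): build session (flow) records
from packet records and run two simple NTA checks over them. All packets
are constructed; the network range, port list and threshold are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ipaddress


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    size: int


# Assumptions for the demo: what counts as "inside", which server ports are
# cleartext, and how many outbound bytes per flow is worth a look.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
EXFIL_BYTES = 1_000_000

FlowKey = Tuple[str, int, str, int, str]


def build_flows(packets: List[Pkt]) -> Dict[FlowKey, dict]:
    """Summarize packets into flows keyed by (src, sport, dst, dport, proto)."""
    flows: Dict[FlowKey, dict] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "start": p.ts, "end": p.ts})
        f["packets"] += 1
        f["bytes"] += p.size
        f["end"] = p.ts
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(flows: Dict[FlowKey, dict]) -> list:
    """Return (finding, src, dst, detail) tuples for the two checks."""
    findings = []
    for (src, sport, dst, dport, proto), f in flows.items():
        if dport in CLEARTEXT_PORTS:
            findings.append(("cleartext-protocol", src, dst, CLEARTEXT_PORTS[dport]))
        if is_internal(src) and not is_internal(dst) and f["bytes"] >= EXFIL_BYTES:
            findings.append(("large-outbound-transfer", src, dst, f["bytes"]))
    return findings


# Constructed traffic: a normal HTTPS session, one telnet session, and a
# large upload to an address outside the assumed internal range.
PACKETS = [
    Pkt(1.0, "10.0.0.5", 51000, "10.0.0.80", 443, "tcp", 600),
    Pkt(1.2, "10.0.0.5", 51000, "10.0.0.80", 443, "tcp", 1200),
    Pkt(2.0, "10.0.0.5", 51001, "10.0.0.22", 23, "tcp", 90),
    Pkt(3.0, "10.0.0.7", 52000, "203.0.113.9", 443, "tcp", 400_000),
    Pkt(3.5, "10.0.0.7", 52000, "203.0.113.9", 443, "tcp", 400_000),
    Pkt(4.0, "10.0.0.7", 52000, "203.0.113.9", 443, "tcp", 400_000),
]


def demo() -> list:
    return analyze(build_flows(PACKETS))


if __name__ == "__main__":
    for key, f in build_flows(PACKETS).items():
        print(key, f)
    print(demo())
```

The flow summary is what a session-data tool stores instead of full packets: it cannot show what was inside the HTTPS upload, which is the "lack of detailed information" the text warns about, but it is enough to see that a host moved a large volume to the outside and that a telnet session exists at all.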

SYSTEM INTEGRITY VALIDATION :


A feature that is used for checking the status of all security detectors and the devices before
development. In simple words checking is disabled by default. A mandatory function for
professional security systems. It does not allow activating the arming mode if the window is
not closed in the room, the detector lid is open, or communication with one of the devices is
lost.
If arming with malfunctions is allowed, and a malfunction was detected when trying to arm, a
confirmation alert to be raised, for arming with the device from which it was tried to arm.
All users of the hub with the appropriate rights and settings receive notifications about
arming with a complete list of malfunctions. The monitoring station of the security company
also receives corresponding notifications.
Integrity is the protection of system data from intentional or accidental unauthorized
changes. The challenge of the security program is to ensure that data is maintained in the
state that is expected by the users. Although the security program cannot improve the
accuracy of the data that is put into the system by users, it can help ensure that any changes
are intended and correctly applied. An additional element of integrity is the need to protect
the process or program used to manipulate the data from unauthorized modification.
A critical requirement of both commercial and government data processing is to ensure the
integrity of data to prevent fraud and errors. It is imperative, therefore, that no user be able to
modify data in a way that might corrupt or lose assets or financial records or render
decision-making information unreliable.

Protecting against Threats to Integrity:


Like confidentiality, integrity can also be compromised by hackers, masqueraders, unprotected
downloaded files, LANs, unauthorized user activities, and unauthorized programs like Trojan
horses and viruses, because each of these threats can lead to unauthorized changes to data or
programs.
For example, unauthorized users can corrupt or change data and programs intentionally or
accidentally if their activities on the system are not properly controlled.
Generally, three basic principles are used to establish integrity controls:

 Need-to-know access: Users should be granted access only to those files and
programs that they need in order to perform their assigned job functions.
 Separation of duties: To ensure that no single employee has control of a transaction
from beginning to end, two or more people should be responsible for performing it.
 Rotation of duties: Job assignments should be changed periodically so that it becomes
more difficult for users to collaborate to exercise complete control of a transaction
and subvert it for fraudulent purposes.
UNIT-IV

CRYPTOGRAPHY AND NETWORK SECURITY:


Introduction to Cryptography
Cryptography is the science of using mathematics to encrypt and decrypt data.
Cryptography is the art and science of keeping messages secure.
The art and science of concealing the messages to introduce secrecy in information security is
recognized as cryptography.
Cryptography is the study and practice of techniques for secure communication in the
presence of third parties called adversaries. It deals with developing and analyzing
protocols which prevent malicious third parties from retrieving information being shared
between two entities, thereby following the various aspects of information security.

Secure Communication refers to the scenario where the message or data shared between
two parties can't be accessed by an adversary. In Cryptography, an Adversary is a
malicious entity, which aims to retrieve precious information or data thereby undermining
the principles of information security.
Data Confidentiality, Data Integrity, Authentication and Non-repudiation are core
principles of modern-day cryptography.
1. Confidentiality refers to certain rules and guidelines usually executed under
confidentiality agreements which ensure that the information is restricted to
certain people or places.
2. Data integrity refers to maintaining and making sure that the data stays accurate
and consistent over its entire life cycle.
3. Authentication is the process of making sure that the piece of data being
claimed by the user belongs to it.
4. Non-repudiation refers to the ability to make sure that a person or a party
associated with a contract or a communication cannot deny the authenticity of
their signature on their document or the sending of a message.

Terminologies
A message is plaintext (sometimes called cleartext). The process of disguising a message in
such a way as to hide its substance is encryption. An encrypted message is ciphertext. The
process of turning ciphertext back into plaintext is decryption.
Data Encryption
Data encryption translates data into another form, or code, so that only people with access to
a secret key (formally called a decryption key) or password can read it. Encrypted data
is commonly referred to as ciphertext, while unencrypted data is called plaintext.
The purpose of data encryption is to protect digital data confidentiality as it is stored on
computer systems and transmitted using the internet or other computer networks.

ENCRYPTION

Encryption is the process in which a sender converts the original information to another form
and sends the resulting unintelligible message out over the network. The sender requires an
encryption algorithm and a key to transform the plaintext (original message) into a ciphertext
(encrypted message). It is also known as enciphering. The original information is called
Plaintext and the encrypted information is called the Cipher Text.

DECRYPTION
Decryption inverts the encryption process in order to convert the message back to its real
form. The receiver uses a decryption algorithm and a key to transform the ciphertext back into
the original plaintext; it is also known as deciphering.
A mathematical process utilized for decryption is known as a decryption algorithm. This
process is the reverse of the encryption algorithm.

Symmetric key Cryptography
Symmetric Key Cryptography also known as Symmetric Encryption is when a secret key is
leveraged for both encryption and decryption functions.
Symmetric key encryption algorithm uses same cryptographic keys for both encryption and
decryption of cipher text.
 Both sender and receiver use a common key to encrypt and decrypt the message.
 This secret key is known only to the sender and to the receiver.
 It is also called secret key cryptography.

 Before starting the communication, sender and receiver share the secret key.
 This secret key is shared through some external means.
 At the sender side, the sender encrypts the message using his copy of the key.
 The cipher text is then sent to the receiver over the communication channel.
 At the receiver side, the receiver decrypts the cipher text using his copy of the key.
 After decryption, the message converts back into readable format.
Examples of symmetric key algorithms are:
 Advanced Encryption Standard (AES)
 Data Encryption Standard (DES)
Advantages-

The advantages of symmetric key algorithms are-


 They are efficient.
 They take less time to encrypt and decrypt the message.

Asymmetric Key Cryptography-


 Sender and receiver use different keys to encrypt and decrypt the message.
 It is called so because sender and receiver use different keys.
 It is also called as public key cryptography.
 Public key encryption algorithm uses pair of keys, one of which is a secret key and
one of which is public. These two keys are mathematically linked with each other.

At sender side,
 Sender encrypts the message using receiver's public key.
 The public key of receiver is publicly available and known to everyone.
 Encryption converts the message into a cipher text.
 This cipher text can be decrypted only using the receiver's private key.

The cipher text is sent to the receiver over the communication channel.

At receiver side,
 Receiver decrypts the cipher text using his private key.
 The private key of the receiver is known only to the receiver.
 Using the public key, it is not possible for anyone to determine the receiver's private
key.
 After decryption, cipher text converts back into a readable format.

Advantages-

The advantages of public key cryptography are-


 It is more robust.
 It is less susceptible to third-party security breach attempts.

Message Authentication

Message authentication can be provided using the cryptographic techniques that use secret
keys as done in case of encryption.
Message authentication ensures that the message has been sent by a genuine identity and not
by an imposter.
• The service used to provide message authentication is a Message Authentication Code
(MAC).

 The sender uses some publicly known MAC algorithm, inputs the message and the
secret key K and produces a MAC value.
 Similar to hash, MAC function also compresses an arbitrary long input into a fixed
length output. The major difference between hash and MAC is that MAC uses secret
key during the compression.
 The sender forwards the message along with the MAC. Here, we assume that the
message is sent in the clear, as we are concerned with providing message origin
authentication, not confidentiality. If confidentiality is required then the message
needs encryption.
 On receipt of the message and the MAC, the receiver feeds the received message and
the shared secret key K into the MAC algorithm and re-computes the MAC value.
 The receiver now checks equality of the freshly computed MAC with the MAC received
from the sender. If they match, then the receiver accepts the message and assures
himself that the message has been sent by the intended sender.
 If the computed MAC does not match the MAC sent by the sender, the receiver
cannot determine whether it is the message that has been altered or the origin
that has been falsified. As a bottom line, the receiver safely assumes that the message
is not genuine.
Limitations of MAC
There are two major limitations of MAC, both due to its symmetric nature of operation −
 Establishment of Shared Secret.
 It can provide message authentication among pre-decided legitimate users
who have shared key.
 This requires establishment of shared secret prior to use of MAC.
 Inability to Provide Non-Repudiation
 Non-repudiation is the assurance that a message originator cannot deny any
previously sent messages and commitments or actions.
 MAC technique does not provide a non-repudiation service. If the sender and
receiver get involved in a dispute over message origination, MACs cannot
provide a proof that a message was indeed sent by the sender.
 Though no third party can compute the MAC, still sender could deny having
sent the message and claim that the receiver forged it, as it is impossible to
determine which of the two parties computed the MAC.

Digital Signatures

A digital signature is a mathematical technique used to validate the authenticity and integrity
of a message, software or digital document. It's the digital equivalent of a handwritten
signature or stamped seal, but it offers far more inherent security.

A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet,
text file, etc.) is authentic. Authentic means that we know who created the document
and we know that it has not been altered in any way since that person created it.
Digital signatures use a certificate-based digital ID issued by an accredited Certificate
Authority (CA) or Trust Service Provider (TSP), so when we digitally sign a document, our
identity is uniquely linked to us, the signature is bound to the document with encryption, and
everything can be verified using the underlying technology known as Public Key Infrastructure
(PKI).

Working of Digital Signature


Digital signatures are based on Public Key Infrastructure (PKI). By this mechanism, two
keys are generated, a Public Key and a Private Key. The private key is kept by the signer and
should be stored securely. On the other hand, the receiver must have the public key to decrypt
the signature and so verify the message.
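The sign-and-verify cycle above as an added Go example (not from the study material), using RSA-2048 with SHA-256 from the Go standard library; the document text and the function names are assumptions made for the illustration:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates the signer's key pair. The private key stays with the
// signer; the public key is what gets distributed (normally inside a
// CA-issued certificate).
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the document with SHA-256 and signs the digest with the private
// key using the RSA PKCS#1 v1.5 signature scheme.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest of the received document and checks the
// signature with the public key only; the verifier needs no secret.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureDemo signs a constructed document and returns
// (genuineOK, tamperedOK, wrongSignerOK): whether verification succeeds for
// the original, for an altered copy, and for a signature made by another key.
func SignatureDemo() (bool, bool, bool, error) {
	signer, err := GenerateKeyPair()
	if err != nil {
		return false, false, false, err
	}
	doc := []byte("Invoice 1001: amount due 500.00") // constructed document
	sig, err := Sign(signer, doc)
	if err != nil {
		return false, false, false, err
	}
	genuineOK := Verify(&signer.PublicKey, doc, sig)

	// Integrity: one changed digit changes the digest, so the signature fails.
	tampered := []byte("Invoice 1001: amount due 900.00")
	tamperedOK := Verify(&signer.PublicKey, tampered, sig)

	// Authenticity: a signature made with some other private key does not
	// verify under the genuine signer's public key.
	impostor, err := GenerateKeyPair()
	if err != nil {
		return false, false, false, err
	}
	otherSig, err := Sign(impostor, doc)
	if err != nil {
		return false, false, false, err
	}
	wrongSignerOK := Verify(&signer.PublicKey, doc, otherSig)

	return genuineOK, tamperedOK, wrongSignerOK, nil
}

func main() {
	g, t, w, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrong signer=%v\n", g, t, w)
}
```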

What are the benefits of digital signatures?
Security is the main benefit of digital signatures. Security capabilities embedded in digital
signatures ensure a document is not altered and signatures are legitimate. Security features
and methods used in digital signatures include the following:
 Personal identification numbers (PINs), passwords and codes. Used to
authenticate and verify a signer's identity and approve their signature. Email,
username and password are the most common methods used.
 Asymmetric cryptography. Employs a public key algorithm that includes private
and public key encryption and authentication.
 Checksum. A long string of letters and numbers that represents the sum of the
correct digits in a piece of digital data, against which comparisons can be made to
detect errors or changes. A checksum acts as a data fingerprint.
 Cyclic redundancy check (CRC). An error-detecting code and verification
feature used in digital networks and storage devices to detect changes to raw data.
 Certificate authority (CA) validation. CAs issue digital signatures and act as
trusted third parties by accepting, authenticating, issuing and maintaining digital
certificates. The use of CAs helps avoid the creation of fake digital certificates.

 Trust service provider (TSP) validation. A TSP is a person or legal entity that
performs validation of a digital signature on a company's behalf and offers
signature validation reports.

Applications of Cryptography

1. Digital Currency: A much-known application of cryptography is digital currency,
wherein cryptocurrencies are traded over the internet. Top cryptocurrencies like
Bitcoin, Ethereum, and Ripple have been developed and traded over time.
With cashless economies emerging, digital currencies have grabbed the attention of
the world. Unregulated by any government or banks, cryptocurrencies are our
upcoming future.
2. E-commerce: These transactions are encrypted and perhaps cannot be altered by any
third party. Moreover, the passwords we set for such sites are also protected under keys
to ensure that no hacker gets access to our e-commerce details for harmful purposes.
3. Military Operations: The applications of cryptography in the military are well-known.
Military operations have also derived great use from cryptography for a long time.
Used for encrypting military communication channels, military encryption devices
convert the real communication characters so that the enemies cannot come to know
about their upcoming plans.
Simply put, cryptography safely transmits messages from one end to the other without
letting the enemy forces intercept the real meaning. This is a very important application
of cryptology as it can be of both public and private use.
On the large scale, it can be widely used for declaring wars and sending crucial messages
without the involvement of a messenger. Unlike traditional times, this technology can be
precisely used to enhance the military strength of a nation.

Secure communications
The most obvious use of cryptography, and the one that all of us use frequently, is encrypting
communications between us and another system. This is most commonly used for
communicating between a client program and a server. Examples are a web browser and web
server, or email client and email server. When the internet was developed it was a small
academic and government community, and misuse was rare. Most systems communicated in
the clear (without encryption), so anyone who intercepted network traffic could capture
communications and passwords. Modern switched networks make interception harder, but
some cases – for example, public wifi – still allow it. To make the internet more secure, most
communication protocols have adopted encryption. Many older protocols have been dropped
in favour of newer, encrypted replacements.
End-to-end Encryption
Email is one area where encryption is not widely in use. When email moves from server to
server, and from server to us, it is encrypted. On the mail server and on our system, however,
an administrator can read it. There are options to implement "end-to-end" encryption for
email (I use PGP) but email systems are complex and these options are complex. Truly secure
messaging systems – where only the sender and receiver can read the message – are those
where encryption has been built in from the start. Whatsapp is good; Signal is better.
Storing Data
We all store a large amount of data, and any data is valuable to at least the person who
generated it. Every operating system uses encryption in some of the core components to keep
passwords secret, conceal some parts of the system, and make sure that updates and patches
are really from the maker of the system.
Storing Passwords

One of the main uses of this is to store passwords. It is very risky to store passwords in an
accessible way. If stored in plaintext on a system, anyone who has access to the system –
legitimate or malicious – can read the password. Encryption is only a partial answer to storing
passwords. If someone has access to the system storing the encrypted passwords, they will
probably have access to the encryption key to decrypt the password. Hashing, on the other
hand, produces a relatively useless value for the attacker. A system will take the password on
login, hash it, and compare it to the stored hash. At no point will the system – or an attacker –
have access to the plaintext password.
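An added Go example (not from the study material) of storing and checking passwords as salted, iterated hashes rather than as plaintext or reversible ciphertext. The record format and the iteration count are assumptions, and PBKDF2-HMAC-SHA256 is written out because older Go standard libraries lack it; in production a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Iterations is the PBKDF2 work factor (an assumed value for this example);
// each extra iteration makes every guess at the password cost more.
const Iterations = 100000

// pbkdf2SHA256 derives keyLen bytes from password and salt with
// PBKDF2-HMAC-SHA256 (RFC 8018), written out here because older Go standard
// libraries do not include it.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	index := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(index, uint32(block))
		prf.Write(index)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// HashPassword returns what the system stores instead of the password:
// "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>" (an assumed record
// format). The random salt means two users with the same password get
// different records.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	hash := pbkdf2SHA256([]byte(password), salt, Iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", Iterations,
		hex.EncodeToString(salt), hex.EncodeToString(hash)), nil
}

// VerifyPassword re-derives the hash from the login attempt and the stored salt
// and compares in constant time. The plaintext password is never stored.
func VerifyPassword(password, record string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false
	}
	stored, err := hex.DecodeString(parts[3])
	if err != nil || len(stored) == 0 {
		return false
	}
	return hmac.Equal(pbkdf2SHA256([]byte(password), salt, iter, len(stored)), stored)
}

func main() {
	record, err := HashPassword("correct horse battery staple") // constructed password
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", record)
	fmt.Println("correct password accepted:", VerifyPassword("correct horse battery staple", record))
	fmt.Println("wrong password accepted:  ", VerifyPassword("wrong-guess", record))
}
```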

Overview of Firewalls

A firewall is a network security device, either hardware or software-based, which monitors
all incoming and outgoing traffic and based on a defined set of security rules it accepts,
rejects or drops that specific traffic.

Accept : allow the traffic
Reject : block the traffic but reply with an "unreachable error"
Drop : block the traffic with no reply

History and Need for Firewall


Before firewalls, network security was performed by Access Control Lists (ACLs) residing
on routers. ACLs are rules that determine whether network access should be granted or
denied to specific IP addresses.
But ACLs cannot determine the nature of the packets they are blocking. Also, an ACL alone does
not have the capacity to keep threats out of the network. Hence, the firewall was
introduced.
Connectivity to the Internet is no longer optional for organizations. While accessing the
Internet provides benefits to the organization, it also enables the outside world to interact
with the internal network of the organization. This creates a threat to the organization. In
order to secure the internal network from unauthorized traffic, we need a firewall.

How Firewall Works


A firewall matches the network traffic against the rule set defined in its table. Once a rule is
matched, the associated action is applied to the network traffic. For example, one rule may be
defined so that an employee from the HR department cannot access the data from the code server,
and at the same time another rule may be defined so that the system administrator can access the
data from both the HR and technical departments. Rules can be defined on the firewall based on
the necessity and security policies of the organization.
From the perspective of a server, network traffic can be either outgoing or incoming. The
firewall maintains a distinct set of rules for both cases. Mostly, outgoing traffic,
originated from the server itself, is allowed to pass. Still, setting rules on outgoing traffic is
always better in order to achieve more security and prevent unwanted communication.
Incoming traffic is treated differently. Most traffic which reaches the firewall uses one of
these three major Transport Layer protocols: TCP, UDP or ICMP. All these types have a
source address and destination address. Also, TCP and UDP have port numbers. ICMP
uses a type code instead of a port number, which identifies the purpose of that packet.
Generation of Firewall
Firewalls can be categorized based on their generation.
1. First Generation - Packet Filtering Firewall : A packet filtering firewall is used
to control network access by monitoring outgoing and incoming packets and
allowing them to pass or stop based on source and destination IP address,
protocol and ports. It analyses traffic at the transport protocol layer (but mainly
uses the first 3 layers).
Packet firewalls treat each packet in isolation. They have no ability to tell
whether a packet is part of an existing stream of traffic. They can only allow or
deny packets based on the individual packet's headers.
2. Second Generation - Stateful Inspection Firewall : Stateful firewalls (which perform
Stateful Packet Inspection) are able to determine the connection state of a packet,
unlike a packet filtering firewall, which makes them more efficient. A stateful firewall
keeps track of the state of network connections travelling across it, such as TCP streams,
so the filtering decisions are based not only on the defined rules, but also on the packet's
history in the state table.
3. Third Generation - Application Layer Firewall : An application layer firewall can
inspect and filter packets on any OSI layer, up to the application layer. It has the
ability to block specific content, and also to recognize when certain applications and
protocols (like HTTP, FTP) are being misused.
In other words, application layer firewalls are hosts that run proxy servers. A proxy
firewall prevents a direct connection between either side of the firewall; each
packet has to pass through the proxy. It can allow or block the traffic based on
predefined rules.
4. Next Generation Firewalls (NGFW) : Next Generation Firewalls are being
deployed these days to stop modern security breaches like advanced malware attacks
and application-layer attacks. An NGFW consists of Deep Packet Inspection,
Application Inspection, SSL/SSH inspection and many other functionalities to protect the
network from these modern threats.

Types of Firewalls

1. Host-based Firewalls : A host-based firewall is installed on each network node
and controls each incoming and outgoing packet. It is a software application
or suite of applications that comes as a part of the operating system. Host-based
firewalls are needed because network firewalls cannot provide protection inside
a trusted network. A host firewall protects each host from attacks and
unauthorized access.
2. Network-based Firewalls : Network firewalls function at the network level. In
other words, these firewalls filter all incoming and outgoing traffic across the
network. They protect the internal network by filtering the traffic using rules
defined on the firewall. A network firewall might have two or more network
interface cards (NICs). A network-based firewall is usually a dedicated system
with proprietary software installed.
3. Packet Filtering: This is the grandfather of firewalls, and is sometimes referred to as a
stateless firewall. Packet filters basically inspect a packet and determine whether or
not it fits a rule set that will allow it to pass through the filter. For example, if there's
a rule allowing TCP port 80 traffic inbound/outbound, we can communicate using
HTTP services. These are cheap, but require a bit of configuration, and they don't
examine entire packets.
4. Stateful Filtering: This type of firewall still uses packet filtering, but now it also
considers the connection state of a device. Initially the firewall inspects packets at the
application layer; once a connection is established, the inspection at the application
layer is no longer needed. It performs most of its examinations between the Physical
and Transport layers of the OSI model. Note that these can be vulnerable to man-in-
the-middle attacks (IP spoofing).
5. Application Layer Firewalls: Application layer firewalls filter by process instead of
by port. They are useful in preventing attacks on processes like HTTP and SMTP,
guarding against SQL injection, DDoS attacks, and more. These actually filter
application-level commands and fully inspect the packet. Of course, vendors need to
keep pushing out updates for new protocols, and there may be some delay in this
support, which could lead to potential exploits.
6. Circuit Level Gateway: These work on the Session layer of the OSI model to
confirm that TCP handshakes between packets are legitimate. This acts as a circuit between a
proxy server and internal clients, and ensures that an external client doesn't have any
actual information about the server. There is potential for harmful information to get
through the proxy to the internal client because these do not examine packet
contents.
7. Stateful Multilayer Inspection: These are a combination of packet filtering, circuit
level gateways, and application layer firewalls. These are fairly complex, and could
actually be more insecure than a simple firewall if we don't have an admin who is
knowledgeable about proper configuration.
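An added Go example (not from the study material) that implements the packet filtering and stateful inspection firewalls described in the Generation and Types sections above, with the Accept, Reject and Drop actions from the overview; the rules, packets and addresses are constructed sample values.

```go
package main

import "fmt"

// Action is the firewall's verdict on a packet.
type Action int

const (
	Drop   Action = iota // block silently
	Reject               // block, but send an "unreachable" error back
	Accept               // let the packet through
)

func (a Action) String() string { return [...]string{"DROP", "REJECT", "ACCEPT"}[a] }

// Packet holds the header fields a packet filter looks at.
type Packet struct {
	Inbound          bool   // true when the packet arrives from the outside
	Proto            string // "tcp", "udp" or "icmp"
	Src, Dst         string // addresses (constructed, RFC 5737 documentation ranges)
	SrcPort, DstPort int    // zero for icmp
}

// Rule matches direction, protocol and destination port ("" / 0 mean any).
type Rule struct {
	Inbound bool
	Proto   string
	DstPort int
	Action  Action
}

func (r Rule) matches(p Packet) bool {
	return r.Inbound == p.Inbound &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// StatelessFilter (first generation): first matching rule wins, else drop.
func StatelessFilter(rules []Rule, p Packet) Action {
	for _, r := range rules {
		if r.matches(p) {
			return r.Action
		}
	}
	return Drop
}

// StatefulFilter (second generation) remembers connections opened from inside so their replies pass.
type StatefulFilter struct {
	Rules []Rule
	conns map[string]bool
}

// flowKey names a connection identically in both directions.
func flowKey(p Packet) string {
	if p.Inbound {
		return fmt.Sprintf("%s %s:%d<->%s:%d", p.Proto, p.Dst, p.DstPort, p.Src, p.SrcPort)
	}
	return fmt.Sprintf("%s %s:%d<->%s:%d", p.Proto, p.Src, p.SrcPort, p.Dst, p.DstPort)
}

func (f *StatefulFilter) Filter(p Packet) Action {
	if f.conns == nil {
		f.conns = make(map[string]bool)
	}
	key := flowKey(p)
	if p.Inbound && f.conns[key] {
		return Accept // belongs to a connection an inside host opened
	}
	a := StatelessFilter(f.Rules, p)
	if a == Accept && !p.Inbound && p.Proto != "icmp" {
		f.conns[key] = true // remember the new outbound connection
	}
	return a
}

// DemoRules: web server reachable, telnet rejected, other inbound dropped, outbound TCP/UDP allowed.
var DemoRules = []Rule{
	{Inbound: true, Proto: "tcp", DstPort: 80, Action: Accept},
	{Inbound: true, Proto: "tcp", DstPort: 23, Action: Reject},
	{Inbound: false, Proto: "tcp", Action: Accept},
	{Inbound: false, Proto: "udp", Action: Accept},
}

// FirewallDemo returns (statelessReply, statefulReply, statefulUnsolicited) for a
// genuine reply to an inside-initiated connection and for an unsolicited look-alike.
func FirewallDemo() (Action, Action, Action) {
	request := Packet{Inbound: false, Proto: "tcp", Src: "192.0.2.10", SrcPort: 40000, Dst: "203.0.113.5", DstPort: 443}
	reply := Packet{Inbound: true, Proto: "tcp", Src: "203.0.113.5", SrcPort: 443, Dst: "192.0.2.10", DstPort: 40000}
	unsolicited := Packet{Inbound: true, Proto: "tcp", Src: "198.51.100.9", SrcPort: 443, Dst: "192.0.2.10", DstPort: 40001}
	sf := &StatefulFilter{Rules: DemoRules}
	sf.Filter(request) // the outbound request creates the state-table entry
	return StatelessFilter(DemoRules, reply), sf.Filter(reply), sf.Filter(unsolicited)
}

func main() {
	a, b, c := FirewallDemo()
	fmt.Println("stateless reply:", a, "| stateful reply:", b, "| stateful unsolicited:", c)
}
```

The stateless filter has to drop the legitimate reply (no inbound rule covers it), while the stateful filter accepts it because the state table knows the inside host opened the connection, and still drops the unsolicited packet.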

User Management

User management (UM) is defined as the effective management of users and their accounts,
giving them access to various IT resources like devices, applications, systems, networks,
SaaS services, storage systems, and more.
User management enables administrators to grant access and manage user access and
control user accounts. A user management system forms an integral part of identity and
access management (IAM) and serves as a basic form of security.

User management describes the ability of administrators to manage user access to various IT
resources like systems, devices, applications, storage systems, networks, SaaS services, and
more. User management is a core part of any identity and access management (IAM)
solution, in particular directory services tools. Controlling and managing user access to IT
resources is a fundamental security essential for any organization. User management enables
admins to control user access and to on-board and off-board users to and from IT resources.
Subsequently, a directory service will authenticate, authorize, and audit user access to IT
resources based on what the IT admin has dictated.

Why Do We Need User Management?


Simply put, user management solves the problem of managing user access to various
resources. For example, the marketing team generally requires access to different resources
than the accounting team. Further, an employee on the marketing team likely doesn't need
access to internal financial systems and, vice versa, a finance employee doesn't require access
to Salesforce or Market. User management enables IT administrators to manage resources
and provision users based on need and role while keeping their digital assets secure. For end
users, the tasks of user management are often invisible, but the results are not.

Why is user management important?


As more services are moving to the cloud, user accounts are being created at an exponential rate. For
example, when a company integrates a new cloud service, they have one account within that
service in which to manage all of their users. The number of users per account can vary
anywhere from 5 users to the millions.

User management factors


When reviewing user management tools, it's important to understand two things: 1. our
integration and management needs, and 2. the ability of our cloud services to communicate
through an API. Each of these factors plays a crucial role in the usability of the tool.
Integration is the ability to tie into existing systems through an agent or by federation. This
makes the migration off of older systems a breeze, or at least eases user adoption in that users
can immediately use their existing credentials in the new system.
Management includes all the features that allow us to complete user management tasks once
users are in the system. This includes user and password storage, CRUD (create, read, update,
and delete) operations, policy (security, password) management, attribute transformation, and
self-service flows such as account recovery and registration.
As the adoption of cloud services increases, so does the need to manage user access via an
API. The ability to allow API communication makes our user management tasks more
accessible and increases the efficiency and flexibility of our system.

VPN Security protocols

A Virtual Private Network (VPN) allows a user to connect to a private
network over the Internet securely and privately. A VPN creates an encrypted connection that
is called a VPN tunnel, and all Internet traffic and communication is passed through this
secure tunnel.
A Virtual Private Network (VPN) is basically of 2 types:
1. Remote Access VPN:
A Remote Access VPN permits a user to connect to a private network and access
all its services and resources remotely. The connection between the user and the
private network occurs through the Internet, and the connection is secure and
private. Remote Access VPN is useful for both home users and business users.
2. Site to Site VPN:
A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly
used in large companies. Companies or organizations with branch offices in
different locations use a Site-to-Site VPN to connect the network of one office
location to the network at another office location.

 Intranet based VPN: When several offices of the same company are connected
using the Site-to-Site VPN type, it is called an Intranet based VPN.
 Extranet based VPN: When companies use the Site-to-Site VPN type to connect to
the office of another company, it is called an Extranet based VPN.
Types of Virtual Private Network (VPN) Protocols:
1. Internet Protocol Security (IPSec):
Internet Protocol Security, known as IPSec, is used to secure Internet
communication across an IP network. IPSec secures Internet Protocol
communication by verifying the session and encrypting each data packet during
the connection.
IPSec runs in 2 modes:
 (i) Transport mode
 (ii) Tunneling mode
The work of transport mode is to encrypt the message in the data packet, and the
tunneling mode encrypts the whole data packet. IPSec can also be used with
other security protocols to improve the security system.
2. Layer 2 Tunneling Protocol (L2TP):
L2TP or Layer 2 Tunneling Protocol is a tunneling protocol that is often
combined with another VPN security protocol like IPSec to establish a highly
secure VPN connection. L2TP generates a tunnel between two L2TP connection
points and the IPSec protocol encrypts the data and maintains secure communication
through the tunnel.
3. Point-to-Point Tunneling Protocol (PPTP):
PPTP or Point-to-Point Tunneling Protocol generates a tunnel and confines the
data packet. Point-to-Point Protocol (PPP) is used to encrypt the data between
the connection endpoints. PPTP is one of the most widely used VPN protocols and has been
in use since the early releases of Windows. PPTP is also used on Mac and Linux
apart from Windows.
4. SSL and TLS:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) generate a VPN
connection where the web browser acts as the client and user access is restricted to
specific applications instead of the entire network. Online shopping websites commonly
use the SSL and TLS protocols. It is easy to switch to SSL in web browsers, with
almost no action required from the user, as web browsers come integrated with SSL
and TLS. SSL connections have "https" at the start of the URL instead of "http".
5. OpenVPN:
OpenVPN is an open source VPN that is commonly used for creating Point-to-Point
and Site-to-Site connections. It uses a traditional security protocol based on the SSL and
TLS protocols.
6. Secure Shell (SSH):
Secure Shell or SSH generates the VPN tunnel through which the data transfer
occurs and also ensures that the tunnel is encrypted. SSH connections are generated
by an SSH client, and data is transferred from a local port on to the remote server
through the encrypted tunnel.

Security Protocols

Security at the Application Layer - PGP and S/MIME

Application layer security refers to ways of protecting web applications at the
application layer (layer 7 of the OSI model) from malicious attacks.
Since the application layer is the closest layer to the end user, it provides hackers with the
largest threat surface.

Some application layer attacks include:


 SQL injections
 denial of service attacks
 cross-site scripting
 access to unauthorized data
 parameter tampering

Various business services are now provided online through client-server applications.
The most popular forms are web applications. In each application, the client
communicates with a specific server and obtains services.
While using a service from any server application, the client and server exchange a great deal
of information over the underlying intranet or internet. We are aware of the fact that these data
transactions are vulnerable to numerous attacks.
Network security entails securing information against attacks while it is in transit on a
network. To attain this purpose, many real-time security protocols have been designed. Such a
protocol needs to offer at least the following primary goals −
 The parties can negotiate interactively to authenticate each other.
 Establish a secret session key before exchanging data on the network.
 Exchange the data in encrypted form.

E-mail Security
Nowadays, e-mail has become a very extensively used network application. Let's briefly
discuss e-mail infrastructure before proceeding to e-mail security protocols.
E-mail Infrastructure
The simplest way of sending an e-mail would be sending a message directly from the sender's
machine to the recipient's machine. In this case, it is essential for both machines to be
running on the network simultaneously. However, this setup is impractical as users only
occasionally connect their machines to the network.
Hence, the concept of setting up e-mail servers arrived. In this setup, the e-mail is sent to an
e-mail server which is permanently available on the network. When the recipient's machine
connects to the network, it reads the e-mail from the e-mail server.
In general, e-mail infrastructure consists of a mesh of e-mail servers, also termed
Message Transfer Agents (MTAs), and client machines running an e-mail program
comprising a User Agent (UA) and a local MTA.
Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs
and finally reaches the UA at the recipient's machine.

The protocols used for e-mail are as follows −

 Simple Mail Transfer Protocol (SMTP) is used for forwarding e-mail messages.
 Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are used by the
recipient to retrieve the messages from the server.

MIME
The basic Internet e-mail standard was written in 1982 and it describes the format of e-mail
messages exchanged on the Internet. It mainly supports e-mail messages written as text in the basic
Roman alphabet.

By 1992, the need was felt to improve the same. Hence, an additional standard, Multipurpose
Internet Mail Extensions (MIME), was defined. It is a set of extensions to the basic Internet e-mail
standard. MIME provides the ability to send e-mail using characters other than those of the
basic Roman alphabet, such as the Cyrillic alphabet (used in Russian), the Greek alphabet, or
even the ideographic characters of Chinese.
Another need fulfilled by MIME is to send non-text content, such as images or video
clips. Due to these features, the MIME standard became widely adopted along with SMTP for e-mail
communication.

E-Mail Security Services


The growing use of e-mail communication for important and crucial transactions requires the
provision of certain fundamental security services, such as the following −
 Confidentiality − The e-mail message must not be read by anyone but the
intended recipient.
 Authentication − The e-mail recipient can be sure of the identity of the sender.
 Integrity − Assurance to the recipient that the e-mail message has not been
altered since it was transmitted by the sender.
 Non-repudiation − The e-mail recipient is able to prove to a third party that the sender
really did send the message.
 Proof of Submission − The e-mail sender gets the confirmation that the message has been
handed over to the e-mail delivery system.
 Proof of Delivery − The sender gets a confirmation that the recipient received the
message.
One-to-One E-Mail
In this scenario, the sender sends an e-mail message to only one recipient. Usually, very few
MTAs are involved in the communication.

Let's assume a sender wants to send a private e-mail to a recipient. Privacy in this situation
is provided as follows −
 The sender and receiver have their private-public key pairs as (SPVT, SPUB) and
(RPVT, RPUB) respectively.
 The sender generates a secret symmetric key, KS, for encryption. Though the sender
could have used RPUB for encryption, a symmetric key is used to obtain faster
encryption and decryption.
 The sender encrypts the message with key KS and also encrypts KS with the public key of
the recipient, RPUB.
 The sender sends the encrypted message and the encrypted KS to the recipient.
 The recipient first obtains KS by decrypting the encrypted KS using his private key,
RPVT.
 The recipient then decrypts the message using the symmetric key, KS.

If message integrity, authentication, and non-repudiation services are also needed in this
scenario, the following steps are added to the above method.
 The sender produces a hash of the message and digitally signs this hash with his private
key, SPVT.
 The sender sends this signed hash to the recipient together with the other components.

PGP
Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de facto
standard for providing security services for e-mail communication.
As mentioned above, it uses public key cryptography, symmetric key cryptography, hash
functions, and digital signatures. It provides −
 Privacy
 Sender Authentication
 Message Integrity
 Non-repudiation

Along with these security services, it also provides data compression and key management support.
PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., instead of
inventing new ones.

Working of PGP

 A hash of the message is calculated (MD5 algorithm).
 The resultant 128-bit hash is signed using the private key of the sender (RSA algorithm).
 The digital signature is concatenated to the message, and the result is compressed.
 A 128-bit symmetric key, KS, is generated and used to encrypt the compressed
message with IDEA.
 KS is encrypted using the public key of the recipient using the RSA algorithm and
the result is appended to the encrypted message.
The format of a PGP message is shown in the following diagram. The IDs indicate which
key is used to encrypt KS and which key is to be used to verify the signature on the hash.
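An added Go example (not from the study material, nor PGP's own code) of the one-to-one e-mail procedure and the PGP working steps above: the sender hashes the message, signs the hash with SPVT, appends the signature, encrypts under a fresh 128-bit session key KS and encrypts KS with RPUB; the recipient reverses the steps with RPVT and SPUB. It substitutes SHA-256, AES-128-GCM and RSA-OAEP (all Go standard library) for MD5, IDEA and plain RSA, leaves out the compression step, and uses a constructed message.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels from sender to recipient.
type Envelope struct {
	WrappedKey []byte // session key KS encrypted with the recipient's RPUB
	Nonce      []byte // nonce for the symmetric cipher
	Ciphertext []byte // AES-GCM encryption of message || signature
}

// NewKey generates an RSA-2048 key pair (SPVT/SPUB or RPVT/RPUB).
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// symmetricCipher builds the cipher for KS (AES-128-GCM here, standing in for
// the IDEA cipher named in the text).
func symmetricCipher(ks []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs the sender's steps: hash the message, sign the hash with SPVT,
// append the signature, encrypt under a fresh 128-bit KS, and encrypt KS with RPUB.
func Seal(msg []byte, spvt *rsa.PrivateKey, rpub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg) // SHA-256 standing in for MD5
	sig, err := rsa.SignPKCS1v15(rand.Reader, spvt, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	packed := append(append([]byte{}, msg...), sig...)

	ks := make([]byte, 16) // KS: 128-bit session key, used for this message only
	if _, err := io.ReadFull(rand.Reader, ks); err != nil {
		return nil, err
	}
	gcm, err := symmetricCipher(ks)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpub, ks, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, packed, nil)}, nil
}

// Open performs the recipient's steps: recover KS with RPVT, decrypt, split off
// the signature and verify it with the sender's SPUB.
func Open(env *Envelope, rpvt *rsa.PrivateKey, spub *rsa.PublicKey) ([]byte, error) {
	ks, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rpvt, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot recover KS: %w", err)
	}
	gcm, err := symmetricCipher(ks)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	sigLen := spub.Size() // an RSA signature is exactly one modulus in length
	if len(plain) < sigLen {
		return nil, fmt.Errorf("no signature present")
	}
	msg, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(spub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return msg, nil
}

func main() {
	sender, _ := NewKey()
	recipient, _ := NewKey()
	env, err := Seal([]byte("Meeting moved to 10:00, room B"), sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, recipient, &sender.PublicKey) // constructed message above
	fmt.Printf("recovered %q, err=%v\n", msg, err)
}
```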

S / MIME
S/MIME stands for Secure Multipurpose Internet Mail Extension. S/MIME is a secure e-mail
standard. It is based on an earlier non-secure e-mailing standard known as MIME.
Working of S/MIME
The S/MIME approach is similar to PGP. It also uses public key cryptography, symmetric key
cryptography, hash functions, and digital signatures. It provides similar security services as
PGP for e-mail communication.
The most common symmetric ciphers used in S/MIME are RC2 and TripleDES. The usual
public key algorithm is RSA, and the hashing algorithm is SHA-1 or MD5.
S/MIME specifies additional MIME types, such as "application/pkcs7-mime", for
data enveloping after encryption. The entire MIME entity is encrypted and packed
into an object. S/MIME has standardized cryptographic message formats (different from
PGP). In fact, MIME is extended with a few keywords to identify the encrypted and/or
signed parts in the message.

Employability of S/MIME
Due to the requirement of a certificate from a certification authority for implementation, not
all users can take advantage of S/MIME, as some may wish to encrypt a message with a
public/private key pair, for example, without the involvement or administrative overhead of
certificates.

In practice, although most e-mailing programs implement S/MIME, the certificate
enrollment process is complex. Instead, PGP support usually requires adding a plug-in, and that
plug-in comes with all that is needed to manage keys. The web of trust isn't actually used;
people exchange their public keys over another medium. Once received, they keep a
copy of the public keys of those with whom e-mails are usually exchanged.
The implementation layer in the network architecture for the PGP and S/MIME schemes is shown
in the following image. Both these schemes offer application-level security for e-mail
communication.

One of the schemes, either PGP or S/MIME, is used depending on the environment. Secure
e-mail communication in a captive network can be provided by adopting PGP. For e-mail
security over the Internet, where e-mails are exchanged with new, unknown users very often,
S/MIME is considered the better option.

Security at Transport Layer- SSL and TLS

The security at this layer is mostly used to secure HTTP based web transactions on a
network. However, it can be employed by any application running over TCP.
Philosophy of TLS Design
Transport Layer Security (TLS) protocols operate above the TCP layer. The design of these
protocols uses the popular Application Program Interface (API) to TCP, called "sockets", for
interfacing with the TCP layer.
Applications are now interfaced to the Transport Security Layer instead of TCP directly. The
Transport Security Layer provides a simple API with sockets, which is similar and
analogous to TCP's API.

In the above diagram, although TLS technically resides between the application and transport
layers, from the common perspective it is a transport protocol that acts as a TCP layer
enhanced with security services.
TLS is designed to operate over TCP, the reliable layer 4 protocol (not over UDP), to
make the design of TLS much simpler, because it doesn't have to worry about 'timing out' and
'retransmitting lost data'. The TCP layer continues doing that as usual, which serves the needs
of TLS.
Why is TLS Popular?
The reason for the popularity of using security at the Transport Layer is simplicity. Design and
deployment of security at this layer does not require any change in the TCP/IP protocols that are
implemented in an operating system. Only user processes and applications need to be
designed/modified, which is less complex.
Secure Socket Layer (SSL)
In this section, we discuss the family of protocols designed for TLS. The family includes
SSL versions 2 and 3 and the TLS protocol. SSLv2 has now been replaced by SSLv3, so we will
focus on SSL v3 and TLS.

Brief History of SSL


In the year 1995, Netscape developed SSLv2 and used it in Netscape Navigator 1.1. SSL
version 1 was never published or used. Later, Microsoft improved upon SSLv2 and
introduced another similar protocol named Private Communications Technology (PCT).
Netscape substantially improved SSLv2 on various security issues and deployed SSLv3 in
1999. The Internet Engineering Task Force (IETF) subsequently introduced a similar TLS
(Transport Layer Security) protocol as an open standard. The TLS protocol is non-interoperable
with SSLv3.
TLS modified the cryptographic algorithms for key expansion and authentication. Also, TLS
suggested the use of the open Diffie-Hellman (DH) and Digital Signature Standard (DSS)
algorithms in place of the patented RSA algorithm used in SSL. But due to the expiry of the RSA
patent in 2000, there existed no strong reasons for users to shift away from the widely deployed
SSLv3 to TLS.
Salient Features of SSL
The salient features of the SSL protocol are as follows:
- SSL provides network connection security through:
  - Confidentiality: information is exchanged in encrypted form.
  - Authentication: communicating entities identify each other through the use of digital certificates. Web-server authentication is mandatory, whereas client authentication is optional.
  - Reliability: message integrity checks are maintained.
- SSL is available for all TCP applications.
- It is supported by almost all web browsers.
- It provides ease in doing business with new online entities.
- It was developed primarily for Web e-commerce.
Architecture of SSL
SSL is specific to TCP and does not work with UDP. SSL provides an Application Programming Interface (API) to applications; C and Java SSL libraries/classes are readily available.
The SSL protocol is designed to sit between the application and transport layers, as shown in the following image.

SSL itself is not a single-layer protocol as depicted in the image; in fact it is composed of two sub-layers.
- The lower sub-layer comprises one component of the SSL protocol, called the SSL Record Protocol. This component provides integrity and confidentiality services.
- The upper sub-layer comprises three SSL-related protocol components and an application protocol. The application component provides the information transfer service between client and server; technically, it can operate on top of the SSL layer as well. The three SSL-related protocol components are:
  - SSL Handshake Protocol
  - Change Cipher Spec Protocol
  - Alert Protocol
- These three protocols manage all SSL message exchanges and are discussed later in this section.

Functions of SSL Protocol Components
The four sub-components of the SSL protocol handle the various tasks needed for secure communication between the client machine and the server.
Record Protocol
- The record layer formats the upper-layer protocol messages.
- It fragments the data into manageable blocks (maximum length 16 KB) and optionally compresses the data.
- It encrypts the data.
- It provides a header for each message and a hash (a Message Authentication Code, MAC) at the end.
- It hands the formatted blocks over to the TCP layer for transmission.

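The record layer just described, as an added worked example that is not code from these notes: it fragments application data into blocks of at most 2^14 bytes, prefixes each block with the 5-byte header (content type, version, length), and appends a Message Authentication Code computed with HMAC-SHA1 over the sequence number, the header fields and the fragment, which is the construction TLS uses (SSLv3's MAC is an ad-hoc construction). The receiving side re-splits the byte stream and verifies every MAC, so a flipped byte or a reordered record is rejected. Encryption and compression are left out so that the example runs on the Python standard library alone; the MAC key and the message are constructed sample values.

```python
import hashlib
import hmac
import struct

# Record-layer parameters from the description above: fragments of at most 2^14 bytes
# and a 5-byte header (content type, version major/minor, body length).
MAX_FRAGMENT = 2 ** 14
CONTENT_APPLICATION_DATA = 23
VERSION_TLS10 = (3, 1)                  # TLS carries 3.1 in the header; SSLv3 carries 3.0
MAC_LEN = hashlib.sha1().digest_size    # 20 bytes for an HMAC-SHA1 suite


def mac_input(seq_num, content_type, version, fragment):
    """Bytes the record MAC covers: 64-bit sequence number, type, version, length, fragment.
    Covering the sequence number is what lets the receiver detect replayed or reordered records."""
    return struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment)) + fragment


def build_records(mac_key, data, start_seq=0, content_type=CONTENT_APPLICATION_DATA):
    """Sender side: fragment, append MAC, prepend header (MAC only; no cipher or compression)."""
    records = []
    seq = start_seq
    for off in range(0, len(data), MAX_FRAGMENT):
        fragment = data[off:off + MAX_FRAGMENT]
        mac = hmac.new(mac_key, mac_input(seq, content_type, VERSION_TLS10, fragment), hashlib.sha1).digest()
        body = fragment + mac
        header = struct.pack("!BBBH", content_type, VERSION_TLS10[0], VERSION_TLS10[1], len(body))
        records.append(header + body)
        seq += 1
    return records


def parse_records(mac_key, stream, start_seq=0):
    """Receiver side: split the byte stream into records, verify each MAC in order, and return the
    reassembled data. Raises ValueError on truncation or on a MAC failure (tampering or reordering)."""
    out = bytearray()
    seq = start_seq
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        content_type, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        pos += 5
        body = stream[pos:pos + length]
        if len(body) != length or length < MAC_LEN:
            raise ValueError("truncated record body")
        pos += length
        fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = hmac.new(mac_key, mac_input(seq, content_type, (major, minor), fragment), hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            raise ValueError("MAC check failed on record %d" % seq)
        out += fragment
        seq += 1
    return bytes(out)


def verifies(mac_key, stream):
    """True if every record in the stream passes the MAC check, False otherwise."""
    try:
        parse_records(mac_key, stream)
        return True
    except ValueError:
        return False


def demo():
    """Constructed sample: a 39,940-byte message becomes three records; flipping one byte in the
    second record's fragment, or swapping two records, makes verification fail."""
    key = b"constructed-demo-mac-key"
    message = bytes(range(256)) * 156 + b"tail"
    records = build_records(key, message)
    tampered = bytearray(records[1])
    tampered[10] ^= 0x01   # byte 10 lies inside the fragment (after the 5-byte header)
    return {
        "records": len(records),
        "roundtrip": parse_records(key, b"".join(records)) == message,
        "tamper_detected": not verifies(key, records[0] + bytes(tampered) + records[2]),
        "reorder_detected": not verifies(key, records[1] + records[0] + records[2]),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number is never transmitted; both ends count records independently, which is why a swapped record fails its MAC check even though every byte of it is authentic.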
SSL Handshake Protocol
- It is the most complex part of SSL. It is invoked before any application data is transmitted, and it creates SSL sessions between the client and the server.
- Establishing a session involves server authentication, key and algorithm negotiation, establishment of keys, and client authentication (optional).
- A session is identified by a unique set of cryptographic security parameters.
- Multiple secure TCP connections between a client and a server can share the same session.
- The handshake protocol proceeds through four phases. These are discussed in the next section.

Establishment of SSL Session
As discussed above, there are four phases of SSL session establishment. These are mainly handled by the SSL Handshake protocol.
Phase 1 − Establishing security capabilities.
- This phase comprises an exchange of two messages, Client_hello and Server_hello.
- Client_hello contains a list of the cryptographic algorithms supported by the client, in decreasing order of preference.
- Server_hello contains the selected Cipher Specification (CipherSpec) and a new session_id.
- The CipherSpec contains fields such as:
  - Cipher Algorithm (DES, 3DES, RC2, and RC4)
  - MAC Algorithm (based on MD5, SHA-1)
  - Public-key algorithm (RSA)
- Both messages carry a "nonce" to prevent replay attacks.
Phase 2 − Server authentication and key exchange.
- The server sends its certificate. Client software comes configured with the public keys of various "trusted" organizations (CAs) with which to check the certificate.
- The server sends the chosen cipher suite.
- The server may request a client certificate. Usually this is not done.
- The server indicates the end of its Server_hello messages.
Phase 3 − Client authentication and key exchange.
- The client sends its certificate, only if requested by the server.
- It also sends the Pre-master Secret (PMS) encrypted with the server's public key.
- The client also sends a Certificate_verify message if it sent a certificate, to prove that it holds the private key associated with that certificate. Basically, the client signs a hash of the previous messages.
Phase 4 − Finish.
- The client and server send Change_cipher_spec messages to each other, which cause the pending cipher state to be copied into the current state.
- From now on, all data is encrypted and integrity protected.
- A "Finished" message from each end verifies that the key exchange and authentication processes were successful.

SSL Session Keys
We have seen that during Phase 3 of SSL session establishment, a pre-master secret is sent by the client to the server, encrypted using the server's public key. The master secret and the various session keys are generated as follows:
- The master secret is generated (via a pseudo-random number generator) from:
  - the pre-master secret, and
  - the two nonces (RA and RB) exchanged in the client_hello and server_hello messages.
- Six secret values (two MAC keys, two encryption keys and two IVs) are then derived from this master secret:
  - Secret key used with the MAC (for data sent by the server)
  - Secret key used with the MAC (for data sent by the client)
  - Secret key and IV used for encryption (by the server)
  - Secret key and IV used for encryption (by the client)

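The derivation just described, as an added worked example that is not code from these notes: it implements the TLS 1.2 pseudo-random function (PRF) of RFC 5246, which expands HMAC-SHA256 over the pre-master secret and the two hello nonces into the 48-byte master secret, and then expands the master secret into a key block from which the six per-direction values are cut. The pre-master secret and nonces below are constructed sample bytes, not values from a real handshake, and the 20/16/16-byte sizes assume a cipher suite using HMAC-SHA1, AES-128 and 16-byte IVs.

```python
import hashlib
import hmac


def p_hash(secret, seed, length):
    """P_SHA256 data expansion from RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


# The six values, in the order the notes list them: MAC keys, encryption keys, IVs.
KEY_NAMES = ("client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")


def session_keys(master, client_random, server_random, mac_len, key_len, iv_len):
    """key_block = PRF(master_secret, "key expansion", server_random + client_random).
    Note that the nonces are concatenated in the opposite order from the master-secret step.
    The block is then sliced into the six per-direction values."""
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    key_block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def demo():
    """Constructed sample inputs (not from a real handshake): a 48-byte pre-master secret whose
    first two bytes are the client version 3.3, as in an RSA key exchange, and two 32-byte nonces.
    Sizes assume an HMAC-SHA1 / AES-128 / 16-byte-IV suite."""
    pre_master = bytes([3, 3]) + bytes(46)
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    master = master_secret(pre_master, client_random, server_random)
    return master, session_keys(master, client_random, server_random, mac_len=20, key_len=16, iv_len=16)


if __name__ == "__main__":
    master, keys = demo()
    print("master secret:", master.hex())
    for name, value in keys.items():
        print("%-22s %s" % (name, value.hex()))
```

Because both nonces enter the PRF, a replayed pre-master secret with fresh nonces still yields different session keys, which is the replay protection the hello messages provide.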
TLS Protocol
In order to provide an open Internet standard for SSL, the IETF released the Transport Layer Security (TLS) protocol in January 1999. TLS is defined as a proposed Internet Standard in RFC 5246.
Salient Features
- The TLS protocol has the same objectives as SSL.
- It enables client/server applications to communicate in a secure manner by authenticating the parties, preventing eavesdropping and resisting message modification.
- The TLS protocol sits above the reliable, connection-oriented TCP transport layer in the networking stack.
- The architecture of the TLS protocol is similar to that of SSLv3. It has two sub-protocols: the TLS Record protocol and the TLS Handshake protocol.
- Though SSLv3 and TLS have a similar architecture, several changes were made in architecture and functioning, particularly in the handshake protocol.
Comparison of TLS and SSL Protocols
There are eight main differences between the TLS and SSLv3 protocols. They are as follows:
- Protocol Version − The header of a TLS protocol segment carries the version number 3.1, to differentiate it from the number 3 carried in the SSL protocol segment header.
- Message Authentication − TLS employs a keyed-hash message authentication code (HMAC). The benefit is that HMAC operates with any hash function, not just the MD5 or SHA explicitly stated by the SSL protocol.
- Session Key Generation − There are two differences between the TLS and SSL protocols in the generation of key material.
  - The method of computing the pre-master and master secrets is similar. But in the TLS protocol, computation of the master secret uses the HMAC standard and the output of a pseudorandom function (PRF) instead of an ad-hoc MAC.
  - The algorithm for computing session keys and initialization vectors (IVs) is different in TLS from that in SSL.
- Alert Protocol Messages −
  - The TLS protocol supports all the messages used by the Alert protocol of SSL, except the No_certificate alert message, which is made redundant: the client sends an empty certificate in case client authentication is not required.
  - Many additional Alert messages are included in the TLS protocol for other error conditions, such as record_overflow, decode_error, etc.
- Supported Cipher Suites − SSL supports the RSA, Diffie-Hellman and Fortezza cipher suites. The TLS protocol supports all of these suites except Fortezza.
- Client Certificate Types − TLS defines the certificate types that may be requested in a certificate_request message. SSLv3 supports all of these; additionally, SSL supports certain other types of certificate, such as Fortezza.
- CertificateVerify and Finished Messages −
  - In SSL, a complex message procedure is used for the certificate_verify message. With TLS, the verified information is contained in the handshake messages themselves, thus avoiding this complex procedure.
  - The Finished message is computed in different ways in TLS and SSLv3.
- Padding of Data − In the SSL protocol, the padding added to user data before encryption is the minimum amount required to make the total data size a multiple of the cipher's block length. In TLS, the padding can be any amount that results in a data size that is a multiple of the cipher's block length, up to a maximum of 255 bytes.
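The padding difference in the last bullet, as an added worked example that is not code from these notes: pad_ssl produces the SSLv3-style minimum padding, while pad_tls produces TLS-style padding of any length up to 255 bytes, in which every padding byte and the final length byte hold the padding length, so the receiver can check that the padding is well-formed before accepting the record. The input bytes and the 16-byte block size (as for AES) are constructed sample values; the MAC and the encryption step that surround the padding in a real record are left out.

```python
def pad_ssl(data, block_size):
    """SSLv3-style padding: the smallest amount that makes the total a multiple of the block size.
    The last byte is the number of padding bytes that precede it; SSLv3 leaves their contents
    unspecified, so a receiver cannot check them (zeros are used here)."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + bytes(pad_len) + bytes([pad_len])


def pad_tls(data, block_size, extra_blocks=0):
    """TLS-style padding: any amount that makes the total a multiple of the block size, up to
    255 bytes of padding. Every padding byte and the final length byte are set to the padding
    length, so the receiver can verify them. `extra_blocks` adds whole blocks of padding, which
    hides the true length of the data from an observer."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size + extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("padding length exceeds 255 bytes")
    return data + bytes([pad_len]) * (pad_len + 1)


def unpad_tls(padded, block_size):
    """Receiver check for TLS-style padding: the length byte must fit within the record and
    every padding byte must equal it; otherwise the record is rejected."""
    if not padded or len(padded) % block_size != 0:
        raise ValueError("padded length is not a multiple of the block size")
    pad_len = padded[-1]
    if pad_len + 1 > len(padded):
        raise ValueError("padding length exceeds record")
    if any(b != pad_len for b in padded[-(pad_len + 1):]):
        raise ValueError("malformed padding")
    return padded[:-(pad_len + 1)]


def padding_accepted(padded, block_size):
    """True if unpad_tls accepts the record, False if it rejects it."""
    try:
        unpad_tls(padded, block_size)
        return True
    except ValueError:
        return False


def demo():
    """Constructed sample: an 11-byte record body with a 16-byte block size."""
    body = b"hello world"
    ssl = pad_ssl(body, 16)                   # 11 + 4 + 1 = 16 bytes
    tls = pad_tls(body, 16, extra_blocks=2)   # 11 + 36 + 1 = 48 bytes
    corrupted = bytearray(tls)
    corrupted[-3] ^= 0x01                     # one padding byte no longer matches the length byte
    return {
        "ssl_len": len(ssl),
        "tls_len": len(tls),
        "tls_roundtrip": unpad_tls(tls, 16) == body,
        "corrupted_rejected": not padding_accepted(bytes(corrupted), 16),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that, in TLS, a padding check failure and a MAC check failure should be reported identically to the peer; distinguishing them leaks information about the plaintext, which is why implementations verify both before sending any alert.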

UNIT-V

CYBERSPACE AND THE LAW, CYBER FORENSICS

What Exactly Is Cyberspace?

Cyberspace can be defined as an intricate environment that involves interactions between people, software, and services. It is maintained by the worldwide distribution of information and communication technology devices and networks.
With the benefits brought by technological advancements, cyberspace today has become a common pool used by citizens, businesses, critical information infrastructure, the military and governments in a fashion that makes it hard to draw clear boundaries among these different groups. Cyberspace is expected to become even more complex in the coming years, with the increase in the networks and devices connected to it.

IMPORTANCE OF CYBER SPACE

Cyberspace has many merits for the human race. It can be said to be a virtual library where one can easily access the required information on any subject one is looking for. With a proper internet connection, this can be done at any time of the day. In addition, communication has become a lot easier and cheaper thanks to cyberspace: one can simply call the other person or use other services such as messaging and e-mail. Cyberspace has become a huge place for endless entertainment, where a user can find songs to listen to, movies to watch or games to play. Most importantly, cyberspace gives users access to opportunities such as jobs, which can help them tremendously.

Cyberspace can also be a place for many illegal activities, which need proper supervision so that the security of users is tightened and they feel safe. For this reason, the governments of all countries, including India, have introduced many cyber laws. Practices like money laundering, identity theft and illegal trade occur through cyberspace, and cyber laws define the legal actions that need to be taken to curb such practices. The IT (Information Technology) Act was enacted by the Indian Government in 2000; its main purpose was the protection of online banking and commerce, as well as punishment for cyber crimes.

What is Cyber Law?

Cyber Law encapsulates the legal issues related to the use of the communicative, transactional, and distributive aspects of networked information technologies and devices.

It is not as distinct as Property Law or other such laws, since it covers many areas of law and regulation. It encompasses the legal, statutory, and constitutional provisions which affect computers and networks.

Further, it concerns itself with the individuals and institutions which:

- Play an important part in providing access to cyberspace
- Create hardware or software which allows people to access cyberspace
- Use their own computers and enter cyberspace

Cyber Law is a generic term referring to all the legal and regulatory aspects of the internet. Everything concerned with, related to or emanating from any legal aspect of the activities of citizens in cyberspace comes within the ambit of cyber laws.

Currently, there are two main statutes which ensure cyber security:

1. The Indian Penal Code, 1860
2. The Information Technology Act, 2000

Importance of Cyber Law

Cyber laws are formed to punish people who perform illegal activities online. They are important for punishing issues such as online harassment, attacking another website or individual, data theft, disrupting the online workflow of an enterprise and other illegal activities.
If anyone breaks a cyber law, action is taken against that person on the basis of the type of cyber law broken, where the person lives, and where the law was broken. It is most important to punish the criminals or to put them behind bars, as most cybercrimes go beyond what can be considered a common crime.
These crimes can do great harm to the reliability and confidentiality of personal information, or to a nation. Therefore, these issues must be handled according to the laws.
- When users carry out transactions on the Internet, cyber law covers every transaction and protects them.
- It touches every reaction and action in cyberspace.
- It captures all activities on the Internet.
Areas Involved in Cyber Laws
These laws deal with multiple activities and areas that occur online and serve several purposes. Some laws are formed to describe the policies for using the Internet and computers in an organization, and some are formed to offer people security from unauthorized users and malicious activities. There are various broad categories that come under cyber laws; some are as follows:
Fraud
Cyber laws are formed to prevent financial crimes such as identity theft, credit card theft and others that occur online. A person may face federal or state criminal charges if he commits any type of identity theft. These laws set out strict policies for prosecuting, and defending against, allegations of misuse of the internet.
Copyright Issues
The Internet is a source that contains different types of data, which can be accessed anytime, anywhere. But no one has the authority to copy the content of another person. Strict rules are defined in the cyber laws for anyone who goes against copyright, which protects the creative work of individuals and companies.
Scam/Treachery
There are different frauds and scams on the Internet that can be personally harmful to a company or an individual. Cyber laws offer many ways to protect people and prevent the identity theft and financial crimes that happen online.

Cyber Security Regulations

Managing Risk and Cyber Security Regulations

Data breaches have become the new "business normal." Indeed, in a 2019 report, Carbon Black reported that in the past 12 months, 88% of global businesses had experienced one or more breaches. In response to this growing onslaught of cyber threats, new regulations are being implemented to protect organizations, their data, and their customers. From the EU's General Data Protection Regulation (GDPR) and HIPAA to the PCI security standards and privacy laws throughout the world, cyber security regulations have never been as voluminous or complicated.
The Rise of Cyber Security Regulations
A growing number of cyber security regulations are creating a complex web of compliance requirements for organizations around the world. In analyzing the massive and escalating volume of regulation, a couple of themes emerge loud and clear.

Roles of International Law

International law structures relations among states and other international stakeholders (most notably international organizations) through various prohibitions, requirements, and permissions. As such, it has provided a path for regulating global governance issues from arms control to trade to the environment. As states give increased attention to the governance of cyberspace (the technical architecture that allows the global internet to function) and governance in cyberspace (how states, industry, and users may use this technology), the role of international law in the cyber context has gained increasing prominence.
However, international law does not have tailor-made rules for regulating cyberspace. Moreover, the technology is both novel and dynamic. Thus, for several years, there were open questions about whether existing international law applied to cyberspace at all. Today, most states and several international organizations, including the UN General Assembly's First Committee on Disarmament and International Security, the G20, the European Union, ASEAN, and the OAS, have affirmed that existing international law applies to the use of information and communication technologies (ICTs) by states. As such, the current discourse centers not on whether international law applies, but rather on how it does so.

THE MAIN ISSUES

Issues surrounding international law's application to cyberspace may be broken into five discrete categories: (i) silence; (ii) existential disagreements; (iii) interpretative challenges; (iv) attribution; and (v) accountability.
Silence: Without tailor-made treaties on cyber issues, the application of international law depends on identifying customary international law rules, that is, state practice accepted as law. For many years, figuring out what states were doing in cyberspace (let alone what they thought international law had to say about it) was complicated by state silence.

Existential Disagreements: Among those states that have taken positions on international law's application to cyberspace, there are a number of "existential" disagreements: competing claims that a particular international legal rule or regime is entirely included in, or excluded from, cyberspace. In the UN context, for example, a few states have challenged the availability of international humanitarian law, the right of self-defense, the duty of due diligence, and the right to take countermeasures with respect to online activity. The existence (or absence) of one or more of these legal frameworks in cyberspace has significant implications for international law's application, impacting how states conduct their cyber operations in armed conflicts, their ability to respond to malicious cyber activity conducted by other states, and what actions they must take to protect the rights of third states from harms originating in their own territories.

Interpretative Questions: Even where states accept that a particular international legal rule or regime applies in cyberspace, substantial interpretative questions often remain open to debate. International legal regimes like non-intervention, sovereignty, and human rights encounter much ambiguity in their application to cyberspace. The duty of non-intervention, for example, protects a state's internal and external affairs from "coercive" intervention by other states. Yet there is no consensus on which "affairs" the duty protects, let alone what differentiates coercive from non-coercive cyber activity. Similarly, sovereignty is undoubtedly one of the core architectural features of the international legal order. States appear to diverge, however, on whether sovereignty is merely a foundational principle on which other international legal rules (like non-intervention) rest, or whether it is an independent rule that can be breached directly by certain foreign state cyber operations.

Attribution: International law only regulates its own subjects (for example, states). It does not usually direct the behavior of ICT companies or individuals (who are usually subject to one or more domestic legal orders). To apply international law in cyberspace, therefore, it is necessary to know the identity of whoever is responsible for the activity in question: is it a state or state-sponsored actor subject to international law, or is it an individual (or individuals) engaged in behavior outside international law's ambit? Such identifications are, however, difficult in cyberspace given the well-known challenges of technical attribution: identifying the origins of malicious cyber behavior is often difficult and time-consuming. Moreover, where states employ proxies, attribution is further complicated by the need to show evidence of state "control" over the proxy actor (international law has yet to fully resolve how much control is required or what evidence must be shown to demonstrate it).

Accountability: Although attributions of state and state-sponsored cyber operations may be on the rise, accountability has proved challenging. States that accuse other states of malicious cyber behavior rarely invoke international law in doing so. The absence of international legal rhetoric may imply that the behavior may be lawful, even if unwanted. Nor has the naming and shaming that has occurred done much to change the accused's behavior (it may, however, help clarify the existence and meaning of international law in cyberspace). Some states have been working to create coalitions that can cooperate on improving accountability through collective accusations or even sanctions. So far, however, such efforts have not focused on using international law's benchmarks for measuring malicious cyber behavior, nor its tools (for example, countermeasures) for addressing its violation.

The State and Private Sector in Cyberspace

Cyber security has evolved into a central board topic and a core business concern. Gone are the days when cyber risk management was avoidable. Today, companies are more informed security buyers, looking for efficient and effective investments rather than mere silver bullets. In a constantly evolving world of cyber threats, what is the role of the private sector? A panel of experts addressed the topic at the US Chamber of Commerce 5th Annual Cybersecurity Summit in Washington, DC. The panel agreed that businesses of all sizes must take on the challenges of ransomware, third-party risk, and security complacency. They must also recognize the increasing attention regulators are placing on private sector cyber practices and safeguards, according to panelist Natalie Lehr, Vice President of Analytics at Secure Halo.
Cyber Now a Board Responsibility
While board members have always held the traditional role of fiduciary responsibility, cyber security risks now fit within this realm. Having become more proactively engaged, boards demand better cyber insights than basic, one-size-fits-all checklists. Cyber research indicates that reactive and uncoordinated governance of risk functions ultimately leaves staff members unprepared to stem losses; corporate harm is therefore dictated by the capability of the attacker rather than the strength of a safeguard.
Proactive Defense Requires Going on the Offense
As the number and sophistication of threats has increased over time, the conversation around cybersecurity has changed from educating business leaders on why it is important to identifying their priority security needs and providing them with solutions that offer the greatest return on their security investment dollar.
Lehr recommended four ways to start.
1. Harmonize Technology, Processes and People
Security is neither a single act nor a single sensor. Technology is crucial to any risk management discussion, but it cannot be relied upon at the expense of other considerations, such as developing a mature cybersecurity culture and synchronizing third-party vendor security. In its years of performing Enterprise Risk Assessments on organizations of varying sizes and sectors, TSC has found that those that invest in complementary cyber security efforts across their enterprise are more resilient when confronting a cyber attack or breach.
2. Transfer Risk!
Since there is no technical silver bullet that eliminates economic risks in an increasingly digital ecosystem, corporate risk strategies leveraging cyber insurance can help businesses assure their operational integrity, maintain customer privacy and defend corporate value. The potential benefits of cyber insurance were noted by other Chamber conference speakers, such as General Michael Hayden, USAF (Ret.) and Chris Inglis, former Deputy Director, National Security Agency. Hayden suggested insurance could be a good motivator for improving private sector cybersecurity, likening pre- or post-binding insurance assessments to requiring a physical. As breaches continue to abound, insurers are placing more emphasis on assessments performed by independent security firms, which review the maturity of a company's practices, the security of its vendors, the sensitivity of corporate data, and the ability to maintain business continuity and recover from an attack.
3. Share Information
The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) both have robust threat intelligence sharing and public/private sector outreach programs covering critical infrastructure, white-collar crime, economic espionage, terrorism and more. These additional resources should be included as part of an organization's cyber toolkit. Depending on the specific industry, there are also numerous member-driven Information Sharing and Analysis Centers (ISACs) which collect, analyze and share threat information. Join one to maintain sector-specific situational awareness.
4. Get Back to Basics
Surprisingly, some enterprises overlook basic security controls such as complex passwords, multi-factor authentication, and use of a virtual private network (VPN), but the basics should go beyond that. Secure Halo has found that only half of the organizations it has assessed had fully documented external crisis communication plans for disasters or breaches, and very few organizations have identified, classified, and monitored their critical and valuable assets. While this is not an easy undertaking, protecting those assets becomes virtually impossible if an organization is unaware of what exists or where the assets are located.
Cyber Security Standards
To make cybersecurity measures explicit, written norms are required. These norms are known as cybersecurity standards: generic sets of prescriptions for an ideal execution of certain measures. The standards may involve methods, guidelines, reference frameworks, etc. Standardization ensures the efficiency of security, facilitates integration and interoperability, enables meaningful comparison of measures, reduces complexity, and provides the structure for new developments.
1. ISO
ISO stands for International Organization for Standardization. International Standards make things work. These standards provide a world-class specification for products, services and computers, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade.

ISO 27000 Series

It is the family of information security standards developed by the International Organization for Standardization and the International Electrotechnical Commission to provide a globally recognized framework for best-practice information security management. It helps organizations keep their information assets secure, such as employee details, financial information, and intellectual property.
The need for the ISO 27000 series arises because of the risk of cyber-attacks which organizations face. Cyber-attacks are growing day by day, making hackers a constant threat to any industry that uses technology.
The ISO 27000 series can be categorized into many types. They are:
ISO 27001 − This standard allows an organization to demonstrate to its clients and stakeholders that it manages the security of their confidential data and information properly. This standard involves a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving an ISMS.
ISO 27000 − This standard provides an explanation of the terminology used in ISO 27001.

ISO 27002 − This standard provides guidelines for organizational information security standards and information security management practices. It includes the selection, implementation, operation and management of controls, taking into consideration the organization's information security risk environment(s).
ISO 27005 − This standard supports the general concepts specified in ISO 27001. It is designed to provide guidelines for the implementation of information security based on a risk management approach. To completely understand ISO/IEC 27005, knowledge of the concepts, models, processes, and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is required. This standard is applicable to all kinds of organizations, such as non-government organizations, government agencies, and commercial enterprises.

ISO 27032 − It is the international standard which focuses explicitly on cybersecurity. This standard includes guidelines for protecting information beyond the borders of an organization, such as in collaborations, partnerships or other information sharing arrangements with clients and suppliers.

2. IT Act
The Information Technology Act, also known as ITA-2000 or the IT Act, mainly aims to provide the legal infrastructure in India for dealing with cybercrime and e-commerce. The IT Act is based on the United Nations Model Law on E-Commerce 1996 recommended by the General Assembly of the United Nations. This act is also used to check the misuse of cyber networks and computers in India. It was officially passed in 2000 and amended in 2008. It has been designed to give a boost to electronic commerce, e-transactions and related activities associated with commerce and trade. It also facilitates electronic governance by means of reliable electronic records.

3. Copyright Act
The Copyright Act 1957, as amended by the Copyright Amendment Act 2012, governs the subject of copyright law in India. This Act has been applicable since 21 January 1958. Copyright is a legal term which describes the ownership and control of the rights of the authors of "original works of authorship" that are fixed in a tangible form of expression. An original work of authorship is a distribution of certain works of creative expression, including books, video, movies, music, and computer programs. Copyright law has been enacted to balance the use and reuse of creative works against the desire of the creators of art, literature and music to monetize their work by controlling who can make and sell copies of the work.
The Copyright Act covers the following:
- Rights of copyright owners
- Works eligible for protection
- Duration of copyright
- Who can claim copyright
The Copyright Act does not cover the following:
- Ideas, procedures, methods, processes, concepts, systems, principles, or discoveries
- Works that are not fixed in a tangible form (such as a choreographic work that has not been notated or recorded, or an improvisational speech that has not been written down)
- Familiar symbols or designs
- Titles, names, short phrases, and slogans
- Mere variations of typographic ornamentation, lettering, or coloring
4. Patent Law
Patent law is the law that deals with new inventions. Traditional patent law protects tangible scientific inventions, such as circuit boards, heating coils, car engines, or zippers. Over time, patent law has been used to protect a broader variety of inventions, such as business practices, coding algorithms, or genetically modified organisms. A patent is the right to exclude others from making, using, selling, importing, inducing others to infringe, and offering a product specially adapted for practice of the patent.
In general, a patent is a right that can be granted if an invention is:
- Not a natural object or process
- New
- Useful
- Not obvious.
5. IPR
Intellectual property rights (IPR) are rights that allow creators, or owners of patents, trademarks or copyrighted works, to benefit from their own plans, ideas, or other intangible assets or investment in a creation. These rights are outlined in Article 27 of the Universal Declaration of Human Rights, which provides for the right to benefit from the protection of the moral and material interests resulting from authorship of scientific, literary or artistic productions. These property rights allow the holder to exercise a monopoly on the use of the item for a specified period.

The INDIAN Cyberspace

Indian cyberspace was born in 1975 with the establishment of the National Informatics Centre
(NIC), with the aim of providing the govt with IT solutions. Three networks (NWs) were set up
between 1986 and 1988 to connect various agencies of the govt. These NWs were INDONET,
which connected the IBM mainframe installations that made up India's computer
infrastructure; NICNET (the NIC NW), a nationwide very small aperture terminal (VSAT)
NW for public sector organisations and for connecting the central govt with the state govts
and district administrations; and ERNET (the Education and Research Network), set up to
serve the academic and research communities.
Indian Economy Going the e-Way
Post liberalization in 1991, India witnessed steady economic growth, benefiting from
globalization and the information revolution. The IT revolution has played a crucial role in
transforming the country's GDP growth rate. As per a recent Boston Consulting Group report, the
Internet economy of India in 2010 amounted to USD 70 billion (4.1% of GDP) and is
estimated to reach USD 242 billion (5.6% of GDP) in 2016. IT is contributing to India's
development in the following ways:
(a) Development of Infrastructure. Airports, metros, highways and augmentation of existing
infrastructure, which includes power generation, financial services, telecom, transportation,
defence, etc. The nation's critical infrastructure is driven and controlled by ICT and is getting
increasingly dependent on IT; this includes power grids, air traffic control, industrial
systems, stock exchanges, banking and telecom, among others.
(b) e-Governance. The govt is undertaking projects driven by IT to address social, economic and
development challenges in the country. Using IT, the govt intends to improve governance by
increasing transparency, curbing corruption, ensuring time-bound delivery of govt services and
ensuring financial inclusion. The National e-Governance Plan (NeGP) is designed to take a
holistic view of e-Governance initiatives across the country.
(c) Aadhaar. The Aadhaar number provides a unique identity, which will become acceptable
across India. The project promises to eliminate duplicate and fake identities through effective
verification and authentication. Many of the govt's social benefit programs are envisaged to be
linked with the Aadhaar number.
(d) e-Commerce. The e-Commerce industry is witnessing phenomenal growth and is expected to
touch USD 10 billion, an increase of 47% from 2010. e-payments in India account for
35.3% of the total transactions in terms of volume and 88.3% in terms of value; card
circulation, both credit and debit, was around 200 million in 2010.
(e) IT/BPO sector. India is emerging as the IT knowledge hub of the world, with many global
companies opening their R&D and innovation centres in India. The industry has provided job
opportunities to over 10 million people and accounts for 6.4% of India's GDP. It aims to
grow revenues to USD 225 billion by 2020, out of which USD 175 billion will be on
account of export of software and services. Cloud Computing is a huge opportunity for India
as the next wave of growth for the Indian IT industry.
(f) Modernization of Police and Defence. Defence forces & Police agencies are making
strategic use of technology to modernize. Projects such as Crime and Criminal Tracking
Network and Systems (CCTNS) and National Intelligence Grid (NATGRID) are flagship
projects for modernization of police. CCTNS will connect 14,000 police stations and 6,000
police officers to a centralized database. The goal of CCTNS is to facilitate collection,
storage, retrieval, analysis, transfer and sharing of data and information at the police station
and between the police station and the State Headquarters and the Central Police
Organizations. The Indian Army has also taken similar initiatives, which include creation of an
Army Wide Area Network.
(g) Social Media. Social media is emerging as a very powerful phenomenon in Indian
cyberspace, with around 45 million Indians using social media, and the number is
increasing every day. It is revolutionizing the way society interacts. Personal information is
becoming the economic commodity on which social networking is thriving. Businesses, Non-
Governmental Organizations (NGOs) and even governments are using this platform for a
variety of reasons, which include communication, marketing, branding, awareness, etc. Social
media has also caught the attention of governments and regulators worldwide
(for the wrong reasons), including the Indian govt, and there is an ongoing debate on regulating
social media.

India's Cyber Security Initiative

Having visualised the cyber security threat & its impact on national security, the Indian govt has
taken many initiatives to protect the critical infrastructure driven by IT within the Indian
cyberspace domain. Some of the initiatives are as follows:-
(a) Legal Framework, including enactment of the IT Act (Amendment) 2008.
(b) Policy Initiatives.
(c) Cyber Security Initiatives.

IT Act (Amendment) 2008. The Information Technology Act (IT Act) was enacted in the year 2000
to provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication. To establish a robust cyber
security and data protection regime in the country, the IT Act was amended in the year 2008. It
provides a comprehensive definition of the computer system & tries to ascertain liability
based on the type of cyber crime committed (hacking, spamming, tampering, identity theft,
impersonation, cyber terrorism, pornography, child pornography). The act introduces the
concept of 'sensitive personal information' and fixes liability on the 'body corporate' to
protect the same through implementation of 'reasonable security practices'. In case a body
corporate fails to do so, it can be fined up to Rs. 5 crore (approx. USD 1.2 million) by the
Adjudicating Officer, and a civil court can fine an amount greater than Rs. 5 crore.
Policy Initiatives. The draft version of the National Cyber Security Policy was released by the
DIT in March 2011 for public consultation. The draft policy aims to enable a secure
computing environment and adequate trust and confidence in electronic transactions. The
draft policy tries to lay out the cyber security ecosystem for the country. It covers the
following:-
(a) Based on the key policy considerations and threat landscape, the draft policy identifies
priority areas for action.
(b) Identifies PPP as a key component.
(c) Identifies key actions to reduce security threats and vulnerabilities.
(d) Establishment of a National Cyber Alert System for early watch and warning, information
exchange, responding to national level cyber incidents and facilitating restoration.
(e) Defines the role of sectoral CERTs and establishment of local incident response teams for
each critical sector organization.
(f) Implementation of best practices in critical information and government infrastructure
protection through creation, establishment and operation of Information Security Assurance
Framework.
(g) Establishes framework for Crisis Management Plan for Countering Cyber Attacks and
Cyber Terrorism.
(h) Identifies priorities for action for legal framework and law enforcement capability
development.
(j) Defines priorities for international cooperation for information sharing.
(k) Identifies indigenous Research & Development as an essential component of cyber
security and enlists thrust areas for R&D.
(l) Identifies major actions and initiatives for user awareness, education, and training
(capacity building).
(m) Defines responsible actions for network service providers, large corporates and
small/medium & home users to secure information and systems.
(n) Identifies various stakeholders (ministries and government departments only) in cyber
security and their responsibilities.

The Ministry of Communications and Information Technology (MCIT), Govt of India, is
formulating a combination of three interdependent and synergistic policies for IT, Telecom
and Electronics, the "Triad of Policies to Drive a National Agenda for Information &
Communications Technology and Electronics (ICTE)". The three policies are as below:
(a) National Policy on Electronics, 2011.
(b) National Policy on Information Technology, 2011.
(c) National Telecom Policy, 2011.

The integrated policy has twin goals:-
(a) To facilitate the application of new, technology-enabled approaches to overcome
developmental challenges in education, health, skill development, employment generation,
financial inclusion, governance etc. and to enhance efficiency, convenience and access.
(b) To harness the power and capability of India in ICT to meet global demand.

Cyber Security Initiatives. The Govt and IT industry have taken various initiatives in cyber
security. However, much more needs to be done in this area. Major initiatives are
summarized below:-
(a) CERT-In. In 2003, the Govt set up the Indian Computer Emergency Response Team
(CERT-In) under DIT, MCIT as a nodal agency for responding to cyber security incidents.
The IT (Amendment) Act, 2008, recognizes CERT-In as a nodal agency for security incident
management and provides it the authority to call for information on security incidents from
organizations. CERT-In's charter involves collection, analysis and dissemination of information on
cyber security incidents through a dedicated infrastructure. It monitors and investigates
threats that affect computer systems and forecasts and generates alerts for cyber security
incidents.
(b) Information Security Education and Awareness. To make up the shortfall of cyber
security professionals in the country, DIT initiated the Information Security Education
Awareness (ISEA) program in 2005. To spread awareness on cyber security in the country,
ISEA program aims at capacity building by introducing information security courses at
graduate, post-graduate and doctoral levels, establishing education exchange programs,
training system administrators and government officers.
(c) LEA Capacity Building Programs. To address the challenges that Indian LEAs face in
handling cyber crimes, such as poor knowledge of technology and of cyber crime investigation
techniques/tools and cyber forensics, lack of state-of-the-art technical infrastructure, and
insufficient training facilities & forensics labs in the country, the Govt has taken some key
initiatives.
(d) Security in e-Governance projects. The National e-Governance Division (NeGD), under
DIT, is the Program Management Office of NeGP. Among its various activities, including
facilitating implementation of NeGP by various Ministries and State governments, the agency
is also responsible for issuing cyber security and data security standards and guidelines for all
the e-Governance projects under NeGP. For securing e-Governance projects, Standardization
Testing and Quality Certification Directorate (STQC) has developed e-Governance Security
Assurance Framework (e-SAFE), which provides list of security controls based on the risk
categorization of particular assets.
(e) Common Criteria Certification Scheme. This scheme has been set up by DIT to evaluate
and certify IT Security Products and Protection Profiles against the requirements of Common
Criteria Standards ver 3.1 R2, at Evaluation Assurance Levels EAL 1 through 4. Presently,
the scheme provides national certification. The scheme would also provide a framework for
international certification through the National Mutual Recognition Arrangement with the
other member countries of Common Criteria Recognition Arrangement (CCRA). Along with
24 other countries, India has already become a member of CCRA as a certificate consuming
nation and soon will be recognized as a certificate producing nation. STQC is a certification
body of the country with STQC IT, Kolkata centre as the Common Criteria Test Lab.
(f) Sectoral Security. Critical sectors such as banking and telecommunication are strongly
regulated through Reserve Bank of India (RBI) and Department of Telecommunications
(DoT)/ Telecom Regulatory Authority of India (TRAI) respectively. The regulators keep
issuing security guidelines, mandating the companies to implement the same.
National Cyber Security Policy 2013.

What is the National Cyber Security Policy
The National Cyber Security Policy is a policy framework by the Department of Electronics and
Information Technology (DeitY). It aims at protecting the public and private infrastructure
from cyber attacks. The policy also intends to safeguard "information, such as personal
information (of web users), financial and banking information and sovereign data". The Ministry
of Communications and Information Technology (India) defines Cyberspace as a complex
environment consisting of interactions between people, software and services supported by
worldwide distribution of information and communication technology.

With the aim of monitoring and protecting information and strengthening defences against cyber
attacks, the National Cyber Security Policy 2013 was released on July 2, 2013 by the
Government of India. The purpose of this framework document is to ensure a secure and
resilient cyberspace for citizens, businesses and the government. With rapid information
flow and transactions occurring via cyberspace, a national policy was much needed.
The document highlights the significance of Information Technology (IT) in driving the
economic growth of the country. It endorses the fact that IT has played a significant role
in transforming India's image to that of a global player in providing IT solutions of the
highest standards.
The Cyber Security Policy aims at protection of information infrastructure in cyberspace, to
reduce vulnerabilities, build capabilities to prevent and respond to cyber threats and
minimize damage from cyber incidents through a combination of institutional structures,
people, process, technology and cooperation. The objective of this policy in broad terms
is to create a secure cyberspace ecosystem and strengthen the regulatory framework. A
national and sectoral 24x7 mechanism has been envisaged to deal with cyber threats
through the National Critical Information Infrastructure Protection Centre (NCIIPC).
The Computer Emergency Response Team (CERT-In) has been designated to act as the nodal
agency for coordination of crisis management efforts. CERT-In will also act as the umbrella
organization for coordinating actions and operationalization of sectoral CERTs. A
mechanism is proposed to be evolved for obtaining strategic information regarding
threats to information and communication technology (ICT) infrastructure, creating
scenarios of response, resolution and crisis management through effective predictive,
prevention, response and recovery action.
Need for a cybersecurity policy
 Before 2013, India did not have a cybersecurity policy. The need for it was felt during
the NSA spying issue that surfaced in 2013.
 Information empowers people and there is a need to create a distinction between
information that can run freely between systems and those that need to be secured.
This could be personal information, banking and financial details, security
information which, when passed into the wrong hands, can put the country's safety in
jeopardy.
 This Policy has been drafted in consultation with all the stakeholders.
 In order to digitise the economy and promote more digital transactions, the
government must be able to generate trust in people in the Information and
Communications Technology systems that govern financial transactions.
 A strong integrated and coherent policy on cybersecurity is also needed to curb the
menace of cyber terrorism.
National Cyber Security Policy Objectives
 Encouraging the adoption of IT in all sectors of the economy by creating adequate
trust in IT systems by the creation of a secure cyber ecosystem.
 Creating an assurance framework for the design of security policies and for the
promotion and enabling actions for compliance with global security standards and
best practices through conformity assessment.
 Bolstering the regulatory framework for ensuring a secure cyberspace ecosystem.
 Enhancing and developing national and sectoral level 24 x 7 mechanisms for
obtaining strategic information concerning threats to ICT infrastructure, creating
scenarios for response, resolution and crisis management through effective predictive,
preventive, protective, response and recovery actions.
 Operating a 24×7 National Critical Information Infrastructure Protection Centre
(NCIIPC) to improve the protection and resilience of the country's critical
infrastructure information.
 Developing suitable indigenous security technologies to address requirements in this
field.

Cyber Forensics: Introduction to Cyber Forensics

Cyber forensics is the process of extracting data as proof for a crime (that involves electronic
devices) while following proper investigation rules, to nab the culprit by presenting the
evidence to the court. Cyber forensics is also known as computer forensics. The main aim
of cyber forensics is to maintain the thread of evidence and documentation to find out who
committed the crime digitally. Cyber forensics can do the following:
 It can recover deleted files, chat logs, emails, etc.
 It can also recover deleted SMS messages and phone call records.
 It can obtain recorded audio of phone conversations.
 It can determine which user used which system and for how much time.
 It can identify which user ran which program.
Why is cyber forensics important?
In today's technology-driven generation, the importance of cyber forensics is immense.
Technology combined with forensic science paves the way for quicker investigations and
accurate results. Below are the points depicting the importance of cyber forensics:
 Cyber forensics helps in collecting important digital evidence to trace the
criminal.
 Electronic equipment stores massive amounts of data that a normal person fails
to see. For example, in a smart house, every word we speak and every action
performed by smart devices generates huge amounts of data, which is crucial in cyber
forensics.
 It is also helpful for innocent people to prove their innocence via the evidence
collected online.
 It is not only used to solve digital crimes but also used to solve real-world
crimes like theft cases, murder, etc.
 Businesses benefit equally from cyber forensics in tracking system
breaches and finding the attackers.

How do Cyber Forensics Experts work?

Cyber forensics is a field that follows certain procedures to find the evidence to reach
conclusions after proper investigation of matters. The procedures that cyber forensic
experts follow are:
 Identification: The first step for cyber forensics experts is to identify what
evidence is present, where it is stored, and in which format it is stored.
 Preservation: After identifying the data the next step is to safely preserve the
data and not allow other people to use that device so that no one can tamper
data.
 Analysis: After getting the data, the next step is to analyze the data or system.
Here the expert recovers the deleted files and verifies the recovered data and
finds the evidence that the criminal tried to erase by deleting secret files. This
process might take several iterations to reach the final conclusion.
 Documentation: Now after analyzing data a record is created. This record
contains all the recovered and available(not deleted) data which helps in
recreating the crime scene and reviewing it.
 Presentation: This is the final step in which the analyzed data is presented in
front of the court to solve cases.

Types of computer forensics

There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:
 Network forensics: This involves monitoring and analyzing the network traffic
to and from the criminal's network. The tools used here are network intrusion
detection systems and other automated tools.
 Email forensics: In this type of forensics, the experts check the email of the
criminal and recover deleted email threads to extract crucial information
related to the case.
 Malware forensics: This branch of forensics deals with hacking-related crimes.
Here, the forensics expert examines the malware and trojans to identify the hacker
behind them.
 Memory forensics: This branch of forensics deals with collecting data from
memory (like cache, RAM, etc.) in raw form and then retrieving information from that
data.
 Mobile Phone forensics: This branch of forensics generally deals with mobile
phones. The experts examine and analyze data from the mobile phone.
 Database forensics: This branch of forensics examines and analyzes the data
from databases and their related metadata.
 Disk forensics: This branch of forensics extracts data from storage media by
searching modified, active, or deleted files.
Techniques that cyber forensic investigators use
Cyber forensic investigators use various techniques and tools to examine the data, and some
of the commonly used techniques are:
 Reverse steganography: Steganography is a method of hiding important data
inside a digital file, image, etc. So, cyber forensic experts do reverse
steganography to analyze the data and find a relation with the case.
 Stochastic forensics: In stochastic forensics, the experts analyze and
reconstruct digital activity without using digital artifacts. Here, artifacts mean
unintended alterations of data that occur from digital processes.
 Cross-drive analysis: In this process, the information found on multiple
computer drives is correlated and cross-referenced to analyze and preserve
information that is relevant to the investigation.
 Live analysis: In this technique, the criminal's computer is analyzed from
within the OS while it is running. It aims at the volatile data in RAM to get some
valuable information.
 Deleted file recovery: This includes searching memory for fragments of
a partially deleted file in order to recover it for evidence purposes.
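Deleted file recovery, as in the last item, works on raw bytes: when a file is deleted its directory entry disappears, but its content usually remains in unallocated space until overwritten. The following Python example is added here and is not code from the original notes; it carves files out of a constructed disk image by their format signatures. The JPEG and PNG header/footer bytes are the real format constants, while the image contents, the filler text and the `max_len` bound are assumptions made for the demonstration. It goes slightly beyond the list item by recovering more than one file type in a single pass.

```python
import hashlib
from dataclasses import dataclass

# Real format constants: the byte patterns each format guarantees at start and end.
JPEG_HEADER = b"\xff\xd8\xff"            # JPEG start-of-image marker
JPEG_FOOTER = b"\xff\xd9"                # JPEG end-of-image marker
PNG_HEADER = b"\x89PNG\r\n\x1a\n"        # PNG file signature
PNG_FOOTER = b"IEND\xae\x42\x60\x82"     # PNG IEND chunk type followed by its CRC

# (file type, header, footer). Carving needs no directory entries or metadata.
SIGNATURES = [
    ("jpeg", JPEG_HEADER, JPEG_FOOTER),
    ("png", PNG_HEADER, PNG_FOOTER),
]


@dataclass
class CarvedFile:
    kind: str
    offset: int     # byte offset inside the image where the file starts
    length: int
    sha256: str     # hash recorded for the documentation step
    data: bytes


def build_sample_image() -> bytes:
    """Constructed disk image (an assumption for this demo): two files whose
    directory entries were removed but whose bytes still sit in unallocated space."""
    jpeg = JPEG_HEADER + b"\xe0" + b"JFIF-body-of-a-deleted-photo" + JPEG_FOOTER
    png = PNG_HEADER + b"\x00\x00\x00\rIHDR" + b"png-body" + PNG_FOOTER
    filler = b"unallocated-slack-space-" * 16      # 384 bytes, contains no signature
    return filler + jpeg + filler + png + filler


def carve(image: bytes, max_len: int = 16 * 1024 * 1024) -> list:
    """Signature-based carving: for every known header, find the nearest matching
    footer within max_len and cut out the bytes in between. Footers are heuristics
    (a JPEG thumbnail can contain an inner end marker), so every carved file must
    still be validated by opening it with a parser for that format."""
    found = []
    for kind, header, footer in SIGNATURES:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end_marker = image.find(footer, start + len(header))
            if end_marker == -1 or end_marker - start > max_len:
                pos = start + 1          # header without a usable footer: skip it
                continue
            end = end_marker + len(footer)
            data = image[start:end]
            found.append(CarvedFile(kind, start, len(data),
                                    hashlib.sha256(data).hexdigest(), data))
            pos = end                    # continue scanning after this file
    return sorted(found, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} at offset {f.offset}, {f.length} bytes, sha256={f.sha256}")
```

Each recovered file is hashed at the moment it is carved, so the offset, length and hash can go straight into the case documentation and the same bytes can be checked again later.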

Advantages
 Cyber forensics ensures the integrity of the computer.
 Through cyber forensics, many people, companies, etc get to know about such
crimes, thus taking proper measures to avoid them.
 Cyber forensics find evidence from digital devices and then present them in
court, which can lead to the punishment of the culprit.
 They efficiently track down the culprit anywhere in the world.
 They help people or organizations to protect their money and time.
 The relevant data can be made trending and be used in making the public aware
of it.
What are the required set of skills needed to be a cyber forensic expert?
The following skills are required to be a cyber forensic expert:
 As we know, cyber forensics is based on technology. So, knowledge of various
technologies, computers, mobile phones, network hacks, security breaches, etc.
is required.
 The expert should be very attentive while examining a large amount of data to
identify proof/evidence.
 The expert must be aware of criminal laws, a criminal investigation, etc.
 As we know, over time technology always changes, so the experts must be
updated with the latest technology.
 Cyber forensic experts must be able to analyse the data, derive conclusions from
it and make proper interpretations.
 The communication skill of the expert must be good so that while presenting
evidence in front of the court, everyone understands each detail with clarity.
 The expert must have strong knowledge of basic cyber security.

Handling Preliminary Investigations

Cybersecurity and forensics have another essential term that is often used in this field:
incident handling. Computer security incidents are real or suspected offensive events
related to cybercrime, cybersecurity and computer networks. Forensic investigators or
internal cybersecurity professionals hired by organizations to handle such events and
incidents are known as incident handlers.
Incidents are categorized into three types:
 Low-level incidents: where the impact of the cybercrime is low.
 Mid-level incidents: where the impact of the cybercrime is comparatively high and
security professionals are needed to handle the situation.
 High-level incidents: where the impact of the cybercrime is the most serious, and
security professionals and forensic investigators are needed to handle the situation and
analyze the scenario, respectively.

Policy and Procedure Development
Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a
crime, digital evidence can be delicate and highly sensitive. Cybersecurity professionals
understand the value of this information and respect the fact that it can be easily
compromised if not properly handled and protected. For this reason, it is critical to establish
and follow strict guidelines and procedures for activities related to computer forensic
investigations. Such procedures can include detailed instructions about when computer
forensics investigators are authorized to recover potential digital evidence, how to properly
prepare systems for evidence retrieval, where to store any retrieved evidence, and how to
document these activities to help ensure the authenticity of the data.

Evidence Assessment
A key component of the investigative process involves the assessment of potential evidence
in a cyber crime. Central to the effective processing of evidence is a clear understanding of
the details of the case at hand and thus, the classification of cyber crime in question. For
instance, if an agency seeks to prove that an individual has committed crimes related to
identity theft, computer forensics investigators use sophisticated methods to sift through hard
drives, email accounts, social networking sites, and other digital archives to retrieve and
assess any information that can serve as viable evidence of the crime. This is, of course, true
for other crimes, such as engaging in online criminal behavior like posting fake products on
eBay or Craigslist intended to lure victims into sharing credit card information.

Evidence Acquisition
Perhaps the most critical facet of successful computer forensic investigation is a rigorous,
detailed plan for acquiring evidence. Extensive documentation is needed prior to, during, and
after the acquisition process; detailed information must be recorded and preserved, including
all hardware and software specifications, any systems used in the investigation process, and
the systems being investigated. This step is where policies related to preserving the integrity
of potential evidence are most applicable. General guidelines for preserving evidence include
the physical removal of storage devices, using controlled boot discs to retrieve sensitive data
and ensure functionality, and taking appropriate steps to copy and transfer evidence to the
investigator's system.

Evidence Examination
In order to effectively investigate potential evidence, procedures must be in place for
retrieving, copying, and storing evidence within appropriate databases. Investigators typically
examine data from designated archives, using a variety of methods and approaches to analyze
information; these could include utilizing analysis software to search massive archives of data
for specific keywords or file types, as well as procedures for retrieving files that have been
recently deleted. Data tagged with times and dates is particularly useful to investigators, as
are suspicious files or programs that have been encrypted or intentionally hidden.

Documenting and Reporting

In addition to fully documenting information related to hardware and software specs,
computer forensic investigators must keep an accurate record of all activity related to the
investigation, including all methods used for testing system functionality and retrieving,
copying, and storing data, as well as all actions taken to acquire, examine and assess
evidence. Not only does this demonstrate how the integrity of user data has been preserved,
but it also ensures proper policies and procedures have been adhered to by all parties. As the
purpose of the entire process is to acquire data that can be presented as evidence in a court of
law, an investigator's failure to accurately document his or her process could compromise the
validity of that evidence and ultimately, the case itself.

Controlling an Investigation

1. Securely acquire and store raw log data for as long as possible from as many
disparate devices as possible, while providing search and restore capabilities for
these logs for analysis.
2. Monitor interesting events coming from all important devices, systems, and
applications in as near real time as possible.
3. Run regular vulnerability scans on our hosts and devices, and correlate these
vulnerabilities to intrusion detection alerts or other interesting events,
identifying high-priority attacks as they happen and minimizing false
positives. SIEM and log management solutions in general can assist in security
information monitoring (see Figure 1.21), as well as regulatory compliance
and incident response.
4. Aggregate and normalize event data from unrelated network devices, security
devices, and application servers into usable information.
5. Analyze and correlate information from various sources such as vulnerability
scanners, IDS/IPS, firewalls, servers, and so on, to identify attacks as soon as
possible and help respond to intrusions more quickly.
6. Conduct network forensic analysis on historical or real-time events through
visualization and replay of events.
7. Create customized reports for better visualization of our organizational security
posture.
8. Increase the value and performance of existing security devices by providing a
consolidated event management and analysis platform.
9. Improve the effectiveness of, and help focus, IT risk management personnel on the events
that are important.
10. Meet regulatory compliance and forensics requirements by securely storing all event
data on a network for long-term retention and enabling instant accessibility to
archived data.
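Steps 3 to 5 above describe the core of what a SIEM does: normalize events from unrelated devices into one schema, then correlate IDS alerts with vulnerability scan results and firewall decisions so that real attacks are ranked high and likely false positives low. The Python example below is added here; it is not code from the original notes or from any SIEM product, and it runs over constructed sample lines: the firewall and IDS line formats, the sensor names, the addresses and the FINDING-PLACEHOLDER ids are all assumptions made for the demonstration.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample logs (no real hosts or traffic). Formats loosely follow a
# key=value syslog firewall line, an IDS "fast"-style alert line and a scanner CSV export.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw01 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-03-01T10:00:04Z fw01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp",
    "2024-03-01T10:00:09Z fw01 ACCEPT src=198.51.100.7 dst=192.0.2.20 dport=80 proto=tcp",
]
IDS_ALERTS = [
    "2024-03-01T10:00:02Z ids01 [Priority: 2] WEB-ATTACK suspicious request 203.0.113.5:51000 -> 192.0.2.10:443",
    "2024-03-01T10:00:05Z ids01 [Priority: 3] SSH brute-force attempt 203.0.113.5:51001 -> 192.0.2.10:22",
    "2024-03-01T10:00:10Z ids01 [Priority: 3] SCAN probe 198.51.100.7:40000 -> 192.0.2.20:80",
]
# host,port,finding,severity. Finding ids are placeholders, not real vulnerability ids.
VULN_SCAN = [
    "192.0.2.10,443,FINDING-PLACEHOLDER-1,high",
    "192.0.2.30,3389,FINDING-PLACEHOLDER-2,medium",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ACCEPT|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\w+$")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) \[Priority: (?P<prio>\d)\] (?P<sig>.+?) "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line: str) -> Optional[dict]:
    """Step 4: map a raw line from either device onto one common event schema."""
    if m := FW_RE.match(line):
        return {"ts": parse_ts(m["ts"]), "source": "firewall", "sensor": m["sensor"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "action": m["action"]}
    if m := IDS_RE.match(line):
        return {"ts": parse_ts(m["ts"]), "source": "ids", "sensor": m["sensor"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "signature": m["sig"], "priority": int(m["prio"])}
    return None   # unparseable lines are kept out of the normalized stream


def load_vulns(rows) -> dict:
    """Index scanner findings by (host, port) for fast correlation lookups."""
    vulns = {}
    for row in rows:
        host, port, finding, severity = row.split(",")
        vulns.setdefault((host, int(port)), []).append((finding, severity))
    return vulns


def correlate(events, vulns, window=timedelta(seconds=30)) -> list:
    """Steps 3 and 5: rank IDS alerts. An alert against a host:port with an open
    finding is high priority; an alert whose connection the firewall denied within
    the time window is low priority (likely a false positive); the rest are medium."""
    denies = [e for e in events if e["source"] == "firewall" and e["action"] == "DENY"]
    ranked = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["source"] != "ids":
            continue
        findings = vulns.get((e["dst_ip"], e["dst_port"]), [])
        blocked = any(d["src_ip"] == e["src_ip"] and d["dst_ip"] == e["dst_ip"]
                      and d["dst_port"] == e["dst_port"]
                      and abs(d["ts"] - e["ts"]) <= window for d in denies)
        if findings:
            level, reason = "high", f"target exposes {findings[0][0]} ({findings[0][1]})"
        elif blocked:
            level, reason = "low", "matching connection denied by firewall"
        else:
            level, reason = "medium", "no known finding on target, traffic accepted"
        ranked.append({"ts": e["ts"], "signature": e["signature"], "src_ip": e["src_ip"],
                       "dst_ip": e["dst_ip"], "dst_port": e["dst_port"],
                       "level": level, "reason": reason})
    return ranked


def run_demo() -> list:
    events = [ev for ev in map(normalize, FIREWALL_LOGS + IDS_ALERTS) if ev]
    return correlate(events, load_vulns(VULN_SCAN))


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r['ts']:%H:%M:%S} {r['level']:6} {r['signature']} "
              f"{r['src_ip']} -> {r['dst_ip']}:{r['dst_port']} ({r['reason']})")
```

The ranking rule is deliberately simple; in a production SIEM the same join (alert target against asset and vulnerability inventory, plus the firewall verdict for the same flow) is what turns thousands of raw alerts into a short list worth an analyst's time.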

Conducting disk-based analysis

Disk forensics is the science of extracting forensic information from digital storage media
like hard disks, USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc.
The steps in the Disk Forensics process are:
1. Identify digital evidence
2. Seize & Acquire the evidence
3. Authenticate the evidence
4. Preserve the evidence
5. Analyze the evidence
6. Report the findings
7. Documenting

Identify digital storage devices

The first step in Disk Forensics is identification of storage devices at the scene of crime, like hard
disks with IDE/SATA/SCSI interfaces, CDs, DVDs, floppy disks, mobiles, PDAs, flash cards,
SIMs, USB/FireWire disks, magnetic tapes, Zip drives, Jaz drives etc. These are some of
the sources of digital evidence.

Seizure and Acquisition of Storage devices

The next step is seizing the storage media for digital evidence collection. This step is performed
at the scene of crime. In this step, a hash value of the storage media to be seized is computed
using an appropriate cyber forensics tool. A hash value is a unique signature generated by a
mathematical hashing algorithm based on the content of the storage media. After computing
the hash value, the storage media is securely sealed and taken for further processing.

One of the cardinal rules of Cyber Forensics is "Never work on original evidence". To ensure
this rule is followed, an exact copy of the original evidence is created for analysis and digital
evidence collection. Acquisition is the process of creating this exact copy: the original
storage media is write protected and a bit stream copy is made to ensure the complete data
is copied into the destination media. Acquisition of source media is usually done in a Cyber
Forensics laboratory.

Authentication of the evidence

Authentication of the evidence is carried out in the cyber forensics laboratory. The hash values
of the source and destination media are compared to make sure that both values are the same,
which ensures that the content of the destination media is an exact copy of the source media.

Preservation of the evidence

Electronic evidence can be altered or tampered with without leaving a trace. Once acquisition
and authentication have been done, the original evidence should be placed in secure storage,
kept away from strong magnetic and radiation sources. One more copy of the image should be
taken and stored on appropriate media or reliable mass storage. Optical media can be used as
the mass storage: it is reliable, fast, has a long life span and is reusable.

Verification and Analysis of the evidence

Verification of the evidence before starting analysis is an important step in the cyber
forensics process. This is done in the cyber forensics laboratory before commencing analysis.
The hash value of the evidence is computed and compared with the hash value taken at the time
of acquisition. If both values are the same, there is no change in the content of the evidence;
if they differ, the content has changed. The result of verification should be properly
documented.
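The seize, acquire, authenticate and verify steps above, carried out on a tiny in-memory medium, as an added example (not the notes' own code or any particular forensic tool). The eight-sector "disk", the text placed in its sectors and the 512-byte sector size are constructed. Two digests are recorded at seizure so that a weakness in one algorithm does not undermine the record, and the same comparison serves both authentication after acquisition and verification before analysis.

```python
"""Hash-based seizure record, bit-stream acquisition and verification of a
storage medium. Added example: an in-memory "disk" stands in for the seized
medium so the whole seize -> acquire -> authenticate -> verify cycle runs offline."""
import hashlib

SECTOR = 512  # bit-stream copies are made sector by sector (constructed size)


def build_sample_media() -> bytes:
    """Constructed 8-sector medium: a boot area, one live file, a deleted-file
    remnant left in unallocated space, and zero-filled sectors."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    sectors[0] = b"BOOT".ljust(SECTOR, b"\x00")
    sectors[2] = b"invoice.txt: amount due 1200".ljust(SECTOR, b"\x00")
    sectors[5] = b"remnant of deleted note".ljust(SECTOR, b"\x00")
    return b"".join(sectors)


def hash_media(data: bytes) -> dict:
    """Seizure record: size plus MD5 and SHA-256 digests of the whole medium,
    computed sector by sector. Two digests are kept so that MD5's known
    collision weakness does not undermine the record on its own."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), SECTOR):
        chunk = data[offset:offset + SECTOR]
        md5.update(chunk)
        sha256.update(chunk)
    return {"size": len(data), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source: bytes) -> bytes:
    """Bit-stream copy: every sector is copied, including unallocated space,
    so deleted remnants survive in the image. The source is only ever read."""
    image = bytearray()
    for offset in range(0, len(source), SECTOR):
        image += source[offset:offset + SECTOR]
    return bytes(image)


def verify_image(seizure_record: dict, image: bytes) -> dict:
    """Authentication (after acquisition) and verification (before analysis)
    are the same check: recompute the digests and compare with the record."""
    current = hash_media(image)
    return {
        "size_ok": current["size"] == seizure_record["size"],
        "md5_ok": current["md5"] == seizure_record["md5"],
        "sha256_ok": current["sha256"] == seizure_record["sha256"],
        "match": current == seizure_record,
    }


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to model an altered working copy."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    media = build_sample_media()
    record = hash_media(media)   # computed at the scene, before sealing
    image = acquire(media)       # done in the laboratory from the write-protected source
    print("authentication:", verify_image(record, image)["match"])
    print("after tampering:", verify_image(record, tamper(image, 2 * SECTOR + 10))["match"])
```

A single flipped bit in the working copy changes both digests while the size stays the same, which is why the verification result is recorded field by field rather than as a bare yes/no.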

Reporting the findings

The case analysis report should be prepared based on the nature of the examination requested by
the court or investigation agency. It should contain the nature of the case, details of the
examination requested, details of the material objects and their hash values, the result of
evidence verification, details of the analysis conducted and the digital evidence collected,
the observations of the examiner and the conclusion. The report should be presented in simple,
precise terms so that non-technical persons can understand its content.

Documentation

Documentation is very important in every step of the cyber forensics process. Everything
should be appropriately documented to make a case admissible in a court of law.
Documentation should start from the planning of the case investigation and continue through
searching the scene of crime, seizure of material objects, chain of custody, authentication and
acquisition of evidence, verification and analysis of evidence, collection of digital evidence
and reporting, preservation of material objects and up to the closing of the case.

Investigating Information-hiding

Steganography

Steganography is a way to provide security when data is transferred over a network. The word
comes from Greek and literally means "covered writing". It is the art of hiding information so as
to prevent detection of the hidden messages. The information is hidden inside multimedia files,
which can be audio, image or video. The purpose of steganography is covert communication: hiding
confidential information from an unauthorized user or third party. If the hiding feature is
visible, the point of attack is evident, so the goal is always to conceal the very existence of
the embedded data.

Technical Steganography
In this technique, invisible ink, microdots and other size-reduction methods are used. It is a
scientific method of hiding data. Technical steganography is used in the following techniques:

a) Video Steganography: large data files can be hidden in video. A video file is essentially a
collection of images and sounds, so a small but otherwise noticeable distortion may go
unobserved by humans because of the continuous flow of information.
b) Audio Steganography: secret messages are embedded in digital sound by slightly altering the
binary sequence of a sound file. Existing audio steganography software can embed messages in
WAV, AU and even MP3 sound files.
c) Text Steganography: the message is hidden in a text carrier using methods such as changing the
last bit of each character, using one sentence in every ten, or inserting blank spaces between
letters or words.
d) Image Steganography: information is hidden in an image. Straight message insertion may
encode every bit of information in the image, or the message bits may be scattered randomly
throughout the image. A number of ways exist to hide information in digital media.
e) Protocol Steganography: steganography can be applied at the layers of the OSI network model
and in covert-channel protocols. It refers to techniques for embedding information within
messages and the network control protocols used in network transmission; the information is
added to TCP/IP headers and sent across the network.

Linguistic Steganography
This technique hides the message within the carrier in some non-obvious way. It is categorized
into two types:
a) Semagrams: semagrams use symbols and signs to hide information. They are further categorized
into two types:
i) Visual Semagrams: a visual semagram uses innocent-looking or everyday physical objects to
convey a message, such as doodles or the positioning of items on a web site.
ii) Text Semagrams: these hide a message by modifying the appearance of the carrier text, such
as subtle changes in font size or type, added spaces, or different flourishes in letters or
handwritten text.
b) Open Codes: these hide a message within a legitimate carrier message in ways that are not
obvious to an unsuspecting observer.
i) Jargon: language that is meaningless to outsiders but understood by a group of people.
Jargon codes include symbols used to indicate the presence and type of a wireless network
signal, underground terminology, or an innocent conversation that conveys special meaning
because of facts known only to the speakers. A subset of jargon codes are cue codes, where
certain prearranged phrases convey meaning.
ii) Covered Ciphers: covered or concealed ciphers hide a message openly in the carrier medium
so that it can be recovered by anyone who knows the secret of how it was concealed.
- Null Cipher: a null cipher hides the message according to some prearranged set of rules,
such as "read every fifth word" or "look at the third character in every word."
- Grille Cipher: a grille cipher employs a template that is placed over the carrier message;
the words that appear in the openings of the template are the hidden message.

Watermarking
In watermarking applications, the message contains information such as owner identification
and a digital time stamp, and is usually applied for copyright protection. Watermarks are
categorized into two types:
Fragile watermark:
A fragile watermark is readily altered when the host image is modified through a linear or
non-linear transformation. It is used to authenticate and verify the image.
Robust watermark:
Robust watermarks are used in copy-protection applications to carry copy-control and
access-control information. A digital watermark is called perceptible if its presence in the
marked signal is noticeable. Watermarks are further categorized into three types:
i) Fingerprint: the owner of the data set embeds a serial number that uniquely identifies the
user of the data set. This adds to the copyright information and makes it possible to trace any
unauthorized use of the data set back to that user.
ii) Imperceptible: a digital watermark is called imperceptible if the original cover signal and
the marked signal are perceptually indistinguishable.
iii) Visible: in visible digital watermarking, the information is visible in the picture or
video. The image on the right has a visible watermark. When a television broadcaster adds its
logo to the corner of transmitted video, this is also a visible watermark.

Steganalysis
Steganalysis is simply the detection of steganography by a third party. It is a relatively new
field, since the technology behind steganography is only now becoming popular. There are two
main types of steganalysis: visual analysis and statistical (algorithmic) analysis. Visual
analysis tries to reveal the presence of hidden information through inspection with the naked
eye or with the assistance of a computer, which can separate the image into bit planes for
further analysis. Statistical analysis is more powerful and successful, because it reveals the
smallest alterations in an image's statistical behavior. Several statistical tests can be run on
an image: average bytes, variations of the bytes, skew, kurtosis, average deviation and
differential values.
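LSB image steganography of the kind the image steganography item above describes, together with a simple statistical steganalysis test of the kind the steganalysis paragraph mentions, as one added example (not the notes' own code). The 32x32 greyscale cover is constructed as a gradient of multiples of four, so its least-significant-bit plane starts out all zeros; embedding writes message bits into that plane, and a pairs-of-values chi-square statistic shows how embedding flattens the histogram of each (2k, 2k+1) pair. The pixel-list image format, the 4-byte length prefix and the choice of chi-square test are assumptions of this example.

```python
"""LSB embedding into a greyscale image and a pairs-of-values chi-square
steganalysis test. Added example on a constructed 32x32 cover image."""
import struct

WIDTH, HEIGHT = 32, 32


def make_cover():
    """Constructed 8-bit greyscale gradient. Every value is a multiple of 4,
    so the cover's LSB plane is all zeros (deliberately clean)."""
    return [(x + y) * 4 for y in range(HEIGHT) for x in range(WIDTH)]


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, message):
    """Straight insertion: a 4-byte length prefix and the message go into the
    least-significant bits of consecutive pixels, one bit per pixel."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message does not fit in the cover")
    stego = list(cover)
    for index, bit in enumerate(_bits(payload)):
        stego[index] = (stego[index] & 0xFE) | bit
    return stego


def lsb_plane(pixels):
    """Bit-plane separation: the LSB of every pixel, as visual analysis does."""
    return [p & 1 for p in pixels]


def extract_lsb(stego):
    """Read the length prefix, then that many bytes, back out of the LSB plane."""
    bits = lsb_plane(stego)

    def read_bytes(count, offset):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | bits[offset + b * 8 + i]
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(4, 0))
    return read_bytes(length, 32)


def pairs_of_values_chi2(pixels):
    """Chi-square statistic over the histogram pairs (2k, 2k+1). LSB embedding
    only moves pixels between the two halves of a pair, so the two counts tend
    toward equality and the statistic drops; a high value means the pairs are
    still skewed, as in an untouched image."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        n = hist[2 * k] + hist[2 * k + 1]
        if n == 0:
            continue
        expected = n / 2
        chi2 += (hist[2 * k] - expected) ** 2 / expected
    return chi2


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, b"hidden note for the examiner")
    print(extract_lsb(stego))
    print("chi2 cover:", pairs_of_values_chi2(cover), "chi2 stego:", pairs_of_values_chi2(stego))
```

No pixel changes by more than one grey level, which is why the embedding is invisible to the eye, and also why the histogram pairs are the right place to look for it: the statistic drops as soon as message bits start landing in the LSB plane.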

Cryptography
Cryptography is the process of transforming plain text or original information into an
unintelligible form (cipher text) so that it may be sent over unsafe channels or
communications. The transformation is controlled by a data string (the key). Anyone getting
hold of the cipher text while it is on the unsafe channel would need the appropriate key to
recover the original information; the authorized receiver is assumed to have that key.
Cryptography is the study of methods of sending messages in disguised form so that only the
intended recipients can remove the disguise. It is the art of converting messages into a
different form such that no one can read them without access to the 'key'; the message may be
converted using a 'code' or a 'cipher'. Cryptology is the science underlying cryptography.

Cryptography v/s steganography

In cryptography, the sender encrypts the data with an encryption algorithm and keys before
sending it into the network; when the receiver receives the data, it is decrypted with the keys
to recover the original data. Steganography is not the same as cryptography, although both aim
to provide secret communication. Cryptography offers the ability to transmit information among
persons in a way that prevents a third party from reading it; it can also provide
authentication, verifying the identity of someone or something.

Investigation analysis

Nowadays computer crime and cybercrime are big challenges. When a criminal hides messages and
data in images, they are difficult to recognize, and digital forensics investigates the crime
committed against the organization. Digital forensics also examines the places where
steganographic data may be hidden: examiners are very familiar with the data that remains in
file slack or unallocated space as remnants of previous files, and programs can be written that
access slack and unallocated space directly. Sometimes a small amount of data is also hidden in
unused portions of file headers. Digital forensics further investigates network channels such
as the TCP/IP protocol, because the messages passed through them are used in crimes such as
criminal communications, fraud, hacking of electronic payments, gambling and pornography,
harassment, viruses and pedophilia.
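Scanning file slack and unallocated space for remnants, as the paragraph above describes, as an added example (not the notes' own code or any forensic tool's). The 64-byte cluster size, the file table standing in for a file system's metadata, and the text hidden in slack and in a freed cluster are all constructed.

```python
"""Locate file slack and unallocated clusters in a tiny constructed image and
carve printable strings out of those areas only. Added example."""
import re

CLUSTER = 64          # constructed cluster size
TOTAL_CLUSTERS = 6

# Constructed allocation table: name -> (first cluster, file length in bytes).
# Files occupy whole clusters; the unused tail of the last cluster is slack.
FILE_TABLE = {
    "readme.txt": (0, 100),  # clusters 0-1, 28 bytes of slack in cluster 1
    "data.bin": (3, 64),     # exactly one cluster, no slack
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def build_image() -> bytes:
    """Constructed image: live file contents, hidden text in readme's slack,
    a deleted-file remnant in unallocated cluster 4, zeros elsewhere."""
    clusters = [bytearray(CLUSTER) for _ in range(TOTAL_CLUSTERS)]
    readme = b"R" * 100
    clusters[0][:] = readme[:64]
    clusters[1][:36] = readme[64:]
    clusters[1][36:] = b"SLACK-SECRET: meet at 9".ljust(28, b"\x00")
    clusters[3][:] = bytes(range(64))   # allocated binary data, must not be flagged
    clusters[4][:30] = b"deleted ledger: acct 4471-X".ljust(30, b"\x00")
    return b"".join(bytes(c) for c in clusters)


def slack_regions(table):
    """(name, start, end) byte ranges between each file's end and the end of
    its last cluster."""
    regions = []
    for name, (first, length) in table.items():
        n_clusters = -(-length // CLUSTER)        # ceiling division
        file_end = first * CLUSTER + length
        cluster_end = (first + n_clusters) * CLUSTER
        if cluster_end > file_end:
            regions.append((name, file_end, cluster_end))
    return regions


def unallocated_clusters(table, total):
    """Cluster numbers that no file in the table occupies."""
    used = set()
    for first, length in table.values():
        used.update(range(first, first + -(-length // CLUSTER)))
    return [c for c in range(total) if c not in used]


def carve_strings(blob: bytes):
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def scan_image(image: bytes, table, total):
    """Search only slack and unallocated space, leaving live file data alone."""
    findings = {}
    for name, start, end in slack_regions(table):
        hits = carve_strings(image[start:end])
        if hits:
            findings[f"slack:{name}"] = hits
    for c in unallocated_clusters(table, total):
        hits = carve_strings(image[c * CLUSTER:(c + 1) * CLUSTER])
        if hits:
            findings[f"unallocated:cluster{c}"] = hits
    return findings


if __name__ == "__main__":
    for where, strings in scan_image(build_image(), FILE_TABLE, TOTAL_CLUSTERS).items():
        print(where, strings)
```

Cluster 3 holds a run of printable bytes too, but it is fully allocated with no slack, so the scan never reports it; the two findings come from the slack of readme.txt and from a freed cluster.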

Scrutinizing E-mail
Email security is a term describing the procedures and techniques for protecting email
accounts, content and communication against unauthorized access, loss or compromise. Email is
often used to spread malware, spam and phishing attacks: attackers use deceptive messages to
entice recipients to part with sensitive information, open attachments or click on hyperlinks
that install malware on the victim's device. Email is also a common entry point for attackers
looking to gain a foothold in an enterprise network and obtain valuable company data.

Validating E-mail header information

An email header is more than the To, From, Date and Subject section that precedes an email
body. Headers also play an essential role in recording an email's route, since every email
message carries a header.
When an email is sent from one address to another, the message passes through mail transfer
agents (MTAs), so the headers show whether the email went through other addresses before
reaching the final destination. If the header information looks suspicious, users can avoid
engaging with the email.

In the header we can see the authentication results for SPF, DKIM and DMARC. It is important
to note that, in order for an email to pass DMARC, it must pass either SPF or DKIM; it does not
have to pass both.

SPF headers
The criterion checked for SPF is whether the server that originated the email is an authorized
sender. We may see a field in the email header labeled 'Received-SPF' which shows whether the
email passed or failed this test. We will also see text that shows the IP address of the
originating server and whether the sending domain lists that IP address as an authorized
sender.
Here is how some large email providers represent this information. Note: these headers were
copied from a real email, though I've replaced the actual domain and IP addresses with generic
values:
Google and Yahoo!:
Received-SPF: pass (google.com: domain of example.com designates 10.1.2.3 as permitted
sender)
Microsoft (Hotmail):
CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is 10.1.2.3; identity
alignment result is pass and alignment mode is relaxed)

DKIM headers
There may be multiple DKIM records in an email header. The result of the DKIM evaluation also
shows the domain that was evaluated. To make sure we are looking at the proper result, look for
the one that matches the domain in the From address of the email.
Here is how some large email providers show the results of DKIM validation. As we can see, each
uses a different label for the domain that was validated (in each case, the evaluated domain
below is example.com):
Google:
dkim=pass [email protected]
Yahoo!:
from=example.com; dkim=pass (ok)
Microsoft (Hotmail):
dkim=pass (identity alignment result is pass and alignment mode is relaxed)
header.d=example.com

DMARC headers
Unfortunately, not all email receivers show DMARC results in the header. Of the big three,
Google is the only one that does. Other receivers, like Microsoft, will be adding this in the
future. (And unfortunately, until they do, there's no way to check the DMARC status of a
message.)
For those that do include it, the DMARC results are fairly easy to read. The results show
whether or not the email passed DMARC. The example below is extracted from the 'From' field in
the header.
Google:
dmarc=pass (p=REJECT dis=NONE) header.from=example.com
In this case, the email has passed DMARC (dmarc=pass). We can also see the DMARC policy for
the domain (p=REJECT) and the disposition (dis=NONE), which shows what action the receiver
took with the email (NONE, QUARANTINE or REJECT).
Note that the receiver may choose to override the DMARC results. This could happen where the
email receiver has a trusted relationship with the sender and will allow emails from that
sender even if DMARC authentication fails for those messages.
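Parsing an Authentication-Results header and applying the rule stated above (DMARC passes when either SPF or DKIM passes, here with the checked identifier aligned to the From domain), as an added example (not the notes' own code or any mail provider's). The two messages, the receiver name mx.example.net and the addresses are constructed, and the alignment check is a simplification of DMARC's relaxed mode, which really compares organisational domains.

```python
"""Parse Authentication-Results headers and recompute the DMARC verdict from
the SPF and DKIM results. Added example on two constructed messages."""
import email
import email.utils
import re

# Constructed message: SPF fails (as it often does for forwarded mail) but
# DKIM passes for the From domain, so DMARC still passes.
MSG_DKIM_ONLY = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: constructed sample
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com;
 dmarc=pass (p=REJECT dis=NONE) header.from=example.com

Body text.
"""

# Constructed message: SPF passes but for an unrelated domain, DKIM fails.
MSG_UNALIGNED = """\
From: Alice <alice@example.com>
To: bob@example.net
Subject: constructed sample
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mailer.other-host.test;
 dkim=fail header.d=other-host.test

Body text.
"""


def parse_authentication_results(value: str):
    """Return (authserv-id, {method: {"result": ..., property: value, ...}}).
    Folded header lines are joined before splitting on ';'; a parenthesised
    comment such as (p=REJECT dis=NONE) is kept under "comment"."""
    value = " ".join(value.split())
    clauses = [c.strip() for c in value.split(";")]
    results = {}
    for clause in clauses[1:]:
        if not clause:
            continue
        comment = re.search(r"\(([^)]*)\)", clause)
        parts = re.sub(r"\([^)]*\)", " ", clause).split()
        method, _, result = parts[0].partition("=")
        entry = {"result": result.lower()}
        for prop in parts[1:]:
            key, _, val = prop.partition("=")
            entry[key.lower()] = val.lower()
        if comment:
            entry["comment"] = comment.group(1)
        results[method.lower()] = entry
    return clauses[0], results


def aligned(identifier: str, from_domain: str) -> bool:
    """Relaxed alignment, simplified: the identifier's domain equals the From
    domain or is a subdomain of it."""
    domain = identifier.rpartition("@")[2].lower()
    from_domain = from_domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain)


def evaluate_dmarc(raw_message: str) -> dict:
    """Recompute the DMARC verdict and report it beside the receiver's own."""
    msg = email.message_from_string(raw_message)
    from_domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2]
    authserv, results = parse_authentication_results(msg["Authentication-Results"])
    spf, dkim = results.get("spf", {}), results.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    return {
        "authserv": authserv,
        "from_domain": from_domain,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "receiver_dmarc": results.get("dmarc", {}).get("result"),
        "policy": results.get("dmarc", {}).get("comment"),
    }


if __name__ == "__main__":
    for raw in (MSG_DKIM_ONLY, MSG_UNALIGNED):
        print(evaluate_dmarc(raw))
```

The second message shows why the alignment part of the rule matters: spf=pass on its own is not enough when the domain that passed is not the domain in the From header.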

The road ahead

Today we can only find out if an email was authenticated by looking at the information above.
Later on this year, the large ISPs (Google, Microsoft, Yahoo!, etc.) will start showing
indicators of authentication results directly to the user. For example, if an email does not
pass authentication, the ISPs may remove images from the email or show text stating that the
email has not been authenticated. Time to get those emails authenticating properly!

Tracing Internet access

Tracing is a process that follows the Internet activity backwards, from the recipient to the
user. As well, a user's Internet activity on web sites can also be tracked on the recipient site
(i.e., what sites are visited and how often, the activity at a particular site). Sometimes this
tracking and tracing ability is used to generate e-mail to the user, promoting a product that is
related to the sites visited. User information, however, can also be gathered covertly.

Step 1: (Optional) Download and install a free program

a. Open a search engine such as Google (www.google.com), Yahoo (www.yahoo.com), or
Search (http://search.com).
b. Which words do we think would give us the best result if we are searching for a visual
program that allows us to trace how data (a packet) travels through the Internet? Write down
our search words.
c. Type the words we chose in the Search field. Locate and download the software and install
it. Normally, the website has a link to the download site or we can click the words
"Download" or "Download Now". When we download any freeware, remember the location on the
hard drive, flash drive, or disk media where we saved the program.
d. What is the name of the program we installed?

Step 2: Locate web sites

a. Using the search engine again, locate five businesses with a web server that are located in
a country different from our own.
b. Write the names of the five business web sites.
c. Using the search engine again, locate a business in our own country that has an accessible
web site.
d. Write the URL of the web site. An example URL is www.cisco.com

Step 3: (Optional) Use downloaded visual trace route tool

a. Using the software we have downloaded and installed, use the tool to determine the path
which the packet takes to reach one of the remote country destinations. Each tool normally
allows us to type a URL. The program should either list or visually display the path taken by
the packet.
b. How many hops does the packet take to get from our computer to the destination computer?
c. If our tool also provides time information, write down how long it took for the packet to
reach the first hop.
d. Use the tool to determine the path to another foreign country site.
e. How many hops does the packet take to get from our computer to the destination computer?
f. Use the tool to determine the path to a web site in our own country.

Step 4: Use the tracert command

a. Click the Start button, click the Run option, type cmd, and press Enter. An alternate way
to get to the command prompt is to click Start > All Programs > Accessories > Command
Prompt.
b. From the command prompt, type tracert and press Enter. The options that can be used with the
tracert command are shown. Items shown in square brackets [ ] are optional. For example, the
first option that can be used with the tracert command is -d. If someone were to type tracert -d
www.cisco.com, the command issued to the computer is to trace the route to www.cisco.com but
not try to resolve IP addresses to names. The target_name parameter is mandatory (it does not
have brackets around it) and is replaced with the destination network. In the previous example
of tracert -d www.cisco.com, www.cisco.com is the target_name.
c. Which tracert option would be used to designate that only 5 hops could be used to search
for the device address on the destination network?
d. Write the full command that would be typed to trace a route to www.cisco.com and
instruct the computer to not search for it after seven hops.
e. Using one of the remote country destination addresses (use the same address as the one we
used with the visual tool if possible), use the tracert command to determine how many hops it
takes to reach the remote web server. Write the number of hops and the destination.
f. The tracert command uses Internet Control Message Protocol (ICMP) echo request messages to
determine the path to the final destination. The path displayed is a list of IP addresses
assigned to the routers that connect to one another to form the path. The ICMP packets contain
a value called Time To Live (TTL). The TTL value is 30 by default on a Microsoft-based PC, and
each router through which the packet passes decrements that value by 1 before sending the
packet on to the next router in the path. When the TTL value reaches 0, the router that has the
packet sends an ICMP time exceeded message back to the source. The tracert command determines
the path by sending the first ICMP echo request message with a TTL of 1 and then increasing the
TTL value by 1 until the target responds or the maximum number of hops is reached. The path is
determined by examining the ICMP time exceeded messages sent back by the routers along the way
and the ICMP echo reply message returned by the destination. Routers that do not return ICMP
time exceeded messages are shown by a row of asterisks (*).
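A model of the TTL mechanism described in item f, as an added example (not Microsoft's tracert): the routers, their addresses (taken from the TEST-NET documentation ranges) and the silent middle router are constructed, and one echo request is sent per TTL instead of the three probes tracert actually sends.

```python
"""Model of how tracert discovers a path by sending echo requests with
increasing TTL values. Added example on a constructed three-router path."""
from dataclasses import dataclass


@dataclass
class Router:
    ip: str
    replies_time_exceeded: bool = True  # False: drops expired packets silently


def send_echo_request(path, target_ip, ttl):
    """Forward one echo request along `path`. Each router decrements the TTL
    before forwarding; when it reaches 0 the router answers with ICMP time
    exceeded (or stays silent). A packet that survives every router reaches
    the target, which answers with an echo reply."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.replies_time_exceeded:
                return ("time-exceeded", router.ip)
            return ("silent", None)
    return ("echo-reply", target_ip)


def tracert(path, target_ip, max_hops=30):
    """Start at TTL 1 and raise it by one per probe until the target replies
    or the hop limit is reached; silent routers are listed as '*'."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, ip = send_echo_request(path, target_ip, ttl)
        hops.append((ttl, "*" if kind == "silent" else ip))
        if kind == "echo-reply":
            break
    return hops


# Constructed path: three routers, the middle one never reports TTL expiry.
SAMPLE_PATH = [Router("192.0.2.1"), Router("198.51.100.7", False), Router("203.0.113.9")]
SAMPLE_TARGET = "203.0.113.50"

if __name__ == "__main__":
    for hop, ip in tracert(SAMPLE_PATH, SAMPLE_TARGET):
        print(f"{hop:>3}  {ip}")
```

The `max_hops` parameter plays the role of a hop limit: with it set below the path length the listing simply stops before the target is ever reached, which is what a truncated trace looks like in practice.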

Step 5: Use the pathping command

a. A similar command that can be used on a Windows XP computer is pathping. This command
combines the abilities of the tracert command with the ping command. From the command
prompt, use the pathping command to determine the IP addresses of the routers used to create
the packet path to another foreign country address. An example of the pathping command used to
trace the path to Cisco is pathping www.cisco.com.
b. How many hops did the pathping command display to our remote destination?
c. When do we think we would ever use a tool like pathping or tracert?

Step 6: (Optional) Use the whois function

a. Some of the freeware tools include an option to perform a whois function. Whois is either a
separate program or integrated with a tool similar to tracert or pathping. It displays (and
sometimes links to) who owns the web link of either the destination URL (such as cisco.com) or
any of the links along the path. Explore the freeware tool that we have downloaded and installed
and determine if it has a whois function. If it does, use it to determine who owns the domain
name of one of the previous destinations used.
b. Why would we want to use the whois function?

Step 7: Presenting the result

Answer all the red-marked questions, write the answers in a Word document and send it to our
teacher.

Tracing memory in real-time

Often it's necessary to trace the memory usage of the system in order to determine the program
that consumes all the CPU resources or the program responsible for slowing down the activities
of the CPU. Tracing memory usage also becomes necessary to determine the load on a server.
Parsing the usage data enables the servers to balance the load and serve the user's requests
without slowing down the system.
1. free: displays the amount of memory which is currently available and used by the system
(both physical and swap). The free command gathers this data by parsing /proc/meminfo. By
default, the amount of memory is displayed in kilobytes.

free command in UNIX

watch -n 5 free -m: the watch command is used to execute a program periodically, here running
free -m every 5 seconds.

According to the image above, there is a total of 2000 MB of RAM and 1196 MB of swap space
allotted to the Linux system. Out of this 2000 MB of RAM, 834 MB is currently used whereas 590
MB is free. Similarly for swap space, out of 1196 MB, 0 MB is in use and 1196 MB is free.
2. vmstat: the vmstat command is used to display virtual memory statistics of the system. It
reports data about memory, paging, disk and CPU activity. The first run of this command returns
averages since the last reboot; subsequent runs return data sampled over periods of the given
delay.

vmstat -d: reports disk statistics

vmstat -s: displays the amount of memory used and available

3. top: the top command displays all the currently running processes in the system. It shows
the list of processes and threads currently being handled by the kernel. top can also be used
to monitor the total amount of memory usage.

top -H: threads-mode operation. Displays the individual threads that are currently in the
system. Without this option, a summation of all threads in each process is displayed.

4. /proc/meminfo: this file contains all the data about memory usage. It provides the current
memory usage details rather than old stored values.

5. htop: htop is an interactive process viewer. It is similar to top except that it allows users
to scroll vertically and horizontally to view all processes running on the system along with
their full command lines, view them as a process tree, and select multiple processes and act on
them all at once.
Working of the htop command in UNIX:
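Deriving the figures that free -m prints from /proc/meminfo, which the free entry above says it parses, as an added example (not procps code). The meminfo text is constructed, with values chosen to match the figures quoted in the notes, and "used" is computed with the classic formula (total minus free, buffers and cached); newer procps releases use total minus MemAvailable instead. The periodic watch loop from the notes is left to the shell.

```python
"""Reproduce the `free -m` summary from the contents of /proc/meminfo.
Added example: the meminfo excerpt is constructed and the 'used' formula is
the classic procps one."""
import os
import re

SAMPLE_MEMINFO = """\
MemTotal:        2048000 kB
MemFree:          604160 kB
MemAvailable:    1126400 kB
Buffers:           77824 kB
Cached:           512000 kB
SwapCached:            0 kB
SwapTotal:       1224704 kB
SwapFree:        1224704 kB
"""

KB_PER_MB = 1024  # free -m reports mebibytes


def parse_meminfo(text: str) -> dict:
    """Map every 'Field:   value kB' line to an integer number of kB."""
    fields = {}
    for match in re.finditer(r"^(\w+):\s+(\d+)(?:\s+kB)?\s*$", text, re.MULTILINE):
        fields[match.group(1)] = int(match.group(2))
    return fields


def memory_summary_mb(text: str) -> dict:
    """Total/used/free/buff-cache and swap figures in MB, as free -m shows them.
    used = MemTotal - MemFree - Buffers - Cached (older procps definition;
    newer releases use MemTotal - MemAvailable instead)."""
    kb = parse_meminfo(text)
    total, free = kb["MemTotal"], kb["MemFree"]
    buff_cache = kb.get("Buffers", 0) + kb.get("Cached", 0)
    swap_total, swap_free = kb.get("SwapTotal", 0), kb.get("SwapFree", 0)
    return {
        "total": total // KB_PER_MB,
        "used": (total - free - buff_cache) // KB_PER_MB,
        "free": free // KB_PER_MB,
        "buff_cache": buff_cache // KB_PER_MB,
        "available": kb.get("MemAvailable", 0) // KB_PER_MB,
        "swap_total": swap_total // KB_PER_MB,
        "swap_used": (swap_total - swap_free) // KB_PER_MB,
        "swap_free": swap_free // KB_PER_MB,
    }


def read_meminfo(path="/proc/meminfo") -> str:
    """Read the live file on Linux; fall back to the constructed sample elsewhere."""
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return SAMPLE_MEMINFO


if __name__ == "__main__":
    summary = memory_summary_mb(read_meminfo())
    print("{:>6} {:>8} {:>8} {:>8} {:>10}".format("", "total", "used", "free", "buff/cache"))
    print("{:>6} {total:>8} {used:>8} {free:>8} {buff_cache:>10}".format("Mem:", **summary))
    print("{:>6} {swap_total:>8} {swap_used:>8} {swap_free:>8}".format("Swap:", **summary))
```

Run on a Linux host it reads the live file, so the printed table can be compared directly with the output of free -m; on the constructed sample it reproduces the 2000/834/590 MB figures discussed above.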

There are varying options to monitor the CPU and memory usage. This can be done through
different methods.

Programmatically with LabVIEW 2012 and Later:

Using the System Configuration API, we can use the System Property Node to get memory usage
information and the Hardware Property Node to get both memory and CPU usage details. For more
information about how to use the Hardware and System Property Nodes, refer to the Resource
Monitor.vi example in LabVIEW by going to Help >> Find Examples... and, once the NI Example
Finder loads, browsing to Hardware Input and Output >> System Configuration.

Externally with Measurement & Automation Explorer (MAX) (Memory only):
1. Open MAX. We can do this by selecting Start»Programs»National
Instruments»Measurement & Automation.

2. Expand Remote Systems in the Configuration window.
3. Select our real-time controller.
4. In the main window, select the System Settings tab. This tab includes the total and
available memory, as well as the total disk space and the amount of free space on the
disk.

Externally with the NI Distributed System Manager (DSM) (LabVIEW 2009 or later):
1. Open Distributed System Manager. We can do this from Windows
by selecting Start»Programs»National Instruments»Distributed System
Manager, or from LabVIEW clicking Tools»Distributed System Manager.
2. Expand Network Items in the Configuration window.
3. Select our real-time controller's IP Address.
4. Select the CPU/Memory tab and view the memory usage in the Auto View.

We can also select the individual Shared Variable that holds the Free Memory value to view
the available memory.
