
Unit - 5 (CS)

This document discusses the intersection of legal issues and ethics in computer security, highlighting the limitations of the legal system in proactively preventing cybercrimes. It emphasizes the importance of understanding existing laws to protect computer systems and data, while also addressing the need for cyber laws to adapt to the rapid technological advancements. Additionally, it provides guidelines for individuals to safeguard their personal information online and outlines various areas covered by cyber laws.

Uploaded by

SRIKANTH KETHA
Copyright: © All Rights Reserved

[CYBER SECURITY]

UNIT 5: LEGAL ISSUES AND ETHICS

In this chapter we study human controls applicable to computer security: the
legal system and ethics. The legal system has adapted quite well to computer
technology by reusing some old forms of legal protection (copyrights and
patents) and creating laws where no adequate ones existed (malicious access).
Still, the courts are not a perfect form of protection for computer resources, for
two reasons. First, the courts tend to be reactive instead of proactive. That is,
we have to wait for a transgression to occur and then adjudicate it, rather than
try to prevent it in the first place. Second, fixing a problem through the courts
can be time consuming (sometimes taking years) and expensive; the latter
characteristic prevents all but the wealthy from addressing most security issues.

On the other hand, ethics has not had to change, because ethics is more
situational and personal than the law. For example, the privacy of personal
information is becoming an important part of computer security. And although
technically this issue is just an aspect of confidentiality, practically it has a long
history in both law and ethics. The purpose of this chapter is to round out our
study of protection for computing systems by understanding the context in
which security is assessed and applied.

Not always are conflicts resolved pleasantly. Some people will think that they
have been treated unfairly, and some people do indeed act unfairly. In some
countries, a citizen reacts to a wrongful act by going to court. The courts are
seen as the ultimate arbiters and enforcers of fairness. But, as most lawyers will
tell you, the courts' definition of fair may not coincide with yours. Even if you
could be sure the courts would side with you, a legal battle can be emotionally
draining. Our purpose in this section is not only to understand how the legal
system helps protect computer security but also to know how and when to use
the legal system wisely.

Law and computer security are related in several ways. First, international,
national, state, and city laws can affect privacy and secrecy. These statutes often
apply to the rights of individuals to keep personal matters private. Second, laws
regulate the use, development, and ownership of data and programs. Patents,
copyrights, and trade secrets are legal devices to protect the rights of developers
and owners of programs and data. Similarly, one aspect of computer security is
controlling access to programs and data; that access control is supported by
these mechanisms of the law. Third, laws affect actions that can be taken to
protect the secrecy, integrity, and availability of computer information and
service. These basic concerns in computer security are both strengthened and
constrained by applicable laws. Thus, legal means interact with other controls
to establish computer security.

However, the law does not always provide an adequate control. When computer
systems are concerned, the law is slowly evolving because the issues are similar
to but not the same as those for property rights. Computers are new, compared
to houses, land, horses, or money. As a consequence, the place of computer
systems in law is not yet firmly established. As statutes are written and cases
decided, the roles of computers and the people, data, and processes involved
are becoming more defined in the law. However, laws do not yet address all
improper acts committed with computers. Finally, some judges, lawyers, and
police officers do not understand computing, so they cannot determine how
computing relates to other, more established, parts of the law.

The laws dealing with computer security affect programmers, designers, users,
and maintainers of computing systems and computerized data banks. These
laws protect, but they also regulate the behavior of people who use computers.
Furthermore, computer professionals are among the best-qualified advocates
for changing old laws and creating new ones regarding computers. Before
recommending change, however, professionals must understand the current
state of computers and the law. Therefore, we have three motivations for
studying the legal section of this chapter:

• to know what protection the law provides for computers and data
• to appreciate laws that protect the rights of others with respect to
  computers, programs, and data
• to understand existing laws as a basis for recommending new laws to protect
  computers, data, and people

The next few sections address the following aspects of protection of the
security of computers.

PROTECTING PROGRAMS AND DATA


Protecting computing systems against criminals. Computer criminals violate
the principles of confidentiality, integrity, and availability for computer
systems. Preventing the violation is better than prosecuting it after the
fact. However, if other controls fail, legal action may be necessary. In this
section we study several representative laws to determine what acts are
punishable under the law.

Protecting code and data. Copyrights, patents, and trade secrets are all forms
of legal protection that can be applied to programs and, sometimes, data.
However, we must understand the fundamental differences between the
kind of protection these three provide and the methods of obtaining that
protection.

Protecting programmers' and employers' rights. The law protects both
programmers and people who employ programmers. Generally,
programmers have only limited legal rights to access programs they have
written while employed. This section contains a survey of the rights of
employees and employers regarding programs written for pay.

Protecting users of programs. When you buy a program, you expect it to work
properly. If it doesn't, you want the legal system to protect your rights as a
consumer. This section surveys the legal recourse you have to address
faulty programs.

Computer law is complex and emerging rather rapidly as it tries to keep up with
the rapid technological advances in and enabled by computing. We present the
fundamentals in this book not in their full detail as you would expect by
someone with a law degree, but as a situational analysis to heighten the
awareness of those who are not lawyers but who must deal with the law's
implications. You should consult a lawyer who understands and specializes in
computer law in order to apply the material of this section to any specific case.
And, as most lawyers will advise, ensuring legal protection by doing things
correctly from the beginning is far easier and cheaper than hiring a lawyer to
sort out a web of conflict after things have gone wrong.

INFORMATION AND THE LAW


Cyber law, also known as Internet law, is the part of the overall legal system
that is related to legal informatics and supervises the digital circulation of
information, e-commerce, software and information security. It is associated
with legal informatics and electronic elements, including information systems,
computers, software, and hardware. It covers many areas, such as access to and
usage of the Internet, and encompasses various subtopics such as freedom of
expression and online privacy.

Cyber laws help to reduce or prevent cybercriminal activity on a large scale by
protecting information access from unauthorized people. They also cover freedom
of speech related to the use of the Internet, privacy, communications, email,
websites, intellectual property, and hardware and software such as data storage
devices. As Internet traffic increases rapidly day by day, the number of legal
issues worldwide has risen with it. Because cyber laws differ according to the
country and jurisdiction, restitution ranges from fines to imprisonment, and
enforcement is challenging.

Cyber law offers legal protections for people who use the Internet as well as
for those who run an online business. It is most important for Internet users
to know the cyber law of their local area and country, so that they know which
activities on the network are legal and which are not. They can also keep
themselves from taking part in unauthorized activities.

The Computer Fraud and Abuse Act, called the CFAA, was the first cyber law; it
was enacted in 1986. This law was helpful in preventing unauthorized access to
computers. It also described the levels of punishment for breaking that law or
performing any illegal activity.

Why are cyber laws needed?

There are many security issues with using the Internet, and there are
malicious people who try to gain unauthorized access to your computer system in
order to commit fraud. Therefore, like any other law, cyber law is created to
protect online organizations and people on the network from unauthorized access
and malicious people. If someone performs an illegal activity or breaks a cyber
law, it allows people or organizations to take action against that person or to
have that person sentenced to punishment.

What happens if anyone breaks a cyber law?

If anyone breaks a cyber law, action is taken against that person on the basis
of the type of cyber law he broke, where he lives, and where he broke the law.
There are many possible outcomes. For example, if you break the rules on a
website, your account may be banned or suspended and your IP (Internet
Protocol) address blocked. Furthermore, if a person performs a very serious
illegal activity, such as causing another person or company distress, hacking,
or attacking another person or website, further action can be taken against
that person.

Importance of Cyber Law

Cyber laws are formed to punish people who perform any illegal activities
online. They are important for punishing offenses such as online harassment,
attacking another website or individual, data theft, disrupting the online
workflow of an enterprise, and other illegal activities.


If anyone breaks a cyber law, action is taken against that person on the basis
of the type of cyber law he broke, where he lives, and where he broke the law.
It is most important to punish the criminals or to put them behind bars, as
most cybercrimes go beyond what can be considered a common crime.

These crimes can seriously harm the reliability and confidentiality of the
information of a person or a nation. Therefore, these issues must be handled
according to the laws.

o When users carry out transactions on the Internet, cyber law covers every
transaction and protects them.
o It touches every reaction and action in cyberspace.
o It captures all activities on the Internet.

Areas Involved in Cyber Laws

These laws deal with multiple activities and areas that occur online and serve
several purposes. Some laws are formed to describe the policies for using the
Internet and the computer in an organization, and some are formed to offer
people security from unauthorized users and malicious activities. There are
various broad categories that come under cyber laws; some are as follows:

Fraud

Cyber laws are formed to prevent financial crimes such as identity theft,
credit card theft and others that occur online. A person may face federal or
state criminal charges if he commits any type of identity theft. These laws set
out strict policies for prosecuting and defending against allegations involving
use of the Internet.

Copyrighting Issues

The Internet is a source that contains different types of data, which can be
accessed anytime, anywhere. But that does not give anyone the authority to copy
another person's content. Cyber laws define strict rules for anyone who
violates copyright, which protects the creative work of individuals and
companies.


Scam/Treachery

There are different frauds and scams on the Internet that can be harmful to
any company or individual. Cyber laws offer many ways to protect people and to
prevent identity theft and financial crimes that happen online.

Online Insults and Character Degradation

There are multiple online social media platforms that are good resources for
sharing your thoughts freely with anyone. But there are rules in cyber laws
that apply if you speak about and defame someone online. Cyber laws address and
deal with many issues, such as racism, online insults, and gender-based
targeting, to protect a person's reputation.

Online Harassment and Stalking

Harassment is a big issue in cyberspace and is a violation of both criminal and
civil law. Cyber laws define strict provisions to prohibit these kinds of
despicable crimes.

Data Protection

People using the Internet depend on cyber laws and policies to protect their
personal information. Companies and organizations also rely on cyber laws to
protect the data of their users as well as to maintain the confidentiality of
their own data.

Contracts and Employment Law

When you visit a website, you often click a button on a message that asks you
to agree to the terms and conditions; if you agree, you have made use of cyber
law. Every website has terms and conditions that are associated with privacy
concerns.

Trade Secrets

Many organizations that do business online rely on cyber laws to protect their
trade secrets. For example, online search engines like Google spend much time
developing the algorithms that generate a search result. They also spend lots
of time developing other features such as maps, intelligent assistance, and
flight search services, to name a few. Cyber laws help these organizations to
take legal action by setting out the laws necessary for protecting their trade
secrets.

How to protect yourself on the Internet

Although the Internet is a resource that contains many different types of
content, there are many hackers and unauthorized users who may try to harm you
by stealing your personal information. The steps below may help you keep your
personal information and computers safe while using the Internet. These steps
and suggestions can benefit all computer users, regardless of the type of
computer, device, or operating system they are using.

Verify data is encrypted

When you are sending any confidential information, such as debit card numbers,
credit card numbers, usernames, or passwords, send it securely. In Internet
browsers, look for a small lock (the Internet browser security lock) to verify
this; the icon will be shown in the bottom right corner of the browser address
bar or browser window. If you see the icon, it should be in a locked condition
and not in an unlocked position. Also, make sure the URL starts with https
(Hypertext Transfer Protocol Secure), as displayed in the screenshot below:

[Screenshot: browser address bar showing an https URL]

If the lock icon is in the locked position and data is intercepted, the data is
encrypted, which keeps it secure and prevents others from understanding it. If
the lock is in the unlocked position or no lock is visible, the data can be
read by anyone, because all information is sent as plain text. For example, if
an online forum is not secure, use a password for it that you do not use on
protected sites such as an online banking website.

Use a safe password

Websites that contain confidential information, such as an online banking site,
need very strong passwords. It is also recommended that you use a different,
strong password for every website that requires a login ID and password. You
can use a password manager if you need help remembering your passwords.

Keep your software and operating system up-to-date

To protect yourself on the Internet, regularly update the operating system and
the software installed on your computer. This is necessary because many of the
updates released by operating system developers address computer security
issues. Therefore, you should update your system when the latest updates are
released.

When available, always enable two-factor authentication

You can use two-factor authentication to make accounts more secure, such as
Gmail or others that require a login and contain your private data. It offers
advanced protection by adding an additional step to verify you at the time of
login. If you enable two-factor authentication and the service does not
recognize your computer or other device after authenticating your password, it
sends a text message with a verification code to your cell phone. This gives
stronger security; for example, if someone knows the password of one of your
accounts and tries to access it but does not have your phone, he cannot access
your account even with a valid password.

Always be cautious of e-mail links and attachments


Email attachments and hyperlinks sent through email are the most common means
of spreading viruses and malware. It is recommended to always be extremely
cautious about opening any attachments and hyperlinks that you have received
through email from others, even if they were sent by a friend or family member.

Be aware of phishing scams

There are many phishing scams and techniques that can cause you to lose your
secret information. Therefore, it is necessary to familiarize yourself with
these types of techniques. Hackers mainly target websites that need a login,
such as PayPal, eBay, Amazon, online banking sites, and other popular sites.

E-mail is not encrypted

If you send any confidential information through email, it can be read or
understood by unauthorized users, as email is not encrypted. Therefore,
confidential data such as debit card information, credit card information,
passwords and more should not be transmitted over e-mail.

Use an alternative browser

Internet browsers also play an important role in protecting your systems. For
example, earlier versions of Internet Explorer are not very secure. If you are
using a less secure browser such as Internet Explorer, you should switch to
another browser like Mozilla Firefox or Google Chrome. Also, if you are using
the Microsoft Windows 10 operating system on your computer and want to keep
using a Microsoft Internet browser, you can switch from Internet Explorer to
Microsoft Edge, which is more secure in terms of protecting your systems.

Use caution when accepting or agreeing to prompts

When you are prompted to install an add-on or any program, read and understand
the agreement carefully before clicking the Ok button. If you do not understand
the agreement or feel the installation is not necessary, do not install the
program, which may be harmful to you; cancel or close the window instead.

Also, when you are installing an add-on or any program, pay attention to any
check box that asks whether it is ok to install a third-party program. These
programs often cause more issues, so leave these boxes unchecked, because they
are never required.

Be cautious where you are logging in from

Business

If you work in an organization, your place of work can monitor your computer by
installing key loggers or using other methods. In this case, anyone who has
access to these logs can read them and collect usernames and passwords, which
can lead to the loss of your personal information. Additionally, if your
computer is shared with other co-workers, do not store any passwords in your
browser.

Wireless network

When you are using a wireless network, be aware that all the information sent
from and to your computer can be intercepted and read by an unauthorized
person. You can log in to the network securely by using WPA or WEP and so
prevent the loss of your secret information. Furthermore, if it is a home
wireless network, make sure the network is secure.

Friend's house

Sometimes you may use a friend's computer and log in to your account on that
computer, which may not be fully secure. Intentionally or unintentionally, you
may enter your username and password on your friend's computer or on a computer
you are not familiar with. Never save password information in the browser when
you are logging in to any site on a friend's computer.

Always think before you share something

There are many social media sites, such as Instagram and Facebook, that enable
you to make online friends and connect with them. Networking sites are also a
place to share your personal information with your friends, family or others.
When you share something on social networking sites or the Internet, make sure
you are not sending any information that can be harmful to you if everyone sees
it. Treat anything sent on a social network or the Internet as public. Also,
make sure that what you share will not offend anyone or embarrass you;
otherwise, it must not be uploaded to the Internet.


Update Internet browser plugins

You should update Internet browser plugins or install the latest versions to
protect yourself while online. Attackers may find security vulnerabilities in
browser plugins like Adobe Flash that make it easier to hack a system.
Therefore, you need to check regularly that all your installed Internet
plug-ins are up-to-date.

Be aware of those around you

If you are working on a computer in a public area, school, library or similar
place, make sure no one is looking at your screen, as there will be many people
around you. Be cautious of anyone looking at your screen, which is called
shoulder surfing. If you need to keep your screen private, you can use a
privacy filter for the display.

Secure saved passwords

Many users are in the habit of saving login information and passwords on the
system, but this can be insecure. Therefore, make sure you are storing your
personal details, such as credit card details and account passwords, in a
secure area. It is recommended that everyone use a password manager to save
passwords.

A password manager is software that holds all your login information, securely
encrypts it, and password-protects it. If you save a password in a browser and
anyone has access to your Internet browser, the password information may be
seen by that person. For instance, in the Firefox Internet browser, anyone can
see all stored passwords if you do not set up a master password.

RIGHTS OF EMPLOYEES AND EMPLOYERS


Cyprus Employment Law is a combination of common laws and statutes that
govern the relationship between an employer and employee. Since employment
is regarded as a contract, contract law's standard principles underlie all
employment agreements in Cyprus. As such, it is understood that both parties
agreed to the terms and conditions of the contract freely and willingly. Several
statutory regulations and obligations, such as the Termination of Employment
Law of 1967, and collective agreements, complement common law to ensure
that employee rights are protected.


Employee Rights Safeguarded by the Statute

In addition to honoring contract law, employers are obligated to uphold all
employees' constitutional rights (to work, strike, and be treated equally in
the workplace). Furthermore, several statutes related to employment exist to
safeguard workers' rights in Cyprus. The most important is the Termination of
Employment Law of 1967. Others include:
• The Social Security Insurance Law of 1967,
• The Annual Paid Leave Law of 1967,
• The Protection of Maternity Law of 1997,
• The Health and Safety at Work Law of 1996,
• The Collective Redundancies Law of 2001,
• The Equal Treatment at Work and Employment Law of 2004, and
• The Minimum Salaries Law.

Employers are also obligated to inform employees of conditions related to the
employment relationship or any changes to those conditions.

Employment Contracts

In Cyprus, contracts are binding whether they are written agreements or not.
However, employers must provide details of the terms of employment within a
month of the commencement date. It needn't be a formal employment contract
either. Any document, contract, or letter of appointment that outlines the terms
of employment and is signed by the employer will do.

It's important to note that statutory and common law rights and obligations
apply to all employment contracts. This is irrespective of them being mentioned
in the agreement or not. Some employee rights include the following:
• A working week, including or excluding overtime, cannot exceed 48 hours.
• Parents are entitled to maternity and parental leave.
• A minimum of 20 weeks should be available for maternity leave.
• All employees have the right to be paid equally for equal work done.
• The minimum wage is guaranteed for employees in specific industries.


Termination of Employment in Cyprus

In Cyprus, the most important employment law related statute is the
Termination of Employment Law. It regulates termination of employment, and
its primary purpose is to protect employees against dismissal. This law covers all
employees, whether in the private or public sector.

According to the Termination of Employment Law of 1967, employers must give
adequate notice of termination. However, the notice period varies depending
on the length of service:
• 26 to 52 weeks of service requires a notice period of one week,
• 52 to 104 weeks of service requires a notice period of two weeks,
• 104 to 156 weeks of service requires a notice period of four weeks,
• 156 to 208 weeks of service requires a notice period of five weeks,
• 208 to 260 weeks of service requires a notice period of six weeks,
• 206 to 312 weeks of service requires a notice period of seven weeks, and
• 52 to 104 weeks of service requires a notice period of eight weeks

Employers are obligated to provide a reason for dismissal. If they cannot give a
reason or the reason is unjustified, the employee has the right to file a claim of
unlawful dismissal.
There are certain circumstances where employers are not lawfully entitled to
terminate an employment contract. For instance, your employer legally can't
fire you for being a member of a trade union or a safety committee. Similarly,
you can't be dismissed for filing a complaint in good faith.

Employers are lawfully entitled to terminate an employment agreement and
dismiss the employee in the following scenarios:
• An employee's work performance is not up to standard;
• A role has become redundant;
• Force majeure, war, civil unrest, natural disasters, or an act of God;
• Non-renewal at the end of a fixed period;
• An employee is subject to summary dismissal based on their conduct;
• The relationship between the employee and employer cannot be expected to
  continue due to the employee's conduct;
• An employee commits a disciplinary or criminal offense or behaves
  indecently;
• An employee repeatedly violates or ignores the terms of employment.

Termination based on redundancy has to meet certain criteria as well. If a
company closes or relocates to different premises, an employer may terminate
the employment agreement lawfully as long as employees are given adequate
notice. Technological advances or any other changes in its production method
may also cause redundancy. In the cases below, a company also has grounds to
let go of employees on the basis of redundancy:
• when the company downsizes,
• when it experiences a reduction in profits,
• if a product is no longer successful in the market.

Maternity and Family Leave Rights

Cyprus' Protection of Maternity Law of 1997 guarantees female and male
employees leave after a child's birth. Employees are entitled to 18 continuous
weeks of maternity leave and up to two weeks of paternity leave.
This statute doesn't obligate employers to pay wages or benefits to employees
on maternity leave. However, it does protect pregnant workers from dismissal
due to pregnancy. Additionally, pregnant employees are entitled to paid time
off.

Minimum Wage

For most employment agreements, the employer and employee agree upon a
salary through negotiation. However, certain occupations have a guaranteed
minimum wage. The amount is set yearly by the Ministerial Council's order,
which sits annually on the 1st of April. The minimum wage statutes cover the
following workers:
• Shop assistants
• Clerks
• School assistants
• Security guards
• Nursing assistants
• Assistant baby and childminders
• Employees with caring and sanitation duties in senior living communities,
  private hospitals, and clinics.
• A minimum hourly wage exists for security guards and cleaners.

Discrimination

Employment and labour law in Cyprus protects employees against all forms of
discrimination (age, gender, language, race, ethnicity, nationality, religion,
sexual orientation, or political beliefs). Unequal pay based on sex is prohibited
explicitly in Cyprus, where workers are entitled to equal compensation for equal
work.
The law also protects employees who file sexual harassment complaints. Sexual
harassment complaints should be investigated by a Gender Equality Inspector
or the Ombudsman.
In the event of unfairness, employees have two options. They may file a civil
claim or file a complaint to the relevant authorities depending on the nature of
discrimination. If the discrimination claim is successful, employees are entitled
to claim damages, reinstatement, and attorney's fees.
Part-time and fixed-term employees should also be treated equally. Part-time
workers are entitled to the same salary and benefits as full-time employees
fulfilling the same duties. Employers should pay part-time workers pro-rata to
the number of hours worked.

Working Hours
Employees working a five-day week should not exceed 48 hours per week or
eight hours a day. This restriction includes overtime. There are circumstances
where different limitations apply. The hotel industry is one example. Shift
workers also have other limits. Employees are also entitled to a minimum of 11
continuous hours of rest every 24 hours. Also, they have the right to a constant
24-hour rest period each week. Furthermore, employees are entitled to either
two consecutive days off with a 14-day cycle.

REDRESS FOR SOFTWARE FAILURES


So far, we have considered programs, algorithms, and data as objects of
ownership. But these objects vary in quality, and some of the legal issues
involved with them concern the degree to which they function properly or well.
In fact, people have legitimate differences of opinion on what constitutes "fair,"
"good," and "prudent" as these terms relate to computer software and
programmers and vendors. The law applies most easily when there is broad
consensus. In this section we look closely at the role that quality plays in various
legal disputes. At the same time, we also look at the ethical side of software
quality, foreshadowing a broader discussion on ethics later in this chapter.

Program development is a human process of design, creation, and testing,
involving a great deal of communication and interaction. For these reasons,
there will always be errors in the software we produce. We sometimes expect
perfect consumer products, such as automobiles or lawn mowers. At other
times, we expect products to be "good enough" for use, in that most instances
will be acceptable. We do not mind variation in the amount of cheese in our
pizza or a slight flaw in the glaze on a ceramic tile. If an instance of a product is
not usable, we expect the manufacturer to provide some appropriate remedy,
such as repair or replacement. In fact, the way in which these problems are
handled can contribute to a vendor's reputation for quality service; on the rare
occasions when there is a problem, the vendor will promptly and courteously
make amends.

But the situation with software is very different. To be fair, an operating system
is a great deal more complex than many consumer products, and more
opportunities for failure exist. For this reason, this section addresses three
questions:

• What are the legal issues in selling correct and usable software?
• What are the moral or ethical issues in producing correct and usable
software?
• What are the moral or ethical issues in finding, reporting, publicizing, and
fixing flaws?
In some ways, the legal issues are evolving. Everyone acknowledges that all
vendors should produce good software, but that does not always happen. The
more difficult concerns arise in the development and maintenance communities
about what to do when faults are discovered.

Selling Correct Software


Software is a product. It is built with a purpose and an audience in mind, and it
is purchased by a consumer with an intended use in an expected context. And
the consumer has some expectations of a reasonable level of quality and
function. In that sense, buying software is like buying a radio. If you buy a faulty
radio, you have certain legal rights relating to your purchase and you can enforce
them in court if necessary. You may have three reactions if you find something
wrong with the radio: You want your money back, you want a different (not
faulty) radio, or you want someone to fix your radio. With software you have
the same three possibilities, and we consider each one in turn.

To consider our alternatives with software, we must first investigate the nature
of the faulty code. Why was the software bad? One possibility is that it was
presented on a defective medium. For example, the CD may have had a flaw and
you could not load the software on your computer. In this case, almost any
merchant will exchange the faulty copy with a new one with little argument. The
second possibility is that the software worked properly, but you don't like it
when you try it out. It may not do all it was advertised to do. Or you don't like
the "look and feel," or it is slower than you expected it to be, or it works only
with European phone numbers, not the phone scheme in your country. The
bottom line is that there is some attribute of the software that disappoints you,
and you do not want this software.

The final possibility is that the software malfunctions, so you cannot use it with
your computer system. Here, too, you do not want the software and hope to
return it.

I Want a Refund
If the item were a radio, you would have the opportunity to look at it and listen
to it in the shop, to assess its sound quality, measure its size (if it is to fit in a
particular space), and inspect it for flaws. Do you have that opportunity with a
program? Probably not.

The U.S. Uniform Commercial Code (UCC) governs transactions between buyers
and sellers in the United States. Section 2-601 says that "if the goods or the
tender of delivery fail in any respect to conform to the contract, the buyer may
reject them." You may have had no opportunity to try out the software before
purchase, particularly on your computer. Your inspection often could not occur
in the store (stores tend to frown on your bringing your own computer, opening
their shrink-wrapped software, installing the software on your machine, and
checking the features). Even if you could have tried the software in the store,
you may not have been able to assess how it works with the other applications
with which it must interface. So you take home the software, only to find that it
is free from flaws but does not fit your needs. You are entitled to a reasonable
period to inspect the software, long enough to try out its features. If you decide
within a reasonably short period of time that the product is not for you, you can
cite UCC §2-601 to obtain a refund.

More often, though, the reason you want to return the software is because it
simply is not of high enough quality. Unfortunately, correctness of software is
more difficult to enforce legally.

I Want It to Be Good
Quality demands for mass market software are usually outside the range of legal
enforcement for several reasons.

o Mass-market software is seldom totally bad. Certain features may not
work, and faults may prevent some features from working as specified or
as advertised. But the software works for most of its many users or works
most of the time for all of its users.
o The manufacturer has "deep pockets." An individual suing a major
manufacturer could find that the manufacturer has a permanent legal
staff of dozens of full-time attorneys. The cost to the individual of bringing
a suit is prohibitive.
o Legal remedies typically result in monetary awards for damages, not a
mandate to fix the faulty software.
o The manufacturer has little incentive to fix small problems. Unless a
problem will seriously damage a manufacturer's image or possibly leave
the manufacturer open to large damage amounts, there is little
justification to fix problems that affect only a small number of users or
that do not render the product unfit for general use.

Thus, legal remedies are most appropriate only for a large complaint, such as
one from a government or one representing a large class of dissatisfied and vocal
users. The "fit for use" provision of the UCC dictates that the product must be
usable for its intended purpose; software that doesn't work is clearly not usable.
The UCC may help you get your money back, but you may not necessarily end
up with working software.

Some manufacturers are very attentive to their customers. When flaws are
discovered, the manufacturers promptly investigate the problems and fix
serious ones immediately, perhaps holding smaller corrections for a later
release. These companies are motivated more by public image or moral
obligation than by legal requirement.

Trope [TRO04] proposes a warranty of cyberworthiness. The warranty would
state that the manufacturer made a diligent search for security vulnerabilities
and had removed all known critical ones. Furthermore, the vendor will continue
to search for vulnerabilities after release and, on learning of any critical ones,
will contact affected parties with patches and work-arounds. Now, a maker is
potentially liable for all possible failings, and a major security-critical flaw could
be very costly. Trope's approach limits the exposure to addressing known
defects reasonably promptly.

COMPUTER CRIME
Computer crime describes a large category of offenses and is also known as
hi-tech crime, e-crime, cybercrime, or electronic crime. It is performed by a
computer user who has great knowledge about hacking. The hacker tries to gain
unauthorized access to a particular account or to personal information, or
steals a company's or individual's private information. In some cases, hackers
can corrupt the computer or data files, which can be very harmful to you.

The term computer crime has different meanings depending on the person,
situation, and individual frame of reference. For example, there are different
communities such as network administrators, private security, law enforcement,
and prosecutors, but the investigation of computer crime does not need these
communities. However, by its very nature, computer crime is not restricted by
conventional or physical borders.

The first definitional categories for computer crime were presented by Donn
Parker, who is generally cited as the author. He described a higher-level
definition under the term computer abuse: computer crime can be any event
involving a planned act, related to computers, in which an unauthorized person
or offender wants to gain, but a victim suffered or could have suffered a loss.

Expanding on Parker's definitions, Robert Taylor and company describe four
major categories of computer crime:

1. The computer as a target: Computers can be the target of an illegal
activity, which means the attacker's main objective is to deny the
owners or legal users of the system access to their data or computer.
Unleashing a virus through email is one of the most common crimes when
targeting computers. An example of this category (computer as a target)
is a Denial-of-Service attack or a virus. A virus is a computer program
intended to destroy your system's data or even the computer system itself.
2. The computer as an instrument of the crime: In this category, a computer
is used to carry out complex financial schemes to defraud, or to gain
information or data that is then used for illegal activity. For instance,
a hacker can use a computer system to steal personal information, which
can be used for a criminal objective.
3. The computer as incidental to a crime: The computer may be incidental
to a crime, meaning it only facilitates the crime and is not the
primary instrument of it. Examples are the trading of child pornography
and money laundering.
4. Crimes associated with the prevalence of computers: This category
comprises actions such as software piracy, intellectual property
theft, and other crimes against the computer industry.

Examples of computer crimes

There are various kinds of computer crime today, which are discussed below:

o Child pornography: Child pornography is an example of computer crime,
which is a form of child sexual exploitation.
o Cracking: Another example of computer crime is cracking, in which the
cracker decodes or breaks the codes that are designed to protect data. A
cracker is an individual who uses a script or program to decipher codes or
break down security systems for illegal activities. The program or script
used to break the security is known as a crack.
o Copyright violation: If anyone steals another person's copyrighted data,
it is also a type of computer crime.
o Cyber terrorism: This category covers attacks such as blackmail,
hacking, and threats against a person or business, made to gain
unauthorized access in order to perform illegal activities.
o Cybersquatting: Cybersquatting, also referred to as domain squatting and
typo squatting, means setting up a domain of another person or company
and holding it for resale at a premium price.
o Cyberbullying or cyberstalking: Cyberstalking is a kind of attack in which
someone harasses or stalks other persons online by posting inappropriate
or unwanted things about them.
o Creating Malware: Malware is malicious software that is installed on your
computer without your consent, using deceptive and unethical tactics.
It is designed to watch browsing habits, delete software, or even open
someone's computer to attack. For instance, you may mistakenly run
software on your computer when you visit a website and get an
unrequested download.
o Denial of Service attack: A DoS attack, which stands for denial of service
attack, is a kind of computer crime in which an attacker sends an
abnormally high number of requests to the victim, which leads the
network to slow down or fail. These requests cannot be served as normal
requests.
o Doxing: It is another type of attack, in which someone shares another
person's personal information with others without their consent. The
personal information may be in the form of someone's full name, address,
history, password, and other identifying information.
o Espionage: Espionage is the act of spying on a person or business to
obtain secret or confidential information. A person who performs these
kinds of activities is known as a spy or espionage agent. Espionage agents
can work in company or independent operations to uncover agencies or
other secret information.
o Fraud: Fraud is the use of computers, internet services, or devices to
manipulate data or defraud people or organizations; for example, to
participate in credit card fraud or to transfer money to an account by
changing banking records. Illegal computer activities such as social
engineering, DDoS, viruses, and phishing attacks are used to gain
unauthorized access to another's funds.
o Harvesting: A harvester, also known as a web harvester, is software that
is designed to gather account or account-related information of others; it
is also used to parse large amounts of data. For instance, a web harvester
may process large numbers of web pages to extract names, phone numbers,
email addresses, and account names from a website.
o Human trafficking: It is one of the serious crimes, the act of
participating in buying or selling other humans. It is a grave
violation of human rights. Thousands of men, women, and
children become victims of traffickers. Approximately all countries
in the world become a victim of attackers.
o Identity theft: Identity theft is the act of pretending to be a person you
are not. In this category, attackers try to gain information illegally about
someone else. Attackers or thieves can try to obtain information such as
phone number, credit card numbers, full name, maiden name, social security
number, passwords, etc.
o Illegal sales: It is an act of purchasing or selling illicit goods online, such as
psychotropic substances, drugs, guns, and more.
o Intellectual property theft: It is a category of property where a human
creates something by using their own mind. In this case, if anyone steals
practical or conceptual information that is created by other persons or
organizations, it comes under intellectual property theft, which is known
as a crime. Trade secrets, copyrights, trademarks, and patents are well-
known types of intellectual property.
o Phishing or vishing: It is a term that is used to deceive individuals or
groups to obtain secret information about that person. For that, they
create web pages designed to gather personal information like a credit
card, online bank, password, or other private information. They also do so
with the help of sending emails.
o Salami slicing: Generally, it can be defined as stealing small amounts of
money from each transaction that builds into a large sum of illegally
gained money.
o Scam: A scam is a way of tricking people into believing
something that is not actually true. For example, people start a fraud
scheme or business through which they gain money from an unsuspecting
person. Online scams have increased because the world is more
connected to the network. It is up to you to guard yourself
against these kinds of online scams.
o Slander: Slander is the act of posting libel against another organization
or person.
o Software piracy: Generally, it describes illegally copying, distributing, or
using software without ownership or legal rights. Today, most software
may be installed on only one computer, as it is purchased under
a single-user license. If you share that software with anyone or copy it on
multiple computer devices without purchasing multiple licenses, it is
illegal and comes under software piracy.
o Spamming: Spam is the mass distribution of e-mail to promote
a specific product or a scam to obtain other people's money by sending
unsolicited e-mail to thousands and sometimes millions of people without
their consent. It describes junk e-mail on the Internet that is also known
as UCE (unsolicited commercial e-mail), mass e-mail marketing, and bulk
e-mail.
o Spoofing: Generally, the term spoof describes hacking or deception in
which a system is deceived by imitating another person, computer, or
hardware device. This is done to bypass security measures. IP spoofing is
one of the well-known forms of spoofing.
o Typosquatting: Typosquatting is a term used to describe a domain that
is a misspelling of another domain. Generally, it is also known as domain
squatting and typo squatting, which means a company or individual
knowingly buys a domain and holds it for resale at a premium price.
o Unauthorized access: This is when someone tries to access a system, server,
program, or service by using an illegal method or someone else's
account information. Basically, unauthorized access means accessing a
system that you have no permission to access. For example, if you have
a Gmail account and someone keeps guessing the password or username for
your account and gains access to it, that is considered
unauthorized access.
o Wiretapping: Wiretapping is surreptitious electronic monitoring in which
a device is connected to a phone line to listen to
conversations.

Protect Yourself against Computer Crimes

Losing account information, a computer, or other personal information to
computer crime or cybercrime can be very harmful, because this information can
be used by an unauthorized person for illegal activity. The chances of
becoming a victim of these crimes are greater as you rely more and
more on these networks to conduct business. However, there are different ways
to protect yourself from these crimes.

The online use of computers is heavily involved in fraud and computer crime.
You must be careful when sharing important personal information over the
internet, such as your social security number, account ID, password, or
credit card number.

Also, as a basic precaution for keeping your data private, use a difficult
password and change it frequently, which makes hacking more
difficult. Make sure you do not carry out financial transactions over
unprotected networks or on public computers. A good anti-virus program also
helps to prevent these crimes, so you should install anti-virus on your system
and update it regularly. Furthermore, various websites can carry
viruses, spyware, or other malware; therefore, be careful when you are
downloading software from these kinds of websites.

There are some important key points that can help you protect against
computer crimes:

o Use strong passwords: Always use a strong, unique password and change
your password frequently. Reusing a password is not beneficial,
so do not keep the same passwords on different sites. You should
always try to create a complex password: a combination of at least 10-14
letters together with symbols, special characters, and numbers. A complex
password cannot be hacked as easily as "123456" or another simple
password.
o Keep your software updated: This is most important for your
internet security software, because attackers always try to gain access to
your system by using flaws or known exploits. Therefore, you should keep
your software up to date, which helps to patch those exploits and flaws
and decreases the chances of becoming a victim of cybercrime.
o Be careful about using public Wi-Fi: It is very easy for hackers to connect
to public Wi-Fi. That means they can see what you are doing
on the internet, such as watching a movie, and they can also see the
account information, passwords, or other sensitive personal information
you enter on the device. To protect yourself against crime, do not
enter your secret information while using public Wi-Fi, and when you are
on public Wi-Fi, use apps that need a password to access.
o Manage your social media settings: Make sure your private and personal
information is locked. Pictures and other data that you share publicly on
social media sites can be exploited by social engineering
cybercriminals. So, it is better to share less of your personal
information on social media.

ETHICAL ISSUES IN COMPUTER SECURITY


So we hire cybersecurity experts to be the guardians at the gates, protecting our
systems and information from those who would misuse them. We place a great
deal of trust in these professionals who can assign and revoke passwords and
access privileges, who can read our emails, track our web activity and scan our
computers to reveal all their contents.

Issues Facing Cybersecurity Professionals

On the one hand, we seem to have little choice in the matter. Most people’s
lives don’t revolve around virus signatures and threat vectors; most of us use
computers and smartphones and networks to do other things, so we have to
entrust our security to the experts. However, we should understand that
cybersecurity experts face special ethical issues that the rest of us may not ever
deal with.

Confidentiality

Confidentiality is a key ethical issue in cybersecurity. Security professionals will,
by the nature of their profession, see and handle personal, private or proprietary
information that should be kept strictly confidential. People working in these
fields may be tempted to reveal whatever juicy gossip they discovered while
running a virus scan on somebody’s hard drive, but doing so could ruin that
person’s career or personal life. Cybersecurity professionals should follow what
has been called the “butler’s credo”: The butler never tells.

Security

Security is another ethical issue, which may sound redundant when speaking of
a cybersecurity professional, but think of it this way: If we’re all responsible for
following appropriate cybersecurity procedures in our own lives, take your
personal level of responsibility and multiply it by 100. That’s the security
responsibility of a cybersecurity professional. If most people leave their
computer unattended or neglect to perform a scheduled update, it may not be
a big deal; but for a cybersecurity expert, that could be a severe ethical lapse.
They, more than anyone, are obliged to keep devices, data and networks secure.

The Ethics of Whistleblowing

Let’s say you work for a company that mostly does good work, but one business
unit is involved in something you think is ethically wrong. If you steal electronic
documentation of the business’ shady practices and provide it to the media or
law enforcement, you could shine a light on their wrongdoing and hopefully put
a stop to it. You’ve done what you think is a good deed—or at least you’ve done
a questionable deed to achieve a good result. Congratulations, you're
a whistleblower. But does the end justify the means? Have you behaved
ethically?
The answer, of course, depends on the details of the situation, as well as whom
you ask. To many people, Edward Snowden is a hero who discovered that the
National Security Agency was conducting unethical surveillance on innocent
Americans. The fact that he had to steal the documentation of these practices
in order to provide it to the public is almost entirely beside the point. To others,
he is a criminal (that part is beyond dispute) and a traitor who endangered the
lives of intelligence agents working for the United States and its allies by
revealing classified information about clandestine operations. Did he behave
ethically? What do you think?

Threats to Privacy

Privacy concerns are intertwined with cybersecurity issues in a complex
relationship. Cybersecurity is intended to defend us against such threats
as ransomware and identity theft, two forms of hacking that depend on deeply
violating a user’s privacy. Think about all the high-profile data breaches that
have happened recently: Target’s 70 million credit-card transactions recorded
by thieves, Facebook’s 87 million user records compromised by Cambridge
Analytica, Equifax’s 143 million credit records stolen by unknown parties.
Organizations that possess personal information about their users are ethically
responsible for protecting that information from hackers. Unfortunately, in
many high-profile data breaches the organizations that got hacked were at least
partially at fault. For instance, in Equifax’s case [1], the firm was
initially hacked through a consumer complaint web portal on the company’s site.
The attackers used a widely known vulnerability that Equifax should have
already patched. However, the company’s internal processes for rolling
out patches were insufficient or were not being followed, causing the
vulnerability to remain unpatched and leaving the door wide open for
the hackers to get busy stealing.
In a world where unauthorized access is a fact of life, we need security measures
to protect our devices, data and networks. However, sometimes the security we
implement to protect our privacy can wind up violating it instead, as when
Edward Snowden found that the NSA was collecting far more data than the
agency’s director had admitted to Congress. One of the main reasons Snowden
stole classified files from the NSA and provided them to the public is that he felt
the agency was collecting too much information on the wrong people. In other
words, he believed that the NSA was violating the privacy of law-abiding
Americans for no good reason.

Wrestling With the Dilemma

How do we balance the need to be secure with the need to protect our privacy?
How do we determine the extent of an organization’s ethical responsibility to
safeguard our information or respect our privacy—and how do we hold them
accountable? The first step we all need to take is to value privacy as a worthy
end in itself. The notion that people are entitled to privacy stems from the
ethical idea that humans have intrinsic worth and dignity. Beings with dignity
are entitled to privacy, both in person and online. To behave or believe
otherwise would violate our most deeply held ethical principles.

That’s the starting point for a set of ethical debates that we have to have. We
may never arrive at a solution that pleases everyone, but at least we’ll be asking
the right questions and moving in the right direction: greater safety, security and
privacy for us all.

INCIDENT ANALYSIS WITH ETHICS EMERGING TOPICS:


Ethics — moral principles that govern a person’s behavior — is a critical part of
any sound cybersecurity defense strategy. Without clear ethical standards and
rules, cybersecurity professionals are almost indistinguishable from the black-
hat criminals against whom they seek to protect systems and data.

The study of cybersecurity ethics, which encompasses a wide array of
approaches and schools of thought, does not offer a simple solution to the many
complex ethical dilemmas IT professionals, chief information security officers
(CISOs) and organizations face on a daily basis.

A Shaky Moral Compass

The cybersecurity landscape shifts every year. As a booming, immature industry,
organizations are desperate to fill the growing chasm of security jobs amid a
serious shortfall of skilled graduates.

In this frenetic climate, we tend to focus on developing individuals’ cybersecurity
knowledge and talent and putting them on the front line as quickly as possible.
In the mad rush, we often forget to consider how new recruits could potentially
abuse these abilities on the job or in the wild. Lacking context on cybersecurity
ethics, individuals must defer to their personal moral compass. This leads to
good decisions as often as it leads to mistakes.

How can management infuse the highest of cybersecurity ethical standards and
intrinsic values? If your organization has not done so already, you should
strongly consider implementing an ethical practice policy, guidelines and/or
code of conduct for your IT and security staff to follow. Review this policy
regularly in the context of available industry guidelines and best practices. After
formulating a clear policy, be sure to engage your employees in the ethics
conversation by offering training and guidance.

Even the most ethical and highly technical of cybersecurity teams cannot
prevent the most determined attackers. It is wise, therefore, to thoroughly
prepare for cybersecurity incidents. This requires a well-prepped incident
response plan that encompasses the technical details, practical instructions for
executive and legal teams, and any key ethical considerations.

Harrowing Headlines

Aside from their employees, businesses themselves must fulfill certain ethical
and legal obligations in the event of a security incident, particularly a data
breach. Time is undoubtedly a key factor in responding to cyberattacks.
However, notifying customers and clients about any serious, immediate
implications, such as stolen data and credentials, is also an integral part of the
incident response process. When a company leaves the public in the dark after
a catastrophic breach, customers remain vulnerable.

When a company’s data is compromised, it may face lawsuits, reputational
damage and questions about its ethical standards. Delaying a public
announcement can compound these consequences. Those responsible for
overseeing information security practices within organizations, such as CISOs
and supporting executive management, must be engaged and lead by example
to help engender a culture of high ethical standards.

Where Do White Hats Draw the Line?

Outside of university courses and industry certifications, there is little
standardized training or formal accreditation required to work as a cybersecurity
professional, yet they face daily ethical dilemmas unique to their line of work.
Cybersecurity professionals are the technological gatekeepers in their
respective organizations, entrusted with great responsibility and the high levels
of access needed to carry out their roles effectively.

White hats work with sensitive data, come across company secrets and wield
great power over computer networks, applications and systems. How an
individual manages this authority comes down to his or her own ethical
yardstick, which is why organizations must carefully select security experts who
exhibit sufficient standards and technical competency. But is this enough? Can
we trust our respected practitioners?

Without codified cybersecurity ethics guidelines in place at the industry and
employer levels, it is largely up to the individual at the helm to determine the
most ethically sound response to a given incident.

Ethics can be subjective, influenced by an individual’s background, culture,
education, personality and other factors. Some white-hat hackers, for example,
have no problem casually testing their phone company’s billing platform for
vulnerabilities. By poking holes in the phone providers’ security infrastructure,
they believe they are legitimately contributing to the common good of
cybersecurity. Others might regard these activities as criminal, or at least
unethical, well-intentioned or not.

Hats of All Colors

Even the lines between the different shades of the hacker spectrum — white
hat, gray hat, black hat, etc. — can be blurry. In fact, black- and white-hat
hackers often use the same tools and methods to achieve vastly different ends.
This muddies the ethical waters of cybersecurity even more, making it difficult
to determine exactly where the moral line falls when it comes to producing
fruitful, legitimate and ethically sound security research.

While legal, medical, accounting and other established professions have legally
binding codes of conduct overseen by longstanding regulatory bodies, IT
security professionals have yet to establish formal guidance or universal checks
and balances. The industry lacks an independent register to determine who can
practice ethical hacking or security research.

Cybersecurity leaders must rely on reputation and background checks alone to
determine the trustworthiness of potential hires. If IT professionals betray this
trust by behaving unethically, there is no third-party committee or board to
evaluate the consequences of these actions and rule in the context of the
profession as a whole. Rogue security professionals cannot be struck off the
register or removed from a database, because such a database does not exist.

Several associations, such as ISSA, ISC2 and SANS, have volunteered to tackle
governing ethical issues in IT and cybersecurity. However, industry professionals
are rarely required to subscribe to these bodies or adhere to their codes of
conduct.

Hollywood Hacking and Real-World Challenges

In the very first episode of “Mr. Robot,” the Emmy-nominated, cybercrime-themed
fictional television series, the show’s protagonist, Elliot, a disillusioned
cybersecurity engineer working in New York, faces a critical ethical decision on
the job. The character, played by Rami Malek, comes across a suspicious file on
a client’s compromised server when diagnosing a distributed denial-of-service
(DDoS) attack. This unusual file has a mysterious message for Elliot: “Leave me
here.”

In this pivotal moment of the show, Elliot can choose to either delete the file
(the ethical decision) or leave it on the client’s server. Intrigued, Elliot acts
unethically and leaves the file on the server without notifying his incident
response team, management or the server owner. This decision is the catalyst
upon which the whole story arc hinges, leading to the protagonist’s involvement
with the enigmatic illegal cybercrime gang fsociety and a massive data breach
for the important client.

While the depiction of cybersecurity ethics in “Mr. Robot” is a somewhat
overdramatic Hollywood rendition, it is not totally dissimilar to the real-world
ethical challenges security professionals frequently encounter in the field.
Through both deliberate and unintentional actions, a cybersecurity professional
can criss-cross the often complex and delicate ethical line. Like Malek’s
character in “Mr. Robot,” even the smallest diversion in the nuances of ethical
decision-making could open a can of worms with far-reaching consequences,
potentially putting the business, customer base and individual at risk.

Hacking Airplanes: Helpful or Harebrained?

Security researcher and One World Labs founder Chris Roberts made
controversial headlines in 2015 after tweeting that he was considering doing a
live penetration test of his domestic United Airlines flight to Syracuse, New York.
Roberts, who was the subject of an FBI affidavit, allegedly commandeered a
Boeing aircraft by tampering with the thrust management computer via its in-
flight entertainment system, causing “one of the airplane engines to climb,
resulting in a lateral or sideways movement” of the aircraft, Wired reported.

It’s unlikely Roberts intended to threaten or harm himself, airline staff or the
other passengers onboard. Despite apparent white-hat intentions, however, the
consequences of Roberts’ alleged actions against such critical systems could
have been grave.

After the story broke, several prominent cybersecurity professionals spoke
publicly about the dubious ethics and legalities at play. According to Business
Insider, Alex Stamos, then CISO at Yahoo, tweeted, “You cannot promote the
(true) idea that security research benefits humanity while defending research
that endangered hundreds of innocents.”

Education, Awareness and Outreach

While a deeply integrated code of cybersecurity ethics and conduct is vital, it is
also crucial to cultivate ethical teachings among students and young enthusiasts
— the security professionals of tomorrow. By promoting awareness of
cybersecurity ethics at the early stages of learning and professional
development, we can help ensure that future white hats stay on the right side
of the ethical divide.

Bug bounties and hacking competitions provide ethical sandboxes where
budding young hackers and senior professionals can mess around and challenge
themselves. Many major organizations, including Facebook, Google and several
prominent airlines, offer crowd-sourced bug bounty programs in which hackers
are rewarded for discovering vulnerabilities in selected targets. This model
improves the security of the company’s assets while offering a defined structure
and guidelines under which eager global security researchers can legally hack,
learn and reap handsome rewards.

Cybersecurity enthusiasts can also use a variety of deliberately vulnerable
simulation platforms to learn penetration testing skills inside a safe
environment. It is important that such education tools provide users with the
necessary ethical context to ensure that their teachings are not misplaced.

Who’s to Blame?

Young rogue hackers often fall into the hands of law enforcement when
conducting activities against legitimate, unsuspecting targets. Many plead
ignorance, asserting that they did not realize the activities were illegal.

Who is to blame in these situations? In some cases, hacking tools, including
those that contribute to DDoS botnet attacks, are part of the problem. Often, at
a core level, this software has become so easy to use that it enables unwitting
newbies to invoke potentially illegal damage across the internet with just a
single mouse click.

On the other hand, many hackers have knowingly crossed ethical boundaries
with ignorance falling short as a defense. If a young cybersecurity enthusiast
behaved unethically in his or her juvenile hacking past but shows a promising
future, can he or she be trusted by a potential employer? Despite the noted
demand for cybersecurity professionals, organizations are usually hesitant to
hire talented ex-black hats.

Cybersecurity Ethics Workshops

It is important to give talented youth the best opportunity to develop
cybersecurity skills in safe and legal environments and to provide concrete
guidance and rules regarding ethics.

As part of our outreach and awareness initiatives in the IBM Ireland Lab, my
colleagues and I on the IBM Ethical Hacking team occasionally run cybersecurity
workshops with third-level computer science students across Ireland and the
U.K. These workshops are designed to give soon-to-be graduates a brief
introduction to cybersecurity and the skills required to work in the industry. In
this capacity, my team serves the critical role of educators and role models. This
requires very careful consideration.

Imperatively, at the very beginning of each university workshop session, we
make certain to specifically emphasize the fine legal and ethical line and the
exceptional duty that comes with having much-touted hacking skills. As the
saying goes, with great power comes great responsibility.

THE INTERNET OF THINGS

The internet of things, or IoT, is a system of interrelated computing devices,
mechanical and digital machines, objects, animals or people that are provided
with unique identifiers (UIDs) and the ability to transfer data over a network
without requiring human-to-human or human-to-computer interaction.

A thing in the internet of things can be a person with a heart monitor implant, a
farm animal with a biochip transponder, an automobile that has built-in
sensors to alert the driver when tire pressure is low or any other natural or
man-made object that can be assigned an Internet Protocol (IP) address and is
able to transfer data over a network.

Increasingly, organizations in a variety of industries are using IoT to operate
more efficiently, better understand customers to deliver enhanced customer
service, improve decision-making and increase the value of the business.

How does IoT work?


An IoT ecosystem consists of web-enabled smart devices that use embedded
systems, such as processors, sensors and communication hardware, to collect,
send and act on data they acquire from their environments. IoT devices share
the sensor data they collect by connecting to an IoT gateway or other edge
device where data is either sent to the cloud to be analyzed or analyzed locally.
Sometimes, these devices communicate with other related devices and act on
the information they get from one another. The devices do most of the work
without human intervention, although people can interact with the devices --
for instance, to set them up, give them instructions or access the data.

The connectivity, networking and communication protocols used with these
web-enabled devices largely depend on the specific IoT applications deployed.

IoT can also make use of artificial intelligence (AI) and machine learning to aid in
making data collecting processes easier and more dynamic.

[Figure: An example of how an IoT system works from collecting data to taking action]

Why is IoT important?

The internet of things helps people live and work smarter, as well as gain
complete control over their lives. In addition to offering smart devices to
automate homes, IoT is essential to business. IoT provides businesses with a
real-time look into how their systems really work, delivering insights into
everything from the performance of machines to supply chain and logistics
operations.

IoT enables companies to automate processes and reduce labor costs. It also
cuts down on waste and improves service delivery, making it less expensive to
manufacture and deliver goods, as well as offering transparency into customer
transactions.

As such, IoT is one of the most important technologies of everyday life, and it
will continue to pick up steam as more businesses realize the potential of
connected devices to keep them competitive.

What are the benefits of IoT to organizations?


The internet of things offers several benefits to organizations. Some benefits are
industry-specific, and some are applicable across multiple industries. Some of
the common benefits of IoT enable businesses to:

• monitor their overall business processes;
• improve the customer experience (CX);
• save time and money;
• enhance employee productivity;
• integrate and adapt business models;
• make better business decisions; and
• generate more revenue.

IoT encourages companies to rethink the ways they approach their businesses
and gives them the tools to improve their business strategies.

Generally, IoT is most abundant in manufacturing, transportation and utility
organizations, making use of sensors and other IoT devices; however, it has also
found use cases for organizations within the agriculture, infrastructure and
home automation industries, leading some organizations toward digital
transformation.

IoT can benefit farmers in agriculture by making their job easier. Sensors can
collect data on rainfall, humidity, temperature and soil content, as well as other
factors, that would help automate farming techniques.

The ability to monitor operations surrounding infrastructure is also a factor that
IoT can help with. Sensors, for example, could be used to monitor events or
changes within structural buildings, bridges and other infrastructure. This brings
benefits with it, such as cost saving, saved time, quality-of-life workflow changes
and paperless workflow.

A home automation business can utilize IoT to monitor and manipulate
mechanical and electrical systems in a building. On a broader scale, smart
cities can help citizens reduce waste and energy consumption.

IoT touches every industry, including businesses within healthcare, finance,
retail and manufacturing.

What are the pros and cons of IoT?


Some of the advantages of IoT include the following:

• ability to access information from anywhere at any time on any device;
• improved communication between connected electronic devices;
• transferring data packets over a connected network saving time and
money; and
• automating tasks helping to improve the quality of a business's
services and reducing the need for human intervention.

Some disadvantages of IoT include the following:

• As the number of connected devices increases and more information
is shared between devices, the potential that a hacker could steal
confidential information also increases.
• Enterprises may eventually have to deal with massive numbers --
maybe even millions -- of IoT devices, and collecting and managing the
data from all those devices will be challenging.
• If there's a bug in the system, it's likely that every connected device
will become corrupted.
• Since there's no international standard of compatibility for IoT, it's
difficult for devices from different manufacturers to communicate
with each other.

IoT standards and frameworks

There are several emerging IoT standards, including the following:

• IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) is
an open standard defined by the Internet Engineering Task Force
(IETF). The 6LoWPAN standard enables any low-power radio to
communicate to the internet, including 802.15.4, Bluetooth Low
Energy (BLE) and Z-Wave (for home automation).
• ZigBee is a low-power, low-data rate wireless network used mainly in
industrial settings. ZigBee is based on the Institute of Electrical and
Electronics Engineers (IEEE) 802.15.4 standard. The ZigBee Alliance
created Dotdot, the universal language for IoT that enables smart
objects to work securely on any network and understand each other.
• LiteOS is a Unix-like operating system (OS) for wireless sensor
networks. LiteOS supports smartphones, wearables, intelligent
manufacturing applications, smart homes and the internet of vehicles
(IoV). The OS also serves as a smart device development platform.
• OneM2M is a machine-to-machine service layer that can be
embedded in software and hardware to connect devices. The global
standardization body, OneM2M, was created to develop reusable
standards to enable IoT applications across different verticals to
communicate.
• Data Distribution Service (DDS) was developed by the Object
Management Group (OMG) and is an IoT standard for real-time,
scalable and high-performance M2M communication.
• Advanced Message Queuing Protocol (AMQP) is an open source
published standard for asynchronous messaging by wire. AMQP
enables encrypted and interoperable messaging between
organizations and applications. The protocol is used in client-server
messaging and in IoT device management.
• Constrained Application Protocol (CoAP) is a protocol designed by the
IETF that specifies how low-power, compute-constrained devices can
operate in the internet of things.
• Long Range Wide Area Network (LoRaWAN) is a protocol for WANs
designed to support huge networks, such as smart cities, with millions
of low-power devices.

IoT frameworks include the following:

• Amazon Web Services (AWS) IoT is a cloud computing platform for IoT
released by Amazon. This framework is designed to enable smart
devices to easily connect and securely interact with the AWS cloud and
other connected devices.
• Arm Mbed IoT is a platform to develop apps for IoT based on Arm
microcontrollers. The goal of the Arm Mbed IoT platform is to provide
a scalable, connected and secure environment for IoT devices by
integrating Mbed tools and services.
• Microsoft's Azure IoT Suite is a platform that consists of a set of
services that enables users to interact with and receive data from their
IoT devices, as well as perform various operations over data, such as
multidimensional analysis, transformation and aggregation, and
visualize those operations in a way that's suitable for business.
• Google's Brillo/Weave is a platform for the rapid implementation of
IoT applications. The platform consists of two main backbones: Brillo,
an Android-based OS for the development of embedded low-power
devices, and Weave, an IoT-oriented communication protocol that
serves as the communication language between the device and the
cloud.
• Calvin is an open source IoT platform released by Ericsson designed
for building and managing distributed applications that enable devices
to talk to each other. Calvin includes a development framework for
application developers, as well as a runtime environment for handling
the running application.

Consumer and enterprise IoT applications

There are numerous real-world applications of the internet of things, ranging
from consumer IoT and enterprise IoT to manufacturing and industrial IoT (IIoT).
IoT applications span numerous verticals, including automotive, telecom and
energy.

In the consumer segment, for example, smart homes that are equipped with
smart thermostats, smart appliances and connected heating, lighting and
electronic devices can be controlled remotely via computers and smartphones.

Wearable devices with sensors and software can collect and analyze user data,
sending messages to other technologies about the users with the aim of making
users' lives easier and more comfortable. Wearable devices are also used for
public safety -- for example, improving first responders' response times during
emergencies by providing optimized routes to a location or by tracking
construction workers' or firefighters' vital signs at life-threatening sites.

In healthcare, IoT offers many benefits, including the ability to monitor patients
more closely using an analysis of the data that's generated. Hospitals often use
IoT systems to complete tasks such as inventory management for both
pharmaceuticals and medical instruments.

Smart buildings can, for instance, reduce energy costs using sensors that detect
how many occupants are in a room. The temperature can adjust automatically --
for example, turning the air conditioner on if sensors detect a conference room
is full or turning the heat down if everyone in the office has gone home.

In agriculture, IoT-based smart farming systems can help monitor, for instance,
light, temperature, humidity and soil moisture of crop fields using connected
sensors. IoT is also instrumental in automating irrigation systems.

In a smart city, IoT sensors and deployments, such as smart streetlights and
smart meters, can help alleviate traffic, conserve energy, monitor and address
environmental concerns, and improve sanitation.

IoT security and privacy issues


The internet of things connects billions of devices to the internet and involves
the use of billions of data points, all of which need to be secured. Due to its
expanded attack surface, IoT security and IoT privacy are cited as major
concerns.

In 2016, one of the most notorious recent IoT attacks was Mirai, a botnet that
infiltrated domain name server provider Dyn and took down many websites for
an extended period of time in one of the biggest distributed denial-of-service
(DDoS) attacks ever seen. Attackers gained access to the network by exploiting
poorly secured IoT devices.

Because IoT devices are closely connected, all a hacker has to do is exploit one
vulnerability to manipulate all the data, rendering it unusable. Manufacturers
that don't update their devices regularly -- or at all -- leave them vulnerable to
cybercriminals.

Additionally, connected devices often ask users to input their personal
information, including names, ages, addresses, phone numbers and even social
media accounts -- information that's invaluable to hackers.

Hackers aren't the only threat to the internet of things; privacy is another major
concern for IoT users. For instance, companies that make and distribute
consumer IoT devices could use those devices to obtain and sell users' personal
data.

Beyond leaking personal data, IoT poses a risk to critical infrastructure, including
electricity, transportation and financial services.

What is the history of IoT?


Kevin Ashton, co-founder of the Auto-ID Center at the Massachusetts Institute
of Technology (MIT), first mentioned the internet of things in a presentation he
made to Procter & Gamble (P&G) in 1999. Wanting to bring radio frequency ID
(RFID) to the attention of P&G's senior management, Ashton called his
presentation "Internet of Things" to incorporate the cool new trend of 1999: the
internet. MIT professor Neil Gershenfeld's book, When Things Start to Think,
also appeared in 1999. It didn't use the exact term but provided a clear vision of
where IoT was headed.

IoT has evolved from the convergence of wireless technologies,
microelectromechanical systems (MEMSes), microservices and the internet.
The convergence has helped tear down the silos between operational
technology (OT) and information technology (IT), enabling unstructured
machine-generated data to be analyzed for insights to drive improvements.

Although Ashton's was the first mention of the internet of things, the idea of
connected devices has been around since the 1970s, under the
monikers embedded internet and pervasive computing.

The first internet appliance, for example, was a Coke machine at Carnegie
Mellon University in the early 1980s. Using the web, programmers could check
the status of the machine and determine whether there would be a cold drink
awaiting them, should they decide to make the trip to the machine.

IoT evolved from M2M communication, i.e., machines connecting to each other
via a network without human interaction. M2M refers to connecting a device to
the cloud, managing it and collecting data.

Taking M2M to the next level, IoT is a sensor network of billions of smart devices
that connect people, systems and other applications to collect and share data.
As its foundation, M2M offers the connectivity that enables IoT.

The internet of things is also a natural extension of supervisory control and data
acquisition (SCADA), a category of software application programs for process
control, the gathering of data in real time from remote locations to control
equipment and conditions. SCADA systems include hardware and software
components. The hardware gathers and feeds data into a computer that has
SCADA software installed, where it is then processed and presented in a timely
manner. The evolution of SCADA is such that late-generation SCADA systems
developed into first-generation IoT systems.

The concept of the IoT ecosystem, however, didn't really come into its own until
the middle of 2010 when, in part, the government of China said it would make
IoT a strategic priority in its five-year plan.

ECONOMICS
This economics course provides an introduction to the field of cybersecurity
through the lens of economic principles. Delivered by four leading research
teams, it will provide you with the economic concepts, measurement
approaches and data analytics to make better security and IT decisions, as well
as understand the forces that shape the security decisions of other actors in the
ecosystem of information goods and services.

Systems often fail because the organizations that defend them do not bear the
full costs of failure. In order to solve the problems of growing vulnerability to
computer hackers and increasing crime, solutions must coherently allocate
responsibilities and liabilities so that the parties in a position to fix problems
have an incentive to do so. This requires a technical comprehension of security
threats combined with an economic perspective to uncover the strategies
employed by cyber hackers, attackers and defenders.
The course covers five main areas:
1. Introduction to key concepts in security economics. Here, we provide
an overview of how information security is shaped by economic
mechanisms, such as misaligned incentives, information asymmetry,
and externalities.
2. Measuring cybersecurity. We introduce state-of-the-art security and IT
metrics and conceptualize the characteristics of a security metric, its
challenges and advantages.
3. Economics of information security investment. We discuss and apply
different economic models that help determine the costs and benefits
of security investments in network security.
4. Security market failures. We discuss market failures that may lead to
cybersecurity investment levels that are insufficient from society's
perspective and other forms of unsafe behaviour in cyber space.
5. Behavioural economics for information security, policy and regulation.
We discuss available economic tools to better align the incentives for
cybersecurity, including better security metrics, cyber insurance/risk
transfer, information sharing, and liability assignment.
After finishing this course, you will be able to apply economic analysis and data
analytics to cybersecurity. You will understand the role played by incentives on
the adoption and effectiveness of security mechanisms, and on the design of
technical, market-based, and regulatory solutions to different security threats.

COMPUTERIZED ELECTIONS
Election cyber security is one of the hottest topics in the country today. It
dominated both the 2016 and 2020 Presidential elections, and most likely will
continue to do so until state and local governments can demonstrate that their
voting infrastructure and solutions are as secure and tamper-proof as possible.

When voters go to the polls, they might not realize the complex blend of
components that power today's democratic system. Secure these, and you
stand a much better chance of mitigating the threat from external actors.

What are the main election cyber security threats?


Electronic voting is faster and more accurate than manual voting and
counting by hand. But because intelligent systems can be used to gather data
and communicate with other systems, they could be exposed to cyber
threats. For example, potential vulnerabilities in the machines used to supply
registration data might allow unauthorized individuals to manipulate voter
information.

According to the Cybersecurity and Infrastructure Security Agency (CISA), election cyber
security threats can take three basic forms:

• Information theft (confidentiality attacks): This could include voter
registration data or the results of early tabulation. Data theft could cast
doubt on the integrity of the system.
• Changing the information within or functionality of a system (integrity
attacks): This may include changing the results of voter
tabulation/aggregation, which could have a serious impact on the
result. This also includes any attempts to change the recorded votes
themselves. For example, foreign attackers allegedly breached voter
systems in two Florida counties in 2016, although they made no
changes.
• Denial of service (availability attacks): This could take the form of DDoS
or ransomware attacks against voting infrastructure. By freezing voter
registration databases and voting machines, threat actors could
severely disrupt voting.

Fortunately, there are technologies that can go a long way toward providing
protections—starting with private network solutions.

How does election infrastructure work?


Networks arguably play a critical role as it is these communications channels
that connect key infrastructure components to each other and to centralized
data centers.

CISA is tasked with ensuring free and fair elections and divides electronic voting
infrastructure into several main elements:

• Registration: Databases of voter records that include information such
as whether and where individuals can vote.
• Poll books: Electronic poll books contain voter information from the
above databases and could be connected to additional voter databases
or servers.
• Voting machine: This is the main technology voters interact with to cast
their ballot. Voting machines can be broken down into three
categories: electronic voting consoles at voting sites, paper ballot
scanning and tabulation devices at voting sites and mail-in ballot
scanning equipment.
• Tabulation: The machines and processes that tally the votes cast at the
voting machines. This can occur at the precinct level or in more
centralized locations.
• Websites: Official election sites that convey information such as how
to register and how to vote, as well as election results.

Election cyber attacks: What's at stake?


Multiple threat actors have various motives to disrupt elections. These can
include foreign states looking to sow conflict and diminish America's geopolitical
power, hacktivists hoping to drive chaos and division, and cyber criminals
planning to cash in on extortion attempts.

Should hackers cause disruption, reporting delays or even data theft, this could
undermine voter confidence in election results. Election cyber attacks could
have a dangerous, long-term impact on voter turnout and polarization of the
electorate.

How to best improve election cyber security?


Given the volume of sensitive data—including the all-important vote tallies—
being transmitted, it’s logical to begin election cyber security efforts with secure
infrastructure solutions.

Local and state governments are already taking the following steps:

• Building private wireless networks: The public internet is the primary
means by which external threat actors can reach election equipment.
That means the first step is to keep election data and devices off the
publicly routed internet. Instead, they can be moved to 4G LTE/5G
networks with private IPs, which makes it harder for attackers to
discover and infiltrate. Election administrators can work with
their network provider to help ensure volunteer election workers’
communications are segmented from voting data traffic and provide
seamless, authorized access to a highly reliable, nationwide network,
offering scalability and control where they're needed most.
• Replacing consumer-grade connectivity: Upgrade routers at key
election locations to those with built-in security features, including
unified threat management, web content filtering and IDS/IPS. Support
for 4G LTE or 5G also offers enhanced security, including end-to-end
encryption.
• Minimizing transmission times: This can help reduce the window of
opportunity for attackers come election day.
• Decommissioning voting equipment: When voting machines are
decommissioned, it is important to follow manufacturers’ instructions
on properly cleansing any data that might be stored within the voting
machine to help prevent potential hacking, should the machine be
recommissioned in the future.

What to look for in a partner


Once you've worked out the best way to mitigate election cyber attacks, it's time
to choose the providers and technologies that are:

• Reliable, with nationwide coverage
• Robust, with connection redundancy, backed by secure network
technologies
• Easy to deploy at temporary locations
• Manageable remotely
• A reputable managed and professional services provider
• Interoperable with different third-party systems
• Cost effective

CYBER WARFARE
Cyber warfare is usually defined as a cyber attack or series of attacks that target
a country. It has the potential to wreak havoc on government and civilian
infrastructure and disrupt critical systems, resulting in damage to the state and
even loss of life.

There is, however, a debate among cyber security experts as to what kind of
activity constitutes cyber warfare. The US Department of Defense (DoD)
recognizes the threat to national security posed by the malicious use of the
Internet but doesn’t provide a clearer definition of cyber warfare. Some consider
cyber warfare to be a cyber attack that can result in death.

Cyber warfare typically involves a nation-state perpetrating cyber attacks on
another, but in some cases, the attacks are carried out by terrorist organizations
or non-state actors seeking to further the goal of a hostile nation. There are
several examples of alleged cyber warfare in recent history, but there is no
universal, formal definition for how a cyber attack may constitute an act of war.

7 Types of Cyber Warfare Attacks

Here are some of the main types of cyber warfare attacks.

Espionage

Refers to monitoring other countries to steal secrets. In cyber warfare, this can
involve using botnets or spear phishing attacks to compromise sensitive
computer systems before exfiltrating sensitive information.

Sabotage

Government organizations must determine which information is sensitive and the
risks if it is compromised. Hostile governments or terrorists may steal information,
destroy it, or leverage insider threats such as dissatisfied or careless employees,
or government employees with affiliation to the attacking country.

Denial-of-service (DoS) Attacks

DoS attacks prevent legitimate users from accessing a website by flooding it with
fake requests and forcing the website to handle these requests. This type of
attack can be used to disrupt critical operations and systems and block access to
sensitive websites by civilians, military and security personnel, or research
bodies.


Electrical Power Grid

Attacking the power grid allows attackers to disable critical systems, disrupt
infrastructure, and potentially cause bodily harm. Attacks on the power grid
can also disrupt communications and render services such as text messaging and
other communications unusable.

Propaganda Attacks

Attempts to control the minds and thoughts of people living in or fighting for a
target country. Propaganda can be used to expose embarrassing truths, spread
lies to make people lose trust in their country, or side with their enemies.

Economic Disruption

Most modern economic systems operate using computers. Attackers can target
computer networks of economic establishments such as stock markets,
payment systems, and banks to steal money or block people from accessing the
funds they need.

Surprise Attacks

These are the cyber equivalent of attacks like Pearl Harbor and 9/11. The point
is to carry out a massive attack that the enemy isn’t expecting, enabling the
attacker to weaken their defenses. This can be done to prepare the ground for
a physical attack in the context of hybrid warfare.

Examples of Cyber Warfare Operations

Here are several well-publicized examples of cyber warfare in recent times.

Stuxnet Virus

Stuxnet was a worm that attacked the Iranian nuclear program. It is among the
most sophisticated cyber attacks in history. The malware spread
via infected Universal Serial Bus (USB) devices and targeted supervisory
control and data acquisition (SCADA) systems. According to most reports, the
attack seriously damaged Iran’s ability to manufacture nuclear weapons.


Sony Pictures Hack

An attack on Sony Pictures followed the release of the film “The Interview”,
which presented a negative portrayal of Kim Jong Un. The attack is attributed to
North Korean government hackers. The FBI found similarities to previous
malware attacks by North Koreans, including code, encryption algorithms, and
data deletion mechanisms.

Bronze Soldier

In 2007, Estonia relocated a statue associated with the Soviet Union, the Bronze
Soldier, from the center of its capital Tallinn to a military cemetery near the city.
Estonia suffered a number of significant cyber attacks in the following months.
Estonian government websites, media outlets, and banks were overloaded with
traffic in massive denial of service (DoS) attacks and consequently were taken
offline.

Fancy Bear

CrowdStrike claims that the Russian organized cybercrime group Fancy Bear
targeted Ukrainian rocket forces and artillery between 2014 and 2016. The
malware was spread via an infected Android application used by the D-30
Howitzer artillery unit to manage targeting data.

Ukrainian officers made wide use of the app, which contained the X-Agent
spyware. This is considered to be a highly successful attack, resulting in the
destruction of over 80% of Ukraine’s D-30 Howitzers.

Enemies of Qatar

Elliott Broidy, an American Republican fundraiser, sued the government of Qatar
in 2018, accusing it of stealing and leaking his emails in an attempt to discredit
him. The Qataris allegedly saw him as an obstacle to improving their standing in
Washington.

According to the lawsuit, the brother of the Qatari Emir was alleged to have
orchestrated a cyber warfare campaign, along with others in Qatari leadership.
1,200 people were targeted by the same attackers, with many of these being
known “enemies of Qatar”, including senior officials from Egypt, Saudi Arabia,
the United Arab Emirates, and Bahrain.

How to Combat Cyber Warfare

The legal status of this new field is still unclear as there is no international law
governing the use of cyber weapons. However, this does not mean that cyber
warfare is not addressed by the law.

The Cooperative Cyber Defense Center of Excellence (CCDCoE) has published the
Tallinn Manual, a textbook that addresses rare but serious cyber threats. This
manual explains when cyber attacks violate international law and how countries
may respond to such violations.

Conducting Risk Assessments with Cyber Wargames

The best way to assess a nation’s readiness for cyber warfare is to conduct a
real-life exercise or simulation, also known as a cyber wargame.

A wargame can test how governments and private organizations respond to a
cyber warfare scenario, expose gaps in defenses, and improve cooperation
between entities. Most importantly, a wargame can help defenders learn how
to act quickly to protect critical infrastructure and save lives.

Cyber wargames can help cities, states, or countries improve readiness for cyber
warfare by:

• Testing different situations – such as detecting attacks in early stages, or
mitigating risks after critical infrastructure has already been
compromised.
• Testing unusual scenarios – attacks are never conducted “by the book”.
By establishing a red team that acts as the attackers and tries to find
creative ways to breach a target system, the defenders can learn how to
mitigate real threats.
• Division of labor and cooperation mechanisms – cyber warfare requires
many individuals from different organizations and government units to
collaborate. A cyber wargame can bring together those people, who may
not know each other, and help them decide how to work together in the
event of a crisis.
• Improving policies – governments may establish cyber warfare policies,
but need to test them in practice. A cyber wargame can test the
effectiveness of policies and provide an opportunity for improving them.

The Importance of Layered Defense

Under the pressure of cyber warfare, governments of many countries have
issued operational national security policies to protect their information
infrastructure. These policies typically use a layered defense approach, which
includes:

• Securing the cyber ecosystem
• Raising awareness for cybersecurity
• Promoting open standards for combating cyber threats
• Implementing a national cybersecurity assurance framework
• Working with private organizations to improve their cybersecurity
capabilities

Securing the Private Sector

A strategic factor in cyberwarfare is the resilience of local businesses to cyber
attacks. Businesses need to tighten their security measures to reduce the
benefits of an attack on a nation-state. The following is a set of measures to
ensure corporate cybersecurity, which can promote national security:

• Create obstacles to breaching the network
• Use web application firewalls (WAF) to quickly detect, investigate, and
block malicious traffic
• Quickly respond to a breach and restore business operations
• Facilitate cooperation between the public and private sectors
• Use local hackers as a resource to help protect against foreign cyber
threats

Imperva Cyber Warfare Protection

Imperva can help organizations protect themselves against cyberwarfare by
implementing a comprehensive cybersecurity solution, including both
application and data security.


Imperva Application Security

Imperva provides comprehensive protection for applications, APIs, and
microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web
traffic to your applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and
prevention from your application runtime environment goes wherever your
applications go. Stop external attacks and injections and reduce
your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are
protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points
– websites, mobile apps and APIs. Gain seamless visibility and control over bot
traffic to stop online fraud through account takeover or competitive price
scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity
with guaranteed uptime and no performance impact. Secure your on-premises
or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or
Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain
expertise across the application security stack to reveal patterns in the noise and
detect application attacks, enabling you to isolate and prevent attack
campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript
code to reduce the risk of supply chain fraud, prevent data breaches, and
client-side attacks.


Imperva Data Security

Imperva protects all cloud-based data stores to ensure compliance and preserve
the agility and cost benefits you get from your cloud investments.

Cloud Data Security – Simplify securing your cloud databases to catch up and
keep up with DevOps. Imperva’s solution enables cloud-managed services users
to rapidly gain visibility and control of cloud data.

Database Security – Imperva delivers analytics, protection, and response across
your data assets, on-premise and in the cloud – giving you the risk visibility to
prevent data breaches and avoid compliance incidents. Integrate with any
database to gain instant visibility, implement universal policies, and speed time
to value.

Data Risk Analysis – Automate the detection of non-compliant, risky, or
malicious data access behavior across all of your databases enterprise-wide to
accelerate remediation.
