CSL Notes
Uploaded by aayushgunjal8

Module 1

Q1. What is Cybercrime? Who are Cybercriminals?


Cybercrime Definition:
• Broadly defined, cybercrime is any act committed on, via, or with the help of the internet, that
is prohibited by law and for which punishment is provided.
• The Information Technology Act, 2000 (IT Act, 2000) doesn't define cybercrime, but it does
define specific offenses and their punishments.
• Narrowly, cybercrime refers to offenses listed in the IT Act, 2000, such as hacking, cyber
pornography, and cyber fraud.
Cybercriminals:
• Cybercriminals are people who commit such acts. They can be categorized into three groups
based on their motivation:
o Hungry for recognition: Hobby hackers, IT professionals, politically motivated
hackers, and terrorist organizations.
o Not interested in recognition: Psychological perverts, financially motivated hackers,
state-sponsored hackers, and organized criminals.
o The Insiders: Unhappy or ex-employees seeking revenge, or rival companies using
employees to gain an advantage.

Q2. Explain the classification of cybercrime with examples.


Cybercrimes are classified based on their target: against individuals, property, and organizations.
1. Cybercrime Against Individuals
• Email spoofing and online frauds: Forging an email header to make a message appear to be
from a trusted source. Used in phishing to get recipients to open malicious attachments.
• Phishing and spear phishing: Using emails to trick a recipient into performing an action,
like clicking a malicious link. Phishing is sent to many recipients indiscriminately, while spear
phishing is a targeted attack on a specific person or organisation, using details gathered about
the target to make the message convincing.
• Cyber defamation: Making or publishing imputations to harm a person's reputation. For
example, sending an email with derogatory comments about a person to a third party.
• Cyberstalking and harassment: Online harassment where a user is subjected to intimidating
messages and emails. Cyberstalkers often know their victims and use social media to instill
fear.
• Pornographic offenses: Using cyberspace to create, display, or distribute obscene materials.
This includes publishing and transmitting such content via digital portals like websites or
messaging apps.
2. Cybercrime Against Property
• Credit card frauds: Unauthorized use of a credit card or account. This can happen if a
physical card is stolen or if a fraudster steals the account number and security code to make
transactions online.
• Intellectual property (IP) crimes: Includes software piracy, copyright infringement,
trademark violations, and theft of source codes.
• Internet time theft: An unauthorized person using another's internet connection, often by
gaining access to their account details. This is more prevalent with open Wi-Fi connections.
3. Cybercrime Against an Organization
• Denial-of-Service (DoS) attacks: Flooding a computer resource with requests to make it
unavailable to its intended users.
• Virus attacks: Malicious software programs designed to spread and interfere with computer
operations, often corrupting or deleting data. They spread through email attachments or
instant messages.
• Logic bomb: A piece of malicious code that lies dormant until triggered by a specific event,
often used by disgruntled employees to delete databases.
• Trojan horse: A program that appears harmless but is malicious and can be used to execute
tasks designed by an attacker once installed.
• Data diddling: Unauthorized data alteration that occurs before or during data input or before
output.
• Industrial spying: Investigating competitors to gain a business advantage, such as stealing
trade secrets or business plans.

Q3. How do cybercrimes differ from terrestrial crimes?


• Cybercrimes are committed on or with the help of the internet. Traditional, or "terrestrial"
crimes like murder or theft are typically committed offline.
• The internet allows cybercriminals to expand their reach and con people from a distance,
attempting to trick millions of users simultaneously.
• Some cybercrimes are simply traditional crimes, like fraud, committed using a computer as a
tool. Other cybercrimes, like hacking, target the computer itself.
• Cybercrimes often have no boundaries, requiring international cooperation to enforce anti-
spam and other laws. The ability to find the perpetrator may be difficult.

Q4. What are the objectives and features of the IT Act 2000?
The IT Act, 2000, aims to provide a legal framework for electronic transactions and combat
cybercrime in India.
• Cybercrime Regulation: It defines and punishes certain computer-related offenses, such as
tampering with source documents, hacking, and publishing obscene information in electronic
form.
• Legal Recognition of Electronic Records: It provides legal validity to transactions
conducted through electronic means, ensuring that contracts concluded electronically are not
unenforceable solely because of their electronic nature.
• Digital Signatures: The Act establishes a legal framework for digital signatures, specifying
that they use an asymmetric crypto system and a hash function for authentication.
• Certifying Authorities: It provides for the appointment of a Controller of Certifying
Authorities to license, certify, and oversee the activities of certifying authorities that issue
digital signature certificates.
• Electronic Evidence: It amends the Indian Evidence Act, 1872, to recognize electronic
records as admissible evidence in court.
• Jurisdiction: The Act also applies to offenses or contraventions committed outside India by any
person, provided the act involves a computer, computer system or computer network located in
India.

Module 2
Q1. How do criminals plan an attack? Explain the steps of planning a cyberattack.
Criminals typically plan a cyberattack in three main phases: reconnaissance, scanning, and launching
the attack.
1. Reconnaissance (Planning Phase)
• This is the initial phase where the attacker gathers information about the target. This process
is also called footprinting, where the attacker collects data on security policies, identifies IP
addresses, and draws a network map.
• Passive Reconnaissance: The attacker collects information without interacting with the
target's systems, so the target has no way of knowing. This can be done by observing
employees' routines or using public sources like search engines, social media, DNS and WHOIS
records, and the company's website.
• Active Reconnaissance: The attacker probes the system or network directly (for example, by
pinging hosts or connecting to services) to confirm the data collected during the passive phase.
This carries a higher risk of being detected, since the probes appear in the target's logs, but it
provides confirmation about the target's security measures.
2. Scanning and Scrutinizing Collected Information
• In this phase, the attacker examines the network based on the data gathered during
reconnaissance. Extracting user names, shares and service details from live hosts is also known
as enumeration in the hacking world.
• The objective is to identify valid user accounts, network resources, and the operating system
and applications running on it.
• Methods include port scanning to find which hosts are live and which services they expose,
vulnerability scanning to match those services against known weaknesses, and information
extraction (enumeration) to gather account and resource details from the live machines.
3. Launching an Attack
• This is the phase where the actual hacking takes place. The hacker uses the blueprint of the
network to gain access to the system and escalate user privileges to control the systems.
• Attacks launched in this phase can include password cracking, exploiting privileges, and
executing malicious code.
• After the attack, hackers try to cover their tracks by removing log files and other evidence to
avoid detection.
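The port scan used in the scanning phase, as an added example written for these notes (not code from the original). It performs a TCP connect scan: a port is open when the handshake completes, closed when the connection is refused. To run offline it constructs its own target, a listening socket on a random loopback port, and scans the ports around it; the target address and the port numbers are therefore assumptions of the demo, not data from the notes.

```python
import socket

def scan_ports(host, ports, timeout=0.2):
    """TCP connect scan: a port is reported open when the three-way handshake
    completes. Closed ports answer with RST (connect fails at once); filtered
    ports usually just time out."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising an exception
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports

def start_target():
    """Constructed target for the demo: a listening socket on a random loopback
    port. The kernel completes handshakes into the listen backlog, so no accept()
    loop is needed for the scanner to see the port as open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS choose a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]

def demo():
    """Starts the target, scans a small range around its port, reports the result."""
    srv, port = start_target()
    try:
        candidates = range(max(1, port - 2), min(65535, port + 2) + 1)
        found = scan_ports("127.0.0.1", candidates)
    finally:
        srv.close()
    return {"listening_port": port, "open_ports": found, "hit": port in found}

if __name__ == "__main__":
    result = demo()
    print(f"listener on {result['listening_port']}, scanner found {result['open_ports']}")
```

A real scan covers thousands of ports, typically followed by banner grabbing to identify the service and version behind each open port. Probing hosts you are not authorised to test may itself be treated as unauthorised access, so run this only against your own systems or with written permission.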

Q2. What are the security risks for an organization?


• Insider Threats: Disgruntled employees may use their access to delete databases or use logic
bombs to sabotage a company's network. Rival companies can also use employees to steal
data.
• The Proliferation of Mobile Devices: The widespread use of mobile and wireless devices
poses two key challenges: information can be taken outside of physically controlled
environments, and remote access is granted to protected networks. Lost or stolen mobile
devices are a significant security risk, as they can lead to the exposure of sensitive data.
• Financial and Data Loss: Organizations face financial losses due to cybercrimes like the
leaking of customer data. These losses are difficult to quantify and report due to a lack of
proper accounting for security incidents and a desire to avoid negative publicity.
• Malicious Software: Organizations are at risk from a variety of malicious software, including
viruses, worms, Trojans, and botnets.
Botnets are networks of private computers infected with malicious software that let criminals control
millions of systems at once. They are used to overload organizational networks and, because the
traffic comes from the infected machines rather than from the attacker, to hide the criminals' origin.

Q3. Explain the security precautions for laptops and wireless devices.
Laptops:
• Physical Security: Use cables and hardwired locks, such as Kensington cables, to secure the
laptop to a fixed object.
• Alarms and Tracking: Use alarms and motion sensors to deter theft and track missing
devices. Identification labels with tracking information can also be fixed onto the laptop.
• Data Protection: Encrypt sensitive data and the entire file system to protect data on lost
devices. Back up data regularly.
• Logical Access Controls: Use strong passwords with a mix of letters, numbers, and symbols
and change them regularly.
• Network Security: Install antivirus software, firewalls, and intrusion detection systems
(IDSs). Disable unnecessary user accounts and lock unwanted ports.
Wireless Devices:
• Wi-Fi Security: Use WPA2 (or WPA3 where the devices support it) with a strong passphrase so
that the access code cannot be cracked; the older WEP and original WPA schemes have known
weaknesses and should not be used.
• Firewalls and VPNs: Enable your router's firewall and use a VPN on public networks to
communicate through an encrypted tunnel.
• Updates: Keep software and firmware updated to fix security flaws.
• Authentication: Use strong, unique passwords for Wi-Fi and change the default
administrative login credentials on your router.
• Bluetooth: When not in use, turn off Bluetooth or set it to non-discoverable mode to prevent
attackers from finding and connecting to your device.

Module 3
Q1. What are DoS and DDoS attacks? Explain the types and mitigation of DDoS attacks.
DoS Attack: A Denial-of-Service (DoS) attack is a cyberattack meant to make a machine or network
inaccessible to its intended users. This is typically done by flooding the target with so much traffic
that the server, or the network link in front of it, cannot keep up and legitimate requests are
dropped.
DDoS Attack: A Distributed Denial-of-Service (DDoS) attack is an attack where many compromised
computer systems (a botnet) attack a single target at the same time, causing a denial of service for its
users. The flood of requests forces the target system to slow down or shut down, and because the bots
are otherwise legitimate internet devices spread across many networks, it is difficult to separate attack
traffic from normal traffic.
Types of DDoS Attacks:
• Application Layer Attacks (Layer 7): These attacks aim to exhaust the target's resources by
flooding it with a large number of HTTP requests that are expensive for the server to process
(for example, searches or login attempts), so a modest number of requests per bot is enough.
• Protocol Attacks: These attacks consume the state table capacity of web servers or
intermediate devices like firewalls and load balancers by exploiting weaknesses in Layers 3 and
4 of the protocol stack. A SYN flood is a type of protocol attack that sends many TCP connection
requests (SYN packets), often from spoofed source addresses, without completing the three-way
handshake, leaving the target holding half-open connections until its resources are exhausted.
• Volumetric Attacks: These attacks attempt to create network congestion by consuming all
available bandwidth. They send large amounts of data to a target using a botnet or
amplification. In a DNS amplification attack the attacker sends small queries to open DNS
resolvers with the source address forged to be the victim's, so the much larger responses are
delivered to the victim instead of to the attacker.
DDoS Attack Mitigation:
• Black Hole Routing: All traffic to the attacked address, both legitimate and malicious, is routed
to a null route or blackhole and is dropped from the network. This protects the rest of the
network but takes the target offline, which is what the attacker wanted, so it is a last resort.
• Rate Limiting: This method limits the number of requests a server accepts over a certain
period, which is useful for slowing down attacks but is often insufficient on its own.
• Web Application Firewall (WAF): A WAF filters out malicious traffic and can be used to
mitigate a Layer 7 DDoS attack by protecting the server and implementing custom rules to
identify and block malicious requests.
• Anycast Network Diffusion: This approach uses an Anycast network to scatter the attack
traffic across distributed servers, diffusing the impact to a manageable level.
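Rate limiting as described above, in an added example written for these notes (not from the original): a sliding-window limiter keyed by source IP, replayed over a constructed access log in which one client browses normally and another floods the login page. The policy of 10 requests per second per address, the addresses and the log format are assumptions of the demo.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allows at most max_requests per client within any `window` seconds."""
    def __init__(self, max_requests, window):
        self.max_requests = max_requests
        self.window = window
        self._seen = defaultdict(deque)   # client -> timestamps of recent requests

    def allow(self, client, now):
        q = self._seen[client]
        while q and now - q[0] >= self.window:   # forget requests that left the window
            q.popleft()
        q.append(now)   # rejected attempts count too, so a flooding client stays throttled
        return len(q) <= self.max_requests

def replay(log_lines, limiter):
    """Feeds 'timestamp ip method path' lines through the limiter; returns per-client counts."""
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_lines:
        ts, ip, _method, _path = line.split()
        verdict = "allowed" if limiter.allow(ip, float(ts)) else "blocked"
        stats[ip][verdict] += 1
    return dict(stats)

def build_sample_log():
    """Constructed access log: one normal visitor, one client hammering /login."""
    legit = [f"{100 + 2 * i:.2f} 198.51.100.5 GET /index.html" for i in range(3)]
    flood = [f"{101 + 0.02 * i:.2f} 203.0.113.7 GET /login" for i in range(50)]
    return sorted(legit + flood, key=lambda line: float(line.split()[0]))

def demo():
    limiter = SlidingWindowLimiter(max_requests=10, window=1.0)   # assumed policy: 10 req/s per IP
    return replay(build_sample_log(), limiter)

if __name__ == "__main__":
    for ip, counts in demo().items():
        print(ip, counts)
```

The flooding client gets its first 10 requests through and the remaining 40 blocked, while the normal visitor is untouched. This is also why the notes call rate limiting insufficient on its own: a botnet spreads the same load across thousands of addresses, each staying under the per-IP threshold.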

Q2. Explain SQL Injection attack with its types and countermeasures.
SQL Injection (SQLi):
• SQLi is a type of injection attack that allows a hacker to execute malicious SQL statements to
control a database server behind a web application.
• Attackers use SQLi to bypass security measures, retrieve the content of the entire SQL
database, and add, modify, or delete records.
• For example, an attacker can input a string like ' OR 1=1 into a password field. The quote closes
the string literal in the query and OR 1=1 is a condition that is always true, so the WHERE
clause matches every row and the database returns the first user in the table, which is often the
administrator.
Types of SQLi:
• In-band SQLi (Classic): The attacker uses the same channel to launch the attack and gather
results. It includes:
o Error-based SQLi: The attacker causes database error messages to appear, which
can reveal information about the database structure.
o Union-based SQLi: The attacker uses the UNION SQL operator to combine a
malicious query with a legitimate one to obtain data from other tables.
• Inferential SQLi (Blind): The attacker sends payloads to the server and observes its
responses and behavior to learn about its structure, without the data being transferred directly
from the database. This includes Boolean-based and Time-based attacks.
• Out-of-band SQLi: This is an alternative used when in-band or inferential SQLi is not
possible. It relies on the server's ability to create DNS or HTTP requests to transfer data to the
attacker.
SQLi Countermeasures:
• Parameterized Queries (Prepared Statements): The SQL text and the user-supplied values are
sent to the database separately, so input is only ever treated as data, never as part of the
query. This is the primary defence.
• Input Validation: Writing code to identify and reject illegitimate user inputs, preferably by
allow-listing the expected format (for example, digits only for a numeric ID).
• Least Privilege: Running the application with a database account that cannot read or modify
tables it does not need, which limits what a successful injection can do.
• Web Application Firewall (WAF): A WAF filters out SQLi and other online threats by using a
list of signatures to identify malicious SQL queries. It is a second layer, not a fix: signature
lists can be bypassed by encoding or rephrasing the payload.
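The tautology payload and the parameterized-query countermeasure, in a runnable added example written for these notes (not code from the original): an in-memory SQLite table with a constructed administrator and one user, a login query built by string concatenation, the same login with bound parameters, and a union-based payload that pulls the password column through the vulnerable query. The payload uses the balanced form ' OR '1'='1 so the query stays syntactically valid; table and account names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample database: two accounts, the administrator first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "s3cr3t", "administrator"), ("alice", "wonderland", "user")])
    return conn

def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so quotes in it change the query."""
    query = ("SELECT id, username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the SQL,
    so a quote in the input is just a character inside a string."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()

def demo():
    conn = make_db()
    tautology = "' OR '1'='1"          # closes the literal, then an always-true condition
    union = "x' UNION SELECT id, password, role FROM users--"   # '--' comments out the rest
    return {
        # WHERE username = 'x' AND password = '' OR '1'='1'  matches every row
        "tautology_vulnerable": login_vulnerable(conn, "x", tautology),
        "tautology_safe": login_safe(conn, "x", tautology),
        # the second SELECT's password values come back in the username column
        "union_vulnerable": login_vulnerable(conn, union, "whatever"),
        "union_safe": login_safe(conn, union, "whatever"),
        "correct_login_safe": login_safe(conn, "admin", "s3cr3t"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the concatenated query the tautology returns both accounts with the administrator first, and the union payload dumps every password; the parameterized version returns nothing for either payload and still authenticates the genuine credentials.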

Q3. Explain buffer overflow attack with its types and mitigation.
Buffer Overflow Attack:
• A buffer is a fixed-size region of memory that a program uses to hold data, such as a local
array that receives network input. A buffer overflow occurs when more data is written into the
buffer than it can hold, so the excess overwrites whatever is stored next to it in memory.
• Hackers deliberately cause a buffer to overflow so that the overwritten memory (for example, a
function's saved return address) changes the program's behaviour and lets them run their own
malicious code.
Types of Buffer Overflow Attacks:
• Stack Attack: The most common type, where the hacker overflows a buffer on the stack to
overwrite control data stored beside it, typically the saved return address, so that when the
function returns the program jumps to attacker-chosen code elsewhere in memory.
• Heap Attack: A more difficult attack where the hacker overflows a buffer on the heap, the larger
region used for dynamically allocated data, to corrupt neighbouring allocations or the
allocator's own bookkeeping metadata.
• Arithmetic Attack: This attack exploits how languages such as C handle signed and unsigned
integers. A length check performed on a signed value lets a small negative number through, and
when that value is later used as an unsigned size it becomes a very large number, causing an
overflow or crash that can be leveraged for an attack.
• Format Attack: This occurs when attacker-controlled input is passed as the format string of a
printf-style function. Directives such as %x and %n then read from and write to memory the
programmer never intended to expose.
Buffer Overflow Mitigation:
• Detection and Elimination: Vulnerable code needs to be detected and eliminated before it
can be exploited.
• Compiler Modifications: Changing how the compiler lays out data in memory can detect or
prevent attacks. StackGuard, for example, is a compiler extension that places a "canary" value
between a function's local buffers and its saved return address; the function checks the canary
before returning and aborts if an overflow has changed it.
• Array Bounds Checking: Checking the boundaries of an array before performing an
operation to prevent writing beyond it.
• Non-Executable Stack: Marking the stack as non-executable stops the classic attack in which
injected code is placed on the stack and executed from there. Attackers respond by reusing
existing code instead (return-to-libc and return-oriented programming), so this must be combined
with other defences.
• Address Space Layout Randomization (ASLR): This technique randomly allocates
memory locations for code and data, making it difficult for an attacker to find the instructions
they need to execute. It relies on the attacker not having a memory-address leak.
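An added example for the arithmetic (signed/unsigned) case, written for these notes rather than taken from them. Python integers do not overflow, so the script uses ctypes to model the C types involved: a 16-bit length field parsed from a constructed packet header, a bounds check performed on a signed int (as in `int len = ...; if (len > BUF_SIZE) reject;`), and the unsigned size that memcpy would actually receive. The buffer size and a 32-bit size_t are assumptions of the example.

```python
import ctypes
import struct

BUF_SIZE = 512   # assumed size of the destination buffer, as in 'char buf[512]'

def parse_length(header):
    """Reads a little-endian 16-bit length from a packet header the way C code
    declaring 'short len' would: 0xFFFF comes back as -1, not 65535."""
    return struct.unpack("<h", header[:2])[0]

def vulnerable_accept(length):
    """Unsafe pattern: bound check on a signed int, then copy with an unsigned size.
    Returns (accepted, bytes_memcpy_would_copy)."""
    n = ctypes.c_int32(length).value        # int len = length;
    if n > BUF_SIZE:                         # signed comparison: -1 > 512 is false, check passes
        return False, 0
    return True, ctypes.c_uint32(n).value    # memcpy(buf, src, (size_t)len): -1 becomes 4294967295

def hardened_accept(length):
    """Fix: treat the length as unsigned before comparing, so every negative value
    is seen as huge and rejected by the same bound."""
    n = ctypes.c_uint32(length).value        # unsigned len = length;
    if n > BUF_SIZE:
        return False, 0
    return True, n

if __name__ == "__main__":
    crafted = b"\xff\xff" + b"A" * 4         # constructed packet: length 0xFFFF, 4 bytes of payload
    n = parse_length(crafted)
    print("parsed length:", n)
    print("vulnerable:", vulnerable_accept(n))   # check passed, copy size is 4294967295
    print("hardened:  ", hardened_accept(n))     # rejected
```

A length of -1 sails through the signed comparison, and the copy that follows would write far past the 512-byte buffer. Comparing as unsigned, or rejecting negative lengths explicitly, closes the gap; compiler warnings for sign comparison (-Wsign-compare in GCC and Clang) flag this pattern at build time.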

Q4. What are Botnets? How are they exploited?


Botnets:
• The word botnet comes from "network of robots". It is a collection of a large number of
infected computers that are under the control of a cybercriminal. Each infected system runs a
piece of software called a "Bot" and the network is also known as a zombie network.
• A botnet's structure includes a Bot-Master, Bot-Managers, and the Zombie army (infected
computers).
Exploitation:
• The hacker, or bot-master, controls the botnet to carry out malicious tasks. In some modern
attacks, the bot-master's role is delegated to and rotated among bot-managers to make them
harder to detect.
• Botnets have four main modules for exploitation:
o Command Module: This module sends commands to the child botnets.
o Control Module: This module controls ownership and decides which bots should
listen to which managers.
o Infection Module: This module finds unpatched or vulnerable machines in a network
and infects them with a copy of the bot, growing the botnet.
o Stealth Module: This module disables antivirus software, achieves root access, and
hides the botnet's footprint on the infected machine to prevent detection.
• Botnets are used to overload organizational networks and hide the origin of the criminals.
They are used to launch large-scale attacks, such as email bombing or DDoS attacks, by
flooding networks with traffic from millions of infected systems.

Q5. What is Phishing and Identity Theft?


Phishing:
• Phishing is a technique used to gain a victim's personal information, generally for the purpose
of identity theft.
• It involves using a form of spam to trick a victim into revealing sensitive information like
online banking details or credit card information.
• Phishing emails often contain lucrative offers or a sense of urgency to trick recipients into
clicking on malicious hyperlinks or attachments that install malware.
Identity Theft (ID Theft):
• Identity theft is a type of online crime that focuses on stealing a person's personal data in
order to impersonate them or to create a false identity.
• This stolen information can include a person's Social Security number, name, address, birth
date, credit card numbers, and medical insurance information.
• Criminals use this information to impersonate the victim, max out their credit cards, rent an
apartment, or commit financial fraud.
• Common techniques used for identity theft include shoulder surfing, dumpster diving, and
using unsecured public Wi-Fi or unencrypted websites.
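Email spoofing (Module 1, Q2) and phishing (above) can both be spotted from the message itself. The following Python script is an added example for these notes, not code from the original: it parses two constructed messages, one phishing attempt and one legitimate notice, and reports the signs a mail filter or an analyst looks for: a From domain that differs from the Return-Path, SPF and DKIM results that did not pass, a link whose visible text shows one domain while its href points to another, and urgency wording. The domains, headers and the simple last-two-labels rule for comparing domains are assumptions of the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail): a phishing attempt and a clean notice.
PHISH = """\
From: "Example Bank Security" <alerts@examplebank.com>
Return-Path: <bounce@mail-examp1ebank.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-examp1ebank.net; dkim=none
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, verify your account immediately:</p>
<a href="http://examplebank.com.login-verify.net/session">https://www.examplebank.com/login</a>
</body></html>
"""

CLEAN = """\
From: "Example Bank" <alerts@examplebank.com>
Return-Path: <bounce@examplebank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in to view it: <a href="https://www.examplebank.com/statements">Statements</a></p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Assumption: the last two labels identify the owner (fine for .com/.net, not for .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def analyze(raw):
    """Returns a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1]
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].split("@")[-1]
    if rp_domain and registrable(rp_domain) != registrable(from_domain):
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append(f"{mech} did not pass ({m.group(1) if m else 'absent'})")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None   # text that looks like a URL
        actual = urlparse(href).hostname or ""
        if shown and registrable(shown) != registrable(actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    if re.search(r"\b(urgent|immediately|suspended)\b", str(msg["Subject"]) + html, re.I):
        findings.append("urgency wording present")
    return findings

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, analyze(raw) or ["no findings"])
```

The phishing sample trips all five checks; the clean notice trips none. In production the Authentication-Results header must come from your own receiving server (an attacker can add a forged one to an inbound message), and the domain comparison should use the public suffix list rather than the two-label shortcut assumed here.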
