Module - 3 Itim Notes

The document discusses the importance of security management in preventing unauthorized access to information, particularly in the context of growing internet and e-commerce usage. It outlines key concepts such as security goals, types of security threats, and various protective measures including antivirus software and cryptography. Additionally, it explains the roles of different malicious programs and the significance of techniques like CAPTCHA in distinguishing between human users and automated programs.

Uploaded by Sachin Saxena

MODULE - 3

Security Management
INTRODUCTION -
Security management prevents unauthorized access to information. It is a significant activity that
controls the provision of information. For many years, security management was given less importance. However, it is
being given more importance nowadays, and in forthcoming years security will be considered one of the most important
activities. Because of the growing day-by-day use of the internet and e-Commerce technologies, the need for internet
security has increased. The growth of the internet has introduced tremendous changes in business activities. More and
more companies depend on their information system, which provides all the information to their partners and
suppliers. Therefore, it is important to know the type of access control and the user rights to be provided. Access
control is essential in order to access the information system securely. In addition, it is also important to know
which components of the company need to be protected. Modern infrastructure allows virtual connection to the
information system, which means that all employees can access the information source from anywhere and at any time.
It also allows a part of the information system to be carried outside the company's secure infrastructure. This
introduces the risk of intrusion and raises some important questions for the business, such as the different types of
risk, the means to cover them and the measures to be taken in the next budgeting round. The higher authorities have to
undertake a thorough risk analysis in order to take these decisions. The output of this analysis should serve as an
input to the system, in order to determine the security requirements.

Security can be defined as preventing unauthorized access, use or modification of the information
system. It also means protection of information and systems. A threat is a type of action that can cause harm, and
vulnerability refers to the level of exposure. In a particular context, the countermeasure is the action taken to
prevent the threat. Risk in terms of security can generally be characterized by the following equation:-

Risk = (Threat x Vulnerability) / Countermeasure

Goals of Security

Security generally tries to ensure that, in an organization, material and software are used only for their intended
purposes. It generally comprises the following five major goals.

Integrity - It ensures that the information cannot be modified in unexpected ways.

Confidentiality - It ensures that the system protects the information from unauthorised users.

Availability - It ensures continuity in providing the information and accessibility at any agreed time.

Non-repudiation - It ensures that operations and activities cannot be denied.

Authentication - It ensures that only authorized individuals have access to the resources.

COMPUTER SECURITY

It refers to protection of a computer, and the information in it, from unauthorised users. It also includes the
policies, procedures, hardware and software tools that are necessary to protect computers and the information
processed, stored and transmitted by those systems. It is measured in terms of the confidentiality, integrity and
availability of the information held by a computer. These three aspects are responsible for effective computer security.

Security Threats

Computer systems are vulnerable to many kinds of threats that can cause various types of damage, which may
result in significant data loss. These range from errors that cause integrity violations in a database to a natural
calamity that can completely destroy entire computer centres. Some threats affect the confidentiality or integrity of
the data, while others affect the availability of the system itself. A threat can arise in many ways: from intentional
modification of sensitive information, from an accidental error or from a natural disaster (flood, storm, fire). Some
of the commonly occurring threats are:-
Malicious Code and Software

Malicious code is a software program that creates threats to computers and the data stored on them. This code
can be in the form of worms, logic bombs, viruses, Trojan horses and other types of software. A virus is a small segment
of code which replicates by attaching copies of itself to existing executable files. When a user executes the new host
program, a new copy of the virus is executed. A worm is a self-replicating program which is self-contained and does not
require a host program. In order to propagate to other host systems, worms commonly utilise network services. A Trojan
horse is a program that performs a desired task but also includes unexpected tasks. Most organizations and institutes
use antivirus software and other protective measures to limit the risk of virus infection.

Hacker and Cracker

A hacker is a person who breaks into computers without authorization. Hackers are actively involved in
computer security and are often non-professionals or programmers without formal training. The threat generated by a
hacker should be considered in terms of the past and potential future damage. Another class of people, called crackers,
also poses a security threat. A cracker is an individual who attempts to access computer systems without
authorisation. Cracking refers to the modification of software to remove protection methods including serial numbers,
copy protection, trial/demo version limits, hardware keys, date checks etc.

Malicious Program

Any computer program or code that is designed to do harm can be termed a malicious program. It does this by
destroying or consuming valuable resources, or by exposing, creating or installing vulnerabilities in a computer system.
These malicious programs are often called viruses, worms, Trojan horses, logic bombs, spyware and so on.

Virus

It is a computer program that can copy itself and infect a computer without the permission or
knowledge of the owner. It executes when an infected program is executed. On MS-DOS systems, these files usually
have the extensions .EXE, .COM or .BAT. A virus attaches itself to a program from an external software source and
easily hides in healthy software. Viruses become destructive as soon as they enter a system, or they wait until
activated by a trigger. A virus has the ability to infect different parts of the computer system. There are different
types of viruses, and some of them are mentioned here. A boot sector virus infects the Master Boot Record (MBR) and the
boot sector on hard disks, floppy disks and other bootable media, such as CDs and DVDs, on a computer system. This type
of virus first moves or overwrites the original boot code with the infected one and then moves the original boot sector
information to another sector on the disk.

Worms

A computer worm is a self-replicating computer program designed to propagate from one computer system to another.
Thus, worms attack systems that are linked through communication lines. Viruses almost always corrupt or devour
files on a targeted computer, while worms always cause at least some harm to the network, such as consuming bandwidth.
To reproduce themselves, worms make use of the network medium, depending on the type of network and systems.
These are:

- Remote login capability, whereby a worm can log into a remote system as a user and then use commands to
copy itself from one system to another.
- Network mail facility, in which a worm can mail a copy of itself to other systems.
- Remote execution capability, in which a worm can execute a copy of itself on another system.

Trojan Horse

The term 'Trojan Horse' comes from ancient Greek mythology. In the war between the Greeks and Troy, the Greek
army besieged the city of Troy but was unable to penetrate inside the city. Therefore, they decided to deceive their
enemies by building a large wooden horse with soldiers hidden secretly inside it and by presenting it as a gift to the
citizens of Troy. At night, the warriors came out of the horse and overran the city. In computer terminology, Trojan
describes a class of computer threats. A Trojan appears to perform a desirable function but, in fact, performs
undisclosed, malicious functions. These programs enter a computer through e-mail or through free programs that are
downloaded from the internet. Once they have safely passed into the computer, they may lie inactive for months before
they are activated or complete control of the computer is given to a hacker. A Trojan allows unauthorized access to the
host machine, giving the intruder the ability to save files on the user's computer or even to watch the user's screen
and to control the computer. It can also be included in software which is downloaded free. Based on the way Trojan
horses violate systems and cause damage, they can be classified into seven major groups:-
- Remote access Trojans
- Data sending Trojans
- Destructive Trojans
- Proxy Trojans
- FTP Trojans
- Security software disabler Trojans
- Denial-of-Service (DoS) attack Trojans

Logic Bomb

This is one of the oldest types of malicious program, and it embeds its code in legitimate programs. Like a bomb, it
explodes when certain conditions are met, destroying data. This could be the destruction or deletion of certain files on
a particular day and at a particular time, and so on. A time bomb is a logic bomb that reacts based on time and date.

Antivirus

It is a software utility which mainly prevents and removes computer viruses, including worms and Trojan
horses. It scans the hard disk for viruses and tries to remove them if found. Such a program may also detect and
remove spyware, adware and other forms of malware. There exist many varieties of strategies.

Signatures refer to searching for known malicious patterns in executable code. However, signatures can only
be updated after new viruses are created, so a user can be infected during the time taken to create and distribute a
signature. In order to counteract such zero-day viruses, heuristics may be used to guess whether a file is truly
malicious. A generic signature is one that searches for known malicious code and uses wildcards to identify variants
of a single virus. An antivirus may also run a program in a sandbox, monitoring it for malicious behaviour. Success
depends on striking a balance between the false accept rate and the false rejection rate; the false accept rate can be
as destructive as the false rejection rate. One faulty virus signature, generated mistakenly, may remove essential
operating system files, leaving a number of personal computers unable to boot. Most antivirus software includes an
auto-update feature that enables the program to download profiles of new viruses, so that it can check for the new
viruses as soon as they are discovered. The most popular antivirus software available are the Norton antivirus and
McAfee antivirus programs.
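As an added illustration (not from the original notes) of how an exact signature, a generic wildcard signature and a faulty over-broad signature behave, the following Python scans constructed byte strings rather than real files; the sample data, signature names and patterns are all made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "files": harmless byte strings standing in for executables.
SAMPLES: Dict[str, bytes] = {
    "clean_tool.exe": b"MZ\x90\x00" + b"\x00" * 16 + b"hello, world",
    "variant_a.exe":  b"MZ\x90\x00" + b"BADCODE-v1-" + b"\xde\xad\xbe\xef" + b"..",
    "variant_b.exe":  b"MZ\x90\x00" + b"BADCODE-v2-" + b"\xde\xad\xbe\xef" + b"..",
    "os_loader.bin":  b"MZ\x90\x00" + b"\xde\xad\xbe\xef" + b"\x00" * 8,  # legitimate file
}


@dataclass
class Signature:
    name: str
    pattern: bytes        # literal bytes, or a regex over bytes when generic=True
    generic: bool = False

    def compiled(self):
        # A plain signature is matched literally; a generic one may contain wildcards.
        body = self.pattern if self.generic else re.escape(self.pattern)
        return re.compile(body, re.DOTALL)


# Exact signature: catches only the variant it was written for.
EXACT_SIG = Signature("Demo.Variant.A", b"BADCODE-v1-\xde\xad\xbe\xef")
# Generic signature: '.' wildcards the version byte, so both variants are caught.
GENERIC_SIG = Signature("Demo.Generic", rb"BADCODE-v.-\xde\xad\xbe\xef", generic=True)
# Faulty signature: too short and unspecific, so it also hits the legitimate loader.
FAULTY_SIG = Signature("Demo.TooShort", b"\xde\xad\xbe\xef")


def scan(samples: Dict[str, bytes], signatures: List[Signature]) -> Dict[str, List[str]]:
    """Return, for each file name, the names of the signatures that matched it."""
    compiled = [(s.name, s.compiled()) for s in signatures]
    return {fname: [name for name, rx in compiled if rx.search(data)]
            for fname, data in samples.items()}


def false_positives(hits: Dict[str, List[str]], known_clean: List[str]) -> List[str]:
    """Files known to be clean that were flagged anyway: the faulty-signature case the notes warn about."""
    return sorted(f for f in known_clean if hits.get(f))
```

A real scanner would quarantine rather than delete on a hit, precisely because a match from a signature like Demo.TooShort can land on an operating-system file.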

Antivirus software has many drawbacks. If it is of the type that scans continuously, antivirus software may
cause a significant delay in performance, or it may ask users to choose an option in a decision which the users may
not understand. Antivirus software generally works at the highly trusted kernel level of the operating system, creating
a possibility of attacks. The effectiveness of antivirus software is a controversial issue. It has been found that the
success rate of major antivirus software in detecting viruses dropped over a one-year period. A virus removal tool is
software that can remove some specific viruses from infected computers. Unlike complete antivirus scanners, it is
usually not intended to detect and remove an extensive list of viruses; rather, it is designed to remove specific
viruses, usually more effectively than normal antivirus software. Examples of this type of software include McAfee
Stinger and the Microsoft Windows Malicious Software Removal Tool, which is run automatically by Windows Update.

Cryptography
When data is transmitted over the network, it passes through a number of intermediate servers before it reaches the
destination. This data is stored on servers for months, and at any stage it is vulnerable to interception. Therefore,
the best way is to use cryptographic techniques. In simple terms, cryptography is the process of altering the original
messages to hide their meaning from opponents who might intercept them. Cryptography can be referred to as
encryption, which is the process of converting plain text into cipher text. The reverse is decryption, which converts
cipher text to plain text. Cryptography relies upon two basic components: an algorithm and a key.

Algorithms are complex mathematical structures and keys are strings of bits. In order to communicate over the internet,
two parties must use the same algorithm and key. Communications through the internet, for example e-mail, may not be
secure if there is no encryption. Hackers may be able to read messages, and even modify the messages, if cryptographic
techniques are not used. There are several categories of cryptographic algorithms, all based on the number of keys
that are used for the encryption and decryption algorithm. Some of the algorithms are discussed here:-

- Secret Key Cryptography (SKC)
- Public Key Cryptography (PKC)
- Hash Functions (HF)
- Digital Signature
Secret Key Cryptography

A single key is used in SKC for both encryption and decryption of data. In this form of cryptography the key
must be known to both the sender and the receiver. If the key is compromised, the security offered by secret key
cryptography is violated. SKC assumes that the two communicating parties trust each other not to disclose the key and
to protect it against modification. SKC is categorized into stream ciphers and block ciphers. Stream ciphers operate
on a single bit at a time, using a different key for each bit. On the other hand, a block cipher encrypts the data
block-wise: it encrypts one block at a time, using the same key. In general, a block cipher always generates the same
cipher text when the same key is used with the same plain text, whereas in a stream cipher the same plain text encrypts
to different cipher text when different keys are used. The sender uses the key to encrypt the plain text and sends the
cipher text to the receiver. In order to decrypt the message, the receiver applies the same key.

Public Key Cryptography

This concept was introduced to solve the problems found in secret key cryptography. Each person in this
technique gets two keys, known as the public and the private key. Each person's public key is publicly known and the
private key is kept secret. Hence, the need for both parties involved in the communication to share secret information
is eliminated. All communication takes place only with the public key, and no communication uses the private key. It
is therefore not necessary to trust the communication channel. Anyone can send confidential information by using
the public key, but the decryption can be done only with the private key, which is the sole asset of the intended
recipient. Public key cryptography can also be used for the authentication (digital signature) of data. The sender uses
the receiver's public key to encrypt the message and, when the receiver receives the encrypted message, he uses his
private key to decrypt the message.

Hash Function

It is also called a message digest, and it is a one-way encryption algorithm that does not use any key to encrypt
or decrypt the message. This technique generates a fixed-length hash value based upon the plain text. The hash
function makes it impossible to recover the contents of the plain text. It provides a digital fingerprint of a file's
contents, in order to ensure that the file has not been changed by an intruder or by any type of virus. It is also used
by many operating systems to encrypt passwords and to preserve the integrity of files.

Digital Signature

A digital signature is a type of asymmetric cryptography that enables the receiver to believe that the one who
sent the message is the claimed person. In many respects, it is equivalent to a traditional handwritten signature. But a
digital signature is more difficult to forge than a handwritten signature, since a digital signature is created and
verified by cryptography, a branch of applied mathematics. It transforms the message into cipher text and back to plain
text. The digital signature uses the public key cryptography technique. It uses two different keys in an algorithm,
but these are mathematically related to each other. One is for digital signature creation and the other key is for
verifying a digital signature. The owner of the digital signature cannot successfully claim that he has not signed a
message. Hence, the digital signature may be used for non-repudiation.

Digital signature creation: It applies a hash function to the given message and uses a private key to create a digital
signature.

Digital signature verification: A signature verifying algorithm checks the message with the help of the public key and
the digital signature.
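To make the hash-function, signature-creation and signature-verification steps above concrete, here is an added Python example (not part of the original notes) using SHA-256 as the message digest and textbook RSA with constructed, deliberately small demo primes; the key sizes, the signer and verifier names and the message are all invented for the example.

```python
import hashlib
from math import gcd
from typing import Tuple

# Constructed demo primes: real keys use primes of hundreds of digits; these are only
# large enough that Python's big integers keep the arithmetic exact and easy to follow.
DEMO_P = 1000000007
DEMO_Q = 998244353
PUBLIC_EXPONENT = 65537

Key = Tuple[int, int]   # (modulus n, exponent)


def make_demo_keypair(p: int = DEMO_P, q: int = DEMO_Q, e: int = PUBLIC_EXPONENT) -> Tuple[Key, Key]:
    """Textbook RSA: returns (public key (n, e), private key (n, d)); the two are mathematically related."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be invertible modulo phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def message_digest(message: bytes, n: int) -> int:
    """Fixed-length one-way fingerprint of the message (SHA-256), reduced to fit the modulus.

    Reducing mod n is a demo simplification; real schemes pad the digest instead.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def create_signature(private_key: Key, message: bytes) -> int:
    """Signature creation: hash the message, then apply the private key to the digest."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify_signature(public_key: Key, message: bytes, signature: int) -> bool:
    """Signature verification: undo the private-key step with the public key and compare digests."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def demo() -> Tuple[bool, bool, bool]:
    """Sign a constructed message and show: genuine verifies, tampered fails, wrong signer fails."""
    alice_public, alice_private = make_demo_keypair()
    bob_public, _ = make_demo_keypair(p=1000003, q=1000033)   # a second, unrelated demo key pair
    message = b"Transfer 100 units to account 42"
    sig = create_signature(alice_private, message)
    return (verify_signature(alice_public, message, sig),
            verify_signature(alice_public, b"Transfer 900 units to account 42", sig),
            verify_signature(bob_public, message, sig))
```

The third result is the non-repudiation point of the notes: the signature verifies only under the public key that is paired with the private key used to create it, so the signer cannot later deny it.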

CAPTCHA

It is a computer program that can tell whether its user is a human or a computer. It is an acronym for
"Completely Automated Public Turing test to tell Computers and Humans Apart". On modern computers, a robot or an
automated program generates undesired information on web pages and websites; automated programs are written to generate
spam. In order to prevent abuse generated by robots or any other programs, CAPTCHAs are used. A CAPTCHA uses the simple
concept that computer programs are not intelligent: they cannot read distorted images or text as well as a human can.
Hence, a robot or any automated program cannot navigate websites protected by CAPTCHAs. Most of us have probably seen
CAPTCHAs when filling in web registration forms, which display colourful images with distorted text at the bottom of
web pages.

A CAPTCHA (or Captcha) is a type of test in computing to make sure that the response is not generated by a
computer. A CAPTCHA is a program that generates images that a human can understand but a program cannot. It uses
these images as the test images and grades the responses to verify whether the user is a human or a computer. A common
type of CAPTCHA requires that the user types the letters or digits from a distorted image that appears on the screen.
This process involves one server, which asks the user to complete a simple test and which is able to take a decision.
A user entering a correct solution is assumed to be human. This looks like a reverse Turing test, in contrast to the
standard Turing test. The standard Turing test is typically administered by a human and targeted at a machine, whereas
the reverse Turing test is administered by a machine and targeted at a human. The following are the various applications
of CAPTCHA:-

Website Registration - Protecting website registration is one of the most important applications of CAPTCHA. Most
of the server machines which offer free email services have suffered from a specific type of attack. One of the most
important attacks is automatic sign-up: automated computer programs which would sign up for thousands of email
accounts every minute. One of the solutions is the use of CAPTCHA to make sure that the sign-up is not performed by
automated programs.

Preventing Spam - Comment spam is an automated program that submits bogus comments for the purpose of raising
the search engine rank of some website. The solution to this type of problem is to make use of CAPTCHA. If we can
avoid the user sign-up methodology for entering comments, it may help in avoiding bogus comments. It also makes sure
that only humans are the users.

E-mail Worms and Spam - CAPTCHA can be used to prevent email worms and spam. CAPTCHA is used because it
accepts the emails only if it knows that humans are the composers. Otherwise, it simply ignores those mails.

Dictionary Attacks - In a password system, use of CAPTCHA prevents dictionary attacks. If the login is not
successful after a certain number of attempts, a CAPTCHA is required, and a computer is prevented from being able to
continue, by assuming that the user is not a human but some automated program attempting to log in.
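An added Python sketch (not from the notes) of the dictionary-attack countermeasure described above: the login guard counts failed attempts per account and, after an assumed threshold of three, refuses to check further passwords until a solved CAPTCHA is presented. The credential store, threshold and outcome strings are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed threshold; the notes only say "a certain number" of failed attempts.
MAX_FAILURES_BEFORE_CAPTCHA = 3


def _fingerprint(password: str) -> str:
    # Stand-in for a proper salted, slow password hash; plain SHA-256 keeps the demo self-contained.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class LoginGuard:
    fingerprints: Dict[str, str]                          # username -> password fingerprint
    failures: Dict[str, int] = field(default_factory=dict)  # username -> consecutive failures

    @classmethod
    def from_plain(cls, creds: Dict[str, str]) -> "LoginGuard":
        """Build a guard from a constructed {username: password} store."""
        return cls({u: _fingerprint(p) for u, p in creds.items()})

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILURES_BEFORE_CAPTCHA

    def attempt(self, username: str, password: str, captcha_solved: bool = False) -> str:
        """Return 'ok', 'denied' or 'captcha_required'.

        Once the threshold is reached the password is not even checked until the caller
        proves a human solved the CAPTCHA, so an automated guesser makes no further progress.
        """
        if self.captcha_required(username) and not captcha_solved:
            return "captcha_required"
        if self.fingerprints.get(username) == _fingerprint(password):
            self.failures.pop(username, None)          # a success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


def outcomes_without_captcha(guard: LoginGuard, username: str, guesses: List[str]) -> List[str]:
    """Outcome of each guess when no CAPTCHA is ever solved, i.e. what an automated program sees."""
    return [guard.attempt(username, g) for g in guesses]
```

Note that the counter is keyed on the account, so the block applies even when the guesses come from many different addresses.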

INTERNET SECURITY
The internet is growing faster than any telecommunication system, including the telephone system. For
intruders, the internet and internal networks are the targets for attacks on systems. New internet sites, in particular,
are often prime targets for malicious activity, including file tampering, service disruption and tampering. Information
experts and security practitioners must be aware of the risk of computer security incidents from the internet and the
steps that they can take to secure public and private sites. This section discusses the management and technical
concerns related to telecommunication and network security.

The Open System Interconnection (OSI) Reference Model


The OSI reference model is a model for network communications. The International Standards Organization (ISO)
developed OSI in the early 1980s to promote interoperability of network devices. Its basic structure divides the
network architecture into seven layers, named the Application, Presentation, Session, Transport, Network, Data
Link and Physical layers. Therefore, it is also referred to as the OSI Seven Layer Model. A layer is a collection of
functions that provides services to the layer above and receives services from the layer below. This is known as
layered communication. Each of the layers is an instance providing service to the layer above it. Hence, it is also
known as computer network protocol design. Each of the layers is briefly explained below:-

Application Layer- This layer is responsible for a specific application. It is also known as the end-user process
layer. It is responsible for user authentication, identification of the partners and for providing the quality of
service. This layer provides application services for file transfer, email and other network services. Telnet and FTP
are applications that exist completely at the application level. It is also responsible for identifying constraints
in the data syntax.

Presentation Layer- This layer is responsible for translating the application-specific format to the network-specific
format and vice versa. Its function is to make the data understandable to the application layer. Before sending the
data into the network, it encrypts the data according to the standard format. Hence, it is also known as the syntax
layer.

Session Layer- This layer is responsible for the end-to-end connection. The protocol that maintains this property is
known as three-way handshaking. It is responsible for initiating, maintaining and terminating the connection. It
properly maintains the session between two terminals. It is also responsible for set-up, exchange of data and
termination of the connection between two terminals.

Transport Layer- This layer is responsible for transferring the data between two end systems or between two hosts
and is also responsible for end-to-end error recovery and flow control. It ensures completion of the data transfer.

Network Layer- This layer takes care of the responsibilities of switching and routing technologies. In order to
transfer the data, it establishes the path between two terminals. This logical path is known as a packet-switched
network. The major functions of this layer are the routing and forwarding of packets between the nodes. It is also
responsible for data fragmentation, congestion control and error handling.

Data Link Layer- This layer receives the bits from the physical layer enclosed in a standard format known as data
packets. The data link layer is divided into two sub-layers: the Medium Access Control (MAC) layer and the
Logical Link Control (LLC) layer. The MAC sub-layer encodes the bits into a data packet and provides permission
to transmit it. The LLC sub-layer controls error checking, frame synchronization, flow control and error control.

Physical Layer- This layer is responsible for converting an electrical impulse, light or radio signal into a bit stream.
It converts any form of signal into a carrier signal and sends it via a physical medium such as cable, cards, etc. It
provides the hardware means for sending and receiving the data. It operates at the low level of signals that only the
machine can understand, known as binary digits (bits).

Security for the OSI Model


ISO has in fact identified the following security services to protect networks from attack:-

Authentication - Access to documents can be restricted in two ways. One of them is to use a username and password.
This is referred to as "user authentication" and requires the creation of a file of user IDs and passwords and the
definition of critical resources on the server.

Access Control- Restricting access based on something other than identity is called access control.
It allows or denies access to network services or resources based on host name or address.

Logging and Monitoring- These services enable the security specialist to observe system activity during and after the
fact, by using monitoring and logging tools. This includes operating system logs, server records, application log
errors and warnings, and network switch and router traffic between network segments.

Data Integrity- The aim is to secure the data from accidental or malicious modification occurring during data transfer,
data storage or an operation performed on it, and to preserve it for its intended use.

Non-repudiation- This is to guarantee that neither the sender nor the receiver can deny their operations or activities
at a later stage.

Data Confidentiality- It protects data from unauthorized users. It consists of two components. The first one is content
confidentiality and the second one is message flow confidentiality. Content confidentiality protects the plain text
from unauthorized users; encryption is the technique for content confidentiality. Message flow confidentiality protects
the information from being observed or modified by unauthorized users; the digital signature is the technique for
message flow confidentiality.

TCP/IP Reference Model


TCP/IP is based on a four-layer reference model. Each TCP/IP layer corresponds to one or more layers of
the seven-layer Open Systems Interconnection (OSI) reference model proposed by the International Standards
Organization (ISO). All protocols that belong to the TCP/IP protocol suite are located in the top three layers of this
model.

Application Layer- It defines the interface between the application and the transport layer. This layer is
application-specific. Remote login permits a user to log into a remote machine and work there; this enables a virtual
connection between two terminals. In order to transfer files from one machine to another, electronic mail was initially
used. Later, a specialized protocol was developed for it, known as the File Transfer Protocol (FTP). The File Transfer
Protocol transfers data efficiently between two terminals. Other well-known application protocols are HTTP, Telnet,
TFTP, SNMP, DNS, SMTP and X Windows.

Transport Layer- It is responsible for maintaining the session between the host computers. The session has to be
maintained until the two machines finish the operation. In order to create the session, this layer specifies
two end-to-end protocols, known as TCP and UDP.

    TCP (Transmission Control Protocol) - It is also known as a reliable, connection-oriented protocol. It is reliable
    because it transmits the data without error. It maintains the connection until it has transmitted all the
    data from one machine to another. It divides the data into small segments and passes them to the internet layer,
    which encloses the data in the form of data packets. TCP deals with flow control to make sure that a fast sender
    cannot overwhelm a slow receiver. At the destination, it collects the packets which arrive out of sequence and
    reassembles the data into its original form.

    UDP (User Datagram Protocol) - It is also known as an unreliable, connectionless protocol. UDP is used in some
    applications where the sequencing order in which packets are received is not required, so it may be used for
    client-server type request-reply queries between the nodes. Also, it does not control the flow while the data
    is being transmitted.

Internet Layer- A packet-switching network depends upon a connectionless internetwork layer. The internet layer
specifies an official packet format and protocol, known as the Internet Protocol (IP), whose major goal is to control
the movement of data and to avoid congestion; routing and switching are the means used to do so. The function of the
internet layer is to insert the packets into a network in any order. The packets are known as IP datagrams, and each
contains a source and a destination address. This information is used to forward the datagram between hosts and across
networks. At the destination, the packets may arrive in a different order from the order in which they were sent;
based on the sequence number, they are rearranged at the destination. For this reason, it is said that the TCP/IP
internet layer performs the same function as the OSI network layer. Other well-known internet layer protocols are IP,
ICMP, ARP and RARP.

Network Interface Layer- This layer varies from host to host and network to network. It corresponds to the physical
layer of the OSI model. It transforms the signal into bits and transmits the bits through a physical medium such as
coaxial cable, optical fibre or twisted-pair copper wire. Other well-known network interfaces are Ethernet, Token Ring,
FDDI, X.25, Frame Relay, RS-232 and V.35.

Security for the TCP/IP Model


The following are the security devices and techniques used for protecting the TCP/IP five-layer architecture model:

Routers- A router is a network traffic management device designed to forward packets. It consists of hardware
(hubs) and software (routing table) to implement the task of forwarding packets. Different routing algorithms play
a role in delivering the packets by the shortest path. The term "layer 3 switch" is frequently used interchangeably with
router. For example, on the internet, information is directed along various paths by routers. Routers sit at
intermediate nodes in the network, connecting Local Area Networks (LANs), and forward each packet to its intended
destination.

Firewall- A firewall in a system is designed to prevent unauthorised access to or from a private network. It is a
part of a computer system or network that blocks unauthorised access while permitting authorised access. Firewalls can
be implemented in hardware, in software or in a combination of both. The goal of a firewall is to block access to the
network by unauthorised users; it is especially designed to protect the intranet. It is a device configured to permit,
deny or proxy all computer traffic between different security domains, based upon a set of rules and other criteria.
All traffic messages entering or leaving the intranet pass through the firewall. It examines each message and permits it
only if it meets the security criteria, and denies it if it does not. There exist several types of firewall techniques,
and the following subsections explain the techniques in detail:

Packet Filtering- It is also referred to as static packet filtering. Packet filtering is one of the techniques for
implementing security firewalls. It controls access to a network by analysing the incoming and outgoing packets.
Based on the source and destination IP addresses, it either halts the packets or passes them into the network. Packet
filtering is fairly effective and transparent to users, but it is difficult to configure.
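The decision a static packet filter makes can be written down as an ordered rule list. The following is an added example (not code from the original notes): each rule matches on source and destination address ranges, protocol and destination port, the first matching rule decides, and anything no rule permits is dropped. The intranet range 10.0.0.0/8, the web server address 10.0.0.80 and the sample packets are constructed for the example.

```python
# Added example (not code from the original notes): a static packet filter
# that decides on each packet from its source/destination address, protocol
# and destination port. Rules are evaluated top to bottom, first match wins,
# and anything no rule permits is dropped (default deny).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str                        # source IP address
    dst: str                        # destination IP address
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # destination port (None for ICMP)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR block of matching sources
    dst: str = "0.0.0.0/0"           # CIDR block of matching destinations
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for one packet; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set for a hypothetical intranet 10.0.0.0/8 that hosts one
# public web server at 10.0.0.80 (addresses are illustrative assumptions).
RULES = [
    Rule("permit", dst="10.0.0.80/32", proto="tcp", dport=80),    # inbound HTTP
    Rule("permit", dst="10.0.0.80/32", proto="tcp", dport=443),   # inbound HTTPS
    Rule("deny",   dst="10.0.0.0/8",   proto="tcp", dport=23),    # never telnet inwards
    Rule("permit", src="10.0.0.0/8"),                             # anything outbound
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "10.0.0.80", "tcp", 80),
                Packet("203.0.113.5", "10.0.0.80", "tcp", 22),
                Packet("10.0.1.7", "198.51.100.9", "udp", 53)):
        print(pkt, "->", filter_packet(RULES, pkt))
```

Rule order matters: the telnet deny is placed before the broad outbound permit so that an internal host cannot reach the server on port 23 either, which is the kind of ordering mistake that makes packet filters "difficult to configure".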

Application-level Gateway- It allows the network administrator to implement stricter security policies compared to
the method adopted by packet filtering routers. It can provide proxy services for some application protocols. Such
application protocols include FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), HTTP (Hypertext
Transfer Protocol) and Telnet. These types of firewalls perform traffic monitoring on the host system and notify an
operator under some defined conditions. They may also be instructed to produce sound alarms based on some events.
Note that a separate proxy must be installed for each application-level service. Application-level gateways are
generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities. Such a
gateway not only evaluates the IP addresses of the server but also looks at the data in the packets for corruption and
alteration. An application gateway is normally implemented on a separate computer on the network whose primary
function is to provide proxy service. With proxies, security policies can be much more powerful and flexible since the
administrator makes use of the packet information to define the rules. These rules determine how packets are handled
by the gateway.
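What distinguishes an application-level gateway from a packet filter is that it reads the application data itself. The following added example (not code from the original notes) shows the kind of check an HTTP proxy applies before forwarding a request: it parses the request line and headers, rejects malformed requests, restricts the HTTP method, and only proxies to hosts on an allow-list. The method set, host allow-list, header size limit and the sample requests are constructed assumptions.

```python
# Added example (not from the original notes): the per-application check an
# application-level gateway applies to HTTP before proxying a request. Unlike a
# packet filter it reads the application data, so it can reject a malformed
# request line, a disallowed method or a Host that is not in the allow-list.
from typing import Dict, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                        # assumed policy
ALLOWED_HOSTS = {"intranet.example.com", "docs.example.com"}     # constructed allow-list
MAX_HEADER_BYTES = 8192                                          # assumed gateway limit


def inspect_http_request(raw: bytes) -> Tuple[str, str]:
    """Return ('permit'|'deny', reason) for one raw HTTP/1.x request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "incomplete request header block"
    if len(head) > MAX_HEADER_BYTES:
        return "deny", "request headers too large"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "deny", "non-ASCII bytes in headers"

    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "deny", "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return "deny", "method %s not allowed" % method
    if "../" in target:
        return "deny", "path traversal sequence in request target"

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # reject empty names and obsolete line folding (leading whitespace)
        if not colon or not name or name != name.strip():
            return "deny", "malformed header line"
        headers[name.lower()] = value.strip()

    host = headers.get("host")
    if host is None:
        return "deny", "missing Host header"
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        return "deny", "host %s not permitted" % host
    return "permit", "%s %s to %s" % (method, target, host)


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
BAD_METHOD = b"DELETE /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"
BAD_HOST = b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n"
TRAVERSAL = b"GET /../../private/config HTTP/1.1\r\nHost: docs.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD_REQUEST, BAD_METHOD, NO_HOST, BAD_HOST, TRAVERSAL):
        print(inspect_http_request(req))
```

Because every decision is taken on parsed fields rather than on addresses alone, the same gateway can be extended with further application-specific rules (for example a size limit on POST bodies) without touching the packet filter in front of it.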

Circuit Level Gateway- It is another type of firewall. All internal computers establish a 'virtual circuit' with the proxy
server. It applies some security mechanism when the connection is established between the two terminals. Once the
connection has been made, packets can flow between the hosts. This type of proxy server provides a controlled
network connection between internal and external systems. The proxy server performs all communications with the
internet. External computers only see the IP address of the proxy server and never communicate directly with the
internal clients.

PHYSICAL SECURITY

The connection between physical systems (computer hardware) and logical systems (the software that runs on it)
means that, in order to protect logical systems, the hardware on which they run must be physically secured.
Controlling physical security involves protecting sites from natural and man-made physical threats. Physical security
involves deterring and preventing attacks that seek access to resources or to valuable information stored on a
physical medium. It also covers structural design that resists various hostile acts. It deals with who has access to
buildings, computer rooms and the devices within them. Physical devices can be protected from unauthorised contact
through proper guidance and by developing and implementing security plans.

Physical Security Threats-

The site selection depends heavily on a list of potential physical security threats for a given location. The goal of
identifying these threats is to provide assured, uninterrupted business and service, reduce the risk of physical damage
to a site from natural or man-made causes, and reduce the risk of both internal and external theft. The major categories
of physical security threats are:

• Weather: hurricanes, floods, fire, snow, ice, heat, cold, humidity.
• Earth movement: earthquakes, mudslides.
• Structural failure: building collapse.
• Fire/chemical: explosions, toxic waste/gases, smoke, fire.
• Energy: loss of power, radiation, magnetic wave infrastructure.
• Biological: virus, bacteria, infestations of animals or insects.

IDENTITY MANAGEMENT

Identity management is a discipline which encompasses all tasks required to create, manage and delete user identities
in a computing environment. It identifies the individuals in a system and restricts their access to the system. The driver
licensing system is an example of identity management: drivers are identified by their licence numbers and the user's
particulars are linked to that identifying number. Identity management is used in computer systems to automate
administrative processes, such as adding or removing access to specific systems, resetting a lost password followed by
a change of password, and enforcing periodic changes of password to increase network security. Enabling users to
reset their own passwords can save significant money and resources, because a large percentage of help desk calls
are password-related issues. Another way of thinking about identity management is to imagine an enormous blueprint
of an office building. It clearly defines the rooms into which each person working in the building can enter. It also
explains what kind of key each person would need to open the door to get into that room. A computer system is
similar to the building, and each room represents a file, database or application on that network. The employees
working in the system are the users. The keys are the privileges given by the administrator to each person working on
the system, such as access to a file, database or application. The key distribution also determines what they can do
while accessing a specific file or application. Like physical security, identity management is the most essential
component of the information protection that an organisation uses. In the context of online access systems, identity
management can be viewed through the following models:-

The Pure Identity Model- It deals with the creation, management and deletion of identities.

The User Access (log-on) Model- It allows users to register, log in and log out. For example, a smart card and its
associated data are used by a customer to log on to a service.

The Service Model- It deals with the system that delivers online, personalised, on-demand and role-based services to
users and their devices.

ACCESS CONTROL SYSTEM

Access management is a collection of mechanisms that work together to create a security architecture to protect the
assets of an information system. The main goal of access management is personal accountability, to prove that
someone has performed a computer activity at a specific point in time. Every business has the need to define how to
protect its systems from any unauthorised disclosure. In order to protect the information, companies define policies
that allow access to specific types of business or personal information. Access management is the heart of an
Information Technology based security system and is needed to meet the major goals of information security:
confidentiality and integrity.

There are a few terms that are required to understand the principle of access management. Some of these
terms are discussed below:-

Mandatory Access Control (MAC) The system which uses MAC has to decide who gains access to information,
based on the concepts of subjects, objects and labels. MAC is primarily used by the military and the government.
Under MAC, all the resource accessibility is controlled by the system administrator. Actually, MAC deals with the
hierarchical approach in providing access to the system resources. As such, all access to resource objects is strictly
controlled by the configuration set by the system administrator and the users cannot change the access control under
the MAC.

• Subjects: The people who are granted a clearance to access an object within the information system.
• Objects: The elements that are being protected from use or access within the information system.
• Labels: This is the mechanism that binds objects with the subjects. A subject's clearance permits access to an
object based on the labelled security protection assigned to that object.

Note- MAC assigns security labels to all the resource objects on the information system. A label contains two
components, known as classification and category.
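The subject, object and label vocabulary above can be turned into a concrete access decision. The following is an added example (not code from the original notes): each label carries the two components the note names, a classification level and a set of categories, and a clearance "dominates" a label when its level is at least as high and its categories cover the label's categories. The read and write rules follow the Bell-LaPadula model (an assumption, since the notes name no specific MAC model): no reading above one's clearance and no writing below it. The users, objects and labels are constructed.

```python
# Added example (not from the original notes): a mandatory access control
# decision using subjects, objects and labels. Each label carries the two
# components the text names, a classification level and a set of categories.
# The read/write rules follow the Bell-LaPadula model (an assumption; the notes
# name no specific MAC model): a subject may read an object only if its
# clearance dominates the object's label, and may write only if the object's
# label dominates its clearance, so information never flows downwards.
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers all of other's categories."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def mac_decision(subject_clearance: Label, object_label: Label, operation: str) -> bool:
    """Decide a read or write request; any other operation is refused."""
    if operation == "read":
        return subject_clearance.dominates(object_label)      # no read up
    if operation == "write":
        return object_label.dominates(subject_clearance)      # no write down
    return False


# Constructed labels assigned by the administrator; users cannot alter them.
CLEARANCES = {
    "alice": Label("secret", frozenset({"finance", "hr"})),
    "bob": Label("confidential", frozenset({"finance"})),
}
OBJECTS = {
    "payroll.xlsx": Label("confidential", frozenset({"finance", "hr"})),
    "budget.xlsx": Label("confidential", frozenset({"finance"})),
    "strategy.doc": Label("top secret", frozenset({"finance", "hr"})),
}


def can(user: str, obj: str, operation: str) -> bool:
    """Apply the MAC decision to a named user and object from the tables above."""
    return mac_decision(CLEARANCES[user], OBJECTS[obj], operation)


if __name__ == "__main__":
    for user, obj, op in (("alice", "payroll.xlsx", "read"), ("bob", "payroll.xlsx", "read"),
                          ("alice", "strategy.doc", "read"), ("alice", "budget.xlsx", "write")):
        print(user, op, obj, "->", can(user, obj, op))
```

Note that bob is denied payroll.xlsx even though his level (confidential) matches the file's: the category check fails because the file also carries the "hr" category. That is the point of the second label component, a level alone is not enough.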

Biometric Techniques
Traditionally, authentication is mainly performed using two kinds of techniques- possession-based and knowledge-
based. These techniques are briefly described below:-

• Possession-based- It is based on some token which the user possesses. Some common examples of
possession-based tokens are keys, smart cards, etc. In this type of authentication, security is compromised if
the token is lost.
• Knowledge-based- It is based on a token which the user knows. Passwords and PINs are very common examples of
knowledge-based tokens. In this case, the user has to remember the token to confirm his or her identity. Even
though it appears a better solution than the possession-based method, it has some limitations. In order to
protect the token, encryption algorithms have been used. Even if the best possible encryption algorithm
is used, the whole concept is based on a key. If the key is too short, it may be possible to crack it by a number of
attempts. But if the key is too complicated, it is difficult to remember and the common user may have to keep
it written somewhere, which is prone to loss or theft.

Biometrics Applications

The primary applications of biometric systems include governmental applications in the areas of national security, e-
governance, national-level cards such as voter ID, PAN, National ID, driving licence, social security benefits, etc.
Some of the major biometric applications are discussed here:-

Authentication Systems- Biometrics is integrated with large-scale systems used for various purposes such as driver
licensing, surveillance, identity cards, health and benefits issuance. There are many applications where there is a
requirement for unique identification, and biometrics serves this purpose well. Transactional verification has also
emerged in various public and private sector environments where biometrics-based solutions are helpful.

Network Security- As increasingly valuable information is made available to people via networks, the danger
associated with unauthorised access to sensitive data is growing larger. Protecting this information over a network using
a password is problematic since the password can be easily compromised. In this kind of application, biometric-based
security might be a good option.

Combating Cybercrimes- Though information technology's positive impacts on individuals and businesses are
considerable, cybercrime continues to represent one of the greatest threats in the digital world. It is emerging as an
international problem and a major concern for anyone who manages or accesses computer systems connected to the
World Wide Web (WWW). Advances in biometric technology hold promise for solving this problem by offering users
greater protection. Use of biometrics and smart cards has curbed the threat of cybercrime to some extent.

INTRUSION DETECTION
An Intrusion Detection (ID) system tries to detect an intruder breaking into the system or an unauthorised user
misusing the system resources. The ID system operates continuously on the system, working in the background, and
notifies only when something considered suspicious or illegal is detected. An ID system collects and analyses
information from various areas within a computer or a network to detect a possible security violation, which includes
both intrusions (outside intruders) and misuse (inside intruders). ID uses sensitivity assessment (sometimes referred to
as scanning), which is a technology used to assess the security of a computer system or network. The goal of an
ID system is to identify any malicious programs that can violate the security of a computer system. That means it
identifies malicious behaviour on the system, like unauthorised logins and access to system resources, host-based
attacks such as modifying user privileges, application attacks and all types of malicious programs. The functions of
intrusion detection are as follows:-

• Monitoring and analysing both user and system activities.
• Analysing system configurations and vulnerabilities.
• Assessing system and file integrity.
• Recognising patterns typical of attacks.
• Analysing abnormal activity patterns.
• Tracking user policy violations.

An ID system is composed of several parts, the most important being (i) sensors to generate security alerts, (ii) a
console to control the sensors and to monitor events and triggers and (iii) a central engine that uses a system of rules
to generate alerts from the security events received and records the events logged by the sensors in a database. The
ID system follows a two-step process:

Active Component-This type of mechanism is set in place to reenact known methods of attack and to record system
responses.

Passive Component-This type of component includes activities such as inspection of the system's configuration files
and password files, to detect inadvisable settings and passwords. It also inspects the other system files to detect policy
violation.
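The sensor/engine split described above, and three of the listed ID functions (recognising attack patterns, tracking privilege changes, assessing file integrity), can be exercised on a handful of log lines. The following is an added example (not code from the original notes): a sensor turns raw lines into events, an engine keeps every event in an in-memory list standing in for the database and applies rules to raise alerts. The log format, the regular expressions, the thresholds and every log line are constructed for the example.

```python
# Added example (not from the original notes): the sensor/engine split of an
# intrusion detection system run over constructed log lines. The sensor turns
# raw lines into events, the engine records every event (the "database") and
# applies rules to raise alerts: repeated failed logins from one source,
# modification of a user's privileges, and a changed file hash.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log formats (assumed; real syslog lines differ).
FAILED_RE = re.compile(r"^(\S+) (\S+) sshd: Failed password for (\S+) from (\S+)$")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : .*COMMAND=(.+)$")
INTEGRITY_RE = re.compile(r"^(\S+) (\S+) integrity: (\S+) hash changed$")
PRIV_CMD_RE = re.compile(r"usermod\b.*-aG (sudo|wheel)\b")   # adds a user to an admin group


def sensor(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into an event, or None if it is not of interest."""
    m = FAILED_RE.match(line)
    if m:
        return {"time": m[1], "host": m[2], "type": "failed_login", "user": m[3], "src": m[4]}
    m = SUDO_RE.match(line)
    if m:
        return {"time": m[1], "host": m[2], "type": "sudo", "user": m[3], "cmd": m[4]}
    m = INTEGRITY_RE.match(line)
    if m:
        return {"time": m[1], "host": m[2], "type": "integrity", "path": m[3]}
    return None


class Engine:
    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
        self.threshold = threshold                 # failed logins per source before alerting
        self.window = window                       # sliding window for the count
        self.events: List[Dict[str, str]] = []     # stands in for the event database
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    def process(self, ev: Dict[str, str]) -> List[str]:
        self.events.append(ev)
        alerts: List[str] = []
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "failed_login":
            q = self.failures[ev["src"]]
            q.append(t)
            while q and t - q[0] > self.window:    # forget failures outside the window
                q.popleft()
            if len(q) >= self.threshold:
                alerts.append("brute_force: %d failed logins from %s" % (len(q), ev["src"]))
                q.clear()                          # alert once per burst, not on every later line
        elif ev["type"] == "sudo" and PRIV_CMD_RE.search(ev["cmd"]):
            alerts.append("privilege_change: %s ran %s" % (ev["user"], ev["cmd"]))
        elif ev["type"] == "integrity":
            alerts.append("file_integrity: %s on %s changed" % (ev["path"], ev["host"]))
        return alerts


def run_engine(lines: List[str]) -> Tuple[List[str], List[Dict[str, str]]]:
    """Feed lines through the sensor into the engine; return (alerts, logged events)."""
    engine = Engine()
    alerts: List[str] = []
    for line in lines:
        ev = sensor(line)
        if ev is not None:
            alerts.extend(engine.process(ev))
    return alerts, engine.events


# Constructed log lines (not real captured logs).
LOG_LINES = (
    ["2024-03-01T09:00:01 host1 cron: nightly backup finished"]          # ignored by the sensor
    + ["2024-03-01T09:00:%02d host1 sshd: Failed password for root from 203.0.113.9" % s
       for s in range(2, 8)]                                               # six failures in six seconds
    + ["2024-03-01T09:00:30 host1 sshd: Failed password for alice from 198.51.100.4",
       "2024-03-01T09:01:10 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG sudo bob",
       "2024-03-01T09:02:00 host1 integrity: /etc/passwd hash changed"]
)

if __name__ == "__main__":
    found, logged = run_engine(LOG_LINES)
    print("%d events logged, %d alerts" % (len(logged), len(found)))
    for a in found:
        print(a)
```

The single mistyped password from 198.51.100.4 produces no alert, which is the difference between a threshold rule and a rule that fires on every failure; tuning that threshold and window is most of the day-to-day work of running an ID system.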

Types of Intrusion Detection Systems -

The following types of intrusion detection systems exist. Each has a distinct approach to monitoring and securing
data, and has distinct advantages and disadvantages.

Host-based Intrusion Detection System- It identifies intrusions by analysing system calls, application logs, file
system modifications and other host activities.

Protocol-based Intrusion Detection System- It monitors and analyses the communication protocol which is used
between connected devices. It sits at the front end of a server.

Hybrid Intrusion Detection System- It is a combination of two or more approaches. The network information is
combined with the host agent information to form a comprehensive view of the network.

Network Intrusion Detection System- It gains access to network traffic by connecting to a hub or network tap. By
examining network traffic and monitoring multiple hosts, it detects the existence of any intrusions.

Application Protocol-based Intrusion Detection System- It deals with application-specific intrusions. It includes
functions such as monitoring and analysing the application-specific protocols. For example, in a web server, this
could monitor the SQL-specific protocols which are specifically designed for the middleware/business logic, as it
transacts with the database.

IT ETHICS
INTRODUCTION -
When we are talking about Information Technology (IT), its infrastructure and management, it
becomes very important to discuss the ethical aspects of IT. This chapter deals with the legal issues related to security
and privacy in IT with special emphasis on intellectual property rights and privacy. This is an exciting period where
the popularity of computers and the availability of internet connections provide unparalleled opportunities for people to
communicate and interact with each other. Although the majority of users utilise the internet as a greatly beneficial
tool for communication and education purposes, some individuals misuse the power of the internet for felonious and
unlawful activities.

In the present time, our society has become an information society and we are living in the era of information. There
are many ethical challenges that one faces in this age of information, and many of these ethical issues are critical
in nature. Richard Mason¹ has pointed out four ethical issues in the information age. These are summarised by means
of the acronym PAPA:-

Privacy - As the technology around us increases, it creates more threats to our privacy. In this information age,
people, in fact, do not clearly know what information they should reveal to others about themselves, under what
conditions and with what protection measures. Also, sometimes they have no idea about the things that they can keep
to themselves and should not be forced to reveal to others.

Accuracy -Internet contains plenty of information but it does not have any check on the accuracy of the information.
In most of the cases, it is not known who is responsible for the authenticity, fidelity and accuracy of information. Also,
sometimes it is very difficult to determine as to who should be held accountable/ responsible for incorrect information.

Property - It is required to know the true owner of the information and whether he has the right of intellectual
property. It is unethical to copy information without taking permission. For example, it is not correct to
download and use an image from a webpage without permission and/or acknowledging the source.

Accessibility-Ethical issues of access to information are very important. It is important to know what information a
person or an organisation has privilege to see or obtain and what are the conditions for which he has been allowed to
see or obtain such information.

The term 'cyber ethics' refers to a code of safe, secure and responsible behaviour for the internet
community and is concerned with the safe use of the internet. Acceptable behaviour on the internet is similar to that in
day-to-day life. Some common examples of violation of cyber ethics are given below:

1. Plagiarism: It refers to copying of information from the internet and using it without proper acknowledgement or
permission.

2. Sharing of the copyrighted material over internet without proper authorisation.

3. Pretending to be someone else while communicating with others over the internet.

4. Using rude or bad language in e-mails and during chatting.

5. Sharing of inflammatory material over the internet, which may lead to an unhealthy atmosphere in the society.

INTELLECTUAL PROPERTY

The term 'intellectual property' refers to the idea that its content is the creation of the mind or the intellect; it
denotes the legal property rights over creations of the mind. The term not only describes the intellectual work but
also provides specific legal rights over that work. There are different kinds of intellectual property, such as patents,
trademarks, trade secrets, industrial designs, plant variety protection and copyrights.

Intellectual property can be divided into two categories: industrial property and copyright. Industrial property
includes inventions (in the form of patents), trademarks, trade secrets, industrial designs, etc. Copyright includes
artistic and literary works such as books, novels, poems, musical works, artistic works such as drawings, paintings,
photographs and sculptures and architectural designs.

Patent - A patent is an exclusive right granted for an invention. The invention can be in the form of a product or a
process that usually provides a new way of performing some task or gives a new technical solution to a problem. In
order to be patentable, the invention must fulfil certain conditions. A patent provides protection for the invention to
the owner of the patent. The protection is granted for a limited period, which is usually 20 years. Patents provide
encouragement to individuals by providing them recognition for their creativity and monetary rewards for their
remarkable and marketable inventions. These encouragements inspire innovation, promising that the quality of human
life is continuously improved.

Trademark - A trademark is a distinctive sign which identifies certain goods or services as those produced or
provided by a specific person or enterprise. Over the years these marks have evolved into today's system of trademark
registration and protection. The system helps consumers to identify and purchase a product or service because its
nature and quality, indicated by its unique trademark, may meet their needs.

A trademark provides protection to the owner of the mark by ensuring the exclusive right to use it to identify goods
or services. The period of protection varies, but a trademark can be renewed indefinitely for further legal time periods
on payment of additional fees. Trademark protection is enforced by legal systems which have the right to block
trademark violation.

Trade Secrets- Any confidential trade information which provides a company a competitive edge may be
considered a trade secret. Trade secrets usually include manufacturing methods, industrial and commercial
information, sales and distribution methods, consumer profiles, advertising strategies, lists of suppliers and clients.
Unlike patents and trademarks, trade secrets do not have a well-defined legal protection system. But an
unauthorised use of such information by persons or companies other than the holder is regarded as an unfair practice
and a violation of the trade secret.

PRIVACY AND LAW

We come across the issue of privacy in everyday life. For example, when we go to a hospital for any
treatment, we need to give our personal data and we may not like to share this data with others. Similarly, to browse
the internet, we need to type our password, or to access our bank account, we have to provide the password or PIN.
This information is critical and cannot be shared with others in order to avoid problems. Privacy laws deal with the
protection and preservation of the privacy rights of people. Many government, public and private organisations
collect large amounts of personal information from many people and use it for a variety of purposes. Privacy law
regulates and puts safeguards on the type of information which may be collected and how this information may be
used.

Types of Privacy Laws-

Privacy laws can be broadly classified into two types: General privacy laws and Specific privacy laws.
General privacy laws have an overall influence on the personal data of individuals and affect the policies that control
many different domains of information. Specific privacy laws are conceived to regulate specific types of information.
Some examples of specific privacy laws include financial privacy laws, health privacy laws, online privacy laws,
communication privacy laws and information privacy laws.

COMPUTER FORENSICS

Computer forensics, also known as digital forensics, is a branch of forensic science which is used to investigate
crimes committed with computers by using the legal evidence found in computers and digital storage media. In
general, the goal of computer forensics is to explain the current state of a digital artefact such as a computer system, a
storage medium (e.g., hard disk, floppy, and CD and DVD disks) or an electronic document (e.g., an email message,
computer document and digital images). Digital forensics is even used to analyse the sequence of packets moving over
a computer network.

The main task of computer forensic experts is not only to find the criminal but also to find the evidence
and to present it in a manner that leads to legal action against the accused. Some examples of computer
crimes are as follows:

1. Unauthorised use of computers, mainly by stealing a username and password.

2. Accessing someone else's computer via the internet.

3. Releasing a malicious computer program (for example, a virus).

4. Harassment in cyberspace.

5. E-mail frauds.

6. Theft of company documents.

ETHICS AND INTERNET

The internet is growing at a very fast speed, with millions of users being added every year. The
internet and the World Wide Web (WWW) have grown rapidly from a research project into something that involves
millions of people all over the world. The internet has a number of noticeable features. It is fast and almost
instantaneous. It has a worldwide reach and is distributed, interactive, flexible and adaptable to a great extent. Much of
the usefulness of the internet comes from the fact that it is shared by users and service providers (and many others), in
the sense that everyone depends on others and needs to support and help others. It pertains to equal rights in the sense
that anyone with the necessary tools and moderate technical qualification can make himself an active participant in
cyberspace, broadcast messages to the world and ask for attention. In the present age, thinking of life without
internet technology is almost impossible.

Need for Internet Ethics - The internet blurs the difference between traditional categories of ethics such as
professional and non-professional, published and unpublished, and public and private. Therefore, the existing rules of
ethical conduct of human beings, which depend on the above categories, are difficult to extend to this new era of the
internet. Along with the good and meaningful information available on the internet, there is a growing possibility of
finding unauthenticated, misleading, inaccurate and, many times, dangerous information on the internet. Ethical
guidelines can play a role in ensuring that people take full benefit of the internet to improve their lives, without any
harm. Ethical standards and guidelines for the internet are being developed and promoted by several government
organisations and quasi-government agencies. Ethics makes each one of us realise that the WWW is what we make it.
We are the people who use the web, who surf the web and who upload the information on the web.

CYBER CRIMES
Cyber crime or computer crime refers to a criminal activity where a computer or network is used as a
medium, target or place for committing the crime. It can be broadly defined as a criminal activity which involves an
information technology infrastructure for its execution. Some traditional crimes (such as theft, fraud, blackmail and
forgery) in which computers or networks are used also come under cyber crime. Thus, it has become very important
not only to know more about cyber crimes but also to spread awareness among the common people about these
crimes. This is because of the fact that in the present time almost everybody is using computers and the new
generation is growing up with computers. Conventional crimes such as forgery and extortion are being committed
with the help of computers and, more importantly, monetary transactions are moving onto the internet.

Cyber Crime Categories

Cyber crime is an evil having its origin in the growing dependence on computers in modern life. Certified Information
Systems Security Professional (CISSP)- an independent information security certification body- governed by the
International Information Systems Security Certification Consortium (ISC)² classified major cyber crimes into the
following categories:

Financial Attacks - These are attacks targeting banks and other financial institutions for monetary benefits. These
include hacking the computer systems, modifying the computer data and tapping the network for stealing secret
password or PIN information.

Business Attacks -Illegal accessing of proprietary information for the benefit of one's business comes under business
attacks.

Military and Intelligence Attacks -This includes all illegal efforts to obtain military and intelligence information.

Terrorist Attacks- Making use of computers and networks for carrying out terrorist activities comes under this
category.

Grudge and Thrill Attacks- Grudge attacks are concerned with acts performed by an employee to take revenge
against his company for ill-treatment or for any other reason. Thrill attacks, on the contrary, are not for any revenge
but just for fun. Common grudge and thrill attacks include hacking the computer, changing information on the
computer, stealing confidential information, etc.

Common Cyber Crimes

Cyber crime is flourishing at a very high speed and every day a new type of cyber fraud comes into the
picture. Some of the major cyber crimes that have been noticed in the past are listed here:

Denial of Service Attack (DoS) - It is a type of attack that is designed to bring a network or website down and stop
its legitimate access, by flooding it with useless traffic. Common DoS attacks target network bandwidth or
connectivity and exploit the limitations of the TCP/IP protocols. Bandwidth attacks try to flood the network with a
very high amount of network traffic so that all network resources are consumed and legitimate user requests are
prevented from being fulfilled. Connectivity attacks flood a computer with very high volume of connection requests so
that available connection limit is reached and the computer can no longer process legitimate user requests. For almost
all known DoS attacks, there are software solutions available which system administrators can install in the systems
and use them to limit the damage caused by these attacks. Similar to the computer virus, new DoS attacks are
continuously being dreamed up by hackers.
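One of the "software solutions" mentioned above for connectivity attacks is a guard in front of the server's accept loop. The following is an added example (not code from the original notes): it caps how many new connections any single source may open inside a sliding time window and caps the total number of open connections, so that one source sending a burst of connection requests cannot use up the connection limit for everyone else. The limits, addresses and the simulated timeline are constructed assumptions.

```python
# Added example (not from the original notes): one of the "software solutions"
# the text mentions against connectivity attacks, a guard in front of a server's
# accept loop. It caps how many new connections any one source may open inside
# a sliding window and caps the total number of open connections, so a single
# source sending a burst of requests cannot exhaust the connection limit.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Tuple


class ConnectionGuard:
    def __init__(self, per_source_limit: int = 20, window_seconds: int = 10, max_open: int = 100):
        self.per_source_limit = per_source_limit           # assumed policy values
        self.window = timedelta(seconds=window_seconds)
        self.max_open = max_open
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)   # accept times per source
        self.open_by_source: Dict[str, int] = defaultdict(int)         # currently open per source

    @property
    def open_connections(self) -> int:
        return sum(self.open_by_source.values())

    def on_connect(self, src: str, now: datetime) -> Tuple[bool, str]:
        """Decide whether to accept a new connection from src at time now."""
        q = self.recent[src]
        while q and now - q[0] >= self.window:             # drop accepts outside the window
            q.popleft()
        if len(q) >= self.per_source_limit:
            return False, "rate limit exceeded for %s" % src
        if self.open_connections >= self.max_open:
            return False, "server at connection capacity"
        q.append(now)
        self.open_by_source[src] += 1
        return True, "accepted"

    def on_close(self, src: str) -> None:
        """Release one open connection slot held by src."""
        if self.open_by_source[src] > 0:
            self.open_by_source[src] -= 1


def simulate_burst(burst_src: str = "203.0.113.9", legit_src: str = "198.51.100.4",
                   attempts: int = 30) -> Tuple[int, bool, ConnectionGuard]:
    """Constructed scenario: one source opens many connections within one second,
    then an unrelated client connects. Returns (accepted from burst, legit accepted, guard)."""
    guard = ConnectionGuard(per_source_limit=20, window_seconds=10, max_open=100)
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    accepted = 0
    for i in range(attempts):
        ok, _ = guard.on_connect(burst_src, t0 + timedelta(milliseconds=30 * i))
        accepted += int(ok)
    legit_ok, _ = guard.on_connect(legit_src, t0 + timedelta(seconds=1))
    return accepted, legit_ok, guard


if __name__ == "__main__":
    accepted, legit_ok, guard = simulate_burst()
    print("burst source got %d of 30 connections; other client accepted: %s; open: %d"
          % (accepted, legit_ok, guard.open_connections))
```

The two limits address the two failure modes separately: the per-source window protects against one noisy address, while the global cap is what keeps the server itself from running out of connection slots regardless of who is asking.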

Software Piracy - Software piracy refers to unauthorised copying and duplication of software. Most computer
application programs are licensed for use on one computer or for use by only a restricted number of users at any time.
Usually, a licensed copy of the software has to be purchased to become a licensed user. However, making copies of
the program and distributing them to others is not allowed. Software piracy is very difficult to stop. Originally,
companies tried to stop software piracy by copy-protecting their software. However, this technique did not work well
because users found it rather inconvenient and it is also not totally foolproof.

Common Software Piracy Terminologies

The following terminologies relate to the illegal use of software in various ways:

Crack - A software crack is a working version of software which is obtained illegally by circumventing the software's
copyright protection. Software cracking is carried out by modifying the software in order to remove the encoded copy
prevention.

Hack - It refers to working around the copy protection of application software, for the purpose of creating an illegal
version of the software.

Phishing - Phishing is derived from the word 'fishing'. It refers to the duplication of an existing webpage to attract
users, in order to steal their private or financial particulars such as passwords, bank account information, etc. Fraudsters
use this information to carry out funds transfers or to undertake transactions that are billed to the original customer.
The duplicated webpage, commonly known as a spoofed webpage, looks very similar to the real webpage of a genuine
institution. For example, if a bank's actual internet URL is www.mybank.com, the fraudsters may create a webpage at
an address such as www.mybank.org or www.mybank.net.
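The www.mybank.org example above is the kind of address a mail filter or browser add-on can flag automatically. The following is an added example (not code from the original notes) of such a check: given a list of genuine domains, it accepts the real domain and its subdomains, and flags a host that reuses the brand name under a different top-level domain, buries it as a subdomain of some other domain, spells it with look-alike digits, or hides it in the user-info part of the URL. The domain list, the confusable-character table and the sample URLs are constructed; real brand-protection tools use much larger tables.

```python
# Added example (not from the original notes): a check a mail gateway or browser
# extension could run on a link to spot the kind of spoofed address the text
# describes (www.mybank.org standing in for www.mybank.com). The legitimate
# domain list, the confusable table and the sample URLs are constructed.
from urllib.parse import urlparse

LEGIT_DOMAINS = ["mybank.com"]                       # constructed list of genuine domains
# digits commonly swapped for letters in look-alike names (small constructed table)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def classify_url(url: str) -> str:
    """Return 'legitimate', 'unknown: ...', 'invalid: ...' or 'suspicious: <reason>'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return "invalid: no host"
    if p.username is not None:
        # "http://mybank.com@evil.example/" displays the brand but connects to evil.example
        return "suspicious: user info before the real host %s" % host
    labels = host.split(".")
    for legit in LEGIT_DOMAINS:
        legit_labels = legit.split(".")
        brand = legit_labels[0]
        if labels[-len(legit_labels):] == legit_labels:
            return "legitimate"                        # exact domain or a genuine subdomain
        for i, label in enumerate(labels):
            if label == brand and i == len(labels) - 2:
                return "suspicious: same name as %s but different top-level domain" % legit
            if label == brand and i < len(labels) - 2:
                return "suspicious: %s used as a subdomain of %s" % (brand, ".".join(labels[i + 1:]))
            if label != brand and label.translate(CONFUSABLES) == brand:
                return "suspicious: lookalike spelling of %s" % legit
    return "unknown: not a monitored brand"


# Constructed sample links (not real phishing URLs).
SAMPLES = [
    "https://www.mybank.com/login",
    "http://www.mybank.org/login",
    "http://www.mybank.com.evil.example/login",
    "http://www.myb4nk.com/login",
    "http://mybank.com@evil.example/login",
    "https://shop.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify_url(link))
```

Note that the check is done on the parsed host name, not on the text of the link: a link's visible text can say anything, so a filter has to work from where the browser would actually connect.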

Hacking - In simple terms, hacking can be defined as an illegal intrusion into a computer system and/or network. The
person who breaks into computers is called a hacker. Hackers write computer programs to attack the target
computer. Usually, they possess the desire to destroy the system. Most of the time, hacking is done for monetary
gains such as stealing credit card information, transferring money from others' bank accounts to their own account,
etc.

The term 'hacking' is a bit different from 'cracking'. But from the perspective of Indian laws, there is no difference
between 'hacking' and 'cracking'; every act committed towards breaking into a computer and/or network is considered
'hacking'.

Cyber Terrorism - As the internet is becoming more and more common in all areas of human activity, a few
individuals or groups can use the anonymity offered by cyberspace to threaten citizens, specific groups belonging to
some particular ethnicity or religious belief, communities or entire countries. Using the internet, these individuals or
groups are able to carry out their task without the inherent danger of capture or death to the attacker, which would have
been the case if the attackers needed to be physically present at the site of attack. Cyber terrorism is a big threat in
current times and can have a serious influence on people. It can even adversely affect the economy of a
country.
Emerging Trends in IT
INTRODUCTION -
Information Technology (IT) plays a major role in today's society. By considering the growth of IT in
the past few years, it is possible to reflect on its importance in the future. Although different organisations, industries and
regions of the world are adopting IT in different ways, it is increasingly penetrating our daily life. In the early years, the
use of computers was primarily in the field of business and research. However, the introduction of cheaper and more
versatile computers in the 1980s and 1990s led to an increase in the number of users in offices and at home. The
computer plays an important role in various fields like education, health care, hospitals, entertainment, etc. In
business, consumers are expected to register themselves through a digital signature, and the two parties can then start
communicating through encrypted, secured communication. With the emergence of electronic commerce and
wireless networks, business and trading activities have become much easier.

E-COMMERCE (Electronic Commerce)

Traditionally, the word 'commerce' refers to the exchange or buying and selling of goods and services. Generally, the word
'commerce' involves the exchange of money and transportation of goods from one place to another. In present times, we can observe
different forms of commercial activities around us. For example, in a grocery store itself, buying and selling are the
main activities that form the essence of commerce. With technological advancement, commerce has added a new
dimension in the form of digital information (electronic trade), which is a more powerful and easier method of performing
such transactions compared to the traditional commerce system. After the introduction of electronic trade, a
revolution has happened in the commercial system, which has resulted in most business activities being carried out
through electronic commerce across the world. In today's lifestyle, where time and money are the prime factors, e-
Commerce plays an important role in bridging the gap between buyers and sellers.

Types of E-Commerce - E-Commerce can be divided into four main categories, namely Business-to-Business,
Business-to-Consumer, Consumer-to-Business, and Customer-to-Customer.

Business-to-Business (B2B) - B2B is doing business between companies, such as manufacturers selling to
distributors and wholesalers selling to retailers. This is between the wholesale and the retail. Pricing is based
on the quantity of the order and is often negotiable. But B2B involves more than this activity, for example,
interaction between businesses in a chain process or with new trading partners, maintaining a detailed
information flow among all parties involved in the process. Hence B2B includes widening the circle of
suppliers (for safety and competition) and centralising control (for records and discounts).

Business-to-Consumer (B2C) - It is a concept of online marketing and distribution of products and services
over the internet. For many retailers, this is a stepping stone to selling goods directly to the customer. The key
features for the success of B2C commerce are reaching more customers, providing better services and
increasing sales, while spending less. E-Commerce is highly important for the consumer
as it saves precious time by allowing transactions to be made while sitting at home. Otherwise, one has to spend a substantial
amount of time moving from one corner to the other to do business. Also, it enables one to shop
virtually on the internet at any time and to have goods delivered at the doorstep.

Business-to-Administration (B2A) - In a B2A system, the interaction of business communities with the public
sector happens electronically. B2A includes submission of planning documents, tax returns or patent
registration.

Customer-to-Customer (C2C) - A C2C system enables customers to deal directly with each other. This completely excludes
business activities by enabling person-to-person transactions. This refers to an E-Commerce activity which
uses an auction-style model. Examples of this type of system are available at www.ebay.com and
www.amazon.com.

Types of Electronic Payment

E-Commerce is based on electronic payment over the internet instead of the traditional
payment system. Electronic payment systems are based on digital information. Every transaction takes
place in the form of a digital string. There are three modes of electronic payment, namely e-cash, e-
cheque and credit card.
E-cash - E-cash is one of the commercial transactions in a real-time environment on the internet. In e-cash,
transactions are carried out in electronic form. A bank issues a token to the customer for some particular
amount of currency. The bank then debits from the customer's account an amount equal to the value of the
token issued to the customer. The bank authenticates each token with a digital stamp before
transmitting it to the customer. If the customer wants to spend the e-cash, he can transmit the token to the
merchant, who then approaches the bank for verification. The bank records the serial number of each token
that the customer spends in order to avoid fraudulent transactions. If the bank finds that the serial number of
the token is already recorded in its database, it sends an intimation to the merchant that the token is invalid.
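The token life cycle described above, written out as an added Python example (editor-added, not code from the notes): the bank issues a stamped token and debits the account, the merchant presents the token to the bank, and the bank rejects both a tampered token and a token whose serial number is already recorded. The "digital stamp" is modelled as an HMAC under a key known only to the bank; that is an assumption made so the example runs with the standard library alone, and a real scheme would use a digital signature. The account names, balances and amounts are constructed.

```python
import hashlib
import hmac
import json
import secrets


class Bank:
    """Simplified e-cash issuer following the notes' description.

    The bank stamps each token, debits the customer's account by the token
    value, verifies tokens presented by merchants, and records spent serial
    numbers so that a token presented twice is reported as already spent.
    """

    def __init__(self):
        # Assumption for this example: the stamp is an HMAC under a bank-only
        # secret, standing in for the digital signature a real scheme would use.
        self._stamp_key = secrets.token_bytes(32)
        self.accounts = {}
        self.spent_serials = set()

    def open_account(self, name, balance):
        self.accounts[name] = balance

    def _stamp(self, serial, amount):
        # The stamp covers serial and amount, so changing either invalidates it.
        msg = json.dumps({"serial": serial, "amount": amount}, sort_keys=True).encode()
        return hmac.new(self._stamp_key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, customer, amount):
        """Debit the customer and hand back a stamped token worth `amount`."""
        if amount <= 0 or self.accounts.get(customer, 0) < amount:
            raise ValueError("insufficient funds or bad amount")
        self.accounts[customer] -= amount
        serial = secrets.token_hex(16)
        return {"serial": serial, "amount": amount, "stamp": self._stamp(serial, amount)}

    def verify_and_redeem(self, token, merchant):
        """Merchant's verification request. Returns 'accepted', 'invalid' or 'already_spent'."""
        expected = self._stamp(token["serial"], token["amount"])
        if not hmac.compare_digest(expected, token.get("stamp", "")):
            return "invalid"  # forged or tampered token
        if token["serial"] in self.spent_serials:
            return "already_spent"  # serial number already recorded in the bank's database
        self.spent_serials.add(token["serial"])
        self.accounts[merchant] = self.accounts.get(merchant, 0) + token["amount"]
        return "accepted"


def demo():
    """Constructed walk-through: one honest spend, one replay, one tampered token."""
    bank = Bank()
    bank.open_account("alice", 100)
    bank.open_account("shop", 0)
    token = bank.issue_token("alice", 40)
    first = bank.verify_and_redeem(token, "shop")
    second = bank.verify_and_redeem(token, "shop")      # same token presented again
    tampered = dict(token, amount=400)                   # merchant inflates the value
    third = bank.verify_and_redeem(tampered, "shop")
    return first, second, third, bank.accounts["alice"], bank.accounts["shop"]


if __name__ == "__main__":
    print(demo())
```

The stamp is checked before the serial number, so a token that is both forged and replayed is reported as invalid rather than as a double spend; the merchant never holds the stamping key, which matches the notes' model in which the merchant must approach the bank for verification.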

E-cheque - An e-cheque is similar to a paper cheque. A paper cheque is a kind of message given to a
consumer's bank asking it to transfer some amount from one particular account to another. Similarly, an e-
cheque also issues a request to transfer funds electronically. The advantage of an e-cheque is that it
protects the customer's account details by encoding the account number with the bank's public key. This
prevents the merchant from knowing the customer's account details, thereby eliminating the chances of fraudulent
transactions.

Credit Card - A credit card is part of an electronic payment system in which a small plastic card is issued to users
of the system. The card holder is entitled to buy goods by giving the credit card number to the vendor. The vendor then
verifies it with the issuing bank and issues a purchase slip for the customer to approve. The vendor then uses a
copy of the purchase slip to collect money from the bank, and in the billing cycle, the consumer receives at
his address a statement of the recorded transactions. As in the case of the e-cheque, the credit card number is encoded
before it gets transmitted over the internet.

Advantages of E-Commerce

The use of e-Commerce technology has a number of advantages. Some of them are highlighted below:

Availability - The service availability is 24 × 7. Online business is always ON, as opposed to conventional
businesses. Consumers can access these online services at any time they want.

Reduced Cost - The product cost is reduced since the stages along the value chain are decreased. For example,
the company directly sells the product to the customer instead of distributing through a retail store. This
process eliminates the intermediaries.

Low Cost Advertising - Advertising on paper is costlier than advertising on the internet.

Low Start-up Cost - Anyone can start a company on the internet. Since there is no need for capital
investment, the start-up cost is minimal in e-Commerce.

Increased Market Share - The power of the internet enables businesses to have access to international markets,
thereby increasing their market share.

Disadvantages of E-Commerce

The introduction of an innovation also brings certain limitations and drawbacks along with it. The same is the
case with E-Commerce. The following are some of its disadvantages:

Unable to Examine the Products - Online ordering of products through the internet does not allow
physical examination of the products. Only images of the products are displayed to the user for viewing.
Hence, there is uncertainty regarding the quality of the product.

Need for Specific Setup - Specific hardware and software are required to start an E-Commerce company,
which increases the cost.

Distribution Setup - Efficient distribution is required, especially when supplying a global market.

Maintenance of Website - It requires regular updates and maintenance, which requires extra labour costs.

Security Risks - An E-Commerce site exposes itself to security risks, and confidential data such as
transaction information, which includes credit card numbers and personal account details, may be vulnerable. The possibility of
stealing personal account details is a real threat in e-Commerce activity.

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (GSM)

It is a globally accepted standard for digital communication. GSM is used by over 3 billion
people in more than 212 countries. GSM is the name of a standardisation group established in 1982 to create
a common European mobile telephone standard that would formulate specifications for a pan-European
mobile cellular radio system. It operates in either the 900 MHz or the 1800 MHz frequency band. It makes
international roaming very common between mobile phone operators, enabling subscribers to use their
phones in many parts of the world. GSM has been considered a second generation (2G) mobile
communication system since both signalling and speech channels are digital. It is also built for easy
data communication via the mobile system.

Advantages of GSM

The GSM standard has offered several advantages to both consumers and network operators. For consumers,
it provides a roaming facility and switching between carriers without additional effort, while for network operators,
it allows a choice of equipment from any vendor. An alternative to a voice call is the Short Message Service
(SMS), which is now supported on other mobile standards too. The advantages of the GSM network are listed
below:

• Seamless interoperability between networks and handsets.
• International roaming capability in over 100 countries.
• Efficient use of spectrum.
• A wide variety of handsets and accessories.
• Ease of use with over-the-air activation, and all account information held in a smart card which
can be moved from handset to handset.
• Easy subscription process (SIM-based).
• Global footprint for international roaming, including SMS, data and other value added services.
• Security against fraud and eavesdropping.
• Advanced features such as short messaging and caller ID.
• High stability mobile fax and data, at up to 9600 baud.

BLUETOOTH

Bluetooth is the name of a new technology that is now available commercially. It
significantly changes the usage of machines. One can observe that a computer is connected to a
keyboard as well as a printer, mouse, monitor and so on. All these peripherals are connected by cables.
Cables have become the bane of many offices, homes, etc. Bluetooth is specifically designed to replace the
cable by using short-range radio links. A Bluetooth chipboard is used in a computer system to connect
the peripherals without cables. Hence, it is also known as cable-replacement technology, which allows users
to form wireless connections between devices such as the keyboard, printers, etc.

It is a standard specification for communication between small devices. It provides low-cost, short-
range radio communication between mobile PCs, mobile phones and other portable devices. The technology
allows users to form wireless connections between various communication devices in order to transmit real-
time voice and data. Figure 8.6 shows Bluetooth-enabled devices which are connected to each other. Its
key features are robustness, compactness, low power and cost, and it is designed to operate even in noisy
frequency environments.
Bluetooth Applications

Bluetooth has a powerful potential in moving and synchronising information in a localised
setting. Since people can now communicate more with those who are close (a natural phenomenon of human
interaction), the possibility of Bluetooth applications is enormous. Some applications of Bluetooth
technology are given below:

• In the computer industry, almost all companies have started using Bluetooth technology.
People who need to transmit data between their laptops or PDAs and their computer use Bluetooth
technology.
• Since Bluetooth supports both point-to-point and point-to-multipoint connections, it can simultaneously create
virtual links between a number of devices.
• Using Bluetooth technology, it is possible to send still or video images from one location to another,
without the hassle of connecting the digital camera to the mobile phone.

Advantages of Bluetooth

• It is an economical wireless solution, both for data and voice, within a short distance.
• It uses a global technology specification, i.e., it uses the universal radio frequency of the 2.4 GHz ISM
frequency band.
• It is applicable to both stationary and mobile environments.
• Its devices connect to each other automatically. The user does not have to manually operate
the devices.
• No specific setup is needed.

Disadvantages of Bluetooth

• Limited Range - The range of this technology is limited to only 30 feet. This limits the Personal
Area Network (PAN) and the connection accessibility for the electronic devices to perform an action.
• High Chipset Cost - Because of its high chipset cost, the technology has problems in reaching
general markets.
• Additional Antenna - It has led to increased bulk of portable devices. It requires a larger antenna
in portable devices to transmit and receive data through radio waves.
• Limited Transmission Capacity - Data transmission capacity is limited to 1 Mbps, which makes data
exchange very slow when handling large files or folders.
• Security - The possibility of security threats is greater because of the use of radio waves. The radio waves
may give others access to Bluetooth-enabled devices and allow them to break into the
network of an organisation from the outside. A Bluetooth chip allows communication with any
device within a 10 metre range. For example, if a mobile call is made using a Bluetooth device, any
mobile within range is capable of picking up the call.

INFRARED TECHNOLOGY

In recent years, wireless communication has offered an alternative solution to the fixed cable
network. Wireless technology is beneficial since it provides mobility and compact devices. In future, the
trend in telecommunication may consist of a fibre-optic network and short-range wireless access over
wireless channels. Presently, wireless technology uses radio waves to communicate, which may not be
sufficient for fulfilling future needs, since radio communication has several limitations. As a result,
radio communication is being pushed to ever higher frequencies. In order to overcome this problem, an
alternative medium, called infrared wave technology, is becoming available for use as a new medium of
communication. Figure 8.8 shows an infrared-enabled miniature USB adapter.

Infrared (IR) is a wireless technology system that exchanges data through infrared radiation.
It is electromagnetic energy with wavelengths somewhat longer than those of red light. It is a technology
that allows devices to communicate with each other through short-range wireless signals. With infrared,
computers can transfer files and other digital data bi-directionally.
Applications of Infrared Technology

Infrared communications have many applications. Some of them are mentioned below.

• It is used in every corner of our homes, since televisions, air conditioners, computer peripherals, etc. are
controlled by infrared-enabled devices.
• It helps to communicate between two buildings where the cost of cabling between the two buildings
is significantly larger.
• Infrared communication is used in sending documents, schedules and books from a hand-held
computer to a printer.
• It can also send faxes from a hand-held computer to a distant fax machine.
• Infrared communication is used by business people for exchanging messages, business cards and
other information via hand-held personal computers.

Advantages of Infrared Technology

1. Simple circuitry: It can be incorporated into an integrated circuit product without any special or proprietary
hardware.
2. Infrared-enabled devices are portable.
3. Few international regulatory constraints: IrDA (Infrared Data Association) functional devices can ideally
be used by international travellers, no matter where they may be.
4. High noise immunity: It is not as likely to have interference from the signals of other devices.
5. Low circuitry costs: It requires less cost for the entire coding/decoding circuitry.
6. Higher security: Line of Sight (LOS) helps to ensure that data is not leaked or spilled to nearby devices
during transmission.
7. It is ideal for laptops, telephones and personal digital assistants because of its low power requirements.

Disadvantages of Infrared Technology

1. Short Range - Performance is good within a short distance and drops off with longer
distances.
2. Light and Weather Sensitive - Direct sunlight, rain, fog, dust and pollution can adversely affect
transmission.
3. Blocked by Common Materials - People, walls, plants, etc. can block the transmission of data.
4. Line of Sight - Transmitters and receivers must be almost directly aligned (i.e. able to see each other) to
communicate.
5. Speed - The data transmission rate is lower than that of fixed cable wired transmission.
