
INTRODUCTION TO CYBER-SECURITY

CHAPTER 1
Introduction to Cyber Security
Cyber Security Introduction - Cyber Security Basics:
Cyber security is a matter of major concern, as cyber threats and attacks are growing rapidly.

Attackers are now using more sophisticated techniques to target systems. Individuals, small-scale businesses and large organizations are all being impacted. So all these firms, whether IT or non-IT, have understood the importance of cyber security and are focusing on adopting all possible measures to deal with cyber threats.

What is cyber security?

"Cyber security is primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and activities, including
computer network operations, information assurance, law enforcement, etc."

OR

Cyber security is the body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

- The term cyber security refers to techniques and practices designed to protect digital data.

- This includes data that is stored, transmitted or used on an information system.

OR

Cyber security is the protection of Internet-connected systems, including hardware, software, and
data from cyber-attacks.

The term is made up of two words: cyber and security.

- Cyber refers to the technology, which includes systems, networks, programs and data.

- Security refers to protection, which includes system security, network security, application security and information security.


Why is cyber security important?

Listed below are the reasons why cyber security is so important in what has become a predominantly digital world:

- Cyber-attacks can be extremely expensive for businesses to endure.

- In addition to the financial damage suffered by the business, a data breach can also inflict untold reputational damage.

- Cyber-attacks these days are becoming progressively more destructive. Cybercriminals are using more sophisticated ways to initiate cyber-attacks.

- Regulations such as GDPR are forcing organizations to take better care of the personal data they hold.

Because of the above reasons, cyber security has become an important part of the business and
the focus now is on developing appropriate response plans that minimize the damage in the event
of a cyber-attack.

But an organization or an individual can develop a proper response plan only with a good grasp of cyber security fundamentals.

Cyber security Fundamentals – Confidentiality:

Confidentiality is about preventing the disclosure of data to unauthorized parties.

It also means trying to keep the identity of authorized parties involved in sharing and holding
data private and anonymous.

Confidentiality is often compromised by cracking poorly encrypted data, by man-in-the-middle (MITM) attacks, or by the disclosure of sensitive data.

Standard measures to establish confidentiality include:

- Data encryption

- Two-factor authentication

- Biometric verification

- Security tokens


Integrity
Integrity refers to protecting information from being modified by unauthorized parties.

Standard measures to guarantee integrity include:

- Cryptographic checksums

- Using file permissions

- Uninterruptible power supplies

- Data backups
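The first measure above, cryptographic checksums, is easy to show in practice. The following Python script is an added example and is not part of the original document: it records a SHA-256 digest of each file in a manifest (the "known good" baseline) and later compares the current contents against it, reporting files that were modified, removed or added. The file names and contents are constructed in memory so the script runs offline; `build_manifest`, `verify` and `demo` are names chosen for this example.

```python
import hashlib
import hmac

# Constructed sample: the "files" to be protected, held in memory so the
# example runs offline. Keys are file names, values are their contents.
ORIGINAL_FILES = {
    "payroll.csv": b"employee,salary\nalice,5000\nbob,4800\n",
    "config.ini": b"[db]\nhost=db.internal\nport=5432\n",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a checksum for every file; this is the known-good baseline."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify(files: dict, manifest: dict) -> dict:
    """Compare current contents against the manifest.

    Returns file name -> 'ok', 'modified', 'missing' or 'unexpected'.
    """
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
            continue
        actual = sha256_hex(files[name])
        # compare_digest avoids leaking timing information when comparing digests.
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def demo() -> dict:
    """Build a baseline, then simulate unauthorized changes: one file edited,
    one deleted and one added."""
    manifest = build_manifest(ORIGINAL_FILES)
    tampered = dict(ORIGINAL_FILES)
    tampered["payroll.csv"] = b"employee,salary\nalice,5000\nbob,9800\n"
    del tampered["config.ini"]
    tampered["unexpected.sh"] = b"#!/bin/sh\n"
    return verify(tampered, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The manifest is only as trustworthy as its storage: keep it on read-only media or sign it, otherwise whoever can alter the files can also update the checksums.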

Availability
Availability is making sure that authorized parties are able to access the information when
needed.

Standard measures to guarantee availability include:

- Backing up data to external drives

- Implementing firewalls

- Having backup power supplies

- Data redundancy

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter computer code, logic or data, leading to cybercrimes such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks

2) System-based attacks

Web-based attacks
These are the attacks which occur on a website or web application. Some of the important web-based attacks are as follows:


1. Injection attacks
An injection attack is one in which data is injected into a web application to manipulate the application and fetch the information the attacker wants.

Examples: SQL injection, code injection, log injection, XML injection, etc.
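To make the SQL injection example concrete, the following Python script (an added example, not code from the original document) places a login check that builds its query by string concatenation next to the same check written with a parameterised query, and runs both against a constructed in-memory SQLite table. The table, the user names and the function names `login_vulnerable`, `login_safe` and `demo` are all assumptions of this example; passwords are stored in clear only to keep the focus on query construction, a real system would store salted hashes.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string concatenation, so a quote character in the
    input changes the SQL itself. This is the defect an injection attack exploits."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the SQL text is fixed and the driver passes the values
    separately, so the input is only ever compared as data, never run as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Send the same crafted input to both versions of the login check."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", crafted),  # every row matches
        "safe": login_safe(conn, "alice", crafted),              # no row matches
        "legitimate": login_safe(conn, "alice", "s3cret"),       # only alice
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The vulnerable version returns every user because the injected text turns the WHERE clause into a condition that is always true; the parameterised version returns nothing, since the driver compares the literal string against the password column.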

2. DNS Spoofing
DNS spoofing is a type of computer security attack in which forged data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer or any other computer. DNS spoofing attacks can go on for a long period of time without being detected and can cause serious security issues.

3. Session Hijacking
Session hijacking is a security attack on a user's session over a protected network. Web applications create cookies to store state and user sessions. By stealing the cookies, an attacker can gain access to all of the user's data.

4. Phishing
Phishing is a type of attack which attempts to steal sensitive information like user login credentials and credit card numbers. It occurs when an attacker masquerades as a trustworthy entity in electronic communication.

5. Brute force
A brute-force attack uses a trial-and-error method. It generates a large number of guesses and validates them to obtain actual data such as a user's password or personal identification number. This attack may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.

6. Denial of Service
A denial-of-service attack is meant to make a server or network resource unavailable to its users. It accomplishes this by flooding the target with traffic or sending it information that triggers a crash. It uses a single system and a single internet connection to attack a server.

It can be classified into the following:


Volume-based attacks: the goal is to saturate the bandwidth of the attacked site; they are measured in bits per second.

Protocol attacks: these consume actual server resources and are measured in packets per second.

Application layer attacks: the goal is to crash the web server; they are measured in requests per second.

7. Dictionary attacks
This type of attack uses a stored list of commonly used passwords and tries each of them in order to find the actual password.
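Both the brute-force attack (item 5) and the dictionary attack above leave the same trace on the defender's side: a burst of failed logins for one account from one source, sometimes followed by a success. The following Python script is an added example, not part of the original document; it runs a sliding-window detector over a few constructed authentication log lines (the log format, the addresses and the names `parse_line` and `detect_guessing` are assumptions of this example) and flags the pairs that exceed a failure threshold, marking whether a later success followed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log in a simple syslog-like layout (not from any real system).
SAMPLE_LOG = """\
2024-03-01 10:00:01 auth FAIL user=alice src=198.51.100.7
2024-03-01 10:00:02 auth FAIL user=alice src=198.51.100.7
2024-03-01 10:00:03 auth FAIL user=alice src=198.51.100.7
2024-03-01 10:00:04 auth FAIL user=alice src=198.51.100.7
2024-03-01 10:00:05 auth FAIL user=alice src=198.51.100.7
2024-03-01 10:00:06 auth OK user=alice src=198.51.100.7
2024-03-01 10:05:00 auth FAIL user=bob src=203.0.113.9
2024-03-01 10:30:00 auth FAIL user=bob src=203.0.113.9
2024-03-01 10:31:00 auth OK user=bob src=203.0.113.9
"""

THRESHOLD = 5                   # failures that count as a guessing burst
WINDOW = timedelta(seconds=60)  # span inside which those failures must occur


def parse_line(line: str) -> tuple:
    """Return (timestamp, outcome, user, source address) for one log line."""
    date, time, _, outcome, user, src = line.split()
    ts = datetime.fromisoformat(f"{date} {time}")
    return ts, outcome, user.split("=", 1)[1], src.split("=", 1)[1]


def detect_guessing(log_text: str, threshold: int = THRESHOLD,
                    window: timedelta = WINDOW) -> dict:
    """Flag (source, user) pairs that reach `threshold` failed logins inside `window`.

    A success after such a burst is recorded separately: that is the pattern of a
    guess that eventually worked, and it deserves the highest priority in triage.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent_failures = defaultdict(list)  # (src, user) -> failure timestamps in window
    alerts = {}
    for ts, outcome, user, src in events:
        key = (src, user)
        if outcome == "FAIL":
            kept = [t for t in recent_failures[key] if ts - t <= window]
            kept.append(ts)
            recent_failures[key] = kept
            if len(kept) >= threshold and key not in alerts:
                alerts[key] = {"first_failure": kept[0], "alerted_at": ts,
                               "failures": len(kept), "success_after_burst": False}
        elif outcome == "OK" and key in alerts:
            alerts[key]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_guessing(SAMPLE_LOG).items():
        print(f"{src} -> {user}: {info['failures']} failures from "
              f"{info['first_failure']}, later success: {info['success_after_burst']}")
```

Only alice's account trips the default threshold; bob's two failures are 25 minutes apart and fall outside the window. The usual mitigations pair such detection with rate limiting or temporary lockout after repeated failures; a dictionary attack spread thinly across many accounts from one source would need the same logic keyed on the source address alone.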

8. URL Interpretation
In this attack, certain parts of a URL are altered so that the web server delivers web pages that the attacker is not authorized to browse.

9. File Inclusion attacks

This attack allows an attacker to access unauthorized or essential files which are available on the web server, or to execute malicious files on the web server, by abusing the application's include functionality.

10. Man in the middle attacks

This attack allows an attacker to intercept the connection between client and server and act as a bridge between them. As a result, the attacker is able to read, insert and modify the data in the intercepted connection.

System-based attacks
These are the attacks which are intended to compromise a computer or a computer network.

Some of the important system-based attacks are as follows:

1. Virus
A virus is a type of malicious software program that spreads through the computer's files without the user's knowledge. It is a self-replicating malicious computer program that replicates by inserting copies of itself into other computer programs when executed. It can also execute instructions that cause harm to the system.


2. Worm
A worm is a type of malware whose primary function is to replicate itself in order to spread to uninfected computers. It works in a similar way to a computer virus. Worms often originate from email attachments that appear to be from trusted senders.

3. Trojan horse
A Trojan horse is a malicious program that causes unexpected changes to computer settings and unusual activity, even when the computer should be idle. It misleads the user about its true intent: it appears to be a normal application, but when opened or executed, malicious code runs in the background.

4. Backdoors
It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or other
purposes.

5. Bots
A bot (short for "robot") is an automated process that interacts with other network services.

Some bot programs run automatically, while others only execute commands when they receive specific input. Common examples of bot programs are crawlers, chatroom bots, and malicious bots.

The 7 layers of cyber security should center on the mission critical assets you are seeking to
protect.

1: Mission Critical Assets – This is the data you need to protect

2: Data Security – Data security controls protect the storage and transfer of data.

3: Application Security – Application security controls protect access to an application, an application's access to your mission critical assets, and the internal security of the application.

4: Endpoint Security – Endpoint security controls protect the connection between devices and
the network.

5: Network Security – Network security controls protect an organization’s network and prevent
unauthorized access of the network.


6: Perimeter Security – Perimeter security controls include both the physical and digital
security methodologies that protect the business overall.

7: The Human Layer – Humans are the weakest link in any cyber security posture. Human
security controls include phishing simulations and access management controls that protect
mission critical assets from a wide variety of human threats, including cyber criminals, malicious
insiders, and negligent users.

Vulnerability, threat, Harmful acts

As the recent epidemic of data breaches illustrates, no system is immune to attacks. Any
company that manages, transmits, stores, or otherwise handles data has to institute and enforce
mechanisms to monitor their cyber environment, identify vulnerabilities, and close up security
holes as quickly as possible.

Before identifying specific dangers to modern data systems, it is crucial to understand the
distinction between cyber threats and vulnerabilities.

Cyber threats are security incidents or circumstances with the potential to have a negative outcome for your network or other data management systems.

Examples of common types of security threats include phishing attacks that result in the
installation of malware that infects your data, failure of a staff member to follow data protection
protocols that cause a data breach, or even a tornado that takes down your company’s data
headquarters, disrupting access.

Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt
threat actors to exploit them.

Types of vulnerabilities in network security include, but are not limited to, SQL injection, server misconfigurations, cross-site scripting, and transmitting sensitive data in unencrypted plain-text form.

When threat probability is multiplied by the potential loss that may result, cyber security experts refer to the product as risk.

CIA Triad
The CIA Triad is actually a security model that has been developed to help people think about
various parts of IT security.

CIA triad broken down:


Confidentiality
It's crucial in today's world for people to protect their sensitive, private information from
unauthorized access.

Protecting confidentiality is dependent on being able to define and enforce certain access levels
for information.

In some cases, doing this involves separating information into various collections that are
organized by who needs access to the information and how sensitive that information actually is
- i.e., the amount of damage suffered if the confidentiality was breached.

Some of the most common means used to manage confidentiality include access control lists,
volume and file encryption, and Unix file permissions.

Integrity
Data integrity is what the "I" in CIA Triad stands for.

This is an essential component of the CIA Triad, designed to protect data from deletion or modification by any unauthorized party; it also ensures that when an authorized person makes a change that should not have been made, the damage can be reversed.

Availability
This is the final component of the CIA Triad and refers to the actual availability of your data. Authentication mechanisms, access channels and systems all have to work properly to protect the information and ensure it is available when it is needed.

Understanding the CIA triad: the CIA Triad is all about information. While this is considered the core factor of the majority of IT security, it promotes a limited view of security that ignores other important factors.

For example, even though availability may serve to make sure you don't lose access to resources
needed to provide information when it is needed, thinking about information security in itself
doesn't guarantee that someone else hasn't used your hardware resources without authorization.

It's important to understand what the CIA Triad is, how it is used to plan and also to implement a
quality security policy while understanding the various principles behind it. It's also important to
understand the limitations it presents. When you are informed, you can utilize the CIA Triad for
what it has to offer and avoid the consequences that may come along by not understanding it.


What are the top cybersecurity challenges?

Cybersecurity is continually challenged by hackers, data loss, privacy, risk management and
changing cybersecurity strategies. The number of cyberattacks is not expected to decrease in the
near future. Moreover, increased entry points for attacks, such as with the arrival of the internet
of things (IoT), increase the need to secure networks and devices.

One of the most problematic elements of cybersecurity is the evolving nature of security risks.
As new technologies emerge, and as technology is used in new or different ways, new attack
avenues are developed. Keeping up with these frequent changes and advances in attacks, as well
as updating practices to protect against them, can be challenging. Issues include ensuring all
elements of cybersecurity are continually updated to protect against potential vulnerabilities.
This can be especially difficult for smaller organizations without the staff or in-house resources.

Additionally, organizations can gather a lot of potential data on individuals who use one or more
of their services. With more data being collected, the likelihood of a cybercriminal who wants to
steal personally identifiable information (PII) is another concern. For example, an organization
that stores PII in the cloud may be subject to a ransomware attack. Organizations should do what
they can to prevent a cloud breach.

Cybersecurity programs should also address end-user education, as employees may accidentally bring viruses into the workplace on their laptops or mobile devices. Regular security awareness training will help employees do their part in keeping their company safe from cyberthreats.

Another challenge to cybersecurity is a shortage of qualified cybersecurity personnel. As the amount of data collected and used by businesses grows, the need for cybersecurity staff to analyze, manage and respond to incidents also increases. (ISC)² estimated the workforce gap between needed cybersecurity jobs and available security professionals at 3.1 million.

Assets and Threats

What is an Asset: An asset is any data, device or other component of an organization’s systems
that is valuable – often because it contains sensitive data or can be used to access such
information.

For example: An employee’s desktop computer, laptop or company phone would be considered
an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers
and support systems, are assets. An organization’s most common assets are information assets.
These are things such as databases and physical files – i.e., the sensitive data that you store.


Motive of Attackers
The categories of cyber-attackers enable us to better understand the attackers' motivations and the actions they take. As shown in the figure, operational cyber security risks arise from three types of actions: (i) inadvertent actions (generally by insiders) that are taken without malicious or harmful intent; (ii) deliberate actions (by insiders or outsiders) that are taken intentionally and are meant to do harm; and (iii) inaction (generally by insiders), such as a failure to act in a given situation, either because of a lack of appropriate skills, knowledge or guidance, or because the correct person is not available to take action. Of primary concern here are deliberate actions, of which there are three categories of motivation.

1. Political motivations: examples include destroying, disrupting, or taking control of targets; espionage; and making political statements, protests, or retaliatory actions.

2. Economic motivations: examples include theft of intellectual property or other economically valuable assets (e.g., funds, credit card information); fraud; industrial espionage and sabotage; and blackmail.

3. Socio-cultural motivations: examples include attacks with philosophical, theological, political, and even humanitarian goals. Socio-cultural motivations also include fun, curiosity, and a desire for publicity or ego gratification.

Types of Active attacks:

Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain
access or to gain greater privileges than they are authorized for. A masquerade may be attempted
through the use of stolen login IDs and passwords, through finding security gaps in programs or
through bypassing the authentication mechanism.

Session replay: In this type of attack, a hacker steals an authorized user's login information by stealing the session ID. The intruder gains access and the ability to do anything the authorized user can do on the website.

Message modification: In this attack, an intruder alters packet header addresses to direct a
message to a different destination or modify the data on a target machine.

In a denial of service (DoS) attack, users are deprived of access to a network or web resource.
This is generally accomplished by overwhelming the target with more traffic than it can handle.

In a distributed denial-of-service (DDoS) attack, large numbers of compromised systems (sometimes called a botnet or zombie army) attack a single target.


Types of Passive attacks:

Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities.

For the attack to be useful, the traffic must not be encrypted. Any unencrypted information, such
as a password sent in response to an HTTP request, may be retrieved by the attacker.

Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce information relating to the exchange and the participating entities, e.g., the form of the exchanged traffic (rate, duration, etc.). In cases where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain information or succeed in decrypting the traffic.

Software Attacks: Malicious code (sometimes called malware) is a type of software designed to
take over or damage a computer user's operating system, without the user's knowledge or
approval. It can be very difficult to remove and very damaging.

Hardware Attacks:
Common hardware attacks include:

- Manufacturing backdoors, for malware or other penetrative purposes; backdoors aren't limited to software and hardware, but also affect embedded radio-frequency identification (RFID) chips and memory

- Eavesdropping by gaining access to protected memory without opening other hardware

- Inducing faults, causing the interruption of normal behavior

- Hardware modification: tampering with invasive operations

- Backdoor creation: the presence of hidden methods for bypassing normal computer authentication systems


CHAPTER 2
Cyberspace And the Law & Cyber Forensics
CYBERSPACE
Cyberspace can be defined as an intricate environment that involves interactions between people,
software, and services. It is maintained by the worldwide distribution of information and
communication technology devices and networks.

With the benefits brought by technological advancements, cyberspace today has become a common pool used by citizens, businesses, critical information infrastructure, the military and governments in a fashion that makes it hard to draw clear boundaries among these different groups. Cyberspace is anticipated to become even more complex in the coming years, with the increase in networks and devices connected to it.

REGULATIONS
There are five predominant laws to cover when it comes to cybersecurity:

Information Technology Act, 2000

Indian cyber laws are governed by the Information Technology Act, enacted in 2000. The principal aim of this Act is to offer reliable legal recognition to e-commerce, facilitating the registration of real-time records with the Government.

But with the cyber attackers getting sneakier, topped by the human tendency to misuse
technology, a series of amendments followed.

The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties
safeguarding the e-governance, e-banking, and e-commerce sectors. Now, the scope of ITA has
been enhanced to encompass all the latest communication devices.

The IT Act is the salient one, guiding the entire Indian legislation to govern cybercrimes rigorously:

- Applicable to people who damage computer systems without permission from the owner. The owner can claim full compensation for the entire damage in such cases.

- Applicable in case a person is found to be dishonestly or fraudulently committing any act referred to in section 43. The imprisonment term in such instances can be up to three years or a fine of up to Rs. 5 lakhs.


- Incorporates the punishments for fraudulently receiving stolen communication devices or computers, which carries a probable three years' imprisonment. This term can also be topped by a Rs. 1 lakh fine, depending upon the severity.

- This section scrutinizes identity thefts related to imposter digital signatures, hacking passwords, or other distinctive identification features. If proven guilty, imprisonment of three years might also be backed by a Rs. 1 lakh fine.

- This section was inserted on demand, focusing on punishing cheaters who impersonate others using computer resources.

Indian Penal Code (IPC) 1860

Identity thefts and associated cyber frauds are embodied in the Indian Penal Code (IPC), 1860, which is invoked along with the Information Technology Act of 2000.

The primary relevant sections of the IPC covering cyber frauds are:

Forgery (Section 464)

Forgery pre-planned for cheating (Section 468)

False documentation (Section 465)

Presenting a forged document as genuine (Section 471)

Reputation damage (Section 469)

Companies Act of 2013

Corporate stakeholders regard the Companies Act of 2013 as the legal obligation necessary for the refinement of daily operations. The directives of this Act cement all the required techno-legal compliances, putting less compliant companies in a legal fix.

The Companies Act 2013 vested powers in the SFIO (Serious Frauds Investigation Office) to prosecute Indian companies and their directors. Also, since the notification of the Companies (Inspection, Investigation and Inquiry) Rules, 2014, the SFIO has become even more proactive and stern in this regard.

The legislature ensured that all the regulatory compliances are well covered, including cyber forensics, e-discovery, and cybersecurity diligence. The Companies (Management and Administration) Rules, 2014 prescribe strict guidelines confirming the cybersecurity obligations and responsibilities of company directors and leaders.


NIST Compliance

The NIST Cybersecurity Framework (NCFS), authorized by the National Institute of Standards and Technology (NIST), offers a harmonized approach to cybersecurity from what is regarded as the most reliable global certifying body.

The NIST Cybersecurity Framework encompasses all required guidelines, standards, and best practices to manage cyber-related risks responsibly. The framework prioritizes flexibility and cost-effectiveness.

THE INDIAN CYBERSPACE

Indian cyberspace was born in 1975 with the establishment of the National Informatics Centre (NIC), with the aim of providing the government with IT solutions. Three networks were set up between 1986 and 1988 to connect various agencies of government. These networks were: INDONET, which connected the IBM mainframe installations that made up India's computer infrastructure; NICNET (the NIC network), a nationwide very small aperture terminal (VSAT) network for public sector organizations and for connecting the central government with the state governments and district administrations; and ERNET (the Education and Research Network), set up to serve the academic and research communities.

NATIONAL CYBER SECURITY POLICY

The National Cyber Security Policy is a policy framework by the Department of Electronics and Information Technology. It aims at protecting public and private infrastructure from cyberattacks. The policy also intends to safeguard "information, such as personal information (of web users), financial and banking information and sovereign data". This was particularly relevant in the wake of the US National Security Agency (NSA) leaks that suggested US government agencies were spying on Indian users, who have no legal or technical safeguards against it. The Ministry of Communications and Information Technology (India) defines cyberspace as a complex environment consisting of interactions between people, software and services, supported by the worldwide distribution of information and communication technology.

VISION
To build a secure and resilient cyberspace for citizens, business, and government and also to
protect anyone from intervening in user's privacy.

MISSION
To protect information and information infrastructure in cyberspace, build capabilities to prevent
and respond to cyber threat, reduce vulnerabilities and minimize damage from cyber incidents
through a combination of institutional structures, people, processes, technology, and cooperation.


OBJECTIVE
The Ministry of Communications and Information Technology (India) defines the objectives as follows:

- To create a secure cyber ecosystem in the country, generate adequate trust and confidence in IT systems and transactions in cyberspace, and thereby enhance the adoption of IT in all sectors of the economy.

- To create an assurance framework for the design of security policies and enabling actions for compliance with global security standards and best practices by way of conformity assessment (product, process, technology and people).

- To strengthen the regulatory framework for ensuring a secure cyberspace ecosystem.

- To enhance and create national and sectoral level 24x7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective, response and recovery actions.


CHAPTER 3
INTRODUCTION: CYBER FORENSICS
CYBER FORENSICS:
Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence.

Forensic examiners typically analyze data from personal computers, laptops, personal digital
assistants, cell phones, servers, tapes, and any other type of media. This process can involve
anything from breaking encryption, to executing search warrants with a law enforcement team,
to recovering and analyzing files from hard drives that will be critical evidence in the most
serious civil and criminal cases.

The forensic examination of computers, and data storage media, is a complicated and highly
specialized process. The results of forensic examinations are compiled and included in reports. In
many cases, examiners testify to their findings, where their skills and abilities are put to ultimate
scrutiny.

DIGITAL FORENSICS:
Digital forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used in a court of law. It is the science of finding evidence from digital media such as a computer, mobile phone, server, or network. It provides the forensic team with the best techniques and tools to solve complicated digital-related cases.

Digital forensics helps the forensic team to analyze, inspect, identify, and preserve the digital evidence residing on various types of electronic devices.

Digital forensic science is a branch of forensic science that focuses on the recovery and
investigation of material found in digital devices related to cybercrime.

CHALLENGES IN COMPUTER FORENSICS

Digital forensics has been defined as the use of scientifically derived and proven methods for the identification, collection, preservation, validation, analysis, interpretation, and presentation of digital evidence derived from digital sources to facilitate the reconstruction of events found to be criminal. But these digital forensics investigation methods face some major challenges in practical implementation. Digital forensic challenges are categorized into three major heads, as per Fahd, Clark, and Furnell:

- Technical challenges

- Legal challenges

- Resource challenges

THE NEED FOR COMPUTER FORENSICS

Computer forensics is also important because it can save your organization money. ...From a
technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and
analyze data in a way that preserves the integrity of the evidence collected so it can be used
effectively in a legal case.

CYBER FORENSICS AND DIGITAL EVIDENCE:

Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, among other places. Digital
evidence is commonly associated with electronic crime, or e-crime, such as child pornography or
credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just
e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence
regarding their intent, their whereabouts at the time of a crime and their relationship with other
suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer who had
eluded police capture since 1974 and claimed the lives of at least 10 victims.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law
enforcement agencies are incorporating the collection and analysis of digital evidence, also
known as computer forensics, into their infrastructure. Law enforcement agencies are challenged
by the need to train officers to collect digital evidence and keep up with rapidly evolving
technologies such as computer operating systems.

FORENSICS ANALYSIS OF EMAIL:


E-mail forensics refers to the study of the source and content of e-mail as evidence to identify the
actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail
transaction, the intent of the sender, etc. This study involves investigation of metadata, keyword
searching, port scanning, etc. for authorship attribution and identification of e-mail scams.

Various approaches that are used for e-mail forensic are:

 Header Analysis – Metadata in the e-mail message in the form of control information, i.e.,
envelope and headers, including headers in the message body, contains information about the
sender and/or the path along which the message has traversed. Some of these may be spoofed
to conceal the identity of the sender. A detailed analysis of these headers and their correlation
is performed in header analysis.

 Bait Tactics – In a bait tactic investigation, an e-mail with an HTTP tag having an image source at
some computer monitored by the investigators is sent to the sender of the e-mail under
investigation, containing a real (genuine) e-mail address. When the e-mail is opened, a log
entry containing the IP address of the recipient (the sender of the e-mail under investigation) is
recorded on the HTTP server hosting the image, and thus the sender is tracked. However, if the
recipient (the sender of the e-mail under investigation) is using a proxy server, then the IP address of
the proxy server is recorded. The log on the proxy server can be used to track the sender of the e-
mail under investigation. If the proxy server’s log is unavailable for some reason, then
investigators may send the tactic e-mail containing a) an embedded Java applet that runs on the
receiver’s computer or b) an HTML page with an ActiveX object, both aiming to extract the IP
address of the receiver’s computer and e-mail it to the investigators.

 Server Investigation – In this investigation, copies of delivered e-mails and server logs are
investigated to identify the source of an e-mail message. E-mails purged from the clients
(senders or receivers) whose recovery is impossible may be requested from servers (proxy or
ISP), as most of them store a copy of all e-mails after their delivery. Further, logs
maintained by servers can be studied to trace the address of the computer responsible for
making the e-mail transaction. However, servers store the copies of e-mail and server logs
only for limited periods, and some may not co-operate with the investigators. Further,
SMTP servers which store data like credit card numbers and other data pertaining to the owner of
a mailbox can be used to identify the person behind an e-mail address.

 Software Embedded Identifiers – Some information about the creator of the e-mail, attached
files or documents may be included with the message by the e-mail software used by the
sender for composing the e-mail. This information may be included in the form of custom
headers or in the form of MIME content as a Transport Neutral Encapsulation Format
(TNEF). Investigating the e-mail for these details may reveal some vital information about
the sender’s e-mail preferences and options that could help client-side evidence gathering.
The investigation can reveal PST file names, the Windows logon username, the MAC address, etc.
of the client computer used to send the message.

 Sender Mailer Fingerprints – Identification of the software handling e-mail at the server can be
revealed from the Received header field, and identification of the software handling e-mail at the
client can be ascertained by using a different set of headers like “Mailer” or equivalent. These
headers describe the applications and their versions used at the clients to send e-mail. This
information about the client computer of the sender can be used to help investigators devise
an effective plan and thus prove to be very useful.
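As an added example, not part of the original material, the following Python script performs the header-analysis step described above: it walks the Received: hop chain of a constructed message (hypothetical hosts and documentation-range IPs) from the claimed origin to the destination and correlates adjacent hops, flagging the kind of break that a fabricated header leaves behind.

```python
"""Walk the Received: hop chain of an e-mail and flag breaks in it.

Added example for the header-analysis step; the messages below are constructed,
not real captures (hypothetical hosts, IPs from documentation ranges).
"""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Each receiving MTA prepends its own Received: line, so the topmost header is the
# last hop and the bottom one is the (claimed) origin.
CLEAN_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.sender-isp.example (mail.sender-isp.example [203.0.113.9])
\tby relay.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:03 +0000
Received: from client-pc.local ([192.0.2.45])
\tby mail.sender-isp.example with ESMTPA id ghi789; Mon, 1 Jan 2024 10:00:01 +0000
From: Alice <alice@sender-isp.example>
To: Bob <bob@example.org>
Subject: Quarterly report
X-Mailer: ExampleMailer 4.2

Please find the report attached.
"""

# Same message, but the sender added a fabricated bottom Received: line claiming
# the mail originated inside a bank's mail system (constructed spoofing case).
SPOOFED_MESSAGE = CLEAN_MESSAGE.replace(
    "From: Alice",
    "Received: from mail.trusted-bank.example ([203.0.113.200])\n"
    "\tby mx.trusted-bank.example with ESMTP id zzz000; Mon, 1 Jan 2024 09:59:00 +0000\n"
    "From: Alice",
)

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract the 'from' host, 'by' host, bracketed IP and timestamp of one hop."""
    m = RECEIVED_RE.search(value)
    if m is None:
        return None
    ip = IP_RE.search(value)
    # The timestamp follows the last ';' of the header value.
    date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    try:
        stamp = parsedate_to_datetime(date_part)
    except (ValueError, TypeError, IndexError):
        stamp = None
    return {"from": m["from"], "by": m["by"],
            "ip": ip.group(1) if ip else None, "time": stamp}


def hop_chain(raw):
    """Return the hops in transit order (claimed origin first)."""
    msg = message_from_string(raw, policy=policy.default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]


def check_chain(hops):
    """Correlate adjacent hops: the host that received hop i should hand off hop i+1,
    and timestamps should not run backwards. Returns a list of findings."""
    findings = []
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        if cur["by"].lower() != nxt["from"].lower():
            findings.append(
                f"hop {i}: received by {cur['by']} but hop {i + 1} claims from {nxt['from']}")
        if cur["time"] and nxt["time"] and nxt["time"] < cur["time"]:
            findings.append(f"hop {i + 1}: timestamp earlier than hop {i}")
    return findings


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        hops = hop_chain(raw)
        print(label, "->", " -> ".join(h["from"] for h in hops), "->", hops[-1]["by"])
        for finding in check_chain(hops):
            print("  !", finding)
```

A consistent chain does not prove the headers are genuine; only a break proves that at least one hop was not written by the relay it names.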


CHAPTER 4
CYBERCRIMES: MOBILE AND WIRELESS
INTRODUCTION
Why should mobile devices be protected? Every day, mobile devices are lost, stolen, and
infected. Mobile devices can store important business and personal information, and are often
used to access University systems, email and banking.

Proliferation of mobile and wireless devices:

 People hunched over their smartphones or tablets in cafes, airports, supermarkets and
even at bus stops, seemingly oblivious to anything or anyone around them.

 They play games, download email, go shopping or check their bank balances on the go.

 They might even access corporate networks and pull up a document or two on their mobile
gadgets.

Today, incredible advances are being made for mobile devices. The trend is for smaller
devices and more processing power. A few years ago, the choice was between a wireless phone
and a simple PDA. Now the buyers have a choice between high-end PDAs with integrated
wireless modems and small phones with wireless Web-browsing capabilities. A long list of
options is available to mobile users. A simple hand-held mobile device provides enough
computing power to run small applications, play games and music, and make voice calls. A key
driver for the growth of mobile technology is the rapid growth of business solutions into hand-
held devices. As the term "mobile device" includes many products, we first provide a clear
distinction among the key terms: mobile computing, wireless computing and hand-held devices.
The figure below helps us understand how these terms are related. Let us understand the concept of
mobile computing and the various types of devices.

Mobile computing is "taking a computer and all necessary files and software out into the field."
Many types of mobile computers have been introduced since the 1990s.

They are as follows:


1. Portable computer: It is a general-purpose computer that can be easily moved from one place
to another, but cannot be used while in transit, usually because it requires some "setting-up" and
an AC power source.

2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has features of a
touchscreen with a stylus and handwriting recognition software. Tablets may not be best suited
for applications requiring a physical keyboard for typing, but are otherwise capable of carrying
out most tasks that an ordinary laptop would be able to perform.


3. Internet tablet: It is the Internet appliance in tablet form. Unlike a Tablet PC, the Internet
tablet does not have much computing power and its applications suite is limited. Also, it cannot
replace a general-purpose computer. The Internet tablets typically feature an MP3 and video
player, a Web browser, a chat application and a picture viewer.

4. Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with
limited functionality. It is intended to supplement and synchronize with a desktop computer,
giving access to contacts, address book, notes, E-Mail and other features.

5. Ultramobile PC: It is a full-featured, PDA-sized computer running a general-purpose
operating system (OS).

6. Smartphone: It is a PDA with integrated cell phone functionality. Current Smartphones
have a wide range of features and installable applications.

7. Carputer: It is a computing device installed in an automobile. It operates as a wireless
computer, sound system, global positioning system (GPS) and DVD player. It also contains word
processing software and is Bluetooth compatible.

8. Fly Fusion Pentop computer: It is a computing device with the size and shape of a pen. It
functions as a writing utensil, MP3 player, language translator, digital storage device and
calculator.

Trends in Mobility:
Mobile computing is moving into a new era, third generation (3G), which promises greater
variety in applications, highly improved usability and speedier networking.
"iPhone" from Apple and Google-led "Android" phones are the best examples of this trend, and
there are plenty of other developments that point in this direction. This smart mobile technology
is rapidly gaining popularity, and the attackers (hackers and crackers) are among its biggest fans.
It is worth noting the trends in mobile computing; this will help readers to realize the
seriousness of cybersecurity issues in the mobile computing domain. The figure below shows the
different types of mobility and their implications.

Security Challenges Posed by Mobile Devices:


Mobility brings two main challenges to cybersecurity: first, on the hand-held devices,
information is being taken outside the physically controlled environment and second, remote
access back to the protected environment is being granted. Perceptions of the organizations to
these cybersecurity challenges are important in devising appropriate security operating
procedures. When people are asked about what is important in managing a diverse range of mobile
devices, they seem to be thinking of the ones shown in the figure below.

As the number of mobile device users increases, two challenges are presented: one at the device
level called "micro challenges" and another at the organizational level called "macro challenges".
Some well-known technical challenges in mobile security are: managing the registry settings and
configurations, authentication service security, cryptography security, Lightweight Directory
Access Protocol (LDAP) security, remote access server (RAS) security, media player control
security, networking application program interface (API) security, etc.

Registry Settings for Mobile Devices:


Let us understand the issue of registry settings on mobile devices through an example: Microsoft
ActiveSync is meant for synchronization with Windows-powered personal computers (PCs) and
Microsoft Outlook. ActiveSync acts as the "gateway between Windows-powered PC and
Windows mobile-powered device", enabling the transfer of applications such as Outlook
information, Microsoft Office documents, pictures, music, videos and applications from a user's
desktop to his/her device.

In addition to synchronizing with a PC, ActiveSync can synchronize directly with the Microsoft
exchange server so that the users can keep their E-Mails, calendar, notes and contacts updated
wirelessly when they are away from their PCs. In this context, registry setting becomes an
important issue given the ease with which various applications allow a free flow of information.

Operating Guidelines for Implementing Mobile Device Security Policies


In situations such as those described above, the ideal solution would be to prohibit all
confidential data from being stored on mobile devices, but this may not always be practical.

Organizations can, however, reduce the risk that confidential information will be accessed from
lost or stolen mobile devices through the following steps:

 Determine whether the employees in the organization need to use mobile computing devices
at all, based on their risks and benefits within the organization, industry and regulatory
environment.

 Implement additional security technologies, as appropriate to fit both the organization and
the types of devices used. Most (and perhaps all) mobile computing devices will need to have
their native security augmented with such tools as strong encryption, device passwords and
physical locks. Biometric techniques can be used for authentication and encryption and have
great potential to eliminate the challenges associated with passwords.

 Standardize the mobile computing devices and the associated security tools being used with
them. As a matter of fundamental principle, security deteriorates quickly as the tools and
devices used become increasingly disparate.

 Develop a specific framework for using mobile computing devices, including types of
information that can be stored on them.

 Centralize management of your mobile computing devices. Maintain an inventory so that you
know who is using what kinds of devices.

 Establish patching procedures for software on mobile devices. This can often be simplified
by integrating patching with syncing or patch management with the centralized.

 Provide education and awareness training to personnel using mobile devices. People cannot be
expected to appropriately secure their information if they have not been told how.


CHAPTER 5
A SURVEY OF INSIDER ATTACK DETECTION RESEARCH

Modelling Unix Shell Commands


A hybrid high-order Markov chain model was introduced by Ju and Vardi. A Markov chain is a
discrete-time stochastic process. The goal of the work is to identify a “signature behaviour” for a
particular user based on the command sequences that the user executed. In order to overcome the
high dimensionality inherent in high-order Markov chains, a “mixture transition distribution”
(MTD) approach is used to model the transition probabilities. When the test data contains many
commands unobserved in the training data, a Markov model is not usable. Here, a simple
independence model with probabilities estimated from a contingency table of users versus
commands may be more appropriate.
The authors used a method that automatically toggled between a Markov model and an
independence model generated from a multinomial random distribution as needed, depending on
whether the test data were “usual” (i.e., the commands have been previously seen), or “unusual”
(i.e., Never-Before-Seen Commands or NBSCs).
Schonlau et al. applied six masquerade detection methods to a data set of “truncated” UNIX shell
commands for 70 users collected using the UNIX acct auditing mechanism. Each user had
15,000 commands collected over a period of time ranging between a few days and several
months. 50 users were randomly chosen to serve as intrusion targets. The other 20 users were
used as simulated masqueraders. The first 5,000 commands for each of the 50 users were left
intact or “clean”; the next 10,000 commands were randomly injected with 100-command blocks
issued by the 20 masquerade users.
When commands are grouped into blocks of 100 commands each, a block is either “clean” or
“dirty”, that is, all 100 commands were originated by a masquerader. The complete data set and
more information about it can be found at http://www.schonlau.net. The objective was to
accurately detect the “dirty” blocks and classify them as masquerader blocks. This data set was
widely used by several authors who investigated different detection methods and has served as
the standard benchmark data set for this line of research.
One detection method explored by Schonlau, called “uniqueness”, relies on the fact that half of the
commands in the training data are unique (i.e., used by one user only), and many more are
unpopular amongst the users (i.e., used only by a few users). The second method investigated
was the Bayes one-step Markov approach. It was based on one-step transitions from one
command to the next. The approach, due to DuMouchel [8], uses a Bayes factor statistic to test the
null hypothesis that the observed one-step command transition probabilities were consistent with
the historical transition matrix.


The two hypotheses modelled were the null hypothesis, which assumed that the observed
transition probabilities stem from the historical transition matrix, and the alternative hypothesis,
which assumed that they were generated from a Dirichlet distribution. A hybrid multi-step
Markov method similar to the one introduced by Ju and Vardi is also used.
The fourth method used, called the compression method, was based on the premise that test data
appended to historical training data compresses more readily when the test data stemmed from
the very same user rather than from a masquerader, and was implemented through the UNIX tool
“compress”, which implements a modified Lempel-Ziv algorithm. IPAM (Incremental
Probabilistic Action Modelling), another method applied on the same data set and introduced by
Davison and Hirsh, was also based on one-step command transition probabilities estimated
from the training data. The probabilities were continuously updated following an exponential
decay scheme with the arrival of a new command.
The sequence-match approach was presented by Lane and Brodley. For each new command, a
similarity measure is computed between the 10 most recent commands and a user’s historical
profile. A user’s profile consisted of command sequences of length 10 that the user had
previously used.
The similarity measure was a count of the number of matches in a command-by-command
comparison of two command sequences, with a greater weight assigned to adjacent matches. This
similarity measure was computed for the test data sequence paired with each command sequence
in the profile. Maxion and Townsend applied a naïve Bayes classifier, which had been widely
used in text classification tasks, to the same data set.
Maxion provided a thorough and detailed investigation of the classification errors of the classifier
in a separate paper, highlighting why some masquerade victims were more vulnerable than
others, and why some masqueraders were more successful than others.
Killourhy and Maxion also investigated a shortcoming of the naïve Bayes classifier when
dealing with NBSCs. The semi-global alignment method presented by Coull et al. is a modification
of the Smith-Waterman local alignment algorithm.
It uses a scoring system that rewards the alignment of commands in a test segment, but does not
necessarily penalize the misalignment of large portions of the signature of the user. Another
approach, called a self-consistent naïve Bayes classifier, is proposed by Yung and applied on the
same data set. This method was a combination of the naïve Bayes classifier and the EM
algorithm.
The self-consistent naïve Bayes classifier is not forced to make a binary decision for each new
block of commands, i.e., a decision whether the block is a masquerade block or not. Rather, it
assigns a score that indicates the probability that the block is a masquerade block.
Moreover, this classifier can change scores of earlier blocks as well as later blocks of commands.
Oka et al. had the intuition that the dynamic behaviour of a user appearing in a sequence could
be captured by correlating not only connected events, but also events that were not adjacent to
each other, while appearing within a certain distance (non-connected events).


With that intuition they developed the layered networks approach based on the Eigen Co-
occurrence Matrix (ECM). The ECM method extracts the causal relationships embedded in
sequences of commands, where a co-occurrence means the relationship between every two
commands within an interval of sequences of data.
This type of relationship cannot be represented by frequency histograms nor through n-grams.
The classification methods whose accuracy was estimated are all based on a two-class
supervised training methodology whereby data is labelled as self or non-self.
The Schonlau data used is a mixture of command sequences from different users. The classifiers
produced in these studies essentially identify a specific user from a set of known users who
provided training data. Furthermore, mixing data from multiple users to train classifiers to detect
masqueraders is complicated and fraught with problems.
Besides potential privacy threats, requiring the mixture of data from multiple users requires
substantial retraining of classifiers as users join and leave an organization.

User Profiling in Windows Environments


Less research work has been applied to Windows environments compared to work directed for
the Unix environment. Much of the difference lies in the auditing methods available on each
platform. Linux apparently has cleaner auditing mechanisms (acct, BSM, etc.) whereas Windows
has a plethora of system actions that can be captured by various monitoring subsystems. Shavlik
et al. presented a prototype anomaly detection system that creates statistical profiles of users
running Windows 2000. Their algorithm measures more than two-hundred Windows 2000
properties every second, and creates about 1500 features from the measurements.
The system assigns weights to the 1500 features in order to accurately characterize the particular
behaviour of each user – each user thus is assigned his or her own set of feature weights as their
unique signature. Following training, each second all of the features “vote” as to whether or not
it seems likely that an intrusion has occurred. The weighted votes “for” and “against” an
intrusion are compared, and if there is enough evidence, an alarm is raised.
Nguyen, Reiher & Kuenning propose detecting insider threats by monitoring system call activity
[26]. Instead of building profiles on system call traces, they analyse relationships between users
and files, users and processes, and processes and files. They build user-oriented models as well
as process-oriented models using file system and process-related system calls, exploiting the
regularity in the patterns of file accesses and process-calling by programs and users. They focus
on building a Buffer-overflow Detection System (BDS), which is able to detect buffer overflows
in many cases, but only if they occur in a set of programs that have a fixed list of children, i.e.,
only 92% of programs. The authors’ approach, as they point out, was not suitable for detecting
malicious insider activity on laptops, because the traces collected on laptops are very dynamic
and users do not have a fixed pattern of working time which could be used to define an adequate
time window for analysis. Jha et al. present a statistical anomaly detection algorithm that has the
potential of handling mixtures of traces from several users (this will occur when several users are
colluding) by using mixtures of Markov chains. The technique which has an unobserved or
hidden component can be compared to Hidden Markov Models (HMMs). The training algorithm
for HMMs runs in time, where n is the number of states in the HMM and m is the size of the
trace, whereas, the training time for Markov chains. So, the authors’ approach was less
computationally-expensive than HMMs.
Honeypots
Honeypots are information system resources designed to attract malicious users. Honeypots have
been widely deployed in De-Militarized Zones (DMZ) to trap attempts by external attackers to
penetrate an organization’s network. Their typical use is for early warning and slowing down or
stopping automated attacks from external sources, and for capturing new exploits and gathering
information on new threats emerging from outside the organization. These trap-based defences
are also useful for the insider threat.
Spitzner presented several ways to adapt the use of honeypots to the insider attack detection
problem. Since insiders probably know what information they are after, and in many cases
where that information is to be found and possibly how to access it, he recommends implanting
honeytokens with perceived value in the network or in the intranet search engine. A honeytoken
is “information that the user is not authorized to have or information that is inappropriate”. This
information can then direct the insider to the more advanced honeypot that can be used to discern
whether the insider’s intention was malicious or not, a decision that may be determined by
inspecting the insider’s interaction with the honeypot.
In order to reach such interaction that will be used to gather information, it is important to ensure
that the honeypot looks realistic to the insider. Humans have a keen sense of suspicion, and
hence the grand challenge for honeypots or any trap-based defence is believability, while
preventing poisoning of operational systems.
Honeypots suffer from some shortcomings. First, the inside attacker may not ever use or interact
with the honeypot or honeytoken, especially if its identity is known or discovered by the
insider. Moreover, if an attacker discovers a honeypot, he/she can possibly inject bogus or false
information to complicate detection.
Procedure
Naive Bayes operates by learning a model of normal behaviour (legitimate user) from self
training data and a model of abnormal behaviour (masquerader) from nonself training data. It uses
these models to calculate an anomaly score on test data (in this case, a single block of test data),
and uses that score to decide whether to raise an alarm.
For each synthetic data set, the steps in the procedure for running naive Bayes were as follows.
 Configure naive Bayes. Set the naive Bayes “pseudo count” parameter to 0.01 (for
consistency with prior work). Set the block size to 10, and the alphabet size to 122 (for
consistency with the data set).
 Train on self and nonself data. Train the naive Bayes classifier on self data to establish a
model of normal behaviour. Train on the nonself data to establish a model of abnormal
behaviour.
 Compute anomaly threshold. Compute the anomaly threshold by 5-fold cross validation.
Details of how cross validation works can be found in an earlier paper.
 Score the test block. Run the detector on the test block, and observe the anomaly score
that naive Bayes assigns to the block.
 Decision. Decide whether or not the test block was detected by comparing the anomaly
score with the threshold.
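An added worked version of this five-step procedure in Python (example code, not the paper's implementation): it trains self and nonself models with the 0.01 pseudo count, block size 10 and alphabet size 122, fixes the threshold by 5-fold cross validation, then scores a constructed clean block and a constructed dirty block. The command streams and the exact threshold rule (largest held-out self score) are assumptions.

```python
"""Naive Bayes masquerade detection over blocks of shell commands.

Added example following the five steps above. The command streams are constructed
(not the Schonlau data), and the cross-validation rule "threshold = largest anomaly
score of any held-out self block" is an assumption, not the paper's exact rule.
"""
import math
import random

PSEUDO_COUNT = 0.01    # smoothing weight, as in the procedure
BLOCK_SIZE = 10        # commands per block
ALPHABET_SIZE = 122    # distinct commands in the data set


class CommandModel:
    """Multinomial model of one class (self or nonself) with pseudo-count smoothing."""

    def __init__(self):
        self.counts, self.total = {}, 0

    def train(self, commands):
        for c in commands:
            self.counts[c] = self.counts.get(c, 0) + 1
        self.total += len(commands)

    def log_prob(self, command):
        # The pseudo count is spread over the whole alphabet, so a never-before-seen
        # command still gets a small non-zero probability instead of log(0).
        num = self.counts.get(command, 0) + PSEUDO_COUNT
        return math.log(num / (self.total + PSEUDO_COUNT * ALPHABET_SIZE))


def anomaly_score(block, self_model, nonself_model):
    """Log-likelihood ratio nonself/self for the block; higher means more anomalous."""
    return sum(nonself_model.log_prob(c) - self_model.log_prob(c) for c in block)


def to_blocks(commands, size=BLOCK_SIZE):
    return [commands[i:i + size] for i in range(0, len(commands) - size + 1, size)]


def cross_validated_threshold(self_cmds, nonself_cmds, folds=5):
    """5-fold cross validation on the self data: hold out one fold of self blocks,
    train on the other four, score the held-out blocks, keep the largest score seen."""
    self_blocks = to_blocks(self_cmds)
    fold = math.ceil(len(self_blocks) / folds)
    worst = -math.inf
    for k in range(folds):
        held = self_blocks[k * fold:(k + 1) * fold]
        rest = self_blocks[:k * fold] + self_blocks[(k + 1) * fold:]
        s_model, n_model = CommandModel(), CommandModel()
        s_model.train([c for b in rest for c in b])
        n_model.train(nonself_cmds)
        worst = max([worst] + [anomaly_score(b, s_model, n_model) for b in held])
    return worst


def build_detector(self_cmds, nonself_cmds):
    """Train both models, fix the threshold, and return (detect, threshold)."""
    s_model, n_model = CommandModel(), CommandModel()
    s_model.train(self_cmds)
    n_model.train(nonself_cmds)
    threshold = cross_validated_threshold(self_cmds, nonself_cmds)

    def detect(block):
        score = anomaly_score(block, s_model, n_model)
        return score > threshold, score      # (alarm raised?, anomaly score)
    return detect, threshold


# Constructed training streams: a developer-like self user and an admin-like
# nonself user, sampled from weighted vocabularies with a fixed seed.
SELF_VOCAB = ["ls", "cd", "vim", "make", "gcc", "git", "grep", "cat", "python", "less"]
SELF_WEIGHTS = [20, 18, 12, 10, 8, 9, 7, 6, 6, 4]
NONSELF_VOCAB = ["ls", "cd", "sudo", "netstat", "tar", "scp", "chmod", "passwd", "find", "ps"]
NONSELF_WEIGHTS = [10, 8, 15, 10, 9, 9, 9, 10, 10, 10]
_rng = random.Random(7)
SELF_TRAIN = _rng.choices(SELF_VOCAB, weights=SELF_WEIGHTS, k=500)
NONSELF_TRAIN = _rng.choices(NONSELF_VOCAB, weights=NONSELF_WEIGHTS, k=500)

# Two constructed test blocks: one clean, one "dirty" (mostly masquerader commands).
CLEAN_BLOCK = ["ls", "cd", "vim", "make", "gcc", "git", "grep", "cat", "python", "less"]
DIRTY_BLOCK = ["sudo", "netstat", "tar", "scp", "chmod", "passwd", "find", "ps", "ls", "cd"]

detect, THRESHOLD = build_detector(SELF_TRAIN, NONSELF_TRAIN)

if __name__ == "__main__":
    for name, blk in (("clean block", CLEAN_BLOCK), ("dirty block", DIRTY_BLOCK)):
        alarm, score = detect(blk)
        print(f"{name}: score={score:+.1f} threshold={THRESHOLD:+.1f} alarm={alarm}")
```

Because the pseudo count gives unseen commands a tiny but non-zero probability, a block full of NBSCs scores as strongly anomalous rather than crashing the detector, which is the shortcoming with NBSCs that the survey mentions.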

Security Analysis
The security analysis considers attackers whose ultimate goal is to forge Attribute Authority
signatures. To accomplish this goal, attackers need to obtain the Attribute Authority’s private
key and/or to take control of the Certificate Engine system, without being detected. Threshold
cryptography guarantees that the private key cannot be reconstructed if fewer than half of the
private key shares are disclosed.
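To make the threshold guarantee concrete, here is an added Python example (not the Certificate Engine's code) of Shamir secret sharing with a majority threshold t = floor(n/2) + 1: t shares reconstruct the secret, t - 1 shares yield an unrelated value. The prime field, the 6 replica nodes and the toy secret are constructed.

```python
"""Shamir secret sharing with a majority threshold.

Added example for the threshold-cryptography guarantee; it is not the Certificate
Engine's code. The prime field, share count and toy secret are constructed values.
"""
import random

PRIME = (1 << 127) - 1      # 2^127 - 1, a Mersenne prime; all arithmetic is mod PRIME


def majority_threshold(n):
    """Smallest t such that "fewer than half of n shares" is always fewer than t."""
    return n // 2 + 1


def split_secret(secret, n, t, rng=random):
    """Return n shares (x, f(x)) of a random degree-(t-1) polynomial with f(0) = secret."""
    if not 1 <= t <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= t <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner's rule for f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange interpolation at x = 0; correct only when at least t distinct shares are given."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo(n=6, secret=0x5EC12E7, seed=1):
    """Split the secret among n replica nodes, then try reconstruction with t shares
    (two different subsets) and with t - 1 shares. Returns (ok_with_t, ok_with_t_minus_1)."""
    t = majority_threshold(n)
    shares = split_secret(secret, n, t, random.Random(seed))
    ok_with_t = reconstruct(shares[:t]) == secret == reconstruct(shares[n - t:])
    # With t - 1 shares the interpolated value is just some field element: every
    # candidate secret is equally consistent with the disclosed shares.
    ok_with_t_minus_1 = reconstruct(shares[:t - 1]) == secret
    return ok_with_t, ok_with_t_minus_1


if __name__ == "__main__":
    print(demo())   # (True, False)
```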
The remainder of this section focuses on how the crypto-engine approach makes the attack
substantially more difficult than on a system implemented entirely in software. An attacker
can succeed by hardware-level intrusion if he/she has physical access to the replica node.
Hardware-Level Intrusion. Our analysis is based on the attack categories identified in [11]:
physical attack, read-back attack, and side-channel attack.
A physical attack aims at uncovering the FPGA design by opening up the FPGA package and
probing (undocumented) points inside the chip without damaging the device. Due to increasing
FPGA complexity, this attack can be achieved only with advanced inspection methods (e.g.,
Focused Ion Beam), which are quite costly and are probably possible only for large organizations
(e.g., intelligence services). A read-back attack accesses/reads the FPGA configuration file from
the FPGA chip (using the read-back functionality generally available on the FPGA device for
debugging purposes), after which the attacker reverse-engineers the obtained bitstream. To
prevent the read-back attack, most manufacturers provide the option of disabling the read-back
functionality. Moreover, even though it is theoretically possible to interpret and/or modify the bit-stream of
an FPGA, major vendors (e.g., Xilinx, Actel) maintain that it is virtually impossible.
The irregular row and column pattern of the hierarchical interconnection network exacerbates the
inherent complexity of the reverse-engineering process. A side-channel attack exploits
unintentional information leakage sources (e.g., power consumption, timing, electromagnetic
radiation) in the implementation. At present, little work has investigated the feasibility of such
attacks against FPGAs. Nevertheless, attacks using power consumption and specific to RSA are
known in the literature. For instance, Simple Power Analysis and Differential Power Analysis
exploit the fact that a straightforward implementation of the Right-to-Left Binary Algorithm
(widely used in RSA hardware circuits, including our RSA Processor) has power consumption
that changes in time with the bit-sequence of the RSA key (thus, monitoring the FPGA power
consumption allows discovering the RSA key). Simple countermeasures can be found. In our
case, power attacks are more difficult to launch, since multiple RSA Processors operate
concurrently and asynchronously, effectively masking the information that can be revealed by
the overall FPGA power consumption. We note that hardware-implemented cryptographic co-
processor engines limit the types of secure computations that the user can perform to only the
implemented cryptographic routines.
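An added Python example, not the paper's RSA Processor, that shows why the straightforward right-to-left binary algorithm leaks through its multiply/square sequence and how a Montgomery ladder (one of the simple countermeasures) performs the same operations for every exponent of the same length. The base, exponents and modulus are small constructed toy values.

```python
"""Operation traces of two modular-exponentiation routines.

Added example (not the paper's RSA Processor) contrasting the straightforward
right-to-left binary algorithm, whose multiply/square sequence follows the
exponent bits, with a Montgomery ladder that does the same work for every bit.
The base, exponents and modulus are small constructed toy values.
"""


def rtl_binary(base, exp, mod, trace):
    """Right-to-left binary exponentiation; appends 'M' per multiply, 'S' per square."""
    result, b = 1, base % mod
    while exp > 0:
        if exp & 1:                       # multiply only for a 1 bit of the exponent
            result = result * b % mod
            trace.append("M")
        b = b * b % mod                   # square for every bit
        trace.append("S")
        exp >>= 1
    return result


def montgomery_ladder(base, exp, mod, trace):
    """Montgomery ladder: exactly one multiply and one square per exponent bit."""
    r0, r1 = 1, base % mod
    for i in range(exp.bit_length() - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r1, r0 = r0 * r1 % mod, r0 * r0 % mod
        trace.extend("MS")                # same operation pair whatever the bit
    return r0


def op_trace(routine, base, exp, mod):
    """Return (result, trace string) so traces for different exponents can be compared."""
    trace = []
    return routine(base, exp, mod, trace), "".join(trace)


def trace_depends_on_exponent(routine, base, mod, exponents):
    """True if exponents of equal bit length produce different operation sequences,
    i.e. a per-operation power profile of the routine would follow the key bits."""
    traces = {op_trace(routine, base, e, mod)[1] for e in exponents}
    return len(traces) > 1


# Constructed toy parameters: two 4-bit exponents of the same length.
BASE, MOD = 5, 97
EXPONENTS = (0b1011, 0b1101)

if __name__ == "__main__":
    for routine in (rtl_binary, montgomery_ladder):
        for e in EXPONENTS:
            result, trace = op_trace(routine, BASE, e, MOD)
            print(f"{routine.__name__:18} e={e:04b} trace={trace} "
                  f"correct={result == pow(BASE, e, MOD)}")
```

The ladder removes only the operation-sequence leak; data-dependent power draw within each multiply is what Differential Power Analysis targets and needs further countermeasures.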


CONCLUSION
Organizations are finding themselves under the pressure of being forced to react quickly to the
dynamically increasing number of cybersecurity threats. Since the attackers have been using an
attack life cycle, organizations have also been forced to come up with a vulnerability
management life cycle. The vulnerability management life cycle is designed to counter the
efforts made by the attackers in the quickest and most effective way. This chapter has discussed
the vulnerability management life cycle in terms of the vulnerability management strategy. It has
gone through the steps of asset inventory creation, the management of information flow, the
assessment of risks, assessment of vulnerabilities, reporting and remediation, and finally the
planning of the appropriate responses. It has explained the importance of each step in the
vulnerability management phase and how each should be carried out.
