Introduction To Cyber Security Handbook PDF
1. Mission-Critical Assets
This is data that is absolutely critical to protect. Whether businesses would like
to admit it or not, they face malicious forces daily. The question is how are
leaders dealing with this type of protection? And what measures have they put
in place to guard against breaches?
An example of mission-critical assets in the healthcare industry is Electronic
Medical Record (EMR) software. In the financial sector, it is the customers'
financial records.
2. Data Security
Data security means putting security controls in place to protect both the
transfer and the storage of data. There also has to be a backup measure in
place to prevent the loss of data, which in turn requires the use of encryption
and archiving.
Data security is an important focus for all businesses as a breach of data can
have dire consequences.
3. Application Security
This involves the security features that control access to an application and that
application’s access to your assets. It also includes the internal security of the
app itself.
Most of the time, applications are designed with security measures that continue
to provide protection when the app is in use.
4. Endpoint Security
This layer of security makes sure that the endpoints of user devices are not
exploited by breaches. This includes the protection of mobile devices, desktops,
and laptops.
Endpoint security systems enable protection either on a network or in the cloud
depending on the needs of a business.
5. Network Security
This is where security controls are put in place to protect the business’s
network. The goal is to prevent unauthorized access to the network.
It is crucial to regularly update all systems on the business network with the
necessary security patches, and to use encryption. It's always best to disable
unused interfaces to further guard against threats.
6. Perimeter Security
This security layer ensures that both the physical and digital security methods
protect a business as a whole. It includes things like firewalls that protect the
business network against external forces.
7. The Human Layer
Despite being known as the weakest link in the security chain, the human layer
is a very necessary layer. It incorporates management controls and phishing
simulations as an example.
These human management controls aim to protect that which is most critical to
a business in terms of security. This includes the very real threat that humans,
cyber attackers, and malicious users pose to a business.
Vulnerabilities:
Vulnerabilities simply refer to weaknesses in a system. They make threat
outcomes possible and potentially even more dangerous. A system could be
exploited through a single vulnerability, for example, a single SQL Injection
attack could give an attacker full control over sensitive data. An attacker could
also chain several exploits together, taking advantage of more than one
vulnerability to gain more control.
Below are some examples of vulnerabilities:
A weakness in a firewall that can lead to malicious hackers getting into a
computer network
Lack of security cameras
Unlocked doors at businesses
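The paragraph above says a single SQL injection can expose all sensitive data. The following added example (not part of the handbook) shows the defect and its fix side by side using Python's built-in sqlite3 module and a constructed in-memory table: the vulnerable lookup pastes the untrusted value into the SQL text, while the hardened lookup passes it as a bound parameter.

```python
import sqlite3


def build_demo_db():
    """In-memory table with constructed sample rows (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (email, balance) VALUES (?, ?)",
        [("ana@example.com", 120.5), ("bo@example.com", 980.0), ("cy@example.com", 15.25)],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The untrusted value is pasted into the SQL text, so it can rewrite the query."""
    query = f"SELECT email, balance FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the value travels separately from the SQL and can never become SQL."""
    return conn.execute(
        "SELECT email, balance FROM customers WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups on a normal value and on a classic tautology input."""
    conn = build_demo_db()
    normal = "bo@example.com"
    # The tautology turns the WHERE clause into  email = 'x' OR '1'='1' , which is always true.
    hostile = "x' OR '1'='1"
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, normal)),
        "normal_safe": len(lookup_safe(conn, normal)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),  # every row leaks
        "hostile_safe": len(lookup_safe(conn, hostile)),              # no such email: 0 rows
    }
```

The safe variant treats the whole string as a literal email address, so the only difference between the two functions is whether the database ever sees attacker-controlled SQL.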
Note1: Firewall
A firewall is a network security device that monitors incoming and
outgoing network traffic and decides whether to allow or block specific
traffic based on a defined set of security rules.
Firewalls have been a first line of defense in network security for over 25
years. They establish a barrier between secured and controlled internal
networks that can be trusted and untrusted outside networks, such as the
Internet.
A firewall can be hardware, software, or both.
Note2: VPN
A virtual private network, or VPN, is an encrypted connection over the
Internet from a device to a network. The encrypted connection helps
ensure that sensitive data is safely transmitted.
It prevents unauthorized people from eavesdropping on the traffic and
allows the user to conduct work remotely.
VPN technology is widely used in corporate environments.
Threats and Harmful Acts:
Cyber threats, or simply threats, refer to cybersecurity circumstances or events
with the potential to cause harm by way of their outcome. A few examples of
common threats include a social-engineering or phishing attack that leads to an
attacker installing a trojan and stealing private information from your
applications, DoS-ing your website, an administrator accidentally leaving data
unprotected on a production system causing a data breach, or a storm flooding
your ISP's data center.
Cybersecurity threats are actualized by threat actors. Threat actors usually refer
to persons or entities who may potentially initiate a threat. While natural
disasters, as well as other environmental and political events, do constitute
threats, they are not generally regarded as being threat actors (this does not
mean that such threats should be disregarded or given less importance).
Examples of common threat actors include financially motivated criminals
(cybercriminals), politically motivated activists (hacktivists), competitors,
careless employees, disgruntled employees, and nation-state attackers.
Cyber threats can also become more dangerous if threat actors leverage one or
more vulnerabilities to gain access to a system, often including the operating
system.
Internet Governance – Challenges and Constraints:
Internet Governance:
Internet governance refers to the rules, policies, standards and practices that
coordinate and shape global cyberspace.
The Internet is a vast network of independently-managed networks, woven
together by globally standardized data communication protocols (primarily,
Internet Protocol, TCP, UDP, DNS and BGP). The common adoption and use of
these protocols unified the world of information and communications like never
before. Millions of digital devices and massive amounts of data, software
applications, and electronic services became compatible and interoperable. The
Internet created a new environment, a complex and dynamic “cyberspace.”
While Internet connectivity generated innovative new services, capabilities and
unprecedented forms of sharing and cooperation, it also created new forms of
crime, abuse, surveillance and social conflict. Internet governance is the process
whereby cyberspace participants resolve conflicts over these problems and
develop a workable order.
The term “Internet governance” first started to be used in connection with the
governance of Internet identifiers such as domain names and IP addresses,
which led to the formation of ICANN (Internet Corporation for Assigned Names
and Numbers). Since then, the economic, political, social and military
implications of Internet governance have expanded to embrace a number of
other areas of policy:
Constraints of Internet Governance:
a. Cybersecurity: Cybersecurity is the practice of protecting systems,
networks, and programs from digital attacks. These cyberattacks are
usually aimed at accessing, changing, or destroying sensitive
information; extorting money from users; or interrupting normal business
processes.
b. Digital Trade: Digital trade is a broad concept, capturing not just the
sale of consumer products on the Internet and the supply of online
services, but also data flows that enable global value chains, services that
enable smart manufacturing, and myriad other platforms and
applications.
c. Free Expression Online: Freedom of expression includes the right to
access information, which in the case of journalists could mean being
granted access in a public institution, including courts, or to a public
document, including data of secret services.
d. Privacy & Surveillance:
Privacy is the right to be let alone, or freedom from interference or
intrusion. Information privacy is the right to have some control over how
your personal information is collected and used.
Surveillance is the careful watching of a person or place, especially by
the police or army, because of a crime that has happened or is expected.
e. Internet of Things: The Internet of things describes physical objects
with sensors, processing ability, software, and other technologies that
connect and exchange data with other devices and systems over the
Internet or other communications networks.
f. IG Institutions: The Internet Governance Institute (IGI) is an initiative
established to strengthen Internet governance at the grassroots level
through research, capacity building, awareness, debates and policy
intervention across the Asia Pacific. IGI believes in collaboration and
operates through the participation of IG-related institutions.
The main objective of IGI is to contribute to strengthening grassroots-level
stakeholders through research, capacity building, awareness, debates, and
policy intervention.
Major objectives of IGI are as follows:
Research and development on Internet governance issues,
Conducting short and long academic and non-academic online and
offline courses on Internet governance,
Conducting lectures, symposia, international meetings, conferences,
and workshops on Internet governance,
Exchange of researchers and students working in the area of
Internet governance,
Advocacy and promotional activities on Internet governance
related issues and others,
Design, development, distribution and sale of digital and non-digital
content on Internet governance issues.
g. Internet Identifiers: Internet identifiers means an electronic mail
address, instant message address or identifier, or any other designation or
moniker used for self-identification during internet communication or
posting, including all designations used for the purpose of routing or
self-identification in internet communications or postings.
h. Geopolitics of IG: Geopolitics is the study of the effects of Earth's
geography on politics and international relations. Geopolitical examples
may include trade agreements, war treaties, border or territorial
acknowledgements, climate agreements, and more. Two recent examples
are NAFTA and the Kyoto Protocol.
Challenges of Internet Governance:
a. Censorship of the Internet: Internet censorship is the control or suppression
of what can be accessed, published, or viewed on the Internet, enacted by
regulators or by others on their own initiative. Internet censorship restricts
what information can and cannot be put on the Internet.
b. Anonymity and Attribution Challenges:
Anonymity is when nobody knows who you are but potentially, they
know what you are doing.
Attribution is the process of tracking, identifying and laying blame on
the perpetrator of a cyberattack or other hacking exploit.
c. Applicability of Existing Laws of Warfare to Cyberspace:
Applicability of laws means all applicable provisions of constitutions,
laws, statutes, ordinances, rules, treaties, regulations, permits, licenses,
approvals, interpretations and orders of courts or governmental
authorities, and all orders and decrees of courts and arbitrators; the
challenge is how these existing laws of warfare apply to cyberspace.
d. Spillover of Cyber-attacks: In cyber-conflict terminology, spillover means
cyber conflicts seeping and bleeding into the traditional arena of militarized
and foreign-policy conflict.
e. Intellectual Property Protection:
Intellectual Property Protection is protection for inventions, literary and
artistic works, symbols, names, and images created by the mind.
Ex: Patents, Trademarks, Trade Secrets, and Copyrights.
Computer Criminals or Cyber Criminals:
Cybercriminals are individuals or teams of people who use technology to
commit malicious activities on digital systems or networks with the intention of
stealing sensitive company information or personal data, and generating profit.
Types of Cyber Criminals:
1. Hackers: The term hacker may refer to anyone with technical skills;
however, it typically refers to an individual who uses his or her skills to gain
unauthorized access to systems or networks in order to commit crimes. The intent
of the break-in determines the classification of those attackers as white, grey, or
black hats. White hat attackers break into networks or computer systems to find
weaknesses so as to improve the security of those systems. The owners of the
system give permission to perform the break-in, and they receive the results of
the test. Black hat attackers, on the other hand, take advantage of
any vulnerability for illegal personal, monetary or political gain. Grey hat
attackers are somewhere between white and black hat attackers. Grey hat
attackers may find a vulnerability and report it to the owners of the system if
that action coincides with their agenda.
(a) White Hat Hackers – These hackers use their programming skills for
a good and lawful purpose. These hackers may perform network penetration tests
in an attempt to compromise networks to discover network vulnerabilities.
Security vulnerabilities are then reported to developers to fix them.
(b) Gray Hat Hackers – These hackers commit violations and do seemingly
unethical things, but not for personal gain or to cause harm. These
hackers may disclose a vulnerability to the affected organization after having
compromised its network.
(c) Black Hat Hackers – These hackers are unethical criminals who violate
network security for personal gain. They misuse vulnerabilities to compromise
computer systems.
2. Internet Stalkers: Internet stalkers are people who maliciously monitor the
web activity of their victims to acquire personal data. This type of cybercrime is
conducted through the use of social networking platforms and malware that is
able to track an individual's PC activity with little or no detection.
3. Disgruntled Employees: Disgruntled employees become hackers with a
particular motive and also commit cybercrimes. It is hard to believe that
dissatisfied employees can become such malicious hackers. In the past,
their only option was to go on strike against their employers. But with the
advancement of technology, the increase in computer-based work and the
automation of processes, it is simple for disgruntled employees to do more
damage to their employers and organization by committing cybercrimes. The
attacks by such employees can bring the entire system down.
4. Phishing Scammers: Phishers are cyber criminals who attempt to get ahold
of personal or sensitive information through victims’ computers. This is often
done via phishing websites that are designed to copycat small-business,
corporate or government websites. Unsuspecting computer users often fall prey
to such activities by unknowingly providing personal information including
home addresses, social security numbers, and even bank passwords. Once such
information is obtained, phishers either use the information themselves for
identity fraud scams or sell it on the dark web. It's important for businesses to
constantly be aware of phishing scams, particularly scams that may be trying to
copycat their own business site. Such sites can tarnish the company's reputation
and brand, which could potentially lead to a decrease in earnings.
CIA Triad:
Confidentiality, Integrity and Availability, also known as the CIA triad, is a
model designed to guide policies for information security within an
organization.
The model is also sometimes referred to as the AIC triad (Availability, Integrity
and Confidentiality) to avoid confusion with the Central Intelligence Agency.
The CIA Triad is actually a security model that has been developed to help
people think about various parts of IT security.
Confidentiality:
It's crucial in today's world for people to protect their sensitive, private
information from unauthorized access.
Protecting confidentiality is dependent on being able to define and enforce
certain access levels for information.
In some cases, doing this involves separating information into various
collections that are organized by who needs access to the information and how
sensitive that information actually is - i.e., the amount of damage suffered if the
confidentiality was breached.
Some of the most common means used to manage confidentiality include access
control lists, volume and file encryption, and Unix file permissions.
Integrity:
Data integrity is what the "I" in the CIA Triad stands for. This essential
component of the CIA Triad is designed to protect data from deletion or
modification by any unauthorized party, and it ensures that when an
authorized person makes a change that should not have been made, the damage
can be reversed.
Availability:
This is the final component of the CIA Triad and refers to the actual availability
of your data. Authentication mechanisms, access channels and systems all have
to work properly for the information they protect, ensuring it is available when
it is needed.
High availability systems are the computing resources that have architectures
that are specifically designed to improve availability.
Based on the specific HA system design, this may target hardware failures,
upgrades or power outages to help improve availability, or it may manage
several network connections to route around various network outages.
Understanding the CIA triad:
Chances are you have noticed a trend here - the CIA Triad is all about
information. While this is considered the core factor of the majority of IT
security, it promotes a limited view of security that ignores other important
factors.
For example, even though availability may serve to make sure you don't lose
access to resources needed to provide information when it is needed, thinking
about information security in itself doesn't guarantee that someone else hasn't
used your hardware resources without authorization.
It's important to understand what the CIA Triad is, how it is used to plan and
also to implement a quality security policy while understanding the various
principles behind it.
It's also important to understand the limitations it presents. When you are
informed, you can utilize the CIA Triad for what it has to offer and avoid the
consequences of not understanding it.
Assets and Threat:
Asset:
An asset is any data, device or other component of an organization’s systems
that is valuable – often because it contains sensitive data or can be used to
access such information.
For example, an employee’s desktop computer, laptop or company phone would
be considered an asset, as would applications on those devices. Likewise,
critical infrastructure, such as servers and support systems, are assets.
An organization’s most common assets are information assets. These are things
such as databases and physical files – i.e., the sensitive data that you store.
Threat:
A threat is any incident that could negatively affect an asset – for example, if
it’s lost, knocked offline or accessed by an unauthorized party.
Threats can be categorized as circumstances that compromise the
confidentiality, integrity or availability of an asset, and can either be intentional
or accidental.
Intentional threats include things such as criminal hacking or a malicious insider
stealing information, whereas accidental threats generally involve employee
error, a technical malfunction or an event that causes physical damage, such as a
fire or natural disaster.
Motive of Attackers:
Every hacker has a different motive for committing cybercrime. These are some of
the known reasons behind cybercrime.
1. Financial Gain:
Most hackers' primary motivation is financial gain. They use a
variety of methods to commit the crime.
Hackers use phishing attacks to collect credit card or debit card details, banking
account login details, etc. Once they gain credentials, they log in to your
account and transfer the money to their own account. They also use attacks like
ransomware against an entire organization for money.
Some hackers use fake social media profiles to trap people and may
collect money from them.
2. Insider Threats:
The threat is caused directly or indirectly by a person who works in an
organization with access to critical information. He may sell details to other
organizations for personal gain or to damage the company's reputation in
public.
Sometimes the threat occurs due to his negligence, such as using exposed
passwords or easily guessable passwords for accounts. The attackers identify
these details and collect the required information.
3. Recognition & Popularity:
In general, every human has a competitive nature. He feels happy when everyone
recognizes him. Hackers also do this activity for recognition.
Example: A hacker hacks his girlfriend's account to gain recognition from his friends.
4. State-Sponsored Hackers:
These hackers are either white hat or black hat hackers who steal information
from foreign governments. Their targets are terrorists, foreign governments, and
corporations. They may work for their governments.
The government provides funds to these hackers. These hackers regard
themselves as legitimate because they work for their government.
5. Hacktivists:
Hacktivists are hackers who protest the political and social ideas of
organizations and governments by posting articles, videos, leaking sensitive
information, and more.
Sometimes they carry out DDoS attacks to stop their targets' website services. These
types of hackers come under the category of Gray Hat Hackers.
Example: The most famous hacking group is Anonymous. It fights for people
against governments and organizations. It works secretly.
The Anonymous hacking group hacks government sites and leaks sensitive
information, and this group has a lot of fans.
During the recent war in Ukraine, hackers carried out DDoS attacks on Russian
government websites, and most of those sites went down as a result.
Examples: Cult of the Dead Cow, Anonymous, WikiLeaks, etc.
6. Crackers:
Crackers are hackers who modify the programming in applications to use those
applications for free.
Some crackers distribute cracked tools on websites like getintopc.com to earn
money from ads, and some of them insert malicious code into these cracks to
collect users' information, such as credit card details.
7. Pornography:
Some hackers hack users' phones and computers to produce pornography,
collecting their personal information, blackmailing them and uploading their
videos to porn sites, etc.
Some people have even trafficked women by collecting their personal
information and blackmailing them.
8. Drugs:
Some persons use their technical skills for illegal activities like selling drugs,
etc.
Most such crimes are committed using the darknet. Darknet sites cannot be
opened with normal browsers; they require separate browsers such as Tor.
Active Attacks:
An active attack is a network exploit in which a hacker attempts to make
changes to data on the target or data en route to the target.
There are several different types of active attacks. However, in all cases, the
threat actor takes some sort of action on the data in the system or the devices the
data resides on. Attackers may attempt to insert data into the system or change
or control data that is already in the system.
Types of active attacks:
Masquerade attack:
In a masquerade attack, the intruder pretends to be a particular user of a system
to gain access or to gain greater privileges than they are authorized for.
Masquerade attacks are conducted in several different ways, including the
following:
using stolen login identifications (IDs) and passwords;
finding security gaps in programs; and
bypassing the authentication process.
An attempt may come from an employee inside an organization or from an
outside threat actor using a connection to the public network. Weak
authentication can provide a point of entry for a masquerade attack and make it
easy for an attacker to gain entry. If attackers successfully receive authorization
and enter the network, depending on their privilege level, they may be able to
modify or delete the organization's data. Or they may make changes to network
configuration and routing information.
For example, an outside attacker can use spoofed Internet Protocol (IP)
addresses to bypass the victim's firewall and gain access from an unauthorized
source. To do this, the attacker may use a network sniffer to capture IP packets
from the target machine. Another device is used to send a message to the
firewall with the forged IP address. The firewall then permits access to the
victim's machine.
Session hijacking attack:
A session hijacking attack is also called a session replay attack. In it, the
attacker takes advantage of a vulnerability in a network or computer system and
replays the session information of a previously authorized system or user. The
attacker steals an authorized user's session ID to get that user's login
information. The attacker can then use that information to impersonate the
authorized user.
A session hijacking attack commonly occurs over web applications and
software that use cookies for authentication. With the use of the session ID, the
attacker can access any site and any data that is available to the system or the
user being impersonated.
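The session hijacking passage above turns on one thing: whoever holds the session ID is treated as the user. The added example below (not code from the handbook) is a minimal server-side session table in Python showing the usual defences: unguessable IDs, cookie attributes that keep the ID off the wire in clear text and away from page scripts, rotation after login, idle expiry, and revocation when an ID is replayed from a different client context. The user-agent binding and the 30-minute idle limit are assumptions for the example, not a standard.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # seconds of inactivity before a session expires (assumed policy)


class SessionManager:
    """Server-side session table; the cookie carries only an opaque, unguessable ID."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry logic can be tested deterministically
        self._sessions = {}      # session_id -> {"user", "ua", "expires"}

    def create(self, user, user_agent):
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not sequential
        self._sessions[sid] = {"user": user, "ua": user_agent,
                               "expires": self._clock() + SESSION_TTL}
        return sid

    @staticmethod
    def cookie_header(sid):
        # HttpOnly: page scripts cannot read it; Secure: never sent over plain HTTP;
        # SameSite=Strict: the browser does not attach it to cross-site requests.
        return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"

    def resolve(self, sid, user_agent):
        """Return the user for a live session, or None if unknown, expired or out of context."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() > s["expires"] or s["ua"] != user_agent:
            # Conservative policy (assumption): an ID presented after expiry or from a
            # different client context is revoked outright rather than just refused.
            self._sessions.pop(sid, None)
            return None
        s["expires"] = self._clock() + SESSION_TTL  # sliding expiry on activity
        return s["user"]

    def rotate(self, sid, user_agent):
        """Issue a fresh ID (e.g. right after login) so a pre-login ID is worthless afterwards."""
        user = self.resolve(sid, user_agent)
        if user is None:
            return None
        self._sessions.pop(sid, None)
        return self.create(user, user_agent)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo():
    """Walk through the lifecycle with a fake clock; returns what each step resolved to."""
    now = [1_700_000_000.0]
    mgr = SessionManager(clock=lambda: now[0])
    ua = "Mozilla/5.0 (constructed)"
    sid = mgr.create("alice", ua)
    out = {"valid": mgr.resolve(sid, ua)}
    new_sid = mgr.rotate(sid, ua)
    out["old_after_rotate"] = mgr.resolve(sid, ua)            # None: old ID no longer works
    out["replay_other_context"] = mgr.resolve(new_sid, "curl/8.0 (constructed)")  # None
    out["revoked_after_replay"] = mgr.resolve(new_sid, ua)    # None: replay revoked it
    sid3 = mgr.create("alice", ua)
    now[0] += SESSION_TTL + 1
    out["expired"] = mgr.resolve(sid3, ua)                    # None: idle too long
    return out
```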
Message modification attack:
In a message modification attack, an intruder alters packet header addresses to
direct a message to a different destination or to modify the data on a target
machine. Message modification attacks are commonly email-based attacks. The
attacker takes advantage of security weaknesses in email protocols to inject
malicious content into the email message. The attacker may insert malicious
content into the message body or header fields.
DoS attack:
In a denial-of-service (DoS) attack, the attackers overwhelm the victim's
system, network or website with network traffic, making it difficult for
legitimate users to access those resources. Two ways a DoS attack can occur
include:
Flooding: The attacker floods the target computer with internet traffic to
the point that the traffic overwhelms the target system. The target system
is unable to respond to any requests or process any data, making it
unavailable to legitimate users.
Malformed data: Rather than overloading a system with requests, an
attacker may strategically send data that a victim's system cannot handle.
For example, a DoS attack could corrupt system memory, manipulate
fields in the network protocol packets or exploit servers.
DDoS attack:
In a Distributed Denial of Service (DDoS) exploit, large numbers of
compromised systems -- also referred to as a botnet or zombie army -- attack a
single target with a DoS attack.
A DDoS uses multiple devices and locations to launch requests and overwhelm
a victim's system in the same way a DoS attack does.
Passive Attacks:
Active attacks contrast with passive attacks, in which an unauthorized party
monitors networks and sometimes scans for open ports and vulnerabilities.
Passive attackers aim to collect information about the target; they don't steal or
change data. However, passive attacks are often part of the steps an attacker
takes in preparation for an active attack.
Types of passive attacks:
War driving:
This is a wireless network reconnaissance method that involves driving or
walking around with a laptop computer and portable Wi-Fi-enabled wireless
Ethernet card to find unsecured wireless networks. Once found, these attackers
use these networks to illegally access computers and steal confidential
information.
Dumpster diving:
This passive attack involves intruders searching for information on discarded
devices or for notes containing passwords in trash bins. For example, the
attacker can retrieve information from hard drives or other storage media that
have not been properly erased.
Software Attacks:
A software attack or cyber-attack is any attempt to gain unauthorized access to a
computer, computing system or computer network with the intent to cause
damage. Cyber-attacks aim to disable, disrupt, destroy or control computer
systems or to alter, block, delete, manipulate or steal the data held within these
systems.
Types of Software attacks or Cyber-attacks:
1. Malware attack
2. SQL injection attack
3. Phishing attack
4. Man-in-the-middle attack
5. Denial-of-service attack
6. Zero-day exploit
7. DNS Tunneling
8. Password attack
Note: The first five attacks are already discussed in the "methods of cyber security" topic.
Zero-day exploit
A zero-day (0day) exploit is a cyber-attack targeting a software vulnerability
which is unknown to the software vendor or to antivirus vendors. The attacker
spots the software vulnerability before any parties interested in mitigating it,
quickly creates an exploit, and uses it for an attack. Such attacks are highly
likely to succeed because defenses are not in place. This makes zero-day attacks
a severe security threat.
DNS Tunneling
DNS Tunneling is a method of cyber-attack that encodes the data of other
programs or protocols in DNS queries and responses. DNS tunneling often
includes data payloads that can be added to an attacked DNS server and used to
control a remote server and applications.
Typically, DNS tunneling requires the compromised system to have external
network connectivity, as DNS tunneling requires access to an internal DNS
server with network access. Hackers must also control a domain and a server
that can act as an authoritative server in order to execute the server-side
tunneling and data payload executable programs.
Note: DNS
Domain name system, or DNS, is the protocol that translates human-
friendly domain names, such as paloaltonetworks.com, into machine-friendly IP
addresses, such as 199.167.52.137.
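Because DNS tunneling hides data inside query names, it shows up in resolver logs as long, random-looking subdomains under one registered domain, often with record types that carry bulky answers. The added example below (not from the handbook) scores per-domain statistics over a constructed resolver log in Python and flags domains whose subdomain labels have high entropy and length. The log format, thresholds and the two-label "registered domain" split are assumptions for the example.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines for this example (not from any real network).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qtype=A qname=www.example.com
2024-05-01T10:00:02Z client=10.0.0.5 qtype=A qname=mail.example.com
2024-05-01T10:00:03Z client=10.0.0.7 qtype=TXT qname=3q7zk2mx9p.ab12cd34ef56gh78.tunnel-demo.net
2024-05-01T10:00:04Z client=10.0.0.7 qtype=TXT qname=zz91ab7fq0.cd34ef56gh78ij90.tunnel-demo.net
2024-05-01T10:00:05Z client=10.0.0.7 qtype=TXT qname=k8j2p0qw5e.ef56gh78ij90kl12.tunnel-demo.net
2024-05-01T10:00:06Z client=10.0.0.7 qtype=TXT qname=m1n3b5v7c9.gh78ij90kl12mn34.tunnel-demo.net
2024-05-01T10:00:07Z client=10.0.0.7 qtype=TXT qname=x0c2v4b6n8.ij90kl12mn34op56.tunnel-demo.net
2024-05-01T10:00:08Z client=10.0.0.5 qtype=A qname=cdn.example.com
2024-05-01T10:00:09Z client=10.0.0.9 qtype=AAAA qname=api.example.org
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)")

# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_QUERIES = 3          # ignore domains with too few queries to judge
ENTROPY_THRESHOLD = 3.0  # bits per character of the subdomain part
LENGTH_THRESHOLD = 20    # average subdomain length in characters
BULKY_TYPES = {"TXT", "NULL", "CNAME", "MX"}  # record types that can carry large answers


def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive split: last two labels. Assumption: no public-suffix handling (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, labels joined without dots."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2])


def analyze(log_text):
    """Per-domain statistics over the log lines."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "bulky": 0,
                                 "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname, qtype = m.group("qname"), m.group("qtype").upper()
        d = stats[registered_domain(qname)]
        sub = subdomain_part(qname)
        d["queries"] += 1
        d["subdomains"].add(sub)
        d["bulky"] += qtype in BULKY_TYPES
        d["len_sum"] += len(sub)
        d["ent_sum"] += shannon_entropy(sub)
    report = {}
    for domain, d in stats.items():
        q = d["queries"]
        report[domain] = {
            "queries": q,
            "unique_ratio": len(d["subdomains"]) / q,   # tunnels rarely repeat a name
            "bulky_ratio": d["bulky"] / q,
            "avg_len": d["len_sum"] / q,
            "avg_entropy": d["ent_sum"] / q,
        }
    return report


def suspicious_domains(log_text):
    """Domains whose query pattern looks like encoded data riding on DNS."""
    flagged = []
    for domain, r in analyze(log_text).items():
        if r["queries"] < MIN_QUERIES:
            continue
        if r["avg_entropy"] >= ENTROPY_THRESHOLD and r["avg_len"] >= LENGTH_THRESHOLD:
            flagged.append(domain)
    return sorted(flagged)
```

Content delivery networks and some security products also generate long hashed labels, so in practice the flagged list is a triage queue against a known-good allowlist, not a verdict.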
Password attack
Password attacks involve exploiting a broken authorization vulnerability in the
system combined with automatic password attack tools that speed up the
guessing and cracking of passwords.
The attacker uses various techniques to access and expose the credentials of a
legitimate user, assuming their identity and privileges. The username-password
combination is one of the oldest known account authentication techniques, so
adversaries have had time to craft multiple methods of obtaining guessable
passwords.
Additionally, applications that use passwords as the sole authentication factor
are vulnerable to password attacks since the vulnerabilities are well understood.
Brute-force attacks, dictionary attacks, and keylogging are examples of
password attacks.
Note:
Keystroke logging, often referred to as keylogging or keyboard capturing, is the
action of recording the keys struck on a keyboard, typically covertly, so that a
person using the keyboard is unaware that their actions are being monitored.
Data can then be retrieved by the person operating the logging program.
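The password attack section above notes that applications relying on passwords alone are exposed to brute-force and dictionary guessing with automated tools. The added Python example below (not from the handbook) shows two server-side controls that raise the cost of each guess: a salted, deliberately slow PBKDF2 hash, and a per-account failure counter that locks the account for a window. The iteration count, failure limit and window length are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Tunables (assumptions for this example; set them from your own threat model).
PBKDF2_ITERATIONS = 200_000   # slow hash: every guess costs the attacker this much work
MAX_FAILURES = 5              # failures allowed inside LOCKOUT_WINDOW before lockout
LOCKOUT_WINDOW = 15 * 60      # seconds


class PasswordStore:
    """Stores salted PBKDF2 hashes and enforces a per-account failure lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._records = {}           # username -> (salt, digest)
        self._failures = {}          # username -> list of failure timestamps

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)        # per-user salt defeats precomputed dictionary tables
        self._records[username] = (salt, self._derive(password, salt))

    def is_locked(self, username):
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_WINDOW]
        self._failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def verify(self, username, password):
        """True only for a correct password on an account that is not locked out."""
        if self.is_locked(username):
            return False             # throttles online brute-force and dictionary guessing
        record = self._records.get(username)
        if record is None:
            # Hash a dummy anyway so an unknown user takes as long as a wrong password.
            self._derive(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(digest, self._derive(password, salt))
        if ok:
            self._failures.pop(username, None)
        else:
            self._failures.setdefault(username, []).append(self._clock())
        return ok


def demo():
    """Correct login, then a burst of dictionary guesses, then the lockout expiring."""
    now = [1_700_000_000.0]
    store = PasswordStore(clock=lambda: now[0])
    store.register("alice", "correct horse battery staple")
    out = {"good": store.verify("alice", "correct horse battery staple")}
    for guess in ["123456", "password", "alice", "qwerty", "letmein"]:  # constructed wordlist
        store.verify("alice", guess)
    out["locked"] = store.is_locked("alice")
    out["good_while_locked"] = store.verify("alice", "correct horse battery staple")
    now[0] += LOCKOUT_WINDOW + 1
    out["good_after_window"] = store.verify("alice", "correct horse battery staple")
    return out
```

Lockouts alone can be turned into a denial of service against legitimate users, so in practice they are combined with per-source rate limiting and a second authentication factor.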
Hardware Attacks:
Hardware attacks are not as well-known as software attacks, but they are just as
dangerous. They involve directly exploiting interaction with a system's
electronic components. These sneak attacks are particularly effective against
connected objects.
Types of Hardware Attacks:
VMX - Virtual Machine Extensions
Virtualization is offered at two levels:
(a.) higher performance and more cost-effective, e.g. Intel
(b.) greater isolation and higher cost, e.g. IBM
Most of us will use 'a.' rather than 'b.' without knowing the underlying threats
that come with the reduced isolation.
Bluepill
A rootkit designed for x86 virtualization. It creates a thin hypervisor/VMM and
runs the rest of the machine as a virtual machine under it. It is almost
undetectable, although there was controversy over this claim. Hardware-assisted
virtualization can thus help malicious software, so the hardware architecture is
the key factor here.
Extreme Privilege Escalation
This was demonstrated on modern Windows 8 by exploiting the platform
firmware (UEFI) through a new API introduced in Windows 8. It escalates
privilege from ring 3 to ring 0, the most privileged level, which communicates
almost directly with the hardware resources.
Stepping p3wns
This attack used a firmware update for a resource (a printer, in this case) that
bypasses the antivirus on the computer because it is not Windows malware.
However, when the job is received on the printer side, the firmware is updated to
the malicious one. This exploitation enables infecting IP phones and similar
devices, which can be a huge concern in 'BYOD' times.
Shadow Walker (TLB Splitting)
Misuses x86 hardware to hide malware from the OS and anti-virus. In fact, even
code modifications could not be detected by anti-virus. The flaw exploited is
the difference between reading memory and executing it.
Cyber Threats:
a. Cyber Warfare
b. Cyber Crime
c. Cyber Terrorism
d. Cyber Espionage
Cyber Warfare
Cyber Warfare is typically defined as a set of actions by a nation or organization
to attack countries or institutions' computer network systems with the intention
of disrupting, damaging, or destroying infrastructure by computer viruses or
denial-of-service attacks.
Cyber warfare can take many forms, but all of them involve either the
destabilization or destruction of critical systems. The objective is to weaken the
target country by compromising its core systems.
This means cyber warfare may take several different shapes:
Attacks on financial infrastructure
Attacks on public infrastructure like dams or electrical systems
Attacks on safety infrastructure like traffic signals or early warning
systems
Attacks against military resources or organizations
Cyber Crime
Cybercrime, or computer-oriented crime, is a crime that involves a computer
and a network. The computer may have been used in the execution of the crime or
it may be the target.
Cybercrime is the use of a computer as a weapon for committing crimes such as
fraud, identity theft, or breaching privacy.
Cybercrime, especially through the Internet, has grown in importance as the
computer has become central to every field like commerce, entertainment, and
government.
Cybercrime may endanger a person or a nation’s security and financial health.
Cybercrime encompasses a wide range of activities, but these can generally be
divided into two categories:
Crimes that target computer networks or devices. These types of crimes
involve threats such as viruses and bugs, and denial-of-service (DoS)
attacks.
Crimes that use computer networks to commit other criminal activities.
These types of crimes include cyber stalking, financial fraud or identity
theft.
Cyber Terrorism
Cyberterrorism is the convergence of cyberspace and terrorism. It refers to
unlawful attacks and threats of attacks against computers, networks and the
information stored therein when done to intimidate or coerce a government or
its people in furtherance of political or social objectives.
Further, to qualify as cyberterrorism, an attack should result in violence against
persons or property, or at least cause enough harm to generate fear.
Attacks that lead to death or bodily injury, explosions, or severe economic loss
would be examples.
Serious attacks against critical infrastructures could be acts of cyberterrorism,
depending on their impact. Attacks that disrupt nonessential services or that are
mainly a costly nuisance would not.
One way of understanding cyberterrorism involves the idea that terrorists could
cause massive loss of life, worldwide economic chaos and environmental
damage by hacking into critical infrastructure systems. The nature of
cyberterrorism covers conduct involving computer or Internet technology that:
is motivated by a political, religious or ideological cause
is intended to intimidate a government or a section of the public to
varying degrees
seriously interferes with infrastructure
Cyber Espionage
Cyber espionage, or cyber spying, is a type of cyberattack in which an
unauthorized user attempts to access sensitive or classified data or intellectual
property (IP) for economic gain, competitive advantage or political reasons.
Cyber espionage is primarily used as a means to gather sensitive or classified
data, trade secrets or other forms of IP that can be used by the aggressor to
create a competitive advantage or sold for financial gain. In some cases, the
breach is simply intended to cause reputational harm to the victim by exposing
private information or questionable business practices.
Cyber espionage attacks can be motivated by monetary gain; they may also be
deployed in conjunction with military operations or as an act of cyber terrorism
or cyber warfare. The impact of cyber espionage, particularly when it is part of
a broader military or political campaign, can lead to disruption of public
services and infrastructure, as well as loss of life.
The most common targets of cyber espionage include large corporations,
government agencies, academic institutions, think tanks or other organizations
that possess valuable IP and technical data that can create a competitive
advantage for another organization or government. Targeted campaigns can also
be waged against individuals, such as prominent political leaders and
government officials, business executives and even celebrities.
Cyber spies most commonly attempt to access the following assets:
Research & Development data and activity
Academic research data
IP, such as product formulas or blueprints
Salaries, bonus structures and other sensitive information regarding
organizational finances and expenditures
Client or customer lists and payment structures
Business goals, strategic plans and marketing tactics
Political strategies, affiliations and communications
Military intelligence
Comprehensive Cyber Security Policy:
Security policies are a formal set of rules issued by an organization to
ensure that the users who are authorized to access company technology and
information assets comply with rules and guidelines related to the security of
information. It is a written document in the organization that lays down how
to protect the organization from threats and how to handle them when they
occur. A security policy is also considered a "living document", which means
that the document is never finished but is continuously updated as the
requirements of the technology and the employees change.
Need for Security Policies
1) It increases efficiency.
The best thing about having a policy is being able to increase the level of
consistency, which saves time, money and resources. The policy should inform
the employees about their individual duties, telling them what they can and
cannot do with the organization's sensitive information.
2) It upholds discipline and accountability.
When a human mistake occurs and system security is compromised, the security
policy of the organization will back up any disciplinary action and also
support a case in a court of law. The organization's policies act as a
contract which proves that the organization has taken steps to protect its
intellectual property, as well as its customers and clients.
3) It can make or break a business deal.
It is not necessary for companies to provide a copy of their information security
policy to other vendors during a business deal that involves the transfer of
their sensitive information. This is true in the case of bigger businesses, which
ensure their own security interests are protected when dealing with smaller
businesses that have less high-end security systems in place.
4) It helps to educate employees on security literacy.
A well-written security policy can also be seen as an educational document
which informs the readers of the importance of their responsibility in
protecting the organization's sensitive data. It ranges from choosing the right
passwords to providing guidelines for file transfers and data storage, which
increases employees' overall awareness of security and how it can be
strengthened.
We use security policies to manage our network security. Most types of security
policies are created automatically during installation. We can also customize
policies to suit our specific environment. Some important cybersecurity policy
recommendations are described below:
1. Virus and Spyware Protection policy
This policy provides the following protection:
It helps to detect, remove, and repair the side effects of viruses and
security risks by using signatures.
It helps to detect threats in the files that users try to download by using
reputation data from Download Insight.
It helps to detect applications that exhibit suspicious behavior by using
SONAR heuristics and reputation data.
2. Firewall Policy
This policy provides the following protection:
It blocks unauthorized users from accessing the systems and networks that
connect to the Internet.
It detects attacks by cybercriminals.
It removes unwanted sources of network traffic.
3. Intrusion Prevention policy
This policy automatically detects and blocks network attacks and browser
attacks. It also protects applications from vulnerabilities. It checks the
contents of one or more data packets and detects malware that arrives through
otherwise legitimate channels.
4. LiveUpdate policy
This policy can be categorized into two types: the LiveUpdate Content policy
and the LiveUpdate Settings policy. The LiveUpdate policy contains the settings
that determine when and how client computers download content updates from
LiveUpdate. We can define the computer that clients contact to check for
updates and schedule when and how often client computers check for updates.
5. Application and Device Control policy
This policy protects a system's resources from applications and manages the
peripheral devices that can attach to a system. The device control policy applies
to both Windows and Mac computers whereas application control policy can be
applied only to Windows clients.
6. Exceptions policy
This policy provides the ability to exclude applications and processes from
detection by the virus and spyware scans.
7. Host Integrity policy
This policy provides the ability to define, enforce, and restore the security of
client computers to keep enterprise networks and data secure. We use this
policy to ensure that the client computers which access our network are
protected and compliant with the company's security policies. This policy
requires that the client system has antivirus installed.
UNIT-II
Cyberspace and the Law & Cyber Forensics
Cyberspace:
Cyberspace refers to the virtual computer world, and more specifically, an
electronic medium that is used to facilitate online communication. Cyberspace
typically involves a large computer network made up of many worldwide
computer subnetworks that employ the TCP/IP protocol suite to aid in
communication and data exchange activities.
Cyberspace's core feature is an interactive and virtual environment for a broad
range of participants.
In the common IT lexicon, any system that has a significant user base or even a
well-designed interface can be thought to be “cyberspace.”
Cyber Security Regulations:
There are four predominant cyber laws to cover when it comes to cybersecurity
regulations:
In countries like India, where the internet is used very extensively, cyber laws in
India become extremely crucial. Stringent cyber laws fulfil the purpose of
supervising the digital circulation of information, software, information
security, e-commerce, and monetary transactions.
By providing maximum connectivity and minimizing cybersecurity concerns,
India's Cybersecurity Law has cleared the path for electronic commerce and
electronic government in the country and also broadened the scope and
application of digital media.
1. Information Technology Act, 2000
The Indian cyber law is governed by the Information Technology Act, penned
down back in 2000. The principal impetus of this Act is to offer reliable legal
inclusiveness to eCommerce, facilitating registration of real-time records with
the Government.
But with the cyber attackers getting sneakier, topped by the human tendency to
misuse technology, a series of amendments followed.
The ITA, enacted by the Parliament of India, highlights the grievous
punishments and penalties safeguarding the e-governance, e-banking, and
e-commerce sectors. Now, the scope of ITA has been enhanced to encompass
all the latest communication devices.
The IT Act is the salient one, guiding the entire Indian legislation to govern
cybercrimes rigorously:
Section 43 - Applicable to people who damage the computer systems
without permission from the owner. The owner can fully claim
compensation for the entire damage in such cases.
Section 66 - Applicable in case a person is found to dishonestly or
fraudulently commit any act referred to in section 43. The imprisonment
term in such instances can mount up to three years or a fine of up to Rs.5
lakhs.
Section 66B - Incorporates the punishments for fraudulently receiving
stolen communication devices or computers, which confirms a probable
three years imprisonment. This term can also be topped by a Rs. 1 lakh
fine, depending upon the severity.
Section 66C - This section scrutinizes the identity thefts related to
imposter digital signatures, hacking passwords, or other distinctive
identification features. If proven guilty, imprisonment of three years
might also be backed by a Rs.1 lakh fine.
Section 66D - This section was inserted on-demand, focusing on
punishing cheaters doing impersonation using computer resources.
2. Indian Penal Code (IPC), 1860
Identity thefts and associated cyber frauds are embodied in the Indian Penal
Code (IPC), 1860, invoked along with the Information Technology Act of
2000.
The primary relevant section of the IPC covers cyber frauds:
Forgery (Section 464)
Forgery pre-planned for cheating (Section 468)
False documentation (Section 465)
Presenting a forged document as genuine (Section 471)
Reputation damage (Section 469)
3. Companies Act of 2013
The corporate stakeholders refer to the Companies Act of 2013 as the legal
obligation necessary for the refinement of daily operations. The directives of
this Act cement all the required techno-legal compliances, putting the less
compliant companies in a legal fix.
The Companies Act 2013 vested powers in the hands of the SFIO (Serious
Frauds Investigation Office) to prosecute Indian companies and their directors.
Also, post the notification of the Companies Inspection, Investment, and Inquiry
Rules, 2014, SFIOs have become even more proactive and stern in this regard.
The legislature ensured that all the regulatory compliances are well-covered,
including cyber forensics, e-discovery, and cybersecurity diligence. The
Companies (Management and Administration) Rules, 2014 prescribes strict
guidelines confirming the cybersecurity obligations and responsibilities of the
company directors and leaders.
4. NIST Compliance
The Cybersecurity Framework, authorized by the National Institute of Standards
and Technology (NIST), offers a harmonized approach to cybersecurity as the
most reliable global certifying body.
The NIST Cybersecurity Framework encompasses all required guidelines,
standards, and best practices to manage cyber-related risks responsibly. The
framework prioritizes flexibility and cost-effectiveness. It promotes the
resilience and protection of critical infrastructure by:
Allowing better interpretation, management, and reduction of cybersecurity
risks, to mitigate data loss, data misuse, and the subsequent restoration
costs
Determining the most important activities and critical operations, to
focus on securing them
Demonstrating the trustworthiness of organizations that secure critical
assets
Helping to prioritize investments to maximize the cybersecurity ROI
Addressing regulatory and contractual obligations
Supporting the wider information security program
By combining the NIST CSF with ISO/IEC 27001, cyber security risk management
becomes simpler. It also makes communication easier throughout the
organization and across supply chains via the common cybersecurity directives
laid down by NIST.
International Law:
International law is a system of treaties and agreements between nations that
governs how nations interact with other nations, citizens of other nations, and
businesses of other nations. In terms of types of international law, it can be
divided into two significant categories: private and public international law.
In other words, international law is a set of rules governing the mutual
relations between countries. Nations accept those rules as legally binding and,
as such, they are applicable to all countries regardless of state borders. There
are some major substantive fields of international law, such as the following:
International economic law: the body of law concerned with the rights and
obligations of sovereign states in international economic relations.
International security law: a set of rules that aims to ensure effective
operational cooperation between states in maintaining international
security, justice, and peace on a global basis.
International criminal law: the area of law that deals with the prosecution
and punishment of individuals responsible for grave violations of human
rights, relating specifically to the commission of war crimes, genocide,
crimes against humanity, and the crime of aggression.
International environmental law: the field of international law
regulating the behavior of states and international organizations relating
to the environment.
Diplomatic law: the area of international law concerning diplomatic
privileges and immunities, permanent or temporary diplomatic missions,
and the rights and obligations of the state representatives while operating
on the territory of other states.
International humanitarian law, A.K.A. law of war: set of rules that
seek to regulate armed conflicts between states, as well as between states
and individuals or informal groups.
International human rights law: the body of international law aimed to
promote and ensure the protection and respect of human rights that are
inherent to every human being.
Roles of International Law:
International Law is a set of rules which are necessary in order to regulate
the behavior of nation-States towards each other so as to ensure peace and
welfare of the international community.
International Law helps in resolving disputes amongst States.
International Law may influence internal laws too and may become a part
of domestic law.
International Law is majorly concerned with the relation among States.
In the case of International Law, the law is not above the individuals but
between the sovereign States and the States themselves create the law.
In International Law, the States often disobey the laws or create laws as
per their interests.
Article 38 of the Statute of the ICJ is considered as the most authoritative
statement of the sources of law for the Public International Law. It states
the sources of law such as customs, conventions, treaties, general
principles of law recognized by civilized nations and judicial decisions
and teachings of highly qualified publicists.
It is not necessary for International Law to be codified into an agreement.
There have been a lot of developments in modern International Law, and the
International Court of Justice is considered the principal body responsible
for upholding the tenets of International Law.
The INDIAN Cyberspace:
Indian cyberspace was born in 1975 with the establishment of National
Informatics Centre (NIC) with an aim to provide govt with IT solutions. Three
networks (NWs) were set up between 1986 and 1988 to connect various
agencies of govt.
These NWs were, INDONET which connected the IBM mainframe installations
that made up India’s computer infrastructure, NICNET (the NIC NW) a
nationwide very small aperture terminal (VSAT) NW for public sector
organizations as well as to connect the central govt with the state govts and
district administrations, the third NW setup was ERNET (the Education and
Research Network), to serve the academic and research communities.
The New Internet Policy of 1998 paved the way for services from multiple
Internet service providers (ISPs) and boosted the Internet user base, which
grew from 1.4 million in 1999 to over 150 million by Dec 2012.
The exponential growth rate is attributed to increasing Internet access through
mobile phones and tablets. The Govt is making a determined push to increase
broadband penetration from its present level of about 6%.
National Cyber Security Policy:
National Cyber Security Policy is a policy framework by Department of
Electronics and Information Technology (DeitY). It aims at protecting the
public and private infrastructure from cyber-attacks. The policy also intends to
safeguard "information, such as personal information (of web users), financial
and banking information and sovereign data". This was particularly relevant in
the wake of US National Security Agency (NSA) leaks that suggested the US
government agencies are spying on Indian users, who have no legal or technical
safeguards against it. Ministry of Communications and Information Technology
(India) defines Cyberspace as a complex environment consisting of interactions
between people, software services supported by worldwide distribution of
information and communication technology.
Reason for Cyber Security policies:
India had no cyber security policy before 2013. In 2013, The Hindu newspaper,
citing documents leaked by NSA whistle-blower Edward Snowden, alleged that
much of the NSA surveillance was focused on India's domestic politics and its
strategic and commercial interests.[5] This sparked a furor among people.
Under pressure, the government unveiled the National Cyber Security Policy
2013 on 2 July 2013.
Vision:
To build a secure and resilient cyberspace for citizens, business, and
government and also to protect anyone from intervening in user's privacy.
Mission:
To protect information and information infrastructure in cyberspace, build
capabilities to prevent and respond to cyber threat, reduce vulnerabilities and
minimize damage from cyber incidents through a combination of institutional
structures, people, processes, technology, and cooperation.
Objectives:
To create a secure cyber ecosystem in the country, generate adequate trust
and confidence in IT system and transactions in cyberspace and thereby
enhance adoption of IT in all sectors of the economy.
To create an assurance framework for the design of security policies and
promotion and enabling actions for compliance to global security
standards and best practices by way of conformity assessment (Product,
process, technology & people).
To strengthen the Regulatory Framework for ensuring a SECURE
CYBERSPACE ECOSYSTEM.
To enhance and create National and Sectoral level 24x7 mechanism for
obtaining strategic information regarding threats to ICT infrastructure,
creating scenarios for response, resolution and crisis management through
effective predictive, preventive, protective response and recovery actions.
To improve visibility of integrity of ICT products and services by
establishing infrastructure for testing & validation of security of such
product.
To create workforce for 5,00,000 professionals skilled in next 5 years
through capacity building skill development and training.
To provide fiscal benefit to businesses for adoption of standard security
practices and processes.
To enable Protection of information while in process, handling, storage &
transit so as to safeguard privacy of citizen's data and reducing economic
losses due to cybercrime or data theft.
To enable effective prevention, investigation and prosecution of
cybercrime and enhancement of law enforcement capabilities through
appropriate legislative intervention.
Strategies:
Creating a secured Ecosystem.
Creating an assurance framework.
Encouraging Open Standards.
Strengthening The regulatory Framework.
Creating a mechanism for Security Threats Early Warning, Vulnerability
management, and response to security threats.
Securing E-Governance services.
Protection and resilience of Critical Information Infrastructure.
Promotion of Research and Development in cyber security.
Reducing supply chain risks
Human Resource Development (fostering education and training programs in
both formal and informal sectors to support the nation's cyber security
needs and build capacity).
Creating cyber security awareness.
Developing effective Public-Private partnerships.
Developing bilateral and multilateral relationships in the area of cyber
security with other countries (information sharing and cooperation).
A Prioritized approach for implementation.
Cyber Forensics:
Cyber Forensics is a process of extracting data as proof for a crime (that
involves electronic devices) while following proper investigation rules to nab
the culprit by presenting the evidence to the court. Cyber forensics is also
known as computer forensics. The main aim of cyber forensics is to maintain
the thread of evidence and documentation to find out who did the crime
digitally. Cyber forensics can do the following:
It can recover deleted files, chat logs, emails, etc.
It can also get deleted SMS, Phone calls.
It can get recorded audio of phone conversations.
It can determine which user used which system and for how much time.
It can identify which user ran which program.
Computer Forensics:
Computer Forensics (also known as computer forensic science) is a branch of
digital forensic science pertaining to evidence found in computers and digital
storage media. The goal of computer forensics is to examine digital media in a
forensically sound manner with the aim of identifying, preserving, recovering,
analyzing and presenting facts and opinions about the digital information.
Although it is most often associated with the investigation of a wide variety of
computer crime, computer forensics may also be used in civil proceedings. The
discipline involves similar techniques and principles to data recovery, but with
additional guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the
same guidelines and practices of other digital evidence. It has been used in a
number of high-profile cases and is accepted as reliable within court systems.
Types of computer forensics:
There are multiple types of computer forensics depending on the field in which
digital investigation is needed. The fields are:
Network forensics: This involves monitoring and analyzing the network
traffic to and from the criminal’s network. The tools used here are
network intrusion detection systems and other automated tools.
Email forensics: In this type of forensics, the experts check the email of
the criminal and recover deleted email threads to extract out crucial
information related to the case.
Malware forensics: This branch of forensics deals with hacking-related
crimes. Here, the forensics expert examines the malware and trojans to
identify the hacker behind them.
Memory forensics: This branch of forensics deals with collecting data
from memory (like cache, RAM, etc.) in raw form and then retrieving
information from that data.
Mobile Phone forensics: This branch of forensics generally deals with
mobile phones. They examine and analyze data from the mobile phone.
Database forensics: This branch of forensics examines and analyzes the
data from databases and their related metadata.
Disk forensics: This branch of forensics extracts data from storage media
by searching modified, active, or deleted files.
Historical background of Cyber Forensics:
Here, are important landmarks from the history of Cyber Forensics:
Hans Gross (1847 -1915): First use of scientific study to head criminal
investigations
FBI (1932): Set up a lab to offer forensics services to all field agents and
other law authorities across the USA.
In 1978 the first computer crime was recognized in the Florida Computer
Crime Act.
Francis Galton (1982 – 1991): Conducted first recorded study of
fingerprints
In 1992, the term Computer Forensics was used in academic literature.
1995 International Organization on Computer Evidence (IOCE) was
formed.
In 2000, the First FBI Regional Computer Forensic Laboratory
established.
In 2002, Scientific Working Group on Digital Evidence (SWGDE)
published the first book about digital forensic called “Best practices for
Computer Forensics”.
In 2010, Simson Garfinkel identified issues facing digital investigations.
Digital Forensics Science:
Digital Forensics is defined as the process of preservation, identification,
extraction, and documentation of computer evidence which can be used by the
court of law. It is a science of finding evidence from digital media like a
computer, mobile phone, server, or network. It provides the forensic team with
the best techniques and tools to solve complicated digital-related cases.
Digital Forensics helps the forensic team to analyze, inspect, identify, and
preserve the digital evidence residing on various types of electronic devices.
Types of Digital Forensics:
Types of digital forensics are:
Disk Forensics: It deals with extracting data from storage media by
searching active, modified, or deleted files.
Network Forensics: It is a sub-branch of digital forensics. It is related to
monitoring and analysis of computer network traffic to collect important
information and legal evidence.
Wireless Forensics: It is a division of network forensics. The main aim
of wireless forensics is to offer the tools needed to collect and analyze
data from wireless network traffic.
Database Forensics: It is a branch of digital forensics relating to the
study and examination of databases and their related metadata.
Malware Forensics: This branch deals with the identification of
malicious code, to study their payload, viruses, worms, etc.
Email Forensics: Deals with recovery and analysis of emails, including
deleted emails, calendars, and contacts.
Memory Forensics: It deals with collecting data from system memory
(system registers, cache, RAM) in raw form and then carving the data
from the raw dump.
Mobile Phone Forensics: It mainly deals with the examination and
analysis of mobile devices. It helps to retrieve phone and SIM contacts,
call logs, incoming, and outgoing SMS/MMS, Audio, videos, etc.
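The "carving" step that the Memory Forensics and Disk Forensics entries above refer to can be shown concretely. The following Python is an added example, not code from the handbook: it scans a constructed raw byte dump for PNG and JPEG header signatures, cuts each file out at its trailer, skips a header whose trailer is missing (a truncated file), and hashes every recovered artefact so the report can be tied back to the exact bytes carved, which is the preservation requirement the Digital Forensics Science section describes. The signature table, the dump layout and the file skeletons are all constructed for the example; the skeletons are not valid images, they only carry the markers a carver keys on.

```python
import hashlib

# Signature table: (type, header magic, trailer magic, bytes that follow the trailer).
# The PNG IEND chunk is followed by a 4-byte CRC, so those bytes belong to the file.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 0),
]


def carve(dump):
    """Scan a raw byte dump for known file headers and carve each file up to
    its trailer.  Returns a list of (type, offset, data) sorted by offset.
    A header with no matching trailer (truncated file) is skipped."""
    found = []
    for name, header, trailer, tail in SIGNATURES:
        pos = 0
        while True:
            start = dump.find(header, pos)
            if start == -1:
                break
            end = dump.find(trailer, start + len(header))
            if end == -1:
                break  # truncated: header present but the file never ends
            end += len(trailer) + tail
            found.append((name, start, dump[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def sha256_hex(data):
    """Hex SHA-256 of a byte string, used to fingerprint carved artefacts."""
    return hashlib.sha256(data).hexdigest()


def evidence_record(carved):
    """One record per artefact: type, byte range in the dump and hash, so a
    later examiner can verify they are looking at the same bytes.  The dump
    itself should be hashed in the same way before any analysis starts."""
    return [
        {"type": t, "offset": off, "size": len(data), "sha256": sha256_hex(data)}
        for t, off, data in carved
    ]


def build_sample_dump():
    """Constructed dump: zero filler around a minimal PNG skeleton (offset 100,
    45 bytes) and a minimal JPEG skeleton (offset 195, 33 bytes)."""
    png = (
        b"\x89PNG\r\n\x1a\n"                      # PNG signature
        + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17  # IHDR chunk: 13 data + 4 CRC
        + b"\x00\x00\x00\x00IEND\xaeB`\x82"       # IEND chunk with its CRC
    )
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + b"\xff\xd9"
    return b"\x00" * 100 + png + b"\x00" * 50 + jpeg + b"\x00" * 20


if __name__ == "__main__":
    for rec in evidence_record(carve(build_sample_dump())):
        print(rec)
```

Signature carving recovers files whose directory entries are gone, which is why it works on a memory image or an unallocated region of a disk as well as on a mounted file system; its limitation is that it needs an intact header and trailer, so the truncated case is reported as "nothing found" rather than as a partial file.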
Note:
Digital forensics is a branch of forensic science encompassing the
recovery, investigation, examination and analysis of material found in
digital devices, often in relation to mobile devices and computer crime.
Computer forensics is a branch of digital forensic science pertaining to
evidence found in computers and digital storage media.
Digital forensics, also known as cyber forensics, is a broad term that
describes activities relating to investigating attacks and cyber incidents
involving various digital assets. This includes everything from mobile
phones and computers to servers, networks and so on.
The Need for Computer Forensics:
In today's technology-driven generation, the importance of cyber forensics is
immense. Technology combined with forensics paves the way for quicker
investigations and accurate results. Below are the points depicting the
importance of cyber forensics:
Cyber forensics helps in collecting important digital evidence to trace the
criminal.
Electronic equipment stores massive amounts of data that a normal person
fails to see. For example, in a smart house, every word we speak and every
action performed by a smart device generates huge amounts of data, which is
crucial in cyber forensics.
It is also helpful for innocent people to prove their innocence via the
evidence collected online.
It is not only used to solve digital crimes but also used to solve real-world
crimes like theft cases, murder, etc.
Businesses are equally benefitted from cyber forensics in tracking system
breaches and finding the attackers.
Digital Evidence:
Digital evidence is information stored or transmitted in binary form that may be
relied on in court. It can be found on a computer hard drive, a mobile phone,
among other places.
Digital evidence is commonly associated with electronic crime, or e-crime, such
as child pornography or credit card fraud. However, digital evidence is now
used to prosecute all types of crimes, not just e-crime.
For example, suspects' e-mail or mobile phone files might contain critical
evidence regarding their intent, their whereabouts at the time of a crime and
their relationship with other suspects.
In 2005, for example, a floppy disk led investigators to the BTK serial killer
who had eluded police capture since 1974 and claimed the lives of at least 10
victims.
In an effort to fight e-crime and to collect relevant digital evidence for all
crimes, law enforcement agencies are incorporating the collection and analysis
of digital evidence, also known as computer forensics, into their infrastructure.
Law enforcement agencies are challenged by the need to train officers to collect
digital evidence and keep up with rapidly evolving technologies such as
computer operating systems.
E-Mail gateways are the connections between email servers. Mail server
software controls the flow of email. A mail client is the software used to send
and receive (read) emails. An email contains two parts:
Header
Body
The email header is very important from a forensics point of view. A full header
view of an email shows the entire path of the email’s journey from its source to
its destination. The header also includes IP addresses and other useful
information. A header is a sequence of fields (key-value pairs).
The body of the email contains the actual message. Headers can easily be
spoofed by spammers. Header protocol analysis is important for investigating
evidence.
After obtaining the source IP address, we look up the ISP’s details. By
contacting the ISP, we can get further information such as:
Name
Address
Contact number
Internet facility
Type of IP address
Any other relevant information
It is important during investigations that the logs of all servers in the chain
are examined as soon as possible. If the server named in the bottom-most
Received section does not match the sender’s mail server, it is a fake email.
The Message-ID helps to find a particular email’s log entry on an email server.
RFC 2822 defines the Internet message format. According to RFC 2822:
Each email must have a globally unique identifier
It defines the syntax of the Message-ID
The Message-ID can appear in three header fields:
a. Message-ID header
b. In-reply-to header
c. References header
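The header analysis described above, as an added example that is not part of the handbook: it parses a constructed message, walks the Received: headers bottom-up to recover the path from source to destination, compares the first hop against the sender's domain (the mismatch check the text describes), and collects Message-IDs from the three header fields RFC 2822 allows, checking each for the <id-left@id-right> syntax. All hostnames, IP addresses and queue ids in the sample are placeholders invented for the example.

```python
"""Walk an email's Received: chain and check the origin against the sender.

Added example; not part of the handbook. The message below is constructed
for this example and every host, address and queue id in it is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: three Received: hops. Read bottom-up for the true path.
# The bottom (first) hop announces a host outside the From: domain.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby mail.example.org with ESMTP id 7Fq3nT for <bob@example.org>;
\tMon, 02 Oct 2023 10:00:05 +0000
Received: from relay.example.net (relay.example.net [203.0.113.10])
\tby mx2.example.net with ESMTP id 4Kd8pQ;
\tMon, 02 Oct 2023 10:00:03 +0000
Received: from smtp.placeholder-origin.test ([198.51.100.7])
\tby relay.example.net with SMTP id 1Ab2cD;
\tMon, 02 Oct 2023 10:00:01 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Invoice
Message-ID: <20231002100001.1Ab2cD@smtp.placeholder-origin.test>
In-Reply-To: <prev.12345@mail.example.org>
References: <prev.12345@mail.example.org>
Date: Mon, 02 Oct 2023 10:00:00 +0000

Please see the attached invoice.
"""

# One unfolded Received: value looks like
#   from <host> (<comment>) by <host> with <proto> id <queue-id>; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"            # host the previous hop announced
    r"(?:\s+\((?P<from_info>[^)]*)\))?"     # optional (reverse-dns [ip]) comment
    r"\s+by\s+(?P<by_host>\S+)"             # server that wrote this header
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?",      # optional queue id for log lookup
    re.IGNORECASE,
)
# RFC 2822 msg-id syntax: "<" id-left "@" id-right ">"
MESSAGE_ID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")


def unfold(value):
    """Collapse a folded (multi-line) header value onto one line."""
    return " ".join(value.split())


def parse_sample():
    """Parse the constructed message with the standard library parser."""
    return message_from_string(RAW_MESSAGE)


def received_chain(msg):
    """Hops oldest-first: the bottom Received: header is the first hop."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(unfold(raw))
        if match:
            hops.append(match.groupdict())
    return hops


def sender_domain(msg):
    """Domain part of the From: address (empty string if absent)."""
    address = parseaddr(msg.get("From", ""))[1]
    return address.rpartition("@")[2].lower()


def origin_matches_sender(msg):
    """Does the first hop's announced host belong to the sender's domain?
    Returns (matches, first_hop_host); a mismatch is the text's forgery signal."""
    hops = received_chain(msg)
    if not hops:
        return False, None
    first = hops[0]["from_host"].lower().strip("[]")
    domain = sender_domain(msg)
    matches = bool(domain) and (first == domain or first.endswith("." + domain))
    return matches, first


def message_id_fields(msg):
    """Message-IDs from the three header fields RFC 2822 allows them in,
    each paired with whether it matches the <id-left@id-right> syntax."""
    found = {}
    for field in ("Message-ID", "In-Reply-To", "References"):
        value = msg.get(field)
        if value is not None:
            found[field] = [(i, bool(MESSAGE_ID_RE.match(i)))
                            for i in unfold(value).split()]
    return found


if __name__ == "__main__":
    msg = parse_sample()
    for n, hop in enumerate(received_chain(msg), 1):
        print(f"hop {n}: {hop['from_host']} -> {hop['by_host']} (id {hop['id']})")
    ok, first = origin_matches_sender(msg)
    print("first hop", first, "matches" if ok else "does NOT match", "the From: domain")
    for field, ids in message_id_fields(msg).items():
        print(field, ids)
```

The queue id captured from each hop is the value to search for in that server's log, alongside the Message-ID; in the sample the first-hop host does not belong to example.com, which is exactly the mismatch the text tells the investigator to look for.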
Digital Forensics Lifecycle:
The digital forensics process is shown in the following figure. Forensic life
cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
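A chain-of-custody record tying together the collection, storage and examination phases above, as an added example that is not part of the handbook: the evidence is hashed at collection, every hand-over is logged, and the hash is recomputed before examination so that any alteration in storage or transport is detected and recorded. The evidence bytes, evidence id and handler names are constructed placeholders.

```python
"""Chain-of-custody log for one piece of digital evidence.

Added example; not part of the handbook. SAMPLE_EVIDENCE stands in for an
acquired artefact (disk image, exported mailbox) and is a constructed value.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the acquired artefact.
SAMPLE_EVIDENCE = b"constructed sample evidence: exported mailbox bytes\n"


def fingerprint(data):
    """SHA-256 hex digest used to prove the evidence has not changed."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled the evidence, when, and its hash."""

    def __init__(self, evidence_id, data, handler):
        self.evidence_id = evidence_id
        self.acquisition_hash = fingerprint(data)   # reference hash from phase 2
        self.entries = []
        self.record("collection", handler, "acquired and hashed", self.acquisition_hash)

    def record(self, phase, handler, note, observed_hash=None):
        """Append one custody entry (phase names follow the lifecycle above)."""
        entry = {
            "evidence_id": self.evidence_id,
            "phase": phase,
            "handler": handler,
            "note": note,
            "sha256": observed_hash,
            "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }
        self.entries.append(entry)
        return entry

    def verify(self, data, phase, handler):
        """Re-hash at a later phase, log the result, return True if intact."""
        observed = fingerprint(data)
        intact = observed == self.acquisition_hash
        self.record(phase, handler,
                    "integrity verified" if intact else "HASH MISMATCH", observed)
        return intact

    def report(self):
        """Serialised log for the reporting phase."""
        return json.dumps(self.entries, indent=2)


if __name__ == "__main__":
    log = CustodyLog("EV-0001-placeholder", SAMPLE_EVIDENCE, "examiner A")
    log.record("storage", "evidence custodian", "sealed and moved to locker")
    log.verify(SAMPLE_EVIDENCE, "examination", "examiner B")
    # A single changed byte is caught before analysis proceeds.
    log.verify(SAMPLE_EVIDENCE + b"\x00", "examination", "examiner B")
    print(log.report())
```

Work is done on a copy of the evidence; the reference hash taken at collection is what the examiner quotes when testifying that the analysed copy is identical to what was seized.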
UNIT – IV
Cyber Security: Organizational Implications
Introduction:
In the global environment with continuous network connectivity, the
possibilities for cyberattacks can emanate from sources that are local, remote,
domestic or foreign. They could be launched by an individual or a group. They
could be casual probes from hackers using personal computers (PCs) in their
homes, hand-held devices or intense scans from criminal groups.
A key message from this discussion is that cybercrimes do not happen on their
own or in isolation. Cybercrimes take place due to weak cybersecurity
practices, and “privacy” may be impacted when cybercrimes happen.
Privacy has the following four key dimensions:
1. Informational/data privacy: It is about data protection, and the users’ rights
to determine how, when and to what extent information about them is
communicated to other parties.
2. Personal privacy: It is about content filtering and other mechanisms to
ensure that the end-users are not exposed to whatever violates their moral
senses.
3. Communication privacy: This is as in networks, where encryption of data
being transmitted is important.
4. Territorial privacy: It is about protecting users’ property, for example the
user devices, from being invaded by undesired content such as SMS or E-
Mail/Spam messages.
The paradigm shift in computing brings many challenges for organizations;
some such key challenges are described here.
The key challenges from emerging new information threats to organizations are
as follows:
1. Industrial espionage: There are several tools available for web
administrators to monitor and track the various pages and objects that are
accessed on their website.
2. IP-based blocking: This process is often used for blocking the access of
specific IP addresses and/or domain names.
3. IP-based “cloaking”: Businesses are global in nature and economies are
interconnected.
4. Cyberterrorism: “Cyberterrorism” refers to the direct intervention of a
threat source toward your organization’s website.
5. Confidential information leakage: “Insider attacks” are the worst ones.
Typically, an organization is protected from external threats by its firewall
and antivirus solutions.
Prepared by:
Amma Madhu
Assistant Professor, MREC(A).