
UNIT - II

SECURITY INVESTIGATION

The security investigation underlines the organization’s responsibility to develop and
maintain a successful information security program that is to be executed at all levels of
management. An organization must understand that securing an asset is a continuous process
rather than an event.

1. NEED FOR SECURITY


There are two types of needs in securing an asset:

 Business need

 Technology need
Any organization will face difficulty in deciding which of the above needs should be
compromised. Business needs should always be given higher priority. Compromising business
needs for the sake of security may hinder the development of the organization.

Business needs first, Technology needs last

The primary mission of information security is to ensure that systems and their contents stay
the same. If there were no threats, organizations could focus on improving systems, resulting
in vast improvements in ease of use and usefulness. Attacks on information systems are a daily
occurrence, and the need for information security increases as the sophistication of such
attacks increases.

2. BUSINESS NEEDS
The needs for securing the information asset of an organization are listed below:
 Protects the organization’s ability to function
2.2 Information Security

 Enables the safe operation of applications implemented on the organization’s IT systems
 Protects the data the organization collects and uses
 Safeguards the technology assets in use at the organization
Organization’s ability to function

 The top level management is responsible for framing a security policy that is suitable
to the organization’s needs.

 Information security is confronted both as a management issue and as a people issue.

 The measures taken by the management in securing the information will lower the
occurrences of people issues.

 All the communities of interest in the organization must understand the importance of
information security and should insist that top management follow a proper security
policy.

 The impact of information loss and the cost of the security process must be analyzed
by the management before framing a security policy.
Enabling Safe Operation

 Organizations may involve people, machines, processes and procedures as
applications in their business.

 They must take great care in creating integrated, efficient, and capable applications.

 The environment in which the applications function must safeguard the applications in
all dimensions.

 The management is responsible for framing policies and enforcement of decisions that
support the infrastructures of the organization.

 The infrastructure may range from e-mail to Instant Messenger (IM) applications.

 Loss of information or damage to applications will cause severe loss to the
organization and may put the reliability of the applications in question.

 To avoid this, people handling any application must be given proper training and
education regarding the application by experts.

 Though the IT department is responsible for handling all data and information, the
management must involve all the departments of the organization in making choices
and enforcing decisions regarding security.

Protecting Data

 The most valuable and non-recoverable asset in an organization is data.

Most important and non-recoverable asset is data.

 It is the most valuable asset and the most difficult one to secure.

 Organizations must ensure proper security for both data in motion and data at rest.

 Without data, an organization loses its record of transactions and/or its ability to
deliver value to its customers.

 An effective information security program is essential to the protection of the
integrity and value of the organization’s data.

 Loss of confidential data may lead to great disasters, which would force the
framing of a new security policy from scratch.

 Developing a new security policy after data loss would consume more resources.

Safeguarding Technology Assets

 Technology assets are costly, and their installation is also very expensive.

 Organizations must have secure infrastructure services based on the size and scope
of the enterprise and the technologies they use.

 Additional security services may have to be provided if needed.

 More robust solutions may be needed to replace outdated security programs.

 PKI (Public Key Infrastructure) is one of the security measures that safeguard
data.

3. THREATS
 A threat is an object, person, or other entity that represents a constant danger to an
asset.

 Management must have a detailed knowledge of the various kinds of threats the
organization would face.

 The management must ensure that sufficient protection is given to its information
through framing policy, giving proper education and training to people, and applying
technology controls (replacing outdated technologies with current ones).

Know the enemy and know yourself.

 A business firm can build more effective security strategies by identifying and
ranking the severity of the potential threats to its information assets.

 Consistent reviews and checks must be performed by the organization to ensure
the proper functioning of the countermeasures against the threats.

 The 2002 CSI/FBI survey found:
 90% of organizations responding detected computer security breaches
within the last year.
 80% lost money to computer breaches, totaling over $455,848,000, up
from $377,828,700 reported in 2001.
 The number of attacks that came across the Internet rose from 70% in
2001 to 74% in 2002.
 Only 34% of organizations reported their attacks to law enforcement.

 The above-mentioned survey details clearly show the ignorance of top
management, middle management and employees in securing their information
assets.

 People responsible for that information must begin with an understanding of
the threats facing the information, then examine the vulnerabilities
inherent in the systems that store, process, and transmit the information, and
then identify all possible threats faced by the information.

Profiling the enemy

 The organization’s view of security is shaped by changes in the identification
of threats, the rollout of new technologies, and the identification of new threats
that are likely to occur in the future.

 The following questions must be answered by the organization to understand the
threats:

1. What are the threats to information security?

2. Which of these threats are the most serious?

3. How frequently (per month) are these threats observed?

 There are five groups of real and present danger:

 Inadvertent acts

 Deliberate acts

 Acts of God

 Technical failures

 Management failures

 The above-mentioned groups classify threats in a broad sense. The following
categories help an organization identify the threats to be assessed in a more
detailed manner:
 Act of Human Error or Failure (accidents, employee mistakes)
 Compromises to Intellectual Property (piracy, copyright infringement)
 Deliberate Acts of Espionage or Trespass (unauthorized access and/or data
collection)
 Deliberate Acts of Information Extortion (blackmail of information disclosure)
 Deliberate Acts of Sabotage or Vandalism (destruction of systems or
information)
 Deliberate Acts of Theft (illegal confiscation of equipment or information)
 Deliberate Software Attacks (viruses, worms, macros, denial of service)
 Forces of Nature (fire, flood, earthquake, lightning)
 Quality of Service Deviations from Service Providers (power and WAN service
issues)
 Technical Hardware Failures or Errors (equipment failure)
 Technical Software Failures or Errors (bugs, code problems, unknown
loopholes)
 Technological Obsolescence (antiquated or outdated technologies)

 Each organization must prioritize the real and present dangers listed above based on
the security situation, strategy and level of exposure.
Threat group 1: Inadvertent acts

 The attacker does not have any malicious intent, or the attack cannot be proven to
fall in the category of theft. These acts are termed inadvertent acts. Acts of human error
or failure, and deviations in the quality of service from service providers, come under
this group.
a) Acts of Human Error or Failure

 This includes acts done without malicious intent by an authorized person in the
organization.

 The main reasons for this type of threat are:
 Employing less experienced people to handle applications.
 Lack of sufficient training for people.
 Incorrect assumptions made by humans.
 Other circumstances.

Employees are the greatest threat to information security

 Minor mistakes committed by the employees can easily lead to the following:
 disclosing classified data
 entry of erroneous data
 unintentional or accidental deletion or modification of data
 storage of data in insecure and unprotected areas
 failure to protect information

 All of the above-mentioned threats can easily be prevented by exercising suitable
controls, such as making the user type a critical command twice, making the access
procedures more complex, and having commands verified by another party.

Figure 1: Some forms of acts of human error or failure


b) Deviations in Quality of Service by Service Providers
 The organizations will depend on some kind of services from the service
providers.
 The magnitude of the service may vary with the type and size of the
organization.
 The services may range from water supply and other essential needs to
transportation services.
 The product or services may not be delivered as expected or as committed by the
service providers to the organization.
 Though this seems to be a minor issue, the impact of deviations in quality of
service on information security is great.
 The degradation of service is a form of availability disruption.
 Information systems are not autonomous units.

Information systems depend on many inter-dependent support systems.
 The following sets of service issues affect the availability of information and
systems to a large extent:
 Internet service
 Communications
 Power irregularities
Internet Service Issues
 Loss of Internet service can lead to a considerable loss in the availability of information,
since organizations have staff and telecommuters working at remote locations.
 Globalization has resulted in staff working at remote sites for the organization.
 Non-availability of Internet services may affect the normal functioning of the
organization, since the services performed at the remote site may not be available in time.
 When an organization outsources its web servers, the outsourcer assumes
responsibility for:
 All Internet Services
 The hardware and operating system software used to operate the web
site.
 The services rendered by the outsourcer are recorded and duly signed by the
outsourcer and the head of the organization. This document is known as a Service Level
Agreement (SLA). It is an agreement stating the minimum service levels.
 SLAs may be in printed form or in electronically signed form.

 Deviations in delivering Internet services can be easily tracked using this document, and
legal measures can be taken.
Communications and Other Services

 Apart from technical services like internet, other utility services also have a potential
impact on the functioning of the organization.

 The following are some of the utility services:


 Telephone
 water & waste water treatment
 trash pickup
 cable television
 natural or propane gas
 custodial services
 physical security service

 cleaning service
 transportation

 The loss of any of the above-mentioned services can lead to the inability of the
organization to function properly.
Power Irregularities

 Power supply is the hottest issue today.

 Uninterrupted power supply is desired by any organization.

 Apart from providing uninterrupted power supply, the quality of the power supplied
is vital for the efficient functioning of the electrical and electronic equipment used by the
organization.

 Fluctuations in voltage levels can harm all the equipment in the organization and
may cause permanent damage to machinery and equipment.
 The following classifications are made based on the increase, decrease, or loss of
voltage:
 spike – momentary increase
 surge – prolonged increase
 sag – momentary low voltage
 brownout – prolonged drop
 fault – momentary loss of power
 blackout – prolonged loss
 The electronic and electrical equipment susceptible to voltage fluctuations must be
given proper voltage regulating controls to manage power quality.
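
As an added illustration of the classification above (this code is not part of the original notes), the following Python function scans a series of voltage readings and labels each abnormal run as a spike, surge, sag, brownout, fault or blackout, which is the kind of check a power-quality monitor performs before a regulating control is triggered. The nominal voltage, the 10% thresholds, the cut-off between "momentary" and "prolonged" and the sample trace are all assumptions constructed for the example.

```python
"""Classify power-quality events from a series of voltage readings.

Added example, not from the original notes: the thresholds, the nominal
voltage and the momentary/prolonged cut-off below are assumptions.
"""

NOMINAL_V = 230.0          # assumed nominal supply voltage
HIGH_RATIO = 1.10          # above 110% of nominal counts as an increase (assumed)
LOW_RATIO = 0.90           # below 90% of nominal counts as a drop (assumed)
LOSS_RATIO = 0.10          # below 10% of nominal counts as loss of power (assumed)
MOMENTARY_SAMPLES = 3      # runs shorter than this are "momentary" (assumed)

# Name of the event by (abnormal state, is_momentary), following the notes' six classes
EVENT_NAMES = {
    ("high", True): "spike", ("high", False): "surge",
    ("low", True): "sag", ("low", False): "brownout",
    ("loss", True): "fault", ("loss", False): "blackout",
}


def _state(v):
    """Map one reading to 'normal', 'high', 'low' or 'loss'."""
    if v < NOMINAL_V * LOSS_RATIO:
        return "loss"
    if v < NOMINAL_V * LOW_RATIO:
        return "low"
    if v > NOMINAL_V * HIGH_RATIO:
        return "high"
    return "normal"


def classify_events(samples):
    """Return [(event_name, start_index, length)] for every abnormal run.

    Consecutive readings in the same abnormal state form one run; the run's
    length decides whether it is momentary (spike/sag/fault) or prolonged
    (surge/brownout/blackout).
    """
    events = []
    run_state, run_start = "normal", 0
    # A trailing nominal reading acts as a sentinel so the last run is closed.
    for i, v in enumerate(list(samples) + [NOMINAL_V]):
        state = _state(v)
        if state != run_state:
            if run_state != "normal":
                length = i - run_start
                momentary = length < MOMENTARY_SAMPLES
                events.append((EVENT_NAMES[(run_state, momentary)], run_start, length))
            run_state, run_start = state, i
    return events


# Constructed trace: one instance of each of the six event types
SAMPLE_TRACE = (
    [230.0] * 3 + [260.0]            # spike: a single high reading
    + [230.0] * 2 + [255.0] * 5      # surge: five high readings
    + [230.0] + [200.0] * 2          # sag: two low readings
    + [230.0] * 2 + [190.0] * 4      # brownout: four low readings
    + [230.0] + [0.0] * 2            # fault: two readings with no power
    + [230.0] + [0.0] * 6            # blackout: six readings with no power
    + [230.0]
)

if __name__ == "__main__":
    for name, start, length in classify_events(SAMPLE_TRACE):
        print(f"{name:9s} at sample {start:2d}, {length} sample(s)")
```

Each tuple carries the start index and the run length, so a monitoring job can raise a ticket for prolonged events (surge, brownout, blackout) while only logging momentary ones.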
Threat group 2: Deliberate acts
Purposeful acts by people or organizations to harm the organization come under
deliberate acts.
a) Acts of Espionage/Trespass
 Espionage literally means spying on a person’s activities and using the stolen
information to the spy’s advantage.
 In terms of information security espionage is defined as human or electronic
activities that breach the confidentiality of an organization’s information.

 The following activities are termed acts of trespass or espionage:
a. Unauthorized accessing of information
b. Competitive intelligence vs. espionage
c. Shoulder surfing, which can occur at any place where a person is accessing
confidential information
 Competitive intelligence is an information gathering technique that is termed
a legal form of research.
 When the above-mentioned information gathering crosses the threshold of what
is legal or ethical, it is termed industrial espionage.
 Trespass means entering premises or systems that one has not been authorized
to enter.
 All possible controls must be implemented to mark the boundaries of an
organization’s virtual territory, giving notice to trespassers that they are
encroaching on the organization’s cyberspace.
 People who use and create computer software to gain access to information
illegally are termed hackers.
 Hackers use their skill, guile (ability to trick people), knowledge or fraud to
steal the property of someone else to their benefit.

Figure 2: Shoulder Surfing

 Generally hackers exhibit two levels of skill:

 Expert hacker
a. The hacker who develops software scripts and code to exploit the
organization’s information assets is termed an expert hacker.
b. He/she is usually a master of many skills.
c. He will often create applications that attack the software owned by
the organization and will share the confidential and disclosed
information with others.
 Script kiddies (unskilled hackers)
a. A hacker with limited skill who does not develop any strategy for
hacking but uses expert-written software or strategies to exploit
an organization’s information system.
b. They do not possess detailed knowledge about the system but will
attempt to hack it.

 Apart from the above-mentioned rule breakers, the following types of intruders are also
common in the modern world:
 Cracker – An individual who “cracks” or removes the protective mechanism
that is designed to prevent unauthorized duplication. He paves the way for the
hacker to access the system by breaking the protection mechanism.
 Phreaker – An individual who hacks the public telephone network and gains
information from the communication.

 Hackers can also be classified into two broad categories based on their profiles:
 Traditional hacker profile – A hacker aged 13 to 18, almost always male, with
limited supervision, who spends all his leisure time on the system.
 Modern hacker profile – A hacker aged 12 to 60, whose background is
unknown. He may possess good technical skill and may be located internal or
external to the organization.

Figure 3: Hacker Profiles


b) Deliberate acts of information extortion

 Information extortion is an attacker or formerly trusted insider stealing information
from a computer system and demanding compensation from the organization for its
return or non-use.

 The most common form of extortion involves credit card number theft.

 The attacker may demand monetary benefits from the owner or may seek any other
favor in return for the non-use of the stolen information.

 This type of threat is a criminal offense and governments have framed laws against
this form of information theft.
c) Deliberate Acts of Sabotage (damaging machines) or Vandalism

 Individuals or groups may deliberately sabotage the operations of a computer
system or business, or perform acts of vandalism to either destroy an asset or
damage the image of the organization.

 The attacker could damage the physical components of the organization, such as
machinery, or could spoil the reputation of the organization.

 These threats can range from petty vandalism to organized, pre-planned sabotage.

 The damage to the image of the organizations can lead to losing consumer
confidence and sales thereby affecting the business.

 Cyber-activist or hacktivist operations – Confidential data may be disclosed
to unauthorized persons.

 Cyber-terrorism – The use of hacking as a method for conducting terrorist activities
through the Internet or any other network. Example: defacement of NATO web
pages during the Kosovo war.

Cyber-terrorism: The greatest threat to the country

d) Deliberate Acts of Theft

 Theft is the illegal taking of another’s property by physical, electronic, or intellectual
means.

 The value of information suffers when it is copied and taken away without the
owner’s knowledge.

 Physical theft can be controlled by a wide variety of control measures, from
locked doors to guards or alarm systems.

 Electronic theft is a more complex problem to manage and control; the
organization may not even know that it has occurred.

 Intellectual theft is even more complex to detect. It is very difficult to protect
intellectual property.

 Protection of intellectual property is provided by Intellectual Property Rights
(IPR).

Intellectual Property Rights will control Intellectual Theft.

e) Deliberate Software Attacks

 Software attacks are very hard to detect and the control measures taken to prevent
this type of attack must be updated periodically.

 Malware is malicious code, or part of a piece of software, created by an individual or
group to attack the software used by the organization. It damages, destroys, or denies
service to the target systems, thereby causing serious loss to the organization.

 The following are some of the types of software attacks:
 Virus – A virus is a segment of code that attaches itself to an executable file.
 Macro virus – A macro virus is a computer virus that infects an application
and causes a sequence of actions to be performed automatically when the
application is started or something else triggers it. One common example
of a macro virus is the Melissa virus.
 Boot virus – A boot virus infects the boot records on floppy diskettes and hard
drives and is designed to self-replicate from one disk to another.

 Worms – A worm is similar to a virus by design and is considered to be a
sub-class of a virus. Worms spread from computer to computer, but unlike
a virus, a worm has the capability to travel without any human action. A worm
takes advantage of file or information transport features on the system,
which is what allows it to travel unaided. Examples: Nimda, Code Red,
Sircam.
 Trojan horses – A Trojan horse gives a hacker remote access to a targeted
computer system. Once a Trojan has been installed on a targeted computer
system, the hacker has remote access to the computer and can perform all
kinds of operations. They are generally readme.exe files.
 Logic bombs – A logic bomb is a piece of code intentionally inserted into a
software system that will set off a malicious function when specified
conditions are met.
 Back door or trap door – A backdoor in a computer system is a method of
bypassing normal authentication, securing remote access to a computer,
obtaining access to plaintext, and so on, while attempting to remain
undetected.
 Denial-of-service attacks – A denial-of-service attack (DoS attack) is an
attempt to make a computer or network resource unavailable to its intended
users.
 Polymorphic virus – A polymorphic virus changes its virus signature (i.e. its
binary pattern) every time it replicates and infects a new file, in order to
keep from being detected by an antivirus program, since the antivirus
program will look only for the preconfigured signatures.
 Hoaxes – A deceptive alert disseminated via forwarded e-mail, warning
users of a computer virus, Internet worm, or other security threat which in
reality does not exist. A widely circulated alert warning PC users of an
alleged security threat from the harmless Budweiser Frogs Screen Saver is
one of the best-known examples of a virus hoax.

Figure 4: Trojan Horse attack


f) Compromises to Intellectual Property

 Intellectual property is defined as the ownership of ideas and control over the
tangible or virtual representation of those ideas.

 Many organizations are in business to create intellectual property.

 The following are some forms of intellectual property:
a. trade secrets
b. copyrights
c. trademarks
d. patents

 Most common IP (intellectual property) breaches involve software piracy.

 The two common ways to preserve Intellectual Property are:


 Watchdog organizations: They are responsible for preserving Intellectual
Properties. Some common organizations are:
1. Software & Information Industry Association (SIIA) - This is the
principal trade association for the software and digital content industries.
SIIA provides global services in government relations, business
development, corporate education and intellectual property protection to the
leading companies that are setting the pace for the digital age.
2. Business Software Alliance (BSA) – This is a trade group representing a
number of the world's largest software makers and is a member of the
International Intellectual Property Alliance. Its principal activity is trying to
stop copyright infringement of software produced by its members.
 Enforcement of copyright has been attempted with technical security
mechanisms like watermarking, embedded code, copyright codes, etc.
Threat group 3: Acts of God
These types of threats are created by nature and cannot be controlled or prevented.
a) Forces of Nature

 Forces of nature or acts of God are dangerous because they are unexpected and
occur with very little warning.

 They disrupt not only the lives of individuals, but also the storage, transmission,
and use of information and all devices associated with information.

 It is not possible to avoid many of these threats. But management must implement
controls to limit the damage and also prepare contingency plans for continued
operations even after the occurrence of these natural disasters.

 Some of the forces of nature that could cause damage are:
 Fire
 Flood
 Earthquake
 Lightning
 Landslide
 Tornado
 Hurricane
 Tsunami
 Electrostatic discharge
 Dust
Threat group 4: Technical Failures
a) Technical Hardware Failures or Errors

 Technical hardware failures or errors occur when a manufacturer distributes
equipment containing flaws to users that may be either known or unknown to the
manufacturer.

 These defects can cause the system to perform outside the expected parameters,
resulting in unreliable service or lack of availability.

 Some errors are terminal, i.e. they result in the unrecoverable loss of the
equipment.

 Some errors are intermittent, i.e. they only periodically manifest themselves,
resulting in faults that are not easily repeated.
b) Technical software failures or errors

 This category of threats comes from purchasing software with unrevealed faults.

 Large quantities of computer code are written, debugged, published, and sold. Not
all bugs in that code were resolved.

 The faults may range from bugs to total failure of the software.

 Sometimes, unique combinations of certain software and hardware reveal new
bugs.

 Sometimes, these items cannot be termed errors, but they may be purposeful
shortcuts left by the programmers for honest or dishonest reasons.
Threat group 5: Management Failures
a) Technological Obsolescence

 When the infrastructure becomes antiquated or outdated, it leads to the building
of unreliable and untrustworthy systems.

 Management must always be kept up to date with recent developments in technology,
and they must recognize that when technology becomes outdated, there is a risk
of loss of data integrity to threats and attacks.

 Ideally, proper planning by management should prevent the risks from
technological obsolescence, but when obsolescence is identified, management must
take action.

 IT professionals must assist management in upgrading the technologies
used by the organization.
Top 10 threats
1. Malware
2. Malicious insiders
3. Exploited vulnerabilities
4. Careless employees
5. Mobile devices
6. Social networking
7. Social engineering
8. Zero-day exploits – Zero-day exploits are when an attacker can compromise a
system based on a known vulnerability for which no patch or fix exists, and they have
become a very serious threat to information security.
9. Cloud computing security threats
10. Cyber espionage

Figure 5: Various threats


4. ATTACKS

An attack is the deliberate act that exploits vulnerability.



 An attack is the deliberate act that exploits vulnerability.


 It is accomplished by a threat-agent to damage or steal an organization’s information
or physical asset.
 An exploit is a technique to compromise a system.
 A vulnerability is an identified weakness of a controlled system whose
controls are not present or are no longer effective.
 An attack is then the use of an exploit to achieve the compromise of a
controlled system.
 The term Threat Agent is used to indicate an individual or group that can manifest a
threat.
 It is fundamental to identify who would want to exploit the assets of a company, and
how they might use them against the company.
 Threat Agent = Capabilities + Intentions + Past Activities
 Threat agents can take one or more of the following actions against an asset:
 Access – simple unauthorized access
 Misuse – unauthorized use of assets (e.g., identity theft, setting up a porn
distribution service on a compromised server, etc.)
 Disclose – the threat agent illicitly discloses sensitive information
 Modify – unauthorized changes to an asset
 Deny access – includes destruction, theft of a non-data asset, etc.
 Threat communities – Subsets of the overall threat agent population that share key
characteristics
 The following threat communities are examples of the human malicious threat
landscape many organizations face:
 Internal
 Employees
 Contractors (and vendors)
 Partners
 External
 Cyber-criminals (professional hackers)
 Spies
 Non-professional hackers
 Activists
 Nation-state intelligence services (e.g., counterparts to the CIA, etc.)
 Malware (virus/worm/etc.) authors
 The following are the major types of attacks:
 Malicious code
 Hoaxes
 Back doors
 Password crack
 Brute force
 Dictionary
 Denial of Service (DOS) or Distributed Denial of Service (DDOS)
 Spoofing
 Man-in-the-middle attack
 Mail bombing
 Spam
 Social engineering
 Sniffers
 Timing attack
 Buffer overflow
a) Malicious code
 This kind of attack includes the execution of viruses, worms, Trojan horses, and active
web scripts with the intent to destroy or steal information.
 The state of the art in attacking systems in the year 2002 is the multi-vector worm
using up to six attack vectors to exploit a variety of vulnerabilities in commonly found
information system devices.
 There are six categories of malicious code:
 IP scan and attack – The infected system scans a range of IP addresses and finds
vulnerable systems as targets for attack.
 Web browsing – If the infected system has been granted write access to web pages, it
will make all the web content infectious.
 Virus – The infected system infects the executable and script files of all
systems in the network.
 Shares – It first detects the various vulnerabilities in the file system and copies
the viral content to all reachable locations.
 Mass mail – Sending e-mails to all the addresses found in the address book of the
infected system.
 Simple Network Management Protocol (SNMP) – Exploiting the
vulnerabilities in the SNMP protocol.
b) Hoaxes
 A hoax is an indirect approach to attacking computer systems, i.e. the transmission of
a virus hoax with a real virus attached to it.
 A hoax will look like a legitimate message, but the attack will be hidden or masked.
 These viruses are then sent to the addresses in the recipient’s e-mail address book, thus
infecting many users along the way.
c) Backdoors
 An attacker can gain access to a system or network resource using a known or
previously unknown and newly discovered access mechanism through backdoors
of the system.
 The backdoors are unknowingly set by the maintenance staff or system engineers.
 This type of attack is very hard to find since the same programmer who has
devised the logic of the system will try to attack the system through the trap doors
or back doors he has previously set up.
d) Password crack
 Password cracking is an attempt to reverse-calculate a password.
 All passwords could be cracked if a copy of the Security Account Manager (SAM)
file is obtained.
 The SAM file contains the users’ passwords in hashed form. The same algorithm that
is used to hash the password could reverse hash the password.
e) Brute force

 The application of computing and network resources to try every possible
combination of options for a password is a brute force attack.

 This attack is sometimes referred to as a password attack, since it is an attempt to
repeatedly guess or crack passwords.

 This type of attack is more prevalent in systems that use the security measures as
recommended by the manufacturers.

 To prevent this attack, the number of times a user may enter a password must be
confined to a small number.

f) Dictionary

 The dictionary password attack narrows the field by selecting specific accounts to
attack and uses a list of commonly used passwords (the dictionary) to guide
guesses.

 This is another type of brute force attack.

 This type of attack can be reduced by frequent resetting of passwords, using
special characters in passwords, and avoiding the use of easy-to-guess passwords.
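
The two controls recommended in the brute force and dictionary sections above, confining the number of password attempts and keeping easy-to-guess passwords out of the system, can be implemented together as follows. This is an added example written for these notes, not code from the original text. It stores only a salted PBKDF2 hash of each password (so an obtained password file cannot simply be reversed), locks an account after a fixed number of consecutive failures, and refuses to enroll a password that appears in a small common-password list; the lockout threshold, the PBKDF2 work factor, the salt length and the list itself are assumptions.

```python
"""Login throttling plus dictionary-password rejection.

Added example, not from the original notes. MAX_ATTEMPTS, ITERATIONS, the
salt length and COMMON_PASSWORDS are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a real common-password list (a "dictionary")
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MAX_ATTEMPTS = 5          # assumed lockout threshold (consecutive failures)
ITERATIONS = 100_000      # assumed PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16           # assumed per-user salt length


def is_weak(password):
    """True if the password would be found by a dictionary attack."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is used unless one is given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Authenticator:
    """Minimal user store that enforces both controls."""

    def __init__(self):
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> consecutive failed attempts

    def enroll(self, username, password):
        """Store a salted hash; reject passwords from the common list."""
        if is_weak(password):
            raise ValueError("password is in the common-password list")
        self._users[username] = hash_password(password)
        self._failures[username] = 0

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self._failures.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"           # attempt limit reached: do not even check
        record = self._users.get(username)
        if record is None:
            # Unknown user: burn the same work factor so timing does not reveal it
            hash_password(password, b"\x00" * SALT_BYTES)
            self._failures[username] = self._failures.get(username, 0) + 1
            return "denied"
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self._failures[username] = 0      # success resets the counter
            return "ok"
        self._failures[username] += 1
        return "denied"

    def failures(self, username):
        """Current consecutive-failure count for an account."""
        return self._failures.get(username, 0)


if __name__ == "__main__":
    auth = Authenticator()
    auth.enroll("alice", "Tr0ub4dor&3")          # constructed credentials
    print(auth.login("alice", "Tr0ub4dor&3"))    # ok
    for _ in range(MAX_ATTEMPTS):
        print(auth.login("alice", "guess"))      # denied
    print(auth.login("alice", "Tr0ub4dor&3"))    # locked: guessing is now cut off
```

In a real system the lockout would normally expire after a delay or require an administrator reset, and the failure counter would live in shared storage so that all login servers see the same count.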

g) Denial of Service (DOS) or Distributed Denial of Service(DDOS)

 In a denial-of-service (DoS) attack, the attacker sends such a large number of connection or
information requests to a target that the target system cannot handle them
successfully along with other, legitimate requests for service.

 This will obviously result in a system crash, or merely an inability to perform
ordinary functions.

 Distributed denial-of-service (DDoS) is an attack in which a coordinated stream of
requests is launched against a target from many locations at the same time.

 The requests originate from different remote locations.

 A preparation phase occurs in a DDoS attack, in which thousands of systems
are compromised. Those compromised systems become zombies.

 The zombies are then directed remotely at the target system.

 Systems that render services with TCP as the underlying protocol are more
prone to DDoS attack.
Security Investigation 2.23

Figure 6: DOS and DDOS attacks


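Detection logic for the request floods described above, as an added example that is not part of the original text: it reads constructed connection-log lines, counts requests per target in a sliding window, and labels a flood that comes from one source as DoS and one spread across many zombies as DDoS. The log format, thresholds and addresses are constructed.

```python
# Added example, not from the original text: detection logic for the request floods
# described above. It reads constructed connection-log lines ("<epoch> <src> <dst> SYN"),
# counts requests per target inside a sliding time window, and labels a flood from a
# single source as DoS and a flood spread across many zombie sources as DDoS.
# Log format, thresholds and all addresses are constructed for illustration.
from collections import defaultdict

WINDOW_SECONDS = 10.0      # length of the sliding window
FLOOD_THRESHOLD = 50       # requests to one target within a window that count as a flood
DDOS_MIN_SOURCES = 20      # a flood spread over at least this many sources is called DDoS


def parse_line(line: str) -> tuple:
    """'<epoch> <src_ip> <dst_ip> SYN' -> (epoch as float, src_ip, dst_ip)."""
    ts, src, dst, _flag = line.split()
    return float(ts), src, dst


def classify_floods(lines) -> dict:
    """Return {target: (kind, peak_requests, distinct_sources)} for every flooded target,
    where kind is 'dos' (few sources) or 'ddos' (DDOS_MIN_SOURCES or more sources)."""
    by_target = defaultdict(list)
    for ts, src, dst in sorted(parse_line(line) for line in lines):
        by_target[dst].append((ts, src))

    result = {}
    for dst, reqs in by_target.items():
        start, peak, peak_sources = 0, 0, set()
        # two-pointer sliding window over the time-sorted requests to this target
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count > peak:
                peak = count
                peak_sources = {src for _, src in reqs[start:end + 1]}
        if peak >= FLOOD_THRESHOLD:
            kind = "ddos" if len(peak_sources) >= DDOS_MIN_SOURCES else "dos"
            result[dst] = (kind, peak, len(peak_sources))
    return result


def constructed_log() -> list:
    """Constructed sample log: background traffic, one single-source flood and one
    coordinated flood from 25 compromised hosts (zombies)."""
    lines = []
    # background: eight legitimate clients, one request each, spread over a minute
    for i in range(8):
        lines.append(f"{1000 + i * 7} 192.0.2.{10 + i} 10.0.0.5 SYN")
    # DoS: one source sends 60 SYNs to 10.0.0.10 within three seconds
    for i in range(60):
        lines.append(f"{2000 + i * 0.05:.2f} 198.51.100.7 10.0.0.10 SYN")
    # DDoS: 25 zombies each send four SYNs to 10.0.0.20 within six seconds
    for z in range(25):
        for k in range(4):
            lines.append(f"{3000 + z * 0.1 + k * 1.2:.2f} 203.0.113.{z + 1} 10.0.0.20 SYN")
    return lines


if __name__ == "__main__":
    for target, (kind, peak, sources) in classify_floods(constructed_log()).items():
        print(f"{target}: {kind.upper()} peak={peak} requests per {WINDOW_SECONDS:.0f}s "
              f"from {sources} source(s)")
```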
h) Spoofing
 This technique is used to gain unauthorized access. The intruder sends messages to
a computer with an IP address indicating that the message is coming from a trusted
host.
 The intruder will change the IP address in the packet header to make the packet
appear as a legitimate one.
 Firewalls and routers are some of the protection mechanisms against IP
spoofing.

Figure 7: IP Spoofing
i) Man-in-the-middle
 When an attacker sniffs packets from the network, modifies them, and inserts them back
into the network without the knowledge of either the sender or the receiver, it is called a
man-in-the-middle attack. This is otherwise known as a TCP hijacking attack.
 The attacker can change, delete, reroute, add, forge or divert the data sent.
 To enter the communicating network, the attacker uses IP spoofing to gain a
valid IP address.
 In TCP hijacking, the attacker may intercept even the keys exchanged and thus use
the key to decrypt the information.

Figure 8: Man-in-the-middle attack

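An integrity check that lets the receiver detect the in-transit modification and replay that a man-in-the-middle can perform, as an added example that is not part of the original text. It assumes the two sides already share a key established out of band, since the text notes that keys exchanged in band may themselves be intercepted; the message format, key and sample messages are constructed.

```python
# Added example, not from the original text: a message integrity check that lets the
# receiving side detect the in-transit modification and replay that a man-in-the-middle
# can perform. It assumes a key the two sides already share out of band (the text notes
# that keys exchanged in band may themselves be intercepted). Message format, key and
# sample messages are constructed for illustration.
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-pre-shared-key-for-this-demo"


def _tag(key: bytes, seq: int, payload: str) -> str:
    """HMAC-SHA256 over a canonical encoding of (seq, payload)."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(key: bytes, seq: int, payload: str) -> dict:
    """Sender side: emit a message carrying a sequence number and an integrity tag."""
    return {"seq": seq, "payload": payload, "tag": _tag(key, seq, payload)}


class Receiver:
    """Receiver side: accepts a message only if the tag verifies under the shared key
    and the sequence number is strictly greater than the last accepted one."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1

    def accept(self, msg: dict) -> str:
        expected = _tag(self._key, msg["seq"], msg["payload"])
        # constant-time comparison of the tags
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return "rejected: tag mismatch"
        if msg["seq"] <= self._last_seq:
            return "rejected: replayed or out-of-order sequence number"
        self._last_seq = msg["seq"]
        return "accepted"


def altered_in_transit(msg: dict, new_payload: str) -> dict:
    """Models an in-path party rewriting the payload of an intercepted message; without
    the shared key it cannot recompute a valid tag for the new payload."""
    altered = dict(msg)
    altered["payload"] = new_payload
    return altered


def run_exchange() -> list:
    """A constructed exchange: a genuine message, a modified one, a replayed one and a
    fresh genuine one. Returns the receiver's verdict for each delivery, in order."""
    receiver = Receiver(SHARED_KEY)
    first = seal(SHARED_KEY, 1, "transfer 100 to account A")
    second = seal(SHARED_KEY, 2, "transfer 100 to account B")
    third = seal(SHARED_KEY, 3, "close session")
    deliveries = [
        first,                                                    # arrives unchanged
        altered_in_transit(second, "transfer 100 to account Z"),  # rewritten in transit
        first,                                                    # old message injected again
        third,                                                    # arrives unchanged
    ]
    return [receiver.accept(m) for m in deliveries]


if __name__ == "__main__":
    for verdict in run_exchange():
        print(verdict)
```

The tag protects integrity only; data that the text says a sniffer can read in clear text stays readable, so confidentiality still needs encryption.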
j) Spam
 Spam is unsolicited commercial e-mail.
 Spam is considered more as a nuisance causing our mail to get overloaded rather
than as an attack.
 But it may open the doors for some types of attacks.
k) Mail bombing
 In this type of attack, the attacker routes a large number of e-mails to the target and
floods the inbox.
 This type of attack could be done by exploiting vulnerabilities in the network
such as flaws in SMTP.
 The mails reaching the target systems will have forged header data that could not
be detected by poorly configured firewalls.
l) Sniffers
 A program and/or device that can monitor data traveling over a network is called
a sniffer.
 Sniffers can be used both for legitimate network management functions and for
stealing information from a network.
 When sniffers are used on TCP networks, they are termed packet sniffers.
 It is very tedious to detect a sniffer program planted inside a network because it
could be inserted anywhere in the network.
 When sniffers are present in a locally connected network, like the intranet of an
organization, the exposure to this attack increases twofold, since data
travelling over a local connection will be in clear text form, not in encrypted form.
 Some of the above mentioned data may be sensitive information like passwords.
m) Social Engineering
 The process of using social skills to convince people to reveal access credentials or
other valuable information to the attacker within a given context is called social
engineering.
 As mentioned earlier, people are the weakest link of an organization.
 Invaders may study the organizational structure and try to get information from the
employees.
 A common way of obtaining information through social engineering is calling the
main control room in the name of a higher official and demanding some important
information.
 Social engineering is typically an unintentional human error on the part of an employee,
but it is the result of a deliberate action on the part of an attacker.
 Kevin Mitnick served several years in a federal prison. Upon his release, he opened
his own consulting firm, advising companies on how to deter people like him.
n) Buffer overflow
 This is actually an application error that occurs when more data is sent to a buffer than
its limit.
 When the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended consequence
of the failure and get the information.
 This buffer overflow could sometimes result in a Denial-of-Service attack. When the
buffer overflow occurs, the system may restart.
 Another way of getting information when a buffer overflows is that the attacker could
gain control over the system as a legitimate user.
o) Timing Attack
 This type of attack occurs by exploring the web browser's cache memory.
 In this type of attack, the attacker will create a malicious cookie in the web page that
will collect information about visitors and store it.
 This is a common phenomenon in password-protected sites.
 Another form of attack is attempting to intercept cryptographic elements to determine
keys and encryption algorithms.

5. LEGAL, ETHICAL & PROFESSIONAL ISSUES IN INFORMATION SECURITY

 Information security professionals must be aware of the various laws and
legislations that could be enforced within the scope of the organization's legal and
ethical boundaries.
 A clear knowledge of the laws will reduce the risks and losses faced by the
organization.
 Proper education should be given by the top management to all the employees
handling information to keep the organization focused on the legal aids available for
securing the information.
Laws and Ethics in Information Security
 There are primary differences between laws and ethics.
 Laws are rules adopted for determining expected behavior, the violation of which is
an offense.
 Laws are drawn from ethics.
 Ethics are defined as socially acceptable behaviors, the violation of which is not an
offense but will cause damage to the person's reputation.
 Ethics in turn are based on culture. Ethics in one culture may not be acceptable in
another culture. They are more like the fixed moral attitudes or customs of a particular
group.
 But certain actions like theft, murder and assault are considered unethical and illegal
acts universally.
Types of Law
 There are five major types of laws as listed below:
 Civil law
 Criminal law
 Tort law
 Private law
 Public law
 Civil law - These are large volumes of recorded laws to be followed by all citizens of
the country. They also keep a check over individuals who are violating their duties
towards the country, such as payment of tax.
 Criminal law - These laws handle actions that are harmful to society. These laws
are exercised by the state. Example: laws against murder.
 Tort law - These laws help individuals when they are affected personally, physically
or financially by other persons. They could obtain recourse against any individual. In
tort law, evidence is brought by the persons themselves, not by the state as in criminal law.
Example: laws against spoiling the reputation of an organization.
 Private law - These laws regulate the relationships between individuals and
organizations: family laws, commercial and labor laws. Example: laws related to
provident fund.
 Public law - These laws regulate the structure and administration of governmental
agencies and their relationships with citizens, employees and other governments.
Example: Right to Information Act.
Relevant U.S. laws
 The United States is seen as a leader in the development of information security, so it
has many legal checks over information threats.
General Computer Crime Laws
 The Computer Fraud and Abuse Act of 1986 (CFA Act) - This contains many
computer-related federal laws and enforcement efforts.
 National Information Infrastructure Protection Act of 1996 - This is a modified
version of the previous act that increased the penalties for criminal activity. When a
person has been found using information in any of the following manners, he will
be penalized by this law:
 For purposes of commercial advantage.
 For private financial gain.
 In furtherance of a criminal act.
 U.S.A. Patriot Act of 2001 - This act deals with electronic technology. The reach
of this act extends to actions related to combating terrorist activities.
 Telecommunications Deregulation and Competition Act of 1996 - This is a revised
form of the Communications Act of 1934. It updates the law for many of the recent
technological attacks.
 Communications Decency Act (CDA) - This law is framed to inculcate decency in the
transmission of electronic media.
 Computer Security Act of 1987 - This attempts to protect federal computer
systems by establishing minimal security practices.
Privacy of Customer Information
 Many organizations are collecting and processing personal information.
 The organizations collect information from the persons directly, or from separate
sources, or by merging some other information.
 Privacy is defined as the state of being free from unsanctioned intrusion.
 Private information is very sensitive. A number of statutes addressing an individual's
right to privacy have been formed.
 The U.S. legal code underlines the responsibilities for protecting the privacy of
information of the organizations that process or move data for hire.
 The Privacy of Customer Information section places a check over the usage of
customer information for marketing purposes, and the information carriers shall not
disclose the information while rendering services.
 This law also prevents aggregation of information.
 Aggregate information is created by combining pieces of data that are not considered
private in themselves but which, when combined together, may raise a privacy issue. This
is a common activity of cookies placed in web pages.
 The Federal Privacy Act of 1974 emphasizes the government's duty to protect the
individual's privacy.
 It is the government's duty to protect the privacy of individuals' and business
information and to make those agencies responsible if any part of the information is
released without the permission of the owner.
 However, the following agencies are exempted from some of the regulations to perform
some of their administrative duties:
 Bureau of the Census
 National Archives and Records Administration
 Congress
 Comptroller General
 Court orders
 Credit agencies
 Information to be used to protect the health or safety of the individual.

 The Electronic Communications Privacy Act of 1986 is a collection of laws that
regulates the interception of wire, electronic, and oral communications.
 The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known
as the Kennedy-Kassebaum Act, protects the confidentiality and security of health-care
data.
 It enforces many standards and standardizes the exchange of electronic data. All
health care organizations come under HIPAA.
 Through these standards, patients have the right to know who has access to their
information and who has accessed their private information without their consent.
 The health-care organizations must frame policies and procedures to maintain
information security.
 HIPAA assesses the organizations for the information security systems, policies and
procedures they follow.
 HIPAA provides guidelines for the usage of electronic signatures to ensure message
integrity, user authentication and non-repudiation, and also restricts the dissemination
and distribution of health data in any form without properly documented consent.
 HIPAA has implemented the following five fundamental principles to cope with
the changes and advancement in technology:
 The customer has sole control of their medical information.
 HIPAA fixes the boundaries on the use of medical information.
 The health care agencies are accountable for the privacy of information.
 Balance of public responsibility for the use of medical information for a greater
good, measured against the impact of disclosure of information.
 Security of health related information.

 The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999
requires all financial institutions to disclose their privacy policies on the sharing of
nonpublic personal information.
 This act gives customers the right to protect their information from reaching
third parties without their knowledge.
 This act also paves the way for customers to get detailed knowledge about the
privacy policies of the financial organizations they are dealing with.
Export and Espionage Laws
 These laws address the theft of information and impose penalties in case of any theft.
 They are focused on the protection of national security, trade secrets and a variety of
other assets.
 The Economic Espionage Act (EEA) of 1996 prevents the illegal sharing of trade
secrets.
 This law was passed by Congress to protect American ingenuity and
intellectual property.
 The Security and Freedom through Encryption Act of 1999 provides guidance on the
usage of encryption techniques and also prevents the intervention of government in
encryption activities.
 This law concentrates on:
 An individual's right to use or sell encryption algorithms without minding key
registration. Key escrow or key registration is storing the cryptographic keys
with third parties so that encrypted data can be intercepted and broken.
 Prohibiting the federal government from using encryption for contracts or any
other official documents.
 Usage of encryption techniques is not a criminal activity.
 By the Export Administration Act of 1979 the export restrictions have been
relaxed.
 Charging extra penalties for the usage of encryption for criminal activities.

U.S. Copyright Law
 The U.S. Copyright Law extends intellectual property rights to all published
works, including those in electronic format.
 The copyrighted materials could be used only to support news reporting, teaching,
scholarship or any other educational purposes.
 These materials could not be used for profit by any organization.
 With proper permission from the author, it is totally fair to use a part of someone's
work as reference.

Freedom of Information Act of 1966 (FOIA)
 This act gives any individual the right to request access to federal agency
records (if the records requested do not deal with national security).
 The federal agency must disclose the requested information only on written request.
 This law is not applicable to local government agencies, private individuals or businesses.
 Many states have their own version of FOIA.

State and Local Regulations
 The above mentioned laws are practiced at national and international levels.
 Apart from those laws, each state or locality may have a number of other laws and
regulations that support information security.
 When information security professionals work on a cross-cultural platform, it is
important for them to understand the laws and regulations exercised in the states they
are dealing with.

INTERNATIONAL LAWS AND LEGAL BODIES

 IT professionals and information security practitioners do global business, so they
must be aware of the laws and ethics across the globe.
 A number of different security bodies and laws are available to secure the privacy of
information.
 But the political complexities between nations and cultural differences make the
majority of these laws ineffective.
 The laws are discussed below, but these laws cannot be enforced to their full extent.

European Council Cyber-Crime Convention
 This creates an international task force to keep a check over security in internet
activities and to standardize cross-cultural technology laws.
 The main objective of this convention is to provide information regarding
international laws on the occurrence of certain types of international crimes.
 Opponents of this law feel that it could pose a threat by placing the interests of national
agencies over the rights of businesses, organizations and individuals.
 This convention is very effective in implementing Intellectual Property Rights (IPR).

Digital Millennium Copyright Act (DMCA)
 This was framed to reduce the impact of copyright, trademark and privacy
infringement.
 More emphasis is placed on acts related to the removal of technological copyright
protection measures.
 The European Union framed Directive 95/46/EC to protect against the processing of
individuals' personal data without their permission.
 The above mentioned right was implemented by the United Nations in the name of
Database Right.
United Nations Charter
 The United Nations Charter has provisions to implement information security during
information warfare.
 Information warfare (IW) is defined as the usage of information as a part of
organized and lawful military operations to conduct offensive operations against any
state.
 Some operations of early information warfare are jamming, intercepting and spoofing
during periods of war.

POLICY VERSUS LAW

 Policy is defined as a formalized body of expectations that provides a clear distinction
between acceptable and unacceptable employee behaviors.
 Law is defined as properly executed policies. Laws are complemented with
penalties, judicial practices and sanctions to be enforced when laws are violated.
 Laws must be fairly applied to everyone in the workplace.
 Ignorance of policy is acceptable, but ignorance of law cannot be used as a defense
when an individual is found guilty of any activity against the law.
 The following are the expected characteristics of a policy:
 Policy must be distributed to all individuals who are to work with it.
 Availability of the policy for reference by an employee is a must.
 Policy must be easily understandable. It should support multilingual formats and
should also be available to visually impaired people.
 Policies should be acknowledged by all employees in signed form.

ETHICAL CONCEPTS IN INFORMATION SECURITY

 It is important for information security professionals to know the ten commandments
of computer ethics framed by the Computer Ethics Institute.
Ten Commandments of computer ethics
a. Thou shall not use the computer to harm other people.
b. Thou shall not interfere with other people’s computer work.
c. Thou shall not snoop around in other people’s computer files.
d. Thou shall not use a computer to steal.
e. Thou shall not use a computer to bear false witness.
f. Thou shall not copy or use proprietary software for which you have not paid.
g. Thou shall not use other people’s computer resources without authorization or
without proper compensation.
h. Thou shall not appropriate other people’s intellectual output.
i. Thou shall think about the social consequences of the program you are writing or
the system you are designing.
j. Thou shall always use a computer in ways that insure consideration and respect
for fellow humans.
Cultural Differences in Ethical Concepts
 Cultural differences always cause problems while demarcating what is ethical and
what is unethical behavior.
 When people are working in cross-cultural environments, ethical sensitivity becomes a
big question mark.
 It is very common that ethical behavior in one nation is considered unethical in
another nation.
 The globally accepted unethical behaviors include: software license
infringement, illicit use and misuse of resources.
Software License Infringement
 Software piracy is software license infringement.
 According to a study conducted, individuals understood what infringement is but never
felt that usage of pirated software also comes under the same terminology.
 Some reasons why such people could not be tracked are: peer pressure, lack of legal
disincentives, lack of punitive measures, etc.
Illicit Use
 Viruses, hacking and other forms of system abuse are considered to be illicit usage.
 The degree of tolerance of illicit use varies between nations.
 When the degree of tolerance is low, the system will easily become prey to breaking
and entering, trespassing, theft and destruction of property.
Misuse of Corporate Resources
 Usage of a company's computer resources, like internet facilities, for personal use
comes under misuse of corporate resources.
 This happens when there is no proper indication of an established policy towards personal
use of computer resources.
Ethics and Education
 Education is defined as the overriding factor in leveling the ethical perceptions within
a small population.
 Employees must always be aware of topics related to information security and also
about the ethical behavior.
 Proper ethical and legal training is a must to create an informed, well prepared and low
risk system user.
Deterrence to Unethical and Illegal Behavior
 It is the responsibility of information security personnel to prevent illegal, immoral
or unethical behavior.
 This is possible only by framing proper policies, providing education and training and
the usage of technology in protecting the assets.
 The following are the three categories of unethical and illegal behavior:
1. Ignorance:
 Ignorance of policies and procedures is excused, but ignorance of
laws is not excused.
 The only way to eliminate ignorance is education.
 Education could be accomplished through design, publication,
dissemination and agreement to organizational policy and laws.
 Continuous awareness is brought by reminders, training and
awareness programs.
2. Accident
 Authorized individuals may cause harm or damage information
accidentally.
 This could be avoided by exercising proper controls that prevent
accidental modification to systems and data.
3. Intent
 Intent refers to the state of mind of the individual
performing the act.
 Intended activities are liable to legal action whether the crime
is performed from ignorance, accident or specific intent.
 This could not be avoided but could be fought through litigation,
prosecution and other technical measures.
Deterrence
 Deterrence, or prevention through fear of consequences, is the best method to prevent
illegal or unethical activity.
 Laws, policies and other technical controls are various ways of implementing
deterrence.
 However, laws, policies and all other penalties will deter only if the
following conditions are present:
1. Fear of Penalty
 The individuals wishing to commit the unethical activity must fear the penalty
being imposed on them.
 Threat of imprisonment or forfeiture of pay will have a greater impact than
verbal warnings or informal rebuke.
2. Probability of being caught
 The individuals must always know that when they commit a criminal activity
there is a strong likelihood that they will be caught.
 The severity of penalties and other countermeasures would go to waste if
there is no deterrent effect on the individuals who commit the criminal activity.
3. Probability of being administered
 The individuals committing the criminal activity must be aware of the fact that
they will be caught, presented before the hands of the law and will receive
the penalty.
 This could happen only if there is a proper administrative channel.

CODES OF ETHICS, CERTIFICATIONS AND PROFESSIONAL ORGANISATIONS
 A number of professional organizations have framed codes of ethics or codes of
conduct that their members are expected to follow.
 Codes of ethics have a positive impact on an individual's judgment of computer
use.
 Security professionals must act ethically according to the policies and procedures
of their employers, their professional organizations, and the laws of society.
 Hence it is the responsibility of the organization to develop, disseminate and
enforce its policies among all employees.
 Individuals caught violating the code of conduct should be penalized with the loss
of accreditation or certification, which would reduce the individual's marketability and
earning power in future.
 We shall discuss some of the professional organizations in the interest of information
security.

1. Association of Computing Machinery (ACM)
 ACM is the world's first educational and scientific computing society.
 This was formed in the year 1947 and is the most respected professional society.
 This society strongly promotes education and provides discounts for student members
to foster their technical development.
 ACM's code of ethics demands that members perform their duties in a manner
befitting an ethical computer professional.
 Its code contains references to protecting the confidentiality of information, causing no
harm or damage to information through viruses, privacy protection and respecting
intellectual property rights.
 The "Communications of the ACM" is a well known professional computing
publication.
2. International Information Systems Security Certification Consortium, Inc. (ISC)2
 It is a non-profit organization that focuses on the development of security certifications
rather than acting as a professional organization rendering membership services.
 This contains a body that administers and examines the certifications for information
security.
 Currently there are two professional certifications being issued by (ISC)2. They
are:
 Certified Information Systems Security Professional (CISSP)
 Systems Security Certified Practitioner (SSCP)
 The individuals who have received certification from (ISC)2 are expected to follow the
code of ethics put forth by them.
 The four major clauses in their code of ethics are:
 Protect society, the commonwealth and the infrastructure.
 Act honorably, justly, responsibly, and legally.
 Provide diligent and competent service.
 Advance and protect the profession.
 (ISC)2 promotes reliance on the ethical and trustworthy nature of information
security professionals as the guardians of the information they handle.
3. System Administration, Networking and Security Institute (SANS)
 This was founded in 1989 as a professional research and education cooperative
organization for the protection of information systems.
 Currently this has 156,000 members around the world.
 The set of certifications issued by SANS is called Global Information Assurance
Certification (GIAC).
 The GIAC Security Engineer (GSE) will have a combination of various certifications.
 The GIAC Information Security Officer (GISO) certification combines basic
technical knowledge with an understanding of threats, risks and best practices.
 Individuals desiring to obtain any of the certifications must write a complete practical
assignment that demonstrates their abilities and skills.
 These assignments are reviewed by the Information Security Reading Room, which
consists of security practitioners, potential applicants, and others in the interest of
information security.

4. Information Systems Audit and Control Association (ISACA):
 This is a professional association which focuses on information security in three
dimensions:
 Auditing
 Control
 Security
 Membership in this association requires both technical and managerial skills, and
it provides IT control practices and standards.
 The Certified Information Systems Auditor (CISA) certification contains many
information security components.

5. Computer Security Institute (CSI):
 This was founded in 1974.
 This provides information and certification to support the computer, networking and
information security professional.
 This publishes a newsletter and threat advisories to its members.
 It is well known in the industry for its annual computer threat survey,
which is conducted in cooperation with the FBI.
 It provides a wide range of technical training classes in the areas of internet security,
intrusion management, network security, forensics and technical networking.
6. Information Systems Security Association (ISSA)
 Its primary objective is to bring together qualified information security
practitioners for the exchange of ideas and educational development.
 This schedules a number of conferences, meetings, publications and information
resources to promote information security and create awareness.
 This also holds a code of ethics stating "promoting management practices that will
ensure the confidentiality, integrity, and availability of organizational
information resources".
7. Internet Society (ISOC)
 This is a non-profit, non-governmental, international organization that promotes
education, training, standards and policy to promote the usage of the internet.
 Initially the global membership was free. Since that was not effective, many other ISOC
organizations actively review and promote these issues.
 The Internet Engineering Task Force (IETF) is one among these and contains members
from the computing, networking and telecommunication industries.
 IETF is primarily responsible for the technical foundations of the internet and its standards.
 The Internet Engineering Steering Group (IESG) is associated with the Internet
Architecture Board, which reviews the various standards developed by IETF.
 The reviews of these standards are published through Requests for Comments (RFCs).
 RFCs contain much related information for the development of protocols for the internet
and other related technology.
8. Computer Security Division (CSD)
 This belongs to the National Institute of Standards and Technology (NIST) and contains
a resource center called the Computer Security Resource Center (CSRC).
 CSRC contains information on security related topics.
 The five major research areas of CSD are:
 Cryptographic standards and applications
 Security testing
 Security research and emerging technologies
 Security management and guidance
 Outreach, awareness and education
9. CERT Coordination Center (CERT/CC)
 It is located at the Software Engineering Institute and is a center of internet security
expertise.
 CERT/CC analyses the various security issues and publishes alerts to the computer
community regarding the various threats in information security.
 This acts as a research center and also as an outside consultant on incident response
plans and other security practices.
10. Computer Professionals for Social Responsibility (CPSR)
 This promotes ethical development in the computer field.
 This is a public organization that has people with great concern about computing as
its members.
 CPSR acts as an ethical watchdog for the development of ethical computing.
 This informs the public and private policy and lawmakers in this field.
Key U.S. Federal Agencies
 The National Infrastructure Protection Center (NIPC) is the U.S. government's center
for threat assessment, warning, investigation and response to all types of threats and
attacks on information security.
 It also plays a vital role in educating, training and providing information to the public
regarding information security.
 The National InfraGard Program was launched to combat cyber and physical threats.
 This program serves its members in the following ways:
 By maintaining an intrusion alert network using encrypted e-mail.
 By maintaining a secure web site for communication about suspicious activity
or intrusions.
 Through local chapter activities.
 By operating a help desk.
 The National Security Agency (NSA) is another agency for signals intelligence and
information systems security.
 This provides security solutions including technologies, specifications and criteria,
products and their configurations, tools, standards, operational doctrine, and support
activities to implement the protect, detect, report and respond elements.
 This also promotes the Information Assurance Framework Forum to provide guidance
and technical specifications for security solutions.
 The U.S. Secret Service is responsible for detecting and taking measures against
individuals who involve themselves in computer fraud and false identification crimes.
 This protects networks and data.

ORGANIZATIONAL LIABILITY AND THE NEED FOR COUNSEL

 Liability is the legal obligation of an entity.

 Liability for a wrongful act must include compensation for the wrong.

 When an employee of the organization performs an illegal activity that causes harm,
the organization may be held financially liable for it.

 An organization increases its liability if it refuses to take the strong measures known as
due care.

 Due care means that the employees in an organization know which behaviors are
acceptable and unacceptable, and the consequences of legal and illegal actions.

 Due diligence means that the organization makes a valid effort to protect others and
maintains that level of effort over time.

 Jurisdiction, or long arm jurisdiction, is the court’s right to hear a case.

 The name long arm jurisdiction signifies that the arm of the law extends throughout
the entire state or territory.
REVIEW QUESTIONS
PART – A
1. What is an attack?
2. What is hacking?
3. What is security blue print?
4. Define E-mail spoofing
5. What are the four important functions, the information security performs in an
organization?
6. What are the different categories of threat? Give Examples.
7. What are the different acts of human error or failure?
8. How can human error be prevented?
9. What is intellectual property?
10. How can intellectual property be protected?
11. What are deliberate acts of espionage or trespass?
12. Who are Hackers? What are the two hacker levels?
13. What is information extortion?
14. What are deliberate acts of sabotage and vandalism?
15. What is Cyber terrorism?
16. What are the deliberate acts of theft?
17. What are deliberate software attacks?
18. What are the forces of Nature affecting information security?
19. What are technical hardware failures or errors?
20. What are technical software failures or errors?
21. What is technological obsolescence?
22. What is an attack?
23. What is a malicious code?
24. Define Virus.
25. Define Hoaxes
26. What is Distributed Denial-of-service (DDoS)?
27. What is Back Door?
28. Define Dictionary attack
29. What are the attack replication vectors?
30. What are the various forms of attacks?
31. What is Denial-of-service (DoS)?
32. Define Spoofing
33. Define Man-in-the-Middle
34. Distinguish skilled and unskilled hacker.
35. What are script kiddies?
36. What is a Trojan horse?
37. What is a macro virus?
38. What is a boot virus?
39. What is software piracy?
40. Define exploit.
41. Define vulnerability.
42. What is a brute force attack?
43. What is a password attack?
44. Define sniffer.
45. What is social engineering?
46. Define law.
47. Define ethics.
48. Distinguish law and ethics.
49. What are the types of laws? Define each.
50. What is CFA?
51. What is CDA?
52. What is HIPAA?
53. What is EEA?
54. List the U.S. copyright laws.
55. Distinguish policy and law.
56. What is DMCA?
57. What is software infringement?
58. What are the illegal behaviors?
59. What is ACM?
60. What is the importance of IETF?
61. Define due diligence.
62. Define due care.
PART – B
1. Explain the four important functions, the information security performs in an
organization.
2. What are deliberate acts of Espionage or trespass? Give examples.
3. What are deliberate software attacks?
4. Enumerate different types of attacks on computer based systems.
5. What are different US laws and International laws on computer based crimes?
6. Explain in detail the Legal, Ethical and Professional issues during the security
investigation.
7. What are threats? Explain the different categories of threat.
8. What is intellectual property? How can it be protected?
9. Who are hackers? Explain their levels.
10. Discuss in detail the forces of Nature affecting information security.
11. Explain deliberate software attacks.
12. Describe the various professional security organizations.