Uploaded by khanalaayush621

Cyber Security

Cyber security is the practice of defending computers, servers, mobile devices,
electronic systems, networks, and data from malicious attacks. It is also known as
information technology security or electronic information security. The term is made up of
two words: cyber and security. Cyber refers to the technology, which includes systems,
networks, programs and data, whereas security refers to the protection of that technology,
which includes system security, network security, application security and information
security.
The term applies in a variety of contexts, from business to mobile computing, and can
be divided into a few common categories.

• Network security is the practice of securing a computer network from intruders, whether
targeted attackers or opportunistic malware.
• Application security focuses on keeping software and devices free of threats. A
compromised application could provide access to the data it is designed to protect.
Successful security begins in the design stage, well before a program or device is
deployed.
• Information security protects the integrity and privacy of data, both in storage and in
transit.
• Operational security includes the processes and decisions for handling and protecting
data assets. The permissions users have when accessing a network and the procedures
that determine how and where data may be stored or shared all fall under this umbrella.
• Disaster recovery and business continuity define how an organization responds to a
cyber-security incident or any other event that causes the loss of operations or data.
Disaster recovery policies dictate how the organization restores its operations and
information to return to the same operating capacity as before the event. Business
continuity is the plan the organization falls back on while trying to operate without
certain resources.
• End-user education addresses the most unpredictable cyber-security factor: people.
Anyone can accidentally introduce a virus to an otherwise secure system by failing to
follow good security practices. Teaching users to delete suspicious email attachments, not
plug in unidentified USB drives, and various other important lessons is vital for the
security of any organization.
Cybercrime
Cybercrime is criminal activity that either targets or uses a computer, a computer
network or a networked device. Most cybercrime is committed by cybercriminals or
hackers who want to make money. However, occasionally cybercrime aims to damage
computers or networks for reasons other than profit. These could be political or
personal.
Cybercrime can be carried out by individuals or organizations. Some cybercriminals are
organized, use advanced techniques and are highly technically skilled. Others are
novice hackers.
Types of cybercrime include:

• Email and internet fraud.
• Identity fraud (where personal information is stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
• Cyberespionage (where hackers access government or company data).
• Interfering with systems in a way that compromises a network.
• Infringing copyright.
• Illegal gambling.
• Selling illegal items online.

Types of Attacks in Cyber Security

Malware
Malware is a term used to describe malicious software, including spyware, ransomware,
viruses, and worms. Malware breaches a network through a vulnerability, typically when
a user clicks a dangerous link or email attachment that then installs risky software.
Once inside the system, malware can do the following:

• Blocks access to key components of the network (ransomware)
• Installs malware or additional harmful software
• Covertly obtains information by transmitting data from the hard drive (spyware)
• Disrupts certain components and renders the system inoperable
Phishing
Phishing is the practice of sending fraudulent communications that appear to come from
a reputable source, usually through email. The goal is to steal sensitive data like credit
card and login information or to install malware on the victim’s machine. Phishing is an
increasingly common cyberthreat.

Man-in-the-middle attack
Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when
attackers insert themselves into a two-party transaction. Once the attackers interrupt the
traffic, they can filter and steal data.
Two common points of entry for MitM attacks:
1. On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device
and the network. Without knowing, the visitor passes all information through the
attacker.
2. Once malware has breached a device, an attacker can install software to process all
of the victim’s information.
Denial-of-service attack
A denial-of-service attack floods systems, servers, or networks with traffic to exhaust
resources and bandwidth. As a result, the system is unable to fulfill legitimate requests.
Attackers can also use multiple compromised devices to launch this attack. This is
known as a distributed denial-of-service (DDoS) attack.
SQL injection
A Structured Query Language (SQL) injection occurs when an attacker inserts malicious
code into a server that uses SQL and forces the server to reveal information it normally
would not. An attacker could carry out a SQL injection simply by submitting malicious
code into a vulnerable website search box.
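The search-box case described above, shown as an added example (not code from the original notes): a small in-memory SQLite table with one non-public row, a search function that pastes the box's text into the query, and the same search written with a bound parameter. The table, its rows and the function names are constructed for this illustration.

```python
import sqlite3

def build_demo_db():
    """Constructed in-memory table: two public products and one internal record
    that the public search must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("laptop", 1), ("keyboard", 1), ("internal-prototype", 0)],
    )
    conn.commit()
    return conn

def search_vulnerable(conn, term):
    """Search-box input pasted straight into the SQL text: the input can change
    the logic of the WHERE clause instead of being treated as data."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    """Same search with a bound parameter: whatever the user types is only ever
    a LIKE pattern, so the WHERE clause keeps its meaning."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

if __name__ == "__main__":
    db = build_demo_db()
    print(search_vulnerable(db, "key"), search_parameterized(db, "key"))
    # The textbook tautology: it closes the quoted pattern, ORs in a condition that is
    # always true, and comments out the rest of the statement.
    tautology = "' OR 1=1 --"
    print(search_vulnerable(db, tautology))      # the non-public row leaks
    print(search_parameterized(db, tautology))   # [] : the pattern is matched literally
```

Parameterization is the fix for injection; note that `%` and `_` typed by the user still act as LIKE wildcards in the safe version, which is a separate (non-injection) concern to handle if exact matching is required.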
Zero-day exploit
A zero-day exploit hits after a network vulnerability is announced but before a patch or
solution is implemented. Attackers target the disclosed vulnerability during this window
of time. Zero-day vulnerability threat detection requires constant awareness.
DNS Tunneling
DNS tunneling uses the DNS protocol to carry non-DNS traffic over port 53: HTTP and
other protocol traffic is encapsulated in DNS queries and responses. There are various
legitimate reasons to use DNS tunneling. However, there are also malicious reasons to use
it, such as DNS tunneling VPN services. These disguise outbound traffic as DNS,
concealing data that would normally be sent over an ordinary internet connection. In
malicious use, DNS requests are manipulated to exfiltrate data from a compromised system
to the attacker's infrastructure, and the same channel can carry command-and-control
callbacks from the attacker's infrastructure to the compromised system.
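A detection-side illustration of the section above, added here and not part of the original notes: a few heuristics that a resolver-log monitor can apply to spot tunnelled traffic (very long labels, high-entropy labels, long names, bulk record types such as TXT or NULL), run over a constructed set of query log lines. The log format, client addresses, domain names and thresholds are all assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver log lines, one "<client> <qtype> <name>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.7 TXT zkq7w3pf9x2hv4nj8tb6my5cr1gd0sla.p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7.t.example.net
10.0.0.7 TXT m1n2b3v4c5x6z7a8s9d0fgh1jklq2wer.ty3ui4op5as6df7gh8jk9lz0xc1vb2nm.t.example.net
10.0.0.7 A www.example.com
"""

# Illustrative thresholds; tune them against a baseline of your own resolver's traffic.
MAX_LABEL_LEN = 30             # encoded payload chunks produce unusually long labels
MAX_NAME_LEN = 60              # and unusually long full names
ENTROPY_THRESHOLD = 3.5        # bits per character; dictionary-word labels sit well below this
BULK_QTYPES = {"TXT", "NULL"}  # record types that can carry a lot of data per response

def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for a constant string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    client, qtype, name = line.split()
    return client, qtype.upper(), name.lower().rstrip(".")

def tunnel_indicators(qtype, name):
    """Names of the heuristics that a single query trips."""
    longest = max(name.split("."), key=len)
    flags = []
    if len(longest) > MAX_LABEL_LEN:
        flags.append("long-label")
    if len(name) > MAX_NAME_LEN:
        flags.append("long-name")
    if shannon_entropy(longest) > ENTROPY_THRESHOLD:
        flags.append("high-entropy")
    if qtype in BULK_QTYPES:
        flags.append("bulk-record-type")
    return flags

def find_tunnel_candidates(log_text, min_flags=2):
    """Clients whose queries trip at least `min_flags` heuristics. A single flag,
    such as a legitimate TXT lookup for _dmarc, is not enough to raise an alert."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, name = parse_line(line)
        flags = tunnel_indicators(qtype, name)
        if len(flags) >= min_flags:
            hits[client].append((name, flags))
    return dict(hits)

if __name__ == "__main__":
    for client, queries in find_tunnel_candidates(SAMPLE_LOG).items():
        for name, flags in queries:
            print(client, ", ".join(flags), name)
```

Requiring two or more indicators keeps ordinary TXT lookups and long but low-entropy CDN names from alerting; in practice the per-client query volume to a single parent domain is a further signal worth adding.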

Security technologies
Everyone knows that everything has two sides, pros and cons, and the same applies to
the Internet. With the rapid growth of the Internet, cyber security has become a major
concern to organizations throughout the world. The fact that the information, tools and
technologies needed to penetrate the security of corporate networks are widely
available has increased that security concern.

Virtual Private Networks
VPN stands for "Virtual Private Network" and describes the opportunity to establish a
protected network connection when using public networks. VPNs encrypt your internet
traffic and disguise your online identity. This makes it more difficult for third parties to
track your activities online and steal data. The encryption takes place in real time. A
VPN hides your IP address by letting the network redirect it through a specially
configured remote server run by a VPN host. This means that if you surf online with a
VPN, the VPN server becomes the source of your data. This means your Internet
Service Provider (ISP) and other third parties cannot see which websites you visit or
what data you send and receive online.

Advantages/Applications of VPN
Secure encryption: To read the data, you need an encryption key. Without one, it
would take millions of years for a computer to decipher the code in the event of a brute-
force attack. With the help of a VPN, your online activities are hidden even on public
networks.
Disguising your whereabouts: VPN servers essentially act as your proxies on the
internet. Because the geographic location data comes from a server in another
country, your actual location cannot be determined. In addition, most VPN services do
not store logs of your activities. Some providers, on the other hand, record your
behavior, but do not pass this information on to third parties. This means that any
potential record of your user behavior remains permanently hidden.
Access to regional content: Regional web content is not always accessible from
everywhere. Services and websites often contain content that can only be accessed
from certain parts of the world. Standard connections use local servers in the country to
determine your location. This means that you cannot access content from home while
traveling, and you cannot access international content from home. With VPN location
spoofing, you can switch to a server in another country and effectively "change" your
location.
Secure data transfer: If you work remotely, you may need to access important files on
your company's network. For security reasons, this kind of information requires a secure
connection. To gain access to the network, a VPN connection is often required. VPN
services connect to private servers and use encryption methods to reduce the risk of
data leakage.

Firewall
A firewall is a network security system designed to prevent unauthorized access to or
from a private network. A firewall can be hardware, software, or both. Firewalls prevent
unauthorized internet users from accessing private networks connected to the internet,
especially intranets. A firewall monitors and controls incoming and outgoing network
traffic based on predetermined security rules. A firewall typically establishes a barrier
between a trusted network and an untrusted network, such as the Internet.
The primary purpose of a firewall is to allow non-threatening traffic and block
malicious or unwanted traffic, protecting the computer from viruses and attacks.
A firewall is a cyber security tool that filters network traffic and helps users block
malicious software on infected computers from reaching the Internet.
A firewall system analyzes network traffic based on pre-defined rules. It then filters the
traffic and blocks any traffic coming from unreliable or suspicious sources. It
only allows incoming traffic that it is configured to accept.
Typically, firewalls intercept network traffic at a computer's entry point, known as a port.
Firewalls perform this task by allowing or blocking specific data packets based on pre-
defined security rules. Incoming traffic is allowed only from trusted IP addresses, or
sources.
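To make the rule-based filtering described above concrete, here is an added example (not from the original notes) of a first-match packet filter with a default deny, plus a check for the common misordering in which a broad "allow" placed first makes a later "deny" unreachable. The `Rule` and `Packet` shapes, the address ranges and the two rule sets are constructed for this illustration and follow no particular firewall's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR notation
    dst_port: Optional[int]   # None means any destination port
    proto: str = "tcp"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's source, destination port and protocol all fit the rule."""
    in_network = ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src, strict=False)
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return in_network and port_ok and rule.proto == pkt.proto

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation: the first matching rule decides. Anything no rule
    accepts is dropped, which is the default-deny posture the section describes."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already covers
    every packet they would match (same protocol, same or wider port, wider network)."""
    shadowed = []
    for j, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.src, strict=False)
        for earlier in rules[:j]:
            earlier_net = ipaddress.ip_network(earlier.src, strict=False)
            if (later_net.subnet_of(earlier_net) and earlier.proto == later.proto
                    and earlier.dst_port in (None, later.dst_port)):
                shadowed.append(j)
                break
    return shadowed

# Constructed inbound policy: SSH only from the internal 10.0.0.0/8 network, HTTPS from
# anywhere; every other packet falls through to the default deny.
INBOUND_RULES = [
    Rule("allow", "10.0.0.0/8", 22),
    Rule("allow", "0.0.0.0/0", 443),
]

# Weak ordering: the broad allow comes first, so the deny for 203.0.113.0/24 never fires.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", None),
    Rule("deny", "203.0.113.0/24", None),
]

# Corrected ordering: the specific deny is evaluated before the broad allow.
CORRECTED_RULES = [
    Rule("deny", "203.0.113.0/24", None),
    Rule("allow", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print(evaluate(INBOUND_RULES, Packet("10.1.2.3", 22)))       # allow
    print(evaluate(INBOUND_RULES, Packet("203.0.113.9", 22)))    # deny (not internal)
    print(evaluate(INBOUND_RULES, Packet("10.1.2.3", 3389)))     # deny (default)
    print(shadowed_rules(WEAK_RULES), shadowed_rules(CORRECTED_RULES))  # [1] []
```

Because evaluation is first-match, rule order is part of the policy; the `shadowed_rules` check is the kind of lint worth running on any rule set before it is deployed.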
Encryption
Encryption is a process that encodes a message or file so that it can only be read by
certain people. Encryption uses an algorithm to scramble, or encrypt, data and then
uses a key for the receiving party to unscramble, or decrypt, the information. Basic
forms of encryption may be as simple as switching letters. As cryptography advanced,
cryptographers added more steps, and decryption became more difficult.
The various components of an encryption system are as follows:
Plaintext: It is the data to be protected during transmission.
Encryption Algorithm: It is a mathematical process that produces a cipher text for any
given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext
and an encryption key as input and produces a cipher text.
Cipher text: It is the scrambled version of the plaintext produced by the encryption
algorithm using a specific encryption key. The cipher text is not guarded; it flows over a
public channel and can be intercepted or compromised by anyone who has access to the
communication channel.
Decryption Algorithm: It is a mathematical process that produces a unique plaintext
for any given cipher text and decryption key. It is a cryptographic algorithm that takes a
cipher text and a decryption key as input, and outputs a plaintext. The decryption
algorithm essentially reverses the encryption algorithm and is thus closely related to it.

Types of Encryption
Symmetric Key Encryption
An encryption system in which the sender and receiver of a message share a single,
common key that is used both to encrypt and to decrypt the message is called symmetric key
encryption.
A symmetric key encryption algorithm uses the same cryptographic key for both encryption
and decryption of the cipher text. Symmetric-key systems are simpler and faster, but their
main drawback is that the two parties must somehow exchange the key in a secure
way. Symmetric encryption is also known as private-key encryption and secret-key
encryption.
Asymmetric Key Encryption (Public Key Encryption)
Asymmetric cryptography uses a pair of related keys in place of one shared key. One
of the keys is made public and one is kept private. You encrypt a message with the
recipient's public key. The recipient can then decrypt it with their private key. And they
can do the same for you, encrypting a message with your public key so you can decrypt
it with your private key.
Asymmetric cryptography is usually implemented by the use of one-way functions. In
mathematical terms, these are functions that are easy to compute in one direction but
very difficult to compute in reverse. This is what allows you to publish your public key,
which is derived from your private key. It is very difficult to work backwards and
determine the private key.

Intrusion Detection
An intrusion detection system (IDS) is a network security tool that monitors network
traffic and devices for known malicious activity, suspicious activity or security policy
violations.
It is software that checks a network or system for malicious activities or policy violations.
Each illegal activity or violation is typically recorded centrally using a SIEM (Security
Information and Event Management) system or reported to an administrator. An IDS
monitors a network or system for malicious activity and helps protect a computer network
from unauthorized access by users, including possibly insiders. The intrusion detection
learning task is to build a predictive model (i.e. a classifier) capable of distinguishing
between 'bad connections' (intrusions/attacks) and 'good' (normal) connections.
An IDS cannot stop security threats on its own. Today, IDS capabilities are typically
integrated with, or incorporated into, intrusion prevention systems (IPSs), which can
detect security threats and automatically take action to prevent them.
Detection Methods of IDS
Signature-based Method: A signature-based IDS detects attacks on the basis of
specific patterns, such as the number of bytes or the number of 1s or 0s in
the network traffic. It also detects on the basis of already known malicious
instruction sequences used by malware. The patterns detected by the IDS are
known as signatures. A signature-based IDS can easily detect attacks whose pattern
(signature) already exists in the system, but it is quite difficult to detect new malware
attacks because their pattern (signature) is not yet known.
Anomaly-based Method: The anomaly-based IDS was introduced to detect unknown
malware attacks, as new malware is developed rapidly. An anomaly-based IDS uses
machine learning to create a model of trusted activity; incoming activity is
compared with that model and declared suspicious if it does not fit the model.
The machine learning-based method generalizes better than a
signature-based IDS, as these models can be trained according to the applications and
hardware configurations.
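Both detection methods described above, as an added example (not code from the original notes) run over a constructed window of web-server access-log lines: a signature check matches known-bad request patterns, and an anomaly check compares each client's request count against a baseline of normal activity (here a simple mean-plus-k-standard-deviations model standing in for the trained model the section mentions). The log format, client addresses, baseline counts and signature patterns are assumptions made for this illustration.

```python
import re
import statistics
from collections import Counter

# Signature-based: known malicious request patterns (constructed, deliberately simple).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

# Anomaly-based: the "trusted activity" model. Constructed requests-per-client counts
# observed during a normal one-minute window.
BASELINE_REQUESTS = {"10.0.0.1": 4, "10.0.0.2": 5, "10.0.0.3": 6, "10.0.0.4": 5, "10.0.0.5": 5}

# Constructed current window of access-log lines: "<client> <method> <path> <status>".
CURRENT_WINDOW = (
    ["10.0.0.2 GET /index.html 200"] * 6
    + ["10.0.0.3 GET /search?q=' or 1=1 200"]
    + ["10.0.0.9 GET /../../etc/passwd 404"]
    + ["10.0.0.9 GET /index.html 200"] * 40
)

def parse(line):
    """Split a log line; the path may contain spaces, so the status is taken from the right."""
    client, method, rest = line.split(" ", 2)
    path, status = rest.rsplit(" ", 1)
    return client, method, path, status

def signature_alerts(lines):
    """(client, signature name, path) for every request matching a known pattern."""
    alerts = []
    for line in lines:
        client, _method, path, _status = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name, path))
    return alerts

def anomaly_threshold(baseline, k=3.0):
    """Requests per window above which a client is considered abnormal."""
    values = list(baseline.values())
    return statistics.mean(values) + k * statistics.pstdev(values)

def anomaly_alerts(baseline, lines, k=3.0):
    """Clients whose request count in the current window exceeds the baseline threshold.
    This catches the flood from 10.0.0.9 even though none of its /index.html requests
    match any signature."""
    counts = Counter(parse(line)[0] for line in lines)
    threshold = anomaly_threshold(baseline, k)
    return {client: n for client, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for alert in signature_alerts(CURRENT_WINDOW):
        print("signature:", *alert)
    for client, n in anomaly_alerts(BASELINE_REQUESTS, CURRENT_WINDOW).items():
        print("anomaly:", client, n, "requests")
```

The two methods are complementary, as the section says: the traversal and tautology requests are caught only by signatures, while the request flood is caught only by the anomaly model. A real deployment would maintain the baseline per client and per time of day rather than using one fixed set of counts.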

Anti-Malicious Software
Anti-malicious software (anti-malware) is software that protects the computer from malware such as
spyware, adware, and worms. It scans the system for all types of malicious software
that manage to reach the computer. An anti-malicious program is one of the best tools
to keep the computer and personal information protected. It is designed
to eliminate malware from the computer. Although it has similarities with antivirus, an
anti-malware program is different from antivirus: it has more
advanced features and broader coverage, and addresses spyware, spam, and other threats
that antivirus doesn't. Anti-malicious software is designed to find known viruses
and oftentimes other malware such as ransomware, Trojan horses, worms, spyware,
adware, etc., that can have a detrimental impact on the user or device.

Benefits of Anti-Malware Software

An anti-malware program has many benefits, particularly keeping your computer
secure. But that's not all anti-malware has to offer; you can benefit from anti-malware in
many ways.
• You're protected from hackers - hackers gain access to your computer through
malware. With anti-malware installed, you can browse the web safely.
• Your privacy is protected - cyber criminals use your personal information to their
advantage. Anti-malware prevents software that steals personal information from installing.
• Your valuable files are secured - if malware and viruses are kept off the computer, you
can be assured that your data is protected.
• Your software is up-to-date - nobody wants outdated software. Anti-malware keeps
your software updated. It will remind you if a new version or an update is available
online.
• Your computer is free of junk - anti-malware notifies you if junk files are consuming your
computer's memory, so you can free up some space. This eliminates useless files stored
on your computer.

Software security
Software security is the concept of implementing mechanisms in the construction of
software to help it remain functional (or resistant) under attack. This means that a piece of
software undergoes software security testing before going to market to check its ability
to withstand malicious attacks.
The idea behind software security is building software that is secure from the get-go,
without having to add additional security elements afterwards as extra layers of security
(although in many cases this still happens). The next step is teaching users to use the
software in the right manner to avoid being prone or open to attacks.
Software security is critical because a malware attack can cause extreme damage to
any piece of software while compromising integrity, authentication, and availability. If
programmers take this into account in the programming stage and not afterward,
damage can be stopped before it begins.

Best Practices for Software Security

1. Updated Software: Every software program occasionally has problems. There is no
avoiding that. However, this is one of the hackers' most popular methods of targeting
software users. To ensure software security, it is crucial to patch systems regularly and keep
software up to date.
2. Least Privilege: Giving software users the absolute minimum amount of access to the
programs they need to complete their jobs is known as the least privilege. To put it another
way, deny them access to features, privileges, and controls they won't utilize.
3. Software Automation: Big corporations or enterprises cannot manually keep track of the
various jobs they need to execute regularly. Automation becomes important in this situation.
IT departments should automate routine processes crucial for computer security software,
like assessing firewall updates and security configuration.
4. Document & Measure: Tracking and gauging activity over time is crucial. Doing this
ensures that your users are utilizing computer security software appropriately and aren't
abusing their privileges or committing any other negative actions.
Browser security
Browser security is the application of Internet security to web browsers in order to
protect networked data and computer systems from breaches of privacy or malware.
Security exploits of browsers often use JavaScript, sometimes with cross-site scripting
(XSS). Security exploits can also take advantage of vulnerabilities (security holes) that
are commonly found in all browsers.
How to keep your browser secure
• Keep your browser software up-to-date.
• Review your browser's security settings and preferences.
• If you do not need pop-ups, disable them or install software that will prevent pop-up
windows. Pop-ups can be used to run malicious software on your computer.
• Install an ad blocker.
• Install browser add-ons, plug-ins, toolbars, and extensions sparingly (in small numbers)
and with care.
• Use private web browsing.
• Use a VPN.

SSL
SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was
first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication,
and data integrity in Internet communications. A website that implements SSL/TLS has
"HTTPS" in its URL instead of "HTTP."
How does SSL work
In order to provide a high degree of privacy, SSL encrypts data that is transmitted
across the web. This means that anyone who tries to intercept this data will only see a
garbled mix of characters that is nearly impossible to decrypt. SSL initiates
an authentication process called a handshake between two communicating devices to
ensure that both devices are really who they claim to be. SSL also digitally signs data in
order to provide data integrity, verifying that the data is not tampered with before
reaching its intended recipient.
IPSec
IPSec is a set of communication rules or protocols for setting up secure connections
over a network. Internet Protocol (IP) is the common standard that determines how data
travels over the internet. IPSec adds encryption and authentication to make the protocol
more secure. For example, it scrambles the data at its source and unscrambles it at its
destination. It also authenticates the source of the data.
Computers exchange data with the IPSec protocol through the following steps.

1. The sender computer determines if the data transmission requires IPSec
protection by verifying against its security policy. If it does, the computer initiates
secure IPSec transmission with the recipient computer.
2. Both computers negotiate the requirements to establish a secure connection.
This includes mutually agreeing on the encryption, authentication, and other
security association (SA) parameters.
3. The computer sends and receives encrypted data, validating that it came from
trusted sources. It performs checks to ensure the underlying content is reliable.
4. Once the transmission is complete or the session has timed out, the computer
ends the IPSec connection.

Information Security and Cryptography

Classical Encryption Methods
1. Substitution Method
2. Transposition Method
3. Rotor Machines
4. Steganography

Substitution Method:
A substitution technique is one in which the letters of the plaintext are replaced by other
letters or by numbers or symbols.
i. Caesar Cipher:
▪ This is the earliest known example of a substitution cipher.
▪ Each character of a message is replaced by the character three positions down in the
alphabet.
▪ plaintext: are you ready
▪ ciphertext: DUH BRX UHDGB
ii. Monoalphabetic and Polyalphabetic Cipher
▪ A monoalphabetic cipher is a substitution cipher in which the cipher letter for each plain
text letter is fixed for the entire encryption.
▪ In simple words, if the letter 'p' in the plain text is replaced by the cipher letter
'd', then wherever 'p' appears in the plain text it is replaced by 'd' to form the
ciphertext.
▪ A polyalphabetic cipher is far more secure than a monoalphabetic cipher. A
monoalphabetic cipher maps a plain text letter to one ciphertext letter and uses that
same ciphertext letter wherever the plain text letter occurs in the message, whereas a
polyalphabetic cipher can replace the same plain text letter with a different ciphertext
letter each time.
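An added example for the Caesar, monoalphabetic and polyalphabetic ciphers above (not code from the original notes): a Caesar shift that reproduces the page's "are you ready" example, a monoalphabetic substitution built from a constructed keyword alphabet, a Vigenere-style polyalphabetic substitution, and a helper that shows the difference the section describes: with one fixed table every plain 'e' becomes the same cipher letter, while with a changing key it does not. The keyword alphabet and the key "key" are assumptions made for this illustration.

```python
import string

ALPHABET = string.ascii_lowercase

def caesar(text, shift=3):
    """Shift every letter `shift` places down the alphabet (a negative shift decrypts).
    Non-letters such as spaces pass through unchanged; output is upper case."""
    out = []
    for ch in text:
        if ch.isalpha():
            out.append(ALPHABET[(ALPHABET.index(ch.lower()) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)

# Constructed cipher alphabet for the monoalphabetic example: the word "keyword" followed
# by the unused letters, so plain a -> k, b -> e, c -> y, ... fixed for the whole message.
KEYWORD_ALPHABET = "keywordabcfghijlmnpqstuvxz"

def monoalphabetic(text, cipher_alphabet=KEYWORD_ALPHABET):
    """One fixed substitution table for the entire message."""
    assert len(set(cipher_alphabet)) == 26
    table = dict(zip(ALPHABET, cipher_alphabet))
    return "".join(table[ch.lower()].upper() if ch.isalpha() else ch for ch in text)

def polyalphabetic(text, key):
    """Vigenere-style substitution: the shift comes from the next key letter each time,
    so the same plain letter can become different cipher letters."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k.isalpha()]
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            out.append(ALPHABET[(ALPHABET.index(ch.lower()) + shifts[i % len(shifts)]) % 26].upper())
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def cipher_letters_for(plain_letter, plaintext, ciphertext):
    """Set of cipher letters a given plain letter was turned into: one letter means the
    substitution is monoalphabetic, several means it is polyalphabetic."""
    return {ciphertext[i] for i, ch in enumerate(plaintext) if ch.lower() == plain_letter}

if __name__ == "__main__":
    print(caesar("are you ready"))                                      # DUH BRX UHDGB
    msg = "meet me tomorrow"
    print(cipher_letters_for("e", msg, monoalphabetic(msg)))           # {'O'}
    print(cipher_letters_for("e", msg, polyalphabetic(msg, "key")))    # {'I', 'C'}
```

The fixed table is what makes a monoalphabetic cipher breakable by letter-frequency counting; the polyalphabetic version spreads each plain letter over several cipher letters, which is why the section calls it far more secure.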
iii. Playfair Cipher
▪ The Playfair cipher is a substitution cipher which involves a 5×5 matrix. Let us discuss the
technique of this Playfair cipher with the help of an example:
▪ Plain Text: meet me tomorrow
▪ Key: KEYWORD
▪ Step 1: Create a 5×5 matrix and place the key in that matrix row-wise from left to right.
Then put the remaining letters of the alphabet in the blank spaces.
▪ Note: If a key has duplicate letters, fill those letters only once in the matrix, and I
& J share one cell in the matrix even when they occur in the given key.
▪ Step 2: Now, break the plain text into pairs of letters.
▪ Plain Text: meet me tomorrow
▪ Pair: me et me to mo rx ro wz
Note
o A pair must not contain the same letter twice. If a pair has the same letter, break it and
add 'x' after the first letter. In our example 'rr' occurs as a pair, so we have broken that
pair and added 'x' after the first 'r'.
o If, while making pairs, the last pair has only one letter left, add 'z' to that letter to
form a pair. In our example we have added 'z' to 'w' because 'w' was left alone at the end.
o If a pair is 'xx', break it and add 'z' after the first 'x', i.e. 'xz' and 'x_'.
▪ Step 3: In this step, we convert the plain text into ciphertext. Take each pair of plain
text letters and look up the corresponding cipher letters in the matrix using the rules below.
Note
o If both letters of the pair are in the same row, replace each with the letter immediately to
its right. If a letter is at the extreme right, replace it with the first letter of that row, i.e.
the last element of a row circularly wraps to the first element of the same row.
o If both letters of the pair are in the same column, replace each with the letter immediately
below it. Here also, the last element of a column circularly wraps to the first element of the
same column.
o If the letters of the pair are in neither the same row nor the same column, each letter is
replaced by the element in its own row and in the column of the other letter of the pair.
▪ Pair: me et me to mo rx ro wz
▪ Cipher Text: kn ku kn kz ks ta kc yo
iv. Hill Cipher
• The Hill cipher is a polygraphic substitution cipher based on linear algebra. Each letter is
represented by a number modulo 26 with the scheme A = 0, B = 1, ..., Z = 25.
• To encrypt a message, each n × 1 column vector of plaintext numbers is multiplied by the
n × n key matrix, modulo 26.
• To decrypt the message, each block is multiplied by the inverse of the matrix used for
encryption.

Example:
• Plain Text: Hello
• Key: four

Step 1: create a matrix based on the key FOUR (F = 5, O = 14, U = 20, R = 17), filled row-wise:
    [F O]   [ 5 14]
    [U R] = [20 17]

Step 2: write the plain text as column vectors ("hello" padded with z to an even length) and
write their corresponding numbers:
    [h]   [ 7]   [l]   [11]   [o]   [14]
    [e] = [ 4]   [l] = [11]   [z] = [25]

Step 3: multiply each column vector with the key matrix and take each element mod 26.
For example, 91 mod 26: 91/26 = 3.5, 3.5 - 3 = 0.5, 0.5 × 26 = 13; and 208 mod 26:
208/26 = 8, 8 - 8 = 0, 0 × 26 = 0.
    [ 5 14] [ 7]   [ 91]             [13]
    [20 17] [ 4] = [208]  (mod 26) = [ 0]

    [ 5 14] [11]   [209]             [ 1]
    [20 17] [11] = [407]  (mod 26) = [17]

    [ 5 14] [14]   [420]             [ 4]
    [20 17] [25] = [705]  (mod 26) = [ 2]

Step 4: convert each result column vector back to its characters:
    [13]   [n]   [ 1]   [b]   [ 4]   [e]
    [ 0] = [a]   [17] = [r]   [ 2] = [c]

Cipher Text = NABREC
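An added example of the Hill cipher (not code from the original notes) that carries the procedure above through to the decryption step the bullets mention: it builds the 2×2 key matrix row-wise from a four-letter key, multiplies each column vector modulo 26, and computes the inverse matr needed to decrypt. The round trip uses the key "hill", chosen because its matrix is invertible modulo 26; a key whose determinant shares a factor with 26 can encrypt but cannot be decrypted, and the code reports this rather than producing garbage (the page's key "four" has determinant 13, so it is rejected for decryption).

```python
def key_matrix(key):
    """2x2 key matrix from a four-letter key, filled row-wise (A = 0 ... Z = 25)."""
    nums = [ord(c) - ord("A") for c in key.upper() if c.isalpha()]
    if len(nums) != 4:
        raise ValueError("this example uses a four-letter key (2x2 matrix)")
    return [nums[0:2], nums[2:4]]

def det_mod26(m):
    return (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % 26

def inverse_matrix(m):
    """Inverse of a 2x2 matrix modulo 26; it exists only when gcd(det, 26) == 1."""
    d = det_mod26(m)
    try:
        d_inv = pow(d, -1, 26)          # modular inverse (Python 3.8+)
    except ValueError:
        raise ValueError(f"determinant {d} is not invertible mod 26; this key cannot decrypt")
    return [[(m[1][1] * d_inv) % 26, (-m[0][1] * d_inv) % 26],
            [(-m[1][0] * d_inv) % 26, (m[0][0] * d_inv) % 26]]

def is_decryptable(key):
    """Check a key before using it: encryption always works, decryption needs the inverse."""
    try:
        inverse_matrix(key_matrix(key))
        return True
    except ValueError:
        return False

def apply_matrix(m, letters):
    """Multiply each 2x1 column vector of the text by m, reducing every element mod 26."""
    out = []
    for i in range(0, len(letters), 2):
        v = [ord(letters[i]) - 65, ord(letters[i + 1]) - 65]
        out.append(chr((m[0][0] * v[0] + m[0][1] * v[1]) % 26 + 65))
        out.append(chr((m[1][0] * v[0] + m[1][1] * v[1]) % 26 + 65))
    return "".join(out)

def hill_encrypt(plaintext, key):
    letters = "".join(c for c in plaintext.upper() if c.isalpha())
    if len(letters) % 2:
        letters += "Z"                  # pad an odd-length message, as the notes do with "hello"
    return apply_matrix(key_matrix(key), letters)

def hill_decrypt(ciphertext, key):
    return apply_matrix(inverse_matrix(key_matrix(key)), ciphertext.upper())

if __name__ == "__main__":
    print(key_matrix("four"))                       # [[5, 14], [20, 17]], as in Step 1
    print(is_decryptable("four"), is_decryptable("hill"))   # False True
    ct = hill_encrypt("hello", "hill")
    print(ct, "->", hill_decrypt(ct, "hill"))       # DRJIMN -> HELLOZ
```

The invertibility check is the practical caveat of the Hill cipher: the determinant must be coprime to 26 (odd and not divisible by 13), otherwise there is no inverse matrix and ciphertext cannot be recovered.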


v. One-time Pad
• The One-time Pad (Vernam Cipher) is a method of encrypting alphabetic text.
• In this mechanism we assign a number to each character of the plain text (a = 0,
b = 1, c = 2, ..., z = 25). In this algorithm, the length of the key must be equal to the
length of the plain text.

Example:
Plain text: Are you there
Key: this is hello
Step 1: Assign the numbers for both the plaintext and the key
Plain text: A R E Y O U T H E R E
0 17 4 24 14 20 19 7 4 17 4
Key: T H I S I S H E L L O
19 7 8 18 8 18 7 4 11 11 14
Step 2: Add the plain text number and the key number at each position.
19 17 12 42 22 38 26 11 15 28 18
Step 3: If a number is greater than or equal to 26, subtract 26 and rewrite it.
19 17 12 16 22 12 0 11 15 2 18
Step 4: Write the letters for the corresponding numbers
TRMQWMALPCS
Cipher text = TRMQWMALPCS
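The four steps above as an added example (not code from the original notes): letters are mapped to numbers, plaintext and key are added position by position modulo 26, and the result is mapped back to letters; decryption subtracts the key instead. Running it on the page's plaintext and key gives the letter-by-letter sums modulo 26. The example also generates a random key of the right length with `secrets`, since the security of a one-time pad rests on the key being truly random, as long as the message and never reused; a memorable phrase such as "this is hello" serves only to illustrate the arithmetic.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase

def letters_only(text):
    return "".join(c for c in text.lower() if c.isalpha())

def number_rows(plaintext, key):
    """The two rows of numbers from Step 1: plaintext values and key values."""
    p, k = letters_only(plaintext), letters_only(key)
    return [ALPHABET.index(c) for c in p], [ALPHABET.index(c) for c in k]

def otp_encrypt(plaintext, key):
    """Steps 2 to 4: add key to plaintext position by position, reduce mod 26, map to letters."""
    p, k = letters_only(plaintext), letters_only(key)
    if len(k) < len(p):
        raise ValueError("the key must be at least as long as the plaintext")
    return "".join(ALPHABET[(ALPHABET.index(a) + ALPHABET.index(b)) % 26]
                   for a, b in zip(p, k)).upper()

def otp_decrypt(ciphertext, key):
    """Inverse of the encryption: subtract the key position by position, mod 26."""
    c, k = letters_only(ciphertext), letters_only(key)
    if len(k) < len(c):
        raise ValueError("the key must be at least as long as the ciphertext")
    return "".join(ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % 26]
                   for a, b in zip(c, k)).upper()

def random_key(length):
    """A fresh, uniformly random key of `length` letters (use once, then discard)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    plain, key = "Are you there", "this is hello"
    print(number_rows(plain, key))
    ct = otp_encrypt(plain, key)
    print(ct, "->", otp_decrypt(ct, key))
    k = random_key(len(letters_only(plain)))
    print(k, otp_encrypt(plain, k), otp_decrypt(otp_encrypt(plain, k), k))
```

Because every key letter is used exactly once, a ciphertext letter says nothing about the plaintext letter without the key; that property is lost the moment a pad is reused for a second message.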

2. Transposition Method
• Transposition ciphers are a bit different from substitution ciphers.
• In a transposition cipher, the letters are just moved around.
• The letters or words of the plaintext are reordered in some way, fixed by a given rule
(the key).
• One example of a transposition is given below.
Plain Text: meet me Tomorrow
• The plain text is written in diagonal (zigzag) form across two rows, as given below:
The first row: memtmro
The second row: eteoorw
• Combine the first row and the second row.
• Cipher Text: MEMTMROETEOORW
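An added example (not code from the original notes) of the two-row transposition above, written as the general rail-fence cipher so the number of rows is a parameter: letters are dealt zigzag-fashion onto the rows, the rows are concatenated to encrypt, and decryption reconstructs the zigzag pattern to read the letters back in their original order. With two rails it reproduces the page's "meet me Tomorrow" example.

```python
def rail_pattern(length, rails):
    """Row index for each letter position when letters are dealt zigzag over `rails` rows."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if rails > 1:
            if row == 0:
                step = 1
            elif row == rails - 1:
                step = -1
            row += step
    return pattern

def rail_fence_encrypt(plaintext, rails=2):
    """Write the letters diagonally across the rows, then read the rows one after another."""
    letters = "".join(c for c in plaintext.lower() if c.isalpha())
    rows = [[] for _ in range(rails)]
    for ch, row in zip(letters, rail_pattern(len(letters), rails)):
        rows[row].append(ch)
    return "".join("".join(row) for row in rows).upper()

def rail_fence_decrypt(ciphertext, rails=2):
    """Rebuild the zigzag: the pattern tells how many letters each row holds, so the
    ciphertext can be cut into rows and the letters read back in zigzag order."""
    letters = ciphertext.lower()
    pattern = rail_pattern(len(letters), rails)
    counts = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for n in counts:
        rows.append(list(letters[pos:pos + n]))
        pos += n
    next_index = [0] * rails
    out = []
    for row in pattern:
        out.append(rows[row][next_index[row]])
        next_index[row] += 1
    return "".join(out)

def rows_for(plaintext, rails=2):
    """The individual rows, as the notes list them ("memtmro" and "eteoorw")."""
    letters = "".join(c for c in plaintext.lower() if c.isalpha())
    rows = [""] * rails
    for ch, row in zip(letters, rail_pattern(len(letters), rails)):
        rows[row] += ch
    return rows

if __name__ == "__main__":
    print(rows_for("meet me Tomorrow"))                  # ['memtmro', 'eteoorw']
    ct = rail_fence_encrypt("meet me Tomorrow")
    print(ct, "->", rail_fence_decrypt(ct))              # MEMTMROETEOORW -> meetmetomorrow
    ct3 = rail_fence_encrypt("meet me Tomorrow", rails=3)
    print(ct3, "->", rail_fence_decrypt(ct3, rails=3))
```

The only secret in a transposition is the arrangement (here the number of rails), and the ciphertext keeps the plaintext's letter frequencies intact, which is what makes pure transposition weak on its own and why it is usually combined with substitution.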

3. Rotor Machines
• Electric rotor machines were mechanical devices that allowed the use of encryption
algorithms much more complex than the ciphers that were applied by hand.
• They were developed in the middle of the second decade of the 20th century.
• They became one of the most important cryptographic solutions in the world for the
following decades.
• The main idea that lies behind rotor machines is relatively simple.
• One can imagine a simple device, similar to a typewriter, with a number of keys used
to input text, that produces seemingly random text based on the machine's algorithm.

4. Steganography
• Steganography is the technique of hiding secret data within an ordinary, non-secret,
file or message in order to avoid detection.
• The secret data is then extracted at its destination.
• The word steganography is derived from the Greek words steganos (meaning hidden
or covered) and the Greek root graph (meaning to write).
• Since steganography is more of an art than a science, there is no limit to the ways
steganography can be used. Below are a few examples:
i. Playing an audio track backwards to reveal a secret message
ii. Playing a video at a faster frame rate (FPS) to reveal a hidden image
iii. Embedding a message in the red, green, or blue channel of an RGB image
Asymmetric Key Cryptography
Asymmetric cryptography is a cryptographic system that uses pairs of keys: public keys
and private keys. As described under Asymmetric Key Encryption above, you encrypt a
message with the recipient's public key and the recipient decrypts it with their private
key, and they can do the same for you. The public key is derived from the private key
through a one-way function, one that is easy to compute in one direction but very
difficult to compute in reverse, so it is very difficult to work backwards from the public
key and determine the private key.
With public-key cryptography, robust authentication is also possible. A sender can
combine a message with a private key to create a short digital signature on the
message. Anyone with the sender's corresponding public key can check that
message against a claimed digital signature; if the signature matches the message, the
origin of the message is verified.

Confidentiality: This component is often associated with secrecy and the use of
encryption. Confidentiality in this context means that the data is only available to
authorized parties. When information has been kept confidential it means that it has not
been compromised by other parties; confidential data are not disclosed to people who
do not require them or who should not have access to them. Ensuring confidentiality
means that information is organized in terms of who needs to have access, as well as
the sensitivity of the data. A breach of confidentiality may take place through different
means, for instance hacking or social engineering.
Integrity: Data integrity refers to the certainty that the data has not been tampered with or
degraded during or after submission, that is, it has not been subject to unauthorized
modification, whether intentional or accidental. Integrity can be compromised at two
points: while the data is in transit (during upload or transmission) and while it is at rest
(stored in a database, file store or collection). Cryptographic hashes and message
authentication codes are the usual technical means of detecting such changes.

Authentication: In authentication, a user or computer has to prove its identity to the
server or client. Authentication by a server usually requires a user name and
password. Other ways to authenticate include smart cards, retina scans, voice
recognition, and fingerprints.
Non-Repudiation: Non-repudiation is the assurance that someone cannot later deny the
legitimacy of something they did. In cybersecurity it refers to the service that confirms
the origin and integrity of data: using encryption and digital signatures, it ensures that
no party can deny having sent or received a communication, and that a signer cannot
contest the legitimacy of their digital signature on a document.
Non-repudiation therefore provides evidence of the data's origin, authenticity, and
integrity. It gives the receiver proof of who sent the data (non-repudiation of origin) and
can give the sender proof that the data was received (non-repudiation of receipt), so
neither side can dispute that the communication took place or was processed as described.

Digital signatures
A digital signature is a cryptographic output used to verify the authenticity of data. A
digital signature algorithm allows for two distinct operations:

i. A signing operation, which uses a signing key to produce a signature over raw data
ii. A verification operation, where the signature can be validated by a party who has no
knowledge of the signing key

The main purposes of a digital signature are:

i. Verification of the integrity of the signed data (any change to the data invalidates the
signature)
ii. Authentication of origin and non-repudiation: because only the holder of the private
signing key could have produced the signature, the signer cannot credibly claim later
that the signature is not theirs

Digital signatures rely on asymmetric cryptography, also known as public key
cryptography. An asymmetric key consists of a public/private key pair. The private key is
used to create a signature, and the corresponding public key is used to verify the
signature. In practice the data is hashed first and the signature is computed over the
hash, so that documents of any size can be signed.
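The following is an added, runnable illustration of both the public-key encryption described under Asymmetric Key Cryptography and the signing and verification operations described here. It is not from the original notes and is not a production implementation: it uses textbook RSA with two fixed primes (an assumption made for the example) and no padding, which is insecure, but it shows the mechanics end to end: encrypt with the public key and decrypt with the private key, sign with the private key and verify with the public key, and rejection of a tampered message.

```python
"""Toy RSA walk-through of asymmetric encryption and digital signatures.

Added example (not from the original notes). Textbook RSA with two fixed
Mersenne primes so it runs offline with only the standard library. It is NOT
secure: real deployments use 2048-bit+ moduli and padding (OAEP for
encryption, PSS for signatures) from a vetted library.
"""
import hashlib

# Fixed primes, assumed for the example: 2**31-1 and 2**61-1 are both prime.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537  # common public exponent; coprime to (P-1)*(Q-1)


def make_keypair():
    """Return ((n, e), (n, d)). n and e are public; d is derived from p, q and kept private."""
    n = P * Q
    phi = (P - 1) * (Q - 1)        # Euler's totient; computing it needs the factors of n
    d = pow(E, -1, phi)            # private exponent: e*d == 1 (mod phi)
    return (n, E), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Encrypt with the recipient's PUBLIC key: c = m^e mod n. Message must be < n."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Decrypt with the matching PRIVATE key: m = c^d mod n (leading zero bytes are not preserved)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # Hash first so the signature covers arbitrary-length data, then reduce mod n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Sign with the PRIVATE key: s = H(m)^d mod n."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verify with the PUBLIC key: accept only if s^e mod n == H(m) mod n."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(pub, b"hello")
    print("decrypted:", decrypt(priv, c))
    s = sign(priv, b"pay 100")
    print("valid signature :", verify(pub, b"pay 100", s))
    print("tampered message:", verify(pub, b"pay 900", s))
```

Note the asymmetry that the text describes: anyone holding `pub` can encrypt to the key owner and verify the owner's signatures, but only `priv` can decrypt or sign, and `priv` is never transmitted.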
Unit 4
Legal Issues in Cyber Crime
Cyber Law in Nepal
In Nepal, the Nepal Police have been using the Electronic Transactions Act 2063
(hereafter ETA) to regulate cybercrimes. Section 47 of the Act is the most
used section against cybercrime in Nepal. This section stipulates (states clearly) that if
a person publishes or displays material that is against morals or etiquette, or that spreads
hatred or malice, on a computer, the internet or other electronic media, the culprit can be
punished with a fine of up to 1 lakh rupees or imprisonment for up to 5 years, or both.

Section 48 of the Act is also commonly used. It stipulates that if any person who
has access to any record, book, register, correspondence, information, documents or
any other material under the authority conferred by this Act or the Rules framed
under it divulges, or causes to be divulged, the confidentiality of such records, books,
registers, correspondence, information, documents or materials to any unauthorized person,
he/she shall be liable to punishment with a fine not exceeding ten thousand
rupees or imprisonment not exceeding two years, or both, depending on the
degree of the offense.

Security Policies
A security policy is a formal set of rules issued by an organization to ensure that users
who are authorized to access company technology and information assets comply with
the rules and guidelines for protecting information. It is a written document that states
how the organization protects itself from threats and how those threats are handled
when they occur. A security policy is also considered a "living document": it is never
finished, but is continuously updated as the technology and the workforce change.
Need for security policies
1) It increases efficiency
The main benefit of having a policy is greater consistency, which saves time, money
and resources. The policy should inform employees of their individual duties, telling
them what they may and may not do with the organization's sensitive information.
2) It upholds discipline and accountability
When a human mistake occurs and system security is compromised, the organization's
security policy backs up any disciplinary action and supports a case in a court of law.
The organization's policies act as a contract which proves that the organization has
taken steps to protect its intellectual property, as well as its customers and clients.
3) It can make or break a business deal
Companies are commonly asked to provide a copy of their information security policy to
other parties during a business deal that involves the transfer of sensitive information.
This is especially true of larger businesses, which want to ensure that their own security
interests are protected when dealing with smaller businesses that have less mature
security controls in place.
4) It helps to educate employees on security literacy
A well-written security policy can also be seen as an educational document which
informs readers of their responsibility for protecting the organization's sensitive data.
Its content ranges from choosing the right passwords to guidelines for file transfers and
data storage, which raises employees' overall awareness of security and how it can be
strengthened.

Security policies are also the unit of configuration used to manage endpoint and network
security from a central management console. The policy types listed below follow the
structure used by endpoint protection suites (the list matches the policy types of
Symantec Endpoint Protection): default policies of most types are created automatically
during installation, and they can then be customized to suit a specific environment.
1. Virus and Spyware Protection policy
This policy provides the following protection:

• It detects, removes, and repairs the side effects of viruses and other security risks.
• It scans files that users try to download for threats.
• It detects applications that exhibit suspicious behaviour, using SONAR heuristics and
reputation data.

2. Firewall Policy
This policy provides the following protection:

• It blocks unauthorized users from accessing systems and networks that connect to the
Internet.
• It detects attacks by cybercriminals.
• It removes unwanted sources of network traffic.

3. Intrusion Prevention policy
This policy automatically detects and blocks network attacks and browser attacks. It
also protects applications from vulnerabilities. It inspects the contents of network
packets and detects malware that arrives over otherwise legitimate channels.
4. LiveUpdate policy
This policy comes in two types: the LiveUpdate Content policy and the LiveUpdate
Settings policy. Together they determine when and how client computers download
content updates (definitions and engine updates). We can define which servers the
clients contact to check for updates, and schedule when and how often the client
computers check.
5. Application and Device Control
This policy protects a system's resources from applications and manages the peripheral
devices that can attach to a system. The device control policy applies to both Windows
and Mac computers, whereas the application control policy can be applied only to Windows
clients.
6. Exceptions policy
This policy provides the ability to exclude applications and processes from detection by
the virus and spyware scans (an excluded file or process is never inspected, so
exceptions should be kept minimal and reviewed regularly).
7. Host Integrity policy
This policy provides the ability to define, enforce, and restore the security of client
computers to keep enterprise networks and data secure. We use it to ensure that the
client computers which access our network are protected and compliant with company
security policies; for example, the policy can require that a client has antivirus installed
and up to date before it is allowed full access to the network.
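To make the "define, enforce, and restore" cycle of a Host Integrity policy concrete, here is an added example (not the notes' own material and not any vendor's product code) of the check-then-enforce logic such a policy expresses: a set of requirements, an evaluation of a host snapshot against them, the enforcement decision (full access or quarantine), and the remediation steps that would restore compliance. The rule names, thresholds and host snapshots are assumed for illustration; a real agent would read the host state from the operating system and the rules from the management server.

```python
"""Host Integrity check: evaluate an endpoint against policy, enforce, and list remediation.

Added example (not from the original notes, not the code of any product).
Rules, thresholds and host records are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class HostState:
    """Constructed snapshot of one endpoint, as an agent might report it."""
    hostname: str
    antivirus_installed: bool
    av_definitions_date: date        # date of the newest virus definitions on the host
    firewall_enabled: bool
    missing_critical_patches: int
    os_supported: bool


def host_integrity_policy(max_definition_age_days: int = 7):
    """The 'define' step: each rule is (name, predicate(host, today), remediation action)."""
    return [
        ("antivirus-installed",
         lambda h, today: h.antivirus_installed,
         "install the endpoint antivirus client"),
        ("definitions-current",
         lambda h, today: h.antivirus_installed
         and (today - h.av_definitions_date).days <= max_definition_age_days,
         "pull current virus definitions (LiveUpdate)"),
        ("firewall-enabled",
         lambda h, today: h.firewall_enabled,
         "enable the host firewall policy"),
        ("patched",
         lambda h, today: h.missing_critical_patches == 0,
         "install missing critical patches"),
        ("supported-os",
         lambda h, today: h.os_supported,
         "upgrade to a supported OS version before reconnecting"),
    ]


def evaluate(host: HostState, policy, today: date):
    """Return (compliant, failed_rule_names, remediation_steps) for one host."""
    failed, steps = [], []
    for name, check, fix in policy:
        if not check(host, today):
            failed.append(name)
            steps.append(fix)          # the 'restore' step: what must happen to pass again
    return (not failed), failed, steps


def network_access(host: HostState, policy, today: date) -> str:
    """The 'enforce' step: a non-compliant host gets quarantined (remediation network only)."""
    compliant, _, _ = evaluate(host, policy, today)
    return "full" if compliant else "quarantine"


def sample_hosts():
    """Constructed evaluation date and two hosts: one compliant, one stale and unpatched."""
    today = date(2024, 6, 1)
    good = HostState("ws-01", True, date(2024, 5, 30), True, 0, True)
    stale = HostState("ws-02", True, date(2024, 4, 1), False, 3, True)
    return today, good, stale


if __name__ == "__main__":
    today, good, stale = sample_hosts()
    policy = host_integrity_policy()
    for h in (good, stale):
        ok, failed, steps = evaluate(h, policy, today)
        status = "compliant" if ok else f"FAILED {failed} -> remediate: {steps}"
        print(f"{h.hostname}: {status}; network access = {network_access(h, policy, today)}")
```

The point a practitioner should take from this: the check and the enforcement are separate, and the remediation list is produced by the same evaluation, so the host can be moved from quarantine back to full access automatically once it passes again.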

Managing Risk
Cyber risk management, also called cybersecurity risk management, is the process of
identifying, prioritizing, managing, and monitoring risks to information
systems. Companies across industries use cyber risk management to protect
information systems from cyberattacks and other digital and physical threats.
These risks cannot be eliminated, but cyber risk management programs can help
reduce the impact and likelihood of threats. Companies use the cybersecurity risk
management process to pinpoint their most critical threats and select the right IT
security measures based on their business priorities, IT infrastructures, and resource
levels.
Risk Management Process
1. Risk framing
Risk framing is the act of defining the context in which risk decisions are made. By
framing risk at the outset, companies can align their risk management strategies with
their overall business strategies. This alignment helps avoid ineffective and expensive
mistakes, like deploying controls that interfere with key business functions.
2. Risk assessment
Companies use cybersecurity risk assessments to identify threats and vulnerabilities,
estimate their potential impacts, and prioritize the most critical risks. How a company
conducts a risk assessment will depend on the priorities, scope, and risk tolerance
defined in the framing step.
3. Responding to risk
The company uses the risk assessment results to determine how it will respond to
potential risks. Risks deemed highly unlikely or low-impact may simply be accepted, as
investing in security measures may be more expensive than the risk itself. Likely risks
and risks with higher impacts will usually be addressed.
4. Monitoring
The organization monitors its new security controls to verify that they work as intended
and satisfy relevant regulatory requirements.
The organization also monitors the broader threat landscape and its own IT ecosystem.
Changes in either one—the emergence of new threats, the addition of new IT assets—
can open up new vulnerabilities or make previously effective controls obsolete. By
maintaining constant surveillance, the company can tweak its cybersecurity program
and risk management strategy in nearly real time.
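As an added worked example of the assessment and response steps above (not from the original notes), the following goes slightly beyond the text by using the standard quantitative model: single loss expectancy (SLE) = asset value × exposure factor, and annualized loss expectancy (ALE) = SLE × annualized rate of occurrence (ARO). Risks are ranked by ALE, and the response is chosen the way the text describes: accept when the expected loss is within the risk tolerance set during framing, mitigate when a control removes more expected loss than it costs, and escalate (transfer or avoid) otherwise. All figures in the register are constructed for illustration.

```python
"""Quantitative risk assessment (step 2) and response selection (step 3).

Added example, not from the original notes. Uses the ALE model:
    SLE = asset value * exposure factor   (loss per incident)
    ALE = SLE * ARO                       (expected loss per year)
A control is worth buying when the ALE it removes exceeds its annual cost.
All risk figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float        # value of the affected asset
    exposure_factor: float    # fraction of the value lost per incident (0..1)
    aro: float                # annualized rate of occurrence (incidents per year)
    control_cost: float       # annual cost of the candidate control
    control_effect: float     # fraction of the ALE the control removes (0..1)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        return self.ale * (1 - self.control_effect)


def decide(risk: Risk, tolerance: float) -> str:
    """Step 3: pick a response using the risk tolerance fixed in the framing step.

    accept   - expected annual loss already within tolerance
    mitigate - the control removes more expected loss than it costs
    escalate - above tolerance but the control is not worth its cost: transfer
               (insurance) or avoid (stop the activity) instead
    """
    if risk.ale <= tolerance:
        return "accept"
    if risk.ale - risk.residual_ale > risk.control_cost:
        return "mitigate"
    return "escalate"


def assess(risks, tolerance: float):
    """Step 2: rank risks by ALE, highest first, and attach a decision to each."""
    ranked = sorted(risks, key=lambda r: r.ale, reverse=True)
    return [(r.name, round(r.ale, 2), decide(r, tolerance)) for r in ranked]


def sample_register():
    """Constructed risk register for a small company (illustrative figures only)."""
    return [
        Risk("ransomware on file server", 500_000, 0.6, 0.2, 20_000, 0.8),
        Risk("lost unencrypted laptop", 50_000, 0.5, 1.0, 4_000, 0.9),
        Risk("website defacement", 10_000, 0.3, 0.5, 6_000, 0.5),
        Risk("office printer compromise", 2_000, 0.5, 0.1, 3_000, 0.9),
    ]


if __name__ == "__main__":
    for name, ale, action in assess(sample_register(), tolerance=1_000):
        print(f"{name:30s} ALE={ale:>10,.2f}  -> {action}")
```

The "website defacement" row is the instructive one: it is above tolerance, yet the proposed control would cost more than the loss it prevents, which is exactly the case the text describes where spending on a security measure is more expensive than the risk itself.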

Information Security Process


Information security is a process that moves through phases building and strengthening
itself along the way.
Security is a journey not a destination. Although the Information Security process has
many strategies and activities, we can group them all into three distinct phases -
prevention, detection, and response.
The ultimate goal of the information security process is to protect three unique attributes
of information. They are:

• Confidentiality: Information should only be seen by those persons authorized to see it.
Information may be confidential because it is proprietary information created and owned
by the organization, or because it is customers' personal information that must be kept
confidential due to legal responsibilities.
• Integrity: Information must not be corrupted, degraded, or modified. Measures must be
taken to insulate information from accidental and deliberate change.
• Availability: Information must be kept available to authorized persons when they need it.

• Prevention: Preventing an incident requires careful analysis and planning. Information is an
asset that requires protection commensurate with its value. Security measures must be taken
to protect information from unauthorized modification, destruction, or disclosure, whether
accidental or intentional. During the prevention phase, security policies, controls and
processes should be designed and implemented.
• Detection: Detection of a system compromise is extremely critical. With the ever-increasing
threat environment, no matter what level of protection a system may have, it will get
compromised given a sufficient level of attacker motivation and skill. Intrusion detection
systems (IDS) are used for this purpose: an IDS monitors system and network activity and
notifies responsible persons when that activity warrants investigation.
• Response: For the detection process to have any value there must be a timely response. The
response to an incident should be planned well in advance; making important decisions or
developing policy while under attack is a recipe for disaster. Many organizations spend a
tremendous amount of money and time preparing for disasters such as tornados, earthquakes,
fires and floods, and the same discipline applies to security incidents. A Computer Security
Incident Response Team (CSIRT) should be established with specific roles and responsibilities
identified. These roles should be assigned to competent members of the organization. A team
leader/manager should be appointed and given the responsibility of declaring an incident,
coordinating the activities of the CSIRT, and communicating status reports to upper management.
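The detection phase above says an IDS "monitors system activity and notifies responsible persons when activities warrant investigation". Here is an added example (not from the original notes, and not the code of any IDS product) of one such detection rule run over constructed OpenSSH authentication log lines: a sliding-window count of failed logins per source address that raises an alert once a threshold is crossed, and raises it only once per source so responders are not paged for every further attempt. The syslog line format and the sample addresses are assumptions for the example.

```python
"""Detection phase: a small log-based detector for password-guessing attacks.

Added example, not from the original notes or any IDS product. It runs over
constructed auth-log lines in the usual OpenSSH/syslog format and alerts when
one source IP produces too many failed logins inside a sliding time window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" line; syslog prefix "Mon DD HH:MM:SS host sshd[pid]:" assumed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: six failures from 203.0.113.5 within 40 s, plus unrelated noise.
SAMPLE_LOG = """\
Jun  1 10:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun  1 10:00:07 srv1 sshd[2102]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jun  1 10:00:12 srv1 sshd[2103]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun  1 10:00:15 srv1 sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Jun  1 10:00:21 srv1 sshd[2105]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jun  1 10:00:30 srv1 sshd[2106]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Jun  1 10:00:33 srv1 sshd[2107]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jun  1 10:00:41 srv1 sshd[2108]: Failed password for invalid user oracle from 203.0.113.5 port 51005 ssh2
"""


def parse_failed(line: str, year: int = 2024):
    """Return (timestamp, user, ip) for a failed-password line, else None.

    syslog omits the year, so one is assumed; a real collector takes it from context.
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60):
    """Sliding-window rule: alert once when an IP reaches `threshold` failures within `window_s`.

    Returns a list of (ip, first_failure_in_window, failure_count_at_alert, users_tried).
    """
    recent = defaultdict(deque)       # ip -> timestamps of failures still inside the window
    users = defaultdict(set)          # ip -> user names attempted
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        parsed = parse_failed(line)
        if parsed is None:
            continue                  # accepted logins and other lines are not failures
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)           # one alert per source, not one per matching line
            alerts.append((ip, q[0], len(q), sorted(users[ip])))
    return alerts


if __name__ == "__main__":
    for ip, since, n, names in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: brute force from {ip}: {n} failures since {since:%H:%M:%S}, users tried {names}")
```

Tuning `threshold` and `window_s` is the usual trade-off between missed attacks and false positives; the distinct user names carried in the alert are what lets a responder tell credential stuffing (many users) from a single forgotten password.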

Information Security Best Practice


1. Install anti-virus software and keep all computer software patched. Update operating
systems, applications, and antivirus software regularly.
2. Use strong passwords and don't reuse the same password for different accounts.
3. Log out of shared or public computers (office, hotel, café, etc.) when you are done.
4. Back up important information and verify that you can restore it.
5. Keep personal information safe.
6. Be wary of suspicious e-mails and never respond to e-mails asking you to
disclose personal information.
7. Pay attention to browser warnings, shop smart online and don't click on everything.
8. Download files legally and only from legitimate sources.
9. Secure your laptop, smartphone and other mobile devices (screen lock, encryption).
10. Never leave devices unattended.

Unit 5
Forensics and Incident Analysis
Cyber Forensics
Cyber forensics is the science of collecting, inspecting, interpreting, reporting, and
presenting computer-related electronic evidence. Evidence can be found on a hard
drive, in deleted files, in memory, or in logs.
It is the process of acquiring, examining, and analyzing data from a system or device so
that the findings can be documented and presented in court.
During an examination it is critical to first create a forensic image (a bit-for-bit copy) of
the system's storage media and to verify that copy with a cryptographic hash. The
purpose of a detailed cyber forensics investigation is to determine what happened and
who is responsible for a security breach. The entire inquiry is carried out on the copy,
so that the original evidence is not altered. In the technological age, cyber forensics has
become an indispensable discipline.

Common computer forensics techniques


When conducting an investigation and analysis of evidence, computer forensics
specialists use various techniques; here are a few examples:

• Deleted file recovery. This technique involves recovering and restoring files or fragments
deleted by a person, either accidentally or deliberately, or by a virus or malware. Deleting
a file usually only removes its directory entry, so the data remains on disk until overwritten.
• Reverse steganography. Steganography is the practice of hiding data inside a digital message
or file. In reverse steganography, forensic specialists look for such hidden data, for example by
comparing a file's hash and contents against a known-good copy: a cryptographic hash is a
fixed-length string derived from the data which changes if the file is altered in any way,
even when the change is invisible to a viewer.
• Cross-drive analysis. This technique involves analyzing data across multiple computer
drives. Strategies like correlation and cross-referencing are used to compare events from
computer to computer and detect anomalies.
• Live analysis. This technique involves analyzing a running computer's volatile data, which is
data stored in RAM (random access memory) or cache memory. This helps pinpoint the
cause of abnormal computer behaviour or network traffic.
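The following added example (not from the original notes) ties together the steganography example given earlier, "embedding a message in the red, green, or blue channel of an RGB image", and the reverse-steganography check described above. It hides a message in the least significant bits of the blue channel, extracts it again, and then shows what the examiner sees: no pixel value changed by more than 1, so the picture looks identical, yet the SHA-256 of the pixel data no longer matches the original. The image is a constructed in-memory list of (r, g, b) pixels so that it runs with only the standard library; a real file would be loaded with an imaging library.

```python
"""LSB steganography in an RGB image, and the hash check that reveals it.

Added example, not from the original notes. Hides a message in the blue
channel's least significant bits (the technique listed earlier in the notes)
and shows the hash-comparison check used in reverse steganography. The image
is a constructed list of (r, g, b) tuples; no image library is needed.
"""
import hashlib

CHANNEL = 2   # index of the blue channel in an (r, g, b) tuple


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, message: bytes):
    """Return a copy of `pixels` with `message` hidden in the blue channel's LSBs.

    A 4-byte big-endian length prefix is written first so the extractor knows
    where the message ends. One bit per pixel, so capacity is len(pixels)//8 - 4 bytes.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("message too long for this carrier")
    out = [list(p) for p in pixels]
    for px, bit in zip(out, _bits(payload)):
        px[CHANNEL] = (px[CHANNEL] & 0xFE) | bit     # overwrite only the lowest bit
    return [tuple(p) for p in out]


def extract(pixels) -> bytes:
    """Read the blue-channel LSBs back and return the hidden message."""
    def read_bytes(start, count):
        value = 0
        for px in pixels[start * 8:(start + count) * 8]:
            value = (value << 1) | (px[CHANNEL] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(0, 4), "big")
    if (4 + length) * 8 > len(pixels):
        raise ValueError("no well-formed payload in this image")
    return read_bytes(4, length)


def image_hash(pixels) -> str:
    """SHA-256 over the raw pixel bytes; any single-bit change alters it."""
    raw = bytes(c for px in pixels for c in px)
    return hashlib.sha256(raw).hexdigest()


def max_channel_delta(a, b) -> int:
    """Largest per-channel difference between two images (at most 1 for pure LSB embedding)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def sample_cover(width=64, height=8):
    """Constructed gradient 'image': deterministic, no files needed."""
    return [((x * 4) % 256, (y * 32) % 256, (x + y) % 256)
            for y in range(height) for x in range(width)]


if __name__ == "__main__":
    cover = sample_cover()
    stego = embed(cover, b"meet at 9")
    print("hidden message :", extract(stego))
    print("max pixel change:", max_channel_delta(cover, stego))
    print("cover hash:", image_hash(cover)[:16], " stego hash:", image_hash(stego)[:16])
```

The hash comparison only works when a trusted original exists to compare against; without one, an examiner falls back on statistical tests of the LSB plane, since a natural image's low bits are not uniformly random while an embedded payload usually is.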
Digital Evidence Collection
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:

• Data collection: In this step data is identified and collected for investigation.
• Examination: In the second step the collected data is examined carefully.
• Analysis: In this step different tools and techniques are used and the collected evidence
is analyzed to reach a conclusion.
• Reporting: In this final step all the documentation and reports are compiled so that they
can be submitted in court.

There are two types of data that can be collected in a computer forensics investigation:

• Persistent data: Data stored on non-volatile storage such as a local hard drive or external
storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on these devices is
preserved even when the computer is turned off.
• Volatile data: Data stored in volatile memory such as registers, cache or RAM, or data in
transit over the network, which is lost once the computer is turned off or loses power. Since
volatile data is ephemeral, it is crucial that an investigator knows how to reliably capture it,
and collects it first (in order of volatility) before a system is powered down.
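As an added example of the collection step (not from the original notes), the block below builds a collection manifest the way an acquisition should be recorded: artifacts are ordered so that the most volatile are captured first, every artifact is hashed at the moment of collection, and the manifest can later be re-checked against the working copies to prove nothing changed between collection and analysis. The artifacts are constructed byte strings standing in for a memory capture, a disk image, network state and a log file; an investigator would produce the real ones with imaging tools and a write-blocker.

```python
"""Evidence collection: acquire in order of volatility, hash at acquisition, verify later.

Added example, not from the original notes. The artifacts are constructed
byte strings; real ones would be raw dumps produced by acquisition tools.
"""
import hashlib

# Lower rank = more volatile = collect first (volatile data is lost on power-off).
VOLATILITY = {"memory": 0, "network-state": 1, "disk-image": 2, "logs": 3}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(artifacts: dict, collector: str, when: str):
    """Build a collection manifest: artifacts ordered by volatility, each hashed at acquisition.

    `artifacts` maps name -> (kind, bytes); `when` is an ISO-8601 timestamp string.
    Returns the manifest as a list of dicts, one per artifact, in collection order.
    """
    ordered = sorted(artifacts.items(), key=lambda kv: VOLATILITY[kv[1][0]])
    manifest = []
    for seq, (name, (kind, data)) in enumerate(ordered, start=1):
        manifest.append({
            "seq": seq, "name": name, "kind": kind, "size": len(data),
            "sha256": sha256_hex(data),          # recorded once, at acquisition
            "collected_by": collector, "collected_at": when,
        })
    return manifest


def verify(manifest, artifacts: dict):
    """Re-hash the working copies; return the names whose hash no longer matches the manifest."""
    mismatched = []
    for entry in manifest:
        _kind, data = artifacts[entry["name"]]
        if sha256_hex(data) != entry["sha256"]:
            mismatched.append(entry["name"])
    return mismatched


def sample_artifacts():
    """Constructed stand-ins for real acquisitions."""
    return {
        "auth.log":    ("logs", b"Jun  1 10:00:07 srv1 sshd[2102]: Failed password for root from 203.0.113.5\n"),
        "sda.raw":     ("disk-image", b"\x00" * 512 + b"NTFS    " + b"\x00" * 504),
        "mem.dump":    ("memory", b"lsass.exe\x00cmd.exe /c whoami\x00"),
        "netstat.txt": ("network-state", b"tcp 10.0.0.5:445 203.0.113.5:4444 ESTABLISHED\n"),
    }


if __name__ == "__main__":
    evidence = sample_artifacts()
    manifest = acquire(evidence, "analyst-1", "2024-06-01T10:30:00")
    for e in manifest:
        print(e["seq"], e["kind"].ljust(14), e["name"].ljust(12), e["sha256"][:16])
    print("pristine copies, mismatches:", verify(manifest, evidence))
    tampered = dict(evidence)
    tampered["auth.log"] = ("logs", evidence["auth.log"][1] + b"extra line\n")
    print("edited log, mismatches:     ", verify(manifest, tampered))
```

The manifest is what the reporting step later relies on: an artifact whose hash cannot be matched back to its acquisition record has no provable chain of custody and is open to challenge in court.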

Evidentiary Reporting
All incidents should be reported to management as soon as possible. Prompt internal
reporting is crucial to collect and preserve potential evidence. It is important that
information about the investigation be limited to as few people as possible. Information
should be given on a need-to-know basis, which limits the possibility of the investigation
being leaked. In addition, all communications related to the incident should be made
through an out-of-band method to ensure that the intruder does not intercept any
incident-related information. In other words, Email should not be used to discuss the
investigation on a compromised system. Based on the type of crime and type of
organization it may be necessary to notify:

• Executive management.
• The information security department.
• The physical security department.
• The internal audit department.
• The legal department.
Incident Preparation

Preparation is the key to effective incident response.
Even the best incident response team cannot effectively address an incident without
predetermined guidelines.
A strong plan must be in place to support the team. In order to successfully address
security events, these features should be included in an incident preparation plan:

• Develop and Document IR Policies: Establish policies, procedures, and agreements
for incident response management.
• Define Communication Guidelines: Create communication standards and
guidelines to enable seamless communication during and after an incident.
• Incorporate Threat Intelligence Feeds: Perform ongoing collection, analysis,
and synchronization of threat intelligence feeds.
• Conduct Cyber Hunting Exercises: Conduct operational threat hunting
exercises to find incidents already occurring within the environment. This allows for more
proactive incident response.
• Assess Threat Detection Capability: Assess current threat detection capability
and update risk assessment and improvement programs.

Incident Detection and Analysis

Incident detection is the process of identifying, investigating and recovering from a
cyber-attack.
Sometimes, even the best defenses are breached and sensitive data is
compromised.
The incident detection and analysis process focuses on these key areas:

• Ensuring threat actors are no longer present in the network,
• Developing and implementing the incident response plan,
• Identifying the scope of the breach and the data impacted,
• Closing the vulnerability that allowed the data breach to occur.

Questions to address during incident detection and analysis

When did the event happen?
How was it discovered?
Who discovered it?
Have any other areas been impacted?
What is the scope of the compromise?
Does it affect operations?
Has the source (point of entry) of the event been discovered?
Have artifacts/malware from the attacker been securely removed?
Has the system been hardened, patched, and updates applied?
Can the system be re-imaged?
Containment, Eradication, and Recovery
Containment

• Once a threat has been identified, the IR (incident response) team should work to
contain the threat to prevent further damage to other systems and the organization
at large.
• The responder quickly isolates any infected machine and, if possible, backs up any
critical data on it, preserving evidence before remediation changes it.
• Next, a temporary fix should be implemented on an infected machine to prevent the
threat from escalating. The goal is to minimize the impact of the threat.
• Damaged systems are removed from production, devices are isolated, compromised
accounts are locked down: the bleeding stops here.

Eradication

• Eradication is removing the threat and remediating any damage discovered in the
identification phase.
• This is normally done by restoring systems from backup and re-imaging workstation
systems.
• It's important to note that proper eradication of a cyber infection should be done by
trained professionals and should only be done after a comprehensive investigation into
the incident is completed, so that all of the attacker's footholds are known.
• During the eradication phase, the IR team should also document all actions
taken to eradicate the threat.
• In addition, the network's defenses should be improved so that the same
incident doesn't occur again.

Recovery

• Recovery is the testing of the fixes made in the eradication phase and the transition back
to normal operations.
• Vulnerabilities are remediated, and compromised accounts have their passwords changed or
are removed altogether and replaced with more secure methods of access.
• At the recovery stage, any production systems affected by the threat are brought
back online.
• This includes any data recovery or restoration efforts that need to take place.
• To ensure that they are back to normal operation, test, check, and monitor the affected
systems.

Proactive and Post Incident Cyber Services

This step provides the opportunity to learn from experience so we can better
respond to future security events.
Look at the incident with a humble but critical eye to identify areas for
improvement, then add those improvements to the documentation.
A central part of the incident response methodology is learning from previous
incidents to improve the process.
This means analyzing and documenting everything about the breach: determine what
worked well in the response plan, and where there were holes.
Lessons learned from both mock and real events will help strengthen systems
against future attacks.
