Pre mid sem assignment : Paper 1 :

Cyber law and IRM

Submitted by : M S AKHILRAJ
 1) What is Computer Security Incident? List types of it.

An incident that poses a real or potential risk to the privacy, availability, or integrity of an information
system or the data it processes, stores, or transmits; or one that violates or poses a serious risk of
violating security guidelines, protocols, or acceptable use policies.

Types:

 Insider threats
 Viruses
 Computer worms and Trojans
 Botnets
 Phishing attacks
 Ransomware attacks
 Exploit kits
 Malvertising
 Advanced persistent threats (APTs)
 Distributed denial-of-service attacks

2) List seven stages of incident response

Preparation: Developing the policies, guidelines, and tools necessary for effective incident reaction is
part of preparation. It includes developing an emergency response strategy, including responsibilities
and roles, identifying key personnel, and setting up channels of communication.

Detection and analysis: Use intrusion detection systems, log monitoring, network monitoring, or user
reporting to notice a security occurrence. The incident response team should look into any
discovered events to determine the type and seriousness of the problem.

Containment and mitigation: After the occurrence is verified, the focus shifts to containing the
problem to prevent damage or unauthorized access in the future. This means limiting the impact by
isolating and terminating affected systems or by implementing other suitable actions. It is possible to
decrease the incident's potential harm immediately by putting certain mitigation methods into
practice.

Investigation : Investigate thoroughly to ascertain the origin, extent, and nature of the incident. This
include obtaining information, performing forensic examination, reviewing logs, identifying the
exploited access point, and identifying vulnerabilities. The goal is to gather information that will aid
in averting similar circumstances in the future.

Reporting and communication: Encouraging communication is essential to the incident response

procedure. Regular information sharing should be done with management, IT teams, legal counsel,
and, if necessary, law enforcement authorities. Compose a concise report that explains the incident,
the steps taken, and the lessons learned.

Recovery: Once the situation has been managed and looked into, concentrate on getting things back
to normal. Eliminate any potentially harmful or suspicious activity, reconstruct or repair impacted
systems, and confirm their accuracy. The incident response team and IT personnel are in charge of
applying any security upgrades, patches, or modifications that are required in order to stop future
occurrences of the same or similar situations.
Reviews and Improvements: Reviewing the incident and coming to insightful conclusions to improve
security protocols constitutes the last phase. By identifying vulnerabilities, weaknesses, and holes in
the current systems and networks, organizations can take proactive measures to strengthen their
defenses, enhance incident response capabilities, and defend against similar incidents in the future.

3) How can you properly Identify the incident?

Identifying potential security incidents relies on a series of critical indicators. Firstly, it entails a
thorough review of system and network accounting logs, seeking out entries that deviate from the
norm and suggest unusual activities. Secondly, a high number of unsuccessful login attempts per
user, typically exceeding three, can raise suspicions as it may signify unauthorized access attempts by
malicious entities. Thirdly, special attention should be paid to unexplained new user accounts,
especially when dealing with compromised administrative accounts. Furthermore, the sudden
appearance of new files in system directories, without clear justification, can be a cause for concern,
as these additions may be surreptitious. Additionally, the presence of unfamiliar file names, not in
line with typical modern operating systems, may indicate potential malware events. Alterations to
file names and dates, particularly within system executable files, serve as red flags, since hackers
often rename malicious files to blend in with legitimate ones. The review of Intrusion Detection
System (IDS) alerts and alarms is vital, as they may provide early indications of malicious or harmful
activity. External notifications from outside users or emergency personnel can also serve as valuable
early warnings. Lastly, e-mail flooding, a common feature of worm events, may shed light on the
access methods and techniques employed by malicious actors. Together, these indicators play a
crucial role in the determination of whether an event should be classified as a security incident or an
anomalous occurrence.

4) List and explain Incident Categories by Type of Incident. [Low, Medium &
High]

Low level : incidents are characterized by their low severity, having minimal impact on the
organization, and often being isolated and manageable by first-level support staff. These incidents
encompass minor occurrences like spam emails, minor network issues, routine malware infections
that can be easily resolved with antivirus software, minor policy violations such as using personal
email at work, and low-level phishing attacks that lack the sophistication to cause significant harm or
data compromise. They typically do not require substantial resources or specialized expertise, posing
only a slight disruption to the organization's operations.

Medium level incidents significantly impact an organization and demand more resources and
expertise for resolution compared to Level 1 incidents. They encompass cases like malware infections
affecting specific departments or locations, successful phishing attacks resulting in sensitive data
compromise, unauthorized access to critical systems or data, denial of service (DoS) attacks
disrupting services within a department or location, and insider threats involving intentional or
unintentional security breaches. These incidents necessitate extensive investigation and remediation
efforts due to their substantial consequences on an organization's operations and reputation.

High level severity incidents have a profound and immediate impact on the organization, demanding
swift responses from senior management and specialized incident response teams. These incidents
encompass major data breaches, extensive malware outbreaks affecting multiple departments or
locations, ransomware attacks, disruptions to critical infrastructure, and breaches involving large
volumes of sensitive information. Their catastrophic effects endanger an organization's reputation,
financial stability, or public safety. Determining the severity level depends on factors like potential
impact, scope, assets affected, and legal consequences. Establishing consistent severity level
definitions is crucial for resource allocation and effective response protocols, while regular updates
reflect evolving threats and operational changes.

5) Write the steps a responder needs to follow while securing and evaluating
the scene.

■ The first responder should adhere to departmental policy for securing crime scenes when
assessing and securing the scene.

■ As soon as possible, secure every electronic device—personal as well as portable.

■ Make sure that no electronic equipment at the crime site is accessible to unauthorized individuals.

■ Turn down offers of support or technical assistance from unapproved parties.

■ Clear the area around the crime scene and any areas where evidence needs to be gathered of all
people.

Make sure that no electronic device has had its condition changed.

■ If a computer or other electronic equipment is already off, leave it that way.

6) Write the steps a responder needs to follow while packing digital evidence for
transportation

 Document Everything: Write down, label, photograph, or record all digital evidence before
packing it. Make sure to label connections and devices for easy reassembly.
 Preserve Other Evidence: Keep in mind that digital evidence might also contain other types
of evidence like latent, trace, or biological. Protect these before processing digital evidence.
 Use the Right Packaging: Put digital evidence in antistatic packaging, like paper bags,
cardboard boxes, or antistatic containers. Avoid plastic, as it can generate static electricity
and cause damage
 Prevent Damage: Pack digital evidence carefully to avoid bending, scratching, or other
damage.
 Label Clearly: Label all containers used for digital evidence storage properly.
 Handle Phones: Keep cellular, mobile, or smart phones in the same power state (on or off) as
you found them
 Block Signals: Use signal-blocking materials like Faraday bags, shielding material, or
aluminum foil to stop phones from sending or receiving data.
 Gather Accessories: Collect all power supplies and adapters for electronic devices you seize.

7) Explain the NIST Incident Response Lifecycle flowchart.

The NIST Incident Response Lifecycle flowchart provides a well-defined roadmap for organizations to
adeptly address cybersecurity incidents. It underscores the significance of readiness, timely
identification and examination, containment, communication, recovery, post-incident assessment,
and adherence to legal and reporting obligations. Adhering to this flowchart aids organizations in
incident management and enhances their cybersecurity readiness

 Preparation: The lifecycle initiates with preparation, involving the establishment of an

incident response policy, formation of an incident response team, and the implementation of
training and awareness initiatives. The goal is to ensure the organization is well-prepared to
respond effectively to any incident.
  Detection and Analysis: This phase revolves around the identification and examination of
potential incidents. It encompasses continuous monitoring, the detection of suspicious
activities, and the collection of data and evidence to assess the incident's scope and impact.
 Containment, Eradication, and Recovery: When an incident is confirmed, the organization
focuses on containing it to prevent further harm. This may involve isolating affected systems,
removing malware, and restoring systems to their normal operational state.
 Coordination and Notification: Effective communication and collaboration are crucial. The
incident response team collaborates to address the incident, and any legal or regulatory
obligations for incident notification are addressed
 Recovery and Lessons Learned: After containing the incident, the emphasis shifts to recovery.
Systems are brought back to their standard operational state. Concurrently, a post-incident
analysis is conducted to identify lessons learned and areas for enhancement.
 Post-Incident Activity: This phase encompasses analyzing the incident, uncovering root
causes, and implementing improvements in security policies and procedures to prevent
similar incidents in the future.
 Evidence Collection and Legal Actions: If legal actions are necessary, evidence must be
gathered and preserved using forensically sound practices to support investigations and
potential legal proceedings.
 Documentation and Reporting: Comprehensive records are maintained throughout the
incident response process, which are pivotal for reporting the incident to relevant parties,
regulatory entities, or law enforcement
 Incident Closure: The lifecycle culminates with the official closure of the incident. The
organization verifies that the incident has been comprehensively addressed, all required
actions are completed, and systems and operations are returned to their usual state.

8) Discuss Information system vulnerabilities.

Vulnerabilities represent weaknesses within a system or its design that can be exploited by an
unauthorized user to execute commands, gain unauthorized access to data, or carry out denial-of-
service attacks. These vulnerabilities can manifest in various aspects of a system, including hardware,
software, policies, procedures, and even the behaviour of system users. Hardware-related
vulnerabilities often stem from compatibility and interoperability issues and can be time-consuming
to rectify. Software vulnerabilities are typically found in operating systems, application software, and
control software such as communication protocols and device drivers. These software design flaws
can be attributed to factors like human errors and the complexity of software. Technical
vulnerabilities, on the other hand, are often a result of human weaknesses.No system is inherently
immune to cyber threats, and overlooking the risks due to complacency, negligence, or
incompetence can lead to severe consequences.

9) . Discuss Information security attacks and their types.

Because of the impact on vital infrastructure and data, cyberattacks are a significant problem in the
cyber world that require attention. Cybersecurity risks, or "cyber-attacks," are on the rise along with
technology, endangering consumers' security when utilizing these tools. Cyberattacks and dangers
are challenging to recognize and stop. Users are therefore not adopting new technologies because of
the frequent cyberattacks and lower data security. A cyber-attack occurs when someone intentionally
tries to obtain unauthorized access to a computer.

2 types : Untargetted and targeted

Untargeted attacks are characterized by attackers casting a wide net, targeting potential users and
services without discrimination. These attackers identify vulnerabilities within the services or
networks they encounter and make use of various tactics, including:

 Phishing: This deceptive method involves sending fraudulent emails to numerous users,
soliciting personal information such as banking or credit card details. The emails often lure
recipients to counterfeit websites with enticing offers, tricking them into providing sensitive
information.
 Water Holing: Attackers create counterfeit or compromised websites, sometimes infiltrating
legitimate ones, to exploit the personal data of unsuspecting visitors.
 Ransomware: These attacks distribute malicious software that encrypts the data on a victim's
disk, with the attackers demanding a ransom for decryption.
 Scanning: In this approach, attackers launch random assaults across large portions of the
internet, seeking vulnerabilities and potential targets.

Targeted attacks are tailored to specific individuals in the cyber realm and involve tactics such as:

 Spear-phishing: Attackers send targeted individuals links to malicious software and

advertisements through email, enticing them to download harmful software.
 Botnet Deployment: They leverage botnets to execute Distributed Denial of Service
(DDoS) attacks, disrupting online services.
 Subverting the Supply Chain: Attackers target the network or software being delivered to
an organization. Typically, they begin by using tools and techniques to probe systems and
identify service vulnerabilities.

10) What is Threat? List types of different Threats

Cybersecurity risks include a broad spectrum of possibly unlawful online activity. Utility assets are
vulnerable to cyber security risks that have been known for decades. The protection of vital facilities
has received attention as a result of the terrorist assaults. Sensitive information leaks, fraud, and
catastrophic interruptions can result from insecure computer systems. Cyber risks arise when
persons with unauthorized access take advantage of weaknesses in cyber systems .Crimes that
directly target computer networks or services include malware, viruses, and denial-of-service attacks.
Other crimes that are made possible by networks or devices include fraud, identity theft, phishing
schemes, and cyberstalking.

 Cyber Theft: Also known as hacking, this type of cyberattack is most frequently committed by
gaining unauthorized access to computer systems or networks with the intention of stealing
assets or data. Malicious scripts that compromise system or network security without user
permission are used to accomplish this, altering important data. This is a serious cybercrime
that has affected big companies including Microsoft, Amazon, Yahoo, and banks.
Cybercriminals use techniques including identity theft, DNS cache poisoning, espionage,
hacking, and plagiarism.
 Cyber Vandalism: As opposed to theft or improper use, cyber vandalism involves destroying
or abusing data. This may interfere with or stop network functions, making it impossible for
authorized users to access data. It may involve the development and distribution of
 malicious software, the injection of malicious code, or unauthorized network infiltration that
compromises a target system over time.
 Web Jacking:Web jacking involves forcibly taking control of a web server to manipulate the
information on another website.
 Stealing Card Information:This pertains to stealing credit or debit card data by infiltrating e-
commerce servers and misusing the information.
 Cyber TerrorismCyber terrorism refers to politically motivated violence against civilians using
the internet as a tool.
 Child Pornography:It involves using computer networks to produce, share, or access sexually
explicit material featuring underage children, typically found in shared drives of community
networks.
 Cyber ContrabandThis pertains to transferring illegal items or information through the
internet, particularly when banned in certain locations.
 Spam:Spam encompasses the unauthorized transmission of unsolicited marketing material
or morally objectionable content via email, violating the SPAM Act.
 Cyber Trespass:Cyber trespass refers to legally accessing network resources without altering,
disrupting, misusing, or damaging data or systems. This can include accessing private
information or monitoring network traffic for valuable data.
 Logic Bombs:Logic bombs are event-triggered programs, such as the Chernobyl virus, which
acts as a logic bomb by activating on a specific date.
 Drive-by Download:This involves automatic installation of software on a user's computer
while browsing the internet, usually intended to steal confidential information like passwords
and personal data or to use the victim's terminal for further malicious actions.
 Cyber Assault by Threat:It includes using computer networks to threaten a person's life, their
family's safety, or the safety of those they are responsible for. For example, blackmailing
someone to transfer funds to an untraceable bank account through online payment facilities.
 Script Kiddies:Script kiddies are novices who use scripts or programs created by others to
launch computer system and network attacks, gain root access, or deface websites.
 Denial of Service:A denial of service attack (DoS) seeks to make a computer resource
inaccessible to its intended users. This is done by overwhelming the victim's computer with
more requests than it can handle, causing it to crash. It can also take the form of email
bombing when using emails, and entities like eBay, Yahoo, and Amazon have been targeted
by such attacks.