Systems Vulnerability Scanning

Prof. Vihang N Patel, Assistant Professor

Computer Science & Engineering – Cyber Security
 CHAPTER-4

Introduction to Cyber Crime and law

Cyber Crimes

• Cyber-crime is simply defined as crimes that are directly or indirectly related

to computers, mobile, network, communication or storage devices and using
all or any of them.
• A crime conducted in which a computer was directly and significantly
instrumental.
• Cyber crime in more detail, “Offences that are committed against individuals
or groups of individuals with a criminal motive to harm the reputation of the
victim or cause physical or mental or economical harm, or loss to the victim
directly or indirectly, using modern telecommunication networks such as
Internet (networks including but not limited to Chat rooms, emails, notice
boards and groups) and mobile phones (Bluetooth/SMS/MMS)”.
Cyber Law

• Cyber Law is a framework created to give legal recognition to all risks arising
out of the usage of computers, computer network or related technology.

• “Cyber Law” is a term used to describe the legal issues related to use of
Computer and Communications Technology.

• The Indian Parliament passed the Information Technology Bill on 17th May
2000, known as the ITA 2000, aimed at providing legal infrastructure for
E-Commerce in India.
Cyber Crime Classification
• We can categorize Cyber crimes in two ways

– The Computer as a Target :- using a computer to attack other

computers. e.g. Hacking, Virus/Worm attacks, DOS attack etc.
– The Computer as a Weapon :- using a computer to commit real world
crimes. e.g. Cyber Terrorism, IPR violations, Credit card frauds, EFT
frauds, Pornography etc.

• Types of Cybercrime

1. Cybercrime against individual

2. Cybercrime against property
3. Cybercrime against organization
Types of Cyber crimes
Cont...
Cont...
• Cybercrime against individual
The term cybercrime against the individual refers to those criminal
offences which are committed against an individual. Such cybercrime
affects the individual’s personality.
Cont...
• Electronic mail (E-Mail) Spoofing: E-mail spoofing is the forgery of an e-mail
header so that the message appears to have originated from someone or
somewhere other than the actual source.
• Phishing: It is an act of criminally fraudulent process of attempting to acquire
sensitive information such as usernames, passwords and credit card details by
masquerading as a trustworthy entity in an electronic communication.
• Spear Phishing: Spear phishing is an email or electronic communications scam
targeted towards a specific individual, organization or business.
• Vishing: Vishing is the criminal practice of using social engineering over the
telephone system, most often using features facilitated by VoIP, to gain access
to personal and financial information from the public for the purpose of
financial reward. The term is a combination of V-voice and Phishing.
Cont...
• Smishing: The name is derived from “SMs PhISHING”. Smishing uses cell phone
text messages to deliver a lure message to get the victim to reveal his/her
personal information.
• Spamming: Spam is sending undesired junk emails and commercial messages
over internet. People who create electronic spam are called ‘spammers’.
• Cyber defamation: The act of defaming, insulting, offending or otherwise
causing harm through false statements about a person, company or nation etc.
through internet.
• Cyber stalking and harassment: Cyber stalking refers to the use of internet
and/or other electronic communication devices to stalk another person. It
involves repeatedly harassing or threatening an individual via the internet or
other electronic means of communication.
• Computer Sabotage: Computer sabotage involves deliberate attacks intended
to disable computers or networks.
Cont...
• Pornographic offenses: Cyber pornography is the act of using cyberspace to
create, display, distribute, import, or publish pornography or obscene
materials. Child pornography means any visual depiction, including but not
limited to the following: Any photograph that can be considered obscene
and/or unsuitable for the age of child viewer.
• Password Sniffing: Password sniffers are the programs that can monitor and
records passwords that are used or broadcasted on a computer or network
interface. It listens to all incoming and outgoing network traffic and records
any instance of a data packet that contains a password.
• Identity Theft: it is a fraud involving another person’s identity for an illicit
purpose. It occurs when a criminal uses someone else’s identity for his/her
own illegal purpose. Phishing and identity theft are related offenses.
Cont...
Classifications of Cybercrimes

• Cybercrime against property

The second category of cybercrime is that of cybercrimes which affects person’s

property. These cybercrimes are known as cybercrimes against property.
1. Credit cards frauds
2. Intellectual property (IP) crimes
3. Internet time theft
Cont...
• Credit cards frauds: Credit card (or debit card) fraud is a form of identity theft
that involves an unauthorized person taking of another's credit card information
for the purpose of charging purchases to the account or removing funds from it.
The purpose may be to obtain goods without paying, or to obtain unauthorized
funds from an account.
• Intellectual property (IP) crimes: Basically, IP crimes include software piracy,
copyright infringement, trademarks violations, theft of computer source code,
etc.
• Internet time theft: Occurs when an unauthorized person uses the internet
hours paid for by another person. The person who gets access to someone else’s
ISP user ID and password, either by hacking or by gaining access to it by illegal
means, uses it to access the internet without the other person’s knowledge.
Cont...
• Cybercrime against organization
There are certain offences done by group of persons intending to threaten the
international governments or firm, company, group of Individuals by using internet
facilities. These cybercrimes are known as cybercrimes against Organizations.

1. Unauthorized accessing of computer 2. Password sniffing

3. Denial-of-Service (DoS) attacks 4. Virus attack
5. E-mail bombing 6. Salami attack
7. Logic bomb 8. Trojan horse
9. Data diddling
10. Industrial spying/Industrial espionage
11. Computer network intrusions
12. Software piracy
Cont...
• Unauthorized accessing of computer: Hacking is one method of doing this. Hackers
make use of the weaknesses and loop holes present in systems to destroy data and
steal important information from victim's computer. Every act committed toward
breaking into a computer and/or network is hacking and it is an offense.
• Password sniffing: Password sniffers are the programs that can monitor and records
passwords that are used or broadcasted on a computer or network interface. It listens
to all incoming and outgoing network traffic and records any instance of a data packet
that contains a password.
• Denial-of-Service (DoS) attacks: A denial-of-service attack (DoS attack) is the intrusion
into a system by disabling the network with the intent to deny service to authorized
users. Attackers achieve this by flooding a network with more traffic than it can handle.
• Virus attack: Computer virus is a program that can ‘infect’ legitimate programs by
modifying them to include a possibly ‘evolved’ copy of itself. Virus spread themselves,
without the knowledge or permission of the users, to potentially large number of
programs on many machines.
Cont...
• E-mail bombing/mail bombs: E-mail bombing refers to sending a large number
of E-mails to the victims to crash victim’s E-Mail account or to make victim’s
mail servers crash.
• Salami attack/Salami technique: Salami attack is when small attacks add up to
one major attack that can go undetected due to the nature of this type of
cybercrime. Salami attacks are used for committing financial crimes and are
difficult to detect and trace. For example, a fraud activity in a bank, where an
employee steals a small amount of funds from several accounts, can be
considered a salami attack.
• Logic bomb: These are event dependent programs. This implies that these
programs are created to do something only when a certain event (known as a
trigger event) occurs. For example, some viruses may be termed logic bombs
because they lie dormant all through the year and become active only on a
particular date (like the Chernobyl virus).
Cont...
• Trojan horse: Trojan horse is a program in which malicious or harmful code is
contained inside apparently harmless programming or data in such a way that it
can get control and cause harm.
• Industrial spying/industrial espionage: It is the illegal practice of investigating
competitors to gain a business advantage. The target of investigation might be a
trade secret such as product specification or formula or information about
business plans.
• Computer network intrusions:Computer network intrusion, often referred to
simply as network intrusion, is a malicious activity where unauthorized
individuals or entities gain unauthorized access to a computer network or
system with the intent to compromise its confidentiality, integrity, or
availability. Network intrusions are a common form of cybercrime and can have
serious consequences for individuals, organizations, and even governments.
Cont...
• Software piracy: Theft of software through the illegal copying of genuine
programs is known as software piracy.
Examples:
▪ End user copying
▪ Hard disk loading with illicit means
▪ Counterfeiting
▪ Illegal downloads from the Inter

• Cybercrime against society

Those cybercrimes which affects the society interest at large are known as
cybercrimes against society.
1. Forgery: alteration of digital documents, signatures, or credentials
2. Cyber terrorism
3. Web jacking
Cont...
• Forgery: The act of forging something, especially a document or object for the
purpose of fraud or deception.
Examples:
▪ Counterfeit currency notes
▪ Postage and revenue stamps
▪ Mark sheets or even degree certificates can be forged using
▪ sophisticated computers, printers and scanners.
• Cyber terrorism: Cyber terrorism is the convergence of cyberspace and
terrorism. It is the activity carried out by terrorist on the internet to disrupt
large number of system networks with the means of computer virus.
• Web jacking: Web jacking occurs when someone forcefully takes control of a
website. The first stage of this crime involves “password sniffing”. The actual
owner of the website does not have any more control over what appears on
that website.
Hacking

• The term hacker was originally a term of respect for computer experts
who knew all about computers, and could do cool things with them

• The person who is able to discover weakness in a system and managed to

exploit it to accomplish his goal referred as a Hacker, and the process is
referred as Hacking

• Some hackers crossed over to the dark side, and these villains were more
properly known as "crackers“

• A hacker is an unauthorized user who attempts tor gains access tan

information system
Purpose of Hacking
Greed
Power
Publicity
Revenge
Adventure
Desire to access forbidden information
Destructive mindset
Cont...
• Every act committed toward breaking into a computer and/or network is
hacking.
• A commonly used hacking definition is the act of compromising digital
devices and networks through unauthorized access to an account or
computer system. Hacking is not always a malicious act, but it is most
commonly associated with illegal activity and data theft by cyber criminals.
• Hacking in cyber security refers to the misuse of devices like computers,
smartphones, tablets, and networks to cause damage to or corrupt systems,
gather information on users, steal data and documents, or disrupt
data-related activity.
Cont...
Cont...
• Black Hat Hackers: Black hat hackers are the "bad guys" of the hacking scene.
They go out of their way to discover vulnerabilities in computer systems and
software to exploit them for financial gain or for more malicious purposes, such
as to gain reputation, carry out corporate espionage, or as part of a nation-state
hacking campaign. These individuals’ actions can inflict serious damage on both
computer users and the organizations they work for. They can steal sensitive
personal information, compromise computer and financial systems, and alter or
take down the functionality of websites and critical networks.
• White Hat Hackers: White hat hackers can be seen as the “good guys” who
attempt to prevent the success of black hat hackers through proactive hacking.
They use their technical skills to break into systems to assess and test the level
of network security, also known as ethical hacking. This helps expose
vulnerabilities in systems before black hat hackers can detect and exploit them.
Cont...
• Grey Hat Hackers: Grey hat hackers sit somewhere between the good and the
bad guys. Unlike black hat hackers, they attempt to violate standards and
principles but without intending to do harm or gain financially. Their actions
are typically carried out for the common good. For example, they may exploit
a vulnerability to raise awareness that it exists, but unlike white hat hackers,
they do so publicly. This alerts malicious actors to the existence of the
vulnerability.
Hierarchy of Contemporary Cyber-Criminals
• Hierarchy of Contemporary Cyber-Criminals
There are four general categories of Cyber-criminals.
1. Script Kiddies
2. Cyberpunks
3. Hackers/crackers
4. Cyber-criminal organizations
• Script Kiddies: Also known as Skidiots, Skiddie or Victor Skill Deficiency
(VSD).These are lowest form of cyber-criminal.Inexperienced hackers who
employ scripts or other programs authored by others to exploit security
vulnerabilities or otherwise compromise computer systems.
▪ Technologically the least sophisticated of all cyber-criminals.
▪ Generally not capable of writing their own programs.
Cont...
• Cyberpunks: Refers to individuals that create havoc via the internet. The term
was initially used to refer to an emerging genre which marries science fiction,
information technology, and radical change in social order.
• Hackers/Crackers: Sophisticated computer criminals that are capable of
programming, writing code and breaching complex systems are categorized as
hackers or crackers. Hackers are those individuals who identify and exploit
system vulnerabilities but who lack economic motivation.
Crackers are those sophisticated users who employ their knowledge for personal
gain.
• Cyber-criminal organizations: Groups comprised of criminally minded
individuals who have used the internet to communicate, collaborate, and
facilitate cyber_x0002_crime. Criminal hackers are those who target data
which is valuable i.e. for example trade secrets, proprietary data, credit card
data etc which may be used to further other criminal activity.
Prevention from Getting Hacked
• Software Update
• Use Unique Passwords for Different Accounts
• HTTPS Encryption
• Avoid Clicking on Ads or Strange Links
• Change the Default Username and Password on Your Router and Smart Devices
• Download from First-party Sources
• Install Antivirus Software
• Use a VPN
• Do Not Login as an Admin by Default
• Use a Password Manager
• Use Two-factor Authentication
• Brush Up on Anti-phishing Techniques
ATTACK VECTORS

• An attack vector is a path or means by which a hacker (or cracker) can gain
access to a computer or network server in order to deliver a payload or
malicious outcome.

• Attack vectors are routes or methods used to get into computer systems,
usually for malicious purposes.

• They take advantage of known weak spots to gain entry. Many attack
vectors take advantage of the human element in the system, because that's
often the weakest link.
Cont...
Cont...
• An attack vector is a path or means by which a hacker can gain access to a
computer or network server in order to deliver a malicious payload or malware.
• Attack vectors enable hackers to exploit system vulnerabilities, including the
human element.
• Attack vectors include viruses, e-mail attachments, Web pages, pop-up windows,
instant messages, chat rooms, and deception. All of these methods involve
programming except deception
• To some extent, firewalls and anti-virus software can block attack vectors. But no
protection method is totally attack-proof.
• A defense method that is effective today may not remain so for long, because
hackers are constantly updating attack vectors, and seeking new ones to gain
unauthorized access to computers and servers.
• The most common malicious payloads are viruses, Trojan horses, worms, and
spyware.
Cont...
Different ways to launch attack vectors
1. Attack by E-Mail
2. Attachments (and other files)
3. Attack by deception
4. Hackers
5. Heedless guests (attack by webpage)
6. Attack of the worms
7. Malicious macros
8. Foistware (sneakware)
9. Viruses
Cont...
Attack by E-mail: The hostile content is either embedded in the message or linked
to
by the message. Sometimes attacks combine the two vectors, so that if the
message does not get you, the attachment will.
• Spam is almost always carrier for scams, fraud, dirty tricks, or malicious
actions of some kind.
• Any link that offers something “free” or tempting is a suspect.
Attachments (and other files): Malicious attachments install malicious computer
code.
• The code could be a virus, Trojan horse, Spyware, or any other kind of
malware.
• Attachments attempt to install their payload as soon as you open them.
Cont...
Attack by deception: Deception is aimed at the user/operator as a vulnerable
entry point.
• It is not just malicious computer code that one needs to monitor.
• Fraud, scams, hoaxes, and to some extent spam, not to mention viruses,
worms and such require the unwitting cooperation of the computer’s
operator to succeed.
• Social engineering and hoaxes are other forms of deception that are often an
attack vector too.
Hackers: Hackers/crackers are a formidable attack vector because, unlike
ordinary malicious code, people are flexible and they can improvise.
Cont...
Heedless guests (attack by webpage): Counterfeit websites are used to extract
personal information. Such websites look very much like the genuine websites
they imitate.
• One may think he/she is doing business with someone you trust.
However he/she is really giving their personal information, like address, credit
card number, and expiration date.
• They are often used in conjunction with Spam, which gets you there in the
first place.
• Pop-up webpages may install Spyware, Adware or Trojans.
Cont...
Attack of the worms: Many worms are delivered as E-Mail attachments, but
network
• worms use holes in network protocols directly. Any remote access service, like
file sharing, is likely to be vulnerable to this sort of worm. In most cases,
firewalls will block system worms.
• Many of these system worms install Trojan Horses. Next, they begin scanning
the internet from the computer they have just infected and start looking for
other computers to infect.
• If the worm is successful, it propagates rapidly.
• The worm owner soon has thousands of “zombie” computers to use for more
mischief.
Cont...
Malicious macros: Malicious macros refer to a type of cyber threat that involves
the use of macros, which are small scripts or commands, typically written in
scripting languages like Visual Basic for Applications (VBA), to carry out malicious
activities within documents such as Microsoft Word or Excel files.

Social Engineering.

Macro Execution.

Payload Delivery
Cont...
Foistware (sneakware): Foistware is the software that adds hidden components
to the system on the sly.
• Spyware is the most common form of foistware.
• Foistware is quasi-legal software bundled with some attractive software.
• Sneak software often hijacks your browser and diverts you to some
“revenue opportunity” that the foistware has set up.
Viruses: These are the malicious computer codes that hitch a ride and make the
payload.
• Now-a-days, virus vectors include E-Mail attachments, downloaded files,
worms, etc.
cyber space and criminal behaviour
• Cyberspace refers to the virtual space that provides the infrastructure, electronic
medium and related elements necessary for online global communication.
• It can be thought of as the second life space where human beings operate for
social interactions, entertainment, business operations as well as for personal
activities and interests.
• The term cyberspace is derived from the word cybernetics which in turn is
extracted from ancient Greek word kubernētēs, that refers to steersman or to give
direction.
• The term cyberspace first came into existence in various contexts in visual arts and
science fiction during 1940, 1960 and 1984.
• However, the first reference was made by the founder of Electronic Frontier
Foundation, in the year 1990 and later in 1991 by Mr. Benedict, which is close to
the existing relationship of computer and telecommunication systems.
Cont...
• A cybercriminal is an individual who commits cybercrimes, where he/she makes
use of the computer either as a tool or as a target or as both.
• Cybercriminals tries to use the computers in three broad ways.
• Firstly, they use the computer as their target for attacking other people's
computers for the purpose of fulfilling their malicious activities like spreading
viruses, data theft, identity theft, etc.
Cont...
• Secondly, they use the computer as their weapon for the purpose of carrying
out conventional crime like spam, fraud, illegal gambling, etc.
• Thirdly, they use the computer as their accessory for the purpose of saving
stolen or illegal data.
• Thus cyberspace provides a platform for all criminal activities.
• The advantages of cyberspace include
i. Informational resources
ii. Entertainment
iii. Social networking
Cont...

• Cyberspace is worldwide network of computer networks for communication

and exchange of data using TCP/IP.

• Cyberspace is most definitely a place where you chat, explore, research and
play.

• The Information or Digital Revolution has created a new forum for both
terrorist activity and criminal behavior.

• The cybercriminals are categorized based on motive into following groups:

• Cybercriminals- hungry for recognition

– Hobby hackers, IT professionals, Politically motivated hackers, Terrorist

Cont...

Cybercriminals- not interested in recognition

• Psychological perverts, Financially motivated hackers, State-sponsored
hacking, Organized criminals

Cybercriminals- the insiders

• Former employees seeking revenge
• Competing companies using employees to gain economic advantage through
damage and/or theft
Criminal Behavior

• The advent of the computer has changed the way individuals behave.

• A similar point can be made about Criminal behavior; namely, a significant

amount of crimes are connected to technology.

• In common fraud scams the criminals gathers the information by phishing

and spoofing leading to identity theft.

• Crimes related to health care, insurances are also performed by hacking and
forging identities.

• Cyber harassment and defamation especially the cases of pedophiles' and

stalkers use false identities to trap the children and teenagers.
Cont...

• spamming and unsolicited bulk messages leads to lost productivity.

• The criminal steals this information from certain unsecured websites or by
identity theft and doing frauds like auction frauds, non-delivery of
existent/non-existent merchandize.
• Forgery is often achieved by hacking wherein the hacker attack the target
computer and retrieve personal information of the victims and use it for
their personal monetary gains.
• The Industrial espionage are achieved through “spying”.
Traditional Problems

• Criminals adapt changing technologies while law enforcement agencies

and government institutions, bounded by traditional system

• The law enforcement agencies are struggling to keep up with criminal

innovations.

• Computer crime has proven and significant challenge to Law

Enforcement personnel

• Indeed, the law-enforcement community has often failed to recognize.

• Many computer-related crime involves non-specialist users (e.g., child

pornography, drug dealers, harassment, etc.).
Traditional Problems Associated with Computer Crime

1. Physicality and Jurisdictional Concerns

2. Perceived Insignificance, Stereotypes, and Incompetence
3. Prosecutorial Reluctance
4. Lack of Reporting
5. Lack of Resources
6. Jurisprudential Inconsistency
Cont...
• Physicality and Jurisdictional Concerns
Individuals sitting at their desk can enter various countries without the use of
passports or documentation.
For successful prosecution it is necessary to get the specification of the crime
scene i.e.,
1. Where did the crime actually occur?
2. Which laws apply?
3. Which agency is responsible for the investigation of a
particular incident?
4. Which agency has primary jurisdiction over the thief?
Cont...
• Perceived Insignificance, Stereotypes, and Incompetence
• Investigators and administrators have displayed great reluctance to pursue
computer criminals.
• In a study conducted by the department of justice, computer crime
investigators recognized the threat posed by employees and insiders.
• Thus, timely detection of these individuals who are most trusted employees
with authorized access is often unlikely.
• Two-thirds of all agencies dealt with computer-related incident.
• Most viewed “harassment/stalking” via the internet as most prevalent of calls
for assistance with child pornography a close second. Other crimes reported
are forgery, counterfeiting, identity theft, e-commerce fraud etc.
Cont...
• Perceived Insignificance, Stereotypes, and Incompetence
• Even in situations where law enforcement authorities recognize the
insidious nature of computer or cybercrime, many do not perceive
themselves or others in their department to investigate such criminal
activity.
• Out of 34.4% of agencies, at least one individual had taken training, only
18.8% felt that person can investigate computer related crime and 12.3% is
capable of forensic examinations.
• 70% of those who indicated that they received training were characterized
as “basic”, “general”, or “introductory”.
Cont...
• Prosecutorial Reluctance
• Like their law enforcement counterparts, prosecutors across the country
lack sufficient knowledge and experience to effectively prosecute computer
crime.
• In addition, many do not perceive electronic crime as serious and often
grant it the lowest priority.
• Even those jurisdictions which have granted electronic crime high priority
are often thwarted in their efforts by a lack of cooperation in extradition
requests, the victim’s reluctance to prosecute, the labor-intensive nature of
case preparation, and/or the lack of resources for offender tracking.
Cont...
• Lack of Reporting
• Early studies indicate that only 17% of victimizations were reported to law
enforcement authorities.
• One of the primary reasons that businesses fail to report computer
intrusions is their need to assure consumers of data security.
• In addition, many corporations are uncomfortable with the release of
information to any entity, including law enforcement, and want to maintain
control of the investigation of all times. Thus, they choose to handle things
internally.
• A further reason that companies do not report is the perception that
reporting will not result in capture or identification of a suspect.
• Intrusions are detected long after the violation occurred, making
investigations more difficult.
Cont...
• Lack of Resources
• Traditional budget constraints.
• Nature of technology - Changes in the technology requires frequent training
and updation.
• Cost of training - Extremely expensive training which is out of reach for
many agencies. Cost of additional personnel for every officer transferred to
technology crime, another must be recruited, hired, and trained to take
his/her place.
• Cost of hardware.
• Cost of software.
• Cost of laboratory.
• Inability to compete with private industry.
Cont...
• Jurisprudential Inconsistency
• The Supreme Court has remained resolutely averse to deciding matters of
law in the newly emerging sphere of cyberspace.
• They have virtually denied cert on every computer privacy case to which
individuals have appealed and have refused to determine appropriate levels
of Fourth amendment protections of individuals and computer equipment.
• As such, the country is remarkably divided on fundamental elements of law
– establishing a legality standard of behaviour in one jurisdiction which
negates or supersedes the standard in another..
Incident Response
Cont...
1) Preparation
• Preparation is crucial to effective incident response. Even the best Cyber
Security Incident Response Team (CSIRT) cannot effectively respond to an
incident without predetermined instructions.
• Preparedness involves:

• Design, development, training, and implementation of enterprise-wide IR

plan
• Creating communication guidelines to enable seamless communication
during and after an incident
• Conducting cyber simulation exercises to evaluate the effectiveness of
incident response plan
Cont...
2) Detection
• The objective of this phase is to monitor networks and systems to detect,
alert, and report on potential security incidents.

• Adopt cyber threat intelligence (CTI) capabilities to develop a comprehensive

cyber monitoring program and to support ongoing monitoring and detection

• Conduct cyber compromise assessments to detect unknown compromises

Cont...
3) Analysis
• The majority portion of the efforts to properly understand the security
incident take place during this step. It involves:

• Gathering information and then prioritizing individual incidents and steps for
a response.

• Forensic preservation and analysis of data to determine the extent and

impact of the incident.
Cont...
During the event of an incident, the incident response team should focus on
three areas:
• Endpoint Analysis
Determine tracks left behind by the malicious actor.
Analyze a bit-for-bit copy of systems to determine what occurred on a device
during the incident.
• Binary Analysis
Analyze malicious tools or binaries used by the malicious actor and document
the functionalities of those programs. The analysis can be performed through
Behaviour Analysis or Static Analysis.
• Enterprise Hunting
Analyze existing systems and event logs to determine the scope of the incident.
Document all the compromised systems, devices, and accounts.
Cont...
4) Containment
• This is the most critical stage of incident response. The strategy for
containing an incident is based on the intelligence and indicators of
compromise gathered during the analysis phase. The security team should
focus on taking risk-mitigating actions to prevent further impact and damage
to the organization.
• Coordinated Shutdown: Once identifying the compromised systems, perform
a coordinated shutdown of these devices. The IR team should be instructed
to ensure proper timing.
• Wipe and Rebuild: Wipe the compromised systems and rebuild the operating
systems from scratch. Change the login credentials of all the compromised
accounts.
Cont...
5) Eradication
Once you have identified domains or IP addresses leveraged by the malicious
actors for command and control, issue ‘threat mitigation requests’ to block the
communication from all channels connected to these domains. The IR team
should remove the known existing threats from the networks.

6) Recovery
• Develop a near-term remediation strategy and roadmap
• Focus on resuming normal business operations
• Develop a long-term risk mitigation strategy
• Document the incident to improve the IR plan and update security measures
to avoid such incidents in future
Cont...
Digital Forensics
• Digital forensics is a fairly novel science.

• Digital forensics is as “the collection of techniques, proven methods and

tools used to find digital evidence derived from digital sources ”.

• Computer forensics generally focuses on particular methods for extracting

evidence from a specific platform, whereas digital forensics needs to be
formed in such a way that it covers all types of digital devices, including
future digital technologies.

• Regrettably, there is no regular or consistent digital forensic methodology.

• However there are a number of procedures and tools based on experiences

of law enforcement, system administrators and hackers.
COMPUTER LANGUAGE
• Computers are the mechanism through which raw information (i.e., data) is
processed.
• Although raw data may seem complex to understand, the structure of data is
actually very basic, and is based on a binary language.
• The smallest piece of data is called a bit.
• Each bit has two possible electrical states, on (1) or off (0).
• Thus, raw data is a series of 1s and 0s. Of course, raw data is difficult to interpret
by users, so computers group bits together to provide identifiable meaning.
• The smallest such grouping occurs when eight bits are combined to form a byte.
• Each byte of data represents a letter, number, or character. Forexample, the raw
data sequence of 01000001 appears to the user as the capital letter “A.”
• As stored information has increased, the data capacity of computers is also
increased from kilobytes (KB) to megabytes (MB) to gigabytes (GB), terabytes
(TB).
Network Language
• Few most commonly used terms in network language are as follows:
1. TCP/IP
2. IMAP
3. POP
4. Routers
5. Hubs
6. Packets
7. Cookies
8. DNS
Cont...
TCP/IP
• TCP/IP stands for Transmission Control Protocol/Internet Protocol.
• It refers to the suite of protocols that define the Internet.
• TCP is a method of communication between programs which enables a
bit-stream transfer of information.
• Originally proposed and designed as the standard protocol for ARPANet, but
now TCP/IP software is available for every major kind of computer operating
system.
• Luckily, it is now built into many of the most common operating
systems.
Cont...
IMAP
• IMAP stands for Internet Message Access Protocol.
• It is an internet standard protocol used by email clients to retrieve email
messages from a mail server over a TCP/IP connection.
• E-mail stored on an IMAP server can be manipulated from anywhere without
the need to transfer messages or files back and forth between the computers.
Routers
• Routers are defined as special-purpose computers that handle the connection
between two or more networks.
• Routers spend all their time looking at the destination addresses of the packets
passing through them and deciding which route to send them on.
Cont...
POP
• POP stands for Post Office Protocol.
• Post Office Protocol is a standard mail protocol used to receive emails from a
remote server to a local email client.
• It allows you to download email messages on your local computer and read
them even when you are offline.
• It was designed to support offline/local email processing.
• Once the messages are downloaded, they are deleted from the mail server.
• This mode of access is not compatible with access from multiple computers.
Cont...
Hubs
• Hub is used for connecting multiple computers or segments of a LAN.
• Hubs are central switching devices for communications lines in a star topology.
• Hubs may be added to bus topologies, for example, a hub can turn an Ethernet
network into a star topology to improvetroubleshooting.
Packets
• Packets are the basic units of communication over a TCP/IP network.
• They are defined as units of data exchanged between host computers.
• A packet is a string of bits divided into three main sections:
1. A set of headers
2. The payload, the actual data being transmitted
3. The trailer, sometimes called the footer
Cont...
Cookies
• Cookies are small pieces of information that an HTTP server sends to the individual
browser upon the initial connection.
• Not all browsers support cookies. However, most popular browsers such as MS Internet
Explorer 3.0 or higher and Netscape Navigator 2.0 and higher.
• Cookies might contain information such as login or registration information, online
“shopping cart” information, user preferences, and so on.
• When a server receives a request from a browser that includes a cookie, the server is
able to use the information stored in the cookie.
• Cookies do not steal information. They simply act as storage platforms for information
that a user has supplied.
Cont...
DNS
• DNS stands for Domain Name System.
• Domain Name System is a hierarchical and decentralized naming system for
computers, services, or other resources connected to the Internet or a private network.
• DNS eases the translation of IP addresses through the utilizationof hierarchical
principles.
• Traditional top-level domain names include com (commercial organization), edu
(educational institutions), gov (government organizations), org (nonprofit
organizations), and net (Internet
access providers).
Realms of the Cyber world
• Basically, there are three different levels of networked systems: intranets,
internets, and the Internet.

• Intranets are small, local networks connecting computers which are within one
organization and which are controlled by a common system administrator.

• internets, on the other hand, connect several networks, and are distinguished
in the literature by a lower case (i.e., internet as opposed to Internet).

• These networks are usually located in a small geographic area, and share a
common protocol (usually TCP-Transmission Control Protocol/ IP-Internet
Protocol).

• The Internet, on the other hand, is the largest network in the world, an
international connection of all types and sizes of computer systems and
Recognizing and Defining Computer Crime
• It is unclear exactly when and where the first “computer crime” actually
occurred.

• Contextually, theft of an abacus or a simple adding machine would constitute

a computer crime.

• It is safe to assume that these types of activities occurred long before written
or formal documentation was in vogue.

• However, the first documented instance of computer disruption occurred in

the early Nineteenth Century, when a textile manufacturer named Joseph
Jacquard developed what would soon become the precursor to the
computer card.

• His invention, which allowed repetitive automation of a series of steps in the

Contemporary Crime (Modern Crime)
• Legislative bodies have been slow to respond to the potentiality of
contemporary computer crime in the Twenty-first Century.

• In fact, the steps made in electronic communications and point-and-click

platforms have enabled a variety of criminally minded people to expand their
limits.

• Actually, promise of anonymity has encouraged criminal activity among the

masses.

• who would never walk into an adult book store in search of photographs or
videos, download those same materials in the privacy of their home from
web.

• Instead of looting bank with a gun criminal may feel comfortable altering
Contaminants and Destruction of Data
• Data destruction is the process of destroying data stored on tapes, hard disks and
other forms of electronic media so that it is completely unreadable and cannot be
accessed or used for unauthorized purposes.

• Data contamination The alteration, maliciously or accidentally, of data in a

computer system.

• Environment surrounding of data storage area may affect on the stored data. Like
environment polluted with Ferrous metal particles, Corrosive gases,
Chlorides/salts, Electrostatic dust, electricity generation,

• five most commonly experienced culprits of data loss

1. Power Outage

2. Virus, Malware, or Attack

Indian IT ACT 2000

• IT Act: Aim and Objectives

• The Information Technology Act,2000, is an important law relating to Indian

cyber laws. It aims

• at promoting E-Commerce and facilitating E-Governance. The Act strives to

achieve the following objectives:
– To give legal recognition to transactions done by electronic way or by
use of the internet.
– To grant legal recognition to digital signature for accepting any
agreement via computer.
Cont...

– To provide facility of filling documents online.

– To authorize any undertaking to store their data in electronic storage.
– To prevent cyber-crime by imposing high penalty for such crimes and
protect privacy of internet users.
– To give legal recognition for keeping books of account by bankers and
other undertaking in electronic form.
Amendments - Indian IT ACT 2008
• Notable features of the ITAA 2008 are:

– Focusing on data privacy

– Focusing on Information Security
– Defining cyber café
– Making digital signature technology neutral
– Defining reasonable security practices to be followed by corporate
– Redefining the role of intermediaries
– Recognizing the role of Indian Computer Emergency Response Team
– Inclusion of some additional cyber-crimes like child pornography and
Cyber-Crime Scenarios and Applicability of Legal Sections

• Let us look into some common cyber-crime scenarios which can attract
prosecution as per the penalties and offences prescribed in IT Act 2000
(amended via 2008) Act.
1. Harassment via fake public profile on social networking site
– A fake profile of a person is created on a social networking site with the
correct address, residential information or contact details but he/she is
labeled as ‘prostitute’ or a person of ‘loose character’. This leads to
harassment of the victim.
– Provisions Applicable: Sections 66A, 67 of IT Act and Section 509 of the
Indian Penal Code.
Cont...
2. Online Hate Community
Online hate community is created inciting a religious group to act or pass
objectionable remarks against a country, national figures etc.
Provisions Applicable: Section 66A of IT Act and 153A & 153B of the Indian Penal
Code.

3. Email Account Hacking

If victim’s email account is hacked and obscene emails are sent to people in
victim’s address book.
Provisions Applicable: Sections 43, 66, 66A, 66C, 67, 67A and 67B of IT Act.

4.Credit Card Fraud

Unsuspecting victims would use infected computers to make online transactions.
Provisions Applicable: Sections 43, 66, 66C, 66D of IT Act and section 420 of the
IPC.
Cont...
5. Web Defacement
– The homepage of a website is replaced with a pornographic or
defamatory page. Government sites generally face the wrath of hackers
on symbolic days.
– Provisions Applicable: Sections 43 and 66 of IT Act and Sections 66F, 67
and 70 of IT Act also apply in some cases.
6. Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs
– All of the above are some sort of malicious programs which are used to
destroy or gain access to some electronic information.
– Provisions Applicable: Sections 43, 66, 66A of IT Act and Section 426 of
Indian Penal Code.
Cont...
7. Cyber Terrorism
Many terrorists are use virtual (GDrive, FTP sites) and physical storage
media(USB’s, hard drives) for hiding information and records of their illicit
business.
Provisions Applicable: Conventional terrorism laws may apply along with Section
69 of IT Act.

8.Online sale of illegal Articles

Where sale of narcotics, drugs weapons and wildlife is facilitated by the Internet.
Provisions Applicable: Generally conventional laws apply in these cases.

9.Cyber Pornography
Among the largest businesses on Internet. Pornography may not be illegal in many
countries, but child pornography is.
Provisions Applicable: Sections 67, 67A and 67B of the IT Act.
Cont...
10. Phishing and Email Scams
– Phishing involves fraudulently acquiring sensitive information through
masquerading a site as a trusted entity. (E.g. Passwords, credit card
information).
– Provisions Applicable: Section 66, 66A and 66D of IT Act and Section 420
of IPC.
11. Theft of Confidential Information
– Many business organizations store their confidential information in
computer systems. This information is targeted by rivals, criminals and
disgruntled employees.
– Provisions Applicable: Sections 43, 66, 66B of IT Act and Section 426 of
Cont...
12. Source Code Theft
– A Source code generally is the most coveted and important "crown jewel"
asset of a company.
– Provisions applicable: Sections 43, 66, 66B of IT Act and Section 63 of
Copyright Act.
13. Tax Evasion and Money Laundering
– Money launderers and people doing illegal business activities hide their
information in virtual as well as physical activities.
– Provisions Applicable: Income Tax Act and Prevention of Money
Laundering Act. IT Act may apply case-wise.
Cont...

14. Online Share Trading Fraud

It has become mandatory for investors to have their demat accounts linked
with their online banking accounts which are generally accessed
unauthorized, thereby leading to share trading frauds.
Provisions Applicable: Sections 43, 66, 66C, 66D of IT Act and Section 420 of
IPC
References
1. https://project-management.com/project-management-phases/
2. https://www.villanovau.com/resources/project-management/5-phases-pr
oject-management-lifecycle/
3. https://www.hhilifting.com/importance-of-construction-industry-in-the-ec
onomy-and-use-of-construction-equipments/
www.paruluniversity.ac.in