Unit3 - CS Secure System Development

Uploaded by

aman08697.122
Noida Institute of Engineering and Technology, Greater Noida

Secure System Development

Unit: 3

Cyber Security (ANC0301)
(B Tech IIIrd Sem) (IT)

Dr Harsha Gupta
Assistant Professor
NIET, Gr. Noida

08/07/2024 Dr Harsha Gupta Cyber security ANC0301 Unit 3

Faculty Profile

Name of Faculty: Dr Harsha Gupta

Designation & Department: Assistant Professor, IT Dept.

Qualification: B.Tech, M.Tech & PhD

Experience: 3 years of experience teaching subjects such as Cyber Security, Software Engineering, Software Project Management, Human Computer Interface.

Evaluation Scheme

Syllabus

Introduction:
Introduction to Information Systems: Types of Information Systems, Development of Information
Systems, Need for Information Security, Threats to Information Systems, Information Assurance,
Guidelines for Secure Password and WI-FI Security and social media and Windows Security,
Security Risk Analysis and Risk Management.

Application Layer Security:
Data Security Considerations-Backups, Archival Storage and Disposal of Data, Security
Technology-Firewall, Intrusion Detection, Access Control, Security Threats -Viruses, Worms,
Trojan Horse, Bombs, Trapdoors, Spoofs, E-mail Viruses, Macro Viruses, Malicious Software,
Network and Denial of Services Attack, Security Threats to E-Commerce: Electronic Payment
System, e- Cash, Issues with Credit/Debit Cards.

Syllabus

Secure System Development:
Application Development Security, Architecture & Design, Security Issues in Hardware: Data
Storage and Downloadable Devices, Mobile Protection, Security Threats involving in social media,
Physical Security of IT Assets, Access Control, CCTV and Intrusion Detection Systems, Backup
Security Measures.

Cryptography and Network Security:
• Public key cryptography: RSA Public Key Crypto with implementation in Python, Digital
Signature Hash Functions, Public Key Distribution.

• Symmetric key cryptography: DES (Data Encryption Standard), AES (Advanced Encryption
Standard), Secure hash algorithm (SHA-1).

• Real World Protocols: Basic Terminologies, VPN, Email Security Certificates, Transport Layer
Security, TLS, IP security, DNS Security.

Syllabus

Security Policy:
• Policy design Task, WWW Policies, Email based Policies, Policy Revaluation Process-
Corporate Policies-Sample Security Policies, Publishing and Notification Requirement of the
updated and new Policies.

• Recent trends in security.

Applications

There are many real-life examples in which financial organizations such as banks, social organizations, weather channels, etc. have faced cyber-attacks and lost valuable information and resources. Fixing these problems requires comprehensive cyber security awareness.

According to KPMG, the annual compensation for cyber security heads ranges from 2 Cr to 4 Cr. The industry also reports a satisfaction level of 68%, making it a mentally and financially satisfying career for most.

Course Objective

Students will learn about:

• Security of Information system and Risk factors.

• Examine security threats and vulnerability in various scenarios.

• Understand concept of cryptography and encryption technique to protect the data from cyber-attack

• Provide protection for software and hardware.

Course Outcome

• After successful completion of this course student will be able to -


Course Outcome No. | Course Outcomes | Bloom's Knowledge Level (KL)
CO1 | Analyze the cyber security needs of an organization. | K4
CO2 | Identify and examine software vulnerabilities and security solutions. | K1, K3
CO3 | Comprehend IT Assets security (hardware and Software) and performance indicators. | K2
CO4 | Measure the performance and encoding strategies of security systems. | K3, K5
CO5 | Understand and apply cyber security methods and policies to enhance current scenario security. | K2, K3

Program Outcomes

1. Engineering knowledge

2. Problem analysis

3. Design/development of solutions

4. Conduct investigations of complex problems

5. Modern tool usage

6. The engineer and society

7. Environment and sustainability

Program Outcomes…(cont.)

8. Ethics

9. Individual and team work

10. Communication

11. Project management and finance

12. Life-long learning

CO-PO Mapping

CO No.  PO1  PO2  PO3  PO4  PO5  PO6  PO7  PO8  PO9  PO10  PO11  PO12
CO1     2    2    1    2    -    -    -    1    2    1     2     2
CO2     2    2    2    2    2    1    -    1    2    1     2     2
CO3     2    2    1    2    2    -    -    1    2    1     2     2
CO4     2    2    1    2    2    1    -    1    2    1     2     2
CO5     2    2    1    2    2    -    -    1    2    1     2     2

*3 = High, *2 = Medium, *1 = Low

Program Specific Outcomes

Program Specific Outcomes (PSOs) are what the students should be able to do at the time of graduation. The PSOs are program specific. PSOs are written by the department offering the program.

On successful completion of B. Tech. (CSE) Program, the Information and Technology engineering graduates will be able to:

PSO1: Work as a software developer, database administrator, tester or networking engineer for providing solutions to the real world and industrial problems.
PSO2: Apply core subjects of information technology related to data structure and algorithm, software engineering, web technology, operating system, database and networking to solve complex IT problems.
PSO3: Practice multi-disciplinary and modern computing techniques by lifelong learning to establish innovative career.
PSO4: Work in a team or individual to manage projects with ethical concern to be a successful employee or employer in IT industry.

PSO Mapping

Program Specific Outcomes and Course Outcomes Mapping

CO    PSO1  PSO2  PSO3  PSO4
CO1   2     2     -     2
CO2   2     2     1     2
CO3   2     2     -     2
CO4   2     2     -     2
CO5   2     2     -     2

*3 = High, *2 = Medium, *1 = Low

Program Educational Objectives

• The Program Educational Objectives (PEOs) of an engineering degree program are the statements that describe the expected achievements of graduates in their career, and what the graduates are expected to perform and achieve during the first few years after graduation.

PEO1: To have an excellent scientific and engineering breadth so as to comprehend, analyze, design and solve real-life problems using state-of-the-art technology.

PEO2: To lead a successful career in industries or to pursue higher studies or to understand entrepreneurial endeavors.

PEO3: To effectively bridge the gap between industry and academics through effective communication skill, professional attitude and a desire to learn.

Result Analysis

Faculty Name | Subject Name | Code | Result
Dr Harsha Gupta | Cyber Security | ANC0301 | 100%

Question Paper Template
SECTION – A CO

1. Attempt all parts- [10×1=10]

1-a. Question- -1
1-b. Question- -1
1-c. Question- -1
1-d. Question- -1
1-e. Question- -1
1-f. Question- -1
1-g. Question- -1
1-h. Question- -1
1-i. Question- -1
1-j. Question- -1

2 Attempt all parts- [5×2=10] CO

2-a. Question- -2
2-b. Question- -2
2-c. Question- -2
2-d. Question- -2
2-e. Question- -2

Question Paper Template
SECTION – B CO

3 Answer any five of the following- [5×6=30]

3-a. Question- -6

3-b. Question- -6

3-c. Question- -6

3-d. Question- -6

3-e. Question- -6

3-f. Question- -6

3-g. Question- -6

Question Paper Template
SECTION – C CO

4 Answer any one of the following- [5×10=50]
4-a. Question- -10
4-b. Question- -10
5 Answer any one of the following-
5-a. Question- -10
5-b. Question- -10
6 Answer any one of the following-
6-a. Question- -10
6-b. Question- -10
7 Answer any one of the following-
7-a. Question- -10
7-b. Question- -10
8 Answer any one of the following-
8-a. Question- -10
8-b. Question- -10

Prerequisite/Recap

• Basic familiarity with the domain of Computer Science.
• Concepts of networks and operating systems.
• Commands of a programming language.

Brief Introduction about the Subject

• Modern life depends on online services, so having a better understanding of cyber security threats is vital.
• The course will improve your online safety in the context of the wider world, introducing concepts like malware, trojan virus, network security, cryptography, identity theft, and risk management.

1. https://www.javatpoint.com/cyber-security-introduction
2. https://www.edureka.co/blog/what-is-cybersecurity/
3. http://natoassociation.ca/a-short-introduction-to-cyber-security/

Unit Content

• Developing Secure Information Systems
• Application Development Security,
• Information Security Governance & Risk Management,
• Security Architecture & Design
• Security Issues in Hardware, Data Storage & Downloadable Devices,
• Physical Security of IT Assets, Access Control, CCTV and Intrusion Detection Systems
• Backup Security Measures.

Unit Objective
Topic | Objective
Application Development Security | Develop an understanding of Secure Information System Development and integration of security in development phases
IS Governance & Risk Management | Study of Information Security Governance & Risk Management
Security Architecture & Design, Security Issues in Hardware | Examine the Security Architecture and Design Security Issues in Hardware
Data Storage | Understand the security issues in data storage and Downloadable Devices
Physical Security of IT Assets | Develop an understanding of Access Control, CCTV and IDS
Backup Security Measures | Study of concept of Backup Security Measures

Objective of Topics

Topic | Objective | CO Mapping
Application Development Security | Develop an understanding of Secure Information System Development and integration of security in development phases | CO3

Prerequisite

• Denial of Services Attack

• Threats to E-Commerce
• Mobile, cloud security

Secure Information System Development(CO3)

• During secure system development, stakeholders have to decide and select the development activities.
• Traditional system and software engineering lifecycles, such as Waterfall, V-model, Spiral, Prototype development, Agile, and Incremental development, could be a good starting option. However, traditional development lifecycles do not take security concerns into account in particular.

Therefore, there exist approaches which focus on security development techniques, methods, and tools. The three secure system development lifecycles are:
1. Microsoft Secure System Development Lifecycle
2. Open Web Application Security Project (OWASP) and Comprehensive Lightweight Application Security Process (CLASP)
3. Seven Touchpoints for Software Security

Integration of Security in SDLC Phases

[Figure: Security in SDLC, shown as a cycle of phases: Elicitation Phase, Analysis Phase, Design Phase, Implementation Phase, Maintenance Phase. Source: Springer link]


Integration of Security in SDLC Phases

The Elicitation Phase:

• Determines the security requirements of the software application by executing a simple risk analysis exercise
• Information asset identification and valuation
• Threat identification and assessment
• Risk (asset/threat) identification
• Determine the level of vulnerability
• Risk assessment
• Risk prioritisation.

Integration of Security in SDLC Phases

The Analysis Phase:

• Determines the security services to be used to satisfy the security requirements.

• During the analysis phase, security services are selected according to their ability to mitigate the security risks identified.

• The output of this phase is a refined set of security requirements.

• Identify the relevant security services and level of protection required to mitigate each risk.

Integration of Security in SDLC Phases

The Design Phase:

• Determines how the security services will be implemented
• Map security services to security mechanisms;
• Consolidate security services and mechanisms.

The Implementation Phase:

• Identifies and implements appropriate software security tools and components
• Map security mechanisms to software security components.

Integration of Security in SDLC Phases

The Maintenance Phase:

• During this phase, it is important to find ways to evaluate the security of the system to ensure that the system is as secure as intended.
• Improve the auditability of the software application.
• Users and operations staff need to be educated in using the software application in a secure manner.
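
The five phases chain together: prioritised risks from elicitation select security services, services map to mechanisms, and mechanisms map to software components. The Python sketch below is an added example, not part of the original slides; the assets, the 1-5 scoring scale, the multiplicative risk score, the threshold and all service, mechanism and component names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from the elicitation phase (assumed 1-5 scales)."""
    asset: str
    threat: str
    asset_value: int    # information asset identification and valuation
    likelihood: int     # threat identification and assessment
    vulnerability: int  # level of vulnerability

    @property
    def score(self) -> int:
        # Assumed scoring rule for this example; the slides give no formula.
        return self.asset_value * self.likelihood * self.vulnerability


# Constructed sample risk register.
RISKS = [
    Risk("customer database", "unauthorised disclosure", 5, 4, 3),
    Risk("order records", "tampering", 4, 3, 3),
    Risk("public brochure site", "defacement", 1, 2, 2),
    Risk("admin console", "credential guessing", 5, 3, 4),
]

# Analysis phase: security service selected to mitigate each risk.
SERVICES = {
    ("customer database", "unauthorised disclosure"): "confidentiality",
    ("order records", "tampering"): "integrity",
    ("admin console", "credential guessing"): "authentication",
}
# Design phase: security services mapped to security mechanisms.
MECHANISMS = {
    "confidentiality": "encryption at rest",
    "integrity": "keyed message authentication code",
    "authentication": "multi-factor login",
}
# Implementation phase: mechanisms mapped to (hypothetical) software components.
# "multi-factor login" is left unmapped on purpose so the audit finds a gap.
COMPONENTS = {
    "encryption at rest": "storage encryption module",
    "keyed message authentication code": "HMAC library wrapper",
}


def prioritise(risks, threshold):
    """Elicitation output: risks at or above the threshold, highest first."""
    kept = [r for r in risks if r.score >= threshold]
    return sorted(kept, key=lambda r: r.score, reverse=True)


def trace(risk):
    """Return (service, mechanism, component, missing_phase) for one risk."""
    service = SERVICES.get((risk.asset, risk.threat))
    if service is None:
        return None, None, None, "analysis"
    mechanism = MECHANISMS.get(service)
    if mechanism is None:
        return service, None, None, "design"
    component = COMPONENTS.get(mechanism)
    if component is None:
        return service, mechanism, None, "implementation"
    return service, mechanism, component, None


def audit(risks, threshold):
    """Maintenance-phase check: prioritised risks whose chain is incomplete."""
    gaps = []
    for risk in prioritise(risks, threshold):
        missing = trace(risk)[3]
        if missing is not None:
            gaps.append((risk.asset, missing))
    return gaps


if __name__ == "__main__":
    for risk in prioritise(RISKS, 20):
        print(risk.score, risk.asset, trace(risk))
    print("gaps:", audit(RISKS, 20))
```

The audit reports the admin console risk as unresolved at the implementation phase, which is the kind of finding a maintenance-phase security evaluation is meant to surface.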

Application Development Security (CO3)

• Information is available for organizations in the form of assets, which need to be used (collected, stored, shared, and deleted) in an intelligent manner.

• An intelligent use of information assets helps organizations stay ahead of their competitors.
• Therefore, these assets need to be protected from any kind of threat that may result in a breach of confidentiality, integrity, or availability of resources.

Issues related to the secure development of applications

• Less trained/skilled developers

• Less educational focus on secure development

• Difficulty of finding the right information related to specific security measures for particular applications or application development strategies.

• Lifecycle systems considering security mostly in the last phases only.

Common Framework for Application Security

Secure applications can be developed by following certain specifications that contain foundation, principles, and design guidelines.
• Foundation: Foundation is the basic knowledge of the development
procedure and security issues to consider before starting to develop
the application.
• Principles: Principles are the basic rules to be followed during the
application development process.
• Design Guidelines: Design guidelines include the best code
implementation methods that are tested and have been proven
successful over time.

Daily Quiz

1. What is application security?

2. Mention some Information Security considerations.

3. What is SDLC?

Topic Links

• https://youtu.be/snJGzyXzVec
• https://youtu.be/8caqok3ah8o

Recap

Integration of Security in SDLC Phases(Sec SDLC)

1. Elicitation Phase

2. Analysis Phase

3. Design Phase

4. Implementation Phase

5. Maintenance Phase

Objective of Topics

Topic | Objective | CO Mapping
Security Architecture & Design, Security Issues in Hardware | Examine the Security Architecture and Design Security Issues in Hardware | CO3

Architecture and Design (CO3)

• Security Architecture Components:
– Hardware
– Operating System
– Software

Architecture and Design (CO3)

Security Architecture and Design:
• Hardware and Software: Explains the way to maintain the security of this system
• Models: Provides the way to design secure system
• Evaluation Methods: Describes the level of security of a system.

Concepts for Secure System Design

1- Layering:
• Layering is a concept that arranges hardware, drivers for kernel and
devices, operating system, and applications in a sequential order.
• The layering approach is used to differentiate the hardware from the
software into different tiers.
• A generic list of security architecture layers is as follows:
1. Hardware (bottom layer)
2. Kernel (a part of OS) and device drivers
3. Operating System
4. Application software (Top Layer)

Concepts for Secure System Design

2- Abstraction:
• The purpose of abstraction is to hide unnecessary details from users.
• Increasing the complexity of the system only increases the risk of threats.
• Abstraction provides a way to manage that complexity.

– For example, when music is played from a file through the speaker of the computer system, the user is only concerned with playing the music with a click, without knowing the internal working of the music player.

Concepts for Secure System Design

3- Security Domain:
• A security domain is the list of objects a subject is allowed to access.
• With respect to kernels, two domains are user mode and kernel mode.
• Kernel mode (also known as supervisor mode) is where the kernel lives, allowing low-level access to memory, CPU, disk, etc. It is the most trusted and powerful part of the system.
• User mode is where user accounts and their processes live. The two domains are separated: an error or security lapse in user mode should not affect the kernel.

Concepts for Secure System Design

4- The Ring Model:

• The ring model is a form of CPU hardware layering that separates and protects domains (such as kernel mode and user mode) from each other.
• Many CPUs, such as the Intel x86 family, have four rings, ranging from ring 0 (kernel) to ring 3.

The rings are (theoretically) used as follows:
Ring 0: Kernel
Ring 1: Other OS components that do not fit into ring 0
Ring 2: Device drivers
Ring 3: User applications

Concepts for Secure System Design

5- Open and Closed Systems:

• An open system uses open hardware and standards, using standard components from a variety of vendors.
– Ex- Assembled Desktop computer
• A closed system uses only proprietary hardware or software from a specific vendor.
– Ex- Branded Desktop (HP)

Daily Quiz

1. What does secure architecture design mean?

2. What are Security Issues with Hardware?

3. What is security analysis?

4. What are the principles for secure system design?

Weekly Assignment

1. What do you mean by Application Security? Name the two protocols used for Email Security and explain them.
2. Elaborate on the term access control. What is included in the authorization process (File, Program, Data rights)? Explain all the types of control.
3. Define vendor challenges and user challenges for application security.
4. Write a short note on data disposal.
5. What do you mean by physical security of IT assets?
6. Explain Information security governance.
7. Write about the design Security Issues in Hardware, Data Storage & Downloadable Devices.
8. What are the different Measures of Backup Security?
9. What are the different types of Biometrics?
10. Explain the Principles for Secure System Design.

Topic Link

• https://youtu.be/cUvMIOdaSBs

Security Issues with Hardware (CO3)

• Hardware mainly faces security issues related to:
– Stealing
– Destruction
– Gaining unauthorized access
– Breaching the security code of conduct

• Example: if an organization has given laptops to some of its employees, they may be using their laptops for illegitimate activities, which results in threats to the organization's data integrity and confidentiality.

Ways to Secure Hardware

• Locks and access control mechanisms:
– Biometric access control,
– Authentication codes/tokens,
– Radio Frequency Identification (RFID), etc.

• You also need to apply Local intranet and Virtual Private Networks (VPNs) to provide complete security for your system.

• However, network routers are also subject to eavesdropping and other kinds of attack that may harm your organization's internal security.

Daily Quiz

1. What is hardware security?

2. Differentiate breaching and stealing.

Topic Link

• https://youtu.be/Ye2H1n2MtIc
• https://youtu.be/xwgecIX3E4I

Objective of Topics

Topic | Objective | CO Mapping
Data Storage and Downloadable Devices | Understand the security issues in data storage and Downloadable Devices | CO3

Security Issues with Downloadable (Peripheral) Devices (CO3)

• Peripheral devices: The term peripheral device refers to all hardware components that are attached to a computer and are controlled by the computer system, but they are not the core components of the computer.
• Peripherals can also be defined as devices that can be easily removed and plugged into a computer system. Types are:
1. Input device: sends data or instructions to the computer, such as Mouse, Keyboard, Scanner.
2. Output device: provides output data from the computer, such as a Monitor, printer, projector.
3. Storage device: performs both input and output functions, such as CDs, DVDs, Pen drive, Memory card.

Security Issues with Downloadable (Peripheral) Devices (CO3)

The threats to the security of data storage devices can be External or Internal.

1. Internal: If you have stored some data on a CD and some unauthenticated user gets access to that CD, he/she may use it unlawfully. If the device has inbuilt security mechanisms, then it can be destroyed, thereby resulting in loss of some crucial data. This can create problems for data integrity and availability.
2. External: In an external threat, an unseen entity can create a change which cannot be easily detected. If such a change of information is allowed in the data storage device, then a person may alter the data in such a way that it is no longer available for authenticated users.

Security Issues with Downloadable (Peripheral) Devices (CO3)

Their loss and theft, disposal, stealing of data, denial of data, malware introduction, etc.

Specific security measures should be applied to protect information from being damaged, stolen, or corrupted by internal or external threats.

Introduction to Mobile Device Security(CO3)

• At present around the world, up to five billion people are using mobile phones.

• This has led to a rapid increase in cyber criminals.

• They make use of the information obtained through mobile phones to earn profit, pushing users to become victims of cybercrimes.

• Hence, mobile users must be aware of the potential threats caused by cybercriminals, as these threats are usually cast in wide nets.

Various Attacks on Mobile Devices

Attacks on Mobile Devices:
• Operating System Attacks
• Malware Attacks
• Mobile App Attacks
• Communication Network Attacks

Components of Mobile Device Security

Mobile Device Security:
• Endpoint Security
• Virtual Private Network (VPN)
• Cloud Access Security Broker (CASB)
• Secure Web Gateway
• Email Security

[Figure: Endpoint security. Source: swayam]
[Figure: VPN. Source: swayam]
[Figure: Secure web gateway. Source: swayam]
[Figure: Email security. Source: swayam]
[Figure: Cloud Access Security Broker (CASB). Source: swayam]

Common Mobile Device Security Threats

Reasons for Data Loss:
• Data leakage
• Unsecured Wi-Fi
• Network spoofing
• Phishing attacks
• Spyware
• Broken cryptography
• Improper session handling

Common risks in Mobile Devices

Mobile Device Risks:
• Serious threats in new features
• Physical security
• Multiple user logging
• Secure data storage
• Malware on rise
• Bluetooth attacks
• Mobile browsing
• Mobile device coding issues
• System updates
• Application isolation

Steps to maintain Mobile Device Security

[Figure. Source: swayam]

Recap

• Security Architecture Components
• Security Architecture and Design
• Concepts for Secure System Design
• Security Issues with Downloadable devices

Daily Quiz

1. What are security issues with storage devices?

2. What are security issues with peripheral devices?

Objective of Topics

Topic | Objective | CO Mapping
Physical Security of IT Assets | Study of concept of Physical Security of IT Assets | CO3

Physical Security of IT Assets(CO3)

• When it comes to providing security to your IT assets, you should keep it as simple, coherent, and standardized as possible. The primary threats for the physical security are as follows:
– Physical access exposure to human beings:
• Organizations' own employees => theft, fraud, accidents, and sabotage.
• Data tampering by unauthorized users
– Physical access exposure to natural disasters:
• Natural disasters may destroy your computer systems or all data storage systems.
• They might even interrupt your network (fire, lightning, or electric interruption).

Mechanisms to Solve Physical Security

Physical access controls:
• The physical access control measures can be applied in various forms, such as locks, biometric authentication systems, photo IDs, entry logs, magnetic locks using electronic key cards, and computer terminal locks.

Electronic and visual surveillance systems: Through closed-circuit television (CCTV), RFID sensors
• CCTV cameras are also called the third eye because if a human being misses noticing some people entering a restricted zone, these cameras can capture the event or photos.

Intrusion Detection Systems (IDS): IDS is a way of dealing with unauthorized access to information system assets.

Biometrics and its types

• Biometrics involves something a person is, or a person does

• It recognizes people based on two types:

• Physiological characteristics - fingerprints, face, retina, iris

• Behavioural characteristics - gait, signature

• Another class of biometrics is esoteric biometrics - vein pattern, lip print, brain wave pattern

[Figure: Biometrics and its types. Source: swayam]


Access Control(CO3)

• Access control is a mechanism that defines and controls access rights for individuals who can use specific resources in the OS.
• The access control is a security feature through which the system permits or revokes the right to access any data and resource in a system.
• The permission to access a resource is called authorization.

Access Control

Access control systems:
• File permissions: User can create, read, edit, or delete file on the server
• Program permissions: User can execute a program on an application server
• Data rights permissions: User can retrieve or update information in a database

Access Control

Access Control:
• Rule-Based Access Control
• Mandatory Access Control
• Role-Based Access Control
• Discretionary Access Control

CCTV (CO3)

• CCTV, or closed-circuit television, is a system that allows you to keep an eye on what's going on in and around your business/area.
• It helps in crime prevention and as a security measure.
• Cameras collect images and transfer them to a monitoring-recording device where they are available to be watched, reviewed and/or stored. It links a camera to a video monitor using a direct transmission system. This differs from broadcast television where the signal is transmitted over the air and viewed with a television.
• If a business owner, security guard or employee is suspicious of a potential crime, the surveillance tapes can be used to observe and check for any suspicious activity.



Intrusion Detection Systems(IDS)

• IDS monitors network traffic for suspicious activity


• Issues alerts in case of illicit activity
• Anomaly detection and reporting are two main functions
• Administers two jobs namely, forensic analysis and alert generation
• Prone to false alarms or false positives



Components of Intrusion Detection System

• An IDS comprises a management console and sensors

• It has a database of attack signatures

• Sensors detect any malicious activity

• A sensor also matches the malicious packet against the database

• If a match is found, the sensor reports the malicious activity to the
management console
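The sensor, signature database and management console described above, and the false-alarm problem noted on the previous slide, can be seen in a small signature-matching sensor. This is an added example, not part of the original slides; the signature IDs, patterns, sensor name and sample traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed signature database: id -> (description, byte pattern).
SIGNATURES = {
    "SIG-001": ("path traversal sequence", re.compile(rb"\.\./\.\./")),
    "SIG-002": ("password file path", re.compile(rb"/etc/passwd")),
    "SIG-003": ("SQL UNION SELECT in input", re.compile(rb"(?i)union\s+select")),
}

@dataclass
class ManagementConsole:
    alerts: list = field(default_factory=list)

    def report(self, sensor_id, src, sig_id):
        self.alerts.append((sensor_id, src, sig_id, SIGNATURES[sig_id][0]))

@dataclass
class Sensor:
    sensor_id: str
    console: ManagementConsole

    def inspect(self, src, payload):
        """Match one payload against every signature and report each hit."""
        hits = [sid for sid, (_, pat) in SIGNATURES.items() if pat.search(payload)]
        for sid in hits:
            self.console.report(self.sensor_id, src, sid)
        return hits

# Constructed sample traffic: (source address, payload).
PACKETS = [
    ("192.0.2.5", b"GET /index.html HTTP/1.1"),
    ("192.0.2.9", b"GET /../../etc/passwd HTTP/1.1"),
    ("192.0.2.7", b"GET /search?q=1 UNION SELECT name HTTP/1.1"),
    # Benign help page whose URL contains the SIG-002 string: a false positive.
    ("192.0.2.5", b"GET /docs/hardening-/etc/passwd-permissions.html HTTP/1.1"),
]

def run_sensor():
    console = ManagementConsole()
    sensor = Sensor("nids-1", console)
    per_packet = [sensor.inspect(src, payload) for src, payload in PACKETS]
    return per_packet, console.alerts
```

The last packet is harmless but still raises an alert, because a signature that is a bare substring cannot tell a documentation URL from a request for the file itself.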



Types of Intrusion Detection Systems

• IDS is classified based on its level of operations:
– NIDS
– HIDS

Source: cyber security, G Padmavathi, swayam


[Figure: Types of Intrusion Detection Systems. Source: cyber security, G Padmavathi, swayam]


Types of Intrusion Detection System

• Network intrusion detection system (NIDS): A network intrusion detection
system is deployed at a strategic point or points within the network, where
it can monitor inbound and outbound traffic to and from all the devices on
the network.
• Host intrusion detection system (HIDS): A host intrusion detection system
runs on all computers or devices in the network with direct access to both
the internet and the enterprise's internal network.
• A HIDS has an advantage over an NIDS in that it may be able to detect
anomalous network packets that originate from inside the organization or
malicious traffic that an NIDS has failed to detect.
• A HIDS may also be able to identify malicious traffic that originates from
the host itself, such as when the host has been infected with malware and is
attempting to spread to other systems.



Components of Intrusion Detection System

[Figure: block diagram of IDS components. Labels: Sensor, Detection Engine, Detection Configuration, Decision Engine, Decision Table, Alarm, Response, Action, Report, Information Recorded, Management Console. Source: cyber security, G Padmavathi, swayam]


Objective of Topics

Topic: Backup Security Measures
Objective: Study of concept of Backup Security Measures
CO Mapping: CO3



Backup Security Measures (CO3)

• Data backups are taken to protect important data files and systems
from being lost due to natural disasters or human errors, and to allow
recovery when any kind of disaster has led to the loss of information.
Therefore, it is very important to secure data backups.
• The following practices should be performed to maintain proper
data backup security:
– Assigning responsibility, authority and accountability.
– Assessing risks.
– Developing data protection processes.
– Communicating the processes to the concerned people.
– Executing and testing the process.



Backup Security Measures

1. Assign Accountability, Responsibility and Authority


• Make storage security a function of overall information security
policies and architecture
• Divide duties where data is highly sensitive.
• Ensure that the person authorizing access is not the person charged
with responsibility for execution.
2. Assessing Risk
• Perform a Risk Analysis of the Entire Backup Process.
• Execute a Cost/Benefit Analysis on Backup Data Encryption
• Identify Sensitive Data.



Backup Security Measures

3. Develop Data Protection Process
• Adopt a Multi-Layered Security Approach: Authentication, Authorization,
Encryption, Auditing
• Copy Your Backup Tapes
4. Communicating the processes to the concerned people
• It is important to ensure that the people responsible for carrying out
its security are informed and trained.
• Security policies are the most important aspect of assigning
accountability, responsibility and authority.
5. Executing and testing the process
• Once the end-to-end plan has been developed, defined and
communicated to the appropriate people, it is time to begin the
execution and testing process.



Daily Quiz

1. What is Biometric security?

2. Differentiate authentication and authorization.

3. What are Security Issues with Hardware?

4. What is memory protection?

5. What are the Open and Closed Systems?



Weekly Assignment

1. What do you mean by Application Security? Name the two protocols
used for Email Security and explain them.
2. Elaborate on the term access control. What is included in the authorization
process for (File, Program, Data rights)? Explain all the types of
control.
3. Define vendor challenges and user challenges for application security.
4. Write a short note on data disposal.
5. What do you mean by physical security of IT assets?
6. Explain Information security governance.
7. Write about the design security issues in Hardware, Data Storage &
Downloadable Devices.
8. What are the different measures of Backup Security?
9. What are the different types of Biometrics?
10. Explain the Principles for Secure System Design.
Topic Links

• https://youtu.be/snJGzyXzVec
• https://youtu.be/8caqok3ah8o
• https://youtu.be/WPU2eisvqXE
• https://youtu.be/cUvMIOdaSBs
• https://youtu.be/0a264Edp5l0
• https://youtu.be/Ye2H1n2MtIc
• https://youtu.be/xwgecIX3E4I



MCQs
• Secure information systems are developed by:
a) Integrating security with the system after it has been
developed
b) Never integrating security with the information system
c) Keeping security as a separate action until the last step of
the system development
d) Integrating risk analysis and management activities at
the start of the system development lifecycle and
continuing throughout the cycle
• Which of the following is a control gate in the development phase?
a) Authorizing the decision
b) Reviewing the architecture and design
c) Reviewing the confidentiality and availability
d) Reviewing the operational readiness



MCQs
• The risk management process involves:
a) Framing, deciding, executing, and deleting
b) Framing, assessing, monitoring, and responding
c) Monitoring, assessing, executing, and deleting
d) All of the above
• Which of the following is used to provide physical security of IT
assets?
a) Physical access control technique
b) CCTV surveillance technique
c) IDS technique
d) None
• Which of the following is a part of the secure system design?
a) Layering
b) Abstraction
c) Security domains
d) None



MCQs
• Which of the following is an issue faced by data storage devices?
a) Excessive data mounting
b) Theft, destruction, and damage
c) Too small size
d) All of the above
• Express the correct relationship between vulnerabilities, threats and
risks.
a) Risk = threat x vulnerability
b) Threat = risk x vulnerability
c) Vulnerability = risk + threat
d) Risk = threat – vulnerability
• Characterize the type of hackers who use their knowledge for good
purposes.
a) Black hat
b) White hat
c) Gray hat
d) Blue hat



Glossary Questions

Fill in the right options:

Intrusion Detection System, NIDS and HIDS, Software Development Life
Cycle, Responding to the risks, CCTV

1. IDS stands for ____________

2. IDS can be broadly classified as ______ and ______.

3. SDLC stands for _________.

4. To take preventive or corrective measures so that systems can be kept
protected from any kind of threats, whether internal or external, is
________

5. __________ is used for physical security of an organization.



Past Sessional Papers



Old Question Papers



Expected Questions for University Exam

1. Do vulnerabilities play a vital role in cyber security? Justify.
2. Elaborate on the term access control. What is included in the authorization
process for (File, Program, Data rights)?
3. Describe in brief the application development security.
4. Describe the Risk Management Process.
5. Discuss the types of backup security measures.
6. What do you mean by Security Architecture & Design?



Recap of Unit

The major topics covered are Application Development Security,
Information Security Governance & Risk Management, Security
Architecture & Design, Security Issues in Hardware, Data Storage
& Downloadable Devices, Physical Security of IT Assets, and Backup
Security Measures.
Biometric technology has proved itself as a powerful alternative to
traditional password-based and token-based authentication
technology.



References

1. Charles P. Pfleeger, Shari Lawrence Pfleeger, "Analysing Computer
Security", Pearson Education India.
2. V.K. Pachghare, "Cryptography and Information Security", PHI
Learning Private Limited, Delhi India.
3. Dr. Surya Prakash Tripathi, Ritendra Goyal, Praveen Kumar
Shukla, "Introduction to Information Security and Cyber Law",
Wiley Dreamtech Press. (prefer)
4. https://link.springer.com/content/pdf/10.1007/978-0-387-73269-5_6.pdf
5. http://www.m2sys.com/blog/biometric-resources/what-are-the-biometrics-
6. https://onlinecourses.swayam2.ac.in/cec20_cs09/unit?unit=59&lesson=66



Thank You
