Cyber Security

NOTES

Website:- www.arjun00.com.np
 Unit-I Introduction to Cyber Security:
1.1 Concept of Cyber Security

1.2 Cyber Crimes

1.3 Types of Attacks in cyber

1.4 Hacker Techniques

Concept of Cyber Security:

The International Telecommunications Union [ITU] defines Cyber security as “the collection of
tools, policies, security concepts, security safeguards, guidelines, risk management approaches,
actions, training, best practices, assurance and technologies that can be used to protect the cyber
environment and organization and user’s assets. Organization and user’s assets include connected
computing devices, personnel, infrastructure, applications, services, telecommunications systems,
and the totality of transmitted and/or stored information in the cyber environment.”

Cyber security strives to ensure the attainment and maintenance of the security properties of the
organization and user’s assets against relevant security risks in the cyber environment - the
internet.

Cyber Security Goals

The objective of Cybersecurity is to protect information from being stolen, compromised or

attacked. Cybersecurity can be measured by at least one of three goals-

1. Protect the confidentiality of data.

2. Preserve the integrity of data.
3. Promote the availability of data for authorized users.

Functions of a Cyber Security Center:

Ideally, a Cyber Security Center should strive to ensure a secure and resilient cyber and
communications infrastructure that supports national/ regional security, a vibrant economy, and
the health and safety of all citizens. To achieve this, a Cyber Security Center should:

• Focus on proactively coordinating the prevention and mitigation of those cyber and
telecommunications threats that pose the greatest risk to the Nation;

• Pursue whole-of-nation operational integration by broadening and deepening engagement

with its partners through information sharing to manage threats, vulnerabilities, and
incidents.

WWW.ARJUN00.COM.NP
 • Break down the technological and institutional barriers that impede collaborative
information exchange, situational awareness, and understanding of threats and their
impact.

• Maintain a sustained readiness to respond immediately and effectively to all cyber and
telecommunications incidents of national security.

• Serve stakeholders as a national center of excellence and expertise for cyber and
telecommunications security issues.

• Protect the privacy and constitutional rights of the citizens in the conduct of its mission.

What is cybercrime?

Cybercrime is criminal activity that either targets or uses a computer, a computer network or a
networked device.
Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money.
Cybercrime is carried out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically skilled.
Others are novice hackers.
Rarely, cybercrime aims to damage computers for reasons other than profit. These could be
political or personal.
Types of cybercrime

Here are some specific examples of the different types of cybercrime:

• Email and internet fraud.
• Identity fraud (where personal information is stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency using resources they do not own).
• Cyberespionage (where hackers access government or company data).
Most cybercrime falls under two main categories:
• Criminal activity that targets
• Criminal activity that uses computers to commit other crimes.

WWW.ARJUN00.COM.NP
Example of Cybercrime

Here, are some most commonly occurring Cybercrimes:

• The fraud did by manipulating computer network

• Unauthorized access to or modification of data or application
• Intellectual property theft that includes software piracy
• Industrial spying and access to or theft of computer materials
• Writing or spreading computer viruses or malware
• Digitally distributing child pornography

Cyber-Attack:

Farhat, et.al. (2011) define a cyber-attack as an attack initiated from a computer against a website,
computer system or individual computer (collectively, a single computer) that compromises the
confidentiality, integrity or availability of the computer or information stored on it. They further
noted that cyber-attacks may take the following forms:

• Gaining, or attempting to gain, unauthorized access to a computer system or its data;

• Unwanted disruption or denial of service attacks, including the take down of entire web
sites;

• Installation of viruses or malicious code (malware) on a computer system;

• Unauthorized use of a computer system for processing or storing data;

• Changes to the characteristics of a computer system’s hardware, firmware or software

without the owner’s knowledge, instruction or consent;

• Inappropriate use of computer systems by employees of former employees.

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter
computer code, logic or data and lead to cybercrimes, such as information and identity theft.

We are living in a digital era. Now a day, most of the people use computer and internet. Due to the
dependency on digital things, the illegal computer activity is growing and changing like any type of
crime.

Cyber-attacks can be classified into the following categories:

WWW.ARJUN00.COM.NP
Web-based attacks

These are the attacks which occur on a website or web applications. Some of the important web-
based attacks are as follows-

1. Injection attacks

It is the attack in which some data will be injected into a web application to manipulate the
application and fetch the required information.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.

2. DNS Spoofing

DNS Spoofing is a type of computer security hacking. Whereby a data is introduced into a DNS
resolver's cache causing the name server to return an incorrect IP address, diverting traffic to the
attacker?s computer or any other computer. The DNS spoofing attacks can go on for a long period of
time without being detected and can cause serious security issues.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create cookies
to store the state and user sessions. By stealing the cookies, an attacker can have access to all of the
user data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login credentials
and credit card number. It occurs when an attacker is masquerading as a trustworthy entity in
electronic communication.

5. Brute force

WWW.ARJUN00.COM.NP
It is a type of attack which uses a trial and error method. This attack generates a large number of
guesses and validates them to obtain actual data like user password and personal identification
number. This attack may be used by criminals to crack encrypted data, or by security, analysts to
test an organization's network security.

6. Denial of Service

It is an attack which meant to make a server or network resource unavailable to the users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a crash.
It uses the single system and single internet connection to attack a server. It can be classified into
the following-

Volume-based attacks- Its goal is to saturate the bandwidth of the attacked site, and is measured
in bit per second.

Protocol attacks- It consumes actual server resources, and is measured in a packet.

Application layer attacks- Its goal is to crash the web server and is measured in request per
second.

7. Dictionary attacks

This type of attack stored the list of a commonly used password and validated them to get original
password.

8. URL Interpretation

It is a type of attack where we can change the certain parts of a URL, and one can make a web server
to deliver web pages for which he is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files which is
available on the web server or to execute malicious files on the web server by making use of the
include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercepts the connection between client and server
and acts as a bridge between them. Due to this, an attacker will be able to read, insert and modify
the data in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network. Some
of the important system-based attacks are as follows-

WWW.ARJUN00.COM.NP
1. Virus

It is a type of malicious software program that spread throughout the computer files without the
knowledge of a user. It is a self-replicating malicious computer program that replicates by inserting
copies of itself into other computer programs when executed. It can also execute instructions that
cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself to spread to uninfected

computers. It works same as the computer virus. Worms often originate from email attachments
that appear to be from trusted senders.

3. Trojan horse

It is a malicious program that occurs unexpected changes to computer setting and unusual activity,
even when the computer should be idle. It misleads the user of its true intent. It appears to be a
normal application but when opened/executed some malicious code will run in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a backdoor
so that an application or operating system can be accessed for troubleshooting or other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services. Some
bots program run automatically, while others only execute commands when they receive specific
input. Common examples of bots program are the crawler, chatroom bots, and malicious bots.

Cyber Crime Tools

There are many types of Digital forensic tools

Kali Linux:

Kali Linux is an open-source software that is maintained and funded by Offensive Security. It is a
specially designed program for digital forensics and penetration testing.

Ophcrack:

This tool is mainly used for cracking the hashes, which are generated by the same files of windows.
It offers a secure GUI system and allows you to runs on multiple platforms.

EnCase:

This software allows an investigator to image and examine data from hard disks and removable
disks.

WWW.ARJUN00.COM.NP
SafeBack:

SafeBack is mainly using for imaging the hard disks of Intel-based computer systems and restoring
these images to some other hard disks.

Data dumper:

This is a command-line computer forensic tool. It is freely available for the UNIX Operating system,
which can make exact copies of disks suitable for digital forensic analysis.

Md5sum:

A tool to check helps you to check data is copied to another storage successfully or not.

Definition of Hackers:

Hackers can be classified into different categories such as white hat, black hat, and grey hat, based
on their intent of hacking a system. These different terms come from old Spaghetti Westerns,
where the bad guy wears a black cowboy hat and the good guy wears a white hat.

White Hat Hackers

White Hat hackers are also known as Ethical Hackers. They never intent to harm a system, rather
they try to find out weaknesses in a computer or a network system as a part of penetration testing
and vulnerability assessments.
Ethical hacking is not illegal and it is one of the demanding jobs available in the IT industry. There
are numerous companies that hire ethical hackers for penetration testing and vulnerability
assessments.

Black Hat Hackers

Black Hat hackers, also known as crackers, are those who hack in order to gain unauthorized
access to a system and harm its operations or steal sensitive information.
Black Hat hacking is always illegal because of its bad intent which includes stealing corporate data,
violating privacy, damaging the system, blocking network communication, etc.

Grey Hat Hackers

Grey hat hackers are a blend of both black hat and white hat hackers. They act without malicious
intent but for their fun, they exploit a security weakness in a computer system or network without
the owner’s permission or knowledge.
Their intent is to bring the weakness to the attention of the owners and getting appreciation or a
little bounty from the owners.

Miscellaneous Hackers
Apart from the above well-known classes of hackers, we have the following categories of hackers
based on what they hack and how they do it −

WWW.ARJUN00.COM.NP
Red Hat Hackers
Red hat hackers are again a blend of both black hat and white hat hackers. They are usually on the
level of hacking government agencies, top-secret information hubs, and generally anything that
falls under the category of sensitive information.

Blue Hat Hackers

A blue hat hacker is someone outside computer security consulting firms who is used to bug-test a
system prior to its launch. They look for loopholes that can be exploited and try to close these
gaps. Microsoft also uses the term BlueHat to represent a series of security briefing events.

Elite Hackers
This is a social status among hackers, which is used to describe the most skilled. Newly discovered
exploits will circulate among these hackers.

Script Kiddie
A script kiddie is a non-expert who breaks into computer systems by using pre-packaged
automated tools written by others, usually with little understanding of the underlying concept,
hence the term Kiddie.

Neophyte
A neophyte, "n00b", or "newbie" or "Green Hat Hacker" is someone who is new to hacking or
phreaking and has almost no knowledge or experience of the workings of technology and hacking.

Hacktivist
A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or
political message. In general, most hacktivism involves website defacement or denialof-service
attacks.

Hacking Techniques:

Usually a hacker deploys multiple techniques to reach their goal, sometimes the simplest ways are
the moste efficient. Using social engineering techniques exploiting human kindness, greed and
curiosity to gain access is not uncommon.

Phishing:

The hacker makes a perfect copy of a popular website and uses a URL that is closed enough to the
original to go unnoticed. He then sends a legitimate-looking email to the target containing a link to
the phishing site. The target will unknowingly sign in to the fake websites giving the hacker his
login credentials.

SQL Injections:

Most websites use an SQL database to store information about their customers. An application
communicating with that database can be exploited with SQL-injections if it’s poorly coded. The

WWW.ARJUN00.COM.NP
attack is executed on the website’s user-input fields(search box, login box,etc) that accept illegal
input, giving the hacker access to the database.

DoS/DDoS:

In a Denial of Service attack, the hacker uses a Botnet(network of hijacked computers) to flood a
specific server with massive amounts of traffic. The server is quickly overloaded, and all websites
hosted on it will be offline.

Brute Force:

Essentially it’s guessing password until the hacker get’s it right. If a user has a weak password, i.e.
“1234” or “password”, the hacker can try to guess it either by hand or using specialized tools.

Fake WAP:

Free wifi is common in public spaces like airports and coffee shops making it an ideal target for a
hacker to exploit. The hacker creates a fake wireless Access Point(WAP) mimicking the name of the
real WIFI, so user connect to it. While the users is connected to the fake WiFi the hacker can read all
information going through it, login credentials, credit card, and personal messages.

Sniffing/Snooping:

The hacker monitors traffic on unsecured networks to find relevant information that can be used in
a future attack.

Bait & Switch

In this attack, the hacker buys advertising space on popular websites, and the ads will redirect the
target to a page full of malware. The hackers ads will look legitimate and very appealing to the
target, but as soon as the target clicks them they will be infected. It’s called Bait & Switch since the
hacker’s baiting with good ads and then switching the link to a bad page.

Cookie Theft:

Most websites use cookies to store user data and make them load faster, this can be passwords,
browsing history, etc. if the connections are not secured through SSL the hacker can steal this data
and use the cookie to authenticate themselves as the target.

Waterhole Attacks:

The hacker studies the target’s daily routines to find out his favorite physical locations(cafe)),these
are the waterholes. Once the hacker knows the waterholes and the timing of the target he sets his
trap using a combination of waterholes and the timing of the target he sets his trap using a
combination of techniques.

UI Redress/ClickJacking:

WWW.ARJUN00.COM.NP
In essence, the hacker tricks the target to click on a specific link by making it look like something
else. It’s very common on movie streaming or torrent download pages, when the user clicks on
“Download” or “Play”, it’s an advertising link they are clicking. In other cases it can be used to trick
the target to transfer money to the hacker from their online bank.

***************************************************************************************************

WWW.ARJUN00.COM.NP
 Security Technologies
2.1 Firewalls
2.2 Virtual Private Networks
2.3 Encryption
2.4 Intrusion Detection
2.5 Anti-Malicious Software
2.6 Secure Software & Browser Security
2.7 SSL and IPSec

Security Technologies
With the rapid growth in the Internet, cybersecurity has become a major concern to organizations throughout the
world. The fact that the information and tools & technologies needed to penetrate the security of corporate
organization networks are widely available has increased that security concern.
Today, the fundamental problem is that much of the security technology aims to keep the attacker out, and when
that fails, the defences have failed. Every organization who uses internet needed security technologies to cover the
three primary control types - preventive, detective, and corrective as well as provide auditing and reporting. Most
security is based on one of these types of things: something we have (like a key or an ID card), something we know
(like a PIN or a password), or something we are (like a fingerprint).
Some of the important security technologies used in the cybersecurity are described below-

Firewall
Firewall is a computer network security system designed to prevent unauthorized access to or from a private
network. It can be implemented as hardware, software, or a combination of both. Firewalls are used to prevent
unauthorized Internet users from accessing private networks connected to the Internet. All messages are entering
or leaving the intranet pass through the firewall. The firewall examines each message and blocks those that do not
meet the specified security criteria.

The primary purpose of a firewall is to allow non-threatening traffic and prevent malicious or unwanted data
traffic for protecting the computer from viruses and attacks. A firewall is a cybersecurity tool that filters network
traffic and helps users block malicious software from accessing the Internet in infected computers.

WWW.ARJUN00.COM.NP Page 1
Firewall: Hardware or Software

This is one of the most problematic questions whether a firewall is a hardware or software. As stated above, a
firewall can be a network security device or a software program on a computer. This means that the firewall comes
at both levels, i.e., hardware and software, though it's best to have both.

Each format (a firewall implemented as hardware or software) has different functionality but the same purpose. A
hardware firewall is a physical device that attaches between a computer network and a gateway. For example, a
broadband router. On the other hand, a software firewall is a simple program installed on a computer that works
through port numbers and other installed software.

Apart from that, there are cloud-based firewalls. They are commonly referred to as FaaS (firewall as a service). A
primary advantage of using cloud-based firewalls is that they can be managed centrally. Like hardware firewalls,
cloud-based firewalls are best known for providing perimeter security.

Why Firewall

Firewalls are primarily used to prevent malware and network-based attacks. Additionally, they can help in
blocking application-layer attacks. These firewalls act as a gatekeeper or a barrier. They monitor every attempt
between our computer and another network. They do not allow data packets to be transferred through them
unless the data is coming or going from a user-specified trusted source.

Firewalls are designed in such a way that they can react quickly to detect and counter-attacks throughout the
network. They can work with rules configured to protect the network and perform quick assessments to find any
suspicious activity. In short, we can point to the firewall as a traffic controller.

Some of the important risks of not having a firewall are:

Open Access

If a computer is running without a firewall, it is giving open access to other networks. This means that it is
accepting every kind of connection that comes through someone. In this case, it is not possible to detect threats or
attacks coming through our network. Without a firewall, we make our devices vulnerable to malicious users and
other unwanted sources.

Lost or Comprised Data

Without a firewall, we are leaving our devices accessible to everyone. This means that anyone can access our
device and have complete control over it, including the network. In this case, cybercriminals can easily delete our
data or use our personal information for their benefit.

Network Crashes

In the absence of a firewall, anyone could access our network and shut it down. It may lead us to invest our
valuable time and money to get our network working again.

Therefore, it is essential to use firewalls and keep our network, computer, and data safe and secure from unwanted
sources.

WWW.ARJUN00.COM.NP Page 2
Brief History of Firewall

Firewalls have been the first and most reliable component of defense in network security for over 30 years.
Firewalls first came into existence in the late 1980s. They were initially designed as packet filters. These packet
filters were nothing but a setup of networks between computers. The primary function of these packet filtering
firewalls was to check for packets or bytes transferred between different computers.

Firewalls have become more advanced due to continuous development, although such packet filtering firewalls are
still in use in legacy systems.

As the technology emerged, Gil Shwed from Check Point Technologies introduced the first stateful inspection
firewall in 1993. It was named as FireWall-1. Back in 2000, Netscreen came up with its purpose-built
firewall 'Appliance'. It gained popularity and fast adoption within enterprises because of increased internet speed,
less latency, and high throughput at a lower cost.

The turn of the century saw a new approach to firewall implementation during the mid-2010. The 'Next-
Generation Firewalls' were introduced by the Palo Alto Networks. These firewalls came up with a variety of
built-in functions and capabilities, such as Hybrid Cloud Support, Network Threat Prevention, Application and
Identity-Based Control, and Scalable Performance, etc. Firewalls are still getting new features as part of continuous
development. They are considered the first line of defense when it comes to network security.

How does a firewall work?

A firewall system analyzes network traffic based on pre-defined rules. It then filters the traffic and prevents any
such traffic coming from unreliable or suspicious sources. It only allows incoming traffic that is configured to
accept.

Typically, firewalls intercept network traffic at a computer's entry point, known as a port. Firewalls perform this
task by allowing or blocking specific data packets (units of communication transferred over a digital network)
based on pre-defined security rules. Incoming traffic is allowed only through trusted IP addresses, or sources.

WWW.ARJUN00.COM.NP Page 3
Functions of Firewall

As stated above, the firewall works as a gatekeeper. It analyzes every attempt coming to gain access to our
operating system and prevents traffic from unwanted or non-recognized sources.

Since the firewall acts as a barrier or filter between the computer system and other networks (i.e., the public
Internet), we can consider it as a traffic controller. Therefore, a firewall's primary function is to secure our network
and information by controlling network traffic, preventing unwanted incoming network traffic, and validating
access by assessing network traffic for malicious things such as hackers and malware.

Generally, most operating systems (for example - Windows OS) and security software come with built-in firewall
support. Therefore, it is a good idea to ensure that those options are turned on. Additionally, we can configure the
security settings of the system to be automatically updated whenever available.

Firewalls have become so powerful, and include a variety of functions and capabilities with built-in features:

o Network Threat Prevention

o Application and Identity-Based Control
o Hybrid Cloud Support
o Scalable Performance
o Network Traffic Management and Control
o Access Validation
o Record and Report on Events

Limitations of Firewall

When it comes to network security, firewalls are considered the first line of defense. But the question is whether
these firewalls are strong enough to make our devices safe from cyber-attacks. The answer may be "no". The best
practice is to use a firewall system when using the Internet. However, it is important to use other defense systems

WWW.ARJUN00.COM.NP Page 4
to help protect the network and data stored on the computer. Because cyber threats are continually evolving, a
firewall should not be the only consideration for protecting the home network.

The importance of using firewalls as a security system is obvious; however, firewalls have some limitations:

o Firewalls cannot stop users from accessing malicious websites, making it vulnerable to internal threats or
attacks.
o Firewalls cannot protect against the transfer of virus-infected files or software.
o Firewalls cannot prevent misuse of passwords.
o Firewalls cannot protect if security rules are misconfigured.
o Firewalls cannot protect against non-technical security risks, such as social engineering.
o Firewalls cannot stop or prevent attackers with modems from dialing in to or out of the internal network.
o Firewalls cannot secure the system which is already infected.

Therefore, it is recommended to keep all Internet-enabled devices updated. This includes the latest operating
systems, web browsers, applications, and other security software (such as anti-virus). Besides, the security of
wireless routers should be another practice. The process of protecting a router may include options such as
repeatedly changing the router's name and password, reviewing security settings, and creating a guest network for
visitors.

Types of Firewall

Depending on their structure and functionality, there are different types of firewalls. The following is a list of some
common types of firewalls:

o Proxy Firewall
o Packet-filtering firewalls
o Stateful Multi-layer Inspection (SMLI) Firewall
o Unified threat management (UTM) firewall
o Next-generation firewall (NGFW)
o Network address translation (NAT) firewalls

Difference between a Firewall and Anti-virus

Firewalls and anti-viruses are systems to protect devices from viruses and other types of Trojans, but there are
significant differences between them. Based on the vulnerabilities, the main differences between firewalls and anti-
viruses are tabulated below:

WWW.ARJUN00.COM.NP Page 5
Attributes Firewall Anti-virus

Definition A firewall is defined as the system Anti-virus is defined as the special type of
which analyzes and filters incoming software that acts as a cyber-security
or outgoingdata packets based on mechanism. The primary function of Anti-
pre- defined rules. virus is tomonitor, detect, and remove any
apprehensive or distrustful file or software
from the device.

Structure Firewalls can be hardware and software Anti-virus can only be used as software.
both. The router is an example of a Anti-virus is a program that is installed on
physical firewall, and a simple firewall the device, justlike the other programs.
program on the system is an example of a
software firewall.

Implementation Because firewalls come in the form of Because Anti-virus comes in the form of
hardware and software,a firewall can be software, therefore, Anti-virus can be
implemented either way. implemented only atthe software level.
There is no possibility of implementing
Anti-virus at the hardware level.

Responsibility A firewall is usually defined as anetwork Anti-viruses are primarily responsible for
controlling system. It means that detecting and removing viruses from
firewalls are primarily responsible for computersystems or other devices. These
monitoring and filtering network traffic. viruses can be in the form of infected files
or software.

Scalability Because the firewall supports both types Anti-viruses are generally considered less-
of implementations,hardware, and scalable than firewalls. This is because anti-
software, therefore, it is more scalable viruscan only be implemented at the
than anti-virus. software level. They don't support
hardware-level implementation.

Threats A firewall is mainly used to prevent Anti-virus is mainly used to scan, find, and
network related attacks. It mainly remove viruses, malware, and Trojans,
includes external network threats?for which can harm system files and software
example- Routing attacks and IPSpoofing. and sharepersonal information (such as
logincredentials, credit card details, etc.)
with hackers

WWW.ARJUN00.COM.NP Page 6
Types of Firewall

Packet-filtering Firewalls

A packet filtering firewall is the most basic type of firewall. It acts like a management program that monitors
network traffic and filters incoming packets based on configured security rules. These firewalls are designed to
block network traffic IP protocols, an IP address, and a port number if a data packet does not match the established
rule-set.

While packet-filtering firewalls can be considered a fast solution without many resource requirements, they also
have some limitations. Because these types of firewalls do not prevent web-based attacks, they are not the safest.

Circuit-level Gateways

Circuit-level gateways are another simplified type of firewall that can be easily configured to allow or block traffic
without consuming significant computing resources. These types of firewalls typically operate at the session-level
of the OSI model by verifying TCP (Transmission Control Protocol) connections and sessions. Circuit-level
gateways are designed to ensure that the established sessions are protected.

WWW.ARJUN00.COM.NP Page 7
Typically, circuit-level firewalls are implemented as security software or pre-existing firewalls. Like packet-
filtering firewalls, these firewalls do not check for actual data, although they inspect information about
transactions. Therefore, if a data contains malware, but follows the correct TCP connection, it will pass through the
gateway. That is why circuit-level gateways are not considered safe enough to protect our systems.

Application-level Gateways (Proxy Firewalls)

Proxy firewalls operate at the application layer as an intermediate device to filter incoming traffic between two
end systems (e.g., network and traffic systems). That is why these firewalls are called 'Application-level
Gateways'.

Unlike basic firewalls, these firewalls transfer requests from clients pretending to be original clients on the web-
server. This protects the client's identity and other suspicious information, keeping the network safe from
potential attacks. Once the connection is established, the proxy firewall inspects data packets coming from the
source. If the contents of the incoming data packet are protected, the proxy firewall transfers it to the client. This
approach creates an additional layer of security between the client and many different sources on the network.

Stateful Multi-layer Inspection (SMLI) Firewalls

Stateful multi-layer inspection firewalls include both packet inspection technology and TCP handshake verification,
making SMLI firewalls superior to packet-filtering firewalls or circuit-level gateways. Additionally, these types of
firewalls keep track of the status of established connections.

In simple words, when a user establishes a connection and requests data, the SMLI firewall creates a database
(state table). The database is used to store session information such as source IP address, port number, destination
IP address, destination port number, etc. Connection information is stored for each session in the state table. Using
stateful inspection technology, these firewalls create security rules to allow anticipated traffic.

In most cases, SMLI firewalls are implemented as additional security levels. These types of firewalls implement
more checks and are considered more secure than stateless firewalls. This is why stateful packet inspection is
implemented along with many other firewalls to track statistics for all internal traffic. Doing so increases the load
and puts more pressure on computing resources. This can give rise to a slower transfer rate for data packets than
other solutions.

Next-generation Firewalls (NGFW)

Many of the latest released firewalls are usually defined as 'next-generation firewalls'. However, there is no
specific definition for next-generation firewalls. This type of firewall is usually defined as a security device
combining the features and functionalities of other firewalls. These firewalls include deep-packet inspection
(DPI), surface-level packet inspection, and TCP handshake testing, etc.

NGFW includes higher levels of security than packet-filtering and stateful inspection firewalls. Unlike traditional
firewalls, NGFW monitors the entire transaction of data, including packet headers, packet contents, and sources.
NGFWs are designed in such a way that they can prevent more sophisticated and evolving security threats such as
malware attacks, external threats, and advance intrusion.

Threat-focused NGFW

WWW.ARJUN00.COM.NP Page 8
Threat-focused NGFW includes all the features of a traditional NGFW. Additionally, they also provide advanced
threat detection and remediation. These types of firewalls are capable of reacting against attacks quickly. With
intelligent security automation, threat-focused NGFW set security rules and policies, further increasing the security
of the overall defense system.

In addition, these firewalls use retrospective security systems to monitor suspicious activities continuously. They
keep analyzing the behavior of every activity even after the initial inspection. Due to this functionality, threat-focus
NGFW dramatically reduces the overall time taken from threat detection to cleanup.

Network Address Translation (NAT) Firewalls

Network address translation or NAT firewalls are primarily designed to access Internet traffic and block all
unwanted connections. These types of firewalls usually hide the IP addresses of our devices, making it safe from
attackers.

When multiple devices are used to connect to the Internet, NAT firewalls create a unique IP address and hide
individual devices' IP addresses. As a result, a single IP address is used for all devices. By doing this, NAT firewalls
secure independent network addresses from attackers scanning a network for accessing IP addresses. This results
in enhanced protection against suspicious activities and attacks.

In general, NAT firewalls works similarly to proxy firewalls. Like proxy firewalls, NAT firewalls also work as an
intermediate device between a group of computers and external traffic.

Cloud Firewalls

Whenever a firewall is designed using a cloud solution, it is known as a cloud firewall or FaaS (firewall-as-
service). Cloud firewalls are typically maintained and run on the Internet by third-party vendors. This type of
firewall is considered similar to a proxy firewall. The reason for this is the use of cloud firewalls as proxy servers.
However, they are configured based on requirements.

The most significant advantage of cloud firewalls is scalability. Because cloud firewalls have no physical resources,
they are easy to scale according to the organization's demand or traffic-load. If demand increases, additional
capacity can be added to the cloud server to filter out the additional traffic load. Most organizations use cloud
firewalls to secure their internal networks or entire cloud infrastructure.

Unified Threat Management (UTM) Firewalls

UTM firewalls are a special type of device that includes features of a stateful inspection firewall with anti-virus and
intrusion prevention support. Such firewalls are designed to provide simplicity and ease of use. These firewalls can
also add many other services, such as cloud management, etc.

Which firewall architecture is best?

When it comes to selecting the best firewall architecture, there is no need to be explicit. It is always better to use a
combination of different firewalls to add multiple layers of protection. For example, one can implement a hardware
or cloud firewall at the perimeter of the network, and then further add individual software firewall with every
network asset.

WWW.ARJUN00.COM.NP Page 9
Besides, the selection usually depends on the requirements of any organization. However, the following factors can
be considered for the right selection of firewall:

Size of the organization

If an organization is large and maintains a large internal network, it is better to implement such firewall
architecture, which can monitor the entire internal network.

Availability of resources

If an organization has the resources and can afford a separate firewall for each hardware piece, this is a good
option. Besides, a cloud firewall may be another consideration.

Requirement of multi-level protection

The number and type of firewalls typically depend on the security measures that an internal network requires.
This means, if an organization maintains sensitive data, it is better to implement multi-level protection of firewalls.
This will ensure data security from hackers.

VPN(Virtual Private Network):

A VPN stands for virtual private network. It is a technology which creates a safe and an encrypted connection on
the Internet from a device to a network. This type of connection helps to ensure our sensitive data is transmitted
safely. It prevents our connection from eavesdropping on the network traffic and allows the user to access a
private network securely. This technology is widely used in the corporate environments.
A VPN works same as firewall like firewall protects data local to a device wherever VPNs protects data online. To
ensure safe communication on the internet, data travel through secure tunnels, and VPNs user used an
authentication method to gain access over the VPNs server. VPNs are used by remote users who need to access
corporate resources, consumers who want to download files and business travellers want to access a site that is
geographically restricted.

WWW.ARJUN00.COM.NP Page 10
 Virtual Private Networking (VPN)
❑ Virtual private networking (VPN) is a technology
that allows private networks to be safely extended over
long physical distances by making use of a public
network, such as the Internet, as a means of transport.

❑ VPN provides guarantees of data confidentiality,

integrity, and authentication, despite the use of an
untrusted network for transmission.

❑ There are two primary types of VPNs, remote access

VPN and site-to-site VPN.

22

Types of VPNs
❑ Remote access VPNs allow authorized clients to access
a private network that is referred to as an intranet.
❑ E.g., UCF VPN. Computer has internal IP when connected.
❑ Set up a VPN endpoint, network access server (NAS)
❑ Clients install VPN client software on their machines.

❑ Site-to-site VPN solutions are designed to provide a

secure bridge between two or more physically distant
networks.
❑ Before VPN, organizations wishing to safely bridge their private
networks purchased expensive leased lines to directly connect
their intranets with cabling.

23

What is Encryption?

Encryption is a process that encodes a message or file so that it can be only be read by certain people. Encryption
uses an algorithm to scramble, or encrypt, data and then uses a key for the receiving party to unscramble, or
decrypt, the information. In computing, unencrypted data is also known as plaintext, and encrypted data is
called ciphertext. The formulas used to encode and decode messages are called encryption algorithms, or ciphers.

WWW.ARJUN00.COM.NP Page 11
Basic forms of encryption may be as simple as switching letters. As cryptography advanced, cryptographers added
more steps, and decryption became more difficult. Wheels and gears would be combined to create
complex encryption systems. Computer algorithms have now replaced mechanical encryption.

Importance of encryption

Encryption plays an important role in securing many different types of information technology (IT) assets. It
provides the following:

1. Confidentiality encodes the message's content.

2. Authentication verifies the origin of a message.

3. Integrity proves the contents of a message have not been changed since it was sent.

4. Nonrepudiation prevents senders from denying they sent the encrypted message.

How is it used?

Encryption is commonly used to protect data in transit and data at rest. Every time someone uses an ATM or buys
something online with a smartphone, encryption is used to protect the information being relayed. Businesses are
increasingly relying on encryption to protect applications and sensitive information from reputational damage
when there is a data breach.

There are three major components to any encryption system: the data, the encryption engine and the key
management. In laptop encryption, all three components are running or stored in the same place: on the laptop.

In application architectures, however, the three components usually run or are stored in separate places to reduce
the chance that compromise of any single component could result in compromise of the entire system.

How does encryption work?

At the beginning of the encryption process, the sender must decide what cipher will best disguise the meaning of
the message and what variable to use as a key to make the encoded message unique. The most widely used types of
ciphers fall into two categories: symmetric and asymmetric.

1. Symmetric ciphers, also referred to as secret key encryption, use a single key. The key is sometimes referred
to as a shared secret because the sender or computing system doing the encryption must share the secret
key with all entities authorized to decrypt the message. Symmetric key encryption is usually much faster
than asymmetric encryption. The most widely used symmetric key cipher is the Advanced Encryption
Standard (AES), which was designed to protect government-classified information.

2. Asymmetric ciphers, also known as public key encryption, use two different -- but logically linked -- keys.
This type of cryptography often uses prime numbers to create keys since it is computationally difficult to
factor large prime numbers and reverse-engineer the encryption. The Rivest-Shamir-Adleman (RSA)
encryption algorithm is currently the most widely used public key algorithm. With RSA, the public or the
private key can be used to encrypt a message; whichever key is not used for encryption becomes the
decryption key.

WWW.ARJUN00.COM.NP Page 12
Today, many cryptographic processes use a symmetric algorithm to encrypt data and an asymmetric algorithm to
securely exchange the secret key.

Benefits of encryption

1. The primary purpose of encryption is to protect the confidentiality of digital data stored on computer
systems or transmitted over the internet or any other computer network.

2. In addition to security, the adoption of encryption is often driven by the need to meet compliance
regulations.

3. A number of organizations and standards bodies either recommend or require sensitive data to be
encrypted in order to prevent unauthorized third parties or threat actors from accessing the data.

For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt
customers' payment card data when it is both stored at rest and transmitted across public networks.

Disadvantages of encryption

While encryption is designed to keep unauthorized entities from being able to understand the data they have
acquired,

1. In some situations, encryption can keep the data's owner from being able to access the data as well.

2. Key management is one of the biggest challenges of building an enterprise encryption strategy because the
keys to decrypt the cipher text have to be living somewhere in the environment, and attackers often have a
pretty good idea of where to look.

3. There are plenty of best practices for encryption key management. It's just that key management adds
extra layers of complexity to the backup and restoration process.

WWW.ARJUN00.COM.NP Page 13
 4. If a major disaster should strike, the process of retrieving the keys and adding them to a new backup server
could increase the time that it takes to get started with the recovery operation.

5. Having a key management system in place isn't enough. Administrators must come up with a
comprehensive plan for protecting the key management system. Typically, this means backing it up
separately from everything else and storing those backups in a way that makes it easy to retrieve the keys
in the event of a large-scale disaster.

Types of encryption

Bring your own encryption (BYOE) is a cloud computing security model that enables cloud service customers to
use their own encryption software and manage their own encryption keys. BYOE may also be referred to as bring
your own key (BYOK). BYOE works by enabling customers to deploy a virtualized instance of their own encryption
software alongside the business application they are hosting in the cloud.

Cloud storage encryption is a service offered by cloud storage providers whereby data or text is transformed
using encryption algorithms and is then placed in cloud storage. Cloud encryption is almost identical to in-house
encryption with one important difference: The cloud customer must take time to learn about the provider's
policies and procedures for encryption and encryption key management in order to match encryption with the
level of sensitivity of the data being stored.

Column-level encryption is an approach to database encryption in which the information in every cell in a
particular column has the same password for access, reading and writing purposes.

Deniable encryption is a type of cryptography that enables an encrypted text to be decrypted in two or more
ways, depending on which decryption key is used. Deniable encryption is sometimes used for misinformation
purposes when the sender anticipates, or even encourages, interception of a communication.

Encryption as a Service (EaaS) is a subscription model that enables cloud service customers to take advantage of
the security that encryption offers. This approach provides customers who lack the resources to manage
encryption themselves with a way to address regulatory compliance concerns and protect data in a multi-tenant
environment. Cloud encryption offerings typically include full-disk encryption (FDE), database encryption or file
encryption.

End-to-end encryption (E2EE) guarantees data being sent between two parties cannot be viewed by an attacker
that intercepts the communication channel. Use of an encrypted communication circuit, as provided by Transport
Layer Security (TLS) between web client and web server software, is not always enough to ensure E2EE; typically,
the actual content being transmitted is encrypted by client software before being passed to a web client and
decrypted only by the recipient. Messaging apps that provide E2EE include Facebook's WhatsApp and Open
Whisper Systems' Signal. Facebook Messenger users may also get E2EE messaging with the Secret Conversations
option.

Field-level encryption is the ability to encrypt data in specific fields on a webpage. Examples of fields that can be
encrypted are credit card numbers, Social Security numbers, bank account numbers, health-related information,
wages and financial data. Once a field is chosen, all the data in that field will automatically be encrypted.

FDE is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form
that cannot be understood by anyone who doesn't have the key to undo the conversion. Without the proper
WWW.ARJUN00.COM.NP Page 14
authentication key, even if the hard drive is removed and placed in another machine, the data remains inaccessible.
FDE can be installed on a computing device at the time of manufacturing, or it can be added later on by installing a
special software driver.

Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it
were still in its original form. This approach to encryption enables complex mathematical operations to be
performed on encrypted data without compromising the encryption.

HTTPS enables website encryption by running HTTP over the TLS protocol. To enable a web server to encrypt all
content that it sends, a public key certificate must be installed.

Link-level encryption encrypts data when it leaves the host, decrypts it at the next link, which may be a host or a
relay point, and then reencrypts it before sending it to the next link. Each link may use a different key or even a
different algorithm for data encryption, and the process is repeated until the data reaches the recipient.

Network-level encryption applies cryptoservices at the network transfer layer -- above the data link level but
below the application level. Network encryption is implemented through Internet Protocol Security (IPsec), a set of
open Internet Engineering Task Force (IETF) standards that, when used in conjunction, create a framework for
private communication over IP networks.

Quantum cryptography depends on the quantum mechanical properties of particles to protect data. In particular,
the Heisenberg uncertainty principle posits that the two identifying properties of a particle -- its location and its
momentum -- cannot be measured without changing the values of those properties. As a result, quantum-encoded
data cannot be copied because any attempt to access the encoded data will change the data. Likewise, any attempt
to copy or access the data will cause a change in the data, thus notifying the authorized parties to the encryption
that an attack has occurred.

Encryption vs. decryption

Encryption, which encodes and disguises the message's content, is performed by the message sender. Decryption,
which is the process of decoding an obscured message, is carried out by the message receiver.

The security provided by encryption is directly tied to the type of cipher used to encrypt the data -- the strength of
the decryption keys required to return ciphertext to plaintext. In the United States, cryptographic algorithms
approved by the Federal Information Processing Standards (FIPS) or National Institute of Standards and
Technology (NIST) should be used whenever cryptographic services are required.

Encryption algorithms

AES is a symmetric block cipher chosen by the U.S. government to protect classified information; it is implemented
in software and hardware throughout the world to encrypt sensitive data. NIST started development of AES in
1997 when it announced the need for a successor algorithm for the Data Encryption Standard (DES), which was
starting to become vulnerable to brute-force attacks.

DES is an outdated symmetric key method of data encryption. DES works by using the same key to encrypt and
decrypt a message, so both the sender and the receiver must know and use the same private key. DES has been
superseded by the more secure AES algorithm.

WWW.ARJUN00.COM.NP Page 15
Diffie-Hellman key exchange: also called exponential key exchange, is a method of digital encryption that uses
numbers raised to specific powers to produce decryption keys on the basis of components that are never directly
transmitted, making the task of a would-be code breaker mathematically overwhelming.

Elliptical curve cryptography (ECC) uses algebraic functions to generate security between key pairs. The
resulting cryptographic algorithms can be faster and more efficient and can produce comparable levels of security
with shorter cryptographic keys. This makes ECC algorithms a good choice for internet of things (IoT) devices and
other products with limited computing resources.

Quantum key distribution (QKD) is a proposed method for encrypted messaging by which encryption keys are
generated using a pair of entangled photons that are then transmitted separately to the message. Quantum
entanglement enables the sender and receiver to know whether the encryption key has been intercepted or
changed before the transmission even arrives. This is because, in the quantum realm, the very act of observing the
transmitted information changes it. Once it has been determined that the encryption is secure and has not been
intercepted, permission is given to transmit the encrypted message over a public internet channel.

RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts
Institute of Technology (MIT), though the 1973 creation of a public key algorithm by British mathematician Clifford
Cocks was kept classified by the U.K.'s Government Communications Headquarters (GCHQ) until 1997. Many
protocols, like Secure Shell (SSH), OpenPGP, Secure/Multipurpose Internet Mail Extensions (S/MIME) and Secure
Sockets Layer (SSL)/TLS, rely on RSA for encryption and digital signature functions.

Popular encryption algorithms and hash functions

Intrusion Detection System (IDS)

WWW.ARJUN00.COM.NP Page 16
 Intrusion Detection Systems
❑ Intrusion
❑ Actions aimed at compromising the security of the target
(confidentiality, integrity, availability of computing/networking
resources)

❑ Intrusion detection
❑ The identification through intrusion signatures and report of
intrusion activities

❑ Intrusion prevention
❑ The process of both detecting intrusion activities and managing
automatic responsive actions throughout the network

24

An IDS is a security system which monitors the computer systems and network traffic. It analyses that traffic for
possible hostile attacks originating from the outsider and also for system misuse or attacks originating from the
insider. A firewall does a job of filtering the incoming traffic from the internet, the IDS in a similar way
compliments the firewall security. Like, the firewall protects an organization sensitive data from malicious attacks
over the Internet, the Intrusion detection system alerts the system administrator in the case when someone tries to
break in the firewall security and tries to have access on any network in the trusted side.
Intrusion Detection System have different types to detects the suspicious activities-
1. NIDS-
It is a Network Intrusion Detection System which monitors the inbound and outbound traffic to and from all the
devices over the network.
2. HIDS-
It is a Host Intrusion Detection System which runs on all devices in the network with direct access to both internet
and enterprise internal network. It can detect anomalous network packets that originate from inside the
organization or malicious traffic that a NIDS has failed to catch. HIDS may also identify malicious traffic that arises
from the host itself.
3. Signature-based Intrusion Detection System-
It is a detection system which refers to the detection of an attack by looking for the specific patterns, such as byte
sequences in network traffic, or known malicious instruction sequences used by malware. This IDS originates from
anti-virus software which can easily detect known attacks. In this terminology, it is impossible to detect new
attacks, for which no pattern is available.
4. Anomaly-based Intrusion Detection System-
This detection system primarily introduced to detect unknown attacks due to the rapid development of malware. It
alerts administrators against the potentially malicious activity. It monitors the network traffic and compares it
against an established baseline. It determines what is considered to be normal for the network with concern to
bandwidth, protocols, ports and other devices.

WWW.ARJUN00.COM.NP Page 17
 IDS Components
❑ IDS manager compiles data from the IDS sensors to
determine if an intrusion has occurred.
❑ If an IDS manager detects an intrusion, then it sounds
an alarm. IDS Manage r
Untrusted
Internet

router

IDS Se ns or IDS Se ns or
Fire wall

rou ter router

25

Types of Intrusion Detection Systems

❑ Rule-Based Intrusion Detection
❑ Rules and signatures identify the types of actions that match
certain known profiles for an intrusion attack
❑ Alarm raised can indicate what attack triggers the alarm
❑ Problem: Cannot deal with unknown attacks
❑ Statistical Intrusion Detection
❑ Statistical representation (profile) of the typical ways that a
user acts or a host is used
❑ Determine when a user or host is acting in highly unusual,
anomalous ways.
❑ Alarm when a user or host deviates significantly from the stored
profile for that person or machine
❑ Problem: High false positive rate, cannot tell which attack
triggers the alarm

29

Secure Software is defined as software developed or engineered in such a way that its operations and
functionalities continue as normal even when subjected to malicious attacks. The systems and resources in its
environment remain safe and the attacks detected and removed.

Characteristics of Secure Software

WWW.ARJUN00.COM.NP Page 18
Secure Database
One of the most common database attacks are SQL injections. These involve the injection of malicious code into the
design code of the software accessing its back-end database and executing malicious queries or actions. With
access to the back-end database the intruder has control over the data and damage can be limitless. Securing
against database SQL attacks may involve isolating the database from the running code.

Encode Data Prior to Execution

One of the vulnerabilities that facilitate many injection attacks is when the database is not adequately isolated from
the running code. Though isolation may curtail, to some extent, some of these attacks, a better standard security
measure is to encode data, making it safe before it is used. Encoded data is transformed into unrecognizable
executable statements before being passed to the respective interpreter.

Input Data Validation

Data validation is the process of ensuring that input data is accurate and complies with the requirement of the
input field. All data originating from outside the software, whether from clients' or other interface applications,
must always be treated as questionable. Issues arising from vulnerabilities at input are carried through the system
to output.

Access Control
Access Controls are security rules that define who has access to what resource or functionality within the
software. Access rules must be carefully planned and implemented. Default access rights on all user profiles must
be set at 'minimal' or 'no access' preventing any unauthorized access.
Data Protection and Privacy
Software must not only enforce access control but in addition, encryption as well. Encryption provides better data
security and privacy. SSL (Secure Socket Layer) which secures data transmitted between two systems and TLS
(Transport Layer Security) which provides encryption of communication over a network must be properly set up
wherever applicable. Data is vulnerable in any state and should be encrypted both in transit and at rest. Data
violations and exposure have cost companies millions of dollars and hence, must be taken seriously.

Browser security:
Browser security is the application of Internet security to web browsers in order to protect networked data
and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript,
sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also
take advantage of vulnerabilities (security holes) that are commonly exploited in all browsers (including Mozilla
Firefox, Google Chrome, Opera, Microsoft Internet Explorer, and Safari).

Web browsers can be breached in one or more of the following ways:

1. Operating system is breached and malware is reading/modifying the browser memory space in privilege
mode.
2. Operating system has a malware running as a background process, which is reading/modifying the
browser memory space in privileged mode
3. Main browser executable can be hacked
4. Browser components may be hacked
5. Browser plugins can be hacked
6. Browser network communications could be intercepted outside the machine
7. The browser may not be aware of any of the breaches above and may show user a safe connection is made.
Browsers can use more secure methods of network communication to help prevent some of these attacks:
• DNS: DNSSec and DNSCrypt, for example with non-default DNS servers such as Google Public
DNS or OpenDNS.

WWW.ARJUN00.COM.NP Page 19
 • HTTP: HTTP Secure and SPDY with digitally signed public key certificates or Extended Validation
Certificates.

Plugins and extensions

Although not part of the browser per se, browser plugins and extensions extend the attack surface, exposing
vulnerabilities in Adobe Flash Player, Adobe (Acrobat) Reader, Java plugin, and ActiveX that are commonly
exploited. Researchers have extensively studied the security architecture of various web-browsers in particular
those relying on plug-and-play designs. This study has identified 16 common vulnerability types, and 19 potential
mitigations. Malware may also be implemented as a browser extension, such as a browser helper object in the case
of Internet Explorer.] Browsers like Google Chrome and Mozilla Firefox can block—or warn users of—insecure
plugins.

Adobe Flash
An August 2009 study by the Social Science Research Network found that 50% of websites using Flash were also
employing Flash cookies, yet privacy policies rarely disclosed them, and user controls for privacy preferences were
lacking. Most browsers' cache and history delete functions do not affect Flash Player's writing Local Shared Objects
to its own cache, and the user community is much less aware of the existence and function of Flash cookies than
HTTP cookies. Thus, users having deleted HTTP cookies and purged browser history files and caches may believe
that they have purged all tracking data from their computers while in fact Flash browsing history remains. As well
as manual removal, the BetterPrivacy addon for Firefox can remove Flash cookies. Adblock Plus can be used to
filter out specific threats and Flashblock can be used to give an option before allowing content on otherwise trusted
sites.
Charlie Miller recommended "not to install Flash"] at the computer security conference CanSecWest. Several other
security experts also recommend to either not install Adobe Flash Player or to block it.

Secure Sockets Layer (SSL) Secure Sockets Layer (SSL) is an asymmetric encryption protocol used to secure
communication sessions. SSL has been superseded by Transport Layer Security (TLS), although SSL is still the
more commonly used terminology.
Secure Sockets Layer (SSL) is a cryptographic protocol for managing authentication and encrypted communication
between a client and server to protect the confidentiality and integrity of data exchanged in the session. Transport
Layer Security (TLS) is the successor to SSL (although it is still commonly referred to as SSL).
An SSL VPN can be deployed as an agent-based or “agentless” browser-based connection. An agentless SSL VPN
only requires users to launch a web browser, open a VPN portal or webpage using the HTTPS protocol, and log in
to the network with their user credentials. An agent-based SSL client is used within the browser session, which
persists only as long as the connection is active, and removes itself when the connection is closed. This type of VPN
can be particularly useful for remote users that are connecting from an endpoint device they do not own or control,
such as a hotel kiosk, where full client VPN software cannot be installed. SSL VPN technology has become the de
facto standard and preferred method of connecting remote endpoint devices back to the enterprise network, and
IPsec is most commonly used in site-to-site or device-to-device VPN connections such as connecting a branch office
network to a headquarters location network or data center.

IP Security (IPSec) IPSec provides security at the IP-level and addresses the problems of authentication, integrity,
and confidentiality. The authentication mechanism ensures that the IP datagram was actually sent by the party
identified from the source IP address contained in the datagram header. The same mechanism also ensures the
integrity of the datagram, i.e. it has not been altered in transit. The confidentiality mechanism ensures through
encryption that a datagram's content is meaningless to any party except the sender and receiver(s).
In August 1995, the IETF IP Security Working Group published five proposed standards which define a set of
requirements for IP-level security. Together this set of standards is known as IP Security, or IPSec. The IPSec
documents are:
• RFC 1825 - Security Architecture for the Internet Protocol
• RFC 1826 - IP Authentication Header

WWW.ARJUN00.COM.NP Page 20
• RFC 1827 - IP Encapsulating Security Payload
• RFC 1828-IP Authentication using Keyed MD5
• RFC 1829- The ESP DES-CBC Transform

IPSec
❑ IPSec defines a set of protocols to provide
confidentiality and authenticity for IP packets

❑ Authentication Header (AH)

❑ provide connectionless integrity and data origin authentication
for IP datagrams
❑ provides protection against replay attacks
❑ No confidentiality (packets are still unencrypted)

❑ Encapsulating Security Payload (ESP)

❑ provide confidentiality, data-origin authentication,
connectionless integrity, and limited traffic-flow confidentiality.
❑ Port numbers are encrypted, poses challenge for NAT
❑ http://en.wikipedia.org/wiki/IPsec

19

Digital
s ignature

20

WWW.ARJUN00.COM.NP Page 21
 21

WWW.ARJUN00.COM.NP Page 22
Unit-3: Information Security and Cryptography

(Unit-3: Compiled By Arjuni)

Unit-3: Information Security and Cryptography 1

Classical Encryption Methods 1

Symmetric Cipher Model 2
Terminology 2
Substitution Techniques 3
Transposition (Permutation) Ciphers 3
Product Ciphers 3
Steganography 4

Asymmetric Key Cryptography 4

Confidentiality, Integrity, Authentication, and Non-Repudiation 5

Confidentiality 5
Integrity 5
Authentication 5
Non-Repudiation 5

Digital Signature 6
Digital Signature Model 6
Importance of Digital Signature 6

Classical Encryption Methods

1. Symmetric Cipher Model

2. Substitution Techniques
3. Transposition Techniques
4. Product Ciphers
5. Steganography
Symmetric Cipher Model

Terminology

Plaintext - original message

Ciphertext - coded message

Cipher - algorithm for transforming plaintext to ciphertext

Key - info used in cipher known only to sender/receiver

Encipher (encrypt) - converting plaintext to ciphertext

Decipher (decrypt) - recovering ciphertext from plaintext

Cryptography - study of encryption principles/methods

Cryptanalysis (code-breaking) - the study of principles/ methods

Cryptology - field of both cryptography and cryptanalysis

Substitution Techniques

Transposition (Permutation) Ciphers

Product Ciphers

Use several ciphers in succession to make it harder, but:

● Two substitutions make a more complex substitution

● Two transpositions make the more complex transposition
● But a substitution followed by a transposition makes a new much harder
cipher

This is a bridge from classical to modern ciphers.

Steganography

● Hide characters in a text, hide bits in a photograph

● The least significant bit (LSB) of a digital photograph may be a message.
● Drawback: high overhead to hide relatively few info bits.
● Advantage: Can obscure encryption use

Asymmetric Key Cryptography

Asymmetric cryptography is a cryptographic system that uses pairs of keys: public

keys and private keys. The generation of such key pairs depends on cryptographic
algorithms which are based on mathematical problems termed one-way functions.
Effective security requires keeping the private key private; the public key can be
openly distributed without compromising security.

In such a system, any person can encrypt a message using the intended receiver's
public key, but that encrypted message can only be decrypted with the receiver's
private key. This allows, for instance, a server program to generate a cryptographic
key intended for suitable symmetric-key cryptography, then to use a client's openly
shared public key to encrypt that newly generated symmetric key. The server can
then send this encrypted symmetric key over an insecure channel to the client; only
the client can decrypt it using the client's private key. With the client and server
both having the same symmetric key, they can safely use symmetric key encryption
to communicate over otherwise insecure channels. This scheme has the advantage
of not having to manually pre-shared symmetric keys while gaining the higher data
throughput advantage of symmetric-key cryptography.

With public-key cryptography, robust authentication is also possible. A sender can

combine a message with a private key to create a short digital signature on the
message. Anyone with the sender's corresponding public key can combine that
message with a claimed digital signature; if the signature matches the message, the
origin of the message is verified.

Confidentiality, Integrity, Authentication, and Non-Repudiation

Confidentiality

1. Confidentiality is the most commonly addressed the goal

2. The meaning of a message is concealed by encoding it
3. The sender encrypts the message using a cryptographic key
4. The recipient decrypts the message using a cryptographic key that may or
may not be the same as the one used by the sender

Integrity

1. Integrity Ensures that the message received is the same as the message that
was sent
2. Uses hashing to create a unique message digest from the message that is
sent along with the message
3. The recipient uses the same technique to create a second digest from the
message to compare to the original one
4. This technique only protects against unintentional alteration of the message
5. A variation is used to create digital signatures to protect against malicious
alteration

Authentication

1. A user or system can prove their identity to another who does not have
personal knowledge of their identity
2. Accomplished using digital certificates
3. Kerberos is a common cryptographic authentication system

Non-Repudiation

Non-repudiation refers to the assurance that the owner of a signature key pair that
was capable of generating an existing signature corresponding to certain data
cannot convincingly deny having signed the data.
Digital Signature

Digital signatures are the public-key primitives of message authentication. In the

physical world, it is common to use handwritten signatures on handwritten or typed
messages. They are used to bind signatory to the message.

Similarly, a digital signature is a technique that binds a person/entity to the digital

data. This binding can be independently verified by the receiver as well as any third
party.

The digital signature is a cryptographic value that is calculated from the data and a
secret key known only by the signer.

In the real world, the receiver of the message needs assurance that the message
belongs to the sender and he should not be able to repudiate the origination of that
message. This requirement is very crucial in business applications since the
likelihood of a dispute over exchanged data is very high.

Digital Signature Model

Importance of Digital Signature

1. Message authentication
2. Data Integrity
3. Non-repudiation
 Legal Issues in Cyber Crime:
4.1 Legal Issues in Information Security
4.2 Cyber Law in Nepal
4.3 Security Policy
4.4 Managing Risk
4.5 Information Security Process
4.6 Information Security Best Practices

Legal Issues in Information Security

There are many legal issues with regard to information security

1. Breaking into computer is against the law, most of the time.
2. Civil issues of liability and privacy.
3. Risks with regard to employees and other organizations on the network if internal security is lax.
4. Violations of new laws that address banking customers and medical privacy.

Cyber law is the part of the overall legal system that deals with the Internet, cyberspace, and their respective legal
issues. Cyber law covers a fairly broad area, encompassing several subtopics including freedom of expression, access to
and usage of the Internet, and online privacy. Generically, cyber law is referred to as the Law of the Internet.
The first cyber law was the Computer Fraud and Abuse Act, enacted in 1986. Known as CFAA, this law prohibits
unauthorized access to computers and includes detail about the levels of punishment for breaking that law.

Important Statistics
There are a total of 10.21 million people in Nepal who used the internet in 2020. The number of users increased by
315,000 between 2019 and 2020. Around 10 million people in Nepal use social media. It appears that the country’s
citizens have been reluctant to report cyber crime, with only 53 cases being registered in 2017. However, 2018 saw
a sharp rise in the number of cases to 132. In 2018 and 2019, a total of 180 cases were registered. Out of these 180,
125 cases were from the capital city, Kathmandu and the rest from others.

Cyber Laws in Nepal

1. The Electronic Transactions Act, 2008

This was Nepal’s first cyber law. Cyber crimes were dealt with under the Country’s criminal code before this law
came into force. Since the cases of cyber crime increased, it became necessary to enact a separate law. Chapter 9 of
the Act deals with offences relating to computers, the main highlights of which are as follows:

• Pirating or destroying any computer system intentionally without authority carries imprisonment for three
years, or a fine of two hundred thousand rupees, or both.

Www.arjun00.com.np Page 1
• Accessing any computer system without authority results in imprisonment for three years, or a fine of two
hundred thousand rupees, or both.
• Intentional damage to or deleting data from a computer system carries imprisonment for three years, or a
fine of two hundred thousand rupees, or both.
• Publication of illegal material in electronic form carries imprisonment for 5 years, or a fine of one hundred
thousand rupees, or both.
• Commission of a computer fraud carries imprisonment for two years, or a fine of one hundred thousand
rupees, or both.

2. The Children’s Act, 1992

The aim of this Act is to protect and uphold the rights of children. It also prohibits child pornography. Section 16(2)
of the Act prohibits individuals from capturing any immoral picture of a child. Section 16(3) of the Act prohibits
publication and distribution of any such photographs of children.

3. The Copyright Act, 2002

This act protects the copyright of ideas, including a computer program. It prohibits people from copying and
modifying the original work of others, and using it for their own advantage or economic benefits.

4. The Individual Privacy Act, 2018

This act is the first legislation in Nepal to protect the right to privacy of its people, and define personal information.
It protects the privacy of body, family life, residence, property, and communication. It puts the responsibility on
public entities to protect the personal data of individuals. They cannot transfer such data to anyone without the
consent of the owner. The Act prescribes a general punishment for violation of privacy as three years of
imprisonment, or a fine of NPR 30,000, or both.

End notes
All the above laws that Nepal has promulgated for cyber crimes are yet not enough. The country needs to address
loopholes in these laws and encourage its citizens to report cyber crime incidents. There is also a need for
comprehensive laws on e-commerce, social media, and cyber terrorism, among other spheres of cyber space.
Another requirement is that of a clear definition of child pornography. A dedicated cyber crime cell is also a need of
the hour. Nepal needs to work further on its cyber laws to survive in this technologically advanced world.

Security Policies

Security policies are a formal set of rules which is issued by an organization to ensure that the user who are
authorized to access company technology and information assets comply with rules and guidelines related to the
security of information. It is a written document in the organization which is responsible for how to protect the
organizations from threats and how to handles them when they will occur. A security policy also considered to be a
"living document" which means that the document is never finished, but it is continuously updated as
requirements of the technology and employee changes.

Www.arjun00.com.np Page 2
Need of Security policies-

1) It increases efficiency.

The best thing about having a policy is being able to increase the level of consistency which saves time, money and
resources. The policy should inform the employees about their individual duties, and telling them what they can do
and what they cannot do with the organization sensitive information.

2) It upholds discipline and accountability

When any human mistake will occur, and system security is compromised, then the security policy of the
organization will back up any disciplinary action and also supporting a case in a court of law. The organization
policies act as a contract which proves that an organization has taken steps to protect its intellectual property, as
well as its customers and clients.

3) It can make or break a business deal

It is not necessary for companies to provide a copy of their information security policy to other vendors during a
business deal that involves the transference of their sensitive information. It is true in a case of bigger businesses
which ensures their own security interests are protected when dealing with smaller businesses which have less
high-end security systems in place.

4) It helps to educate employees on security literacy

A well-written security policy can also be seen as an educational document which informs the readers about their
importance of responsibility in protecting the organization sensitive data. It involves on choosing the right
passwords, to providing guidelines for file transfers and data storage which increases employee's overall
awareness of security and how it can be strengthened.

We use security policies to manage our network security. Most types of security policies are automatically created
during the installation. We can also customize policies to suit our specific environment. There are some important
cybersecurity policies recommendations describe below-

1. Virus and Spyware Protection policy

his policy provides the following protection:

o It helps to detect, removes, and repairs the side effects of viruses and security risks by using signatures.
o It helps to detect the threats in the files which the users try to download by using reputation data from
Download Insight.
o It helps to detect the applications that exhibit suspicious behaviour by using SONAR heuristics and
reputation data.

2. Firewall Policy

This policy provides the following protection:

Www.arjun00.com.np Page 3
 o It blocks the unauthorized users from accessing the systems and networks that connect to the Internet.
o It detects the attacks by cybercriminals.
o It removes the unwanted sources of network traffic.

3. Intrusion Prevention policy

o This policy automatically detects and blocks the network attacks and browser attacks. It also protects
applications from vulnerabilities. It checks the contents of one or more data packages and detects malware
which is coming through legal ways.

4. LiveUpdate policy

o This policy can be categorized into two types one is LiveUpdate Content policy, and another is LiveUpdate
Setting Policy. The LiveUpdate policy contains the setting which determines when and how client
computers download the content updates from LiveUpdate. We can define the computer that clients
contact to check for updates and schedule when and how often clients computer check for updates.

5. Application and Device Control

o This policy protects a system's resources from applications and manages the peripheral devices that can
attach to a system. The device control policy applies to both Windows and Mac computers whereas
application control policy can be applied only to Windows clients.

6. Exceptions policy

This policy provides the ability to exclude applications and processes from detection by the virus and spyware
scans.

7. Host Integrity policy

This policy provides the ability to define, enforce, and restore the security of client computers to keep enterprise
networks and data secure. We use this policy to ensure that the client's computers who access our network are
protected and compliant with companies? securities policies. This policy requires that the client system must have
installed antivirus.

Managing Risk:

What is cyber risk management?

Cyber risk management is the process of identifying, analysing, evaluating and addressing your organisation’s
cyber security threats.
The first part of any cyber risk management programme is a cyber risk assessment. This will give you a snapshot of
the threats that might compromise your organisation’s cyber security and how severe they are.
Based on your organisation’s risk appetite, your cyber risk management programme then determines how to
prioritise and respond to those risks.

Www.arjun00.com.np Page 4
The cyber risk management process
Although specific methodologies vary, a risk management programme typically follows these steps:

1. Identify the risks that might compromise your cyber security. This usually involves identifying cyber
security vulnerabilities in your system and the threats that might exploit them.
2. Analyse the severity of each risk by assessing how likely it is to occur, and how significant the impact might
be if it does.
3. Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).
4. Prioritise the risks.
5. Decide how to respond to each risk. There are generally four options:
o Treat – modify the likelihood and/or impact of the risk, typically by implementing security controls.
o Tolerate – make an active decision to retain the risk (e.g. because it falls within the established risk
acceptance criteria).
o Terminate – avoid the risk entirely by ending or completely changing the activity causing the risk.
o Transfer – share the risk with another party, usually by outsourcing or taking out insurance.
6. Since cyber risk management is a continual process, monitor your risks to make sure they are still
acceptable, review your controls to make sure they are still fit for purpose, and make changes as required.
Remember that your risks are continually changing as the cyber threat landscape evolves, and your
systems and activities change.

Information Security Process

Information security is a process that moves through phases building and strengthening itself along the way.
Security is a journey not a destination. Although the Information Security process has many strategies and
activities, we can group them all into three distinct phases - prevention, detection, and response.

The ultimate goal of the information security process is to protect three unique attributes of information. They are:

Www.arjun00.com.np Page 5
· Confidentiality – Information should only be seen by those persons authorized to see it. Information could be
confidential because it is proprietary information that is created and owned by the organization or it may be
customers’ personal information that must be kept confidential due to legal responsibilities.

· Integrity – Information must not be corrupted, degraded, or modified. Measures must be taken to insulate
information from accidental and deliberate change.

· Availability – Information must be kept available to authorized persons when they need it.

Attacks compromise systems in a number of ways that affect one if not all of these attributes. An attack on
confidentiality would be unauthorized disclosure of information. An attack on integrity would be the destruction or
corruption of information and an attack on availability would be a disruption or denial of services. Information
security protects these attributes by:

· Protecting confidentiality

· Ensuring integrity

· Maintaining availability

An organization succeeds in protecting these attributes by proper planning. Proper planning before an incident
will greatly reduce the risks of an attack and greatly increase the capabilities of a timely and effective detection and
response if an attack occurs. Lets now examine each phase of the prevent, detect, respond cycle in turn, illustrating
the individual process and how they relate with the whole.

Prevention: There is an age-old advisory that says, “It’s too late to sharpen your sword when the drum beats for
battle”. Make no mistake, we are in a war and we must prepare for the cyber battles by sharpening our skills.
Information security professionals must continuously mature their capabilities by working smarter not harder. It is
always better to prevent, then to pursue and prosecute. Preventing an incident requires careful analysis and
planning. Information is an asset that requires protection commensurate with its value. Security measures must be
taken to protect information from unauthorized modification, destruction, or disclosure whether accidental or
intentional. During the prevention phase, security policies, controls and processes should be designed and
implemented. Security policies, security awareness programs and access control procedures, are all interrelated
and should be developed early on. The information security policy is the cornerstone from which all else is built.

Security Policy: The first objective in developing a prevention strategy is to determine “what” must be protected
and document these “whats” in a formal policy. The policy must define the responsibilities of the organization, the
employees and management. It should also fix responsibility for implementation, enforcement, audit and review.
Additionally, the policy must be clear, concise, coherent and consistent in order to be understood. Without clear
understanding, the policy will be poorly implemented and subsequent enforcement, audit and review will be
ineffective. Once management endorses a completed policy, the organization needs to be made aware of its
requirements.

Security Awareness: Security awareness is a process that educates employees on the importance of security, the
use of security measures, reporting procedures for security violations, and their responsibilities as outlined in the
information security policy. Security awareness programs should be utilized for this purpose. The program should
be a continuous process that maintains an awareness level for all employees. The program should be designed to
address organization wide issues as well as more focused specialized training needs. The program should stress

Www.arjun00.com.np Page 6
teamwork and the importance of active participation. To motivate individuals, a recognition process should be
adopted to give out awards or rewards for employees that perform good security practices.

Access Controls: Access is the manner by which the user utilizes the information systems to get information.
Naturally all users should not have the ability to access all systems and its information. Access should be restricted
and granted on a need to know basis. To manage this access we establish user accounts by issuing identifiers,
authentication methods to verify these identifiers and authorization rules that limit access to resources.

· Identification – Identification is a unique identifier. It is what a user – (person, client, software application,
hardware, or network) uses to differentiate itself from other objects. A user presents identification to show who
he/she is. Identifiers that are created for users should not be shared with any other users or groups. Once a user
has an identifier the next step taken to access a resource is authentication.

· Authentication – Authentication is the process of validating the identity of a user. When a user presents its
identifier, prior to gaining access, the identifier (identification) must be authenticated. Authentication verifies
identities thereby providing a level of trust. There are three basic factors used to authenticate an identity. They are:

1. Something you know – The password is the most common form used. However, secret phrases and PIN numbers
are also utilized. This is known as one-factor or single authentication. This form is weakened due to poor password
selection and storage.

2. Something you have – This authentication factor is something you have, such as an identification card,
smartcard or token. Each requiring the user to possess “something” for authentication. A more reliable
authentication process would require two factors such as something you know with something you have. This form
is known as the two-factor or multilevel authentication.

3. Something you are – The strongest authentication factor is something you are. This is a unique physical
characteristic such as a fingerprint, retina pattern or DNA. The measuring of these factors is called biometrics. The
strongest authentication process would require all three factors. Facilities or applications that are highly secret or
sensitive will utilize all three factors to authenticate a user. However, biometrics on the surface appears to be a
panacea, its not. There are weaknesses and to work the verifier needs to verify two things. These requirements are
outlined in a Counterpane.com article by Bruce Schneier, titled “Biometrics: Uses and Abuses”. The author indicates
that the verifier needs to verify two things. The first is that the biometric came from the person at the time of
verification and secondly, that the biometric matches the master biometric on file. Without these two biometric
authentication requirements this factor won’t work.

· Authorization– Authorization is the process of allowing users who have been identified and authenticated to use
certain resources. Limiting access to resources by establishing permission rules provides for better control over
users actions. Authorization should be granted on the principle of least privilege. Least privilege is granting no
more privilege than is required to perform a task/job, and the privilege should not extend beyond the minimum
time required to complete the task. This restrictive process limits access, creates a separation of duties and
increases accountability. Once an organization has adopted a policy, created an awareness program and has
established access controls, it must implement detection strategies and response plans. It would behoove an
organization to take a more proactive stance in preparing for an attack or disaster rather than a reactive ad hock
response to an underestimated threat. The process of detecting malicious or accidental misuse of resources is
much more than sounding an alarm. Also, responding to an incident is much more than just showing up. An
organization to be successful must know what to detect and once alerted know how to effectively coordinate
resources for a response. With both of these processes time is of the essence.

Www.arjun00.com.np Page 7
 Detection: Detection of a system compromise is extremely critical. With the ever increasing threat environment,
no matter what level of protection a system may have, it will get compromised given a greater level of motivation
and skill. There is no full proof “silver bullet” security solution. A defense in layers strategy should be deployed so
when each layer fails, it fails safely to a known state and sounds an alarm. The most important element of this
strategy is timely detection and notification of a compromise. Intrusion detection systems (IDS) are utilized for this
purpose.

Response: For the detection process to have any value there must be a timely response. The response to an
incident should be planned well in advance. Making important decisions or developing policy while under attack is
a recipe for disaster. Many organizations spend a tremendous amount of money and time preparing for disasters
such as tornados, earthquakes, fires and floods. The fact is, the chances are greater that a computer security
incident will occur than any one of these scenarios. Equivalent if not more effort and resources should be expanded
on a computer security incident response plan The response plan should be written and ratified by appropriate
levels of management. It should clearly prioritize different types of events and require a level of notification and/or
response suitable for the level of event/threat. A Computer Security Incident Response Team (CSIRT) should be
established with specific roles and responsibilities identified. These roles should be assigned to competent
members of the organization. A team leader/manager should be appointed and assigned the responsibility of
declaring an incident, coordinating the activities of the CSIRT, and communicating status reports to upper
management.

Information Security Best Practices

1. Consider biometric security. ...

2. Form a hierarchical cybersecurity policy. ...
3. Employ a risk-based approach to security. ...
4. Back up your data. ...
5. Manage IoT security. ...
6. Use multi-factor authentication. ...
7. Handle passwords securely. ...
8. Use the principle of least privilege
9. Keep an eye on privileged users

10. Monitor third-party access to your data

11. Be wary of phishing

12. Raise employee awareness

1. Consider biometric security

Biometrics ensures fast authentication, safe access management, and precise employee monitoring.

Verifying users’ identities before providing access to valuable assets is vital for businesses. Voice recognition,
fingerprint scans, palm biometrics, facial recognition, behavioral biometrics, and gait analysis are perfect
options to identify whether or not users are who they claim to be.

Www.arjun00.com.np Page 8
. Form a hierarchical cybersecurity policy

Why is a written cybersecurity policy so essential?

First, a written policy serves as a formal guide to all cybersecurity measures used in your company.

3. Employ a risk-based approach to security

Regulatory compliance can’t protect your data.

Each industry has its own specific and hidden risks, so focusing on compliance and meeting all the standard
regulations isn’t enough to protect your sensitive data.

It allows your security specialists and employees to be on the same page and gives you a way to enforce rules that
protect your data. However, the workflow of each department can be unique and can easily be disrupted by
needless cybersecurity measures

4. Back up your data

Ensure the security of your data by regularly backing it up.

Backing up data is one of the information security best practices that has gained increased relevance in recent
years. With the advent of ransomware, having a full and current backup of all your data can be a lifesaver.

5. Manage IoT security

he most challenging thing about IoT devices is their access to sensitive information.

Security cameras, doorbells, smart door locks, heating systems, office equipment – all of these small parts of your
business network are potential access points.

A compromised printer, for instance, can allow malicious actors to view all documents that are being printed or
scanned.

6. Use multi-factor authentication

Multi-factor authentication (MFA) is a must-have solution for advanced security strategies.

Though it’s a basic implementation, MFA still belongs among the cybersecurity best practices. It’s so effective that
the National Cyber Security Alliance has even added MFA to its safety awareness and education campaign.

MFA helps you protect sensitive data by adding an extra layer of security, leaving malicious actors with almost no
chance to log in as if they were you.

7. Handle passwords securely

It always pays to mention the importance of thoughtful passwords and secure password handling.

Www.arjun00.com.np Page 9
Password management is a key part of corporate security, especially when it comes to privileged access
management (PAM). Privileged accounts are gems for cyber criminals who attempt to gain access to your sensitive
data and the most valuable business information.

The best way to ensure proper security is to use specialized tools, such as password vaults and PAM solutions. This
way, you can prevent unauthorized users from accessing privileged accounts and simplify password management
for employees at the same time.

9. Keep an eye on privileged users

Are users with privileged accounts one of the greatest assets to the company or one of the greatest threats to data
security?

Privileged users have all the means necessary to steal your sensitive data and go unnoticed. No matter how much
you trust your employees with privileged accounts, anything can happen.

10. Monitor third-party access to your data

Controlling third-party access is a vital part of your security strategy.

Remote employees, subcontractors, business partners, suppliers, and vendors – this is only a short list of the
people and companies that may access your data remotely.

Third-party access not only entails a higher risk of insider attacks but also opens the way for malware and hackers
to enter your system.

A great way to protect your sensitive data from breaches via third-party access is to monitor third-party actions.
You can limit the scope of access that third-party users have and know who exactly connects to your network and
why.

11. Be wary of phishing

Are all of your employees aware of phishing?

It’s worth noting that insider threats don’t end with malicious employees. More often, well-meaning employees
inadvertently help perpetrators by providing them with a way to get into your system.

Cyber attackers use phishing techniques such as spam emails and phone calls to find out information about
employees, obtain their credentials, or infect systems with malware.

12. Raise employee awareness

It may be hard to believe, but your employees are the key to protecting your data.

Www.arjun00.com.np Page 10
 A sure way to deal with negligence and security mistakes by your employees is to educate them on why safety
matters:

• Raise awareness about cyber threats your company faces and how they affect the bottom line.

• Explain to your employees the importance of each computer security measure.

• Show examples of real-life security breaches, their consequences, and the difficulty of the recovery process.

• Ask employees for feedback regarding the current corporate security system.

Www.arjun00.com.np Page 11
 Unit-5 Forensics and Incident Analysis

5.1 Forensic Technologies

5.2 Digital Evidence Collection
5.3 Evidentiary Reporting
5.4 Incident Preparation
5.5 Incident Detection and Analysis
5.6 Containment, Eradication, and Recovery
5.7 Proactive and Post Incident Cyber Services

WHAT IS COMPUTER FORENSICS?

Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.)
for evidence. In other words, computer forensics is the collection, preservation, analysis, and presentation of
computer-related evidence.
Computer forensics also referred to as computer forensic analysis, electronic discovery, electronic evidence
discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.
Computer evidence can be useful in criminal cases, civil disputes, and human resources/ employment
proceedings.

USE OF COMPUTER FORENSICS IN LAW ENFORCEMENT

Computer forensics assists in Law Enforcement. This can include:

1. Recovering deleted files such as documents, graphics, and photos.
2. Searching unallocated space on the hard drive, places where an abundance of data often resides.
3. Tracing artifacts, those tidbits of data left behind by the operating system.
4. Our experts know how to find these artifacts and, more importantly, they know how to evaluate the value
of the information they find.
5. Processing hidden files — files that are not visible or accessible to the user — that contain past usage
information. Often, this process requires reconstructing and analyzing the date codes for each file and
determining when each file was created, last modified, last accessed and when deleted.
6. Running a string-search for e-mail, when no e-mail client is obvious.

BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY

A knowledgeable computer forensics professional should ensure that a subject computer system is carefully
handled to ensure that:
1. No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate
the computer.
2. No possible computer virus is introduced to a subject computer during the analysis process.
3. Extracted and possibly relevant evidence is properly handled and protected from later mechanical or
electromagnetic damage.
4. A continuing chain of custody is established and maintained.
5. Business operations are affected for a limited amount of time, if at all.
6. Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and
legally respected and not divulged

STEPS TAKEN BY COMPUTER FORENSICS SPECIALISTS

The computer forensics specialist should take several careful steps to identify and attempt to retrieve possible
evidence that may exist on a subject’s computer system. For example, the following steps should be taken:

Www.arjun00.com.np Page 1
1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data
corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden
files, password-protected files, and encrypted files.
3. Recover all of discovered deleted files.
4. Reveal the contents of hidden files as well as temporary or swap files used by both the application programs and
the operating system.
5. Access the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special areas of a disk. This includes but is not limited to what is
called unallocated space on a disk, as well as slack space in a file (the remnant area at the end of a file in the last
assigned disk cluster, that is unused by current file data, but once again, may be a possible site for previously
created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and
discovered file data.
8. Provide an opinion of the system layout; the file structures discovered; any discovered data and authorship
information; any attempts to hide, delete, protect, and encrypt information; and anything else that has been
discovered and appears to be relevant to the overall computer system examination.
9. Provide expert consultation and/or testimony, as required.

TYPES OF LAW ENFORCEMENT COMPUTER FORENSIC TECHNOLOGY

Computer forensics tools and techniques have become important resources for use in internal investigations, civil
lawsuits, and computer security risk management. Law enforcement and military agencies have been involved in
processing computer evidence for years. Computer Evidence Processing Procedures Processing procedures and
methodologies should conform to federal computer evidence processing standards.
1. Preservation of Evidence
Computer evidence is fragile and susceptible to alteration or erasure by any number of occurrences. Computer
evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
Black box computer forensics software tools are good for some basic investigation tasks, but they do not offer a
full computer forensics solution.
SafeBack software overcomes some of the evidence weaknesses inherent in black box computer forensics
approaches. SafeBack technology has become a worldwide standard in making mirror image backups since 1990.

TROJAN HORSE PROGRAMS

The computer forensic expert should be able to demonstrate his or her ability to avoid destructive programs and
traps that can be planted by computer users bent on destroying data and evidence.
Such programs can also be used to covertly capture sensitive information, passwords, and network logons.

COMPUTER FORENSICS DOCUMENTATION

Without proper documentation, it is difficult to present findings. If the security or audit findings become the
object of a lawsuit or a criminal investigation, then documentation becomes even more important.

FILE SLACK
Slack space in a file is the remnant area at the end of a file in the last assigned disk cluster, that is unused by
current file data, but once again, may be a possible site for previously created and relevant evidence.
Techniques and automated tools that are used by the experts to capture and evaluate file slack.

DATA-HIDING TECHNIQUES

Www.arjun00.com.np Page 2
Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is
possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. Computer
forensic experts should understand such issues and tools that help in the identification of such anomalies.

E-COMMERCE INVESTIGATIONS
Net Threat Analyzer can be used to identify past Internet browsing and email activity done through specific
computers. The software analyzes a computer’s disk drives and other storage areas that are generally unknown to
or beyond the reach of most general computer users. Net Threat Analyzer avail-able free of charge to computer
crime specialists, school officials, and police.

DUAL-PURPOSE PROGRAMS
Programs can be designed to perform multiple processes and tasks at the same time. Computer forensics experts
must have hands-on experience with these programs.

TEXT SEARCH TECHNIQUES

Tools that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap
files.

FUZZY LOGIC TOOLS USED TO IDENTIFY UNKNOWN TEXT

Computer evidence searches require that the computer specialist know what is being searched for. Many times
not all is known about what may be stored on a given computersystem. In such cases, fuzzy logic tools can provide
valuable leads as to how the subject computer was used.

2. Disk Structure
Computer forensic experts must understand how computer hard disks and floppy diskettes are structured and
how computer evidence can reside at various levels within the structure of the disk. They should also demonstrate
their knowledge of how to modify the structure and hide data in obscure places on floppy diskettes and hard disk
drives.

3. Data Encryption
Computer forensic experts should become familiar with the use of software to crack security associated with the
different file structures

4. Matching a Diskette to a Computer

Specialized techniques and tools that make it possible to conclusively tie a diskette to a computer that was used to
create or edit files stored on it. Computer forensic experts should become familiar how to use special software
tools to complete this process.

5. Data Compression
Computer forensic experts should become familiar with how compression works and how compression programs
can be used to hide and disguise sensitive data and also learn how password- protected compressed files can be
broken.

6. Erased Files
Computer forensic experts should become familiar with how previously erased files can be recovered by using
DOS programs and by manually using data-recovery technique & familiar with cluster chaining.

7. Internet Abuse Identification and Detection

Www.arjun00.com.np Page 3
 Computer forensic experts should become familiar with how to use specialized software to identify how a
targeted computer has been used on the Internet. This process will focus on computer forensics issues tied to data
that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files).

8. The Boot Process and Memory Resident Programs

Computer forensic experts should become familiar with how the operating system can be modified to change data
and destroy data at the whim of the person who configured the system. Such a technique could be used to covertly
capture keyboard activity from corporate executives, for example. For this reason, it is important that the experts
understand these potential risks and how to identify them.

EVIDENCE COLLECTION AND DATA SEZIURE

Why Collect Evidence?
The simple reasons for collecting evidence are:
Future Prevention: Without knowing what happened, you have no hope of ever being able to stop someone else
from doing it again.
Responsibility: The attacker is responsible for the damage done, and the only way to bring him to justice is with
adequate evidence to prove his actions. The victim has a responsibility to the community. Information gathered
after a compromise can be examined and used by others to prevent further attacks.

Collection Options Once a compromise has been detected, you have two options:
1. Pull the system off the network and begin collecting evidence: In this case you may find that you have
insufficient evidence or, worse, that the attacker left a dead man switch that destroys any evidence once the
system detects that its offline.
2. Leave it online and attempt to monitor the intruder: you may accidentally alert the intruder while
monitoring and cause him to wipe his tracks any way necessary, destroying evidence as he goes.

Types of Evidence
Real Evidence: Real evidence is any evidence that speaks for itself without relying on anything else. In
electronic terms, this can be a log produced by an audit function— provided that the log can be shown to be free
from contamination.
Testimonial Evidence: Testimonial evidence is any evidence supplied by a witness. As long as the witness can
be considered reliable, testimonial evidence can be almost as powerful as real evidence.
Hearsay: Hearsay is any evidence presented by a person who was not a direct witness. Hearsay is generally
inadmissible in court and should be avoided.

The Rules of Evidence

1. Admissible: Admissible is the most basic rule. The evidence must be able to be used in court.
2. Authentic: You must be able to show that the evidence relates to the incident in a relevant way.
3. Complete: It’s not enough to collect evidence that just shows one perspective of the incident.
4. Reliable: Your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity
and veracity.
5. Believable: The evidence you present should be clearly understandable and believable to a jury.

Methods of Collection
There are two basic forms of collection:
1. freezing the scene and honeypotting. Freezing the Scene It involves taking a snapshot of the system in
its compromised state. You should then start to collect whatever data is important onto removable
nonvolatile media in a standard format. All data collected should have a cryptographic message digest
created, and those digests should be compared to the originals for verification.

Www.arjun00.com.np Page 4
 2. Honeypotting It is the process of creating a replica system and luring the attacker into it for further
monitoring. The placement of misleading information and the attacker’s response to it is a good method
for determining the attacker’s motives.

Collection Steps
1. Find the Evidence: Use a checklist. Not only does it help you to collect evidence, but it also can be used to
double-check that everything you are looking for is there.
2. Find the Relevant Data: Once you’ve found the evidence, you must figure out what part of it is relevant to the
case.
3. Create an Order of Volatility: The order of volatility for your system is a good guide and ensures that you
minimize loss of uncorrupted evidence.
4. Remove external avenues of change: It is essential that you avoid alterations to the original data.
5. Collect the Evidence: Collect the evidence using the appropriate tools for the job.
6. Document everything: Collection procedures may be questioned later, so it is important that you document
everything you do. Timestamps, digital signatures, and signed statements are all important

Computer Evidence Processing Steps

There really are no strict rules that must be followed regarding the processing of computer evidence. The following
are general computer evidence processing steps:

1. Shut down the computer. Depending on the computer operating system, this usually involves pulling the plug or
shutting down a network computer using relevant commands required by the network involved. Generally, time is
of the essence, and the computer system should be shut down as quickly as possible.

2. Document the hardware configuration of the system. Be-fore dismantling the computer, it is important that
pictures are taken of the computer from all angles to document the system hardware components and how they
are connected. Labeling each wire is also important, so that it can easily be reconnected when the system
configuration is restored to its original condition at a secure location.

3. Transport the computer system to a secure location. A seized computer left unattended can easily be
compromised. Don’t leave the computer unattended unless it is locked up in a secure location.

4. Make bit stream backups of hard disks and floppy disks. All evidence processing should be done on a restored
copy of the bit stream backup rather than on the original computer. Bit stream backups are much like an insurance
policy and are essential for any serious computer evidence processing.

5. Mathematically authenticate data on all storage devices. You want to be able to prove that you did not alter any
of the evidence after the computer came into your possession. Since 1989, law enforcement and military agencies
have used a 32- bit mathematical process to do the authentication process.

6. Document the system date and time. If the system clock is one hour slow because of daylight-savings time, then
file timestamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and
time settings at the time the computer is taken into evidence is essential.

7. Make a list of key search words. it is all but impossible for a computer specialist to manually view and evaluate
every file on a computer hard disk drive. Gathering information from individuals familiar with the case to help
com-pile a list of relevant keywords is important. Such keywords can be used in the search of all computer hard
disk drives and floppy diskettes using automated soft-ware.

Www.arjun00.com.np Page 5
Evidentiary Reporting

All incidents should be reported to management as soon as possible. Prompt internal reporting is imperative to
collect and preserve potential evidence. It is important that information about the investigation be limited to as
few people as possible. Information should be given on a need-to-know basis, which limits the possibility of the
investigation being leaked. In addition, all communications related to the incident should be made through an out-
of-band method to ensure that the intruder does not intercept any incident-related information. In other words, E-
mail should not be used to discuss the investigation on a compromised system. Based on the type of crime and type
of organization it may be necessary to notify –

• Executive management.
• The information security department.
• The physical security department.
• The internal audit department.
• The legal department.
What is Incident Response?
• The National Institute of Standards and Technology (NIST) defines incident response (or incident
handling) as “the mitigation of violations of security policies and recommended practices,” while SANS
Institute defines incident handling as an “action plan for dealing with intrusions, cyber-theft, denial of
service, fire, floods, and other security-related incidents.”

Incident Response Life Cycles

The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection
and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

Phase 1: Preparation
The Preparation phase covers the work an organization does to get ready for incident response, including
establishing the right tools and resources and training the team. This phase includes work done to prevent
incidents from happening.

• Preparing the organization This area includes topics such as identifying risk, policies for a successful IR,
working with outsourced IT, global infrastructure concerns, and user education.

• Preparing the IR team This area includes communication procedures and resources such as hardware,
software, training, and documentation.

• Preparing the infrastructure This area includes asset management, instrumentation, documentation,
investigative tools, segmentation, and network services.

Phase 2: Detection and Analysis

Accurately detecting and assessing incidents is often the most difficult part of incident response for many
organizations, according to NIST.

Phase 3: Containment, Eradication, and Recovery

This phase focuses on keeping the incident impact as small as possible and mitigating service disruptions.

The proper steps need to be taken to handle the situation once an incident or event has been validated:

Www.arjun00.com.np Page 6
Containment: The actions required to prevent the incident or event from spreading across the network

Eradication: The actions that are required to completely wipe the threat from the network or system

Recovery: The actions required to bring back the network or system to its former functionality and use

Phase 4: Post-Event Activity

Learning and improving after an incident is one of the most important parts of incident response and the most
often ignored. In this phase the incident and incident response efforts are analyzed. The goals here are to limit the
chances of the incident happening again and to identify ways of improving future incident response activity.

Proactive and Post Incident Cyber Services

A proactive approach to cybersecurity includes preemptively identifying security weaknesses and adding
processes to identify threats before they occur

There are obvious benefits of a proactive cybersecurity strategy. Most importantly, digital threats are becoming
smarter and more complex, so more than ever, you need to stay ahead of these threats before they can damage
your organization.

A proactive approach helps define a baseline level of cybersecurity consisting of the necessary starting point at
which processes, software and professionals are needed to protect your business. Once that’s established,
reporting potential threats and responding to incidents can be automated so your IT security team will
immediately be notified and take action in real time.

Additionally, not shoring up your technological defenses as the value of data and digital information continues to
grow can cost you. For example, harsher regulatory penalties are being doled out for not properly securing third-
party data as politicians and regulators crack down on companies that don’t secure their data.

**************************************************************************************************************

Www.arjun00.com.np Page 7
 Unit-VI(Ethics in Cyber security & Cyber Law)
6.1 Privacy
6.2 Intellectual Property
6.3 Professional Ethics
6.4 Freedom of Speech
6.5 Fair User and Ethical Hacking
6.6 Trademarks
6.7 Internet Fraud
6.8 Electronic Evidence

CYBER LAW AND ETHICS

1. Cyber law refers to all the legal and regulatory aspects of Internet and World Wide Web.
It is important because for the following reasons:
i. It is required to overcome the cybercrime in the internet.
ii. It is important for the eradication of the illegal activities done in the internet.
iii. It touches all the aspects of transactions and activities on and concerning the internet and Cyberspace.

2. The provisions provided by the Cyber Law 2061 B.S. are as follows:
i. It has a strong provision for punishment against cyber-crimes. The cyber-criminal can be fined up to Rs. 5, 00,000
or liable to imprisonment of up to five years or both.
ii. The act has provision for office of the controllers that issue license of certification to the IT facilities.

3. Digital Signature is the mathematical scheme for demonstrating the authenticity of a digital message or
document. It is important in e commerce because it provides a legal framework to facilitate and safeguard
electronic transactions in electric medium.

4. Computer ethics is the branch of practical principles that deals with how the computer experts should make
decisions in regard to the social and professional behavior. It is a set of moral principles that regulates the use of
computers.

5. The cyber law that enforces the discipline of usage of computer, world-wide is called the International Cyber
Law.
The International Cyber Law is illustrated below:
i. Freedom of Information Act 1970: This act states that, each individual has the rights to view each information
provided by the state.
ii. Video Privacy Act 1988: This act states that the individual record cannot be viewed by any other without the
permission of the court.
iii. Fair credit reporting Act 1970: This act ensures that each individual can view rights to view their credit
information in free of cost basis.
iv. Federal Privacy Act 1974: This act states enforces the concept that a state can view any record if it is needed.

Www.arjun00.com.np Page 1
6. Formation of an efficient information technology will place country's disadvantages as the result of its
geographical conditions towards the minority. There remains the prominent economic disparity between the
countries with and without sufficient development. So, it is very much possible that the international community
will extend its support to developing countries for the development of information technology. Such assistance will
definitely be significant for the national development of a developing country like Nepal. Hence, Information
Technology (IT) policy is essential for the development of information technology. Development of IT in turn will
upgrade the standard of the national economy.

7.
Objectives
i. To make information technology accessible to the general public and increase employment through this means.
ii. To build a knowledge through this means.
iii. To establish knowledge-based industries.
Strategies
i. Legalize and promote e-commerce.
ii. Assists in e-governance by using information technology.
iii. Include computer education in curriculum from the school level.
Action Plan
i. Infrastructure Development
ii. Promotion Of E-Commerce
iii. Human Resource Development.

8. Computer ethics is the branch of practical principles that deals with how the computer experts should make
decisions in regard to the social and professional behavior. It is a set of moral principles that regulates the use of
computers.
The computer ethics are as follows:
i. One should not interfere with other computer's work.
ii. One should not provide fake information.
iii. One should not use the computer to steal.
iv. One should not copy or use proprietary software for which they have not paid.
v. One should not create a virus and use it.

9. Cyber Law was implemented in Nepal in 2061 B.S. It was implemented to stop cyber-crimes, hacking, piracy,
harassments etc.

10. The points of ethics to be followed by the computer users are as follows:
i. Hacking: Computer hacking is the transferring illegal items through the internet (such as encryption technology)
that is banned in some locations. It is the activity of breaking into a computer system to gain an unauthorized
access.

Www.arjun00.com.np Page 2
ii. Privacy: Privacy is the ability of an individual or group to stop information about them from becoming known to
people other than those whom they chose to give the information. Of anybody uses such private data without
permission of the owner, it becomes the cyber-crime.
Privacy can be decomposed to the limitation of others' access to an individual with "three elements of secrecy,
anonymity, and solitude" (Gavison, 1984).[3] Anonymity refers to the individual's right to protection from
undesired attention. Solitude refers to the lack of physical proximity of an individual to others. Secrecy refers to the
protection of personalized information from being freely distributed.

iii. Piracy: The theft of software and the copying of licensed software without permission are some examples of
piracy. These are not only a matter for the security personnel. It can involve custom officers, agencies who to
protect consumers.
iv. Copyright: It is literally the right to copy an original creation. In most cases, these rights are of limited duration.
Copyright law covers only the particular form or manner of ideas or information can be used.

11. The standards listed under Cyber Law 2061 B.S. of Nepal are as follows:
i. Provides a legal framework to facilitate and safeguard electronic transactions in the electronic medium.
ii. To facilitate electronic filing of documents with the Government agencies and to promote efficient delivery of
government services by means of reliable electronic records.
iii. Provides a detailed provision for the Controller of Certifying Authorities to regulate Certifying Authorities.
iv. Provides legal status to digital signatures sent by the electronic media, which would be an important provision
to introduce e-banking.
v. Provides legal status for various banking signatures sent through the electronic media, which will be
instrumental in boosting economic activities throughout the world via Internet.

12. No, in my opinion I don't think it is sufficient to cover all the electronic data transmission just by Cyber Law
2061 and IT Policy 2002. Only making law and policy and not implementing is not a reasonable thing to stop cyber-
crimes. In order to cover all the electronic data transmission, the Law and policy should be changed and should be
implemented strictly, then only there might be chance of covering the data transmission.

13. The subjects included in Cyber Law are as follows:

I. Intellectual Property
II. Jurisdiction Law
III. Privacy
IV. Computer Crime Law
v. Digital Signatures System
vi. Freedom of Expression

B.
1. Intellectual Property Law
It presents a bunch of exclusive rights in relation to the manner in which intellectual ideas or information are
expressed and used Some of the intellectual property law are as follows:

Www.arjun00.com.np Page 3
Types of intellectual property

Copyright
i. Copyright exists in many computer related creative works like software, source code discovery etc.
Copyright is a legal term used to describe the rights that creators have over their literary and artistic works. Works
covered by copyright range from books, music, paintings, sculpture and films, to computer programs, databases,
advertisements, maps and technical drawings

ii. Trademark is a distinctive sign that distinguishes the products and software of one business from that of
another. A trademark is a sign capable of distinguishing the goods or services of one enterprise from those of other
enterprises. Trademarks date back to ancient times when artisans used to put their signature or "mark" on their
products.
iii. A trade secret is confidential information related to the work procedure of the organization.
Patent
A patent is an exclusive right granted for an invention. Generally speaking, a patent provides the patent owner with
the right to decide how - or whether - the invention can be used by others. In exchange for this right, the patent
owner makes technical information about the invention publicly available in the published patent document.
Industrial Designs
An industrial design constitutes the ornamental or aesthetic aspect of an article. A design may consist of three-
dimensional features, such as the shape or surface of an article, or of two-dimensional features, such as patterns,
lines or color.
Geographical indications
Geographical indications and appellations of origin are signs used on goods that have a specific geographical origin
and possess qualities, a reputation or characteristics that are essentially attributable to that place of origin. Most
commonly, a geographical indication includes the name of the place of origin of the goods
Trade secrets
Trade secrets are IP rights on confidential information which may be sold or licensed. The unauthorized
acquisition, use or disclosure of such secret information in a manner contrary to honest commercial practices by
others is regarded as an unfair practice and a violation of the trade secret protection.
2. Copyright Law
It is literally the right to copy an original creation. In most cases, these rights are of limited duration. Copyright law
covers only the particular form or manner of ideas or information can be used. It is not designed to cover the actual
idea, concepts, facts, styles, or techniques which may be represented by the copyright work.
Professional Ethcs:
In our study of professions and the people who profess the deep knowledge of the profession, we focus on four
themes: (1) evolution of professions, (2) the making of an ethical professional, (3) the professional decision-
making process, and (4) professionalism and ethical responsibilities. These four themes cover all the activities
of a professional life.
Requirements of a Professional
There are three basic professional requirements, and over the years as the profes sions evolved, these three
elements have taken different forms. They are as follows:
1. A set of highly developed skills and deep knowledge of the domain. Although professional skills are
developed through long years of experience, such skills must be backed up by a very well-developed
knowledge base acquired through long years of formal schooling.

Www.arjun00.com.np Page 4
 2. Autonomy. Because professionals provide either products or services, there is always a relationship
between the provider of the service and the receiver of the service or the provider of the product and the
receiver of the product. In this relationship, we are concerned with the power balance. In the case of a
professional, the power is in favor of the professional. Take the relationship between a lawyer and a
client or a physician and a patient, for example. In either case, there is a power play in favor of the
provider of the service.
3. . Observance of a code of conduct. A working professional usually observes these four types of codes
i. The professional code: A set of guidelines provided to the professional by the profession
spelling out what a professional ought to do and not do. A professional code protects both
the image of the profession and that of the individual members. Thus, it is a requirement
for the profession that members adhere to the code.
ii. A personal code: A set of individual moral guidelines on which professionals operate. In
many ways, these guidelines are acquired by professionals from the cultural environment
in which they grow up or live in and the religious beliefs they may practice. Whatever the
case, a personal code supplements the professional code significantly.
iii. The institutional code: A code imposed by the institution for which the professional is
working. This code is meant to build and maintain the public’s confidence in the
institution and its employees.
iv. The community code: A community standard code developed over a period of time based
on either the religion or culture of the indigenous people in the area. It may be imposed
by civil law or the culture of the community in which the professional works
Pillars of Professionalism
Professionalism is supported by four pillars: commitment, integrity, responsibility, and accountability.
Commitment Commitment, according to Humphreys, has these six characteristics
1. The person making the commitment must do so willingly without duress.
2. 2. The person responsible must try to meet the commitment, even if help is needed.
3. There must be agreement on what is to be done, by whom, and when.
4. The commitment must be openly and publicly stated.
5. The commitment must not be made easily.
6. Prior to the committed date, if it is clear, it cannot be met, advance notice must be given, and a new
commitment negotiated.
Integrity
Integrity means a state of undivided loyalty to self-belief. It is honesty, uncom promising self-value, and
incorruptible. The word integrity comes from the Latin word integratas, which means entire, undivided, or
whole. To stay undivided in one’s beliefs professionally requires three maxims of integrity, namely, vision, love
of what one is doing, and commitment to what one has to do.
Responsibility
Responsibility deals with roles, tasks, and actions and their ensuing consequences. For example, as parents, we
have an obligation and a duty to bring up our offspring. That is parental responsibility. But responsibility also
depends on a person’s value system, which is based on his or her environment and culture. There are various
types of responsibilities, including personal, communal, parental, and professional, and these responsibilities
vary depending on the age of the individual and his or her position in society. For example, the responsibilities
Www.arjun00.com.np Page 5
of a 5-year-old are far different from those of a 40-year-old. Clearly, the responsibilities of a country’s chief
executive are different from those of a janitor. When individuals choose a lifestyle implied in a career or a
vocation, they choose and must accept the package of responsibilities that go with that lifestyle.
Accountability
One way we can define accountability is the obligation to answer for the execution of one’s assigned
responsibilities. This process involves a cycle of setting mea surable outcomes and achievable goals, planning
what needs to be done to meet those goals, reporting progress toward goals, evaluating the reports, and using
that feedback to make improvements. Accountability involves these three key elements:
1. A set of outcome measures that reliably and objectively evaluate performance:
2. A set of performance standards defined in terms of these outcome measures:
3. A set of incentives for meeting the standards and/or penalties for failing to meet them:

Professional ethics encompasses an ethical code governing the conduct of persons engaged in the practice of law
as well as persons engaged in the legal sector. All members of the legal profession have a paramount duty to the
court and towards the administration of justice. This duty prevail over all other duties, especially in the
circumstances where there may be a conflict of duties. It is important that legal practitioners conduct themselves
with integrity, provide proper assistance to the court, and promote public confidence in the legal system. In
carrying out their duties, they are required and expected to deal with other members of the legal profession with
courtesy and integrity. Advocates, apart from being professionals, are also officers of the court and play a vital role
in the administration of justice.

Accordingly, the set of rules that govern their professional conduct arise out of the duties that they owe to the
court, the client, their opponents and other advocates. Rules on the professional standards that an advocate needs
to maintain are mentioned in Chapter II, Part VI of the Bar Council of India Rules. These Rules have been provided
under section 49(1)(c) of the Advocates Act, 1961.

Freedom of Speech
Freedom of information, that is the freedom of speech as well as the freedom to seek, obtain and impart
information brings up the question of who or what, has the jurisdiction in cyberspace. The right of freedom of
information is commonly subject to limitations dependent upon the country, society and culture concerned.
Generally there are three standpoints on the issue as it relates to the internet. First is the argument that the
internet is a form of media, put out and accessed by citizens of governments and therefore should be regulated by
each individual government within the borders of their respective jurisdictions. Second, is that, "Governments of
the Industrial World... have no sovereignty [over the Internet] ... We have no elected government, nor are we likely
to have one,... You have no moral right to rule us nor do you possess any methods of enforcement we have true
reason to fear."[13] A third party believes that the internet supersedes all tangible borders such as the borders of
countries, authority should be given to an international body since what is legal in one country may be against the
law in another
Computer fraud, closely linked to internet fraud, is defined as 1) the use of a computer or computer system to
help execute a scheme or illegal activity and 2) the targeting of a computer with the intent to alter, damage, or
disable it. Computer fraud breaks down roughly into three categories:

▪ Theft of information
▪ Theft of or denial of service
▪ Hacking into or damaging a computer’s hardware system

Www.arjun00.com.np Page 6
THEFT OF INFORMATION

Theft of information refers to the theft of information from a secure or private computer system, as when a hacker
illegally breaks into a government system to obtain top secret information. The theft of trade secrets and the
computer-aided duplication of copyrighted materials—such as video games, movies, and music—also fall into this
category.

THEFT OF SERVICE

Theft of service is when a hacker uses a computer to access web sites or Internet connections for which he did not
pay. It may also include using a computer to break into long distance systems to “steal” service for free calls.
Usually, theft of service is classified as Internet fraud, Often lumped together with computer fraud, Internet fraud
includes any scheme that uses a Web site, chat room, email account, or all three to defraud a company or
individual. Examples of crimes include offering nonexistent goods to a buyer (such as with an online auction),
stealing someone’s funds by hacking into his bank or credit card account, or illegally using access devices, such as
those of a paid news subscription service. Conversely, denial of service includes “mailbombing", which is when
someone purposely attempts to disable an email account by sending massive amounts of emails to its address.

HACKING

Hacking refers to illegal entry into a computer’s hardware system. Hackers obtain passwords and delete
information, create programs to steal passwords, or even rummage through company garbage to find secret
information. Such criminals might pose as computer repairmen in order to gain easy access to computer systems,
or they might create and send out dangerous computer viruses.
Online sex crimes such as stalking and child pornography are also classified as computer fraud.

COMBATING COMPUTER AND INTERNET FRAUD

Many task forces and organizations have been formed to tackle computer and Internet crimes. For example, the
U.S. Government created the Internet Fraud Complaint Center, a division of the Federal Bureau of Investigation
(FBI), to track computer fraud and to catch those who commit it. The U.S. Department of Justice formed the
National Cybercrime Training Partnership (NCTP), which trains local, state and federal law enforcement agencies
to recognize and fight Internet crimes. Additionally, the Business Software Alliance (BSA) was created to provide
education about copyright issues, computer and Internet security, and trade secret protection to companies and
individuals.

PUNISHMENTS FOR COMPUTER OR INTERNET FRAUD

A perpetrator of computer or Internet fraud may be found guilty of a felony and face a fine of up to $250,000
and/or up to 20 years in jail. Often, those charged with computer and/or Internet fraud are also charged with wire
fraud, mail fraud, conspiracy, identity theft, or other white collar crimes.

What Is Electronic Evidence?

Electronic evidence is any electronically stored information (ESI) that may be used as evidence in a lawsuit or trial.
Electronic evidence includes any documents, emails, or other files that are electronically stored. Additionally,
electronic evidence includes records stored by network or Internet service providers.

Www.arjun00.com.np Page 7
Which Laws Govern Electronic Evidence?
There are two sources of law which govern the collection of electronic evidence:

1) The Fourth Amendment – the amendment that protects individual privacy interests by preventing
unreasonable searches and seizures.

• Searches with a warrant: Under the Fourth Amendment, the police may seize and search your computer if
they have a valid search warrant. A valid search warrant allows them to take your personal computer and
search it.
• Searches without a warrant: The police may search your computer for incriminating evidence. In some
cases, they do not need a search warrant to do so. These warrantless searches are constitutional when
there is no reasonable expectation of privacy, or there is an exception.

2) Statutory Privacy Laws – Various Federal laws regulate how and when electronic evidence may be collected.

• Electronic Communications Privacy Act regulates how police can get the following: Stored account records
from network service providers, Internet service providers (ISP’s), telephone companies, cell phone service
providers, satellite service providers. The ECPA also limits how electronic surveillance may be conducted.
• The Patriot Act expands the power of the police to collect electronic evidence. It eased the restrictions
placed on investigators and allows police to more easily access ESI.

How Can Electronic Evidence Be Used Against Me?

Prosecutors can use electronic evidence to establish the elements of the crime you are being charged with. Emails
or saved instant messaging conversations may be incriminating, especially in cyber bullying and Internet
stalking criminal cases. Internet browser histories may be used to show that you researched topics associated with
the crime. Word processing or spreadsheet documents may be used to show elements of various white collar
crimes.

Digital photos or movies may also be uses as evidence of your involvement in a crime, especially in the case
of revenge porn. In short, electronic evidence may be used against you in the same ways as traditional tangible
evidence.

Should I Get an Attorney If the Police Have Seized Electronic Evidence?

Yes. If the police have seized evidence on you, it is important that you contact an attorney immediately. A criminal
defense attorney can help you defend yourself against any charges. Your attorney will also be able to make sure
that your rights were not violated in the search and seizure of electronic evidence.

3. Hacking
Computer hacking is the transferring illegal items through the internet (such as encryption technology) that is
banned in some locations. It is the activity of breaking into a computer system to gain an unauthorized access.
There are mainly tow types of hacking:
i. White Hacking
ii. Black Hacking

4. Plagiarism

Www.arjun00.com.np Page 8
It is the use of another person's work for personal advantage, without proper acknowledgement of the original
work. Generally this is done with the intention of presenting other's work as ones work. This includes the
unauthorized and unethical copy of one's words, products or ideas.
***********************************************************************************************************

Www.arjun00.com.np Page 9
 Unit-VII(Professional and Ethical Responsibilities):
7.1 Community values and the laws by which we live
7.2 The nature of professionalism in IT
7.3 Various forms of professional credentialing
7.4 The role of the professional in public policy
7.5 Maintaining awareness of consequences
7.6 Ethical dissent and whistle-blowing
7.7 Codes of ethics, conduct, and practice (IEEE, ACM, SE, AITP, and so forth)
7.8 Dealing with harassment and discrimination

7.1 Community values and the laws by which we live

DEFINITION OF LIVING VALUES:

Living Values is re-discovering human potential (values) and developing them for a better living. Human values is
an expression of internal state of self worthiness of a person, or recognition of inherent worth of a person; the
value of human life. Noting that each human has potential for a peaceful, loving life, we train our minds to see only
good in people or the value of their living. What we think, so we become. If we think evil, we become evil, if we
think good we become good. The knowledge of Living Values help us to focus our minds on the potential or positive
side and worth of humanness.

Focusing on reaffirming faith in the dignity and worth of the human person, the individual can uncover a capacity
to stretch his mind beyond the limits of the current reality and recognizes his or her full potential not only in
relation to self but also to others. A person who really understands his or her own inherent worth and respects that
of others will come to know that worth is not something assigned by external forces, but rather comes from a
source that is universal. Living Values education helps us to touch the source, guiding the learner toward a more
profound understanding of the true nature of self worth, the uniqueness and the dignity of man, created or made
by one God for a purpose on earth.

HUMAN VALUES
Basic human values refer to those values which are at the core of being human. The values which are considered
basic inherent values in humans include truth, honesty, loyalty, love, peace, etc. because they bring out the
fundamental goodness of human beings and society at large.

Importance of Human Values

• Provides understanding of the attitudes, motivation and behaviours
• Influences our perception of the world around us
• Represents interpretation of “right and wrong”
• Provides a way to understand humans and organisation.

The five human values which are expected in all human beings, irrespective of whether they are employees or not
in whichever profession or service, are:
1. Right Conduct – Contains values like self-help skills (modesty, self-reliance, hygiene etc.), social skills•
(good behavior, good manners, environment awareness etc.), ethical skills (courage, efficiency, initiative,
punctuality etc.) and Ownership.

WWW.ARJUN00.COM.NP Page 1
 2. Peace – Contains values like equality, focus, humility, optimism, patience, self-confidence, self control,
self-esteem etc.•
3. Truth – Contains values like accuracy, fairness, honesty, justice, quest for knowledge, determination• etc.
4. Peaceful co-existence – Contains values like psychological (benevolence, compassion, consideration,•
morality, forgiveness etc.) and social (brotherhood, equality, perseverance, respect for others,
environmental awareness etc.)
5. Discipline – Contains values like regulation, direction, order etc.

Professionalism In Information Technology

Professionalism may be considered as behaving in an appropriate manner and adhering to accepted principles and
practices. It is not only vital in the field of Information Technology but it is also very important in other fields. Some
of the key aspects of IT Professionalism are competence in IT, knowledge, various skills such as soft skills, ethical
behaviour and certification. Professionalism and ethics must be taught and practised at the secondary level of
schooling. Professionalism is required not only in the field of Information Technology but also in other fields in
order to bring about reputation, ethical behaviour and add value to any organization.

CODE OF PROFESSIONAL ETHICS

• Professionally accepted standards of personal and business behaviour, values and guiding principles.
• Codes of professional ethics are often established by professional organizations to help to guide members
in performing their job functions according to sound and consistent ethical principles
• Professional ethics may be understood as professionally acknowledged measures of individual and
business conduct, values, and guiding principles.
• Professional ethics is nothing but a code of conduct applicable to different professions and is set up by the
expert members of such profession or professional organizations.
• The underlying philosophy of having professional ethics is to make the persons performing in such jobs to
follow the sound, uniform ethical conduct.
• Hippocratic Oath undertaken by medical students is one such example of professional ethics that is
adhered by even today. Some of the important components of professional ethics that professional
organizations necessarily include in their code of conduct are integrity, honesty, transparency,
respectfulness towards the job, confidentiality, objectivity etc.
Let us look at some of the qualities which describe a professional (ACM, 2000)
1. Trustworthiness: Professional trusts himself in whatever he does and trusts other people.
2. Honesty: Professional is honest when working and follows right code of conduct.
3. Punctuality: It is one of the most important aspects of professionalism.
4. Responsibility: Professional is responsible towards his work and handles work effectively.
5. Leadership: Professional has good leadership skills and is a good team player.
6. Confidentiality: Maintains confidentiality of information in an organization.
7. Competency: Professional is technically competent in his field.

Why IT professionalism is needed and why is it important?

Need for Professional Ethics Professional ethics are accepted standards of personal and business behaviour, values
and guiding principles. Codes of professional ethics are established by professional organizations to help to guide
members in performing their job functions according to sound and consistent ethical principles. Professional ethics
is set up by the expert members of such profession or professional organizations. The underlying philosophy of
having professional ethics is to make the persons performing in such jobs to follow the sound, uniform ethical
WWW.ARJUN00.COM.NP Page 2
conduct. Professional organizations necessarily include components like integrity, honesty, transparency,
respectfulness towards the job, confidentiality, objectivity etc. in their code of conduct.

A computing professionalshould...
1. Strive to achieve high quality in both the processes and products of professional work.
2. Maintain high standards of professional competence, conduct, and ethical practice.
3. Know and respect existing rules pertaining to professional work.
4. Accept and provide appropriate professional review.
5. Give comprehensive and thorough evaluations of computersystems and their impacts, including analysis of
possible risks.
6. Perform work only in areas of competence.
7. Foster public awareness and understanding of computing, related technologies, and their consequences.
8. Access computing and communication resources only when authorized or when compelled by the public
good.
9. Design and implementsystemsthat are robustly and usably secure.

Various forms of professional credentialing

Credentialing is a process for granting a designation, such as a certificate or license, by measuring an individual’s
competence in a specific knowledge, skill, or performance area. The purpose of credentialing is to assure the public
that an individual meets the minimum requirements within an area of competence, typically an occupation or
profession.

There are three principal types of credentialing.

1. Licensure, the most restrictive type, refers to the mandatory government requirement needed to practice
an occupation or profession. Mandatory process by which a governmental agency grants time-limited
permission to an individual to engage in a given occupation after verifying that he or she has met
predetermined and standardized criteria. Examples: Licensed Real Estate Agent, Licensed Practical Nurse,
Licensed Cosmetologist, Professional Engineer, Registered Nurse Professional Certification:
2. The second type, certification, is a voluntary process that is traditionally established by nongovernmental
agencies. Voluntary process by which a nongovernmental entity grants a time-limited recognition to an
individual after verifying that he or she has met predetermined and standardized criteria. Examples:
Certified Association Executive (American Society of Association Executives), Certified Meeting Planner
(Meeting Planners International), Certified Project Manager (Project Management Institute)
3. The final type of credentialing, registration, is the least restrictive and typically requires individuals to
apply for a credential through a governmental or private agency.

GENERAL ETHICAL PRINCIPLES.

A computing professional should…

1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.
This principle, which concerns the quality of life of all people, affirms an obligation of computing professionals,
both individually and collectively, to use their skills for the benefit of society, its members, and the environment
surrounding them.

WWW.ARJUN00.COM.NP Page 3
Avoid harm.

In this document, “harm” means negative consequences, especially when those consequences are significant and
unjust. Examples of harm include unjustified physical or mental injury, unjustified destruction or disclosure of
information, and unjustified damage to property, reputation, and the environment

Be honest and trustworthy.

Honesty is an essential component of trustworthiness. A computing professional should be transparent and

provide full disclosure of all pertinent system capabilities, limitations, and potential problems to the appropriate
parties. Making deliberately false or misleading claims, fabricating or falsifying data, offering or accepting bribes,
and other dishonest conduct are violations of the Code.

Be fair and take action not to discriminate.

The values of equality, tolerance, respect for others, and justice govern this principle. Fairness requires that even
careful decision processes provide some avenue for redress of grievances.

Respect the work required to produce new ideas, inventions, creative works, and computing artifacts.

Developing new ideas, inventions, creative works, and computing artifacts creates value for society, and those who
expend this effort should expect to gain value from their work. Computing professionals should therefore credit
the creators of ideas, inventions, work, and artifacts, and respect copyrights, patents, trade secrets, license
agreements, and other methods of protecting authors’ works.

Respect privacy.

The responsibility of respecting privacy applies to computing professionals in a particularly profound way.
Technology enables the collection, monitoring, and exchange of personal information quickly, inexpensively, and
often without the knowledge of the people affected. Therefore, a computing professional should become
conversant in the various definitions and forms of privacy and should understand the rights and responsibilities
associated with the collection and use of personal information.

Honor confidentiality.

Computing professionals are often entrusted with confidential information such as trade secrets, client data,
nonpublic business strategies, financial information, research data, pre-publication scholarly articles, and patent
applications. Computing professionals should protect confidentiality except in cases where it is evidence of the
violation of law, of organizational regulations, or of the Code.

PROFESSIONAL RESPONSIBILITIES.

A computing professional should…

2.1 Strive to achieve high quality in both the processes and products of professional work.
Computing professionals should insist on and support high quality work from themselves and from colleagues. The
dignity of employers, employees, colleagues, clients, users, and anyone else affected either directly or indirectly by
the work should be respected throughout the process.

WWW.ARJUN00.COM.NP Page 4
Maintain high standards of professional competence, conduct, and ethical practice.

High quality computing depends on individuals and teams who take personal and group responsibility for
acquiring and maintaining professional competence. Professional competence starts with technical knowledge and
with awareness of the social context in which their work may be deployed.

Know and respect existing rules pertaining to professional work.

“Rules” here include local, regional, national, and international laws and regulations, as well as any policies and
procedures of the organizations to which the professional belongs. Computing professionals must abide by these
rules unless there is a compelling ethical justification to do otherwise. Rules that are judged unethical should be
challenged

Accept and provide appropriate professional review.

High quality professional work in computing depends on professional review at all stages. Whenever appropriate,
computing professionals should seek and utilize peer and stakeholder review. Computing professionals should also
provide constructive, critical reviews of others’ work.

2.5 Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of
possible risks.
Computing professionals are in a position of trust, and therefore have a special responsibility to provide objective,
credible evaluations and testimony to employers, employees, clients, users, and the public. Computing
professionals should strive to be perceptive, thorough, and objective when evaluating, recommending, and
presenting system descriptions and alternatives. Extraordinary care should be taken to identify and mitigate
potential risks in machine learning systems.

Perform work only in areas of competence.

A computing professional is responsible for evaluating potential work assignments. This includes evaluating the
work’s feasibility and advisability, and making a judgment about whether the work assignment is within the
professional’s areas of competence.

Ethical awareness
Ethical awareness is the eagerness and ability to designate moral situations and dilemmas; critically analyze,
evaluate, and additionally change one’s own moral esteems; and look up the effects of one’s own attitude for the
lives of others. All sizes of enterprises must be conscious of the ethical implications of their way of acting. Ethical
awareness begins with watchful thinking to guarantee an enterprise’s activities are morally right.
A person is ethically aware if he/she realizes that a problem he/she experiences incorporates an ethical problem .
A person can make right and moral decisions only if that person is aware of an ethical problem
Additionally, that person can identify the potential effects of a problem on the benefits, desires, and welfare of all
related parties.
Most of the people think acting ethically is its personal reward, however, an enterprise likely consumes monetary
motivations too. Unethical behaviors may spoil the position, reputation, and relations of an employee. Moreover, it
may damage an enterprise’s image, which will end up with losing current and potential customers. Indorsing
ethical awareness among employees stops issues from developing in any way.

WWW.ARJUN00.COM.NP Page 5
Ethical dissent and whistle-blowing

ethical dissent is a process, not a single action

The IEEE has guidelines for ethical dissent that include:
1. Establish a clear technical foundation
2. Be professional, impersonal, objective.
3. Catch problems early, keep issues at lowest managerial level possible
4. Make sure you think the issue is important enough to make your case
5. Help establish and use organizational dispute resolution mechanisms
6. Keep records

What is Whistleblowing?
It is a special form of dissent in which a member or former member of an organization goes outside the
organization or outside normal organizational channels to reveal organizational wrongdoing, illegally, or actions
that threaten the public.
Definition of Whistle Blowing:
Whistle blowing basically is done by an employee where he finds that the ethical rules are broken knowingly or
unknowingly and an imminent danger for the company, consumers or the public. When an employee is working in
an organization is part of the group where the decisions are made and executed.

The whistle blowing needs a relook at the same work and requires breaking with the very group that the whistle-
blower viewed as critical to financial success of the group and the company or very survival of the company. The
decision of whistle blowing may involve destabilizing one’s life and placing the entire organization under scrutiny.

Whistle-blowing can be internal, in which case the attention is sought internally and remains within organizational
channels, or it can be public, in which case it alerts everyone. Everyday people, especially employees, witness
wrongdoing on the job. What they witness usually can jeopardize not only their health, safety, or lives but also the
well-being of others.

The conditions in which whistle blowing is morally justified are:

1. A product or policy that will commit serious and considerable harm to the public.

2. When the employee identifies a serious threat of harm to the consumers, employees, other stakeholder, state
and things against his or her moral concern.

3. Immediate supervisor does not act, should exhaust the internal procedures and chain of command to the board
of directors. No action is taken in spite of best efforts of the employees to remedy the situation of unethical actions.

4. The employee must have documented evidence that is convincing to a reasonable level so that the facts can be
proved to the outside public and to the test of the law.

5. Valid reasons to believe that revealing the wrongdoing to the public will result in the changes in the organisation
are necessary to remedy the situation. The chance of succeeding must be equal to the risk and danger the employee
takes to blow the whistle.

WWW.ARJUN00.COM.NP Page 6
The areas of special importance are:
i. Confidential information of the company to maintain its competitive edge or perform work efficiently.

ii. Whistle blower should not involve himself in personal acquisitions or bringing down the morale of the
organisation.

iii. Accusing manager about incompetent decisions that do not involve ethical issues.

iv. Whistle blowing against violations of code of conduct of the company.

Codes of ethics, conduct, and practice (IEEE, ACM, SE, AITP, and so forth)

COMPLIANCE WITH THE CODE.

A computing professional should…

4.1 Uphold, promote, and respect the principles of the Code.
The future of computing depends on both technical and ethical excellence. Computing professionals should adhere
to the principles of the Code and contribute to improving them. Computing professionals who recognize breaches
of the Code should take actions to resolve the ethical issues they recognize, including, when reasonable, expressing
their concern to the person or persons thought to be violating the Code.

4.2 Treat violations of the Code as inconsistent with membership in the ACM.
Each ACM member should encourage and support adherence by all computing professionals regardless of ACM
membership. ACM members who recognize a breach of the Code should consider reporting the violation to the
ACM, which may result in remedial action as specified in the ACM’s Code of Ethics and Professional Conduct
Enforcement Policy.

The Task Force was organized by the ACM Committee on Professional Ethics. Significant contributions to the Code
were also made by the broader international ACM membership. This Code and its guidelines were adopted by the ACM
Council on June 22nd, 2018.

WWW.ARJUN00.COM.NP Page 7
Association of International Certified Professional Accountants (AICPA)
The AICPA, founded in 1887, represents the accountancy profession as the rule-making and standard-setting body
nationally and in the global marketplace. The AICPA distinguishes itself by having rigorous educational
requirements, a strict code of professional ethics, a licensing status and a commitment to serving the public
interest. State boards regulate accountancy in the United States. The AICPA revised their Code of Professional
Conduct effective December 15, 2014. The AICPA hopes to see state boards of accountancy adopt these new, more
robust, ethical standards. There are six principles of professional conduct for all CPAs in the new Code of
Professional Conduct.

National Society of Professional Engineers (NSPE) In 1934, the NSPE was established as an organization
dedicated to the non-technical concerns of licensed professional engineers. The NSPE statement of principles has
been overwhelmingly endorsed by the professional engineer (PE) members.
The NSPE Code of Ethics for engineers, revised in 2007, breaks six fundamental canons into five rules of practice
and nine professional obligations (National Society of Professional Engineers, 2007). The rules of practice state,
engineers shall:
1. Hold paramount the safety, health and welfare of the public.
2. Perform services only in their competence.
3. Issue public statements only in an objective and truthful manner.
4.Act for each employer or client as faithful agents or trustees.
5.Avoid deceptive acts.

Institute of Electrical and Electronic Engineers (IEEE)

The IEEE has a Code of Ethics has members commit and agree to a list of ten statements which was adopted by the
IEEE Board of Directors in August 1990 (IEEE Board of Directors, 1990). The IEEE also has a Code of Conduct
approved in June 2014 (IEEE Board of Directors, 2014). The Code of Conduct has five major sections (National
Society of Professional Engineers, 2018):
1. Be respectful of others; including being respectful of the privacy of others and the protection of personal
information and data.
2. Treat people fairly; including not engaging in harassment (whether in person or via cybertechnology) and not
discriminating against a person based on characteristics protected by law.
3. Avoid injuring others, their property, reputation or employment; including by false or malicious action or
spreading of malicious rumors, defamation or verbal or physical abuses on the Internet or otherwise.
4. Refrain from retaliation; including those who report a violation of the IEEE Code of Ethics or Code of Conduct and
those who make IEEE aware of a violation of laws, rules or regulations in connection with IEEE activities.
5. Comply with laws in all countries where IEEE does business and with IEEE policies and procedures.

Association for Computing Machinery (ACM)

In 1947, ACM was established; soon after the first stored-program digital computer, ENIAC was created
(Association of Computing Machinery, 2018). The ACM code of ethics and professional conduct was adopted by the
ACM Council in 1992. The code consists of 24 imperatives formed as statements of personal responsibility broken
into four sections. The sections and statements are:
1. General Moral Imperatives: As an ACM member I will...Contribute to society and human well-being. Avoid
harm to others. Be honest and trustworthy. Be fair and take action not to discriminate. Honor property rights
including copyrights and patents. Give proper credit for intellectual property Respect the privacy of others. Honor
confidentiality.
2. More specific Professional Responsibilities: As an ACM computing professional I will...Strive to achieve the
highest quality in both the process and products of professional work. Acquire and maintain professional

WWW.ARJUN00.COM.NP Page 8
competence. Know and respect existing laws pertaining to professional work. Accept and provide appropriate
professional review. Give comprehensive and thorough evaluations of computer systems and their impacts,
including analysis of possible risks. Honor contracts, agreements, and assigned responsibilities. Improve public
understanding of computing and its consequences. Access computing and communication resources only when
authorized to do so.
3. Organizational Leadership Imperatives: As an ACM member and an organizational leader, I will...Articulate
social responsibilities of members of an organizational unit and encourage full acceptance of those responsibilities.
Manage personnel and resources to design and build information systems that enhance the quality, effectiveness
and dignity of working life.
4. Compliance with the Code: As an ACM member, I will...Uphold and promote the principles of this Code. Treat
violations of this Code as inconsistent with membership in the ACM.

Harassment and Discrimination

Harassment is to verbally or physically create an environment that is hostile, intimidating, offensive, severe,
pervasive, or abusive based on a number of parameters including one’s race, religion, sex, sexual orientation,
national origin, age, disability, political affiliation, marital status, citizenship, or physical appearance.
Discrimination on the other hand is a process of making decisions that Ethics and the Professions negatively
affect an individual, such as denial of a service, based wholly, or partly, upon the real or perceived facts of one’s
race, religion, sex, sexual orientation, national origin, age, disability, political affiliation, marital status, or physical
appearance. Harassment and discrimination are serious breaches of human rights. In fact, harassment is a form
of discrimination. If not attended to, harassment does not only affect a few individuals, but it eventually grows to
affect everyone in the organization.
The following steps are needed in fight against harassment and discrimination:
1. Awareness. There are no clear signs of harassment, but in most cases harassment is manifested in the following
signs: unhappiness, anxiety, discomfort, stress, and lifestyle changes. If some or all of these signs start to appear in
the environment where an individual is, then there is harassment. Discrimination is even harder to detect than
harassment. However, there is discrimination if the decisions made are based upon the discriminatory factors
above.
2. Prevention. The main tool for the prevention of harassment and discrimination is for an organization to have a
clear and simple written policy framework setting out the procedures that must be taken if harassment and
discrimination occur. The procedures must include the following: awareness/education, com plaint process,
sanctions, and redress.
******************************************************************************************************************

WWW.ARJUN00.COM.NP Page 9
 Unit-VIII
(Risks and Liabilities of Computer-Based Systems: )
8.1 Software risks
8.2 Safety and the engineers
8.3 Implications of software complexity
8.4 Risk assessment and management

Definitions
Software is a set of computer programs made up of a sequence of short commands called instructions that tell
the computer what to do. Normally, software is in two forms: either built into the computer’s more permanent
memory, called ROM (read-only memory), or loaded on demand at runtime in less permanent but more volatile
memory called RAM (random access memory). A software producer, or developer, creates or develops a set of
programs to meet the specifications of a user, if there is a contract, or of a specific problem if it is a general
software. Developers are either individuals working alone or companies such as Microsoft, which employs
hundreds of software engineers including analysts and programmers. Software buyers, or customers, obtain
the finished software from the developer to satisfy a need, basing their decision on developer claims. The buyer
may be an individual or a company.

Causes of Software Failures

Failure or poor performance of a software product can be attributed to a variety of causes, most notably human
error, the nature of software itself, and the environment in which software is produced and used.
Human Factors
In the human factor category, poor software performance can be a result of:
1. Memory lapses and attentional failures: For example, someone was supposed to have removed or added a
line of code, tested, or verified but did not because of simple forgetfulness.
2. Rush to finish: The result of pressure, most often from management, to get the product on the market either
to cut development costs or to meet a client deadline, can cause problems.
3. Overconfidence and use of nonstandard or untested algorithms: Before algorithms are fully tested by
peers, they are put into the product line because they seem to have worked on a few test runs.
4. Malice: Software developers, like any other professionals, have malicious people in their ranks. Bugs,
viruses, and worms have been known to be embedded and downloaded in software as is the case with Trojan
horse software, which boots itself at a timed location.
5. Complacency: When either an individual or a software producer has significant experience in software
development, it is easy to overlook certain testing and other error control measures in those parts of software
that were tested previously in a similar or related product, forgetting that no one software product can conform
to all requirements in all environments

Nature of Software:
Complexity Both software professionals and nonprofessionals who use software know the differences between
software programming and hardware engineering. It is in these differences that many of the causes of software
failure and poor performance lie. Consider the following:
1. Complexity: Unlike hardwired programming in which it is easy to exhaust the possible outcomes of a given
set of input sequences, in software programming, a similar program may present billions of possible outcomes
on the same input sequence. Therefore, in software programming, one can never be sure of all the possibilities
on any given input sequence.
2. Difficult testing: There will never be a complete set of test programs to check software exhaustively for all
bugs for a given input sequence.
3. Ease of programming: The fact that software programming is easy to learn encourages many people with
little formal training and education in the field to start developing programs, but many are not knowledgeable
about good programming practices or able to check for errors.
4. Misunderstanding of basic design specifications: This affects the subsequent design phases including
coding, documenting, and testing. It also results in improper and ambiguous specifications of major
components of the software and in ill-chosen and poorly defined internal program structures.

WWW.ARJUN00.COM.NP Page 1
Risk

The first step in understanding the nature of software is to study the concept of risk, software risk in particular.
However, before we define risk, let us define hazard. A hazard is a state or set of conditions of a system or an
object that, together with other conditions in the environment of the system, or object, will lead inevitably to an
accident . According to Leveson, hazard has two components: severity and likelihood of occurrence. These two
form the hazard level. Risk is a hazard level together with the likelihood of an accident to occur and the severity
of the potential consequences.
Risk can also be defined in simpler terms as the potential or possibility of suffering harm or loss—danger, in
short. Peter Neumann defines risk as a potential problem, with causes and effects.
Risk can be both voluntary, with activities that we knowingly decide to undertake, or involuntary with activities
that happen to us without our prior consent or knowledge as a result of nature’s actions such as lightning, fires,
floods, tornados, and snowstorms. Since our focus here is on the big picture of the dangers of software in
particular and computer systems in general, we will leave the details of the definitions at that. How does risk
play in software? Because we have defined risk as a potential problem with causes and effects, software risks,
therefore, have causes and effects.
Among the causes of software risks are poor software design, a mismatch of hardware–software interfaces,
poor support, and maintenance. Others include :
1. Personnel shortfalls
2. Unrealistic schedules and budgets
3. Developing the wrong functions and properties
4. Developing the wrong user interface
5. Continuing stream of requirement changes
6. Shortfalls in externally furnished components
7. Shortfalls in externally performed tasks
8. Real-time performance shortfalls
9. Straining computer science capabilities

Safety
Recent advances in computer technology have resulted in wider computer applications in previously
unthinkable areas such as space exploration, missile and aircraft guidance systems, and life-sustaining systems.
In these areas, the safety of software has become one of the most prominent components of the whole security
system.
Such a system cannot afford an accident or an error because of software failure without dire consequences to
human life, property, and the environment.
A software system is unsafe if a condition is created whereby there is a likelihood of an accident, a hazard, or a
risk.
The function of software safety in system safety is that software executes within a prescribed context so as not
to contribute to hazards or risk either by outputting faulty values and timing or by failing to detect and respond
to hardware failures that may cause a system to go into a hazardous state.
According to Leveson , software safety depends on the design and environment in which such software is used.
So software that is considered safe in one environment may be unsafe in another. Because software is designed
and produced by different people in different environments and used in different applications in a variety of
environments, no one software product can conform to all requirements in all environments; in other words,
one cannot assume that because a software product is hazard-free in one environment, it is hazard-free in all
environments.
In the final analysis, good and safe software depends on good programming practice, which includes control
techniques, application of various types of safety analysis during the development cycle, and evaluation of the
effectiveness of these techniques.
Whether these techniques are enough depends on the chosen and acceptable risk level, which tends to vary
with the application environments.

Risk Assessment and Management

Risk management is a process to estimate the impact of risk. It is an approach for system managers to measure
the system’s assets and vulnerabilities, assessing the threat and monitoring security. For software, we look at

WWW.ARJUN00.COM.NP Page 2
risk management both during the design phase and during use. Risk is an important aspect of the design
process. Because it is so important, two constituent components must be included.
These are assessment and control. To implement these two components, there must be a requirement that no
software project may be delivered or accepted until and unless a risk assessment or risk control evaluation has
been carried out on it.
There must be documentation of the probability and consequences of hazards and accidents to help figure out
what the risks are and what to do about them.
The assessment aspects in the documentation should involve a list of all the potential dangers that are likely to
affect the project, the probability of occurrence and potential loss of each item, and how each item ranks among
all the listed items.
The control component in the documentation should consist of :
1. Techniques and strategies to mitigate the highest ordered risks
2. Implementation of the strategies to resolve the high-order risks factors
3. Monitoring the effectiveness of the strategies and the changing levels of risk throughout the design
process .
4. After the design process, when software is in use, risk management then involves the following phases:
assessment, planning, implementation, and monitoring.

Assessment
This involves identifying the software’s security vulnerabilities and may consist of a variety of techniques
including question and answer, qualitative assessment, or methodology and calculation.
A simple equation for calculating risk is
Risk = Assets X Threats X Vulnerabilities

Planning
Planning involves outlining the policies for security management.

Implementation
A good implementation may seek to match the security needs of the system with all available security tools.

Monitoring
Risk management is an ongoing process that needs constant monitoring. This helps to determine the necessary
changes and new security applications to the system. The monitoring tools must be chosen based on the nature
and applications of the system being protected. For example, if the system being protected is a network, the
tools may include a firewall as well as intrusion detection and network forensics software.

Risks and Hazards in Workplace Systems

The workplace is only second to our homes in the amount of time we spend there. For most people with nine to
five work schedules, work comprises about 40 h of the 168-h week. When you figure in commuting to and from
work and other work-related activities, we spend on the average 84 h a week at home.

Because we spend so much time outside our homes and in close contact with people from all walks of life and
most often work with workplace machinery and people, which we call workplace systems, there is always a
high risk associated with these systems, as well as with the commute to and from work.

In a workplace environment, accidents resulting from this three-faceted model of hardware, software, and
human ware are caused by the intertwining of the components whereby each part affects the others. According
to Leveson, an accident is then a coincidence of factors related to one another through this intertwining. Each
component’s contribution to system accidents depends on the environment the system is in. Different
environments may cause different types of accident. In some accidents, software may contribute more than the
other two, while in others, human ware may contribute more, especially in cases where there is lack of
effectivetraining of the human component.
**************************************************************************************************************

WWW.ARJUN00.COM.NP Page 3