Unit 2 Cryptographic Techniques

2.1.1 Conventional Substitution and transposition ciphers

Transposition techniques
Difference Between Substitution Cipher Technique and Transposition Cipher Technique

Substitution Cipher Technique Transposition Cipher Technique

In substitution Cipher Technique, plain text In transposition Cipher Technique, plain text
characters are replaced with other characters, characters are rearranged with respect to the
numbers and symbols. position.

Substitution Cipher’s forms are: Mono alphabetic Transposition Cipher’s forms are: Key-less
substitution cipher and poly alphabetic substitution transposition cipher and keyed transposition
cipher. cipher.
Substitution Cipher Technique Transposition Cipher Technique

In substitution Cipher Technique, character’s While in transposition Cipher Technique, The

identity is changed while its position remains position of the character is changed but
unchanged. character’s identity is not changed.

While in transposition Cipher Technique, The

In substitution Cipher Technique, The letter with
Keys which are nearer to correct key can
low frequency can detect plain text.
disclose plain text.

The example of transposition Cipher is Rail

The example of substitution Cipher is Caesar Cipher,
Fence Cipher, columnar transposition cipher,
monoalphabetic cipher, and polyalphabetic cipher.
and route cipher.

Involves replacing plaintext letters or groups of Involves rearranging the order of the plaintext
letters with ciphertext letters or groups of letters letters or groups of letters according to a
according to a specific algorithm or key. specific algorithm or key.

The frequency distribution of the plaintext

The frequency distribution of the plaintext letters is
letters remains the same, but the order is
typically obscured, but patterns can still be
scrambled, making it difficult to detect patterns
detected with statistical analysis.
with statistical analysis.

Vulnerable to frequency analysis attacks, where the

Less vulnerable to frequency analysis attacks,
most commonly used letters or letter combinations
but still susceptible to attacks such as brute
in the language can be identified and used to
force and known plaintext attacks.
deduce the key.

Relatively easy to understand and implement, Can be more difficult to implement and
making it suitable for simple applications. understand, but can be more secure than
substitution ciphers for certain applications.
2.1.2 One-time pad

One Time Pad algorithm is the improvement of the Vernam Cipher, proposed by An Army Signal Corp
officer, Joseph Mauborgne. It is the only available algorithm that is unbreakable(completely secure). It is
a method of encrypting alphabetic plain text. It is one of the Substitution techniques which converts plain
text into ciphertext. In this mechanism, we assign a number to each character of the Plain-Text.

The two requirements for the One-Time pad are

• The key should be randomly generated as long as the size of the message.

• The key is to be used to encrypt and decrypt a single message, and then it is discarded.

So encrypting every new message requires a new key of the same length as the new message in one-time
pad.

The ciphertext generated by the One-Time pad is random, so it does not have any statistical relation with
the plain text.

The assignment is as follows:

A B C D E F G H I J

0 1 2 3 4 5 6 7 8 9

K L M N O P Q R S T

10 11 12 13 14 15 16 17 18 19

U V W X Y Z

20 21 22 23 24 25
2.1.3 Block cipher and stream cipher

Block Cipher: A block cipher takes a block of plaintext bits and generates a block of ciphertext bits,
generally of same size. The size of block is fixed in the given scheme. The choice of block size does not
directly affect to the strength of encryption scheme. The strength of cipher depends up on the key length.
Stream Cipher:

A stream cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and
algorithm are applied to each binary digit in a data stream, one bit at a time. The main alternative method
to stream cipher is, in fact, the block cipher, where a key and algorithm are applied to blocks of data rather
than individual bits in a stream.

2.1.4 Steganography

Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in
order to avoid detection; the secret data is then extracted at its destination.

The use of steganography can be combined with encryption as an extra step for hiding or protecting data.

It stems from two Greek words, which are steganos, means covered and graphia, means writing

Examples:
2.2 Symmetric and Asymmetric Cryptographic techniques:

2.2.1 RSA
2.2.2 Data Encryption Standard (DES)
2.2.3 Advanced Encryption Standard (AES)
Encryption Process:
Unit 3 Authentication and Digital Signatures

3.1 use of Cryptography for authentication

Cryptography is a crucial tool for authentication, providing a strong foundation for verifying the identity
of individuals or devices. Here's how it works:

1. Hashing:

• A hash function is applied to a piece of data (e.g., a password) to generate a unique, fixed-length
hash value.

• This hash value is stored securely.

• When a user tries to log in, their provided password is hashed and compared to the stored hash.

• If the hashes match, the user is authenticated.

2. Symmetric Encryption:

• A shared secret key is used to encrypt and decrypt data.

• This key can be used to generate a hash value for authentication purposes.

• The user's password or other credentials are encrypted using the shared key, and the resulting
ciphertext is compared to the stored ciphertext.

3. Asymmetric Encryption (Public-key Cryptography):

• Each user has a public key and a private key.

• The public key is used to encrypt data, while the private key is used to decrypt it.

• A challenge-response mechanism can be used for authentication:

o The server generates a random challenge and sends it to the user.

o The user encrypts the challenge using their private key and sends the result back.

o The server decrypts the response using the user's public key and verifies that it matches
the original challenge.

4. Digital Signatures:

• A digital signature is a cryptographic technique that verifies the authenticity and integrity of a
message.

• The sender uses their private key to sign the message, creating a digital signature.

• The recipient uses the sender's public key to verify the signature.

• This can be used for authentication by signing a challenge-response message.

3.2 Secure Hash Function:

A secure hash function is a cryptographic algorithm that takes an input (often referred to as a message or
data) of arbitrary size and produces a fixed-size output known as a hash value or digest. The hash value is
designed to be unique for each input, making it difficult to find two different inputs that produce the same
hash.

Key Properties of a Secure Hash Function:

• Deterministic: For a given input, the hash function will always produce the same output.

• Efficient: The hash function should be computationally efficient to compute, even for large inputs.

• Resistant to Preimage Attacks: It should be difficult to find an input that produces a given hash
value.

• Resistant to Second Preimage Attacks: It should be difficult to find two different inputs that
produce the same hash value.

• Resistant to Collision Attacks: It should be difficult to find two different inputs that produce the
same hash value.

Commonly Used Secure Hash Functions:

• SHA-1 (Secure Hash Algorithm 1): While still used in some legacy systems, SHA-1 is no longer
considered secure due to known vulnerabilities.

• SHA-2 (Secure Hash Algorithm 2): A family of hash functions, including SHA-256, SHA-384, and
SHA-512. SHA-2 is widely used and considered secure.

• SHA-3 (Keccak): A sponge function designed to be resistant to attacks that have compromised
other hash functions. SHA-3 is a newer alternative to SHA-2.

• MD5 (Message Digest 5): MD5 is no longer considered secure due to known vulnerabilities.

3.3 Key management-Kerberos:-

Kerberos is a network authentication protocol that provides secure access to network services. It uses
symmetric-key cryptography to authenticate users to servers and other services. Kerberos is widely used
in enterprise environments, particularly those that require strong authentication and authorization.

How Kerberos Works

1. Ticket Granting Service (TGS): A central server that issues tickets to clients.

2. Key Distribution Center (KDC): Manages the secret keys used for authentication.

3. Client: The entity requesting access to a service.

4. Server: The service that the client wants to access.

The Kerberos authentication process involves the following steps:

 1. Initial Authentication:

o The client sends a request to the KDC, including its principal (identity) and the desired
service.

o The KDC generates a session key and encrypts it using the client's secret key.

o The KDC also generates a ticket granting ticket (TGT) for the client, containing the session
key and other information.

o The KDC sends the encrypted session key and TGT to the client.

2. Service Request:

o The client sends the TGT to the TGS, along with the desired service.

o The TGS decrypts the TGT and extracts the session key.

o The TGS generates a service ticket for the client, containing the session key and other
information.

o The TGS sends the service ticket to the client.

3. Service Access:

o The client presents the service ticket to the server.

o The server decrypts the service ticket using its secret key and extracts the session key.

o The server and client use the session key to communicate securely.

Unit 4 Application Security

Application security aims to protect software application code and data against cyber threats. You can and
should apply application security during all phases of development, including design, development, and
deployment.

Types of Application Security:

1. Web Application Security

A web application is software that runs on a web server and is accessible via the Internet.
The client runs in a web browser. By nature, applications must accept connections from
clients over insecure networks. This exposes them to a range of vulnerabilities. Many web
applications are business critical and contain sensitive customer data, making them a
valuable target for attackers and a high priority for any cyber security program.
The evolution of the Internet has addressed some web application vulnerabilities – such
as the introduction of HTTPS, which creates an encrypted communication channel that
protects against man in the middle (MitM) attacks. However, many vulnerabilities remain.
The most severe and common vulnerabilities are documented by the Open Web
Application Security Project (OWASP), in the form of the OWASP Top 10.
Due to the growing problem of web application security, many security vendors have
introduced solutions especially designed to secure web applications. Examples include the
web application firewall (WAF), a security tool designed to detect and block application-
layer attacks.
2. API Security:

Application Programming Interfaces (API) are growing in importance. They are the basis
of modern microservices applications, and an entire API economy has emerged, which
allows organizations to share data and access software functionality created by
others. This means API security is critical for modern organizations.
APIs that suffer from security vulnerabilities are the cause of major data breaches.
They can expose sensitive data and result in disruption of critical business operations.
Common security weaknesses of APIs are weak authentication, unwanted exposure of
data, and failure to perform rate limiting, which enables API abuse.
Like web application security, the need for API security has led to the development of
specialized tools that can identify vulnerabilities in APIs and secure APIs in production.
3. Cloud Native Application Security:

Cloud native applications are applications built in a microservices

architecture using technologies like virtual machines, containers,
and serverless platforms. Cloud native security is a complex
challenge, because cloud native applications have a large number
of moving parts and components tend to be ephemeral—
frequently torn down and replaced by others. This makes it
difficult to gain visibility over a cloud native environment and
ensure all components are secure.

In cloud native applications, infrastructure and environments are

typically set up automatically based on declarative configuration—
 this is called infrastructure as code (IaC). Developers are
responsible for building declarative configurations and application
code, and both should be subject to security considerations.
Shifting left is much more important in cloud native environments,
because almost everything is determined at the development
stage.

Cloud native applications can benefit from traditional testing tools,

but these tools are not enough. Dedicated cloud native security
tools are needed, able to instrument containers, container
clusters, and serverless functions, report on security issues, and
provide a fast feedback loop for developers.

UNIT 5 PROGRAM SECURITY

5.1 Non-malicious program errors:

Being human, programmers and other developers make many mistakes, most of which are unintentional
and nonmalicious. Many such errors cause program malfunctions but do not lead to more serious security
vulnerabilities. However, a few classes of errors have plagued programmers and security professionals for
decades, and there is no reason to believe they will disappear. In this section we consider three classic
error types that have enabled many recent security breaches.

5.1.1 Buffer Overflows

A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher:
Some water is going to spill out and make a mess. And in computing, what a mess these errors have made!

Definition

A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because
memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the
programmer must declare the buffer's maximum size so that the compiler can set aside that amount of
space.

Let us look at an example to see how buffer overflows can happen. Suppose a C language program contains
the declaration:

char sample[10];

The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements of the array,
sample[0] through sample[9]. Now we execute the statement:

sample[10] = 'A';

The subscript is out of bounds (that is, it does not fall between 0 and 9), so we have a problem. The nicest
outcome (from a security perspective) is for the compiler to detect the problem and mark the error during
compilation. However, if the statement were

sample[i] = 'A';

we could not identify the problem until i was set during execution to a too-big subscript. It would be useful
if, during execution, the system produced an error message warning of a subscript out of bounds.
Unfortunately, in some languages, buffer sizes do not have to be predefined, so there is no way to detect
an out-of-bounds error. More importantly, the code needed to check each subscript against its potential
maximum value takes time and space during execution, and the resources are applied to catch a problem
that occurs relatively infrequently. Even if the compiler were careful in analyzing the buffer declaration
and use, this same problem can be caused with pointers, for which there is no reasonable way to define a
proper limit. Thus, some compilers do not generate the code to check for exceeding bounds.

Let us examine this problem more closely. It is important to recognize that the potential overflow causes
a serious problem only in some instances. The problem's occurrence depends on what is adjacent to the
array sample. For example, suppose each of the ten elements of the array sample is filled with the letter
A and the erroneous reference uses the letter B, as follows:

for (i=0; i<=9; i++) sample[i] = 'A'; sample[10] = 'B'

All program and data elements are in memory during execution, sharing space with the operating system,
other code, and resident routines. So there are four cases to consider in deciding where the 'B' goes.

5.1.2 Incomplete Mediation:

Incomplete mediation is another security problem that has been with us for decades. Attackers are
exploiting it to cause security problems.

Example

The two parameters look like a telephone number and a date. Probably the client's (user's) web browser
enters those two values in their specified format for easy processing on the server's side. What would
happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?

Something would likely fail. As with buffer overflows, one possibility is that the system would fail
catastrophically, with a routine's failing on a data type error as it tried to handle a month named "Min" or
even a year (like 1800) which was out of range. Another possibility is that the receiving program would
continue to execute but would generate a very wrong result. (For example, imagine the amount of interest
due today on a billing error with a start date of 1 Jan 1800.) Then again, the processing server might have
a default condition, deciding to treat 1Aardvark2Many as 3 July 1947. The possibilities are endless.

One way to address the potential problems is to try to anticipate them. For instance, the programmer in
the examples above may have written code to check for correctness on the client's side (that is, the user's
browser). The client program can search for and screen out errors. Or, to prevent the use of nonsense
data, the program can restrict choices only to valid ones. For example, the program supplying the
parameters might have solicited them by using a drop-down box or choice list from which only the twelve
conventional months would have been possible choices. Similarly, the year could have been tested to
ensure that the value was between 1995 and 2005, and date numbers would have to have been
appropriate for the months in which they occur (no 30th of February, for example). Using these verification
techniques, the programmer may have felt well insulated from the possible problems a careless or
malicious user could cause.

However, the program is still vulnerable. By packing the result into the return URL, the programmer left
these data fields in a place accessible to (and changeable by) the user. In particular, the user could edit the
URL line, change any parameter values, and resend the line. On the server side, there is no way for the
server to tell if the response line came from the client's browser or as a result of the user's editing the URL
directly. We say in this case that the data values are not completely mediated: The sensitive data (namely,
the parameter values) are in an exposed, uncontrolled condition.

5.3 Time-of-Check to Time-of-Use Errors

The third programming flaw we investigate involves synchronization. To improve efficiency, modern
processors and operating systems usually change the order in which instructions and procedures are
executed. In particular, instructions that appear to be adjacent may not actually be executed immediately
after each other, either because of intentionally changed order or because of the effects of other processes
in concurrent execution.

Definition

Access control is a fundamental part of computer security; we want to make sure that only those who
should access an object are allowed that access. (We explore the access control mechanisms in operating
systems in greater detail in Chapter 4.) Every requested access must be governed by an access policy
stating who is allowed access to what; then the request must be mediated by an access policy enforcement
agent. But an incomplete mediation problem occurs when access is not checked universally. The time-of-
check to time-of-use (TOCTTOU) flaw concerns mediation that is performed with a "bait and switch" in
the middle. It is also known as a serialization or synchronization flaw.

To understand the nature of this flaw, consider a person's buying a sculpture that costs $100. The buyer
removes five $20 bills from a wallet, carefully counts them in front of the seller, and lays them on the table.
Then the seller turns around to write a receipt. While the seller's back is turned, the buyer takes back one
$20 bill. When the seller turns around, the buyer hands over the stack of bills, takes the receipt, and leaves
with the sculpture. Between the time when the security was checked (counting the bills) and the access
(exchanging the sculpture for the bills), a condition changed: what was checked is no longer valid when
the object (that is, the sculpture) is accessed.

5.2 Viruses:

A computer virus is a tpe of malicious software, or malware, that spreads between computers and causes
damage to data and software.

Computer viruses aim to disrupt systems, cause major operational issues, and result in data loss and
leakage. A key thing to know about computer viruses is that they are designed to spread across programs
and systems. Computer viruses typically attach to an executable host file, which results in their viral codes
executing when a file is opened. The code then spreads from the document or software it is attached to
via networks, drives, file-sharing programs, or infected email attachments.

Common Signs of Computer Viruses:

1. Speed of system
2. Pop-up windows
3. Programs self-execution
4. Accounts being logged-out
5. Crashing of the device
6. Mass emails being sent from you email account
7. Changes to your homepage

A computer virus is a type of malicious software program (“malware“) that, when executed, replicates
itself by modifying other computer programs and inserting its code. When this replication succeeds, the
affected areas are then said to be “infected“. Viruses can spread to other computers and files when the
software or documents they are attached to are transferred from one computer to another using
a network, a disk, file-sharing methods, or through infected email attachments.

What is a Computer Virus?

A computer virus is a type of harmful program. When it runs, it makes copies of itself and adds its code to
other programs and files on your computer. These viruses come in different types, and each type can
affect your device differently. Simply put, a computer virus changes how your computer
works and aims to spread to other computers. It does this by attaching itself to normal programs or
documents that can run code, known as macros.

What Does a Computer Virus Do?

A virus can harm or destroy data, slow down system resources, and log keystrokes, among other things.
A virus can have unexpected or harmful outcomes during this procedure, such as destroying system
software by corrupting data. Some viruses are made to mess things up by deleting files, messing up
programs, or even wiping out your hard drive completely. Even if they’re not super harmful, viruses can
still slow down your computer a lot, using up memory and making it crash often. Others might just make
copies of themselves or send so much stuff over the internet that it’s hard to do anything online.

Virus vs. Malware – What is the difference?

Viruses and malware are often used interchangeably, but they’re not quite the same. Here’s how they
differ:

Aspect Virus Malware

Definition A type of malicious software A broader category of harmful software

Behavior Self-replicating Can include viruses, worms, trojans, etc.

Can spread through various methods,

Spread Often requires user interaction
including email, downloads, and vulnerabilities

Can cause a range of harm, including data

Damage Can corrupt or delete files
theft, system damage, and spying

Can be detected by antivirus Requires comprehensive security measures and

Detection
software practices
Aspect Virus Malware

Examples Morris Worm, ILOVEYOU WannaCry ransomware, Zeus trojan

History of Computer Virus

Viruses have been attacking various devices for a long time, spreading through the Internet or other
means. They are often created to steal information or completely ruin devices. The first computer virus,
called the “Creeper system,” appeared in 1971 as an experimental virus that could copy itself. Following
that, in the mid-1970s, the “Rabbit” virus emerged, which replicated very quickly and caused significant
damage at the same pace. The virus known as “Elk Cloner” was created in 1982 by Rich Skrenta. It spread
through a floppy disk containing a game and attached itself to the Apple II operating system.

The first virus for MS-DOS, called “Brain,” appeared in 1986. It was designed by two Pakistani
brothers and overwrote the boot sector of floppy disks, making it impossible for the computer to start. It
was originally meant to be a copy protection system. In 1988, more destructive viruses began to surface.
Until then, most viruses were considered pranks with funny names and messages. However, in 1988, “The
Morris” became the first widely spreading virus.

How To Prevent Your Computer From Viruses?

Keeping your computer safe from viruses is a lot like keeping yourself from catching a cold. Just as you
might wash your hands regularly or avoid sick friends, there are simple steps you can take to protect your
computer. Here are some easy tips:

1. Install Antivirus Software: Think of antivirus software as your computer’s doctor. It works around
the clock to detect and block viruses before they can infect your system. Make sure to keep it updated!

2. Update Regularly: Keep your operating system, software, and apps up to date. Updates often include
fixes for security vulnerabilities that viruses could exploit.

3. Be Cautious with Emails and Downloads: Don’t open emails or download attachments from unknown
sources. If an email looks suspicious, even if you know the sender, it’s best to delete it.

4. Use Strong Passwords: Protect your accounts with strong, unique passwords. Consider using a
password manager to keep track of them all.

5. Backup Your Data: Regularly back up your data to an external drive or cloud storage. If a virus does slip
through, you won’t lose everything.

By following these steps, you can help keep your computer virus-free and running smoothly.

How To Remove Computer Viruses?

To remove a computer infection, you can choose from two options:

Do-it-yourself manual approach: This means you try to fix the problem on your own. Usually, you start
by searching online for solutions. Then, you might have to do a lot of tasks to clean up your computer. It
can take time and might need some experience to finish everything.

Get help from a reliable antivirus product: Another option is to use antivirus software. This software is
designed to find and remove viruses from your computer. You just need to install it and let it do its job.

5.3 Trapdoors:

In cryptography, a trapdoor is a secret backdoor hidden within an algorithm or individual piece of

data. The idea is that people can’t find the backdoor without knowing about it in advance. It makes
trapdoors extremely useful in cryptography, which keeps information secure by converting it into
unbreakable codes.

Cryptography is based on a few fundamental principles. Given a piece of information or plaintext, we

produce an encrypted version of the plaintext, known as the ciphertext, with the help of a secret key and
an encryption algorithm. Similarly, in order to generate the plaintext back from the ciphertext, we apply
a decryption algorithm with a secret key:

Therefore, it’s impossible to know if a piece of information is secure unless you have access to the
encryption key and algorithm used in the encryption process. Additionally, there’re no easy solutions to
reverse engineering cryptographic algorithms. However, trapdoors bypass this stage and make it easier to
break into an encrypted system.

Trapdoors are a cornerstone of modern cryptography. We use them to protect bank account passwords
and government secrets. A trapdoor operates by allowing a user or system with access to the trapdoor to
quickly get in while making it impossible for others to find the backdoor. It makes trapdoors unbreakable
as long as the developer keeps them secret.

3. Working Procedure

We can use trapdoors to create one-time pad encryption (OTP). OTP is an unbreakable form of encryption
that uses a secret key to convert a given phrase into a long string of seemingly random letters. In a one-
time pad, we can use the secret key only once to create a unique code that can be decrypted only with
the same key. Hence, we can utilize one secret key only once in OTP.
We can often hide trapdoors inside algorithms to generate OTPs, making them almost impossible to find
without knowing the exact sequence of steps. In cryptography, we can use trapdoors in four ways: a
secret key, a special algorithm, a weak algorithm, and a back door.

A secret key is a piece of code that’s kept hidden from everyone. Only authorized and intended users have
access to it. A special algorithm is another form of a trapdoor that includes a set of instructions used to
solve a problem or accomplish a specific goal. A special algorithm in the form of a trapdoor provides access
to the intended users to get inside a system quickly while making it impossible for other users.

Cryptographers often use algorithms that are flawed by design. It’s an example of a weak algorithm. They
do this to keep their code unbreakable, even when other people figure out the algorithm. Finally, a back
door is a secret way to get into a computer or system. It’s often used to install viruses or spyware so one
can access the system without getting caught.

Different types of trapdoors:-

5.4 Salami Attack:

A salami attack is a method of cybercrime that attackers or a hacker typically used to commit financial
crimes. Cybercriminals steal money or resources from financial accounts on a system one at a time. This
attack occurs when several minor attacks combine to create a sturdy attack. because of this sort of
cybercrime, these attacks frequently go undetected. Salami attacks are used for the commission of
economic crimes Those who are found guilty of such an attack face punishment under Section 66 of the
IT Act.

Working of Salami attack:

During this kind of attack, an awfully insignificant change is introduced that goes completely unnoticed.
as an example, a bank accountant inserts a program, into the bank’s servers, that deducts a satiny low
amount of cash from the account of each customer. No account holder will probably notice this
Unauthorized debit, but the bank accountant will make an outsized amount of cash each month. as an
example, an employee of a bank in the USA was terminated from his job. Disgruntled at having been
supposedly mistreated by his employers the person first introduced a logic bomb into the bank’s systems.

Types of Salami attacks:

• Salami Slicing: Salami Slicing occurs when the attackers/hacker get customer information, like
Bank/credit card details and other similar sort of detail by using an online database the
attacker/hacker deduct an awfully touch of cash from each account and these amounts add up to
an oversized amount of cash and this can be often invisibly to deduct such amount. because the
amount is tiny. thanks to the limited amount of cash the bulk of individuals doesn’t report the
deduction. as an example, suppose an attacker/hacker withdraws ₹0.0001 from each checking
account. Nobody will notice so, an oversized sum is produced when one dollar is deducted from
each account holder at that bank and the attacker got a stack of cash.

• Penny Shaving: when the attackers/hacker steal money in small amounts. By using rounding to
the closest within the transactions. so, change is so small so, nobody can detect such dough in a
single transaction

Prevention From Salami attack:

Users are encouraged to oversee their weekly transactions and month-to-month bank statements to shield
their bank accounts from being hindered by a salami attack. you’ll monitor any potential charges on your
account by actively scanning through these activities. If you have got any issues with any strange charges
on your account, contact your bank. Financial institutions, like banks, should also update their security so
that the attacker doesn’t become conversant in how the framework is meant. Banks should advise
customers on the due to report any money deduction that they weren’t tuned in to.

5.5 Man-in-the-middle attacks:

A man-in-the-middle (MITM) attack is a form of cyberattack in which criminals exploiting weak web-
based protocols insert themselves between entities in a communication channel to steal data.

None of the parties sending email, texting, or chatting on a video call are aware that an attacker has
inserted their presence into the conversation and that the attacker is stealing their data.

While most cyberattacks are silent and carried out without the victims' knowledge, some MITM attacks
are the opposite. They might include a bot generating believable text messages, impersonating a person's
voice on a call, or spoofing an entire communications system to scrape data the attacker thinks is
important from participants' devices.

Types of Man-in-the Middle (MITM) Attacks:

1. Email hijacking

As its name implies, in this type of attack, cyber criminals take control of the email accounts of banks,
financial institutions, or other trusted companies that have access to sensitive data—and money. Once
inside, attackers can monitor transactions and correspondence between the bank and its customers.
In more malicious scenarios, attackers spoof, or fake, the bank's email address and send customers emails
instructing them to resend their credentials—or worse, send money—to an account controlled by the
attackers. In this MITM attack version, social engineering, or building trust with victims, is key for success.

2. Wi-Fi eavesdropping

In Wi-Fi eavesdropping, cyber criminals get victims to connect to a nearby wireless network with a
legitimate-sounding name. But in reality, the network is set up to engage in malicious activity. The wireless
network might appear to be owned by a nearby business the user frequents or it could have a generic-
sounding, seemingly harmless name, such as "Free Public Wi-Fi Network." In some cases, the user does
not even need to enter a password to connect.

Once victims are connected to the malicious Wi-Fi, the attacker has options: monitor the user's online
activity or scrape login credentials, credit or payment card information, and other sensitive data.

To guard against this attack, users should always check what network they are connected to. With mobile
phones, they should shut off the Wi-Fi auto-connect feature when moving around locally to prevent their
devices from automatically being connected to a malicious network.

3. DNS spoofing

Domain Name System (DNS) spoofing, or DNS cache poisoning, occurs when manipulated DNS records
are used to divert legitimate online traffic to a fake or spoofed website built to resemble a website the
user would most likely know and trust.

As with all spoofing techniques, attackers prompt users to log in unwittingly to the fake website and
convince them that they need to take a specific action, such as pay a fee or transfer money to a specific
account. The attackers steal as much data as they can from the victims in the process.

4. Session hijacking

Session hijacking is a type of MITM attack in which the attacker waits for a victim to log in to an application,
such as for banking or email, and then steals the session cookie. The attacker then uses the cookie to log
in to the same account owned by the victim but instead from the attacker's browser.

A session is a piece of data that identifies a temporary information exchange between two devices or
between a computer and a user. Attackers exploit sessions because they are used to identify a user that
has logged in to a website. However, attackers need to work quickly as sessions expire after a set amount
of time, which could be as short as a few minutes.

5. Secure Sockets Layer (SSL) hijacking

Most websites today display that they are using a secure server. They have "HTTPS," short for Hypertext
Transfer Protocol Secure, instead of "HTTP" or Hypertext Transfer Protocol in the first portion of the
Uniform Resource Locator (URL) that appears in the browser's address bar. Even when users type in
HTTP—or no HTTP at all—the HTTPS or secure version will render in the browser window. This is a standard
security protocol, and all data shared with that secure server is protected.

SSL and its successor transport layer security (TLS) are protocols for establishing security between
networked computers. In an SSL hijacking, the attacker intercepts all data passing between a server and
the user’s computer. This is possible because SSL is an older, vulnerable security protocol that necessitated
it to be replaced—version 3.0 was deprecated in June 2015—with the stronger TLS protocol.

5. ARP cache poisoning

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link
layer address, such as a media access control (MAC) address, associated with a given internet
layer address. The ARP is important because it translates the link layer address to the Internet Protocol
(IP) address on the local network.

In this scheme, the victim's computer is tricked with false information from the cyber criminal into thinking
that the fraudster's computer is the network gateway. As such, the victim's computer, once connected to
the network, essentially sends all of its network traffic to the malicious actor instead of through the real
network gateway. The attacker then utilizes this diverted traffic to analyze and steal all the information
they need, such as personally identifiable information (PII) stored in the browser.

6. IP spoofing

IP spoofing is similar to DNS spoofing in that the attacker diverts internet traffic headed to a legitimate
website to a fraudulent website. Instead of spoofing the website’s DNS record, the attacker modifies the
malicious site's IP address to make it appear as if it is the IP address of the legitimate website users
intended to visit.

7. Stealing browser cookies

In computing, a cookie is a small, stored piece of information. A browser cookie, also known as an HTTP
cookie, is data collected by a web browser and stored locally on a user's computer. The browser cookie
helps websites remember information to enhance the user's browsing experience. For example, with
cookies enabled, a user does not have to keep filling out the same items on a form, such as first name and
last name.

Stealing browser cookies must be combined with another MITM attack technique, such as Wi-Fi
eavesdropping or session hijacking, to be carried out. Cyber criminals can gain access to a user's device
using one of the other MITM techniques to steal browser cookies and exploit the full potential of a MITM
attack. With access to browser cookies, attackers can gain access to passwords, credit card numbers, and
other sensitive information that users regularly store in their browsers.

How Does a Man-in-the-Middle (MITM) Attack Work?

Regardless of the specific techniques or stack of technologies needed to carry out a MITM attack, there is
a basic work order:

1. Person A sends Person B a message.

2. The MITM attacker intercepts the message without Person A's or Person B's knowledge.
 3. The MITM attacker changes the message content or removes the message altogether, again,
without Person A's or Person B's knowledge.

In computing terms, a MITM attack works by exploiting vulnerabilities in network, web, or browser-based
security protocols to divert legitimate traffic and steal information from victims.

5.6 Covert Channels:

Covert channels are a type of security vulnerability that allows information to be transmitted in a way that
is not intended or explicitly designed by the system. In the context of cryptography, covert channels can
be used to bypass security measures and leak sensitive information.

Types of Covert Channels in Cryptography

1. Timing Channels:

o Side Channel Attacks: These attacks exploit the timing differences in cryptographic
operations to extract secret information. For instance, by measuring the time it takes to
decrypt different ciphertexts, an attacker might be able to infer information about the
secret key.

o Power Analysis Attacks: These attacks measure the power consumption of a

cryptographic device to infer information about the secret key. Variations of power
analysis attacks include simple power analysis (SPA), differential power analysis (DPA), and
template attacks.

2. Storage Channels:

o Data Hiding: This involves embedding hidden information within seemingly innocuous
data. For example, an attacker might modify the least significant bits of an image file to
conceal a secret message.

o Covert Storage: This involves storing secret information in unexpected places within a
system, such as unused memory locations or hidden files.

3. Network Channels:

o Traffic Analysis: This involves analyzing network traffic patterns to infer information about
the communication. For instance, an attacker might be able to determine the frequency
of communications between two parties, which could reveal sensitive information.

o Protocol Flaws: Vulnerabilities in communication protocols can be exploited to create

covert channels. For example, an attacker might be able to manipulate the timing of
messages to convey secret information.
Unit 6 Security in Networks

6.1 Threats in networks

A network security threat is any malicious activity that compromises the confidentiality and integrity of
online data and systems. It is performed by individuals or groups hoping to gain unauthorized access to
systems and steal data. Additionally, perpetrators usually disrupt network operations or
perform ransomware by taking advantage of weak spots in the network. As a result, victims of network
threats experience substantial financial losses, reputational damage, or legal penalties.

1. Malware

Malware is a form of malicious software that poses a major threat to computer systems as it jeopardizes
devices and causes extensive damage to data and systems. It spreads through various vectors, including
emails, links, and websites.

This threat can manifest in different forms once inside a system, such
as ransomware, viruses, worms, Trojan horses, and spyware. Threat actors use malware to steal sensitive
data, block file access, disrupt system operations, or render systems inoperable.

Defending against malware

• Install reputable antivirus and anti-malware software and keep them updated to scan malicious
software and prevent infections.

• Be vigilant about email attachments, downloads from untrusted websites, and popup ads to
reduce risks.

• Enable automatic software updates for operating systems, applications, and security patches.

2. Phishing

Phishing attacks encompass different attempts to deceive individuals into opening suspicious links or
downloading malicious programs through emails built for specific targets. Attackers impersonate
reputable entities to distribute harmful attachments or links, which can extract confidential data like
passwords, credit card information, or login credentials.

Defending against phishing attacks

• Provide employee training on how to identify phishing and understand its risks.

• Exercise caution when clicking on links or opening email attachments from unknown or suspicious
sources.

• Check emails and messages for signs of phishing, such as misspellings, grammatical errors, or
requests for sensitive information.

• Use email filters and spam detection mechanisms to identify and block phishing attempts.

3. Ransomware
Ransomware is a type of malware that encrypts an organization’s data and blocks system access. Attackers
hold data hostage and promise to release it when the victim pays the ransom. Ransomware attacks are
often financially motivated, and the criminals aim to extort money from individuals, businesses, or
organizations.

Defending against ransomware

• Administer up-to-date antivirus software and regular system updates.

• Regularly back up critical data.

• Enforce strong access controls and user privileges.

• Perform regular network monitoring.

• Develop an incident response plan.

4. Distributed denial of service (DDoS)

DDoS is an advanced technique that disrupts the availability of targeted resources by overwhelming them
with a flood of fake traffic. Usually, DDoS attacks are orchestrated through a botnet consisting of numerous
compromised machines controlled by the attacker.

The goals of these attacks can be twofold: to distract IT and security teams while conducting a separate,
more damaging attack, or simply to overload the targeted systems to make them unresponsive or shut
down completely.

By overburdening servers with an excessive volume of information requests, DDoS attacks can effectively
deny service to legitimate users.

Defending against DDoS

• Use firewalls and intrusion prevention systems (IPS) to filter and block suspicious traffic.

• Configure network devices to limit incoming requests and traffic.

• Employ load-balancing techniques to distribute traffic across multiple servers.

• Apply a content delivery network (CDN) to handle traffic spikes and absorb attacks.

• Utilize traffic monitoring and detection tools for real-time identification and mitigation.

• Employ a DDoS protection service to monitor and protect your network.

5. Social engineering

Social engineering attacks are a type of network threat that relies on manipulating human emotions, such
as curiosity, fear, or trust, to deceive individuals into taking actions that breach network security.

Attackers use several techniques, including phishing, baiting, tailgating, and pretexting, to trick users into
divulging sensitive information or unwittingly deploying malware.

Defending against social engineering attacks

 • Train employees to be cautious when disclosing sensitive information, even from trusted sources.

• Establish procedures to verify the identity of users requesting sensitive information or access.

• Use multi-factor authentication (MFA) to reduce the risk of unauthorized access.

• Provide regular security awareness training to enhance employees’ understanding and ability to
identify and report suspicious activities.

6. Insider threats

Insider threats are a serious concern in the cybersecurity realm since the attack stems from within an
organization itself.

Insider threats materialize when individuals with legitimate access privileges to the network misuse them,
resulting in detrimental consequences for the organization’s systems and data. They can manifest in both
intentional and unintentional actions, resulting in breached confidentiality, availability, and integrity of
enterprise resources.

Insider threats pose a distinct challenge because they blend in with regular user behavior, making it
difficult for security professionals and systems to distinguish between harmless actions and malicious
intent.

Defending against insider threats

• Impose stringent access controls and user privileges.

• Grant users only necessary access and permissions.

• Regularly review and audit user accounts and permissions for unauthorized activities.

• Monitor and log systems to track user activities and identify anomalies.

• Establish clear security policies and procedures, emphasizing employee responsibilities and
consequences for protocol violations.

• Adopt a zero-trust security approach to validate all users and activities, regardless of their location
or network.

7. Advanced Persistent Threats (APT)

APTs are well-coordinated and highly complex attacks conducted by organized hacker groups.
Cybercriminals use different tactics — including social engineering, malware deployment, and exploiting
vulnerabilities — to infiltrate targeted networks, evade security measures, and maintain a low profile.

The main objective of APT attacks is generally focused on data theft rather than causing immediate
network disruption. APTs can persist for extended periods, ranging from months to even years, allowing
the attackers to access valuable assets and exfiltrate data undetected. This network security threat
predominantly targets high-value entities, such as large corporations and even sovereign nations.

Defending against APTs

• Implement two-factor authentication (2FA) and strong passwords.

 • Regularly patch systems and monitor network activity.

• Encrypt sensitive information, even in the cloud.

• Carry out regular system audits and close vulnerabilities.

• Use network segmentation and strong access controls.

• Deploy robust endpoint protection.

• Educate employees on APT recognition and reporting.

8. Network hacking

Network hacking involves various tactics by hackers to gain unauthorized access to network resources or
devices. They typically target weaknesses in operating systems or applications. Password cracking, SQL
injection, and cross-site scripting (XSS) are examples of methods hackers use to take advantage of security
flaws and control systems.

Defending against network hacking

• Guide users in creating strong and unique passwords for all network devices and accounts.

• Enable 2FA for added security.

• Regularly update and patch network devices, operating systems, and applications to address flaws.

• Employ ethical hacking measures to combat illicit invaders.

9. SQL injection (SQLi) attacks

SQLi attacks specifically target databases, enabling the extraction of private information. By injecting
malicious SQL code, attackers illegally access and compromise private data.

The consequences of a successful SQL injection attack can be severe, ranging from identity spoofing, data
tampering, complete data disclosure, data destruction, and data unavailability, all the way up to the
possibility of assuming total control over the database servers.

Defending against SQLi attacks

• Implement 2FA and strong passwords.

• Regularly patch systems and monitor network activity.

• Encrypt sensitive information, even in the cloud.

• Carry out regular system and network audits and close vulnerabilities.

• Use network segmentation and strong access controls.

• Deploy robust endpoint protection.

• Educate employees on APT recognition and reporting.

10. Man-in-the-middle (MitM) attacks

An MitM attack is a type of network threat where an unauthorized individual intercepts and modifies
communication between two parties without their knowledge, positioning themselves covertly between
the sender and receiver.

Through techniques like ARP spoofing, DNS spoofing, or Wi-Fi eavesdropping, the attacker aims to access
sensitive data, manipulate communication, or impersonate the parties involved.

These attacks mainly target users of financial applications, e-commerce sites, and platforms that require
login credentials, aiming to steal personal information. Stolen data can then be used for identity theft,
unauthorized fund transfers, or illicit password changes.

Defending against MitM attacks

• Use secure protocols like HTTPS and VPNs to protect against interception.

• Utilize certificates and digital signatures to verify the identity of communicating parties.

• Regularly update and patch network devices and software to address known weaknesses.

• Track network traffic for signs of tampering or unauthorized interception.

• Educate users about the risks associated with public Wi-Fi networks and promote using secure
connections to access sensitive information.

What is a network threat?

A network threat is any malicious act designed to corrupt or illegally obtain data or damage an
organization’s digital systems. It can endanger networks by gaining unauthorized access to data and
stealing sensitive information. Network security threats can negatively impact business operations and
lead to productivity, financial, and data loss.

Network threats can be categorized into two types: active network attacks and passive network attacks.

Active network attacks

Active network attacks are deliberate attempts to gain unauthorized access to a network for the purpose
of manipulating, encrypting, damaging, or deleting data. They involve direct interaction with the network
and its resources, and their effect is often easy to detect due to noticeable unapproved changes and data
loss.

The key objective of these attacks is to harm the targeted data and disrupt network operations. Active
attacks can cause service interruptions, data corruption, and system crashes, making them a serious
cybersecurity concern.

Passive network attacks

Passive network attacks aim to secretly infiltrate an organization’s network and steal or monitor its
information. Unlike active attacks, passive attacks do not involve network or data alterations, making them
harder to catch.
Instead, passive network attacks try to intercept sensitive data, such as usernames, passwords, and
confidential information, without changing the transmitted data. Attackers may maintain access for
extended periods, undetected.

Knowing the differences between passive and active attacks enable organizations to select appropriate
defense strategies and administer security measures to protect against both types of threats.

6.2 Network Security Controls:

This section examines controls available to ensure network security from the various threat identified
listed earlier. The controls are listed under the following broad heads.

• Architecture
• Cryptography/Encryption
• Content Integrity
• Strong Authentication
• Remote Access Security
• Firewalls
• Intrusion Detection System
• Monitoring (Security incident and Event Management (SIEM)

6.2.1 Architecture:
6.2.5 Access Controls(Physical and Logical):-
Access control is a broad term used to describe systems that manage, authenticate, and authorize people
who can use an asset, tangible, or abstract. Basically, physical and logical access control systems work by
identifying users and authenticating their credentials.
Main Types of Access Control:-
#Physical Access Control
• Essentially, physical access control manages, restricts, and limits access to physical locations, premises,
and spaces. Such locations may include rooms, offices, facilities, buildings, areas, and IT assets. In a
nutshell, physical access control policies permit or deny access to tangible assets. Common examples
of physical access control are keys, badges, barricades and fences, RFID doors, fob controlled gates,
and password-protected IT systems.
• For quality assurance, it’s recommended that access control strategies are adaptable, flexible, and
scalable to accommodate dynamic access requirements. This will enable the access control policies to
smoothly transit between access and restriction hassle-free. Furthermore, this smooth transitioning
should also be carefully balanced with security to forestall attacks, invasion, and security
vulnerabilities.
#Logical Access Control
• Logical access control strategies limit and restrict virtual access, manage connections and permissions
to use computer networks, digital resources, system files, and data. Compared to physical access
control which utilizes some form of tokens to grant access to restricted areas, this type of access
control technique essentially combines identification, authentication, and authorization protocols.
• Today, organizations, businesses, and other entities employ a wide range of logical access control
systems to protect their corporate assets. Usually, the level of sophistication and complexity of an
 organization’s logical access control system is often a function of the sensitivity and confidentiality of
the resources it has.
• Depending on the organization, a company’s logical access control model may incorporate the use of
advanced biometric security features or sophisticated password programs. Sometimes, it can even
include other methods of identifying, screening, and authenticating users, such as multifactor
authentication.
• For instance, government facilities, federal agencies, and defense headquarters often deploy high-
level logical access security to inhibit external attacks from terrorists, rival governments, and hackers.
However, depending on the size, business logical access security are not usually that complex. Most
often, an organization’s logical access policies depend on its size, type of industrial transactions, and
management processes.

6.2.6 Wireless Security:-

• Wireless Network provides various comfort to end users but actually they are very complex in their
working. There are many protocols and technologies working behind to provide a stable connection
to users. Data packets traveling through wire provide a sense of security to users as data traveling
through wire probably not heard by eavesdroppers.
• To secure the wireless connection, we should focus on the following areas –
• Identify endpoint of wireless network and end-users i.e., Authentication.
• Protecting wireless data packets from middleman i.e., Privacy.
• Keeping the wireless data packets intact i.e., Integrity.
• We know that wireless clients form an association with Access Points (AP) and transmit data back and
forth over the air. As long as all wireless devices follow 802.11 standards, they all coexist. But all
wireless devices are not friendly and trustworthy, some rogue devices may be a threat to wireless
security. Rogue devices can steal our important data or can cause the unavailability of the network.
• Wireless security is ensured by following methods-
• Authentication
• Privacy and Integrity
• In this article, we talk about Authentication. There are broadly two types of Authentication process:
Wired Equivalent Privacy (WEP), and Extensible Authentication Protocol (802.1x/EAP).
These are explained as following below.
1. Wired Equivalent Privacy (WEP) :
For wireless data transmitting over the air, open authentication provides no security.
WEP uses the RC4 cipher algorithm for making every frame encrypted. The RC4 cipher also encrypts data
at the sender side and decrypt data at the receiving site, using a string of bits as key called WEP key.
WEP key can be used as an authentication method or encryption tool. A client can associate with AP
only if it has the correct WEP key. AP tests the knowledge of the WEP key by using a challenge phrase.
The client encrypts the phrase with his own key and send back to AP. AP compares the received
encrypted frame with his own encrypted phrase. If both matches, access to the association is granted.
 2. Extensible Authentication Protocol (802.1x/EAP) :
In WEP authentication, authentication of the wireless clients takes place locally at AP. But Scenario
gets changed with 802.1x. A dedicated authentication server is added to the infrastructure. There is
the participation of three devices –
1. Supplicant –
Device requesting access.
2. Authenticator –
Device that provides access to network usually a Wlan controller (WLC).
3. Authentication Server –
Device that takes client credentials and deny or grant access.

EAP is further of four types with some amendments over each other –
• LEAP
• EAP-FAST
• PEAP
• EAP-TLS
6.2.7 Honeypots:-
A honeypot is a cybersecurity method that uses a simulated attack target to distract
criminals(attackers) away from authentic systems. These methods can simulate a variety of digital
assets, including software applications, servers, and even a whole network. Organizations utilize this
data to improve their cybersecurity methods and discover potential weaknesses in their current
infrastructure. In this article, we will discuss every point about Honeypot.
• What is Honeypot?
A Honeypot is a network-attached system used as a trap for cyber-attackers to detect and study the
tricks and types of attacks used by hackers. It acts as a potential target on the internet and informs the
defenders about any unauthorized attempt at the information system. Honeypots are mostly used by
large companies and organizations involved in cybersecurity. It helps cybersecurity researchers to
learn about the different types of attacks used by attackers. It is suspected that even cybercriminals
use these honeypots to decoy researchers and spread wrong information. The cost of a honeypot is
generally high because it requires specialized skills and resources to implement a system such that it
appears to provide an organization’s resources while still preventing attacks at the backend and access
to any production system.
• Types of Honeypot
Honeypots are classified based on their deployment and the involvement of the intruder.
• 1. Based on their deployment, Honeypots are divided into
• Research honeypots: These are used by researchers to analyze hacker attacks and deploy different
ways to prevent these attacks.
• Production honeypots: Production honeypots are deployed in production networks along with the
server. These honeypots act as a frontend trap for the attackers, consisting of false information
and giving time to the administrators to improve any vulnerability in the actual system.
• 3. Based on interaction, honeypots are classified into
• Low interaction honeypots: Low interaction honeypots gives very little insight and control to the
hacker about the network. It simulates only the services that are frequently requested by the
attackers. The main operating system is not involved in the low interaction systems and therefore
it is less risky. They require very fewer resources and are easy to deploy. The only disadvantage of
these honeypots lies in the fact that experienced hackers can easily identify these honeypots and
can avoid it.
• Medium Interaction Honeypots: Medium interaction honeypots allows more activities to the
hacker as compared to the low interaction honeypots. They can expect certain activities and are
designed to give certain responses beyond what a low-interaction honeypot would give.
• High Interaction honeypots: A high interaction honeypot offers a large no. of services and activities
to the hacker, therefore, wasting the time of the hackers and trying to get complete information
about the hackers. These honeypots involve the real-time operating system and therefore are
comparatively risky if a hacker identifies the honeypot. High interaction honeypots are also very
costly and are complex to implement. But it provides us with extensively large information about
hackers.
• How do Honeypots Work?
• Detection and Monitoring: By analyzing the activity on honeypots, security teams gain insights
into attack techniques, patterns, and vulnerabilities. They can identify new threats or zero-day
exploits.
 • Diversion: Honeypots divert attackers away from critical systems. Instead of compromising actual
assets, cybercriminals waste time and resources on the decoy.
• Research and Analysis: Researchers study attacker behavior, tactics, and tools by observing
honeypot interactions. This knowledge informs better defense strategies.
• Early Warning: If an attacker targets a honeypot, it triggers an alert. Security teams can respond
promptly to potential threats
• Advantages of Honeypot
• Acts as a rich source of information and helps collect real-time data.
• Identifies malicious activity even if encryption is used.
• Wastes hackers’ time and resources.
• Improves security.
• Disadvantages of Honeypot
• Being distinguishable from production systems, it can be easily identified by experienced
attackers.
• Having a narrow field of view, it can only identify direct attacks.
• A honeypot once attacked can be used to attack other systems.
• Fingerprinting(an attacker can identify the true identity of a honeypot ).

6.2.8 Traffic Flow Security:

Traffic-flow security is the use of various measures or methods to hide the presence of messages across a
communicational medium, or to otherwise cloak messaging to prevent the observation of traffic levels
across an IT infrastructure.
• The idea behind traffic-flow security is that even in highly protected systems, it might still be possible
for outsiders to ascertain the amount of traffic over a system at any given time. The use of traffic-flow
security tools makes it impossible for external observers to see whether traffic is changing in real time,
or when any individual message goes from one location to another.
• Techopedia Explains Traffic-Flow Security
• There are several methods for traffic-flow security. One involves the use of dummy traffic in addition
to the encryption of actual messages, and sender and receiver addresses. This can make it look like a
system is experiencing a consistently high level of traffic in order to obscure the actual volume of traffic
in the network. Another option is to send a continuous encrypted signal even when a network is not
being used.
• The principle behind traffic-flow security shows how businesses and other parties may guard even
seemingly basic data such as the date and time that someone accesses a platform, or when they send
a message. In some situations, this data is not regarded as necessarily private; in other cases, it may
be necessary to hide traffic on a platform where knowledge of access times and traffic levels could be
used inappropriately by an outside observer.
Firewalls:
Network Firewalls are the devices that are used to prevent private networks from unauthorized access. A
Firewall is a security solution for the computers or devices that are connected to a network, they can
be either in the form of hardware as well as in form of software. It monitors and controls the incoming
and outgoing traffic (the amount of data moving across a computer network at any given time ).
The major purpose of the network firewall is to protect an inner network by separating it from the outer
network. An inner Network can be simply called a network created inside an organization and a
network that is not in the range of an inner network can be considered an Outer Network.
Types of Network Firewalls

• Packet Filters
It is a technique used to control network access by monitoring outgoing and incoming packets and
allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses,
protocols, and ports. This firewall is also known as a static firewall.

Stateful Inspection Firewalls

It is also a type of packet filtering that is used to control how data packets move through a firewall. It
is also called dynamic packet filtering. These firewalls can inspect that if the packet belongs to a
particular session or not. It only permits communication if and only if, the session is perfectly
established between two endpoints else it will block the communication.

• Application Layer Firewalls

These firewalls can examine application layer (of OSI model) information like an HTTP request. If finds
some suspicious application that can be responsible for harming our network or that is not safe for
our network then it gets blocked right away.
• Next-generation Firewalls
 These firewalls are called intelligent firewalls. These firewalls can perform all the tasks that are
performed by the other types of firewalls that we learned previously but on top of that, it includes
additional features like application awareness and control, integrated intrusion prevention, and cloud-
delivered threat intelligence.
• Circuit-level Gateways
A circuit-level gateway is a firewall that provides User Datagram Protocol (UDP) and Transmission
Control Protocol (TCP) connection security and works between an Open Systems Interconnection (OSI)
network model’s transport and application layers such as the session layer.

• Software Firewall
The software firewall is a type of computer software that runs on our computers. It protects our
system from any external attacks such as unauthorized access, malicious attacks, etc. by notifying us
about the danger that can occur if we open a particular mail or if we try to open a website that is not
secure.
• Hardware Firewall
A hardware firewall is a physical appliance that is deployed to enforce a network boundary. All network
links crossing this boundary pass-through this firewall, which enables it to perform an inspection of
both inbound and outbound network traffic and enforce access controls and other security policies.

• Cloud Firewall
These are software-based, cloud-deployed network devices. This cloud-based firewall protects a
private network from any unwanted access. Unlike traditional firewalls, a cloud firewall filters data at
the cloud level.
• Working of Firewalls
• Firewalls can control and monitor the amount of incoming or outgoing traffic of our network. The data
that comes to our network is in the forms of packets(a small unit of data), it is tough to identify
whether the packet is safe for our network or not, this gives a great chance to the hackers and intruders
to bombard our networks with various viruses, malware, spam, etc.

6.3.2 Personal Firewalls

A personal firewall is a type of firewall that’s designed to protect an individual computer from
malicious traffic. Also known as a host firewall, it differs from traditional network firewalls in one major
way: A personal firewall only analyzes and filters traffic for a single computer. In comparison, a network
firewall analyzes and filters traffic for an entire network, such as a business’s Local Area Network (LAN).
How Personal Firewalls Work
Most personal firewalls work on the application layer of the Open Systems Interconnection (OSI)
Model. As a result, they are considered application layer firewalls. When using a computer with a
personal firewall, the firewall will analyze incoming and outgoing traffic on the application layer. Data
consists of packets that are transferred to and from the computer. The personal firewall will check
these data packets against a set of rules to determine whether to reject or allow them.

6.3.3 Intrusion Detection System (IDS) and its types

• A system called an intrusion detection system (IDS) observes network traffic for malicious transactions
and sends immediate alerts when it is observed. It is software that checks a network or system for
malicious activities or policy violations. Each illegal activity or violation is often recorded either
centrally using an SIEM system or notified to an administration. IDS monitors a network or system for
malicious activity and protects a computer network from unauthorized access from users, including
perhaps insiders. The intrusion detector learning task is to build a predictive model (i.e. a classifier)
capable of distinguishing between ‘bad connections’ (intrusion/attacks) and ‘good (normal)
connections’.
• Working of Intrusion Detection System(IDS)
• An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any
suspicious activity.
• It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
• The IDS compares the network activity to a set of predefined rules and patterns to identify any
activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.
• The system administrator can then investigate the alert and take action to prevent any damage or
further intrusion.
• Classification of Intrusion Detection System(IDS)
• Intrusion Detection System are classified into 5 types:
• Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are set
up at a planned point within the network to examine traffic from all devices on the network. It
performs an observation of passing traffic on the entire subnet and matches the traffic that is
passed on the subnets to the collection of known attacks. Once an attack is identified or abnormal
behavior is observed, the alert can be sent to the administrator. An example of a NIDS is installing
it on the subnet where firewalls are located in order to see if someone is trying to crack
the firewall.
• Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS) run on
independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets
from the device only and will alert the administrator if suspicious or malicious activity is detected.
It takes a snapshot of existing system files and compares it with the previous snapshot. If the
analytical system files were edited or deleted, an alert is sent to the administrator to investigate.
An example of HIDS usage can be seen on mission-critical machines, which are not expected to
change their layout.
•
• Intrusion Detection System (IDS)
• Protocol-Based Intrusion Detection System (PIDS): Protocol-based intrusion detection system
(PIDS) comprises a system or agent that would consistently reside at the front end of a server,
controlling and interpreting the protocol between a user/device and the server. It is trying to
secure the web server by regularly monitoring the HTTPS protocol stream and accepting the
related HTTP protocol. As HTTPS is unencrypted and before instantly entering its web presentation
layer then this system would need to reside in this interface, between to use the HTTPS.
• Application Protocol-Based Intrusion Detection System (APIDS): An application Protocol-based
Intrusion Detection System (APIDS) is a system or agent that generally resides within a group of
servers. It identifies the intrusions by monitoring and interpreting the communication on
application-specific protocols. For example, this would monitor the SQL protocol explicitly to the
middleware as it transacts with the database in the web server.
• Hybrid Intrusion Detection System: Hybrid intrusion detection system is made by the
combination of two or more approaches to the intrusion detection system. In the hybrid intrusion
 detection system, the host agent or system data is combined with network information to develop
a complete view of the network system. The hybrid intrusion detection system is more effective
in comparison to the other intrusion detection system. Prelude is an example of Hybrid IDS.

6.3.4 Intrusion Protection System (IPS)

What is an Intrustion Prevention System? An essential part of Intrusion Prevention System is the
network security technology that constantly monitors network traffic to identify threats. Under the
general meaning of IPS, IPS technology is also an intrusion detection prevention system (IDPS).

Intrusion Prevention System is also known as Intrusion Detection and Prevention System. It is a
network security application that monitors network or system activities for malicious activity. Major
functions of intrusion prevention systems are to identify malicious activity, collect information about
this activity, report it and attempt to block or stop it.

Intrusion prevention systems are contemplated as augmentation of Intrusion Detection Systems

(IDS) because both IPS and IDS operate network traffic and system activities for malicious activity.
IPS typically record information related to observed events, notify security administrators of important
observed events and produce reports. Many IPS can also respond to a detected threat by attempting
to prevent it from succeeding. They use various response techniques, which involve the IPS stopping
the attack itself, changing the security environment or changing the attack’s content.
How Does an IPS Work?
An IPS works by analyzing network traffic in real-time and comparing it against known attack patterns
and signatures. When the system detects suspicious traffic, it blocks it from entering the network.
• Types of IPS
There are two main types of IPS:
1. Network-Based IPS: A Network-Based IPS is installed at the network perimeter and monitors all
traffic that enters and exits the network.
2. Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors the traffic that goes
in and out of that host.

6.4 Email Security:

• Pretty Good Privacy (PGP)
PGP is an open-source software package that is designed for email security. Phil Zimmerman
developed it. It provides the basic or fundamental needs of cryptography. In this multiple steps are
taken to secure the email, these are,
1. Confidentiality
2. Authentication
3. Compression
4. Resemble
5. Segmentation
6. E-mail compatibility
• Secure/Multipurpose Internet Mail Extension (S/MIME)
 S/MIME is a security-enhanced version of Multipurpose Internet Mail Extension (MIME). In this, public
key cryptography is used for digital signs, encrypting, or decrypt email. The user acquires a public-
private key pair with a trusted authority and then makes appropriate use of those keys with email
applications.
• Difference Between PGP and S/MIME

• S/MIME
S.NO PGP

It is designed for processing While it is designed to process email as well as many

1. multimedia files.
plain texts

PGP is less costly as While S/MIME is comparatively expensive.

2.
compared to S/MIME.

PGP is good for personal as While it is good for industrial use.

3.
well as office use.

PGP is less efficient than While it is more efficient than PGP.

4.
S/MIME.

Whereas it relies on a hierarchically valid certificate for

5. It depends on user key exchange. key exchange.

PGP is comparatively less While it is more convenient than PGP due to the secure
6. transformation of all the applications.
convenient.

PGP contains 4096 public While it contains only 1024 public keys.
7.
keys.

PGP is the standard for While it is also the standard for strong encryption but
8. has some drawbacks.
strong encryption.

While it is not used in VPNs, it is only used in email

9. PGP is also be used in VPNs. services.
 • S/MIME
S.NO PGP

PGP uses Diffie hellman digital While it uses Elgamal digital signature.
10.
signature.

In PGP Trust is established using In S/MIME Trust is established using Public Key
11. Infrastructure.
Web of Trust.

PGP is used for Securing text S/MIME is used for Securing Messages and
12. attachments.
messages only.

Their is less use of PGP in industry While S/MIME is widely used in industry.
13.
.

14. Convenience of PGP is low. Convenience of S/MIME is High.

Administrative overhead of PGP Administrative overhead of S/MIME is low.

15.
is high.
Unit 7 Database Security

7.1 Security requirements

Authentication and Authorization

• Strong authentication: Implement multi-factor authentication (MFA) to require users to provide

multiple forms of identification (e.g., password, biometrics, token).

• Role-based access control (RBAC): Assign permissions based on a user's role or job function,
ensuring they only have access to the data they need to perform their tasks.

• Least privilege principle: Grant users only the minimum privileges necessary to do their jobs,
reducing the risk of unauthorized access.

Encryption

• Data encryption at rest: Encrypt data stored on disk or other storage devices to protect it from
unauthorized access if the storage device is compromised.

• Data encryption in transit: Encrypt data transmitted over networks to prevent eavesdropping and
interception.

• Column-level encryption: Encrypt specific columns within a database table to protect sensitive
data fields.

Access Control

• Network segmentation: Isolate database servers on a separate network segment to restrict access
and minimize the attack surface.

• Firewall rules: Configure firewalls to allow only authorized traffic to access the database server.

• Audit logging: Track user activity and system events to identify suspicious behavior and potential
security breaches.

Patch Management

• Regular updates: Keep database software and operating systems up-to-date with the latest
security patches to address vulnerabilities.

• Vulnerability scanning: Conduct regular vulnerability scans to identify and remediate security
weaknesses.

Physical Security

• Data center security: Implement physical security measures to protect the data center or server
room from unauthorized access.

• Backup and recovery: Maintain regular backups of database data and have a disaster recovery
plan in place to restore data in case of a security incident or system failure.

Monitoring and Alerting

 • Security monitoring: Use tools to monitor database activity for signs of suspicious behavior,
unauthorized access, or data breaches.

• Real-time alerts: Set up alerts to notify administrators of security incidents or anomalies.

• Incident response plan: Develop a plan to respond to security incidents effectively and minimize
damage.

Additional Considerations

• Data classification: Classify data based on sensitivity and importance to determine appropriate
security controls.

• Security awareness training: Educate users about security best practices and the importance of
protecting sensitive data.

• Regular security assessments: Conduct regular security assessments to evaluate the effectiveness
of security measures and identify areas for improvement.

7.2 Reliability and Integrity:

Reliability and Integrity in Database Security

Reliability and integrity are fundamental aspects of database security, ensuring that data is accurate,
consistent, and accessible when needed. Here's a breakdown of these concepts:

Reliability

Reliability in database security refers to the ability of a database system to consistently perform its
intended functions without failures. This includes:

• Data availability: Ensuring that data is accessible to authorized users when needed.

• Fault tolerance: The system's ability to continue operating even in the event of hardware or
software failures.

• Redundancy: Implementing redundant components (e.g., backups, replication) to minimize

downtime and data loss.

• Disaster recovery: Having a plan in place to restore data and systems in case of a major disaster.

Integrity

Integrity in database security refers to the accuracy, consistency, and validity of data stored in the
database. It ensures that data is not modified or corrupted unintentionally or maliciously. This involves:

• Data validation: Implementing data validation rules to ensure that data entered into the
database is accurate and consistent.

• Transaction management: Using transactions to group related database operations and ensure
that they are either all committed or all rolled back to maintain data integrity.
 • Concurrency control: Managing concurrent access to the database to prevent data
inconsistencies.

• Backup and recovery: Regular backups and a robust recovery process help maintain data
integrity in case of accidental deletions or corruption.

Sensitive Data in Database Security

Sensitive data, often referred to as personally identifiable information (PII), is any data that can be used
to identify, locate, or contact an individual. This includes information such as:

• Names

• Addresses

• Social Security numbers

• Credit card numbers

• Driver's license numbers

• Medical records

• Financial information

• Biometric data (e.g., fingerprints, facial recognition)

Why is sensitive data important to protect?

• Privacy violations: Unauthorized access to sensitive data can lead to privacy violations, identity
theft, and financial loss.

• Legal and regulatory compliance: Many industries (e.g., healthcare, finance) have strict
regulations governing the handling and protection of sensitive data. Non-compliance can result in
hefty fines and penalties.

• Reputation damage: A data breach involving sensitive information can damage an organization's
reputation and lead to loss of customer trust.

Best practices for protecting sensitive data in databases:

• Data classification: Categorize data based on sensitivity levels to determine appropriate security
controls.

• Encryption: Encrypt sensitive data both at rest and in transit to protect it from unauthorized
access.

• Access controls: Implement strong access controls to limit access to sensitive data to authorized
users only.

• Regular backups: Maintain regular backups of sensitive data to ensure data recovery in case of a
breach or loss.
 • Incident response plan: Develop a comprehensive incident response plan to address data
breaches and minimize damage.

• Employee training: Educate employees about the importance of data security and the risks
associated with mishandling sensitive information.

• Regular security assessments: Conduct regular security assessments to identify vulnerabilities

and improve data protection measures.

7.4 Inference:

Inference in database security refers to the ability of an unauthorized user to deduce

sensitive information from publicly available data. This can occur when an attacker combines seemingly
harmless information to infer confidential details.

Common Inference Attacks:

• Membership inference: An attacker determines whether a specific individual's data is present

in a database.

• Attribute inference: An attacker infers the value of a sensitive attribute (e.g., age, income) based
on other available data.

• Property inference: An attacker infers a property or relationship between individuals or entities

based on the data.

How Inference Attacks Work:

• Data mining: Attackers use data mining techniques to discover patterns and relationships within
the data.

• Statistical analysis: By analyzing statistical properties of the data, attackers can infer hidden
information.

• Social engineering: Attackers may combine publicly available data with social engineering
techniques to gather additional information.

Mitigating Inference Attacks:

• Data anonymization: Remove or generalize identifying information to make it difficult to link

individuals to specific data records.

• Data aggregation: Combine data from multiple individuals to hide specific details.

• Query filtering: Restrict the types of queries that can be executed to prevent sensitive
information from being inferred.

• Differential privacy: Add noise to the data to make it harder to identify specific individuals.
 • Access controls: Implement strong access controls to limit who can access sensitive data.

• Security awareness training: Educate users about the risks of inference attacks and the
importance of protecting sensitive data.

Challenges in Mitigating Inference Attacks:

• Complexity: Mitigating inference attacks can be complex, especially as data sets become larger
and more diverse.

• Trade-offs: Some mitigation techniques may impact data utility or usability.

• Evolving threats: Attackers constantly develop new techniques to circumvent existing defenses.

7.5 Multilevel database:

Multilevel databases are designed to store and manage data at different classification levels, ensuring
that sensitive information is only accessible to authorized users. This is particularly important in
environments where data security is paramount, such as government agencies, military organizations, and
financial institutions.

Key Characteristics of Multilevel Databases:

• Classification levels: Data is categorized into different classification levels based on its sensitivity
(e.g., public, confidential, secret, top secret).

• Access control: Strict access controls are implemented to ensure that users can only access data
at their authorized classification level.

• Separation: Data at different classification levels is physically or logically separated to prevent

unauthorized access.

• Mandatory access control (MAC): MAC policies are enforced to prevent users from accessing data
at a higher classification level than their own.

• Labeling: Each data item is labeled with its classification level to facilitate access control.

Security Benefits of Multilevel Databases:

• Confidentiality: Sensitive data is protected from unauthorized access, ensuring confidentiality.

• Integrity: The integrity of data is maintained by preventing unauthorized modifications.

• Availability: Multilevel databases can be designed to provide high availability and fault tolerance.

• Compliance: They can help organizations comply with security regulations and standards.

Executive Summary

This proposal outlines a comprehensive approach to implementing multilevel security in a database

system. By leveraging a combination of technical, administrative, and organizational controls, we aim to
protect sensitive data from unauthorized access, modification, or disclosure.

Problem Statement
The increasing volume and sensitivity of data stored in databases necessitate robust security measures.
Traditional security models may not be sufficient to protect highly classified information from
unauthorized access. Multilevel security provides a framework for granular control over data access,
ensuring that only authorized individuals can view and manipulate sensitive data.

Proposed Solution

1. Classification Levels:

• Define clear classification levels based on the sensitivity of the data (e.g., public, confidential,
secret, top secret).

• Assign labels to data items according to their classification level.

2. Mandatory Access Control (MAC):

• Implement a MAC policy to enforce strict access controls based on the classification levels of users
and data.

• Ensure that users can only access data at their authorized classification level.

3. Separation of Duties:

• Separate duties to prevent a single individual from having excessive control over sensitive data.

• Assign different roles and responsibilities for data creation, modification, and access.

4. Encryption:

• Encrypt sensitive data both at rest and in transit to protect it from unauthorized access.

• Use strong encryption algorithms and regularly update encryption keys.

5. Access Controls:

• Implement granular access controls to restrict access to sensitive data to authorized users only.

• Use role-based access control (RBAC) to assign permissions based on a user's role.

6. Audit Logging:

• Track user activity and system events to identify suspicious behavior and potential security
breaches.

• Regularly review and analyze audit logs.

7. Security Awareness Training:

• Educate users about the importance of data security and the risks associated with mishandling
sensitive information.

• Provide training on proper security practices and procedures.

8. Regular Security Assessments:

 • Conduct regular security assessments to identify vulnerabilities and improve data protection
measures.

• Stay updated on emerging threats and best practices.

9. Incident Response Plan:

• Develop a comprehensive incident response plan to address data breaches and minimize damage.

• Test the plan regularly to ensure its effectiveness.

10. Compliance with Regulations:

• Ensure compliance with relevant security regulations and standards (e.g., HIPAA, GDPR).

• Conduct regular compliance audits to identify and address any gaps.

Benefits of Implementing Multilevel Security

• Improved data confidentiality and integrity

• Reduced risk of data breaches and unauthorized access

• Enhanced compliance with security regulations

• Increased trust and confidence in the organization

Conclusion

By implementing a multilevel security approach, organizations can effectively protect sensitive data and
mitigate the risks associated with unauthorized access. This proposal provides a framework for
implementing such a solution, considering both technical and organizational aspects.

Unit 8 Security Administration

8.1 Security Planning:

A security plan identifies and organizes the security activities for a computing system. The plan is both a
description of the current situation and a plan for improvement. Every security plan must address seven
issues.

• policy, indicating the goals of a computer security effort and the willingness of the people involved to
work to achieve those goals
• current state, describing the status of security at the time of the plan
• requirements, recommending ways to meet the security goals
• recommended controls , mapping controls to the vulnerabilities identified in the policy and
requirements
• accountability, describing who is responsible for each security activity
• timetable, identifying when different security functions are to be done
• continuing attention, specifying a structure for periodically updating the security plan
There are many approaches to creating and updating a security plan. Some organizations have a formal,
defined security planning process, much as they might have a defined and accepted development or
maintenance process

8.2 Risk Analysis:

• Risk analysis is performed in many different contexts; for example, environmental and health risks are
analyzed for activities such as building dams, disposing of nuclear waste, or changing a manufacturing
process. Risk analysis for security is adapted from more general management practices, placing special
emphasis on the kinds of problems likely to arise from security issues. By following welldefined steps,
we can analyze the security risks in a computing system.
• The basic steps of risk analysis are listed below.
1. Identify assets.
2. Determine vulnerabilities.
3. Estimate likelihood of exploitation.
4. Compute expected annual loss.
5. Survey applicable controls and their costs.
6. Project annual savings of control.

8.3 Organizational Security Policies:

A security policy is a highlevel management document to inform all users of the goals of and constraints
on using a system. A policy document is written in broad enough terms that it does not change frequently.
The information security policy is the foundation upon which all protection efforts are built. It should be
a visible representation of priorities of the entire organization, definitively stating underlying assumptions
that drive security activities. The policy should articulate senior management's decisions regarding
security as well as asserting management's commitment to security. To be effective, the policy must be
understood by everyone as the product of a directive from an authoritative and influential person at the
top of the organization.

People sometimes issue other documents, called procedures or guidelines, to define how the policy
translates into specific actions and controls. In this section, we examine how to write a useful and effective
security policy.
Purpose

Security policies are used for several purposes, including the following:

o recognizing sensitive information assets

o clarifying security responsibilities

o promoting awareness for existing employees

o guiding new employees

Audience

A security policy addresses several different audiences with different expectations. That is, each group
”users, owners , and beneficiaries ”uses the security policy in important but different ways.

Users

Users legitimately expect a certain degree of confidentiality, integrity, and continuous availability in the
computing resources provided to them. Although the degree varies with the situation, a security policy
should reaffirm a commitment to this requirement for service.

Users also need to know and appreciate what is considered acceptable use of their computers, data, and
programs. For users, a security policy should define acceptable use.

Owners

Each piece of computing equipment is owned by someone, and the owner may not be a system user . An
owner provides the equipment to users for a purpose, such as to further education, support commerce,
or enhance productivity. A security policy should also reflect the expectations and needs of owners.

Beneficiaries

A business has paying customers or clients ; they are beneficiaries of the products and services offered by
that business. At the same time, the general public may benefit in several ways: as a source of employment
or by provision of infrastructure. For example, you may not be a client of BellSouth, but when you place a
telephone call from London to Atlanta, you benefit from BellSouth's telecommunications infrastructure.
In the same way, the government has customers: the citizens of its country, and "guests"who have visas
enabling entry for various purposes and times. A university's customers include its students and faculty;
other beneficiaries include the immediate community (which can take advantage of lectures and concerts
on campus) and often the world population (enriched by the results of research and service).

To varying degrees, these beneficiaries depend, directly or indirectly, on the existence of or access to
computers, their data and programs, and their computational power. For this set of beneficiaries,
continuity and integrity of computing are very important. In addition, beneficiaries value confidentiality
and correctness of the data involved. Thus, the interests of beneficiaries of a system must be reflected in
the system's security policy.

Balance Among All Parties

A security policy must relate to the needs of users, owners, and beneficiaries. Unfortunately, the needs of
these groups may conflict. A beneficiary might require immediate access to data, but owners or users
might not want to bear the expense or inconvenience of providing access at all hours. Continuous
availability may be a goal for users, but that goal is inconsistent with a need to perform preventive or
emergency maintenance. Thus, the security policy must balance the priorities of all affected communities.

Contents

A security policy must identify its audiences: the beneficiaries, users, and owners. The policy should
describe the nature of each audience and their security goals. Several other sections are required,
including the purpose of the computing system, the resources needing protection, and the nature of the
protection to be supplied. We discuss each one in turn .

Purpose

The policy should state the purpose of the organization's security functions, reflecting the requirements
of beneficiaries, users, and owners. For example, the policy may state that the system will "protect
customers' confidentiality or preserve a trust relationship," "ensure continual usability," or "maintain
profitability." There are typically three to five goals, such as:

o Promote efficient business operation.

o Facilitate sharing of information throughout the organization.

o Safeguard business and personal information.

o Ensure that accurate information is available to support business processes.

o Ensure a safe and productive place to work.

o Comply with applicable laws and regulations.

The security goals should be related to the overall goal or nature of the organization. It is important that
the system's purpose be stated clearly and completely because subsequent sections of the policy will
relate back to these goals, making the policy a goal-driven product.

Protected Resources

A risk analysis will have identified the assets that are to be protected. These assets should be listed in the
policy, in the sense that the policy lays out which items it addresses. For example, will the policy apply to
all computers or only to those on the network? Will it apply to all data or only to client or management
data? Will security be provided to all programs or only the ones that interact with customers? If the degree
of protection varies from one service, product, or data type to another, the policy should state the
differences. For example, data that uniquely identify clients may be protected more carefully than the
names of cities in which clients reside.

8.4 Physical Security:

Many threats to security involve human or natural disasters, events that should also be addressed in the
security plan.
Typical physical security controls include guards , locks, and fences to deter direct attacks. In addition,
there are other kinds of protection against less direct disasters, such as floods and power outages; these,
too, are part of physical security.

1. Natural Disasters
▪ Flood
▪ Fire
▪ Storms
▪ Earthquakes
▪ Volcanoes
2. Power Loss
3. Uninterruptible power supply
4. Surge Suppressor
5. Human Vandals
6. Unauthorize access and use
7. Theft
8. Preventing Access

8.5 Legal, Privacy and Ethical Issues in Computer Security:

In this chapter we study human controls applicable to computer security: the legal system and ethics. The
legal system has adapted quite well to computer technology by reusing some old forms of legal protection
(copyrights and patents) and creating laws where no adequate ones existed (malicious access). Still, the
courts are not a perfect form of protection for computer resources, for two reasons. First, the courts tend
to be reactive instead of proactive. That is, we have to wait for a transgression to occur and then adjudicate
it, rather than try to prevent it in the first place. Second, fixing a problem through the courts can be time
consuming (sometimes taking years ) and expensive; the latter characteristic prevents all but the wealthy
from addressing most security issues.

On the other hand, ethics has not had to change, because ethics is more situational and personal than the
law. For example, the privacy of personal information is becoming a very important part of computer
security. And although technically this issue is just an aspect of confidentiality, practically it has a long
history in both law and ethics. The purpose of this chapter is to round out our study of protection for
computing systems by understanding the context in which security is assessed and applied.

Not always are conflicts resolved pleasantly. Some people will think that they have been treated unfairly,
and some people do indeed act unfairly. In some countries , a citizen reacts to a wrongful act by going to
court . The courts are seen as the ultimate arbiters and enforcers of fairness. But, as most lawyers will tell
you, the courts' definition of fair may not coincide with yours. Even if you could be sure the courts would
side with you, a legal battle can be emotionally draining. Our purpose in this section is not only to
understand how the legal system helps protect computer security but also to know how and when to use
the legal system wisely.

Law and computer security are related in several ways. First, international, federal, state, and city laws can
affect privacy and secrecy. These statutes often apply to the rights of individuals to keep personal matters
private. Second, laws regulate the use, development, and ownership of data and programs. Patents,
copyrights, and trade secrets are legal devices to protect the rights of developers and owners of programs
and data. Similarly, one aspect of computer security is controlling access to programs and data; that access
control is supported by these mechanisms of the law. Third, laws affect actions that can be taken to protect
the secrecy , integrity, and availability of computer information and service. These basic concerns in
computer security are both strengthened and constrained by applicable laws. Thus, legal means interact
with other controls to establish computer security.

However, the law does not always provide an adequate control. When computer systems are concerned ,
the law is slowly evolving because the issues are similar to but not the same as those for property rights.
Computers are new, compared to houses , land, horses, or money. As a consequence, the place of
computer systems in law is not yet firmly established. As statutes are written and cases decided, the roles
of computers and the people, data, and processes involved are becoming more defined in the law.
However, laws do not yet address all improper acts committed with computers. Finally, some judges,
lawyers, and police officers do not understand computing, so they cannot determine how computing
relates to other, more established, parts of the law.

The laws dealing with computer security affect programmers, designers, users, and maintainers of
computing systems and computerized data banks. These laws protect, but they also regulate the behavior
of people who use computers. Furthermore, computer professionals are among the best qualified
advocates for changing old laws and creating new ones regarding computers. Before recommending
change, however, professionals must understand the current state of computers and the law. Therefore,
we have three motivations for studying the legal section of this chapter:

o to know what protection the law provides for computers and data

o to appreciate laws that protect the rights of others with respect to computers, programs, and data

o to understand existing laws as a basis for recommending new laws to protect computers, data,
and people

The next few sections address the following aspects of protection of the security of computers.

o Protecting computing systems against criminals . Computer criminals violate the principles of
confidentiality, integrity, and availability for computer systems. Preventing the violation is better
than prosecuting it after the fact. However, if other controls fail, legal action may be necessary. In
this section we study several representative laws to determine what acts are punishable under
the law.

o Protecting code and data . Copyrights, patents, and trade secrets are all forms of legal protection
that can be applied to programs and, sometimes, data. However, we must understand the
fundamental differences between the kind of protection these three provide and the methods of
obtaining that protection.

o Protecting programmers' and employers ' rights . The law protects both programmers and people
who employ programmers. Generally, programmers have only limited legal rights to access
programs they have written while employed. This section contains a survey of the rights of
employees and employers regarding programs written for pay.

o Protecting private data about individuals . We also consider the legal right of privacy. The private
affairs of every individual are protected by laws. Computer security systems must be adequate to
 prevent unauthorized disclosure of sensitive data about individuals. This section describes
sensitive data that must be protected.

o Protecting users of programs . When you buy a program, you expect it to work properly. If it
doesn't, you want the legal system to protect your rights as a consumer. This section surveys the
legal recourse you have to address faulty programs.

Computer law is complex and emerging rather rapidly as it tries to keep up with the rapid technological
advances in and enabled by computing. We present the fundamentals in this book not in their full detail
as you would expect by someone with a law degree, but as a situational analysis to heighten the awareness
of those who are not lawyers but who must deal with the law's implications. You should consult a lawyer
who understands and specializes in computer law in order to apply the material of this section to any
specific case. And, as most lawyers will advise , ensuring legal protection by doing things correctly from
the beginning is far easier ”and cheaper ”than hiring a lawyer to sort out a web of conflict after things have
gone wrong.

8.5.1 Protecting Programs and Data

Copyrights, patents, and trade secrets are legal devices that can protect computers, programs, and data.
However, in some cases, precise steps must be taken to protect the work before anyone else is allowed
access to it.
8.5.2. Information and the law

Source code, object code, and even the "look and feel" of a computer screen are recognizable, if not
tangible , objects. The law deals reasonably well, although somewhat belatedly, with these things. But
computing is in transition to a new class of object, with new legal protection requirements. Electronic
commerce, electronic publishing, electronic voting, electronic banking ”these are the new challenges to
the legal system
8.5.3. Rights of Employees and Employers

Employers hire employees to generate ideas and make products. The protection offered by copyrights,
patents, and trade secrets appeals to employers because it applies to the ideas and products. However,
the issue of who owns the ideas and products is complex. Ownership is a computer security concern
because it relates to the rights of an employer to protect the secrecy and integrity of works produced by
the employees. In this section we study the respective rights of employers and employees to their
computer products.

Ownership of Products

Suppose Edye works for a computer software company. As part of her job, she develops a program to
manage windows for a computer screen display. The program belongs to her company because it paid
Edye to write the program: she wrote it as a part of a work assignment. Thus, Edye cannot market this
program herself. She could not sell it even if she worked for a non-software- related company but
developed the software as part of her job. Most employees understand this aspect of their responsibilities
to their employer.

Instead, suppose Edye develops this program in the evenings at home; it is not a part of her job. Then she
tries to market the product herself. If Edye works as a programmer, her employer will probably say that
Edye profited from training and experience gained on the job; at the very least, Edye probably conceived
or thought about the project while at work. Therefore, the employer has an interest in (that is, owns at
least part of) the rights to her program. However, the situation changes if Edye's primary job does not
involve programming. If Edye is a television newscaster, her employer may have contributed nothing that
relates to her computer product. If her job does not involve programming, she may be free to market any
computer product she makes. And if Edye's spare-time program is an application that tracks genealogy,
her employer would probably not want rights to her program, since it is far from its area of business. (If
you are in such a situation yourself, you should check with your employer to be sure.)

Finally, suppose Edye is not an employee of a company. Rather, she is a consultant who is self-employed
and, for a fee, writes customized programs for her clients . Consider her legal position in this situation. She
may want to use the basic program design, generalize it somewhat, and market it to others. Edye argues
that she thought up, wrote, and tested the program; therefore, it is her work, and she owns it. Her client
argues that it paid Edye to develop the program, and it owns the program, just as it would own a bookcase
she might be paid to build for the station.

Clearly, these situations differ , and interpreting the laws of ownership is difficult. Let us consider each
type of protection in turn .

Ownership of a Patent

The person who owns a work under patent or copyright law is the inventor ; in the examples described
earlier, the owner is the programmer or the employer. Under patent law, it is important to know who files
the patent application. If an employee lets an employer patent an invention, the employer is deemed to
own the patent and therefore the rights to the invention.

The employer also has the right to patent if the employee's job functions included inventing the product.
For instance, in a large company a scientist may be hired to do research and development, and the results
of this inventive work become the property of the employer. Even if an employee patents something, the
employer can argue for a right to use the invention if the employer contributed some resources (such as
computer time or access to a library or database) in developing the invention.

Ownership of a Copyright

Owning a copyright is similar to owning a patent. The author (programmer) is the presumed owner of the
work, and the owner has all rights to an object. However, a special situation known as work for hire applies
to many copyrights for developing software or other products.

Work for Hire

In a work for hire situation, the employer, not the employee, is considered the author of a work. Work for
hire is not easy to identify and depends in part on the laws of the state in which the employment occurs.
The relationship between an employee and employer is considered a work for hire if some or all of the
following conditions are true. (The more of these conditions that are true, the more a situation resembles
work for hire.)

o The employer has a supervisory relationship, overseeing the manner in which the creative work is
done.

o The employer has the right to fire the employee.

 o The employer arranges for the work to be done before the work was created (as opposed to the
sale of an existing work).

o A written contract between the employer and employee states that the employer has hired the
employee to do certain work.

In the situation in which Edye develops a program on her job, her employer will certainly claim a work for
hire relationship. Then, the employer owns all copyright rights and should be identified in place of the
author on the copyright notice.

Licenses

An alternative to a work for hire arrangement is licensed software . In this situation, the programmer
develops and retains full ownership of the software. In return for a fee, the programmer grants to a
company a license to use the program. The license can be granted for a definite or unlimited period of
time, for one copy or for an unlimited number, to use at one location or many, to use on one machine or
all, at specified or unlimited times. This arrangement is highly advantageous to the programmer, just as a
work for hire arrangement is highly advantageous to the employer. The choice between work for hire and
license is largely what the two parties will agree to.

Trade Secret Protection

A trade secret is different from either a patent or a copyright in that there is no registered inventor or
author; there is no registration office for trade secrets. In the event a trade secret is revealed, the owner
can prosecute the revealer for damages suffered. But first, ownership must be established because only
the owner can be harmed.

A company owns the trade secrets of its business-confidential data. As soon as a secret is developed, the
company becomes the owner. For example, as soon as sales figures are accumulated , a company has trade
secret right to them, even if the figures are not yet compiled, totaled, summarized, printed, or distributed.
As with copyrights, an employer may argue about having contributed to the development of trade secrets.
If your trade secret is an improved sorting algorithm and part of your job involves investigating and testing
sorting algorithms, your employer will probably claim at least partial ownership of the algorithm you try
to market.

Employment Contracts

An employment contract often spells out rights of ownership. But sometimes the software developer and
possible employer have no contract. Having a contract is desirable both for employees and employers so
that both will understand their rights and responsibilities.

Typically, an employment contract specifies that the employee be hired to work as a programmer
exclusively for the benefit of the company. The company states that this is a work for hire situation. The
company claims all rights to any programs developed, including all copyright rights and the right to market.
The contract may further state that the employee is receiving access to certain trade secrets as a part of
employment, and the employee agrees not to reveal those secrets to anyone .

More restrictive contracts (from the employee's perspective) assign to the employer rights to all inventions
(patents) and all creative works (copyrights), not just those that follow directly from one's job. For
example, suppose an employee is hired as an accountant for an automobile company. While on the job,
the employee invents a more efficient way to burn fuel in an automobile engine. The employer would
argue that the employee used company time to think about the problem, and therefore the company was
entitled to this product. An employment contract transferring all rights of inventions to the employer
would strengthen the case even more.

An agreement not to compete is sometimes included in a contract. The employee states that simply having
worked for one employer will make the employee very valuable to a competitor. The employee agrees not
to compete by working in the same field for a set period of time after termination. For example, a
programmer who has a very high position involving the design of operating systems would understandably
be familiar with a large body of operating system design techniques. The employee might memorize the
major parts of a proprietary operating system and be able to write a similar one for a competitor in a very
short time. To prevent this, the employer might require the employee not to work for a competitor
(including working as an independent contractor). Agreements not to compete are not always enforceable
in law; in some states the employee's right to earn a living takes precedence over the employer's rights.

8.5.4. Software failures

Program development is a human process of design, creation, and testing, involving a great deal of
communication and interaction. For these reasons, there will always be errors in the software we produce.
We sometimes expect perfect consumer products, such as automobiles or lawn mowers. At other times,
we expect products to be "good enough" for use, in that most instances will be acceptable. We do not
mind variation in the amount of cheese in our pizza or a slight flaw in the glaze on a ceramic tile. If an
instance of a product is not usable, we expect the manufacturer to provide some appropriate remedy,
such as repair or replacement. In fact, the way in which these problems are handled can contribute to a
vendor's reputation for quality service; on the rare occasions when there is a problem, the vendor will
promptly and courteously make amends.

But the situation with software is very different. To be fair, an operating system is a great deal more
complex than many consumer products, and more opportunities for failure exist. For this reason, this
section addresses three questions:

o What are the legal issues in selling correct and usable software?

o What are the moral or ethical issues in producing correct and usable software?

o What are the moral or ethical issues in finding, reporting, publicizing, and fixing flaws?

In some ways, the legal issues are evolving. Everyone acknowledges that all vendors should produce good
software, but that does not always happen. The more difficult concerns arise in the development and
maintenance communities about what to do when faults are discovered .

8.5.5. Computer Crime

he law related to contracts and employment is difficult, but at least employees , objects, contracts, and
owners are fairly standard entities for which legal precedents have been developed over centuries. The
definitions in copyright and patent law are strained when applied to computing because old forms must
be made to fit new objects; for these situations, however, cases being decided now are establishing legal
precedents . But crimes involving computers are an area of the law that is even less clear than the other
areas. In this section we study computer crime and consider why new laws are needed to address some
of its problems.

Why a Separate Category for Computer Crime Is Needed

Crimes can be organized into certain recognized categories, including murder, robbery , and littering . We
do not separate crime into categories for different weapons, such as gun crime or knife crime , but we
separate crime victims into categories, depending on whether they are people or other objects .
Nevertheless, driving into your neighbor's picture window can be as bad as driving into his evergreen tree
or pet sheep. Let us look at an example to see why these categories are not sufficient, and why we need
special laws relating to computers as subjects and objects of crime.

Rules of Property

Parker and Nycom [PAR84] describe the theft of a trade secret proprietary software package. The theft
occurred across state boundaries by means of a telephone line; this interstate aspect is important because
it means that the crime is subject to federal law as well as state law. The California Supreme Court ruled
that this software acquisition was not theft because

Implicit in the definition of "article" in Section 499c(a) is that it must be something tangible ... Based on
the record here, the defendant did not carry any tangible thing ... from the computer to his terminal unless
the impulses which defendant allegedly caused to be transmitted over the telephone wire could be said
to be tangible. It is the opinion of the Court that such impulses are not tangible and hence do not
constitute an "article ."

The legal system has explicit rules about what constitutes property. Generally , property is tangible, unlike
magnetic impulses. For example, unauthorized use of a neighbor's lawn mower constitutes theft, even if
the lawn mower was returned in essentially the same condition as it was when taken. To a computer
professional, taking a copy of a software package without permission is clear-cut theft. Fortunately, laws
evolve to fit the times, and this interpretation from the 1980s has been refined so that bits are now
recognized items of property.

A similar problem arises with computer services. We would generally agree that unauthorized access to a
computing system is a crime. For example, if a stranger enters your garden and walks around, even if
nothing is touched or damaged, the act is considered trespassing. However, because access by computer
does not involve a physical object, not all courts punish it as a serious crime.

Rules of Evidence

Computer printouts have been used as evidence in many successful fraud prosecutions. Under the rules
of evidence, courts prefer an original source document to a copy, under the assumption that the copy may
be inaccurate or may have been modified in the copying process.

However, magnetic and optical media are often the primary means of storing data today. In some
instances, the magnetic copy is the only copy; there is no paper copy. Thus, as technology advances,
devices such as smart cards, disks, CDs, and memory chips are being accepted as evidence.
The biggest difficulty with computer-based evidence in court is being able to demonstrate the authenticity
of the evidence. Law enforcement officials operate under a chain of custody requirement: from the
moment a piece of evidence is taken until it is presented in court, they track clearly and completely the
order and identities of the people who had personal custody of that object. The reason for the chain of
custody is to ensure that nobody has had the opportunity to alter the evidence in any way before its
presentation in court. With computer-based evidence, it can be difficult to establish a chain of custody. If
a crime occurred on Monday but was not discovered until Wednesday, who can verify that the log file was
not altered? In fact, it probably was altered many times as different processes generated log entries. The
issue is to demonstrate convincingly that the log entry for 2:37 on Monday does in fact correspond to the
event that took place at that time on Monday, not some attempt on Thursday to plant a false clue long
after the crime took place.

8.5.6. Privacy

In this information age, private data can have value. A new class of crime, called identity theft , occurs
when one person takes on the identity of another person, perhaps creating massive debt or even
perpetrating crimes in the victim's identity. With a victim's credit card details, an attacker can run up huge
charges in a short time. An attacker can commit and be convicted of crimes under another name or trade
on someone else's education and work experience to get a job. Sorting out who did (or didn't do) what
can be a monumental task. People expect privacy for certain aspects of their private lives, such as income,
taxes, criminal records, medical data, and even library reading patterns. Since much of this information is
now stored electronically , privacy is an important computer security issue.

Sometimes the patterns themselves make the individual data valuable . For example, marketing agencies
are eager to acquire lists of likely purchasers . What are private data worth? To most people, it largely
depends on whether they are your private data or, by extension, whether you could foresee the same loss
of privacy coming to you. Although difficult to assess, there certainly is a value to privacy.

In this section first we explore some of the conditions that can cause loss of privacy, and then we examine
some of the controls to prevent or limit those losses.

Threats to Privacy

Many of the threats to privacy are not new. Bribing insiders, especially poorly paid ones, has worked for
centuries. A break-in usually involves loss of some valuables, such as jewelry , silver, or electronics. But
who can say whether the laptop computer was stolen just because it was a computer or because it
contained sensitive data? And public records have been, by definition, open to the public. So loss of the
privacy in those records is not new. Or is it?

Aggregation and Data Mining

In 1950 you could have gone to the government records office, recorded names of all property owners ,
recorded the names of all drivers, looked up military veterans , tracked birth announcements in
newspapers, and bought magazine subscription lists. Plenty of data was available. A private investigator
might have used sources such as these to investigate the background of a single, target individual. But it
was too laborious to cross-correlate many large lists to find all veterans who owned homes , drove
Chevrolets, and had children under five years old. Details on consumers, especially attributes that can
distinguish potential customers, are extremely valuable to marketers.

Database management systems have made large-scale correlation possible. Not only can computers sift,
sort , and correlate, there is also much more raw data on which to operate . Often, you don't realize how
much information about you can be gleaned from your electronic transactions. For example, your bank,
or another bank whose ATM you use, obtains your identity. A toll booth transponder system can record
the time and date at which a particular transponder passes the toll booth . (Consider the possibility for
the government to mail you a ticket if your transponder passes one receiver and then passes another
receiver so soon after that the only way to cover the distance between the two would be to exceed the
speed limit.) Credit card transactions or cell phone records demonstrate you are not in your home city.
And peaks in your home's electrical usage suggest when you are home and when you are away. In a day,
the ordinary person may cause twenty database records to be generated (ignoring records from Internet
activity, which is a huge but separate issue.)

Poor System Security

People are the weak link in any security system, and insiders are involved in the majority of computer
security incidents [CSI02, DTI02]. Whether through carelessness, poor understanding, pressure, or simple
human error, insiders unintentionally expose private data. Personal details are discarded in unprotected
trash, inadvertently displayed on web sites, or unknowingly stored in files on a computer (such as in a
cookie or as part of a query embedded in a "favorite" URL). Add to that the malicious approaches in which
workers are bribed, coerced, or tricked into compromising security.

8.5.7. Ethical issues in Computer Security

Ethics is a set of principles or norms for justifying what is right or wrong in a given situation. To understand
what ethics is we may start by trying to understand what it is not. Ethical principles are different from
religious beliefs. Religion is based on personal notions about the creation of the world and the existence
of controlling forces or beings. Many moral principles are embodied in the major religions, and the basis
of a personal morality is a matter of belief and conviction , much the same as for religions. However, two
people with different religious backgrounds may develop the same ethical philosophy, while two
exponents of the same religion might reach opposite ethical conclusions in a particular situation. Finally,
we can analyze a situation from an ethical perspective and reach ethical conclusions without appealing to
any particular religion or religious framework. Thus, it is important to distinguish ethics from religion.

Ethical Principles Are Not Universal

Ethical values vary by society, and from person to person within a society. For example, the concept of
privacy is important in Western cultures. But in Eastern cultures, privacy is not desirable because people
associate privacy with having something to hide. Not only is a Westerner's desire for privacy not
understood , but in fact it has a negative connotation. Therefore, the attitudes of people may be affected
by culture or background.
Also, an individual's standards of behavior may be influenced by past events in life. A person who grew up
in a large family may place greater emphasis on personal control and ownership of possessions than would
an only child who seldom had to share. Major events or close contact with others can also shape one's
ethical position. Despite these differences, the underlying principles of how to make moral judgment are
the same.

Although these aspects of ethics are quite reasonable and understandable, they lead people to distrust
ethics because it is not founded on basic principles all can accept. Also, people from a scientific or technical
background expect precision and universality.

Ethics Does Not Provide Answers

Ethical pluralism is recognizing or admitting that more than one position may be ethically justifiableeven
equally soin a given situation. Pluralism is another way of noting that two people may legitimately disagree
on issues of ethics. We expect and accept disagreement in such areas as politics and religion.

However, in the scientific and technical fields, people expect to find unique, unambiguous, and
unequivocal answers. In science one answer must be correct or demonstrable in some sense. Science has
provided life with fundamental explanations . Ethics is rejected or misunderstood by some scientists
because it is "soft," meaning that it has no underlying framework or it does not depend on fundamental
truths.

One need only study the history of scientific discovery to see that science itself is founded largely on
temporary truths. For many years the earth was believed to be the center of the solar system. Ptolemy
developed a complicated framework of epicycles, orbits within orbits of the planets, to explain the
inconsistency of observed periods of rotation. Eventually his theory was superseded by the Copernican
model of planets that orbit the sun. Similarly, Einstein's relativity theory opposed the traditional quantum
basis of physics. Science is littered with theories that have fallen from favor as we learned or observed
more and as new explanations were proposed. As each new theory is proposed, some people readily
accept the new proposal, while others cling to the old.

But the basis of science is presumed to be "truth." A statement is expected to be provably true, provably
false, or unproven, but a statement can never be both true and false. Scientists are uncomfortable with
ethics because ethics does not provide these clean distinctions.

Worse, there is no higher authority of ethical truth. Two people may disagree on their opinion of the ethics
of a situation, but there is no one to whom to appeal for a final determination of who is "right." Conflicting
answers do not deter one from considering ethical issues in computer security. Nor do they excuse us from
making and defending ethical choices.

Ethical Reasoning

Most people make ethical judgments often, perhaps daily. (Is it better to buy from a home-town merchant
or from a nationwide chain? Should I spend time with a volunteer organization or with my friends ? Is it
acceptable to release sensitive data to someone who might not have justification for access to that data?)
Because we all engage in ethical choice, we should clarify how we do this so that we can learn to apply
the principles of ethics in professional situations, as we do in private life.
Study of ethics can yield two positive results. First, in situations where we already know what is right and
what is wrong, ethics should help us justify our choice. Second, if we do not know the ethical action to
take in a situation, ethics can help us identify the issues involved so that we can make reasoned judgments.

Examining a Case for Ethical Issues

How, then, can issues of ethical choice in computer security be approached? Here are several steps to
making and justifying an ethical choice.

1. Understand the situation. Learn the facts of the situation. Ask questions of interpretation or
clarification . Attempt to find out whether any relevant forces have not been considered .

2. Know several theories of ethical reasoning. To make an ethical choice, you have to know how those
choices can be justified.

3. List the ethical principles involved. What different philosophies could be applied in this case? Do
any of these include others?

4. Determine which principles outweigh others. This is a subjective evaluation. It often involves
extending a principle to a logical conclusion or determining cases in which one principle clearly
supersedes another.

8.5.8. Case studies of ethics

To understand how ethics affect professional actions, ethicists often study example situations. The
remainder of this section consists of several representative examples. These cases are modeled after
ones developed by Parker [PAR79] as part of the AFIPS/NSF study of ethics in computing and technology.
Each case study is designed to bring out certain ethical points, some of which are listed following the
case. You should reflect on each case, determining for yourself what the most influential points are.
These cases are suitable for use in a class discussion, during which other values will certainly be
mentioned. Finally, each case reaches no conclusion because each individual must assess the ethical
situation alone. In a class discussion it may be appropriate to take a vote. Remember, however, that
ethics are not determined by majority rule. Those siding with the majority are not "right," and the rest
are not "wrong."

Case I: Use of Computer Services

This case concerns deciding what is appropriate use of computer time. Use of computer time is a
question both of access by one person and of availability of quality of service to others. The person
involved is permitted to access computing facilities for a certain purpose. Many companies rely on an
unwritten standard of behavior that governs the actions of people who have legitimate access to a
computing system. The ethical issues involved in this case can lead to an understanding of that
unwritten standard.

The Case

Dave works as a programmer for a large software company. He writes and tests utility programs such as
compilers. His company operates two computing shifts: during the day program development and
online applications are run; at night batch production jobs are completed. Dave has access to workload
data and learns that the evening batch runs are complementary to daytime programming tasks ; that is,
adding programming work during the night shift would not adversely affect performance of the
computer to other users.

Dave comes back after normal hours to develop a program to manage his own stock portfolio. His drain
on the system is minimal, and he uses very few expendable supplies , such as printer paper. Is Dave's
behavior ethical?

Values Issues

Some of the ethical principles involved in this case are listed below.

o Ownership of resources . The company owns the computing resources and provides them for its
own computing needs.

o Effect on others . Although unlikely , a flaw in Dave's program could adversely affect other users,
perhaps even denying them service because of a system failure.

o Universalism principle . If Dave's action is acceptable, it should also be acceptable for others to
do the same. However, too many employees working in the evening could reduce system
effectiveness.

o Possibility of detection, punishment . Dave does not know whether his action would be wrong
or right if discovered by his company. If his company decided it was improper use, Dave could
be punished.

What other issues are involved? Which principles are more important than others?

Analysis

The utilitarian would consider the total excess of good over bad for all people. Dave receives benefit
from use of computer time, although for this application the amount of time is not large. Dave has a
possibility of punishment, but he may rate that as unlikely. The company is neither harmed nor helped
by this. Thus, the utilitarian could argue that Dave's use is justifiable.

The universalism principle seems as if it would cause a problem because clearly if everyone did this,
quality of service would degrade. A utilitarian would say that each new user has to weigh good and bad
separately. Dave's use might not burden the machine, and neither might Ann's; but when Bill wants to
use the machine, it is heavily enough used that Bill's use would affect other people.

Alternative Situations

Would it affect the ethics of the situation if any of the following actions or characteristics were
considered ?

o Dave began a business managing stock portfolios for many people for profit.

o Dave's salary was below average for his background, implying that Dave was due the computer
use as a fringe benefit.
 o Dave's employer knew of other employees doing similar things and tacitly approved by not
seeking to stop them.

o Dave worked for a government office instead of a private company and reasoned that the
computer belonged "to the people."

Case II: Privacy Rights

In this case the central issue is the individual's right to privacy. Privacy is both a legal and an ethical issue
because of the pertinent laws discussed in the previous section.

The Case

Donald works for the county records department as a computer records clerk, where he has access to
files of property tax records. For a scientific study, a researcher, Ethel, has been granted access to the
numerical portion ”but not the corresponding names ”of some records.

Ethel finds some information that she would like to use, but she needs the names and addresses
corresponding with certain properties. Ethel asks Donald to retrieve the names and addresses so she
can contact these people for more information and for permission to do further study.

Should Donald release the names and addresses?

Some Principles Involved

Here are some of the ethical principles involved in this case. What are other ethical principles? Which
principles are subordinate to which others?

o Job responsibility . Donald's job is to manage individual records, not to make determinations of
appropriate use. Policy decisions should be made by someone of higher authority.

o Use . The records are used for legitimate scientific study, not for profit or to expose sensitive
data. (However, Ethel's access is authorized only for the numerical data, not for the private
information relating property conditions to individuals.)

o Possible misuse . Although he believes Ethel's motives are proper, Donald cannot guarantee that
Ethel will use the data only to follow up on interesting data items.

o Confidentiality . Had Ethel been intended to have names and addresses, they would have been
given initially.

o Tacit permission . Ethel has been granted permission to access parts of these records for
research purposes, so she should have access to complete her research.

o Propriety . Because Ethel has no authority to obtain names and addresses and because the
names and addresses represent the confidential part of the data, Donald should deny Ethel's
request for access.

Analysis

A rule-deontologist would argue that privacy is an inherent good and that one should not violate the
privacy of another. Therefore, Donald should not release the names.
Extensions to the Basic Case

We can consider several possible extensions to the scenario. These extensions probe other ethical issues
involved in this case.

o Suppose Donald were responsible for determining allowable access to the files. What ethical
issues would be involved in his deciding whether to grant access to Ethel?

o Should Ethel be allowed to contact the individuals involved? That is, should the health
department release individuals' names to a researcher? What are the ethical issues for the
health department to consider?

o Suppose Ethel contacts the individuals to ask their permission, and one-third of them respond
giving permission, one-third respond denying permission, and one-third do not respond. Ethel
claims that at least one-half of the individuals are needed to make a valid study. What options
are available to Ethel? What are the ethical issues involved in deciding which of these options
to pursue ?

To show that ethics can be context dependent, let us consider some variations of the situation. Notice
that these changes affect the domain of the problem, but not the basic question: access to personal
data.

If the domain were medical records, the case would be covered by HIPAA, and so we would first consider
a legal issue, not an ethical one. Notice, however, how the case changes subtly depending on the medical
condition involved. You may reach one conclusion if the records deal with "ordinary" conditions (colds,
broken legs, muscle injuries), but a different conclusion if the cases are for sexually transmitted diseases
or AIDS. You may also reach a different conclusion if the research involves genetic conditions of which
the subject may be unaware (for example, being a carrier for Huntington's disease or hemophilia).

But change the context once more, and consider web surfing habits. If Donald works for an Internet
service provider and could determine all the web sites a person had visited, would that be fair to
disclose?

Case III: Denial of Service

This case addresses issues related to the effect of one person's computation on other users. This
situation involves people with legitimate access, so standard access controls should not exclude them.
However, because of the actions of some, other people are denied legitimate access to the system. Thus,
the focus of this case is on the rights of all users.

The Case

Charlie and Carol are students at a university in a computer science program. Each writes a program for
a class assignment. Charlie's program happens to uncover a flaw in a compiler that ultimately causes
the entire computing system to fail; all users lose the results of their current computation. Charlie's
program uses acceptable features of the language; the compiler is at fault. Charlie did not suspect his
program would cause a system failure. He reports the program to the computing center and tries to find
ways to achieve his intended result without exercising the system flaw.
The system continues to fail periodically, for a total of ten times (beyond the first failure). When the
system fails, sometimes Charlie is running a program, but sometimes Charlie is not. The director contacts
Charlie, who shows all of his program versions to the computing center staff. The staff concludes that
Charlie may have been inadvertently responsible for some, but not all, of the system failures, but that
his latest approach to solving the assigned problem is unlikely to lead to additional system failures.

On further analysis, the computing center director notes that Carol has had programs running each of
the first eight (of ten) times the system failed. The director uses administrative privilege to inspect
Carol's files and finds a file that exploits the same vulnerability as did Charlie's program. The director
immediately suspends Carol's account, denying Carol access to the computing system. Because of this,
Carol is unable to complete her assignment on time, she receives a D in the course, and she drops out
of school.

Analysis

In this case the choices are intentionally not obvious. The situation is presented as a completed scenario,
but in studying it you are being asked to suggest alternative actions the players could have taken. In this
way, you build a repertoire of actions that you can consider in similar situations that might arise.

o What additional information is needed?

o Who has rights in this case? What rights are those? Who has a responsibility to protect those
rights? (This step in ethical study is used to clarify who should be considered as the reference
group for a deontological analysis.)

o Has Charlie acted responsibly? By what evidence do you conclude so? Has Carol? How? Has the
computing center director acted responsibly? How? (In this step you look for past judgments
that should be confirmed or wrongs that should be redressed.)

o What are some alternative actions Charlie or Carol or the director could have taken that would
have been more responsible?