CS UNIT-I_merged


UNIT I

Introduction and Overview of Cyber crime


- Cybercrime is criminal activity that either targets or uses a computer, a computer network or a
networked device.
- Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money.
It is carried out by individuals or by organized groups.
- Some cybercriminals are organized, use advanced techniques and are highly skilled. Others are
novices.
- Less often, cybercrime aims to damage computers for reasons other than profit, such as political
or personal motives.

Most cybercrime falls under two main categories:

- Criminal activity that targets computers.
- Criminal activity that uses computers to commit other crimes.

Cybercrime that targets computers often involves viruses and other types of malware.
Cybercriminals may infect computers with viruses and malware to damage devices or stop them working.
They may also use malware to delete or steal data.
Cybercrime that stops users using a machine or network, or prevents a business providing a software service
to its customers, is called a Denial-of-Service (DoS) attack.
Cybercrime that uses computers to commit other crimes may involve using computers or networks to spread
malware, illegal information or illegal images.
Sometimes cybercriminals conduct both categories of cybercrime at once. They may first infect computers
with malware, then use those machines to spread it to other machines or throughout a network.
Cybercriminals may also carry out what is known as a Distributed Denial-of-Service (DDoS) attack. This is
similar to a DoS attack, but the traffic comes from numerous compromised computers (a botnet) at once,
which makes it far harder to block at the source.

Nature and Scope of Cyber crime


Nature – Cybercrime is transnational in nature. These crimes are committed without the offender being physically
present at the crime location; they take place in the intangible world of computer networks.
To commit such crimes the only thing a person needs is a computer connected to the internet, and with the
advent of very fast internet connections the time needed to commit a cybercrime keeps decreasing.
Cyberspace, being a boundaryless world, has become a playground for perpetrators who commit crimes while
remaining conspicuously absent from the scene. It is an open challenge to a legal system that derives its
lifeblood from physical proof and evidence.
Cybercrime has spread to such proportions that a fixed, formal categorization is no longer possible. Every day
brings a new kind of cybercrime, which makes any single effort to stop it look almost futile.
Identification poses a major challenge. The common thread is anonymity: it is easy to create a false identity
and commit crimes over the internet under it, and attackers routinely route their traffic through proxies,
VPNs or compromised machines in other countries. Because cybercrime is technology driven it evolves continuously
and ingeniously, which makes it hard for investigators to keep up. Crimes committed over the internet differ
from crimes in the physical world: there are no physical footprints or tangible objects to track a criminal down,
only digital traces (log entries, network addresses, file artefacts) that can be forged, deleted or scattered
across systems the investigator does not control. Investigation is therefore complicated, and a single crime
may involve two or more places in completely different parts of the world, which complicates the question of
jurisdiction.

Scope – Cybercrime can be broadly categorized into three parts:

- Cybercrimes against persons.
- Cybercrimes against property.
- Cybercrimes against government.

Cybercrimes against persons - Cybercrimes committed against persons include crimes such as the
transmission of child pornography and harassment of a person using a computer, for example by e-mail. The
trafficking, distribution, posting and dissemination of obscene material, including pornography and indecent
exposure, constitutes one of the most serious cybercrimes known today. The potential harm of such a crime
to humanity can hardly be overstated.

Cybercrimes against property - The second category is that of cybercrimes against all forms of property.
These crimes include computer vandalism (destruction of others' property) and the transmission of
harmful programs.

Cybercrimes against government - The third category is that of cybercrimes against government.
Cyber terrorism is one distinct kind of crime in this category. The growth of the internet has shown
that cyberspace is being used by individuals and groups to threaten governments and to terrorize the
citizens of a country. This crime manifests itself as terrorism when an individual "cracks"
into a government- or military-maintained website or system.

Types of cybercrime
Here are some specific examples of the different types of cybercrime:
- Email and internet fraud - Email fraud (or email scam) is intentional deception, for personal gain
or to damage another individual, carried out by means of email. Internet fraud is the use of internet services
or software with internet access to defraud victims or otherwise take advantage of them.
- Identity fraud (where personal information is stolen and used) - the use by one person of another
person's personal information, without authorization, to commit a crime or to deceive or defraud that
person or a third party.
- Theft of financial or card payment data - The purpose may be to obtain goods or services, or to
make payments to an account controlled by the criminal.
- Theft and sale of corporate data - Data theft is the act of stealing information stored on corporate
databases, devices and servers. It is a significant risk for businesses of all sizes and can originate both
inside and outside an organization.
- Cyberextortion (demanding money to prevent a threatened attack) - Cyberextortion is a crime
involving an attack, or the threat of one, coupled with a demand for money or some other response in
return for stopping or remediating the attack.
Targeted cyberextortion starts with an attacker gaining access to an organization's systems and looking for
points of weakness or targets of value. Ransomware campaigns that spread automatically through malware
delivered by email, infected websites or ad networks hit victims indiscriminately, and only a small percentage
of those victims may pay. Targeted attacks cause less collateral damage and give the extortionist a more
lucrative, better-researched victim.
- Ransomware attacks (a type of cyberextortion) - Ransomware is malicious software (malware) that
blocks access to data or a computer system, usually by encrypting it, and/or threatens to publish stolen
data, until the victim pays a ransom to the attacker. The demand usually comes with a deadline; if the
victim does not pay in time the attacker threatens to destroy the decryption key or leak the data. Paying
is no guarantee of recovery, which is why tested offline backups are the primary defence.
- Cryptojacking (where hackers mine cryptocurrency using resources they do not own) -
Cryptojacking is the unauthorized use of someone else's computer to mine cryptocurrency. Attackers do
this either by getting the victim to click a malicious link in an email that loads cryptomining code on
the computer, or by infecting a website or online ad with JavaScript that executes automatically once loaded
in the victim's browser.
- Cyber espionage (where hackers access government or company data) - Cyber espionage is a form
of cyber attack that steals classified or sensitive data or intellectual property to gain an advantage over a
competing company or government.

Drug Trafficking
Drug traffickers commonly use encrypted messaging tools to communicate with drug mules. There have been
several dark web marketplaces for drugs; the best known, 'Silk Road', was shut down by law enforcement,
reopened under new management, and was shut down again. Another site later appeared under the same name
simply to trade on the brand.

A well-known example of drug trafficking assisted by cybercrime is the attack on the port of Antwerp in
Belgium between 2011 and 2013. Hackers were reportedly hired by drug traffickers to breach the IT systems
that controlled the movement and location of shipping containers. Prosecutors reported that a Netherlands-based
trafficking group hid cocaine and other drugs inside legitimate cargo containers while the hackers worked
their way into the port's computer networks. With access to the data on container locations and security
details, the group collected the marked cargo before the legitimate owner arrived. Suspicion first arose when
containers were found to be disappearing from the port without any reasonable explanation. Investigators found
that the hackers had initially emailed malware to port staff to gain remote access to the data. After that
breach was discovered and a firewall was put in place, the attackers reportedly broke into the premises and
fitted keyloggers to the computers. In a police raid, large quantities of drugs and cash were seized along
with computer-hacking equipment, and several people were charged.

Preventing illegal drug trafficking is never easy, and when it is aided by cybercrime it becomes harder still,
because cyberspace has no borders. The drug trade is international, and law enforcement agencies are not
always effective against attackers spread across many jurisdictions. Since the profits of drug trafficking and
cybercrime are both large, one or two arrests here and there achieve little. International laws and
partnerships across nations have to be strong: one nation should help another with investigations and with
the extradition of criminals. Overall, one nation's law is never sufficient to neutralise drug trafficking
conducted through cybercrime; this is where bodies such as the United Nations or INTERPOL can step in.

Cyber Terrorism
- Cyber terrorism is the use of the internet to conduct violent acts that result in, or threaten, loss of life
or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation.
- It is also sometimes described as internet terrorism: terrorist activity that includes deliberate,
large-scale disruption of computer networks, especially of personal computers attached to the internet,
by means of tools such as viruses, worms, phishing, other malicious software, hardware implants and
scripts.
- Cyberterrorism is a controversial term. Some authors opt for a very narrow definition, covering only the
deployment by known terrorist organizations of disruptive attacks against information systems for the
primary purpose of creating alarm, panic or physical disruption. Others prefer a broader definition
that includes cybercrime. Participating in a cyberattack affects the perceived terror threat even when it
is not violent, so under some definitions it is difficult to say which online activities are cyberterrorism
and which are cybercrime.
- Cyberterrorism can also be defined as the intentional use of computers, networks and the public internet
to cause destruction and harm in pursuit of personal objectives.
- Experienced cyberterrorists, who are highly skilled at hacking, can cause massive damage to
government systems, hospital records and national security programs, which may leave a country,
community or organization in turmoil and in fear of further attacks. The objectives of such terrorists may
be political or ideological, which is what makes this a form of terror.
- There is much concern among governments and the media about the potential damage that could be caused
by cyberterrorism, and this has prompted efforts by government agencies such as the Federal Bureau of
Investigation (FBI) and the Central Intelligence Agency (CIA) to counter cyber attacks and
cyberterrorism.
- Conceptually, its use for this purpose falls into three categories:
(i) weapon of mass destruction;
(ii) weapon of mass distraction;
(iii) weapon of mass disruption.
Need of Information Security
Information security means assessing the countermeasures or controls available against the vulnerabilities
that have been uncovered, and identifying the areas where more work is needed. The purpose of information
security management is to ensure business continuity and to reduce business injury by preventing security
incidents and minimizing their impact. The basic principles of information security are:
- Confidentiality
- Authentication
- Non-Repudiation
- Integrity

The need for information security:

1. Protecting the functionality of the organisation: Decision makers in an organisation must set policy
and operate the organisation in compliance with complex, shifting legislation while keeping its applications
efficient and capable.
2. Enabling the safe operation of applications: The organisation is under immense pressure to acquire
and operate integrated, efficient and capable applications. The modern organisation needs to create an
environment that safeguards the applications running on its IT systems, particularly those applications
that serve as important elements of the organisation's infrastructure.
3. Protecting the data that the organisation collects and uses: Data in the organisation is either at rest or
in motion; data in motion is data currently being used or processed by a system. The value of the data
motivates attackers to steal or corrupt it, so protecting its integrity protects the value of the
organisation's data. Information security covers both data in motion and data at rest.
4. Safeguarding technology assets in organisations: The organisation must add infrastructure services
appropriate to its size and scope. Organisational growth may create the need for a public key
infrastructure (PKI), an integrated system of software, encryption methods and procedures. The information
security mechanisms used by a large organisation are more complex than those of a small organisation;
a small organisation can often get by with symmetric-key encryption of its data.

Threats to Information Systems

Threats to information security include software attacks, theft of intellectual property, identity theft,
theft of equipment or information, sabotage and information extortion.

A threat is anything that can take advantage of a vulnerability to breach security and negatively alter, erase
or harm an object of interest.

Software attacks mean attacks by viruses, worms, Trojan horses and the like. Many users believe that malware,
viruses, worms and bots are all the same thing. They are not: the only thing they share is that they are all
malicious software, and each behaves differently.

Malware is a combination of two terms, malicious and software. It is any program or code designed to perform
malicious operations on a system. Malware can be classified in two ways:
1. by infection method;
2. by the action it performs.

Malware classified by infection method:

1. Virus – A virus replicates by attaching itself to programs or documents on the host computer (executables,
macro-enabled office files, boot sectors) and spreads when those infected files are copied or shared. The Creeper
program, first detected on ARPANET, is usually cited as the earliest example. Examples include file viruses,
macro viruses, boot sector viruses and stealth viruses.
2. Worms – Worms are also self-replicating, but they do not attach themselves to a host program. The biggest
difference between a virus and a worm is that a worm is network aware: it spreads from one computer to another
on its own wherever a network path and a vulnerable service are available. Even a worm with no payload does harm
by consuming bandwidth, disk space and CPU as it spreads, and many carry a destructive payload.
3. Trojan – The concept of a Trojan is completely different from viruses and worms. The name comes from the
'Trojan Horse' tale in Greek mythology, in which the Greeks entered the fortified city of Troy by hiding their
soldiers in a big wooden horse given to the Trojans as a gift. The Trojans trusted the gift blindly; at night
the soldiers emerged and attacked the city from the inside.
A Trojan conceals itself inside software that seems legitimate, and when that software is executed it does
the task it was designed for, such as stealing information.
Trojans often provide a backdoor through which malicious programs or malevolent users can enter your system
and steal valuable data without your knowledge or permission. Examples include FTP Trojans, proxy Trojans
and Remote Access Trojans (RATs).
4. Bots – Bots can be seen as an advanced form of worm. They are automated processes designed to interact
over the internet without human intervention. Bots can be benign or malicious. A malicious bot infects a host
and then connects to a central command-and-control server, which issues commands to all infected hosts
attached to it; the collection of infected hosts is called a botnet.
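The "connect back to a central server" step is also what gives a bot away on the network. Here is an added example, not code from these notes or from any product: a Python script that reads constructed outbound-connection records (the log format, addresses and thresholds are assumptions made for the example) and flags streams whose timing is too regular to be a person.

```python
"""Beacon detection over constructed outbound-connection logs.

A malicious bot has to contact its command-and-control (C2) server to receive
orders, and it usually does so on a timer. Human-driven traffic is bursty; a
beacon ticks like a clock. This script groups outbound connections by
(source, destination, port), measures the gaps between successive
connections and flags streams that are both frequent and evenly spaced.
Log format, addresses and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "timestamp src dst port" record per line.
# 10.0.0.7 beacons to 203.0.113.9:443 roughly every 60 s; 10.0.0.5 browses.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.7 203.0.113.9 443
2024-03-01T09:00:04 10.0.0.5 198.51.100.20 443
2024-03-01T09:01:01 10.0.0.7 203.0.113.9 443
2024-03-01T09:01:10 10.0.0.5 198.51.100.21 443
2024-03-01T09:01:58 10.0.0.7 203.0.113.9 443
2024-03-01T09:02:59 10.0.0.7 203.0.113.9 443
2024-03-01T09:03:40 10.0.0.5 198.51.100.20 443
2024-03-01T09:04:02 10.0.0.7 203.0.113.9 443
2024-03-01T09:04:59 10.0.0.7 203.0.113.9 443
2024-03-01T09:05:00 10.0.0.5 198.51.100.22 443
2024-03-01T09:06:01 10.0.0.7 203.0.113.9 443
2024-03-01T09:12:30 10.0.0.5 198.51.100.20 443
"""


def parse_log(log_text):
    """Yield (timestamp, src, dst, port) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(log_text, min_connections=5, max_cv=0.2):
    """Return (src, dst, port, count, mean_gap_s, cv) for beacon-like streams.

    A stream is flagged when it has at least min_connections events and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most max_cv, i.e. the spacing is too regular for a person. Both
    thresholds are assumptions; calibrate them against your own baseline.
    """
    streams = defaultdict(list)
    for ts, src, dst, port in parse_log(log_text):
        streams[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in streams.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((src, dst, port, len(times), avg, cv))
    return beacons


if __name__ == "__main__":
    for src, dst, port, n, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{port}, {n} connections, "
              f"about every {avg:.0f} s (cv={cv:.3f})")
```

Real bots add random jitter and long sleeps to defeat exactly this check, so in practice you widen max_cv, look at longer windows and combine the timing score with destination reputation. Legitimate periodic traffic (NTP, update checks, monitoring agents) looks like a beacon too and has to be allowlisted.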

Malware classified by action:

1. Adware – Adware is not exactly malicious, but it does breach the privacy of users. It displays ads on the
computer's desktop or inside individual programs. It comes bundled with free-to-use software and is the main
source of revenue for such developers. It monitors your interests and displays relevant ads. An attacker can
embed malicious code inside the software, so adware can also monitor your system activities and can even
compromise your machine.
2. Spyware – Spyware is software that monitors your activities on the computer and reports the collected
information to an interested party. Spyware is generally dropped by Trojans, viruses or worms. Once dropped it
installs itself and sits silently to avoid detection. One of the most common examples of spyware is the
keylogger. The basic job of a keylogger is to record user keystrokes with timestamps, thereby capturing
interesting information such as usernames, passwords and credit card details.
3. Ransomware – Ransomware is malware that either encrypts your files or locks your computer, making it
inaccessible either partially or wholly. A screen is then displayed demanding money, i.e. a ransom, in
exchange for restoring access.
4. Scareware – Scareware masquerades as a tool that will fix your system, but when executed it infects or
damages the system. It displays alarming messages to frighten you into taking some action, such as paying
to "fix" the problem.
5. Rootkits – Rootkits are designed to obtain and keep root (administrative) privileges on a system while
hiding their own presence and that of other malware from the user and from security tools. Once root access
is gained, the attacker can do anything, from stealing private files to tampering with the operating system
itself.
6. Zombies – Zombies work similarly to spyware. The infection mechanism is the same, but they do not spy or
steal information; instead they wait for commands from the attacker (a zombie is a member of a botnet).
7. Theft of intellectual property means violation of intellectual property rights such as copyrights and
patents.
8. Identity theft means impersonating someone else to obtain their personal information or to access the
information they hold, for example by logging in to a person's computer or social media account using their
credentials.
9. Theft of equipment and information is increasing these days due to the mobile nature of devices and their
increasing information capacity.
10. Sabotage means defacing or destroying a company's website to cause a loss of confidence on the part of
its customers.
11. Information extortion means theft of a company's property or information in order to receive payment in
exchange for its return. For example, ransomware may lock a victim's files, making them inaccessible and thus
forcing the victim to pay; only after payment are the files unlocked, if at all.
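Ransomware leaves behavioural evidence on the host that a defender can look for. As an added example (not part of the original notes), the Python script below applies one widely used idea for catching ransomware in the act: it measures the entropy of each file write and flags a process that rewrites many files with ciphertext-like contents in a short window. The events, process names, paths and thresholds are constructed for the example.

```python
"""Detecting ransomware-style mass encryption from file-write events.

Ransomware rewrites many user files in a short burst, and what it writes is
ciphertext, which looks like random bytes. Two signals together catch that:
high Shannon entropy of the written data and many such writes from one
process inside a short window. The events, process names and thresholds
below are constructed for this example; they are not from any product.
"""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~4.5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


# Constructed events: (seconds since start, process name, path, bytes written).
LOW_ENTROPY_TEXT = (b"Quarterly report. Revenue grew 4% on the back of strong "
                    b"subscription renewals. See appendix B for details.\n") * 40
EVENTS = [(0.5, "winword.exe", r"C:\Users\a\Documents\report.docx", LOW_ENTROPY_TEXT)]
EVENTS += [(1.0 + i * 0.3, "updater_helper.exe",
            rf"C:\Users\a\Documents\file{i}.xlsx.locked", pseudo_ciphertext(f"file{i}"))
           for i in range(12)]
EVENTS.append((20.0, "winword.exe", r"C:\Users\a\Documents\notes.docx", LOW_ENTROPY_TEXT))


def find_encryptors(events, window_s=10.0, min_writes=8, min_entropy=7.0):
    """Return names of processes that wrote >= min_writes high-entropy files within window_s.

    Thresholds are assumptions for the example. Backup agents and archivers
    also write high-entropy data, so a real deployment would allowlist those
    and calibrate against the host's normal activity.
    """
    high_entropy_times = defaultdict(list)
    for ts, proc, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) >= min_entropy:
            high_entropy_times[proc].append(ts)

    suspects = []
    for proc, times in high_entropy_times.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= min_writes:
                suspects.append(proc)
                break
    return suspects


if __name__ == "__main__":
    print("text entropy   :", round(shannon_entropy(LOW_ENTROPY_TEXT), 2))
    print("cipher entropy :", round(shannon_entropy(pseudo_ciphertext("demo")), 2))
    print("suspect process:", find_encryptors(EVENTS))
```

The word processor's writes never enter the count because English text sits well below 7 bits per byte, while the twelve ciphertext writes from the one process land inside a single window. Compressed formats (zip, jpeg, already-encrypted containers) also score near 8, so entropy alone is never the verdict; the burst from a single process and the renamed extensions are what make it actionable.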
Information Assurance
Information assurance is the implementation of methods focused on protecting and safeguarding critical
information and the relevant information systems by assuring confidentiality, integrity, availability and
non-repudiation. It is a strategic approach that focuses more on the deployment of policies than on building
infrastructure.

Information Assurance Model:

The security model is a multidimensional model based on four dimensions:
1. Information States – Information is the interpretation of data, and it can be found in three states:
stored, processed or transmitted.
2. Security Services – This is the fundamental pillar of the model, providing security to the system. It
consists of five services: availability, integrity, confidentiality, authentication and non-repudiation.
3. Security Countermeasures – This dimension covers the means of protecting the system against its
vulnerabilities, accounting for technology, policy & practice, and people.
4. Time – This dimension can be viewed in many ways. At any given time data may be offline or online, and
information and systems may be in flux, introducing the risk of unauthorized access. Therefore, in every
phase of the system development cycle, every aspect of the information assurance model must be well defined
and well implemented in order to minimize the risk of unauthorized access.

Information States:
1. Transmission – The time during which data is between processing steps.
Example: In transit over networks when a user sends an email to a reader, including the memory and storage
encountered during delivery.
2. Storage – The time during which data is saved on a medium such as a hard drive.
Example: A user saving a document on a file server's disk.
3. Processing – The time during which data is being processed.
Example: Data being processed in the random access memory (RAM) of a workstation.

Security Services:
1. Confidentiality – Assures that information in the system is not disclosed to unauthorized parties and is
read and interpreted only by persons authorized to do so. Protecting confidentiality prevents both malicious
access and accidental disclosure of information. Information that is considered confidential is called
sensitive information. To ensure confidentiality, data is classified into categories according to the
damage its disclosure would cause, and controls are applied accordingly.
Example: Protecting email content so that it can be read only by the intended set of users. This is ensured
by encrypting the data. Two-factor authentication, strong passwords, security tokens and biometric
verification are common ways of authenticating the users who are allowed to access sensitive data.
2. Integrity – Ensures that sensitive data is accurate and trustworthy and cannot be created, changed or
deleted without proper authorization. Maintaining integrity means preventing the modification or destruction
of information by unauthorized parties.
To ensure integrity, backups should be planned and implemented so that affected data can be restored after a
security breach. In addition, a cryptographic checksum can be used to verify that data has not changed.
Example: Measures to verify that email content was not modified in transit. This is achieved with
cryptography (a message authentication code or digital signature), which assures the intended recipient that
the information received is correct and complete.
3. Availability – Guarantees reliable and constant access to sensitive data by authorized users. It involves
measures to sustain access to data in spite of system failures and other sources of interference.
To ensure availability, corrupted data must be detected and replaced, recovery time must be shortened and the
physical infrastructure must be made resilient.
Example: The accessibility and throughput of an email service.
4. Authentication – A security service designed to establish the validity of a transmission or message by
verifying the identity of the individual who wants to receive a specific category of information.
Various single-factor and multi-factor authentication methods are used. A single-factor method uses one
parameter (for example a password) to verify the user's identity, whereas multi-factor authentication
combines two or more independent factors (something you know, something you have, something you are).
Example: Entering a username and password when logging in to a website. Entering the correct login
information lets the website verify our identity and ensures that only we can access our sensitive information.
5. Non-Repudiation –
A mechanism to ensure that the sender or receiver cannot deny having been part of a data transmission.
When the sender sends data to the receiver, the sender obtains proof of delivery; when the receiver receives
the message, it carries proof of who sent it. In practice this proof is a digital signature made with a
private key held only by the signer.
Example: A common everyday analogy is sending an SMS from one mobile phone to another. After the message is
received, a delivery confirmation is displayed to the sender, and the received message identifies the sender.
Note that a delivery report is not cryptographic non-repudiation: it can be spoofed and proves nothing to a
third party, whereas a digital signature can be checked by anyone holding the signer's public key.
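The integrity, authentication and non-repudiation services above are usually delivered by cryptographic checks, and it is worth seeing exactly which check delivers which service. The following is an added example written for these notes, not code from the original; it uses only the Python standard library (hashlib and hmac) and a constructed key and message.

```python
"""Integrity, authentication and non-repudiation with standard-library crypto.

Three layers, each fixing a weakness of the one before:
  1. A plain SHA-256 checksum catches accidental corruption, but an attacker
     who rewrites the message can recompute the checksum too.
  2. An HMAC keyed with a shared secret stops that: without the key nobody
     can produce a valid tag. But both parties hold the key, so either could
     have produced the tag, and the sender can still deny sending it.
  3. Non-repudiation needs a signature made with a key only the sender holds
     (see the note after the code). The standard library has no public-key
     signing, so that layer is not coded here.
The key and messages are constructed for this example.
"""
import hashlib
import hmac


def checksum(message: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def verify_checksum(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(checksum(message), digest)


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: cannot be recomputed without the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest is constant-time, so the check does not leak how many
    # leading characters of a guessed tag were right.
    return hmac.compare_digest(mac_tag(key, message), tag)


def walkthrough() -> dict:
    """Run the three scenarios and report which check catches what."""
    key = b"shared-secret-known-to-alice-and-bob"      # constructed
    original = b"Transfer 100 EUR to account 42"
    digest = checksum(original)
    tag = mac_tag(key, original)

    # 1. A bit flips in transit (accidental corruption): both checks catch it.
    corrupted = original[:-1] + bytes([original[-1] ^ 0x01])
    corruption_caught_by_checksum = not verify_checksum(corrupted, digest)
    corruption_caught_by_mac = not verify_mac(key, corrupted, tag)

    # 2. An active attacker rewrites the amount and recomputes the checksum,
    #    which needs no secret. The checksum passes; the HMAC does not,
    #    because the attacker can only replay the old tag.
    forged = original.replace(b"100", b"900")
    forgery_caught_by_checksum = not verify_checksum(forged, checksum(forged))
    forgery_caught_by_mac = not verify_mac(key, forged, tag)

    # 3. Repudiation: Bob also holds the key, so he can fabricate a message
    #    with a tag that verifies. A valid tag therefore does not prove to a
    #    third party that Alice sent it.
    bobs_fabrication = b"Transfer 100000 EUR to account 42"
    mac_proves_sender = not verify_mac(key, bobs_fabrication, mac_tag(key, bobs_fabrication))

    return {
        "corruption_caught_by_checksum": corruption_caught_by_checksum,
        "corruption_caught_by_mac": corruption_caught_by_mac,
        "forgery_caught_by_checksum": forgery_caught_by_checksum,
        "forgery_caught_by_mac": forgery_caught_by_mac,
        "mac_proves_sender": mac_proves_sender,
    }


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check:32s} {result}")
```

A checksum therefore gives integrity against accidents, an HMAC gives integrity plus authentication between two parties that share a key, and only a digital signature (RSA, ECDSA or Ed25519, available through a third-party library such as `cryptography`, which is assumed not to be installed here) gives non-repudiation, because the private key is held by the signer alone. Confidentiality is a separate service again and needs encryption; an authenticated cipher mode such as AES-GCM provides confidentiality and an integrity tag in one step.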

Security Countermeasures:
1. People – People are the heart of an information system. Administrators and users of information systems
must follow policy and practice in designing and operating a good system. They must be informed regularly
about the information system and be ready to act appropriately to safeguard it.
2. Policy & Practice – Every organization has a set of rules, defined in the form of policies, that must be
followed by every individual working in the organization. These policies must be practised so that sensitive
information is handled properly, especially when a system is compromised.
3. Technology – Appropriate technology such as firewalls, routers and intrusion detection systems must be
used to defend the system against vulnerabilities and threats. The technology used must facilitate a quick
response whenever information security is compromised.

Cyber Security
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and
data from malicious attacks. It's also known as information technology security or electronic information
security. The term applies in a variety of contexts, from business to mobile computing, and can be divided into
a few common categories.
- Network security is the practice of securing a computer network from intruders, whether targeted
attackers or opportunistic malware.
- Application security focuses on keeping software and devices free of threats. A compromised
application could provide access to the data it is designed to protect. Successful security begins in the
design stage, well before a program or device is deployed.
- Information security protects the integrity and privacy of data, both in storage and in transit.
- Operational security includes the processes and decisions for handling and protecting data assets.
The permissions users have when accessing a network and the procedures that determine how and where
data may be stored or shared all fall under this umbrella.
- Disaster recovery and business continuity define how an organization responds to a cyber-security
incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate
how the organization restores its operations and information to return to the same operating capacity
as before the event. Business continuity is the plan the organization falls back on while trying to operate
without certain resources.
- End-user education addresses the most unpredictable cyber-security factor: people. Anyone can
accidentally introduce a virus to an otherwise secure system by failing to follow good security practices.
Teaching users to delete suspicious email attachments, not to plug in unidentified USB drives, and various
other important lessons is vital for the security of any organization.

Security Risk analysis

Risk analysis is the review of the risks associated with a particular action or event. It is applied to
information technology, projects, security issues and any other situation where risks can be analysed on a
quantitative or qualitative basis. Risks are part of every IT project and every business organization. Risk
analysis should be carried out on a regular basis and updated to identify new potential threats. Strategic
risk analysis helps to minimize the probability and damage of future risks.

Enterprises and organizations use risk analysis:

- To anticipate and reduce the effect of harmful results arising from adverse events.
- To plan for technology or equipment failure or loss from adverse events, both natural and human-caused.
- To evaluate whether the potential risks of a project are balanced against its benefits in the decision
process when deciding whether to move forward with the project.
- To identify the impact of, and prepare for, changes in the enterprise environment.

Benefits of risk analysis

Every organization needs to understand the risks associated with its information systems in order to
protect its IT assets effectively and efficiently. Risk analysis can help an organization improve its security
in many ways:
- It identifies, rates and compares the overall impact of risks on the organization, in both financial and
organizational terms.
- It helps to identify gaps in information security and determine the next steps to reduce the risks.
- It enhances the communication and decision-making processes related to information security.
- It improves security policies and procedures and helps develop cost-effective methods for implementing
them.
- It increases employee awareness of risks and security measures during the risk analysis process and of the
financial impact of potential security risks.

Steps in the risk analysis process

The basic steps of a risk analysis process are:
1. Conduct a risk assessment survey: Getting input from management and department heads is critical to
the risk assessment process. The survey is the start of documenting the specific risks or threats within
each department.
2. Identify the risks: This step evaluates an IT system, or other aspects of an organization, to identify
the risks related to software, hardware, data and IT staff. It identifies the possible adverse events that
could occur, such as human error, flooding, fire or earthquakes.
3. Analyse the risks: Once the risks are identified, analyse each one to estimate how likely it is to occur
and what the consequences would be, including how it might affect the objectives of an IT project.
4. Develop a risk management plan: The analysis shows which assets are valuable and which threats are
likely to affect the IT assets negatively. On that basis, develop a risk management plan with control
recommendations that can be used to mitigate, transfer, accept or avoid each risk.
5. Implement the risk management plan: The primary goal of this step is to implement the measures that
remove or reduce the analysed risks. Start with the highest-priority risk and resolve, or at least mitigate,
each risk so that it is no longer a threat.
6. Monitor the risks: Security risks must be monitored on a regular basis so that new risks are identified,
treated and managed; this monitoring should be an essential part of any risk analysis process.

Types of Risk Analysis


The two main approaches to risk analysis are:
Qualitative Risk Analysis
 Qualitative risk analysis is a project management technique that prioritises the risks on a
project by assigning each a probability rating and an impact rating. Probability is the likelihood
that a risk event will occur; impact is the significance of the consequences if it does.
 The objective of qualitative risk analysis is to assess the characteristics of each individually
identified risk and then prioritise the risks based on agreed-upon characteristics.
 Assessing each risk individually evaluates the probability that it will occur and its effect on the
project objectives. Categorising the risks helps in filtering out the ones that do not matter.
 Qualitative analysis determines the risk exposure of the project by multiplying the probability
rating and the impact rating (for example, each on a 1 to 5 scale) to obtain a risk score.
Quantitative Risk Analysis
 The objective of quantitative risk analysis is to provide a numerical estimate of the overall
effect of risk on the project objectives, usually in terms of money or time.
 It is used to evaluate the likelihood of success in achieving the project objectives and to
estimate the contingency reserve, usually for time and cost.
 Quantitative analysis is not mandatory, especially for smaller projects. Its main focus is
calculating estimates of overall project risk.

The Indian IT Act
The Information Technology Act, 2000, also known as the IT Act, is an Act of the Indian Parliament
that was notified on 17 October 2000. It is based on the United Nations Model Law on Electronic
Commerce 1996 (UNCITRAL Model Law), which was recommended by the General Assembly of the United
Nations by a resolution dated 30 January 1997. It is the most important law in India dealing with
cybercrime and e-commerce.
The main objective of the Act is to give legal recognition to electronic, digital and online
transactions and to reduce cybercrime. The IT Act as originally enacted has 13 chapters and 94
sections; the last four, sections 91 to 94, deal with amendments to other statutes, including the
Indian Penal Code 1860.

The IT Act, 2000 has two schedules:


 First Schedule – Deals with documents to which the Act shall not apply.
 Second Schedule – Deals with electronic signature or electronic authentication method.

The offences and the punishments in IT Act 2000:


The offences and the punishments that falls under the IT Act, 2000 are as follows:
1. Tampering with the computer source documents.
2. Directions of Controller to a subscriber to extend facilities to decrypt information.
3. Publishing of information which is obscene in electronic form.
4. Penalty for breach of confidentiality and privacy.
5. Hacking for malicious purposes.
6. Penalty for publishing Digital Signature Certificate false in certain particulars.
7. Penalty for misrepresentation.
8. Confiscation.
9. Power to investigate offences.
10. Protected System.
11. Penalties or confiscation not to interfere with other punishments.
12. Act to apply for offence or contravention committed outside India.
13. Publication for fraudulent purpose.
14. Power of Controller to give directions.

Sections and Punishments under Information Technology Act, 2000 are as follows:

Section 43 – Any act of destroying, altering or stealing a computer system/network, or deleting data,
with malicious intent and without authorisation from the owner of the computer, makes the offender
liable to pay compensation to the owner for the damage caused.
Section 43A – A body corporate handling sensitive personal data that fails to implement reasonable
security practices, thereby causing wrongful loss or gain to any person, is liable to pay
compensation to the affected party.
Section 66 – Hacking of a computer system with malicious intent (such as fraud) is punishable with
imprisonment up to 3 years or a fine up to Rs. 5,00,000 or both.
Section 66B, 66C, 66D – Dishonestly receiving a stolen computer resource, identity theft, and
cheating by personation using a computer resource are each punishable with imprisonment up to
3 years and/or a fine up to Rs. 1,00,000.
Section 66E – Violation of privacy by capturing, publishing or transmitting the image of a private
area of a person without consent is punishable with imprisonment up to 3 years or a fine up to
Rs. 2,00,000 or both.
Section 66F – Cyber terrorism that threatens the unity, integrity, security or sovereignty of India
through digital means is punishable with imprisonment for life.
Section 67 – Publishing or transmitting obscene material in electronic form is punishable with
imprisonment up to 3 years and a fine up to Rs. 5,00,000 on a first conviction, and up to 5 years
and a fine up to Rs. 10,00,000 on a subsequent conviction.

Cybercrime scenario in India


The recorded cybercrime figures in our country do not truly reflect the situation on the ground.
According to the National Crime Records Bureau (NCRB), a total of 12,187 cybercrime cases were
registered all over India in 2016, compared to 11,331 cases registered in 2015. There was a
20.5 per cent increase in the number of cybercrime cases in 2015 over 2014 and a 6.3 per cent
increase in 2016 over 2015.

As far as the number of cybercrime cases is concerned, Uttar Pradesh with a figure of 2,639 registered
the maximum number of cases followed by Maharashtra (2380), and Karnataka (1101). Among the
Metropolitan cities, Mumbai with 980 cases stood first followed by Bengaluru 762 and Jaipur 532.
Chennai city with 26 cases was ranked 16 among metros.

Social media seems to have turned antisocial at the hands of rumour mongers with more than 20
cases of lynching being reported in the last two months in our country. The advent of social media
appears to have added fuel to the existing fire, by helping organisers and opposition parties
congregate multitudes swiftly, easily, cheaply and efficiently —whether it be for a cause like
Jallikattu or for spreading the message of revolt against the policies of the establishment.

Quite obviously, social media played a crucial role in mobilising and engineering some of the major
agitations like the Cauvery river dispute.
If we choose to ignore cyber criminals, we do so at our own peril. We should not forget the havoc
that the ill-gotten gains of cybercrime wreaked on the city of Mumbai in 2008 during the terrorist
siege by Lashkar-e-Taiba (LeT). The operation was reportedly funded by a Filipino hacking cell
working on behalf of Jemaah Islamiyah, an associate of Al-Qaeda. Millions of dollars stolen by the
cybercriminals it recruited were channelled to their handlers in Saudi Arabia, who in turn laundered
the funds to the Lashkar-e-Taiba team in Pakistan that executed the brutal onslaught on the city of
Mumbai.

The situation today is that there are several laws that address cybercrime, each with its own scope
and limitations. India is no doubt imposing sanctions to deal with such crimes; however, the
conviction rate remains insignificant. What is needed is a specific law dealing particularly with
cybercrime, just as the UK did in 1990 when it enacted the Computer Misuse Act 1990.

Digital Signature and the Indian IT Act

The advent of information technology revolutionised the whole world, and India played a leading
role and captured global attention. India passed the Information Technology Act 2000 (the Act),
which came into force on 17 October 2000. The Act applies to the whole of India and even to persons
who commit an offence outside India. The Act validates the "DIGITAL SIGNATURE" and enables a person
to use it just like a traditional signature. The basic purpose of a digital signature is no
different from that of a conventional signature: to authenticate the document, to identify the
person, and to make the contents of the document binding on the person applying the digital
signature. Let us see what a digital signature is in technical terms.

A digital signature or digital signature scheme is a mathematical scheme for demonstrating the
authenticity of a digital message or document. A valid digital signature gives a recipient reason to
believe that the message was created by a known sender, and that it was not altered in transit.
Digital signatures are based on public key cryptography. The most widely used scheme, RSA, relies on
prime numbers such as 2, 3, 5, 7, 11, 13 and so on (numbers that can be divided only by themselves or
by 1). There are infinitely many primes; in RSA the key is built from the product of two large
primes, and its security rests on the difficulty of recovering those primes from their product.

The functioning of a digital signature is based on public key cryptography. Public-key cryptography
refers to a cryptographic system requiring two separate keys, one of which is secret and one of
which is public. Although different, the two parts of the key pair are mathematically linked. One
key locks or encrypts the plain text, and only the other unlocks or decrypts the cipher text; neither
key can perform both functions on the same message. One of these keys is published or public, while
the other is kept private.

"Key encryption allows more than just privacy. It can also assure the recipient of the authenticity of
a document because a private key can be used to encode a message that only a public key can decode.
If I have information I want to sign before sending it to you, my computer uses my private key to
encipher it. Now the message can be read only if my public key-which you and everyone else know-
is used to decipher it. This message is veritably from me because no one else has the private key that
could have encrypted it in this way".

Justice Yatindra Singh in his book "Cyber laws" has stated that since public key encryption is slow
and time consuming, a hash function is used to transform a message into a shorter fixed-length value
called the hash result. The hash result serves as a fingerprint of the original text. A hash
function is an algorithm mapping or translating one sequence into another. Two properties matter
here: the same hash result is obtained every time the hash function is applied to the same
electronic record, and it is computationally infeasible to find two electronic records that produce
the same hash result with the same hash function (collision resistance). Strictly, because the
output is fixed-length and the input is not, the mapping cannot be one to one; the guarantee is that
no one can find two inputs that collide, not that none exist. The function is also one way: one
cannot reconstruct the original message from the hash result. The encryption of the hash result of
the message with the private key of the sender is called a digital signature.
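The sign-then-verify flow described above, as an added example that is not part of the original notes or of any certifying authority's software. It uses textbook RSA on two well-known Mersenne primes (an assumption chosen so that a SHA-256 digest fits in the modulus); such primes are public knowledge, and real RSA also pads the digest (PKCS#1 v1.5 or PSS), so this is for study only.

```python
"""Digital signature = the hash result of a record 'encrypted' with the
sender's private key, verified by 'decrypting' with the public key.

Illustrative example only: textbook RSA, no padding, publicly known primes.
"""
import hashlib
from math import gcd

# Assumed key material: Mersenne primes 2**127-1 and 2**521-1 (public, hence
# insecure).  A real key uses two secret random primes of 1024+ bits each.
P = 2**127 - 1
Q = 2**521 - 1


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: n = p*q, public exponent e, private exponent d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def hash_result(record: bytes) -> int:
    """Fixed-length fingerprint of the record (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """Sender: raise the hash result to the private exponent mod n."""
    n, d = private_key
    h = hash_result(record)
    if h >= n:
        raise ValueError("digest must be smaller than the modulus")
    return pow(h, d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Recipient: undo the signature with the public exponent and compare the
    result with a freshly computed hash of the record as received."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == hash_result(record)


def demo() -> dict:
    """Sign a constructed record, then show that altering the record, the
    signature, or the key used for verification makes verification fail."""
    public_key, private_key = make_keypair(P, Q)
    record = b"Transfer Rs. 10,000 from account 1001 to account 2002"  # constructed
    signature = sign(record, private_key)
    other_public_key, _ = make_keypair(2**107 - 1, 2**89 - 1)  # someone else's key
    return {
        "genuine": verify(record, signature, public_key),
        "record_altered": verify(record.replace(b"2002", b"6666"), signature, public_key),
        "signature_altered": verify(record, signature ^ 1, public_key),
        "wrong_key": verify(record, signature, other_public_key),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18s} verifies: {ok}")
```

Only the "genuine" case verifies; the three tampered cases fail, which is exactly the non-repudiation and integrity property the Act relies on. The Python `cryptography` package implements the padded, large-key version of this for production use.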

Cybercrimes and Punishment


Apart from punishments in IT Act, 2000, there are certain crimes that are attracted by IPC provisions
as well. The following is the enumeration of the IPC provisions along with various cybercrimes that
are attracted by respective Sections and the punishment for the same.
 Section 292 of IPC: Although this Section was drafted to deal with the sale of obscene
material, in the current digital era it has come to cover various cybercrimes as well. The
publication and transmission of obscene material, sexually explicit acts, or exploitative acts
involving children, etc., in electronic form are also governed by this Section. Though the crimes
mentioned above seem alike, they are recognised as different crimes by the IT Act and the IPC. The
punishment for a first conviction is imprisonment up to 2 years and a fine up to Rs. 2,000. If any
of the aforementioned crimes is committed a second time, the imprisonment can extend up to 5 years
and the fine up to Rs. 5,000.
 Section 354C of IPC: The cybercrime dealt with under this provision is capturing or publishing a
picture of the private parts or private acts of a woman without her consent. This Section
exclusively deals with the crime of 'voyeurism', which also covers watching such acts of a woman.
If the essentials of this Section (such as the gender of the victim) are not satisfied, Section 292
of IPC and Section 66E of the IT Act, 2000 are broad enough to cover offences of a similar kind. The
punishment is 1 to 3 years of imprisonment for first-time offenders and 3 to 7 years for second-time
offenders.
 Section 354D of IPC: This Section describes and punishes 'stalking', including both physical
stalking and cyberstalking. If a woman is monitored through electronic communication, the internet
or email, or is repeatedly contacted by a person despite her clear disinterest, it amounts to
cyberstalking. The latter part of the Section prescribes imprisonment extending up to 3 years for a
first offence and up to 5 years for a second, along with a fine in both instances. In Kalandi Charan
Lenka v. The State of Odisha, the victim received obscene messages from an unknown number that
damaged her character. Moreover, emails were sent and a fake Facebook account containing morphed
pictures of the victim was created by the accused. The High Court therefore found the accused prima
facie guilty of cyberstalking under various provisions of the IT Act and Section 354D of IPC.
 Section 379 of IPC: If a mobile phone, the data on it, or computer hardware is stolen, Section 379
applies, and the punishment can extend up to 3 years of imprisonment or fine or both. Attention must
be paid to the fact that these provisions cannot be applied where the provisions of the special law,
i.e. the IT Act, 2000, are attracted. In Gagan Harsh Sharma v. The State of Maharashtra, an employer
found that software and data had been stolen, that someone had breached the computers, and that
sensitive information had been made accessible to employees. The employer informed the police, who
filed a case under Sections 379, 408 and 420 of IPC and various IT Act provisions. The question
before the court was whether the police could file a case under the IPC at all. The court decided
that the case could not proceed on the IPC provisions, as the IT Act has an overriding effect.
 Section 411 of IPC: This deals with the offence that follows an offence punished under Section
379. Anyone who receives a stolen mobile phone, computer, or data from one is punished under Section
411 of IPC. It is not necessary that the thief possess the material; even if it is held by a third
party who knows it to be stolen, this provision is attracted. The punishment can be imprisonment
extending up to 3 years or fine or both.
 Section 419 and Section 420 of IPC: These are related provisions, as both deal with fraud. Theft of
passwords to meet fraudulent objectives, the creation of bogus websites, and the commission of cyber
frauds are crimes extensively dealt with by these two Sections of IPC. Email phishing that assumes
someone's identity to demand a password is exclusively concerned with Section 419 of IPC. The
punishments differ based on the gravity of the cybercrime committed: Section 419 carries up to 3
years of imprisonment or fine, and Section 420 carries up to 7 years of imprisonment or fine.
 Section 465 of IPC: In the usual scenario, the punishment for forgery is dealt with in this
provision. In cyberspace, offences such as email spoofing and the preparation of false documents are
dealt with and punished under this Section, which prescribes imprisonment extending up to 2 years or
fine or both. In Anil Kumar Srivastava v. Addl Director, MHFW, the petitioner electronically forged
the signature of the Additional Director and later filed a case making false allegations about the
same person. The Court held that the petitioner was liable under Section 465 as well as under
Section 471 of IPC, since the petitioner also tried to use the forgery as a genuine document.
 Section 468 of IPC: If the offenses of email spoofing or the online forgery are committed
for the purpose of committing other serious offenses i.e cheating, Section 468 comes into the
picture which contains the punishment of seven years of imprisonment or fine or both.
 Section 469 of IPC: If the forgery is committed by anyone solely for the purpose of
disreputing a particular person or knowing that such forgery harms the reputation of a
person, either in the form of a physical document or through online, electronic forms, he/she
can be imposed with the imprisonment up to three years as well as fine.
 Section 500 of IPC: This provision penalises the defamation of any person. With respect to
cybercrimes, sending any kind of defamatory content or abusive messages through email attracts
Section 500 of IPC. The imprisonment under this Section extends up to 2 years, along with a fine.

 Section 504 of IPC: If anyone intentionally insults, threatens or provokes another person with
intent to cause a breach of the peace, through email or any other electronic form, it amounts to an
offence under Section 504 of IPC. The punishment for this offence extends up to 2 years of
imprisonment or fine or both.
 Section 506 of IPC: If a person criminally intimidates another, physically or through electronic
means, with a threat to life, of grievous hurt, of destruction of property by fire, or by imputing
unchastity to a woman, it amounts to an offence under Section 506 of IPC, punishable with
imprisonment extending up to seven years or fine or both.
 Section 509 of IPC: This Section deals with the offense of uttering a word, showing a
gesture, and committing an act that has the potential to harm the modesty of a woman. It also
includes the sounds made and the acts committed infringing the privacy of a woman. If this
offense is committed either physically or through electronic modes, Section 509 gets attracted
and the punishment would be imprisonment of a maximum period of one year or fine or both.
UNIT II
Active attacks: An active attack attempts to alter system resources or affect their operation. An
active attack involves some modification of the data stream or the creation of a false stream.
Types of active attacks are as follows:
1. Masquerade – A masquerade attack takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack, for example replaying a
captured authentication sequence.
2. Modification of messages – Some portion of a legitimate message is altered, or the message is
delayed or reordered, to produce an unauthorised effect. For example, a message meaning "Allow JOHN
to read confidential file X" is modified to "Allow Smith to read confidential file X".

3. Repudiation – This attack is carried out by either the sender or the receiver, who later denies
having sent or received a message. For example, a customer asks the bank "to transfer an amount to
someone" and later the customer denies having made such a request. This is repudiation.
4. Replay – The passive capture of a message and its subsequent retransmission to produce an
unauthorised effect.
5. Denial of Service – Prevents the normal use of communication facilities. This attack may have a
specific target; for example, an entity may suppress all messages directed to a particular
destination. Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade performance.
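How a receiver can detect two of these active attacks, modification and replay, on a message channel, as an added example that is not from the original notes. The wire format `counter|body|tag`, the shared key and the sample messages are assumptions made for the demonstration; the tag is HMAC-SHA256 over `counter|body`, so changing any byte of the body invalidates the tag, and re-sending a captured message repeats a counter the receiver has already consumed.

```python
"""Integrity (against modification) and freshness (against replay) checks
for messages on a channel, using a shared HMAC key and a monotonic counter.
Illustrative example; the key and messages are constructed.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed demo key - not for real use"   # assumed pre-shared secret


class Sender:
    """Appends a strictly increasing counter and an HMAC tag to each message."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, body: str) -> str:
        self.counter += 1
        payload = f"{self.counter}|{body}"
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"


class Receiver:
    """Checks the tag first (modification), then the counter (replay)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, wire: str) -> tuple:
        """Return (accepted, body) or (False, reason)."""
        try:
            counter_str, rest = wire.split("|", 1)
            body, tag = rest.rsplit("|", 1)
            counter = int(counter_str)
        except ValueError:
            return False, "malformed"
        # Recompute over the exact bytes that were tagged, then compare in
        # constant time so the comparison itself leaks nothing.
        expected = hmac.new(self.key, f"{counter_str}|{body}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "modified"
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        return True, body


def demo() -> dict:
    """Genuine delivery, then the two attacks, then the next genuine message."""
    sender, receiver = Sender(SHARED_KEY), Receiver(SHARED_KEY)
    first = sender.send("Allow JOHN to read confidential file X")
    results = {"genuine": receiver.accept(first)}
    # Modification: the attacker rewrites the name but cannot recompute the tag.
    results["modified"] = receiver.accept(first.replace("JOHN", "Smith"))
    # Replay: the attacker re-sends the captured, correctly tagged message.
    results["replay"] = receiver.accept(first)
    results["next"] = receiver.accept(sender.send("Transfer 100 to account 42"))
    return results


if __name__ == "__main__":
    for name, (ok, info) in demo().items():
        print(f"{name:9s} accepted={ok}  {info}")
```

An HMAC cannot address repudiation, because both parties hold the same key and either could have produced the tag; that needs a digital signature with a private key only the sender holds. The counter must also be persisted by the receiver, or replaced by a timestamp window, otherwise a restart re-opens the replay window.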
Passive attacks: A passive attack attempts to learn or make use of information from the system but
does not affect system resources. Passive attacks are in the nature of eavesdropping on or
monitoring of transmissions. The goal of the opponent is to obtain the information that is being
transmitted.
Types of passive attacks are as follows:
1. Release of message contents – A telephone conversation, an electronic mail message or a
transferred file may contain sensitive or confidential information. We would like to prevent an
opponent from learning the contents of these transmissions.
2. Traffic analysis – Suppose that we had a way of masking (encrypting) the information, so that an
attacker who captured the message could not extract any information from it. The opponent could
still determine the location and identity of the communicating hosts and observe the frequency and
length of the messages being exchanged. This information might be useful in guessing the nature of
the communication that was taking place.
Cybercrime prevention methods
1. Use Strong Passwords - Use different user ID / password combinations for different
accounts and avoid writing them down. Make the passwords more complicated by combining
letters, numbers, special characters (minimum 10 characters in total) and change them on a
regular basis.
2. Secure your computer -
 Activate your firewall - Firewalls are the first line of cyber defence; they block
connections to unknown or bogus sites and will keep out some types of viruses and
hackers.
 Use anti-virus/malware software - Prevent viruses from infecting your computer
by installing and regularly updating anti-virus software.
 Block spyware attacks - Prevent spyware from infiltrating your computer by
installing and updating anti-spyware software.
3. Be Social-Media Savvy - Make sure your social networking profiles (e.g., Facebook,
Twitter, YouTube, MSN, etc.) are set to private. Check your security settings. Be careful
what information you post online. Once it is on the Internet, it is there forever!
4. Secure your Mobile Devices - Be aware that your mobile device is vulnerable to viruses
and hackers. Download applications from trusted sources.
5. Install the latest operating system updates - Keep your applications and operating system
(e.g. Windows, Mac, Linux) current with the latest system updates. Turn on automatic
updates to prevent potential attacks on older software.
6. Protect your Data - Use encryption for your most sensitive files such as tax returns or
financial records, make regular back-ups of all your important data, and store it in another
location.
7. Secure your wireless network - Wi-Fi (wireless) networks at home are vulnerable to
intrusion if they are not properly secured. Review and modify default settings. Public Wi-
Fi, a.k.a. “Hot Spots”, are also vulnerable. Avoid conducting financial or corporate
transactions on these networks.
8. Protect your e-identity - Be cautious when giving out personal information such as your
name, address, phone number or financial information on the Internet. Make sure that
websites are secure (e.g., when making online purchases) or that you’ve enabled privacy
settings (e.g. when accessing/using social networking sites).
9. Avoid being scammed - Always think before you click on a link or file of unknown origin.
Don’t feel pressured by any emails. Check the source of the message. When in doubt, verify
the source. Never reply to emails that ask you to verify your information or confirm your
user ID or password.
10. Call the right person for help - Don’t panic! If you are a victim, if you encounter illegal
Internet content (e.g., child exploitation) or if you suspect a computer crime, identity theft or
a commercial scam, report this to your local police. If you need help with maintenance or
software installation on your computer, consult with your service provider or a certified
computer technician.

Stalking and Obscenity in Internet


Cyberstalking
 Cyberstalking is the use of the Internet or other electronic means to stalk or harass an
individual, group, or organization. It may include false accusations, defamation, slander and
libel. It may also include monitoring, identity theft, threats, vandalism, solicitation for sex,
or gathering information that may be used to threaten, embarrass or harass.
 Cyberstalking is often accompanied by real-time or offline stalking. In many jurisdictions,
such as California, both are criminal offenses. Both are motivated by a desire to control,
intimidate or influence a victim. A stalker may be an online stranger or a person whom the
target knows. They may be anonymous and solicit the involvement of other people online who
do not even know the target.
 Cyberstalking is a criminal offense under various state anti-stalking, slander and harassment
laws. A conviction can result in a restraining order, probation, or criminal penalties against
the assailant, including jail.

Cyberstalking can take many forms, including:


1. harassment, embarrassment and humiliation of the victim
2. emptying bank accounts or other economic control such as ruining the victim's credit score
3. harassing family, friends and employers to isolate the victim
4. scare tactics to instil fear and more

Key factors in cyberstalking:


 False accusations
 Attempts to gather information about the victim
 Monitoring their target's online activities and attempting to trace their IP address in an
effort to gather more information about their victims.
 Encouraging others to harass the victim
 False victimization
 Attacks on data and equipment
 Arranging to meet
 The posting of defamatory or derogatory statements

Obscenity in Internet
Obscenity refers to a narrow category of pornography that violates contemporary community
standards and has no serious literary, artistic, political or scientific value. For adults at least, most
pornography — material of a sexual nature that arouses many readers and viewers — receives
constitutional protection. However, two types of pornography receive no First Amendment
protection: obscenity and child pornography. Sometimes, material is classified as “harmful to
minors” (or obscene as to minors), even though adults can have access to the same material.

Password Cracking
 Password cracking techniques are used to recover passwords from data stored in or
transmitted by computer systems.
 Attackers use password-cracking techniques to gain unauthorized access to a vulnerable
system.
 Most password cracking techniques succeed because of weak or easily guessable
passwords.
 Password cracking may also be used legitimately, for example to recover a user's forgotten
password.

Types of Password Attacks


 Non-Technical Attacks – The attacker need not possess technical knowledge to obtain the
password, hence the name non-technical attack.
These attacks include the following:
 Shoulder Surfing - Observing the victim at close quarters, watching their hands or screen as
they type, and reading off the password.
 Social Engineering - One of the most effective non-technical attacks. The attacker collects as
much information as possible about the target, by direct or indirect contact, in order to
obtain or guess the password.
 Dumpster Diving - Collecting information about passwords from the rubbish discarded by the
target's office or home. It is often surprisingly effective.
 Active Online Attack -
 Dictionary Attack - A dictionary file (word list) is loaded into the cracking application,
which tries each word against the user accounts.
 Brute Forcing Attack - The program tries every combination of characters until the
password is broken.
 Rule-Based Attack - Used when the attacker has some information about the password
(length, character classes, known fragments); that information is encoded as rules that
transform dictionary words into likely candidates.

 Password Guessing - The attacker creates a list of all possible passwords from the
information collected through social engineering or any other way and tries them
manually on the victim's machine.
 Trojan/Spyware/Keylogger - The attacker installs a Trojan, spyware or keylogger on
the victim's machine to collect the victim's user names and passwords. It runs in the
background and sends all captured credentials back to the attacker.
 Hash Injection Attack - Allows an attacker to inject a compromised hash into a local
session and use the hash to authenticate to network resources (also known as
pass-the-hash). The attacker finds and extracts the hash of a logged-on domain admin
account and uses the extracted hash to log on to the domain controller.

 Passive Online Attacks -


 Wire Sniffing - Attackers run packet sniffer tools on the local area network (LAN) to
capture and record the raw network traffic. The captured data may include sensitive
information such as passwords (FTP, login sessions, etc.) and emails. Sniffed
credentials are used to gain unauthorized access to the target system.
 Man-in-the-Middle and Replay Attack - In a MITM attack, the attacker gains access to
the communication channel between the victim and the server to extract information. In a
replay attack, packets and authentication tokens are captured using a sniffer; after the
relevant information is extracted, the tokens are placed back on the network to gain access.
 Default Password - A default password is the password supplied by the manufacturer
with new password-protected equipment (switches, hubs, routers). Attackers include
default passwords in the word list or dictionary that they use for password guessing
attacks.
 Offline Attack -
 Rainbow Table Attack - A rainbow table is a precomputed table built from word lists
(dictionary files and brute force lists) and their hash values; to save space it stores only
the endpoints of chains of alternating hash and 'reduction' steps rather than every hash. The
attacker captures the password hashes and looks them up against the precomputed table; if a
match is found the password is cracked. Salting each password with a random value before
hashing makes a precomputed table useless, because the same password no longer produces the
same hash.
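The dictionary, rule-based, brute-force and precomputed-table attacks above, run against unsalted SHA-256 hashes, followed by the defence (a random per-user salt with a slow hash) that makes the precomputed table useless. This is an added example, not from the original notes; the word list, the mangling rules and the 'leaked' hashes are constructed for the demonstration, not taken from any real breach.

```python
"""Offline password cracking against unsalted SHA-256, and why salting with
PBKDF2 defeats precomputed tables.  Constructed data throughout.
"""
import hashlib
import hmac
import itertools
import os

WORDLIST = ["password", "welcome", "summer", "admin", "letmein"]   # constructed


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str):
    """Rule-based attack: derive candidates from one dictionary word using
    rules that mirror how people 'strengthen' passwords."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2023"):
        yield word + suffix
        yield word.capitalize() + suffix
    # leetspeak substitutions
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> candidate once; reusable against any unsalted dump.
    (A true rainbow table compresses this with hash/reduce chains; the attack
    on unsalted hashes is the same.)"""
    return {sha256_hex(c): c for w in wordlist for c in mangle(w)}


def crack_unsalted(leaked_hashes, table) -> dict:
    """Offline attack: every leaked hash costs a single dictionary lookup."""
    return {h: table.get(h) for h in leaked_hashes}


def brute_force(target_hex: str, charset: str, max_len: int):
    """Try every combination up to max_len chars (cost grows as |charset|**len)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


def salted_hash(password: str, salt: bytes, rounds: int = 20_000) -> str:
    """Defence: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_salted(target_hex: str, salt: bytes, wordlist, rounds: int = 20_000):
    """With a salt the precomputed table is worthless: each candidate must be
    re-hashed for this one user, and each hash costs `rounds` iterations."""
    for word in wordlist:
        for candidate in mangle(word):
            if hmac.compare_digest(salted_hash(candidate, salt, rounds), target_hex):
                return candidate
    return None


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    # Constructed 'leaked' unsalted hashes for three users.
    leaked = {"alice": sha256_hex("Welcome123"),
              "bob": sha256_hex("p@ssw0rd"),
              "carol": sha256_hex("Tr0ub4dor&3")}
    cracked = crack_unsalted(leaked.values(), table)
    unsalted = {user: cracked[h] for user, h in leaked.items()}

    # Same weak password, two users, two salts: different hashes, no table hit.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    hash_a = salted_hash("Welcome123", salt_a)
    hash_b = salted_hash("Welcome123", salt_b)
    return {
        "unsalted": unsalted,
        "salted_hashes_differ": hash_a != hash_b,
        "table_hit_on_salted": table.get(hash_a),
        "salted_recovered_by_rehashing": crack_salted(hash_a, salt_a, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Alice's and Bob's passwords fall to the rules instantly; Carol's is not derivable from the list and survives. The salted hash is still recoverable, but only by re-running the slow hash for every candidate against that one user, which is the cost a defender wants the attacker to pay.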

Botnet:
A botnet is a network of computers infected with malware that are controlled by a bot herder. The bot
herder is the person who operates the botnet infrastructure and uses the compromised computers to
launch attacks designed to crash a target’s network, inject malware, harvest credentials or execute CPU-
intensive tasks. Each individual device within the botnet network is called a bot.

How are Botnets Controlled?


Bot herders control their botnets through one of two structures: a centralized model with direct
communication between the bot herder and each computer, and a decentralized system with multiple
links between all the infected botnet devices.
Centralized, Client-Server Model

The first generation of botnets operated on a client-server architecture, where one command-and-control
(C&C) server operates the entire botnet. The centralized model is simple to build, but its
disadvantage compared with a P2P model is that the C&C server is a single point of failure.

The two most common C&C communication channels are IRC and HTTP:

IRC (Internet Relay Chat) botnet


IRC botnets are among the earliest types of botnet and are controlled remotely with a pre-configured
IRC server and channel. The bots connect to the IRC server and await the bot herder’s commands.
HTTP botnet
An HTTP botnet is a web-based botnet through which the bot herder uses the HTTP protocol to send
commands. Bots will periodically visit the server to get updates and new commands. Using HTTP
protocol allows the herder to mask their activities as normal web traffic.
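The periodic check-in just described is also what gives an HTTP botnet away: a bot polls one host at near-constant intervals, while a person's browsing is bursty. The detector below is an added example, not from the original notes; the log format (`epoch_seconds client_ip destination_host`) and the log lines themselves are constructed for the demonstration.

```python
"""Spotting HTTP C&C beaconing in proxy logs by the regularity of the
intervals between a client's connections to one host.  Constructed data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons to updates.example-cdn.net roughly
# every 60 s (with a little jitter); 10.0.0.7 is a person reading the news.
SAMPLE_LOG = """\
1700000000 10.0.0.5 updates.example-cdn.net
1700000005 10.0.0.7 news.example.org
1700000059 10.0.0.5 updates.example-cdn.net
1700000110 10.0.0.7 news.example.org
1700000121 10.0.0.5 updates.example-cdn.net
1700000135 10.0.0.7 news.example.org
1700000150 10.0.0.5 intranet.example.corp
1700000180 10.0.0.5 updates.example-cdn.net
1700000241 10.0.0.5 updates.example-cdn.net
1700000299 10.0.0.5 updates.example-cdn.net
1700000360 10.0.0.5 updates.example-cdn.net
1700000400 10.0.0.7 news.example.org
1700000412 10.0.0.7 news.example.org
1700000421 10.0.0.5 updates.example-cdn.net
1700000700 10.0.0.5 intranet.example.corp
1700000900 10.0.0.7 news.example.org
"""


def parse_log(text: str):
    """Yield (timestamp, client, host) for each well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(log_text: str, min_connections: int = 5, max_cv: float = 0.1) -> list:
    """Flag (client, host) pairs whose inter-connection intervals are regular.

    Regularity is the coefficient of variation (pstdev / mean) of the gaps
    between consecutive connections; a low CV over enough samples points to
    machine timing rather than human browsing.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        times[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_connections:
            continue                      # too few samples to judge
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                      # all hits in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host,
                            "connections": len(stamps),
                            "mean_interval": round(avg, 1),
                            "cv": round(cv, 3)})
    return sorted(beacons, key=lambda b: b["cv"])


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['client']} -> {b['host']}: {b['connections']} hits, "
              f"every ~{b['mean_interval']} s (cv={b['cv']})")
```

Only the 10.0.0.5 to updates.example-cdn.net pair is flagged; the news reader has far too irregular a rhythm and the intranet pair has too few samples. Real bots add deliberate jitter and long sleeps, so in practice the CV threshold and minimum sample count are tuned per environment and combined with other signals such as byte counts, user agents and the reputation of the destination.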

Decentralized, Peer-to-Peer Model


The new generation of botnets are peer-to-peer, where bots share commands and information with each
other and are not in direct contact with the C&C server.

P2P botnets are harder to implement than IRC or HTTP botnets, but are also more resilient because
they do not rely on one centralized server. Instead, each bot works independently as both a client and a
server, updating and sharing information in a coordinated manner between devices in the botnet.

How Does a Botnet Work?


The stages of creating a botnet can be simplified into these steps:

 Expose
 Infect and Grow
 Activate
In stage 1, the hacker will find a vulnerability in either a website, application, or user behavior in order
to expose users to malware. A bot herder intends for users to remain unaware of their exposure and
eventual malware infection. They may exploit security issues in software or websites so that they can
deliver malware through emails, drive-by downloads, or trojan horse downloads.

In stage 2, victims’ devices are infected with malware that can take control of their devices. The initial
malware infection allows hackers to create zombie devices using techniques like web downloads,
exploit kits, popup ads, and email attachments. If it’s a centralized botnet, the herder will direct the
infected device to a C&C server. If it’s a P2P botnet, peer propagation begins and the zombie devices
seek to connect with other infected devices.

In stage 3, when the bot herder has infected a sufficient number of bots, they can then mobilize their
attacks. The zombie devices download the latest update from the C&C channel to receive their
orders. Each bot then proceeds with its orders and engages in malicious activities. The bot herder can
continue to remotely manage and grow their botnet to carry out various malicious activities. Botnets do
not target specific individuals, since the bot herder’s goal is to infect as many devices as possible so they
can carry out malicious attacks.

Types of Botnet Attacks


Once an adversary is in control of a botnet, the malicious possibilities are extensive. A botnet can be
used to conduct many types of attacks, including:

1. Phishing
Botnets can be used to distribute malware via phishing emails. Because botnets are automated and
consist of many bots, shutting down a phishing campaign is like playing a game of Whack-A-Mole.

2. Distributed Denial-of-Service (DDoS) attack

During a DDoS attack, the botnet sends an overwhelming number of requests to a targeted server or
application, causing it to crash. Network-layer DDoS attacks use SYN floods, UDP floods, DNS
amplification, and other techniques designed to eat up the target’s bandwidth and prevent legitimate
requests from being served. Application-layer DDoS attacks use HTTP floods, Slowloris or RUDY
attacks, zero-day attacks and other attacks that target vulnerabilities in an operating system, application
or protocol in order to crash a particular application.

Many will remember the massive Mirai botnet DDoS attack. Mirai is an IoT botnet made up of hundreds
of thousands of compromised IoT devices, which in 2016 took down services like OVH, Dyn, and
Krebs on Security.

3. Spambots

Spambots harvest emails from websites, forums, guestbooks, chat rooms and anyplace else users enter
their email addresses. Once acquired, the emails are used to create accounts and send spam messages.
Over 80 percent of spam is thought to come from botnets.

How to Protect Against Botnets:

To prevent your devices from becoming part of a botnet, we recommend your organization consider the
following:

1. Run a regular security awareness training program that teaches users/employees to identify
malicious links.
2. Always keep your software updated to decrease the chances of a botnet attack exploiting
weaknesses in the system.
3. Use two-factor authentication to prevent botnet malware from breaking into devices and
accounts if a password has been compromised.
4. Update passwords across all devices, especially the privacy and security options on those that
connect device-to-device or to the internet.
5. Use a quality antivirus solution that is kept up to date and scans the network regularly.
6. Deploy an intrusion detection system (IDS) across your network.
7. Use an endpoint protection solution that includes rootkit detection capability and that can detect
and block malicious network traffic.
CHAPTER-III
Cyber Crime-Mobile and Cellular Devices

Cybercrime is defined as a crime in which a computer is the object of the crime (hacking,
phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes).
Cybercriminals may use computer technology to access personal information, business trade
secrets or use the internet for exploitative or malicious purposes. Criminals can also use computers
for communication and document or data storage. Criminals who perform these illegal activities
are often referred to as hackers.
Cybercrime may also be referred to as computer crime.

Mobile, Wireless Devices and hand-held devices

Fig: Mobile, wireless and hand-held devices.


1. Portable Computer
It is a general-purpose computer that can be easily moved from one place to another, but
cannot be used while in transit, usually because it requires some “setting-up” and an AC power
source.
2. Tablet PC
It lacks a keyboard, is shaped like a slate or a paper notebook and has features of a
touch- screen with a stylus and handwriting recognition software. Tablets may not be best suited
for applications requiring a physical keyboard for typing, but are otherwise capable of carrying
out most tasks that an ordinary laptop would be able to perform.
3. Internet Tablet
It is the Internet appliance in tablet form. Unlike a Tablet PC, the Internet tablet does not
have much computing power and its applications suite is limited. Also it cannot replace a
general-purpose computer. The Internet tablets typically feature an MP3 and video player, a
Web browser, a chat application and a picture viewer.

4. Personal Digital Assistant (PDA)
It is a small, usually pocket-sized, computer with limited functionality. It is intended to
supplement and synchronize with a desktop computer, giving access to contacts, address book, notes,
E-Mail and other features.
5. Ultra Mobile PC
It is a full-featured, PDA-sized computer running a general-purpose operating system (OS).
6. Smartphone
It is a PDA with an integrated cell phone functionality. Current Smartphones have a wide
range of features and installable applications.
7. Carputer
It is a computing device installed in an automobile. It operates as a wireless computer, sound
system, and global positioning system (GPS) and DVD player. It also contains word processing
software and is Bluetooth compatible.
8. Fly Fusion Pentop Computer
It is a computing device with the size and shape of a pen. It functions as a writing utensil, MP3
player, language translator, digital storage device and calculator.
 Trends in Mobility
Mobile computing is moving into a new era, third generation (3G), which promises greater
variety in applications, highly improved usability and speedier networking. “iPhone”
from Apple and Google-led “Android” phones are the best examples of this trend and there are plenty
of other developments that point in this direction. This smart mobile technology is rapidly gaining
popularity and the attackers (hackers and crackers) are among its biggest fans.

Fig: Mobility types and implications.

1. Key Findings for Mobile Computing Security Scenario
1. With usage experience, awareness of mobile users gets enhanced
2. People continue to remain the weakest link for laptop security
3. Wireless connectivity does little to increase burden of managing laptops
4. Laptop experience changes the view of starting a smart hand-held pilot
5. There is naivety and/or neglect in smart hand-held security
6. Rules rather than technology keep smart hand-helds’ usage in check
2. Popular types of attacks against 3G mobile networks
1. Malware, viruses and worms
2. Denial-of-service (DoS)
3. Overbilling attack
4. Spoofed policy development process (PDP)
5. Signaling-level attacks
 Authentication Service Security
1. There are two components of security in mobile computing: security of devices
and security in networks.
2. Secure network access involves mutual authentication between the device and
the base stations or Web servers.
3. This is to ensure that only authenticated devices can be connected to the network for
obtaining the requested services.
4. It also ensures that no malicious code can impersonate the service provider to trick the
device into doing something it does not mean to.
5. Thus, the networks also play a crucial role in the security of mobile devices. Some
prominent kinds of attacks to which mobile devices are subjected are: push attacks,
pull attacks and crash attacks.
6. Authentication service security is important given the typical attacks on mobile
devices through wireless networks: DoS attacks, traffic analysis, eavesdropping, man-
in-the-middle attacks and session hijacking.
1. Cryptographic Security for Mobile Devices
We will discuss a technique known as cryptographically generated addresses
(CGA). CGAs are Internet Protocol version 6 (IPv6) addresses in which up to 64 address bits
are generated by hashing the owner’s public key. The owner then uses the
corresponding private key to assert ownership of the address.
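A worked illustration of the CGA idea, added here and not part of the original notes: the 64-bit interface identifier is derived by hashing the owner's public key together with a modifier, the subnet prefix and a collision count, following the Sec=0 construction of RFC 3972. The key bytes are a constructed stand-in, and the private-key signature that asserts ownership needs a library outside the standard library and is not shown; what the block demonstrates is the hash binding and how a verifier checks it.

```python
"""Simplified cryptographically generated addresses (CGA), added example.

Interface identifier = leftmost 64 bits of
    SHA-1(modifier || subnet prefix || collision count || public key)
with the three leftmost bits set to the Sec value and the u/g bits cleared,
as in RFC 3972.  Only Sec=0 is exercised: Sec>0 additionally needs the
Hash2 work-factor check, which is omitted here.
"""
import hashlib
import ipaddress
import os


def cga_interface_id(modifier: bytes, prefix: bytes, collision: int,
                     pubkey: bytes, sec: int = 0) -> bytes:
    """Derive the 64-bit interface identifier from the CGA parameters."""
    if len(modifier) != 16 or len(prefix) != 8 or not 0 <= collision <= 2:
        raise ValueError("modifier must be 16 bytes, prefix 8 bytes, collision 0..2")
    if not 0 <= sec <= 7:
        raise ValueError("Sec is a 3-bit value")
    digest = hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()
    iid = bytearray(digest[:8])            # leftmost 64 bits of Hash1
    # byte 0: bits 0-2 (MSBs) carry Sec, bits 6-7 (LSBs) are the u/g bits, forced to 0
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def cga_generate(prefix_str: str, pubkey: bytes, sec: int = 0):
    """Build a CGA for the /64 prefix and return (address, modifier, collision_count).

    A random modifier is drawn so the same key yields different addresses on
    different runs; the collision count stays 0 because no duplicate-address
    detection is performed in this offline example.
    """
    prefix = ipaddress.IPv6Address(prefix_str).packed[:8]
    modifier = os.urandom(16)
    collision = 0
    iid = cga_interface_id(modifier, prefix, collision, pubkey, sec)
    return ipaddress.IPv6Address(prefix + iid), modifier, collision


def cga_verify(addr, prefix_str: str, modifier: bytes, collision: int,
               pubkey: bytes) -> bool:
    """True if addr is the CGA bound to pubkey under the given parameters.

    A verifier recomputes the hash from the parameters the owner publishes;
    a different key, prefix or modifier cannot reproduce the same identifier.
    """
    packed = ipaddress.IPv6Address(str(addr)).packed
    prefix = ipaddress.IPv6Address(prefix_str).packed[:8]
    if packed[:8] != prefix or not 0 <= collision <= 2:
        return False
    sec = packed[8] >> 5                   # Sec is carried in the address itself
    expected = cga_interface_id(modifier, prefix, collision, pubkey, sec)
    return packed[8:] == expected


if __name__ == "__main__":
    # constructed stand-in for an encoded public key
    demo_key = b"constructed-public-key-bytes"
    address, mod, coll = cga_generate("2001:db8:1:2::", demo_key)
    print(address, cga_verify(address, "2001:db8:1:2::", mod, coll, demo_key))
```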

Fig: Push attack on mobile devices. DDoS implies distributed denial-of-service attack.

2. LDAP Security for Hand-Held Mobile Computing Devices


Lightweight directory access protocol (LDAP) is a protocol that helps users find data about
organizations, persons, and more. LDAP has two main goals: to store data in the LDAP directory
and authenticate users to access the directory. It also provides the communication language that
applications require to send and receive information from directory services. A directory service
provides access to where information on organizations, individuals, and other data is located within
a network.

The most common LDAP use case is providing a central location for accessing and managing
directory services. LDAP enables organizations to store, manage, and secure information about the
organization, its users, and assets–like usernames and passwords. This helps simplify storage access
by providing a hierarchical structure of information, and it can be critical for corporations as they
grow and acquire more user data and assets.

LDAP also functions as an identity and access management (IAM) solution that targets user
authentication, including support for Kerberos and single sign-on (SSO), Simple Authentication
and Security Layer (SASL), and Secure Sockets Layer (SSL).

LDAP vs. Active Directory

LDAP is the core protocol used in–but not exclusive to–Microsoft’s Active Directory (AD)
directory service, a large directory service database that contains information spanning every user
account in a network. More specifically, LDAP is a lightweight version of Directory Access
Protocol (DAP) and provides a central location for accessing and managing directory services
running on the Transmission Control Protocol/Internet Protocol (TCP/IP). The most recent version
is LDAPv3.

AD provides the authentication and management of users and groups, and it is what ultimately
authenticates a user or computer. The database contains a higher volume of attributes than what is
pulled into LDAP. However, LDAP specializes in finding a directory object with little information,
so it doesn’t need to extract all of its attributes from AD, or whichever directory service it is pulling
from.

The main goal of LDAP is to communicate with, store, and extract objects (i.e. domains, users,
groups, etc.) from AD into a usable format for its own directory, located on the LDAP server.
Think of it this way: AD is the largest library in the world, and you’re looking for a book with a
title that mentions zombies. In the world of LDAP, the details of whether or not the book was
published in the U.S., contains over 1,000 pages, or is a how-to guide on surviving the zombie
apocalypse don’t matter–although they do help narrow down the options available. LDAP is the
experienced librarian who knows exactly where to find all of the options that satisfy your request
and verify you’ve found what you’re looking for.

LDAP authentication process


What prompts an LDAP search, and how does it work?

The LDAP authentication process is a client-server model of authentication, and it consists of these
key players:

Directory System Agent (DSA): a server running LDAP on its network

Directory User Agent (DUA): accesses DSAs as a client (ex. a user’s PC)

Distinguished Name (DN): contains a path through the Directory Information Tree (DIT)
for LDAP to navigate through (ex. cn=Susan, ou=users, o=Company)

Relative Distinguished Name (RDN): each component in the path within the DN (ex. cn=Susan)

Application Programming Interface (API): lets your product or service communicate with other
products and services without having to know how they’re implemented

The process starts when a user tries to access an LDAP-enabled client program, like a business
email application, on their PC. With LDAPv3, users will go through one of two possible user
authentication methods: simple authentication, like SSO with login credentials, or SASL
authentication, which binds the LDAP server to a program like Kerberos. The login attempt sends a
request to authenticate the DN assigned to the user. The DN is sent through the client API or service
that launches the DSA.

The client automatically binds to the DSA, and LDAP uses the DN to search for the matching object
or set of objects against the records in the LDAP database. The RDNs in the DN are very important
at this stage, as they provide each step in LDAP’s search through the DIT to find the individual. If
the path is missing a connecting RDN on the backend, the result could turn up as invalid. In this
case, the object LDAP is searching for is the individual user account (cn=Susan), and it can only
validate the user if the account in the directory has the matching uid and userPassword. User groups
are also identified as objects within the LDAP directory.

Once the user receives a response (valid or not valid), the client unbinds from the LDAP server.
Authenticated users are then able to access the API and its services, including necessary files, user
information, and other application data, based on the permissions granted by the system
administrator.

Understanding LDAP components


LDAP’s lightweight structure and use of a DIT make it possible to quickly run an LDAP search and
successfully provide results. Understanding the DIT is vital to successfully navigating an LDAP
server and understanding how the LDAP searches work.

The DIT makes it possible to quickly navigate through the different levels of the LDAP directory to
narrow down search results and provide a response to a query. The DIT starts at the root directory,
followed by countries, which then branches out to two subclasses: the Domain Component (dc) and
Organization Name (o).

Domain Component (dc)

The dc (i.e. dc=com, dc=example) uses domain name system (DNS) mapping to locate Internet
domain names and translate them into IP addresses.

Most users don’t know the domain name and/or IP address of the individual they’re searching for.
In this case, LDAP uses the Distinguished Name (DN) assigned to the user as a path to quickly
navigate through the DIT and find the search result. This is where the o subclass comes in.

Organization Name (o)

The o subclass (ex. o=Company) is one of the most general subclasses listed in the DN, and it is
usually where LDAP starts when it runs a search. For example, a simple path usually starts with the
o subclass, branching off to the Organizational Unit (ou), followed by a user account or group.

Organizational Unit (ou)

As previously mentioned, the ou is a subclass of o and is often seen as ou=users or ou=group, with
each containing a list of user accounts or groups. Here’s how this might look in a directory:

o=Company
    ou=groups
        cn=developers
    ou=users
        cn=Susan

Common name (cn)

A common name, or cn, is used to identify the name of a group or individual user account (ex.
cn=developers, cn=Susan). A user can belong to a group, so if Susan is a developer, they could also
live under cn=developers.

Attributes and values

Each subclass in the LDAP DIT (i.e. o, ou, cn) contains attributes and values, or schema that
contains information on a LDAP directory’s structure that can help narrow down a search.
Attributes are similar to what you would find in an address book entry, with labels like name, phone
number, and address, and there are values assigned to each attribute. For example, Susan would be
the value of the name attribute.

In the cn=Susan account, user id (uid) and userPassword are attributes and the user’s login credentials
are the values. However, in a group like cn=developers, Susan would appear in the uniqueMember
attribute (ex. uniqueMember=cn=Susan,ou=users,o=Company). This maps a path to where Susan’s
individual user account is located, along with the information LDAP is searching for. A user
account is the end of the line in the DIT, and it is where LDAP ultimately extracts the results of the
search.

There are many other attribute types and syntaxes that can help narrow down a search, including
ObjectClasses, like organizationalPerson (structural) or person (structural). However, the number
of attributes on LDAP is limited in order to keep it lightweight and easy to use.
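To tie together the LDAP authentication process and the DIT walk described above, an added example (not from the original notes) with a constructed in-memory directory: a DN is split into RDNs, the search walks the tree from o=Company down to cn=Susan, a simple bind checks uid and userPassword, and a DN with a missing connecting RDN fails the way the text describes. The password hashing is a toy salted SHA-256, not a real LDAP storage scheme.

```python
"""Toy LDAP-style directory: DN parsing, DIT walk and simple bind (added example)."""
import hashlib
import hmac


def parse_dn(dn: str):
    """Split 'cn=Susan,ou=users,o=Company' into RDN (type, value) pairs, leaf first.

    Attribute types are case-insensitive; this toy parser does not handle the
    escaped commas or multi-valued RDNs of a full RFC 4514 DN.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _pw_hash(password: str) -> str:
    """Toy salted SHA-256 for stored userPassword values (not an LDAP scheme)."""
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()


# Constructed DIT: root -> o=Company -> ou -> cn.  Containers are keyed by RDN
# tuples, leaf entries are attribute dictionaries.
DIT = {
    ("o", "Company"): {
        ("ou", "groups"): {
            ("cn", "developers"): {
                "uniqueMember": ["cn=Susan,ou=users,o=Company"],
            },
        },
        ("ou", "users"): {
            ("cn", "Susan"): {
                "uid": "susan",
                "userPassword": _pw_hash("correct horse"),
            },
        },
    },
}


def search(dit, dn: str):
    """Walk from the root (rightmost RDN) to the leaf (leftmost RDN).

    Returns the entry, or None when any connecting RDN is missing, which is
    why 'cn=Susan,o=Company' fails even though cn=Susan exists under ou=users.
    """
    node = dit
    for rdn in reversed(parse_dn(dn)):
        if not isinstance(node, dict) or rdn not in node:
            return None
        node = node[rdn]
    return node


def simple_bind(dit, dn: str, uid: str, password: str) -> bool:
    """Simple authentication: the DN must resolve and both uid and password must match."""
    entry = search(dit, dn)
    if entry is None or "userPassword" not in entry:
        return False
    uid_ok = entry.get("uid") == uid
    pw_ok = hmac.compare_digest(entry["userPassword"], _pw_hash(password))
    return uid_ok and pw_ok


def members(dit, group_dn: str):
    """Resolve a group's uniqueMember DNs to the entries they point at."""
    group = search(dit, group_dn) or {}
    return {m: search(dit, m) for m in group.get("uniqueMember", [])}
```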
Why LDAP?
Enterprise network admins are typically managing thousands of users at a time. This means they are
responsible for assigning access controls and policies based on a user’s role and access to files for
everyday tasks, like a company intranet.

LDAP simplifies the user management process, saves network admins valuable time, and
centralizes the authentication process. Before integrating LDAP into your environment, it’s
important to consider the following:

Capacity: how much user management data do you need to store? Consider if products that
implement LDAP solutions have the capacity to store and manage all the data you need.

Search frequency: are there pieces of data that a user needs to access daily, like a company intranet,
email application or service? If so, LDAP may be for you.

Organization: will the simple DIT in LDAP provide enough organization for your data, or do you
need a more detailed system?

Fig: Pull attack on mobile devices


While LDAP is commonly used in AD, it can also be used to authenticate users for other tools
and client environments, including Red Hat Directory Servers on UNIX, and OpenLDAP, an
open source application, on Windows. You can also take advantage of LDAP’s authentication
and user management capabilities for API management, role-based access control (RBAC), or
other applications and services like Docker and Kubernetes.
3. RAS (Remote Access Service) Security for Mobile Devices
RAS is an important consideration for protecting the business-sensitive data that may reside on
the employees’ mobile devices. In terms of cybersecurity, mobile devices are sensitive. Figure 2
illustrates how access to an organization's sensitive data can happen through mobile hand-held
devices carried by employees. In addition to being vulnerable to unauthorized access on their
own, mobile devices also provide a route into the systems with which they connect. By using a
mobile device to appear as a registered user to these systems, a would-be cracker is then able to
steal data or compromise corporate systems in other ways.
Another threat comes from the practice of port scanning. First, attackers use a domain name
system (DNS) server to locate the IP address of a connected computer. A domain is a
collection of sites that are related in some sense. Second, they scan the ports on this known IP
address, working their way through its Transmission Control Protocol (TCP)/User Datagram
Protocol (UDP) stack to see what communication ports are unprotected by firewalls. For
instance, File Transfer Protocol (FTP) transmissions are typically assigned to port 21. If this port
is left unprotected, it can be misused by the attackers.

Protecting against port scanning requires software that can trap unauthorized incoming data
packets and prevent a mobile device from revealing its existence and ID. A personal firewall on
a pocket PC or Smartphone device can be an effective protective screen against this form of
attack for users connecting through a direct Internet or RAS connection. For situations
where all connections to the corporate network pass through a gateway, placing the personal
firewall on the gateway itself could be the simplest solution, because it avoids the need to place
a personal firewall on each mobile device. In either case, deploying secure access methods that
implement strong authentication keys will provide additional protection.

4. Media Player Control Security


1. Given the lifestyle of today’s young generation, it is quite common to expect them to
embrace mobile hand-held devices as a means for information access, remote
working and entertainment.
2. Music and video are two important aspects of day-to-day life for the young
generation.
3. Given this, it is easy to appreciate how this can be a source of cyber security breaches.
Various leading software development organizations have been warning users about
the potential security attacks on their mobile devices through the “music gateways.”
4. There are many examples to show how a media player can turn out to be a source of threat
to information held on mobile devices.
5. For example, in the year 2002, Microsoft Corporation warned about this.
6. According to this news item, Microsoft had warned people that a series of flaws in its
Windows Media Player could allow a malicious hacker to hijack people’s computer
systems and perform a variety of actions.
7. According to this warning from Microsoft, in the most severe exploit of a flaw, a hacker
could take over a computer system and perform any task the computer’s owner is allowed
to do, such as opening files or accessing certain parts of a network.
8. As another example, consider the following news item of the year 2004: corrupt files
posing as normal music and video files could allow an attacker to gain control of the
downloader's computer. With this happening, there are three vulnerabilities:
(a) Files could be created that will open a website in the user's browser (e.g., the user
could be accessing it from his/her hand-held device) from where remote JavaScript can
be run;
(b) Files could be created which allow the attacker to download and use the code on a
user's machine.
(c) Media files could be created that will create buffer overrun errors.
5. Networking API Security for Mobile Computing Applications
1. With the advent of electronic commerce (E-Commerce) and its further off -shoot into M-
Commerce, online payments are becoming a common phenomenon with the payment
gateways accessed remotely and possibly wirelessly.
2. With the advent of Web services and their use in mobile computing applications
consideration.
3. Already, there are organizations announcing the development of various APIs to enable
software and hardware developers to write single applications that can be used to target
multiple security platforms present in a range of devices such as mobile phones,
portable media players, set-top boxes and home gateways.
4. Most of these developments are targeted specifically at securing a range of embedded and
consumer products, including those running OSs such as Linux, Symbian, Microsoft
Windows CE and Microsoft Windows Mobile, Android and iOS.
5. Technological developments such as these provide the ability to significantly improve
cyber security of a wide range of consumer as well as mobile devices.
6. Providing a common software framework, APIs will become an important enabler of new
and higher value services.

Attacks on Mobile/Cell Phones


1. Mobile Phone Theft
1. Mobile phones have become an integral part of everybody’s life and the mobile phone
has transformed from being a luxury to a bare necessity.
2. Increase in purchasing power and the availability of numerous low-cost handsets have
also led to an increase in mobile phone users.
3. Theft of mobile phones has risen dramatically over the past few years.
4. Many insurance companies have stopped offering mobile theft insurance due to a large
number of false claims.
The following factors contribute to outbreaks on mobile devices:
1. Enough target terminals: The first Palm OS virus was seen after the number of Palm
OS devices reached 15 million. The first instance of a mobile virus was observed during
June 2004 when it was discovered that an organization “Ojam” had engineered an
antipiracy Trojan virus in older versions of their mobile phone game known as Mosquito.
This virus sent SMS text messages to the organization without the users’ knowledge.
2. Enough functionality: Mobile devices are increasingly being equipped with office
functionality and already carry critical data and applications, which are often protected
insufficiently or not at all. The expanded functionality also increases the probability of
malware.
3. Enough connectivity: Smartphones offer multiple communication options, such as SMS,
MMS, synchronization, Bluetooth, infrared (IR) and WLAN connections. Therefore,
unfortunately, the increased amount of freedom also offers more choices for virus writers.
2. Mobile Viruses
1. A mobile virus is similar to a computer virus that targets mobile phone data or
applications/software installed in it.
2. Virus attacks on mobile devices are no longer an exception or proof-of-concept
nowadays. In total, 40 mobile virus families and more than 300 mobile viruses have
been identified.
3. The first mobile virus was identified in 2004, and it was the beginning of the understanding
that mobile devices can act as vectors to enter the computer network.
4. Mobile viruses get spread through two dominant communication protocols – Bluetooth
and MMS.
5. Bluetooth virus can easily spread within a distance of 10–30 m, through Bluetooth-
activated phones (i.e., if Bluetooth is always ENABLED into a mobile phone) whereas
MMS virus can send a copy of itself to all mobile users whose numbers are available in
the infected mobile phone’s address book.

Following are some tips to protect mobile from mobile malware attacks.
1. Download or accept programs and content (including ring tones, games, video clips and
photos) only from a trusted source.
2. If a mobile is equipped with Bluetooth, turn it OFF or set it to non-discoverable mode
when it is not in use and/or not required to use.
3. If a mobile is equipped with beam (i.e., IR), allow it to receive incoming beams, only
from the trusted source.
4. Download and install antivirus software for mobile devices.
3. Mishing
1. Mishing is a combination of mobile phone and Phishing. Mishing attacks are attempted
using mobile phone technology.
2. M-Commerce is fast becoming a part of everyday life. If you use your mobile phone for
purchasing goods/services and for banking, you could be more vulnerable to a Mishing
scam.
3. A typical Mishing attacker uses a call (termed Vishing) or a message (SMS, known as
Smishing).
4. Attacker will pretend to be an employee from your bank or another organization and
will claim a need for your personal details.
5. Attackers are very creative and they would try to convince you with different reasons
why they need this information from you.
4. Vishing
Vishing is the criminal practice of using social engineering over the telephone
system, most often using features facilitated by VoIP, to gain access to personal and
financial information from the public for the purpose of financial reward. The term is a
combination of V – voice and Phishing.
Vishing is usually used to steal credit card numbers or other related data used in ID
theft schemes from individuals.
The most profitable uses of the information gained through a Vishing attack include

1. ID theft;
2. Purchasing luxury goods and services;
3. Transferring money/funds;
4. Monitoring the victims’ bank accounts;
5. Making applications for loans and credit cards.
How Vishing Works
The criminal can initiate a Vishing attack using a variety of methods, each of
which depends upon the information gathered by the criminal and the criminal’s will to reach a
particular audience.

1. Internet E-Mail: It is also called Phishing mail.
2. Mobile text messaging.
3. Voicemail: Here, the victim is forced to call the provided phone number once he/she
listens to the voicemail.
4. Direct phone call: Following are the steps detailing how a direct phone call works:
• The criminal gathers cell/mobile phone numbers located in a particular region and/or
steals cell/mobile phone numbers after accessing a legitimate voice messaging
company.
• The criminal often uses a war dialer to call phone numbers of people from a specific
region, and that too from the gathered list of phone numbers.
• When the victim answers the call, an automated recorded message is played to alert
the victim that his/her credit card has had fraudulent activity and/or his/her bank
account has had unusual activity.
• When the victim calls on the provided number, he/she is given automated instructions
to enter his/her credit card number or bank account details with the help of phone
keypad.
• Once the victim enters these details, the criminal (i.e., visher) has the necessary
information to make fraudulent use of the card or to access the account.
• Such calls are often used to harvest additional details such as date of birth, credit card
expiration date, etc.
Some examples of vished calls, when the victim calls the provided number after
receiving a phished E-Mail and/or after listening to a voicemail, are as follows:
1. Automated message: Thank you for calling (name of local bank). Your business is
important to us. To help you reach the correct representative and answer your query
fully, please press the appropriate number on your handset after listening to options.
• Press 1 if you need to check your banking details and live balance.
• Press 2 if you wish to transfer funds.
• Press 3 to unlock your online profile.
• Press 0 for any other query.
2. Regardless of what the victim enters (i.e., presses the key), the automated system
prompts him to authenticate himself: “The security of each customer is important to
us. To proceed further, we require that you authenticate your ID before proceeding.
Please type your bank account number, followed by the pound key.”
3. The victim enters his/her bank account number and hears the next prompt: “Thank
you. Now please type your date of birth, followed by the pound key. For example,
01 January 1950 press 01011950.”

4. The caller enters his/her date of birth and again receives a prompt from the
automated system:
“Thank you. Now please type your PIN, followed by the pound key.”
5. The caller enters his PIN and hears one last prompt from the system: “Thank you.
We will now transfer you to the appropriate representative.”
How to Protect from Vishing Attacks
Following are some tips to protect oneself from Vishing attacks.
1. Be suspicious about all unknown callers.
2. Do not trust caller ID. It does not guarantee whether the call is really coming from
that number, that is, from the individual and/or company – caller ID Spoofing is easy.
3. Be aware and ask questions, in case someone is asking for your personal or financial
information.
4. Call them back.
5. Report incidents.
5. Smishing
Smishing is a criminal offense conducted by using social engineering techniques similar
to Phishing. The name is derived from “SMS PhISHING.” SMS – Short Message Service – is
the text message communication component dominantly used in mobile phones. To know
how SMS can be abused by using different methods and techniques other than information
gathering under cybercrime.
How to Protect from Smishing Attacks
Following are some tips to protect oneself from Smishing attacks:
1. Do not answer a text message that you have received asking for your PI.
2. Avoid calling any phone numbers mentioned in the received message to cancel a
membership and/or confirm a transaction which you have not initiated but which is
mentioned in the message.
3. Always call the numbers displayed on the invoice and/or appearing in the bank
statements/passbook.
4. Never click on a hot link received through a message on your Smartphone or PDA. Hot
links are links that you can click, which will take you directly to Internet sites.
6. Hacking Bluetooth
1. Bluetooth is an open wireless technology standard used for communication (i.e., exchanging data) over short distances between fixed and/or mobile devices.
2. Bluetooth is a short-range wireless communication service/technology that uses the 2.4 GHz frequency range for its transmission/communication.
S. No. | Name of the Tool | Description
1 | BlueScanner | This tool searches for Bluetooth-enabled devices and tries to extract as much information as possible for each newly discovered device after connecting to the target.
2 | BlueSniff | This is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.
3 | BlueBugger | The buggers exploit the vulnerability of the device and access the images, phonebook, messages and other personal information.
4 | Bluesnarfer | If the Bluetooth of a device is switched ON, then Bluesnarfing makes it possible to connect to the phone without alerting the owner and to gain access to restricted portions of the stored data.
5 | BlueDiving | Bluediving is a Bluetooth penetration testing suite. It implements attacks like BlueBug and BlueSnarf.
Bluejacking, Bluesnarfing, Bluebugging and Car Whisperer are common attacks that have emerged as Bluetooth-specific security issues.
1. Bluejacking: It means Bluetooth Jacking, where Jacking is short for hijack – the act of taking over something. Bluejacking is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or computers.
2. Bluesnarfing: It is unauthorized access from a wireless device through a Bluetooth connection between cell phones, PDAs and computers. This enables the attacker to access the calendar, contact list, SMS and E-Mails, as well as to copy pictures and private videos.
3. Bluebugging: It allows attackers to remotely access a user’s phone and use its features without the user’s knowledge.
4. Car Whisperer: It is a piece of software that allows attackers to send audio to and receive audio from a Bluetooth-enabled car stereo.
Mobile Devices: Security Implications for Organizations
1. Managing diversity and proliferation of hand-held devices
We have talked about the micro issues of a purely technical nature in mobile device security. Given the threats to information systems through the usage of mobile devices, organizations need to establish security practices at a level appropriate to their security objectives, subject to legal and other external constraints.
2. Unconventional/stealth storage devices
We would like to emphasize the widening spectrum of mobile devices and focus on secondary storage devices, such as compact disks (CDs) and Universal Serial Bus (USB) drives (also called zip drives, memory sticks) used by employees.
As technology advances, the devices continue to decrease in size and emerge in new shapes and sizes – unconventional/stealth storage devices available nowadays are difficult to detect and have become a prime challenge for organizational security.
Fig: Unconventional/stealth storage devices.
The features of device-control software allow the system administrator to:
1. Monitor which users or groups can access USB ports, Wi-Fi and Bluetooth adapters, CD read-only memories (CD-ROMs) and other removable devices.
2. Control the access to devices depending on the time of the day and day of the week.
3. Create a white list of USB devices, which allows you to authorize only specific devices that will not be locked regardless of any other settings.
4. Set devices in read-only mode.
5. Protect disks from accidental or intentional formatting.
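The list above describes what device-control software does but not how the rules interact. The following added example (not code from the notes or from any particular product) models that decision logic in Python: per-group access to device classes, a white list of specific USB devices that bypasses every other rule, a working-hours window, and classes forced to read-only. All device records, group names, serial numbers and times are constructed sample data.

```python
"""Device-control policy evaluator (added illustration, not the page's software).

Models the rule types the notes list for USB/removable-device control:
per-group port access, an allow-list of specific devices, time-of-day and
day-of-week windows, and read-only mode. Every device, group and timestamp
below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Device:
    vendor_id: str     # USB vendor id (hex string)
    product_id: str    # USB product id (hex string)
    serial: str        # device serial number ("" if the class has none)
    kind: str          # "usb_storage", "wifi", "bluetooth" or "cdrom"


@dataclass
class Policy:
    group_access: dict        # device kind -> set of groups allowed to use it
    whitelist: set            # (vendor, product, serial) tuples never locked
    window_start: time        # removable media allowed only inside this window
    window_end: time
    workdays: set             # 0 = Monday ... 6 = Sunday
    read_only_kinds: set      # kinds that are mounted read-only when allowed


def decide(policy: Policy, device: Device, user_groups: set, when: datetime) -> str:
    """Return 'allow', 'read-only' or 'deny' for one device-insertion event."""
    key = (device.vendor_id, device.product_id, device.serial)
    if key in policy.whitelist:
        # Explicitly authorised device: not locked regardless of other settings.
        return "allow"
    allowed_groups = policy.group_access.get(device.kind, set())
    if not (user_groups & allowed_groups):
        return "deny"
    in_window = (when.weekday() in policy.workdays
                 and policy.window_start <= when.time() <= policy.window_end)
    if not in_window:
        return "deny"
    if device.kind in policy.read_only_kinds:
        return "read-only"
    return "allow"


# Constructed policy: engineering and IT may use USB storage read-only during
# office hours; Bluetooth is blocked for everyone; one audited stick is
# white-listed by serial number.
SAMPLE_POLICY = Policy(
    group_access={"usb_storage": {"it-admins", "engineering"},
                  "wifi": {"it-admins"},
                  "bluetooth": set(),
                  "cdrom": {"it-admins", "engineering", "finance"}},
    whitelist={("0781", "5583", "4C530001234567890001")},   # constructed serial
    window_start=time(8, 0), window_end=time(18, 0),
    workdays={0, 1, 2, 3, 4},
    read_only_kinds={"usb_storage", "cdrom"},
)


def run_samples():
    """Evaluate a few constructed insertion events; returns (label, verdict) pairs."""
    stick = Device("0951", "1666", "AA11BB22", "usb_storage")        # unknown stick
    approved = Device("0781", "5583", "4C530001234567890001", "usb_storage")
    bt = Device("0a12", "0001", "", "bluetooth")
    monday_noon = datetime(2024, 1, 8, 12, 0)    # a Monday, inside the window
    saturday = datetime(2024, 1, 13, 12, 0)      # a Saturday, outside the window
    return [
        ("engineer, office hours", decide(SAMPLE_POLICY, stick, {"engineering"}, monday_noon)),
        ("finance, office hours",  decide(SAMPLE_POLICY, stick, {"finance"}, monday_noon)),
        ("engineer, weekend",      decide(SAMPLE_POLICY, stick, {"engineering"}, saturday)),
        ("whitelisted, weekend",   decide(SAMPLE_POLICY, approved, {"finance"}, saturday)),
        ("bluetooth, admin",       decide(SAMPLE_POLICY, bt, {"it-admins"}, monday_noon)),
    ]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{label:25s} -> {verdict}")
```

The order of the checks matters: the white list is consulted first so that an audited device is usable at any time by any group, exactly the "regardless of any other settings" behaviour the list describes, while an unknown stick carried in by a finance user is refused outright and an engineer's stick is mounted read-only only inside working hours.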
3. Threats through lost and stolen devices
This is a newly emerging issue for cyber security. Often mobile hand-held devices are lost while people are on the move. Lost mobile devices are becoming an even larger security risk to corporations.
A report based on a survey of London’s 24,000 licensed cab drivers quotes that 2,900 laptops, 1,300 PDAs and over 62,000 mobile phones were left in London cabs over a 6-month period in the year 2001.
4. Protecting data on lost devices
Readers can appreciate the importance of data protection, especially when it resides on a mobile hand-held device. At an individual level, employees need to worry about this.
5. Educating the laptop users
Often it so happens that corporate laptop users could be putting their company’s networks at risk by downloading non-work-related software capable of spreading viruses and Spyware.
Fig: Most important management or support issues for laptops.
Organizational Measures for Handling Mobile Devices-Related Security Issues
We have discussed micro- and macro-level security issues with mobile devices used for mobile computing purposes and what individuals can do to protect their personal data on mobile devices. We now discuss what organizations can do toward safeguarding their information systems in the mobile computing paradigm.
1. Encrypting Organizational Databases
Critical and sensitive data reside on databases [say, applications such as customer relationship management (CRM) that utilize patterns discovered through data warehousing and data mining (DM) techniques] and, with the advances in technology, access to these data through hand-held devices is not impossible. It is clear that to protect against the loss of the organization’s data, such databases need encryption.
2. Including Mobile Devices in Security Strategy
These discussions so far make a strong business case – in recognition of the fact that our mobile workforce is on the rise, organizational IT departments will have to take accountability for cyber security threats that come through inappropriate access to organizational data by mobile-device-using employees. Encryption of corporate databases is not the end of the story.
A few things that enterprises can use are:
1. Implement strong asset management, virus checking, loss prevention and other controls for mobile systems that will prohibit unauthorized access and the entry of corrupted data.
2. Investigate alternatives that allow secure access to the company information through a firewall, such as mobile VPNs.
3. Develop a system of more frequent and thorough security audits for mobile devices.
4. Incorporate security awareness into your mobile training and support programs so that everyone understands just how important an issue security is within a company’s overall IT strategy.
5. Notify the appropriate law-enforcement agency and change passwords. User accounts should be closely monitored for any unusual activity for a period of time.
Organizational Security Policies and Measures in Mobile Computing Era
1. Importance of Security Policies relating to Mobile Computing Devices
The proliferation of hand-held devices in use makes the cyber security issue graver than we would tend to think. People (especially the youth) have grown so used to their handhelds that they are treating them like wallets! The survey asked the participants about the likelihood of six separate scenarios, involving the use of cell phones to communicate sensitive and confidential information, occurring in their organizations.
The scenarios described the following:
1. A CEO’s administrative assistant uses a cell phone to arrange ground transportation that reveals the CEO’s identity and location.
2. The finance and accounting staff discusses an earnings press release and one participant on the call is using a cell phone.
3. A conference call among senior leaders in the organization in which cell phones are sometimes used.
4. A sales manager conducting business in Asia uses his/her cell phone to communicate with the home office.
5. An external lawyer asks for proprietary and confidential information while using his cell phone.
6. A call center employee assists a customer using a cell phone to establish an account and collects personal information (including SSN).
2. Operating Guidelines for Implementing Mobile Device Security Policies
In situations such as those described above, the ideal solution would be to prohibit all confidential data from being stored on mobile devices, but this may not always be practical. Organizations can, however, reduce the risk that confidential information will be accessed from lost or stolen mobile devices through the following steps:
1. Determine whether the employees in the organization need to use mobile computing devices at all, based on their risks and benefits within the organization, industry and regulatory environment.
2. Implement additional security technologies, as appropriate to fit both the organization and the types of devices used.
3. Standardize the mobile computing devices and the associated security tools being used with them. As a matter of fundamental principle, security deteriorates quickly as the tools and devices used become increasingly disparate.
4. Develop a specific framework for using mobile computing devices, including guidelines for data syncing, the use of firewalls and anti-malware software and the types of information that can be stored on them.
5. Centralize management of your mobile computing devices. Maintain an inventory so that you know who is using what kinds of devices.
6. Establish patching procedures for software on mobile devices. This can often be simplified by integrating patching with syncing, or patch management with the centralized inventory database.
7. Label the devices and register them with a suitable service that helps return recovered devices to the owners.
8. Establish procedures to disable remote access for any mobile devices reported as lost or stolen. Many devices allow the users to store usernames and passwords for website portals, which could allow a thief to access even more information than is on the device itself.
9. Remove data from computing devices that are not in use or before re-assigning those devices to new owners (in the case of company-provided mobile devices to employees). This is to preclude incidents through which people obtain “old” computing devices that still have confidential company data.
10. Provide education and awareness training to personnel using mobile devices. People cannot be expected to appropriately secure their information if they have not been told how.
3. Organizational Policies for the Use of Mobile Hand-Held Devices
Securing mobile devices involves creating company policies that address the unique issues these devices raise. Such questions include what an employee should do if a device is lost or stolen.
There are many ways to handle the matter of creating policy for mobile devices. One way is creating a distinct mobile computing policy. Another way is including such devices under existing policy.
UNIT IV
Unauthorized computer access, popularly referred to as hacking, describes a criminal action whereby someone uses a computer to knowingly gain access to data in a system without permission to access that data.
Computer Intrusion
Computer intrusions occur when someone tries to gain access to any part of your computer system. Computer intruders or hackers typically use automated computer programs when they try to compromise a computer’s security. There are several ways an intruder can try to gain access to your computer. They can:
1. Access your computer to view, change, or delete information on your computer.
2. Crash or slow down your computer.
3. Access your private data by examining the files on your system.
4. Use your computer to access other computers on the Internet.
Computer Viruses and Malicious codes
Viruses –
 A virus is a computer code or program which is capable of badly affecting your computer data by corrupting or destroying it.
 A computer virus has the tendency to make duplicate copies of itself at a swift pace, and also to spread itself across every folder and damage the data of your computer system.
 A computer virus is actually a malicious software program or "malware" that, when infecting your system, replicates itself by modifying other computer programs and inserting its own code.
 Infected computer programs may include data files, or even the "boot" sector of the hard drive.
Ways a virus can affect your computer system. The ways are mentioned below −
 By downloading files from the Internet.
 Through removable media or drives.
 Through pen drives.
 Through e-mail attachments.
 Through unpatched software & services.
 Through unprotected or poor administrator passwords.
Impact of Virus
Let us now see the impact of a virus on your computer system −
 Disrupts the normal functionality of the respective computer system.
 Disrupts system network use.
 Modifies configuration settings of the system.
 Destroys data.
 Disrupts computer network resources.
 Destroys confidential data.
Malicious Code - is the kind of harmful computer code or web script designed to create system vulnerabilities leading to back doors, security breaches, information and data theft, and other potential damage to files and computing systems. It's a type of threat that may not be blocked by antivirus software on its own. Malware specifically refers to malicious software, but malicious code includes website scripts that can exploit vulnerabilities in order to upload malware.
It is an auto-executable application that can activate itself and take on various forms, including Java Applets, ActiveX controls, pushed content, plug-ins, scripting languages or other programming languages that are designed to enhance Web pages and email.
The code gives a cybercriminal unauthorized remote access to the attacked system — called an application back door — which then exposes sensitive company data. By unleashing it, cybercriminals can even wipe out a computer's data or install spyware.
Internet Hacking and Cracking
Hacking is the activity of identifying weaknesses in a computer system or a network and exploiting them to gain access to personal data or business data. An example of computer hacking can be: using a password cracking algorithm to gain access to a computer system.
Computers have become mandatory to run a successful business. It is not enough to have isolated computer systems; they need to be networked to facilitate communication with external businesses. This exposes them to the outside world and to hacking. System hacking means using computers to commit fraudulent acts such as fraud, privacy invasion, stealing corporate/personal data, etc. Cybercrimes cost many organizations millions of dollars every year. Businesses need to protect themselves against such attacks.
A Hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled computer programmers with knowledge of computer security.
Hackers are classified according to the intent of their actions. The following list classifies types of hackers according to their intent:
 Ethical Hacker (White hat): A security hacker who gains access to systems with a view to fixing the identified weaknesses. They may also perform penetration testing and vulnerability assessments.
 Cracker (Black hat): A hacker who gains unauthorized access to computer systems for personal gain. The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts, etc.
 Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the system owner.
 Script kiddies: A non-skilled person who gains access to computer systems using ready-made tools.
 Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages. This is usually done by hijacking websites and leaving the message on the hijacked website.
 Phreaker: A hacker who identifies and exploits weaknesses in telephones instead of computers.
Cracking
 Cracking is a technique used to breach computer software or an entire computer security system, with malicious intent.
 Cracking is when someone performs a security hack for criminal or malicious reasons, and the person is called a “cracker.” Just like a bank robber cracks a safe by skilfully manipulating its lock, a cracker breaks into a computer system, program, or account with the aid of their technical wizardry.
 It’s always with the aim of doing something naughty once they’re in there: stealing data, impersonating someone, or even just using paid software for free.
Some common types of cracking:
 Password cracking - is the act of obtaining a password from stored data. The most common password cracking methods are:
   Brute force cracking: The cracking algorithm outputs random strings of characters until it gets a match.
   Dictionary cracking: It’s similar to brute-force cracking, but rather than using random characters, dictionary cracking limits itself to actual words.
   Rainbow table cracking: A rainbow table uses precomputed hash values to work back from a stored password hash to the password that produced it.
 Software cracking - is when someone alters a piece of software to disable or entirely remove one or more of its features. Most software cracking uses at least one of the following tools or techniques:
   Keygen: Short for “key generator,” a keygen is a program a cracker builds to generate valid serial numbers for a software product.
   Patch: Patches are small bits of code that modify existing programs. Developers release patches for software all the time. Crackers can make them too, and when they do, the patch’s job is to alter the way the program works by removing the unwanted features.
   Loader: A loader’s job is to block the software’s protection measures as the software starts up. Some loaders bypass copy protections, while others are popular with gamers who enjoy cheating in online multiplayer games.
 Network cracking - is when someone breaks through the security of a LAN, or “local area network.” Cracking a wired network requires a direct connection, but cracking a wireless network is much more convenient, because the cracker just needs to be close to the wireless signal. A common example of a wireless LAN is the Wi-Fi system in your home.
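The three password cracking methods above all work against the same weak storage scheme: a single fast, unsalted hash of the password. The following Python example is added here (it is not from the notes) to show the defender's side of that story. It puts the weak scheme beside the hardened one (a random per-user salt plus a slow key-derivation function, PBKDF2 from the standard library), and demonstrates that a precomputed lookup table, the idea behind rainbow tables, gives an instant hit on the weak scheme but cannot match salted digests at all; the attacker is forced back to a per-user dictionary run that costs one slow hash per guess. The word list and passwords are constructed; the iteration count is kept low for a quick demo and should be higher in production.

```python
"""Unsalted fast hash versus salted slow KDF (added illustration, not the page's code).

Shows why salting defeats precomputed (rainbow-table style) lookups and why a
slow KDF raises the cost of dictionary cracking, while also making the caveat
visible: a weak password in the attacker's word list still falls, just one
expensive hash at a time and separately for every user.
"""
import hashlib
import hmac
import os

# Constructed word list standing in for a cracking dictionary.
WORDLIST = ["password", "letmein", "summer2024", "qwerty", "hunter2"]

# ---- weak scheme: bare MD5 of the password, the target of rainbow tables ----
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def build_precomputed_table(words) -> dict:
    """hash -> password, computed once and reusable against every stored hash."""
    return {weak_hash(w): w for w in words}

def lookup(table: dict, digest_hex: str):
    return table.get(digest_hex)

# ---- hardened scheme: random per-user salt + PBKDF2-HMAC-SHA256 ----
ITERATIONS = 100_000   # demo value; production deployments use far more

def hardened_hash(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hardened_hash(password, salt)
    return hmac.compare_digest(candidate, stored)     # constant-time compare

def per_user_dictionary_run(salt: bytes, stored: bytes, words) -> tuple:
    """What anyone holding the salt must do: recompute the slow KDF for each
    guess, for this user only. Returns (matched_word or None, hashes_computed)."""
    for n, w in enumerate(words, start=1):
        if verify(w, salt, stored):
            return w, n
    return None, len(words)

def demo() -> dict:
    table = build_precomputed_table(WORDLIST)

    # Weak scheme: one dictionary lookup recovers the password instantly.
    weak_stored = weak_hash("letmein")
    weak_recovered = lookup(table, weak_stored)            # "letmein"

    # Hardened scheme: the same table never matches a salted digest.
    salt, stored = hardened_hash("letmein")
    salted_hit = lookup(table, stored.hex())               # None

    # Two users with the same password get different digests, so a hit on one
    # reveals nothing about the other.
    _, stored_other_user = hardened_hash("letmein")
    same_digest = stored == stored_other_user              # False

    # Caveat: salt + slow KDF do not rescue a password that is in the word list;
    # they only make each guess cost a full KDF run, per user.
    matched, cost = per_user_dictionary_run(salt, stored, WORDLIST)

    return {
        "weak_recovered": weak_recovered,
        "salted_table_hit": salted_hit,
        "same_password_same_digest": same_digest,
        "verify_ok": verify("letmein", salt, stored),
        "verify_wrong": verify("hunter2", salt, stored),
        "per_user_recompute": (matched, cost),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v!r}")
```

The result worth noticing is the last one: the salted digest still yields "letmein" after two KDF computations, because the password itself is weak. Salting removes the attacker's ability to precompute and reuse work across users; the slow KDF multiplies the price of every guess; neither substitutes for a password that is not in a dictionary.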
Viruses and Worms
1. Worms: A worm is similar to a virus but it does not modify programs. It replicates itself more and more, slowing down the computer system. Worms can be controlled remotely. The main objective of worms is to eat up system resources.
2. Virus: A virus is malicious executable code attached to another executable file, which can be harmless or can modify or delete data. When the computer program with the attached virus runs, it performs some action such as deleting a file from the computer system. A virus can’t be controlled remotely.
Difference between Worms and Virus:
S.No. | WORMS | VIRUS
1. | A Worm is a form of malware that replicates itself and can spread to different computers via the network. | A Virus is malicious executable code attached to another executable file which can be harmless or can modify or delete data.
2. | The main objective of worms is to eat up system resources. | The main objective of a virus is to modify information.
3. | It doesn’t need a host to replicate from one computer to another. | A host is required for spreading.
4. | It is less harmful as compared. | It is more harmful.
5. | Worms can be detected and removed by antivirus and firewall. | Antivirus software is used for protection against viruses.
6. | Worms can be controlled remotely. | A virus can’t be controlled remotely.
7. | Worms are executed via weaknesses in the system. | Viruses are executed via executable files.
8. | Morris Worm, Storm Worm and SQL Slammer are some examples of worms. | Resident and Non-resident viruses are two types of Virus.
9. | It does not need human action to replicate. | It needs human action to replicate.
10. | Its spreading speed is faster. | Its spreading speed is slower as compared.
Software Piracy
Software piracy is the act of stealing software that is legally protected. This stealing includes copying,
distributing, modifying or selling the software.
Copyright laws were originally put into place so that the people who develop software (programmers, writers,
graphic artists, etc.) would get the proper credit and compensation for their work. When software piracy occurs,
compensation is stolen from these copyright holders.
Types of Software Piracy
There are five main types of software piracy.
 Softlifting - is when someone purchases one version of the software and downloads it onto multiple computers, even though the software license states it should only be downloaded once. This often occurs in business or school environments and is usually done to save money. Softlifting is the most common type of software piracy.
 Client-server overuse - is when too many people on a network use one main copy of the program at the same time. This often happens when businesses are on a local area network and download the software for all employees to use. This becomes a type of software piracy if the license doesn’t entitle you to use it multiple times.
 Hard disk loading - is a type of commercial software piracy in which someone buys a legal version of the software and then reproduces, copies or installs it onto computer hard disks. The person then sells the product. This often happens at PC resale shops and buyers aren’t always aware that the additional software they are buying is illegal.
 Counterfeiting - occurs when software programs are illegally duplicated and sold with the appearance of authenticity. Counterfeit software is usually sold at a discounted price in comparison to the legitimate software.
 Online Piracy - also known as Internet piracy, is when illegal software is sold, shared or acquired by means of the Internet. This is usually done through a peer-to-peer (P2P) file-sharing system, which is usually found in the form of online auction sites and blogs.
The Dangers of Software Piracy
Software piracy may have a cheaper price point, but there are many dangers that software pirates should be aware of. Consequences of software piracy are:
 Increased chances that the software will malfunction or fail
 Forfeited access to support for the program such as training, upgrades, customer support and bug fixes
 No warranty and the software can’t be updated
 Increased risk of infecting your PC with malware, viruses or adware
 Slowed down PC
 Legal repercussions due to copyright infringement
Intellectual property Rights
Intellectual property rights are the legal rights that cover the privileges given to individuals who are the owners and inventors of a work, and have created something with their intellectual creativity. Individuals related to areas such as literature, music, invention, etc., can be granted such rights, which can then be used in business practices by them.
The creator/inventor gets exclusive rights against any misuse or use of the work without his/her prior information. However, the rights are granted for a limited period of time to maintain equilibrium.
Types of Intellectual Property Rights
Intellectual Property Rights can be further classified into the following categories −
 Copyright
 Patent
 Trade Secrets, etc.
Advantages of Intellectual Property Rights
Intellectual property rights are advantageous in the following ways −
 Provides exclusive rights to the creators or inventors.
 Encourages individuals to distribute and share information and data instead of keeping it confidential.
 Provides legal defense and offers the creators the incentive of their work.
 Helps in social and financial development.
Intellectual Property in Cyber Space
 Every new invention in the field of technology experiences a variety of threats. The Internet is one such threat, which has captured the physical marketplace and converted it into a virtual marketplace.
 To safeguard business interests, it is vital to create an effective property management and protection mechanism, keeping in mind the considerable amount of business and commerce taking place in Cyber Space.
 Today it is critical for every business to develop an effective and collaborative IP management mechanism and protection strategy. The ever-looming threats in the cybernetic world can thus be monitored and confined.
 Various approaches and legislations have been designed by the law-makers to up the ante in delivering a secure configuration against such cyber-threats. However, it is the duty of the intellectual property right (IPR) owner to invalidate and reduce such mala fide acts of criminals by taking proactive measures.
Mail Bombs
An email bomb is an attack against an email inbox or server designed to overwhelm an inbox or inhibit the
server’s normal function, rendering it unresponsive, preventing email communications, degrading network
performance, or causing downtime. The intensity of an email bomb can range from an inconvenience to a
complete denial of service. Typically, these attacks persist for hours or until the targeted inbox or server
implements a mitigation tactic to filter or block the attacking traffic. Such attacks can be carried out intentionally
or unintentionally by a single actor, group of actors, or a botnet.
There are five common email bomb techniques:
1. Mass mailing – intentionally or unintentionally sending large quantities of random email traffic to targeted email addresses. This attack is often achieved using a botnet or malicious script, such as by the automated filling out of online forms with the target email inserted as the requesting/return address.
2. List linking – signing targeted email addresses up for numerous email subscriptions, which indirectly flood the email addresses with subscribed content. Many subscription services do not ask for verification, but if they do, these verification emails can be used as the attack emails. This type of attack is difficult to prevent because the traffic originates from multiple legitimate sources.
3. ZIP bomb – sending very large compressed archive files to an email address, which, when decompressed, consume available server resources to damage performance.
4. Attachment – sending multiple emails with large attachments designed to overload the storage space on a server and cause the server to stop responding.
5. Reply-all – responding “Reply All” to large dissemination lists instead of just to the original sender. This inundates inboxes with a cascade of emails, which are compounded by automated replies, such as out-of-office messages. These are often accidental in nature. This can also occur when a malicious actor spoofs an email address and the automatic replies are directed toward the spoofed address.
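The text notes that an email bomb persists until the inbox or server "implements a mitigation tactic to filter or block the attacking traffic", and that list linking is hard to filter because each message comes from a legitimate source. The Python example below, added here and not part of the notes, shows the detection side: a sliding-window rate check per recipient over delivery-log lines, which additionally labels a burst as list-linking (many distinct senders) or mass-mailing (a few senders repeating). The log format is a constructed, simplified one (timestamp, sender, recipient), not a real MTA's, and the thresholds, addresses and volumes are assumptions chosen for the demo.

```python
"""Sliding-window detection of e-mail bomb bursts (added illustration, not the page's code).

Log format is constructed: "<ISO timestamp> from=<sender> to=<recipient>",
one delivery per line, time-ordered per recipient. A recipient that receives
more than THRESHOLD messages inside WINDOW seconds is flagged once, and the
burst is labelled by how many distinct senders it came from.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = 60             # seconds of history kept per recipient
THRESHOLD = 20          # messages to one recipient inside WINDOW before alerting
LIST_LINK_RATIO = 0.8   # distinct senders / messages at or above this => list-linking


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (timestamp, sender, recipient)."""
    ts, frm, to = line.split()
    sender = frm[len("from=<"):-1]
    rcpt = to[len("to=<"):-1]
    return datetime.fromisoformat(ts), sender, rcpt


def detect(lines) -> dict:
    """Return {recipient: (messages_in_window, distinct_senders, label)} for
    every recipient whose traffic exceeded THRESHOLD within WINDOW seconds."""
    recent = defaultdict(deque)     # recipient -> deque of (ts, sender)
    alerts = {}
    for line in lines:
        ts, sender, rcpt = parse_line(line)
        q = recent[rcpt]
        q.append((ts, sender))
        # Drop deliveries that fell out of the window.
        while (ts - q[0][0]).total_seconds() > WINDOW:
            q.popleft()
        if len(q) > THRESHOLD and rcpt not in alerts:
            senders = {s for _, s in q}
            ratio = len(senders) / len(q)
            label = "list-linking" if ratio >= LIST_LINK_RATIO else "mass-mailing"
            alerts[rcpt] = (len(q), len(senders), label)
    return alerts


def sample_log() -> list:
    """Constructed traffic: a benign trickle to alice, a list-linking burst to
    bob (30 confirmations from 30 different lists in 30 s) and a mass-mailing
    burst to carol (30 messages from two senders in 30 s)."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    lines = []
    for i in range(5):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} from=<news{i}@example.org> to=<alice@corp.example>")
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} from=<confirm@list{i}.example> to=<bob@corp.example>")
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} from=<bot{i % 2}@spam.example> to=<carol@corp.example>")
    return lines


if __name__ == "__main__":
    for rcpt, (count, senders, label) in detect(sample_log()).items():
        print(f"{rcpt}: {count} msgs from {senders} senders -> {label}")
```

The label matters for the response: a mass-mailing burst can be cut off by blocking the two sending addresses or their source network, whereas a list-linking burst has no single source to block, so the practical mitigation is a temporary recipient-side rule that quarantines subscription confirmations while the real mail continues to flow.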
Effects of Mail Bombs
Email bombs can create denial of service conditions that may impede election offices from conducting routine
or election day activities. For example, a successful email bomb may inhibit election offices from accessing
inboxes for citizen engagement, voter registration, or other services. The impact of such an attack is highly likely
to compound if occurring around polling or registration dates. Additionally, cyber actors sometimes use email
bomb attacks to mask other malicious activity, distract users, or prevent the regular flow of notifications
associated with critical or abnormal account activity.
Exploitation
An exploit is a code that takes advantage of a software vulnerability or security flaw. It is written either by
security researchers as a proof-of-concept threat or by malicious actors for use in their operations. When used,
exploits allow an intruder to remotely access a network and gain elevated privileges, or move deeper into the
network.
In some cases, an exploit can be used as part of a multi-component attack. Instead of using a malicious file, the
exploit may instead drop another malware, which can include backdoor Trojans and spyware that can steal user
information from the infected systems.
Common types of computer exploit
 Known exploits - When someone discovers a software vulnerability, they’ll often alert the software’s developer, who can then fix the vulnerability immediately with a security patch. They may also spread the word about the vulnerability on the internet to warn others. Either way, the developer will (hopefully) be able to respond and repair the vulnerability before an exploit can take advantage of it.
 Zero-day exploits (unknown exploits) - Sometimes, exploits catch everyone by surprise. When a hacker discovers a vulnerability and immediately creates an exploit for it, it’s called a zero-day exploit — because the exploit attack happens on the same day the vulnerability is found. At that point, the developer has known about the vulnerability for “zero days.”
 Hardware exploits - While software exploits get most of the media attention, they’re not the only types of exploits out there. Sometimes, hackers can exploit flaws in the physical hardware (and its firmware) in your device.
Steganography
Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order
to avoid detection; the secret data is then extracted at its destination.
Use of Steganography
There are many ways to conceal information using Steganography. The most common method is by embedding information into digital images. We all know that a digital image, say a JPEG image, contains several megabytes of data in the form of pixels. This leaves some room for someone to embed steganographic information within the digital file. With the use of steganography applications, a hacker alters the least significant bits of the data file and embeds malicious code into the image. Once the targeted user downloads and opens the image file on their computer, the malware is activated. Depending on its programming, the malware can now open a leeway for the attacker to gain control over the user’s device or network. The danger of Steganography is that the difference between the original image and the steganographic image is subtle and the two cannot be distinguished by the naked eye.
3 Techniques used in Steganography
1. Least Significant Bit - In this Steganography method, the attacker identifies the least significant bits of information in the carrier image and substitutes them with their secret message, in this case, malicious code. When the target downloads the carrier file, they introduce the malware into their computer, which allows the attacker access to this device and the hack begins. Cybersecurity professionals commonly use sandboxes to detect these corrupt files. However, black hat hackers have invented various methods of bypassing sandboxes, like sleep patching. Sleep patched malware is not easily detected by the sandbox since it poses as benign and buys time while studying the timing artifacts of the sandbox, and executes when the sandbox is vulnerable.
2. Palette Based Technique - This technique also uses digital images as malware carriers. Here, the attackers first encrypt the message and then hide it in a stretched palette of the cover image. Even though this technique can carry a limited amount of data, it frustrates threat hunters since the malware is encrypted and takes a lot of time to decrypt.
3. Secure Cover Selection - This is a very complex technique where the cyber criminals compare the blocks of the carrier image to the blocks of their specific malware. If an image with the same blocks as the malware is found, it is chosen as the candidate to carry the malware. The identical malware blocks are then carefully fitted into the carrier image. The resulting image is identical to the original and the worst part is that this image is not flagged as a threat by detection software and applications.
These are just a few methods by which black hat hackers frustrate ethical hackers using Steganography. Steganography allows attackers to operate in stealth mode while conducting a serious attack. Most of these attacks are zero-day exploits which give threat hunters sleepless nights. Some preventive measures against Steganography include the deployment of security patches, updating software, and educating end-users.
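To make the Least Significant Bit technique and the "cannot be distinguished by the naked eye" claim concrete, here is an added Python example (not from the notes). It embeds a length-prefixed payload into the lowest bit of consecutive pixels of a constructed 8-bit grayscale image, recovers it exactly, and measures that no pixel value moved by more than 1, which is why the change is invisible; it also computes the carrier's capacity and refuses payloads that do not fit. The image is a synthetic gradient held in a bytearray so no image library is needed, and the payload is an ordinary constructed string, not malicious code.

```python
"""LSB steganography on a constructed grayscale image (added illustration, not the page's code).

embed() writes a 4-byte big-endian length header followed by the payload into
the least significant bit of successive pixels; extract() reads the header and
then exactly that many bytes back. max_pixel_change() shows the visual cost:
every pixel differs from the cover by at most 1 out of 255.
"""


def make_cover(width: int = 64, height: int = 64) -> bytearray:
    """Constructed cover: a smooth diagonal gradient, one byte per pixel."""
    scale = width + height - 2
    return bytearray((x + y) * 255 // scale for y in range(height) for x in range(width))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def capacity_bytes(cover: bytearray) -> int:
    """Payload bytes the cover can hold after the 4-byte length header."""
    return len(cover) // 8 - 4


def embed(cover: bytearray, payload: bytes) -> bytearray:
    """Return a copy of cover whose pixel LSBs carry header + payload."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError("payload exceeds cover capacity")
    frame = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(frame)):
        stego[idx] = (stego[idx] & 0xFE) | bit     # clear LSB, then set it to the bit
    return stego


def extract(stego: bytearray) -> bytes:
    """Read the length header, then that many payload bytes, from the LSBs."""
    def read_bytes(first_pixel: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[first_pixel + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_pixel_change(cover: bytearray, stego: bytearray) -> int:
    """Largest per-pixel difference; for LSB embedding this is never above 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo() -> dict:
    cover = make_cover()
    secret = b"constructed payload: meet at 10"     # sample data, not real content
    stego = embed(cover, secret)
    return {
        "recovered": extract(stego),
        "max_change": max_pixel_change(cover, stego),
        "capacity": capacity_bytes(cover),
        "pixels_touched": 32 + len(secret) * 8,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v!r}")
```

Because the carrier bytes are the same length and the same value to within one unit, neither file size nor a visual check reveals the payload; that is why the text points to sandboxes and patching rather than inspection of the image as the defence. A 64 x 64 single-channel cover already holds 508 payload bytes, and a full-colour photograph holds megabytes.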
Key loggers and spyware
Key logger –
 Keyloggers are a serious threat to users and the users' data, as they track the keystrokes to intercept passwords and other sensitive information typed in through the keyboard. This gives hackers the benefit of access to PIN codes and account numbers, passwords to online shopping sites, email ids, email logins, and other confidential information, etc.
 When the hackers get access to the users' private and sensitive information, they can take advantage of the extracted data to perform online money transactions from the user's account. Keyloggers can sometimes be used as a spying tool to compromise business and state-owned companies' data.
 The main objective of Keyloggers is to interfere in the chain of events that happen when a key is pressed and when the data is displayed on the monitor as a result of a keystroke.
 Keylogging can be done by introducing wiring or a hardware bug in the keyboard; by video surveillance; by intercepting input and/or output; by implementing a filter driver in the keyboard stack; or by requesting data from the user's keyboard using generalized documented methods. There are two other rootkit methods used by hackers: masking in kernel mode and masking in user mode.
Types of Keyloggers
Keylogger tools are mostly built for the same purpose, but they have important distinctions in the
methods they use and their form factor.
Here are the two forms of keyloggers:
1. Software Keyloggers
2. Hardware Keyloggers

Software Keyloggers - Software keyloggers are computer programs that install onto your device’s hard drive.
Common software keylogger types include:
 API-based keyloggers eavesdrop directly on the signals sent from each keypress to the program
you’re typing into. Application programming interfaces (APIs) allow software developers and hardware
manufacturers to speak the same “language” and integrate with each other. API keyloggers quietly
intercept keyboard APIs, logging each keystroke to a system file.
 “Form grabbing”-based keyloggers capture all text entered into website forms when you submit it;
the data is recorded locally before it is transmitted to the web server.
 Kernel-based keyloggers work their way into the system’s core to gain admin-level permissions. These
loggers can bypass protections and get unrestricted access to everything entered on your system.

Hardware Keyloggers - Hardware keyloggers are physical components built into or connected to your device.
Some hardware methods may be able to track keystrokes without even being connected to your device. For
brevity, we’ll cover the keyloggers you are most likely to have to fend off:
 Keyboard hardware keyloggers can be placed in line with your keyboard’s connection cable or built
into the keyboard itself. This is the most direct form of interception of your typing signals.
 Hidden camera keyloggers may be placed in public spaces like libraries to visually track keystrokes.
 USB disk-loaded keyloggers can be a physical Trojan horse that delivers the keystroke logger malware
once connected to your device.
Prevention from Keystroke logging
 Always read your terms of service or any contracts before accepting.
 Install internet security software on all your devices.
 Make sure your security programs are updated against the latest threats.
 Don’t leave your mobile and computer devices unsupervised.
 Keep all other device software updated.
 Do not use unfamiliar USB drives or external hard drives.
Spyware
 Spyware is a broad category of malware designed to secretly observe activity on a device and send
those observations to a snooper. That data can be used to track your activity online and that information
can be sold to marketers.
 Spyware can also be used to steal personal information, such as account passwords and credit card
numbers, which can result in identity theft and fraud.
 Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data
and sensitive information.
 Spyware is classified as a type of malware — malicious software designed to gain access to or damage
your computer, often without your knowledge. Spyware gathers your personal information and relays
it to advertisers, data firms, or external users.

Types of spyware
Spyware can take a number of forms. They include:
 Adware: It eyes your online activity and displays ads it thinks you'll be interested in based on that
information. Although benign compared to some other forms of spyware, adware can have an impact on
the performance of a device, as well as just being annoying.
 Tracking cookies: They're similar to adware, although they tend to be less intrusive.
 Trojans: After landing on a device, they look for sensitive information, such as bank account
information, and send it to a seedy third-party who will use it to steal money, compromise accounts or
make fraudulent purchases. They can also be used to gain control of a computer through the installation
of a backdoor or a remote access Trojan (RAT).
 Keyloggers: They allow a miscreant to capture every keystroke from your keyboard, including the
keystrokes you use when you log into your online accounts.
 Stalkerware: It's typically installed on a mobile phone so the owner of the phone can be tracked by a
third party. For example, during the trial of Joaquín “El Chapo” Guzmán, it was revealed the drug kingpin
installed spyware on the phones of his wife, associates and female friends so he could read their text
messages, listen to their conversations and follow their movements.
 Stealware: It's crafted to take advantage of online shopping sites awarding credits to websites that send
traffic to their product pages. When a user goes to one of those sites, stealware intercepts the request and
takes credit for sending the user there.
 System monitors: They record everything that happens on a device—from keystrokes, emails and
chat room dialogs to websites visited, programs launched, and phone calls made—and send it to a snoop
or cyber-criminal. They can also monitor a system's processes and identify any vulnerabilities on it.

Prevention from spyware


Here are four main steps to help prevent spyware.
 Don’t open emails from unknown senders.
 Don’t download files from untrustworthy sources.
 Don’t click on pop-up advertisements.
 Use reputable antivirus software.

Spyware can be harmful, but it can be removed and prevented by being cautious and using an antivirus tool.
If you’ve been infected with spyware, take steps to remove it. Be proactive by changing your passwords and
notifying your bank to watch for fraudulent activity.

Trojan and backdoors


 A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
 Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
 Users are typically tricked by some form of social engineering into loading and executing Trojans on
their systems.
 Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain
backdoor access to your system. These actions can include:
 Deleting data
 Blocking data
 Modifying data
 Copying data
 Disrupting the performance of computers or computer networks
 Unlike computer viruses and worms, Trojans are not able to self-replicate.
Trojan and its impact
 Backdoor - A backdoor Trojan gives malicious users remote control over the infected computer. They
enable the author to do anything they wish on the infected computer – including sending, receiving,
launching and deleting files, displaying data and rebooting the computer. Backdoor Trojans are often
used to unite a group of victim computers to form a botnet or zombie network that can be used for criminal
purposes.
 Exploit - Exploits are programs that contain data or code that takes advantage of a vulnerability within
application software running on your computer.
 Rootkit - Rootkits are designed to conceal certain objects or activities in your system. Often their main
purpose is to prevent malicious programs from being detected, in order to extend the period in which those
programs can run on an infected computer.
 Trojan-Banker - These programs are designed to steal your account data for online banking systems, e-
payment systems and credit or debit cards.
 Trojan-Downloader - These can download and install new versions of malicious programs onto your
computer, including Trojans and adware.

Protection against Trojan


Here are some dos and don’ts to help protect against Trojan malware. First, the dos:
 Computer security begins with installing and running an internet security suite. Run periodic diagnostic
scans with your software. You can set it up so the program runs scans automatically during regular
intervals.
 Update your operating system’s software as soon as updates are made available from the software
company. Cybercriminals tend to exploit security holes in outdated software programs. In addition to
operating system updates, you should also check for updates on other software that you use on your
computer.
 Protect your accounts with complex, unique passwords. Create a unique password for each account using
a complex combination of letters, numbers, and symbols.
 Keep your personal information safe with firewalls.
 Back up your files regularly. If a Trojan infects your computer, this will help you to restore your data.
 Be careful with email attachments. To help stay safe, scan an email attachment first.

A lot of things you should do come with a corresponding thing not to do — like, do be careful with email
attachments and don’t click on suspicious email attachments. Here are some more don’ts.
 Don’t visit unsafe websites. Some internet security software, such as Norton Safe Web, will alert you
that you’re about to visit an unsafe site.
 Don’t open a link in an email unless you’re confident it comes from a legitimate source. In general,
avoid opening unsolicited emails from senders you don’t know.
 Don’t download or install programs if you don’t have complete trust in the publisher.
 Don’t click on pop-up windows that promise free programs that perform useful tasks.
 Don’t ever open a link in an email unless you know exactly what it is.

Phishing
 Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message
by someone posing as a legitimate institution to lure individuals into providing sensitive data such as
personally identifiable information, banking and credit card details, and passwords.
 The information is then used to access important accounts and can result in identity theft and financial
loss.
 Phishing is an example of social engineering techniques used to deceive users. Users are lured by
communications purporting to be from trusted parties such as social networking websites, auction sites,
banks, mails/messages from friends or colleagues/executives, online payment systems or IT
administrators.

Types of phishing
 Spear phishing - Phishing attempts directed at specific individuals or companies
 Catphishing and catfishing - a type of online deception that involves getting to know someone closely
in order to gain access to information or resources, usually under the control of the mark, or to otherwise
gain control over the conduct of the target.
 Clone phishing - is a type of phishing attack whereby a legitimate, and previously delivered, email
containing an attachment or link has had its content and recipient address(es) taken and used to create
an almost identical or cloned email.
 Voice phishing - uses fake caller-ID data to give the appearance that calls come from a trusted
organization.
 SMS phishing - or smishing uses cell phone text messages to deliver the bait to induce people to divulge
their personal information.

Prevention against Phishing


 To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the
message, the software used to send the message, and the appearance of the message to determine if it’s
spam. Occasionally, spam filters may even block emails from legitimate sources, so they aren’t always 100%
accurate.
 The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep
a list of fake websites and when you try to access the website, the address is blocked or an alert message
is shown. The settings of the browser should only allow reliable websites to open up.
 Many websites require users to enter login information while the user image is displayed. This type of
system may be open to security attacks. One way to ensure security is to change passwords on a regular
basis, and never use the same password for multiple accounts. It’s also a good idea for websites to use
a CAPTCHA system for added security.
 Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report
phishing to industry groups where legal actions can be taken against these fraudulent websites.
Organizations should provide security awareness training to employees to recognize the risks.
 Changes in browsing habits are required to prevent phishing. If verification is required, always contact
the company personally before entering any details online.
 If there is a link in an email, hover over the URL first. Secure websites with a valid Secure Sockets Layer
(SSL) certificate begin with “https”. Eventually all sites will be required to have a valid SSL certificate.
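The "hover over the URL first" and "https" checks above, turned into code as an added example that is not part of these notes: it compares the text a link displays with where it really points, checks the scheme, and flags hostnames that imitate a trusted domain. The trusted-domain list, the homoglyph table and the sample links are constructed for the demo, and the registrable-domain logic is deliberately simplified (no public-suffix list).

```python
import re
from typing import List
from urllib.parse import urlparse

# Constructed allow-list of brands this checker knows about; a real deployment
# would use the organisation's own list of legitimate domains.
TRUSTED_DOMAINS = ["paypal.com", "example-bank.com"]

# Digits and symbols commonly swapped in for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'paypal.com' for 'www.paypal.com'.
    Naive on purpose (no public-suffix list) so the demo stays offline."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def hostname_of(text: str) -> str:
    """Hostname shown in link text, or '' if the text is not URL-like
    (e.g. 'Click here'), so plain wording is never mistaken for a host."""
    candidate = text.strip().lower()
    if "://" in candidate:
        candidate = urlparse(candidate).hostname or ""
    else:
        candidate = candidate.split("/")[0]
    return candidate if HOST_RE.match(candidate) else ""

def lookalike_of(host: str) -> str:
    """Return the trusted domain a host imitates, or '' if none. Catches the
    trusted name buried in a subdomain ('paypal.com.secure-login.example')
    and digit-for-letter substitution ('paypa1.com')."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ""
    normalised = reg.translate(HOMOGLYPHS).replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if trusted in host or normalised == trusted.replace("-", ""):
            return trusted
    return ""

def check_link(display_text: str, href: str) -> List[str]:
    """Findings a reader would discover by hovering over the link: plain-http
    target, mismatch between the visible text and the real destination, and
    a destination host that imitates a trusted domain."""
    findings = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        findings.append("not-https")
    shown = hostname_of(display_text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append("display-target-mismatch")
    imitated = lookalike_of(host)
    if imitated:
        findings.append(f"lookalike-of:{imitated}")
    return findings

if __name__ == "__main__":
    # Constructed sample links, not taken from a real phishing message.
    print(check_link("https://www.paypal.com", "http://paypal.com.secure-login.example/verify"))
    print(check_link("Log in", "https://paypa1.com/account"))
    print(check_link("https://www.paypal.com/", "https://www.paypal.com/signin"))
```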

DOS Attack
 A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or
sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users
(i.e., employees, members, or account holders) of the service or resource they expected.
 DoS attacks often target web servers of high-profile organizations such as banking, commerce,
and media companies, or government and trade organizations. Though DoS attacks do not typically result
in the theft or loss of significant information or other assets, they can cost the victim a great deal of time
and money to handle.
 A denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a
computer or other device unavailable to its intended users by interrupting the device's normal functioning.
 DoS attacks typically function by overwhelming or flooding a targeted machine with requests until
normal traffic is unable to be processed, resulting in denial-of-service to additional users.
 A DoS attack is characterized by using a single computer to launch the attack.

There are two general methods of DoS attacks: flooding services or crashing services.
Flood attacks occur when the system receives too much traffic for the server to buffer, causing them to slow
down and eventually stop.
Popular flood attacks include:
 Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a
network address than the programmers have built the system to handle. It includes the attacks listed
below, in addition to others that are designed to exploit bugs specific to certain applications or
networks
 ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every
computer on the targeted network, instead of just one specific machine. The network is then triggered
to amplify the traffic. This attack is also known as the smurf attack or ping of death.
 SYN flood – sends requests to connect to a server but never completes the handshake. This continues
until all open ports are saturated with requests and none are available for legitimate users to connect to.
Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks,
input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system,
so that it can’t be accessed or used.

Protection from DoS attack


A general rule: The earlier you can identify an attack-in-progress, the quicker you can contain the damage. Here
are some things you can do.
 Method 1: Get help recognizing attacks - Companies often use technology or anti-DDoS services to help
defend themselves. These can help you distinguish between legitimate spikes in network traffic and a
DDoS attack.
 Method 2: Contact your Internet Service provider - If you find your company is under attack, you should
notify your Internet Service Provider as soon as possible to determine if your traffic can be rerouted.
Having a backup ISP is a good idea, too. Also, consider services that can disperse the massive DDoS
traffic among a network of servers. That can help render an attack ineffective.
 Method 3: Investigate black hole routing - Internet service providers can use “black hole routing.” It
directs excessive traffic into a null route, sometimes referred to as a black hole. This can help prevent the
targeted website or network from crashing. The drawback is that both legitimate and illegitimate traffic
is rerouted in the same way.
 Method 4: Configure firewalls and routers - Firewalls and routers should be configured to reject bogus
traffic. Remember to keep your routers and firewalls updated with the latest security patches.
 Method 5: Consider front-end hardware - Application front-end hardware that’s integrated into the
network before traffic reaches a server can help analyze and screen data packets. The hardware classifies
the data as priority, regular, or dangerous as it enters a system. It can also help block threatening data.

DDOS Attack
 A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming the target or its surrounding infrastructure with a
flood of Internet traffic.
 DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources
of attack traffic. Exploited machines can include computers and other networked resources such as IoT
devices.
 From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing
regular traffic from arriving at its destination.

Working
 DDoS attacks are carried out with networks of Internet-connected machines.
 These networks consist of computers and other devices (such as IoT devices) which have been infected
with malware, allowing them to be controlled remotely by an attacker. These individual devices are
referred to as bots (or zombies), and a group of bots is called a botnet.
 Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions
to each bot.
 When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP
address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-
service to normal traffic.
 Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can
be difficult.

Identification of DDOS Attack


The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But
since a number of causes — such as a legitimate spike in traffic — can create similar performance issues, further
investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS
attack:
 Suspicious amounts of traffic originating from a single IP address or IP range
 A flood of traffic from users who share a single behavioral profile, such as device type, geolocation,
or web browser version
 An unexplained surge in requests to a single page or endpoint
 Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g.
a spike every 10 minutes)
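The four telltale signs listed above, checked against a constructed access log as an added example (not code from these notes): one noisy source address, many addresses sharing a single user-agent profile, a surge to one endpoint, and traffic concentrated in quiet hours. The log format, the addresses, the thresholds and the "quiet hours" window are all constructed for the demo; only the parsing step would change for a real server's log format.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List

def constructed_sample(include_attack: bool = True) -> List[str]:
    """Constructed access log, one 'ip timestamp path user-agent' per line:
    ten ordinary daytime requests, optionally followed by two attack patterns
    (one IP hammering /login, and 40 bot IPs sharing a user agent at 02:00).
    None of these addresses are real clients."""
    lines = []
    paths = ["/home", "/about", "/products"]
    for i in range(1, 11):
        lines.append(f"192.0.2.{i} 2024-05-01T14:{i:02d}:00 {paths[i % 3]} Mozilla/5.0 (variant {i})")
    if include_attack:
        for s in range(25):
            lines.append(f"203.0.113.7 2024-05-01T02:00:{s:02d} /login Mozilla/5.0 (variant 0)")
        for i in range(1, 41):
            lines.append(f"198.51.100.{i} 2024-05-01T02:01:{i % 60:02d} /login BotUA/1.0")
    return lines

def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line; the user agent may contain spaces."""
    ip, ts, path, ua = line.split(maxsplit=3)
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "path": path, "ua": ua}

def analyse(lines: List[str], ip_threshold: int = 10, share: float = 0.5,
            quiet_hours=range(0, 6), min_profile_ips: int = 5) -> Dict[str, list]:
    """Return the indicators that fire on this log window. Thresholds are demo
    values; in practice they come from a baseline of the site's normal traffic."""
    entries = [parse_line(line) for line in lines if line.strip()]
    total = len(entries) or 1
    by_ip = Counter(e["ip"] for e in entries)
    by_ua = Counter(e["ua"] for e in entries)
    by_path = Counter(e["path"] for e in entries)
    by_hour = Counter(e["ts"].hour for e in entries)
    ips_per_ua: Dict[str, set] = {}
    for e in entries:
        ips_per_ua.setdefault(e["ua"], set()).add(e["ip"])
    return {
        # single address or range producing a suspicious share of requests
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= ip_threshold),
        # many distinct clients that all present the same behavioural profile
        "shared_profile": sorted(ua for ua, n in by_ua.items()
                                 if n / total >= share and len(ips_per_ua[ua]) >= min_profile_ips),
        # unexplained surge in requests to one page or endpoint
        "hot_endpoints": sorted(p for p, n in by_path.items() if n / total >= share),
        # traffic concentrated at odd hours of the day
        "quiet_hour_spike": sorted(h for h, n in by_hour.items()
                                   if h in quiet_hours and n / total >= share),
    }

if __name__ == "__main__":
    print(analyse(constructed_sample(include_attack=False)))
    print(analyse(constructed_sample()))
```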

Types of DDOS attack


 Application layer attacks - Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer
of the OSI model), the goal of these attacks is to exhaust the target’s resources to create a denial-of-service.
The attacks target the layer where web pages are generated on the server and delivered in
response to HTTP requests. A single HTTP request is computationally cheap to execute on the client
side, but it can be expensive for the target server to respond to, as the server often loads multiple files
and runs database queries in order to create a web page. Layer 7 attacks are difficult to defend against,
since it can be hard to differentiate malicious traffic from legitimate traffic.
 Protocol attacks - also known as state-exhaustion attacks, cause a service disruption by over-consuming
server resources and/or the resources of network equipment like firewalls and load balancers.
Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target
inaccessible.
 Volumetric attacks - This category of attacks attempts to create congestion by consuming all available
bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using
a form of amplification or another means of creating massive traffic, such as requests from a botnet.
 Fragmentation Attacks - are another common form of DDoS attack. The cybercriminal exploits
vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller
packets, transferred across a network, and then reassembled. In fragmentation attacks, fake data packets
that cannot be reassembled overwhelm the server.

Protection from DDOS attack


Method 1: Take quick action
Method 2: Configure firewalls and routers
Method 3: Consider artificial intelligence
Method 4: Secure your Internet of Things devices

SQL Injection
 SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend
database manipulation to access information that was not intended to be displayed. This information may
include any number of items, including sensitive company data, user lists or private customer details.
 The impact SQL injection can have on a business is far-reaching.
 A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and,
in certain cases, the attacker gaining administrative rights to a database, all of which are highly
detrimental to a business.
 When calculating the potential cost of an SQLi, it’s important to consider the loss of customer trust should
personal information such as phone numbers, addresses, and credit card details be stolen.
 While this vector can be used to attack any SQL database, websites are the most frequent targets.

Types of SQL Injections


SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-
of-band SQLi. You can classify SQL injections types based on the methods they use to access backend data and
their damage potential.

In-band SQLi - The attacker uses the same channel of communication to launch their attacks and to gather their
results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There
are two sub-variations of this method:
 Error-based SQLi—the attacker performs actions that cause the database to produce error messages.
The attacker can potentially use the data provided by these error messages to gather information about
the structure of the database.
 Union-based SQLi—this technique takes advantage of the UNION SQL operator, which fuses multiple
select statements generated by the database to get a single HTTP response. This response may contain
data that can be leveraged by the attacker.

Inferential (Blind) SQLi - The attacker sends data payloads to the server and observes the response and behavior
of the server to learn more about its structure. This method is called blind SQLi because the data is not
transferred from the website database to the attacker, thus the attacker cannot see information about the attack
in-band.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to
execute but may be just as harmful. Blind SQL injections can be classified as follows:
 Boolean—the attacker sends a SQL query to the database prompting the application to return a result.
The result will vary depending on whether the query is true or false. Based on the result, the information
within the HTTP response will change or stay unchanged. The attacker can then work out if the message
generated a true or false result.
 Time-based—attacker sends a SQL query to the database, which makes the database wait (for a period
in seconds) before it can react. The attacker can see from the time the database takes to respond, whether
a query is true or false. Based on the result, an HTTP response will be generated instantly or after a
waiting period. The attacker can thus work out if the message they used returned true or false, without
relying on data from the database.

Out-of-band SQLi - The attacker can only carry out this form of attack when certain features are enabled on the
database server used by the web application. This form of attack is primarily used as an alternative to the in-band
and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and gather
information, or when a server is too slow or unstable for these actions to be performed. These techniques count
on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.

SQL Injection Prevention Techniques


 Input validation - The validation process is aimed at verifying whether or not the type of input submitted
by a user is allowed. Input validation makes sure it is the accepted type, length, format, and so on. Only
the value which passes the validation can be processed. It helps counteract any commands inserted in the
input string.
 Parametrized queries - are a means of pre-compiling an SQL statement so that you can then supply the
parameters in order for the statement to be executed. This method makes it possible for the database to
recognize the code and distinguish it from input data.
 Stored procedures - require the developer to group one or more SQL statements into a logical unit to
create an execution plan. Subsequent executions allow statements to be automatically parameterized.
Simply put, it is a type of code that can be stored for later and used many times.
 Escaping - Always use character-escaping functions for user-supplied input provided by each database
management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL
statement provided by the developer.
 Avoiding administrative privileges - Don't connect your application to the database using an account
with root access. This should be done only if absolutely needed since the attackers could gain access to
the whole system.
 Web application firewall - A WAF operating in front of the web servers monitors the traffic which goes
in and out of the web servers and identifies patterns that constitute a threat. Essentially, it is a barrier put
between the web application and the Internet.
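The in-band, boolean-style tautology described under the SQLi types, shown beside the parameterized-query and input-validation defences from the prevention list, as an added example that is not code from these notes. The in-memory SQLite table, the single account and the allow-list pattern are constructed for the demo (the plaintext password is only there to keep the example short).

```python
import re
import sqlite3
from typing import Dict

# Constructed allow-list for usernames: letters, digits, underscore, 3 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: the input becomes part of the SQL text, so a
    tautology in either field makes the WHERE clause true for every row.
    Kept deliberately vulnerable to show the in-band behaviour the text
    describes; never write this in real code."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the statement is compiled with placeholders and the
    values are bound afterwards, so the database treats them only as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def login_validated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input validation in front of the parameterized query: anything outside
    the allow-list is rejected before it reaches the database at all."""
    if not USERNAME_RE.match(username):
        return False
    return login_parameterized(conn, username, password)

def demo() -> Dict[str, bool]:
    """Run the same tautology payload through each variant and a real login."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the classic boolean tautology discussed above
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", tautology),
        "parameterized_bypassed": login_parameterized(conn, "alice", tautology),
        "validated_bypassed": login_validated(conn, tautology, tautology),
        "legit_ok": login_parameterized(conn, "alice", "correct horse"),
    }

if __name__ == "__main__":
    print(demo())
```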

Buffer Overflow
 Buffers are memory storage regions that temporarily hold data while it is being transferred from one
location to another.
 A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of
the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent
memory locations.
 For example, a buffer for log-in credentials may be designed to expect username and password inputs of
8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the program
may write the excess data past the buffer boundary.
 Buffer overflows can affect all types of software. They typically result from malformed inputs or failure
to allocate enough space for the buffer. If the transaction overwrites executable code, it can cause the
program to behave unpredictably and generate incorrect results, memory access errors, or crashes.
Buffer overflow example

Buffer Overflow Attack


 Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes
the execution path of the program, triggering a response that damages files or exposes private
information. For example, an attacker may introduce extra code, sending new instructions to the
application to gain access to IT systems.
 If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot
store, and overwrite areas that hold executable code, replacing it with their own code. For example, an
attacker can overwrite a pointer (an object that points to another area in memory) and point it to an
exploit payload, to gain control over the program.

Types of Buffer Overflow Attacks


 Stack-based buffer overflows are more common, and leverage stack memory that only exists during
the execution time of a function.
 Heap-based attacks are harder to carry out and involve flooding the memory space allocated for a
program beyond memory used for current runtime operations.

Protection against Buffer overflow


Developers can protect against buffer overflow vulnerabilities via security measures in their code, or by using
languages that offer built-in protection.
In addition, modern operating systems have runtime protection. Three common protections are:
 Address space layout randomization (ASLR)—randomly moves around the address space
locations of data regions. Typically, buffer overflow attacks need to know the location of
executable code, and randomizing address spaces makes this virtually impossible.
 Data execution prevention—flags certain areas of memory as non-executable or executable,
which stops an attack from running code in a non-executable region.
 Structured exception handler overwrite protection (SEHOP)—helps stop malicious
code from attacking Structured Exception Handling (SEH), a built-in system for managing
hardware and software exceptions. It thus prevents an attacker from being able to make use
of the SEH overwrite exploitation technique. At a functional level, an SEH overwrite is
achieved using a stack-based buffer overflow to overwrite an exception registration record,
stored on a thread’s stack.

Security measures in code and operating system protection are not enough. When an organization
discovers a buffer overflow vulnerability, it must react quickly to patch the affected software and
make sure that users of the software can access the patch.
Unit-5

Cybersecurity: Organizational Implications

In the global environment with continuous network connectivity, the possibilities for
cyberattacks can emanate from sources that are local, remote, domestic or foreign. They could be
launched by an individual or a group. They could be casual probes from hackers using personal
computers (PCs) in their homes, hand-held devices or intense scans from criminal groups.

Fig: A cybersecurity perspective. EU is the European Union.

Personal information (PI) is information that is, or can be, about or related to an identifiable
individual. It includes any information that can be linked to an individual or used to directly or
indirectly identify an individual.

Most information the organization collects about an individual is likely to fall under the “PI”
category if it can be attributed to that individual. For example, PI is an individual’s first name or
first initial and last name in combination with any of the following data:

1. Social security number (SSN)/social insurance number (SIN).
2. Driver’s license number or identification card number.
3. Bank account number, or credit or debit card number, together with any required personal
identification number, access code, security code or password that would permit access to the
individual’s financial account.
4. Home address or E-Mail address.
5. Medical or health information.
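The rule just stated (an identifying name plus at least one of the five data elements) is the kind of check a data-classification or DLP scanner applies before deciding how a record must be handled. The following is an added Python example, not code from the original notes; the field names, the fictitious sample records, the regular expressions for SSN/SIN and e-mail, and the Luhn check used to discard random digit strings posing as card numbers are assumptions made here for illustration.

```python
import re

# Constructed sample records (fictitious data) used to exercise the rule below.
SAMPLE_RECORDS = [
    {"first_name": "Asha", "last_name": "Rao", "ssn": "123-45-6789"},
    {"first_name": "Asha", "last_name": "Rao", "email": "asha.rao@example.com"},
    {"first_name": "Asha", "last_name": "Rao", "card_number": "4111111111111111", "pin": "0423"},
    {"first_name": "Asha", "last_name": "Rao", "card_number": "4111111111111112", "pin": "0423"},
    {"first_name": "Asha", "last_name": "Rao", "card_number": "4111111111111111"},
    {"first_initial": "A", "last_name": "Rao", "medical_record": "type 2 diabetes"},
    {"first_name": "Asha", "last_name": "Rao"},
    {"ssn": "123-45-6789"},
]

# Assumed formats: US SSN (ddd-dd-dddd) and Canadian SIN (ddd ddd ddd).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
SIN_RE = re.compile(r"^\d{3}[ -]?\d{3}[ -]?\d{3}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Any of these alongside an account/card number "would permit access" (element 3).
ACCESS_CODE_FIELDS = ("pin", "access_code", "security_code", "password")


def luhn_valid(number: str) -> bool:
    """Luhn check on a card number (added here to cut false positives; not in the notes)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_identifying_name(rec: dict) -> bool:
    """First name or first initial together with last name."""
    first = rec.get("first_name") or rec.get("first_initial")
    return bool(first) and bool(rec.get("last_name"))


def pi_elements(rec: dict) -> list:
    """Return which of the five listed data elements the record carries."""
    found = []
    national_id = rec.get("ssn") or rec.get("sin") or ""
    if SSN_RE.match(national_id) or SIN_RE.match(national_id):
        found.append("ssn_or_sin")
    if rec.get("drivers_license") or rec.get("id_card_number"):
        found.append("government_id")
    # Element 3: a number alone is not enough; it must come with a code permitting access.
    has_code = any(rec.get(k) for k in ACCESS_CODE_FIELDS)
    number_ok = bool(rec.get("account_number")) or luhn_valid(rec.get("card_number", ""))
    if number_ok and has_code:
        found.append("financial_account_with_access_code")
    if rec.get("home_address") or EMAIL_RE.match(rec.get("email", "")):
        found.append("address_or_email")
    if rec.get("medical_record") or rec.get("health_info"):
        found.append("medical_or_health")
    return found


def classify(rec: dict) -> dict:
    """Apply the rule: PI = identifying name AND at least one listed element."""
    elements = pi_elements(rec)
    return {
        "has_name": has_identifying_name(rec),
        "elements": elements,
        "is_pi": has_identifying_name(rec) and bool(elements),
    }


def scan(records: list) -> list:
    """Return only the records that must be handled as PI."""
    return [r for r in records if classify(r)["is_pi"]]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
```

Note the two negative cases that the rule deliberately produces: a card number without a PIN or security code is not PI under this definition (record 5), and an SSN with no name attached is not either (record 8), even though both still deserve protection under other policies.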
An insider threat is defined as “the misuse or destruction of sensitive or confidential
information, as well as IT equipment that houses this data, by employees, contractors and other
‘trusted’ individuals.”
Insider threats are caused by human actions such as mistakes, negligence, reckless
behavior, theft, fraud and even sabotage. There are three types of insiders:
1. A malicious insider is motivated to adversely impact an organization through a range
of actions that compromise information confidentiality, integrity and/or availability.
2. A careless insider can bring about a data compromise not through any bad intention but
simply by being careless, through an accident, mistake or plain negligence.
3. A tricked insider is a person who is “tricked” into, or led to, providing sensitive or
private company data to people who are not truthful about their identity or purpose, via
“pretexting” (a form of social engineering).

Insider Attack Example 1: Heartland Payment Systems Fraud

A case in point is the infamous “Heartland Payment Systems Fraud” that was uncovered
in January 2009. This incident brings out the glaring point about the seriousness of “insider
attacks.” In this case, the organization concerned suffered a serious blow, with nearly 100 million
credit cards compromised from at least 650 financial services companies. When a card is used
to make a purchase, the card information is transmitted through a payment network.

Insider Attack Example 2: Blue Cross Blue Shield (BCBS)

Yet another incident is the Blue Cross Blue Shield (BCBS) data breach of October
2009, in which the theft of 57 hard drives from a BlueCross BlueShield of Tennessee training
facility put the private information of approximately 500,000 customers in at least 32 states at
risk. The two lessons to be learnt from this are:
1. Physical security is very important.
2. Insider threats cannot be ignored.

What makes matters worse is that the groups/agencies/entities connected with
cybercrimes are all linked. There is certainly a paradigm shift in computing and work practices:
workforce mobility, virtual teams, social computing media, cloud computing services being
offered, and a sharp rise in business process outsourcing (BPO) services, to name a few.
Fig: Cybercrimes – the flow and connections.

A key message from this discussion is that cybercrimes do not happen on their own or
in isolation. Cybercrimes take place because of weaknesses in cybersecurity practices, and
“privacy” is what gets impacted when cybercrimes happen.

Privacy has the following four key dimensions:

1. Informational/data privacy: It is about data protection, and the users’ rights to
determine how, when and to what extent information about them is communicated to
other parties.
2. Personal privacy: It is about content filtering and other mechanisms to ensure that the
end-users are not exposed to whatever violates their moral senses.
3. Communication privacy: This is as in networks, where encryption of data being
transmitted is important.
4. Territorial privacy: It is about protecting users’ property, for example the user devices,
from being invaded by undesired content such as SMS or E-Mail/spam messages.

The paradigm shift in computing brings many challenges for organizations; some such key
challenges are described here.
Fig: Security threats – paradigm shift.

The key challenges from emerging new information threats to organizations are as follows:
1. Industrial espionage: There are several tools available for web administrators to
monitor and track the various pages and objects that are accessed on their website.
2. IP-based blocking: This process is often used for blocking access from specific IP
addresses and/or domain names.
3. IP-based “cloaking”: Businesses are global in nature and economies are interconnected.
4. Cyberterrorism: “Cyberterrorism” refers to the direct intervention of a threat source
toward the organization’s website.
5. Confidential information leakage: “Insider attacks” are the worst ones. Typically, an
organization is protected from external threats by its firewall and antivirus solutions, but
those controls do nothing against a trusted user who already has legitimate access.

Cost of Cybercrimes and IPR Issues: Lessons for Organizations

Reflecting on the discussion in the previous sections brings us to the point that
cybercrimes cost a lot to organizations.
IV- II SEM CSE, Cyber Security Unit - V

Fig: Cost of cybercrimes.

When a cybercrime incident occurs, there are a number of internal costs associated
with it for organizations, and there are organizational impacts as well.

Detection and recovery constitute a very large percentage of internal costs. This is
supported by a benchmark study conducted by the Ponemon Institute, USA, on a sample of 45
organizations representing more than 10 sectors, each with a head count of at least 500
employees.

Organizations have Internal Costs Associated with Cybersecurity Incidents

The internal costs typically involve people costs, overhead costs and productivity losses.
The internal costs, in order from largest to smallest as supported by the benchmark study
mentioned above, are:
1. Detection costs.
2. Recovery costs.
3. Post-response costs.
4. Investigation costs.
5. Costs of escalation and incident management.
6. Cost of containment.
The consequences of cybercrimes and their associated costs are:
1. Information loss/data theft.
2. Business disruption.
3. Damages to equipment, plant and property.
4. Loss of revenue and brand tarnishing.
5. Other costs.
There are many new endpoints in today’s complex networks; they include hand-held
devices.
Again, there are lessons to learn:
1. Endpoint protection: It is an often-ignored area. Even IP-based printers, although they
are passive devices, are endpoints and must be protected.
2. Secure coding: These practices are important because they are a good mitigation control to
protect organizations from “malicious code” inside business applications.
3. HR checks: These are important prior to employment as well as after employment.
4. Access controls: These are always important; for example, shared IDs and shared laptops
are dangerous because actions can no longer be attributed to one individual.
5. Importance of security governance: It cannot be ignored; the importance of policies,
procedures and their effective implementation cannot be over-emphasized.

Organizational Implications of Software Piracy

Use of pirated software is a major risk area for organizations.
From a legal standpoint, software piracy is an IPR violation crime. Use of pirated
software also increases the organization’s exposure to cybercrime and computer security
threats, on top of the legal liability it creates.

The reasons most often quoted by employees for the use of pirated software are as follows:

1. Pirated software is cheaper and more readily available.
2. Many others use pirated software anyway.
3. Latest versions are available faster when pirated software is used.
Web Threats for Organizations: The Evils and Perils
The Internet and the Web are the way of working today in the interconnected digital economy.
More and more business applications are web based, especially with the growing adoption of
cloud computing.
Overview of Web Threats to Organizations
The Internet has engulfed us! A large number of companies as well as individuals have a
connection to the Internet. Employees expect to have Internet access at work just like they do at
home.
IT managers must also find a balance between allowing reasonable personal Internet use
at work and maintaining productivity and concentration in the office.
Employee Time Wasted on Internet Surfing
This is a very sensitive topic indeed, especially in organizations that claim to have a
“liberal culture.” Some managers believe that it is crucial in today’s business world to keep a
finger on the pulse of their employees.
People seem to spend approximately 45-60 minutes each working day on personal web
surfing at work.
Enforcing Policy Usage in the Organization
An organization has various types of policies. A security policy is a statement produced
by the senior management of an organization, or by a selected policy board or committee to
dictate what type of role security plays within the organization.

Fig: Policy hierarchy chart.


Monitoring and Controlling Employees’ Internet Surfing
A powerful deterrent can be created through effective monitoring and reporting of
employees’ Internet surfing.
Even organizations with restrictive policies can justify a degree of relaxation; for
example, allowing employees to access personal sites only during the lunch hour or during
specified hours.
Keeping Security Patches and Virus Signatures Up to Date
Updating security patches and virus signatures has now become a reality of life, a
necessary activity for safety in the cyberworld! Keeping security systems up to date with security
signatures, software patches, etc. is almost a nightmare for management.
Surviving in the Era of Legal Risks
As websites proliferate, most organizations get worried about employees visiting
inappropriate or offensive websites. Children’s Online Privacy Protection was mentioned earlier.
Serious legal liabilities arise for businesses from employees’ misuse/inappropriate use of
the Internet.
Bandwidth Wastage Issues
Today’s applications are bandwidth hungry; there is increasing image content in
messages, and that too involving transmission of high-resolution images.

There are tools to protect an organization’s bandwidth by stopping unwanted traffic before
it even reaches the Internet connection.

Mobile Workers Pose Security Challenges

Mobile handset devices are also used in cybercrimes. Most mobile communication devices, for
example the personal digital assistant

Challenges in Controlling Access to Web Applications


Today, a large number of organizations’ applications are web based. There will be more
in the future as the Internet offers a wide range of online applications, from webmail or through
social networking to sophisticated business applications.
The Bane of Malware
Many websites contain malware. Such websites are a growing security threat. Although
most organizations are doing a good job of blocking sites declared dangerous, cyber attackers,
too, are learning. Criminals change their techniques rapidly to avoid detection.
The Need for Protecting Multiple Offices and Locations
Delivery from multi-locations and teams collaborating from multi-locations to deliver a
single project are a common working scenario today. Most large organizations have several
offices at multiple locations.
Social Media Marketing: Security Risks and Perils for Organizations
Social media marketing has become dominant in the industry.
According to a fall 2009 survey of marketing professionals, usage of social media sites
by large business-to-business (B2B) organizations was as follows:
1. Facebook is used by 37% of the organizations.
2. LinkedIn is used by 36% of the organizations.
3. Twitter is used by 36% of the organizations.
4. YouTube is used by 22% of the organizations.
5. MySpace is used by 6% of the organizations.
Although the use of social media marketing sites is rampant, there is a problem related to
“social computing” or “social media marketing” – the problem of privacy threats.

Exposures to sensitive PI and confidential business information are possible if due care
is not taken by organizations while using the mode of “social media marketing.”

Fig: Social media - online tools.


Understanding Social Media Marketing
Most professionals today use social technologies for business purposes. Most common
usage include: marketing, internal collaboration and learning, customer service and support,
sales, human resources, strategic planning, product development.
Following are the most typical reasons why organizations use social media marketing to promote
their products and services:
1. To be able to reach to a larger target audience in a more spontaneous and instantaneous
manner without paying large advertising fees.
2. To increase traffic to their website coming from other social media websites by using Blogs
and social and business-networking. Companies believe that this, in turn, may increase their
“page rank” resulting in increased traffic from leading search engines.
3. To reap other potential revenue benefits and to minimize advertising costs because social
media complements other marketing strategies such as a paid advertising campaign.
4. To build credibility by participating in relevant product promotion forums and responding
to potential customers’ questions immediately.
5. To collect potential customer profiles. Social media sites hold information such as user
profile data, which can be used to target a specific set of users for advertising.

There are other tools too that organizations use; the practice of one security vendor, Websense,
illustrates the typical pattern:

1. Twitter is used with higher priority to reach out to the maximum number of marketers in the
technology space and to monitor that space.
2. The professional networking tool LinkedIn is used to connect with and create a community
of top executives from the Fortune 500.
3. Facebook, as the social group or social community tool, is used to drive more traffic to the
Websense website and increase awareness about Websense.
4. YouTube (the video tool, used to run demonstrations of products/services, etc.) is used
to increase brand awareness and create a presence for corporate videos.
5. Wikipedia is also used for brand building and driving traffic.

Security and Privacy Implications from Cloud Computing

There are data privacy risks associated with cloud computing. Basically, putting data in
the cloud may impact privacy rights, obligations and status. There is much legal uncertainty about
privacy rights in the cloud. Organizations should think about the privacy scenarios in terms of
“user spheres.”

There are three kinds of spheres, and their characteristics are as follows:

1. User sphere: Here data is stored on users’ desktops, PCs, laptops, mobile phones, Radio
Frequency Identification (RFID) chips, etc. The organization’s responsibility is to provide access
to users and monitor that access to ensure misuse does not happen.
2. Recipient sphere: Here, data lies with recipients: servers and databases of network providers,
service providers or other parties with whom the data recipient shares data.
3. Joint sphere: Here data lies with the web service provider’s servers and databases. This is the
in-between sphere, where it is not clear to whom the data belongs.
Protecting People’s Privacy in the Organization
Recall the earlier discussion of the costs associated with cybercrimes. A key point in that
discussion is that people perceive their PI/SPI to be very sensitive. From a privacy perspective,
people would hate to be monitored in terms of what they are doing and where they are moving.
In the US, the Social Security Number is a well-established mechanism for uniquely
identifying American citizens and residents; similar thoughts are now emerging in India. The UID
Project was started by the Government of India and is run through an agency called the Unique
Identification Authority of India (UIDAI), based on a similar concept.
Fig: Anonymity by web proxy.
Forensics Best Practices for Organizations
This section focuses on the forensics readiness of organizations. An organization’s forensics
readiness is important; forensics readiness is defined as the ability of an organization to maximize
its potential to use digital evidence while minimizing the costs of an investigation.
Preparation to use digital evidence is not easy: it involves system and staff monitoring;
technical, physical and procedural means to secure data to evidential standards of admissibility;
and processes and procedures to ensure that staff recognize the importance and legal
sensitivities of evidence, with appropriate legal advice and interfacing with law enforcement.
The prime factor in understanding the need for forensics readiness is a risk assessment.

Fig: Cyber forensics and case investigation: Where it ends.


Organizations must Understand Digital Forensics Investigation and Digital Evidences
Organizations must appreciate that the quality and availability of evidence is a passive
aspect of a digital forensics investigation (DFI): it is determined by what was retained before the
incident, not by what the investigator does afterwards.
Cybercriminals are known to exploit the fact that investigation is costly and takes time.
The categories of guiding procedures and activities that facilitate DFI are as follows:
1. Retaining information;
2. Planning the response;
3. Training;
4. Accelerating the investigation;
5. Preventing anonymous activities;
6. Protecting the evidence.

Concerns with Being a Forensically Ready Organization

An effective incident response system is pertinent to an organization’s forensics readiness,
because digital evidence is required whenever it can be used to support a legal process.

Key Activities for Organizations Getting Forensically Ready

In the context of the forensic readiness discussion, the key activities are those that an
organization should consider if it wishes to be forensically ready.

Benefits of Being a Forensically Ready Organization

To conclude the discussion on forensics readiness, we present the benefits that an
organization can derive from its forensics readiness:
1. The ability to gather evidence that can serve in the company’s defense if subjected to a
lawsuit.
2. Comprehensive evidence gathering can be developed as a deterrent to the insider threat.
3. In case of a major incident, a rapid and efficient investigation can be conducted and actions
can be taken with a view to minimal disruption to the business.
4. Reduction in cost and time of an internal investigation through a systematic approach to
evidence storage.
5. A structured approach to evidence storage can reduce the costs of any court-ordered
disclosure or regulatory or legal need to disclose data.
6. Forensics readiness can widen the scope of information security to the wider threat from
cybercrime, such as IP protection, fraud or extortion.
7. It demonstrates due diligence and good corporate governance of the company’s information
assets.
8. It can improve and facilitate the interface to law enforcement, if involved.
9. It can improve the prospects for a successful legal action.
10. It can provide evidence to resolve a commercial dispute.
11. It can support employee sanctions based on digital evidence.
