Introduction and Overview of Cyber Crime
Cybercrime that targets computers often involves viruses and other types of malware.
Cybercriminals may infect computers with viruses and malware to damage devices or stop them working.
They may also use malware to delete or steal data.
Cybercrime that stops users using a machine or network, or prevents a business providing a software service
to its customers is called a Denial-of-Service (DoS) attack.
Cybercrime that uses computers to commit other crimes may involve using computers or networks to spread
malware, illegal information or illegal images.
Sometimes cybercriminals conduct both categories of cybercrime at once: they first infect computers with
viruses, then use those machines to spread malware to other computers or throughout a network.
Cybercriminals may also carry out what is known as a Distributed Denial-of-Service (DDoS) attack. This is
similar to a DoS attack, but the traffic comes from numerous compromised computers (a botnet) at once.
Cybercrimes against persons - Cybercrimes committed against persons include crimes such as the
transmission of child pornography and the harassment of anyone by means of a computer, for example by e-mail.
The trafficking, distribution, posting and dissemination of obscene material, including pornography and
indecent exposure, constitutes one of the most serious cybercrimes known today. The potential harm of such
crimes can hardly be overstated.
Cybercrimes against property - The second category of Cyber-crimes is that of Cybercrimes against all
forms of property. These crimes include computer vandalism (destruction of others' property), transmission
of harmful programs.
Cybercrimes against government - The third category of cybercrimes is that of cybercrimes against
government. Cyber terrorism is one distinct kind of crime in this category. The growth of the internet has
shown that cyberspace is being used by individuals and groups to threaten governments and to terrorize the
citizens of a country. This crime manifests itself as terrorism when, for example, an individual "cracks" into
a government- or military-maintained website.
Types of cybercrime
Here are some specific examples of the different types of cybercrime:
Email and internet fraud - Email fraud (or email scam) is intentional deception for either personal
gain or to damage another individual by means of email. Internet fraud is the use of Internet services
or software with Internet access to defraud victims or to otherwise take advantage of them.
Identity fraud (where personal information is stolen and used) - is the use by one person of another
person's personal information, without authorization, to commit a crime or to deceive or defraud that
other person or a third person.
Theft of financial or card payment data - The purpose may be to obtain goods or services, or to
make payment to another account which is controlled by a criminal.
Theft and sale of corporate data - Data theft is the act of stealing information stored on corporate
databases, devices, and servers. This form of corporate theft is a significant risk for businesses of all
sizes and can originate both inside and outside an organization.
Cyber extortion (demanding money to prevent a threatened attack) - Cyber extortion is a crime
involving an attack or threat of an attack coupled with a demand for money or some other response in
return for stopping or remediating the attack.
Cyber extortion attacks start with a hacker gaining access to an organization's systems and seeking
points of weakness or targets of value. While ransomware attacks can be automated through malware
spread by email, infected websites or ad networks, these attacks tend to spread indiscriminately, and
they may result in only a small percentage of victims paying the extortionists. More targeted attacks
can produce less collateral damage while providing more lucrative targets for the extortion attempt.
Ransomware attacks (a type of cyber extortion) - Ransomware is a type of malicious
software (malware) that blocks access to data or a computer system, usually by encrypting it, or threatens
to publish stolen data, until the victim pays a ransom to the attacker. In many cases the ransom demand comes
with a deadline; if the victim does not pay in time, the attacker threatens to destroy the decryption key or
release the data. Paying does not guarantee recovery, which is why offline backups matter.
Cryptojacking (where hackers mine cryptocurrency using resources they do not own) - Cryptojacking
is the unauthorized use of someone else's computer to mine cryptocurrency. Attackers do this either by
getting the victim to click a malicious link in an email that loads crypto-mining code onto the computer, or
by infecting a website or online ad with JavaScript that runs automatically once loaded in the victim's
browser.
Cyberespionage (where hackers access government or company data) - Cyber espionage is a form
of cyber-attack that steals classified, sensitive data or intellectual property to gain an advantage over a
competitive company or government entity.
Drug Trafficking
Drug traffickers generally use encrypted messaging tools to communicate with drug mules. There have been
several dark-web marketplaces for drugs; the site 'Silk Road' was the most notorious before it was shut down
by law enforcement. It reopened under new management, was shut down again, and another site later appeared
under the same name purely to exploit the brand.
A prominent example of drug trafficking by way of cybercrime is the attack on the port of Antwerp in Belgium
between 2011 and 2013. It was reported that hackers were hired by drug traffickers to breach the IT systems
that controlled the movements and locations of shipping containers. In an earlier police raid, a large amount
of drugs and cash, along with computer hacking equipment, had been seized, and several persons were charged.
Prosecutors reported that a Netherlands-based trafficking group had hidden cocaine and other drugs in
legitimate cargo containers while the hacker group operated inside the port's computer networks. The hackers
could access the secure data on the location and security details of the containers and, by several methods,
removed their marked cargo before the legitimate owner arrived. Suspicion first arose when containers were
found to be disappearing from the port without any reasonable explanation. It was found that the hackers had
e-mailed malicious software to port staff in order to gain remote access to the data. Even after the initial
breach was discovered and a firewall was put in place to block further attacks, the attackers were reported
to have physically entered the premises and installed key loggers on the computers.
Preventing illegal drug trafficking is never easy, and when it is carried out by way of cybercrime it
becomes harder still, because cyberspace has no borders. The drug trade is international in nature, and law
enforcement agencies are not always effective because of the wide and complex nature of the attackers.
Since the profits from drug trafficking and from cybercrime are both large, one or two arrests here and there
achieve little. International laws and partnerships across nations have to be strong: one nation must assist
another in investigation or in the extradition of a criminal. Overall, to neutralize drug trafficking carried
out through cybercrime, one nation's law is never sufficient. These are the areas where the United Nations or
INTERPOL can take measures.
Cyber Terrorism
Cyber terrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of
life or significant bodily harm, in order to achieve political or ideological gains through threat or
intimidation.
It is also sometimes considered to include acts of Internet terrorism: deliberate, large-scale disruption of
computer networks, especially of personal computers attached to the Internet, by means of tools such as
computer viruses, computer worms, phishing, and other malicious software, hardware methods and programming
scripts.
Cyber terrorism is a controversial term. Some authors opt for a very narrow definition, relating to
deployment by known terrorist organizations of disruption attacks against information systems for the
primary purpose of creating alarm, panic, or physical disruption. Other authors prefer a broader
definition, which includes cybercrime. Participating in a cyber-attack affects the terror threat
perception, even if it isn't done with a violent approach. By some definitions, it might be difficult to
distinguish which instances of online activities are cyber terrorism or cybercrime.
Cyber terrorism can also be defined as the intentional use of computers, networks, and the public
internet to cause destruction and harm for personal objectives.
Experienced cyber terrorists, who are very skilled in terms of hacking can cause massive damage to
government systems, hospital records, and national security programs, which might leave a country,
community or organization in turmoil and in fear of further attacks. The objectives of such terrorists
may be political or ideological since this can be considered a form of terror.
There is much concern from government and media sources about the potential damage that could be caused
by cyber terrorism, and this has prompted efforts by government agencies such as the Federal Bureau of
Investigation (FBI) and the Central Intelligence Agency (CIA) to counter cyber-attacks and cyber terrorism.
Conceptually, its use for this purpose falls into three categories:
(i) weapon of mass destruction;
(ii) weapon of mass distraction; and
(iii) weapon of mass disruption
Need of Information Security
Information security means assessing the available countermeasures or controls against the vulnerabilities
that have been uncovered and identifying the areas where more work is needed. The purpose of information
security management is to ensure business continuity and to reduce business damage by preventing and
minimizing the impact of security incidents. The basic principles of Information Security are:
Confidentiality
Authentication
Non-Repudiation
Integrity
A threat is anything that can take advantage of a vulnerability to breach security and negatively alter,
erase or harm an object of interest.
Software attacks means attacks by viruses, worms, Trojan horses, etc. Many users believe that malware,
viruses, worms and bots are all the same thing. They are not; their only similarity is that they are all
malicious software, and each behaves differently.
Malware is a combination of two terms, malicious and software, so malware basically means malicious
software: any intrusive program code, or anything else, designed to perform malicious operations on a
system. Malware can be classified in two ways:
1. By infection method (how it spreads, for example as a virus, worm or Trojan horse)
2. By malware action (what it does once it runs)
Theft of intellectual property means violation of intellectual property rights like copyrights, patents
etc.
Identity theft means impersonating someone else in order to obtain that person's personal information or
to access information they hold, for example by logging into a person's computer or social media account
using their login credentials.
Theft of equipment and information is increasing these days because of the mobile nature of devices and
their increasing storage capacity.
Sabotage means defacing or destroying a company's website to cause its customers to lose confidence.
Information extortion means theft of a company's property or information in order to receive payment in
exchange. For example, ransomware may lock a victim's files, making them inaccessible and forcing the victim
to pay; only after payment, the attacker claims, will the files be unlocked.
Information Assurance
Information Assurance concerns the implementation of methods focused on protecting and safeguarding critical
information and the relevant information systems by assuring confidentiality, integrity, availability and
non-repudiation. It is a strategic approach that focuses more on the deployment of policies than on building
infrastructure.
Information States:
1. Transmission – The time during which data is moving between processing steps.
Example: In transit over a network when a user sends an email to a reader, including any memory and storage
the data passes through during delivery.
2. Storage – The time during which data is saved on a medium such as a hard drive.
Example: A user saving a document on a file server's disk.
3. Processing – The time during which data is being processed.
Example: Data being processed in the random access memory (RAM) of a workstation.
Security Services:
1. Confidentiality – Assures that the information in a system is not disclosed to unauthorized parties and
is read and interpreted only by persons authorized to do so. Protection of confidentiality prevents both
malicious access and accidental disclosure of information. Information that is considered confidential is
called sensitive information. To ensure confidentiality, data is classified into categories according to
the damage its disclosure would cause, and controls are applied accordingly.
Example: Protecting email content so that it can be read only by the intended set of users. This can be
ensured by encrypting the data. Access control depends on authentication: two-factor authentication, strong
passwords, security tokens and biometric verification are common ways of authenticating users before they
access sensitive data.
2. Integrity – Ensures that sensitive data is accurate and trustworthy and cannot be created, changed or
deleted without proper authorization. Maintaining integrity means preventing the modification or destruction
of information by unauthorized parties, and detecting it when it happens.
To preserve integrity, backups should be planned and implemented so that any affected data can be restored
after a security breach. In addition, a cryptographic checksum (a hash, or a keyed hash such as an HMAC) can
be used to verify that data has not been altered.
Example: Implementing measures to verify that e-mail content was not modified in transit. This can be
achieved with cryptography, which ensures that the intended user receives correct and accurate information.
3. Availability – Guarantees reliable and constant access to data for authorized users. It involves measures
to sustain access to data in spite of system failures and sources of interference.
To ensure availability, corrupted data must be eliminated, recovery time must be shortened and the physical
infrastructure must be made resilient.
Example: Access to, and the throughput of, an e-mail service.
4. Authentication – A security service designed to establish the validity of a transmission or message by
verifying the identity of the individual who is to receive a specific category of information.
To provide authentication, various single-factor and multi-factor authentication methods are used. A
single-factor method uses one parameter to verify the user's identity, whereas multi-factor authentication
combines two or more factors (something you know, something you have, something you are).
Example: Entering a username and password when logging in to a website is an example of authentication.
Entering the correct login information lets the website verify our identity and ensures that only we access
the sensitive information.
5. Non-Repudiation –
A mechanism to ensure that the sender or receiver cannot deny having taken part in a data transmission. When
the sender sends data, it receives a confirmation of delivery; when the receiver receives the message, the
message carries proof of who sent it. In practice this proof is a digital signature: only the holder of the
private key could have produced it, so a third party can later verify it. A simple delivery receipt shows
only that a message arrived, not who wrote it.
Example: A common example is sending an SMS from one mobile phone to another. After the message is received,
a delivery confirmation is displayed to the sender, and the message received carries information about the
sender. Note that this provides evidence of delivery rather than cryptographic non-repudiation.
Security Countermeasures:
1. People – People are the heart of an information system. Administrators and users of information systems
must follow policies and good practice when designing and operating systems. They must be informed regularly
about the information system and be ready to act appropriately to safeguard it.
2. Policy & Practice – Every organization has a set of rules defined in the form of policies that must be
followed by every individual working in the organization. These policies must be practised so that sensitive
information is handled properly, including when a system is compromised.
3. Technology – Appropriate technology such as firewalls, routers, and intrusion detection must be used
in order to defend system from vulnerabilities, threats. The technology used must facilitate quick
response whenever information security gets compromised.
Cyber Security
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks,
and data from malicious attacks. It's also known as information technology security or electronic information
security. The term applies in a variety of contexts, from business to mobile computing, and can be divided
into a few common categories.
Network security is the practice of securing a computer network from intruders, whether targeted
attackers or opportunistic malware.
Application security focuses on keeping software and devices free of threats. A compromised
application could provide access to the data it's designed to protect. Successful security begins in the
design stage, well before a program or device is deployed.
Information security protects the integrity and privacy of data, both in storage and in transit.
Operational security includes the processes and decisions for handling and protecting data assets.
The permissions users have when accessing a network and the procedures that determine how and
where data may be stored or shared all fall under this umbrella.
Disaster recovery and business continuity define how an organization responds to a cyber-security
incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate
how the organization restores its operations and information to return to the same operating capacity
as before the event. Business continuity is the plan the organization falls back on while trying to operate
without certain resources.
End-user education addresses the most unpredictable cyber-security factor: people. Anyone can
accidentally introduce a virus to an otherwise secure system by failing to follow good security
practices. Teaching users to delete suspicious email attachments, not plug-in unidentified USB drives,
and various other important lessons is vital for the security of any organization.
Computer Intrusion
Computer intrusions occur when someone tries to gain access to any part of your computer system. Computer
intruders or hackers typically use automated programs when they try to compromise a computer's security.
There are several ways an intruder can try to gain access to your computer. They can:
1. Access your computer to view, change, or delete information on your computer.
2. Crash or slow down your computer.
3. Access your private data by examining the files on your system.
4. Use your computer to access other computers on the Internet.
Ways a virus can get onto your computer system:
By downloading files from the Internet.
Through removable media or drives, such as USB pen drives.
Through e-mail attachments.
Through unpatched software and services.
Through unprotected or weak administrator passwords.
Impact of Virus
The impact of a virus on your computer system can include the following:
Disrupting the normal functioning of the computer system.
Disrupting the system's use of the network.
Modifying the configuration settings of the system.
Destroying data.
Disrupting computer network resources.
Destroying or exposing confidential data.
Malicious Code - is the kind of harmful computer code or web script designed to create system vulnerabilities
leading to back doors, security breaches, information and data theft, and other potential damages to files and
computing systems. It's a type of threat that may not be blocked by antivirus software on its own. Malware
specifically refers to malicious software, but malicious code includes website scripts that can exploit
vulnerabilities in order to upload malware.
It is an auto-executable application that can activate itself and take on various forms, including Java Applets,
ActiveX controls, pushed content, plug-ins, scripting languages or other programming languages that are
designed to enhance Web pages and email.
The code gives a cybercriminal unauthorized remote access to the attacked system — called an application
back door — which then exposes sensitive company data. By unleashing it, cybercriminals can even wipe out
A Hacker is a person who finds and exploits the weakness in computer systems and/or networks to gain
access. Hackers are usually skilled computer programmers with knowledge of computer security.
Hackers are classified according to the intent of their actions. The following list classifies types of hackers
according to their intent:
Ethical Hacker (White hat): A security hacker who gains access to systems with a view to fix the
identified weaknesses. They may also perform penetration Testing and vulnerability assessments.
Cracker (Black hat): A hacker who gains unauthorized access to computer systems for personal gain.
The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts
etc.
Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer
systems without authority with a view to identify weaknesses and reveal them to the system owner.
Script kiddies: A non-skilled person who gains access to computer systems using already made tools.
Hacktivist: A hacker who uses hacking to send social, religious, political or other messages. This is
usually done by hijacking websites and leaving the message on the hijacked website.
Phreaker: A hacker who identifies and exploits weaknesses in telephones instead of computers.
Cracking
Cracking is a technique used to breach computer software or an entire computer security system with
malicious intent.
Cracking is when someone performs a security hack for criminal or malicious reasons, and the person is
called a "cracker." Just as a bank robber cracks a safe by skilfully manipulating its lock, a cracker breaks
into a computer system, program or account with the aid of technical skill, and always with the aim of doing
something illicit once inside: stealing data, impersonating someone, or even just using paid software for
free.
Software Piracy
Software piracy is the act of stealing software that is legally protected. This stealing includes copying,
distributing, modifying or selling the software.
Copyright laws were originally put into place so that the people who develop software (programmers, writers,
graphic artists, etc.) would get the proper credit and compensation for their work. When software piracy
occurs, compensation is stolen from these copyright holders.
Advantages of Intellectual Property Rights
Intellectual property rights are advantageous in the following ways −
Provides exclusive rights to the creators or inventors.
Encourages individuals to distribute and share information and data instead of keeping it confidential.
Provides legal defense and offers the creators the incentive of their work.
Helps in social and financial development.
Mail Bombs
An email bomb is an attack against an email inbox or server designed to overwhelm an inbox or inhibit the
server's normal function, rendering it unresponsive, preventing email communications, degrading network
performance, or causing downtime. The intensity of an email bomb can range from an inconvenience to a
complete denial of service. Typically, these attacks persist for hours or until the targeted inbox or server
implements a mitigation tactic to filter or block the attacking traffic. Such attacks can be carried out
intentionally or unintentionally by a single actor, group of actors, or a botnet.
This inundates inboxes with a cascade of emails, which are compounded by automated replies, such
as out-of-office messages. These are often accidental in nature. This can also occur when a malicious
actor spoofs an email address and the automatic replies are directed toward the spoofed address.
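As an added example (not from the course notes), the following detection logic runs over constructed mail
server log lines and flags the pattern described above: one recipient receiving a burst of messages from
many distinct senders within a short window. The log format, addresses and timestamps are invented for the
example; a real Postfix or Exim log would need its own regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not the course's own code). Constructed MTA log lines in an
# invented "<timestamp> from=<...> to=<...>" format.
SAMPLE_LOG = """\
2024-01-15T10:00:01 from=<promo@shop-a.test> to=<victim@example.com>
2024-01-15T10:00:04 from=<noreply@shop-b.test> to=<victim@example.com>
2024-01-15T10:00:09 from=<alice@example.com> to=<other@example.com>
2024-01-15T10:00:11 from=<signup@forum-c.test> to=<victim@example.com>
2024-01-15T10:00:15 from=<news@site-d.test> to=<victim@example.com>
2024-01-15T10:00:20 from=<welcome@app-e.test> to=<victim@example.com>
2024-01-15T10:00:25 from=<confirm@store-f.test> to=<victim@example.com>
2024-01-15T10:03:00 from=<bob@example.com> to=<other@example.com>
"""

LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]+)>")

def parse_log(text):
    """Yield (timestamp, sender, recipient) for each well-formed line, in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3).lower()

def detect_mail_bombs(text, threshold=5, window_seconds=60):
    """Flag recipients that receive >= threshold messages inside a sliding time window.

    Returns {recipient: (peak messages in window, peak distinct senders in window)}.
    A high distinct-sender count is the signature of a subscription bomb, where the
    attacker signs the victim up to many services and their confirmation mails pile in.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender) in window
    flagged = {}
    for ts, sender, rcpt in parse_log(text):
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            distinct = len({s for _, s in q})
            peak_count, peak_distinct = flagged.get(rcpt, (0, 0))
            flagged[rcpt] = (max(peak_count, len(q)), max(peak_distinct, distinct))
    return flagged

if __name__ == "__main__":
    for rcpt, (count, senders) in detect_mail_bombs(SAMPLE_LOG).items():
        print(f"{rcpt}: {count} messages from {senders} senders within 60s")
```

On the sample log only victim@example.com crosses the threshold (six messages from six different senders in
under half a minute); the two ordinary messages to other@example.com are minutes apart and are ignored. The
same per-recipient window, applied to outbound auto-replies, also catches the out-of-office loop against a
spoofed address mentioned above.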
Password Cracking
Password cracking techniques are used to recover passwords from data stored in or transmitted by computer
systems, typically by guessing candidate passwords and comparing their hashes against the stored hashes.
Attackers use password-cracking techniques to gain unauthorized access to a vulnerable system.
Most password-cracking attempts succeed because of weak or easily guessable passwords.
Password cracking may also be used legitimately to recover a user's forgotten password or to audit the
strength of an organization's passwords.
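The following added example (not from the course notes) shows the dictionary attack behind the statement
above, and why storage choices change its cost: against unsalted hashes one lookup table cracks every user at
once, a per-user salt forces a full wordlist pass per user, and a slow hash (PBKDF2) multiplies the cost of
every guess. The wordlist and the three "stored" credentials are constructed; the wordlist stands in for a
real dictionary such as rockyou.txt.

```python
import hashlib
import os

# Added example (not the course's own code). Constructed wordlist and credentials.
WORDLIST = ["password", "123456", "qwerty", "letmein", "summer2023", "dragon"]

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()

def slow_hash(salt, password, iterations=10_000):
    # PBKDF2 costs `iterations` hash operations per guess instead of one;
    # 10k is kept low so the demo runs quickly, real deployments use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def crack_unsalted(stored, wordlist):
    """stored: {user: hex_hash}. One table, built once, cracks every user at once."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def crack_salted(stored, wordlist, hash_fn):
    """stored: {user: (salt, hex_hash)}. The salt forces a full wordlist pass per user."""
    cracked = {}
    for user, (salt, h) in stored.items():
        for word in wordlist:
            if hash_fn(salt, word) == h:
                cracked[user] = word
                break
    return cracked

def demo():
    # Constructed credential stores: two passwords from the wordlist, one passphrase not in it
    passwords = {"alice": "123456", "bob": "qwerty", "carol": "correct horse battery staple"}
    unsalted_db = {u: unsalted_hash(p) for u, p in passwords.items()}
    salts = {u: os.urandom(16) for u in passwords}  # one random salt per user
    salted_db = {u: (salts[u], salted_hash(salts[u], p)) for u, p in passwords.items()}
    slow_db = {u: (salts[u], slow_hash(salts[u], p)) for u, p in passwords.items()}
    return {
        "unsalted": crack_unsalted(unsalted_db, WORDLIST),
        "salted": crack_salted(salted_db, WORDLIST, salted_hash),
        "slow": crack_salted(slow_db, WORDLIST, slow_hash),
    }

if __name__ == "__main__":
    for scheme, cracked in demo().items():
        print(f"{scheme}: cracked {cracked}")
```

All three schemes give up alice's and bob's passwords, because those passwords are in the wordlist; carol's
passphrase is never recovered. Salting and key stretching raise the attacker's cost (per-user work and many
hash operations per guess), but they do not rescue a password that a dictionary already contains, which is
the point made above about weak or guessable passwords.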
Steganography
Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order
to avoid detection; the secret data is then extracted at its destination.
Use of Steganography
There are many ways to conceal information using steganography. The most common is embedding information
into digital images.
1. Least Significant Bit (LSB) Insertion - A digital image contains megabytes of data in the form of pixel
values, which leaves plenty of room to embed steganographic information within the file. (LSB insertion is
applied to lossless formats such as PNG or BMP; in a lossy JPEG the bits are hidden in the compressed
coefficients instead.) Using steganographic applications, an attacker alters the least significant bits of
the pixel data and hides a malicious payload in the image. Opening the image does not run anything by itself;
a separate loader component already on the target's computer extracts the hidden bytes and executes them,
giving the attacker a way to gain control of the user's device or network. The danger of steganography is
that the difference between the original image and the steganographic image is subtle, and the two cannot be
distinguished by the naked eye.
2. Palette Based Technique - This technique also uses digital images as malware carriers. Here, the
attackers first encrypt the message and then hide it in a stretched palette of the cover image. Even
though this technique can carry a limited amount of data, it frustrates threat hunters since the
malware is encrypted and takes a lot of time to decrypt.
3. Secure Cover Selection - This is a very complex technique where the cyber criminals compare the
blocks of the carrier image to the blocks of their specific malware. If an image with the same blocks
as the malware is found, it is chosen as the candidate to carry the malware. The identical malware
blocks are then carefully fitted into the carrier image. The resulting image is identical to the original
and the worst part is that this image is not flagged as a threat by detection software and applications.
These are just a few of the methods by which black-hat hackers use steganography to frustrate defenders.
Steganography allows attackers to operate in stealth mode while conducting a serious attack; because the
payload is hidden inside an innocuous file, it frequently evades signature-based detection. Preventive
measures include deploying security patches, updating software, educating end users, and inspecting or
re-encoding images at the network boundary, which destroys payloads hidden in the least significant bits.
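The following added example (not from the course notes) implements the LSB technique described above over a
constructed byte string standing in for raw 8-bit pixel samples: it embeds a payload one bit per sample,
extracts it again, and measures how little the carrier changes. The cover data, the payload and the 4-byte
length header are assumptions of this example, not a format used by any particular tool.

```python
# Added example (not the course's own code): LSB steganography over raw sample bytes.

HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload

def _to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def _from_bits(bits):
    out = bytearray()
    for k in range(0, len(bits), 8):
        value = 0
        for bit in bits[k:k + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def embed_lsb(cover, payload):
    """Overwrite the least significant bit of successive cover samples with payload bits."""
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    bits = _to_bits(data)
    if len(bits) > len(cover):
        raise ValueError(f"payload needs {len(bits)} samples, cover has {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # each sample moves by at most 1
    return bytes(stego)

def extract_lsb(stego):
    """Read the length header, then that many payload bytes, from the LSB plane."""
    lsb = [sample & 1 for sample in stego]
    length = int.from_bytes(_from_bits(lsb[:HEADER_BYTES * 8]), "big")
    start, end = HEADER_BYTES * 8, (HEADER_BYTES + length) * 8
    if end > len(lsb):
        # an untouched cover yields a nonsense length; refuse rather than return garbage
        raise ValueError(f"no valid LSB payload (length header {length})")
    return _from_bits(lsb[start:end])

def max_sample_delta(a, b):
    return max(abs(x - y) for x, y in zip(a, b))

def changed_samples(a, b):
    return sum(1 for x, y in zip(a, b) if x != y)

def demo():
    # Constructed cover: a smooth gradient standing in for raw 8-bit pixel samples
    cover = bytes((i * 7) % 256 for i in range(4096))
    payload = b"meet at 0300 - constructed secret"
    stego = embed_lsb(cover, payload)
    return {
        "recovered": extract_lsb(stego),
        "max_delta": max_sample_delta(cover, stego),  # never more than 1
        "changed": changed_samples(cover, stego),     # about half the samples used
        "capacity_bytes": len(cover) // 8 - HEADER_BYTES,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Every altered sample differs from the original by exactly one unit of intensity, which is why the change is
invisible to the eye; that is also why a defender cannot rely on looking at images and instead needs
statistical analysis of the LSB plane, comparison against a known original, or re-encoding that discards
those bits altogether.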
Software Key loggers - Software key loggers are programs installed on your device's hard drive. Common
types include:
API-based key loggers eavesdrop on the signals sent from each key press to the program you're typing into.
Application programming interfaces (APIs) allow software developers and hardware manufacturers to speak the
same "language" and integrate with each other. API key loggers quietly intercept the keyboard APIs, logging
each keystroke to a file.
"Form grabbing"-based key loggers capture all text entered into website forms when you submit them to the
server. The data is recorded locally before it is transmitted to the web server.
Kernel-based key loggers work their way into the system's core to obtain admin-level permissions. These
loggers can bypass other protections and get unrestricted access to everything entered on your system.
Hardware Key loggers - Hardware key loggers are physical components built into or connected to your device.
Some hardware methods may be able to track keystrokes without even being connected to your device. For
brevity, we'll include the key loggers you are most likely to have to fend off:
Keyboard hardware Key loggers can be placed in line with your keyboard‘s connection cable or built
into the keyboard itself. This is the most direct form of interception of your typing signals.
Hidden camera Key loggers may be placed in public spaces like libraries to visually track keystrokes.
USB disk-loaded Key loggers can be a physical Trojan horse that delivers the keystroke logger
malware once connected to your device.
Spyware
Spyware is a broad category of malware designed to secretly observe activity on a device and send
those observations to a snooper. That data can be used to track your activity online and that information
can be sold to marketers.
Spyware can also be used to steal personal information, such as account passwords and credit card
numbers, which can result in identity theft and fraud.
Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data
and sensitive information.
Spyware is classified as a type of malware — malicious software designed to gain access to or damage
your computer, often without your knowledge. Spyware gathers your personal information and relays
it to advertisers, data firms, or external users.
Types of spyware
Spyware can take a number of forms. They include:
Adware: It eyes your online activity and displays ads it thinks you'll be interested in based on that
information. Although benign compared to some other forms of spyware, adware can have an impact
on the performance of a device, as well as just being annoying.
Tracking cookies: They're similar to adware, although they tend to be less intrusive.
Trojans: After landing on a device, they look for sensitive information, such as bank account
information, and send it to a seedy third-party who will use it to steal money, compromise accounts or
make fraudulent purchases. They can also be used to gain control of a computer through the installation
of a backdoor or a remote access Trojan (RAT).
Key loggers: They allow a miscreant to capture every keystroke from your keyboard, including the
keystrokes you use when you log into your online accounts.
Stalkerware: It's typically installed on a mobile phone so the owner of the phone can be tracked by a
third party. For example, during the trial of Joaquín "El Chapo" Guzmán, it was revealed the drug
kingpin installed spyware on the phones of his wife, associates and female friends so he could read
their text messages, listen to their conversations and follow their movements.
Stealware: It's crafted to take advantage of online shopping sites awarding credits to websites that
send traffic to their product pages. When a user goes to one of those sites, stealware intercepts the
request and takes credit for sending the user there.
System monitors: They record everything that's happening on a device—from keystrokes, emails and
chat room dialogs to websites visited, programs launched, and phone calls made—and send it to a
snoop or cyber-criminal. They can also monitor a system's processes and identify any vulnerability on
it.
Spyware can be harmful, but it can be removed and prevented by being cautious and using an antivirus tool.
If you've been infected with spyware, take steps to remove it. Be proactive by changing your passwords and
notifying your bank to watch for fraudulent activity.
company. Cybercriminals tend to exploit security holes in outdated software programs. In addition to
operating system updates, you should also check for updates on other software that you use on your
computer.
Protect your accounts with complex, unique passwords. Create a unique password for each account
using a complex combination of letters, numbers, and symbols.
Keep your personal information safe with firewalls.
Back up your files regularly. If a Trojan infects your computer, this will help you to restore your data.
Be careful with email attachments. To help stay safe, scan an email attachment first.
A lot of things you should do come with a corresponding thing not to do: do be careful with email
attachments, and don't click on suspicious email attachments. Here are some more don'ts.
Don't visit unsafe websites. Some internet security software, such as Norton Safe Web, will alert you
that you're about to visit an unsafe site.
Don't open a link in an email unless you're confident it comes from a legitimate source and you know
exactly where it leads. In general, avoid opening unsolicited emails from senders you don't know.
Don't download or install programs if you don't have complete trust in the publisher.
Don't click on pop-up windows that promise free programs that perform useful tasks.
Phishing
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message
by someone posing as a legitimate institution to lure individuals into providing sensitive data such as
personally identifiable information, banking and credit card details, and passwords.
The information is then used to access important accounts and can result in identity theft and financial
loss.
Phishing is an example of social engineering techniques used to deceive users. Users are lured by
communications purporting to be from trusted parties such as social networking websites, auction sites,
banks, and mails/messages from friends or colleagues/executives, online payment systems or IT
administrators.
Types of phishing
Spear phishing - Phishing attempts directed at specific individuals or companies
Catphishing and catfishing - is a type of online deception that involves getting to know someone
closely in order to gain access to information or resources, usually in the control of the mark, or to
otherwise get control over the conduct of the target.
Clone phishing - is a type of phishing attack whereby a legitimate, and previously delivered, email
containing an attachment or link has had its content and recipient address(es) taken and used to create
an almost identical or cloned email.
Voice phishing - uses fake caller-ID data to give the appearance that calls come from a trusted
organization.
SMS phishing - or smishing uses cell phone text messages to deliver the bait to induce people to
divulge their personal information.
is shown. The settings of the browser should only allow reliable websites to open up.
Many websites require users to enter login information only after a user-chosen image is displayed, as a
check that the site is genuine. This type of system may still be open to security attacks. One way to limit
the damage is to change passwords on a regular basis, and never use the same password for multiple
accounts. It's also a good idea for websites to use a CAPTCHA system for added security.
Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report
phishing to industry groups where legal actions can be taken against these fraudulent websites.
Organizations should provide security awareness training to employees to recognize the risks.
Changes in browsing habits are required to prevent phishing. If verification is required, always contact
the company directly, using a phone number or address you already know, before entering any details online.
If there is a link in an email, hover over the URL first and check where it really leads. Sites served with a
valid TLS (formerly SSL) certificate begin with "https", but this only means the connection is encrypted:
phishing sites can obtain valid certificates too, so the padlock alone is no proof that the site is legitimate.
Browsers now flag plain http sites as not secure, so nearly all legitimate sites use HTTPS.
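The hover check above can be automated for an HTML e-mail. The following is an added example written for these notes, not code from the course or from any product; the brand domain in TRUSTED_DOMAINS, the sample mail and every host name in it are constructed for the demo, and the registrable-domain helper deliberately ignores the public suffix list to stay short.

```python
# Added example, not part of the course notes: automate the "hover over the
# URL first" check for an HTML e-mail. TRUSTED_DOMAINS, SAMPLE_MAIL and the
# host names in it are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

TRUSTED_DOMAINS = {"example-bank.com"}  # the brand the mail claims to be from


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _registrable(host):
    # Demo approximation: last two labels (a real check uses the public suffix list).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, reason)] for links that fail the hover check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not host:                      # mailto:, relative links, etc.
            continue
        reasons = []
        if _is_ip(host):
            reasons.append("target is a bare IP address")
        if "xn--" in host:
            reasons.append("punycode host name, possible homograph")
        if text.lower().startswith(("http://", "https://", "www.")):
            shown_host = _host(text if "://" in text else "http://" + text)
            if _registrable(shown_host) != _registrable(host):
                reasons.append(f"shown {shown_host} but really goes to {host}")
        for brand in trusted:
            if brand in host and _registrable(host) != brand:
                reasons.append(f"lookalike of {brand}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


SAMPLE_MAIL = """<p>Dear customer, your account is locked. Please
<a href="http://example-bank.com.evil-host.net/login">https://www.example-bank.com/login</a>
to verify, or call <a href="mailto:help@example-bank.com">support</a>.</p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>"""  # constructed

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_MAIL):
        print(f"{href}\n    {why}")
```

Run on the constructed mail, only the first link is reported: its visible text claims the bank's site while the real target lives under a different registrable domain that merely contains the bank's name.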
DOS Attack
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or
sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users
(i.e., employees, members, or account holders) of the service or resource they expected.
DoS attacks often target the web servers of high-profile organizations such as banking, commerce, and
media companies, or government and trade organizations. Though DoS attacks do not typically result in
the theft or loss of significant information or other assets, they can cost the victim a great deal of time
and money to handle.
A denial-of-service (DoS) attack is a type of cyber-attack in which a malicious actor aims to render a
computer or other device unavailable to its intended users by interrupting the device's normal
functioning.
DoS attacks typically function by overwhelming or flooding a targeted machine with requests until
normal traffic can no longer be processed, resulting in denial of service to additional users.
A DoS attack is characterized by using a single computer to launch the attack.
There are two general methods of DoS attacks: flooding services or crashing services.
Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow
down and eventually stop responding.
Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these
attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize
the system, so that it can't be accessed or used.
DDOS Attack
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming the target or its surrounding infrastructure with a
flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources
of attack traffic. Exploited machines can include computers and other networked resources such as IoT
devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing
regular traffic from arriving at its destination.
Working
DDoS attacks are carried out with networks of Internet-connected machines.
These networks consist of computers and other devices (such as IoT devices) which have been infected
with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred
to as bots (or zombies), and a group of bots is called a botnet.
Once a botnet has been established, the attacker is able to direct an attack by sending remote
instructions to each bot.
When a victim's server or network is targeted by the botnet, each bot sends requests to the target's IP
address, potentially causing the server or network to become overwhelmed, resulting in a denial of service
to normal traffic.
Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can
be difficult.
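Because each bot looks like a legitimate client, the usual first cut at separating attack traffic from normal traffic is behavioural: count requests per source inside a sliding time window. The block below is an added example for these notes, not code from the course; the access-log lines are constructed in Common Log Format, and the ten-second window and twenty-request threshold are assumptions that would be tuned for a real site.

```python
# Added example, not part of the course notes: pick flood sources out of a
# web-server access log with a sliding-window request counter per client IP.
# Log lines are constructed below in Common Log Format; the window and
# threshold are assumptions to tune for a real site.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)


def flood_sources(lines, window_seconds=10, threshold=20):
    """Map each IP that ever exceeded `threshold` requests inside any
    `window_seconds` span to its peak count. Lines must be in time order,
    as a server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _request, _status = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # expire requests that left the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def constructed_log():
    """Three ordinary browsers plus one bot hammering /login (constructed)."""
    base = datetime.strptime("10/Oct/2023:13:55:00 +0000", TS_FMT)

    def entry(ip, when, path):
        return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(6):                       # one request every 10 s each
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(entry(ip, base + timedelta(seconds=10 * i), f"/page{i}"))
    for i in range(60):                      # 60 requests in six seconds
        lines.append(entry("198.51.100.7", base + timedelta(milliseconds=100 * i), "/login"))
    lines.sort(key=lambda l: parse_line(l)[1])   # server order: chronological
    return lines


if __name__ == "__main__":
    for ip, n in flood_sources(constructed_log()).items():
        print(f"{ip}: {n} requests inside 10 s -> candidate for rate limiting")
```

Against a real DDoS the per-source count is weaker, since the load is spread over thousands of bots that each stay under the threshold; the same window logic is then applied to the aggregate request rate per URL or per network prefix, and blocking moves upstream to the provider.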
SQL Injection
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for
backend database manipulation to access information that was not intended to be displayed. This
information may include any number of items, including sensitive company data, user lists or private
customer details.
The impact SQL injection can have on a business is far-reaching.
A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables
and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly
detrimental to a business.
When calculating the potential cost of a SQLi, it's important to consider the loss of customer trust
should personal information such as phone numbers, addresses, and credit card details be stolen.
While this vector can be used to attack any SQL database, websites are the most frequent targets.
In-band SQLi - The attacker uses the same channel of communication to launch their attacks and to gather
their results. In-band SQLi's simplicity and efficiency make it one of the most common types of SQLi attack.
There are two sub-variations of this method:
Error-based SQLi—the attacker performs actions that cause the database to produce error messages.
The attacker can potentially use the data provided by these error messages to gather information about
the structure of the database.
Union-based SQLi—this technique takes advantage of the UNION SQL operator, which combines the
results of multiple SELECT statements into a single result set that is returned in the HTTP response.
This response may contain data from tables the application never meant to show, which the attacker can
read directly.
Inferential (Blind) SQLi - The attacker sends data payloads to the server and observes the response and
behavior of the server to learn more about its structure. This method is called blind SQLi because the data is
not transferred from the website database to the attacker, thus the attacker cannot see information about the
attack in-band.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to
execute but may be just as harmful. Blind SQL injections can be classified as follows:
Boolean—the attacker sends a SQL query to the database prompting the application to return a result.
The result will vary depending on whether the injected condition is true or false. Based on the result, the
content of the HTTP response will change or stay unchanged. The attacker can then work out whether the
condition evaluated to true or false.
Time-based—attacker sends a SQL query to the database, which makes the database wait (for a period
in seconds) before it can react. The attacker can see from the time the database takes to respond,
whether a query is true or false. Based on the result, an HTTP response will be generated instantly or
after a waiting period. The attacker can thus work out if the message they used returned true or false,
without relying on data from the database.
Out-of-band SQLi - The attacker can only carry out this form of attack when certain features are enabled on
the database server used by the web application. This form of attack is primarily used as an alternative to the
in-band and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker can't use the same channel to launch the attack and gather
information, or when a server is too slow or unstable for these actions to be performed. These techniques count
on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.
Web application firewall - A WAF operating in front of the web servers monitors the traffic which
goes in and out of the web servers and identifies patterns that constitute a threat. Essentially, it is a
barrier put between the web application and the Internet.
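A WAF is a mitigation; the fix is to keep untrusted input out of the SQL text in the first place. The block below is an added example for these notes, not code from the course: the same product search written with string concatenation and with a parameterised query, run against a constructed in-memory SQLite database, with constructed payloads for the union-based, tautology and boolean-blind classes described above.

```python
# Added example, not part of the course notes: injectable vs parameterised
# queries against a constructed in-memory SQLite database. Table contents,
# "hashes" and payloads are all constructed for the demo.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES (1, 'alice', 'hash-of-alice'), (2, 'admin', 'hash-of-admin');
    """)   # constructed data; real hashes would be salted PBKDF2/bcrypt values
    return conn


def search_products_vulnerable(conn, term):
    # In-band SQLi: the user's input becomes part of the SQL text.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    # Parameterised query: the value travels separately from the SQL text,
    # so quotes and keywords inside it are just data.
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)).fetchall()


def login_vulnerable(conn, username, password_hash):
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password_hash):
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash)).fetchone()
    return row is not None


# Attacker payloads (constructed). The trailing -- comments out the closing quote.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"
TAUTOLOGY_PAYLOAD = "admin' --"


def blind_hash_length(conn, username, max_len=64):
    """Boolean-based blind SQLi: the page only reveals whether a product was
    found, so ask yes/no questions until one comes back true."""
    for n in range(1, max_len + 1):
        probe = (f"Widget' AND (SELECT length(password_hash) FROM users "
                 f"WHERE username = '{username}') = {n} --")
        if search_products_vulnerable(conn, probe):      # true -> row returned
            return n
    return None


if __name__ == "__main__":
    db = setup_db()
    print("leaked:", search_products_vulnerable(db, UNION_PAYLOAD))
    print("safe:  ", search_products_safe(db, UNION_PAYLOAD))
    print("admin login without password:", login_vulnerable(db, TAUTOLOGY_PAYLOAD, "x"))
    print("admin hash length (blind):", blind_hash_length(db, "admin"))
```

The parameterised versions return nothing for the union payload and refuse the tautology login because the driver never lets the input be parsed as SQL; the blind probe needs only a true/false signal, which is why "the page shows an error or a product" is enough for an attacker to extract data one bit at a time.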
Buffer Overflow
Buffers are memory storage regions that temporarily hold data while it is being transferred from one
location to another.
A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of
the memory buffer. As a result, the program attempting to write the data to the buffer overwrites
adjacent memory locations.
For example, a buffer for log-in credentials may be designed to expect username and password inputs
of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the
program may write the excess data past the buffer boundary.
Buffer overflows can affect all types of software. They typically result from malformed inputs or
failure to allocate enough space for the buffer. If the transaction overwrites executable code, it can
cause the program to behave unpredictably and generate incorrect results, memory access errors, or
crashes.
Buffer overflow example
attacking Structured Exception Handling (SEH), a built-in system for managing hardware and software
exceptions. It thus prevents an attacker from being able to make use of the SEH overwrite exploitation
technique. At a functional level, an SEH overwrite is achieved using a stack-based buffer overflow to
overwrite an exception registration record, stored on a thread's stack.
Security measures in code and operating system protection are not enough. When an organization discovers
buffer overflow vulnerability, it must react quickly to patch the affected software and make sure that users of
the software can access the patch.
delayed or reordered to produce an unauthorized effect. For example, a message meaning "Allow
JOHN to read confidential file X" is modified to "Allow Smith to read confidential file X".
3. Repudiation – This attack is carried out by either the sender or the receiver. The sender or receiver can
later deny having sent or received a message. For example, a customer asks his bank to "transfer an
amount to someone" and later the sender (customer) denies that he ever made such a request. This is
repudiation.
4. Replay – It involves the passive capture of a message and its subsequent retransmission to produce
an unauthorized effect.
5. Denial of Service – It prevents normal use of communication facilities. This attack may have a specific
target. For example, an entity may suppress all messages directed to a particular destination. Another
form of service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.
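Modification and replay are both caught by the same small amount of machinery on the receiving side: a message authentication code over the message plus a nonce and a timestamp. The block below is an added example for these notes, not code from the course; the shared key, the replay window and the message bodies (which reuse the JOHN/Smith wording above) are constructed for the demo.

```python
# Added example, not part of the course notes: HMAC + nonce + timestamp so
# the receiver can detect the active attacks listed above. SHARED_KEY,
# REPLAY_WINDOW and all messages are constructed for the demo.
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-not-for-production"
REPLAY_WINDOW = 300   # seconds a message stays acceptable


def _canonical(env):
    """Deterministic bytes for the fields that get authenticated."""
    return json.dumps({k: env[k] for k in ("body", "ts", "nonce")},
                      sort_keys=True, separators=(",", ":")).encode()


def make_message(key, body, now=None, nonce=None):
    env = {"body": body,
           "ts": int(time.time() if now is None else now),
           "nonce": nonce or secrets.token_hex(8)}
    env["tag"] = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    return env


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}          # nonce -> ts of messages already accepted

    def accept(self, msg, now=None):
        """Return (accepted, reason). Tag first: an attacker who can forge
        tags could otherwise learn which nonces the receiver has seen."""
        now = int(time.time() if now is None else now)
        try:
            expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return False, "malformed"
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "modified or forged (bad tag)"
        if abs(now - msg["ts"]) > REPLAY_WINDOW:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen:
            return False, "replay (nonce already used)"
        self.seen[msg["nonce"]] = msg["ts"]
        # forget nonces that can no longer pass the timestamp check
        self.seen = {n: t for n, t in self.seen.items() if now - t <= REPLAY_WINDOW}
        return True, "ok"


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    m = make_message(SHARED_KEY, "Allow JOHN to read confidential file X")
    print("original :", rx.accept(m))
    print("replayed :", rx.accept(m))
    print("modified :", rx.accept(dict(m, body="Allow Smith to read confidential file X")))
    print("forged   :", rx.accept(make_message(b"wrong key", "Allow Smith to read confidential file X")))
```

This covers masquerade, modification and replay from the active list; repudiation is not addressed, because both sides hold the same HMAC key and either could have produced the tag. Non-repudiation needs a digital signature with a key only the sender holds.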
Passive attacks: A passive attack attempts to learn or make use of information from the system but does not
affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain the information that is being transmitted.
Types of passive attacks are as follows:
1. The release of message contents – A telephone conversation, an electronic mail message or a
transferred file may contain sensitive or confidential information. We would like to prevent an
opponent from learning the contents of these transmissions.
2. Traffic analysis – Suppose that we had a way of masking (encrypting) the information, so that an
attacker who captured the message could not extract its contents.
The opponent could still determine the location and identity of the communicating hosts and could observe
the frequency and length of the messages being exchanged. This information might be useful in guessing
the nature of the communication that was taking place.
Data security uses various methods to make sure that the data is correct, original, kept confidentially and is
safe. It includes-
Ensuring the integrity of data.
Ensuring the privacy of the data.
Prevent the loss or destruction of data.
Data security consideration involves the protection of data against unauthorized access, modification,
destruction, loss, disclosure or transfer whether accidental or intentional. Some of the important data security
considerations are described below:
Backups
Data backup means saving additional copies of our data in physical or cloud locations separate from the
primary data files in storage. It is essential for us to keep our data secure, stored, and backed up on a regular basis.
Keeping reliable and regular backups of our data protects against the risk of damage or loss due to power
failure, hardware failure, software or media faults, viruses or hacking, or even human error.
The 3-2-1 backup rule is widely used. This rule calls for:
Three copies of our data
Two different media types, e.g., hard drive + tape backup, or DVD (short term) + flash drive
One copy off-site, e.g., two physical backups on site and one in the cloud
Some of the top considerations for implementing secure backup and recovery are-
1. Authentication of the users and backup clients to the backup server.
2. Role-based access control lists for all backup and recovery operations.
3. Data encryption options for both transmission and the storage.
4. Flexibility in choosing encryption and authentication algorithms.
5. Backup of a remote client to the centralized location behind firewalls.
6. Backup and recovery of a client running Security-Enhanced Linux (SELinux).
7. Using best practices to write secure software.
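A backup that was never test-restored is only a hope, so the copy should be verifiable. The block below is an added example for these notes, not code from the course: it records a SHA-256 manifest when the backup is taken and checks a restored tree against it, reporting missing, corrupted and unexpected files. The source tree, its contents and the damage done to the restore are constructed in temporary directories.

```python
# Added example, not part of the course notes: a SHA-256 manifest written at
# backup time, used to verify a restore. Files and directories are constructed
# in temporary folders so the example runs anywhere.
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 of every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare a restored tree with the manifest; an empty dict means it matches."""
    current = build_manifest(root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "corrupted"
    for rel in current:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Back up a constructed tree, restore it, then damage the restore.
    Returns the verification results before and after the damage."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        os.makedirs(os.path.join(src, "notes"))
        for rel, text in (("a.txt", "ledger 2023\n"),
                          ("notes/b.txt", "meeting minutes\n"),
                          ("c.txt", "config\n")):
            with open(os.path.join(src, rel), "w") as f:
                f.write(text)
        manifest = build_manifest(src)               # taken at backup time
        restore = os.path.join(dst, "restore")
        shutil.copytree(src, restore)                # the "backup and restore"
        clean = verify_restore(restore, manifest)
        with open(os.path.join(restore, "notes", "b.txt"), "a") as f:
            f.write("tampered\n")                    # bit rot or tampering
        os.remove(os.path.join(restore, "c.txt"))    # lost file
        damaged = verify_restore(restore, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh restore:", before or "all files verified")
    print("damaged restore:", after)
```

In practice the manifest is stored with each of the three copies and signed or kept on separate media, so that an attacker who alters the backup cannot also alter the record used to check it.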
Archival Storage
Data archiving is the process of retaining or keeping of data at a secure place for long-term storage.
The data might be stored in safe locations so that it can be used whenever it is required.
The archive data is still essential to the organization and may be needed for future reference.
Also, data archives are indexed and have search capabilities so that the files and parts of files can be
easily located and retrieved.
Data archival serves as a way of reducing primary storage consumption and its related costs.
Data archival differs from data backup: backups create copies of data and are used as a recovery
mechanism to restore data when it is corrupted or destroyed. Data archives, on the other hand, preserve
older information that is not needed in day-to-day operations but may have to be accessed occasionally.
Data archives may take many different forms. They can be stored online, offline, or in cloud storage:
Online data storage places archive data onto disk systems where it is readily accessible.
Offline data storage places archive data onto tape or other removable media using data archiving
software; tape can be removed from the drive and consumes less power than disk systems.
Cloud storage is another possible archive target. For example, Amazon Glacier is designed for
data archiving. Cloud storage is inexpensive to begin with, but its costs grow over time as more data is
added to the cloud archive.
The following list of considerations will help us to improve the long-term usefulness of our archives:
1. Storage medium
2. Storage device
3. Revisiting old archives
4. Data usability
5. Selective archiving
6. Space considerations
7. Online vs. offline storage
Storage medium - The first thing to decide is what storage medium we use for archives. The archived data will be
stored for long periods of time, so we must choose a type of media that will last as long as our
retention policy dictates.
Storage device - This consideration takes into account whether the storage device we are using for our archives
will still be available and usable in a few years. There is no way to predict which types of storage devices will
stand the test of time, so it is essential to pick those devices that have the best chance of being supported over
the long term.
Revisiting old archives - Our archive policies and the storage mechanisms we use for archiving data will
change over time, so we have to review our archived data at least once a year to see if anything needs to be
migrated to a different storage medium.
For example, about ten years ago we used Zip drives for archival; then we transferred all of our archives
to CD. Today we store most of our archives on DVD. Since modern DVD drives can also read CDs,
we haven't needed to move our extremely old archives off CD onto DVD.
Data usability - One major problem seen in the real world is archived data that is in an obsolete format.
For example, a few years ago, document files that had been archived in the early 1990s turned out to have
been created by an application known as PFS Write. The PFS Write file format was supported in the late 80s
and early 90s, but today there are no applications that can read those files. To avoid this situation, it can help
to archive not only the data but also copies of the installation media for the applications that created the data.
Selective archiving - We have to be sure about what should be archived. We archive only a selected part
of the data, because not all data is equally important.
Space considerations - If our archives become huge, we must plan for the long-term retention of all that data.
If we are archiving to removable media, capacity planning is comparatively simple: make sure there is free
space in the vault to hold all of those tapes, and that there is room in the IT budget to continue purchasing
tapes.
Online vs. offline storage - We have to decide whether to store our archives online (on a dedicated archive
server) or offline (on removable media). Both methods have advantages and disadvantages. Storing data
online keeps it easily accessible, but data kept online may be vulnerable to theft, tampering, corruption, etc.
Offline storage lets us store a practically unlimited amount of data, but it is not readily accessible.
Disposal of Data
Data destruction or disposal of data is the process of destroying data stored on tapes, hard disks and
other electronic media so that it is completely unreadable, unusable and inaccessible for unauthorized
purposes.
Disposal goes hand in hand with retention: the organization keeps records for as long as they are needed,
and when they are no longer required, destroys them appropriately or disposes of them in some other way,
for example by transfer to an archives service.
The disposal of data usually takes place as part of the normal records management process. There are two
circumstances in which the destruction of data needs to be handled in addition to this process:
A quantity of legacy records requires attention.
Functions are being transferred to another authority and disposal of data records becomes part of
the change process.
The following list of considerations will help us for the secure disposal of data-
1. Eliminate access
2. Destroy the data
3. Destroy the device
4. Keep the record of which systems have been decommissioned
5. Keep careful records
6. Eliminate potential clues
7. Keep systems secure until disposal
Eliminate access - Make sure that no account retains any rights to reach the data being disposed of;
revoke the user, service and backup credentials that could read it.
Destroy the data - Simply deleting files from the storage media is not enough, and even reformatting or
repartitioning a drive to "erase" the data it stores is not good enough, because the underlying blocks remain
recoverable. Many tools are available today that overwrite files or whole drives securely. Encrypting the
data on the drive before performing any deletion makes the data far more difficult to recover later.
Destroy the device - In most cases storage media need to be physically destroyed to ensure that our
sensitive data is not leaked to whoever gets the drives next. We should not attempt this ourselves: specialist
firms are usually far better at safely and effectively rendering any data on our drives unrecoverable. If we
cannot trust this to an outside agency that specializes in the secure destruction of storage devices, we should
have a specialized team within our organization with the same equipment and skills as outside contractors.
Keep a record of which systems have been decommissioned - Make sure that storage media that have been
fully decommissioned are clearly distinguished from those that have not, so that nothing is easily misplaced
or overlooked. It is best to keep media that have not yet been fully decommissioned in a specific location
and decommissioned equipment somewhere else, which helps us avoid mistakes.
Keep careful records - Record who is responsible for decommissioning each piece of storage media. If more
than one person shares that responsibility, each should sign off on completion of the decommissioning
process, so that if something goes wrong we know who to talk to in order to find out what happened and
how bad the mistake is.
Eliminate potential clues - Clear the configuration settings from networking equipment before disposal,
because they can provide crucial clues to an attacker trying to break into our network and the systems that
reside on it.
Keep systems secure until disposal - Set clear guidelines for who may have access to equipment awaiting
secure disposal, so that nobody who should not have access to the data can get his or her hands on it before
disposal takes place.
Types of Firewalls
Packet filtering - Each packet's header fields (addresses, ports, protocol) are examined and the packet is
allowed or dropped according to the filter's rules, without regard to any packet that came before it.
Proxy service - Network security system that protects while filtering messages at the application layer.
Stateful inspection - Dynamic packet filtering that monitors active connections to determine which
network packets to allow through the Firewall.
Next Generation Firewall (NGFW) - Deep packet inspection Firewall with application-level
inspection.
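The difference between the first and third types is easiest to see on a concrete policy. The block below is an added example for these notes, not code from the course or from any firewall product: a stateless filter and a stateful one evaluated over constructed packets under the policy "internal hosts may open HTTPS connections outbound". Addresses, ports and the rule table are constructed for the demo.

```python
# Added example, not part of the course notes: a stateless packet filter and a
# stateful one over constructed packets. The stateless version has to admit
# every inbound packet from source port 443 to let replies through; the
# stateful one only admits replies to connections it saw being opened.
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport syn ack")

# Stateless rules: (direction, proto, dport, sport) -> action; None is a
# wildcard and the first matching rule wins.
STATELESS_RULES = [
    (("out", "tcp", 443, None), "allow"),   # clients may reach HTTPS servers
    (("in", "tcp", None, 443), "allow"),    # ...and their replies must get back
    ((None, None, None, None), "deny"),
]


def stateless_filter(pkt, rules=STATELESS_RULES):
    for (direction, proto, dport, sport), action in rules:
        if (direction in (None, pkt.direction) and proto in (None, pkt.proto)
                and dport in (None, pkt.dport) and sport in (None, pkt.sport)):
            return action
    return "deny"


class StatefulFilter:
    """Stateful inspection: remember connections opened from the inside and
    only admit inbound packets that belong to one of them."""

    def __init__(self):
        self.connections = set()    # (src, sport, dst, dport) of open connections

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.dport == 443 and pkt.syn and not pkt.ack:
                self.connections.add(key)          # new outbound HTTPS connection
                return "allow"
            return "allow" if key in self.connections else "deny"
        # inbound: allowed only as the reverse side of a connection we opened
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.connections else "deny"


# Constructed traffic: a real HTTPS session, and an attacker probing SSH from
# source port 443 to slip past the stateless reply rule.
CLIENT_SYN = Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, True, False)
SERVER_SYNACK = Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, True, True)
PROBE = Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.5", 22, True, False)

if __name__ == "__main__":
    sf = StatefulFilter()
    for pkt in (CLIENT_SYN, SERVER_SYNACK, PROBE):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={stateless_filter(pkt)}  stateful={sf.check(pkt)}")
```

The probe is the classic weakness of a stateless filter: any packet with source port 443 matches the reply rule, so an attacker reaches port 22 on the inside. The stateful filter denies it because no inside host ever opened that connection.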
Work of Firewall
A Firewall is a necessary part of any security architecture and takes the guesswork out of host level protections
and entrusts them to your network security device. Firewalls, and especially Next Generation Firewalls, focus
on blocking malware and application-layer attacks, along with an integrated intrusion prevention system (IPS),
these Next Generation Firewalls can react quickly and seamlessly to detect and react to outside attacks across
the whole network. They can set policies to better defend your network and carry out quick assessments to
detect invasive or suspicious activity, like malware, and shut it down.
Need of Firewall
By leveraging a firewall in your security infrastructure, you set up your network with specific policies to
allow or block incoming and outgoing traffic. The blocking of malware and application-layer attacks by
Next Generation Firewalls and their integrated IPS, described above, is what lets them react quickly to
attacks across the whole network and shut down invasive or suspicious activity before it spreads.
VPNs - A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a
network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents
unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely. VPN
technology is widely used in corporate environments.
Working of VPN
When you connect your computer (or another device, such as a smartphone or tablet) to a VPN, the computer
acts as if it's on the same local network as the VPN. All your network traffic is sent over a secure connection
to the VPN. Because your computer behaves as if it's on the network, this allows you to securely access local
network resources even when you're on the other side of the world. You'll also be able to use the Internet as
if you were present at the VPN's location, which has some benefits if you're using public Wi-Fi or want to
access geo-blocked websites.
When you browse the web while connected to a VPN, your computer contacts the website through the
encrypted VPN connection. The VPN forwards the request for you and forwards the response from the website
back through the secure connection. If you're using a USA-based VPN to access Netflix, Netflix will see your
connection as coming from within the USA.
Types of VPNs
Remote access - A remote access VPN securely connects a device outside the corporate office. These
devices are known as endpoints and may be laptops, tablets, or smartphones. Advances in VPN
technology have allowed security checks to be conducted on endpoints to make sure they meet a certain
posture before connecting. Think of remote access as computer to network.
Site-to-site - A site-to-site VPN connects the corporate office to branch offices over the Internet. Site-
to-site VPNs are used when distance makes it impractical to have direct network connections between
these offices. Dedicated equipment is used to establish and maintain a connection. Think of site-to-site
access as network to network.
Uses of VPN
VPNs are a fairly simple tool, but they can be used to do a wide variety of things:
Access a Business Network While Traveling
Access Your Home Network While Travelling
Hide Your Browsing Activity From Your Local Network and ISP
Access Geo-Blocked Websites
Bypass Internet Censorship
Downloading Files
Intrusion Detections
Intrusion Detection System - is a system that monitors network traffic for suspicious activity and issues alerts
when such activity is discovered. It is a software application that scans a network or a system for harmful
activity or policy breaches. Any malicious venture or violation is normally reported either to an administrator
or collected centrally using a security information and event management (SIEM) system. A SIEM system
integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity
from false alarms.
An intrusion prevention system (IPS) also monitors inbound network packets for malicious activity, but it
sits inline in the traffic path, so besides sending warning notifications at once it can drop or block the
offending packets.
Access Control
Access control is a method of restricting access to sensitive data. Only those that have had their identity
verified can access company data through an access control gateway.
At a high level, access control is about restricting access to a resource. Any access control system, whether
physical or logical, has five main components:
1. Authentication: The act of proving an assertion, such as the identity of a person or computer user. It
might involve validating personal identity documents, verifying the authenticity of a website with a
digital certificate, or checking login credentials against stored details.
2. Authorization: The function of specifying access rights or privileges to resources. For example,
human resources staff are normally authorized to access employee records and this policy is usually
formalized as access control rules in a computer system.
3. Access: Once authenticated and authorized, the person or computer can access the resource.
4. Manage: Managing an access control system includes adding and removing authentication and
authorization of users or systems. Some systems will sync with G Suite or Azure Active Directory,
streamlining the management process.
5. Audit: Frequently used as part of access control to enforce the principle of least privilege. Over time,
users can end up with access they no longer need, e.g., when they change roles. Regular audits
minimize this risk.
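The five components fit in a few dozen lines once the pieces are separated. The block below is an added example for these notes, not code from the course or from any identity product: a small role-based access control service whose audit reports direct grants that a user's current role no longer justifies. Users, passwords, roles and permissions are constructed for the demo.

```python
# Added example, not part of the course notes: authentication, authorization,
# access, management and audit as one small role-based access control service.
# ROLE_PERMISSIONS, the users and their passwords are constructed for the demo.
import hashlib
import hmac
import os

ROLE_PERMISSIONS = {
    "hr": {"employee_records:read", "employee_records:write"},
    "engineer": {"source:read", "source:write"},
    "auditor": {"employee_records:read", "source:read"},
}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccessControl:
    def __init__(self):
        self.users = {}    # name -> {"salt", "hash", "role", "grants"}
        self.log = []      # audit trail of every decision

    # Manage: add users, change roles, hand out ad-hoc grants
    def add_user(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash_password(password, salt),
                            "role": role, "grants": set()}

    def grant(self, name, permission):
        self.users[name]["grants"].add(permission)   # direct grant outside the role

    def change_role(self, name, role):
        self.users[name]["role"] = role

    # Authentication: prove the identity
    def authenticate(self, name, password):
        u = self.users.get(name)
        ok = u is not None and hmac.compare_digest(u["hash"], _hash_password(password, u["salt"]))
        self.log.append(("authn", name, ok))
        return ok

    # Authorization: decide what that identity may do
    def authorize(self, name, permission):
        u = self.users[name]
        ok = permission in ROLE_PERMISSIONS[u["role"]] | u["grants"]
        self.log.append(("authz", name, permission, ok))
        return ok

    # Access: the gate a protected resource calls
    def access(self, name, password, permission):
        if not self.authenticate(name, password):
            return "denied: authentication failed"
        if not self.authorize(name, permission):
            return "denied: not authorized"
        return "granted"

    # Audit: direct grants the user's current role does not cover
    def audit(self):
        stale = {}
        for name, u in self.users.items():
            extra = u["grants"] - ROLE_PERMISSIONS[u["role"]]
            if extra:
                stale[name] = extra
        return stale


def demo():
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", "hr")
    ac.add_user("bob", "hunter2", "engineer")
    ac.grant("bob", "employee_records:read")     # project need; covered after the move
    ac.change_role("bob", "auditor")
    ac.add_user("carol", "swordfish", "hr")
    ac.grant("carol", "source:write")            # leftover from an old project
    results = (
        ac.access("alice", "correct horse battery staple", "employee_records:read"),
        ac.access("alice", "wrong password", "employee_records:read"),
        ac.access("alice", "correct horse battery staple", "source:read"),
    )
    return ac, results


if __name__ == "__main__":
    ac, results = demo()
    print(results)
    print("grants to review:", ac.audit())
```

The audit is what keeps least privilege honest: bob's direct grant is now covered by his auditor role, so it is not reported, while carol's write access to source has no role behind it and shows up for review.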
Types –
1. CPU Protection: CPU protection means that a process cannot be given the CPU forever; it must be
for a limited time, otherwise other processes will never get the chance to execute. A timer is used for
this: it gives a process a certain amount of time, and when the timer expires an interrupt is raised so the
operating system can take the CPU away. Hence a process cannot hold the CPU indefinitely.
2. Memory Protection: Memory protection deals with the situation where two or more processes are in
memory and one process may try to access another process's memory. To prevent this, two registers
are used:
1. Base register
2. Limit register
The base register stores the starting address of the process and the limit register stores the size of the
process, so when a process wants to access a memory address it is checked against these registers to
decide whether the access is allowed.
3. I/O Protection: When I/O protection is enforced, the following can never happen in the system:
1. Terminating the I/O of another process
2. Viewing the I/O of another process
3. Giving priority to a particular process's I/O
If an application process wants to access any I/O device, it must do so through a system call, so that
the OS can monitor the task.
For example, in C the write() and read() functions are system calls to write to and read from a file.
Instructions execute in one of two modes:
User mode - The system performs a task on behalf of a user application. In this mode the user
cannot directly access hardware or reference arbitrary memory.
Kernel mode - Whenever direct access to hardware is required, the application program makes a
system call and the operating system carries it out in kernel mode.
OS Security
Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and
availability.
OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms,
malware or remote hacker intrusions.
Security refers to providing a protection system to computer system resources such as CPU, memory,
disk, software programs and most importantly data/information stored in the computer system.
If a computer program is run by an unauthorized user, then he/she may cause severe damage to the
computer or the data stored in it. So, a computer system must be protected against unauthorized access,
malicious access to system memory, viruses, worms, etc.
OS security encompasses all preventive-control techniques, which safeguard any computer assets
capable of being stolen, edited or deleted if OS security is compromised.
OS security may be approached in many ways, including adherence to the following:
Performing regular OS patch updates
Installing updated antivirus engines and software
Scrutinizing all incoming and outgoing network traffic through a firewall
Creating secure accounts with required privileges only (i.e., user management)
programs with those users. It is the responsibility of the Operating System to create a protection system which
ensures that a user who is running a particular program is authentic. Operating systems generally
identify/authenticate users in the following three ways −
Username / Password − The user must enter a username and password registered with the operating
system to log in to the system.
User card/key − The user must insert a card into the card slot, or enter a key generated by a key
generator into the option provided by the operating system, to log in to the system.
User attribute - fingerprint / eye retina pattern / signature − The user must present his/her attribute via
a designated input device used by the operating system to log in to the system.
One Time Passwords - One-time passwords provide additional security along with normal authentication. In
a One-Time Password system, a unique password is required every time the user tries to log in to the system.
Once a one-time password has been used, it cannot be used again. One-time passwords are implemented in
various ways:
Random numbers − Users are provided cards with numbers printed alongside corresponding letters. The
system asks for the numbers corresponding to a few randomly chosen letters.
Secret key − Users are provided with a hardware device which can create a secret id mapped to the user id.
The system asks for this secret id, which has to be generated afresh every time prior to login.
Network password − Some commercial applications send a one-time password to the user's registered
mobile/email, which has to be entered prior to login.
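As an added example (not from the page), the "secret key" device and the rule that a used password is never accepted again, modelled with HMAC-based OTP as specified in RFC 4226; the choice of HOTP and the shared secret are assumptions, since the page names no algorithm:

```python
"""One-time passwords from a secret-key token (added, constructed example).

The token and the server share a secret; each button press derives a fresh
code from a counter (HOTP, RFC 4226, assumed here as the page names no
algorithm). The server accepts a code only for a counter value it has not
yet consumed, so a captured code cannot be replayed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpServer:
    """Server-side state for one user: the shared secret and the last counter
    value that was accepted. Each counter value is valid exactly once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = -1          # nothing accepted yet
        self.look_ahead = look_ahead    # tolerate a few unused presses

    def verify(self, code: str) -> bool:
        # Only counters strictly after the last accepted one are candidates,
        # which is what makes a consumed code unusable a second time.
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = c   # resynchronise and consume
                return True
        return False


class Token:
    """The user's hardware token: same secret, its own press counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def demo() -> list:
    """Walk through a login sequence; returns the server's decisions."""
    secret = b"12345678901234567890"      # constructed shared secret
    token, server = Token(secret), OtpServer(secret)
    first = token.press()
    results = [
        server.verify(first),             # True: fresh code
        server.verify(first),             # False: replay of a consumed code
    ]
    token.press()                         # pressed but never submitted
    results.append(server.verify(token.press()))   # True: inside look-ahead
    results.append(server.verify("000000"))        # False: guessed code
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```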
Program Threats - An operating system's processes and kernel do the designated task as instructed. If a user
program makes these processes do malicious tasks, it is known as a program threat. One common example of
a program threat is a program installed on a computer which stores user credentials and sends them over the
network to a hacker. E.g. Trojan horse, trap door, logic bomb, virus, etc.
System Threats - System threats refer to the misuse of system services and network connections to put the
user in trouble. System threats can be used to launch program threats across a complete network, which is
called a program attack. System threats create an environment in which operating system resources and user
files are misused. E.g. worm, port scanning, DoS, etc.
Digital Forensics
Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used by the court of law.
It is a science of finding evidence from digital media like a computer, mobile phone, server, or network.
It provides the forensic team with the best techniques and tools to solve complicated digital-related
cases.
Digital Forensics helps the forensic team to analyse, inspect, identify, and preserve the digital evidence
residing on various types of electronic devices.
Malware Forensics: This branch deals with the identification of malicious code and the study of its
payload, e.g. viruses, worms, etc.
Email Forensics: Deals with recovery and analysis of emails, including deleted emails, calendars, and
contacts.
Memory Forensics: It deals with collecting data from system memory (system registers, cache, RAM)
in raw form and then carving the data from the raw dump.
Mobile Phone Forensics: It mainly deals with the examination and analysis of mobile devices. It
helps to retrieve phone and SIM contacts, call logs, incoming, and outgoing SMS/MMS, Audio,
videos, etc.
It is difficult to pinpoint when computer forensics history began. Most experts agree that the field of computer
forensics began to evolve more than 30 years ago. The field began in the United States, in large part, when
law enforcement and military investigators started seeing criminals get technical. Government personnel
charged with protecting important, confidential, and certainly secret information conducted forensic
examinations in response to potential security breaches to not only investigate the particular breach, but to
learn how to prevent future potential breaches. Ultimately, the fields of information security, which focuses
on protecting information and assets, and computer forensics, which focuses on the response to hi-tech
offenses, started to intertwine.
Over the next decades, and up to today, the field has exploded. Law enforcement and the military continue to
have a large presence in the information security and computer forensic field at the local, state, and federal
level. Private organizations and corporations have followed suit – employing internal information security and
computer forensic professionals or contracting such professionals or firms on an as-needed basis.
Significantly, the private legal industry has more recently seen the need for computer forensic examinations
in civil legal disputes, causing an explosion in the e-discovery field.
The computer forensic field continues to grow on a daily basis. More and more large forensic firms, boutique
firms, and private investigators are gaining knowledge and experience in the field. Software companies
continue to produce newer and more robust forensic software programs. And law enforcement and the military
continue to identify and train more and more of their personnel in the response to crimes involving technology.
Two methods are widely adopted in acquiring data from a digital device.
1. Software Methods
2. Hardware Methods
Both methods are interdependent and a clear-cut classification is not possible. The following discusses
software forensics and the different hardware forensics techniques in use, and the theory underlying them.
Software forensics is the science of analyzing software source code or binary code to determine whether
intellectual property infringement or theft occurred. It is the centerpiece of lawsuits, trials, and settlements
when companies are in dispute over issues involving software patents, copyrights, and trade secrets. Software
forensics tools can compare code to determine correlation, a measure that can be used to guide a software
forensics expert.
Hardware Forensics
Rule of forensics - The golden rule of forensics states that we cannot work on the suspect device. It
should be copied and any analysis should be done on the copy, never on the original. The data should be
copied at the earliest opportunity. There should not be any tampering with the suspect device. Hence design of any
A Drive Lock Scenario - An important requirement in forensics is a drive lock. This device should
lock the suspect drive so as to avoid any contamination of data. Software locking is possible by blocking
any write operations. This requires a PC or a laptop running the software to be carried along by the
investigator every time. Improper functioning of the software can cause difficulty in acquisition.
Hardware methods that substitute for the software techniques are compact and easy to use. The device
can be powered from the source or from the suspect machine itself. The hardware under development
should have all possible connectors available.
Hard Disk Scenario - Acquiring a hard disk using software methods depends on software running on
a PC. The computation speed depends on the processing capability of the processor. Acquiring an
80 GB hard disk takes roughly 4 hours. The processing capacity of processors has increased while their
size has shrunk. This can be taken advantage of in the design of speedy acquisition devices. A portable
unit would be a great ease to the investigator. So, development of an embedded acquisition device will
be an advantage in time and cost for the investigator.
Sim Card Scenario - GSM mobile phones use SIM cards as an important agent in connecting to the
network. Details of the network and connections can be obtained from the SIM card. There needs to be a
device to read out the details in the SIM card. This requires a combination of hardware and software.
SIM card details should also be copied and replicated for further analysis.
Techniques – The aims of the forensic process are to preserve the evidence and then to use forensic tools to
look at the acquired data for things that may have been deleted, hidden or are unusual.
Different techniques or methods for this kind of forensic work can be used at different stages of the
investigative process.
Preserving the evidence: Making an image (an exact copy) of the original data with the use of a 'write
blocker'; the write blocker prevents any program or device from making changes to the original data.
Typical tools include Forensic Toolkit (FTK), Encase, SIFT, Coroner's Toolkit, Sleuth Kit.
Recovering deleted files by forensic duplication: Getting back files which might have been deleted to
hide evidence. Typical tools: FTK, Encase, SIFT, Coroner's Toolkit, Sleuth Kit.
Removing known files: Most files on devices are harmless, with known file types and names. One technique
is to filter out or remove these files to leave only those worthy of investigation. The method used here
is to compare the md5 hashes of files with a list of known md5 hashes of known files. If they match, the
files can be removed. FTK or Encase are popular tools.
File signature verification: Works similarly to the hash comparison above. A comparison is made between
the header and footer information of suspect files and those of known files. Matching files can be safely
removed. Sleuth Kit, Encase or a hand-written Perl script.
String searching and looking for file fragments: Using the search command to look for keywords or
known text. FTK, Encase.
Web activity reconstruction: Getting back web browsing history, accepted cookies and temporary
internet files that show where the user has been, removing opportunities for deniability. Encase, FTK,
browser logs.
Email activity reconstruction: Using the method of converting email repositories to readable text.
FTK, Paraben's Network Mail Examiner.
Registry activity reconstruction: Discovering any deleted programmes or recent activity by looking
at Windows system and application log files. FTK, RegEdit.
Live forensics: Using the method of analysing volatile processes; those files that are loaded in and out
of memory. Windows Forensic Toolchest, COFEE.
Recovering hidden files: Actively looking for hidden files or hidden data (steganography) and
attempting to gain access through the methods of decryption and cryptanalysis. StegBreak, StegDetect,
password cracking and frequency analysis.
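The hash-based known-file filtering and the header/footer signature check above, as an added stand-alone example (not code from FTK, Encase or Sleuth Kit); the known-file list, signatures and sample files are constructed:

```python
"""Known-file filtering and file signature verification (added example).

Constructed, stand-alone illustration, not code from FTK, Encase or Sleuth
Kit. Files whose hash appears in a known-file list are dropped from the
review set; the remaining files have their header/footer bytes compared with
the file type their extension claims, so a renamed or disguised file is
flagged for the examiner."""
import hashlib
import os

# Constructed known-file list. The page names md5; SHA-256 is recorded too
# because md5 collisions are cheap and real reference sets (e.g. NSRL)
# carry both.
KNOWN_BYTES = b"#!/bin/sh\necho hello\n"
KNOWN_MD5 = {hashlib.md5(KNOWN_BYTES).hexdigest()}
KNOWN_SHA256 = {hashlib.sha256(KNOWN_BYTES).hexdigest()}

# Header signature and, where the format has one, footer signature.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),
}
EXT_ALIASES = {"jpeg": "jpg"}


def is_known(data: bytes) -> bool:
    """True if both hashes match the reference set (hash-based filtering)."""
    return (hashlib.md5(data).hexdigest() in KNOWN_MD5
            and hashlib.sha256(data).hexdigest() in KNOWN_SHA256)


def detect_type(data: bytes):
    """Return the signature name whose header (and footer, if defined)
    matches the bytes, or None if no known signature matches."""
    body = data.rstrip(b"\r\n\t ")   # tolerate a newline after %%EOF
    for name, (header, footer) in SIGNATURES.items():
        if data.startswith(header) and (footer is None or body.endswith(footer)):
            return name
    return None


def triage(name: str, data: bytes) -> str:
    """Classify one file:
    known    - hash matches the known-file list, remove from review
    ok       - content signature agrees with the extension
    mismatch - extension claims a type the content does not carry, or the
               content is a known type hiding under another extension
    review   - cannot be verified automatically, keep for the examiner"""
    if is_known(data):
        return "known"
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    detected = detect_type(data)
    if detected is None and ext not in SIGNATURES:
        return "review"
    return "ok" if detected == ext else "mismatch"


def triage_all(files: dict) -> dict:
    """Apply triage() to a {file name: content bytes} mapping."""
    return {name: triage(name, data) for name, data in files.items()}


# Constructed sample "evidence": file name -> content bytes.
SAMPLE_FILES = {
    "setup.sh": KNOWN_BYTES,                                      # known
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9",
    "report.pdf": b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF\n",
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82",
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 12,                  # not a PDF
    "readme.md": b"plain text, no magic bytes\n",
}

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```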
crime scene and reviewing it. It involves proper documentation of the crime scene along with photographing,
sketching, and crime-scene mapping.
Presentation - In this last step, the process of summarization and explanation of conclusions is done.
However, it should be written in a layperson's terms using abstracted terminologies. All abstracted
terminologies should reference the specific details.
TECHNICAL CHALLENGES
As technology develops, crimes and criminals develop with it. Digital forensic experts use forensic tools for
collecting evidence against criminals, and criminals use such tools for hiding, altering or removing the traces
of their crime; in digital forensics this is called anti-forensics, which is considered a major challenge in the
digital forensics world.
2. Data hiding in storage space: Criminals usually hide chunks of data inside the storage medium in
invisible form by using system commands and programs.
3. Covert channel: A covert channel is a communication protocol which allows an attacker to bypass
intrusion detection techniques and hide data over the network. The attacker uses it to hide the connection
between himself and the compromised system.
Legal Challenges
The presentation of digital evidence is more difficult than its collection because there are many instances
where the legal framework takes a soft approach and does not recognize every aspect of cyber forensics.
In Jagdeo Singh v. The State and Ors., the Hon'ble High Court of Delhi held that "while dealing with the
admissibility of an intercepted telephone call in a CD and CDR which was without a certificate under Sec.
65B of the Indian Evidence Act, 1872 the court observed that the secondary electronic evidence without
certificate u/s. 65B of Indian Evidence Act, 1872 is not admissible and cannot be looked into by the court for
any purpose whatsoever." This happens in most cases because the cyber police lack the necessary qualification
and ability to identify a possible source of evidence and prove it. Besides, most of the time electronic evidence
is challenged in court on grounds of its integrity. In the absence of proper guidelines and of a proper
explanation of the collection and acquisition of electronic evidence, the evidence gets dismissed in itself.
Legal Challenges
S. no / Type / Description
1. Absence of guidelines and standards: In India, there are no proper guidelines for the collection and
acquisition of digital evidence. The investigating agencies and forensic laboratories are working on
guidelines of their own. Due to this, the potential of digital evidence has been destroyed.
2. Limitation of the Indian Evidence Act, 1872: The Indian Evidence Act, 1872 has a limited approach;
it has not been able to evolve with the times and address the fact that e-evidence is more susceptible to
tampering, alteration, transposition, etc. The Act is silent on the method of collection of e-evidence; it
only focuses on the presentation of electronic evidence in court accompanied by a certificate as per
subsection 4 of Sec. 65B. This means that no matter what procedure is followed, it must be proved with
the help of a certificate.
various tools to check the authenticity of the data but dealing with these tools is also a challenge in itself.
Cyber law provides legal protections to people using the internet, including both businesses and ordinary
citizens. It is important for anyone using the internet to be aware of the cyber laws of their country and local
area so that they know what activity is legal online and what is not. Also, if anything happens to them
online, they know how to act on the matter accordingly.
Conclusion
Implementing laws in cyberspace is an important step in creating a safe and secure environment for people on
cyber platforms. To protect against cybercrimes, computer forensic science should focus on ethical hacking
training and on implementing cyber security plans that address the people, process and technology issues
arising today. Strict cyber laws are the need of this era, in which technology is growing at a rapid pace,
because budgets have not increased to keep up with this rate of change in technology.
Sections and Punishments under the Information Technology Act, 2000 are as follows:
SECTION - PUNISHMENT
Section 43 - This section of the IT Act, 2000 states that any act of destroying, altering or stealing a
computer system/network or deleting data with malicious intent, without authorization from the owner of
the computer, makes the offender liable to pay compensation for damages to the owner.
Section 43A - This section of the IT Act, 2000 states that any corporate body dealing with sensitive
information that fails to implement reasonable security practices, causing loss to another person, will
also be liable to pay compensation to the affected party.
Section 66 - Hacking of a computer system with malicious intent, such as fraud, is punishable with
3 years' imprisonment or a fine of Rs. 5,00,000 or both.
Section 66 B, C, D - Fraud or dishonesty in using or transmitting information, or identity theft, is
punishable with 3 years' imprisonment or a fine of Rs. 1,00,000 or both.
Section 66 E - Violation of privacy by transmitting an image of a private area is punishable with
3 years' imprisonment or a fine of Rs. 2,00,000 or both.
Section 66 F - Cyber terrorism affecting the unity, integrity, security or sovereignty of India through a
digital medium is punishable with life imprisonment.
Section 67 - Publishing obscene information or pornography, or transmitting obscene content in public,
is punishable with imprisonment up to 5 years or a fine of Rs. 10,00,000 or both.
As far as the number of cybercrime cases is concerned, Uttar Pradesh with a figure of 2,639 registered the
maximum number of cases, followed by Maharashtra (2,380) and Karnataka (1,101). Among the metropolitan
cities, Mumbai with 980 cases stood first, followed by Bengaluru (762) and Jaipur (532). Chennai city with
26 cases was ranked 16th among metros.
Social media seems to have turned antisocial at the hands of rumour mongers, with more than 20 cases of
lynching being reported in the last two months in our country. The advent of social media appears to have added
fuel to the existing fire by helping organizers and opposition parties congregate multitudes swiftly, easily,
cheaply and efficiently, whether for a cause like Jallikattu or for spreading the message of revolt against
the policies of the establishment.
Quite obviously, social media played a crucial role in mobilizing and engineering some of the major agitations
like the Cauvery river dispute.
If we decide not to give a damn about cyber criminals, we do so at our own peril. We should not forget
the kind of havoc the ill-gotten gains of cybercrime wreaked on the city of Mumbai in 2008 during the terrorist
siege by Lashkar-e-Taiba (LeT). The entire operation was funded by a Filipino hacking cell working on behalf
of Jemaah Islamiyah, an associate of Al-Qaeda. Millions of dollars ripped off by the cybercriminals recruited by
it were channelled to their manipulators in Saudi Arabia, who in turn laundered the funds to the Lashkar-e-Taiba
team in Pakistan, which executed the brutal onslaught against the city of Mumbai.
The situation today is that there are several laws dealing with cybercrime, each one having its own scope and
limitations. India is no doubt imposing sanctions to deal with such crimes. However, the conviction rate is found
to be insignificant. What is needed is a specific law particularly dealing with cybercrimes, just like what the
UK did in 1990, when it enacted the Computer Misuse Act 1990.
A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a
digital message or document. A valid digital signature gives a recipient reason to believe that the message was
created by a known sender, and that it was not altered in transit. Digital signatures are based on public key
encryption. This uses prime numbers like 2, 3, 5, 7, 11 and so on, which can be divided only by themselves or
by 1 and not by any other number. There are unlimited prime numbers, and in DS we use products of prime
numbers.
The functioning of DS is based on the system of public key cryptography. Public-key cryptography refers to a
cryptographic system requiring two separate keys, one of which is secret and one of which is public. Although
different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plain text, and
the other unlocks or decrypts the cipher text. Neither key can perform both functions. One of these keys is
published or public, while the other is kept private.
"Key encryption allows more than just privacy. It can also assure the recipient of the authenticity of a document
because a private key can be used to encode a message that only a public key can decode. If I have information I
want to sign before sending it to you, my computer uses my private key to encipher it. Now the message can be
read only if my public key, which you and everyone else know, is used to decipher it. This message is veritably
from me because no one else has the private key that could have encrypted it in this way".
Justice Yatindra Singh in his book "Cyber laws" has stated that since public key encryption is slow and time
consuming the hash function is used to transform a message into a unique shorter fixed length value called the
Hash result. Hash serves the purpose of an index of the original text. It is an algorithm mapping or translation
of one sequence into another. The hash function is such that the same hash result is obtained every time that
hash function is used on the same electronic record and two electronic records cannot produce the same hash
result using the same hash function. In other words, mapping is one to one and not many to one. It is one way.
One cannot reconstruct the original message from the hash result. The encryption of a hash result of the message
with the private key of the sender is called a Digital signature.
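The hash-then-sign scheme described above, as an added textbook example (not from the book or the page); the fixed Mersenne primes are an assumption so that it runs offline and are not a secure key:

```python
"""Hash-then-sign digital signature, constructed textbook RSA (added example).

This illustrates the passage above: the record is hashed to a fixed-length
hash result, the hash is 'encrypted' with the sender's private key to form the
signature, and the verifier 'decrypts' it with the public key and compares it
with a freshly computed hash. The fixed primes are an assumption so that the
example runs offline; they are NOT a secure key (real keys come from random
primes, and a padding scheme such as RSA-PSS is applied before signing)."""
import hashlib
from math import gcd

P = 2 ** 521 - 1   # Mersenne prime M521, demo only
Q = 2 ** 607 - 1   # Mersenne prime M607, demo only
E = 65537


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def hash_result(record: bytes) -> int:
    """Fixed-length, one-way digest of the electronic record, as an integer.
    The same record always yields the same value, and the record cannot be
    reconstructed from it."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """Digital signature = hash result raised to the private exponent mod n."""
    d, n = private_key
    h = hash_result(record)
    if h >= n:
        raise ValueError("hash must be smaller than the modulus")
    return pow(h, d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Recover the hash with the public key and compare with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == hash_result(record)


def demo() -> tuple:
    """Sign a constructed record and check genuine, altered and tampered cases."""
    pub, priv = make_keypair()
    record = b"Transfer Rs. 1,00,000 to account 42"      # constructed record
    sig = sign(record, priv)
    return (
        verify(record, sig, pub),                                  # True
        verify(b"Transfer Rs. 9,00,000 to account 42", sig, pub),  # False: altered
        verify(record, sig + 1, pub),                              # False: tampered
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```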
picture of private parts or acts of a woman without such person's consent. This section exclusively
deals with the crime of 'voyeurism', which also recognizes watching such acts of a woman as a crime.
If the essentials of this Section (such as gender) are not satisfied, Section 292 of IPC and Section 66E
of the IT Act, 2000 are broad enough to take offenses of a similar kind into consideration. The
punishment includes 1 to 3 years of imprisonment for first-time offenders and 3 to 7 years for second-
time offenders.
Section 354D of IPC: This section describes and punishes 'stalking', including both physical and cyber
stalking. If a woman is being monitored through electronic communication, the internet or email,
or is being bothered by a person to interact or make contact despite her disinterest, it amounts to cyber-
stalking. The latter part of the Section states the punishment for this offense as imprisonment extending
up to 3 years for the first offense and 5 years for the second, along with a fine in both
instances. In the case of Kalandi Charan Lenka v. The State of Odisha, the victim received certain
obscene messages from an unknown number which damaged her character. Moreover, emails
were sent and a fake Facebook account was created by the accused which contained morphed
pictures of the victim. Hence, the accused was found prima facie guilty of cyberstalking by the High
Court under various provisions of the IT Act and Section 354D of IPC.
Section 379 of IPC: If a mobile phone, the data on that mobile or computer hardware is stolen,
Section 379 comes into the picture, and the punishment for such a crime can go up to 3 years of
imprisonment or fine or both. But attention must be given to the fact that these provisions cannot
be applied where the provisions of the special law, i.e. the IT Act, 2000, are attracted. In this regard, in the
case of Gagan Harsh Sharma v. The State of Maharashtra, an employer found that software and
data had been stolen and that someone had breached the computers and given access to sensitive information
to the employees. The employer informed the police, who filed a case under Sections 379,
408 and 420 of IPC and various other IT Act provisions. The question before the court was
whether the police could file a case under IPC or not. The court decided that the case cannot be filed
based on the IPC provisions, as the IT Act has an overriding effect.
Section 411 of IPC: This deals with a crime that follows the offenses committed and punished under
Section 379. If anyone receives a stolen mobile phone, computer, or data from the same, they will be
punished in accordance with Section 411 of IPC. It is not necessary that the thief must possess the
material; even if it is held by a third party knowing it to belong to another, this provision is attracted. The
punishment can be imposed in the form of imprisonment which can extend up to 3 years or fine
or both.
Section 419 and Section 420 of IPC: These are related provisions, as they deal with frauds. The crimes
of password theft for the purpose of meeting fraudulent objectives, or the creation of bogus websites
and commission of cyber frauds, are crimes that are extensively dealt with by these two sections
of IPC. On the other hand, email phishing by assuming someone's identity and demanding a password is
exclusively concerned with Section 419 of IPC. The punishments under these provisions differ
based upon the gravity of the committed cybercrime. Section 419 carries a punishment of up to 3 years
of imprisonment or fine, and Section 420 carries up to 7 years of imprisonment or fine.
Section 465 of IPC: In the usual scenario, the punishment for forgery is dealt with in this provision.
In cyberspace, offenses like email spoofing and preparation of false documents are dealt with and
punished under this Section, which provides for imprisonment of up to 2 years or fine or both. In
the case of Anil Kumar Srivastava v. Addl. Director, MHFW, the petitioner electronically forged the
signature of the AD and later filed a case making false allegations about the same person. The Court held
that the petitioner was liable under Section 465 as well as under Section 471 of IPC, as the petitioner
also tried to use it as a genuine document.
Section 468 of IPC: If the offenses of email spoofing or online forgery are committed for the
purpose of committing other serious offenses, i.e. cheating, Section 468 comes into the picture, which
contains the punishment of seven years of imprisonment or fine or both.
Section 469 of IPC: If the forgery is committed by anyone solely for the purpose of disrupting a
particular person or knowing that such forgery harms the reputation of a person, either in the form of
a physical document or through online, electronic forms, he/she can be imposed with the imprisonment
up to three years as well as fine.
Section 500 of IPC: This provision penalizes the defamation of any person. With respect to
cybercrimes, sending any kind of defamatory content or abusive messages through email will be
attracted by Section 500 of IPC. The imprisonment carried with this Section extends up to 2 years
along with fine.
Section 504 of IPC: If anyone threatens, insults, or tries to provoke another person with the intention
of disturbing the peace through email or any other electronic form, it amounts to an offense under Section
504 of IPC. The punishment for this offense extends up to 2 years of imprisonment or fine or both.
Section 506 of IPC: If a person tries to criminally intimidate another person either physically or
through electronic means with respect to the life of a person, property destruction through fire or
chastity of a woman, it will amount to an offense under Section 506 of IPC and punishment of
imprisonment where the maximum period is extended up to seven years or fine or both.
Section 509 of IPC: This Section deals with the offense of uttering a word, showing a gesture, and
committing an act that has the potential to harm the modesty of a woman. It also includes the sounds
made and the acts committed infringing the privacy of a woman. If this offense is committed either
physically or through electronic modes, Section 509 gets attracted and the punishment would be
imprisonment of a maximum period of one year or fine or both.