Week 7


Cyber Security and Privacy CS121

Jul-Oct ( 12 week )
Week 7

Week 1 07/09/2024
Riya Mullick
NPTEL TA
Q1 Answer
A leased circuit from a service provider is a dedicated, private communication line that connects two or more
locations, providing a consistent and reliable connection with guaranteed bandwidth and low latency. It is
commonly used by organizations for secure, high-performance data transmission over long distances. To add
flexibility and security to this dedicated connection, packet switching can be conducted over the leased circuit
using a transport VPN. The transport VPN encrypts data packets and routes them securely over the leased line,
allowing multiple types of traffic (like voice, video, and data) to be transmitted simultaneously. This combination
leverages the stability of leased circuits with the added security and scalability of VPN technology, making it ideal
for businesses needing robust and secure communication networks.
Virtual Private Network
A VPN is a technology that creates a secure and encrypted connection over a less
secure network, such as the internet. VPNs are used to enhance online privacy,
security, and anonymity by masking a user's IP address and encrypting their internet
traffic. This prevents unauthorized parties, such as hackers, internet service providers
(ISPs) or government agencies, from monitoring or intercepting the data being
transmitted over internet.

Key Features of VPN Technology:


1. Encryption: VPNs encrypt data transferred between the user's device and the VPN
server, protecting it from eavesdroppers.
2. Anonymity: By masking your IP address, VPNs make it more difficult for websites and
online services to track your online activities.
3. Geo-Spoofing: VPNs allow users to appear as if they are accessing the internet from a
different location, which can be useful for accessing geo-restricted content.
4. Security on Public Networks: VPNs provide security when using public Wi-Fi
networks, reducing the risk of data theft.

Common Uses of VPNs:


- Protecting sensitive data, especially on unsecured networks.
- Bypassing geo-restrictions or censorship.
- Preventing tracking by websites.
- Secure remote access to corporate networks for remote workers.

VPNs are available as software for various devices, such as computers, smartphones,
and tablets, and can also be set up on routers.
Common terms you might hear from VPN vendors: (https://www.okta.com/au/identity-101/what-is-a-vpn)

Encryption: Data moves through an algorithm, and it's scrambled accordingly. The scrambled data moves from one server to
another, and once it arrives, it's decoded.

IP address: Numbers and periods uniquely identify your device and its location in the world.

IP count: This is the number of IP addresses a provider has available.

IPSec: Internet Protocol Security, or IPSec, refers to rules that VPNs use to connect two points privately.

ISP: Your internet service provider (or ISP) connects you with the internet.

Proxy: Proxy services hide your real IP address from websites and other resources you might visit. Some experts say companies
that claim to offer VPN services offer simple proxy services instead. They're not the same thing.

VPN client: This is software on your device that makes connecting with your VPN quick and easy.


VPN vendors may use more acronyms you don't know or understand. If so, ask for clarification before you sign up. VPN
vendors provide a virtual IP address to their users. This virtual IP address replaces the user's original IP address when they connect
to the internet through a VPN server, and it gives anonymity.

VPN Providers: ExpressVPN, NordVPN, Surfshark, CyberGhost, Private Internet Access (PIA), ProtonVPN, Hotspot Shield, IPVanish. Their
subscription charge comes to only 200-300 for a 2 year plan. Check yourself!

VPN Protocols:

All VPNs use protocols, or rules that help them transmit data between devices. Each one is a little different, and some
come with security issues.

Common VPN protocols include:

● IPSec. Encryption protects the data, and this tool can be combined with others to enhance security.
● Secure sockets layer (SSL). An authentication, or handshake, happens before the two connect. The parameters of
the connection are set during the handshake.
● Transport layer security (TLS). This method also includes a handshake.
● Point-to-point tunnelling protocol (PPTP). This method doesn't encrypt data, but it can tunnel and encapsulate it.

Laws and Regulations Regarding use of VPNs in India

VPN has become a topic of legal scrutiny, especially in recent years. The legal landscape for VPN usage in India involves regulations set forth by
the Indian government and various agencies to address concerns related to privacy, cybersecurity, and national security.

1. Legality of VPN Usage


- Legal for Personal Use: Using a VPN for personal privacy and security is generally 'legal' in India. Individuals often use VPNs to protect their
online privacy, secure their data on public Wi-Fi networks, or access content restricted by geo-blocks.
- Illegal for cybercrime activities: While using a VPN is legal, using it to carry out illegal activities, such as accessing banned websites, engaging
in cybercrime, or bypassing government censorship, is illegal. VPN use in such cases can result in penalties or legal action.

2. CERT-In Directive (2022):


- In April 2022, the Indian Computer Emergency Response Team (CERT-In), an agency under the Ministry of Electronics and Information
Technology (MeitY), issued a directive requiring VPN providers to maintain customer logs for at least 5 years. This directive came into effect on
June 27, 2022.
- The directive mandates VPN providers to collect and store the following information:
● Validated names of subscribers/customers hiring the services
● Period of hire including dates
● IPs allotted to / being used by the members
● Email address and IP address and time stamp used at the time of registration / on-boarding
(Source: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf)
● Purpose for hiring services
● Validated address and contact numbers
● Ownership pattern of the subscribers / customers hiring service
Compliance Issues: Some international VPN providers have opted to remove their physical servers from India to avoid compliance with this directive. They offer
virtual servers that are still accessible to Indian users. After removing physical servers from India, VPN providers set up virtual servers in nearby countries (such as
Singapore, the UK, or the Netherlands). These virtual servers are physically located outside India but are configured to appear as if they are located in India. When
users connect to these virtual servers, they are assigned an Indian IP address, giving them the experience of browsing from within India. This allows users to access
Indian-specific content and websites that might be geographically restricted without the VPN provider having to store user data under Indian regulations.

3. Privacy and Data Protection


- While India currently lacks a comprehensive data protection law, the “Digital Personal Data Protection Act (DPDP Act) 2023” was passed to provide a framework
for protecting personal data. Although the DPDP Act does not specifically address VPNs, the increasing emphasis on data protection could lead to future regulations
that affect VPN usage and operations.

4. Access to Banned Websites:


- The Indian government frequently issues directives to internet service providers (ISPs) to block access to certain websites deemed illegal or harmful. Accessing these
websites using a VPN could lead to legal consequences, as circumventing government-imposed bans is illegal. Ambiguity in the law and its interpretation still exists.

5. National Security Concerns


- The Indian government views the use of VPNs by cybercriminals and bad actors as a national security concern. Law enforcement agencies monitor VPN usage to
prevent activities related to terrorism, financial fraud, and other cybercrimes.

6. Corporate Use of VPNs


- Companies and organizations often use VPNs to provide secure access to their internal networks for remote employees. Corporate use of VPNs is generally
allowed, but businesses must ensure that their usage complies with data localization and other cybersecurity regulations in India.
Potential Consequences for Non-Compliance

- Penalties: Failing to comply with the CERT-In directive could result in penalties for VPN providers, and
individuals could face legal consequences if their VPN use is associated with illegal activities.
- Account Termination: VPN providers that do not comply with Indian regulations may terminate accounts or
restrict access to their services in India.

Actions Taken by VPN Providers in Response to Regulations

- Some prominent VPN providers, such as ExpressVPN, NordVPN, and Surfshark, have removed their
physical servers from India and now offer virtual servers that provide Indian IP addresses while being
physically located in other countries. This helps them avoid compliance with the CERT-In directive while still
serving Indian users.

Key Considerations for VPN Users in India

- Choose Reputable VPN Providers: Ensure the VPN provider has a transparent privacy policy and operates
in a privacy-friendly jurisdiction.
- Understand the Laws: Be aware of the laws and regulations surrounding VPN use in India and avoid using
VPNs for any illegal activities.
Secure VPN

● Description: A Secure VPN focuses on encryption and security measures to ensure data privacy and integrity while being
transmitted over a network. Secure VPNs use strong encryption protocols like IPsec, SSL/TLS, WireGuard, and OpenVPN.

● Common Use Cases: Remote work, secure browsing, bypassing censorship, and protecting data on public Wi-Fi.

Hybrid VPN

● Description: A Hybrid VPN is a combination of different types of VPN technologies and network security features, such as
MPLS (Multiprotocol Label Switching) and IPsec. It often combines a traditional VPN with another network security layer.

● Common Use Cases: Large organizations and enterprises that need a mix of private, secure connections over both public and
private networks.
Trusted VPN

● Description: A Trusted VPN is a less commonly used term, but it generally refers to VPNs that provide strong privacy and
security assurances, such as a no-log policy or independent audits. It could also refer to VPNs within a trusted network
environment where the traffic is controlled and monitored.
● Common Use Cases: Organizations that require compliance with data protection regulations, or users who prioritize privacy
and trust in a VPN provider.

Transport VPN

● Description: A Transport VPN is another term that can refer to the IPsec Transport Mode, where only the payload (data) of
the packet is encrypted, not the headers. This contrasts with Tunnel Mode, where the entire packet, including headers, is
encrypted.
● Common Use Cases: Typically used in situations where encryption is needed between specific devices, like a server-to-server
connection, without the need to hide the originating IP address.
Q2 Ans
For biometric devices, several metrics are used to evaluate their performance and reliability. These include the False Reject Rate
(FRR), False Accept Rate (FAR), Crossover Error Rate (CER), and concepts like Accountability Rate. Here's an explanation of
each:

1. False Reject Rate (FRR)

● Definition: The rate at which a biometric system incorrectly rejects an authorized or legitimate user.
● Explanation: It occurs when the system fails to recognize an enrolled user, mistakenly treating them as an imposter.
● Importance: A high FRR can lead to user frustration as legitimate users are denied access. Lowering the FRR often requires
reducing system sensitivity.

2. False Accept Rate (FAR)

● Definition: The rate at which a biometric system incorrectly accepts an unauthorized or illegitimate user.
● Explanation: It happens when the system mistakenly identifies or verifies an unauthorized user as an authorized one.
● Importance: A high FAR indicates poor security, as unauthorized users can gain access. Reducing FAR usually involves
increasing system sensitivity, which could increase FRR.
3. Crossover Error Rate (CER)

● Definition: The rate at which the False Reject Rate (FRR) equals the False Accept Rate (FAR).
● Explanation: Also known as the Equal Error Rate (EER), the CER is a single value that reflects the overall accuracy of a
biometric system. A lower CER indicates a more accurate system.
● Importance: It is often used as a standard metric to compare the performance of different biometric systems since it represents
the balance between security (FAR) and usability (FRR).

4. Accountability Rate

● Definition: While not a standard biometric term like FRR, FAR, or CER, Accountability Rate may refer to the system’s ability to
log, monitor, and report on access events to ensure accountability.
● Explanation: It deals with the system’s capability to keep a record of all access attempts, both successful and unsuccessful,
ensuring that each access attempt can be traced back to a specific individual.
● Importance: High accountability is crucial for security compliance and forensic analysis, particularly in environments where
security breaches must be investigated.

All above metrics are crucial when evaluating and choosing a biometric device to ensure the right balance between security and user
convenience.
All terms mentioned—cybersecurity trap, honeypot, trace, and sniffer—are related to cybersecurity practices and tools used
to detect, prevent, or analyze malicious activities. Here's an overview of each:

1. Cybersecurity Trap
● Description: A general term for any deceptive method used to lure, detect, or neutralize malicious activities or attackers.
A cybersecurity trap can involve a range of strategies and tools designed to trick attackers into revealing themselves or their
techniques. Example: Deploying fake credentials, fake systems, or deliberately exposed vulnerabilities to attract
cybercriminals and study their behavior.

2. Honeypot
● Description: A honeypot is a decoy system or network setup designed to attract cyber attackers and study their tactics,
techniques, and procedures (TTPs). It acts as a cybersecurity trap, but more specifically, it is an intentionally vulnerable
system.
● Types:
○ Low-Interaction Honeypots: Simulate services that are frequently attacked (e.g., FTP, SSH) but don't have a full
operating system.
○ High-Interaction Honeypots: Mimic real systems and allow attackers to interact deeply with them, providing
more data but also posing a higher risk if not properly isolated.
● Purpose: To detect and analyze attacks, divert attackers from valuable assets, and improve security measures.
3. Trace

● Description: In cybersecurity, tracing generally refers to tracking or monitoring the network activities of an attacker or user to gather information on
their behavior, origin, and methods.
● Application:
○ Network Tracing: Capturing and analyzing network traffic to follow the path of an attack.
○ System Tracing: Monitoring system calls, processes, and files accessed to understand how malware or an intruder behaves.
● Tools Used: traceroute (for network paths), log analyzers, and forensic analysis tools.

4. Sniffer

● Description: A sniffer is a tool used to monitor and capture network traffic passing through a network. It can be a legitimate tool used for network
diagnostics or a malicious tool used by attackers to capture sensitive information.
● Types:
○ Packet Sniffers: Capture data packets traversing a network.
○ Protocol Analyzers: Examine specific network protocols to provide a deeper analysis of captured packets (e.g., Wireshark).
● Purpose:
○ For Network Administrators: To troubleshoot network issues, monitor traffic, and enhance security.
○ For Attackers: To capture sensitive information like passwords, session cookies, or confidential data.

Summary

These tools and techniques—honeypots, sniffers, traces, and cybersecurity traps—are part of a broader arsenal of cybersecurity measures used to detect, analyze,
and respond to threats. Honeypots and traps focus on deception and study, sniffers capture data, and traces monitor activity, all aimed at improving overall
network security.
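The low-interaction honeypot described above, as an added example that is not part of the slides: it sends a decoy SSH version banner, records whatever the peer sends first, and emits a structured log event. The banner string, the port and the addresses used in the comments are constructed for illustration; no real SSH server is involved.

```python
"""Minimal low-interaction SSH-style honeypot (added example, not from the slides).

It does not implement SSH: it only sends a fake version banner, records the first
bytes the peer sends, and writes a structured log event for later analysis.
The banner and any addresses below are constructed, not real hosts.
"""
import json
import socket
import threading
from datetime import datetime, timezone

FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"  # constructed decoy banner


def make_event(peer, first_bytes, now=None):
    """Turn a raw probe into a log record an analyst can search later."""
    now = now or datetime.now(timezone.utc)
    text = first_bytes.decode("ascii", errors="replace").strip()
    if not text:
        note = "connected, sent nothing"
    elif text.startswith("SSH-"):
        note = "ssh client handshake"
    else:
        note = "non-ssh probe"
    return {
        "ts": now.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "client_banner": text if text.startswith("SSH-") else None,
        "raw_len": len(first_bytes),
        "note": note,
    }


def classify_events(events):
    """Count probes per source address so repeated scanners stand out."""
    counts = {}
    for ev in events:
        counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return counts


def handle(conn, peer, log):
    """Serve one connection: banner out, first bytes in, then close and log."""
    try:
        conn.settimeout(5)
        conn.sendall(FAKE_BANNER)
        data = conn.recv(256)
    except OSError:  # timeout or reset: still worth logging the attempt
        data = b""
    finally:
        conn.close()
    ev = make_event(peer, data)
    log.append(ev)
    print(json.dumps(ev))


def serve(host="127.0.0.1", port=2222, log=None):
    """Listen on an unprivileged port; each connection is handled in a thread."""
    log = log if log is not None else []
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, log), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the decoy never runs a real service, every connection it receives is by definition unsolicited, which is what makes honeypot logs low-noise compared to logs from production hosts; the isolation caveat on the slide still applies, so run it on a segment with nothing else of value.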
Signature-Based Intrusion Detection and Prevention Systems (IDPS) are a type of cybersecurity technology designed to detect and
prevent malicious activities by comparing network traffic or system activities against a database of known attack patterns, or signatures.

Intrusion Detection and Prevention Systems (IDPS)

Intrusion Detection System (IDS): Monitors network or system activities for malicious activities or policy violations and typically generates
alerts when such events are detected.

Intrusion Prevention System (IPS): Acts upon these alerts to prevent the potential attack from succeeding, for example, by blocking traffic,
resetting connections, or quarantining malicious files.

Signature-Based Detection: A method of identifying threats based on the recognition of specific patterns (signatures) of known attacks, such
as a particular sequence of bytes in network traffic, a specific string in a file, or known malicious IP addresses.

How It Works:

Signature Database: Maintains a database of signatures that represent known attack patterns (e.g., virus signatures, malware behavior,
network-based exploits).

Real-Time Monitoring: Continuously scans network traffic or system activities to match them against these signatures.

Detection and Response: If a match is found, an alert is generated, and actions such as blocking traffic, shutting down the system, or
quarantining files can be taken to prevent or mitigate the attack.
Types of Signatures

Network Signatures: Patterns associated with network-based attacks (e.g., port scans, buffer overflow exploits).

Host-Based Signatures: Indicators of malicious activities on an endpoint (e.g., file integrity checks, malware executable signatures).

Protocol Signatures: Abnormal use of standard protocols (e.g., HTTP, SMTP) that may indicate exploitation attempts.

Advantages of Signature-Based IDPS

○ Accuracy: Highly effective at detecting known threats with minimal false positives because signatures are precise patterns of malicious
behavior.
○ Ease of Deployment: Straightforward to implement and manage, especially in environments where attack patterns are well-known.
○ Low Resource Consumption: Compared to more complex detection methods, signature-based systems typically require fewer resources to
operate.

Limitations of Signature-Based IDPS

○ Ineffectiveness Against Unknown Threats: Cannot detect new, unknown, or zero-day attacks that do not match existing signatures.
○ Signature Maintenance: Requires frequent updates to the signature database to keep up with emerging threats.
○ High False Negatives: If an attacker modifies a known attack just slightly, it might not match the existing signature and go undetected.

Applications of Signature-Based IDPS

○ Network-Based IDPS (NIDPS): Monitors network traffic to detect threats in real time.
○ Host-Based IDPS (HIDPS): Monitors activities on individual devices, such as file integrity, process behavior, and system logs.

Signature-Based IDPS is an essential component of a multi-layered cybersecurity strategy, especially effective at detecting and preventing well-known
attacks. However, organizations often use it in conjunction with other detection methods, such as anomaly-based detection and behavioral analysis, to
provide comprehensive protection against both known and unknown threats.
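The signature matching loop described above, as an added example that is not code from the slides or from any IDS product: a small signature database is matched against constructed access-log lines, and the result shows both the IDS (alert only) and IPS (block) responses. It also shows the "slightly modified attack" limitation from the slide: one request is percent-encoded, so the plain signature misses it until the input is normalized before matching. The signature ids, log lines and addresses are constructed.

```python
"""Signature-based detection over sample request log lines (added example, not from the slides).

Signatures, log lines and IP addresses are constructed for illustration; they are
not Snort/Suricata rules or real indicators.
"""
import re
from urllib.parse import unquote

# Signature database: each entry is a precise pattern of a known bad request.
SIGNATURES = [
    {"sid": 1001, "name": "path traversal to /etc/passwd",
     "pattern": re.compile(r"\.\./\.\./etc/passwd")},
    {"sid": 1002, "name": "SQL tautology in query string",
     "pattern": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I)},
    {"sid": 1003, "name": "known bad source IP",
     "pattern": re.compile(r"^198\.51\.100\.77 ")},
]

# Constructed access-log lines: client, request line, status.
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.html HTTP/1.1" 200',
    '192.0.2.11 "GET /download?file=../../etc/passwd HTTP/1.1" 200',
    '192.0.2.12 "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    "203.0.113.5 \"GET /login?user=admin' or '1'='1 HTTP/1.1\" 200",
    '198.51.100.77 "GET /robots.txt HTTP/1.1" 200',
]


def match_line(line, normalize=False):
    """Return (sid, name) for every signature that matches this line.

    With normalize=True the request is percent-decoded first, so a signature
    written for the plain form also catches the encoded variant.
    """
    subject = unquote(line) if normalize else line
    return [(s["sid"], s["name"]) for s in SIGNATURES if s["pattern"].search(subject)]


def scan(lines, normalize=False, mode="ids"):
    """mode='ids' only alerts; mode='ips' also lists the lines it would block."""
    alerts, blocked = [], []
    for i, line in enumerate(lines):
        hits = match_line(line, normalize)
        if hits:
            alerts.append({"line": i, "hits": hits})
            if mode == "ips":
                blocked.append(i)
    return {"alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    naive = scan(SAMPLE_LOG)
    hardened = scan(SAMPLE_LOG, normalize=True, mode="ips")
    print("naive alerts on lines:", [a["line"] for a in naive["alerts"]])
    print("normalized alerts on lines:", [a["line"] for a in hardened["alerts"]])
    print("IPS would block lines:", hardened["blocked"])
```

Line 2 of the sample is the false negative the slide warns about: the same traversal, encoded differently, never matches the byte pattern. Decoding before matching closes that particular gap, but a genuinely new attack still matches nothing, which is why the slide pairs signature matching with anomaly-based detection.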
In cybersecurity, the concepts of attribute, accountability, access control, and auditability are fundamental to protecting and managing
information systems.

Attribute

● Definition: An attribute is a property or characteristic associated with an object, user, or system in a cybersecurity context. Attributes
can include user roles, permissions, resource identifiers, and more.
● Types:
○ User Attributes: Details about a user, such as their role, department, or clearance level.
○ Resource Attributes: Characteristics of resources like files or databases, such as sensitivity level or ownership.
○ System Attributes: Properties of systems or devices, like their operating system or security configuration.
● Role in Security: Attributes are used to define access rights and permissions, enforce security policies, and manage user and
resource relationships.

Accountability

● Definition: Accountability in cybersecurity refers to the ability to trace and attribute actions performed on a system or network to
specific users or entities. It ensures that users can be held responsible for their actions.
● Components:
○ Logging: Recording events and activities in logs (e.g., login attempts, file access).
○ Monitoring: Continuously observing system and network activities to detect and respond to anomalies.
○ Reporting: Generating reports to review and analyze activities and security incidents.
● Importance: Ensures compliance with security policies, supports forensic investigations, and deters malicious behavior by providing a
means to track actions back to individuals.
Access Control

● Definition: Access control is the process of regulating who can view or use resources in a computing environment. It involves defining and enforcing
policies that restrict access based on various criteria.
● Types:
○ Discretionary Access Control (DAC): Users have control over their own resources and can grant access to others.
○ Mandatory Access Control (MAC): Access rights are regulated by a central authority based on classification levels and labels.
○ Role-Based Access Control (RBAC): Access is granted based on a user's role within an organization.
○ Attribute-Based Access Control (ABAC): Access decisions are made based on attributes of users, resources, and the environment.
● Purpose: To protect resources from unauthorized access and ensure that only legitimate users have access to sensitive information.

Auditability

● Definition: Auditability refers to the ability to review and examine the records of actions and events within a system. It involves collecting and
analyzing logs and records to ensure compliance and security.
● Components:
○ Audit Logs: Detailed records of system activities, including user actions, system changes, and security events.
○ Auditing Tools: Software used to collect, analyze, and generate reports from audit logs.
○ Compliance Checks: Reviewing audit logs to ensure adherence to security policies and regulatory requirements.
● Importance: Supports security assessments, helps detect and investigate security incidents, and ensures compliance with policies and regulations.

Summary

● Attribute: Characteristics associated with users, resources, or systems used in managing access and security policies.
● Accountability: Ensuring actions can be traced back to specific users or entities, supporting responsibility and forensic analysis.
● Access Control: Mechanisms and policies for regulating who can access what resources and under what conditions.
● Auditability: The ability to review and analyze logs and records to ensure security, compliance, and proper functioning of systems.
In the context of biometric devices, Type I Error and Type II Error refer to two key types of errors that occur when a biometric system fails to correctly identify or verify an
individual. These errors are closely related to the False Reject Rate (FRR) and False Accept Rate (FAR).

1. Type I Error (False Reject)

● Definition: A Type I Error occurs when a biometric system incorrectly rejects an authorized or legitimate user.
● Also Known As: False Reject Error.
● Metric: This is measured by the False Reject Rate (FRR), which is the probability that a legitimate user is denied access.
● Example: A person trying to unlock their phone with their fingerprint, but the system fails to recognize the fingerprint, even though it is registered.
● Impact: High FRR (Type I Error) can cause inconvenience and frustration for users due to being wrongly denied access.

2. Type II Error (False Accept)

● Definition: A Type II Error occurs when a biometric system incorrectly accepts an unauthorized or impostor user.
● Also Known As: False Accept Error.
● Metric: This is measured by the False Accept Rate (FAR), which is the probability that an impostor is incorrectly granted access.
● Example: An unauthorized person gains access to a secure area because their fingerprint or facial features are mistakenly matched to an authorized user.
● Impact: High FAR (Type II Error) poses a significant security risk, as it can allow unauthorized access to sensitive information or areas.

Summary

● Type I Error (False Reject): Authorized user is incorrectly rejected.
● Type II Error (False Accept): Unauthorized user is incorrectly accepted.

Both errors are critical in the design and deployment of biometric systems. A balance between FRR and FAR is essential to ensure both security and user convenience. The
Crossover Error Rate (CER) is often used to find this balance point, where the rates of Type I and Type II errors are equal, indicating the overall accuracy of a biometric
system.
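FRR, FAR and the crossover error rate from the two biometric passages above (the FRR/FAR/CER definitions and the Type I/Type II mapping), worked through in code as an added example that is not from the slides. The genuine and impostor match scores are constructed: a decision threshold is swept across them, FRR (Type I) and FAR (Type II) are computed at each threshold, and the CER is the point where the two are equal.

```python
"""Computing FRR, FAR and the crossover error rate from match scores (added example, not from the slides).

The score lists are constructed: each number is the similarity a hypothetical
matcher assigned to one comparison. Genuine = enrolled user against their own
template; impostor = a different person against that template. A comparison is
accepted when its score is at or above the decision threshold.
"""

GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.28, 0.35, 0.41, 0.48, 0.54, 0.60, 0.67, 0.73]


def frr(threshold, genuine=GENUINE_SCORES):
    """Type I error: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type II error: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the threshold in steps of 0.01 and return (threshold, FRR, FAR) triples."""
    return [(i / 100, frr(i / 100, genuine), far(i / 100, impostor)) for i in range(101)]


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FRR and FAR are closest (lowest such threshold) and the CER there."""
    best = min(error_curve(genuine, impostor), key=lambda p: (abs(p[1] - p[2]), p[0]))
    t, r, a = best
    return t, (r + a) / 2


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.70, 0.80):
        print(f"threshold {t:.2f}: FRR={frr(t):.1f} (Type I)  FAR={far(t):.1f} (Type II)")
    t, cer = crossover()
    print(f"crossover at threshold {t:.2f}, CER={cer:.2f}")
```

Raising the threshold makes the matcher stricter: FAR falls and FRR rises, which is the security-versus-convenience trade-off the slides describe. The CER compresses the whole curve into one number, so two devices can be compared without first agreeing on a threshold.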
Detection-Related Programs and Technologies

1. Intrusion Detection Systems (IDS): Tools designed to monitor network and system activities for malicious activities or policy violations. Examples:

○ Snort (can be configured for both signature-based and anomaly-based detection)
○ Suricata (high-performance IDS/IPS that supports multiple detection methods)

2. Intrusion Prevention Systems (IPS): Systems that not only detect potential threats but also take action to prevent them. Examples:

○ Cisco Firepower (integrates IDS/IPS functionalities)
○ Palo Alto Networks (Next-Generation Firewall with integrated IPS)

3. Security Information and Event Management (SIEM): Platforms that aggregate and analyze security data from various sources to provide real-time threat detection and
incident response. Examples:

○ Splunk Enterprise Security
○ IBM QRadar

4. Endpoint Detection and Response (EDR): Solutions focused on monitoring and responding to threats on endpoints like computers and servers. Examples:

○ CrowdStrike Falcon
○ Microsoft Defender for Endpoint

Signature-Based Detection: Effective for detecting known threats by matching patterns against a database of signatures. Limited to
predefined attack patterns and requires regular updates.

Anomaly-Based Detection: Identifies deviations from normal behavior to detect both known and unknown threats. Can be prone to
false positives and requires complex modeling.
Signature-Based Detection and Anomaly-Based Detection are two primary methods used in intrusion detection and prevention systems (IDPS) to
identify potential threats. Each method has its own strengths and weaknesses and is often used in conjunction with other techniques for comprehensive
security coverage.

1. Signature-Based Detection

Definition: Signature-based detection involves identifying known threats by comparing observed behaviors or patterns against a database of predefined attack
signatures. These signatures represent known attack patterns, such as specific sequences of bytes, strings, or behaviors.

How It Works:

● Database of Signatures: Maintains a collection of known attack signatures.
● Pattern Matching: Compares incoming data or system activities to these signatures to identify potential threats.
● Alerts: Generates alerts when a match is found between the observed activity and a signature.

Advantages:

● Accuracy: Highly effective at detecting known threats with minimal false positives due to precise pattern matching.
● Performance: Typically faster and less resource-intensive as it involves straightforward pattern comparisons.

Disadvantages:

● Limited to Known Threats: Cannot detect new, unknown, or zero-day attacks that do not match existing signatures; a new kind of attack cannot be
identified.
● Maintenance: Requires regular updates to the signature database to stay current with new threats.

Examples of Signature-Based Detection Programs:

● Nessus (vulnerability scanner with signature-based detection capabilities)
● Snort (network intrusion detection system with signature-based rules)
● McAfee Network Security Platform
2. Anomaly-Based Detection

Definition: Anomaly-based detection identifies potential threats by monitoring and analyzing network or system activities for deviations from normal or expected
behavior. It detects anomalies that may indicate malicious activity.

How It Works:

● Baseline Behavior: Establishes a baseline of normal behavior through historical data or predefined models.
● Behavior Analysis: Continuously monitors activities and compares them to the baseline to detect deviations.
● Alerts: Generates alerts when deviations from normal behavior are detected.

Advantages:

● Detection of Unknown Threats: Can identify new, previously unknown threats by detecting deviations from established norms.
● Adaptive: Can adapt to changes in normal behavior over time, making it useful for dynamic environments.

Disadvantages:

● False Positives: May generate more false positives due to benign activities being classified as anomalies.
● Complexity: Requires complex algorithms and models to accurately establish and maintain baselines.

Examples of Anomaly-Based Detection Programs:

● IBM QRadar (SIEM platform with anomaly detection capabilities)
● Splunk Enterprise Security (SIEM tool with anomaly detection features)
● Darktrace (uses machine learning to detect anomalies in network traffic)
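The baseline-and-deviation loop described under "How It Works" above, as an added example that is not from the slides or from any of the products listed: a statistical baseline (mean and standard deviation of requests per minute) is built from constructed quiet-period data, live windows are scored by how many standard deviations they sit from normal, and anything beyond the cut-off is alerted. The request counts, timestamps and the "what really happened" labels are constructed; the labels exist only so the false positive can be discussed.

```python
"""Anomaly-based detection with a statistical baseline (added example, not from the slides).

Per-minute request counts below are constructed. 'Training' windows define normal
behaviour; 'live' windows are scored against it. No signature is involved, so a
burst is flagged even though nothing about it matches a known pattern.
"""
import statistics

# Constructed history: requests per minute from one host over 20 quiet minutes.
TRAINING = [40, 42, 38, 45, 41, 39, 44, 43, 40, 37, 42, 41, 46, 39, 40, 43, 38, 42, 41, 40]

# Constructed live windows: (label, count, ground truth used only for discussion).
LIVE = [
    ("09:00", 41, "normal"),
    ("09:01", 44, "normal"),
    ("09:02", 310, "unknown tool hammering the API"),
    ("09:03", 120, "benign: scheduled backup job started early"),
    ("09:04", 39, "normal"),
]


def build_baseline(samples):
    """Normal behaviour summarised as mean and sample standard deviation."""
    return {"mean": statistics.mean(samples), "stdev": statistics.stdev(samples)}


def z_score(value, baseline):
    """How many standard deviations a value sits from the baseline mean."""
    return (value - baseline["mean"]) / baseline["stdev"]


def detect(windows, baseline, z_threshold=3.0):
    """Alert on any window whose count deviates more than z_threshold sigmas from normal."""
    alerts = []
    for label, count, _truth in windows:
        z = z_score(count, baseline)
        if abs(z) > z_threshold:
            alerts.append({"window": label, "count": count, "z": round(z, 1)})
    return alerts


def update_baseline(samples, new_value, max_len=20):
    """Adaptive baseline: slide the window so slowly changing 'normal' is learned.

    Only windows that did NOT alert should be fed back, otherwise an attack that
    persists for a few minutes teaches the detector that the attack is normal.
    """
    return (samples + [new_value])[-max_len:]


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    print(f"baseline mean={baseline['mean']:.2f} stdev={baseline['stdev']:.2f}")
    for a in detect(LIVE, baseline):
        print("ALERT", a)
    history = TRAINING
    for label, count, _ in LIVE:
        if abs(z_score(count, baseline)) <= 3.0:
            history = update_baseline(history, count)
    print("updated baseline mean:", round(build_baseline(history)["mean"], 2))
```

Both 09:02 and 09:03 are alerted: the detector cannot tell the unknown tool from the early backup job because it knows nothing about intent, only about deviation. That is the false-positive cost the slide mentions, and the usual answer is to enrich the baseline (per hour of day, per source) rather than to raise the threshold until the real event disappears too.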
Q10
In cybersecurity, vulnerability scanners are tools designed to identify security weaknesses in systems, networks, and applications. They generally fall into two
categories: active and passive vulnerability scanners. Here’s a breakdown of each type:

1. Active Vulnerability Scanner

Definition: An active vulnerability scanner actively interacts with the target system by sending probes or requests to identify potential security vulnerabilities.

How It Works:

● Scanning Techniques: The scanner sends various types of queries and tests to the target system (e.g., port scans, protocol checks) to identify known
vulnerabilities.
● Testing: It often performs intrusive tests, such as exploiting known vulnerabilities to verify their presence.
● Interaction: Active scanners typically require direct access to the system or network being tested.

Advantages:

● Detailed Detection: Can detect vulnerabilities that passive scanners might miss by actively probing and testing the target.
● Comprehensive Analysis: Provides detailed information about potential weaknesses, including potential exploits and remediation advice.

Disadvantages:

● Intrusive: Can potentially disrupt services or cause system instability due to the active nature of the testing.
● Performance Impact: May slow down the system or network during the scanning process.
● False Positives/Negatives: May produce false positives (reporting non-existent vulnerabilities) or false negatives (missing real vulnerabilities).

Examples:

● Nessus
● OpenVAS
● Qualys
2. Passive Vulnerability Scanner

Definition: A passive vulnerability scanner monitors and analyzes network traffic and system behavior without actively interacting with
the target systems.

How It Works:

● Monitoring: Observes network traffic, system logs, and other passive data sources to detect potential vulnerabilities and
weaknesses.
● Analysis: Analyzes patterns and behaviors to identify vulnerabilities based on observed activities, rather than actively probing
the system.
● Non-Intrusive: Operates by collecting and analyzing data without sending any requests or tests to the target systems.

Advantages:

● Non-Intrusive: Does not affect the performance or stability of the target systems since it does not actively interact with them.
● Stealthy: Useful for environments where active scanning could be detected or where system stability is a concern.
● Continuous Monitoring: Can provide ongoing visibility into vulnerabilities and security posture without periodic scans.

Disadvantages:

● Limited Detection: May not identify all vulnerabilities, especially those that require active testing to reveal.
● Less Detailed: Often provides less detailed information about vulnerabilities compared to active scanners.
● Delayed Detection: Might not detect vulnerabilities until they are reflected in observed traffic or logs.

Examples:

● Passive Vulnerability Scanner by Tenable (the same company that produces Nessus, which is an active scanner as well).
● Snort (primarily an IDS but can be used in a passive mode to detect vulnerabilities).

Summary

● Active Vulnerability Scanner: Actively tests and interacts with target systems to find vulnerabilities. It is detailed and thorough
but can be intrusive and impact system performance.
● Passive Vulnerability Scanner: Monitors network and system traffic without interacting with the systems. It is non-intrusive and
stealthy but may provide less detailed or comprehensive vulnerability information.

Both types of scanners play important roles in a comprehensive security assessment strategy. Active scanners are useful for in-depth
vulnerability assessments, while passive scanners are valuable for ongoing monitoring and detection with minimal disruption.
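To make the passive approach concrete, here is an added example (not part of the course material or any vendor's product) of a toy passive check: it derives findings only from service banners a sensor has already observed, never sending a probe, and also reports the products it could not judge, which is the "Limited Detection" gap described above. The log lines, product names, version numbers and advisory identifiers are all constructed for the example.

```python
"""Toy passive vulnerability check over observed traffic (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of what a passive sensor might record from traffic it only
# observed (never probed): "<timestamp> <host>:<port> Server: <product>/<version>".
OBSERVED_LOG = """\
2024-09-07T10:00:01 10.0.0.5:80 Server: ExampleHTTPD/3.1.2
2024-09-07T10:00:02 10.0.0.7:8080 Server: DemoProxy/1.4.0
2024-09-07T10:00:03 10.0.0.9:443 Server: MysteryServer/9
2024-09-07T10:00:04 10.0.0.5:80 Server: ExampleHTTPD/3.1.2
2024-09-07T10:00:05 10.0.0.11:80 Server: ExampleHTTPD/3.2.0
"""

# Constructed, hypothetical advisory feed: product -> (first fixed version, advisory id).
# A real passive scanner would load this from its vendor's vulnerability feed.
ADVISORIES = {
    "ExampleHTTPD": ("3.2.0", "EXAMPLE-ADVISORY-1"),
    "DemoProxy": ("1.5.0", "EXAMPLE-ADVISORY-2"),
}

BANNER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>[\d.]+):(?P<port>\d+) Server: "
    r"(?P<product>[^/\s]+)/(?P<version>[\d.]+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: str
    advisory: str


def version_key(version: str) -> tuple:
    """'3.1.2' -> (3, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_banner(line: str):
    """Return the fields of one observed banner line, or None if it does not match."""
    m = BANNER_RE.match(line.strip())
    return m.groupdict() if m else None


def passive_scan(log_text: str):
    """Derive findings purely from observed banners; nothing is sent to any host.

    Returns (findings, unknown_products): findings is a de-duplicated list of
    services running a version older than the advisory's fixed version;
    unknown_products lists observed products the feed says nothing about.
    """
    findings, unknown = [], set()
    for line in log_text.splitlines():
        rec = parse_banner(line)
        if rec is None:
            continue
        entry = ADVISORIES.get(rec["product"])
        if entry is None:
            unknown.add(rec["product"])  # seen, but the feed cannot judge it
            continue
        fixed_in, advisory = entry
        if version_key(rec["version"]) < version_key(fixed_in):
            f = Finding(rec["host"], int(rec["port"]), rec["product"], rec["version"], advisory)
            if f not in findings:  # the same service seen twice is one finding
                findings.append(f)
    return findings, sorted(unknown)


if __name__ == "__main__":
    found, gaps = passive_scan(OBSERVED_LOG)
    for f in found:
        print(f"{f.host}:{f.port} {f.product}/{f.version} -> {f.advisory}")
    print("observed but not covered by the feed:", gaps)
```

Note that the third host is only reported as "not covered": an active scanner could probe it further, a passive one can only wait for more traffic.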
Q11
As a security manager, how would you explain the primary goal of a security awareness
program to senior management? (Information Security & Risk Management Domain)

a) Provide a vehicle for communicating security procedures
b) Provide a clear understanding of potential risk and exposure
c) Provide a forum for disclosing exposure and risk analysis
d) Provide a forum to communicate user responsibilities
Q12
Which statement below most accurately reflects the goal of risk mitigation? (Information Security & Risk
Management Domain)

a) Defining the acceptable level of risk the organization can tolerate, then reduce risk to that
level.
b) Analyzing and removing all vulnerabilities and threats to security within the organization.
c) Defining the acceptable level of risk the organization can tolerate, and assigning any costs
associated with loss or disruption to a third party such as an insurance carrier.
d) Analyzing the effects of a business disruption and preparing the company’s response.
Q13
In computer security, ......................... means that computer system assets can be modified only by authorized parties.

A) Confidentiality
B) Integrity
C) Availability

D) Authenticity
Q14

The kind of crime that involves altering raw data just before the computer processes it
and then changing it back after the processing is completed is _____
A. Data diddling
B. Data tampering
C. Salami attacks
D. None of above
Data Diddling

Data diddling involves altering or manipulating data before it is entered into a computer system or processed. After processing, the
data is often changed back to its original form to avoid detection. This type of crime is usually committed by someone who has access
to the data before or after processing, such as employees or system administrators.

Data Tampering

Data tampering involves the unauthorized modification, deletion, or corruption of data within a system, often to cause harm or gain an
unfair advantage. It can occur during data transmission or when data is stored, making it a significant threat to data integrity and
confidentiality. Cybercriminals, hackers, or malicious insiders typically carry out data tampering attacks to manipulate records, change
configurations, or exploit systems.

Salami Attacks

Salami attacks are a form of cybercrime where small amounts of money or data are stolen or manipulated in a way that is nearly
imperceptible over time. The term "salami" comes from the idea of slicing off tiny pieces, each too small to be noticed individually but
significant when accumulated. This technique is often used in financial fraud, where minor, seemingly insignificant amounts are
diverted from many accounts to the attacker’s account.
Q15
Information Technology Act 2000 in India was amended in _____

a. 2000

b. 2004

c. 2008

d. 2010
Q16
Which of the following are cyber crimes?

1. Cyber crimes against persons.

2. Cyber crimes against property.

3. Cyber crimes against government.

4. Cyber crimes against animals

● 1, 2, 3 only
● 2, 3, 4 only
● 1, 3, 4 only
● 2, 3 only
Q17
Risk management in cyber security involves three key steps. These steps are:
A. Monitoring, auditing, and reporting.
B. Identifying risks, assessing risk, and controlling risks.
C. Training employees, patching vulnerabilities, and using firewalls.
D. Investigating incidents, recovering data, and learning lessons.
Q18
In mandatory access control, what determines the assignment of data classifications? (Information
Security & Risk Management Domain)

a) The analysis of the users in conjunction with the audit department
b) The assessment by the information security department
c) The user’s evaluation of a particular information element
d) A security classification policy / guideline
Q19
Operational Risk arises from
i. Inadequate or failed internal processes
ii. People and systems
iii. External Events
iv. Defaults
Which of the above is true?
a) All of them
b) None of them
c) (i) , (ii) and (iii)
d) (i) , (ii)
Q20

Which of the following is the primary objective of the Information Technology (IT) Act, 2000 in India?
- a) To regulate e-commerce
- b) To provide legal recognition for electronic transactions
- c) To promote digital payments
- d) To enforce international trade laws
Q21
As an information systems security manager (ISSM), how would you explain the purpose of a
system security policy? (Information Security & Risk Management Domain)
a) A definition of the particular settings that have been determined to provide optimum
security
b) A set of brief, high-level statements that defines what is and is not permitted during the
operation of the system
c) A definition of those items that must be excluded on the system
d) A listing of tools and applications that will be used to protect the system
Q22

The "attack surface" in cyber security is a visualization tool that helps to understand:
A. The effectiveness of different security tools.
B. The relationship between various types of threats and the organization's assets.
C. The complexity of the organization's network infrastructure.
D. The cost of implementing different security controls.
The "attack surface" in cybersecurity helps to visualize and understand the various points where an organization's assets (like servers, databases,
applications, etc.) are exposed to potential threats. By mapping the attack surface, organizations can see the connections between assets and possible attack
vectors, which aids in identifying where security measures are needed and prioritizing them based on risk.

Attack surface refers to all the potential points where an unauthorized user (an attacker) could attempt to enter or extract data from an environment.
Visualizing the attack surface helps organizations understand where they are vulnerable by plotting potential threats on the Y-axis and organizational
assets (like applications, systems, networks, etc.) on the X-axis. This visualization helps in identifying points of vulnerability, understanding the potential
impact, and prioritizing risk reduction efforts based on the likelihood and severity of threats.

By mapping these out, security teams can more effectively allocate resources and implement defenses to reduce the risk of security breaches.

Minimizing the Attack Surface:

● Reduce Unnecessary Services: Disable or remove unused services, applications, or accounts that could be exploited.
● Patch and Update Regularly: Ensure all systems, applications, and devices are updated with the latest security patches.
● Implement Network Segmentation: Divide the network into segments to limit the spread of potential attacks.
● Conduct Regular Security Audits: Identify vulnerabilities through vulnerability assessments, penetration testing, and continuous monitoring.
● Employee Training: Train employees on recognizing social engineering attacks and following cybersecurity best practices.

b) The relationship between various types of threats and the organization's assets.
Q23
During the Risk Identification phase, assets are classified into which of the
following categories?
A. Financial assets, Intellectual property, and Human resources
B. Assets, Liabilities, and Equity
C. Tangible assets, Intangible assets, and Fixed assets
D. People, Procedures, Data and information, Software, Hardware, and
Networking elements
The correct answer is:

d) People, Procedures, Data and information, Software, Hardware, and Networking elements

During the Risk Identification phase in cybersecurity, assets are typically classified into categories that encompass all critical
components of an organization's information system. This classification includes people (e.g., employees), procedures (e.g., policies
and processes), data and information, software (e.g., applications), hardware (e.g., servers and computers), and networking elements
(e.g., routers and switches). This comprehensive classification helps in identifying potential risks to each category and planning
appropriate security measures.
Q24
Under the IT Act, 2000, which section deals with the punishment for hacking with
computer systems?
- a) Section 65
- b) Section 66
- c) Section 67
- d) Section 68
Q25
In mandatory access control, what determines the assignment of data classifications? (Information Security
& Risk Management Domain)

a) The analysis of the users in conjunction with the audit department
b) The assessment by the information security department
c) The user’s evaluation of a particular information element
d) A security classification policy / guideline
Q26
Which formula accurately represents the calculation of risk in cyber security risk assessment?
A. Risk = Loss frequency + Loss magnitude
B. Risk = Loss frequency x Loss magnitude + Measurement Uncertainty
C. Risk = (% Risk Mitigated by Controls) / (Loss Frequency x Loss Magnitude)
D. Risk = Loss frequency - Loss magnitude + Measurement Uncertainty
Q27
You are a security analyst for a company that manages an online store with a customer database. Industry reports
indicate a 10 percent chance of an attack this year, based on an estimate of one attack every 10 years. A successful attack
could result in the theft of customer data. There is a 20% chance of the threat being able to materialize and achieve its
objectives even with robust protection mechanisms in place. Being an e-commerce company, the customer database is its
most valued asset, rated 90 on a 1-100 scale. The IT department reports that 60% of the asset will be exposed after a
successful attack. The estimates are 80% accurate. Calculate the risk associated with the asset for a
potential SQL injection attack.
A. 3.756
B. 4.196
C. 3.276
D. 1.296
Calculation
Risk = LM * LF + Uncertainty

LF = 0.1 * 0.2 = 0.02

LM = 0.6 * 90 = 54

LM * LF = 54 * 0.02 = 1.08

Uncertainty = (1 - 0.8) * 1.08 = 0.216 (the estimates are 80% accurate, so 20% of the computed loss is added as measurement uncertainty)

Risk = 1.08 + 0.216 = 1.296
Q28
What is the role of a CIRT (Cyber Incident Response Team)?
a) To perform routine system maintenance
b) To manage and respond to cybersecurity incidents
c) To develop new software applications
d) To perform backups
Q29

What is the first step in the incident response process?

a) Containment
b) Eradication
c) Identification
d) Recovery
Question 30

What does "pivoting" mean in ethical hacking?

a) Changing attack vectors
b) Using a compromised system to access other systems
c) Moving laterally within a network
d) Encrypting data for security
In ethical hacking, pivoting refers to a technique where an attacker gains access to one system within a network (compromised
system) and then uses that system as a launchpad to compromise other systems.

Here’s a breakdown of how it works:

1. Initial Compromise: The attacker starts by exploiting a vulnerability or misconfiguration on a particular system.
2. Establish Access: Once access is gained, the attacker establishes a foothold on this initial system, often by installing malware
or using legitimate credentials.
3. Network Exploration: The attacker then explores the internal network from this compromised system, gathering information
about other connected systems and services.
4. Further Compromise: Using the information gathered and possibly exploiting additional vulnerabilities, the attacker then
moves to compromise other systems in the network.

In ethical hacking, this technique is used to assess and improve network security by identifying potential weaknesses and
vulnerabilities that could be exploited in a real attack.
Q31:

What is the first phase of ethical hacking?

a) Scanning
b) Gaining access
c) Reconnaissance
d) Maintaining access
Q32:

What does EDR stand for in cybersecurity?

a) Endpoint Detection and Response
b) Enhanced Data Recovery
c) Emergency Data Restoration
d) Encrypted Data Routing
EDR stands for Endpoint Detection and Response. It's a cybersecurity solution designed to monitor, detect, and respond to threats and
suspicious activities on endpoint devices, such as laptops, desktops, and servers.

Here’s a breakdown of its key functions:

1. Continuous Monitoring: EDR solutions provide real-time monitoring of endpoint activities to detect anomalies and potential threats.
2. Threat Detection: They use various methods, including behavioral analysis, signatures, and machine learning, to identify malicious
activities or indicators of compromise (IoCs).
3. Incident Response: EDR tools often include features for responding to threats, such as isolating affected devices, blocking malicious
processes, and removing threats.
4. Forensic Analysis: They provide detailed logs and data about endpoint activities, which helps in investigating and understanding the
nature of attacks.
5. Integration: EDR solutions can integrate with other security tools, such as Security Information and Event Management (SIEM) systems,
to provide a comprehensive view of the organization’s security posture.

Overall, EDR helps organizations improve their security posture by providing visibility into endpoint activities and enabling rapid response to
potential threats.
Q33
Which of the following is NOT a cybercrime under the Information Technology Act, 2000?
- a) Hacking
- b) Sending offensive messages through communication service
- c) Tax evasion
- d) Identity theft
c) Tax evasion

Tax evasion is a financial crime related to the non-payment or underpayment of taxes, and it is governed by tax laws, not the
Information Technology Act, 2000. The other options—hacking, sending offensive messages through communication services, and
identity theft—are considered cybercrimes and are covered under various sections of the IT Act, 2000 in India.
Q34

What is the maximum penalty for someone found guilty of data theft under Section
43 of the IT Act, 2000?
- a) ₹1 lakh
- b) ₹5 lakh
- c) ₹10 lakh
- d) ₹1 crore
Q35

What is the formula for calculating risk in cybersecurity?

● a) Risk = Threat x Vulnerability
● b) Risk = Threat x Vulnerability x Asset Value
● c) Risk = Impact x Likelihood
● d) Risk = Threat x Impact
Q36
What is the minimum and customary practice that constitutes “responsible protection of
information assets that affects a community or societal norm”? (Information Security &
Risk Management Domain)

a) Due diligence
b) Risk mitigation
c) Asset protection
d) Due care
1. Due Care

Due care refers to the level of responsibility an organization is expected to exercise in protecting its information assets. It means implementing reasonable and appropriate
measures to safeguard data and ensure compliance with legal and regulatory requirements. Due care focuses on taking proactive steps to prevent harm or damage, ensuring
that security practices are in line with industry standards and best practices.

2. Risk Mitigation

Risk mitigation involves identifying, assessing, and taking steps to reduce or control risks to an acceptable level. This can include implementing security controls, creating
contingency plans, and employing various strategies to minimize the impact of potential threats. The goal of risk mitigation is to manage risks effectively and reduce the
likelihood or impact of adverse events.

3. Asset Protection

Asset protection refers to the measures and strategies put in place to safeguard an organization’s valuable assets, including physical, intellectual, and digital assets. This can
involve physical security, cybersecurity measures, data encryption, access controls, and more. Asset protection aims to prevent loss, theft, or damage to these valuable
resources.

4. Due Diligence

Due diligence involves a comprehensive assessment of risks and thorough investigation of potential issues related to information assets. It means performing all necessary
and reasonable actions to understand and address risks, ensuring that the organization is informed and prepared to handle potential issues. Due diligence ensures that
adequate precautions are taken to comply with legal, regulatory, and contractual obligations.

Summary:

● Due Care: The standard level of protection expected to be implemented to safeguard information assets.
● Risk Mitigation: Actions taken to reduce or control risks.
● Asset Protection: Strategies to safeguard valuable assets.
● Due Diligence: Comprehensive assessment and proactive actions to manage risks and ensure compliance.

Each of these concepts plays a role in ensuring robust information security and effective risk management.
Q37
What type of access control is implemented where a database administrator can grant “Update”
privilege in a database to specific users or groups? (Application Security Domain)
a) Supplemental

b) Discretionary

c) Mandatory
d) System
b) Discretionary

Discretionary Access Control (DAC) is a type of access control where the owner or administrator of a resource, such as a database,
has the discretion to grant or revoke access rights to other users. In this case, if a database administrator can grant "Update" privileges
to specific users or groups, it is an example of discretionary access control, as the administrator has the authority to decide who has
access to certain actions or resources based on their discretion.
a) Supplemental

Supplemental refers to additional measures or controls that are used to enhance or complement existing security practices. These are
not necessarily required but are added to improve security posture or address specific needs.

b) Discretionary

Discretionary typically refers to security controls or policies that are optional and based on the organization's judgment. For example,
discretionary access control (DAC) allows users to control access to their own resources.

c) Mandatory

Mandatory refers to security controls or policies that are required and enforced by regulations or standards. Mandatory measures are
not optional and must be implemented to ensure compliance with laws, regulations, or organizational policies.

d) System

System generally refers to the entire set of components (hardware, software, networks) that work together to achieve a specific
function. In security terms, this can also relate to system security controls that protect the entire system from various threats.
Q38
What is the purpose of biometrics in access control?

a) Authorization

b) Authentication
c) Confirmation
d) none of the mentioned
Q39
What security implementation principle is used for granting users only the rights that are necessary for
them to perform their work? (Information Security & Risk Management Domain)

a) Discretionary Access
b) Least Privilege
c) Mandatory Access
d) Separation of Duties
● Discretionary Access Control (DAC): This allows users to control access to their own resources. Owners of the resources can
decide who has access.
● Least Privilege: This principle dictates that users should only have the minimum level of access necessary to perform their
tasks.
● Mandatory Access Control (MAC): This enforces access control policies based on classifications and security labels, typically
used in environments where strict control is needed.
● Separation of Duties: This principle ensures that no single individual has control over all aspects of a critical process, to
prevent fraud and errors.

For granting users only the rights necessary for their work, Least Privilege (option b) is the correct principle. It involves
granting users only the permissions they need to perform their job functions and no more, which helps minimize the risk of
accidental or intentional misuse of resources.
Q40

What is the primary goal of risk management in cybersecurity?

A) To eliminate all security threats
B) To reduce the impact of threats and vulnerabilities
C) To increase the cost of security measures
D) To avoid any form of risk
