2 Cyberattacks Cybersecurity and Cyber Law


Unit 2: Cyberattacks, Cybersecurity, and Cyber Law (12 Hrs.)

Threat Landscape — Computer Incidents, Types of Exploits; CIA Security Triad:
Confidentiality, Integrity, Availability, Implementing CIA at Organizational,
Network, Application, and End-User Level; Response to Cyber Attack – Incident
Notification, Protection of Evidence and Activity Logs, Incident Containment,
Eradication, Incident Follow-Up, Using an MSSP, and Computer Forensics; Cyber
Law; Provision of Cyber Law and Electronic Transaction Act of Nepal

Threat Landscape

The threat landscape refers to the overall scope and variety of potential cybersecurity threats
that organizations, individuals, and systems face in the digital environment. This landscape
is dynamic and constantly evolving as technology advances and cybercriminals develop new
techniques.

Computer Incidents

Computer incidents refer to events or occurrences involving the compromise, disruption, or
unauthorized access to computer systems, networks, or data. These incidents can have
various causes, ranging from unintentional errors to malicious activities, and they pose
potential risks to the confidentiality, integrity, and availability of information. Here are some
common types of computer incidents:

1. Malware Infections: Malicious software, such as viruses, worms, trojans, and
ransomware, can infect computers and networks, causing damage to files, stealing
sensitive information, or disrupting system operations.

2. Data Breaches: Unauthorized access to and disclosure of sensitive or confidential data,
often resulting in the exposure of personal information, financial data, or intellectual
property.

3. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: These
attacks aim to overwhelm a system, network, or service with excessive traffic, making
it unavailable to legitimate users.

4. Phishing Attacks: Deceptive attempts to trick individuals into revealing sensitive
information, such as usernames, passwords, or financial details, by posing as
trustworthy entities.

5. Insider Threats: Actions or compromises initiated by individuals within an
organization, whether intentionally or unintentionally, that could lead to unauthorized
access, data leaks, or other security breaches.

6. Unauthorized Access: Intrusions into computer systems or networks by individuals or
entities without proper authorization, potentially leading to data theft, manipulation,
or disruption.

7. Ransomware Incidents: Malicious software that encrypts data, rendering it
inaccessible until a ransom is paid. This type of incident can result in significant
financial and operational impact.

8. Social Engineering Attacks: Manipulative tactics that exploit human psychology to gain
access to sensitive information or perform unauthorized actions. This can include
impersonation, pretexting, or baiting.

9. Software and Hardware Vulnerabilities: Exploitation of weaknesses in software or
hardware, often through the use of zero-day exploits, which target previously
unknown vulnerabilities.

10. Physical Security Incidents: Events that compromise the physical security of computer
systems or data centers, such as theft, vandalism, or natural disasters.

11. Supply Chain Attacks: Compromising the security of products or services by targeting
vulnerabilities within the supply chain, potentially impacting a wide range of
organizations and users.

Why Are Computer Incidents So Widespread?

• Increasing Complexity Increases Vulnerability

• Expanding and Changing Systems Introduce New Risks

• Increasing Popularity of BYOD Policies

• Growing Reliance on Commercial Software with Known Vulnerabilities

• Increasing Sophistication of Those Who Would Do Harm

1. Increasing Complexity Increases Vulnerability:

• As computer systems become more intricate and interconnected, they
inherently introduce more potential points of failure or vulnerability. Complex
systems often have numerous components and dependencies, making it
challenging to identify and secure every potential weakness. This complexity can
lead to oversight or difficulty in managing and patching vulnerabilities
effectively.

2. Expanding and Changing Systems Introduce New Risks:

• The constant evolution of technology, coupled with the rapid deployment of
new systems and software, introduces a continuous stream of potential
vulnerabilities. New technologies and features are often added to meet user
demands or improve functionality, but they may also bring unforeseen security
risks. Additionally, integration of legacy systems with new technologies can
create compatibility challenges and security gaps.

3. Increasing Popularity of BYOD Policies:

• Bring Your Own Device (BYOD) policies, which allow employees to use personal
devices for work, have become more common. While BYOD policies offer
flexibility and convenience, they also introduce security challenges. Personal
devices may lack the same level of security controls as corporate devices, and
their use in work environments can lead to increased exposure to threats,
especially if not properly managed and secured.

4. Growing Reliance on Commercial Software with Known Vulnerabilities:

• Many organizations rely on commercial off-the-shelf (COTS) software for their
operations. However, this software may have vulnerabilities that are known to
both the software vendors and potential attackers. If organizations fail to
promptly apply patches and updates, attackers can exploit these known
vulnerabilities to compromise systems. The challenge lies in the timely
deployment of patches and the difficulty of maintaining a secure and up-to-date
software environment.

5. Increasing Sophistication of Those Who Would Do Harm:

Cybercriminals and threat actors continually evolve their tactics, techniques, and procedures.
Their increasing sophistication, often fueled by financial motives or geopolitical interests,
allows them to develop advanced and targeted attacks. This includes the creation of
sophisticated malware, use of zero-day exploits, and social engineering techniques that can
trick even well-informed individuals. The arms race between cybersecurity defenses and
malicious actors contributes to the widespread nature of computer incidents.

Introduction to Exploits

An exploit is a piece of code, software, or method used by attackers to take advantage of
vulnerabilities or weaknesses in applications, systems, or networks, allowing them to gain
unauthorized access or perform malicious actions. Exploits can target vulnerabilities,
including software bugs, design flaws, configuration weaknesses, or human errors. By
exploiting these vulnerabilities, attackers can execute malicious code, gain unauthorized
access to sensitive information, manipulate or disrupt system operations, or escalate their
privileges within a compromised system.

Categories of Exploits

Exploits can be classified into several broad categories based on the nature of the
vulnerabilities they target and the methods they use. Here are some common categories:

• Network exploits: These exploits target vulnerabilities in network protocols, services,
or devices.

• Web application exploits: These exploits target vulnerabilities in web applications,
such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Remote File
Inclusion (RFI) attacks.

• Operating system exploits: These exploits take advantage of vulnerabilities in
operating systems to gain unauthorized access, escalate privileges, or execute
arbitrary code.

• Application exploits: These exploits target vulnerabilities in specific software
applications, such as office suites, media players, web browsers, or content
management systems.

• Social engineering exploits: These exploits manipulate human psychology to obtain
unauthorized access to systems or private information.

• Physical exploits: These exploits involve physical access to systems or devices such as
hardware keyloggers, USB-based attacks, tampering with hardware or firmware, etc.

• Wireless exploits: These exploits target vulnerabilities in wireless networks, such as
Wi-Fi or Bluetooth.

• Cryptographic exploits: These exploits focus on weaknesses or vulnerabilities in
cryptographic algorithms, protocols, or implementations.

Different Types of Exploits

Exploits are commonly classified into two types: known and unknown exploits.

Known exploits: Known exploits refer to vulnerabilities or attack methods that have already
been discovered, documented, and made public, either by security researchers, software
vendors, or malicious actors. They are typically associated with specific software, operating
systems, or network configurations. Once a vulnerability becomes known, security
researchers, hackers, and software vendors work to address and patch the vulnerability to
prevent further exploitation. Here are some examples of known exploits:

• EternalBlue: EternalBlue is a powerful exploit that targeted a vulnerability in the
Windows operating system, enabling remote code execution.

• Heartbleed: Heartbleed is a notorious exploit that targeted systems utilizing the
OpenSSL cryptographic software library, allowing attackers to extract sensitive
information from affected systems.

• Shellshock: Shellshock is an exploit that allows the execution of arbitrary commands
on systems utilizing the Bash shell.

Unknown Exploits: Unknown exploits, also known as zero-day exploits, refer to
vulnerabilities or attack methods that are not yet known or disclosed to the public. They
exploit undocumented or unpatched security weaknesses, giving attackers an advantage since
no defenses or countermeasures exist. Zero-day exploits are typically more dangerous
because defenders have no prior knowledge of the vulnerability, leaving systems exposed
until a patch or mitigation is developed.

Both known and unknown exploits pose significant risks to IT systems and networks, such as
unauthorized access, data loss or theft, service disruption, malware distribution, privacy
breaches, financial fraud, etc. Organizations and individuals should maintain strong security
practices, including regular updates, employing intrusion detection systems, network
monitoring, and practicing safe browsing habits to minimize the impact of known and
unknown exploits.

The CIA security triad

The CIA security triad, also known as the CIA triad, is a fundamental framework in
information security that represents three core principles essential for safeguarding
data and systems. The three components of the CIA triad are:

1. Confidentiality:
• Confidentiality ensures that information is protected from unauthorized access
and disclosure. It involves controlling access to sensitive data, ensuring that only
authorized individuals or systems can view or access it. Encryption, access
controls, and secure communication channels are common measures used to
maintain confidentiality.

2. Integrity:

• Integrity focuses on maintaining the accuracy and trustworthiness of data
throughout its lifecycle. It ensures that information remains unaltered and
reliable. Measures to ensure data integrity include using checksums, digital
signatures, and access controls to prevent unauthorized modifications. Regular
data validation and auditing are also critical for detecting and addressing
integrity issues.

3. Availability:

• Availability ensures that information and systems are accessible and usable by
authorized users when needed. This involves preventing disruptions or outages
due to various factors, such as hardware failures, software glitches, or malicious
attacks. Redundancy, disaster recovery planning, and robust infrastructure
design are strategies to enhance availability.

Best practices for implementing the CIA triad

In implementing the CIA triad, an organization should follow a general set of best
practices. These can be divided into the three subjects and include the following:

1. Confidentiality
o Follow an organization's data-handling security policies.
o Use encryption and 2FA.
o Keep access control lists and other file permissions up to date.

2. Integrity
o Ensure employees are knowledgeable about compliance and regulatory
requirements to minimize human error.
o Use backup and recovery software and services.
o Use version control, access control, security control, data logs and checksums.

3. Availability
o Use preventive measures, such as redundancy, failover and RAID.
o Ensure systems and applications stay updated.
o Use network or server monitoring systems.
o Have a data recovery and business continuity plan in place in case of data loss.

Implementing CIA security triad at organizational level

Implementing the CIA security triad at an organizational level involves developing and
enforcing comprehensive security policies, procedures, and technical controls.
Here are key steps and considerations for implementing the CIA triad:

1. Risk Assessment:

• Conduct a thorough risk assessment to identify and prioritize potential threats
and vulnerabilities. This assessment forms the basis for developing a risk
management strategy aligned with the CIA triad principles.

2. Security Policies and Procedures:

• Develop clear and comprehensive security policies and procedures that align
with the principles of confidentiality, integrity, and availability. These
documents should cover aspects such as data handling, access controls,
encryption, incident response, and acceptable use.

3. Access Controls:

• Implement robust access controls to ensure that only authorized individuals
have access to sensitive information. This includes user authentication,
authorization mechanisms, role-based access control (RBAC), and the principle
of least privilege.

4. Encryption:

Implement encryption mechanisms to protect data both in transit and at rest. This
is crucial for maintaining the confidentiality and integrity of sensitive
information. Encryption protocols such as SSL/TLS for communication and disk
encryption for stored data are common practices.

5. Data Backups and Recovery:

Establish regular and reliable backup procedures to ensure the availability of data
in the event of system failures, disasters, or ransomware attacks. Develop and
test disaster recovery plans to minimize downtime and data loss.

6. Security Awareness Training:

Conduct regular security awareness training for employees to educate them on
security best practices, social engineering risks, and the importance of
safeguarding sensitive information. Awareness programs contribute to
maintaining confidentiality and preventing insider threats.

7. Incident Response and Monitoring:

Implement incident response procedures to detect, respond to, and recover from
security incidents. Establish monitoring systems for real-time detection of
anomalies or suspicious activities that could impact the confidentiality, integrity,
or availability of data.

8. Physical Security Measures:

Implement physical security controls to protect against unauthorized access or
damage to hardware infrastructure. This includes measures such as controlled
access to data centers, surveillance, and environmental controls.

9. Patch Management:

Develop and maintain a robust patch management program to promptly address
and apply security updates to software and systems. Timely patching is essential
for closing vulnerabilities and preserving system integrity.

10. Regular Audits and Assessments:

Conduct regular security audits and assessments to evaluate the effectiveness of
implemented security controls and ensure ongoing compliance with security
policies. This includes vulnerability assessments, penetration testing, and
security reviews.

11. Continuous Improvement:

Establish a culture of continuous improvement by regularly reviewing and
updating security measures based on evolving threats, technology changes, and
lessons learned from security incidents.

Implementing CIA security triad at network level

Implementing the CIA security triad at the network level involves applying specific technical
measures to safeguard the confidentiality, integrity, and availability of data and systems
within the organization's network. Here are key considerations and measures for
implementing the CIA triad at the network level:

1. Firewalls:
• Deploy firewalls at network entry points to control and monitor incoming and
outgoing traffic. Configure firewall rules to enforce security policies and restrict
unauthorized access.

2. Intrusion Detection and Prevention Systems (IDPS):

• Implement IDPS to detect and prevent unauthorized activities or potential
security breaches. These systems can analyze network traffic patterns and alert
or block suspicious behavior.

3. Virtual Private Network (VPN):

• Use VPN technology to secure communication over untrusted networks. VPNs
provide encrypted tunnels, ensuring the confidentiality of data transmitted
between remote locations.

4. Network Segmentation:

• Divide the network into segments or zones based on different levels of trust and
sensitivity. This helps contain and isolate potential security incidents, preventing
lateral movement of threats.

5. Access Controls:

• Enforce access controls at the network level to restrict unauthorized users from
accessing sensitive resources. Utilize technologies such as VLANs (Virtual Local
Area Networks) and implement role-based access control (RBAC) policies.

6. In-Transit Encryption:

• Use encryption protocols such as SSL/TLS for securing communication between
devices and servers. This ensures the confidentiality and integrity of data while
it is in transit across the network.

7. Network Monitoring and Logging:

• Implement robust network monitoring and logging systems to track activities,
detect anomalies, and facilitate incident response. Regularly review logs to
identify and investigate security incidents.

8. Network-Based Antivirus and Anti-Malware Solutions:

• Employ network-based antivirus and anti-malware solutions to scan and block
malicious content before it reaches endpoints. This helps prevent the spread of
malware within the network.

9. Wireless Network Security:

• Secure wireless networks by implementing strong encryption (e.g., WPA3), using
strong authentication methods, and regularly auditing wireless configurations
to prevent unauthorized access.

10. Load Balancing and Redundancy:

• Ensure high availability by implementing load balancing and redundancy
mechanisms. Distributing traffic across multiple servers and maintaining backup
systems helps ensure continuous availability in case of failures.

11. Network Device Hardening:

• Apply security best practices to harden network devices, such as routers,
switches, and firewalls. This includes disabling unnecessary services, changing
default credentials, and keeping firmware/software up-to-date.

12. Denial-of-Service (DoS) Protection:

• Deploy DoS protection mechanisms to mitigate the impact of DoS attacks. This
can include rate limiting, traffic filtering, and the use of specialized appliances or
services.

Types of intrusion detection systems

Intrusion Detection Systems (IDS) are security tools designed to detect and respond to
unauthorized or malicious activities within a computer network. There are two main types
of intrusion detection systems: Network-based Intrusion Detection Systems (NIDS) and
Host-based Intrusion Detection Systems (HIDS). Additionally, some systems incorporate
elements of both and are known as Hybrid Intrusion Detection Systems (HIDS/NIDS). Here's
an overview of each:

1. Network-Based Intrusion Detection Systems (NIDS):

• Function: NIDS monitor network traffic in real-time to identify suspicious
patterns or anomalies that may indicate a security threat.

• Deployment: Typically placed at strategic points within the network, such as at
network gateways or in-line with network segments.

• Advantages:

• Provides visibility into overall network activities.

• Can detect attacks that may be missed by host-based systems.

• Challenges:

• May not capture activities on encrypted channels without proper decryption
capabilities.

2. Host-Based Intrusion Detection Systems (HIDS):

• Function: HIDS focus on monitoring activities on individual hosts or endpoints,
such as servers, workstations, or other devices.

• Deployment: Installed directly on the host systems they protect, allowing them
to monitor local events and detect deviations from normal behavior.

• Advantages:

• Offers detailed insight into activities on specific hosts.

• Can detect local threats that may not be visible at the network level.

• Challenges:

• Limited to the scope of the host it monitors.

• May require more resources on individual hosts.

3. Hybrid Intrusion Detection Systems (HIDS/NIDS):

• Function: Combines features of both NIDS and HIDS to provide a more
comprehensive approach to intrusion detection.

• Deployment: Integrates network monitoring capabilities with host-based
monitoring on individual systems.

• Advantages:

• Offers a broader perspective by combining network-wide and host-specific
insights.

• Can provide a more holistic view of the security posture.

• Challenges:

• Can be resource-intensive, especially in large environments.

4. Signature-Based Intrusion Detection Systems:

• Function: Relies on a database of known attack signatures or patterns to
identify and alert on malicious activities.

• Pros:

• Effective at detecting known threats.

• Low false-positive rates.

• Cons:

• May miss novel or previously unseen attacks (zero-day exploits).

5. Anomaly-Based Intrusion Detection Systems:

• Function: Establishes a baseline of normal network or host behavior and
triggers alerts when deviations or anomalies are detected.

• Pros:

• Capable of detecting new and previously unseen threats.

• Can adapt to changes in the network environment.

• Cons:

• Higher potential for false positives.

• Requires continuous updating of baseline profiles.

6. Behavior-Based Intrusion Detection Systems:

• Function: Focuses on detecting deviations from normal behavior
patterns, both at the network and host levels.

• Pros:

• Can detect subtle, sophisticated attacks.

• More adaptive to evolving threats.

• Cons:

• May generate false positives.

• Requires accurate profiling of normal behavior.
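The anomaly- and behavior-based approach from items 5 and 6, as an added example (not part of the original notes): a per-user baseline of normal login hours and source countries is learned from earlier successful logins, and later events that deviate from it raise an alert. The log format, user names, IP addresses (documentation ranges) and country codes are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication log format used only for this illustration
# (source IPs are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2}) result=(?P<result>\w+)$"
)

BASELINE_LOG = [  # earlier period used to learn what is "normal" for each user
    "2024-03-04T09:12:33Z user=alice src=203.0.113.5 country=NP result=success",
    "2024-03-05T10:02:10Z user=alice src=203.0.113.5 country=NP result=success",
    "2024-03-06T14:45:01Z user=alice src=203.0.113.9 country=NP result=success",
    "2024-03-07T17:20:45Z user=alice src=203.0.113.5 country=NP result=success",
    "2024-03-04T08:30:00Z user=bob src=203.0.113.20 country=NP result=success",
    "2024-03-05T09:05:12Z user=bob src=203.0.113.20 country=NP result=success",
    "2024-03-05T23:59:59Z user=bob src=198.51.100.7 country=DE result=failure",  # failures never shape the baseline
]

NEW_LOG = [  # events evaluated against the learned baseline
    "2024-03-11T10:05:00Z user=alice src=203.0.113.5 country=NP result=success",    # normal
    "2024-03-12T03:14:07Z user=alice src=198.51.100.42 country=DE result=success",  # odd hour and country
    "2024-03-11T09:30:00Z user=bob src=203.0.113.20 country=NP result=success",     # normal
    "2024-03-11T11:00:00Z user=carol src=203.0.113.30 country=NP result=success",   # user never seen before
    "this line is not in the expected format",                                      # skipped by the parser
]


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "country": m["country"], "result": m["result"]}


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours of day on a 24-hour clock (23 and 0 are one hour apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class LoginBaseline:
    """Per-user profile of normal behaviour: hours of day and source countries of successful logins."""

    def __init__(self):
        self.hours = defaultdict(set)
        self.countries = defaultdict(set)

    def learn(self, event):
        if event["result"] != "success":
            return  # failed attempts must not teach the profile what "normal" looks like
        self.hours[event["user"]].add(event["ts"].hour)
        self.countries[event["user"]].add(event["country"])

    def score(self, event, hour_tolerance: int = 1):
        """Return the reasons an event deviates from the baseline; an empty list means normal."""
        user = event["user"]
        if user not in self.hours:
            return ["no baseline exists for this user"]
        reasons = []
        if event["country"] not in self.countries[user]:
            reasons.append(f"login from unexpected country {event['country']}")
        hour = event["ts"].hour
        if all(hour_distance(hour, h) > hour_tolerance for h in self.hours[user]):
            reasons.append(f"login at hour {hour:02d} UTC outside usual hours")
        return reasons


def detect(baseline_lines, new_lines):
    """Learn from baseline_lines, then return (user, timestamp, reasons) for each anomalous new event."""
    baseline = LoginBaseline()
    for line in baseline_lines:
        event = parse(line)
        if event:
            baseline.learn(event)
    alerts = []
    for line in new_lines:
        event = parse(line)
        if event is None:
            continue  # unparsable lines are skipped here; a production monitor would count them
        reasons = baseline.score(event)
        if reasons:
            alerts.append((event["user"], event["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"ALERT {when} {user}: {'; '.join(reasons)}")
```

Widening hour_tolerance or learning from a longer baseline period lowers the false-positive rate listed under Cons at the cost of missing subtler deviations, which is the trade-off the notes describe.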

Authentication Methods

1. Single factor authentication
2. 2FA
3. Token based authentication
4. Single sign-on

Implementing CIA security triad at Application level

1. Authentication Methods:

Authentication is a crucial component of the CIA security triad, particularly in ensuring the
confidentiality and integrity of information at the application level. Authentication methods
involve the verification of the identity of users and entities accessing the application.
Common authentication methods include username/password combinations, multifactor
authentication (MFA), biometric authentication (such as fingerprint or facial recognition),
and token-based authentication. These methods help prevent unauthorized access to
sensitive data and functionality within the application. By implementing robust
authentication measures, organizations can enhance the confidentiality of user credentials
and ensure that only authorized individuals have access to specific resources or actions.
Additionally, secure authentication mechanisms contribute to maintaining the integrity of
user accounts and the overall application environment.

2. User Roles and Accounts:

Assigning specific roles and privileges to users is a key aspect of implementing the CIA
security triad at the application level. User roles and accounts play a critical role in
maintaining both confidentiality and integrity within the application. By defining different
roles based on job responsibilities or organizational hierarchy, access controls can be
enforced to limit users' permissions to only what is necessary for their roles. This ensures
that users have the appropriate level of access to perform their tasks without unnecessary
exposure to sensitive information. Additionally, user account management practices, such as
regular reviews, account provisioning, and de-provisioning, contribute to maintaining the
integrity of user account information. Properly configured user roles and accounts contribute
to a secure and well-controlled environment, reducing the risk of unauthorized access and
potential data breaches.

3. Data Encryption:

Data encryption is a fundamental measure for safeguarding the confidentiality and integrity
of sensitive information within an application. Encryption involves converting plaintext data
into ciphertext using cryptographic algorithms, making it unreadable without the
appropriate decryption key. At the application level, encryption is applied to various aspects,
including data in transit and data at rest. For data in transit, implementing secure
communication protocols such as TLS/SSL ensures that information exchanged between the
application and users remains confidential during transmission. Data at rest, stored within
databases or file systems, can be protected using encryption to prevent unauthorized access
or tampering. Strong encryption practices contribute significantly to preserving the
confidentiality of sensitive data, preventing unauthorized interception or access.
Furthermore, the use of encryption helps maintain the integrity of data by ensuring that it
remains unchanged and secure from tampering or unauthorized modifications.

Authentication Factors

Authentication factors are the elements or pieces of information used to verify the identity
of an individual or entity attempting to access a system, application, or resource. Multi-factor
authentication (MFA) typically involves the use of two or more of these factors to enhance
the security of the authentication process. The five main categories of authentication factors
are:

1. Knowledge Factors:

• Something the user knows.

• Examples:

• Passwords: Traditional and widely used, passwords are secret phrases or
combinations known only to the user.

• PINs (Personal Identification Numbers): Numeric codes entered by the user
to authenticate their identity.

2. Possession Factors:

• Something the user has.

• Examples:

• Smart Cards: Physical cards embedded with integrated circuits, often
requiring a card reader for authentication.

• Security Tokens: Physical devices that generate one-time passcodes or
use cryptographic functions for authentication.

• Mobile Devices: Authentication through possession of a specific mobile
device or smartphone.

3. Inherence (Biometric) Factors:

• Something inherent to the user's physical or behavioral characteristics.

• Examples:

• Fingerprints: Biometric authentication based on unique patterns on a
person's fingers.

• Retina or Iris Scans: Analyzing unique patterns in the eye for
authentication.

• Facial Recognition: Using facial features to verify identity.

• Voice Recognition: Analyzing vocal characteristics for authentication.

4. Location Factor:

• Definition: The location factor involves verifying the geographical
location from which an authentication attempt is made.

• Implementation:

• IP Geolocation: Analyzing the IP address of the device to determine its
approximate physical location.

• GPS Coordinates: Leveraging the GPS capabilities of mobile devices to
verify the user's physical location.

• Wi-Fi Network Analysis: Identifying the Wi-Fi networks the device is
connected to and cross-referencing them with known locations.

• Use Case:

• If a user typically accesses an application from a specific geographic region
and suddenly attempts to log in from a different, unexpected location, the
system may flag this as a suspicious activity.

5. Time Factor:

• Definition: The time factor involves considering the specific time at which
an authentication attempt occurs.

• Implementation:

• Time-Based One-Time Passwords (TOTP): Generating one-time
passcodes that are valid only for a short period, often synchronized with
a clock or a counter.

• Access Time Policies: Defining acceptable time windows during which a
user is allowed to authenticate.

• Behavioral Analysis: Monitoring patterns of user behavior, such as login
times, to detect anomalies.

• Use Case:

• If a user typically logs in during regular business hours and suddenly
attempts to authenticate during the middle of the night, it may trigger
additional scrutiny or require additional verification.

Implementing CIA security triad at End-User level

Implementing the CIA security triad at the end-user level involves several key considerations:

1. Security Awareness Training:

• Users must be educated on the significance of safeguarding sensitive
information and recognizing phishing attempts to uphold confidentiality. This
includes understanding the potential risks associated with oversharing on social
media platforms.

2. Password Policies and Best Practices:

• Reinforcing strong password policies, such as using complex passwords and
avoiding password sharing, contributes to confidentiality and integrity.
Encouraging the use of password managers helps maintain the integrity of login
credentials.

3. Device Security:

• Users should be instructed to secure devices with passcodes or biometric
authentication to prevent unauthorized access and protect confidentiality.
Keeping software and applications updated enhances data integrity, and the use
of antivirus tools safeguards against unauthorized modifications.

4. Safe Internet Practices:

• Promoting safe internet practices involves instructing users to verify the
authenticity of websites and exercise caution in sharing personal information
online. Awareness about the risks of downloading files or clicking on untrusted
links helps maintain confidentiality and integrity.

5. Incident Reporting Procedures:

• Clear incident reporting procedures need to be established for users to promptly
report potential data breaches, supporting the confidentiality aspect.
Encouraging a reporting culture helps address incidents effectively.

6. Regular Security Updates and Training:

Users should be kept informed about the latest security threats through regular
updates and training sessions. Ongoing education ensures users understand
how to recognize and mitigate threats, reinforcing the principles of
confidentiality, integrity, and availability.

Response to Cyberattack

An organization should be prepared for the worst—a successful attack that defeats all or
some of a system's defenses and damages data and information systems.

A response plan should be developed well in advance of any incident and be approved by
both the organization's legal department and senior management.

A well-developed response plan helps keep an incident under technical and emotional
control. In a security incident, the primary goal must be to regain control and limit damage,
not to attempt to monitor or catch an intruder. Sometimes system administrators take the
discovery of an intruder as a personal challenge and lose valuable time that should be used
to restore data and information systems to normal.

Some of the activities performed in case of cyberattack are:

1. Incident notification
2. Protection of evidence and activity logs
3. Incident containment
4. Eradication
5. Incident follow-up
6. Using an MSSP (managed security service provider)
7. Computer Forensics

1. Incident Notification:

• Rapid communication is essential to coordinate an effective response. All
relevant parties, including IT teams, executives, legal departments, and
potentially law enforcement, need to be notified promptly. A designated
incident response team should be activated to lead the response efforts.

2. Protection of Evidence and Activity Logs:

• Preserving digital evidence is critical for understanding the scope and nature of
the cyberattack. This involves creating backups of affected systems, capturing
network traffic, and maintaining detailed activity logs. Properly handled
evidence is crucial for both internal investigations and potential legal
proceedings.

3. Incident Containment:

• Containment aims to limit the impact of the cyberattack by preventing its
spread. This may involve isolating compromised systems, blocking malicious
network traffic, or temporarily disabling compromised user accounts. The goal
is to minimize further damage and create a controlled environment for
investigation and recovery.

4. Eradication:

• Once the incident is contained, the focus shifts to identifying and eliminating the
root cause. This involves conducting a thorough analysis of affected systems,
identifying vulnerabilities, removing malware, and applying patches to prevent
similar incidents in the future. Eradication is crucial for closing security gaps and
strengthening overall cybersecurity defenses.

5. Incident Follow-Up:

• Post-incident analysis is essential for learning from the attack and improving
cybersecurity practices. The incident response team reviews the attack's tactics,
techniques, and procedures (TTPs), identifies areas for improvement, and
updates security policies and procedures accordingly. Lessons learned during
the follow-up process contribute to a more resilient security posture.

6. Using an MSSP (Managed Security Service Provider):

• Leveraging the expertise of an MSSP provides organizations with additional
resources and capabilities for threat detection, response, and mitigation. MSSPs
often offer real-time monitoring, threat intelligence, and specialized skills to
enhance an organization's ability to defend against cyber threats effectively.

7. Computer Forensics:

• Computer forensics involves a systematic examination of digital evidence to
reconstruct the sequence of events during a cyberattack. Forensic analysts investigate
compromised systems, analyze malware, and trace the actions of attackers. The
findings are crucial for understanding the nature of the breach, attributing the attack,
and supporting any legal actions that may follow.
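
As an added example (not part of the original notes), the following Python script shows the integrity check that underlies step 2 (protection of evidence and activity logs) and step 7 (computer forensics): each preserved item is hashed at acquisition and recorded in a manifest, and re-verifying the manifest later detects any post-acquisition modification. The file names, log lines and collector name are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, collector):
    """Record digest, size, acquisition time and collector for each preserved item."""
    items = []
    for p in paths:
        items.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    return {"manifest_version": 1, "items": items}

def verify_manifest(manifest):
    """Return paths whose current digest no longer matches the recorded one (or are missing)."""
    return [
        item["path"]
        for item in manifest["items"]
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]
    ]

def demo():
    """Constructed scenario: two preserved logs, one of them altered after acquisition."""
    d = tempfile.mkdtemp()
    auth_log, web_log = os.path.join(d, "auth.log"), os.path.join(d, "access.log")
    with open(auth_log, "w") as f:   # constructed sample line, not a real log
        f.write("Jan 10 03:12:01 host sshd[412]: Failed password for root from 203.0.113.7\n")
    with open(web_log, "w") as f:    # constructed sample line, not a real log
        f.write('203.0.113.7 - - [10/Jan/2024:03:12:05 +0000] "GET /admin HTTP/1.1" 401 0\n')
    manifest = build_manifest([auth_log, web_log], collector="analyst-1 (hypothetical)")
    clean = verify_manifest(manifest)          # nothing changed yet -> []
    with open(auth_log, "a") as f:             # simulate tampering after acquisition
        f.write("line appended after acquisition\n")
    return clean, verify_manifest(manifest)    # second list names only auth.log
```

In practice the manifest is stored separately from the evidence (and itself signed or hashed) so that an attacker who can alter the evidence cannot also rewrite the recorded digests.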

Cyber Law

Cyber law, also known as internet law or digital law, refers to the legal framework that
governs activities in the digital realm, encompassing the internet, electronic communication,
and cyberspace. It is a branch of law that addresses legal issues and challenges arising from
the use of technology, particularly in the context of computer systems, networks, and the
online environment.

Importance

• Protection Against Cybercrimes:

Cyber laws act as a deterrent by offering legal recourse and prescribing penalties for various
cybercrimes. This proactive approach helps curb illegal online activities and provides a safer
digital environment for individuals and businesses alike.

• Data Privacy:

Safeguarding individuals' digital information is a paramount concern addressed by cyber
laws. These regulations ensure that organizations handle personal data responsibly,
establishing a foundation of trust in digital transactions and interactions.

• E-commerce Regulation:

The legal framework provided by cyber laws is crucial for the regulation of e-commerce. It
defines rules for online transactions, contracts, and consumer protection, thereby fostering
a fair and secure online marketplace.

• Intellectual Property Protection:

Cyber laws play a pivotal role in protecting intellectual property rights in the vast digital
domain. These laws prevent the unauthorized use and distribution of digital content,
encouraging innovation and creativity by safeguarding the fruits of intellectual labor.

Types of Cyber Law

• Privacy Laws:

Privacy laws focus on protecting individuals' personal information from unauthorized access
and use. They establish guidelines for the responsible handling of personal data by
organizations, ensuring individuals' privacy rights are upheld.

• Cybercrime Laws:

Cybercrime laws define and penalize various cybercrimes, ensuring legal consequences for
offenders. These laws play a crucial role in deterring individuals from engaging in illegal
online activities and provide a legal framework for prosecuting cybercriminals.

• Intellectual Property Laws:

Intellectual property laws in the digital domain protect patents, copyrights, and trademarks
from unauthorized use. They provide a legal foundation for creators and innovators to
protect their digital assets.

• E-commerce Laws:

E-commerce laws regulate online business transactions, defining rules for contracts,
transactions, and consumer protection. These laws contribute to the establishment of a
secure and fair online marketplace.

• Cyber Defamation Laws:

Cyber defamation laws address libel and slander in the digital space. They provide legal
remedies for individuals or entities whose reputations may be tarnished by false or damaging
information circulated online.

• Cybersecurity Laws:

Cybersecurity laws establish standards for securing digital systems and data. These laws
mandate organizations to implement measures to protect against cyber threats, contributing
to the overall resilience of digital infrastructure.

• Social Media Laws:

Social media laws address legal issues related to social media platforms, including user rights
and content regulations. These laws aim to strike a balance between freedom of expression
and the prevention of online abuse or misinformation.

• Cyber Contracts and E-signature Laws:

Governing the validity and enforceability of contracts formed online, cyber contracts and e-
signature laws provide legal certainty for electronic transactions. They facilitate the growth
of online commerce by ensuring the legal recognition of digital agreements.

• International Cyber Laws:

With the increasing prevalence of cross-border cybercrimes, international cyber laws address
the need for cooperation between nations. These laws facilitate collaboration in
investigating and prosecuting cybercriminals operating across borders.

• Data Breach Notification Laws:

Data breach notification laws mandate organizations to inform individuals and authorities
in the event of a data breach, enhancing transparency and accountability. They ensure
prompt action in response to security incidents, minimizing the potential impact on
individuals and businesses.

Categories of Cybercrime

Individual- Cybercrimes against individuals involve crimes like online harassment,
distribution and trafficking of child pornography, manipulation of personal information, use
of offensive data, and identity theft for personal benefit.

Property- Usage and transmission of harmful programs, theft of information and data from
financial institutions, intruding into cyberspace, computer vandalism, and unauthorized
digital possession of information are some of the crimes under the property category.

Government- The crimes that come under this category are cyber terrorism, manipulation,
threats, and misuse of power against the Government and citizens. This form of cyber
terrorism occurs when groups or individuals terrorize Government websites.

The Electronic Transactions Act, 2063 (2008):

This is Nepal's first cyber law. Cybercrimes were dealt with under the country's criminal code
before this law came into force. Since the cases of cybercrime increased, it became
necessary to enact a separate law. Chapter 9 of the Act deals with offences relating to
computers, the main highlights of which are as follows:

* Pirating or destroying any computer system intentionally without authority carries
imprisonment for three years, or a fine of two hundred thousand rupees, or both.

* Accessing any computer system without authority results in imprisonment for three
years, or a fine of two hundred thousand rupees, or both.

* Intentional damage to or deleting data from a computer system carries imprisonment
for three years, or a fine of two hundred thousand rupees, or both.

* Publication of illegal material in electronic form carries imprisonment for 5 years, or a
fine of one hundred thousand rupees, or both.

* Commission of a computer fraud carries imprisonment for two years, or a fine of one
hundred thousand rupees, or both.

Ten Commandments of Cyber Ethics

1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people's computer work
3. Thou shalt not access other people's computer files
4. Thou shalt not use a computer to steal
5. Thou shalt not use a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid (without
permission)
7. Thou shalt not use other people's computer resources without authorisation or proper
compensation
8. Thou shalt not appropriate other people's intellectual output
9. Thou shalt think about the social consequences of the programme you are writing or
the system you are designing
10. Thou shalt always use computers in ways that ensure consideration and respect for
other humans

