
CYBER SECURITY ESSENTIALS

UNIT-I

Introduction to Cyber Security


Basic cyber security concepts:

Cyber security refers to the security offered through online services to protect online
information.
With an increasing number of people getting connected to the Internet, security threats are also
increasing massively.

Cyber Security:
It is the body of technologies, processes and practices designed to protect networks, devices,
programs and data from attack, theft, damage, modification or unauthorized access. It is also called
Information Technology Security.
OR
Cyber security is the set of principles and practices designed to protect computing resources
and online information against threats.
Understanding Cyber Security:

Security Problems & Maintaining Security in Cyber field:

Viruses & Worms:


A virus is a program that is loaded into the computer without the user's knowledge and runs against
the user's wishes.

Maintenance:
Install a security suite that protects the computer against threats such as viruses and worms (e.g.,
antivirus software).

Hackers:
A hacker is a person who uses computers to gain unauthorized access to data.

Types of Hackers:
- Black Hat Hackers (Unethical Hacker or Security Cracker):
These people hack systems illegally to steal money or to achieve their own illegal goals.
They find banks or organizations with weak security and steal money or credit card
information; they can also modify or destroy confidential data.
- White Hat Hackers (Ethical Hacker or Penetration Tester):
These people use the same techniques as black hat hackers, but they only hack
systems that they have permission to hack, in order to test the security of the system.
They focus on securing and protecting IT systems. White hat hacking is legal.
- Grey Hat Hackers:
Grey hat hackers are a hybrid of black hat and white hat hackers.
They may hack a system even if they don't have permission to test its security,
but they will never steal money or damage the system.
Maintenance:
It may be impossible to prevent computer hacking entirely; however, effective security
controls, including strong passwords and the use of firewalls, reduce the risk.

Malware: (MALicious softWARE)


Malware is any software that infects and damages a computer system without the owner’s
knowledge or permission.

Maintenance:
Install an anti-malware program, which also helps prevent infection. Activate network protection
(firewall, antivirus).

Trojan Horse:
Trojan horses are email viruses that can duplicate themselves, steal information or harm the computer
system. These viruses are the most serious threats to computers.

Maintenance:
Security suites such as Avast Internet Security will prevent the downloading of Trojan horses.

Password Cracking:
Password attacks are attacks in which hackers determine or find the passwords to
different protected electronic areas and social network sites.

Maintenance:
Always use strong passwords. Never use the same password for two different sites.

LAYERS OF SECURITY

The 7 layers of cyber security should center on the mission-critical assets.

1. Mission Critical Assets: This is the data which needs to be protected.
2. Data Security: It protects the storage and transfer of data.
3. Application Security: It protects access to an application which handles the
mission critical assets, and the internal security of the application.
4. Endpoint Security: It protects the connection between devices and the network.
5. Network Security: It protects an organization's network to prevent unauthorized access
to the network.
6. Perimeter Security: It includes both the physical and digital security methodologies
that protect the overall business.
7. The Human Layer: Humans are the weakest link in any cyber security posture. Human
security controls include phishing simulations and access management controls that protect
mission critical assets from a wide variety of human threats, including cyber criminals,
malicious insiders and negligent users.

Vulnerability, Threats and Harmful Acts:

Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt
threat actors to exploit them.

Types of vulnerabilities in network security:
- SQL injections,
- Server misconfigurations,
- Cross-site scripting, and
- Transmitting sensitive data in non-encrypted plain-text format.

Cyber threats are security incidents or circumstances with the potential to have a negative
outcome for your network or other data management systems.
Examples:
Phishing attacks that result in the installation of malware that infects your data, failure of a
staff member to follow data protection protocols that causes a data breach, or even a tornado that
takes down your company's data headquarters, disrupting access.
A vulnerability is not a risk without a threat exploiting it.
A threat is not a risk without a vulnerability to be exploited.

Internet Governance – Challenges and Constraints:


Internet Governance is defined as the development and application by governments, the private
sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making
procedures and programs that shape the evolution and use of the Internet.
This definition, developed by the Working Group on Internet Governance (WGIG), dates back to
2005 and has remained unchanged ever since; Internet governance is now a complex system involving a
multitude of issues, actors, mechanisms, procedures and instruments.

Internet Governance Actors:


According to the definition, there is no single organization in charge of the Internet; various
stakeholders (governments, intergovernmental organizations, the private sector, the technical
community and civil society) share roles and responsibilities in shaping the evolution and use of this
network.
There are multiple actors involved in one way or another in the governance of the Internet:
1. Internet Corporation for Assigned Names and Numbers (ICANN)
2. Internet Engineering Task Force (IETF)
3. International Telecommunication Union (ITU)
4. World Intellectual Property Organization (WIPO)
5. Internet Governance Forum (IGF)

Computer Criminals:
Computer crimes have quickly become one of the fastest-rising forms of modern crime. According to
cyber experts, approximately 1 million potential cyber attacks are attempted per day.
Types of Cyber Criminals:
Cyber criminals are also known as hackers. Hackers are extremely difficult to identify on both
the individual and the group level, due to their various security measures.

Cyber security experts assert that cyber criminals are using more ruthless methods to achieve their
objectives, and the proficiency of attacks is expected to advance as they continue to develop new
methods of cyber attack.

Identity Thieves:
Identity thieves are cyber criminals who try to gain access to their victims' personal
information. They use that information to make financial transactions while impersonating their
victims. Identity theft is one of the oldest cyber crimes.

Internet Stalkers:
Internet Stalkers are individuals who maliciously monitor the online activity of their
victims to acquire personal information.
This form of cyber crime is conducted through the use of social networking platforms and
malware, which are able to track an individual’s computer activity with very little detection.
Businesses should be aware of Internet Stalkers.
Phishing Scammers:
Phishing scammers are cyber criminals who attempt to get hold of personal or sensitive information
through the victim's computer.
This is often done via phishing websites that are designed to copycat small business,
corporate or government websites.
Once such information is obtained, phishers either use the information themselves for
identity fraud scams or sell it on the dark web.
Cyber Terrorists:
Cyber Terrorism is a well-developed politically inspired cyber attack in which the cyber
criminal attempts to steal data or corrupt corporate or Government computer systems and networks
resulting in harm to countries, business, organizations and even individuals.
The key difference between an act of cyber terrorism and a regular cyber attack is that
within an attack of cyber terrorism, hackers are politically motivated as opposed to just
seeking financial gain.

CIA Triad
The CIA Triad is actually a security model that has been developed to help people think about
various parts of IT security.

CIA triad broken down:

Confidentiality:

Protecting confidentiality depends on being able to define and enforce certain access levels
for information. This process involves separating information into various collections that are
organized by authorized user, who needs to access the information and how sensitive that
information actually is, i.e. the amount of damage suffered if the confidentiality were breached.
Standard measures to establish confidentiality include:
- Data encryption
- Two-factor authentication
- Biometric verification
- Security tokens

Integrity

This is an essential component of the CIA Triad, designed to protect data from deletion or
modification by any unauthorized party, and it ensures that when an authorized person makes a
change that should not have been made, the damage can be reversed.

Standard measures to guarantee integrity include:
- Cryptographic checksums
- Using file permissions
- Uninterrupted power supplies
- Data backups

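As an added example (not from these notes) of the "cryptographic checksums" measure listed above, the following code builds a keyed checksum manifest over a set of files and later verifies it, reporting modified, deleted and newly added files. The file contents, file names and key are constructed for the demo; a real deployment would read files from disk and keep the key with the verifier rather than on the monitored host.

```python
"""Integrity checking with cryptographic checksums (added example, not from the notes)."""
import hashlib
import hmac

# Constructed snapshot of "files" (name -> bytes); a real run would read from disk.
ORIGINAL = {
    "config.ini": b"db_host=10.0.0.5\nallow_admin=false\n",
    "app.bin": bytes(range(256)),
    "notes.txt": b"quarterly figures\n",
}
# Constructed key. In practice it lives with the verifier, not on the monitored host.
MANIFEST_KEY = b"demo-integrity-key"


def checksum(data, key=MANIFEST_KEY):
    """Keyed checksum (HMAC-SHA256). An unkeyed SHA-256 alone would let an
    attacker who rewrites a file also rewrite its stored digest, so the
    manifest itself is authenticated with a key the attacker does not hold."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files, key=MANIFEST_KEY):
    """Record the checksum of every file in the trusted baseline."""
    return {name: checksum(data, key) for name, data in files.items()}


def verify(files, manifest, key=MANIFEST_KEY):
    """Compare the current file set against the manifest and classify each file."""
    report = {"modified": [], "deleted": [], "added": [], "ok": []}
    for name, digest in manifest.items():
        if name not in files:
            report["deleted"].append(name)
        elif not hmac.compare_digest(checksum(files[name], key), digest):
            report["modified"].append(name)   # any changed byte changes the digest
        else:
            report["ok"].append(name)
    report["added"] = list(set(files) - set(manifest))
    for key_name in report:
        report[key_name].sort()
    return report


def demo():
    """Baseline the constructed files, tamper with them, and verify."""
    manifest = build_manifest(ORIGINAL)
    tampered = dict(ORIGINAL)
    tampered["config.ini"] = tampered["config.ini"].replace(b"false", b"true")
    del tampered["notes.txt"]
    tampered["extra.tmp"] = b"unexpected file\n"
    return verify(tampered, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```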
Availability

This is the final component of the CIA Triad and refers to the actual availability of your data.
Authentication mechanisms, access channels and systems all have to work properly for the
information they protect, ensuring it is available when it is needed.
Standard measures to guarantee availability include:
- Backing up data to external drives
- Implementing firewalls
- Having backup power supplies
- Data redundancy

Assets and Threat

An asset is any data, device or other component of an organization's systems that is
valuable, often because it contains sensitive data or can be used to access such information.
For example: an employee's desktop computer, laptop or company phone would be
considered an asset, as would applications on those devices. Likewise, critical infrastructure,
such as servers and support systems, are assets. An organization's most common assets are
information assets. These are things such as databases and physical files, i.e. the sensitive
data that you store.
A threat is any incident that could negatively affect an asset, for example if it is lost,
knocked offline or accessed by an unauthorized party.
- Threats can be categorized as circumstances that compromise the confidentiality, integrity
or availability of an asset, and can be either intentional or accidental.
- Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical
malfunction or an event that causes physical damage, such as a fire or natural disaster.

Motive of Attackers

The categories of cyber-attackers enable us to better understand the attackers' motivations
and the actions they take. As shown in the Figure, operational cyber security risks arise from
three types of actions:
i) inadvertent actions (generally by insiders) that are taken without malicious or
harmful intent;
ii) deliberate actions (by insiders or outsiders) that are taken intentionally and are
meant to do harm; and
iii) inaction (generally by insiders), such as a failure to act in a given situation, either
because of a lack of appropriate skills, knowledge or guidance, or the unavailability of the
correct person to take action.
Of primary concern here are deliberate actions, of which there are three categories of motivation.

1. Political motivations: examples include destroying, disrupting, or taking control of
targets; espionage; and making political statements, protests, or retaliatory actions.
2. Economic motivations: examples include theft of intellectual property or other
economically valuable assets (e.g., funds, credit card information); fraud; industrial
espionage and sabotage; and blackmail.
3. Socio-cultural motivations: examples include attacks with philosophical,
theological, political, and even humanitarian goals. Socio-cultural motivations also
include fun, curiosity, and a desire for publicity or ego gratification.

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to
alter computer code, logic or data and leads to cybercrimes, such as information and identity
theft.
Cyber-attacks can be classified into the following categories:
1) Web-based attacks
2) System-based attacks

Web-based attacks
These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-
1. Injection attacks
An injection attack is one in which some data is injected into a web application to manipulate the
application and fetch the required information.
Examples: SQL injection, code injection, log injection, XML injection, etc.
2. DNS Spoofing
DNS spoofing is a type of computer security hacking whereby data is introduced into a
DNS resolver's cache, causing the name server to return an incorrect IP address and diverting
traffic to the attacker's computer or any other computer. DNS spoofing attacks can go on
for a long period of time without being detected and can cause serious security issues.
3. Session Hijacking
This is a security attack on a user session over a protected network. Web applications create
cookies to store state and user sessions. By stealing the cookies, an attacker can gain
access to all of the user's data.
4. Phishing
Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card numbers. It occurs when an attacker masquerades as a
trustworthy entity in electronic communication.
5. Brute force
This is a type of attack which uses a trial-and-error method. The attack generates a large number
of guesses and validates them to obtain actual data such as a user password or personal
identification number. It may be used by criminals to crack encrypted data, or by
security analysts to test an organization's network security.

6. Denial of Service
This is an attack meant to make a server or network resource unavailable to its users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. It uses a single system and a single Internet connection to attack a server. It can be
classified into the following:
- Volume-based attacks: the goal is to saturate the bandwidth of the attacked site; measured in
bits per second.
- Protocol attacks: these consume actual server resources; measured in packets per second.
- Application layer attacks: the goal is to crash the web server; measured in requests per
second.
7. Dictionary attacks
This type of attack uses a stored list of commonly used passwords and validates them to obtain the
original password.
8. URL Interpretation
This is a type of attack where certain parts of a URL are changed, so that one can make a
web server deliver web pages which the user is not authorized to browse.
9. File Inclusion attacks
This is a type of attack that allows an attacker to access unauthorized or essential files
available on the web server, or to execute malicious files on the web server by making use of
the include functionality.
10. Man in the middle attacks
This is a type of attack that allows an attacker to intercept the connection between client and
server and act as a bridge between them. Because of this, the attacker is able to read, insert
and modify the data in the intercepted connection.

System-based attacks
These are attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows:
1. Virus
A virus is a type of malicious software program that spreads through the computer's files without
the knowledge of the user. It is a self-replicating malicious computer program that replicates by
inserting copies of itself into other computer programs when executed. It can also execute
instructions that cause harm to the system.
2. Worm
A worm is a type of malware whose primary function is to replicate itself to spread to uninfected
computers. It works in the same way as a computer virus. Worms often originate from email
attachments that appear to be from trusted senders.
3. Trojan horse
A Trojan horse is a malicious program that causes unexpected changes to computer settings and unusual
activity, even when the computer should be idle. It misleads the user as to its true intent. It
appears to be a normal application, but when opened/executed some malicious code runs
in the background.
4. Backdoors
A backdoor is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.
5. Bots
A bot (short for "robot") is an automated process that interacts with other network services.
Some bot programs run automatically, while others only execute commands when they
receive specific input. Common examples of bot programs are crawlers, chatroom bots,
and malicious bots.
Active attacks: An active attack is a network exploit in which a hacker attempts to
make changes to data on the target or data en route to the target.
Types of Active attacks:

Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain
access or to gain greater privileges than they are authorized for. A masquerade may be
attempted through the use of stolen login IDs and passwords, through finding security gaps in
programs or through bypassing the authentication mechanism.
Session replay: in this type of attack, a hacker steals an authorized user's login information
by stealing the session ID. The intruder gains access and the ability to do anything the
authorized user can do on the website.
Message modification: in this attack, an intruder alters packet header addresses to direct a
message to a different destination or modifies the data on a target machine.
Denial of service (DoS): in a DoS attack, users are deprived of access to a network or web
resource. This is generally accomplished by overwhelming the target with more traffic than it
can handle.
Distributed denial of service (DDoS): in a DDoS exploit, large numbers of compromised systems
(sometimes called a botnet or zombie army) attack a single target.

Passive Attacks: Passive attacks are relatively scarce from a classification perspective, but
can be carried out with relative ease, particularly if the traffic is not encrypted.

Types of Passive attacks:


Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities.
For the attack to be useful, the traffic must not be encrypted. Any unencrypted information,
such as a password sent in response to an HTTP request, may be retrieved by the attacker.
Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce
information relating to the exchange and the participating entities, e.g. the form of the
exchanged traffic (rate, duration, etc.). Where encrypted data are used, traffic
analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain
information or succeed in decrypting the traffic.
Software Attacks:
Malicious code (sometimes called malware) is a type of software designed to take over or
damage a computer user's operating system without the user's knowledge or approval. It
can be very difficult to remove and very damaging. Common malware examples are listed
in the following table:

Attack: Virus
Characteristics: A virus is a program that attempts to damage a computer system and replicate itself
to other computer systems. A virus:
- Requires a host to replicate and usually attaches itself to a host file or a
hard drive sector.
- Replicates each time the host is used.
- Often focuses on destruction or corruption of data.
- Usually attaches to files with execution capabilities such as .doc, .exe, and
.bat extensions.
- Often distributes via e-mail. Many viruses can e-mail themselves
to everyone in your address book.
- Examples: Stoned, Michelangelo, Melissa, I Love You.

Attack: Worm
Characteristics: A worm is a self-replicating program that can be designed to do any number of
things, such as delete files or send documents via e-mail. A worm can negatively
impact network traffic just in the process of replicating itself. A worm:
- Can install a backdoor in the infected computer.
- Is usually introduced into the system through a vulnerability.
- Infects one system and spreads to other systems on the network.
- Example: Code Red.

Attack: Trojan horse
Characteristics: A Trojan horse is a malicious program that is disguised as legitimate software.
Discretionary environments are often more vulnerable and susceptible to Trojan
horse attacks because security is user focused and user directed. Thus the
compromise of a user account could lead to the compromise of the entire
environment. A Trojan horse:
- Cannot replicate itself.
- Often contains spying functions (such as a packet sniffer) or
backdoor functions that allow a computer to be remotely controlled
from the network.
- Often is hidden in useful software such as screen savers or games.
- Examples: Back Orifice, NetBus, Whack-a-Mole.

Attack: Logic Bomb
Characteristics: A logic bomb is malware that lies dormant until triggered. A logic bomb is a
specific example of an asynchronous attack.
- A trigger activity may be a specific date and time, the launching of
a specific program, or the processing of a specific type of activity.
- Logic bombs do not self-replicate.

Hardware Attacks:
Common hardware attacks include:
- Manufacturing backdoors, for malware or other penetrative purposes; backdoors
aren't limited to software and hardware, but also affect embedded radio-frequency
identification (RFID) chips and memory
- Eavesdropping by gaining access to protected memory without opening
other hardware
- Inducing faults, causing the interruption of normal behavior
- Hardware modification: tampering with invasive operations
- Backdoor creation: the presence of hidden methods for bypassing normal
computer authentication systems
- Counterfeiting product assets that can produce extraordinary operations, and those
made to gain malicious access to systems.
Spectrum of attacks:
Types of spectrum
- Anxiety, stress, and dissociation: several types of spectrum are in use in these areas.
- Obsessions and compulsions: an obsessive–compulsive spectrum; this can include a wide
range of disorders.
- General developmental disorders: an autistic spectrum; in its simplest form this joins
together autism and Asperger's.
- Psychosis: the schizophrenia spectrum or psychotic spectrum; there are numerous psychotic
spectrum disorders.
Taxonomy of various attacks
The purpose of the Cyber Attacks section is to provide a general overview regarding cyber
attacks, and to show some pragmatic ways to classify them and organize them via taxonomies.
Cyber attack: An offensive action by a malicious actor that is intended to undermine the
functions of networked computers and their related resources, including unauthorized access,
unapproved changes, and malicious destruction. Examples of cyber attacks include Distributed
Denial of Service (DDoS) and Man-in-the-Middle (MITM) attacks.
The terms cyber attack, cyber threat, and cyber risk are interrelated as follows. A cyber attack is
an offensive action, whereas a cyber threat is the possibility that a particular attack may occur,
and the cyber risk associated with the subject threat estimates the probability of potential losses
that may result.

For example, a Distributed Denial of Service (DDoS) cyber attack by a botnet is a cyber threat
for many enterprises with online retail websites, where the associated cyber risk is a function
of lost revenues due to website downtime and the probability that a DDoS cyber attack will occur.
Cyber Attack Malware Taxonomy

| Malware type   | Requires host file to infect? | Self-spreading? | Appears legitimate (harmless)? | Can carry harmful payload? | Can communicate with command & control server? | Can attack OS kernel & firmware? |
|----------------|-----|-----|-----|-----|-----|-----|
| Virus          | A   | A   | N/A | A   | N/A | A   |
| Worm           | A   | A   | N/A | A   | N/A | A   |
| Trojan         | A   | A   | A   | A   | N/A | A   |
| Bots/Botnet    | N/A | N/A | N/A | A   | A   | A   |
| Spyware        | A   | A   | N/A | A   | A   | A   |
| Rootkit        | N/A | N/A | N/A | A   | N/A | A   |
| Blended Threat | A   | A   | A   | A   | A   | A   |

IP Spoofing:
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source
address in order to either hide the identity of the sender, to impersonate another computer system,
or both. It is a technique often used by bad actors to invoke DDoS attacks against a target device
or the surrounding infrastructure.
Sending and receiving IP packets is a primary way in which networked computers and other
devices communicate, and constitutes the basis of the modern Internet. All IP packets contain a
header which precedes the body of the packet and contains important routing information,
including the source address. In a normal packet, the source IP address is the address of the
sender of the packet. If the packet has been spoofed, the source address will be forged.
IP Spoofing is analogous to an attacker sending a package to someone with the wrong return
address listed. If the person receiving the package wants to stop the sender from sending
packages, blocking all packages from the bogus address will do little good, as the return address
is easily changed. Relatedly, if the receiver wants to respond to the return address, their
response package will go somewhere other than to the real sender. The ability to spoof the
addresses of packets is a core vulnerability exploited by many DDoS attacks.
DDoS attacks will often utilize spoofing with a goal of overwhelming a target with traffic while
masking the identity of the malicious source, preventing mitigation efforts. If the source IP
address is falsified and continuously randomized, blocking malicious requests becomes
difficult. IP spoofing also makes it tough for law enforcement and cyber security teams to track
down the perpetrator of the attack.
Spoofing is also used to masquerade as another device so that responses are sent to that targeted
device instead. Volumetric attacks such as NTP Amplification and DNS amplification make
use of this vulnerability. The ability to modify the source IP is inherent to the design of
TCP/IP, making it an ongoing security concern.
Tangential to DDoS attacks, spoofing can also be done with the aim of masquerading as another
device in order to sidestep authentication and gain access to or “hijack” a user’s session.

To protect against IP spoofing (packet filtering):

While IP spoofing can’t be prevented, measures can be taken to stop spoofed packets from
infiltrating a network. A very common defense against spoofing is ingress filtering, outlined in
BCP38 (a Best Common Practice document). Ingress filtering is a form of packet filtering usually
implemented on a network edge device which examines incoming IP packets and looks at their
source headers. If the source headers on those packets don’t match their origin or they otherwise
look fishy, the packets are rejected. Some networks will also implement egress filtering, which
looks at IP packets exiting the network, ensuring that those packets have legitimate source
headers to prevent someone within the network from launching an outbound malicious attack
using IP spoofing.
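As an added example (not from these notes, and not any vendor's filter implementation), the following simulates the BCP38 ingress and egress checks described above on an edge device. The two interface names ("inside" for customer prefixes, "outside" for the Internet), the customer prefixes and the sample packets are constructed assumptions.

```python
"""Ingress/egress filtering against IP spoofing (BCP38): added example, not from the notes.
Assumed topology: an edge router with an "inside" interface (customer prefixes) and an
"outside" interface (the Internet)."""
import ipaddress

# Constructed customer address space sitting behind the edge device.
INSIDE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),   # only .0 to .127 are ours
]


def is_inside(addr):
    """True if the address belongs to one of the customer prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_PREFIXES)


def ingress_decision(iface, src):
    """BCP38 ingress check on an arriving packet. Returns (accept, reason).
    A packet from the inside must carry a customer source; a packet from the
    outside must not claim to come from inside."""
    inside_src = is_inside(src)
    if iface == "inside" and not inside_src:
        return False, "spoofed: inside interface, non-customer source"
    if iface == "outside" and inside_src:
        return False, "spoofed: outside interface claims internal source"
    return True, "ok"


def egress_decision(src):
    """Egress check on a packet about to leave toward the Internet: only our
    own prefixes may appear as the source, so nobody inside can launch an
    outbound spoofed flood."""
    if not is_inside(src):
        return False, "spoofed: outbound packet with foreign source"
    return True, "ok"


def filter_packets(packets):
    """Apply the checks to (iface, src, dst) tuples; return (kept, dropped),
    each a list of (iface, src, dst, reason)."""
    kept, dropped = [], []
    for iface, src, dst in packets:
        ok, why = ingress_decision(iface, src)
        # Packets accepted on the inside and bound for the Internet also pass egress.
        if ok and iface == "inside" and not is_inside(dst):
            ok, why = egress_decision(src)
        (kept if ok else dropped).append((iface, src, dst, why))
    return kept, dropped


# Constructed sample packets: (arriving interface, source, destination).
SAMPLE = [
    ("inside", "192.0.2.10", "203.0.113.5"),       # legitimate outbound
    ("inside", "203.0.113.99", "203.0.113.5"),     # forged source leaving our network
    ("outside", "203.0.113.5", "192.0.2.10"),      # legitimate inbound reply
    ("outside", "192.0.2.77", "192.0.2.10"),       # inbound packet claiming our own address
    ("inside", "198.51.100.200", "192.0.2.1"),     # .200 lies outside the /25 we own
]

if __name__ == "__main__":
    kept, dropped = filter_packets(SAMPLE)
    for entry in kept:
        print("ACCEPT", entry)
    for entry in dropped:
        print("DROP  ", entry)
```

Note that these checks stop spoofed packets from entering or leaving this network only; a DDoS flood that arrives from elsewhere with randomized sources can still only be reduced if the networks at the far end filter their own egress.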
Methods of defense
There are legal and ethical restrictions on computer-based crime, but unfortunately computer crime
is certain to continue for the foreseeable future. For this reason, we must look carefully at
controls for preserving confidentiality, integrity, and availability. Sometimes these controls can
prevent or mitigate attacks; other, less powerful methods can only inform us that security has
been compromised, by detecting a breach as it happens or after it occurs.

Harm occurs when a threat is realized against a vulnerability. To protect
against harm, then, we can neutralize the threat, close the vulnerability, or both. The
possibility for harm to occur is called risk. We can deal with harm in several ways:
- prevent it, by blocking the attack or closing the vulnerability;
- deter it, by making the attack harder but not impossible;
- deflect it, by making another target more attractive (or this one less so);
- detect it, either as it happens or some time after the fact;
- recover from its effects.

Security models

The Cyber Security Model (CSM) is part of the Defence Cyber Protection Partnership
(DCPP) which was set up by the Ministry of Defence (MOD) to manage and
strengthen cyber security for the defence sector and its suppliers.

The model, which is a joint initiative between the MOD and industry, is in place to
ensure that suppliers to the MOD are managing their cyber security risk appropriately,
and that they are capable of protecting the MOD's sensitive information.

The CSM is also the DCPP’s response to the task of designing an appropriate and
proportionate set of controls to build on the Government’s Cyber Essentials scheme.
Since January 2016, all suppliers dealing with contracts which include sensitive,
MOD-identifiable information must be Cyber Essentials certified as a minimum.

However, some contracts carry an additional risk and require stricter security controls
to be in place. The MOD felt that the Cyber Essentials scheme did not represent a
broad enough degree of security because it only covered five major security controls
and did not include wider aspects of cyber security such as governance and risk
management, and this is why the CSM was introduced.

Risk management

Cyber Security Risk Management

Risk management refers to the process of identifying, assessing, and controlling threats
to a company’s finances. These risks or threats could come from a number of sources
including legal liabilities, strategic management mistakes, accidents, and natural
disasters. As we move toward an increasingly digital way of life, cyber security
introduces additional risks that have to be managed appropriately.

It’s possible to invest in various types of insurance to protect physical assets from
losses, but digital data isn’t tangible – and therefore isn’t covered under these kinds of
policies.

Cyber security risk management relies on user education, strategy, and technology to
protect an organization against attacks that could compromise systems, allow data to be
stolen, and ultimately damage the company's reputation. The rate of cyber attacks
continues to grow both in terms of volume and severity. As such, businesses that want
to protect themselves to the best of their ability must begin focusing efforts on cyber
security risk management.

Cybersecurity Risk Management Process

You want to begin the process by starting with a cyber security framework that’s been
developed from each area of your business to determine what your desired risk posture
should be.

It's a good idea to use technology that can help you find and map data across the
organization. Once the data is mapped, you'll be able to make better decisions on how
the data is governed and reduce your risk. For instance, even with training and a strong
security culture, it's possible for sensitive information to leave a company by accident.
Leaving data stored in hidden rows across spreadsheets, or included in notes within
employee presentations or email threads, leaves room for accidental data leakage.
By scanning the company for sensitive data at rest and then removing any of that data
stored where it does not belong, you greatly reduce the risk of accidental data loss.

Use the Capability Maturity Model

The five levels of the Capability Maturity Model (CMM) can be used to rate how mature
each security process is:

Initial

This is the starting point: the process is new, ad hoc or undocumented, and results
depend on individual effort.

Repeatable

At this stage, the process is documented well enough that repeating the same steps
can be attempted.

Defined

At this level, the process has been defined and is confirmed as a standard business
process.

Managed

At this level, the process is quantitatively managed according to agreed-upon
metrics.

Optimizing

At the final stage, process management includes deliberate action to optimize and
improve the process.

Once you have determined the desired risk posture, take a look at your existing
technology infrastructure to set the baseline for the current risk posture, then determine
what must be done to move from the current state to the desired state.

As long as your organization is taking proactive steps to understand all the potential
risks, you decrease the likelihood of running into a security incident that could hurt the
company.

A vital part of the risk management process is to conduct a risk and reward calculation.
This helps prioritize the security enhancements that will give you the greatest
improvement at the lowest cost. Some companies may be comfortable with 99% of all
security upgrades being made, but others, especially those in highly regulated industries,
will want to be closer to 100%. Because of this, there should be incremental steps and
goals, such as a 5% improvement achieved within 6 months, that can be measured to
determine whether the company is making progress toward its final goal.
That said, even small security vulnerabilities can lead to massive losses if systems are
connected in a way that allows access to an unimportant area to bridge entry into
systems that contain sensitive data.
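One concrete way to do the risk and reward calculation is shown below. This is an added example, not from the original notes: it uses the annualised loss expectancy model (ALE = single loss expectancy x annual rate of occurrence), which the notes do not name, to rank candidate controls by return on security investment and to measure progress toward an incremental goal. The risks, controls and money figures are constructed for illustration.

```python
"""Rank candidate security controls by the risk they remove per unit of cost.

Added example, not from the original notes. It uses the annualised loss expectancy
model (ALE = single loss expectancy x annual rate of occurrence), which the notes do
not name; the risks, controls and figures below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction (0..1) by which the control reduces the ARO of each named risk
    reduction: Dict[str, float] = field(default_factory=dict)


def total_ale(risks: List[Risk]) -> float:
    return sum(r.ale for r in risks)


def residual_ale(risks: List[Risk], controls: List[Control]) -> float:
    """ALE left after applying all given controls; reductions on one risk compound."""
    total = 0.0
    for r in risks:
        factor = 1.0
        for c in controls:
            factor *= 1.0 - c.reduction.get(r.name, 0.0)
        total += r.ale * factor
    return total


def rosi(risks: List[Risk], control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost.
    Negative means the control costs more per year than the loss it prevents."""
    avoided = total_ale(risks) - residual_ale(risks, [control])
    return (avoided - control.annual_cost) / control.annual_cost


def prioritize(risks: List[Risk], controls: List[Control]) -> List[str]:
    """Control names, best return first."""
    return [c.name for c in sorted(controls, key=lambda c: rosi(risks, c), reverse=True)]


def improvement(risks: List[Risk], applied: List[Control]) -> float:
    """Fraction of the baseline ALE removed by the controls applied so far, for tracking
    incremental goals such as 'x% improvement within six months'."""
    base = total_ale(risks)
    return (base - residual_ale(risks, applied)) / base


# Constructed risk register and candidate controls.
RISKS = [
    Risk("phishing", sle=50_000, aro=2.0),
    Risk("unpatched-server", sle=200_000, aro=0.5),
    Risk("lost-laptop", sle=20_000, aro=1.0),
]
CONTROLS = [
    Control("mfa", 15_000, {"phishing": 0.8}),
    Control("patching", 40_000, {"unpatched-server": 0.9}),
    Control("disk-encryption", 5_000, {"lost-laptop": 0.95}),
    Control("siem", 120_000, {"phishing": 0.3, "unpatched-server": 0.3}),
]

if __name__ == "__main__":
    for name in prioritize(RISKS, CONTROLS):
        control = next(c for c in CONTROLS if c.name == name)
        print(f"{name:16s} ROSI={rosi(RISKS, control):+.2f}")
```

With these figures the cheap, targeted controls (MFA, disk encryption) come out ahead of the expensive SIEM, whose ROSI is negative because its annual cost exceeds the loss it avoids; applying only the top two controls already removes 45% of the baseline ALE, which is the kind of measurable milestone the text recommends.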

The only way to ensure a system is fully secure is to make sure no one can access it –
which isn’t practical. The more you lock down a system, the harder it becomes for
authorized personnel to conduct business as usual. If authorized users determine they
cannot access the data they need to perform their jobs, they may look for workarounds
that could easily result in compromised systems.

Mitigating Security Risks

While you will never be able to eliminate all cyber threats and security risks, there are a
number of precautions you can take to mitigate cyber security risk. Among these are the
options to:

Limit the devices that have Internet access

Limit the number of staff members with administrator credentials, and control the rights
granted to each administrator

Use antivirus programs and endpoint security

Require users to complete two-factor authentication to gain access to certain files and
systems

Install network access controls

Allow automatic updates and patches for operating systems

Place limits on older operating systems

Use firewalls

To take risk mitigation a step further, your organization may also want to consider
advanced encryption, redaction, and element-level security. Advanced encryption has to
be implemented systematically and strategically to protect data from cybercriminals and
insider threats. This includes standards-based cryptography, advanced key management,
granular role-based access and separation of duties, and algorithms that drastically
decrease exposure.

Data encryption can help protect against outside breaches, but it doesn’t do much to
prevent internal data theft. Employees with access to sensitive data will have the
credentials needed to decrypt it as part of their daily work, so organizations must also
take action to prevent that data from being removed from the corporate system through
flash drives and other removable media.
Redaction creates a balance between data protection and the ability to share it. With
redaction, companies can share the information they need to share with minimal effort
by hiding sensitive information such as names, social security numbers, addresses, and
more.

Redaction is an important part of data security, but companies need to be able to do it at
the property level based on employee roles. Companies also need to be able to
implement custom and out-of-the-box rules as necessary. With Purchase Control, for
example, user permissions can be controlled at a highly granular level, which goes a long
way toward preventing accounts payable fraud.
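Property-level redaction driven by roles and rules, as discussed above, is easy to express in code. The following is an added example, not from the original notes and not from any vendor product: a default rule table plays the part of the out-of-the-box rules, each role gets a list of properties it may see in clear plus optional custom overrides, and any role not in the table is denied everything. The vendor record, roles and rules are constructed.

```python
"""Property-level redaction of a record according to the viewer's role.

Added example, not from the original notes and not from any vendor product. The vendor
record, the roles and the rule tables are constructed; DEFAULT_RULES plays the part of the
out-of-the-box rules and the per-role 'custom' entries show role-specific overrides.
"""
import re
from copy import deepcopy
from typing import Any, Callable, Dict

Record = Dict[str, Any]
Rule = Callable[[str], str]


def mask_all(value: str) -> str:
    return "[REDACTED]"


def last4(value: str) -> str:
    """Keep only the last four digits, as is common for card and identification numbers."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "[REDACTED]"
    return "*" * (len(digits) - 4) + digits[-4:]


# Out-of-the-box rules: which properties are sensitive and how they are hidden by default.
DEFAULT_RULES: Dict[str, Rule] = {
    "name": mask_all,
    "ssn": mask_all,
    "address": mask_all,
    "card_number": last4,
}

# Per-role policy: properties the role may see in clear, plus custom rule overrides.
ROLE_POLICY: Dict[str, Dict[str, Any]] = {
    "accounts_payable": {"clear": {"name"}, "custom": {}},
    "auditor": {"clear": {"name", "address"}, "custom": {"ssn": last4}},
    "support": {"clear": set(), "custom": {}},
}
DENY_ALL = {"clear": set(), "custom": {}}  # applied to any role not listed above


def redact(record: Record, role: str) -> Record:
    """Return a copy of the record with every sensitive property the role may not see
    replaced according to the applicable rule. The original record is not modified."""
    policy = ROLE_POLICY.get(role, DENY_ALL)
    out = deepcopy(record)
    for prop, default_rule in DEFAULT_RULES.items():
        if prop not in out or prop in policy["clear"]:
            continue
        rule = policy["custom"].get(prop, default_rule)
        out[prop] = rule(str(out[prop]))
    return out


# Constructed vendor record as it might appear in an accounts payable system.
VENDOR: Record = {
    "vendor_id": "V-1001",
    "name": "Acme Supplies",
    "ssn": "123-45-6789",
    "address": "12 Main St",
    "card_number": "4111 1111 1111 1111",
    "invoice_total": 1200.50,
}

if __name__ == "__main__":
    for role in ("support", "accounts_payable", "auditor", "intern"):
        print(role, redact(VENDOR, role))
```

Note the fail-closed default: an unknown role receives the same view as the most restricted one, and non-sensitive properties such as the invoice total pass through untouched so the shared record stays useful.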

Cyber Threats:
Cyber Warfare: Cyber warfare refers to the use of digital attacks, such as computer
viruses and hacking, by one country to disrupt the vital computer systems of another,
with the aim of creating damage, death and destruction. Future wars will see hackers
using computer code to attack an enemy's infrastructure, fighting alongside troops using
conventional weapons like guns and missiles.

Cyber warfare involves actions by a nation-state or international organization to attack
and attempt to damage another nation's computers or information networks through, for
example, computer viruses or denial-of-service attacks.

Cyber Crime:
Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device. It is committed by cybercriminals or hackers, most often for
financial gain, and is carried out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically
skilled. Others are novice hackers.

Cyber Terrorism:
Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful
attacks and threats of attacks against computers, networks and the information stored
therein when done to intimidate or coerce a government or its people in furtherance of
political or social objectives.

Examples are hacking into computer systems, introducing viruses to vulnerable
networks, web site defacement, denial-of-service attacks, or terroristic threats made via
electronic communication.

Cyber Espionage:
Cyber spying, or cyber espionage, is the act or practice of obtaining secrets and
information without the permission and knowledge of the holder of the information, from
individuals, competitors, rivals, groups, governments and enemies, for personal,
economic, political or military advantage using methods on the Internet.

Security Policies:

Security policies are a formal set of rules issued by an organization to ensure that users
who are authorized to access company technology and information assets comply with
rules and guidelines related to the security of information.
A security policy is also considered to be a "living document", which means that the
document is never finished but is continuously updated as the requirements of the
technology and of employees change.
We use security policies to manage our network security. In security management
software, most types of policy are created automatically during installation; we can also
customize policies to suit our specific environment.

Need for security policies:

1) They increase efficiency.

2) They uphold discipline and accountability.

3) They can make or break a business deal.

4) They help to educate employees on security literacy.

Some important cyber security policy types are described below.

Virus and Spyware Protection policy:

It helps to detect threats in files and to detect applications that exhibit suspicious
behavior.
It removes and repairs the side effects of viruses and security risks by using signatures.

Firewall Policy:

It blocks unauthorized users from accessing the systems and networks that connect
to the Internet.
It detects attacks by cybercriminals and removes unwanted sources of network
traffic.

Intrusion Prevention policy:

This policy automatically detects and blocks network attacks and browser attacks.
It also protects applications from vulnerabilities, inspects the contents of one or
more packets, and detects malware arriving over otherwise legitimate channels.

Application and Device Control:

This policy protects a system's resources from applications and manages the
peripheral devices that can attach to a system.
The device control policy applies to both Windows and Mac computers whereas
application control policy can be applied only to Windows clients.

What Is the SSDLC (Secure SDLC)?


A secure software development life cycle (SSDLC) framework incorporates security throughout
the development process. The traditional SDLC framework defines the process of building an
application from initial planning to production operations, maintenance, and eventual
decommissioning. Common SDLC models include waterfall, iterative, and agile development.

The traditional SDLC implements security activities as part of the testing phase at the end of the
cycle. Performing security after the development phase is complete results in missing security
issues or discovering them too late. Fixing these issues, at that point, becomes a time-consuming
and expensive endeavor.

A secure SDLC framework integrates security across the entire lifecycle to help identify and
minimize vulnerabilities at early stages when it is easier to fix them. The SSDLC helps ensure that
security assurance activities like penetration testing, architecture analysis, and code review become
an integral part of the cycle.

The Importance of a Secure SDLC


Developers often view security and testing requirements as obstacles to a smooth development
process. Secure SDLC helps break down the security process into easily implemented stages
throughout the development pipeline. It provides a mechanism to unite developers and security
team members with shared responsibility and ownership over the project, helping to ensure
software protection without delaying the development process.

Developers can start with learning secure coding best practices and frameworks. They can use
automated tools to help discover security risks in their code while they write it. Developers should
also check for security vulnerabilities in the open source code they introduce.

Management teams can also benefit from SSDLC because it helps them implement a strategy for
building secure products. For instance, a manager might conduct a gap analysis to learn about
existing security policies and practices, identify missing security processes, and verify the
effectiveness of the organization’s security strategy at each SDLC stage.

Establishing and enforcing a security policy is essential to implementing a streamlined SSDLC that
allows development teams to meet software release deadlines. This policy should address high-
priority issues such as compliance without manual reviews or intervention. You might use a
security expert to evaluate your security requirements and build a plan to help improve your
organization’s security profile.

6 Phases of the Secure Software Development Life Cycle


The SSDLC incorporates security across all phases, implementing unique security tools and
mechanisms for each phase. It includes automated detection, prioritization, and remediation tools
throughout the entire lifecycle. You can integrate these tools with existing IDEs, build servers,
code repositories, and bug tracking tools to quickly address potential risks.

1. Planning

The planning phase includes product and project management tasks such as resource allocation,
capacity planning, provisioning, cost estimation, and project scheduling. During this phase, teams
work to create schedules, project plans, procurement requirements, and cost estimations.

The SSDLC ensures the planning phase is a collaborative effort between project managers,
development staff, operations personnel, and security teams. The goal is to ensure all perspectives
are represented in the planning.

2. Requirements and Analysis

The second phase of the SSDLC involves making decisions regarding the project’s technology,
languages, and frameworks. A secure SSDLC requires considering potential vulnerabilities that
can impact the development tools and choosing the appropriate security mechanism for the design
and development, building for security right from the beginning.

3. Design

The design process involves established patterns for software development and application
architecture. Software architects typically use an architecture framework to compose the
application from existing components, promoting standardization and reuse. Proven design
patterns help solve algorithmic problems consistently.

The design phase can also include rapid prototyping (a spike) to compare solutions and find the
most suitable option. This phase produces design documents listing the patterns and components
selected for the project, and the code produced by the spikes serves as a starting point for
development.

4. Development

A secure SDLC requires using secure coding standards during the development phase. It involves
performing code reviews to ensure the project includes all specified functions and features and
finding and remediating security vulnerabilities in the code.

5. Deployment

This phase releases working software to production. The modern SDLC utilizes automation during
the deployment phase. High-maturity SSDLC implementations turn this phase into an almost
invisible component, automatically deploying software the instant it is ready.

Implementations in highly regulated industries typically require manual approvals, but they can
often still use a continuous delivery (CD) model, in which every build is release-ready and a
human approves the push to production. Application release automation (ARA) tools help
automate the deployment of applications to production. ARA systems are typically integrated
with continuous integration (CI) tools.

6. Maintenance

Security does not end after deployment. Testing phases can include thorough checks, but
production is never the same as a testing environment. SSDLC should include mechanisms to
address previously undetected risks and errors and ensure all configurations are performing as
intended.

Security practices need to follow into software maintenance cycles. Ideally, the SSDLC should
continuously update the product to ensure it remains secure from new vulnerabilities and
compatible with newly integrated tools.

Secure SDLC Best Practices
Use the following best practices to implement an SSDLC.

Train Your Staff

Implementing a secure SDLC requires educating developers to ensure they incorporate security
practices throughout the development life cycle. Training should include:

 Guidelines to help developers implement secure coding practices.
 Security awareness training.
 Remediation SLAs to clarify how quickly teams should address issues they discover in production.

Introduce Frictionless Security Processes

The modern software development pipeline should automate tasks wherever possible and minimize
friction slowing down the development process. Developers often focus on writing and releasing
code as quickly as possible, so they should leverage automation to achieve fast release cycles.

Developers often neglect security because they consider it an inconvenient burden compared to
their primary objective of shipping code quickly to production. A secure SDLC requires removing
the friction from security processes. For example, organizations can automate static and dynamic
application security testing (SAST/DAST) and code reviews. These automated security pipelines
should run seamlessly without delaying releases.

Control Code Repository Access

Embedding security in the SDLC helps ensure secure code, but it doesn't protect against threats
posed by malicious actors who infiltrate the development environment and insert arbitrary code.

Protecting access to all code repositories is an essential aspect of software security. Organizations
should restrict access so that only verified users and entities can submit code to the repositories. It
will prevent attackers from impersonating in-house developers and creating a backdoor.

Leverage Threat Modeling Where Appropriate

Threat modeling involves investigating a system’s design, operations, and data flows to identify
potential vulnerabilities. It takes place early in the SDLC to allow security and development teams
to redesign or reconfigure the system to address these vulnerabilities and prevent attackers from
exploiting the system.

However, threat modeling is often time-consuming because it requires manual work to
identify attack vectors. It therefore tends to create a bottleneck in a development process
where most other steps are automated. Organizations should scope threat modeling carefully
and avoid spending time where it adds little.

Threat modeling can in principle enumerate every attack vector, but chasing every
potential attack window can hinder production without significantly increasing security.

Unit II
CYBER THREATS & ATTACKS

CYBERSPACE
Cyberspace can be defined as an intricate environment that involves interactions between
people, software, and services. It is maintained by the worldwide distribution of information
and communication technology devices and networks.
With the benefits carried by technological advancements, cyberspace today has become a
common pool used by citizens, businesses, critical information infrastructure, military and
governments in a way that makes it hard to draw clear boundaries among these different
groups. Cyberspace is anticipated to become even more complex in the upcoming years,
with the increase in networks and devices connected to it.

REGULATIONS
The predominant laws and frameworks to cover when it comes to cybersecurity are the following.
Information Technology Act, 2000
Indian cyber law is governed by the Information Technology Act, enacted in 2000. The
principal purpose of this Act is to give legal recognition to electronic commerce and to
electronic records filed with the Government.
But with the cyber attackers getting sneakier, topped by the human tendency to misuse
technology, a series of amendments followed.
The ITA, enacted by the Parliament of India, sets out the punishments and penalties that
safeguard the e-governance, e-banking, and e-commerce sectors. The scope of the ITA has
since been enhanced to encompass all the latest communication devices.
The IT Act is the principal statute guiding Indian legislation on cybercrime:
Section 43 - Applicable to people who damage computer systems without permission from
the owner. The owner can claim compensation for the entire damage in such cases.
Section 66 - Applicable when a person dishonestly or fraudulently commits any act referred
to in Section 43. The punishment is imprisonment for up to three years, a fine of up to
Rs. 5 lakh, or both.
Section 66B - Covers dishonestly receiving stolen computer resources or communication
devices: imprisonment for up to three years, a fine of up to Rs. 1 lakh, or both.
Section 66C - Covers identity theft, such as fraudulent use of another person's electronic
signature, password or other unique identification feature. If proven guilty, imprisonment for
up to three years, which may also be accompanied by a fine of up to Rs. 1 lakh.
Section 66D - Inserted by amendment, this section punishes cheating by personation using a
computer resource: imprisonment for up to three years and a fine of up to Rs. 1 lakh.
Indian Penal Code (IPC) 1860
Identity thefts and associated cyber frauds are covered by the Indian Penal Code (IPC),
1860, which is invoked along with the Information Technology Act of 2000.
The relevant sections of the IPC covering cyber frauds are:
Making a false document (Section 464)
Punishment for forgery (Section 465)
Forgery for the purpose of cheating (Section 468)
Forgery for the purpose of harming reputation (Section 469)
Using as genuine a forged document (Section 471)
Companies Act of 2013
Corporate stakeholders treat the Companies Act of 2013 as the legal obligation governing
the refinement of daily operations. The directives of this Act cement all the required
techno-legal compliances, putting less compliant companies in a legal fix.
The Companies Act 2013 vested powers in the Serious Fraud Investigation Office (SFIO)
to prosecute Indian companies and their directors. Since the notification of the Companies
(Inspection, Investigation and Inquiry) Rules, 2014, the SFIO has become even more
proactive and stern in this regard.
The legislature ensured that all the regulatory compliances are well covered, including cyber
forensics, e-discovery, and cybersecurity diligence. The Companies (Management and
Administration) Rules, 2014 prescribe strict guidelines confirming the cybersecurity
obligations and responsibilities of company directors and leaders.
NIST Compliance
The NIST Cybersecurity Framework (NIST CSF), published by the US National Institute of
Standards and Technology (NIST), offers a harmonized approach to cybersecurity. It is a
voluntary framework rather than a certification scheme, but it is widely adopted
internationally.
The NIST Cybersecurity Framework encompasses guidelines, standards, and best practices
to manage cyber-related risks responsibly. The framework prioritizes flexibility and
cost-effectiveness.
It promotes the resilience and protection of critical infrastructure by:
Allowing better interpretation, management, and reduction of cybersecurity risks, to
mitigate data loss, data misuse, and the subsequent restoration costs
Determining the most important activities and critical operations, in order to focus on
securing them
Demonstrating the trustworthiness of organizations that secure critical assets
Helping to prioritize investments to maximize the cybersecurity return on investment
Addressing regulatory and contractual obligations
Supporting the wider information security program
By combining the NIST CSF with ISO/IEC 27001, cybersecurity risk management becomes
simpler. It also makes communication easier throughout the organization and across supply
chains via the common cybersecurity vocabulary laid down by NIST.
Final Thoughts
As human dependence on technology intensifies, cyber laws in India and across the globe
need constant upgrading and refinement. The pandemic has also pushed much of the
workforce into a remote working model, increasing the need for application security.
Lawmakers have to go the extra mile to stay ahead of the impostors, in order to block them
at their advent.
Cybercrime can be controlled, but it needs the collaborative efforts of the lawmakers, the
Internet and network providers, intermediaries like banks and shopping sites, and, most
importantly, the users. Only the prudent efforts of these stakeholders, ensuring their
adherence to the law of cyberspace, can bring about online safety and resilience.
ROLE OF INTERNATIONAL LAWS
In various countries, areas of the computing and communication industries are regulated by
governmental bodies. There are specific rules on the uses to which computers and computer
networks may be put; in particular there are rules on unauthorized access, data privacy and
spamming. There are also limits on the use of encryption and of equipment which may be
used to defeat copy protection schemes. There are laws governing trade on the Internet,
taxation, consumer protection, and advertising. There are laws on censorship versus
freedom of expression, rules on public access to government information, and on individual
access to information held on them by private bodies. Some states limit access to the
Internet, by law as well as by technical means.
INTERNATIONAL LAW FOR CYBER CRIME
Cybercrime is "international" in that there are no cyber-borders between countries. The
growing complexity in the types and forms of cybercrime increases the difficulty of fighting
back, so fighting cybercrime calls for international cooperation. Various organizations and
governments have already made joint efforts to establish global standards of legislation and
law enforcement, both on a regional and on an international scale.

THE INDIAN CYBERSPACE

Indian cyberspace was born in 1975 with the establishment of National Informatics Centre
(NIC) with an aim to provide govt with IT solutions. Three networks (NWs) were set up
between 1986 and 1988 to connect various agencies of govt. These NWs were, INDONET
which connected the IBM mainframe installations that made up India’s computer
infrastructure, NICNET (the NIC NW) a nationwide very small aperture terminal (VSAT)
NW for public sector organisations as well as to connect the central govt with the state govts
and district administrations, the third NW setup was ERNET (the Education and Research
Network), to serve the academic and research communities.

The New Internet Policy of 1998 paved the way for services from multiple Internet service
providers (ISPs) and boosted the Internet user base from 1.4 million in 1999 to over 150
million by December 2012. The exponential growth rate is attributed to increasing Internet
access through mobile phones and tablets. The government is making a determined push to
increase broadband penetration from its present level of about 6%. The target for broadband
is 160 million households by 2016 under the National Broadband Plan.
NATIONAL CYBER SECURITY POLICY
National Cyber Security Policy is a policy framework by Department of Electronics and
Information Technology. It aims at protecting the public and private infrastructure from
cyberattacks. The policy also intends to safeguard "information, such as personal information
(of web users), financial and banking information and sovereign data". This was particularly
relevant in the wake of US National Security Agency (NSA) leaks that suggested the US
government agencies are spying on Indian users, who have no legal or technical safeguards
against it. Ministry of Communications and Information Technology
(India) defines Cyberspace as a complex environment consisting of interactions between
people, software services supported by worldwide distribution of information and
communication technology.
VISION
To build a secure and resilient cyberspace for citizens, business, and government and also to
protect anyone from intervening in user's privacy.
MISSION
To protect information and information infrastructure in cyberspace, build capabilities to
prevent and respond to cyber threat, reduce vulnerabilities and minimize damage from cyber
incidents through a combination of institutional structures, people, processes, technology,
and cooperation.
OBJECTIVE
The Ministry of Communications and Information Technology (India) defines the objectives
as follows:

To create a secure cyber ecosystem in the country, generate adequate trust and
confidence in IT systems and transactions in cyberspace, and thereby enhance adoption
of IT in all sectors of the economy.
To create an assurance framework for the design of security policies and for promoting
and enabling compliance with global security standards and best practices by way of
conformity assessment (product, process, technology and people).
To strengthen the regulatory framework for ensuring a secure cyberspace ecosystem.
To enhance and create national and sectoral level 24x7 mechanisms for obtaining
strategic information regarding threats to ICT infrastructure, creating scenarios for
response, resolution and crisis management through effective predictive, preventive,
protective, response and recovery actions.

INTRODUCTION: CYBER FORENSICS
CYBER FORENSICS:
Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence.
Forensic examiners typically analyze data from personal computers, laptops, personal digital
assistants, cell phones, servers, tapes, and any other type of media. This process can involve
anything from breaking encryption, to executing search warrants with a law enforcement
team, to recovering and analyzing files from hard drives that will be critical evidence in the
most serious civil and criminal cases.

The forensic examination of computers, and data storage media, is a complicated and highly
specialized process. The results of forensic examinations are compiled and included in
reports. In many cases, examiners testify to their findings, where their skills and abilities are
put to ultimate scrutiny.

DIGITAL FORENSICS:

Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used in a court of law. It is the science of
finding evidence on digital media such as a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated digital-
related cases.

Digital forensics helps the forensic team to analyze, inspect, identify, and preserve the
digital evidence residing on various types of electronic devices.

Digital forensic science is a branch of forensic science that focuses on the recovery and
investigation of material found in digital devices, often in relation to cybercrime.

THE NEED FOR COMPUTER FORENSICS


Computer forensics is also important because it can save your organization money. From a
technical standpoint, the main goal of computer forensics is to identify, collect, preserve, and
analyze data in a way that preserves the integrity of the evidence collected so that it can be
used effectively in a legal case.
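"Preserving the integrity of the evidence" has a concrete technical meaning: the examiner hashes what was acquired, works only on a verified copy, and re-hashes before every analysis step so that any change since acquisition is detectable and attributable. The Python below is an added example, not from the original notes; the "disk image" is a constructed byte string, and a real acquisition would stream the device or image file through the same hash function block by block.

```python
"""Record and verify the integrity of acquired evidence with cryptographic hashes.

Added example, not from the original notes. The 'disk image' is a constructed byte string;
a real acquisition would hash the device or image file block by block in the same way.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List


def sha256_of(chunks: Iterable[bytes]) -> str:
    """Hash data streamed in chunks so that images larger than memory can be verified."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def chunked(data: bytes, size: int = 4096) -> Iterator[bytes]:
    for i in range(0, len(data), size):
        yield data[i:i + size]


class CustodyLog:
    """Append-only record of who handled the evidence, when, and what its hash was."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, action: str, handler: str, digest: str, when: datetime = None) -> None:
        self.entries.append({
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": digest,
        })

    def acquisition_hash(self) -> str:
        """The hash taken at acquisition is the reference every later check is made against."""
        return self.entries[0]["sha256"] if self.entries else ""


def acquire(source: bytes, handler: str, log: CustodyLog) -> bytes:
    """Take a forensic copy, hash both source and copy, and refuse to proceed if they differ.
    Analysis is then done on the copy; the source is never modified."""
    image = bytes(source)
    src_hash = sha256_of(chunked(source))
    img_hash = sha256_of(chunked(image))
    if src_hash != img_hash:
        raise RuntimeError("copy does not match source")
    log.record("acquired", handler, img_hash)
    return image


def verify(image: bytes, log: CustodyLog, handler: str) -> bool:
    """Re-hash before analysis; any change since acquisition invalidates the evidence.
    The outcome is logged either way so the custody record is complete."""
    digest = sha256_of(chunked(image))
    ok = digest == log.acquisition_hash()
    log.record("verified" if ok else "INTEGRITY FAILURE", handler, digest)
    return ok


# Constructed stand-in for an acquired disk image (about 16 KiB of recognisable bytes).
EVIDENCE = (b"NTFS    " + bytes(range(256))) * 64

if __name__ == "__main__":
    custody = CustodyLog()
    working_copy = acquire(EVIDENCE, "examiner-1", custody)
    print("verified:", verify(working_copy, custody, "examiner-2"))
    for entry in custody.entries:
        print(entry["time"], entry["action"], entry["handler"], entry["sha256"][:16])
```

Flipping a single byte of the working copy makes the next verify() call fail and leaves an "INTEGRITY FAILURE" entry in the custody log, which is exactly the property an opposing counsel will probe: that any tampering after acquisition is both detectable and recorded.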

CYBER FORENSICS AND DIGITAL EVIDENCE:

Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive, a mobile phone, among other places. Digital
evidence is commonly associated with electronic crime, or e-crime, such as child
pornography or credit card fraud. However, digital evidence is now used to prosecute all
types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might
contain critical evidence regarding their intent, their whereabouts at the time of a crime and
their relationship with other suspects. In 2005, for example, a floppy disk led investigators to
the BTK serial killer who had eluded police capture since 1974 and claimed the lives of at
least 10 victims.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law
enforcement agencies are incorporating the collection and analysis of digital evidence, also
known as computer forensics, into their infrastructure. Law enforcement agencies are
challenged by the need to train officers to collect digital evidence and keep up with rapidly
evolving technologies such as computer operating systems.

FORENSICS ANALYSIS OF EMAIL:


E-mail forensics refers to the study of the source and content of e-mail as evidence, to
identify the actual sender and recipient of a message, the date/time of transmission, the
detailed record of the e-mail transaction, the intent of the sender, and so on. This study
involves investigation of metadata, keyword searching, port scanning, etc. for authorship
attribution and identification of e-mail scams.

Various approaches that are used for e-mail forensic are:

Header Analysis – Metadata in the e-mail message in the form of control
information, i.e. the envelope and the header fields (including headers in the message
body), contains information about the sender and/or the path along which the message
has traversed. Some of these may be spoofed to conceal the identity of the sender.
Header analysis performs a detailed analysis of these headers and their correlation.
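The following Python is an added example of header analysis, not code from the original notes. It walks the Received chain in delivery order (each relay prepends its own header, so the bottom one is closest to the origin), pulls out the connecting address each relay recorded, and correlates the From, Return-Path and Message-ID domains with the first hop. The raw message, hostnames, IP addresses and domains are constructed, and no DNS lookups are performed, so the checks are limited to what the headers themselves say.

```python
"""Reconstruct the delivery path of an e-mail from its Received headers and flag
indicators of a spoofed sender.

Added example, not from the original notes. The raw message, hostnames, IP addresses
and domains below are constructed; no DNS lookups are performed.
"""
import email
import ipaddress
import re
from email.utils import parseaddr
from typing import Dict, List

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed message: the From header claims the company CEO, but the message was
# injected at a third-party relay by a host with no reverse DNS that announced a
# private address in its HELO.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx1.victim.example (mx1.victim.example [203.0.113.10])
\tby inbox.victim.example with ESMTP id 7f3a; Tue, 2 May 2023 10:15:03 +0000
Received: from smtp.mail-relay.example.net (smtp.mail-relay.example.net [198.51.100.25])
\tby mx1.victim.example with ESMTPS; Tue, 2 May 2023 10:15:02 +0000
Received: from [192.168.1.23] (unknown [192.0.2.77])
\tby smtp.mail-relay.example.net with ESMTPA id 1a2b; Tue, 2 May 2023 10:15:00 +0000
From: "CEO" <ceo@victim.example>
To: finance@victim.example
Subject: Urgent wire transfer
Message-ID: <20230502101500.1a2b@mail-relay.example.net>

Please process the attached invoice today.
"""


def parse_received(value: str) -> Dict[str, str]:
    """Split one Received header into its 'from' and 'by' clauses. The last IP in the
    'from' clause is the connecting address recorded by the receiving server; the first
    token is the name the client announced in HELO, which the client controls."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = re.match(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", flat)
    frm = m.group("frm") if m else ""
    ips = IPV4.findall(frm)
    return {
        "from": frm,
        "by": m.group("by") if m else "",
        "helo": frm.split()[0].strip("[]") if frm else "",
        "ip": ips[-1] if ips else "",
    }


def hops(raw: str) -> List[Dict[str, str]]:
    """Each relay prepends its own Received header, so reversing the list yields the
    path in delivery order, origin first."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def origin_ip(raw: str) -> str:
    chain = hops(raw)
    return chain[0]["ip"] if chain else ""


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def indicators(raw: str) -> List[str]:
    """Header inconsistencies that commonly accompany a spoofed From address."""
    msg = email.message_from_string(raw)
    found = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        found.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    mid = msg.get("Message-ID", "")
    if "@" in mid:
        mid_dom = mid.strip().strip("<>").rsplit("@", 1)[-1].lower()
        if mid_dom != from_dom:
            found.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    chain = hops(raw)
    if chain:
        first = chain[0]
        if "unknown" in first["from"]:
            found.append(f"origin {first['ip']} has no reverse DNS")
        try:
            if ipaddress.ip_address(first["helo"]).is_private:
                found.append(f"origin announced private address {first['helo']} in HELO")
        except ValueError:
            pass  # HELO was a hostname, not an address
    return found


if __name__ == "__main__":
    for hop in hops(RAW_MESSAGE):
        print(f"{hop['ip']:15s} -> {hop['by']}")
    for line in indicators(RAW_MESSAGE):
        print("!", line)
```

Only the Received header written by your own mail server can be trusted; everything below it in the chain was written by other parties and can be forged, which is why the origin found here (192.0.2.77) is a lead to correlate with server and network logs rather than proof on its own.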

Bait Tactics – In a bait tactic investigation, an e-mail containing an HTML <img src>
tag whose image is hosted on a server monitored by the investigators is sent to the
sender of the e-mail under investigation, using their real (genuine) e-mail address. When
the e-mail is opened, a log entry containing the IP address of the recipient (the sender
of the e-mail under investigation) is recorded on the HTTP server hosting the image, and
thus the sender is tracked. However, if the recipient is using a proxy server, then the IP
address of the proxy server is recorded instead; the log on the proxy server can then be
used to track the sender. If the proxy server's log is unavailable for some reason,
investigators may send a bait e-mail containing a) an embedded Java applet that runs on
the receiver's computer or b) an HTML page with an ActiveX object, both aiming to
extract the IP address of the receiver's computer and e-mail it to the investigators.

Server Investigation – In this approach, copies of delivered e-mails and server
logs are examined to identify the source of an e-mail message. E-mails purged from the
clients (sender's or receiver's), whose recovery from the client is impossible, may be requested from
the servers (proxy or ISP), since most of them retain a copy of e-mails for some time after
delivery. Further, the logs maintained by the servers can be studied to trace the address of
the computer responsible for the e-mail transaction. However, servers keep copies of e-mail
and logs only for a limited period, and some may not co-operate with investigators. Further,
the mail provider's records about the owner of a mailbox (registration details, billing data such
as a credit card number, etc.) can be used to identify the person behind an e-mail address.

Network Device Investigation – In this form of e-mail investigation, logs maintained
by network devices such as routers, firewalls and switches are used to investigate
the source of an e-mail message. This form of investigation is complex and is used
only when the logs of the servers (proxy or ISP) are unavailable for some reason, e.g.
when the ISP or proxy does not maintain a log, when the ISP does not co-operate, or when the
chain of custody of the server evidence cannot be established.

Software Embedded Identifiers – Some information about the creator of the e-mail, and of
attached files or documents, may be included with the message by the e-mail software
used by the sender to compose it. This information may be present in the
form of custom headers or as MIME content in Transport Neutral
Encapsulation Format (TNEF, the winmail.dat attachment produced by Outlook). Examining the e-mail
for these details may reveal vital information about the sender's e-mail preferences and options
that helps client-side evidence gathering: the investigation can reveal PST file names, the
Windows logon username, the MAC address, etc. of the client computer used to send the
message.

Sender Mailer Fingerprints – The software handling the e-mail at each server
can be identified from the Received: header fields, and the software
handling the e-mail at the client can be ascertained from headers such as X-Mailer,
User-Agent or their equivalents. These headers name the applications, and their versions, used at
the client to send the e-mail. This information about the sender's client computer
helps investigators devise an effective plan and can prove very
useful.
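As an added example (not from these notes), the script below performs the header analysis and the sender-mailer fingerprinting described above with Python's standard `email` package: it walks the Received: chain in delivery order, pulls out the IP recorded for the first hop, reads client identifiers such as X-Mailer, and correlates the From:, Return-Path: and Message-ID: domains, which a forged message often gets wrong. The message it parses is constructed; every hostname, address and IP in it is made up. The trust caveat from the text applies: only the Received: lines written by servers the investigator controls or trusts are reliable, because everything below them can be inserted by the sender.

```python
"""Header analysis and sender-mailer fingerprinting of a raw e-mail.

Added example for these notes; the SAMPLE message and every host, IP and
address in it are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <host> ... by <host>" as an MTA writes it into a Received: line
HOP = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)

# Constructed sample: spoofed From:, three hops, client identifier in X-Mailer.
SAMPLE = b"""Received: from mx-in.example.org (mx-in.example.org [203.0.113.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx-in.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net with ESMTPA; Mon, 1 Jan 2024 10:00:01 +0000
From: "CEO" <ceo@bank.example>
Return-Path: <bounce@attacker.example>
To: victim@example.org
Subject: Urgent wire transfer
Message-ID: <1234@attacker.example>
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain

Please wire the funds today.
"""


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """Hops in delivery order (first element = hop closest to the sender).

    MTAs prepend their Received: line, so the header order is reversed here.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(raw))      # unfold continuation lines
        m = HOP.search(text)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ips": IPV4.findall(text),
            "time": text.rsplit(";", 1)[1].strip() if ";" in text else "",
        })
    return hops


def originating_ip(msg):
    """Sender IP as recorded by the first MTA that saw the message.

    Trust boundary: a sender can include fake Received: lines of their own,
    so only hops written by servers you trust should be relied upon.
    """
    for hop in received_chain(msg):
        if hop["ips"]:
            return hop["ips"][0]
    return None


def sender_fingerprint(msg):
    """Client-side identifiers embedded by the sending software, if present."""
    keys = ("X-Mailer", "User-Agent", "X-Originating-IP", "Message-ID")
    return {k: str(msg[k]).strip() for k in keys if msg[k] is not None}


def _domain(value):
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower() or None


def spoof_indicators(msg):
    """Cheap correlations between headers that a forged message often fails."""
    findings = []
    frm, rpath, mid = (_domain(msg[h]) for h in ("From", "Return-Path", "Message-ID"))
    if frm and rpath and rpath != frm:
        findings.append(f"Return-Path domain {rpath} differs from From domain {frm}")
    if frm and mid and mid != frm:
        findings.append(f"Message-ID domain {mid} differs from From domain {frm}")
    chain = received_chain(msg)
    if chain and chain[0]["from"] and chain[0]["from"].startswith("["):
        findings.append(f"first hop identified itself by bare IP {chain[0]['from']}")
    return findings


if __name__ == "__main__":
    msg = parse_message(SAMPLE)
    for i, hop in enumerate(received_chain(msg), 1):
        print(f"hop {i}: from={hop['from']} by={hop['by']} ips={hop['ips']} at {hop['time']}")
    print("originating IP:", originating_ip(msg))
    print("fingerprint:", sender_fingerprint(msg))
    for f in spoof_indicators(msg):
        print("indicator:", f)
```

The three indicators this sample trips (Return-Path and Message-ID on a different domain from From:, and a first hop that announced itself by bare IP) are exactly the correlations header analysis is meant to surface; none of them alone proves forgery, which is why the text says the headers must be correlated rather than read individually.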

EMAIL FORENSICS TOOLS

Erasing or deleting an e-mail does not necessarily mean that it is gone forever; often e-mails
can be forensically recovered even after deletion. Forensic tracing of e-mail is similar to
traditional detective work, and the tools below are used for retrieving information from mailbox files.

MiTec Mail Viewer – This is a viewer for Outlook Express, Windows
Mail/Windows Live Mail, Mozilla Thunderbird message databases, and single EML
files. It displays a list of the contained messages with all the usual properties, like an
ordinary e-mail client. Messages can be viewed in a detailed view, including
attachments and an HTML preview. It has powerful searching and filtering capability
and can also extract the e-mail addresses from all e-mails in the opened folder into a list with
one click. Selected messages can be saved to EML files with or without their
attachments, and attachments can be extracted from selected messages with one command.

OST and PST Viewer – Nucleus Technologies’ OST and PST viewer tools help you
view OST and PST files easily without connecting to an MS Exchange server. These
tools allow the user to scan OST and PST files and they display the data saved in it
including email messages, contacts, calendars, notes, etc., in a proper folder structure.

eMailTrackerPro – eMailTrackerPro analyses the headers of an e-mail to detect the
IP address of the machine that sent the message so that the sender can be tracked
down. It can trace multiple e-mails at the same time and easily keep track of them.
The geographical location of an IP address is key information for determining the
threat level or validity of an e-mail message.

EmailTracer – EmailTracer is an Indian effort in cyber forensics by the Resource
Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in
India. It develops cyber forensic tools based on the requirements of law enforcement
agencies.
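The viewer features listed above (list the messages, extract every address, search, pull attachments) are easy to reproduce with the standard library for the mbox format that Thunderbird uses, which helps when no commercial viewer is at hand. The following is an added example, not part of these notes nor the code of any tool named above: it writes three constructed messages to a temporary mbox file, then lists every address seen, searches subjects and text bodies for a keyword, and saves each attachment alongside its SHA-256 so the extracted file can be tied back to the mailbox it came from. Every address in it is made up. Outlook PST/OST files need a dedicated parser and are not handled here.

```python
"""Mailbox triage on an mbox file with Python's standard library.

Added example for these notes (not code from any tool named above). The
three messages are constructed test data; every address is made up.
"""
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage
from email.utils import getaddresses


def _msg(frm, to, subject, body, cc=None):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, to, subject
    if cc:
        m["Cc"] = cc
    m.set_content(body)
    return m


def build_sample_mbox(path):
    """Write three constructed messages, one with an attachment, to `path`."""
    m2 = _msg("mallory@attacker.example", "bob@example.net", "Invoice 4471",
              "Please process the attached invoice.", cc="carol@example.net")
    m2.add_attachment(b"%PDF-1.4 constructed invoice", maintype="application",
                      subtype="pdf", filename="invoice_4471.pdf")
    messages = [
        _msg("alice@example.org", "bob@example.net", "Lunch", "Lunch at noon?"),
        m2,
        _msg("bob@example.net", "alice@example.org", "Re: Lunch",
             "Sure, noon works. The invoice from Mallory looks odd."),
    ]
    box = mailbox.mbox(path)
    try:
        for m in messages:
            box.add(m)
        box.flush()
    finally:
        box.close()


def extract_addresses(path):
    """Every address in From/To/Cc/Reply-To across the mailbox (the one-click
    address extraction that mail viewers offer)."""
    box = mailbox.mbox(path)
    try:
        found = set()
        for msg in box:
            for field in ("From", "To", "Cc", "Reply-To"):
                for _, addr in getaddresses(msg.get_all(field, [])):
                    if addr:
                        found.add(addr.lower())
        return sorted(found)
    finally:
        box.close()


def _text_of(msg):
    """Subject plus every text/plain body part, decoded."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return " ".join(parts)


def keyword_search(path, term):
    """Case-insensitive search of subject and bodies; returns [(mbox_key, subject)]."""
    box = mailbox.mbox(path)
    try:
        term = term.lower()
        return [(key, msg.get("Subject", "")) for key, msg in box.items()
                if term in _text_of(msg).lower()]
    finally:
        box.close()


def extract_attachments(path, outdir):
    """Save each attachment as <key>_<name> and return [(saved_path, sha256)]."""
    box = mailbox.mbox(path)
    try:
        saved = []
        for key, msg in box.items():
            for part in msg.walk():
                name = part.get_filename()
                if not name:
                    continue
                data = part.get_payload(decode=True)      # undo base64/QP
                out = os.path.join(outdir, f"{key}_{os.path.basename(name)}")
                with open(out, "wb") as fh:
                    fh.write(data)
                saved.append((out, hashlib.sha256(data).hexdigest()))
        return saved
    finally:
        box.close()


def demo():
    """Build the sample mailbox in a temp dir and run the three triage steps."""
    work = tempfile.mkdtemp(prefix="mbox-triage-")
    path = os.path.join(work, "sample.mbox")
    build_sample_mbox(path)
    return {
        "addresses": extract_addresses(path),
        "invoice_hits": keyword_search(path, "invoice"),
        "attachments": extract_attachments(path, work),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The keyword search deliberately decodes the body parts before matching: a grep over the raw mbox would miss anything that was base64 or quoted-printable encoded on the wire, which is how most non-ASCII mail is stored.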

DIGITAL FORENSICS LIFECYCLE:

Collection: The first step in the forensic process is to identify potential sources of data and
acquire data from them.
Examination: After data has been collected, the next phase is to examine the data, which
involves assessing and extracting the relevant pieces of information from the collected data.
This phase may also involve bypassing or mitigating OS or application features that obscure
data and code, such as data compression, encryption, and access control mechanisms.
Analysis: Once the relevant information has been extracted, the analyst should study and
analyze the data to draw conclusions from it. The foundation of forensics is using a
methodical approach to reach appropriate conclusions based on the available data or
determine that no conclusion can yet be drawn.
Reporting: The process of preparing and presenting the information resulting from the
analysis phase. Many factors affect reporting, including the following:
a. Alternative Explanations: When the information regarding an event is incomplete, it
may not be possible to arrive at a definitive explanation of what happened. When an
event has two or more plausible explanations, each should be given due consideration
in the reporting process. Analysts should use a methodical approach to attempt to
prove or disprove each possible explanation that is proposed.

b. Audience Consideration: Knowing the audience to which the data or information
will be shown is important.

c. Actionable Information: Reporting also includes identifying actionable information
gained from data that may allow an analyst to collect new sources of information.
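The collection phase is where the integrity of the evidence is established, and the legal challenges later in this unit turn on being able to prove it. The script below is an added example (not from these notes): it copies a source file into an evidence directory, hashes source and copy with SHA-256, appends a chain-of-custody entry to a JSON-lines log, and later re-verifies every logged item, showing that a single appended byte breaks verification. The file it acquires is constructed in a temporary directory, and the examiner name and item ID are placeholders. A real acquisition images the device through a write blocker with a dedicated tool; the hashing and logging shown here is the part of that process that has to survive into the reporting phase.

```python
"""Evidence acquisition with SHA-256 integrity hashes and a custody log.

Added example for these notes. The 'source' file is constructed; the
examiner name and item ID are placeholders.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

LOG_NAME = "custody.jsonl"


def sha256_file(path, chunk=1 << 20):
    """Stream the file so images larger than RAM can be hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, evidence_dir, examiner, item_id):
    """Copy `source` into evidence_dir, prove the copy matches, log it."""
    dest = os.path.join(evidence_dir, f"{item_id}_{os.path.basename(source)}")
    shutil.copy2(source, dest)            # keeps timestamps; metadata is evidence too
    src_hash, dst_hash = sha256_file(source), sha256_file(dest)
    if src_hash != dst_hash:
        os.remove(dest)
        raise RuntimeError(f"copy of {source} does not match source")
    entry = {
        "item": item_id, "action": "acquired", "examiner": examiner,
        "source": source, "copy": dest, "size": os.path.getsize(dest),
        "sha256": dst_hash,
        "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(os.path.join(evidence_dir, LOG_NAME), "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")   # append-only custody record
    return entry


def verify(evidence_dir):
    """Re-hash every acquired item in the log; True means unchanged."""
    results = {}
    with open(os.path.join(evidence_dir, LOG_NAME), encoding="utf-8") as log:
        for line in log:
            e = json.loads(line)
            if e["action"] != "acquired":
                continue
            results[e["item"]] = (os.path.exists(e["copy"])
                                  and sha256_file(e["copy"]) == e["sha256"])
    return results


def demo():
    """Acquire a constructed file, verify, tamper with the copy, verify again."""
    work = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(work, "suspect_mail.mbox")
    with open(src, "wb") as fh:     # constructed sample, not real mail
        fh.write(b"From MAILER-DAEMON Mon Jan  1 10:00:00 2024\nSubject: constructed\n\nhi\n")
    ev = os.path.join(work, "evidence")
    os.makedirs(ev)
    entry = acquire(src, ev, examiner="examiner-01", item_id="E001")
    before = verify(ev)
    with open(entry["copy"], "ab") as fh:   # simulate later tampering
        fh.write(b"x")
    after = verify(ev)
    return before, after


if __name__ == "__main__":
    print(demo())   # ({'E001': True}, {'E001': False})
```

The log is append-only on purpose: a custody record that can be rewritten is worth nothing in court, so in practice the log itself is also hashed (or signed) at the end of each session and that value is recorded in the examiner's notes.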
FORENSICS INVESTIGATION:
Forensics is the application of scientific methods to solving a crime. A forensic investigation is the
gathering and analysis of all crime-related physical evidence in order to reach a conclusion
about a suspect. Investigators examine blood, fluids, fingerprints, residue, hard drives,
computers or other technology to establish how a crime took place. This is a general
definition, though, since there are a number of different types of forensics.
TYPES OF FORENSICS INVESTIGATION

Forensic Accounting / Auditing
Computer or Cyber Forensics
Crime Scene Forensics
Forensic Archaeology
Forensic Dentistry
Forensic Entomology
Forensic Graphology
Forensic Pathology
Forensic Psychology
Forensic Science
Forensic Toxicology

CHALLENGES IN COMPUTER FORENSICS


Digital forensics has been defined as the use of scientifically derived and proven methods
for the identification, collection, preservation, validation, analysis, interpretation and
presentation of digital evidence derived from digital sources, to facilitate the reconstruction
of events found to be criminal. But these digital forensic investigation methods face some
major challenges when put into practice. Following Fahdi, Clark, and Furnell, digital forensic
challenges fall under three major heads:

Technical challenges
Legal challenges
Resource Challenges

TECHNICAL CHALLENGES

As technology develops, crime and criminals develop with it. Digital forensic
experts use forensic tools to collect evidence against criminals, and criminals
use tools of their own to hide, alter or remove the traces of their crimes. In digital forensics
this is called anti-forensics, and it is considered a major challenge for the
field.

Anti-forensics techniques are categorized into the following types:

1. Encryption – Legitimately used to ensure the privacy of information by keeping it hidden
from unauthorized persons. Unfortunately, it can also be used by criminals to hide the
evidence of their crimes.
2. Data hiding in storage space – Criminals hide chunks of data inside the storage medium in
invisible form, using system commands and programs.
3. Covert channel – A covert channel is a communication channel that allows an attacker to
bypass intrusion detection and hide data in network traffic. The attacker uses it to hide the
connection between himself and the compromised system.

Other technical challenges are:

Operating in the cloud
Time to archive data
Skill gap
Steganography
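Encryption and steganography both defeat a keyword search, but encrypted data gives itself away statistically: it is indistinguishable from random bytes. A standard triage step is therefore to compute the Shannon entropy of files (or disk blocks) and flag anything close to 8 bits per byte that does not carry the header of a known compressed format. The example below is added here and is not from these notes; its three inputs are constructed, and the 7.2-bit threshold is a working assumption rather than a standard. The caveat to keep in mind is that compressed data is just as random-looking, so the entropy figure only says "encrypted or compressed"; the recognisable header of a zip or gzip container is what separates the two, and an encrypted blob with no such header is the case worth a second look.

```python
"""Entropy triage for spotting encrypted (or compressed) data.

Added example for these notes. Samples are constructed; the threshold is an
assumption chosen for illustration.
"""
import gzip
import math
from collections import Counter

# Magic bytes of common containers whose high entropy is expected, not suspicious.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}
HIGH_ENTROPY = 7.2   # bits per byte; an assumption, tune it on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    """Name of a recognised container if `data` starts with its magic bytes."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = HIGH_ENTROPY) -> str:
    """Coarse verdict: 'known:<fmt>', 'opaque' (possibly encrypted) or 'plain'."""
    fmt = known_format(data)
    if fmt:
        return f"known:{fmt}"
    return "opaque" if shannon_entropy(data) >= threshold else "plain"


def triage_file(path: str, sample: int = 64 * 1024) -> dict:
    """Read the first `sample` bytes of a file and classify them."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    return {"path": path, "entropy": round(shannon_entropy(head), 3),
            "verdict": classify(head)}


# Constructed samples: repetitive text, a gzip of it, and a uniform byte stream
# standing in for ciphertext (every value 0..255 equally often => exactly 8.0).
TEXT = b"The quick brown fox jumps over the lazy dog. " * 50
GZIPPED = gzip.compress(TEXT)
CIPHERTEXT_LIKE = bytes(range(256)) * 16


def demo():
    """Entropy and verdict for each constructed sample."""
    return {name: (round(shannon_entropy(d), 3), classify(d))
            for name, d in (("text", TEXT), ("gzipped", GZIPPED),
                            ("ciphertext_like", CIPHERTEXT_LIKE))}


if __name__ == "__main__":
    for name, (ent, verdict) in demo().items():
        print(f"{name:16s} entropy={ent:5.3f} verdict={verdict}")
```

Run `triage_file` over a directory tree and sort by entropy descending; the "opaque" files that are neither known archives nor media are the candidates for an encrypted container or a steganographic payload, and the low-entropy end is where plaintext, documents and configuration sit.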

LEGAL CHALLENGES

The presentation of digital evidence is more difficult than its collection, because in
many instances the legal framework takes a soft approach and does not recognise
every aspect of cyber forensics. In Jagdeo Singh V. The State and Ors, the Hon'ble High
Court of Delhi, dealing with the admissibility of an intercepted telephone call on a CD, and of
call detail records (CDRs), produced without a certificate under Sec. 65B of the Indian Evidence
Act, 1872, observed that "secondary electronic evidence without a certificate u/s. 65B of the
Indian Evidence Act, 1872 is not admissible and cannot be looked into by the court for any
purpose whatsoever." This happens in many cases because the cyber police lack the
necessary qualifications and ability to identify a possible source of evidence and prove it.
Besides, electronic evidence is frequently challenged in court on grounds of its integrity. In
the absence of proper guidelines, and without a proper account of how the electronic evidence
was collected and acquired, it is liable to be dismissed outright.

Legal Challenges

1. Absence of guidelines and standards – In India there are no proper guidelines for the
collection and acquisition of digital evidence. The investigating agencies and forensic
laboratories work to guidelines of their own, and as a result the potential of digital
evidence is often destroyed.
2. Limitations of the Indian Evidence Act, 1872 – The Indian Evidence Act, 1872 takes a
limited approach: it has not evolved with the times and does not address the fact that
e-evidence is more susceptible to tampering, alteration, transposition, etc. The Act is
silent on the method of collection of e-evidence; it focuses only on the presentation of
electronic evidence in court, accompanied by a certificate as per subsection 4 of Sec. 65B[12].
This means that no matter what procedure is followed, the evidence must be proved
with the help of such a certificate.

Other Legal Challenges

Privacy issues
Admissibility in courts
Preservation of electronic evidence
Power for gathering digital evidence
Analyzing a running computer

Resource Challenges

As the rate of crime increases, the amount of data increases too, and so does the burden of
analysing such huge volumes of data on the digital forensic expert; and because digital evidence is
more fragile than physical evidence, it can easily disappear. To make the
investigation process fast and useful, forensic experts use various tools to check the
authenticity of the data, but handling these tools is a challenge in itself.

Types of Resource Challenges are:

Change in technology

Due to rapid change in technology (operating systems, application software and hardware),
reading digital evidence is becoming more difficult: new software versions often cannot read
data produced by older versions, and software vendors do not always provide backward
compatibility, which has legal consequences as well.

Volume and replication

The confidentiality, availability and integrity of electronic documents are easily
manipulated. The combination of wide-area networks and the Internet forms one big network
that allows data to flow beyond physical boundaries. This ease of communication
and availability of electronic documents increases the volume of data, which in turn makes it
harder to identify the original and relevant data.

Techniques for Forensics Auditing:

A forensic audit is an examination of a company's financial records to derive
evidence which can be used in a court of law or legal proceeding.
For example, Telemart, on the recommendation of its Chief Financial Officer (CFO),
entered into a contract with RJ Inc for the supply of carts. At the time, RJ Inc was not
authorized to conduct business, as its license was suspended due to certain irregularities
in taxes paid. The CFO had knowledge of this fact, but still recommended
that Telemart enter into a contract with RJ Inc because he was secretly receiving
compensation from RJ for doing so.
A forensic audit can reveal such cases of fraud.
Why is a forensic audit conducted?

Forensic audit investigations are made for several reasons, including the following:

Corruption

In a forensic audit, while investigating fraud, an auditor would look out for:

Conflicts of interest – When a fraudster uses his/her influence for personal gains
detrimental to the company. For example, if a manager allows and approves
inaccurate expenses of an employee with whom he has personal relations. Even
though the manager is not directly financially benefited by this approval, he is
deemed likely to receive personal benefits after making such inappropriate approvals.

Bribery – As the name suggests, offering money to get things done or to influence a
situation in one's favor is bribery. For example, Telemith bribing an employee of
Technosmith to provide certain data to aid Telemith in preparing a tender
offer to Technosmith.

Extortion – If Technosmith demands money in order to award a contract to Telemith,
that would amount to extortion.
Asset Misappropriation

This is the most common and prevalent form of fraud. Misappropriation of cash, creating
fake invoices, payments made to non-existing suppliers or employees, misuse of assets,
or theft of Inventory are a few examples of such asset misappropriation.

Financial statement fraud

Companies get into this type of fraud to try to show the company’s financial
performance as better than what it actually is. The goal of presenting fraudulent numbers
may be to improve liquidity, ensure top management continue receiving bonuses, or to
deal with pressure for market performance. Some examples of the form that financial
statement fraud takes are the intentional forgery of accounting records, omitting
transactions – either revenue or expenses, non-disclosure of relevant details from the
financial statements, or not applying the requisite financial reporting standards.

Procedure for a forensic audit investigation

A forensic auditor is required to have special training in forensic audit techniques
and in the legalities of accounting issues.

A forensic audit has additional steps that need to be performed in addition to regular
audit procedures.

Plan the investigation – When the client hires a forensic auditor, the auditor is
required to understand what the focus of the audit is. For example, the client might be
suspicious about possible fraud in terms of the quality of raw materials supplied. The
forensic auditor will plan the investigation to achieve objectives such as:

Identify what fraud, if any, is being carried out
Determine the time period during which the fraud has occurred
Discover how the fraud was concealed
Identify the perpetrators of the fraud
Quantify the loss suffered due to the fraud
Gather relevant evidence that is admissible in court
Suggest measures that can prevent such frauds in the company in future

Collecting Evidence – By the conclusion of the audit, the forensic auditor is required to
understand the type of fraud that has been carried out and how it has been
committed. The evidence collected should be adequate to prove the identity of the
fraudster(s) in court, reveal the details of the fraud scheme, and document the amount of
financial loss suffered and the parties affected by the fraud.

A logical flow of evidence will help the court in understanding the fraud and the
evidence presented. Forensic auditors are required to take precautions to ensure that
documents and other evidence collected are not damaged or altered by anyone.

Common techniques used for collecting evidence in a forensic audit include the
following:

Substantive techniques – For example, doing a reconciliation, review of documents, etc.
Analytical procedures – Used to compare trends over a certain time period or to get
comparative data from different segments
Computer-assisted audit techniques – Computer software programs that can be used
to identify fraud
Understanding internal controls and testing them so as to understand the loopholes
which allowed the fraud to be perpetrated
Interviewing the suspect(s)
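Computer-assisted audit techniques in practice: the script below is an added example, not from these notes, and runs substantive tests over a constructed payment ledger of the kind a forensic auditor receives from the accounting system. It flags duplicate invoices (same vendor, invoice number and amount paid twice), payments to vendors that are not on the vendor master (the non-existent suppliers mentioned under asset misappropriation), runs of invoices from one vendor kept just under an approval threshold, and, as a rough analytical procedure, compares the first-digit distribution of the amounts against Benford's law. The vendor names, amounts, the 5000 approval limit and the 3-day window are made up; a Benford comparison needs hundreds of records to mean anything, so on this toy ledger it is shown only to illustrate the computation.

```python
"""Computer-assisted audit tests over a payment ledger.

Added example for these notes. The ledger, vendor master and thresholds are
constructed; Benford figures on a ledger this small are illustrative only.
"""
import math
from collections import Counter, defaultdict
from datetime import date

APPROVAL_LIMIT = 5000.00    # assumption: payments >= this need a second approver
SPLIT_WINDOW_DAYS = 3       # assumption: same vendor, invoices within 3 days

VENDOR_MASTER = {"V100": "Acme Supplies", "V200": "RJ Inc", "V300": "Northwind Carts"}

# Constructed ledger: (payment id, vendor id, invoice no, amount, date, approver)
LEDGER = [
    ("P1", "V100", "A-1001", 1240.00, date(2024, 1, 5), "jdoe"),
    ("P2", "V200", "RJ-77", 4900.00, date(2024, 1, 8), "cfo"),
    ("P3", "V200", "RJ-78", 4950.00, date(2024, 1, 9), "cfo"),
    ("P4", "V100", "A-1001", 1240.00, date(2024, 1, 12), "jdoe"),   # duplicate of P1
    ("P5", "V999", "X-1", 2200.00, date(2024, 1, 15), "cfo"),       # vendor not on master
    ("P6", "V300", "N-501", 18230.00, date(2024, 1, 20), "jdoe"),
    ("P7", "V200", "RJ-79", 4975.00, date(2024, 1, 10), "cfo"),
    ("P8", "V300", "N-502", 760.00, date(2024, 2, 1), "jdoe"),
]


def duplicate_payments(ledger):
    """Same vendor + invoice number + amount paid more than once."""
    seen = defaultdict(list)
    for pid, vendor, inv, amount, _, _ in ledger:
        seen[(vendor, inv, round(amount, 2))].append(pid)
    return [ids for ids in seen.values() if len(ids) > 1]


def ghost_vendors(ledger, master):
    """Payments to vendor IDs absent from the vendor master."""
    return [pid for pid, vendor, *_ in ledger if vendor not in master]


def split_invoices(ledger, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW_DAYS, band=0.10):
    """Runs of one vendor's invoices, each within `band` below `limit`, dated within `window` days."""
    by_vendor = defaultdict(list)
    for pid, vendor, _, amt, day, _ in ledger:
        if limit * (1 - band) <= amt < limit:
            by_vendor[vendor].append((day, pid))
    findings = []
    for vendor, items in by_vendor.items():
        items.sort()
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if (cur[0] - prev[0]).days <= window:
                run.append(cur)
            else:
                if len(run) > 1:
                    findings.append((vendor, [p for _, p in run]))
                run = [cur]
        if len(run) > 1:
            findings.append((vendor, [p for _, p in run]))
    return findings


def benford_deviation(amounts):
    """Observed vs expected first-digit frequencies; returns {digit: (obs, exp)}."""
    digits = Counter(int(str(abs(a)).lstrip("0.")[0]) for a in amounts if a)
    n = sum(digits.values())
    return {d: (digits[d] / n, math.log10(1 + 1 / d)) for d in range(1, 10)}


def run_all(ledger=LEDGER, master=VENDOR_MASTER):
    """All four tests over the ledger."""
    return {
        "duplicates": duplicate_payments(ledger),
        "ghost_vendors": ghost_vendors(ledger, master),
        "split_invoices": split_invoices(ledger),
        "benford": benford_deviation([row[3] for row in ledger]),
    }


if __name__ == "__main__":
    for k, v in run_all().items():
        print(k, v)
```

On this ledger the split-invoice test is the one that points back at the unit's own Telemart/RJ Inc scenario: three RJ Inc invoices in three days, each just under the limit and all approved by the CFO, is the pattern a reviewer would pull the supporting documents for before interviewing anyone.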

Reporting – A report is required so that it can be presented to a client about the fraud.
The report should include the findings of the investigation, a summary of the evidence,
an explanation of how the fraud was perpetrated, and suggestions on how internal
controls can be improved to prevent such frauds in the future. The report needs to be
presented to a client so that they can proceed to file a legal case if they so desire.

Court Proceedings – The forensic auditor needs to be present during court proceedings
to explain the evidence collected and how the suspect was identified. They should
simplify the complex accounting issues and explain them in layman's language so that people
who have no understanding of accounting terms can still understand the fraud that
was carried out.
