8 Unit Wise Lecture Notes

UNIT – I Introduction to Cyber Security

Basic Cyber Security Concepts, layers of security, Vulnerability, threat, Harmful acts, Internet
Governance – Challenges and Constraints, Computer Criminals, CIA Triad, Assets and Threat, motive
of attackers, active attacks, passive attacks, Software attacks, hardware attacks, Cyber Threats-Cyber
Warfare, Cyber Crime, Cyber terrorism, Cyber Espionage, etc., Comprehensive Cyber Security Policy

UNIT-I

Introduction to Cyber Security

Cyber Security Introduction - Cyber Security Basics:

Cyber security is a major concern as cyber threats and attacks are growing rapidly.
Attackers are now using more sophisticated techniques to target systems. Individuals,
small-scale businesses and large organizations are all being impacted. So all firms, whether
IT or non-IT, have understood the importance of cyber security and are focusing on adopting
all possible measures to deal with cyber threats.

What is cyber security?

"Cyber security is primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and activities, including
computer network operations, information assurance, law enforcement, etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect
networks, computers, programs and data from attack, damage or unauthorized access.

• The term cyber security refers to techniques and practices designed to protect digital data.
• The data that is stored, transmitted or used on an information system.

OR
Cyber security is the protection of Internet-connected systems, including hardware, software,
and data from cyber attacks.
It is made up of two words: one is cyber and the other is security.
• Cyber relates to the technology which contains systems, networks and programs or data.
• Security relates to protection, which includes systems security, network security, and
application and information security.

Why is cyber security important?

Listed below are the reasons why cyber security is so important in what’s become a
predominantly digital world:

• Cyber attacks can be extremely expensive for businesses to endure.
• In addition to financial damage suffered by the business, a data breach can also inflict
untold reputational damage.
• Cyber-attacks these days are becoming progressively destructive. Cybercriminals are
using more sophisticated ways to initiate cyber attacks.

Why is Cybersecurity Critical?

Cybersecurity is a fast-evolving field that continually poses new challenges for companies,
government agencies, and individuals. While some may assume that cybersecurity means protecting
computers from viruses and other types of malware using anti-virus software or other security
programs, this is only one aspect of the subject.

It is more common than ever for data breaches and cyberattacks to occur. They’re no longer limited to
large corporations with vast resources and sophisticated information security practices. Today,
smaller businesses and those operating online marketplace sites or other e-commerce services are also
at risk.

It takes only one malicious user with access to a computer or mobile device to break into an
organization’s network, steal confidential information, cause damage and bring about lost revenue
and penalties for failing to safeguard assets. Such incidents can also expose companies to liability
risks. Thus, every organization must understand the basics of information security and why it’s
essential for its business.

The excellent accessibility of cloud computing also makes it a popular choice for many
companies, which can access information anywhere, anytime, and from any location.

Important Cybersecurity Fundamentals

The IT Security Fundamentals skill path includes an understanding of computer hardware, software,
and network security. The cybersecurity fundamentals course trains you in developing and
implementing security solutions for small and large organizations, protecting systems and network
infrastructures.

Four Fundamentals of Cybersecurity


1. Device Protection

With the rise in cyber threats, individuals and companies should prioritize device protection. It is
crucial to protect devices that connect to the internet by using anti-virus software, enabling the
lock-and-erase options, activating two-factor authentication, and performing regular automatic
updates of the system software, whether they are laptops, PCs, mobile phones, AI-based devices
(Alexa, smart watches, etc.), iPads, tablets, or any other device that connects to the internet. Device
protection will significantly reduce the risk of attacks on individuals and their devices regardless of
their location.

2. Securing Online Connection

Once an individual device is connected online, information transmitted over the Internet requires
further defenses. One should use a VPN (Virtual Private Network), which encrypts internet traffic
automatically. By using a VPN, all online transactions are protected, including the user’s identity,
location, browsing details, and sensitive information such as passwords and bank details.

3. Securing Email Communication

Cybercriminals often use email to gather sensitive information about individuals or companies. It is
highly recommended to encrypt emails so that sensitive data cannot be read by anyone other than
the intended recipient, since encryption masks the original information. In addition, email
encryption often includes one-time password authentication.

4. Protecting and Performing Timely Backups of Files and Documents

Backups fall into two categories: remote backups (offline) and cloud storage (online). The
solutions differ in their advantages and disadvantages.

Remote backup services are convenient and inexpensive, but they are not easily accessible from
anywhere. Alternatively, cloud solutions can be accessed from anywhere and are suitable for an
organization that operates from different locations.

However, one must ensure that critical documents have their own digital vault with encryption
codes, as anything connected to the internet carries a cyber threat risk.

Cyber threats can, however, affect anything connected to the internet. With a database and
infrastructure security management system, the cloud computing solution is highly secure, with strong
network security, application security, and cloud security. Additionally, strong mobile security
enhances cloud computing security.

By implementing a BCDR plan, an organization can recover quickly from unforeseen cloud security
situations such as natural disasters, power outages, team member negligence, hardware failure, and
cyberattacks, allowing routine operations to resume in less time. Moreover, identity management
frameworks provide endpoint security and data security at the highest level.

Key Concept of Cybersecurity

Cybersecurity refers to protecting systems, networks, programs, devices, and data from cyber-attacks
using technologies, processes, and controls. The basic cybersecurity concepts involve reducing
cyber-attack risks and preventing unauthorized access to systems, networks, and technologies.

Five Primary Key Concepts of Cybersecurity

• Threat identification
• Keeping information safe
• Detecting intrusions and attacks
• Responding to intrusions and attacks
• Rebuilding intrusion defenses and recovering database security

Basic Terminologies of Cyber Security

Cybersecurity basics for beginners should include these terminologies. Knowing the cybersecurity
basics terminology will help you better understand the high-tech world. However, technological
advances in cybersecurity are accompanied by the emergence of new jargon.

1. Internet Protocol (IP) Address

Hardware devices on a network are identified by IP addresses (Internet Protocol addresses). On a
local network or over the internet, these devices can communicate with each other and transfer data.
Each address consists of four numbers separated by periods, each in the range 0 to 255.
An IP address might look like this: 192.159.1.98

Internet computers, routers, and websites need billions of unique IP addresses, since an address
cannot be repeated. IPv6 is a newer protocol designed to meet the need for more addresses when
the system runs out of unique IPv4 addresses in the future.
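The dotted-quad rule above is easy to state and easy to get wrong in code. Below is an added example (not part of these notes) of a small IPv4 parser that enforces the four-numbers-0-to-255 rule, cross-checks itself against Python's standard ipaddress module to classify an address as private, loopback, multicast or public, and recognises IPv6 addresses as well; the sample addresses are constructed for the demonstration.

```python
"""Parse and classify IP addresses (added example, not from the lecture notes)."""
import ipaddress
from typing import Optional, Tuple

Octets = Tuple[int, int, int, int]


def parse_ipv4(text: str) -> Optional[Octets]:
    """Return the four octets of a dotted-quad IPv4 address, or None if invalid.

    The rules enforced are the ones the notes describe: exactly four numbers
    separated by periods, each in the range 0 to 255. Leading zeros are rejected
    too, because some parsers read "010" as octal 8, and two components that
    disagree about what an address means is a classic source of filter bypasses.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not part or any(ch not in "0123456789" for ch in part):
            return None                    # rejects "", "+1", "1a", " 1", unicode digits
        if len(part) > 1 and part[0] == "0":
            return None                    # "01" is ambiguous (decimal or octal?)
        value = int(part)
        if value > 255:
            return None
        octets.append(value)
    return (octets[0], octets[1], octets[2], octets[3])


def classify_ipv4(text: str) -> str:
    """Label an address as invalid, loopback, private, multicast or public.

    The range tables come from the standard library's ipaddress module, so the
    hand-written parser above is cross-checked against it rather than trusted alone.
    """
    if parse_ipv4(text) is None:
        return "invalid"
    addr = ipaddress.IPv4Address(text)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    if addr.is_multicast:
        return "multicast"
    return "public"


def address_version(text: str) -> Optional[int]:
    """Return 4 or 6 for a syntactically valid address of either family, else None.

    IPv6 is the successor the notes mention; its addresses are eight 16-bit
    groups written in hex, e.g. 2001:db8::1 (a reserved documentation address).
    """
    try:
        return ipaddress.ip_address(text).version
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: the address from the notes plus common bad inputs.
    for sample in ["192.159.1.98", "10.0.0.7", "127.0.0.1", "256.1.1.1",
                   "1.2.3", "01.2.3.4", "2001:db8::1"]:
        print(f"{sample:>15}  octets={parse_ipv4(sample)}  "
              f"class={classify_ipv4(sample)}  version={address_version(sample)}")
```

The leading-zero rejection is deliberate: an address that one library reads as 1.2.3.4 and another as 1.2.3.8 is exactly the kind of parsing disagreement that lets an access-control check and the connecting code look at different hosts.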

2. VPN - Virtual Private Network

Virtual Private Network, popularly known as VPN, allows users to maintain their privacy and
anonymity while browsing the internet. VPNs make online activities virtually untraceable by masking
the internet protocol (IP) address.

In addition to providing greater privacy than secured Wi-Fi hotspots, VPN services establish secure
and highly encrypted connections. With a VPN, online activity is hidden from cybercriminals,
businesses, governments, and other snoopers who tend to lure users into clicking on anonymous
links.

3. Firewall

A firewall monitors and filters the system's incoming and outgoing network traffic according to a
company’s security policies. At its most basic, a firewall is a barrier between a private internal
network and the Internet. A firewall blocks traffic that looks malicious and allows safe,
non-threatening traffic to flow uninterrupted.
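To make the allow/deny behaviour concrete, here is an added example (not from the notes) of a minimal stateless packet filter in Python: an ordered rule list with first-match semantics and an implicit final deny, evaluated against constructed sample packets. The policy, addresses and ports are invented for illustration.

```python
"""Stateless packet-filter rule evaluation (added example, not from the notes)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" (from the Internet) or "out" (to the Internet)
    proto: str               # "tcp", "udp" or "icmp"
    src_ip: str
    dst_port: Optional[int]  # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in", "out" or "any"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst_port: Optional[int]  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("any", pkt.direction)
            and self.proto in ("any", pkt.proto)
            and ipaddress.IPv4Address(pkt.src_ip) in self.src
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
        )


ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed policy for an imaginary web server behind the firewall. Rules are
# evaluated top to bottom and the first match wins, so the blocklist entry sits
# above the service allow rules and cannot be bypassed by them.
POLICY: List[Rule] = [
    Rule("deny",  "in",  "any", ipaddress.IPv4Network("203.0.113.0/24"), None),  # blocklisted range (TEST-NET-3)
    Rule("allow", "in",  "tcp", ANY, 443),                                       # public HTTPS
    Rule("allow", "in",  "tcp", ipaddress.IPv4Network("10.0.0.0/8"), 22),        # SSH only from the internal network
    Rule("allow", "out", "any", ANY, None),                                      # hosts may initiate outbound connections
]


def decide(pkt: Packet, rules: List[Rule] = POLICY) -> str:
    """Return "allow" or "deny" for a packet; anything no rule matches is denied.

    The implicit final deny is the important design choice: a firewall that
    defaults to allow only blocks what someone remembered to list.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_log(packets: List[Packet], rules: List[Rule] = POLICY) -> List[str]:
    """Produce one human-readable decision line per packet."""
    return [f"{decide(p, rules):5} {p.direction:3} {p.proto:4} {p.src_ip}:{p.dst_port}"
            for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        Packet("in", "tcp", "198.51.100.7", 443),   # customer browsing the site
        Packet("in", "tcp", "198.51.100.7", 22),    # SSH from the Internet
        Packet("in", "tcp", "10.1.2.3", 22),        # SSH from the internal network
        Packet("in", "tcp", "203.0.113.9", 443),    # blocklisted source, even to an open port
        Packet("in", "udp", "198.51.100.7", 53),    # unsolicited DNS from outside
        Packet("out", "udp", "10.1.2.3", 53),       # our own DNS lookup going out
    ]
    print("\n".join(filter_log(sample)))
```

Real firewalls add connection tracking (so replies to the outbound DNS query are admitted without an explicit inbound rule) and logging of denied packets, which is where detection of scans and misconfigured clients usually starts.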

4. Domain Name Server (DNS)

DNS - Domain Name Server operates as the internet’s virtual phone book. Since every host on the
internet is known by its IP address, which allows users to locate the device, the DNS converts a
domain name into an IP address. For instance, the DNS converts the URL
www.mycompany123.com to the numerical IP address 204.0.6.42. Browsers then send requests to
the origin servers or content delivery network (CDN) using the IP address found by the DNS servers.

5. Encryption and Decryption

Encryption is the process of converting plain text (a readable message) into ciphertext using an
encryption algorithm. Decryption is the reverse process of converting the ciphertext back into
plain text.

6. Encryption Key

Data that has been encrypted is decrypted and unscrambled using an encryption key. Keys are unique
and difficult to replicate, since they are associated with specific encryption codes.
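An added example (not from the notes) that shows encryption, decryption and the role of the key with a one-time pad, a cipher that works by XORing the message with an equally long random key. It demonstrates that the right key recovers the plaintext and a different key yields garbage; the message is constructed for the demonstration.

```python
"""Encryption, decryption and the role of the key, shown with a one-time pad
(added example, not from the lecture notes)."""
import secrets


def generate_key(length: int) -> bytes:
    """Return `length` cryptographically random bytes from the OS CSPRNG."""
    return secrets.token_bytes(length)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with the matching key byte to produce ciphertext.

    A one-time pad is only secure when the key is truly random, at least as
    long as the message, kept secret, and never reused for a second message.
    """
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: applying the same key again restores the plaintext."""
    if len(key) < len(ciphertext):
        raise ValueError("key must be at least as long as the ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, key))


def round_trip(message: bytes):
    """Encrypt, decrypt with the right key, and decrypt with a wrong key.

    Returns (ciphertext, recovered_with_right_key, recovered_with_wrong_key).
    Only the holder of the original key gets the message back.
    """
    key = generate_key(len(message))
    ciphertext = encrypt(message, key)
    right = decrypt(ciphertext, key)
    wrong = decrypt(ciphertext, generate_key(len(message)))
    return ciphertext, right, wrong


if __name__ == "__main__":
    msg = b"meet at the usual place at 9"    # constructed sample plaintext
    ct, ok, bad = round_trip(msg)
    print("ciphertext :", ct.hex())
    print("right key  :", ok)
    print("wrong key  :", bad)
```

The pad is chosen here because its security argument is easy to see, not because it is practical: a key as long as every message, delivered securely and never reused, is what production ciphers such as AES avoid by deriving a key stream from a short key.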

Common Types of Cyber Attacks

The world today is plagued by a variety of cyberattacks. However, our networks and systems are
better protected if we know the types of cyberattacks. Here are the five most common types of
cyberattacks:

1. Malware Attack

• Virus: A virus is a type of malware that can infect all the files on the network, which makes it one
of the most challenging types to eliminate. A computer virus can replicate itself by inserting its
malicious code into other programs.
• Worm: Worms have the power to infect an entire network quickly and require no end-user
involvement, as they can self-replicate.
• Trojan: One of the most challenging types of malware to detect is Trojan malware, as it
disguises itself as a legitimate program. As soon as the victim executes the malicious code and
instructions, the malware can function independently. It is often used as an entry point for other
forms of malware.
• Adware: End-users are served unwanted advertising (for instance, contact pop-ups) by adware.
• Spyware: This type of malware collects sensitive data like user IDs and passwords without the
end-user suspecting anything.
• Ransomware: Known as one of the most dangerous types of malware attack, it infects the
system, encrypts files and withholds the encryption key until the victim pays a ransom. The
ransom is mainly in the form of cryptocurrency over a P2P network. Increasingly, organizations
are being attacked by ransomware that costs them millions to restore vital systems as they pay off
the attackers to recover them. There are several ransomware families, but CryptoLocker, Petya,
and Locky are the most recognized ones.

2. Password Attack

Password attacks most commonly cause data breaches. To gain access to user accounts, the hacker
tries to bypass the authentication.

3. Phishing Attack

The hacker can steal user data through phishing attacks, including login credentials, bank account
details, and credit card numbers. Attackers use disguises to trick victims into opening emails, instant
messages, or text messages that appear to come from trusted entities. After the recipient clicks a
malicious link, sensitive information is revealed, and malware is installed.

4. Clickjacking

In clickjacking, the attacker usually uses some sort of ad online to lure the user. They are tricking a
user into clicking on buttons or links that open to another page that installs malware into the user's
system.

The Adobe Flash plugin settings page is one of the most scandalous examples of clickjacking. This
page could be loaded into an invisible iframe and enable an attacker to manipulate the security
settings in Flash, allowing the computer’s microphone and camera to be used remotely by Flash
animations.
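The Flash example above works only because the settings page could be loaded in an iframe. Below is an added example (not from the notes) in Python showing the response headers a server sends to refuse framing (X-Frame-Options and Content-Security-Policy frame-ancestors) together with a small checker that evaluates, for a given set of headers, whether a third-party origin could frame the page; the origins used are constructed.

```python
"""Anti-framing response headers and a checker that evaluates them
(added example, not from the lecture notes)."""
from typing import Dict, List, Optional


def anti_framing_headers(allowed_ancestors: Optional[List[str]] = None) -> Dict[str, str]:
    """Headers a server should send so its pages cannot be loaded in a hostile iframe.

    With no allowed ancestors the page cannot be framed at all. X-Frame-Options is
    kept for older browsers; modern ones give precedence to CSP frame-ancestors.
    """
    if not allowed_ancestors:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(allowed_ancestors)}


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_allows(source: str, framer: str, page: str) -> bool:
    """Match one CSP source expression against the would-be framing origin."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return framer == page
    if source.endswith(":"):                 # scheme-only source such as https:
        return framer.startswith(source)
    return framer == source


def is_frameable(headers: Dict[str, str], framer_origin: str, page_origin: str) -> bool:
    """Decide whether `page_origin`, served with `headers`, may be framed by `framer_origin`.

    Mirrors browser behaviour at the level needed here: CSP frame-ancestors wins
    when present, X-Frame-Options is consulted otherwise, and a page with neither
    can be framed by anyone, which is the precondition for clickjacking.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    framer = framer_origin.lower()
    page = page_origin.lower()
    sources = _frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        return any(_source_allows(s, framer, page) for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True


def audit(headers: Dict[str, str], page_origin: str) -> str:
    """One-line finding for a response, as a header scanner might report it."""
    # "attacker.invalid" is a constructed third-party origin; .invalid is reserved.
    if is_frameable(headers, "https://attacker.invalid", page_origin):
        return "FAIL: page can be framed by arbitrary third-party origins"
    return "PASS: framing by third-party origins is blocked"


if __name__ == "__main__":
    print(audit({}, "https://app.example"))
    print(audit(anti_framing_headers(), "https://app.example"))
    print(audit(anti_framing_headers(["https://partner.example"]), "https://app.example"))
```

Pages that legitimately need to be embedded (a partner widget, for example) should list the specific ancestor origins rather than dropping the protection, and the checker can be run over captured response headers to find pages that still ship with neither header.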

5. Cryptocurrency Hijacking

Cryptocurrency hijacking is a newer cyber-attack that grew rapidly after cryptocurrency became
widely used. Attackers use cryptojacking to mine cryptocurrency on someone else’s computer.

During the attack, the attacker gains access to the user's computer by infecting their system or
manipulating them into clicking on malicious links. In most cases, the users are unaware of this since
the crypto mining code works in the background, and the only indication that something is wrong is
slower execution.

There are, however, some risks associated with cloud computing, such as the fact that few services are
available in the public domain, and third parties can access these services. Therefore, hackers may be
able to hack these services easily. In addition, cloud computing also poses a severe security risk of
account hijacking. When information in cloud accounts such as email, bank, social media, etc., is not
password protected, it becomes vulnerable, and hackers can access it to perform unauthorized
activities.

• Regulations such as GDPR are forcing organizations into taking better care of the
personal data they hold.

Because of the above reasons, cyber security has become an important part of the
business and the focus now is on developing appropriate response plans that minimize
the damage in the event of a cyber attack.

But an organization or an individual can develop a proper response plan only when they
have a good grip on cyber security fundamentals.

Cyber security Fundamentals – Confidentiality:

Confidentiality is about preventing the disclosure of data to unauthorized parties.

It also means trying to keep the identity of authorized parties involved in sharing and holding
data private and anonymous.

Often confidentiality is compromised by cracking poorly encrypted data, Man-in-the-middle
(MITM) attacks, or disclosing sensitive data.

Standard measures to establish confidentiality include:

• Data encryption
• Two-factor authentication
• Biometric verification
• Security tokens

Integrity

Integrity refers to protecting information from being modified by unauthorized parties.

Standard measures to guarantee integrity include:

• Cryptographic checksums
• Using file permissions
• Uninterrupted power supplies
• Data backups
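The first item, cryptographic checksums, is the one a practitioner can demonstrate directly. The added example below (not from the notes) computes a plain SHA-256 checksum and a keyed HMAC-SHA256 tag over a constructed record and shows why only the keyed version detects deliberate tampering; the key and record are invented.

```python
"""Detecting unauthorized modification with checksums and keyed checksums (HMAC)
(added example, not from the lecture notes)."""
import hashlib
import hmac


def checksum(data: bytes) -> str:
    """Plain SHA-256 checksum.

    Detects accidental corruption, but anyone who can alter the data can also
    recompute this value, so on its own it does not stop a deliberate attacker.
    """
    return hashlib.sha256(data).hexdigest()


def integrity_tag(data: bytes, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256).

    Cannot be recomputed without the secret key, so a modification is detected
    even if the attacker can rewrite the stored tag alongside the data.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking how many tag characters matched."""
    return hmac.compare_digest(integrity_tag(data, key), tag)


def tamper_scenario(key: bytes):
    """Show why a plain checksum is not enough.

    Returns (plain_check_passes, hmac_check_passes) after an attacker has
    rewritten the record and everything stored next to it. The expected outcome
    is (True, False): the plain checksum is fooled, the keyed tag is not.
    """
    record = b"payee=alice;amount=100"                 # constructed sample record
    stored_tag = integrity_tag(record, key)             # computed by the key holder

    altered = b"payee=mallory;amount=100"               # attacker's modified record
    stored_sum = checksum(altered)                      # attacker overwrites the plain checksum too
    plain_check_passes = checksum(altered) == stored_sum

    # Without the key the attacker can only leave the old tag in place (or guess).
    hmac_check_passes = verify(altered, key, stored_tag)
    return plain_check_passes, hmac_check_passes


if __name__ == "__main__":
    demo_key = b"constructed-secret-key"   # in practice: random, from a key store
    print("sha256 of empty input:", checksum(b""))
    print("plain checksum fooled, HMAC fooled:", tamper_scenario(demo_key))
```

Plain hashes still have a place, for example verifying a download against a hash published over a separately trusted channel; what they cannot do is protect data and its checksum stored in the same place an attacker can write to.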

Availability

Availability is making sure that authorized parties are able to access the information when
needed.

Standard measures to guarantee availability include:

• Backing up data to external drives
• Implementing firewalls
• Having backup power supplies
• Data redundancy

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to
alter computer code, logic or data and leads to cybercrimes, such as information and identity
theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks
2) System-based attacks

Web-based attacks

These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-

1. Injection attacks

It is the attack in which some data will be injected into a web application to manipulate the
application and fetch the required information.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.

2. DNS Spoofing

DNS Spoofing is a type of computer security attack whereby forged data is introduced into a DNS
resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to
the attacker's computer or any other computer. DNS spoofing attacks can go on for a long
period of time without being detected and can cause serious security issues.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create
cookies to store the state and user sessions. By stealing the cookies, an attacker can have access
to all of the user data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number. It occurs when an attacker is masquerading as a trustworthy
entity in electronic communication.

5. Brute force

It is a type of attack which uses a trial and error method. This attack generates a large number
of guesses and validates them to obtain actual data like a user password or personal
identification number. This attack may be used by criminals to crack encrypted data, or by
security analysts to test an organization's network security.

6. Denial of Service

It is an attack which is meant to make a server or network resource unavailable to users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. It uses a single system and a single internet connection to attack a server. It can be
classified into the following-

Volume-based attacks- The goal is to saturate the bandwidth of the attacked site; measured in
bits per second.

Protocol attacks- These consume actual server resources; measured in packets per second.

Application layer attacks- The goal is to crash the web server; measured in requests per
second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and tries each of them to
obtain the original password.
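Both brute force and dictionary attacks depend on being allowed to try many guesses. As an added example (not from the notes), here is a server-side throttle in Python that locks an account after repeated failures within a sliding window, with a lockout that doubles each time; account names and timestamps are constructed.

```python
"""Server-side throttling that blunts brute-force and dictionary attacks on
passwords (added example, not from the lecture notes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)   # timestamps of recent failed attempts
    locked_until: float = 0.0


@dataclass
class LoginThrottle:
    """Lock an account after too many failures inside a sliding window.

    The lockout length doubles each time the account is locked again, so a slow
    guessing campaign grows exponentially slower instead of simply resuming.
    """
    max_failures: int = 5         # failures tolerated inside the window
    window: float = 900.0         # seconds (15 minutes)
    base_lockout: float = 60.0    # first lockout length in seconds
    _state: Dict[str, AccountState] = field(default_factory=dict)
    _lock_count: Dict[str, int] = field(default_factory=dict)

    def _acct(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def allowed(self, user: str, now: float) -> bool:
        """Whether a login attempt for `user` may even be evaluated right now."""
        return now >= self._acct(user).locked_until

    def record_failure(self, user: str, now: float) -> None:
        acct = self._acct(user)
        # Keep only failures inside the sliding window, then add this one.
        acct.failures = [t for t in acct.failures if now - t < self.window] + [now]
        if len(acct.failures) >= self.max_failures:
            n = self._lock_count.get(user, 0)
            acct.locked_until = now + self.base_lockout * (2 ** n)
            self._lock_count[user] = n + 1
            acct.failures.clear()

    def record_success(self, user: str) -> None:
        """A genuine login clears the failure history and the escalation counter."""
        self._state.pop(user, None)
        self._lock_count.pop(user, None)

    def seconds_until_unlock(self, user: str, now: float) -> float:
        return max(0.0, self._acct(user).locked_until - now)


def simulate(events: List[Tuple[str, bool, float]],
             throttle: Optional[LoginThrottle] = None) -> List[str]:
    """Replay (user, password_correct, timestamp) events and return one outcome each.

    The throttle is consulted before the password is checked, so a locked
    account costs the attacker nothing but a rejection.
    """
    th = throttle or LoginThrottle()
    outcomes = []
    for user, correct, now in events:
        if not th.allowed(user, now):
            outcomes.append("rejected: locked")
        elif correct:
            th.record_success(user)
            outcomes.append("ok")
        else:
            th.record_failure(user, now)
            outcomes.append("failed")
    return outcomes


if __name__ == "__main__":
    # Constructed sequence: six wrong guesses one second apart, then the real password.
    events = [("carol", False, float(t)) for t in range(6)] + [("carol", True, 100.0)]
    for ev, out in zip(events, simulate(events)):
        print(f"t={ev[2]:>6.1f} user={ev[0]} -> {out}")
```

Per-account lockout has two known weaknesses to plan for: it can be turned against legitimate users by deliberately failing their logins, and it does nothing against password spraying, where one common password is tried once against many accounts. Pair it with per-source rate limits and alerting on failure volume across accounts.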

8. URL Interpretation

It is a type of attack where an attacker changes certain parts of a URL to make a web server
deliver web pages which he is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or sensitive files available
on the web server, or to execute malicious files on the web server, by making use of the
include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between client and
server and act as a bridge between them. Due to this, the attacker is able to read, insert
and modify the data in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-

1. Virus

It is a type of malicious software program that spreads throughout the computer's files without
the knowledge of the user. It is a self-replicating malicious computer program that replicates by
inserting copies of itself into other computer programs when executed. It can also execute
instructions that cause harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself to spread to uninfected
computers. It works in the same way as a computer virus. Worms often originate from email
attachments that appear to be from trusted senders.

3. Trojan horse

It is a malicious program that causes unexpected changes to computer settings and unusual
activity, even when the computer should be idle. It misleads the user about its true intent. It
appears to be a normal application, but when opened or executed some malicious code runs in
the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services.
Some bot programs run automatically, while others only execute commands when they receive
specific input. Common examples of bot programs are crawlers, chatroom bots, and
malicious bots.

Layers of security in cyber security

The OSI Model

Unfortunately, cybersecurity today goes far beyond a networking-only approach. Today,
cybersecurity traverses far beyond the network realm to the endpoint, perimeter, and the humans on
the other side.

That’s why we propose a new model that looks at cybersecurity more holistically.
The 7 layers of cyber security should centre on the mission critical assets you are seeking to
protect.

1: Mission Critical Assets – This is the data you need to protect.
2: Data Security – Data security controls protect the storage and transfer of data.
3: Application Security – Applications security controls protect access to an application, an
application’s access to your mission critical assets, and the internal security of the application.
4: Endpoint Security – Endpoint security controls protect the connection between devices and
the network.
5: Network Security – Network security controls protect an organization’s network and prevent
unauthorized access of the network.
6: Perimeter Security – Perimeter security controls include both the physical and digital security
methodologies that protect the business overall.
7: The Human Layer – Humans are the weakest link in any cyber security posture. Human
security controls include phishing simulations and access management controls that protect
mission critical assets from a wide variety of human threats, including cyber criminals,
malicious insiders, and negligent users.

Vulnerability, threat, Harmful acts

As the recent epidemic of data breaches illustrates, no system is immune to attacks. Any
company that manages, transmits, stores, or otherwise handles data has to institute and enforce
mechanisms to monitor their cyber environment, identify vulnerabilities, and close up security
holes as quickly as possible.

Before identifying specific dangers to modern data systems, it is crucial to understand the
distinction between cyber threats and vulnerabilities.

Cyber threats are security incidents or circumstances with the potential to have a negative
outcome for your network or other data management systems.
Examples of common types of security threats include phishing attacks that result in the
installation of malware that infects your data, failure of a staff member to follow data
protection protocols that cause a data breach, or even a tornado that takes down your
company’s data headquarters, disrupting access.

Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt
threat actors to exploit them.

Types of vulnerabilities in network security include but are not limited to SQL injections,
server misconfigurations, cross-site scripting, and transmitting sensitive data in a non-encrypted
plain text format.

When threat probability is multiplied by the potential loss that may result, cyber security
experts refer to this as a risk.

Threat, vulnerability, and risk are interrelated terms but not the same. In this article, we
are going to discuss the difference between them and how they are related to each other.

Threat

A cyber threat is a malicious act that seeks to steal or damage data or disrupt the digital network
or system. Threats can also be defined as the possibility of a successful cyber attack gaining access
to the sensitive data of a system unethically. Examples of threats include computer viruses, Denial
of Service (DoS) attacks, data breaches, and sometimes even dishonest employees.
Types of Threat
Threats could be of three types, which are as follows:
1. Intentional- Malware, phishing, and accessing someone’s account illegally, etc. are examples of
intentional threats.
2. Unintentional- Unintentional threats are considered human errors, for example, forgetting to
update the firewall or the anti-virus could make the system more vulnerable.
3. Natural- Natural disasters can also damage the data, they are known as natural threats.

Vulnerability:

In cybersecurity, a vulnerability is a flaw in a system’s design, security procedures, internal controls,
etc., that can be exploited by cybercriminals. In some very rare cases, cyber vulnerabilities are created
as a result of cyberattacks, not because of network misconfigurations. A vulnerability can also arise
if an employee downloads a virus or falls for a social engineering attack.
Types of Vulnerability
Vulnerabilities could be of many types, based on different criteria, some of them are:
1. Network- Network vulnerability is caused when there are some flaws in the network’s hardware or
software.
2. Operating system- When an operating system designer designs an operating system with a policy
that grants every program or user full access to the computer, it allows viruses and malware to
make changes on behalf of the administrator.
3. Human- Users’ negligence can cause vulnerabilities in the system.
4. Process- Specific process control can also cause vulnerabilities in the system.

Risk:

Cyber risk is a potential consequence of the loss or damage of assets or data caused by a cyber threat.
Risk can never be completely removed, but it can be managed to a level that satisfies an organization’s
tolerance for risk. So, our target is not to have a risk-free system, but to keep the risk as low as
possible.
Cyber risks can be defined with this simple formula- Risk = Threat + Vulnerability. Cyber risks are
generally determined by examining the threat actor and type of vulnerabilities that the system has.
Types of Risks
There are two types of cyber risks, which are as follows:
1. External- External cyber risks are those which come from outside an organization, such as
cyberattacks, phishing, ransomware, DDoS attacks, etc.
2. Internal- Internal cyber risks come from insiders. These insiders could have malicious intent or
may simply not be properly trained.

Difference Between Threat, Vulnerability, and Risk

1. Definition
   Threat: Takes advantage of vulnerabilities in the system and has the potential to steal and
   damage data.
   Vulnerability: Known as the weakness in hardware, software, or designs, which might allow
   cyber threats to happen.
   Risk: The potential for loss or destruction of data caused by cyber threats.

2. Control
   Threat: Generally, can’t be controlled.
   Vulnerability: Can be controlled.
   Risk: Can be controlled.

3. Intent
   Threat: It may or may not be intentional.
   Vulnerability: Generally, unintentional.
   Risk: Always intentional.

4. Mitigation
   Threat: Can be blocked by managing the vulnerabilities.
   Vulnerability: Vulnerability management is a process of identifying the problems, then
   categorizing them, prioritizing them, and resolving the vulnerabilities in that order.
   Risk: Reducing data transfers, downloading files from reliable sources, updating the
   software regularly, hiring a professional cybersecurity team to monitor data, developing an
   incident management plan, etc. help to lower the possibility of cyber risks.

5. Detection
   Threat: Can be detected by anti-virus software and threat detection logs.
   Vulnerability: Can be detected by penetration testing hardware and many vulnerability
   scanners.
   Risk: Can be detected by identifying mysterious emails, suspicious pop-ups, observing
   unusual password activities, a slower than normal network, etc.
SECURITY VULNERABILITIES, THREATS AND ATTACKS

– Categories of vulnerabilities
  • Corrupted (Loss of integrity)
  • Leaky (Loss of confidentiality)
  • Unavailable or very slow (Loss of availability)
– Threats represent potential security harm to an asset when vulnerabilities are exploited
– Attacks are threats that have been carried out
  • Passive – Make use of information from the system without affecting system resources
  • Active – Alter system resources or affect operation
  • Insider – Initiated by an entity inside the organization
  • Outsider – Initiated from outside the perimeter

Internet Governance – Challenges and Constraints

- Governance ON the Internet
  • Governance of issues pre-dating the Internet
  • Issue is not new, but Internet causes significant qualitative or quantitative change
    – Institutions exist but may not be ready
    – Legal structure may not be ready
    – People and their expectations may not be ready
  • Malefactors quick to identify such gaps
    – Extra-legal activities quick to exploit them
- Responsibility for content, social issues
  • Taxonomy of this IG space not well mapped
    – May often be country specific
  • Key question: “Whose responsibility is ____?”
  • Initial response: Whose responsibility is this in the non-Internet world
  • There may be gaps, i.e. orphan issues
  • Internet user forced to take additional responsibilities
    – New classes of intermediaries may be required
  • This mapping is urgently needed
- Identifying where the issue lives
  • At what level does the issue exist?
    – Local, national, regional, international?
  • Some issues demand international cooperation
  • Many (most?) issues are national in scope
    – National IGFs to identify and solve them
    – Importance of multistakeholder approach
  • Centrality of national policy and regulatory structure
- Internet governance focus is too limited
  • Larger objective is exploitation of ICTs for economic and social development
    – Internet governance alone could be a distraction
  • Some questions that should be asked at the national level follow
    – Answers all depend upon nature of government regulation and policy in multiple sectors
    – Answers all describe the existing “ICT governance policy” of the country, including the Internet

Computer criminals
Computer criminals have access to enormous amounts of hardware, software, and data; they
have the potential to cripple much of effective business and government throughout the world.
In a sense, the purpose of computer security is to prevent these criminals from doing damage.
We say computer crime is any crime involving a computer or aided by the use of one.
Although this definition is admittedly broad, it allows us to consider ways to protect ourselves,
our businesses, and our communities against those who use computers maliciously.
One approach to prevention or moderation is to understand who commits these crimes and
why. Many studies have attempted to determine the characteristics of computer criminals. By
studying those who have already used computers to commit crimes, we may be able in the
future to spot likely criminals and prevent the crimes from occurring.

Cyber crime is taken very seriously by law enforcement. In the early days of the cyber security
world, the typical cyber criminals were teenagers or hobbyists operating from a home laptop,
with attacks principally restricted to pranks and malicious mischief. Today, the world of cyber
criminals has become far more dangerous. Attackers are individuals or teams who attempt to
exploit vulnerabilities for personal or financial gain.

Types of Cyber Criminals:
1. Hackers: The term hacker may refer to anyone with technical skills; however, it typically
refers to an individual who uses his or her skills to achieve unauthorized access to systems or
networks in order to commit crimes. The intent of the break-in determines the classification of
these attackers as white, grey, or black hats. White hat attackers break into networks or computer
systems to find weaknesses in order to improve the security of those systems. The owners of the
system give permission for the break-in, and they receive the results of the test. On the other
hand, black hat attackers take advantage of any vulnerability for illegal personal, monetary or
political gain. Grey hat attackers are somewhere between white and black hat attackers. Grey hat
attackers may find a vulnerability and report it to the owners of the system if that action
coincides with their agenda.
 (a). White Hat Hackers – These hackers use their programming skills for a good and lawful
purpose. They may perform network penetration tests in an attempt to compromise networks and
discover network vulnerabilities. Security vulnerabilities are then reported to developers to
fix them, and these hackers can also work together as a blue team. They use only the limited,
ethically obtained resources provided by the company, and they perform pentesting solely to
check the security of the company against external threats.
 (b). Gray Hat Hackers – These hackers commit violations and do seemingly deceptive things,
but not for personal gain or to cause harm. They may disclose a vulnerability to the affected
organization after having compromised its network, or they may exploit it.
 (c). Black Hat Hackers – These hackers are unethical criminals who violate network security
for personal gain. They misuse vulnerabilities to compromise computer systems, and they exploit
whatever information or data they obtain from unethical pentesting of the network.
2. Organized Hackers: These criminals include organizations of cyber criminals, hacktivists,
terrorists, and state-sponsored hackers. Cyber criminals are typically teams of skilled
criminals focused on control, power, and wealth. They are extremely sophisticated and
organized, and may even offer crime as a service. These attackers are usually highly trained
and well-funded.

3. Internet stalkers: Internet stalkers are people who maliciously monitor the web activity of
their victims to acquire personal data. This type of cyber crime is conducted through the use
of social networking platforms and malware that are able to track an individual's PC activity
with little or no detection.
4. Disgruntled Employees: Disgruntled employees become hackers with a particular motive and
also commit cyber crimes. It is hard to believe that dissatisfied employees can become such
malicious hackers. In the past, their only option was to go on strike against their employers.
But with the advancement of technology, the increase in computer-based work and the automation
of processes, it is simple for disgruntled employees to do far more damage to their employers
and organization by committing cyber crimes. Attacks by such employees can bring the entire
system down.

CIA Triad
The CIA Triad is actually a security model that has been developed to help people think about
various parts of IT security.
What is the CIA Triad?
The three letters in "CIA triad" stand for Confidentiality, Integrity, and Availability. The CIA triad is a
common model that forms the basis for the development of security systems.

CIA triad broken down:

Confidentiality

It's crucial in today's world for people to protect their sensitive, private information from
unauthorized access.

Protecting confidentiality is dependent on being able to define and enforce certain access levels
for information. In some cases, doing this involves separating information into various
collections that are organized by who needs access to the information and how sensitive that
information actually is, i.e. the amount of damage suffered if the confidentiality was breached.

Some of the most common means used to manage confidentiality include access control lists,
volume and file encryption, and Unix file permissions.

Integrity

Data integrity is what the "I" in CIA Triad stands for.

This is an essential component of the CIA Triad and designed to protect data from deletion or
modification from any unauthorized party, and it ensures that when an authorized person makes
a change that should not have been made the damage can be reversed.

Availability

This is the final component of the CIA Triad and refers to the actual availability of your data.
Authentication mechanisms, access channels and systems all have to work properly so that the
information they protect is available when it is needed.

Understanding the CIA triad

The CIA Triad is all about information. While this is considered the core factor of the majority
of IT security, it promotes a limited view of the security that ignores other important factors.

For example, even though availability may serve to make sure you don't lose access to resources
needed to provide information when it is needed, thinking about information security in itself
doesn't guarantee that someone else hasn't used your hardware resources without authorization.
It's important to understand what the CIA Triad is, how it is used to plan and also to implement
a quality security policy while understanding the various principles behind it. It's also important
to understand the limitations it presents. When you are informed, you can utilize the CIA Triad
for what it has to offer and avoid the consequences that may come along by not understanding
it.

Why is the CIA triad important?

Each letter in the CIA triad represents a foundational principle in cybersecurity. The importance of
the security model speaks for itself: Confidentiality, integrity and availability are considered the
three most important concepts in infosec.

Considering these three principles together within the triad framework guides the development of
security policies for organizations. When evaluating needs and use cases for potential new products
and technologies, the triad helps organizations ask focused questions about how value is being
provided in those three key areas.

Benefits of the CIA triad

The CIA triad provides multiple benefits to businesses, especially to ones that deal with sensitive
data. The benefits of triad implementation include the following:

 Data security and privacy. The most obvious benefit is ensuring preparedness in the face of
today's sophisticated cyber attacks and other unauthorized attempts to access, steal or manipulate
valuable data.

 Compliance. Ensuring the confidentiality, integrity and availability of sensitive information
means regulations and legal frameworks that exist to safeguard this information are followed.

 Proactive risk prevention. When applied correctly, the triad creates an environment where
security risks are proactively prevented. Existing vulnerabilities are identified and mitigated to
prevent future threats.

 Comprehensiveness. The three components mean that security teams aren't just concerned with
thwarting attackers, but they're also ensuring the veracity and availability of their data. For
example, when a large volume of data is needed for analysis, following the CIA triad means the
data is available and accessible when needed.

CIA triad challenges

Challenges or concerns that may arise when attempting to adhere to this triad include the following:
 Large data volumes. Big data poses challenges to the CIA paradigm because of the sheer
volume of information that organizations need safeguarded, the many sources that data comes
from and the variety of formats in which it exists. Duplicate data sets and DR plans can multiply
the already-high costs.

 Data stewardship and governance. Because the main concern of big data is collecting and
making some kind of useful interpretation of all this information, responsible data stewardship,
auditing and oversight are often lacking. Whistleblower Edward Snowden brought that problem
to the public forum when he reported on the National Security Agency's collection of massive
volumes of U.S. citizens' personal data.

 Internet of things (IoT) security and privacy. Almost any physical or logical entity or object
can be given a unique identifier and the ability to communicate autonomously over the internet
or a similar network. The data transmitted by an IoT endpoint might not cause any privacy issues
on its own. However, when even fragmented data from multiple endpoints is gathered, collated
and analyzed, it can yield sensitive information. IoT security is challenging because it involves
so many internet-enabled devices that often go unpatched and are configured with default or
weak passwords. Unless adequately protected, IoT can be used as a separate attack vector or part
of a thingbot.

 Security in product development. As more products are developed with the capacity to be
networked, it's important to routinely consider security in product development. The amount of
potential attack vectors for hackers and other malicious actors who want to access sensitive
information increases as more network-connected products become available.

Best practices for implementing the CIA triad

In implementing the CIA triad, an organization should follow a general set of best practices. These
can be divided into the three subjects and include the following:

1. Confidentiality

o Follow an organization's data-handling security policies.

o Use encryption and 2FA.

o Keep access control lists and other file permissions up to date.

2. Integrity
o Ensure employees are knowledgeable about compliance and regulatory requirements to
minimize human error.

o Use backup and recovery software and services.

o Use version control, access control, security control, data logs and checksums.

3. Availability

o Use preventive measures, such as redundancy, failover and RAID.

o Ensure systems and applications stay updated.

o Use network or server monitoring systems.

o Have a data recovery and business continuity plan in place in case of data loss.
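
The "checksums" and "data logs" items under Integrity above are easy to get subtly wrong: a plain hash list detects modification and deletion, but an attacker who can rewrite the files can usually rewrite the hash list too. The following is an added example, not part of the lecture notes, showing a keyed manifest that catches both cases; the file names, contents and key are constructed for the demo.

```python
"""Integrity checking with a keyed checksum manifest.

Added example (not from the lecture notes): it illustrates the "checksums"
and "data logs" best practice for the Integrity leg of the CIA triad.
Files are modelled as an in-memory dict of name -> bytes so the example
runs offline; the key, file names and contents are constructed here.
"""
import hashlib
import hmac
import json

# Constructed secret. In practice it lives outside the protected data store
# (HSM, secrets manager, separate host) so that whoever can alter the files
# cannot also recompute the manifest seal.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def file_digest(data: bytes) -> str:
    """Plain SHA-256 of a file's content, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Record a digest per file and seal the whole listing with an HMAC.

    The per-file digests detect modification and deletion; the HMAC over the
    serialized listing detects an attacker who edits the manifest itself to
    match tampered files.
    """
    entries = {name: file_digest(data) for name, data in sorted(files.items())}
    serialized = json.dumps(entries, sort_keys=True).encode()
    seal = hmac.new(key, serialized, hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def verify_manifest(files: dict[str, bytes], manifest: dict, key: bytes) -> dict:
    """Compare current files against a manifest.

    Returns a report with the manifest's own trustworthiness plus the names of
    files that were modified, deleted, or added since the manifest was built.
    """
    entries = manifest["entries"]
    serialized = json.dumps(entries, sort_keys=True).encode()
    expected_seal = hmac.new(key, serialized, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch via timing
    manifest_ok = hmac.compare_digest(expected_seal, manifest["seal"])

    modified = sorted(n for n in entries if n in files and file_digest(files[n]) != entries[n])
    deleted = sorted(n for n in entries if n not in files)
    added = sorted(n for n in files if n not in entries)
    return {
        "manifest_ok": manifest_ok,
        "modified": modified,
        "deleted": deleted,
        "added": added,
        "clean": manifest_ok and not (modified or deleted or added),
    }


# Constructed sample "files": a minimal configuration set an admin might protect.
BASELINE = {
    "etc/app.conf": b"listen=443\nadmin_users=alice,bob\n",
    "etc/hosts.allow": b"10.0.0.0/8\n",
    "bin/deploy.sh": b"#!/bin/sh\necho deploying\n",
}


def demo() -> dict:
    """Build a manifest, then simulate three kinds of unauthorized change."""
    manifest = build_manifest(BASELINE, MANIFEST_KEY)

    tampered = dict(BASELINE)
    tampered["etc/app.conf"] = b"listen=443\nadmin_users=alice,bob,mallory\n"  # modified
    del tampered["etc/hosts.allow"]                                            # deleted
    tampered["bin/extra.sh"] = b"#!/bin/sh\n"                                  # added

    # Someone who can write the files but lacks the key recomputes the entries
    # to match the tampered state; the HMAC seal then no longer verifies.
    forged = dict(manifest)
    forged["entries"] = {n: file_digest(d) for n, d in sorted(tampered.items())}

    return {
        "baseline": verify_manifest(BASELINE, manifest, MANIFEST_KEY),
        "tampered": verify_manifest(tampered, manifest, MANIFEST_KEY),
        "forged_manifest": verify_manifest(tampered, forged, MANIFEST_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "forged_manifest" case is the one a plain checksum list misses: every per-file digest matches, and only the seal reveals that the manifest itself was rewritten.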

Effects of cyber crime


The list below includes some of the most immediate effects:
 lost money due to online theft
 expenses incurred to fix problems and prevent future cybercrimes
 loss of reputation due to personal information that is revealed
 corrupted files due to viruses
 long-term debt created resulting in poor credit rating due to online identity theft

Computer crimes

Types of targets:
 Hardware hacking
 Software hacking
 Information and website hacking
 Bandwidth theft
 Service theft

HARDWARE HACKING
Hardware hacking refers to attacks aimed at specific pieces of hardware. The goal of these attacks is
to unlock the hardware in order to give the owner access to features that are normally locked.

SOFTWARE HACKING
Software hacking is achieved by finding software exploits and breaking software protection.

When finding software exploits, hackers look for weaknesses in an application’s security. These
exploits are used to gain unauthorised access to the software itself, or gain remote access to the
computer.

When breaking software protection, the goal of hackers is to remove the protection which ensures
that the software was purchased and is used legally. This allows people to play pirated games or use
pirated software.

WEBSITE AND INFORMATION HACKING

Hacking a website is illegally obtaining the password in order to add, edit or delete data stored on
that website. After hacking, the hacker inserts harmful programs by injecting malicious code into
the website.

Website and information hacking is used for several different reasons:


 Steal users' personal information (email addresses, passwords, credit card information) for
identity theft
 Build a database of common usernames and passwords
 Deface the website or place political messages on the website
 Reroute traffic from the website to a phishing website
IDENTITY THEFT
Identity theft happens when a criminal gains access to your personal information and uses that
information to gain some benefit. This can include taking out loans in your name, taking control of
your existing bank or service accounts, creating a phone number in your name, or using your name
to commit other illegal activities.

BANDWIDTH THEFT
Bandwidth theft occurs when someone links to a file on your website or server from their own
website. A video hotlinked in this way, for example, uses your bandwidth for every user who views it.

SERVICE THEFT
Service theft occurs on the Internet whenever someone illegally uses a username and password to
access an online service.

INTERNET RELATED FRAUD SCHEMES


Internet fraud is the use of Internet services or software to defraud victims or to otherwise take
advantage of them. Some examples of Internet related fraud schemes are: business fraud, credit card
fraud, fraudulent investment schemes, non-delivery of merchandise etc.

INTERNET ATTACKS (WORMS, MALWARE, DENIAL OF SERVICE, BACK DOORS)

An attack targeting an enterprise's use of cyberspace for the purpose of disrupting or maliciously
controlling a computing environment, destroying the integrity of the data or stealing controlled
information. Some types of Internet attacks are: worms, malware, denial-of-service (DoS) attacks,
phishing, back doors, drive-by attacks, SQL injection attacks, and so on.

PHISHING
Phishing is an attempt by cybercriminals to obtain sensitive information (usernames, passwords
and credit card details) by posing as legitimate institutions, usually via an electronic communication.

UNAUTHORISED REMOTE CONTROL AND ADMINISTRATION, FOR EXAMPLE, BOTNETS, ZOMBIES

Remote administration refers to any method of controlling a computer from a remote location. Bot
programs allow attackers to remotely control vulnerable computers and form virtual networks of
zombies – botnets.

RIGHT TO ACCESS VS RIGHT TO PRIVACY, MISUSE OF PERSONAL INFORMATION

Individuals and corporations have the right to know where the data originated, the right to have
inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to
withhold permission to use data in some circumstances. For example, individuals have the right
to opt out, free of charge, from being sent direct marketing material, without providing any specific
reason.

Online services require users to provide personal information in order to use their service. Personal
information may include your full name, address, phone numbers, date of birth, email address,
username and password and banking details. Although personal information is used responsibly
online by many businesses for legitimate communication, it is not always the case and some personal
information can be misused by criminals (used to commit fraud and identity theft)

Assets and Threat

What is an Asset: An asset is any data, device or other component of an organization's
systems that is valuable – often because it contains sensitive data or can be used to access such
information.

For example: An employee's desktop computer, laptop or company phone would be considered
an asset, as would applications on those devices. Likewise, critical infrastructure, such as
servers and support systems, are assets. An organization's most common assets are information
assets. These are things such as databases and physical files – i.e. the sensitive data that you
store.
What is a threat: A threat is any incident that could negatively affect an asset – for example,
if it’s lost, knocked offline or accessed by an unauthorized party.

Threats can be categorized as circumstances that compromise the confidentiality, integrity or
availability of an asset, and can either be intentional or accidental.

Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical
malfunction or an event that causes physical damage, such as a fire or natural disaster.
Cybersecurity threats are acts performed by individuals with harmful intent, whose goal is to steal
data, cause damage to or disrupt computing systems. Common categories of cyber threats include
malware, social engineering, man in the middle (MitM) attacks, denial of service (DoS), and injection
attacks—we describe each of these categories in more detail below.

Cyber threats can originate from a variety of sources, from hostile nation states and terrorist groups, to
individual hackers, to trusted individuals like employees or contractors, who abuse their privileges to
perform malicious acts.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:


 Nation states—hostile countries can launch cyber attacks against local companies and institutions,
aiming to interfere with communications, cause disorder, and inflict damage.
 Terrorist organizations—terrorists conduct cyber attacks aimed at destroying or abusing critical
infrastructure, threaten national security, disrupt economies, and cause bodily harm to citizens.
 Criminal groups—organized groups of hackers aim to break into computing systems for economic
benefit. These groups use phishing, spam, spyware and malware for extortion, theft of private
information, and online scams.
 Hackers—individual hackers target organizations using a variety of attack techniques. They are
usually motivated by personal gain, revenge, financial gain, or political activity. Hackers often
develop new threats, to advance their criminal ability and improve their personal standing in the
hacker community.
 Malicious insiders—an employee who has legitimate access to company assets, and abuses their
privileges to steal information or damage computing systems for economic or personal gain. Insiders
may be employees, contractors, suppliers, or partners of the target organization. They can also be
outsiders who have compromised a privileged account and are impersonating its owner.

Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses, worms, trojans, spyware,
and ransomware, and is the most common type of cyberattack. Malware infiltrates a system, usually
via a link on an untrusted website or email or an unwanted software download. It deploys on the target
system, collects sensitive data, manipulates and blocks access to network components, and may
destroy data or shut down the system altogether.

Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the application runs, the malicious
code executes.
 Worms—malware that exploits software vulnerabilities and backdoors to gain access to an operating
system. Once installed in the network, the worm can carry out attacks such as distributed denial of
service (DDoS).
 Trojans—malicious code or software that poses as an innocent program, hiding in apps, games or
email attachments. An unsuspecting user downloads the trojan, allowing it to gain control of their
device.
 Ransomware—a user or organization is denied access to their own systems or data via encryption.
The attacker typically demands a ransom be paid in exchange for a decryption key to restore access,
but there is no guarantee that paying the ransom will actually restore full access or functionality.
 Cryptojacking—attackers deploy software on a victim’s device, and begin using their computing
resources to generate cryptocurrency, without their knowledge. Affected systems can become slow
and cryptojacking kits can affect system stability.
 Spyware—a malicious actor gains access to an unsuspecting user’s data, including sensitive
information such as passwords and payment details. Spyware can affect desktop browsers, mobile
phones and desktop applications.
 Adware—a user’s browsing activity is tracked to determine behavior patterns and interests, allowing
advertisers to send the user targeted advertising. Adware is related to spyware but does not involve
installing software on the user’s device and is not necessarily used for malicious purposes, but it can
be used without the user’s consent and compromise their privacy.
 Fileless malware—no software is installed on the operating system. Native files like WMI and
PowerShell are edited to enable malicious functions. This stealthy form of attack is difficult to detect
(antivirus can’t identify it), because the compromised files are recognized as legitimate.
 Rootkits—software is injected into applications, firmware, operating system kernels or hypervisors,
providing remote administrative access to a computer. The attacker can start the operating system
within a compromised environment, gain complete control of the computer and deliver additional
malware.

Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for malware. The victim
provides sensitive information or unwittingly installs malware on their device, because the attacker
poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually with a promise of something
attractive like a free gift card. The victim provides sensitive information such as credentials to the
attacker.
 Pretexting—similar to baiting, the attacker pressures the target into giving up information under false
pretenses. This typically involves impersonating someone with authority, for example an IRS or
police officer, whose position will compel the victim to comply.
 Phishing—the attacker sends emails pretending to come from a trusted source. Phishing often
involves sending fraudulent emails to as many users as possible, but can also be more targeted. For
example, “spear phishing” personalizes the email to target a specific user, while “whaling” takes this a
step further by targeting high-value individuals such as CEOs.
 Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing sensitive data
or grant access to the target system. Vishing typically targets older individuals but can be employed
against anyone.
 Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the victim.
 Piggybacking—an authorized user provides physical access to another individual who “piggybacks”
off the user’s credentials. For example, an employee may grant access to someone posing as a new
employee who misplaced their credential card.
 Tailgating—an unauthorized individual follows an authorized user into a location, for example by
quickly slipping in through a protected door after the authorized user has opened it. This technique is
similar to piggybacking except that the person being tailgated is unaware that they are being used by
another individual.

Supply Chain Attacks

Supply chain attacks are a new type of threat to software developers and vendors. Their purpose is to
infect legitimate applications and distribute malware via source code, build processes or software
update mechanisms.

Attackers look for insecure network protocols, server infrastructure, and coding techniques,
and use them to compromise build and update processes, modify source code and hide malicious
content.
Supply chain attacks are especially severe because the applications being compromised
by attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware. Malicious
code runs with the same trust and privileges as the compromised application.

Types of supply chain attacks include:

 Compromise of build tools or development pipelines
 Compromise of code signing procedures or developer accounts
 Malicious code sent as automated updates to hardware or firmware components
 Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two endpoints,
such as a user and an application. The attacker can eavesdrop on the communication, steal sensitive
data, and impersonate each party participating in the communication.

Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate actor, such as a
business, that users may connect to. The fraudulent Wi-Fi allows the attacker to monitor the activity
of connected users and intercept data such as payment card details and login credentials.
 Email hijacking—an attacker spoofs the email address of a legitimate organization, such as a bank,
and uses it to trick users into giving up sensitive information or transferring money to the attacker.
The user follows instructions they think come from the bank but are actually from the attacker.
 DNS spoofing—a Domain Name Server (DNS) is spoofed, directing a user to a malicious website
posing as a legitimate site. The attacker may divert traffic from the legitimate site or steal the user’s
credentials.
 IP spoofing—an internet protocol (IP) address connects users to a specific website. An attacker can
spoof an IP address to pose as a website and deceive users into thinking they are interacting with that
website.
 HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but can also be
used to trick the browser into thinking that a malicious website is safe. The attacker uses “HTTPS” in
the URL to conceal the malicious nature of the website.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic, hindering
the ability of the system to function normally. An attack involving multiple devices is known as a
distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to overwhelm an
application or web server. This technique does not require high bandwidth or malformed packets, and
typically tries to force a target system to allocate as many resources as possible for each request.
 SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection sequence involves
sending a SYN request that the host must respond to with a SYN-ACK that acknowledges the request,
and then the requester must respond with an ACK. Attackers can exploit this sequence, tying up
server resources, by sending SYN requests but not responding to the SYN-ACKs from the host.
 UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets sent to
random ports. This technique forces the host to search for applications on the affected ports and
respond with “Destination Unreachable” packets, which uses up the host resources.
 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target, consuming both
inbound and outgoing bandwidth. The servers may try to respond to each request with an ICMP Echo
Reply packet, but cannot keep up with the rate of requests, so the system slows down.
 NTP amplification—Network Time Protocol (NTP) servers are accessible to the public and can be
exploited by an attacker to send large volumes of UDP traffic to a targeted server. This is considered
an amplification attack due to the query-to-response ratio of 1:20 to 1:200, which allows an attacker to
exploit open NTP servers to execute high-volume, high-bandwidth DDoS attacks.
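
The SYN flood item above describes the handshake a server is waiting to finish; from the defender's side the observable symptom is a source that keeps opening handshakes and never completes them. The following is an added example, not part of the lecture notes, that replays constructed connection-tracking records and flags such sources (all addresses, timestamps and thresholds are made up for the demo).

```python
"""Detecting a SYN flood from connection-tracking records.

Added example, not from the lecture notes. It models the TCP handshake the
notes describe: a client's SYN opens a half-open entry that the client's ACK
is supposed to complete. Sources that leave many entries half-open past a
timeout are flagged. All packet records, addresses and thresholds here are
constructed for the demo (192.0.2.x and 203.0.113.x are documentation ranges).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src_ip: str
    src_port: int
    flag: str       # "SYN" = client opens handshake, "ACK" = client completes it


def half_open_by_source(packets: Iterable[Packet], timeout: float = 1.0,
                        now: Optional[float] = None) -> dict[str, int]:
    """Replay packets and count, per source IP, handshakes left half-open.

    A SYN registers (src_ip, src_port) with its timestamp; the matching ACK
    removes it. Entries still pending for at least `timeout` seconds at `now`
    are the ones the server is still holding resources for.
    """
    packets = sorted(packets, key=lambda p: p.ts)
    pending: dict[tuple[str, int], float] = {}
    for p in packets:
        key = (p.src_ip, p.src_port)
        if p.flag == "SYN":
            pending[key] = p.ts
        elif p.flag == "ACK":
            pending.pop(key, None)   # handshake completed; resources released
    if now is None:
        now = packets[-1].ts if packets else 0.0
    counts: dict[str, int] = defaultdict(int)
    for (ip, _port), opened in pending.items():
        if now - opened >= timeout:
            counts[ip] += 1
    return dict(counts)


def flag_syn_flood_sources(packets: Iterable[Packet], threshold: int = 50,
                           **kwargs) -> list[str]:
    """Source IPs whose stale half-open count reaches the threshold."""
    counts = half_open_by_source(packets, **kwargs)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def constructed_capture() -> list[Packet]:
    """Constructed traffic: two well-behaved clients, one flooder, one slow client."""
    pkts: list[Packet] = []
    for i in range(20):                       # legitimate clients complete quickly
        t = i * 0.1
        for ip, base in (("192.0.2.10", 40000), ("192.0.2.11", 50000)):
            pkts.append(Packet(t, ip, base + i, "SYN"))
            pkts.append(Packet(t + 0.05, ip, base + i, "ACK"))
    for i in range(200):                      # flooder: 200 SYNs, no ACK ever follows
        pkts.append(Packet(i * 0.01, "203.0.113.7", 1024 + i, "SYN"))
    pkts.append(Packet(4.5, "192.0.2.12", 60000, "SYN"))   # recent SYN, still within timeout
    return pkts


if __name__ == "__main__":
    capture = constructed_capture()
    print(half_open_by_source(capture, timeout=1.0, now=5.0))
    print(flag_syn_flood_sources(capture, threshold=50, timeout=1.0, now=5.0))
```

In production the kernel's connection tracking already keeps these counts; the usual mitigation on Linux is enabling SYN cookies (`net.ipv4.tcp_syncookies`), which lets the server avoid holding state for unacknowledged SYNs in the first place.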

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the code of a
web application. Successful attacks may expose sensitive information, execute a DoS attack or
compromise the entire system.

Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters an SQL query into an end user input channel, such as a web form
or comment field. A vulnerable application will send the attacker’s data to the database, and will
execute any SQL commands that have been injected into the query. Most web applications use
databases based on Structured Query Language (SQL), making them vulnerable to SQL injection. A
new variant on this attack is NoSQL attacks, targeted against databases that do not use a relational
data structure.
 Code injection—an attacker can inject code into an application if it is vulnerable. The web server
executes the malicious code as if it were part of the application.
 OS command injection—an attacker can exploit a command injection vulnerability to input
commands for the operating system to execute. This allows the attack to exfiltrate OS data or take
over the system.
 LDAP injection—an attacker inputs characters to alter Lightweight Directory Access Protocol
(LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries. These attacks are very
severe because LDAP servers may store user accounts and credentials for an entire organization.
 XML eXternal Entities (XXE) Injection—an attack is carried out using specially-constructed XML
documents. This differs from other attack vectors because it exploits inherent vulnerabilities in legacy
XML parsers rather than unvalidated user inputs. XML documents can be used to traverse paths,
execute code remotely and execute server-side request forgery (SSRF).
 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious JavaScript. The
target’s browser executes the code, enabling the attacker to redirect users to a malicious website or
steal session cookies to hijack a user’s session. An application is vulnerable to XSS if it doesn’t
sanitize user inputs to remove JavaScript code.

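
The SQL injection item above says a vulnerable application "will execute any SQL commands that have been injected into the query"; the root cause is that user input and query text are mixed into one string before the database parses it. The following is an added example, not part of the lecture notes, that places the vulnerable form beside the parameterized fix on a constructed in-memory SQLite table.

```python
"""SQL injection: vulnerable string-built query beside the parameterized form.

Added example (not from the lecture notes). The user table and credentials
are constructed; sqlite3 from the standard library stands in for any SQL
database, since the defect is in how the query is assembled, not the engine.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table: two accounts, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by concatenation, so the input is parsed as SQL.

    Kept deliberately vulnerable to show the defect described in the notes.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the statement text is fixed and the driver binds
    the input as values, so it can never change the statement's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# The textbook tautology: it closes the string literal and appends a condition
# that is always true, so the WHERE clause matches every row.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Run an honest login and the tautology input through both variants."""
    conn = make_db()
    return {
        "honest_login": login_safe(conn, "bob", "battery-staple"),
        # Concatenated query: WHERE ... AND password = '' OR '1'='1' -> all rows
        "vulnerable_with_tautology": login_vulnerable(conn, "anyone", TAUTOLOGY),
        # Bound parameter: looks for a literal password "' OR '1'='1" -> no rows
        "safe_with_tautology": login_safe(conn, "anyone", TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same separation of code from data is the fix for the other vectors in the list (LDAP filters, OS commands, HTML output): keep the structure fixed and pass untrusted input through the API's escaping or binding mechanism rather than into the string.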
Motive of Attackers

The categories of cyber-attackers enable us to better understand the attackers' motivations and
the actions they take. As shown in Figure, operational cyber security risks arise from three
types of actions: i) inadvertent actions (generally by insiders) that are taken without malicious
or harmful intent; ii) deliberate actions (by insiders or outsiders) that are taken intentionally
and are meant to do harm; and iii) inaction (generally by insiders), such as a failure to act in a
given situation, either because of a lack of appropriate skills, knowledge or guidance, or because
the correct person is not available to take action. Of primary concern here are deliberate actions,
of which there are three categories of motivation.

1. Political motivations: examples include destroying, disrupting, or taking control of
targets; espionage; and making political statements, protests, or retaliatory actions.
2. Economic motivations: examples include theft of intellectual property or other
economically valuable assets (e.g., funds, credit card information); fraud; industrial
espionage and sabotage; and blackmail.
3. Socio-cultural motivations: examples include attacks with philosophical, theological,
political, and even humanitarian goals. Socio-cultural motivations also include fun,
curiosity, and a desire for publicity or ego gratification.

Types of cyber-attacker actions and their motivations when deliberate

1. The Opportunistic Attacker

The ‘Opportunistic attacker’ is the most common type in terms of victim volume. As can be
inferred by their name, many of these attackers rely on probability, meaning their malware
spreads as much as possible in order to increase their chance of success without a specific target
in mind. Therefore, the industrial sector is not the target of this threat specifically, rather it suffers
the infection as a side effect, simply on account of having its computers connected to the internet.

"In the ICS world, we consider the enterprise world as untrusted"
- Dale Peterson at S4 2019

The main attacker's motivation is money. When the infection takes place, the attacker usually
tries to use the infected computer for monetization using different techniques, such as:
 Ransomware - blocking access to files on the machines by encrypting them until payment is
made by the user.
 Botnets - harnessing the processing power of the computer, for example to mine cryptocurrencies.

Other motivations may include data gathering or using the infected computer as a bot for future
attacks. In some cases, attacks will not have a specific motivation in mind. Sometimes people
develop malware just for fun, with no real intention behind their work. Many cases of targetless
attacks are accidental - downloading the wrong file or visiting the wrong website.

The potential severity of this kind of attack varies greatly depending on the company that was
infected, as well as the complexity and nature of the malware. Most companies have adequate
segmentation and communication policies thereby avoiding excessive propagation of the
malware. However, companies that lack these measures could have their operations considerably
interrupted. Recent ransomware attacks cost manufacturing companies $50M-$300M in
damages strictly by blocking access to IT servers that were in charge of production. In some
events, companies were forced to shut down entire plants until the risk was fully remediated.

For security teams, reducing the attack surface can help limit the impact of this type of attack.
This can include limiting the ability of threats to migrate between IT and OT while increasing
visibility and protection on the points of connection. Educating employees on cyber risk can help
bring greater awareness and involvement in safe and secure operations.

2. Industrial Opportunistic Attackers

This is the second-largest group of attackers in terms of volume. These attackers use
opportunistic infection methods but they specifically target industrial companies and once again,
the main motivation is money. However, in this case, the attackers know that targeting an
industrial company can result in higher profits and they use this for their benefit. Ransomware is
extremely popular in ICS attacks, for example.

Manufacturers have a very low tolerance for downtime. Even a couple of days without
production can cause severe damage to income or reputation, and that is just the tip of the iceberg.
Downtime in the energy sector, for example, can cause large-scale power outages. Consequently,
industrial companies are more inclined to pay ransom demands, which is exactly what the
attackers behind this method are counting on - targeting a wide array of plants, some will get
infected, most will pay.

Other attackers may spread their malware, hoping to gain access to a company to later sell this
access to the highest bidder. Another motivation is attackers who are looking to gather data,
without a specific victim in mind, they only know that they wish to target the ICS sector. The
industrial opportunistic attacks have a wide range of potential severity which depends on the
company and malware. To cope, security teams should stay alert and aware of the perimeter;
personnel training and monitoring of the networks are the best actions that the team can
take.

3. Competitors

Intellectual Property (IP) is a key element in the growing industrial world. Innovative methods
of production, solutions, etc. are pieces of data that help companies excel in their field. Data theft
via cyber espionage can have a catastrophic impact on a given company. The rarity of this type
of attack is unknown.

Attackers typically aim at two different outcomes:

1. Learning the secret "recipe" for the production of a certain product.
2. Trying to hinder or stop the production of the competitors.

Unlike the direct financial damages in the first two methods, espionage enters a different category
of reputation and status. Various companies pride themselves in their innovative methods for
solutions in their field of work; losing this information can be devastating to them. Companies
that implement unique production methods will lose their edge against competitors who will have
access to their work methods, thus bringing them down to par with the others.

Intellectual Property can be found everywhere and on all levels of the factory - from enterprise
IT all the way down to the lowest OT levels. Therefore, other than the obvious solution of
network monitoring, communication policies, and so forth, the best measure security teams can
turn to is containment. Performing the following actions will help to minimize the locations of
IP on your network, and ensure that communication with these assets is minimized, encrypted,
and requires high privileges.

- Minimize the IT computers that have recipes, work methods, work statistics, etc. on them.
- Minimize the number of computers that directly communicate or gather data from the OT layer.
- Minimize the number of users who can access these computers.
- Implement DLP software, and encrypt the information you wish to keep safe.

4. Insider Threat

A disgruntled employee or ex-employee can seek revenge against their employer. Sabotage from
inside the company usually means catastrophic outcomes for that company. Since it is an “inside
job”, employees who have access to the company’s network can perform any action an external
hacker could if they had elevated privileges and full access. Revenge attacks by employees are
impactful but rare. Their primary motivation is emotional - getting revenge, letting out
frustration, and so forth.

Since these attackers work from within the network, they are most likely to act with relatively
high privileges and authorization. Employees who use cyberattacks as their revenge are most
likely from departments that have a vast knowledge of communications and networking (IT
departments for example), meaning that they are familiar with the organization’s soft spots.
Adopting principles such as granting the least amount of privilege and the separation of duties
aid in limiting the impact of this attack vector.

For security teams, blocking ex-employees is much easier than blocking current employees.
When it comes to existing employees it is hard to differentiate between legitimate and malicious
activity. In some cases, the person whose employment was terminated was able to access the
network remotely with their old VPN credentials and perform destructive actions on the network.
A simple, yet effective action that security teams can implement is to promptly revoke the access
of dismissed employees, making sure that they can no longer access the systems.

5. Advanced Persistent Threats (APT)

Advanced Persistent Threats are seen in the industrial world when an organization or country
tries to stop or damage the production process as part of cyberwar. Other motivations can be
efforts to block the technical advancement of a specific country or to send a message to an
opponent. APTs are more dedicated and tailored than the attacks that were mentioned earlier in
the article. These attacks usually have a very clear target in advance, and they serve a specific
purpose. Fortunately, there have been very few known OT-oriented APT attacks in history.
The main goal of APTs is psychological warfare, e.g. sending a message to opponents. Therefore
the targets are typically high-profile companies and critical infrastructures. Thus ensuring power
grid, defense, and oil and gas cybersecurity is crucial. History has shown that APTs often do not
target small companies, or cause minor damages. Since many of these attacks are complex,
state-sponsored, and customized to their target, their severity tends to be very high.

Unfortunately for security teams, stopping APTs is virtually impossible. There is a long-standing
belief that “if an attacker has enough funds, manpower, and motivation, they will be successful
in their attack”. This belief is exemplified through APTs, where attacks often have sufficient
resources to carry out years of preparation and ongoing operations. Nevertheless, security teams
can better their odds by implementing all the lessons learned throughout this article.

Securing their perimeter, making sure their network communication is monitored, and that their
components are patched and up to date with the latest versions can help minimize the
attacks dramatically. An effective step security teams can take is to minimize the network
information available online.

Active attacks: An active attack is a network exploit in which a hacker attempts to make
changes to data on the target or data en route to the target.

Types of Active attacks:

Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain
access or to gain greater privileges than they are authorized for. A masquerade may be
attempted through the use of stolen login IDs and passwords, through finding security gaps in
programs or through bypassing the authentication mechanism.

Session replay: In this type of attack, a hacker steals an authorized user’s login information
by stealing the session ID. The intruder gains access and the ability to do anything the
authorized user can do on the website.

Message modification: In this attack, an intruder alters packet header addresses to direct a
message to a different destination or modify the data on a target machine.

In a denial of service (DoS) attack, users are deprived of access to a network or web resource.
This is generally accomplished by overwhelming the target with more traffic than it can handle.

In a distributed denial-of-service (DDoS) exploit, large numbers of compromised systems
(sometimes called a botnet or zombie army) attack a single target.
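As an added illustration (not part of these notes), the Python sketch below shows how a receiver can detect the two active attacks just described, message modification and session replay, by checking an HMAC tag over the payload together with a sequence counter. The shared key, the messages and the audit log are constructed for the demo.

```python
import hmac
import hashlib
import json

# Constructed demo key: in practice a shared key is provisioned out of band,
# never hard-coded in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def sign_message(key: bytes, counter: int, payload: dict) -> dict:
    """Attach a monotonically increasing counter and an HMAC-SHA256 tag.

    The tag covers both the counter and the payload, so changing either one
    (message modification) or re-sending an old message (replay) is detected
    by the receiver.
    """
    body = json.dumps({"ctr": counter, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"ctr": counter, "payload": payload, "tag": tag}


class Receiver:
    """Verifies tags and rejects counters that do not advance."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ctr = -1
        self.log = []  # constructed audit log of (decision, reason, counter)

    def accept(self, msg: dict) -> bool:
        body = json.dumps({"ctr": msg["ctr"], "payload": msg["payload"]},
                          sort_keys=True)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking timing information while checking the tag
        if not hmac.compare_digest(expected, msg["tag"]):
            self.log.append(("REJECT", "tag mismatch: message was modified", msg["ctr"]))
            return False
        # An old or repeated counter means the message is being replayed
        if msg["ctr"] <= self.last_ctr:
            self.log.append(("REJECT", "stale counter: replayed message", msg["ctr"]))
            return False
        self.last_ctr = msg["ctr"]
        self.log.append(("ACCEPT", "ok", msg["ctr"]))
        return True


def demo() -> list:
    """Run three constructed scenarios: genuine, modified, replayed, then fresh."""
    rx = Receiver(SHARED_KEY)
    genuine = sign_message(SHARED_KEY, 1, {"action": "transfer", "amount": 100})
    results = [rx.accept(genuine)]                      # accepted
    # Attacker alters the payload in transit but cannot recompute the tag
    tampered = dict(genuine, payload={"action": "transfer", "amount": 9999})
    results.append(rx.accept(tampered))                 # rejected: modified
    # Attacker re-sends the captured genuine message
    results.append(rx.accept(genuine))                  # rejected: replayed
    fresh = sign_message(SHARED_KEY, 2, {"action": "transfer", "amount": 5})
    results.append(rx.accept(fresh))                    # accepted
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```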

Passive Attacks: Passive attacks are relatively scarce from a classification perspective, but can
be carried out with relative ease, particularly if the traffic is not encrypted.

Types of Passive attacks:

Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities.
For the attack to be useful, the traffic must not be encrypted. Any unencrypted information,
such as a password sent in response to an HTTP request, may be retrieved by the attacker.

Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce
information relating to the exchange and the participating entities, e.g. the form of the
exchanged traffic (rate, duration, etc.). In the cases where encrypted data are used, traffic
analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain information
or succeed in unencrypting the traffic.

What is an Active Attack?

Active Attack Definition: An active attack is a type of cyberattack in which a hacker attacks
a system and modifies the data or the information according to their requirements to perform
malicious tasks.
During active attacks, the attacker takes an active role in an attempt to gain unauthorized access
to a system or network. To do that, they can perform various malicious activities, such as
injecting malware, launching a denial-of-service (DoS) attack, or altering data. An active attack
typically aims to gain control over the system or steal data.
When an active attack happens, the victim gets informed about the attack as the data changes or
modifies. And, because of the data modification, these attacks greatly threaten the integrity and
availability of data.
Here are some examples of active attacks:
 Phishing: In this attack, the hacker attempts to gain unauthorized access to a computer
system to seize, modify, or steal data.
 Man-in-the-Middle: In this attack, the hacker intercepts and relays communications
between two parties who assume they are talking directly with one another.
 Ransomware: In this attack, the hacker uses malware to prevent a user or organization from
accessing files on their computer.

What is a Passive Attack?

Passive Attack Definition: A passive attack is a cyberattack in which a hacker attacks a
system and copies or reads the contents of the message or the information available but does
not modify the information.
During passive attacks, the attacker monitors and eavesdrops on the network traffic to gain
access to confidential or sensitive data. Passive attacks are extremely hard to identify, as the
attacker does not actively take part in the attack. Hence, the victim is uninformed about the
attack as there is no change in the data.
Here are some examples of passive attacks:
 Eavesdropping: In this type of attack, the hacker listens in on other people’s conversations
without their knowledge.
 Footprinting: In this type of attack, the hacker gathers as much information as possible
regarding a computer system or network to find ways to penetrate it.

Key Differences Between Active and Passive Attacks

Here are the key differences between active and passive attacks:
 A passive attack does not harm the attacked system, whereas an active attack does.
 An active attack can be easily detected, whereas a passive attack is difficult to detect.
 In an active attack, the victim is informed that he has been attacked, but that’s not the case in
a passive attack.
 An active attack is a danger to the integrity and availability of the data. Whereas a passive
attack is a danger to the confidentiality of the data.
 The purpose behind active attacks is to harm the system or the organization. But, passive
attacks aim to learn about the system or the organization.
 An active attack is a type of attack in which hackers modify the information or the data. In
contrast, a passive attack is an attack in which hackers do not modify the information or the
data.

Software Attacks: Malicious code (sometimes called malware) is a type of software
designed to take over or damage a computer user's operating system, without the user's
knowledge or approval. It can be very difficult to remove and very damaging. Common
malware examples are listed in the following table:

Attack: Virus
A virus is a program that attempts to damage a computer system and replicate itself
to other computer systems. A virus:
 Requires a host to replicate and usually attaches itself to a host file or a hard drive sector.
 Replicates each time the host is used.
 Often focuses on destruction or corruption of data.
 Usually attaches to files with execution capabilities such as .doc, .exe, and .bat extensions.
 Often distributes via e-mail. Many viruses can e-mail themselves to everyone in your address book.
 Examples: Stoned, Michelangelo, Melissa, I Love You.

Attack: Worm
A worm is a self-replicating program that can be designed to do any number of things, such as
delete files or send documents via e-mail. A worm can negatively impact network traffic just in
the process of replicating itself. A worm:
 Can install a backdoor in the infected computer.
 Is usually introduced into the system through a vulnerability.
 Infects one system and spreads to other systems on the network.
 Example: Code Red.

Attack: Trojan horse
A Trojan horse is a malicious program that is disguised as legitimate software. Discretionary
environments are often more vulnerable and susceptible to Trojan horse attacks because security
is user focused and user directed. Thus the compromise of a user account could lead to the
compromise of the entire environment. A Trojan horse:
 Cannot replicate itself.
 Often contains spying functions (such as a packet sniffer) or backdoor functions that allow a
computer to be remotely controlled from the network.
 Often is hidden in useful software such as screen savers or games.
 Examples: Back Orifice, Net Bus, Whack-a-Mole.

Attack: Logic Bomb
A Logic Bomb is malware that lies dormant until triggered. A logic bomb is a specific example of
an asynchronous attack.
 A trigger activity may be a specific date and time, the launching of a specific program, or the
processing of a specific type of activity.
 Logic bombs do not self-replicate.
Cyber Security: Software Threats

Many software threats now target smartphones specifically, so approaches to cybersecurity that
are based on desktop computers are not always effective. While viruses that target smartphones
are simply the mobile versions of ones that target your desktop or laptop computer, man-in-the-
middle attacks take advantage of free Wi-Fi in order to place hackers between your device and a
Wi-Fi hotspot and steal your information and details from your apps. Bluejacking is the sending
of unwanted or unsolicited messages to strangers via Bluetooth technology. It can be a serious
problem if obscene or threatening messages and images are sent. Bluesnarfing is the actual theft
of data from Bluetooth enabled devices (including both mobile phones and laptops): contact lists,
phonebooks, images and other data may be stolen in this way. Mobile Ransomware is malware
that locks up your device. If your device has been infected with the malware, you lose all access
to every part of your phone until you pay a ransom to the hacker/criminal who has taken control
over your device. [3] Phishing or Smishing usually starts as an email or text claiming to be from a
person or business that you know. This email usually contains a link that asks you to verify
information. This information in turn goes straight to the scammer to steal and use your details.

Free Wi-Fi

Since we are constantly trying to connect to public Wi-Fi networks, there is a constant threat of
these networks stealing your personal information. Kevin Du, a computer science professor at
Syracuse University, claims that “if you don’t have a VPN, you’re leaving a lot of doors on your
perimeter open.” A VPN or a Virtual Private Network “creates a secure connection between you
and the internet,”[6] which means your IP address (all your internet activity)[7] and your location
are encrypted, keeping hackers and cybercriminals away. For smartphones, it’s best to turn VPN
on only when on an insecure connection or app in order to preserve battery life.

Ransomware

Ransomware is a type of cyber extortion. Criminals “threaten to seize, damage, or release
electronic data owned by the victim,” with the main goal being to obtain money rather than
data. Scareware is similar to ransomware, except it only tries to make you think your device has
been compromised or infected by a virus.

Bluejacking

Bluejacking uses a feature originally intended to exchange contact information to send
anonymous, unwanted messages to other users with Bluetooth-enabled mobile phones or laptops.
In some cases, this is used to send obscene or threatening messages or images. It could be used to
spread malware, as well.

Bluesnarfing

Bluesnarfing is the actual theft of data from Bluetooth enabled devices (especially phones). Like
bluejacking, it depends on a connection to a Bluetooth phone being available. A Bluetooth user
running the right software from a laptop can discover a nearby phone and steal the contact list,
phonebook and images etc. Furthermore, your phone’s serial number can be downloaded and
used to turn off the phone. Again, the only current defense is to turn your Bluetooth off by setting
it to “undiscoverable.”

Phishing and Smishing Scams

This scam starts, usually, as an email from a friend or business asking you to verify your
information. This can also come in the form of a text message (Smishing) or phone calls from a
company you could have recently contacted asking for payment confirmation. If given this
information, the cybercriminals can obtain access to your details in order to take your money or
steal your information.

Security Tips

 In order to protect yourself from mobile viruses it is important to regularly update your operating
system, as these updates can contain fixes to security vulnerabilities. The security software for
your smartphone may even come with password managers to keep your login information safe.
 To make sure you don’t fall victim to phishing scams, do not click on emails you do not
recognize and be certain the email is from the person you think it is by checking the sender’s
whole email address before you click on a link.
 If you are no longer able to access your smartphone due to Ransomware, make sure you have
backed up your data either onto the cloud, your laptop or a remote device.
 Don’t download unnecessary or unfamiliar apps, as some of these can come with spyware,
ransomware and data leakages. Do a bit of research on the app and its developer before you add it
to your device.
 Turn off your features if you are not using them, such as Bluetooth and Wi-Fi. This is especially
important when you are in a public place with free Wi-Fi, as your phone might automatically
connect, making your data more vulnerable to hacking.
 Don’t access public Wi-Fi unless you are sure the network is safe and reliable. If possible, check
with the provider (library, coffee shop, etc.) to find out which network is the real one. Never use
public Wi-Fi to send any important data like your bank account login or credit card information.
 Install the HTTPS Everywhere extension to your browser to prevent man-in-the-middle attacks.

Understanding Malware

Email viruses (phishing) and SMS viruses (smishing)

Most email viruses (phishing scams) rely on the user double clicking on an attachment that most
often comes from a person you recognize on your emailing system. That person’s email could
have been hacked as well, or it could be an email that looks the same, but when expanded is from
a different source altogether. The attachment, when clicked, runs a malicious code that mails
itself to other users from that computer. Any attachment that you open on your computer could
contain a virus and infect your computer even if the extension appears to be safe (such as .txt,
.doc or .jpg). Some viruses can infect users as soon as they open the email. These viruses may
compromise your computer’s security or steal data, but more often they create excessive email
traffic and crash servers. Viruses can also be spread by clicking on links in emails that lead to
malware sites.

SMS viruses (smishing) depend on the user getting a text message or a phone call from an
unknown number. The hackers use social leveraging to obtain anything from an online password
to your social security number. The text messages can also appear to be from companies you have
used recently, like Canada Post telling you that you have a customs fee to pay to receive your
package. Once you click on the link and enter your credit card information, the hacker has all
they need to steal your money and personal details.

Macro viruses
This type of virus, also known as a document virus, takes advantage of macros (commands
embedded in word processing and spreadsheet software that run automatically) to infect your
computer. A macro virus can copy itself and spread from one file to another. If you open a file
that contains a macro virus, it copies itself into the application’s start up files and infects the
computer. The next file you open using the same program, and every file thereafter, will become
infected; the infection can therefore spread rapidly across a network. When Microsoft first
introduced macros, the company was not aware of the many security risks that would be imposed
on them. With their latest updates, when you open a Word document the macros will not run
unless you approve them (because you know the document is from a reputable source), which
stops a macro virus from erupting on your computer (PC or Mac).

Boot sector viruses

Boot-sector viruses (the oldest type of viruses) are mostly spread through infected storage
devices such as USB drives. When your computer is turned on, the hardware seeks out the boot-
sector program, the program the computer runs when it starts up. This is generally located on
the hard drive but can also be on a storage device such as a USB drive. A boot-sector virus
replaces the original boot-sector with its own, modified version. Upon your next start up, the
infected boot sector is used and the virus becomes active. It can then read or modify any files or
programs on your computer.

Adware

This type of intrusive software displays advertisements on your computer and has become
increasingly more aggressive since 2019 on Windows, Mac and Android devices. These usually
come in the form of banners and pop-ups when an application is in use and try to “sell something
to users, inflate views of ads, or scam people out of their money.” Adware can become a serious
problem if it installs itself onto your machine: it can hijack your browser (Internet
Explorer, Firefox, Chrome or Safari, for example) to display more ads even on your social media
accounts (such as Instagram and Facebook), as well as gather data from your Web browsing
without your consent and prevent you from uninstalling it. The most common issues
with adware are that it can slow down your internet connection or render your computer unstable,
as well as distract you and waste your time and money.

Spyware

While technically a form of adware, spyware has as its primary function the collection of small
pieces of information without users’ knowledge. One form of spyware, called
a keylogger, actually monitors everything you input into your computer. In addition to
monitoring your input and internet surfing habits, spyware can interfere with your control over
your computer by installing additional software, redirecting your browser, changing computer
settings and slowing or cutting off your internet connection. Other types of spyware include:
tracking cookies, trojans and system monitors.

Security tips

 To avoid viruses you should run anti-virus software (Norton, McAfee and Avira are examples of
reputable programs) and avoid clicking on unexpected attachments. Installing patches (a
software “fix” designed to address holes and vulnerabilities in software) issued by software
vendors can also protect you as they can close down vulnerabilities exploited by viruses. In
particular, it is important to keep your browser (the program you use for accessing the Web, such
as Internet Explorer, Firefox, Chrome or Safari) up-to-date, as browsers are one of the main
targets of viruses.
 To avoid email viruses, be careful about downloading attachments. You should only download
an attachment from an email if you know the sender and are certain that their account has not
been compromised. Signs that an e-mail account has been compromised include a subject line
that makes no sense and mass-mailings to all of the account’s contacts.
 To avoid SMS viruses on your smart phone, do not open a link from any number you do not
know. If a company has sent you a text message asking for information either in the form of your
credit card or personal details, contact that company separately first and do not click on any links.
 Avoid opening any documents that are not from a sender you know and trust. If any of your
programs begin behaving oddly, run a scan using your anti-virus software immediately.
 To avoid viruses and other malware carried on storage devices, use only storage devices that you
have bought new. Before using any storage device, run anti-virus software on it and do so again
every time you plug a storage device into a different computer.
 If you do not want ads popping up on your social media timelines from items you have previously
searched online, try installing a browser plugin such as Privacy Badger or Disconnect.
 Most privacy software detects adware and labels it as “potentially unwanted applications.” You
can then authorize the adware or choose to remove it.
 Similarly, most anti-spyware software will be included with a comprehensive anti-virus program
or you can opt for dedicated software.

General tips - Most computers come with embedded security features including a firewall. This
prevents unknown programs and processes from accessing the system, but is not a replacement
for anti-virus software. Your firewall can be located and activated from your computer’s control
panel. Some websites maintained by anti-virus vendors offer free online scanning of your entire
computer system, but verify the source to be sure. Some sites which claim to scan for viruses
actually plant malware on your computer.

Cookies

A cookie is a small text file saved on your computer by a website, mainly used as a means for
session management, personalization and tracking while surfing the Web. Some cookies can be
useful, making for a smoother browsing experience. For instance, they can save small pieces of
information into memory, such as your name, so that you don’t constantly have to re-enter it on
your most frequently visited websites. Cookies are essential to common features of websites such
as “shopping carts” (which store your purchasing decisions while you browse an online
commerce site such as Amazon). These cookies are usually deleted after you leave the website or
within a few days of not visiting it.

Other cookies, however, can be far more of a nuisance. These cookies will recreate themselves
after the user has deleted them. A script will then keep this information in some other location on
the computer, unbeknownst to the user. Other kinds are able to closely track your online habits
and can last up to a year on a given server.

Understanding cookies

There are several different types of cookies. Each has different properties:

Session cookies

This type of cookie only lasts for the duration of your stay on a particular website and is deleted
when you close your browser. These cookies pose less of a security risk.

Persistent cookies

This type of cookie is also known as a “tracking” or “in memory” cookie. These cookies can last
up to a year from each time a user revisits the server. They are stored by the browser even after it
is closed; when you click ‘remember me’ on a webpage where you hold an account, a persistent
cookie is used to store your information.

Secure cookies

These cookies are used when you are visiting a secure site (one where the Web address begins
with “https” rather than “http”). Secure cookies are only sent over the encrypted HTTPS
connection between your computer and the server, which means that they are more secure if
someone intercepts or copies the traffic. Use the HTTPS Everywhere plugin to make sure you only
connect to the secure version of the site.

Unauthorized installation and replication cookies

This type of cookie, sometimes referred to as a “zombie” or “super” cookie, automatically
recreates itself in some other location on the computer after a user has deleted it.
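As an added example (not part of these notes), the Python audit below classifies Set-Cookie headers into the session, persistent and secure types described above and flags the risky ones; the HttpOnly and Domain checks go slightly beyond the notes, and the sample headers are constructed, not captured from any real site.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample Set-Cookie header values, in the style a browser would
# receive from several different sites.
SAMPLE_HEADERS = [
    "sessionid=a1b2c3; Path=/; Secure; HttpOnly",
    "remember_me=tok123; Max-Age=31536000; Path=/; Secure",
    "PHPSESSID=z9y8x7; Path=/",
    "tracker=uid42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.ads.example",
]

SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class CookieReport:
    name: str
    kind: str                 # "session" (dies with the browser) or "persistent"
    secure: bool              # browser only sends it over HTTPS
    http_only: bool           # not readable by page scripts
    max_age: Optional[int]    # lifetime in seconds when given as Max-Age
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes such as Secure and HttpOnly carry no value and map to None.
    Splitting on ';' keeps the comma inside an Expires date intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def classify(header: str) -> CookieReport:
    """Classify one Set-Cookie header and record what a reviewer would flag."""
    name, _value, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    max_age = int(attrs["max-age"]) if attrs.get("max-age") else None
    report = CookieReport(
        name=name,
        kind="persistent" if persistent else "session",
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        max_age=max_age,
    )
    if not report.secure:
        report.findings.append("no Secure attribute: sent in clear over http://, "
                               "exposed to eavesdropping")
    if not report.http_only:
        report.findings.append("no HttpOnly attribute: readable by scripts in the page")
    if persistent:
        report.findings.append("persistent: survives closing the browser "
                               "(remember-me or tracking style)")
    if max_age is not None and max_age >= SECONDS_PER_YEAR:
        report.findings.append("Max-Age is a year or more")
    domain = attrs.get("domain")
    if domain and domain.startswith("."):
        report.findings.append("Domain attribute shares the cookie across subdomains")
    return report


def audit(headers: List[str]) -> List[CookieReport]:
    """Classify every header; cookies with no findings are the well-configured ones."""
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS):
        print(f"{r.name}: {r.kind}, secure={r.secure}, httponly={r.http_only}")
        for f in r.findings:
            print(f"    - {f}")
```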

Security tips

 Most browsers (Internet Explorer, Firefox, Chrome or Safari) are set to accept cookies by default.
If you do not wish to use cookies, all browsers allow you to disable them. Some browsers also
allow you to see which cookies you currently have on your computer and to delete those you no
longer want. There are also software tools, such as CCleaner and QuickWiper, that get rid of
standard cookies and files as well as unwanted persistent and self-replicating cookies that refuse
to go away.
 Most browsers also have an option to browse without storing cookies (called InPrivate
Browsing in Internet Explorer, Incognito Mode in Chrome and Private Browsing in Firefox and
Safari). However, while this does prevent cookies from being saved to your computer, it does not
mean that there will be no records of your browsing saved on your computer or on the servers of
the websites you visit.
 Browser plugins like Privacy Badger and Disconnect block third-party cookies and supercookies.
 Secure sites (where the Web address begins with “https” rather than “http”) encrypt any cookies
you send to them. This makes it more difficult for the information in the cookies to be intercepted
and misused. You should always use secure sites for anything that involves financial information
(bank or credit card data, etc.).
 Because logins and passwords are often saved using cookies, you should periodically change
your passwords on any sites you visit. If you do not wish to use a persistent cookie to store your
password, do not click ‘remember me’ on any account pages.
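The tips above come down to a handful of cookie attributes. As an added example (not part of the original notes), the following Python script audits Set-Cookie headers the way a reviewer would: it checks for Secure (HTTPS only), HttpOnly (not readable by page scripts), SameSite (not sent on cross-site requests) and whether the cookie is persistent. The three sample headers, cookie names and values are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing security attributes.

Added example, not from the original notes. The sample headers below are
constructed; the cookie names and values are made up.
"""
from typing import Dict, List

# Constructed Set-Cookie headers, as a browser would receive them from a site.
SAMPLE_HEADERS = [
    "sessionid=8f3a2c1b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=dXNlcjEyMw; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "theme=dark; Path=/; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its name/value pair and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased.
    Flags that take no value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookie(header: str) -> List[str]:
    """Return the findings for one Set-Cookie header (empty list = no issues)."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in c:
        findings.append("missing Secure: also sent over plain http://, so it can be sniffed on an open network")
    if "httponly" not in c:
        findings.append("missing HttpOnly: readable by page scripts, so an XSS bug can steal it")
    samesite = c.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF exposure)")
    if samesite == "none" and "secure" not in c:
        findings.append("SameSite=None without Secure: Chrome rejects such cookies outright")
    if "expires" in c or "max-age" in c:
        findings.append("persistent cookie: survives closing the browser; private mode does not keep it")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings."""
    return {parse_set_cookie(h)["__name__"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the headers a site actually returns (for example from the Network panel of the browser's developer tools) to see which of its cookies would survive a plain-HTTP request or a script injection.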

Browser hijacking

Browser hijacking is a malicious online activity where hijackers change the default settings in
your internet browser. Links may appear that point to websites you would usually avoid, new
toolbars and favorites that you do not want may be added and your computer may slow down
overall. Users will also often find themselves unable to return to their original settings once this is
done. The purpose of this threat is to force you to visit a website. This increases the traffic and
number of “hits” a website receives, allowing it to boost its advertising revenue. These websites
may also contain malicious scripts or viruses. Browser hijackers can be extremely persistent. If
they can’t be removed, you may find yourself having to reinstall your browser or restore your
entire system to its original settings.

Security tips

 As is the case with most other software threats, keeping your browser updated and using reliable,
updated security software is your first defense. If you do become a victim of hijacking, you can
reset your browser settings. How this is done depends on your browser:
 In Chrome, click the Customize and control Google Chrome menu (three dots) in the upper-right
corner of the browser, open Settings, then Reset settings (in older versions: Advanced, then
Restore settings to their original defaults) and confirm with Reset settings in the pop-up.
 In Edge, open the Settings and more menu (three dots), then Settings, Reset settings, and
Restore settings to their default values. The older route via Start, Apps and Features, Microsoft
Edge, Advanced Options, Reset applied only to the pre-Chromium version of Edge.
 In Internet Explorer (retired by Microsoft in 2022 but still present on older Windows builds),
close the browser and open Control Panel. Select Network and Internet and then Internet Options.
Click the Advanced tab and then the Reset button under Reset Internet Explorer Settings.
 In Firefox, click the Open menu (three horizontal lines), then Help, then More troubleshooting
information. Find Give Firefox a tune up and click Refresh Firefox. This replaces the old method
of launching Firefox in safe mode and choosing “Reset all user preferences to Firefox defaults”.
 In Safari there is no longer a single Reset Safari button. From the Safari menu, clear History
and Website Data, remove any extension you did not install yourself under Settings (Preferences)
and Extensions, and check that the homepage and search engine have not been changed.
 You can also disable your add-ons (software that extends the browser, such as extensions and
plug-ins) as a secondary line of defense. If all else fails, you may have to restore your computer
to an earlier point in time from a backup or from the recovery media that came with it.

Scripts

A script is a piece of code that a web page asks your browser to download and run. Today this
almost always means JavaScript (and WebAssembly, which JavaScript loads); Java applets and Flash
once played the same role, but current browsers no longer support either. While scripts enhance
and enrich online experiences (and are often necessary to use the full functionality of a
website), they can also be malicious. A malicious script can compromise your computer’s
performance and overall functionality by redirecting you to another site or loading malware onto
your computer.

Security tips

While you are generally safe from malicious scripts if you stick to trusted sites, there have been
cases in which attackers planted malicious scripts on legitimate sites, for example through a
compromised advertising network or a third-party script the site includes. The only sure way of
preventing script attacks is to control which scripts run when you visit a site.

 In Firefox, you can use the free NoScript add-on (https://addons.mozilla.org/en-CA/firefox/addon/noscript/),
which lets you choose which scripts run when you visit a site. Select the minimum necessary to get
the functionality you need.
 NoScript and similar extensions are also available for Chrome and Edge. Both browsers can block
JavaScript by default through their site settings (in Chrome: Settings, Privacy and security, Site
settings, JavaScript) and allow it only for sites you add as exceptions.

Internet-connected devices

An increasing number of electronic devices, from fitness trackers to cars to children’s toys, are
now connected via Wi-Fi in what’s often called the “Internet of Things.” A report by Fortune
Business Insights indicates that “the global Internet of Things market size stood at USD 250.72
billion in 2019 and is projected to reach USD 1,463.19 billion by 2027.” Unfortunately, many of
these devices are vulnerable in several ways:

 Many of them have poor security, which can allow hackers to infect them with malware, spy on
them or take control of them entirely.
 They typically connect through your internet router, which makes it easy for malware from an
infected device to easily spread to other devices that use the same network.
 They are often designed to work with your online accounts, so an infected device may also give
hackers access to those (such as your email or social network accounts).
 Even if the devices aren’t compromised, many collect kinds of data that you may not be
comfortable with – fitness trackers, for example, collect health information.

Security tips

 Be cautious before buying an internet-connected device: Security experts say that a majority of
“smart” devices on the market today are not highly resilient to cyberattacks. Be particularly wary
of “cloud-based” tools that can only work when connected to the internet. Do some research on the
product you’re considering buying to see if there have been any reports of security problems.
 Check the privacy policy: Make sure you have a clear idea of what happens to the data that the
device collects and what other data it can access by connecting to your online accounts or to
other devices.
 Set a password: Make sure that every connected device in your home is protected by a unique
password. Most connected devices allow you to set a PIN or password, but many don’t prompt
you to change it from the factory default.
 Use a guest network: Create a “guest” network on your Wi-Fi router and connect the devices to
that one, rather than your regular network. That way, if your connected devices get compromised,
the cyber threat won’t be able to access the devices on your main network, like your computer.
 Check for firmware updates: Like browsers and computer operating systems, makers of
connected devices frequently release “patches” and updates to address new security issues
they’ve discovered. Security experts suggest treating connected devices like smoke alarms: set a
date twice a year to make sure that everything is up to date, and turn on automatic updates
wherever the device offers them.

Hardware Attacks:
Common hardware attacks include:
 Manufacturing backdoors, inserted during production for malware or other penetrative purposes;
backdoors are not limited to software and general-purpose hardware but also appear in embedded
parts such as radio-frequency identification (RFID) chips and memory components
 Eavesdropping, by gaining access to protected memory without opening other hardware
 Inducing faults (for example by glitching the clock or supply voltage) to interrupt normal
behaviour and skip security checks
 Hardware modification: tampering with the device through invasive operations
 Backdoor creation: the presence of hidden methods for bypassing normal computer
authentication systems
 Counterfeiting product assets, either clones that behave in unexpected ways or parts built to
gain malicious access to systems

Major Types of Hardware Attacks:
1. VMX - Virtual Machine Extensions (instructions on processors with x86 hardware virtualization)
Virtualization platforms broadly come in two flavours:

(a) higher performance and lower cost, with thinner isolation between guests, e.g. x86
virtualization on Intel-based systems

(b) stronger isolation at higher cost, e.g. IBM mainframe partitioning

Most of us use (a) rather than (b) without being aware of the threats that come with the reduced
isolation: the same VMX instructions that let a hypervisor run guests can be used by malicious
code to slip a hypervisor underneath the running operating system.

2. Blue Pill -
A rootkit designed for x86 hardware virtualization. It loads a thin hypervisor (VMM) beneath the
running operating system and moves the whole machine into a virtual machine on the fly, so the OS
keeps running while the rootkit controls it from below. It was claimed to be almost undetectable,
although that claim was disputed. The lesson is that hardware-assisted virtualization serves
malicious software as readily as legitimate software, so the hardware architecture is central to
security here.

3. Extreme Privilege Escalation
Demonstrated on Windows 8, this attack exploited the platform firmware (UEFI) through a new
Windows 8 API that lets software write UEFI variables. Starting from a ring-3 process with
administrator rights, it obtained code execution in the firmware itself, a layer even more
privileged than the ring-0 kernel and one that talks almost directly to the hardware.

4. Stepping p3wns
This attack used a device’s firmware-update mechanism (a network printer in the demonstration).
The malicious firmware travelled inside a print job and bypassed the antivirus on the computer
because it is not Windows malware; once the job reached the printer, the printer’s firmware was
replaced with the malicious version. The same technique can infect IP phones and other embedded
devices, which is a serious concern in ‘bring your own device’ (BYOD) environments.

5. Shadow Walker (TLB splitting)
This rootkit misuses x86 hardware to hide malware from the operating system and antivirus
software; even its code modifications could not be detected. The trick exploits the difference
between reading memory and executing it: by desynchronising the instruction and data translation
lookaside buffers (TLBs), the same virtual address maps to clean data when a scanner reads it and
to malicious code when the processor executes it.

Cyber Threats - Cyber Warfare:
Cyber warfare refers to the use of digital attacks, such as malware and network intrusions, by
one country to disrupt the vital computer systems of another, with the aim of causing damage,
death and destruction. Future conflicts are expected to see hackers using computer code to attack
an enemy’s infrastructure, fighting alongside troops using conventional weapons like guns and
missiles.
Cyber warfare involves actions by a nation-state or international organization to attack and
attempt to damage another nation’s computers or information networks, for example with malware
or denial-of-service attacks.

Common types of cyber attacks


Malware
Malware is a term used to describe malicious software, including spyware, ransomware,
viruses, and worms. Malware breaches a network through a vulnerability, typically when a
user clicks a dangerous link or email attachment that then installs risky software. Once
inside the system, malware can do the following:
 Blocks access to key components of the network (ransomware)
 Installs malware or additional harmful software
 Covertly obtains information by transmitting data from the hard drive (spyware)
 Disrupts certain components and renders the system inoperable

Phishing
Phishing is the practice of sending fraudulent communications that appear to come from a
reputable source, usually through email. The goal is to steal sensitive data like credit card
and login information or to install malware on the victim’s machine. Phishing is an
increasingly common cyberthreat.

Man-in-the-middle attack
Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when
attackers insert themselves into a two-party transaction. Once the attackers interrupt the
traffic, they can filter and steal data.
Two common points of entry for MitM attacks:
1. On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device and
the network. Without knowing, the visitor passes all information through the attacker.
2. Once malware has breached a device, an attacker can install software to process all of the
victim’s information.

Denial-of-service attack
A denial-of-service attack floods systems, servers, or networks with traffic to exhaust
resources and bandwidth. As a result, the system is unable to fulfill legitimate requests.
Attackers can also use multiple compromised devices to launch this attack. This is known
as a distributed-denial-of-service (DDoS) attack.

SQL injection
A Structured Query Language (SQL) injection occurs when an application pastes attacker-supplied
input into a database query without separating code from data, so the input is executed as SQL
and the server reveals (or modifies) information it normally would not. An attacker can carry out
a SQL injection simply by typing a crafted string into a vulnerable website search box or login
form. The standard defense is parameterised queries (prepared statements), so that user input is
always bound as data and never interpreted as SQL.
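The following Python script, added here and not part of the original notes, shows the search-box scenario above against a small constructed SQLite table: a query built by string concatenation beside its parameterised fix, and the two classic payloads (a tautology that returns every row and a UNION that reads a column the search was never meant to expose). The table, usernames and hash strings are made up.

```python
"""SQL injection: string-built query beside its parameterised fix.

Added example, not from the original notes. Uses Python's built-in sqlite3
with a constructed users table; the usernames and hashes are made up.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash_of_alice_pw", 1), ("bob", "hash_of_bob_pw", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    """Deliberately vulnerable: the search term is pasted into the SQL text,
    so quotes and keywords in the input become part of the query."""
    query = f"SELECT username FROM users WHERE username = '{term}'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Fixed: a bound parameter is always treated as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (term,))]


# Two classic payloads an attacker could type into a search box.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"                               # makes WHERE always true
PAYLOAD_UNION = "' UNION SELECT password_hash FROM users --"   # reads another column


if __name__ == "__main__":
    db = make_db()
    print("normal search, vulnerable:", search_vulnerable(db, "alice"))
    print("tautology, vulnerable:    ", search_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("union, vulnerable:        ", search_vulnerable(db, PAYLOAD_UNION))
    print("tautology, safe:          ", search_safe(db, PAYLOAD_TAUTOLOGY))
    print("union, safe:              ", search_safe(db, PAYLOAD_UNION))
```

The vulnerable query becomes `WHERE username = '' OR '1'='1'` and `... UNION SELECT password_hash FROM users --'` respectively; the `--` comments out the closing quote the application added. The safe version looks for a user literally named `' OR '1'='1` and finds nothing.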

Zero-day exploit
A zero-day exploit targets a vulnerability for which no patch exists yet, usually because the
vendor has only just learned of it or has not learned of it at all (“zero days” is the time the
defenders have had to fix it). Once the flaw is disclosed and a patch is published, the same
exploit is often called an n-day exploit, and attackers keep using it against systems that have
not applied the fix. Detecting zero-day attacks requires constant awareness and defenses that do
not depend on knowing the specific vulnerability, such as behaviour-based detection and
least-privilege configuration.

DNS Tunneling
DNS tunneling uses the DNS protocol to carry non-DNS traffic over port 53, encoding other
protocols (HTTP, SSH, raw data) inside DNS queries and responses. There are legitimate reasons to
do this, and some commercial “DNS VPN” services rely on it, but it is also a classic evasion
technique because DNS is allowed out of almost every network. In malicious use, data is encoded
into the subdomain labels of queries sent to a name server the attacker controls, so exfiltration
from a compromised system looks like ordinary DNS lookups, and the responses carry command-and-
control instructions back to the compromised system. Telltale signs are many unique, long,
high-entropy subdomains under one domain, unusual record types such as TXT or NULL, and query
volumes far above normal for a single client.
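The telltale signs just listed can be turned into a simple detector. The script below is an added example (not from the original notes) that scores each query in a constructed resolver log on label length, Shannon entropy and record type, then reports clients that send several distinct suspicious names under one base domain, which is the pattern a tunnel produces because each chunk of data needs a fresh, uncached name. The log format, every query and the domain attacker-c2.net are made up for illustration; the thresholds are starting points, not tuned values.

```python
"""Heuristic DNS-tunneling detector run over sample resolver log lines.

Added example, not from the original notes. The log format (timestamp,
client IP, query name, record type) and every query below are constructed;
attacker-c2.net is a made-up domain used only for illustration.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed resolver log: two hosts, one of them emitting tunnel-like queries.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com A
2024-05-01T10:00:02 10.0.0.5 mail.example.com MX
2024-05-01T10:00:03 10.0.0.7 3q2b7fz9k1x0p8v4m6n2c5j7r1t9y3w8.tun.attacker-c2.net TXT
2024-05-01T10:00:03 10.0.0.7 a8d9f0k2l3m4n5p6q7r8s9t0u1v2w3x4.tun.attacker-c2.net TXT
2024-05-01T10:00:04 10.0.0.7 z1y2x3w4v5u6t7s8r9q0p1o2n3m4l5k6.tun.attacker-c2.net TXT
2024-05-01T10:00:05 10.0.0.5 cdn.example.com A
"""

# Illustrative thresholds; tune them against your own baseline traffic.
MAX_LABEL_LEN = 30       # encoded payload chunks make unusually long labels
MIN_ENTROPY_BITS = 3.5   # base32/base64 data looks random; hostnames do not
DATA_RECORD_TYPES = {"TXT", "NULL", "CNAME"}  # types with room for a downstream payload
BURST_THRESHOLD = 3      # distinct suspicious subdomains per (client, base domain)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Registrable domain, approximated as the last two labels.
    Real deployments should use the Public Suffix List instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_query(qname: str, qtype: str) -> Tuple[int, List[str]]:
    """Score one query; each matched heuristic adds one point."""
    labels = qname.rstrip(".").split(".")
    payload_labels = labels[:-2]          # everything below the base domain
    reasons: List[str] = []
    if payload_labels and max(len(lab) for lab in payload_labels) >= MAX_LABEL_LEN:
        reasons.append("long label")
    if shannon_entropy("".join(payload_labels)) >= MIN_ENTROPY_BITS:
        reasons.append("high entropy")
    if qtype.upper() in DATA_RECORD_TYPES:
        reasons.append(f"{qtype.upper()} record")
    return len(reasons), reasons


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def analyze(log_text: str, min_score: int = 2):
    """Return (flagged queries, bursts). A burst is one client sending several
    distinct suspicious subdomains of a single base domain."""
    flagged: List[Tuple[str, str, List[str]]] = []
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_query(rec["qname"], rec["qtype"])
        if score >= min_score:
            flagged.append((rec["client"], rec["qname"], reasons))
            seen[(rec["client"], base_domain(rec["qname"]))].add(rec["qname"])
    bursts = {k: len(v) for k, v in seen.items() if len(v) >= BURST_THRESHOLD}
    return flagged, bursts


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_LOG)
    for client, qname, reasons in flagged:
        print(f"{client} {qname} <- {', '.join(reasons)}")
    for (client, dom), n in bursts.items():
        print(f"burst: {client} sent {n} distinct suspicious names under {dom}")
```

On real traffic the entropy and length checks alone produce false positives from content-delivery networks and certificate-transparency style hostnames, so the per-client burst count (and a whitelist of known domains) is what makes the signal usable.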

Cyber Crime:
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a
networked device. Most of it is committed by cybercriminals who want to make money, though some
is driven by political or personal motives. It is carried out by individuals as well as organised
groups.
Some cybercriminals are organised, use advanced techniques and are highly skilled technically.
Others are novices using tools written by someone else.
Cybercrime refers to illegal actions using computers or the internet. Some examples of
cybercrime include:

 Stealing and selling corporate data
 Demanding payment to prevent an attack
 Installing viruses on a targeted computer
 Hacking into government or corporate computers
What are the causes of cybercrime?
Cyberattacks are becoming more prevalent due to easily accessible computers, cloud data
and storage, human negligence and vulnerability, network and application system
vulnerabilities, and the increasing number of bad actors who want to exploit the
vulnerabilities.

How do criminals gain unauthorized access?

Cybercriminals employ a variety of evolving methods to access an individual’s or business’s
protected data. Installing malware on a victim’s computer can allow an attacker to manipulate,
delete, or steal data. Criminals also use phishing attacks to trick a target into revealing login
credentials.

What are recent trends in cybercrime?

Cybercriminals are getting more aggressive with their tactics. Cisco Talos reports that attackers
are engaging in double extortion: holding data to ransom and threatening to release it on the
dark web, often after a first ransom has already been paid to decrypt the network.

Cybercrime, or computer-oriented crime, is a crime that involves a computer and a network. The
computer may have been used in the execution of a crime or it may be the
target. Cybercrime is the use of a computer as a weapon for committing crimes such as
committing fraud, identity theft, or breaching privacy. Cybercrime, especially through the
Internet, has grown in importance as the computer has become central to every field like
commerce, entertainment, and government. Cybercrime may endanger a person or a
nation’s security and financial health. Cybercrime encloses a wide range of activities, but
these can generally be divided into two categories:
1. Crimes that aim at computer networks or devices. These types of crimes involve
different threats (like virus, bugs etc.) and denial-of-service (DoS) attacks.
2. Crimes that use computer networks to commit other criminal activities. These types of
crimes include cyber stalking, financial fraud or identity theft.
Classification of Cyber Crime:
1. Cyber Terrorism –
Cyber terrorism is the use of the computer and internet to perform violent acts that
result in loss of life. This may include different type of activities either by software or
hardware for threatening life of citizens.
In general, Cyber terrorism can be defined as an act of terrorism committed through
the use of cyberspace or computer resources.

2. Cyber Extortion –
Cyber extortion occurs when a website, e-mail server or computer system is subjected
to or threatened with repeated denial of service or other attacks by malicious hackers.
These hackers demand huge money in return for assurance to stop the attacks and to
offer protection.

3. Cyber Warfare –
Cyber warfare is the use or targeting in a battle space or warfare context of computers,
online control systems and networks. It involves both offensive and defensive
operations concerning to the threat of cyber attacks, espionage and sabotage.

4. Internet Fraud –
Internet fraud is a type of fraud or deceit which makes use of the Internet and could
include hiding of information or providing incorrect information for the purpose of
deceiving victims for money or property. Internet fraud is not considered a single,
distinctive crime but covers a range of illegal and illicit actions that are committed in
cyberspace.

5. Cyber Stalking –
This is a kind of online harassment wherein the victim is subjected to a barrage of
online messages and emails. In this case, these stalkers know their victims and instead
of offline stalking, they use the Internet to stalk. However, if they notice that cyber
stalking is not having the desired effect, they begin offline stalking along with cyber
stalking to make the victims’ lives more miserable.

Challenges of Cyber Crime:

1. People are unaware of their cyber rights-
Cybercrime often succeeds against people who do not know the rights and remedies their country’s
law gives them, so they neither recognise an offence nor know where to report it.

2. Anonymity-
Attackers hide behind anonymising services, stolen accounts and infrastructure in other
jurisdictions, so identifying the person behind an offence is difficult and prosecuting them
across borders harder still.

3. Low number of cases registered-
Every country faces rising cybercrime, yet many victims never file a report. This hides the true
scale of the problem from the authorities and lets offenders continue.

4. Mostly committed by technically skilled people-
Committing a cybercrime is beyond most individuals; those who do it usually understand the
technology well enough to cover their tracks and avoid being caught.

5. No harsh punishment-
Only some offences, such as cyber terrorism, carry severe penalties. For many other cybercrimes
the punishment is light, which does little to deter those who commit them.
Prevention of Cyber Crime:
Below are some points by means of which we can prevent cyber crime:
1. Use strong passwords –
Use a different password and username combination for each account and resist the temptation to
write them down. Weak passwords can be cracked quickly with brute-force or rainbow-table attacks,
so make them long and unpredictable. Length matters more than a forced mix of letters, numbers
and special characters: a passphrase of several unrelated words, or a randomly generated password
kept in a password manager, resists both attacks far better than a short “complex” one.

2. Use trusted antivirus on devices –
Always use trustworthy, up-to-date antivirus software on mobile devices and personal computers.
This prevents many malware infections before they take hold.

3. Keep social media private –
Restrict the visibility of your social media accounts to people you know, and accept friend
requests only from people you actually know.

4. Keep your device software updated –
Install operating system and application updates as soon as they are offered. The previous
version usually contains flaws that are already being exploited, and cybercriminals target
systems that lag behind.

5. Use a secure network –
Public Wi-Fi is vulnerable. Avoid conducting financial or corporate transactions on such
networks.

6. Never open attachments in spam emails –
Email attachments in spam are one of the most common ways a computer becomes infected with
malware. Never open an attachment from a sender you do not know or were not expecting.
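Item 1 above mentions brute-force and rainbow-table attacks. The following Python script, added here and not part of the original notes, shows both attacks succeeding against fast, unsalted MD5 hashes (a precomputed lookup table stands in for a rainbow table, which is a space-optimised version of the same idea) and then the salted, iterated PBKDF2 hashing that defeats them: the random salt makes precomputed tables useless, and the iteration count makes each guess cost a hundred thousand hashes instead of one. The wordlist, PIN and users are constructed.

```python
"""Why weak passwords fall to brute force and lookup tables, and how salted,
slow hashing blunts both attacks.

Added example, not from the original notes. The wordlist, the PIN and the
passwords below are constructed for illustration.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Iterable, Optional, Tuple

# A constructed "leaked" wordlist; real attackers use many millions of entries.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "welcome1"]
PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once, then crack any dump instantly.
    Because there is no salt, one table serves every user of every site."""
    return {unsalted_md5(w): w for w in words}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Lookup-table attack: O(1) per stolen hash."""
    return table.get(stored_hash)


def brute_force_numeric(stored_hash: str, length: int = 4) -> Optional[str]:
    """Brute force: try every numeric PIN of the given length (10**length)."""
    for digits in itertools.product(string.digits, repeat=length):
        candidate = "".join(digits)
        if unsalted_md5(candidate) == stored_hash:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The stronger scheme: random 16-byte salt plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest); store both, the salt is not secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time so response
    timing does not leak how many bytes of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table lookup cracks:", crack_with_table(unsalted_md5("password123"), table))
    print("brute force finds PIN:", brute_force_numeric(unsalted_md5("4729")))
    salt1, d1 = hash_password("password123")
    salt2, d2 = hash_password("password123")
    print("same password, different salted digests:", d1 != d2)
    print("verify correct password:", verify_password("password123", salt1, d1))
```

The salted scheme does not make "password123" a good password; a dictionary attack still finds it, only slower. What the salt removes is the ability to crack every user at once from one precomputed table, and what the iteration count removes is the attacker's speed advantage.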

Cyber Terrorism:
Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful
attacks and threats of attacks against computers, networks and the information stored
therein when done to intimidate or coerce a government or its people in furtherance of
political or social objectives.
Examples are hacking into computer systems, introducing viruses to vulnerable networks,
web site defacing, Denial-of-service attacks, or terroristic threats made via electronic
communication.
What is cyber terrorism?

Cyber terrorism (also known as digital terrorism) is defined as disruptive attacks by
recognised terrorist organisations against computer systems with the intent of generating
alarm, panic, or the physical disruption of the information system.

While we’ve become used to hearing about cyber attacks, cyber terrorism instils a
different type of worry. Computer hackers have long worked to gain access to classified
information for financial gain, meaning terrorists could do the same

The internet can be used by terrorists to finance their operations, train other terrorists, and
plan terror attacks. The more mainstream idea of cyber terrorism is the hacking of
government or private servers to access sensitive information or even siphon funds for
use in terror activities. However, there is currently no universally accepted definition of
cyber terrorism.
Examples of cyber terrorism

 Introduction of viruses to vulnerable data networks.
 Hacking of servers to disrupt communication and steal sensitive information.
 Defacing websites and making them inaccessible to the public thereby causing
inconvenience and financial losses.
 Hacking communication platforms to intercept or stop communications and make terror
threats using the internet.
 Attacks on financial institutions to transfer money and cause terror.

Security tips

 Use strong passwords - there is software capable of guessing thousands of passwords in
seconds, so a long, unpredictable password is a strong one. Follow password best practices,
change a password as soon as you suspect it has been compromised, and avoid using the same
password for multiple logins.
 Follow cyber security news - keep up to date with cyber news and government warnings. Knowing
the latest threats helps you prepare for potential acts of terrorism.
 Create a culture of cyber awareness - all employees should be actively engaged in cyber
security education and attend regular training. Stress the importance of staying vigilant and
being on the lookout for anything suspicious.
 Vet all third-party vendors - a business’s cyber security posture is only as strong as that of
its third-party vendors. Businesses should demand transparency from vendors about their cyber
security practices before signing contracts or conducting any business.

Cyber Espionage:
Cyber spying, or cyber espionage, is the act or practice of obtaining secrets and
information without the permission and knowledge of the holder of the information from
individuals, competitors, rivals, groups, governments and enemies for personal,
economic, political or military advantage using methods on the Internet.

Cyber espionage is the malicious theft of data, information, or intellectual property from
and/or through computer systems. Some methods include social
engineering, malware distribution, advanced persistent threat (APT), watering hole attacks,
and spear phishing, but this list is by no means all-inclusive.

Security Policies:

Security policies are a formal set of rules issued by an organization to ensure that users who
are authorized to access company technology and information assets comply with the rules and
guidelines on the security of that information.

A security policy is considered a "living document": it is never finished, but is continuously
updated as the requirements of the technology and the employees change.

Security policies are also the mechanism by which endpoint-protection software manages network
security. In such products most policy types are created with default settings during
installation, and we can customize them to suit our specific environment. The policy types
described next are typical of that kind of product.

Need of Security policies-

1) It increases efficiency.

2) It upholds discipline and accountability

3) It can make or break a business deal

4) It helps to educate employees on security literacy

There are some important cyber security policies recommendations describe below-

Virus and Spyware Protection policy:

 It helps to detect threats in files and to detect applications that exhibit suspicious
behavior.
 It removes and repairs the side effects of viruses and security risks, using signatures.

Firewall Policy:

 It blocks the unauthorized users from accessing the systems and networks that connect
to the Internet.
 It detects the attacks by cybercriminals and removes the unwanted sources of network
traffic.

Intrusion Prevention policy:

 This policy automatically detects and blocks network attacks and browser attacks.
 It also protects applications from vulnerabilities and inspects the contents of one or more
data packets to detect malware arriving through otherwise legitimate channels.

Application and Device Control:

 This policy protects a system's resources from applications and manages the
peripheral devices that can attach to a system.
 The device control policy applies to both Windows and Mac computers whereas
application control policy can be applied only to Windows clients.
The Top Three Cybersecurity Trends
 Ransomware
 Cyber attack Surface (IoT supply chain and Remote work systems)
 Threats to IT infrastructure

With the extensive growth of the IT sector in different countries, ambitious plans for rapid
social transformation and inclusive growth, and the need to create a secure computing
environment with adequate trust and confidence in electronic transactions, software, services,
devices and networks, cyber security has become one of the compelling priorities for all.

Cyberspace is vulnerable to a wide variety of incidents, whether intentional or accidental,
man-made or natural, and the data exchanged in cyberspace can be exploited for nefarious
purposes. The protection of information in cyberspace and the preservation of the
confidentiality, integrity and availability of that information is the essence of secure
cyberspace.
Fig:2 Cybersecurity Cycle

Cybersecurity Policies

1. Acceptable Use of Data Systems Policy

The purpose of this policy is to stipulate the acceptable use of computer devices at the
company. These rules protect the authorized user and the company alike. Inappropriate use
exposes the company to risks including virus attacks, compromise of network systems and
services, and legal issues.

2. Account Management Policy

The purpose of this policy is to establish a standard for the creation, administration, use, and
removal of accounts that facilitate access to information and technology resources at the
company.

3. Anti-Virus

This policy was established to help prevent attacks on corporate computers, networks, and
technology systems from malware and other malicious code, and so to help prevent damage to user
applications, data, files, and hardware. Antivirus software is a program that detects, prevents,
and takes action to disarm or remove malicious software such as viruses and worms. Most antivirus
programs include an auto-update feature that downloads signatures for newly discovered malware
so that the program can detect it as soon as it appears. Antivirus software is a basic
necessity for every system.

4. E-Commerce Policy

The frequency of cyber-attacks has been high in recent years. E-commerce security refers to
the measures taken to secure businesses and their customers against cyber threats. This e-
commerce policy is to be used as both a suggestion and a summary within the management of
the E-Commerce electronic services.

5. E-Mail Policy

Email security is a term for the procedures and techniques that protect email accounts, content,
and communication against unauthorized access, loss, or compromise. Email is often used to
spread malware, spam, and phishing attacks. Attackers use deceptive messages to entice
recipients to share sensitive information, open attachments, or click on hyperlinks that install
malware on the victim’s device. Email is also a common entry point for attackers looking to gain
a foothold in an enterprise network and acquire valuable company data. Email encryption disguises
the content of email messages to protect potentially sensitive information from being read by
anyone other than the intended recipients, and often includes authentication of the sender. The
purpose of this policy is to establish rules for the use of corporate email for sending,
receiving, or storing electronic messages.

6. Hardware And Electronic Media Disposal Policy

The company-owned surplus hardware, obsolete machines, and any equipment beyond
reasonable repair or reuse, including media, are covered by this policy. This policy will
establish and define standards, procedures, and restrictions for the disposition of non-leased
IT equipment and media in a legal, cost-effective manner.

7. Security Incident Management Policy

This policy defines the requirements for reporting and responding to incidents associated with
the company’s information systems and operations. Incident response gives the company the
ability to identify when a security incident occurs and to contain and recover from it.

8. Information Technology Purchasing Policy

The purpose of this policy is to define standards, procedures, and restrictions for the
acquisition of all IT equipment, software, computer components, and technical services bought
with company funds. Purchases of technology and technical services for the company must be
approved and coordinated through the IT Department.

9. Web Policy
The purpose of this policy is to set guidelines for the use of the company’s network for access
to the Internet or the intranet.

10. Log Management Policy

Log management, done properly, is of great benefit in a variety of scenarios: it strengthens
security, system performance, resource management, and regulatory compliance.

11. Network Security And VPN Acceptable Use Policy

The purpose of this policy is to define standards for connecting to the company’s network from
any host. These standards are designed to minimize the potential exposure of the company to
damage resulting from unauthorized use of the company’s resources. Such damage includes the loss
of sensitive or company-confidential data and intellectual property, damage to critical internal
systems, etc.

12. Password Policy

The combination of username and password has long been a fundamental way of protecting our
information, and it is one of the first measures in cybersecurity. The purpose of this policy is
to set a standard for the creation of strong passwords, the protection of those passwords, and
the circumstances under which passwords must be changed.

13. Patch Management Policy

Security vulnerabilities are inherent in computing systems and applications. These flaws allow
the development and propagation of malicious software, which can disrupt normal business
operations and place the company at risk. To mitigate this risk, vendors make software
“patches” available to remove a given security vulnerability, and this policy defines how
quickly they must be applied.

14. Cloud Computing Adoption

The purpose of this policy is to ensure that the company can make appropriate cloud adoption
decisions while not using, or allowing the use of, inappropriate cloud service practices.
Acceptable and unacceptable cloud adoption examples are listed in this policy.

15. Server Security Policy

The purpose of this policy is to define standards and restrictions for the base configuration of
internal server equipment owned and/or operated by the company on its internal network(s) or
related technology resources, via any channel.

16. Social Media Acceptable Use Policy

The use of external social media within organizations for business purposes is increasing. The
company is exposed to a certain amount of data that becomes visible to friends of friends on
social media. While this exposure may be a key mechanism driving value, it can also create an
inappropriate conduit for information to pass between personal and business contacts. Tools to
establish barriers between personal and business networks, and tools to centrally manage
accounts, are only starting to emerge. Involvement by the IT Department in security, privacy,
and bandwidth concerns is of maximal importance.

17. Systems Monitoring And Auditing Policy

System monitoring and auditing are employed to determine whether inappropriate actions have
occurred within an information system. System monitoring looks for these actions in real
time, while system auditing looks for them after the fact.

18. Vulnerability Assessment

The purpose of this policy is to establish standards for periodic vulnerability assessments.
This policy reflects the company’s commitment to identifying and implementing security
controls that keep risks to information system resources at reasonable and appropriate levels.

19. Website Operation Policy

The purpose of this policy is to establish guidelines for communication on and updates to
the company’s public-facing website. Protecting the information on and within the company
website, with the same safety and confidentiality standards used in the conduct of all company
business, is significant to the company’s success.

20. Workstation Configuration Security Policy

The purpose of this policy is to enhance the security and operating quality of workstations
used at the company. IT staff are to follow these guidelines when deploying all new
workstation equipment. Workstation users are expected to maintain these guidelines and to
work collaboratively with IT staff to maintain the rules that have been deployed.

21. Server Virtualization

The purpose of this policy is to establish server virtualization requirements that outline the
acquisition, use, and management of server virtualization technologies. This policy provides
controls that ensure enterprise issues are considered, alongside business objectives, when
making server virtualization-related decisions. Platform Architecture policies, standards,
and guidelines will be used to acquire, design, implement, and manage all server
virtualization technologies.

22. Wireless Connectivity Policy

The purpose of this policy is to secure and protect the information assets owned by the
company and to establish awareness and safe practices for connecting to free and unsecured
Wi-Fi, which may be provided by the company. The company provides computer devices,
networks, and other electronic information systems for its goals and initiatives. The company
grants access to these resources as a privilege and must manage them responsibly to maintain
the confidentiality, integrity, and availability of all information assets.

23. Telecommuting Policy

For the purposes of this policy, a reference is made to the defined telecommuting employee
who regularly performs their work from an office that is not within a company building or
suite. Casual telework by employees or remote work by non-employees is not included herein.
Focusing on the IT equipment typically provided to a telecommuter, this policy addresses the
telecommuting work arrangement and the responsibility for the equipment provided by the
company.

24. Firewall

A firewall is a software program or piece of hardware that helps screen out hackers, viruses,
and worms that try to reach your computer over the Internet. All messages entering or leaving
the network pass through the firewall, which examines each message and blocks those that do
not meet the specified security criteria. Hence, firewalls play an important role in
detecting malware.

25. Malware scanner

This is software that periodically scans all the files and documents present within the system
for malicious code or harmful viruses. Viruses, worms, and Trojan horses are examples of
malicious software that are often grouped together and referred to as malware.

UNIT – II Cyber Frauds, DoS, Viruses
Cyber Stalking, Fraud, and Abuse: Introduction, How Internet Fraud Works,
Identity Theft, Cyber Stalking, Protecting Yourself Against Cyber Crime. Denial
of Service Attacks: Introduction, DoS, Illustrating an Attack, Malware:
Introduction, Viruses, Trojan Horses, The Buffer-Overflow Attack.

Cyber Stalking

Cyberstalking is when someone uses electronic communication, social media, and other
technology to commit crimes. It is defined as the use of email, direct messaging, or other
electronic means to harass, scare, or threaten someone with physical harm. And it can come in
various forms, such as bullying, sexual harassment, or other unwelcome attention around your
life and activities.

While each cyberstalking case is different, a look at recent cases reveals that cyberstalkers
commonly engage in identity theft and other criminal behaviors. That’s because many
cyberstalkers use a blend of online and physical harassment and intimidation, such as:

 Tracking someone’s online activity or physical location.
 Making death threats or other overt threats of violence.
 Blackmailing a victim using personal information or photos.
 Making false accusations about a victim online.
 "Doxxing" a victim by publishing their private information online.
 Destroying or manipulating data by sending a virus to a victim’s devices.
 Posting derogatory statements about a victim publicly.
 Posing as a victim online to cause harm to their life or career.
 Sending threatening doctored photos or deepfakes of the victim or their family.

Some cyberstalkers use technology to get information such as a physical address and mail
threatening physical items to a victim or even show up at their home.


Types of Cyber Stalking:
 Webcam Hijacking: Internet stalkers may attempt to trick you into downloading and
installing a malware-infected file that grants them access to your webcam. The method is
so sneaky that you probably would not suspect anything strange.
 Observing location check-ins on social media: If you add location check-ins to your
Facebook posts, you make it very easy for an internet stalker to follow you just by
looking through your social media profiles.
 Catfishing: Catfishing happens via social media sites such as Facebook, when internet
stalkers create counterfeit user profiles and approach their victims as a friend of a
friend.
 Visiting virtually via Google Maps Street View: If a stalker discovers the victim’s
address, it is not hard to find the area, neighbourhood, and surroundings using Street
View. Tech-savvy stalkers do not even need that much.
 Installing Stalkerware: Another method that is growing in popularity is the use of
stalkerware. It is a kind of software or spyware that keeps track of the victim’s
location, enables access to text messages and browsing history, makes audio recordings,
etc. Importantly, it runs in the background without the victim’s knowledge.
 Looking at geotags to track location: Most digital pictures contain geotags, which
hold information such as the time and location at which the picture was shot, in the
form of metadata. Geotags come in the EXIF format embedded in an image and are readable
with the help of special apps. In this way, the stalker keeps an eye on the victim and
learns their whereabouts.

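The geotag check from a defender's side, as an added example that is not part of the original notes: a standard-library Python script that walks a JPEG's marker segments, looks in the Exif directory (IFD0) for the GPSInfo pointer tag (0x8825), and strips the Exif segment before a photo is shared. The sample image bytes are constructed inline (not a real photo); the helper names are this example's own.

```python
"""Detect and strip EXIF geotags (GPS metadata) from a JPEG.

Added example for these notes, not code from the original lecture notes.
It walks the JPEG marker segments, parses the Exif TIFF directory (IFD0)
for the GPSInfo pointer tag (0x8825), and removes the Exif APP1 segment so
the photo no longer reveals where it was taken. Standard library only.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
APP1 = 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory


def _segments(data: bytes):
    """Yield (marker, start, end) for each marker segment before SOS/EOI.

    Header segments carry a 2-byte big-endian length that counts itself
    plus the payload, so a segment ends at start + 2 + length.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more header segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end
        pos = end


def _is_exif_app1(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def has_gps_exif(data: bytes) -> bool:
    """True if IFD0 of the Exif block contains a GPSInfo (0x8825) entry."""
    for marker, start, end in _segments(data):
        if not _is_exif_app1(data, marker, start):
            continue
        tiff = data[start + 10:end]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or len(tiff) < 8:
            return False
        magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
        if magic != 42 or ifd0 + 2 > len(tiff):
            return False
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
            if entry + 2 > len(tiff):
                break
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_TAG:
                return True
    return False


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed (image data kept)."""
    cuts = [(s, e) for m, s, e in _segments(data) if _is_exif_app1(data, m, s)]
    out = bytearray(data)
    for s, e in reversed(cuts):  # delete from the back so offsets stay valid
        del out[s:e]
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG (not a real photo) carrying an Exif block.

    TIFF layout: 8-byte header, IFD0 at offset 8 with one entry (18 bytes)
    and, when with_gps is set, a GPS IFD at offset 26 holding
    GPSLatitudeRef = "N".
    """
    if with_gps:
        entry = struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)  # LONG -> GPS IFD
    else:
        entry = struct.pack("<HHIHH", 0x0112, 3, 1, 1, 0)   # Orientation = 1
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    if with_gps:
        gps_entry = struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")
        tiff += struct.pack("<H", 1) + gps_entry + struct.pack("<I", 0)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    com = b"\xff\xfe" + struct.pack(">H", 2 + 11) + b"constructed"  # COM segment
    sos = b"\xff\xda" + struct.pack(">H", 2)                        # dummy SOS header
    return SOI + app1 + com + sos + b"\x00" + EOI


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("geotag present:", has_gps_exif(photo))           # True
    print("after strip:", has_gps_exif(strip_exif(photo)))  # False
```

Run it on a real photo by reading the file into `data` and calling `has_gps_exif(data)` before posting it.
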
Protective Measures:
 Develop the habit of logging out of the PC when not in use.
 Remove any future events you’re close to attending from the social networks if
they’re recorded on online approaching events and calendars.
 Set strong and distinctive passwords for your online accounts.
 Cyber Stalkers can exploit the low security of public Wi-Fi networks to snoop on
your online activity. Therefore, avoid sending personal emails or sharing your
sensitive info when connected to an unsecured public Wi-Fi.
 Make use of the privacy settings provided by the social networking sites and keep all
info restricted to the nearest of friends.
 Do a daily internet search to find out what information about you is accessible to
the public.

How to deal with Cyberstalking?

Send a clear written message to the cyberstalker indicating that you do not want to be
contacted by them. Do not interact with the stalker after receiving a warning. If the
harassment continues, contact the police. Call a family member or friend for assistance if
you believe you are being tracked by spyware.
Check your devices for spyware or indications of compromised accounts, and change all
passwords. Block the person from your social media accounts using privacy settings, and
report the abuse to the network. Even if the attacker does not back down, call the police.

Difference between Cyberstalking and Cyberbullying

Cyberstalking occurs when a victim is harassed online via electronic channels, text
messaging, social networking sites, discussion forums, and so on for retaliation, anger, or
control. A stalker could be a stranger or a friend of the victim. When adults are involved, it
is referred to as cyberstalking.
Cyberbullying occurs when a child or a teenager is mistreated, disrespected, tormented,
intimidated, humiliated, or aimed at by another individual of the same age range via the
internet.

Laws in India against Cyberstalking

The following laws are available in India to deal with cyberstalking:
 Section 67 of the Information Technology Act of 2000: Penalises stalkers who send or
cause to be sent or published obscene posts or content on electronic media with up to
three years in prison and a fine.
 Section 67A of the Information Technology Act of 2000: Penalises anyone who sends
or causes to be sent or published in electronic media any material containing sexually
explicit acts or conduct. Up to five years in prison and a fine of up to five lakh rupees
are the penalties.
 Section 354D of the Indian Penal Code, 1860: Under this section, if a person monitors
a woman’s use of the internet, email, or any other form of electronic communication,
that person may face up to 3 years in prison as well as a fine. This is a bailable offense
for first-time offenders but not for repeat offenders.
If a woman is a victim of cyberstalking, she can file a complaint with any cybercrime unit,
regardless of where the incident occurred. Cyber cells are being established to address the
grievances of female victims.

Legal Implications of Cyberstalking

India is at the top of the statistics when it comes to global sexual harassment. The online
harassment faced by women also reflects the harassment in the physical world. 50 percent
of women in the major cities of India have faced online abuse according to a survey by
Feminism. Cyberstalking against men is also becoming quite common nowadays, making
the ratio almost 50:50.

Here are some instances of cyberstalking laws in India:

 Any act of stalking is considered an offense committed. An act of stalking can be
following, contacting, or attempting to contact a person repeatedly despite clear
indications of disinterest by them, monitoring online activities of a person, or
spying on a person that causes fear of violence, serious alarm, disruption of mental
peace, or distress.
 The victim can file a case of defamation against the offender.
 Acts of stalking performed by someone who has been authorized by the state for the
purpose of preventing and detecting crime are excused.
 Online sexual harassment is punishable by law with up to three years of
imprisonment and/or fine.
 Non-consensual capturing of an image of a woman engaging in a private act and/or
disseminating the said image is punishable by law.
 Criminal intimidation made to any person with an injury to their reputation to cause
alarm or to make them change their course of action on anything is considered to be
a punishable crime.
 If someone is constantly harassed with derogatory verbal abuse because of gender
issues, the perpetrator can be punished.
 Any criminal intimidation by anonymous communication or vengeful posting of
videos, images, or images of rape victims is punishable with imprisonment.

How to deal with Cyberstalking?

If anyone is experiencing Cyberstalking, acting immediately is crucial. Here is how you
can deal with it:


 Send a clear indication in writing to the cyberstalker that you do not want to be
contacted by them and that if the message goes unheeded, you will go to the police.
 Once a warning is issued, do not engage with the stalker at all.
 Go to the police if the harassment does not stop.
 If you think you are being tracked by someone through spyware, use a family
member’s or friend’s phone to get help.
 Get your devices checked for spyware or signs of compromised accounts.
 Change all passwords.
 Use privacy settings to block the person off your social media, and report the abuse
to the network.
 Filter abusive emails to a separate folder to avoid reading them.
 If you know the stalker’s ISP, the part after the @ in their email address, contact
abuse@domainname or postmaster@domainname.
 Google has a support system in place for such cases,
https://support.google.com/mail/contact/abuse
 Tell your employer if you have cyberstalkers at your workplace.
 Make sure to have copies of any communication involved, police reports, and
emails from the networks.
 Back up the evidence on an external drive.

How to avoid Cyberstalking?

Increasing your privacy settings is the first thing to do to prevent Cyberstalking.

Enable strong privacy settings:


 Make all posts viewable to friends only so that no strangers can see them.
 Do not enable permissions for social networks to post your contact details publicly.
 Try to have a separate email address for social media and other online activities.
 Share private information with friends over a private message rather than a public
post.
 Avoid using your real name and use a gender-neutral screen name or pseudonym
instead for your social media accounts.
 Leave optional fields in social media profiles blank.
 Only accept friend requests from those you know in person.
 Set your social network settings to accept friend requests only from friends of
friends.
 Disable geolocation settings and GPS on your device.

Fraud, and Abuse

What Is Computer Abuse?

Computer abuse is the legal term for the use of a computer to carry out improper or illegal
activities, but which do not constitute financial crimes that would be classified as wire
fraud.

KEY TAKEAWAYS

 Computer abuse refers to a broad category of activities wherein a computer is used
to improperly or illegally cause harm to somebody else or their property.
 Cyber-bullying, hacking, identity theft, and even using a work PC for personal
business are all examples of computer abuse.
 While not always enforced, acts that constitute computer abuse were codified in the
1984 Computer Fraud and Abuse Act (CFAA), which is enforceable at the federal
level.
 Many today believe that the CFAA has grown overly restrictive, but attempts to
loosen these regulations, such as Aaron's Law, have so far failed.

The Computer Fraud and Abuse Act of 1984

The CFAA criminalizes certain types of computer abuse by banning “unauthorized
access” of computers and networks. The law has been used to successfully prosecute both
high- and low-level hackers for both civil and criminal matters. Early on, for example, the
law was used to convict the man who released the first computer worm in 1988. Over the
years, however, the law’s vagueness has resulted in punishments as severe as decades in
prison for minor abuses that did not cause economic or physical harm.

While the law was intended for the prosecution of hackers committing computer abuse by
stealing valuable personal or corporate information, or causing damage when they break
into a computer system, Congress has expanded the scope of the CFAA five times so that
activities that were once considered misdemeanors are now federal felonies. As a result,
everyday users can be punished for seemingly minor infractions of an application’s terms
of service.

The CFAA, for instance, makes white lies such as understating your age or weight on a
dating site a crime (even though this is rarely if ever prosecuted). It also makes violating a
company’s policy on using a work computer for personal use a felony. If the law were
widely enforced, almost every white collar worker in America would be in prison for
computer abuse. Because it is arbitrarily and sometimes overly enforced, federal judges
and scholars have advocated for changing the law to decriminalize terms of service
violations. One impediment to loosening the law has been resistance by corporations who
benefit from it. One of the changes to the CFAA in 1994, for example, amended the law to
allow for civil actions, giving corporations a way to sue employees who steal company
secrets.

Examples of Computer Abuse

An incident that many people might not think of as computer abuse is creating a
fake social media account. If the social media service’s terms and conditions require users
to provide accurate information about their identities when creating an account, they could
be prosecuted under the CFAA. This outcome is unlikely unless an individual uses a fake
account for malicious purposes, such as cyberbullying, but it is a possibility—and that
possibility of being prosecuted for something as minor as the mere creation of a fake
account is a major problem with the CFAA. Attorneys have been able to exploit the law’s
weaknesses to defend clients who should perhaps have been punished, and prosecutors
have been able to exploit the law to obtain convictions for minor incidents.

The most well-known example of the unintended consequences of expanding the
Computer Fraud and Abuse Act was the threat of a 35-year prison sentence for internet
activist Aaron Swartz for allegedly downloading millions of pay-walled academic articles
to which access was restricted through a subscription service, probably with the intent to
freely distribute them. Arguably, Swartz’s alleged actions would be constituted as theft,
but did the proposed punishment fit the alleged crime? Swartz did not seem to think so —
he took his own life before the case could go to trial.

Aaron’s Law was a bill introduced in the United States Congress in 2013 in honor of
Swartz to loosen the CFAA. Though the bill did not pass Congress, it remains an
influential bill.

Classification of Cyber Fraud:

Cybercrimes against individuals:

 Email spoofing is a form of cyberattack in which a hacker sends an email that has
been manipulated to seem as if it originated from a trusted source. For example, a
spoofed email may pretend to be from a well-known shopping website, asking the
recipient to provide sensitive data, such as a password or credit card number.
 Spamming is the use of electronic messaging systems like email and other digital
delivery systems and broadcast media to send unwanted bulk messages
indiscriminately.
 Cyber defamation is an act that harms the reputation of an individual in the eyes of
other individuals through cyberspace.

Cybercrimes against property:

 Unauthorised computer trespassing is a sort of computer crime that involves
gaining unauthorised access to computers. In the United States it is classified as
computer fraud and abuse.
 Copyright infringement occurs when a work protected by copyright law is used for
a purpose for which authorization is required but has not been obtained.
 Taking confidential data and information from someone's online sources without
their knowledge.

Some online crimes occur against property such as the internet or a server.

Cybercrimes against the government:

 Cyber extortion is the act of cyber-criminals extorting money from a victim by
threatening them with destructive activities.
 Cyber terrorism is the use of the internet to carry out violent activities that result in
the death or serious physical injury of people in order to gain political advantage
through threats.

Cyber Abuse:
The term "cyberbullying" refers to a wide spectrum of online abuse, including harassment,
reputation attacks, and revenge pornography. Cyberbullying or harassment is a type of
bullying or harassment that takes place through the internet. As the digital environment has
expanded and technology has evolved, it has grown more widespread, particularly among
teenagers.

 It is a pattern of behaviour intended to frighten, anger, or shame individuals who
are being targeted.
 Rumours about someone publishing embarrassing images of themselves on social
media, for example.
 Threatening others for selfish gain, as well as sending hurtful comments on their
behalf.

Face-to-face bullying and cyberbullying can often happen alongside each other. But
cyberbullying leaves a digital footprint. The Information Technology (Amendment) Act also
provides remedies for cyberbullying. Section 66A of the IT Act defines the punishment for a
person who sends offensive material using internet tools for communication.

Section 66E defines the punishment for invading privacy. Section 67 defines the punishment
for publishing any obscene picture.

Present Scenario:

Presently, there is a huge increase in cyber abuse and cyberbullying cases. But the number of
reported cases is low because many people did not tell anyone about being bullied.
According to Child Rights and You, 1 in 3 adults get bullied every day, and most of them are
between 13 and 18 years of age.

The shocking statistics on cybercrime's impact on our society to date:

 The global cost of cybercrime will reach $6 trillion by 2021.
 48% of data security breaches are caused by acts of malicious intent.
 Cybercrime will more than triple the number of unfilled cybersecurity jobs by
2021.

Some of the famous case Studies:

Ritika Sharma Case:

Ritika Sharma, a student at a reputed Delhi school, was stalked by a Facebook friend whom
she had unfriended months earlier and to whom she had given all her information, including
her residential address, school address, and even her cell phone number. She told her brother
about this and her brother filed a complaint. After this incident, Delhi police organised
awareness programs where all the students were told not to send any personal data to
strangers.

Ritu Kohli's Case:

This case should be mentioned whenever cyberbullying and cyber abuse are discussed, as it
was India's first reported case of cyberstalking. In 2001, a girl called Ritu Kohli filed a
complaint alleging that someone else was using her identity on the social internet and that
she was receiving calls from several numbers, including calls from abroad. A case was also
filed under Indian Penal Code Section 509. From this we can conclude that cyber
legislation is an essential tool in the fight against cyber-attacks.

How to Tackle the Situation of Cyber Fraud and Abuse?

1. Resist the urge to respond as people who say hurtful things often do so just to get a
reaction.
2. Save evidence as our immediate reaction might be to make the abusive content
disappear but it is important to keep evidence of that.
3. Report and block options should be used.
4. Check out tailored advice
5. Seek help for legal advice or we have to go for legal help.
6. Save your data
7. Protect your e-identity

Laws Governing Cyber Crimes:

The United Nations Commission on International Trade Law adopted the Model Law on
Electronic Commerce. As a signatory, India was required to alter existing legislation in
accordance with the Model Law. The IT Act established some punishments and offences,
and revisions were made to existing statutes such as the Indian Penal Code and the Indian
Evidence Act, among others, to address offences classified as cybercrimes. The Computer
Fraud and Abuse Act of 1988, Section 18, prohibits activity that harms computer systems.
It is a piece of cyber-security legislation.

It protects them from trespassing, threats, property destruction, and corruption because
cyber-crimes frequently target issues that are specified and discussed by the Information
Technology Act, the act makes these crimes even more punishable. The Indian Penal Code
is the country's primary legal framework for dealing with traditional offences. Because the
scope of these crimes has broadened in recent years as a result of the technological
revolution, a subset of them can readily be categorised as cyber-crimes.

As a result, cybercrime in India is largely dealt with under the following two pieces of
legislation:

 Information Technology Act, 2000.
 Indian Penal Code, 1860

Charging Policy

 Access “without authorization.”
 Access “exceeding authorized access.”
 Whether prosecution would serve the Department’s goals for CFAA enforcement.

The Computer Fraud and Abuse Act (CFAA) was enacted in 1986, as an amendment to the
first federal computer fraud law, to address hacking. Over the years, it has been amended
several times, most recently in 2008, to cover a broad range of conduct far beyond its
original intent. The CFAA prohibits intentionally accessing a computer without
authorization or in excess of authorization, but fails to define what “without authorization”
means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for
abuse and use against nearly every aspect of computer activity.

How Internet Fraud Works

What is Internet Fraud?

Internet fraud involves using online services and software with access to the internet to
defraud or take advantage of victims. The term "internet fraud" generally covers
cybercrime activity that takes place over the internet or on email, including crimes
like identity theft, phishing, and other hacking activities designed to scam people out of
money.

Internet scams that target victims through online services account for millions of dollars
worth of fraudulent activity every year. And the figures continue to increase as internet
usage expands and cyber-criminal techniques become more sophisticated.

Internet fraud offenses are prosecuted under state and federal law. For example, federal law
has the controlling statute 18 U.S.C. § 1343 that covers general cyber fraud and can carry a
punishment of up to 30 years in prison and fines of up to $1 million depending on the
severity of the crime.

States like California also have anti-phishing, credit card fraud, unauthorized computer
access, and identity theft laws. These laws also prohibit eliciting personally identifiable
information (PII) via the internet by pretending to be a company under the Anti-Phishing
Act of 2005.

Types of Internet Fraud

Cyber criminals use a variety of attack vectors and strategies to commit internet fraud. This
includes malicious software, email and instant messaging services to spread malware,
spoofed websites that steal user data, and elaborate, wide-reaching phishing scams.

Internet fraud can be broken down into several key types of attacks, including:

1. Phishing and spoofing: The use of email and online messaging services to dupe victims
into sharing personal data, login credentials, and financial details.
2. Data breach: Stealing confidential, protected, or sensitive data from a secure location and
moving it into an untrusted environment. This includes data being stolen from users and
organizations.
3. Denial of service (DoS): Interrupting access to, or the traffic of, an online service, system,
or network with malicious intent.
4. Malware: The use of malicious software to damage or disable users’ devices or steal
personal and sensitive data.
5. Ransomware: A type of malware that prevents users from accessing critical data and then
demands payment with the promise of restoring access. Ransomware is typically delivered
via phishing attacks.
6. Business email compromise (BEC): A sophisticated form of attack targeting businesses
that frequently make wire payments. It compromises legitimate email accounts
through social engineering techniques to submit unauthorized payments.

To avoid hackers’ internet fraud attempts, users need to understand common examples of
internet fraud and tactics.

Email Phishing Scams

Email-based phishing scams are among the most prevalent types of internet fraud, which
continues to pose a serious threat to internet users and businesses.

Statistics from Security Boulevard show that in 2020, 22% of all data breaches involved a
phishing attack, and 95% of all attacks that targeted business networks were caused
by spear phishing. Furthermore, 97% of users could not spot a sophisticated phishing
email, 1.5 million new phishing sites were created every month, and 78% of users
understand the risk of hyperlinks in emails but click them anyway.

Email-based phishing scams are constantly evolving and range from simple attacks to more
sneaky and complex threats that target specific individuals.

Email phishing scams see cyber criminals masquerade as an individual that their victim
either knows or would consider reputable. The attack aims to encourage people to click on
a link that leads to a malicious or spoofed website designed to look like a legitimate
website, or open an attachment that contains malicious content.

The hacker first compromises a legitimate website or creates a fake website. They then
acquire a list of email addresses to target and distribute an email message that aims to dupe
people into clicking on a link to that website. When a victim clicks the link, they are taken
to the spoofed website, which will either request a username and password or automatically
download malware onto their device, which will steal data and login credential
information. The hacker can use this data to access the user’s online accounts, steal more
data like credit card details, access corporate networks attached to the device, or commit
wider identity fraud.
Email phishing scam attackers will often express the need for urgency from their victims.
This includes telling them that their online account or credit card is at risk, and they need to
log in immediately to rectify the issue.
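The two tell-tale signs just described (a link whose visible text names one site while its href points elsewhere, and pressure to "log in immediately") can be checked mechanically. The following is an added example, not code from the original notes: a standard-library Python checker run over a constructed sample message whose domains use the reserved .example and .net placeholders.

```python
"""Flag phishing indicators in an HTML e-mail.

Added example for these notes, not code from the original lecture notes.
It reports links whose visible text names one site while the href points
elsewhere, unencrypted http links, and urgency wording. The sample message
and its domains are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(
    r"\b(immediately|within 24 hours|account (?:will be )?suspended|verify now|urgent)\b",
    re.IGNORECASE,
)
HOSTNAME_IN_TEXT = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_name(host: str) -> str:
    """Crude registrable name: the last two labels (www.bank.example -> bank.example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(html: str, sender_site: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        target = site_name(parsed.hostname or "")
        shown = HOSTNAME_IN_TEXT.search(text.lower())
        shown_site = site_name(shown.group(1)) if shown else None
        if shown_site and shown_site != target:
            findings.append(f"link text shows {shown_site} but points to {target}")
        elif target and target != sender_site:
            findings.append(f"link leaves the sender's site: {target}")
        if parsed.scheme == "http":
            findings.append(f"unencrypted http link to {target}")
    body_text = re.sub(r"<[^>]+>", " ", html)  # strip tags before scanning wording
    for match in URGENCY.finditer(body_text):
        findings.append(f"urgency cue: '{match.group(0)}'")
    return findings


# Constructed sample: the visible link names the bank, the href does not.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account will be suspended unless you verify now.</p>
<p>Log in at <a href="http://bank-verify.example.net/login">www.bank.example</a>
immediately to keep access.</p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, "bank.example"):
        print("-", finding)
```
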

Greeting Card Scams

Many internet fraud attacks focus on popular events to scam the people that celebrate them.
This includes birthdays, Christmas, and Easter, which are commonly marked by sharing
greeting cards with friends and family members via email. Hackers typically exploit this by
installing malicious software within an email greeting card, which downloads and installs
onto the recipient’s device when they open the greeting card.

The consequences can be devastating. The malware could result in annoying pop-up ads
that can affect application performance and slow down the device. A more worrying result
would be the victim’s personal and financial data being stolen and their computer being
used as a bot within a vast network of compromised computers, also known as a botnet.

Credit Card Scams

Credit card fraud typically occurs when hackers fraudulently acquire people's credit or
debit card details in an attempt to steal money or make purchases.

To obtain these details, internet fraudsters often use too-good-to-be-true credit card or bank
loan deals to lure victims. For example, a victim might receive a message from their bank
telling them they are eligible for a special loan deal or a vast amount of money has been
made available to them as a loan. These scams continue to trick people despite widespread
awareness that such offers are too good to be true for a reason.

Online Dating Scams

Another typical example of internet fraud targets the plethora of online dating applications
and websites. Hackers focus on these apps to lure victims into sending money and sharing
personal data with new love interests. Scammers typically create fake profiles to interact
with users, develop a relationship, slowly build their trust, create a phony story, and ask the
user for financial help.

Lottery Fee Fraud

Another common form of internet fraud is email scams that tell victims they have won the
lottery. These scams will inform recipients that they can only claim their prize after they
have paid a small fee.
Lottery fee fraudsters typically craft emails to look and sound believable, which still results
in many people falling for the scam. The scam targets people's dreams of winning massive
amounts of money, even though they may have never purchased a lottery ticket.
Furthermore, no legitimate lottery scheme will ask winners to pay to claim their prize.

The Nigerian Prince

A classic internet fraud tactic, the Nigerian Prince scam approach remains common and
thriving despite widespread awareness.

The scam uses the premise of a wealthy Nigerian family or individual who wants to share
their wealth in return for assistance in accessing their inheritance. It uses phishing tactics to
send emails that outline an emotional backstory, then lures victims into a promise of
significant financial reward. The scam typically begins by asking for a small fee to help
with legal processes and paperwork with the promise of a large sum of money further
down the line.

The scammer will inevitably ask for more extensive fees to cover further administration
tasks and transaction costs supported by legitimate-looking confirmation documents.
However, the promised return on investment never arrives.
How To Protect Yourself from Internet Scams

Internet users can protect themselves and avoid being caught on a phishing line by
remaining vigilant about the common types of internet fraud listed above. Never send
money to someone met only over the internet, never share personal or financial details with
individuals whose legitimacy cannot be verified, and never click on unexpected hyperlinks or
attachments in emails or instant messages. Once targeted, internet users should report
online scammer activity and phishing emails to the authorities.

Credit card fraud can also be limited by keeping a close eye on bank accounts, setting up
notifications for credit card activity, signing up for credit monitoring, and using consumer
protection services. Users who suffer credit card fraud should report it to their card issuer,
the relevant legal authorities, and the credit bureaus.
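
As an added illustration of the warning signs described above (example code written for these notes, not taken from the original source), the following Python script scores constructed sample messages against a few of those signs: urgency pressure, a promised prize or inheritance, a request for an up-front fee, a link to a bare IP address, and a request to log in or supply credentials. The messages, the patterns and the weights are all assumptions made for the example; a real mail filter would combine many more signals.

```python
import re

# Constructed sample messages for the example (not real mail).
SAMPLES = [
    {"from": "Security Team <alerts@bank-secure-login.example>",
     "subject": "URGENT: your account will be suspended in 24 hours",
     "body": "Your online account is at risk. Log in immediately at "
             "http://198.51.100.7/verify to rectify the issue."},
    {"from": "Lottery Board <claims@intl-lotto.example>",
     "subject": "Congratulations! You have won $2,500,000",
     "body": "To claim your prize, pay the small processing fee of $150 "
             "via wire transfer within 48 hours."},
    {"from": "Alice <alice@example.com>",
     "subject": "Lunch on Friday?",
     "body": "Hi, are you free for lunch on Friday around noon? Let me know."},
]

# Each heuristic: (name, compiled pattern, weight). Weights are illustrative.
HEURISTICS = [
    ("urgency pressure",
     re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|at risk|act now)\b", re.I), 2),
    ("promise of money",
     re.compile(r"\b(won|prize|lottery|inheritance|million)\b|\$\d[\d,]*", re.I), 2),
    ("up-front fee requested",
     re.compile(r"\b(processing fee|small fee|wire transfer|gift card)\b", re.I), 3),
    ("link to a bare IP address",
     re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"), 3),
    ("asks you to log in or supply credentials",
     re.compile(r"\b(log ?in|verify|password|pin|cvv)\b", re.I), 1),
]

SCAM_THRESHOLD = 4  # illustrative cut-off; tune against real data


def score_message(msg):
    """Return (score, reasons) for one message dict with subject/body keys."""
    text = f"{msg['subject']}\n{msg['body']}"
    score, reasons = 0, []
    for name, pattern, weight in HEURISTICS:
        if pattern.search(text):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(messages, threshold=SCAM_THRESHOLD):
    """Classify each message as 'likely scam' or 'ok' with its score and reasons."""
    results = []
    for msg in messages:
        score, reasons = score_message(msg)
        verdict = "likely scam" if score >= threshold else "ok"
        results.append({"from": msg["from"], "score": score,
                        "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(f"{r['verdict']:12} score={r['score']:2}  {r['from']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

The first two constructed messages trip several heuristics each (the bank lure mainly on urgency plus the bare-IP link, the lottery lure on the prize and the fee), while the ordinary lunch invitation scores zero. The point of the weighting is that no single keyword condemns a message; it is the combination of pressure, money and a request for action that marks a scam.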

Identity Theft
Identity theft occurs when criminals steal a victim's personal information to commit
criminal acts. Using this stolen information, a criminal takes over the victim's identity and
conducts a range of fraudulent activities in their name.
Cyber criminals commit identity theft by using sophisticated cyber attack tactics, including
social engineering, phishing, and malware. Identity theft can also result from rudimentary
tactics with criminals stealing mail, digging through dumpsters, and listening in on phone
conversations in public places.
The ultimate goal of many cyber attacks is to steal enough information about a victim to
assume their identity and commit fraud. Unfortunately, most people only discover they are
victims of identity theft when they apply for a loan, attempt to open a bank account, apply
for a job, receive a call from a collection agency, or request a new credit card.

What is Identity Fraud?

Identity fraud and identity theft are similar, and the terms can sometimes be used
interchangeably. However, identity fraud is different in that it specifically refers to using
the stolen information, while identity theft may only involve stealing your personal
information. There are several different types of identity fraud, including using a credit
card, taxes, employment, phone or utility bills, bank account information, leases or loans,
and government benefits or documents.
Regardless of the type of fraud, the execution of the attack is similar: The thief uses
account numbers, Social Security numbers, and other personal information to make another
entity believe they are you. They then use that to make or take money.

Effects of Identity Theft

There are several ways identity thieves can use your personal information to their
advantage. Some involve using it to steal money from you, while others require multiple
steps before the thief realizes a profit.

Stolen Money or Benefits

A criminal can use your credit card number, address, and name to buy things with your
card. They can also file a tax return or even use your insurance and other information to get
medical treatment while pretending to be you. If you have airline miles or can get access to
government services like the Special Supplemental Nutrition Program for Women, Infants,
and Children (WIC) or Social Security checks, the thief could use your information to take
advantage of those provisions as well.

Identity Sold on the Dark Web

Once your data has been taken, particularly during a data breach where the thief can grab
many victims' information at once, it may be sold on the dark web. Even though each piece
of information may only yield a few dollars, if a thief has thousands of account numbers,
addresses, and names, their profits can add up quickly.

Impersonation

A thief may pretend to be you on social media or to get a job or apartment. This is
particularly true when there is an element of their own identity that gets in the way of what
they are trying to do, such as a criminal record.
Possible Signs of Identity Theft
Keep an eye out for the following signs that may indicate your identity has been stolen:

1. Discrepancies in your financial statements
2. Unauthorized purchases in your bank statements
3. You get calls from debt collectors about charges you did not initiate
4. You get a letter from the IRS about multiple tax returns
5. You get medical bills for services you never used
6. You see strange charges on your credit card statement
7. You are not getting bills in the mail, which could be because the thief has changed your
address, resulting in your mail getting routed somewhere else
8. You get rejected for a loan even though you usually have good credit, which could mean a
thief was borrowing money in your name and not repaying it

Identity theft, often loosely called identity fraud, is a crime now committed on a huge
scale. It happens when someone steals your personal information in order to commit fraud,
for example by gathering another person's account or transaction details and using them to
make transactions.

Types of Identity Theft:
There are many variants, but some common ones are:
 Criminal Identity Theft – The thief, when stopped or charged by police, presents the victim's stolen identification documents as his own. If the bluff succeeds, the offence is recorded against the victim, who is left to bear the consequences and clear their name.
 Senior Identity Theft – People over 60 are frequent targets. They are sent official-looking correspondence, and the personal information they supply in response is then misused. Seniors should be especially wary of such requests.
 Driver's License Identity Theft – Among the most common forms of ID theft. A driver's license carries the holder's name, address and date of birth, as well as a state-issued license number. Thieves use this information to apply for loans or credit cards, open bank or checking accounts, or buy cars, houses, electronics, jewellery, anything valuable, with everything charged in the owner's name.
 Medical Identity Theft – The victim's health-related information is used to obtain medical services or to submit fraudulent bills, which are then charged to the victim's account or insurance.
 Tax Identity Theft – The attacker uses the victim's taxpayer identification number (in the US, the Social Security Number) to file a return in the victim's name and claim the refund. The victim usually notices only when their own return is rejected as a duplicate or the tax authority sends a notice.
 Social Security Identity Theft – The thief's goal is the victim's Social Security Number (SSN). Because so much other personal data is tied to the SSN, its loss is among the most damaging to an individual.
 Synthetic Identity Theft – Unlike the other types, the thief combines pieces of information gathered from several real people (for example one person's SSN with another's name and a fabricated address) to create a new identity. When that identity is used, every contributing victim can be affected.
 Financial Identity Theft – The most common type. Stolen credentials are used for financial gain. Because the fraud is often carried out slowly and in small amounts, the victim may notice only by checking balances and statements carefully.

Techniques of Identity Theft: Identity thieves sometimes break into corporate databases
for personal data, which takes effort; social-engineering techniques are usually much
easier. Some common techniques are:
 Pretext Calling – Thieves phone the victim pretending to be an employee of a bank or company and ask for financial or personal data, often with the promise of some reward.
 Mail Theft – Credit card offers, statements and other documents carrying account data are taken from an unsecured mailbox.
 Phishing – Emails purporting to come from banks are sent to the victim, carrying malware or a link to a fake login page. When the victim responds, their information is captured by the thieves.
 Internet – Attackers set up public Wi-Fi networks under their own control, lure users into connecting, and bundle spyware with the downloads offered over them.
 Dumpster Diving – A great deal of information has leaked from well-known institutions this way. Thieves search discarded rubbish for account-related documents containing social security numbers and other personal details that were not shredded before disposal.
 Card Verification Value (CVV) Code Requests – The CVV is printed on the back of credit and debit cards and is used to strengthen the security of card-not-present transactions, so attackers ask for it while pretending to be a bank official. A bank will never ask for it.

Steps for Prevention of Identity Theft:
The following methods improve your protection against identity theft:
1. Use strong passwords, and do not share your PIN with anyone, on or off the phone.
2. Enable two-factor authentication for email and other important accounts.
3. Secure all your devices with a password or passcode.
4. Do not install random software from the internet.
5. Do not post sensitive information on social media.
6. Before entering a password or card details at a payment gateway, check the site's authenticity (correct domain name, valid HTTPS certificate).
7. Limit the personal documents and information you carry with you.
8. Change your PINs and passwords regularly, and immediately if you suspect they have been exposed.
9. Do not disclose your information over the phone to unsolicited callers.
10. While travelling, do not disclose personal information to strangers.
11. Never share your Aadhaar/PAN number (in India) with anyone you do not know or trust.
12. Never share your SSN (in the US) with anyone you do not know or trust.
13. Do not make all the personal information on your social media accounts public.
14. Never share an Aadhaar OTP received on your phone with someone over a call.
15. If you receive Aadhaar OTP SMS messages you did not request, treat it as a sign that your Aadhaar number is already in the wrong hands.
16. Do not enter personal data on websites that promise benefits in return.
17. Finally, treat your personal information as something to be guarded.

Protecting Yourself Against Cyber Crime

Cybercrime is any crime that takes place online or primarily online. Cybercriminals often
commit crimes by targeting computer networks or devices. Cybercrime can range from security
breaches to identity theft.

Other cybercrimes include things like "revenge porn," cyber-stalking, harassment, bullying,
and child sexual exploitation.

Terrorists also collaborate on the internet, moving terrorist activities and crimes into cyberspace.

How to protect yourself against cybercrime

Anyone using the internet should exercise some basic precautions. Here are 11 tips you can use
to help protect yourself against the range of cybercrimes out there.

1. Use a full-service internet security suite

Consider trusted security software, such as Norton 360 with LifeLock Select, which provides
all-in-one protection for your devices, online privacy, and identity, and helps protect your
private and financial information when you go online.

2. Use strong passwords

Do not reuse passwords across sites, and change them regularly and immediately after any
known breach. Make them complex: a combination of at least 10 letters, numbers, and symbols,
or a longer passphrase. A password manager can generate and store unique passwords for you.

3. Keep your software updated

This is especially important for your operating system and internet security software.
Cybercriminals frequently use known exploits for flaws in your software to gain access to your
system. Patching those flaws makes it less likely that you will become a cybercrime target.

4. Manage your social media settings

Keep your personal and private information locked down. Social-engineering cybercriminals
can often get what they need from just a few data points, so the less you share publicly, the
better. For instance, if you post your pet's name or reveal your mother's maiden name, you
may be exposing the answers to two common security questions.

5. Strengthen your home network

Start with a strong Wi-Fi encryption passphrase (WPA2 or WPA3) and consider a virtual private
network (VPN). A VPN encrypts all traffic leaving your devices until it reaches the VPN
provider's server, so anyone who intercepts your connection on the local network sees only
encrypted data. Use a VPN whenever you are on a public Wi-Fi network, whether in a library,
café, hotel, or airport.

6. Talk to your children about the internet

You can teach your kids about acceptable use of the internet without shutting down
communication channels. Make sure they know that they can come to you if they are
experiencing any kind of online harassment, stalking, or bullying.

7. Keep up to date on major security breaches

If you do business with a merchant or have an account on a website that has been affected by a
security breach, find out what information the attackers accessed and change your password
immediately, on that site and on any other site where you reused it.

8. Take measures to help protect yourself against identity theft

Identity theft occurs when someone wrongfully obtains your personal data in a way that
involves fraud or deception, typically for economic gain. You might be tricked into giving
personal information over the internet, for instance, or a thief might steal your mail to
access account information. That is why it is important to guard your personal data. A VPN
can also help to protect the data you send and receive online, especially when accessing the
internet on public Wi-Fi.

9. Know that identity theft can happen anywhere

It is smart to know how to protect your identity even when travelling. There are many things
you can do to keep criminals from getting your private information on the road, including
keeping your travel plans off social media and using a VPN when accessing the internet over
your hotel's Wi-Fi network.

10. Keep an eye on the kids

Just as you talk to your kids about the internet, you will also want to help protect them
against identity theft. Identity thieves often target children because their Social Security
numbers and credit histories are frequently a clean slate. You can help guard against this by
being careful when sharing your child's personal information, and by knowing what signs
suggest your child's identity has been compromised.

11. Know what to do if you become a victim

If you believe you have become a victim of a cybercrime, alert the local police and, in some
cases, the FBI and the Federal Trade Commission. This is important even if the crime seems
minor: your report may assist investigators or help stop criminals from taking advantage of
others. If you think cybercriminals have stolen your identity, these are among the steps you
should consider:

 Contact the companies and banks where you know fraud occurred.
 Place fraud alerts and get your credit reports.
 Report identity theft to the FTC.

Denial of Service Attacks

A denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims
to render a computer or other device unavailable to its intended users by interrupting the
device's normal functioning. DoS attacks typically work by overwhelming or flooding a
targeted machine with requests until normal traffic can no longer be processed, resulting in
denial of service to additional users. A DoS attack is characterised by the use of a single
computer to launch the attack.

A distributed denial-of-service (DDoS) attack is a DoS attack that comes from many
distributed sources, for example the compromised machines of a botnet.

How does a DoS attack work?

The primary focus of a DoS attack is to oversaturate the capacity of a targeted machine,
resulting in denial of service to additional requests. The many attack vectors of DoS
attacks can be grouped by their similarities.

DoS attacks typically fall into two categories:

Buffer overflow attacks

An attack type in which the attacker exploits a bug (classically a memory buffer overflow,
but any input the application mishandles) to make the machine consume all available disk
space, memory, or CPU time, or simply crash. This form of exploit often results in sluggish
behaviour, system crashes, or other harmful server behaviour, resulting in denial of
service. Unlike a flood, it needs very little bandwidth.

Flood attacks

By saturating a targeted server with an overwhelming volume of packets, a malicious actor
is able to exhaust server capacity, resulting in denial of service. For most DoS flood
attacks to succeed, the malicious actor must have more available bandwidth than the target.

What are some historically significant DoS attacks?

Historically, DoS attacks typically exploited security vulnerabilities present in network,
software and hardware design. These attacks have become less prevalent as DDoS attacks
have greater disruptive capability and are relatively easy to mount with the available
tools. In practice, most DoS attacks can also be turned into DDoS attacks.

A few common historic DoS attacks include:

 Smurf attack - a DoS attack in which a malicious actor sends ICMP echo requests to
the broadcast address of a vulnerable network with the source address spoofed to that
of the victim, so that every host on that network replies to the victim, flooding the
targeted IP address.

 Ping flood - this simple denial-of-service attack overwhelms a target with ICMP echo
request (ping) packets. By inundating a target with more pings than it can respond to
efficiently, denial of service can occur. This attack can also be used as a DDoS attack.

 Ping of Death - often conflated with a ping flood attack, a ping of death attack
involves sending a malformed packet (an ICMP echo whose fragments reassemble to more
than the 65,535-byte IPv4 maximum) to a targeted machine, resulting in harmful
behaviour such as system crashes.

How can you tell if a computer is experiencing a DoS attack?

While it can be difficult to separate an attack from other network connectivity errors or
heavy bandwidth consumption, some characteristics may indicate an attack is underway.

Indicators of a DoS attack include:

 Atypically slow network performance such as long load times for files or
websites

 The inability to load a particular website such as your web property

 A sudden loss of connectivity across devices on the same network

What is the difference between a DDoS attack and a DoS attack?

The distinguishing difference between DDoS and DoS is the number of sources and
connections used in the attack. Some DoS attacks, such as "low and slow" attacks like
Slowloris, derive their power from their simplicity and the minimal resources they need to
be effective: a single machine holding many HTTP connections open with partial requests can
exhaust a web server's connection pool.

Popular flood attacks include:

 Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic,
or more data in a single request, to a network address than the programmers built the system
to handle. This includes the attacks listed below, in addition to others designed to exploit
bugs specific to certain applications or networks.

 ICMP flood – leverages misconfigured network devices by sending spoofed packets that
ping every computer on the targeted network, instead of just one specific machine. The
network is then triggered to amplify the traffic. This variant is known as the smurf attack;
a ping of death, by contrast, is a single malformed oversized ping, not a flood.

 SYN flood – sends requests to connect to a server (TCP SYN segments) but never completes
the three-way handshake. The server keeps each half-open connection in its backlog until it
times out; the flood continues until the backlog is saturated and no slots are available for
legitimate users to connect.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to
crash. In these attacks, input is sent that takes advantage of bugs in the target that
subsequently crash or severely destabilise the system so that it cannot be accessed or used.

An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A
DDoS attack occurs when multiple systems orchestrate a synchronised DoS attack against a
single target. The essential difference is that instead of being attacked from one location,
the target is attacked from many locations at once. The distribution of hosts that defines a
DDoS gives the attacker multiple advantages:

 The attacker can leverage the greater volume of machines to execute a seriously disruptive attack
 The location of the attack is difficult to pin down due to the random distribution of attacking systems (often worldwide)
 It is more difficult to shut down multiple machines than one
 The true attacking party is very difficult to identify, as they are disguised behind many (mostly compromised) systems
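
To make the DoS versus DDoS distinction concrete, here is an added Python example (written for these notes, not taken from the original source) that examines a constructed log of TCP handshake events and reports how many connections each source address left half-open, the SYN-flood signature described above. It then applies a simple rule: if the half-open count exceeds a threshold and one source accounts for most of it, the verdict is a single-source DoS; if the same volume is spread thinly across many sources, it is a DDoS. The thresholds, addresses and event format are assumptions made for the example.

```python
from collections import Counter

# Event format (constructed for this example): (time_seconds, source_ip, flag)
# where flag "S" is a client SYN arriving and "A" is the client's final ACK
# that completes the three-way handshake.


def legitimate_clients(start=0.0):
    """Three clients that each complete the handshake normally."""
    events, t = [], start
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        events.append((t, ip, "S"))
        t += 0.01
        events.append((t, ip, "A"))
        t += 0.01
    return events


def single_source_flood():
    """Normal traffic plus 200 SYNs from one host that never completes them."""
    events = legitimate_clients()
    t = events[-1][0]
    for _ in range(200):
        t += 0.001
        events.append((t, "198.51.100.9", "S"))
    return events


def distributed_flood():
    """Normal traffic plus 100 hosts sending 3 unanswered SYNs each (300 total)."""
    events = legitimate_clients()
    t = events[-1][0]
    for i in range(1, 101):
        for _ in range(3):
            t += 0.001
            events.append((t, f"192.0.2.{i}", "S"))
    return events


def half_open_by_source(events):
    """SYNs minus completing ACKs per source; anything left over is a
    connection the client started but never finished."""
    syn, ack = Counter(), Counter()
    for _t, src, flag in events:
        if flag == "S":
            syn[src] += 1
        elif flag == "A":
            ack[src] += 1
    return {src: max(syn[src] - ack[src], 0) for src in syn}


def classify(events, half_open_threshold=50, single_source_share=0.8):
    """Return a verdict dict: 'normal', 'dos' (one source dominates) or 'ddos'."""
    pending = half_open_by_source(events)
    total = sum(pending.values())
    top = sorted(pending.items(), key=lambda kv: kv[1], reverse=True)[:5]
    if total < half_open_threshold:
        verdict = "normal"
    elif top[0][1] / total >= single_source_share:
        verdict = "dos"
    else:
        verdict = "ddos"
    return {"verdict": verdict, "half_open": total, "top_sources": top}


if __name__ == "__main__":
    for name, events in (("legitimate", legitimate_clients()),
                         ("single-source flood", single_source_flood()),
                         ("distributed flood", distributed_flood())):
        r = classify(events)
        print(f"{name:20} verdict={r['verdict']:6} half_open={r['half_open']:4} "
              f"top={r['top_sources'][:2]}")
```

The single-source case is the easy one to block: a firewall rule for 198.51.100.9 ends it. In the distributed case each of the hundred sources sends only three SYNs, well under any per-host rate limit, which is exactly why defenders fall back on SYN cookies or upstream scrubbing rather than per-address blocking.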

Illustrating an Attack (diagram not reproduced in these notes)
The 17 Most Common Types of Cyber Attacks

1. Malware-based attacks
2. Phishing attacks
3. Man-in-the-middle attacks
4. Denial of Service attacks
5. SQL injection attacks
6. DNS tunneling
7. Zero-day exploits
8. Password attacks
9. Drive-by download attacks
10. Cross-site scripting (XSS) attacks
11. Rootkits
12. DNS spoofing
13. Internet of Things (IoT) attacks
14. Session hijacking
15. URL manipulation
16. Cryptojacking
17. Inside threats
The Different Types of DoS Attacks
Here are a few of the different types of DoS attacks:

Buffer Overflow
Buffer Overflow is a common type of DoS attack. It relies on sending input to a network
resource that exceeds what the system was built to handle; for instance, in older versions
of Microsoft Outlook an over-long (256-character) attachment file name could crash the
client.

Smurf Attack (ICMP Flood)
Attackers send spoofed ICMP echo requests, with the victim's address as the source, to the
broadcast address of a network so that every host on it replies to the target. The target is
flooded with responses to packets it never sent. It is also known as an Internet Control
Message Protocol (ICMP) flood by amplification.

Ping of Death
Attackers send an ICMP echo request whose fragments reassemble to a datagram larger than
the 65,535-byte IPv4 maximum. Older systems that did not check the reassembled size crashed
while reassembling it. It is often confused with the smurf attack or ping flood, but it is a
malformed-packet attack, not a flood.

SYN Flood
A SYN Flood attack exploits the Transmission Control Protocol (TCP) three-way handshake,
the method a client and server use to establish a connection. The attacker sends many SYN
segments but never completes the handshake, leaving the server with half-open connections
that occupy its backlog until they time out. Attackers keep sending SYNs, saturating the
backlog so that legitimate clients cannot connect.

Teardrop
In a teardrop attack, IP datagram fragments whose offsets overlap are sent to the target.
When the target tries to reassemble them into the original packet, the overlapping offsets
produce inconsistent lengths that the reassembly code was never written to handle; on
vulnerable systems this crashes the host, since the fragments can never be put back
together correctly.
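
The teardrop and ping-of-death entries above are both failures of IPv4 fragment reassembly, so here is an added Python example (written for these notes, not from the original source) of the checks a hardened reassembler performs before trusting a fragment set. The fragment tuples are constructed for the example: (byte offset, payload length, more-fragments flag) for the fragments of one datagram, with offsets given in bytes rather than the 8-byte units of the IP header. The function rejects overlapping fragments (teardrop) and any set whose reassembled datagram would exceed the 65,535-byte IPv4 maximum (ping of death), as well as gaps, misaligned offsets and a missing final fragment.

```python
IPV4_MAX_TOTAL_LENGTH = 65535   # 16-bit Total Length field, RFC 791
IPV4_HEADER_LENGTH = 20         # minimal header; options would add to it


def check_fragments(frags):
    """Validate the fragments of one IPv4 datagram.

    frags: iterable of (offset_bytes, payload_len, more_fragments) tuples.
    Returns (ok, reason). ok is True only if the fragments form a contiguous,
    non-overlapping, complete datagram that fits the IPv4 length limit.
    """
    frags = sorted(frags, key=lambda f: f[0])
    if not frags:
        return False, "no fragments"
    expected_offset = 0
    for offset, length, more in frags:
        if offset % 8 != 0:
            return False, f"offset {offset} is not a multiple of 8"
        if length <= 0:
            return False, f"fragment at offset {offset} has no payload"
        if offset < expected_offset:
            # The new fragment starts inside data we already hold: overlap.
            return False, f"overlapping fragment at offset {offset} (teardrop)"
        if offset > expected_offset:
            return False, f"gap before offset {offset}; datagram incomplete"
        if more and length % 8 != 0:
            return False, (f"non-final fragment at offset {offset} has length "
                           f"{length}, not a multiple of 8")
        expected_offset = offset + length
        if IPV4_HEADER_LENGTH + expected_offset > IPV4_MAX_TOTAL_LENGTH:
            return False, (f"reassembled datagram would be "
                           f"{IPV4_HEADER_LENGTH + expected_offset} bytes, "
                           f"over the 65535 limit (ping of death)")
    if frags[-1][2]:
        return False, "last fragment has MF set; datagram incomplete"
    return True, f"reassembled {expected_offset} payload bytes"


# Constructed fragment sets for the example (offsets in bytes).
NORMAL_PING = [(0, 1480, True), (1480, 20, False)]           # 1500-byte payload
TEARDROP = [(0, 1480, True), (1400, 200, False)]             # second overlaps first
PING_OF_DEATH = ([(i * 1480, 1480, True) for i in range(44)]   # covers 0 .. 65120
                 + [(65120, 392, True), (65512, 100, False)])  # ends at 65612 bytes

if __name__ == "__main__":
    for name, frags in (("normal ping", NORMAL_PING), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        ok, reason = check_fragments(frags)
        print(f"{name:14} {'accept' if ok else 'reject'}: {reason}")
```

The order of the checks matters: the overlap and gap tests are done against the running end of the data already accepted, so a fragment that lies partly inside an earlier one is rejected before any memory is copied, and the size test runs on every fragment rather than only at the end, so an oversized set is rejected as soon as it crosses the limit.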

Malware:
Introduction
Malware, short for malicious software, refers to any intrusive software developed by
cybercriminals (often called hackers) to steal data and damage or destroy computers and
computer systems. Examples of common malware include viruses, worms, Trojan horses,
spyware, adware, and ransomware.

Malware is harmful software that invades or corrupts your computer or network. Its goal is
to cause havoc and steal information or resources for monetary gain or out of sheer
sabotage intent. Malware is typically used for one or more of the following purposes:

Intelligence and intrusion
Exfiltrates data such as emails, plans, and especially sensitive information like passwords.

Disruption and extortion
Locks up networks and PCs, making them unusable. If it holds your computer hostage for
financial gain, it is called ransomware.

Destruction or vandalism
Destroys computer systems to damage your network infrastructure.

Stealing computer resources
Uses your computing power to run botnets, cryptomining programs (cryptojacking), or
send spam emails.

Monetary gain
Sells your organization's intellectual property on the dark web.
7 types of malware

Virus
Viruses are a subgroup of malware. A virus is malicious software attached to a document
or file that supports macros to execute its code and spread from host to host. Once
downloaded, the virus will lie dormant until the file is opened and in use. Viruses are
designed to disrupt a system's ability to operate. As a result, viruses can cause significant
operational issues and data loss.

Worms
A worm is a type of malicious software that rapidly replicates and spreads to any device
within the network. Unlike viruses, worms do not need host programs to disseminate. A
worm infects a device through a downloaded file or a network connection before it
multiplies and disperses at an exponential rate. Like viruses, worms can severely disrupt
the operations of a device and cause data loss.

Trojan horse
Trojan horses (often loosely called Trojan viruses) are disguised as helpful software
programs. Once the user installs one, it can give the attacker access to sensitive data,
which it may then modify, block, or delete, or open a backdoor for further malware. This
can be extremely harmful to the device. Unlike viruses and worms, Trojans are not designed
to self-replicate.

Spyware
Spyware is malicious software that runs secretly on a computer and reports back to a
remote user. Rather than simply disrupting a device's operations, spyware targets sensitive
information and can grant remote access to predators. Spyware is often used to steal
financial or personal information. A specific type of spyware is a keylogger, which records
your keystrokes to reveal passwords and personal information.
Adware
Adware is malicious software used to collect data on your computer usage and provide
appropriate advertisements to you. While adware is not always dangerous, in some cases
adware can cause issues for your system. Adware can redirect your browser to unsafe sites,
and it can even contain Trojan horses and spyware. Additionally, significant levels of
adware can slow down your system noticeably. Because not all adware is malicious, it is
important to have protection that constantly and intelligently scans these programs.

Ransomware
Ransomware is malicious software that gains access to sensitive information within a
system, encrypts that information so that the user cannot access it, and then demands a
financial payout for the data to be released. Ransomware is commonly part of a phishing
scam. By clicking a disguised link, the user downloads the ransomware. The attacker
proceeds to encrypt specific information that can only be opened by a mathematical key
they know. When the attacker receives payment, the data is unlocked.

Fileless malware
Fileless malware is a type of memory-resident malware. As the term suggests, it is malware
that operates from a victim's computer's memory, not from files on the hard drive. Because
there are no files to scan, it is harder to detect than traditional malware. It also makes
forensics more difficult because the malware disappears when the victim computer is
rebooted. In late 2017, the Cisco Talos threat intelligence team posted an example of
fileless malware that they called DNSMessenger.

Viruses, Trojan Horses

What is a virus?
A computer virus is a program that spreads by first infecting files or system areas of a
computer's storage and then making copies of itself. Some viruses are harmless, others may
damage data files, and some may destroy files. Viruses used to spread when people shared
floppy disks and other portable media; now they are primarily spread through email
messages and downloads.

Unlike worms, viruses often require some sort of user action (e.g., opening an email
attachment or visiting a malicious web page) to spread.

What do viruses do?

A virus is simply a computer program--it can do anything that any other program you run
on your computer can do. Some viruses are designed to deliberately damage files, and
others may just spread to other computers.

What is a worm?
A worm is self-replicating malware, similar to a virus, that can spread without human
interaction. Worms often spread from computer to computer over the network and take up
valuable memory and network bandwidth, which can cause a computer to stop responding.
Worms can also allow attackers to gain remote access to your computer.
What is a Trojan horse?
A Trojan horse is a computer program that is hiding a virus or other potentially damaging
program. A Trojan horse can be a program that purports to do one action when, in fact, it is
performing a malicious action on your computer. Trojan horses can be included in software
that you download for free or as attachments in email messages.

What are some tips to avoid viruses and lessen their impact?

 Install anti-virus software from a reputable vendor. Update it and use it regularly.
 In addition to scanning for viruses on a regular basis, install an "on access" scanner
(included in most anti-virus software packages) and configure it to start each time
you start up your computer. This will protect your system by checking for viruses
each time you run an executable file.
 Use a virus scan before you open any new programs or files that may contain
executable code. This includes packaged software that you buy from the store as
well as any program you might download from the Internet.
 If you are a member of an online community or chat room, be very careful about
accepting files or clicking links that you find or that people send you within the
community.
 Make sure you back up your data (documents, bookmark files, important email
messages, etc.) on disc so that in the event of a virus infection, you do not lose
valuable work.

Common Signs of Computer Viruses

Chances are you’ve heard how important it is to keep viruses out, but what is a computer
virus exactly? A computer virus will more than likely have an adverse effect on the device
it resides on and may be discoverable through common signs of performance loss,
including:

Speed of System

A computer system running slower than usual is one of the most common signs that the
device has a virus. This includes the system itself running slowly, as well as applications
and internet speed suffering. If a computer does not have powerful applications or
programs installed and is running slowly, then it may be a sign it is infected with a virus.

Pop-up Windows

Unwanted pop-up windows appearing on a computer or in a web browser are a telltale sign
of a computer virus. Unwanted pop-ups are a sign of malware, viruses,
or spyware affecting a device.
Programs Closing or Failing to Start by Themselves

If computer programs unexpectedly close by themselves, the software may have been
infected with some form of virus or malware. Another indicator of a virus is when
applications fail to load when selected from the Start menu or their desktop icon. When
that happens, the next step should be to perform a virus scan and remove any files or
programs that are not safe to use.

Accounts Being Logged Out

Some viruses are designed to affect specific applications, which will either cause them to
crash or force the user to automatically log out of the service.

Crashing of the Device

System crashes and the computer itself unexpectedly closing down are common indicators
of a virus. Computer viruses cause computers to act in a variety of strange ways, which
may include opening files by themselves, displaying unusual error messages, or clicking
keys at random.

Mass Emails Being Sent from Your Email Account

Computer viruses are commonly spread via email. Hackers can use other people's email
accounts to spread malware and carry out wider cyberattacks. Therefore, if an email
account has sent emails in the outbox that a user did not send, then this could be a sign of a
computer virus.

Changes to Your Homepage

Any unexpected changes to a computer—such as your system’s homepage being amended
or any browser settings being updated—are signs that a computer virus may be present on
the device.

How Do Computer Viruses Attack and Spread?

In the early days of computers, viruses were spread between devices using floppy disks.
Nowadays, viruses can still be spread via hard disks and Universal Serial Bus (USB)
devices, but they are more likely to be passed between devices through the internet.

Computer viruses can be spread via email, with some even capable of hijacking email
software to spread themselves. Others may attach to legitimate software, within software
packs, or infect code, and other viruses can be downloaded from compromised application
stores and infected code repositories. A key feature of any computer virus is that it requires a
victim to execute its code or payload, which means the host application must be running.

Types of Computer Viruses

There are several types of computer viruses that can infect devices. This section will cover
computer virus protections and how to get rid of computer viruses.

Resident Virus

Viruses propagate themselves by infecting applications on a host computer. A resident
virus achieves this by infecting applications as they are opened by a user. A non-resident
virus is capable of infecting executable files when programs are not running.

Multipartite Virus

A multipartite virus uses multiple methods to infect and spread across computers. It will
typically remain in the computer’s memory to infect the hard disk, then spread through and
infect more drives by altering the content of applications. This results in performance lag
and application memory running low.

Multipartite viruses can be avoided by not opening attachments from untrusted sources and
by installing trusted antivirus software. It can also be prevented by cleaning the boot sector
and the computer’s entire disk.

Direct Action

A direct action virus accesses a computer’s main memory and infects all programs, files,
and folders located in the autoexec.bat path, before deleting itself. This virus typically
alters the performance of a system but is capable of destroying all data on the computer’s
hard disk and any USB device attached to it. Direct action viruses can be avoided through
the use of antivirus scanners. They are easy to detect, as is restoring infected files.

Browser Hijacker

A browser hijacker manually changes the settings of web browsers, such as replacing the
homepage, editing the new tab page, and changing the default search engine. Technically,
it is not a virus because it cannot infect files but can be hugely damaging to computer
users, who often will not be able to restore their homepage or search engine. It can also
contain adware that causes unwanted pop-ups and advertisements.

Browser hijackers typically attach to free software and malicious applications from
unverified websites or app stores, so only use trusted software and reliable antivirus
software.

Overwrite Virus

Overwrite viruses are extremely dangerous. They can delete data and replace it with their
own file content or code. Once files get infected, they cannot be replaced, and the virus can
affect Windows, DOS, Linux, and Apple systems. The only way this virus can be removed
is by deleting all of the files it has infected, which could be devastating. The best way to
protect against the overwrite virus is to use a trusted antivirus solution and keep it updated.

Web Scripting Virus

A web scripting virus attacks web browser security, enabling a hacker to inject web pages
with malicious code, or client-side scripting. This allows cyber criminals to attack major
websites, such as social networking sites, email providers, and any site that enables user
input or reviews. Attackers can use the virus to send spam, commit fraudulent activity, and
damage server files.

Protecting against web scripting is reliant on deploying real-time web browser protection
software, using cookie security, disabling scripts, and using malicious software removal
tools.

File Infector

A file infector is one of the most common computer viruses. It overwrites files when they
are opened and can quickly spread across systems and networks. It largely affects files with
.exe or .com extensions. The best way to avoid file infector viruses is to only download
official software and deploy an antivirus solution.

Network Virus

Network viruses are extremely dangerous because they can completely cripple entire
computer networks. They are often difficult to discover, as the virus could be hidden within
any computer on an infected network. These viruses can easily replicate and spread by
using the internet to transfer to devices connected to the network. Trusted, robust antivirus
solutions and advanced firewalls are crucial to protecting against network viruses.

Boot Sector Virus

A boot sector virus targets a computer’s master boot record (MBR). The virus injects its
code into a hard disk’s partition table, then moves into the main memory when a computer
restarts. The presence of the virus is signified by boot-up problems, poor system
performance, and the computer being unable to locate the hard disk. Most modern computers come
with boot sector safeguards that restrict the potential of this type of virus.

How To Prevent Your Computer From Viruses
There are several ways to protect your computer from viruses, including:

1. Use a Trusted Antivirus Product

Trusted computer antivirus products are crucial to stop malware attacks and prevent
computers from being infected with viruses. These antivirus concepts will protect devices
from being infected through regular scans and identifying and blocking malware.

2. Avoid Clicking Pop-up Advertisements

Unwanted pop-up advertisements are more than likely to be linked to computer viruses and
malware. Never click on pop-up advertisements because this can lead to inadvertently
downloading viruses onto a computer.

3. Scan Your Email Attachments

A popular way to protect your device from computer viruses is to avoid suspicious email
attachments, which are commonly used to spread malware. Computer antivirus solutions
can be used to scan email attachments for potential viruses.

4. Scan the Files That You Download Using File-sharing Programs

File-sharing programs, particularly unofficial sites, are also popular resources for attackers
to spread computer viruses. Avoid downloading applications, games, or software from
unofficial sites, and always scan files that have been downloaded from any file-sharing
program.

Is Trojan a Virus?

A Trojan horse is a type of program that pretends to be something it is not to get onto a
device and infect it with malware. Therefore, a Trojan horse virus is a virus disguised to
look like something it is not. For example, viruses can be hidden within unofficial games,
applications, file-sharing sites, and bootlegged movies.

Is a Worm a Virus?

A computer worm is not a virus. Worms do not need a host system and can spread between
systems and networks without user action, whereas a virus requires users to execute its
code.

Is Ransomware a Virus?

Ransomware is when attackers lock victims out of their system or files and demand a
ransom to unlock access. Viruses can be used to carry out ransomware attacks.

Is Rootkit a Virus?

A rootkit is not a virus. Rootkits are software packages that give attackers access to
systems. They cannot self-replicate or spread across systems.

Is a Software Bug a Virus?

"Bug" is a common word used to describe problems with computers, but a software bug is
not a virus. A bug is a flaw or mistake in software code, which hackers can exploit to
launch a cyberattack or spread malware.

What Is a Trojan Horse Virus?
A Trojan Horse Virus is a type of malware that downloads onto a computer disguised as a
legitimate program. The delivery method typically sees an attacker use social
engineering to hide malicious code within legitimate software in order to gain access to
users' systems through that software.

A simple way to answer the question "what is a Trojan" is that it is a type of malware that
is typically hidden as an attachment in an email or a free-to-download file, then transfers
onto the user’s device. Once downloaded, the malicious code will execute the task the
attacker designed it for, such as gaining backdoor access to corporate systems, spying on users’
online activity, or stealing sensitive data.

Most Common Types of Trojan Malware


There are many types of Trojan horse viruses that cyber criminals use to carry out different
actions and different attack methods. The most common types of Trojan used include:

1. Backdoor Trojan: A backdoor Trojan enables an attacker to gain remote access to a
computer and take control of it using a backdoor. This enables the malicious actor to do
whatever they want on the device, such as deleting files, rebooting the computer, stealing
data, or uploading malware. A backdoor Trojan is frequently used to create a botnet
through a network of zombie computers.
2. Banker Trojan: A banker Trojan is designed to target users’ banking accounts and
financial information. It attempts to steal account data for credit and debit cards, e-payment
systems, and online banking systems.
3. Distributed denial-of-service (DDoS) Trojan: These Trojan programs carry out attacks
that overload a network with traffic. They send multiple requests from a computer or a
group of computers to overwhelm a target web address and cause a denial of service.
4. Downloader Trojan: A downloader Trojan targets a computer that has already been
infected by malware, then downloads and installs more malicious programs to it. This
could be additional Trojans or other types of malware like adware.
5. Exploit Trojan: An exploit malware program contains code or data that takes advantage of
specific vulnerabilities within an application or computer system. The cyber criminal will
target users through a method like a phishing attack, then use the code in the program to
exploit a known vulnerability.
6. Fake antivirus Trojan: A fake antivirus Trojan simulates the actions of legitimate
antivirus software. The Trojan is designed to detect and remove threats like a regular
antivirus program, then extort money from users for removing threats that may be
nonexistent.
7. Game-thief Trojan: A game-thief Trojan is specifically designed to steal user account
information from people playing online games.
8. Instant messaging (IM) Trojan: This type of Trojan targets IM services to steal users’
logins and passwords. It targets popular messaging platforms such as AOL Instant
Messenger, ICQ, MSN Messenger, Skype, and Yahoo Pager.
9. Infostealer Trojan: This malware can either be used to install Trojans or prevent the user
from detecting the existence of a malicious program. The components of infostealer
Trojans can make it difficult for antivirus systems to discover them in scans.
10. Mailfinder Trojan: A mailfinder Trojan aims to harvest and steal email addresses that
have been stored on a computer.
11. Ransom Trojan: Ransom Trojans seek to impair a computer’s performance or block data
on the device so that the user can no longer access or use it. The attacker will then hold the
user or organization ransom until they pay a ransom fee to undo the device damage or
unlock the affected data.
12. Remote access Trojan: Similar to a backdoor Trojan, this strand of malware gives the
attacker full control of a user’s computer. The cyber criminal maintains access to the
device through a remote network connection, which they use to steal information or spy on
a user.
13. Rootkit Trojan: A rootkit is a type of malware that conceals itself on a user’s computer.
Its purpose is to stop malicious programs from being detected, which enables malware to
remain active on an infected computer for a longer period.
14. Short message service (SMS) Trojan: An SMS Trojan infects mobile devices and is
capable of sending and intercepting text messages. This includes sending messages to
premium-rate phone numbers, which increases the costs on a user’s phone bill.
15. Spy Trojan: Spy Trojans are designed to sit on a user’s computer and spy on their activity.
This includes logging their keyboard actions, taking screenshots, accessing the applications
they use, and tracking login data.
16. SUNBURST: The SUNBURST trojan was distributed to numerous SolarWinds Orion
Platform installations. Victims were compromised by trojanized versions of a legitimate,
digitally signed SolarWinds file named SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file
is a backdoor. Once on a target machine, it remains dormant for a two-week period and
then retrieves commands that allow it to transfer files, execute commands, perform reconnaissance,
and reboot the machine or halt system services. Communication occurs over HTTP to predetermined URIs.

How To Recognize a Trojan Virus

A Trojan horse virus can often remain on a device for months without the user knowing
their computer has been infected. However, telltale signs of the presence of a Trojan
include computer settings suddenly changing, a loss in computer performance, or unusual
activity taking place. The best way to recognize a Trojan is to search a device using a
Trojan scanner or malware-removal software.

How To Protect Yourself from Trojan Viruses


Examples of Trojan Horse Virus Attacks

Trojan attacks have been responsible for causing major damage by infecting computers and
stealing user data. Well-known examples of Trojans include:

1. Rakhni Trojan: The Rakhni Trojan delivers ransomware or a cryptojacker tool—which
enables an attacker to use a device to mine cryptocurrency—to infect devices.
2. Tiny Banker: Tiny Banker enables hackers to steal users’ financial details. It was
discovered when it infected at least 20 U.S. banks.
3. Zeus or Zbot: Zeus is a toolkit that targets financial services and enables hackers to build
their own Trojan malware. The source code uses techniques like form grabbing and
keystroke logging to steal user credentials and financial details.

The Buffer-Overflow Attack


Buffers are memory storage regions that temporarily hold data while it is being transferred
from one location to another. A buffer overflow (or buffer overrun) occurs when the volume
of data exceeds the storage capacity of the memory buffer. As a result, the program
attempting to write the data to the buffer overwrites adjacent memory locations.

For example, a buffer for log-in credentials may be designed to expect username and
password inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes
more than expected), the program may write the excess data past the buffer boundary.

Buffer overflows can affect all types of software. They typically result from malformed
inputs or failure to allocate enough space for the buffer. If the transaction overwrites
executable code, it can cause the program to behave unpredictably and generate incorrect
results, memory access errors, or crashes.

Types of Buffer Overflow Attacks

Stack-based buffer overflows are more common, and leverage stack memory that only
exists during the execution time of a function.

Heap-based attacks are harder to carry out and involve flooding the memory space allocated
for a program beyond memory used for current runtime operations.

What Programming Languages are More Vulnerable?

C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they
don’t have built-in safeguards against overwriting or accessing data in their memory. Mac
OS X, Windows, and Linux all use code written in C and C++.

Languages such as Perl, Java, JavaScript, and C# use built-in safety mechanisms that
minimize the likelihood of buffer overflow.

How to Prevent Buffer Overflows

Developers can protect against buffer overflow vulnerabilities via security measures in their
code, or by using languages that offer built-in protection.

In addition, modern operating systems have runtime protection. Three common protections
are:

- Address space randomization (ASLR)—randomly moves around the address space
locations of data regions. Typically, buffer overflow attacks need to know the locality of
executable code, and randomizing address spaces makes this virtually impossible.
- Data execution prevention—flags certain areas of memory as non-executable or executable,
which stops an attack from running code in a non-executable region.
- Structured exception handler overwrite protection (SEHOP)—helps stop malicious code
from attacking Structured Exception Handling (SEH), a built-in system for managing
hardware and software exceptions. It thus prevents an attacker from being able to make use of
the SEH overwrite exploitation technique. At a functional level, an SEH overwrite is
achieved using a stack-based buffer overflow to overwrite an exception registration record,
stored on a thread’s stack.

What Is Buffer Overflow?


Buffer overflow is a software coding error or vulnerability that can be exploited by hackers
to gain unauthorized access to corporate systems. It is one of the best-known software
security vulnerabilities yet remains fairly common. This is partly because buffer overflows
can occur in various ways and the techniques used to prevent them are often error-prone.

The software error focuses on buffers, which are sequential sections of computing memory
that hold data temporarily as it is transferred between locations. Also known as a buffer
overrun, buffer overflow occurs when the amount of data in the buffer exceeds its storage
capacity. That extra data overflows into adjacent memory locations and corrupts or
overwrites the data in those locations.

What Is a Buffer Overflow Attack?

A buffer overflow attack takes place when an attacker manipulates the coding error to carry
out malicious actions and compromise the affected system. The attacker alters the
application’s execution path and overwrites elements of its memory, which amends the
program’s execution path to damage existing files or expose data.

A buffer overflow attack typically involves violating the memory-safety assumptions of the
programming language by writing past the bounds of the buffers the data is stored in. Most
buffer overflows are caused by the combination of manipulating memory and mistaken
assumptions around the composition or size of data.

A buffer overflow vulnerability will typically occur when code:

1. Is reliant on external data to control its behavior
2. Is dependent on data properties that are enforced beyond its immediate scope
3. Is so complex that programmers are not able to predict its behavior accurately

Buffer Overflow Exploits

The buffer overflow exploit techniques a hacker uses depend on the architecture and
operating system being used by their target. However, the extra data they issue to a
program will likely contain malicious code that enables the attacker to trigger additional
actions and send new instructions to the application.

For example, introducing additional code into a program could send it new instructions that
give the attacker access to the organization’s IT systems. In the event that an attacker
knows a program’s memory layout, they may be able to intentionally input data that cannot
be stored by the buffer. This will enable them to overwrite memory locations that store
executable code and replace it with malicious code that allows them to take control of the
program.

Attackers use a buffer overflow to corrupt a web application’s execution stack, execute
arbitrary code, and take over a machine. Buffer overflow flaws can exist in both
application servers and web servers, especially web applications that use libraries like
graphics libraries. Buffer overflows can also exist in custom web application code. This is
more likely because such code is given less scrutiny by security teams, but it is less likely to be
discovered by hackers and more difficult to exploit.

Buffer Overflow Consequences

Common consequences of a buffer overflow attack include the following:

1. System crashes: A buffer overflow attack will typically lead to the system crashing. It may
also result in a lack of availability and programs being put into an infinite loop.
2. Access control loss: A buffer overflow attack will often involve the use of arbitrary code,
which is often outside the scope of programs’ security policies.
3. Further security issues: When a buffer overflow attack results in arbitrary code execution,
the attacker may use it to exploit other vulnerabilities and subvert other security services.

Types of Buffer Overflow Attacks


There are several types of buffer overflow attacks that attackers use to exploit
organizations’ systems. The most common are:

1. Stack-based buffer overflows: This is the most common form of buffer overflow attack.
The stack-based approach occurs when an attacker sends data containing malicious code to
an application, which stores the data in a stack buffer. This overwrites the data on the
stack, including its return pointer, which hands control of execution to the attacker.
2. Heap-based buffer overflows: A heap-based attack is more difficult to carry out than the
stack-based approach. It involves the attack flooding a program’s memory space beyond
the memory it uses for current runtime operations.
3. Format string attack: A format string exploit takes place when an application processes
input data as a command or does not validate input data effectively. This enables the
attacker to execute code, read data in the stack, or cause segmentation faults in the
application. This could trigger new actions that threaten the security and stability of the
system.

Which Programming Languages Are More Vulnerable?

Nearly all applications, web servers, and web application environments are vulnerable to
buffer overflows. Environments that are written in interpreted languages, such as Java and
Python, are immune to the attacks, with the exception of overflows in their interpreter.

Buffer overflow attacks are typically caused by coding errors and mistakes in application
development. This results in buffer overflow as the application does not allocate
appropriately sized buffers and fails to check for overflow issues. These issues are
particularly problematic in the programming language C/C++ as it does not have buffer
overflow protection built in.

This programming language is not the only one vulnerable to buffer overflow attacks. A
buffer overflow program in Assembly, C, C++ or Fortran is also particularly vulnerable
and more likely to enable attackers to compromise a system. However, applications written
in JavaScript or Perl are typically less vulnerable to buffer overflow attacks.

How to Prevent Buffer Overflows

Application developers can prevent buffer overflows by building security measures into
their development code, using programming languages that include built-in protection, and
regularly testing code to detect and fix errors.

One of the most common methods for preventing buffer overflows is avoiding standard
library functions that have not been bounds-checked, which includes gets, scanf, and
strcpy. Another common method is to prevent buffer overruns by using bounds-checking
that is enforced at runtime. This automatically checks that the data written to a buffer is
within the appropriate boundaries.
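The unsafe copy named above (strcpy, scanf with no width) beside two bounds-checked replacements, using the 8-byte credential field and 10-byte input from the earlier example. This is an added illustration in C, not code from the lecture notes; the struct, field size and function names are constructed for it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: the 8-byte credential field from the text, with one
 * adjacent variable so the effect of an overrun is easy to picture. */
#define FIELD_MAX 8

struct login_record {
    char username[FIELD_MAX];   /* room for 7 characters plus the NUL terminator */
    int  is_admin;              /* sits right after the buffer in memory */
};

/* Vulnerable pattern the text names: strcpy() never looks at the size of the
 * destination, so a 10-byte input writes 11 bytes (10 chars + NUL) into an
 * 8-byte field and spills into whatever follows it, here is_admin.
 * Kept only for comparison; the example below never feeds it oversized input. */
void set_username_unsafe(struct login_record *rec, const char *input)
{
    strcpy(rec->username, input);
}

/* Hardened form 1: measure the input against the field size first and refuse
 * anything that would not fit, rather than truncating silently.
 * Returns 0 on success, -1 when the input is rejected. */
int set_username_checked(struct login_record *rec, const char *input)
{
    size_t len = 0;
    while (len < FIELD_MAX && input[len] != '\0')   /* bounded length scan */
        len++;
    if (len >= FIELD_MAX) {           /* 8 or more chars: no room for the NUL */
        rec->username[0] = '\0';
        return -1;
    }
    memcpy(rec->username, input, len + 1);          /* copy the NUL as well */
    return 0;
}

/* Hardened form 2: the bounded replacement for scanf("%s"). The width 7
 * (FIELD_MAX - 1) tells sscanf to stop after seven characters, so the call
 * itself can never overrun tmp; the trailing %c detects whether any input
 * was left over, in which case the value was too long and is rejected. */
int set_username_scanf(struct login_record *rec, const char *input)
{
    char tmp[FIELD_MAX];
    char extra;
    int n = sscanf(input, "%7s%c", tmp, &extra);
    if (n != 1) {                     /* EOF/0: nothing read; 2: input too long */
        rec->username[0] = '\0';
        return -1;
    }
    memcpy(rec->username, tmp, strlen(tmp) + 1);
    return 0;
}

int main(void)
{
    struct login_record rec = { "", 0 };
    const char *ok_input  = "alice";        /* 5 bytes: fits */
    const char *bad_input = "AAAAAAAAAA";   /* 10 bytes: the text's 2-byte overrun */

    set_username_unsafe(&rec, ok_input);    /* only safe because this input fits */
    printf("checked \"%s\": %d\n", ok_input,  set_username_checked(&rec, ok_input));
    printf("checked \"%s\": %d\n", bad_input, set_username_checked(&rec, bad_input));
    printf("sscanf  \"%s\": %d\n", bad_input, set_username_scanf(&rec, bad_input));
    printf("is_admin still %d\n", rec.is_admin);
    return 0;
}
```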

Modern operating systems now deploy runtime protection that enables additional security
against buffer overflows. This includes common protection like:
1. Address space layout randomization (ASLR): Buffer overflow attacks typically need to
know where executable code is located. ASLR moves at random around locations of data
regions to randomize address spaces, which makes overflow attacks almost impossible.
2. Data execution prevention: This method prevents an attack from being able to run code in
non-executable regions by flagging areas of memory as executable or non-executable.
3. Structured exception handling overwrite protection (SEHOP): Attackers may look to
overwrite the structured exception handling (SEH), which is a built-in system that manages
hardware and software exceptions. They do this through a stack-based overflow attack to
overwrite the exception registration record, which is stored on the program’s stack. SEHOP
prevents attackers’ malicious code from being able to attack the SEH and use its overwrite
exploitation technique.
UNIT - III Techniques Used by Hackers
Introduction, Basic Terminology, The Reconnaissance Phase, Actual Attacks,
Malware Creation, Penetration Testing.

Techniques Used by Hackers


Hacking is the process of exploiting vulnerabilities to gain unauthorized access to any
computer, smartphone, tablet, or network system. Hackers use advanced computer and
programming skills to exploit and get into the victim’s system without their knowledge
and gain large amounts of personal information, including personal and financial data
and passwords. Not all hackers use their skills to exploit systems or to gain access to the
victim’s system; some use their skills to protect confidential information from being
stolen and are called Ethical Hackers or white hat hackers in the hacker community.
Other hackers use their knowledge out of greed, for revenge, or just for fun. Here
are some common techniques used by hackers that you should know about, so that you can
protect yourself from being hacked or at least take some preventive measures.

1. Bait and Switch

In a Bait and Switch attack, the hackers buy advertisement space on a website and then
place an eye-catching advertisement on the website’s page. When a user visits that website,
the advertisement's presentation often convinces the user to click on it, and the moment
the user clicks, they are redirected to a malicious web page. In this way hackers can install
malicious code on the victim’s system and steal user information.

2. Virus, Trojan, and Other Spyware

The attacker uses a virus, Trojan, or other malicious code and installs it on the
victim’s computer to gain unauthorized access. Viruses and Trojans keep sending data
to the hacker regularly and can also perform various tasks on the victim’s system, such as
sniffing your data and diverting traffic.

3. Cookie Theft

We use a browser to visit different websites, and those websites store cookies in the
browser. These include our search history, some account passwords, and other useful
information. When an attacker obtains your browser’s session cookie, they can
authenticate as you in a browser and then conduct attacks. It is always a best
practice to periodically clear the search history and cache of your browser to ensure
protection from such attacks.

4. Denial of Service

This hacking technique involves flooding the network with a huge amount of data
packets to bring the system down. Users are then unable to use the service because
the system crashes in real time. The hacker sends too many requests to slow down the
system so that it cannot respond to the original requests from genuine
users. Another attack, DDoS (Distributed Denial of Service), is used for
the same purpose by using zombie computers to flood the intended system. The
number of data packets or requests used in the attack is increased
each time it fails. You should always use good anti-malware software and other
security measures to make sure your systems are safe from these attacks.

5. Keylogger

A keylogger is simply software that records key sequences and stores the strokes
of keys pressed on your keyboard to a file on your computer. These log files can contain
useful and sensitive user data such as account information and various
passwords. Check your computer regularly for this type of theft by using security tools,
and make sure to use a virtual keyboard while doing transactions if you have any
suspicion during login. It is always a good practice to install good antivirus software that
checks your system periodically for viruses and other suspicious items on your computer. Also,
make sure your Windows firewall is turned on for additional security of your system and
do not respond to fraudulent e-mails and offers. Install software only from trusted and
secure software providers, and avoid doing transactions and exchanging other sensitive
data over public Wi-Fi networks.

Ethical Hacking - An Understanding

Ethical hacking is hacking that is guided by ethical or moral values and carried out
without any wrong intent. Any form of hacking authorized by the target system owner is
known as ethical hacking. It is the process of adopting active security measures to
defend systems from hackers with foul intentions regarding data privacy.

Ethical hacking techniques provide the security measures a system applies to look for
vulnerabilities, breaches, and potential threats to the data. An ethical hacker hacks the
system they have targeted before any malicious hacker does, so that security patches can be
applied. This effectively reduces or eliminates the chances for the attacker to execute
the hack.

Using ethical hacking tools and techniques, a hacker can stay ahead of the threats by
searching for the weak points in the system. These tools can be used to secure the data
and systems of the user. They provide security and protection. There are different types
of hackers. Some of them are as follows:

1. Black-hat hackers
2. White-hat hackers
3. Grey-hat hackers
4. Miscellaneous hackers

White hat hackers are ethical hackers, whereas black hat hackers are called
unauthorized hackers or crackers. They use various techniques and methods to protect
or disrupt security systems. One can gather as much data as possible about targeted
systems and networks through footprinting techniques and ethical hacking.

Top Ethical Hacking Techniques

Ethical hacking has the potential to test, scan, and secure systems and data. Some of the
ethical hacking techniques are listed below.

1. Phishing

Phishing is a cyber-security attack where a hacker sends messages pretending to be a
trusted person. These types of messages manipulate a user into performing
actions like installing a malicious file or clicking a malicious link.

A phisher uses public resources to collect information about the personal and work
experience of the victim. They then use this information to create a convincing fake
message.

2. Sniffing

Sniffing is the process of monitoring and capturing all the packets passing through a
given network, using sniffing tools. It is also known as wiretapping, by analogy with
tapping phone wires to listen in on a conversation.

A sniffer switches the NIC of the system into promiscuous mode, so that the card passes
up every frame it sees on the segment rather than only those addressed to it.
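As an added illustration (not code from the original notes), the following Python parses a constructed Ethernet/IPv4/TCP frame carrying a plaintext HTTP request, which is exactly what a sniffer in promiscuous mode hands to the analyst. The frame bytes, MAC and IP addresses, and the HTTP Basic credentials inside it are sample values built in the code, not a real capture. It shows why an unencrypted protocol gives its credentials to anyone on the segment, which is the case for HTTPS made later in these notes.

```python
import base64
import socket
import struct


def build_sample_frame():
    """Constructed sample frame (not a real capture): Ethernet + IPv4 + TCP
    carrying a plaintext HTTP request with an HTTP Basic authorization header."""
    payload = (b"GET /admin HTTP/1.1\r\n"
               b"Host: intranet.example\r\n"
               b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
    # TCP header: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum (left 0 in this sample), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 52100, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header: version/IHL, TOS, total length, id, flags/fragment, TTL,
    # protocol 6 (TCP), checksum (0 in this sample), source, destination
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    # Ethernet header: destination MAC, source MAC, EtherType 0x0800 (IPv4)
    eth = (bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455")
           + struct.pack("!H", 0x0800))
    return eth + ipv4 + tcp + payload


def parse_frame(frame):
    """Decode an Ethernet/IPv4/TCP frame into addresses, ports and TCP payload.
    Returns None for anything that is not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                               # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": tcp[data_offset:],
    }


def plaintext_basic_credentials(payload):
    """If the payload is an HTTP request with Basic auth, return (user, password)
    exactly as a sniffer would see them; otherwise None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return user, password
    return None


if __name__ == "__main__":
    info = parse_frame(build_sample_frame())
    print(f"{info['src_ip']}:{info['src_port']} -> {info['dst_ip']}:{info['dst_port']}")
    print("credentials visible on the wire:", plaintext_basic_credentials(info["payload"]))
```

The same parser applied to an HTTPS connection would return only the TLS record bytes in the payload, which is the whole point of moving authenticated traffic off plain HTTP.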

3. Social Engineering

Social engineering is used to convince people to reveal their confidential information.
The attacker deceives people by taking advantage of their trust and lack of
knowledge. There are three types of social engineering: human-based, mobile-based,
and computer-based.

Due to loose security policies and the absence of hardware or software tools to prevent
it, a social engineering attack is difficult to detect.

4. Footprinting

In this ethical hacking technique, the hacker gathers as much data as possible about a
specific targeted system and infrastructure to recognize opportunities to penetrate them.

The hacker might use various tools and technologies to get information to crack a whole
system.

5. SQL injection

SQL injection is an attack in which the attacker sends crafted SQL, a query or statement,
to a database server so that the query behaves as the attacker requires. An SQL injection
happens when user input is improperly sanitized before being used in an SQL query.
The database's response to the injected SQL helps the attacker understand the
construction of the database, such as its table names.
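The following Python is an added example, not code from the original notes. It shows the defect described above and its fix side by side on an in-memory SQLite database with a constructed users table: the first lookup splices user input into the query text, so a value containing a quote changes the query's logic and returns every row, while the second passes the value as a bound parameter and returns nothing for the same input.

```python
import sqlite3


def build_sample_db():
    """In-memory SQLite database with a constructed users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Defective version: the input is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened version: the value travels as a bound parameter, separate from
    the SQL text, so it can only ever be compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return their row counts."""
    conn = build_sample_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input:", compare("bob"))
    # A quote in the input changes the query's logic in the vulnerable version only.
    print("input with a quote:", compare("x' OR '1'='1"))
```

Parameterization is the primary fix; because the database's response is what reveals its structure to an attacker, production code should also return generic error messages to the client and run queries under a least-privilege database account.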

6. Enumeration

Enumeration is another form of information gathering. In this process, the attacker
establishes an active connection with the target to find as many attack vectors as
possible, which are then used to exploit the system later.

The hacker needs an active connection to the target host. The vulnerabilities found are
counted and assessed, and then used to identify attacks and threats against the system.
Enumeration is used to collect usernames, hostnames, passwords, and IP addresses.

Tools to Execute Your Perfect Ethical Hacking Techniques

There are a lot of ethical hacking tools available for user convenience. In addition,
ethical hacking tools help in security investigations.

1. Ettercap

Ettercap includes host and network analysis features and is capable of sniffing an SSH
connection. It allows you to create custom plugins using its API, and it can inject
characters into the server's or the client's side of a connection. Ettercap supports
active and passive dissection of many protocols.

2. Netsparker

Netsparker is a web application security scanner that automatically detects
vulnerabilities in web applications. It is available as a SaaS solution. Netsparker
detects vulnerabilities using its latest scanning technology and requires little
configuration. It can scan more than 1000 web applications in a short time.

3. Burp Suite

Burp Suite is one of the ethical hacking tools used for security testing, and is
particularly handy for testing web applications. It includes a wide range of tools that
help in the testing process.

Burp Suite can detect issues in around 2000 web applications and can also scan
open-source software applications. Its advanced scanning tools detect bugs and malware
accurately.

4. John the Ripper

John the Ripper is one of the most popular password-cracking tools, used to test the
strength of passwords. It uses brute-force techniques to recover passwords and can
auto-detect the hash type of a password, a feature that makes it stand out among
password auditing tools.

It supports hash formats such as MD4, LDAP, DES, and LM hash.

5. Nmap

Nmap is an open-source security tool mainly used to manage and audit network and
system security. Information security professionals use it for malware detection,
network audits, network mapping, and more, on both local and remote hosts.

6. Wireshark

Wireshark is used to analyze network traffic in real time using packet sniffing. It is an
open-source tool widely used in ethical hacking. It includes a powerful GUI and a packet
browser, and can export captures in other formats. In addition, the tool supports a large
number of protocols.

It is available for different operating systems such as Windows, macOS, and Linux.

7. OpenVAS

OpenVAS is used for detecting vulnerabilities on different hosts. It is one of the
open-source network scanners. Features such as a web-based interface, scheduled scans,
and scanning multiple hosts at a time are included in this tool. In addition, OpenVAS
can be integrated with Nagios monitoring software.

8. Angry IP scanner

The Angry IP scanner does not require any installation. The tool scans local as well as
web networks. Angry IP is provided with the best scanning techniques. The tool is open-
source and free, which supports different platforms.

The tool helps hackers with exclusive support.

9. IronWASP

IronWASP is helpful for web application security testing. It is open-source and free,
and is an easy-to-use GUI-based tool. Scripting in Python and Ruby is supported, and
reports can be produced in different formats such as HTML and RTF.

Nearly 30 web applications can be checked by this tool.

10. Acunetix

Acunetix is a fully automated web vulnerability scanner that aims to stay ahead of
intruders. It audits complex web and network issues, and its features include scanning
for vulnerability classes such as SQL injection and XSS. It is available both on
premises and on cloud platforms.

Types Of Ethical Hacking

Below is the list of different types of Ethical Hacking.

1. Web application hacking

Web application hacking exploits applications through Hypertext Transfer Protocol
(HTTP) by manipulating the application through its graphical web interfaces, tampering
with the Uniform Resource Identifier, or exploiting HTTP elements. Methods used to hack
web applications include SQL injection attacks, Cross-site Scripting, Insecure
Communications, etc.

2. Social engineering

Social engineering is used to convince people to reveal their confidential information.
The attacker deceives people by taking advantage of their trust and lack of
knowledge. There are three types of social engineering: human-based, mobile-based,
and computer-based. Due to loose security policies and the absence of hardware or
software tools to prevent it, a social engineering attack is difficult to detect.

3. System hacking

System hacking is the compromise of computer software to access the targeted computer
and steal its sensitive data. The hacker takes advantage of weaknesses in a computer
system to obtain information and data and gain an unfair advantage. System hacking aims
to gain access, escalate privileges, and hide files.

4. Hacking wireless networks

Wireless hacking targets wireless networks or access points in order to obtain
confidential information such as authentication credentials, admin portal access, the
WiFi password, and other similar data. It is performed to gain access to a private WiFi
network.

5. Web server hacking

Web content is generated in real time by software applications running on the server
side. This lets hackers attack the web server to steal private information, data, passwords,
and business information using DoS attacks, port scans, SYN floods, and sniffing.
Hackers attack web servers for financial gain through theft, sabotage, blackmail,
extortion, etc.

1. What are the 5 main steps of ethical hacking?

The five steps of ethical hacking are:

1. Reconnaissance
2. Scanning
3. Gain access
4. Maintain access
5. Cover Tracks

2. What are the top 3 techniques of ethical Hacking?

The top three techniques of ethical Hacking are:

1. Phishing is a cyber-security attack where a hacker sends messages pretending to be a
trusted person. This type of message manipulates a user into performing actions like
installing a malicious file or clicking a malicious link.
2. Sniffing is the process of monitoring and capturing all the packets passing through a
given network. This is done using sniffing tools. It is also known as wiretapping, by
analogy with tapping phone wires to listen in on a conversation.
3. SQL injection is an attack in which the attacker sends a SQL query, a statement, to a
database server that modifies the database as desired. An SQL injection happens when
user input is improperly sanitized before being used in an SQL query.

3. What are the types of Ethical Hacking?

The types of ethical hacking are:

1. Web application hacking
2. System hacking
3. Web server hacking
4. Social engineering
5. Wireless network hacking

Basic Hacking Terminologies

Hacking terms & their meanings

1. Phishing

Phishing is one of the most common hacking terms used by security people. Phishing
is a technique that tricks users into revealing sensitive information (like usernames,
passwords, or credit card details) to seemingly benign sources. A phisher disguises as a
trustworthy entity and contacts potential victims asking them to reveal information, which
could then be used for malicious purposes. For example, a phisher may pose as a bank and
ask for a user's bank account credentials via e-mail, or trick you into clicking a
fraudulent link. Phishing is a type of social engineering.

(Image: A fake Amazon mail attempts to persuade the lucky recipient that they have a chance
to win £10 in return for completing a quick survey, in order to steal login and payment
information.)
2. Malware

You hear about websites getting infected daily with malware attacks, so let's learn
more about this hacking term.

Malware is a software program designed by hackers to hijack computer systems or steal
sensitive information from a device. These go by various names like viruses, adware,
spyware, keyloggers, etc. A malware program can get transferred to a system via various
means like USB, hard drive, or spam.

For instance, a recent malware campaign worked by redirecting both OpenCart and Magento
desktop and mobile websites to malicious links. This leads to a loss of customers and
reputation and, most importantly, a bad impact on search engine rankings.

(Image: A file called unzip.php allowed uploading of malicious files to the server.)
3. Ransomware

One of the most searched hacking terms of 2017, ransomware is a form of malware
which locks a user out of their own system and cuts access to their files. A ransom message
is displayed that instructs how much and where to send payment, usually requested in
bitcoin, in order to get the files back. Such attacks affect not only individuals but banks,
hospitals, and online businesses. A recent example of such ransomware is the Petya
ransomware attack, which took businesses worldwide by storm.

(Image: A message demanding money is seen on a monitor of a payment terminal at a branch of
Ukraine's state-owned bank Oschadbank after being hit by the Petya ransomware. Image
source: REUTERS/Valentyn Ogirenko)

4. Spoofing

E-mail and IP spoofing are two common hack techniques encountered by users worldwide.
E-mail spoofing involves altering the header of an e-mail to make it look legitimate. For
instance, a black hat hacker can make an e-mail look as if it came from your bank or any
other source you may trust. IP spoofing, on the other hand, refers to an illegitimate packet
sent to a computer with an altered source IP address so that it appears to come from a
trusted host, in the hope that the packet will be accepted and allow the sender access to
the target machine.
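The header checks below are an added example, not code from the original notes, and serve both the phishing entry and the e-mail spoofing entry above. They parse two constructed messages and flag the signs a mail filter or analyst looks at first: a display name borrowing a trusted brand while the address domain is something else, and a Return-Path or Reply-To domain that disagrees with the From domain. The domains and addresses are made up for the example, and the trusted domain set is an assumed organisation policy.

```python
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample messages (not real e-mail). The first claims to come from
# the bank in its display name, but its address domain and Return-Path do not.
SUSPECT_MAIL = """\
Return-Path: <bounce@mail-relay-example.net>
From: "Example Bank Security" <alerts@examplebank-secure.net>
Reply-To: verify@examplebank-secure.net
To: customer@example.org
Subject: Urgent: verify your account

Please confirm your details within 24 hours.
"""

LEGIT_MAIL = """\
Return-Path: <alerts@examplebank.example>
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement

Your statement is ready in online banking.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message, trusted_domains):
    """Return a list of header-based warning signs for one raw RFC 822 message.

    trusted_domains: the domains the impersonated organisation really sends from
    (an assumed policy input for this example).
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name uses a trusted brand while the address domain is not trusted.
    brands = {d.split(".")[0] for d in trusted_domains}
    compact_name = display_name.lower().replace(" ", "")
    if from_domain not in trusted_domains and any(b in compact_name for b in brands):
        findings.append(f"display name '{display_name}' impersonates a trusted sender; "
                        f"address domain is {from_domain}")

    # 2. Envelope sender (Return-Path) and header From disagree.
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from "
                        f"From domain {from_domain}")

    # 3. Replies are redirected to a different domain than the claimed sender.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                        f"From domain {from_domain}")
    return findings


if __name__ == "__main__":
    trusted = {"examplebank.example"}
    for label, raw in (("suspect", SUSPECT_MAIL), ("legit", LEGIT_MAIL)):
        print(label, spoofing_indicators(raw, trusted))
```

These header comparisons are a triage heuristic. Whether the sending server was actually authorised for the From domain is decided by the SPF, DKIM and DMARC results, which a production mail filter evaluates before anything else.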

5. Encryption

Encryption is the process of encoding a message or information so that it is unreadable
to anyone who does not hold the key. This ensures that the information concerned is
readable only by the authorized parties. Often, encryption is employed by hackers to extort
money by unleashing ransomware on computer systems, locking out victims and encrypting
their files. The decryption key is provided only when a certain ransom is paid.

6. Adware

Adware is typically software which acts as spyware to track a user's browsing activities
covertly. It then generates advertisements based on the user's browsing history. Some
adware is maliciously designed to pop up ads so frequently that it slows down your
system. It can collect your personal information and browsing history, and provide inputs
for further phishing attacks. This hacking term is common in the marketing
world. Google shows a warning when visitors visit such a deceptive website because
of its social engineering content.

(Image: Types of Google warning messages)

(Image: Potential adware on an e-commerce site)

7. Zero Day threat

A zero-day threat refers to a threat that exploits a vulnerability which is undocumented
and hence hidden from any antivirus scanner installed on the system. Antivirus scanners are
built on knowledge of known vulnerabilities, so a flaw their developers have never seen is
invisible to them. Such vulnerabilities are exploited through different vectors, most
commonly web browsers and malicious attachments sent via e-mail.

8. Brute Force Attack

Another common hacking term, associated with bypassing login pages. Brute force, aka
exhaustive key search, is a trial-and-error method to decrypt data such as passwords, Data
Encryption Standard (DES) keys, or other encrypted information. This method is widely
used to crack passwords to admin accounts, which in turn can be used to steal information
and documents of paramount importance.
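As an added defender-side example (not code from the original notes), the following Python parses constructed sshd-style log lines and flags any source address with five or more failed logins inside a sixty-second sliding window, which is the basic signal that an alerting or lockout rule keys on against online brute force. Hostnames, addresses and timestamps are sample values built inline, and the threshold and window are assumed policy values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in sshd/syslog style (hosts, addresses and times are made up).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50110 ssh2
Mar  3 10:00:03 bastion sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 50111 ssh2
Mar  3 10:00:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50112 ssh2
Mar  3 10:00:06 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50113 ssh2
Mar  3 10:00:08 bastion sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 50114 ssh2
Mar  3 10:00:09 bastion sshd[2106]: Failed password for root from 203.0.113.7 port 50115 ssh2
Mar  3 10:02:15 bastion sshd[2110]: Accepted publickey for deploy from 192.0.2.5 port 41022 ssh2
Mar  3 10:05:30 bastion sshd[2120]: Failed password for alice from 198.51.100.9 port 33001 ssh2
Mar  3 10:09:45 bastion sshd[2121]: Failed password for alice from 198.51.100.9 port 33002 ssh2
Mar  3 10:10:02 bastion sshd[2122]: Accepted password for alice from 198.51.100.9 port 33003 ssh2
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for every failed-login line.
    Syslog lines carry no year, so one is assumed for the sample."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs that produced at least `threshold` failures inside any
    `window_seconds` sliding window. Returns {ip: peak failures in one window}."""
    times_by_ip = defaultdict(list)
    for ts, ip, _user in events:
        times_by_ip[ip].append(ts)
    alerts = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            in_window = end - start + 1
            if in_window >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), in_window)
    return alerts


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    print(f"{len(failures)} failed logins parsed")
    for ip, peak in detect_bruteforce(failures).items():
        print(f"ALERT: {ip} produced {peak} failures within 60 s")
```

The user who mistyped a password twice over several minutes is not flagged, which is why the rule keys on rate rather than raw count. Alongside detection, the standard mitigations the term implies are rate limiting or temporary lockout at the login endpoint, long passwords or passphrases, and multi-factor authentication so that a guessed password alone is not enough.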

9. HTTPS/SSL/TLS

A highly searched hacking term of 2018, when Google Chrome announced that it would
warn users visiting websites served over plain HTTP. HTTPS, which stands for
Hypertext Transfer Protocol with the “S” for “Secure”, is the basic framework that controls
how data is transferred across the web, with an added layer of encryption to provide
you with secure daily browsing—your bank, your email provider, and social networks. SSL
and TLS are the protocols HTTPS uses to provide encryption and proof of the website's
identity. It is advised to avoid browsing websites over plain HTTP and never to enter
passwords or credit card details on them.

10. Bot

A bot is a software robot that runs automated tasks (scripts) over the Internet. Many search
engines like Google and Bing employ bots, also called spiders, to scan websites and index
them for the purpose of ranking them in search results. But when these
bots are used by hackers, they can be programmed to perform malicious tasks, as well as
introduce malware into the system.

11. Botnets

A botnet refers to a network of bots controlled by a black hat. Applications of botnets include
launching DDoS (Distributed Denial of Service) attacks, stealing data, sending spam, and
giving the attacker access to the device and its connection. A swarm of bots not only helps
cover the black hat's tracks but raises the intensity of the attack by attacking in a
coordinated effort.

12. Distributed Denial of Service Attack (DDoS)

This hacking term is highly common among hackers and is a major concern for
website owners and developers. A DDoS attack is carried out with the aid of zombies or
botnets controlled by black hats. By programming the botnets, the black hats command them
to send data packets to the targeted web server from multiple systems. This floods the target
server, slowing it down or even crashing and shutting it down, thereby
disrupting any activity. All the while, the users of the server are oblivious to the attack.
Some of the most notorious attacks discovered lately were the Rio Olympics DDoS,
which lasted for months; the attack on the Russian banks Sberbank and Alfabank by a
botnet consisting of at least 24,000 computers located in over 30 countries; and the US
presidential election campaign attacks.

(Image: Rise of DDoS attacks during the Rio Olympics)

13. Firewall

A firewall is a network security system which continuously monitors incoming and outgoing
network traffic and blocks untrusted sources to ensure safe communications. A
firewall can be hardware-based or software-based. A well designed and implemented
firewall continuously monitors for malicious inputs; however, black hats strive to circumvent
them. As a result, firewalls are continuously updated, adjusted, or replaced with new
security measures over time.

14. Payload

Essentially, a payload is the cargo of data transmitted over a network. In black hat
hacking terminology, however, a payload refers to the part of the virus that performs
malicious actions, such as compromising data, destroying information, or hijacking the
computer system.

15. White hat

While black hat hackers are notoriously known for performing destructive activities online,
white hat hackers are ethical hackers who use their skills to expose loopholes in security
measures for organizations/companies before black hats exploit them.

16. Rootkit

Rootkits are one of the scariest methods to perform a cyber intrusion mostly because it goes
undetected. Give a black hat a rootkit and he would perform the perfect heist. A rootkit is a
malware program which can be installed on a system through various means. Just like a
virus, a rootkit can be injected via e-mails, unauthenticated websites, infected hard drives,
etc. Once injected, a black hat can exploit unhindered access to remote applications as per
his/her need. What makes it even more lethal is its ability to function at the low system level
so as to erase its tracks and go undetected for a long time. Once introduced into a system, its
activity is extremely hard to detect even by skilled IT security professionals. It’s like the holy
grail of hacking.

17. RAT

Remote Access Tool or Remote Access Trojan (RAT) is a form of malware which can be
operated by even an unskilled hacker. Once a RAT is installed on your system, the attacker
gains complete control of the system. While RAT can be used for legitimate purposes, like
when a user wants to access his home computer from another location, it is largely used for
illegitimate reasons.

(Image: The ONI ransomware, which performed a month-long attack on Japanese companies,
would encrypt the computer's files and append the .oni extension to encrypted files.)

(Image: To make the ONI ransomware go undetected, the attackers executed a batch file that
cleared over 460 different event logs in order to cover their activities. Source: Cybereason)

18. SPAM

This hacking term is commonly associated with e-mail. Spam is unsolicited e-mail,
often used to spread advertisements. Spammers typically collect a huge database of
e-mail addresses and send them mail at random to promote products. However, spam can also
be used to introduce malware into systems through phishing or by directing users to
unauthenticated websites. The best practice is to delete spam as soon as you receive it, or
to make use of a spam filter.

19. Worm

Similar to a virus, a worm is a destructive self-contained program which can self-replicate. A
worm doesn't need to be part of another program; instead, it can transfer itself to multiple
systems on a network without user intervention. A self-replicating worm can consume large
amounts of memory and bandwidth while drastically reducing the speed of your system. If
not removed in time, it can become devastating.

20. Cloaking

Hackers often use cloaking to present different content or URLs to human users and search
engines, thereby hiding their material under legitimate-looking web content. Hackers use
dynamic scripts and .htaccess rules to hide their tracks by returning a 404 or 500 error code
to certain IP addresses or browsers while serving spam to others. Google
generally suspends your ads if it notices cloaking on your website.

The Reconnaissance Phase


What Is Reconnaissance?
Footprinting is a part of a larger process known as reconnaissance. Reconnaissance is the
information-gathering stage of ethical hacking, where you collect data about the target
system. This data can include anything from network infrastructure to employee contact
details. The goal of reconnaissance is to identify as many potential attack vectors as
possible.
Data collected from reconnaissance may include:
 Security policies. Knowing an organization’s security policies can help you find
weaknesses in their system.
 Network infrastructure. A hacker needs to know what type of network the target is
using (e.g., LAN, WAN, MAN), as well as the IP address range and subnet mask.
 Employee contact details. Email addresses, phone numbers, and social media accounts
can be used to launch social engineering attacks.
 Host information. Information about specific hosts, such as operating system type and
version, can be used to find vulnerabilities.

Phase one: Reconnoitering a target for hacking

In the reconnaissance phase, hackers identify a vulnerable target and explore how to
exploit it. The initial target can be anyone in the company; attackers need only a single
point of entry to get started. Targeted phishing e-mails are a common and effective
method of distributing malware in this phase.
The whole point is getting to know the target. At this stage, hackers are asking
themselves who the important people in the company are, who they do business with,
and what public data is available about the target organization. Company websites and
online contact resources such as LinkedIn are two obvious sources for researching key
people in organizations. Identifying suppliers and customers may involve ‘social
engineering’, where a hacker makes bogus sales calls to the company.
Among publicly available data, hackers collect Internet Protocol (IP) address
information and run scans to determine what hardware and software the target company
is using. They check the Internet Corporation for Assigned Names and Numbers
(ICANN) web registry database.
The more time hackers spend gathering information about the people and systems at the
company, the more likely the hacking attempt is to succeed.

Phase two: Weaponizing information on a company

In the weaponization phase, the hacker uses the previously gathered information to
create ways to get into the target’s network.
This could involve creating believable spear phishing e-mails that look like e-mails that
the target could potentially receive from a known vendor or other business contact.
Another hacker tactic is to create ‘watering holes’, fake web pages that look identical to
a vendor’s or a bank’s web page. This aims to capture usernames and passwords, or to
offer a free download of a malware-infected document or something else of interest.
The attacker’s final action in this phase is to collect the tools to successfully exploit any
vulnerabilities that they may find when they later gain access to the target’s network.

Phase three: ‘Delivering’ the attack

The attack starts in the delivery phase. Phishing e-mails are sent, ‘watering hole’ web
pages are posted to the internet, and the attacker waits for the arrival of all the data they
need.
If the phishing e-mail contains a weaponized attachment, then the attacker waits for
someone to open the attachment and for the malware in it to ‘call home’ to the hacker.

Phase four: Exploiting the security breach

In the exploitation phase, the hacker starts to reap the rewards of preparing and
delivering the attack.
As usernames and passwords arrive, the attacker tries them against web-based e-mail
systems or virtual private network (VPN) connections to the company network. If
malware-infected attachments were sent, then the attacker remotely accesses the affected
computers.
The hacker explores the targeted network and gains a better idea of the traffic flow on it,
what systems are connected to it, and how they can be exploited.

Phase five: Installing a persistent backdoor

In the installation phase, the attacker ensures continued access to the network.
To achieve this, the hacker will install a persistent backdoor, create administrator
accounts on the network, and disable firewall rules. They may even activate remote
desktop access on servers and other systems on the network.
The hacker’s intention at this point is to be certain of staying in the system as long as
needed to achieve their objectives.

Phase six: Exercising command and control

Now that they have unrestrained access to the entire network and administrator accounts,
all the required tools are in place for the command and control phase.
The attacker can look at anything, impersonate any user on the network, and even send
e-mails from the CEO to all employees.
Now in control, the hacker can lock a company’s IT users out of the organization’s
entire network if they want to, perhaps demanding a ransom to restore access.

Phase seven: Achieving the hacker’s objectives

The action on objectives phase now begins. This could involve stealing information on
employees, customers, product designs, and so on. Or an attacker could start to disrupt
the target company’s operations.
Not all hackers are after monetizable data or incriminating e-mails that they can publish.
Some simply want to cause chaos or to inflict pain on a company. If a company receives
online orders, a hacker could shut down the ordering system or delete orders, for
example. They could even create orders and have them shipped to the company’s
customers.
If a hacker gains access to an Industrial Control System, they could shut down
equipment, enter new set points, and disable alarms.

Differences Between Passive and Active Reconnaissance

There are two main types of reconnaissance: active and passive reconnaissance.

With active reconnaissance, hackers interact directly with the computer system and
attempt to obtain information through techniques like automated scanning or manual
testing and tools like ping and netcat. Active recon is generally faster and more accurate,
but riskier because it creates more noise within a system and has a higher chance of being
detected.

Passive reconnaissance gathers information without directly interacting with systems,
using tools such as Wireshark and Shodan and methods such as OS fingerprinting to gain
information.

Actual Attacks

What Is a Cyber Attack?

A cyber attack is an attempt by cybercriminals, hackers or other digital adversaries to
access a computer network or system, usually for the purpose of altering, stealing,
destroying or exposing information.

Cyberattacks can target a wide range of victims from individual users to enterprises or
even governments. When targeting businesses or other organizations, the hacker’s goal
is usually to access sensitive and valuable company resources, such as intellectual
property (IP), customer data or payment details.

What are the 10 Most Common Types of Cyber Attacks?

1. Malware
2. Denial-of-Service (DoS) Attacks
3. Phishing
4. Spoofing
5. Identity-Based Attacks
6. Code Injection Attacks
7. Supply Chain Attacks
8. Insider Threats
9. DNS Tunneling
10. IoT-Based Attacks

1. Malware

Malware — or malicious software — is any program or code that is created with the
intent to do harm to a computer, network or server. Malware is the most common type
of cyberattack, mostly because this term encompasses many subsets such as
ransomware, trojans, spyware, viruses, worms, keyloggers, bots, cryptojacking, and
any other type of malware attack that leverages software in a malicious way.

Type: Description

Ransomware: In a ransomware attack, an adversary encrypts a victim’s data and
offers to provide a decryption key in exchange for a payment. Ransomware attacks are
usually launched through malicious links delivered via phishing emails, but unpatched
vulnerabilities and policy misconfigurations are used as well.

Fileless Malware: Fileless malware is a type of malicious activity that uses native,
legitimate tools built into a system to execute a cyber attack. Unlike traditional malware,
fileless malware does not require an attacker to install any code on a target’s system,
making it hard to detect.

Spyware: Spyware is a type of unwanted, malicious software that infects a computer or
other device and collects information about a user’s web activity without their knowledge
or consent.

Adware: Adware is a type of spyware that watches a user’s online activity in order to
determine which ads to show them. While adware is not inherently malicious, it has an
impact on the performance of a user’s device and degrades the user experience.

Trojan: A trojan is malware that appears to be legitimate software, disguised as native
operating system programs or harmless files like free downloads. Trojans are installed
through social engineering techniques such as phishing or bait websites. The Zeus trojan,
one such variant, has the goal of accessing financial information and adding machines to
a botnet.

Worms: A worm is a self-contained program that replicates itself and spreads its copies
to other computers. A worm may infect its target through a software vulnerability or it
may be delivered via phishing or smishing. Embedded worms can modify and delete files,
inject more malicious software, or replicate in place until the targeted system runs out of
resources.

Rootkits: Rootkit malware is a collection of software designed to give malicious actors
control of a computer network or application. Once activated, the malicious program sets
up a backdoor and may deliver additional malware. Bootkits take this a step further by
infecting the master boot record before the operating system loads at boot, sometimes
remaining undetectable.

Mobile Malware: Mobile malware is any type of malware designed to target mobile
devices. Mobile malware is delivered through malicious downloads, operating system
vulnerabilities, phishing, smishing, and the use of unsecured WiFi.

Exploits: An exploit is a piece of software or data that opportunistically uses a defect in
an operating system or an app to provide access to unauthorized actors. The exploit may
be used to install more malware or steal data.

Scareware: Scareware tricks users into believing their computer is infected with a virus.
Typically, a user will see scareware as a pop-up warning them that their system is
infected. This scare tactic aims to persuade people into installing fake antivirus software
to remove the “virus.” Once this fake antivirus software is downloaded, malware may
infect the computer.

Keylogger: Keyloggers are tools that record what a person types on a device. While there
are legitimate and legal uses for keyloggers, many uses are malicious. In a keylogger
attack, the keylogger software records every keystroke on the victim’s device and sends it
to the attacker.

Botnet: A botnet is a network of computers infected with malware that are controlled by
a bot herder. The bot herder is the person who operates the botnet infrastructure and uses
the compromised computers to launch attacks designed to crash a target’s network, inject
malware, harvest credentials or execute CPU-intensive tasks.

MALSPAM: Malicious spam (MALSPAM) delivers malware as the malicious payload via
emails containing malicious content, such as virus- or malware-infected attachments.

2. Denial-of-Service (DoS) Attacks

A Denial-of-Service (DoS) attack is a malicious, targeted attack that floods a network


with false requests in order to disrupt business operations.

In a DoS attack, users are unable to perform routine and necessary tasks, such as
accessing email, websites, online accounts or other resources that are operated by a
compromised computer or network. While most DoS attacks do not result in lost data
and are typically resolved without paying a ransom, they cost the organization time,
money and other resources in order to restore critical business operations.

The difference between DoS and Distributed Denial of Service (DDoS) attacks has to
do with the origin of the attack. DoS attacks originate from just one system while
DDoS attacks are launched from multiple systems. DDoS attacks are faster and harder
to block than DoS attacks because multiple systems must be identified and neutralized
to halt the attack.
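
The origin of the traffic is also what a defender keys on. The following is an added
example, not part of the original notes: it buckets a web server's access log into
10-second windows and labels each window as normal, a single-source DoS flood (one
client dominates, so blocking that source works) or a distributed flood (many modest
senders, which needs upstream rate limiting). The log lines are constructed by
build_sample_log() using documentation IP ranges, and FLOOD_THRESHOLD,
SINGLE_SOURCE_SHARE and WINDOW_SECONDS are assumed values to be tuned per site.

```python
"""Classify 10-second traffic windows from a web access log as normal, a
single-source DoS flood, or a distributed (DDoS) flood.

Added example for these notes; the log lines are constructed with
build_sample_log(), not captured from a real server, and the thresholds are
assumptions to be tuned per site."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

WINDOW_SECONDS = 10        # requests are counted per 10-second bucket
FLOOD_THRESHOLD = 100      # assumed: more requests than this per bucket is a flood
SINGLE_SOURCE_SHARE = 0.8  # assumed: top client sending >= 80% of a flood => single-origin DoS


def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def classify_windows(log_text):
    """Map each time bucket to its request total, distinct sources and verdict."""
    buckets = defaultdict(Counter)  # bucket index -> Counter(client_ip -> requests)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on them
        ip, ts = parsed
        buckets[int(ts.timestamp()) // WINDOW_SECONDS][ip] += 1

    report = {}
    for bucket, counts in sorted(buckets.items()):
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if total <= FLOOD_THRESHOLD:
            verdict = "normal"
        elif top_n / total >= SINGLE_SOURCE_SHARE:
            verdict = "dos"    # one client dominates: block that source
        else:
            verdict = "ddos"   # many modest senders add up: needs upstream rate limiting
        report[bucket] = {"total": total, "sources": len(counts),
                          "top_source": top_ip, "verdict": verdict}
    return report


def build_sample_log():
    """Constructed traffic: a single-source flood, a distributed flood, then quiet."""
    base = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)

    def entry(ip, when):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET /login HTTP/1.1" 200 512'

    lines = []
    # Bucket 1: one client (documentation address) sends 120 requests, 5 others visit normally.
    lines += [entry("203.0.113.7", base + timedelta(seconds=i % 10)) for i in range(120)]
    lines += [entry(f"198.51.100.{i + 1}", base + timedelta(seconds=i)) for i in range(5)]
    # Bucket 2: 30 different clients send 5 requests each (150 in total).
    b2 = base + timedelta(seconds=30)
    lines += [entry(f"192.0.2.{i + 1}", b2 + timedelta(seconds=j))
              for i in range(30) for j in range(5)]
    # Bucket 3: ordinary traffic, 8 requests.
    b3 = base + timedelta(seconds=60)
    lines += [entry(f"198.51.100.{i + 10}", b3 + timedelta(seconds=i)) for i in range(8)]
    return "\n".join(lines)


if __name__ == "__main__":
    for bucket, info in classify_windows(build_sample_log()).items():
        print(bucket, info)
```

The single-source share is the deciding feature: a real DDoS may push the total far
higher than a lone client can, but it is the flat distribution across sources that
tells you a per-IP block list will not help.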

3. Phishing

Phishing is a type of cyberattack that uses email, SMS, phone, social media, and social
engineering techniques to entice a victim to share sensitive information — such as
passwords or account numbers — or to download a malicious file that will install
viruses on their computer or phone.

Common phishing attacks include:

Type: Description

Spear Phishing: Spear-phishing is a type of phishing attack that targets specific
individuals or organizations, typically through malicious emails. The goal of
spear phishing is to steal sensitive information such as login credentials or
infect the targets’ devices with malware.

Whaling: A whaling attack is a type of social engineering attack specifically
targeting senior or C-level executive employees with the purpose of stealing
money or information, or gaining access to the person’s computer in order to
execute further cyberattacks.

SMiShing: Smishing is the act of sending fraudulent text messages designed to
trick individuals into sharing sensitive data such as passwords, usernames and
credit card numbers. A smishing attack may involve cybercriminals pretending
to be your bank or a shipping service you use.

Vishing: Vishing, a voice phishing attack, is the fraudulent use of phone calls
and voice messages pretending to be from a reputable organization to convince
individuals to reveal private information such as bank details and passwords.

4. Spoofing

Spoofing is a technique through which a cybercriminal disguises themselves as a
known or trusted source. In so doing, the adversary is able to engage with the target
and access their systems or devices with the ultimate goal of stealing information,
extorting money or installing malware or other harmful software on the device.

Spoofing can take different forms, which include:

Type: Description

Domain Spoofing: Domain spoofing is a form of phishing where an attacker impersonates a known business o
fool people into trusting them. Typically, the domain appears to be legitimate at first gla
differences.

Email Spoofing: Email spoofing is a type of cyberattack that targets businesses by using emails with forged
alleged sender, they are more likely to open the email and interact with its contents, such as

ARP Spoofing: Address Resolution Protocol (ARP) spoofing or ARP poisoning is a form of spoofing attack
commits an ARP spoofing attack by tricking one device into sending messages to the hacke
hacker gains access to your device’s communications, including sensitive data.
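
The "legitimate at first glance" property of a spoofed domain is something a mail
gateway or proxy can test for. The following is an added example for these notes, not
code from the original: it checks a hostname against an allow-list of the
organisation's own domains and reports whether it is trusted, a homoglyph lookalike
(such as "rn" for "m" or "1" for "l"), the same name under a swapped top-level domain,
or a typosquat within two edits. TRUSTED_DOMAINS, the HOMOGLYPHS table, the
MAX_EDIT_DISTANCE cut-off and the "registrable domain is the last two labels" rule
are all simplifying assumptions.

```python
"""Flag hostnames that imitate a trusted domain: exact matches after
homoglyph normalisation, swapped top-level domains, and small-edit typosquats.

Added example for these notes. The trusted list, the homoglyph table and the
"registrable domain = last two labels" rule are simplifying assumptions."""

# Assumed allow-list of the organisation's own domains (constructed).
TRUSTED_DOMAINS = ["example.com", "example-bank.com"]

# Characters attackers swap for look-alikes; multi-character entries go first
# so "rn" becomes "m" before "1" becomes "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

MAX_EDIT_DISTANCE = 2  # assumed: up to two edits counts as a typosquat


def normalize(label):
    """Lower-case a label and fold common look-alike characters to their target."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(hostname):
    """Assumption: the registrable part is the last two labels (wrong for co.uk-style suffixes)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_verdict(hostname, trusted=TRUSTED_DOMAINS):
    """Return (verdict, imitated_domain); imitated_domain is None when unrelated."""
    domain = registrable_domain(hostname)
    if domain in trusted:
        return "trusted", domain
    name, _, tld = domain.rpartition(".")
    norm = normalize(name)
    best = None
    for candidate in sorted(trusted):
        cname, _, ctld = candidate.rpartition(".")
        if norm == normalize(cname):
            return ("homoglyph" if tld == ctld else "tld-swap"), candidate
        dist = levenshtein(norm, normalize(cname))
        if dist <= MAX_EDIT_DISTANCE and (best is None or dist < best[0]):
            best = (dist, candidate)
    if best is not None:
        return "typosquat", best[1]
    return "unrelated", None


if __name__ == "__main__":
    for host in ["login.example.com", "examp1e.com", "exarnple.com",
                 "example.net", "exmaple.com", "totallydifferent.org"]:
        print(host, "->", lookalike_verdict(host))
```

Normalising both the suspect name and the trusted name before comparing keeps the
check symmetric, and a short edit distance catches the transposition and one-character
typos that a homoglyph table alone would miss. In production the registrable-domain
step should use the Public Suffix List rather than the two-label rule assumed here.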

5. Identity-Based Attacks

CrowdStrike’s findings show that 80% of all breaches use compromised
identities and can take up to 250 days to identify.

Identity-driven attacks are extremely hard to detect. When a valid user’s credentials
have been compromised and an adversary is masquerading as that user, it is often very
difficult to differentiate between the user’s typical behavior and that of the
hacker using traditional security measures and tools.

Some of the most common identity-based attacks include:

Type: Description

Kerberoasting: Kerberoasting is a post-exploitation attack technique that
attempts to crack the password of a service account within Active Directory
(AD). An adversary masquerading as an ordinary account user requests a
Kerberos service ticket for an account that has a service principal name
(SPN); the ticket is encrypted with the service account’s password hash,
which the adversary then tries to crack.

Man-in-the-Middle (MITM) Attack: A man-in-the-middle attack is a type of
cyberattack in which an attacker eavesdrops on a conversation between two
targets with the goal of collecting personal data, passwords or banking
details, and/or to convince the victim to take an action such as changing
login credentials, completing a transaction or initiating a transfer of funds.

Pass-the-Hash Attack: Pass the hash (PtH) is a type of attack in which an
adversary steals a “hashed” user credential and uses it to create a new user
session on the same network. It does not require the attacker to know or crack
the password to gain access to the system. Rather, it uses a stored version of
the password to initiate a new session.

Golden Ticket Attack: In a golden ticket attack, adversaries attempt to gain
unlimited access to an organization’s domain by accessing user data stored in
Microsoft Active Directory (AD) by exploiting vulnerabilities in the Kerberos
identity authentication protocol. This allows adversaries to bypass
authentication methods.

Silver Ticket Attack: A silver ticket is a forged authentication ticket often
created when an attacker steals an account password. A forged service ticket
is encrypted and enables access to resources for the specific service targeted
by the silver ticket attack.

Credential Harvesting: In credential harvesting, cybercriminals gather user
credentials — such as user IDs, email addresses, passwords, and other login
information — en masse to then access systems, gather sensitive data, or sell
it on the dark web.

Credential Stuffing: Credential stuffing attacks work on the premise that
people often use the same user ID and password across multiple accounts.
Therefore, possessing the credentials for one account may grant access to
other, unrelated accounts.

Password Spraying: The basics of a password spraying attack involve a threat
actor using a single common password against multiple accounts on the same
application. This avoids the account lockouts that typically occur when an
attacker uses a brute force attack on a single account by trying many
passwords.

Brute Force Attacks: A brute force attack uses a trial-and-error approach to
systematically guess login info, credentials, and encryption keys. The
attacker submits combinations of usernames and passwords until they finally
guess correctly.

Downgrade Attacks: Downgrade attacks are cyberattacks where adversaries take
advantage of a system’s backward compatibility to force it into less secure
modes of operation, such as forcing a user to go to an HTTP version of a
website instead of HTTPS.

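
Password spraying and brute force leave opposite shapes in an authentication log,
which is how a detection rule separates them: brute force is many failures against
one account from one source, spraying is a handful of failures each across many
accounts from one source, deliberately under the lockout threshold. The following is
an added example for these notes, not code from the original. It reads constructed
"OK/FAIL user= src=" events produced by build_sample_log(), raises one finding per
pattern, and lists any sprayed account that the same source later logged into
successfully. BRUTE_FORCE_MIN_FAILS, SPRAY_MIN_ACCOUNTS and SPRAY_MAX_PER_ACCOUNT are
assumed thresholds that should be aligned with the real lockout policy.

```python
"""Tell a brute-force attack (many failures on one account) from password
spraying (a few failures each across many accounts) in authentication logs,
and note which sprayed accounts later logged in successfully.

Added example for these notes. Log lines come from build_sample_log() and
are constructed; thresholds are assumptions to align with the real lockout policy."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

BRUTE_FORCE_MIN_FAILS = 10   # assumed: this many failures on one account from one source
SPRAY_MIN_ACCOUNTS = 8       # assumed: one source failing against this many distinct accounts
SPRAY_MAX_PER_ACCOUNT = 3    # ...while staying below a typical per-account lockout threshold


def analyze_auth_log(log_text):
    """Return a list of findings, each a dict with type, src, accounts and failure count."""
    failures = defaultdict(Counter)    # src -> Counter(user -> failed attempts)
    successes = defaultdict(set)       # src -> users that logged in successfully
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        if m.group("result") == "FAIL":
            failures[m.group("src")][m.group("user")] += 1
        else:
            successes[m.group("src")].add(m.group("user"))

    findings = []
    for src, per_user in failures.items():
        # Brute force: one account hammered from one source.
        for user, n in per_user.items():
            if n >= BRUTE_FORCE_MIN_FAILS:
                findings.append({"type": "brute_force", "src": src,
                                 "accounts": [user], "failures": n,
                                 "successful_accounts": sorted(successes[src] & {user})})
        # Spraying: low per-account counts spread across many accounts.
        sprayed = sorted(u for u, n in per_user.items() if n <= SPRAY_MAX_PER_ACCOUNT)
        if len(sprayed) >= SPRAY_MIN_ACCOUNTS:
            findings.append({"type": "password_spray", "src": src,
                             "accounts": sprayed,
                             "failures": sum(per_user[u] for u in sprayed),
                             "successful_accounts": sorted(successes[src] & set(sprayed))})
    return findings


def build_sample_log():
    """Constructed events: a brute-force run, a spray with one hit, and normal noise."""
    lines = []
    # 203.0.113.9 tries 12 passwords against alice (would trip a 5-attempt lockout).
    lines += [f"2024-03-01T09:00:{i:02d}Z FAIL user=alice src=203.0.113.9" for i in range(12)]
    # 198.51.100.20 tries one password against ten accounts, then user07 succeeds.
    lines += [f"2024-03-01T09:05:{i:02d}Z FAIL user=user{i:02d} src=198.51.100.20"
              for i in range(1, 11)]
    lines.append("2024-03-01T09:06:00Z OK user=user07 src=198.51.100.20")
    # Ordinary users mistyping once or twice, then succeeding.
    lines += ["2024-03-01T09:10:00Z FAIL user=bob src=192.0.2.5",
              "2024-03-01T09:10:05Z FAIL user=bob src=192.0.2.5",
              "2024-03-01T09:10:09Z OK user=bob src=192.0.2.5",
              "2024-03-01T09:11:00Z FAIL user=carol src=192.0.2.6",
              "2024-03-01T09:11:04Z OK user=carol src=192.0.2.6"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in analyze_auth_log(build_sample_log()):
        print(finding)
```

The spray rule keys on breadth rather than depth precisely because a per-account
lockout counter never fires on it; a success from the same source shortly after the
spray is the event that should page someone, since it usually means a reused or weak
password was found.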
6. Code Injection Attacks

Code injection attacks consist of an attacker injecting malicious code into a vulnerable
computer or network to change its course of action. There are multiple types of code
injection attacks:

Type: Description

SQL Injection: A SQL Injection attack leverages system vulnerabilities to
inject malicious SQL statements into a data-driven application, which then
allows the hacker to extract information from a database. Hackers use SQL
Injection techniques to alter, steal or erase an application’s database data.

Cross-Site Scripting (XSS): Cross Site Scripting (XSS) is a code injection
attack in which an adversary inserts malicious code within a legitimate
website. The code then launches as an infected script in the user’s web
browser, enabling the attacker to steal sensitive information or impersonate
the user. Web forums, message boards, blogs and other websites that allow
users to post their own content are the most susceptible to XSS attacks.

Malvertising: Malvertising attacks leverage many other techniques, such as
SEO poisoning, to carry out the attack. Typically, the attacker begins by
breaching a third-party server, which allows the cybercriminal to inject
malicious code within a display ad or some element thereof, such as banner ad
copy, creative imagery or video content. Once clicked by a website visitor,
the corrupted code within the ad will install malware or adware on the user’s
computer.
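
The SQL injection entry above is easiest to understand by seeing the defect next to
its fix. The following is an added example for these notes, not code from the
original: it builds an in-memory SQLite table (constructed rows), runs the same lookup
once with the user input spliced into the SQL text and once with a bound parameter, and
returns what each version yields for a normal name and for the well-known tautology
payload. The users table, its rows and the demo() helper are all assumptions made for
the example.

```python
"""The classic SQL injection defect next to its fix, run against an in-memory
SQLite database so the difference is observable.

Added example for these notes (not code from the page). The users table and
its rows are constructed."""
import sqlite3


def make_db():
    """Create a throwaway users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """DEFECT: the input is spliced into the SQL text, so quotes in it change the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """FIX: a bound parameter is always treated as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    """Run both versions with a normal name and with a tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"   # turns the WHERE clause into ... = '' OR '1'='1'
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_payload": find_user_vulnerable(conn, payload),
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, payload),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The safe version does not escape anything; it never lets the input reach the SQL
parser as syntax, which is why parameterised queries (prepared statements) are the fix
rather than input filtering. The same rule applies to ORMs and stored procedures that
build SQL strings internally.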

7. Supply Chain Attacks

A supply chain attack is a type of cyberattack that targets a trusted third-party vendor
who offers services or software vital to the supply chain. Software supply chain
attacks inject malicious code into an application in order to infect all users of an app,
while hardware supply chain attacks compromise physical components for the same
purpose. Software supply chains are particularly vulnerable because modern software
is not written from scratch: rather, it involves many off-the-shelf components, such as
third-party APIs, open source code and proprietary code from software vendors.
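
Because those off-the-shelf components arrive as downloaded artifacts, the basic
control against a tampered one is to pin both the version and a cryptographic hash and
refuse anything that does not match. The following is an added example for these
notes, not code from the original: it parses a lock file in the "name==version
--hash=sha256:..." style that pip's hash-checking mode uses, then verifies an artifact's
bytes against it. The package name "toolkit", its version, the artifact bytes and the
demo() helper are constructed for the example; the hashes are computed in the block.

```python
"""Verify a downloaded dependency against a pinned version and SHA-256 hash
before it is installed, the control that catches a tampered artifact.

Added example for these notes. The lock file syntax follows pip's
"--hash=sha256:..." requirement style; the package name, version and the
artifact bytes are constructed, and their hashes are computed here."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text):
    """Return {name: {"version": str, "hashes": set()}} from pinned requirement lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        name, _, version = tokens[0].partition("==")
        hashes = {t.split("=", 1)[1].split(":", 1)[1]
                  for t in tokens[1:] if t.startswith("--hash=sha256:")}
        pins[name.lower()] = {"version": version, "hashes": hashes}
    return pins


def verify_artifact(pins, name, version, data):
    """Return (ok, reason): ok only when name, version and hash all match the lock file."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, "package not pinned"
    if pin["version"] != version:
        return False, f"version {version} differs from pinned {pin['version']}"
    if sha256_hex(data) not in pin["hashes"]:
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed "wheel" bytes standing in for a real build artifact.
GOOD_ARTIFACT = b"PK\x03\x04constructed-toolkit-1.0.0-wheel-contents"
LOCKFILE = f"""\
# constructed lock file with hash pins
toolkit==1.0.0 --hash=sha256:{sha256_hex(GOOD_ARTIFACT)}
"""


def demo():
    """Check the genuine artifact, a tampered copy, a wrong version and an unpinned package."""
    pins = parse_lockfile(LOCKFILE)
    tampered = GOOD_ARTIFACT + b"\n# one extra byte changes the digest"
    return {
        "good": verify_artifact(pins, "toolkit", "1.0.0", GOOD_ARTIFACT),
        "tampered": verify_artifact(pins, "toolkit", "1.0.0", tampered),
        "wrong_version": verify_artifact(pins, "toolkit", "1.0.1", GOOD_ARTIFACT),
        "unpinned": verify_artifact(pins, "other-lib", "2.0", GOOD_ARTIFACT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The hash protects against a substituted artifact but not against a malicious version
that was pinned in good faith, which is why the pin itself should be reviewed when it
changes and the lock file kept under version control.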

8. Insider Threats
IT teams that solely focus on finding adversaries external to the organization only get
half the picture. Insider threats are internal actors such as current or former employees
that pose danger to an organization because they have direct access to the company
network, sensitive data, and intellectual property (IP), as well as knowledge of
business processes, company policies or other information that would help carry out
such an attack.

Internal actors that pose a threat to an organization tend to be malicious in nature.
Some motivators include financial gain in exchange for selling confidential
information on the dark web, and/or emotional coercion using social engineering
tactics, such as pretexting or business email compromise (BEC) attacks. On the other
hand, some insider threat actors are not malicious but negligent. To combat this,
organizations should implement a comprehensive cybersecurity training program that
teaches stakeholders to be aware of any potential attacks, including those
potentially performed by an insider.

9. DNS Tunneling

DNS Tunneling is a type of cyberattack that leverages domain name system (DNS)
queries and responses to bypass traditional security measures and transmit data and
code within the network.

Once a host is infected, the hacker can freely engage in command-and-control activities.
This tunnel gives the hacker a route to unleash malware and/or to extract data, IP or
other sensitive information by encoding it bit by bit in a series of DNS responses.

DNS tunneling attacks have increased in recent years, in part because they are
relatively simple to deploy. Tunneling toolkits and guides are even readily accessible
online through mainstream sites like YouTube.
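
Encoding data "bit by bit" into DNS names leaves a statistical footprint that a resolver
log can reveal: one parent domain receiving many distinct, long, high-entropy
subdomains, frequently as TXT queries. The following is an added example for these
notes, not code from the original: it aggregates constructed query-log lines from
build_sample_queries() per parent domain and flags a domain when the distinct-subdomain
count, mean entropy and mean length all exceed assumed thresholds. The
"parent domain is the last two labels" rule, the thresholds and the hex chunks standing
in for encoded data are simplifying assumptions.

```python
"""Spot DNS-tunnelling patterns in a resolver query log: many distinct,
long, high-entropy subdomains under one parent domain, often TXT queries.

Added example for these notes. Query lines are constructed by
build_sample_queries(); thresholds and the "parent = last two labels" rule
are simplifying assumptions."""
import hashlib
import math
from collections import defaultdict

MIN_UNIQUE_SUBDOMAINS = 20   # assumed: fewer distinct names than this is not worth flagging
ENTROPY_THRESHOLD = 3.0      # assumed: mean bits/char above this looks encoded, not human-chosen
LENGTH_THRESHOLD = 40        # assumed: mean subdomain length above this is unusual


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, parent) assuming the parent is the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_queries(lines):
    """Per parent domain: query count, distinct subdomains, mean entropy/length, TXT share, verdict."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": 0.0,
                                 "length": 0, "txt": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:      # expected: timestamp client qtype qname
            continue
        _ts, _client, qtype, qname = parts
        sub, parent = split_name(qname)
        s = stats[parent]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["length"] += len(sub)
        s["txt"] += qtype.upper() == "TXT"
    report = {}
    for parent, s in stats.items():
        n = s["queries"]
        mean_entropy = s["entropy"] / n
        mean_length = s["length"] / n
        suspicious = (len(s["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS
                      and mean_entropy >= ENTROPY_THRESHOLD
                      and mean_length >= LENGTH_THRESHOLD)
        report[parent] = {"queries": n, "unique_subdomains": len(s["subdomains"]),
                          "mean_entropy": round(mean_entropy, 2),
                          "mean_length": round(mean_length, 1),
                          "txt_share": round(s["txt"] / n, 2), "suspicious": suspicious}
    return report


def build_sample_queries():
    """Constructed log: normal lookups, then 40 encoded chunks sent as TXT queries."""
    lines = ["2024-03-01T10:00:00Z 10.0.0.5 A www.example.com",
             "2024-03-01T10:00:01Z 10.0.0.5 A mail.example.com",
             "2024-03-01T10:00:02Z 10.0.0.6 A login.example.com",
             "2024-03-01T10:00:03Z 10.0.0.6 AAAA api.example.com"]
    for i in range(40):
        # stand-in for a base-encoded data chunk: 40 hex chars derived from the counter
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"2024-03-01T10:01:{i:02d}Z 10.0.0.7 TXT {chunk}.{i}.t.example.org")
    return lines


if __name__ == "__main__":
    for parent, info in analyze_queries(build_sample_queries()).items():
        print(parent, info)
```

Requiring all three signals together keeps the false-positive rate down: content
delivery networks and anti-spam services also use hashed-looking labels, but they
rarely combine them with dozens of never-repeated names and long TXT queries from one
client.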

10. IoT-Based Attacks

An IoT attack is any cyberattack that targets an Internet of Things (IoT) device or
network. Once compromised, the hacker can assume control of the device, steal data,
or join a group of infected devices to create a botnet to launch DoS or DDoS attacks.

[According to the Nokia Threat Intelligence Lab, connected devices are responsible for
nearly one-third of mobile network infections – more than double the amount in 2019.]

Given that the number of connected devices is expected to grow rapidly over the next
several years, cybersecurity experts expect IoT infections to grow as well. Further, the
deployment of 5G networks, which will further fuel the use of connected devices, may
also lead to an uptick in attac

Malware Creation
Advantages of Detecting and Removing Malware
1. Improved Security: By detecting and removing malware, individuals, and
organizations can improve the security of their systems and reduce the risk of future
infections.
2. Prevent Data Loss: Malware can cause data loss, and by removing it, individuals and
organizations can protect their important files and information.
3. Protect Reputation: Malware can cause harm to a company’s reputation, and by
detecting and removing it, individuals and organizations can protect their image and
brand.
4. Increased Productivity: Malware can slow down systems and make them less
efficient, and by removing it, individuals and organizations can increase the
productivity of their systems and employees.
Disadvantages of Detecting and Removing Malware
1. Time-Consuming: The process of detecting and removing malware can be time-
consuming and require specialized tools and expertise.
2. Cost: Antivirus software and other tools required to detect and remove malware can
be expensive for individuals and organizations.
3. False Positives: Malware detection and removal tools can sometimes result in false
positives, causing unnecessary alarm and inconvenience.
4. Difficulty: Malware is constantly evolving, and the process of detecting and removing
it can be challenging and require specialized knowledge and expertise.
5. Risk of Data Loss: Some malware removal tools can cause unintended harm, resulting
in data loss or system instability.

Creating HTTP Trojan and Controlling a Target Machine Remotely With HTTP RAT
RAT or a Remote Access Trojan helps hackers to gain complete control over a target
system, allowing them to access the files, private conversations, etc. remotely. In this lab,
let’s understand how HTTP Trojans work so that you can protect your network against this
type of malware.

1. Go to the Module 07 Malware Threats\Trojans Types\HTTP HTTPS
Trojans\HTTP RAT TROJAN. Double-click on httprat.exe to open HTTP RAT.

2. When the HTTP RAT window comes, uncheck the send notification with IP
address to mail option. Next, enter server port 84 and click on Create for the
creation of an httpserver.exe file.

3. A server will get created in the default location where you can find the HTTP RAT
files. Minimize all the open windows.

4. Go to Windows 8.

5. To run httpserver.exe navigate to Module 07 Malware Threats\Trojans
Types\HTTP HTTPS Trojans\HTTP RAT TROJAN and double-click httpserver.exe.

When the Open File - Security Warning error comes, click on Run.

6. The httpserver.exe file will continue to run in the background. Open the Task
Manager for the confirmation of status. You can see in the Processes tab that
the Httpserver (32 bit) is running. Keep the Windows 8 machine running.

7. Open Windows Server 2016.

8. Open a web browser like Google Chrome.

9. In the URL bar, write the IP address of the target machine and press Enter. In this
lab, the target machine is Windows 8 with IP address 10.10.10.8.

10. It will show the z0mbie’s HTTP_RAT page. Click on Running Processes to see
the list of processes active on Windows 8.

11. It will show the list of Running Processes on the target machine. You can close
any process from your end.

12. Click on Browse to view the directories and files on the target machine. You can
further check the content on the drives.

13. If you click on the Computer info, it will show you the details about the computer,
hardware, and users.

14. Close all the open windows when the lab is completed.

Gathering Control over a Victim Machine Using njRAT

njRAT is a powerful RAT tool to steal data. It allows hackers to log keystrokes, access the
camera of the target system, access credentials stored in browsers, upload and download
files, manipulate files, and see the desktop.

Hackers can further use it to take control over the computers in a network, create malware
and spread it in the network.

As an ethical hacker or security admin, it is important for you to find the vulnerable
machines that can be attacked by Trojans, malware, which can lead to data breach and
identity theft.

In this lab, let’s understand how to create a server using njRAT and gain remote access to
the target machine.

1. Open the Control Panel on your desktop.

2. When the All Control Panel Items window comes, click on Windows Defender
Firewall. Then click on Use Recommended Settings. Close the open windows
and leave the Windows 10 system running.

3. Go to E:\CEHv10 Module 07 Malware Threats\Trojans Types\Remote Access
Trojans (RAT)\njRAT and double-click on njRAT v0.7d.exe to open the njRAT
tool.

4. When the njRAT GUI comes, enter the port number and click on Start. Here, let’s
proceed with the default port number 5552.

5. In the next interface, click on Builder in the lower-left side.

6. When the Builder dialog box comes, enter the IP of Windows Server 2016
(attacker machine). Check mark the Copy to Startup and Registry
Startup options and click on Build.

7. When the Save As dialog box comes, specify the location for storing the server, add
a name, and then click on Save.

8. Here, the file has been named Test.exe and the destination location
is E:\CEHv10 Module 07 Malware Threats\Trojans Types\Remote Access
Trojans (RAT)\njRAT.

9. When the server is created successfully, there will be DONE! popup. Click on OK.

10. Hackers transmit a crafted server file to the target machine in real time. When this
file is executed, the hackers can see and access the information on the target
machine.

Here, let’s use the Test.exe file on the Shared Network drive. It can be accessed by the
other machines.

11. Open Windows 10 and go to Z:\CEHv10 Module 07 Malware Threats\Trojans
Types\Remote Access Trojans (RAT)\njRAT.

Copy-paste the Test.exe file on Desktop. Minimize the currently open windows.

12. Open the Test.exe file from Desktop.

13. Open Windows Server 2016 as soon as the file is opened. The njRAT client
running on Windows Server 2016 will form a connection with the target machine.

The control over the target machine remains with the hacker unless he disconnects it.

In the GUI, you can see the basic details about the target machine, including IP address,
username, operating system, etc.

14. Right-click on the victim name and then click on Manager.

15. In the Manager window, the File Manager is selected by default. To see the
related files of a directory, double-click on the directory.

16. Click on Process manager. From the processes shown, right click on a process to
perform actions like Kill, Delete, and Restart.

17. Click on Connection, choose a particular connection, and right click on it. Then
click on Kill Connection. It will close the connection between two machines
interacting via a specific port.

18. Click on Remote Shell to open a remote command prompt of the target machine.
Write ipconfig /all and press Enter.

19. It will show the interfaces associated with the target machine. Similarly, you can
write other commands and view more information from the target machine.

Similarly, you can click on Services to see the services running on the target machine. It
will allow you to start, pause, or stop a service.

20. Right-click on the target machine name and then click on Run File. Select an
option from the dropdown. Hackers use these options to write and execute scripts
and find remote access to the machine.

21. Now, right-click on the target machine name and choose Remote Desktop. It will
open a remote desktop connection. The victim will not become aware of it.

22. When the Remote Desktop window comes, navigate to the top-center part. A down
arrow will show. Click on it.

23. When the remote desktop control panel comes, check mark the Mouse option. It
will allow you to communicate with the target machine remotely using your mouse.

Once the task is completed, close the Remote Desktop window.

24. Similarly, you can spy on the target machine and keep a track of voice
conversations by right-clicking on the target machine name and choosing Remote
Cam and Microphone.

25. Open Windows 10 and do some activities on it like a legitimate user. The activities
can include opening websites in a browser, writing text in a document, etc.

26. Open Windows Server 2016 and right-click on the target machine name. Then,
click on Keylogger.

27. When the Keylogger window comes, it will show all the keystrokes performed by
the user on the target Windows 10 machine. Close the window after seeing it.

28. Right-click on the target machine name and then click on Open Chat.

29. When the Chat pop-up comes, enter a nickname and click on OK.

30. When the chat box shows, write a message and click on Send.

31. Open Windows 10 as soon as you send the message from the Windows Server 2016
machine. It will show you a pop-up.

When a victim sees such a pop-up or alert, they try to close it. However, no matter
where they click, the chat box will remain open as long as it is being used by the
attacker.

In case the victim tries to restart the system, it will disconnect the communication between
njRAT and Windows 10.

32. Now, restart Windows 10.

33. Open Windows Server 2016 and check whether the connection is lost with the
target machine.

34. Click Windows 10 and login to it. Keep the machine running.

35. Open Windows Server 2016 and check whether the connection is formed after
restarting.

Close all the windows once the lab is completed.

Analyzing a Virus Using IDA

The purpose of analyzing a virus is to learn about specific virus samples and to
understand trends across a large set of samples without executing them. Most
malware comes as Windows binary executables.

As an ethical hacker, you must know how to perform malware analysis to have an idea
about their working and the damage that can be caused by them.

1. Go to Module 07 Malware Threats\Malware Analysis Tools\Static Malware
Analysis Tools\Disassembling and Debugging Tools\IDA and double-click
on idademo73_windows.exe.

2. When the IDA installation wizard comes, click on Next.

3. Once installation is done, click on Finish.

4. After installation, open the app. When the IDA License window comes, click on I
Agree.

5. Click on New when the IDA: Quick Start pop-up shows up.

6. When the Select File to disassemble window comes, go to Module 07 Malware
Threats\Viruses\Klez Virus Live!, select face.exe and click on Open.

7. When the Load a new file window comes, keep the default settings and click
on OK.

In case you see a Warning pop-up, click on OK. If there is a Please confirm dialog box,
click on Yes.

8. Once the analysis is complete, it will display the IDA Pro Analysis window.
Navigate to View > Graphs, and click on Flow Chart from the menu bar.

9. It will open a Graph window with the flow. You can zoom it to see it properly.

10. Close the Graph window. Navigate to View > Graphs. Click on Function
Calls from the menu bar.

11. When a window displaying call flow comes, zoom it to see clearly. Do the analysis
and then close the WinGraph32 Call flow window.

12. Click on Windows from the menu bar and choose Hex View-1.

13. It will show you the Hex Value of the virus.

14. To see the virus structure, go to Windows > Structures.

15. It will show the structures. To see details, press Ctrl and +. In the same way, you
can check and analyze the other options of IDA Pro.

16. Once the lab is complete, close the windows.
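
Before a sample is loaded into a disassembler, the same static questions the IDA lab
asks (what kind of binary is it, how is it laid out, what strings does it carry) can be
answered from the file bytes alone, without executing anything. The following is an
added example for these notes, not part of the IDA lab: it hashes an image, reads the
DOS and COFF headers and the section table of a PE file, flags sections marked both
writable and executable (a common packer sign), and extracts printable strings the way
the strings tool does. build_sample_image() constructs a minimal PE-shaped byte
string for the demonstration; it is not real malware, and the URL inside it is a
placeholder under the reserved .example domain.

```python
"""Static triage of a Windows executable without running it: hash it, read
the PE headers (machine, section table) and pull printable strings, the
first steps an analyst takes before opening a sample in a disassembler.

Added example for these notes, not part of the IDA lab. build_sample_image()
constructs a minimal PE-shaped byte string (no real malware); the embedded
URL uses the reserved .example domain as a placeholder."""
import hashlib
import re
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SECTION_EXECUTE = 0x20000000   # IMAGE_SCN_MEM_EXECUTE
SECTION_WRITE = 0x80000000     # IMAGE_SCN_MEM_WRITE
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return machine, section table and write+execute sections from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections = []
    offset = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    for _ in range(nsections):
        name = data[offset:offset + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, flags = \
            struct.unpack_from("<IIIIIIHHI", data, offset + 8)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_offset": rawptr, "flags": flags})
        offset += SECTION_HEADER_SIZE
    # Sections that are both writable and executable are a common packer/self-modifying sign.
    wx = [s["name"] for s in sections
          if s["flags"] & SECTION_WRITE and s["flags"] & SECTION_EXECUTE]
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "timestamp": timestamp,
            "is_dll": bool(characteristics & 0x2000), "sections": sections, "wx_sections": wx}


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Combine the hash, header facts and strings into one report."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "pe": parse_pe(data), "strings": extract_strings(data)}


def build_sample_image():
    """Constructed PE-shaped bytes: DOS stub, COFF header, two sections, a few strings."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> PE header at 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F3A1C00, 0, 0, 0, 0x0102)  # x86, 2 sections, EXE
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                         0, 0, 0, 0, 0x60000020)   # code, execute, read
    upx1 = b"UPX1\0\0\0\0" + struct.pack("<IIIIIIHHI", 0x400, 0x2000, 0x400, 0x400,
                                          0, 0, 0, 0, 0xE0000040)  # data, write+execute+read
    body = (b"\0" * 16 + b"http://update.malware-sample.example/stage2.bin\0"
            + b"\0" * 4 + b"CreateRemoteThread\0" + b"\xff\x01\x02")
    return bytes(dos) + b"PE\0\0" + coff + text + upx1 + body


if __name__ == "__main__":
    report = triage(build_sample_image())
    print(report["sha256"], report["pe"]["machine"], report["pe"]["wx_sections"])
    print(report["strings"])
```

A writable-and-executable section, a packer-style section name and a download URL next
to an injection-related API name are exactly the kind of leads this pass produces;
they tell the analyst where to look first once the graph and call views in IDA are
open.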

Penetration Testing

Penetration testing (or pen testing) is a security exercise where a cyber-security expert
attempts to find and exploit vulnerabilities in a computer system. The purpose of this
simulated attack is to identify any weak spots in a system’s defenses which attackers could
take advantage of.

What are the types of pen tests?

• Open-box pen test - In an open-box test, the hacker will be provided with some
information ahead of time regarding the target company’s security info.

• Closed-box pen test - Also known as a ‘single-blind’ test, this is one where the
hacker is given no background information besides the name of the target
company.

• Covert pen test - Also known as a ‘double-blind’ pen test, this is a situation
where almost no one in the company is aware that the pen test is happening,
including the IT and security professionals who will be responding to the attack.
For covert tests, it is especially important for the hacker to have the scope and
other details of the test in writing beforehand to avoid any problems with law
enforcement.

• External pen test - In an external test, the ethical hacker goes up against the
company’s external-facing technology, such as their website and external
network servers. In some cases, the hacker may not even be allowed to enter the
company’s building. This can mean conducting the attack from a remote
location or carrying out the test from a truck or van parked nearby.

• Internal pen test - In an internal test, the ethical hacker performs the test from
the company’s internal network. This kind of test is useful in determining how
much damage a disgruntled employee can cause from behind the company’s
firewall.

How is a typical pen test carried out?

Pen tests start with a phase of reconnaissance, during which an ethical hacker spends time
gathering data and information that they will use to plan their simulated attack. After that,
the focus becomes gaining and maintaining access to the target system, which requires a
broad set of tools.

Tools for attack include software designed to produce brute-force attacks or SQL
injections. There is also hardware specifically designed for pen testing, such as small
inconspicuous boxes that can be plugged into a computer on the network to provide the
hacker with remote access to that network. In addition, an ethical hacker may use social
engineering techniques to find vulnerabilities, for example by sending phishing emails
to company employees, or even disguising themselves as delivery people to gain physical
access to the building.

The hacker wraps up the test by covering their tracks; this means removing any embedded
hardware and doing everything else they can to avoid detection and leave the target system
exactly how they found it.

What are the benefits of penetration testing?

Ideally, software and systems were designed from the start with the aim of eliminating
dangerous security flaws. A pen test provides insight into how well that aim was achieved.
Pen testing can help an organization

• Find weaknesses in systems
• Determine the robustness of controls
• Support compliance with data privacy and security regulations (e.g., PCI
DSS, HIPAA, GDPR)
• Provide qualitative and quantitative examples of current security posture and
budget priorities for management

How much access is given to pen testers?

Depending on the goals of a pen test, testers are given varying degrees of information
about, or access to, the target system. In some cases, the pen testing team takes one
approach at the start and sticks with it. Other times, the testing team evolves its strategy as
its awareness of the system increases during the pen test. There are three levels of pen test
access.

• Opaque box. The team doesn’t know anything about the internal structure of the
target system. It acts as hackers would, probing for any externally exploitable
weaknesses.
• Semi-opaque box. The team has some knowledge of one or more sets of
credentials. It also knows about the target’s internal data structures, code, and
algorithms. Pen testers might construct test cases based on detailed design
documents, such as architectural diagrams of the target system.
• Transparent box. Pen testers have access to systems and system artifacts including
source code, binaries, containers, and sometimes even the servers running the
system. This approach provides the highest level of assurance in the smallest
amount of time.

What are the phases of pen testing?

Pen testers simulate attacks by motivated adversaries. To do this, they typically follow a
plan that includes the following steps:

• Reconnaissance. Gather as much information about the target as possible from
public and private sources to inform the attack strategy. Sources include internet
searches, domain registration information retrieval, social engineering, nonintrusive
network scanning, and sometimes even dumpster diving. This information helps
pen testers map out the target’s attack surface and possible vulnerabilities.
Reconnaissance can vary with the scope and objectives of the pen test; it can be as
simple as making a phone call to walk through the functionality of a system.
• Scanning. Pen testers use tools to examine the target website or system for
weaknesses, including open services, application security issues, and open source
vulnerabilities. Pen testers use a variety of tools based on what they find during
reconnaissance and during the test.
• Gaining access. Attacker motivations can include stealing, changing, or deleting
data; moving funds; or simply damaging a company’s reputation. To perform each
test case, pen testers determine the best tools and techniques to gain access to the
system, whether through a weakness such as SQL injection or through malware,
social engineering, or something else.
• Maintaining access. Once pen testers gain access to the target, their simulated
attack must stay connected long enough to accomplish their goals of exfiltrating
data, modifying it, or abusing functionality. It’s about demonstrating the potential
impact.

What are the types of pen testing?

A comprehensive approach to pen testing is essential for optimal risk management. This
entails testing all the areas in your environment.

• Web apps. Testers examine the effectiveness of security controls and look for
hidden vulnerabilities, attack patterns, and any other potential security gaps that can
lead to a compromise of a web app.
• Mobile apps. Using both automated and extended manual testing, testers look for
vulnerabilities in application binaries running on the mobile device and the
corresponding server-side functionality. Server-side vulnerabilities include session
management, cryptographic issues, authentication and authorization issues, and
other common web service vulnerabilities.
• Networks. This testing identifies common to critical security vulnerabilities in an
external network and systems. Experts employ a checklist that includes test cases
for encrypted transport protocols, SSL certificate scoping issues, use of
administrative services, and more.
• Cloud. A cloud environment is significantly different than traditional on-premises
environments. Typically, security responsibilities are shared between the
organization using the environment and the cloud services provider. Because of
this, cloud pen testing requires a set of specialized skills and experience to
scrutinize the various aspects of the cloud, such as configurations, APIs, various
databases, encryption, storage, and security controls.
• Containers. Containers obtained from Docker often have vulnerabilities that can be
exploited at scale. Misconfiguration is also a common risk associated with
containers and their environment. Both of these risks can be uncovered with expert
pen testing.
• Embedded devices (IoT). Embedded / Internet of Things (IoT) devices such as
medical devices, automobiles, in-home appliances, oil rig equipment, and watches
have unique software testing requirements due to their longer life cycles, remote
locations, power constraints, regulatory requirements, and more. Experts perform a
thorough communication analysis along with a client/server analysis to identify
defects that matter most to the relevant use case.
• Mobile devices. Pen testers use both automated and manual analysis to find
vulnerabilities in application binaries running on the mobile device and the
corresponding server-side functionality. Vulnerabilities in application binaries can
include authentication and authorization issues, client-side trust issues,
misconfigured security controls, and cross-platform development framework issues.
Server-side vulnerabilities can include session management, cryptographic issues,
authentication and authorization issues, and other common web service
vulnerabilities.
• APIs. Both automated and manual testing techniques are used to cover the OWASP
API Security Top 10 list. Some of the security risks and vulnerabilities testers look
for include broken object level authorization, user authentication, excessive data
exposure, lack of resources / rate limiting, and more.
• CI/CD pipeline. Modern DevSecOps practices integrate automated and intelligent
code scanning tools into the CI/CD pipeline. In addition to static tools that find
known vulnerabilities, automated pen testing tools can be integrated into the CI/CD
pipeline to mimic what a hacker can do to compromise the security of an
application. Automated CI/CD pen testing can discover hidden vulnerabilities and
attack patterns that go undetected with static code scanning.

What are the types of pen testing tools?

There is no one-size-fits-all tool for pen testing. Instead, different targets require different
sets of tools for port scanning, application scanning, Wi-Fi break-ins, or direct penetration
of the network. Broadly speaking, the types of pen testing tools fit into five categories.

 Reconnaissance tools for discovering network hosts and open ports
 Vulnerability scanners for discovering issues in network services, web applications,
and APIs
 Proxy tools such as specialized web proxies or generic man-in-the-middle proxies
 Exploitation tools to achieve system footholds or access to assets
 Post-exploitation tools for interacting with systems, maintaining and expanding
access, and achieving attack objectives

How does pen testing differ from automated testing?

Although pen testing is mostly a manual effort, pen testers do use automated scanning and
testing tools. But they also go beyond the tools and use their knowledge of the latest attack
techniques to provide more in-depth testing than a vulnerability assessment (i.e., automated
testing).
Manual pen testing
Manual pen testing uncovers vulnerabilities and weaknesses not included in popular lists
(e.g., OWASP Top 10) and tests business logic that automated testing can overlook (e.g.,
data validation, integrity checks). A manual pen test can also help identify false positives
reported by automated testing. Because pen testers are experts who think like adversaries,
they can analyze data to target their attacks and test systems and websites in ways
automated testing solutions following a scripted routine cannot.
Automated testing
Automated testing generates results faster and needs fewer specialized professionals than a
fully manual pen testing process. Automated testing tools track results automatically and
can sometimes export them to a centralized reporting platform. Also, the results of manual
pen tests can vary from test to test, whereas running automated testing repeatedly on the
same system will produce the same results.

What are the pros and cons of pen testing?

With the frequency and severity of security breaches increasing year after year,
organizations have never had a greater need for visibility into how they can withstand
attacks. Regulations such as PCI DSS and HIPAA mandate periodic pen testing to remain
current with their requirements. With these pressures in mind, here are some pros and cons
for this type of defect discovery technique.
Pros of pen testing

 Finds holes in upstream security assurance practices, such as automated tools,
configuration and coding standards, architecture analysis, and other lighter-weight
vulnerability assessment activities
 Locates both known and unknown software flaws and security vulnerabilities,
including small ones that by themselves won’t raise much concern but could cause
material harm as part of a complex attack pattern
 Can attack any system, mimicking how most malicious hackers would behave,
simulating as close as possible a real-world adversary

Cons of pen testing

 Is labor-intensive and costly
 Does not comprehensively prevent bugs and flaws from making their way into
production

UNIT -IV Computer Security Technology
Introduction, Virus Scanners, Firewalls, Antispyware, IDS, Digital Certificates,
SSL/TLS, Virtual Private Networks, Wi-Fi Security.

Computer security technology encompasses a wide array of practices, tools, and methods
designed to protect computer systems, networks, and data from unauthorized access, theft,
damage, or any form of cyber attack. It is a crucial aspect of information technology that
ensures the confidentiality, integrity, and availability of data. Here are the key components:

1. Firewalls: These are network security devices that monitor incoming and outgoing
network traffic and decide whether to allow or block specific traffic based on a
defined set of security rules. Firewalls can be hardware-based, software-based, or
both.
Detail: Firewalls act as a barrier between your internal network and incoming traffic from
external sources (such as the internet) to block malicious traffic like viruses and hackers.
Advantages: Protect against external attacks, manage network traffic, and prevent
unauthorized access.
Disadvantages: Can be complex to configure, might slow down network performance if not
properly optimized, and cannot protect against internal threats or attacks that bypass the
firewall.
Implementation Process: Identify network requirements, select between hardware and
software firewalls or use both (known as a dual firewall), configure firewall rules according
to your security policy, and regularly update and review firewall rules.
Types: Packet-filtering firewalls, stateful inspection firewalls, proxy firewalls, next-
generation firewalls (NGFW), and network address translation (NAT) firewalls.

2. Antivirus and Anti-malware Software: This software is used to prevent, detect, and
remove malicious software (malware) like viruses, worms, and spyware. These tools
often include real-time scanning features to detect malware as it appears.
Detail: Software designed to detect, prevent, and remove malware, including viruses, worms,
and spyware.
Advantages: Provides real-time protection against a wide range of malware, can remove
existing infections, and often includes tools for web security and email protection.
Disadvantages: Can impact system performance, might not catch all malware (especially new
or sophisticated threats), and requires regular updates to be effective.
Implementation Process: Choose an antivirus solution that fits your needs, install the software
on all devices, configure settings for regular scans and updates, and educate users about not
disabling protection.
Types: Signature-based detection, behavior-based detection (heuristic analysis), sandbox
detection, and cloud-based antivirus.
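The following is an added example, not code from the lecture notes or from any antivirus vendor. It shows in miniature the first two detection types named above: signature-based matching (an exact file hash and a byte pattern) and a simple heuristic check that looks at file structure rather than known content. The signature database, the marker strings and the sample files are all constructed for the illustration; the patterns are harmless text, not real malware.

```python
"""Toy file scanner: signature-based detection next to a heuristic check.
Added example for the lecture notes; signatures and samples are constructed."""

import hashlib

# Constructed signature database. A hash signature is exact (any change to the
# file defeats it); a byte-pattern signature survives changes elsewhere in the file.
HASH_SIGNATURES = {
    hashlib.sha256(b"SAMPLE-KNOWN-BAD-FILE-CONTENT").hexdigest(): "Sample.KnownBad.A",
}
PATTERN_SIGNATURES = {
    b"SAMPLE-MARKER-PATTERN": "Sample.Pattern.B",
}


def signature_scan(data: bytes):
    """Return the name of the matching signature, or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(filename: str, data: bytes):
    """Flag structural oddities instead of known content: an executable ('MZ')
    header in a file that does not claim to be an executable, or a deceptive
    double extension such as invoice.pdf.exe. These are constructed rules."""
    findings = []
    lowered = filename.lower()
    if data.startswith(b"MZ") and not lowered.endswith((".exe", ".dll")):
        findings.append("executable header in non-executable extension")
    parts = lowered.split(".")
    if len(parts) >= 3 and parts[-1] in {"exe", "scr"} and parts[-2] in {"pdf", "doc", "jpg"}:
        findings.append("deceptive double extension")
    return findings


def scan(filename: str, data: bytes) -> dict:
    """Combine both detection methods into one verdict record."""
    return {
        "file": filename,
        "signature": signature_scan(data),
        "heuristics": heuristic_scan(filename, data),
    }


if __name__ == "__main__":
    # Constructed samples: a known file, a slightly altered copy, and a renamed executable.
    print(scan("a.txt", b"SAMPLE-KNOWN-BAD-FILE-CONTENT"))
    print(scan("a.txt", b"SAMPLE-KNOWN-BAD-FILE-CONTENT!"))
    print(scan("invoice.pdf.exe", b"MZ\x90\x00"))
```

The second sample differs from the first by one byte, which is enough to defeat the hash signature; that is the gap the notes describe when they say signature-based tools "might not catch all malware (especially new or sophisticated threats)", and why the heuristic rules are consulted as well.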

3. Encryption: The process of encoding data so that only authorized users can access it.
Encryption can protect data in transit (over the network) and at rest (stored on a
device).
Detail: The conversion of data into a coded form that can only be accessed and decrypted by
someone who has the encryption key.
Advantages: Secures data from unauthorized access, ensures data integrity, and is essential
for protecting sensitive information.
Disadvantages: Can be complex to implement correctly, encrypted data can still be
compromised if the encryption keys are stolen, and performance overhead.
Implementation Process: Identify sensitive data, choose an encryption standard (such as AES
or RSA), implement encryption at the desired layers (disk, file, database, or communication
channels), manage encryption keys securely.
Types: Symmetric encryption, asymmetric encryption, and hashing.

4. Access Control: Ensures that only authorized users have access to specific resources.
This involves creating user accounts with permissions tailored to the individual's role
within the organization, implementing strong authentication methods, and sometimes
using biometric verification.
Detail: Systems and processes that limit access to resources, data, or applications to
authorized users only.
Advantages: Minimizes risk of unauthorized access, helps in data protection, and ensures that
users can only access the information necessary for their roles.
Disadvantages: Can be complex to manage, especially in large organizations, and improper
configurations can lead to either excessive access or too restrictive access.
Implementation Process: Define access control policies, classify data and resources,
implement an access control model (e.g., RBAC, ABAC), enforce authentication and
authorization mechanisms, and regularly review access rights.
Types: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-based
Access Control (RBAC), and Attribute-based Access Control (ABAC).
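As an added example (not from the lecture notes), the following script implements two of the access control models listed above, RBAC and ABAC, as small policy checkers applied to the same kind of request, so that the difference between "what role do you hold" and "what attributes do you, the resource and the situation have" is visible in code. The roles, permissions, users, departments and clearance levels are all constructed for the illustration; the default in both models is to deny.

```python
"""RBAC and ABAC policy checkers side by side. Added example; all roles,
users, resources and attribute values are constructed."""

from dataclasses import dataclass

# ---- RBAC: permissions are granted to roles, and users are assigned roles ----
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "manager": {"report:read", "report:approve"},
    "admin":   {"report:read", "report:approve", "user:manage"},
}

USER_ROLES = {
    "alice": {"analyst"},
    "bob":   {"manager"},
    "carol": {"admin"},
    "dave":  set(),     # no role assigned: denied everything by default
}


def rbac_allows(user: str, permission: str) -> bool:
    """Allow if any role held by the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def review_access(user: str) -> set:
    """Access-review helper: the effective permission set of a user, so that
    excessive rights can be spotted during the periodic review the notes call for."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# ---- ABAC: the decision uses attributes of subject, resource and environment ----
@dataclass
class Subject:
    name: str
    department: str
    clearance: int          # constructed scale: 0 = public ... 3 = restricted


@dataclass
class Resource:
    owner_department: str
    classification: int     # same scale as clearance


@dataclass
class Environment:
    hour: int               # hour of the access attempt, 24h clock
    on_corporate_network: bool


def abac_allows(subject: Subject, action: str,
                resource: Resource, env: Environment) -> bool:
    """Constructed policy: reading needs a department match or sufficient
    clearance; writing needs both, during business hours, from the corporate
    network. Any other action is denied."""
    same_dept = subject.department == resource.owner_department
    cleared = subject.clearance >= resource.classification
    if action == "read":
        return same_dept or cleared
    if action == "write":
        business_hours = 8 <= env.hour < 18
        return same_dept and cleared and business_hours and env.on_corporate_network
    return False


if __name__ == "__main__":
    print(rbac_allows("alice", "report:approve"))   # analyst cannot approve
    print(review_access("carol"))
    finance_report = Resource(owner_department="finance", classification=2)
    print(abac_allows(Subject("alice", "finance", 1), "write", finance_report,
                      Environment(hour=10, on_corporate_network=True)))
```

Note how the RBAC check never looks at the resource or the time of day: once a role is granted, the permission applies everywhere, which is why role definitions themselves have to be reviewed. The ABAC check can refuse the same user the same action depending on the hour or the network, at the cost of a policy that is harder to audit by reading a role table.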

5. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): IDS
monitors network or system activities for malicious activities or policy violations,
while IPS actively blocks potential threats based on the detection.
Detail: IDS monitors network and system activities for malicious activities or policy
violations, whereas IPS takes active measures to block potential threats.
Advantages: Enhances network security by detecting and preventing attacks, provides
insights into malicious activities, and helps in compliance with security policies.
Disadvantages: IDS can generate false positives and negatives, IPS might block legitimate
traffic if misconfigured, and both require significant management and updating.
Implementation Process: Define security requirements, select between host-based and
network-based systems, configure detection rules and responses, and continuously update and
monitor for new threats.
Types: Signature-based, anomaly-based, and stateful protocol analysis for IDS/IPS.

6. Data Loss Prevention (DLP): Technologies and practices that prevent unauthorized
users from accessing or sharing sensitive information. DLP solutions can monitor,
detect, and block sensitive data while in use (endpoint actions), in motion (network
traffic), and at rest (data storage).

Advantages: Provides a comprehensive view of an organization's information security,
enhancing the ability to detect and respond to incidents.
Disadvantages: Can be complex and resource-intensive to set up and manage. May generate a
large volume of alerts, including false positives.
Implementation Process: Define the scope and objectives, select a SIEM solution, integrate
log sources, configure rules and alerts, and regularly review and tune the system.
Types: Traditional SIEM and next-generation SIEM, with variations in scalability, real-time
analysis, and integration capabilities.

7. Security Information and Event Management (SIEM): Provides real-time analysis
of security alerts generated by applications and network hardware. It gathers,
analyzes, and presents information from network and security devices, identity and
access-management applications, vulnerability management and policy-compliance
tools, operating-system, database, and application logs, and external threat data.

Advantages of SIEM:
Real-time Visibility: SIEM provides real-time analysis of security alerts generated by
applications and network hardware, enabling immediate detection of potential security
incidents.
Improved Incident Detection and Response: By correlating events from different sources,
SIEM can identify complex threats that might not be detectable through individual logs,
improving the overall incident detection and response capabilities.
Compliance Management: Many SIEM solutions come with built-in features to help
organizations comply with industry regulations by generating reports that detail the
organization’s adherence to required security standards.
Enhanced Threat Hunting: SIEM systems allow security teams to proactively search through
historical data for indicators of compromise (IoCs) and other signs of advanced persistent
threats (APTs) or insider threats.
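The correlation described under "Improved Incident Detection and Response" is the core of what a SIEM does, so here is an added example (not code from the lecture notes or from any SIEM product) of the two steps involved: normalising events from differently formatted log sources into one schema, then running a correlation rule across all of them. The rule is a constructed one: several failed logins for a user from one address, followed by a successful login for the same pair within a time window. The host names, user names, addresses and log lines are all made up for the illustration.

```python
"""Minimal SIEM-style normalisation and correlation over two constructed log
sources. Added example; every log line, host and address is constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source 1: constructed sshd-style lines from a bastion host.
SSH_LOG = """\
2024-05-01T09:00:01 bastion sshd: Failed password for admin from 198.51.100.7
2024-05-01T09:00:04 bastion sshd: Failed password for admin from 198.51.100.7
2024-05-01T09:00:09 bastion sshd: Failed password for admin from 198.51.100.7
2024-05-01T09:00:15 bastion sshd: Accepted password for admin from 198.51.100.7
2024-05-01T11:30:00 bastion sshd: Failed password for root from 203.0.113.5
"""

# Source 2: constructed web-application audit lines in a different format.
WEB_LOG = """\
2024-05-01 09:01:10 | portal | LOGIN_FAIL | user=jsmith | src=192.0.2.44
2024-05-01 09:01:12 | portal | LOGIN_FAIL | user=jsmith | src=192.0.2.44
2024-05-01 09:01:14 | portal | LOGIN_FAIL | user=jsmith | src=192.0.2.44
2024-05-01 09:01:16 | portal | LOGIN_FAIL | user=jsmith | src=192.0.2.44
2024-05-01 09:45:00 | portal | LOGIN_OK   | user=jsmith | src=192.0.2.44
"""

SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r"^(\S+ \S+) \| (\S+) \| (LOGIN_FAIL|LOGIN_OK)\s*\| user=(\S+) \| src=(\S+)$")


def normalise(ssh_text: str, web_text: str) -> list:
    """Parse both sources into one schema: (time, host, outcome, user, src_ip),
    sorted by time so rules can walk them as a single stream."""
    events = []
    for line in ssh_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, host, result, user, ip = m.groups()
            outcome = "success" if result == "Accepted" else "failure"
            events.append((datetime.fromisoformat(ts), host, outcome, user, ip))
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts, host, result, user, ip = m.groups()
            outcome = "success" if result == "LOGIN_OK" else "failure"
            events.append((datetime.fromisoformat(ts), host, outcome, user, ip))
    return sorted(events)


def correlate(events, threshold=3, window=timedelta(minutes=5)) -> list:
    """Rule: at least `threshold` failures for the same (user, source IP), on any
    host, followed by a success for that pair while the failures are still
    inside `window`. Older failures are aged out so the rule does not fire on
    unrelated events hours apart."""
    recent = defaultdict(list)      # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, host, outcome, user, ip in events:
        key = (user, ip)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if outcome == "failure":
            recent[key].append(ts)
        elif len(recent[key]) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "host": host,
                           "user": user, "src": ip,
                           "failures": len(recent[key]), "at": ts.isoformat()})
            recent[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalise(SSH_LOG, WEB_LOG)):
        print(alert)
```

With the default five-minute window only the "admin" sequence on the bastion host fires; the "jsmith" failures on the portal are followed by a success 44 minutes later, so they age out first. Widening the window to an hour makes the rule fire for both, which is exactly the tuning trade-off the "Alert Fatigue" and "Tuning and Optimization" paragraphs describe: a wider window catches slower attempts but also raises more alerts on ordinary users who mistype a password and try again later.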
Disadvantages of SIEM:
Complexity: SIEM systems can be complex to configure and manage, requiring specialized
knowledge to ensure they are tuned correctly to minimize false positives and false negatives.
Resource-Intensive: The process of collecting, storing, and analyzing large volumes of data
demands significant computational resources and storage capacity.
High Cost: The cost of SIEM solutions, including hardware, software, and operational costs
(such as staff training and additional personnel), can be prohibitive for some organizations.
Alert Fatigue: The high volume of alerts generated by SIEM systems can overwhelm security
teams, potentially leading to important alerts being overlooked.
Implementation Process of SIEM:
Needs Assessment: Evaluate the organization's security needs, regulatory requirements, and
the specific IT environment to select a SIEM solution that best fits these criteria.
Solution Selection: Choose a SIEM solution based on the organization’s size, complexity,
budget, and specific security and compliance needs.
Deployment Planning: Plan the deployment, including deciding which log sources to include,
determining storage requirements, and establishing processes for incident response.
Configuration and Customization: Configure the SIEM system to collect logs from the
chosen sources, and customize the system to accurately reflect the organization’s
environment and to filter out irrelevant data.
Tuning and Optimization: Continuously tune the SIEM system to refine its accuracy in
detecting real threats while minimizing false positives and false negatives.
Training and Awareness: Train security personnel on the effective use of the SIEM system,
including how to analyze alerts and conduct investigations.
Types of SIEM:
Traditional SIEM: Focuses on log collection, management, and rule-based analysis. Best
suited for organizations with well-defined security processes and experienced security teams.
Next-Generation SIEM: Incorporates advanced analytics, machine learning, and threat
intelligence to improve detection of sophisticated threats. Designed for dynamic
environments and aimed at reducing false positives.
Cloud-based SIEM: Offers SIEM as a service, reducing the need for on-premises hardware
and specialized staff. Ideal for organizations looking for scalability and flexibility.
Hybrid SIEM: Combines on-premises and cloud-based features, offering flexibility for
organizations transitioning to the cloud or with specific compliance needs requiring on-
premises data retention.

8. Virtual Private Networks (VPN): A technology that creates a safe and encrypted
connection over a less secure network, such as the internet. VPNs are used to protect
privacy and secure data as it travels across the internet.
Advantages:
Enhances online privacy and security by encrypting internet traffic, making it difficult for
hackers to intercept data.
Allows remote access to secure network resources as if the user is directly connected to the
network, which is beneficial for remote workers.
Disadvantages:
The use of VPNs can potentially slow down internet speeds due to encryption overhead and
the distance data travels to the VPN server.
Free or low-quality VPN services might have security flaws or log user activity,
compromising privacy.
Implementation Process:
Determine the VPN needs (remote access vs. site-to-site, number of users, etc.).
Select a reputable VPN service provider or acquire VPN hardware/software for self-hosting.
Install VPN client software on devices or configure the network for VPN access.
Train users on how to connect to the VPN and educate them about security practices while
using it.
Types:
Remote Access VPN: Allows users to connect to a private network from anywhere.
Site-to-Site VPN: Connects entire networks to each other, often used for connecting branch
offices to a central office.
Client-based VPN vs. Browser-based VPN: Where clients require software installation,
browser-based provides VPN functionality within a web browser without additional software.

9. Patch Management: The process of managing updates for software applications and
technologies. Keeping software up to date is crucial in protecting against
vulnerabilities that could be exploited by hackers.
Advantages:
Keeps software and systems up to date, reducing the risk of exploitation by known
vulnerabilities.
Helps ensure compliance with regulatory standards that require up-to-date security measures.
Disadvantages:
Patches can sometimes introduce new issues or incompatibilities with existing systems or
software.
Requires a rigorous testing and deployment process to minimize disruptions.
Implementation Process:
Inventory all IT assets to understand what software and systems are in use and need to be
maintained.
Subscribe to vulnerability alerts and updates from software vendors.
Test patches in a controlled environment before wide deployment to prevent operational
issues.
Automate patch deployment when possible, using patch management tools to streamline the
process.
Monitor and report on patching status and compliance.
Types:
Operating System Patches: Updates for the underlying operating system, addressing security
vulnerabilities and functionality improvements.
Application Patches: Updates for specific applications, fixing security holes or adding
features.
Firmware Patches: Updates for hardware devices' firmware, improving security or
functionality.

10. Cybersecurity Training: Educating users and employees about the risks of cyber
threats and the best practices to mitigate these risks. This includes awareness about
phishing attacks, safe browsing habits, and the importance of using strong, unique
passwords.
Advantages:
Empowers employees to recognize and respond appropriately to cybersecurity threats,
significantly reducing the risk of successful attacks.
Promotes a culture of security awareness within the organization.
Disadvantages:
Requires ongoing effort and resources to keep training materials up to date and engaging.
Effectiveness can vary depending on the employee's engagement and the quality of the
training material.
Implementation Process:
Assess the specific cybersecurity risks and knowledge gaps within the organization.
Develop or procure training materials that are relevant to the organization's needs, including
policies, procedures, and threat awareness.
Deliver training through various methods such as online courses, in-person sessions, and
interactive workshops.
Regularly update training content to reflect the latest threats and best practices.
Test and evaluate employee knowledge and adjust training programs based on feedback and
assessments.
Types:
General Awareness Training: Broad training focused on common cybersecurity practices and
policies.
Role-based Training: Tailored training that addresses the specific risks and responsibilities
associated with particular roles within the organization.
Simulated Attack Training: Engages employees with mock phishing emails or other attack
simulations to practice recognizing and responding to threats.

Computer Virus

Definition

A computer virus is a piece of code implanted in a program and constructed with the
ability to self-replicate, affecting other programs on a computer. Much like a cold or flu in
humans, it can remain dormant within the system and become active when you least
expect it.
A virus has the potential to cause unexpected damage to the system, such as harming the
system software by corrupting or destroying data.

A computer virus is designed to spread from one host to another, so there are numerous
ways a user’s computer can catch one: through email attachments, downloaded files,
software installations, or unsecured links. These viruses can steal the user’s data such as
passwords, hijack their social media or online banking accounts, and also wipe out all the
saved data.

When a virus program is executed, it replicates itself by modifying other computer programs
and inserting its own code into them. This code infects a file or program, and if the infection
spreads widely enough it may ultimately crash the device. Certain indications can help you
recognise that a device is infected. Some of them are given below:

1. Once a virus is fully active on a user’s device, applications take longer to open and
the entire system becomes slower.
2. Too many pop-ups appearing on the screen while working is also an indication of a
virus attack on the system.
3. Files or applications may begin to open by themselves in the background of the
system without the user’s knowledge.
4. In case of a virus attack, the likelihood of accounts being hijacked increases, and the
user may even be logged out of all systems and applications.
5. In most cases, if the infection spreads widely, changes can be seen in files and
programs, and this may even lead to a system crash.

Types of Computer Virus


Discussed below are the different types of computer viruses:

 Boot Sector Virus – A type of virus that infects the boot sector of floppy disks or
the Master Boot Record (MBR) of hard disks. The boot sector holds the files required to
start the computer’s operating system. The virus either overwrites the existing program
or copies itself to another part of the disk.
 Direct Action Virus – A virus that attaches itself directly to a .exe or .com file and
enters the device when that file is executed is called a direct action virus. If it gets
installed in memory, it keeps itself hidden. It is also known as a non-resident virus.
 Resident Virus – A virus that saves itself in the computer’s memory and then
infects other files and programs even after its originating program has stopped running.
This virus can easily infect other files because it is hidden in memory and is hard
to remove from the system.
 Multipartite Virus – A virus that can attack both the boot sector and the
executable files of an already infected computer is called a multipartite virus. If a
multipartite virus attacks your system, you are at risk of a cyber threat.
 Overwrite Virus – One of the most harmful viruses, the overwrite virus can
completely remove the existing program and replace it with malicious code by
overwriting it. Gradually it can completely replace the host’s program code with
the harmful code.
 Polymorphic Virus – Spread through spam and infected websites, polymorphic
viruses are file infectors that are complex and tough to detect. They create a
modified or morphed version of the existing program, infect the system, and retain
the original code.
 File Infector Virus – As the name suggests, it first infects a single file and then later
spreads itself to other executable files and programs. The main sources of this virus are
games and word processors.
 Spacefiller Virus – A rare type of virus that fills the empty spaces of a file
with its code. It is also known as a cavity virus. It neither changes the size of the file
nor is easily detected.
 Macro Virus – A virus written in the same macro language used by the software
program; it infects the computer when an infected word processor file is opened. The main
source of such viruses is email.

How To Protect Your Computer from Virus?


The most suitable way of keeping your computer virus-free is to install anti-virus
software. Such software helps remove viruses from the device and can be installed on
a computer via two means:

 Online download
 Buying anti-virus software and installing it

Further below, we bring to you details as to what anti-virus is and what its different types
are, along with a few examples.

What are the different types of antivirus software?


There are several different types of antivirus software, including:

– Desktop antivirus: This type of antivirus software is installed on a computer and protects it
from viruses.

– Mobile antivirus: This type of antivirus software is installed on a mobile device and
protects it from viruses.

– Web antivirus: This type of antivirus software is installed on a web server and protects it
from viruses.

– Network antivirus: This type of antivirus software is installed on a network and protects it
from viruses.

What is an Anti-Virus?
An anti-virus is software comprising a program or set of programs that can detect
and remove harmful and malicious software from your device. Anti-virus software is
designed to search through the files on a computer and determine which files are heavily
or mildly infected by a virus.

Given below is a list of few of the major antivirus software which is most commonly used:

 Norton Antivirus
 F-Secure Antivirus
 Kaspersky Antivirus
 AVAST Antivirus
 Comodo Antivirus
 McAfee Antivirus
These are few of the many anti-virus software widely used to remove viruses from a device.

Firewalls

A firewall is a network security device, either hardware or software-based, which monitors
all incoming and outgoing traffic and, based on a defined set of security rules, accepts,
rejects, or drops that specific traffic.

 Accept: allow the traffic
 Reject: block the traffic but reply with an “unreachable error”
 Drop: block the traffic with no reply

A firewall is a type of network security device that filters incoming and outgoing network
traffic according to security policies that have previously been set up inside an organization.
At its most basic level, a firewall is essentially the wall that separates a private internal
network from the open Internet.
Types of Firewall
Firewalls can be categorized based on their generation.
1. Packet Filtering Firewall
A packet filtering firewall is used to control network access by monitoring outgoing and
incoming packets and allowing them to pass or stopping them based on source and destination IP
address, protocol, and ports. It analyses traffic at the transport layer (but mainly
uses the first three layers). Packet filters treat each packet in isolation. They have no ability to tell
whether a packet is part of an existing stream of traffic; they can only allow or deny packets
based on the individual packet headers. A packet filtering firewall maintains a filtering table that
decides whether the packet will be forwarded or discarded. From the given filtering table, the
packets will be filtered according to the following rules:

 Incoming packets from network 192.168.21.0 are blocked.
 Incoming packets destined for the internal TELNET server (port 23) are blocked.
 Incoming packets destined for host 192.168.21.3 are blocked.
 All well-known services to the network 192.168.21.0 are allowed.
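The filtering table above, written out as a working stateless filter. This is an added example, not code from the lecture notes or from any firewall product: the four rules are encoded in order as first-match-wins entries with the accept, reject and drop actions defined earlier, and anything that matches no rule is dropped by default. The packets and the 203.0.113.0/24 source address are constructed for the illustration; "well-known services" is taken to mean destination ports below 1024, and a packet that arrives from outside but claims an internal source address is treated as the case rule 1 blocks.

```python
"""Stateless packet filter implementing the four-rule filtering table.
Added example; packets and external addresses are constructed."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WELL_KNOWN_PORTS = range(0, 1024)   # assumption: "well-known services" = ports < 1024


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from outside, "out" = leaving the internal net
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept", "reject" or "drop"
    direction: str = "in"
    src_net: Optional[str] = None      # CIDR; None means any source
    dst_net: Optional[str] = None
    dst_host: Optional[str] = None
    dport: Optional[int] = None
    dport_range: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards.
        Each packet is judged on its own header, with no memory of earlier packets."""
        if p.direction != self.direction:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dst_host and p.dst != self.dst_host:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_range is not None and p.dport not in self.dport_range:
            return False
        return True


# The four rules of the filtering table, in order. First match wins; anything
# unmatched falls through to the default deny at the end of filter_packet().
RULES = [
    Rule("block packets claiming an internal source", "drop", src_net="192.168.21.0/24"),
    Rule("block telnet to the internal server", "reject", dport=23),
    Rule("block host 192.168.21.3", "drop", dst_host="192.168.21.3"),
    Rule("allow well-known services to the internal network", "accept",
         dst_net="192.168.21.0/24", dport_range=WELL_KNOWN_PORTS),
    Rule("allow outbound traffic", "accept", direction="out"),   # assumption, not in the table
]


def filter_packet(p: Packet, rules=RULES) -> tuple:
    """Return (action, rule_name, reply). Accept forwards the packet; reject blocks
    it and answers with an unreachable error; drop blocks it silently."""
    for rule in rules:
        if rule.matches(p):
            reply = "unreachable error" if rule.action == "reject" else None
            return (rule.action, rule.name, reply)
    return ("drop", "default deny", None)


if __name__ == "__main__":
    samples = [
        Packet("in", "192.168.21.5", "192.168.21.10", 80),    # rule 1
        Packet("in", "203.0.113.7", "192.168.21.10", 23),     # rule 2
        Packet("in", "203.0.113.7", "192.168.21.3", 80),      # rule 3
        Packet("in", "203.0.113.7", "192.168.21.10", 80),     # rule 4
        Packet("in", "203.0.113.7", "192.168.21.10", 8080),   # no rule: default deny
    ]
    for s in samples:
        print(s.dport, filter_packet(s))
```

Two things worth noticing when running it: the order of the rules matters (a telnet packet to 192.168.21.3 is rejected with a reply by rule 2 before rule 3 gets a chance to drop it silently), and a reply to an outbound connection on a high port is treated exactly like an unsolicited inbound packet, because a stateless filter has no way to tell them apart.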
2. Stateful Inspection Firewall
Stateful firewalls (which perform stateful packet inspection) are able to determine the
connection state of a packet, unlike packet filtering firewalls, which makes them more
effective. A stateful firewall keeps track of the state of network connections travelling
across it, such as TCP streams, so filtering decisions are based not only on the defined
rules but also on the packet’s history in the state table.
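To show what the state table adds, here is an added example (not from the lecture notes) of a minimal stateful inspection filter for TCP. An inside host opening a connection with a SYN creates an entry keyed by the connection's addresses and ports; inbound segments are accepted only when they belong to an entry that already exists, so return traffic on a high port is let through while an unsolicited inbound SYN to the same host is dropped, without a rule for each service. The addresses, ports and segments are constructed, and the state machine is deliberately reduced to SYN_SENT and ESTABLISHED with an immediate teardown on FIN or RST.

```python
"""Minimal stateful inspection filter for TCP. Added example; all addresses,
ports and segments are constructed and the TCP state machine is simplified."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.21.0/24")


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set      # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    def __init__(self):
        # (internal_ip, internal_port, external_ip, external_port) -> state
        self.table = {}

    def _key(self, seg: Segment):
        """Normalise the segment to a connection key plus its direction, so that
        both halves of a conversation map to the same table entry."""
        if ip_address(seg.src) in INTERNAL:
            return (seg.src, seg.sport, seg.dst, seg.dport), "out"
        return (seg.dst, seg.dport, seg.src, seg.sport), "in"

    def inspect(self, seg: Segment) -> str:
        key, direction = self._key(seg)
        state = self.table.get(key)

        if state is None:
            # Only an inside host may open a connection, and only with a bare SYN.
            # Anything else with no table entry is unsolicited or mid-stream: drop.
            if direction == "out" and seg.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "accept"
            return "drop"

        if state == "SYN_SENT":
            # The only valid inbound answer is the SYN-ACK (or a reset).
            if direction == "in" and seg.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "accept"
            if "RST" in seg.flags:
                del self.table[key]
                return "accept"
            return "drop"

        # ESTABLISHED: either side may send; FIN or RST tears the entry down.
        if seg.flags & {"FIN", "RST"}:
            del self.table[key]
        return "accept"


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed exchange: outside host probes SSH, inside host opens HTTPS.
    print(fw.inspect(Segment("203.0.113.7", 40000, "192.168.21.10", 22, {"SYN"})))       # drop
    print(fw.inspect(Segment("192.168.21.10", 51000, "203.0.113.7", 443, {"SYN"})))      # accept
    print(fw.inspect(Segment("203.0.113.7", 443, "192.168.21.10", 51000, {"SYN", "ACK"})))  # accept
    print(fw.table)
```

Contrast this with the stateless filter: there, the server's reply to port 51000 would have to be matched by a rule opening that port (or all high ports) to inbound traffic. Here no such rule exists, yet the reply is accepted because the state table remembers that the inside host asked for it, and a segment from the same server to a neighbouring port that nobody asked for is still dropped.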
3. Software Firewall
A software firewall is any firewall that is set up locally or on a cloud server. When it comes
to controlling the inflow and outflow of data packets and limiting the number of networks
that can be linked to a single device, they may be the most advantageous. But the problem
with software firewalls is that they are time-consuming to set up and maintain.
4. Hardware Firewall
They also go by the name “firewalls based on physical appliances.” They ensure that
malicious data is halted before it reaches the network endpoint that is in danger.
5. Application Layer Firewall
An application layer firewall can inspect and filter packets at any OSI layer, up to the
application layer. It has the ability to block specific content and to recognize when certain
applications and protocols (like HTTP, FTP) are being misused. In other words, application
layer firewalls are hosts that run proxy servers. A proxy firewall prevents any direct
connection between the two sides of the firewall; each packet has to pass through the proxy.
6. Next Generation Firewalls (NGFW)
NGFW consists of Deep Packet Inspection, Application Inspection, SSL/SSH inspection and
many functionalities to protect the network from these modern threats.
7. Proxy Service Firewall
This kind of firewall filters communications at the application layer, and protects the
network. A proxy firewall acts as a gateway between two networks for a particular
application.
8. Circuit Level Gateway Firewall
This works at the session layer of the OSI model. It allows for the simultaneous setup
of two Transmission Control Protocol (TCP) connections. It can effortlessly allow data
packets to flow without using a lot of computing power. These firewalls are ineffective
against payload-borne threats because they do not inspect data packets; if malware is carried in a
data packet, they will permit it to pass provided that the TCP connections are established properly.
Functions of Firewall
 Every piece of data that enters or leaves a computer network must go via the firewall.
 If the data packets are safely routed via the firewall, all of the important data remains
intact.
 A firewall logs each data packet that passes through it, enabling the user to keep track
of all network activities.
 Since the data is stored safely inside the data packets, it cannot be altered.
 Every attempt for access to our operating system is examined by our firewall, which
also blocks traffic from unidentified or undesired sources.
Advantages of using Firewall
 Protection from unauthorized access: Firewalls can be set up to restrict incoming
traffic from particular IP addresses or networks, preventing hackers or other malicious
actors from easily accessing a network or system.
 Prevention of malware and other threats: Firewalls can be set up to block traffic
linked to known malware or other security concerns, assisting in the defense against
these kinds of attacks.
 Control of network access: By limiting access to specified individuals or groups for
particular servers or applications, firewalls can be used to restrict access to particular
network resources or services.
 Monitoring of network activity: Firewalls can be set up to record and keep track of all
network activity.
 Regulation compliance: Many industries are bound by rules that demand the usage of
firewalls or other security measures.
 Network segmentation: By using firewalls to split up a bigger network into smaller
subnets, the attack surface is reduced and the security level is raised.
Disadvantages of using Firewall
 Complexity: Setting up and keeping up a firewall can be time-consuming and difficult,
especially for bigger networks or companies with a wide variety of users and devices.
 Limited Visibility: Firewalls may not be able to identify or stop security risks that
operate at other levels, such as the application or endpoint level, because they can only
observe and manage traffic at the network level.
 False sense of security: Some businesses may place an excessive amount of reliance on
their firewall and disregard other crucial security measures like endpoint security or
intrusion detection systems.
 Limited adaptability: Because firewalls are frequently rule-based, they might not be
able to respond to fresh security threats.
 Performance impact: Network performance can be significantly impacted by firewalls,
particularly if they are set up to analyze or manage a lot of traffic.
 Limited scalability: Because firewalls are only able to secure one network, businesses
that have several networks must deploy many firewalls, which can be expensive.
 Limited VPN support: Some firewalls might not allow complex VPN features like
split tunneling, which could restrict the experience of a remote worker.
 Cost: Purchasing many devices or add-on features for a firewall system can be
expensive, especially for businesses.

For example, the image depicted below shows how a firewall allows good traffic to pass to
the user’s private network.
Fig: Firewall allowing Good Traffic

However, in the example below, the firewall blocks malicious traffic from entering the
private network, thereby protecting the user’s network from being susceptible to a
cyberattack.

Fig: Firewall blocking Bad Traffic

This way, a firewall carries out quick assessments to detect malware and other suspicious
activities.

Difference Between a Firewall and Antivirus


Firewall

 A firewall is essential software or firmware in network security that is used to prevent
unauthorized access to a network.
 It is used to inspect incoming and outgoing traffic with the help of a set of rules to
identify and block threats, and it can be implemented in software or hardware form.
 Firewalls can be used in both personal and enterprise settings, and many devices come
with one built-in, including Mac, Windows, and Linux computers.

Antivirus

 Antivirus is also an essential component of network security. It is basically an application
or software used to provide protection from malicious software coming from the internet.
 Antivirus operation is based on three main actions: detection, identification, and
removal of threats.
 Antivirus is implemented only in software and can deal with external threats as well as
internal threats.

Limitations of a Firewall

 Firewalls cannot stop users from accessing data or downloading content from malicious
websites that the rules permit (for example, anything over HTTPS), so the network remains
exposed to threats that enter through allowed channels.

 They do not protect against the transfer of virus-infected files or software if the security
rules are misconfigured, and they offer no protection against non-technical security risks
such as social engineering.

 They do not prevent misuse of valid passwords, and they do not see attackers who bypass
the perimeter entirely, for example by dialing in to or out of the internal network with a
modem or, today, through an unmanaged remote-access link.
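
An added example (not part of these notes) of the rule-based decision a stateless packet
filter makes: an ordered allow/deny rule set with first-match semantics and an implicit
default deny, evaluated over a handful of constructed packets. The addresses, the
10.0.0.0/24 network and the bastion host at 10.0.0.10 are hypothetical. The first packet
illustrates the limitation above: a connection to a malicious website over an allowed port is
passed without any look at its content. The rule-order check at the end shows why firewall
configuration is error-prone: swapping two rules silently lets the blocked host through.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 where the protocol has none)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First-match semantics: the first rule that matches decides the verdict.
    If nothing matches, fall through to an implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


# Constructed policy for a hypothetical internal network 10.0.0.0/24 with a
# bastion host at 10.0.0.10. Order matters: the block rule must come before
# the broad "HTTPS out" rule or it would never be reached.
RULES = [
    Rule("deny", src="10.0.0.0/24", dst="198.51.100.7/32", comment="block known-bad host"),
    Rule("allow", src="10.0.0.0/24", proto="tcp", dport=443, comment="HTTPS out"),
    Rule("allow", src="10.0.0.0/24", proto="udp", dport=53, comment="DNS out"),
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=22, comment="SSH to bastion"),
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", "tcp", 443),    # HTTPS out, content never inspected: allowed
    Packet("10.0.0.5", "198.51.100.7", "tcp", 443),   # HTTPS to the blocked host: denied by rule 1
    Packet("203.0.113.9", "10.0.0.5", "tcp", 445),    # inbound SMB: no rule matches -> default deny
    Packet("203.0.113.9", "10.0.0.10", "tcp", 22),    # inbound SSH to the bastion: allowed
    Packet("10.0.0.5", "203.0.113.9", "tcp", 8443),   # non-standard port: default deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = evaluate(RULES, pkt)
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} {verdict:5} ({why})")
```

Real firewalls add connection tracking on top of this (so that replies to an allowed
outbound connection are admitted without a separate inbound rule), but the allow/deny
logic and the default-deny fallback are the same.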

Antispyware

Spyware is malicious software that enters a user’s computer, gathers data from the device
and user, and sends it to third parties without their consent. A commonly accepted definition
of spyware is a strain of malware designed to access a device and harvest data from it without
the user’s consent.
Spyware collects personal and sensitive information that it sends to advertisers, data
collection firms, or malicious actors for a profit. Attackers use it to track, steal, and sell user
data, such as internet usage, credit card, and bank account details, or steal user credentials to
spoof their identities.

Spyware is one of the most commonly used cyberattack methods that can be difficult for
users and businesses to identify and can do serious harm to networks. It also leaves
businesses vulnerable to data breaches and data misuse, often affects device and network
performance, and slows down user activity.

The term "spyware" first emerged in online discussions in the 1990s, but only in the early
2000s did cybersecurity firms use it to describe unwanted software that spied on their user
and computer activity. The first anti-spyware software was released in June 2000, then four
years later, scans showed that around 80% of internet users had their systems affected by
spyware, according to research by America Online and the National Cyber Security Alliance.
However, 89% of users were unaware of the spyware’s existence and 95% had not granted
permission for it to be installed.

Types of Spyware

Attackers use various types of spyware to infect users’ computers and devices. Each spyware
variety gathers data for the attacker; the simpler types only monitor and send data to a third
party, while the more advanced and dangerous types also modify the user’s system, exposing
it to further threats.

Some of the most commonly used types of spyware include:

1. Adware: This sits on a device and monitors users’ activity then sells their data to advertisers
and malicious actors or serves up malicious ads.
2. Infostealer: This is a type of spyware that collects information from devices. It scans them for
specific data and instant messaging conversations.
3. Keyloggers: Also known as keystroke loggers, keyloggers are a type of infostealer spyware.
They record the keystrokes that a user makes on the infected device and save them to a hidden,
often encrypted, log file for later exfiltration. This method captures everything the user types,
such as email contents, passwords, text messages, and usernames.
4. Rootkits: These enable attackers to deeply infiltrate devices by exploiting security
vulnerabilities or logging into machines as an administrator, and then hide their own files and
processes from the operating system. Rootkits are therefore difficult, and from inside the
compromised system sometimes impossible, to detect.
5. Red Shell: This spyware installs itself onto a device while a user is installing specific PC
games, then tracks their online activity. It is generally used by developers to enhance their
games and improve their marketing campaigns.
6. System monitors: These also track user activity on their computer, capturing information like
emails sent, social media and other sites visited, and keystrokes.
7. Tracking cookies: Tracking cookies are dropped onto a device by a website and then used to
follow the user’s online activity.
8. Trojan Horse: This brand of spyware enters a device through Trojan malware, a program that
poses as legitimate software and delivers the spyware once run (a Trojan is not a virus: it does
not replicate itself).

Most spyware targets Windows computers and laptops, but attackers are increasingly
targeting other forms of devices.

1. Apple device spyware: Malware targeting Apple devices, particularly Mac computers, has
increased rapidly in the last few years. Mac spyware is similar in behavior to spyware targeting
Windows operating systems but is typically of the password-stealing or backdoor type. Attackers
frequently use it for keylogging, password phishing, remote code execution, and screen captures.
2. Mobile spyware: Spyware targeting mobile devices steals data such as call logs, browser
history, contact lists, photos, and short message service (SMS) messages. Certain types will
log user keystrokes, record using the device’s microphone, take photos, and track location
using Global Positioning System (GPS) trackers. Others take control of devices through
commands sent from SMS messages, data transfers, and remote servers. Hackers can also use
mobile spyware to breach an organization through mobile device vulnerabilities, which may
not be detected by the security team.

What Does Spyware Do?

All types of spyware sit on a user’s device and spy on their activity, the sites they visit, and
the data they amass or share. They do this with the objective of monitoring user activity,
tracking login and password details, and detecting sensitive data.

Other spyware strands are also capable of installing further software on the user’s device,
which enables the attacker to make changes to the device. But spyware typically follows a
three-step process from being installed on a device to sending or selling the information it has
stolen.

1. Step 1—Infiltrate: Spyware is installed on a device through an application installation
package, a malicious website, or a file attachment.
2. Step 2—Monitor and capture: Once installed, the spyware follows the user around the
internet, capturing the data they use and stealing their credentials, login information, and
passwords. It does this through screen captures, keylogging, and tracking code.
3. Step 3—Send or sell: With data and information captured, the attacker will either use the data
amassed or sell it to a third party. If they use the data, they could take the user credentials to
spoof their identity or use them as part of a larger cyberattack on a business. If they sell, they
could use the data for a profit with data organizations, other hackers, or put it on the dark
web.

Through this process, the attacker can collect and sell highly sensitive information, such as
the user’s email addresses and passwords, internet usage information and browsing habits,
financial details, and account personal identification number (PIN) codes.

How Spyware Attacks Your System


Attackers carefully disguise spyware to infiltrate and infect devices without being discovered.
They do this by obscuring the malicious files within regular downloads and websites, which
encourages users to open them, often without realizing it. The malware will sit alongside
trusted programs and websites through code vulnerabilities or in custom-made fraudulent
applications and websites.

One common method for delivering spyware is bundleware. This is a bundle of software
packages that attaches itself to other programs that a user downloaded or installed. As a
result, it will install without the user knowing about it. Other bundleware packages force the
user to agree to download a full software bundle, with no idea that they have voluntarily
infected their device. Spyware can also infiltrate a computer through the same routes as other
forms of malware, such as compromised or spoofed websites and malicious email
attachments.

Mobile spyware typically attacks mobile devices through three methods:


1. Flaws in operating systems: Attackers exploit vulnerabilities in mobile operating systems,
typically on devices that have not yet received the security update that fixes them.
2. Malicious applications: These typically masquerade as legitimate applications, often
sideloaded from websites rather than installed from the official app stores.
3. Unsecured free Wi-Fi networks: Wi-Fi networks in public places like airports and cafes are
often free and simple to sign in to, which makes them a security risk. An attacker on the same
network can observe or tamper with any traffic that is not encrypted end to end.

Problems Caused by Spyware

The effects of spyware are wide-ranging. Some could go unseen, with users not knowing they
have been affected for months or even years. Others might just cause an inconvenience that
users may not realize is the result of being hacked. Some forms of spyware are capable of
causing reputational and financial damage.

Common problems that spyware can result in include:

1. Data theft: One of the most common problems caused by spyware is data theft. Spyware is
used to steal users’ personal data, which can then be sold to third-party organizations,
malicious actors, or hacking groups.
2. Identity fraud: If spyware harvests enough data, then it can be used for identity fraud. This
sees the attacker amass data like browsing history, login credentials for email accounts,
online banking, social networks, and other websites to spoof or imitate the user’s identity.
3. Device damage: Some spyware will be poorly designed, which ends up having a negative
effect on the computer it attaches itself to. This can end up draining system performance and
eating up huge amounts of internet bandwidth, memory, and processing power. Even worse,
spyware can cause operating systems to crash, disable internet security software, and make
computers overheat, which can cause permanent damage to the computer.
4. Browsing disruption: Some spyware can take control of the user’s search engine to serve up
harmful, fraudulent, or unwanted websites. They can also change homepages and alter
computer settings, as well as repeatedly push pop-up ads.

How do I Get Spyware?

Spyware can increasingly affect any device, from computers and laptops to mobile phones
and tablets. Devices that run Windows operating systems are typically the most susceptible to
an attack, but cyber criminals are increasingly devising methods that afflict Apple and mobile
devices.

Some of the most prominent causes of spyware infiltrating a device or system include:
1. Misleading marketing: Spyware authors will often disguise their malicious software as a
legitimate tool, such as a hard disk cleaner, download manager, or new web browser.
2. Phishing or spoofing: Phishing occurs when an attacker encourages a recipient to click on a
malicious link or attachment in an email, then steals their credentials. They often use spoofed
websites that appear to be a legitimate site that steal users’ passwords and personal
information.
3. Security vulnerabilities: Attackers often target code and hardware vulnerabilities to gain
unauthorized access to devices and systems and plant their spyware.
4. Software bundles: Bundleware sees users unknowingly install spyware within a bundle of
software they believe to be legitimate.
5. Trojans: A Trojan is a type of malware that pretends to be another piece of software. Cyber
criminals use Trojans as a method for delivering malware strains, such as spyware,
cryptojackers, and viruses, onto devices.

A device can also become infected with spyware as a result of a user’s actions, such as:

 Accepting cookie consent requests from insecure websites
 Accepting pop-ups from untrusted sites
 Clicking on malicious links
 Opening malicious attachments
 Downloading games, movies, or music from pirated or spoofed websites
 Downloading malicious mobile apps

How to Tell if You Have Spyware
Despite spyware being designed to go undetected, there are several telltale signs that could be
indicators of a device being infiltrated. These include:

1. Negative hardware performance, such as:

 A device running slower than usual
 Devices suffering frequent crashes and freezes

2. A drop in application or browser performance, such as:

 Pop-up ads repeatedly appearing in browsers
 Unusual error messages
 Unexpected browser changes
 New icons appearing in the taskbar
 Browser searches redirecting to new search engines

Note that these symptoms are also indicative of the presence of other malware, not just
spyware, so it is important to dig deeper into issues and scan devices to discover the root of
the problem.

Spyware Removal

If a device is showing signs of spyware, then it is important to get the device and any
connected systems cleaned up and protected again. The removal of spyware is possible
through solutions that can identify and remove malicious files.

The first step in removing spyware is to ensure the system is cleared of infection. This will
prevent new password changes and future logins from also being stolen. It is also important
to purchase robust cybersecurity software that offers comprehensive spyware removal, deep
cleans devices affected by spyware, and repairs any files or systems that may have been
infected.

With the system cleaned up, financial services need to be advised that potentially fraudulent
activity has occurred that could affect bank accounts and credit cards. If the spyware has
affected an organization, the incident may need to be reported to regulators and, where a crime
has occurred, to the appropriate law enforcement agency, as breach-notification law requires.

Spyware Protection

Spyware and other malicious attack methods are a constant threat to any device connected to
the internet. Therefore, the first line of defense against spyware is to deploy an internet
security solution that includes proactive anti-malware and antivirus detection. In addition,
tools like antispam filters, cloud-based detection, and virtual encrypted keyboards are useful
to eliminate potentially malicious risks.

Some spyware types are also able to install software and modify the settings on a user’s
device. This means it is also vital for users to choose strong passwords, not reuse their
credentials across multiple applications and websites, use multi-factor authentication (MFA)
to protect their identity, and keep their devices updated.

In addition to software, there are several steps that can be taken to protect devices and
systems:

1. Cookie consent: It can be easy for users to simply click "accept" on the cookie consent pop-
ups that appear on nearly every website they visit. However, they need to be careful about
issuing their consent every time and only accept cookies from websites they trust.
2. Browser extensions: Users can also install anti-tracking extensions that prevent the relentless
online tracking of their activity on web browsers. These extensions can block activity
tracking by both reputable sources and malicious actors, keeping users’ data private when
they access the internet.
3. Security updates: Updating software with the latest versions is vital to preventing spyware
and other types of malware. Spyware typically makes its way onto devices through gaps in
code or vulnerabilities in operating systems. So it is important to constantly patch potential
issues and fix vulnerabilities immediately.
4. Avoid free software: It can be appealing to download free software, but doing so can have
costly ramifications for users and their organizations. The free software may be insecure and
the creator can make a profit from users’ data.
5. Use secure networks: Unsecured Wi-Fi networks are an easy resource for hackers to breach
devices. Avoid using free Wi-Fi networks, and only connect to trusted, secure networks.
6. Best practice and behavior: Practicing good cybersecurity behavior is crucial to avoiding
spyware. All users need to be aware of the security risks they face, avoid opening emails or
downloading files from people they do not know, and make it a habit to hover over links to
check if they are reputable before clicking on them.

Computer and laptop users can follow steps to keep their devices secure. These include
enabling pop-up blockers on their desktops and limiting allowed applications and
permissions. All users should also treat links and attachments with suspicion in every email,
even those purporting to be from trusted senders, and verify unexpected requests through
another channel, as email is a prime delivery method for spyware and other malicious attacks.

IDS

An Intrusion Detection System (IDS) monitors network traffic or host activity, looks for
unusual or malicious behaviour, and sends alerts when it occurs. The main duties of an IDS
are anomaly detection and reporting; some systems can additionally take action when
malicious activity or unusual traffic is discovered.
What is an Intrusion Detection System?
An intrusion detection system (IDS) observes network traffic for malicious transactions and
sends immediate alerts when they are observed. It is software (or an appliance) that checks a
network or system for malicious activities or policy violations. Each illegal activity or
violation is typically recorded centrally in a SIEM system or reported to an administrator.
An IDS monitors a network or system for malicious activity and helps protect a computer
network from unauthorized access, including by insiders. Seen as a learning task, the
intrusion detector builds a predictive model (a classifier) capable of distinguishing between
‘bad connections’ (intrusions/attacks) and ‘good (normal) connections’.
Working of Intrusion Detection System(IDS)
 An IDS (Intrusion Detection System) monitors the traffic on a computer network to
detect any suspicious activity.
 It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
 The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
 If the IDS detects something that matches one of these rules or patterns, it sends an alert
to the system administrator.
 The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.
Classification of Intrusion Detection System(IDS)
Intrusion Detection Systems are classified into five types:
 Network Intrusion Detection System (NIDS): Network intrusion detection systems
(NIDS) are set up at a planned point within the network to examine traffic from all
devices on the network. A NIDS observes the traffic passing on the entire subnet and
matches it against a collection of known attacks. Once an attack is identified or
abnormal behavior is observed, an alert can be sent to the administrator. A common
NIDS deployment is on the subnet where the firewalls sit, to see whether someone is
trying to get through or around the firewall.
 Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS)
run on individual hosts or devices on the network. A HIDS monitors the incoming
and outgoing packets of that device only and alerts the administrator if suspicious
or malicious activity is detected. It also takes a snapshot of the existing system files
and compares it with the previous snapshot; if critical system files were edited or
deleted, an alert is sent to the administrator to investigate. HIDS is typically used on
mission-critical machines whose configuration is not expected to change.
 Protocol-based Intrusion Detection System (PIDS): A protocol-based intrusion
detection system (PIDS) is a system or agent that resides at the front end of a server,
monitoring and interpreting the protocol spoken between a user/device and the server.
Its typical use is to protect a web server by inspecting HTTP requests and responses
and checking that they conform to the protocol. Because HTTPS is encrypted on the
wire, such a system must sit where the traffic is visible in the clear, that is, at the point
where TLS is terminated on the server, before the request reaches the web application.
 Application Protocol-based Intrusion Detection System (APIDS): An application
Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies the intrusions by monitoring and
interpreting the communication on application-specific protocols. For example, this
would monitor the SQL protocol explicitly to the middleware as it transacts with the
database in the web server.
 Hybrid Intrusion Detection System: A hybrid intrusion detection system combines
two or more approaches to intrusion detection. In a hybrid system, host agent or
system data is combined with network information to develop a complete view of the
network. A hybrid system can be more effective than any single approach, because host
and network evidence corroborate each other. Prelude is an example of a Hybrid IDS.
Intrusion Detection System Evasion Techniques
 Fragmentation: Dividing a packet into smaller packets, called fragments, is known as
fragmentation. A signature that spans two fragments does not appear whole in any one of
them, so an IDS that inspects fragments individually misses it; the defence is to
reassemble fragments (and TCP segments) before matching.
 Packet Encoding: Encoding payloads using methods like Base64, hexadecimal or URL
percent-encoding can hide malicious content from a signature-based IDS that does not
normalise the data before matching.
 Traffic Obfuscation: By making a message more complicated to interpret, obfuscation
can be used to hide an attack and avoid detection.
 Encryption: Encryption provides security features such as data integrity, confidentiality
and privacy. Unfortunately, the same features are used by malware developers to hide
attacks and avoid detection; an IDS can only inspect encrypted traffic where it is given
the decrypted stream, for example after TLS termination.
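
An added example (not from these notes) showing the fragmentation and encoding evasions
listed above against a naive per-packet, byte-for-byte signature matcher, together with the
two countermeasures a stream-aware IDS applies: reassembly before matching, and
canonicalisation (percent-decoding and base64-decoding) before matching. The signature
`/bin/sh`, the CGI request and the packet sizes are constructed; the base64-token heuristic
is a deliberate simplification of what real protocol normalisers do.

```python
from __future__ import annotations

import base64
import re
import urllib.parse

# Hypothetical content signature: a shell interpreter named in a CGI request.
SIG = b"/bin/sh"

# Constructed attack request in the clear, plus two encoded variants.
PLAIN = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"
URL_ENCODED = b"GET /cgi-bin/x?cmd=%2Fbin%2Fsh HTTP/1.0\r\n"
BASE64 = b"GET /cgi-bin/x?cmd=" + base64.b64encode(SIG) + b" HTTP/1.0\r\n"


def fragment(payload: bytes, size: int) -> list[bytes]:
    """Split a payload into fixed-size pieces, standing in for IP fragments
    or small TCP segments on the wire."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def normalize(data: bytes) -> bytes:
    """Canonicalise before matching: percent-decode, then replace any token
    that decodes cleanly as base64 with its decoded bytes."""
    out = urllib.parse.unquote_to_bytes(data)
    for token in re.findall(rb"[A-Za-z0-9+/]{8,}={0,2}", out):
        try:
            out = out.replace(token, base64.b64decode(token, validate=True))
        except ValueError:        # not valid base64 after all; leave it alone
            pass
    return out


def detect(packets: list[bytes], reassemble: bool = False, canonicalise: bool = False) -> bool:
    """Naive mode (both flags off) matches each packet on its own, byte for byte.
    reassemble=True joins the stream first; canonicalise=True normalises encodings."""
    streams = [b"".join(packets)] if reassemble else list(packets)
    if canonicalise:
        streams = [normalize(s) for s in streams]
    return any(SIG in s for s in streams)


if __name__ == "__main__":
    cases = {
        "plain": [PLAIN],
        "fragmented": fragment(PLAIN, 4),   # 4-byte pieces: the 7-byte signature never fits in one
        "url-encoded": [URL_ENCODED],
        "base64": [BASE64],
    }
    for name, pkts in cases.items():
        print(f"{name:12} naive={detect(pkts)!s:5} "
              f"hardened={detect(pkts, reassemble=True, canonicalise=True)}")
```

The normaliser here decodes any long base64-looking token wherever it appears, which a
real IDS would not do: it decodes only where the protocol says an encoding applies (a
percent-encoded URL, a base64 MIME part), because indiscriminate decoding turns session
identifiers and similar tokens into garbage and produces false positives. Encryption, the last
evasion in the list, is not addressed by normalisation at all; the IDS must be handed the
decrypted stream.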
Benefits of IDS
 Detects malicious activity: IDS can detect any suspicious activities and alert the
system administrator before any significant damage is done.
 Surfaces network problems: While monitoring traffic, an IDS can expose misconfigured
or noisy hosts, which can then be addressed to improve network performance.
 Compliance requirements: IDS can help in meeting compliance requirements by
monitoring network activity and generating reports.
 Provides insights: IDS generates valuable insights into network traffic, which can be
used to identify any weaknesses and improve network security.
Detection Method of IDS
 Signature-based Method: A signature-based IDS detects attacks on the basis of
specific patterns in network traffic, such as a particular byte sequence, header
combination or known malicious instruction sequence used by malware. The patterns
the IDS looks for are called signatures. A signature-based IDS can easily detect attacks
whose signature already exists in its database, but it cannot detect new attacks whose
pattern (signature) is not yet known.
 Anomaly-based Method: Anomaly-based IDS was introduced to detect unknown
attacks, as new malware is developed rapidly. An anomaly-based IDS uses statistics or
machine learning to build a model of trusted (normal) activity; incoming activity is
compared with that model and declared suspicious if it deviates from it. The machine
learning-based method generalises better than a signature-based IDS, as the models can
be trained to the specific applications and hardware configuration, at the price of false
positives when legitimate but unusual behaviour occurs.
Comparison of IDS with Firewalls
IDS and firewall are both related to network security, but an IDS differs from a firewall in
purpose: a firewall looks outward for intrusions in order to stop them from happening,
restricting access between networks to prevent intrusion, and it does not raise a signal when
an attack originates inside the network. An IDS describes a suspected intrusion once it has
happened and then signals an alarm.
Placement of IDS
 The most common position for an IDS is behind the firewall, although this varies with
the network. The ‘behind-the-firewall’ placement gives the IDS high visibility of incoming
network traffic, though it will not see traffic between users inside the network. The
network edge is also the point at which the network connects to the extranet.
 Where the IDS is positioned outside the firewall, its purpose is to see the noise from the
internet and attacks such as port scans and network mapping. An IDS in this position
monitors layers 4 through 7 of the OSI model and typically uses signature-based
detection. Rather than showing only the breaches that made it through the firewall, it
shows attempted breaches, which gives early warning of reconnaissance and shortens the
time needed to discover successful attacks against the network, at the cost of a much
noisier alert stream that has to be tuned.
 An advanced IDS integrated with a firewall can be used to intercept complex attacks
entering the network. Features of such systems include multiple security contexts at the
routing level and bridging mode, which in turn can reduce cost and operational
complexity.
 Another choice for IDS placement is within the network. This reveals attacks or
suspicious activity inside the network. Neglecting security inside a network is
detrimental, as it allows users to introduce risk, or an attacker who has already broken
in to roam around freely.

Intrusion Detection Systems vs. Intrusion Prevention Systems


The following table summarizes the differences between IPS and IDS deployment.

                          Intrusion Prevention System (IPS)        Intrusion Detection System (IDS)
Placement in network      Part of the direct line of               Outside the direct line of
infrastructure            communication (inline)                   communication (out-of-band)
System type               Active (monitor and automatically        Passive (monitor and notify)
                          defend) and/or passive
Detection mechanisms      1. Statistical anomaly-based detection   1. Signature detection:
                          2. Signature detection:                     - Exploit-facing signatures
                             - Exploit-facing signatures
                             - Vulnerability-facing signatures

The detection-mechanism row reflects how the products are commonly positioned; as described
above, anomaly-based detection is used in IDS products as well.

Diagram depicting the difference between an IPS and an IDS

How IDS Works


Diagram depicting the functionality of an intrusion detection system

An IDS only needs to detect potential threats. It is placed out of band on the network
infrastructure. Consequently, it is not in the real-time communication path between the sender
and receiver of information.

IDS solutions often take advantage of a TAP or SPAN port to analyze a copy of the inline
traffic stream. This ensures that the IDS does not impact inline network performance.

When IDS technology was first developed, the depth of analysis needed to detect an intrusion
could not be performed fast enough to keep pace with the components on the direct
communication path, which is why the IDS was placed out of band rather than inline.

Network intrusion detection systems are used to detect suspicious activity and catch attackers
before damage is done to the network. There are network-based and host-based intrusion
detection systems: host-based IDSes are installed on individual hosts (servers and endpoints);
network-based IDSes sit on the network itself.

An IDS works by looking for deviations from normal activity and known attack signatures.
Anomalous patterns are sent up the stack and examined at protocol and application layers. It
can detect events like DNS poisonings, malformed information packets and Christmas tree
scans.

An IDS can be implemented as a network security device or a software application. To
protect data and systems in cloud environments, cloud-based IDSes are also available.
Types of IDS Detection

There are five types of IDS: network-based, host-based, protocol-based, application protocol-
based and hybrid.

The two most common types of IDS are:

1. Network-based intrusion detection system (NIDS)


A network IDS monitors a complete protected network. It is deployed across the
infrastructure at strategic points, such as the most vulnerable subnets. The NIDS monitors all
traffic flowing to and from devices on the network, making determinations based on packet
contents and metadata.
2. Host-based intrusion detection system (HIDS)
A host-based IDS monitors the computer infrastructure on which it is installed. In other
words, it is deployed on a specific endpoint to protect it against internal and external threats.
The IDS accomplishes this by analyzing traffic, logging malicious activity and notifying
designated authorities.
The remaining three types can be described as such:

3. Protocol-based (PIDS)
A protocol-based intrusion detection system is usually installed on a web server. It monitors
and analyzes the protocol between a user/device and the server. A PIDS normally sits at the
front end of a server and monitors the behavior and state of the protocol.
4. Application protocol-based (APIDS)
An APIDS is a system or agent that usually sits inside a group of servers. It tracks and interprets
correspondence on application-specific protocols. For example, it would monitor the SQL
protocol between the web application’s middleware and the database as they transact.
5. Hybrid intrusion detection system
A hybrid intrusion detection system combines two or more intrusion detection approaches.
Using this system, system or host agent data combined with network information for a
comprehensive view of the system. The hybrid intrusion detection system is more powerful
compared to other systems. One example of Hybrid IDS is Prelude.
There is also a subgroup of IDS detection methods, the two most common variants being:

1. Signature-based
A signature-based IDS monitors inbound network traffic, looking for specific patterns and
sequences that match known attack signatures. While it is effective for this purpose, it is
incapable of detecting unidentified attacks with no known patterns.
2. Anomaly-based
The anomaly-based IDS is a relatively newer technology designed to detect unknown attacks,
going beyond the identification of attack signatures. This type of detection instead uses
machine learning to analyze large amounts of network data and traffic.

Anomaly-based IDS creates a defined model of normal activity and uses it to identify
anomalous behavior. However, it is prone to false positives. For example, if a machine
demonstrates rare, but healthy behavior, it is identified as an anomaly. This results in a false
alarm.
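
An added example (not from these notes) that runs both detection methods described here and
in the earlier ‘Detection Method of IDS’ list over constructed connection records. Signature
detection matches three made-up content signatures against payloads; anomaly detection learns
how many distinct destination ports a source normally contacts from a clean training window
and flags sources in the detection window that exceed the mean plus three standard deviations.
The addresses, ports and payloads are constructed. The port-scanning host 10.0.0.99 is flagged,
but so is 10.0.0.50, a legitimate IT vulnerability scanner, which is exactly the false alarm the
paragraph above warns of.

```python
from __future__ import annotations

import re
import statistics
from collections import defaultdict

# Constructed content signatures in the spirit of a NIDS rule set (not taken
# from any real product): name -> byte pattern sought in the payload.
SIGNATURES = [
    ("sql-injection-union", re.compile(rb"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("shellshock", re.compile(rb"\(\)\s*\{\s*:;\s*\};")),
]


def signature_scan(flows):
    """Signature method: return (source, signature name) for every flow whose
    payload contains a known pattern. Attacks with no signature produce nothing."""
    alerts = []
    for src, _dst, _dport, payload in flows:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def distinct_ports_per_source(flows):
    """Feature used by the anomaly model: how many different destination
    ports each source contacted in the window."""
    ports = defaultdict(set)
    for src, _dst, dport, _payload in flows:
        ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}


def anomaly_scan(training, flows, k=3.0):
    """Anomaly method: learn 'normal' from a clean training window, then flag
    sources in the new window whose feature exceeds mean + k * stdev.
    Returns {source: observed count} for the flagged sources."""
    baseline = list(distinct_ports_per_source(training).values())
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    observed = distinct_ports_per_source(flows)
    return {src: n for src, n in observed.items() if n > threshold}


def _flows(src, ports, payload=b""):
    """Build constructed flow records (src, dst, dport, payload) to one server."""
    return [(src, "10.0.1.5", port, payload) for port in ports]


# Training window: eight workstations, each using one to three services.
TRAINING = [
    flow
    for i, ports in enumerate([(80, 443), (80, 443, 445), (443, 445), (80, 443, 22),
                               (443,), (80, 443), (22, 443, 80), (80, 443)], start=1)
    for flow in _flows(f"10.0.0.{i}", ports)
]

# Detection window: normal browsing, two attacks with known signatures, a
# port scan, and a legitimate vulnerability scan run by the IT team.
CURRENT = (
    _flows("10.0.0.1", (80, 443), b"GET /index.html HTTP/1.1\r\n")
    + _flows("10.0.0.2", (80,), b"GET /search?q=1' UNION SELECT password FROM users-- HTTP/1.1\r\n")
    + _flows("10.0.0.7", (80,), b"GET /../../../../etc/passwd HTTP/1.1\r\n")
    + _flows("10.0.0.99", range(1, 26))                                  # port scan: 25 distinct ports
    + _flows("10.0.0.50", (21, 22, 25, 53, 80, 110, 143, 443, 445, 993, 995, 3389))  # IT scanner
)

if __name__ == "__main__":
    print("signature alerts:", signature_scan(CURRENT))
    print("anomalous sources:", anomaly_scan(TRAINING, CURRENT))
```

Note the complementary blind spots: the signature scan says nothing about the port scan,
because no payload pattern is involved, and the anomaly scan says nothing about the two
web attacks, because a single connection to port 80 is perfectly normal. Production systems
combine both, and the anomaly threshold is tuned (or the IT scanner whitelisted) to keep
the false-positive rate workable.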

IDS vs. Firewalls

IDSes and next-generation firewalls are both network security solutions. What differentiates
an IDS from a firewall is its purpose.

An IDS monitors passively, describing a suspected threat after it has happened and
signaling an alert. The IDS watches network packets in motion, which allows incident
responders to evaluate the threat and act as necessary. It does not, however, by itself protect
the endpoint or network.

A firewall monitors actively, looking for threats in order to prevent them from becoming
incidents. Firewalls are capable of filtering and blocking traffic. They allow traffic based on
preconfigured rules, relying on ports, protocols, and source and destination addresses, and
reject traffic that does not match an allow rule. However, a perimeter firewall does not see an
attack that originates and stays inside the network; an IDS placed within the network can
still detect it.

Diagram depicting the functionality of an intrusion detection system and a firewall


Digital Certificates

A digital certificate is a form of electronic credential that can prove the authenticity of a user,
device, server, or website. It uses public key infrastructure (PKI) to help exchange
communications and data securely over the internet.

This form of authentication is a type of cryptography that requires the use of public and
private keys to validate users.

Public key certificates are issued by a trusted third party, a certificate authority (CA), which
signs the certificate and thereby vouches for the identity of the device or user that requested
it. To ensure validity, the public key is matched with a corresponding private key that only
the certificate's subject (the recipient of the certificate) knows. Each digital certificate is
associated with a specific key pair: one public key and one private key.

A digital certificate contains the following identifiable information:

 User’s name
 Company or department of user
 IP (internet protocol) address or serial number of device
 Copy of the public key from a certificate holder
 Duration of time the certificate is valid for
 Domain certificate is authorized to represent

Benefits of digital certification

Digital certification can offer a level of security that is increasingly important in this digital
age. In fact, cybersecurity has been named one of the top priorities of the U.S. Government
by the Department of Homeland Security (DHS). Cybercrime is a major threat to businesses
and individuals.

Digital certificates can provide the following benefits:

 Security: Digital certificates can keep internal and external communications
confidential and protect the integrity of the data. They can also provide access control,
ensuring that only the intended recipient receives and can access the data.
 Authentication: With a digital certificate, users can be sure that the entity or person
they are communicating with is who they say they are, and that communications reach
only the intended recipient.
 Scalability: Digital certificates can be used across a variety of platforms, for
individuals and for large and small businesses alike. They can be issued, renewed, and
revoked in a matter of seconds, used to secure a range of user devices, and managed
through one centralized system.
 Reliability: A recognized digital certificate can only be issued by a publicly trusted and
rigorously vetted CA, which means that certificates cannot be easily forged.
 Public trust: The use of a digital certificate proves the authenticity of a website,
documents, or emails. It can assure users and clients that the company or individual is
genuine, respects privacy, and values security.

What Are the Types of Digital Certificates?


There are three different types of public key certificates: a transport layer security (TLS)/SSL
certificate, a code signing certificate, and a client certificate.

TLS/SSL Certificate

A TLS/SSL certificate sits on a server—such as an application, mail, or web server—to
ensure that communication with its clients is private and encrypted. The certificate provides
authentication for the server so that it can send and receive encrypted messages with clients.
The presence of a TLS/SSL certificate is signified by the Hypertext Transfer Protocol Secure
(HTTPS) designation at the start of a Uniform Resource Locator (URL) or web address. It
comes in three forms:

Domain Validated
A domain validated certificate is a quick validation method that is acceptable for any website.
It is cheap to obtain and can be issued in a matter of minutes.

Organization Validated
This provides light business authentication and is ideal for organizations selling products
online through e-commerce.

Extended Validation
This offers full business authentication, which is required by larger organizations or any
business dealing with highly sensitive information. It is typically used by businesses in the
financial industry and offers the highest level of authentication, security, and trust.

Code Signing Certificate

A code signing certificate is used to confirm the authenticity of software or files downloaded
through the internet. The developer or publisher signs the software to confirm that it is
genuine to users that download it. This is useful for software providers that make their
programs available on third-party sites to prove that files have not been tampered with.

Client Certificate

A client certificate is a digital ID that identifies an individual user to another user or machine,
or one machine to another. A common example of this is email, where a sender signs a
communication digitally and its signature is verified by the recipient. Client certificates can
also be used to help users access protected databases.

Who Can Issue a Digital Certificate?

Digital certificates are issued by CAs, which sign a certificate to prove the authenticity of the
individual or organization that issued the request. A CA is responsible for managing domain
control verification and verifying that the public key attached to the certificate belongs to the
user or organization that requested it. They play an important part in the PKI process and
keeping internet traffic secure.

Beneficial Features of Digital Certificates

Digital certificates are becoming increasingly important, as cyberattacks continue to increase
in both volume and sophistication. Key benefits of digital certificates include:

Security

Digital certificates encrypt internal and external communications to prevent attackers from
intercepting and stealing sensitive data. For example, a TLS/SSL certificate encrypts data
between a web server and a web browser, ensuring an attacker cannot intercept website
visitors’ data.

Scalability

Digital certificates provide businesses of all shapes and sizes with the same encryption
quality. They are highly scalable, which means they can easily be issued, revoked, and
renewed in seconds, used to secure user devices, and managed through a centralized platform.

Authenticity

Digital certificates are crucial to ensuring the authenticity of online communication in the age
of widespread cyberattacks. They make sure that users’ messages will always reach their
intended recipient—and only reach their intended recipient. TLS/SSL certificates encrypt
websites, Secure/Multipurpose Internet Mail Extensions (S/MIME) encrypt email
communication, and document-signing certificates can be used for digital document sharing.

Reliability

Only publicly trusted CAs can issue recognized digital certificates. Obtaining one requires
rigorous vetting, which ensures hackers or fake organizations cannot trick victims that use a
digital certificate.

Public Trust

Using a digital certificate provides confirmation that a website is genuine and that documents
and emails are authentic. This projects public trust, assuring clients that they are dealing with
a genuine company that values their security and privacy.

Feature: Digital Certificate vs. Digital Signature

Definition
  Digital Certificate: An electronic document that uses a digital signature to bind a public key
  with an identity (e.g., name, email, company).
  Digital Signature: A cryptographic value that is calculated from the data and a secret key
  known only by the signer.

Purpose
  Digital Certificate: To establish the ownership of a public key and facilitate secure
  communication.
  Digital Signature: To ensure the integrity and authenticity of a message or document and
  provide non-repudiation.

Issued/Generated By
  Digital Certificate: Certificate Authorities (CAs), after verifying the identity of the
  requester.
  Digital Signature: The individual or entity who owns the document or message, using their
  private key.

Components
  Digital Certificate: The certificate holder's information, public key, issuer (CA), and
  validity period.
  Digital Signature: The hashed document or message data, which is then encrypted with the
  signer's private key.

Use Cases
  Digital Certificate: Secure web browsing (HTTPS), email encryption, and securing network
  protocols.
  Digital Signature: Document signing, software distribution, email verification,
  authentication systems.

Verification
  Digital Certificate: By checking if it is signed by a trusted CA, ensuring the certificate and
  public key belong to the claimed owner.
  Digital Signature: By using the signer's public key to verify that the signature matches the
  associated message or document.

Functionality
  Digital Certificate: Associates a public key with the identity of its holder, thereby
  establishing trustworthiness.
  Digital Signature: Validates the integrity of the signed data and confirms the identity of the
  signer.

Security Aspect
  Digital Certificate: Ensures that a public key belongs to the individual, organization, or
  device it claims to belong to.
  Digital Signature: Ensures that a document or message has not been altered since it was
  signed and verifies the signer's identity.

SSL/TLS

SSL (Secure Sockets Layer) encryption, and its more modern and secure replacement, TLS
(Transport Layer Security) encryption, protect data sent over the internet or a computer
network. This prevents attackers (and Internet Service Providers) from viewing or tampering
with data exchanged between two nodes—typically a user’s web browser and a web/app
server. Most website owners and operators have an obligation to implement SSL/TLS to
protect the exchange of sensitive data such as passwords, payment information, and other
personal information considered private.

SSL/TLS (Secure Sockets Layer and Transport Layer Security) – cryptographic protocols
enabling secure internet communication.

How Does SSL/TLS Work?


SSL/TLS certificates authenticate identities and enable encrypted connections through
the SSL/TLS handshake:
1. The client requests access to a protected resource such as a login page.
2. The server responds by sending its SSL certificate, including the public key.
3. The client verifies that the certificate is valid and trusted. This ensures the server is
authentic.
4. The client generates a symmetric session key and encrypts it with the server’s public
key. This securely transmits the session key to the server.
5. The server decrypts the session key with its private key.
6. Both parties use the symmetric session key to encrypt and decrypt all transmitted data.
This handshake allows the two parties to negotiate an encrypted channel without sharing
sensitive information over insecure channels. The encrypted session protects data in transit
between the client and server.
SSL/TLS Encryption and Keys
There are two types of encryption keys used in SSL/TLS:
 Asymmetric keys – The public and private key pair are used to identify the server
and initiate the encrypted session. The private key is known only to the server, while
the public key is shared via a certificate.
 Symmetric session keys – Disposable keys are generated for each connection and
used to encrypt/decrypt transmitted data. The symmetric keys are securely exchanged
using asymmetric encryption.
SSL/TLS supports multiple symmetric ciphers and asymmetric public key algorithms. For
example, AES with 128-bit keys is a common symmetric cipher, while RSA and ECC are
commonly used asymmetric algorithms.

What are the types of SSL certificates?

There are several different types of SSL certificates. One certificate can apply to a single
website or several websites, depending on the type:

 Single-domain: A single-domain SSL certificate applies to only one domain (a
"domain" is the name of a website, like www.cloudflare.com).
 Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to
only one domain. However, it also includes that domain's subdomains. For
example, a wildcard certificate could cover www.cloudflare.com,
blog.cloudflare.com, and developers.cloudflare.com, while a single-domain
certificate could only cover the first.
 Multi-domain: As the name indicates, multi-domain SSL certificates can apply to
multiple unrelated domains.

SSL certificates also come with different validation levels. A validation level is like a
background check, and the level changes depending on the thoroughness of the check.

 Domain Validation: This is the least stringent level of validation, and the
cheapest. All a business has to do is prove that it controls the domain.
 Organization Validation: This is a more hands-on process: the CA directly
contacts the person or business requesting the certificate. These certificates are
more trustworthy for users.
 Extended Validation: This requires a full background check of an organization
before the SSL certificate can be issued.


Scenarios Where SSL/TLS is Crucial

SSL/TLS is essential in several scenarios:


 E-Commerce Websites: These sites handle financial transactions and personal user
data, making SSL/TLS critical for data protection and maintaining customer trust.
 Online Banking: Banks use SSL/TLS to secure online banking sessions,
safeguarding sensitive financial information from potential interception.
 Cloud Services: With increasing reliance on cloud storage and services, SSL/TLS
ensures data security during transmission.
 Corporate Communications: Businesses employ SSL/TLS to protect sensitive
corporate data and internal communications.
 Healthcare Services: To comply with privacy laws, healthcare providers use
SSL/TLS for securing patient data shared online.
 Government Services: Government websites and online services use SSL/TLS
extensively to protect citizen data and sensitive government information.

Detailed Exploration of SSL/TLS Mechanisms

Encryption Process
The encryption process in SSL/TLS involves several steps:

1. Handshake Protocol: Initially, the client and server establish a secure connection
using a 'handshake'. This involves the exchange of encryption algorithms, keys, and
other session details.
2. Symmetric Encryption: Once the handshake is complete, a symmetric key is used
for encrypting the data transmitted during the session. This key is known only to the
client and server, ensuring privacy.
3. Asymmetric Encryption: During the handshake, asymmetric encryption is used
for key exchange. This involves a public key (known to all) and a private key (known
only to the recipient).
Authentication through Digital Certificates
SSL/TLS uses digital certificates for authentication:

 Certificate Authorities (CAs): These are trusted entities that issue digital
certificates. They validate the identity of the certificate holder.
 Public Key Infrastructure (PKI): This infrastructure underpins the use of digital
certificates and keys. It includes policies and procedures for creating, managing, and
validating certificates.
 Certificate Validation: When a client connects to a server, it checks the server's
certificate against a list of trusted CAs. If the certificate is valid, it confirms the
server's authenticity.
Data Integrity
SSL/TLS protocols ensure data integrity through:

 Message Authentication Code (MAC): After encryption, a MAC is attached to each
message. This code is used to verify that the message has not been altered during
transmission.
 Sequence Numbering: Each SSL/TLS record has a sequence number, ensuring that
no messages are lost or duplicated.
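The MAC and sequence-numbering checks just listed, as an added Python example (not from the original notes): a simplified TLS-style record layer in which both ends keep an implicit sequence counter and the receiver rejects any altered, replayed or out-of-order record. The key derivation and record format are simplifications assumed for this example, not the real TLS PRF or record format.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def derive_mac_key(master_secret: bytes, label: bytes) -> bytes:
    """Simplified key expansion (assumption for this example, not the TLS PRF): derive a
    direction-specific MAC key from the negotiated master secret with HMAC-SHA256."""
    return hmac.new(master_secret, b"mac key|" + label, hashlib.sha256).digest()


def record_mac(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC over the 64-bit record sequence number and the payload. The sequence
    number is never sent; both ends count records themselves, as TLS does."""
    return hmac.new(mac_key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


class RecordSender:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0  # starts at 0 for each connection and never repeats within it

    def protect(self, payload: bytes) -> bytes:
        """Emit payload || MAC(seq || payload). Encryption is omitted here so the
        example stays focused on the integrity check."""
        record = payload + record_mac(self.mac_key, self.seq, payload)
        self.seq += 1
        return record


class RecordReceiver:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def unprotect(self, record: bytes) -> bytes:
        """Recompute the MAC with the receiver's own counter. A modified, duplicated,
        dropped or reordered record yields a different MAC and is rejected."""
        if len(record) < TAG_LEN:
            raise ValueError("record too short")
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.mac_key, self.seq, payload)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            raise ValueError(f"bad record MAC at sequence {self.seq}")
        self.seq += 1
        return payload


def run_scenarios(master_secret: bytes = b"constructed master secret") -> dict:
    """Deliver three records under four delivery conditions and report, per scenario,
    whether every record was accepted (True) or one was rejected (False)."""
    key = derive_mac_key(master_secret, b"client write")
    sender = RecordSender(key)
    r1, r2, r3 = (sender.protect(p) for p in (b"GET /account", b"POST /transfer", b"amount=10"))
    # someone on the path changes the amount in transit but cannot recompute the MAC
    tampered_r3 = r3[:-TAG_LEN].replace(b"10", b"99") + r3[-TAG_LEN:]
    scenarios = {
        "in_order": [r1, r2, r3],
        "tampered": [r1, r2, tampered_r3],
        "replayed": [r1, r2, r2, r3],  # record 2 duplicated
        "reordered": [r1, r3, r2],     # record 2 lost or delayed
    }
    results = {}
    for name, stream in scenarios.items():
        receiver = RecordReceiver(key)
        try:
            for rec in stream:
                receiver.unprotect(rec)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:10s} -> {'accepted' if accepted else 'rejected'}")
```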


Difference between Secure Socket Layer (SSL) and Transport Layer Security (TLS)

SSL: SSL stands for Secure Socket Layer.
TLS: TLS stands for Transport Layer Security.

SSL: SSL supports the Fortezza algorithm.
TLS: TLS does not support the Fortezza algorithm.

SSL: SSL is the 3.0 version.
TLS: TLS is the 1.0 version.

SSL: In SSL, a message digest is used to create the master secret.
TLS: In TLS, a pseudo-random function is used to create the master secret.

SSL: In SSL, the Message Authentication Code protocol is used.
TLS: In TLS, the Hashed Message Authentication Code protocol is used.

SSL: SSL is more complex than TLS.
TLS: TLS is simpler.

SSL: SSL is less secure as compared to TLS.
TLS: TLS provides high security.

SSL: SSL is less reliable and slower.
TLS: TLS is highly reliable and upgraded. It provides lower latency.

SSL: SSL has been deprecated.
TLS: TLS is still widely used.

SSL: SSL uses a port to set up an explicit connection.
TLS: TLS uses the protocol to set up an implicit connection.

Feature: SSL vs. TLS

Stands For
  SSL: SSL means Secure Sockets Layer.
  TLS: TLS means Transport Layer Security.

Version
  SSL: SSL is now replaced with TLS.
  TLS: TLS is the upgraded version of SSL.

History
  SSL: SSL moved through versions 1.0, 2.0, and 3.0.
  TLS: TLS has moved through versions 1.0, 1.1, 1.2, and 1.3.

Activity
  SSL: Every SSL version is now deprecated.
  TLS: TLS versions 1.2 and 1.3 are actively used.

Alert Messages
  SSL: SSL has only two types of alert messages. Alert messages are unencrypted.
  TLS: TLS alert messages are encrypted and more diverse.

Message Authentication
  SSL: SSL uses MACs.
  TLS: TLS uses HMACs.

Cipher Suites
  SSL: SSL supports older algorithms with known security vulnerabilities.
  TLS: TLS uses advanced encryption algorithms.

Handshake
  SSL: An SSL handshake is complex and slow.
  TLS: A TLS handshake has fewer steps and a faster connection.

Virtual Private Networks

A virtual private network (VPN) is a technology that creates a safe and encrypted
connection over a less secure network, such as the Internet. A VPN is a way to extend a
private network using a public network such as the Internet. The name itself suggests that it
is a "virtual private network", i.e. a user can be part of a local network while sitting at a
remote location. It makes use of tunneling protocols to establish a secure connection.
The situation is described below:
 All 100 computers of the corporate office in Washington are connected to the VPN
server (a well-configured server with a public IP address and a switch connecting all the
computers present in the local network, i.e. in the US head office).
 The person sitting in the Mumbai office connects to the VPN server using a dial-up
window, and the VPN server returns an IP address that belongs to the range of IP
addresses of the corporate office's local network.
 Thus the person from the Mumbai branch becomes local to the head office, and
information can be shared securely over the public internet.
 So this is the intuitive way of extending the local network even across the geographical
borders of a country.
VPN is Widely Used All Across the Globe
We will explain with an example. Suppose we use smartphones regularly. Spotify is a
Swedish music app that is not active in India, but we are making full use of it sitting in
India. So how? A VPN can be used to camouflage our geolocation.
 Suppose the IP address is 101.22.23.3, which belongs to India. That is why our device is
not able to access the Spotify music app.
 But the magic begins when we use the Psiphon app, an Android app used to change the
device IP address to an IP address of the location we want (say the US, where Spotify
works seamlessly).
 The IP address is changed using VPN technology. Basically, your device connects to a
VPN server in the country that you have entered in the location textbox of the Psiphon
app, and you inherit a new IP address from this server.
Now we type "What is my IP address?" Amazingly, the IP address has changed to
45.79.66.125, which belongs to the USA, and since Spotify works well in the US, we can use
it now while in India (virtually in the USA). Isn't that good? Obviously, it is very useful.
 A VPN also ensures security by providing an encrypted tunnel between the client and the
VPN server.
 A VPN is used to bypass many blocked sites.
 A VPN facilitates anonymous browsing by hiding your IP address.
 Also, the most appropriate search engine optimization (SEO) is done by analyzing the
data from VPN providers, which provide country-wise statistics of browsing for a
particular product.
 VPNs encrypt your internet traffic, safeguarding your online activities from potential
eavesdropping and cyber threats, thereby enhancing your privacy and data protection.
Types of VPN
There are several types of VPN, and they vary according to the specific requirements of the
computer network. Some of the VPN types are as follows:
1. Remote Access VPN
2. Site to Site VPN
3. Cloud VPN
4. Mobile VPN
5. SSL VPN
For more details you can refer to the published article on Types of VPN.
VPN Protocols
 OpenVPN: OpenVPN is a cryptographic protocol that prioritises security. It is a widely
compatible protocol that provides a variety of setup choices.
 Point-To-Point Tunneling Protocol (PPTP): PPTP is no longer used much, because
there are many other secure choices with stronger and more advanced encryption that
protect data.
 WireGuard: WireGuard is a good choice and shows strong capability in terms of
performance.
 Secure Socket Tunneling Protocol (SSTP): SSTP was developed by Microsoft for
Windows users. It is not widely used due to its limited connectivity.
 Layer 2 Tunneling Protocol (L2TP): It connects a user to the VPN server but lacks
encryption; hence it is frequently used with IPSec to offer connection, encryption, and
security simultaneously.
Why Use a VPN?
 For Unlimited Streaming: Love streaming your favourite shows and sports games? A
VPN is your ultimate companion for unlocking streaming services.
 For elevating your Gaming Experience: Unleash your gaming potential with the
added layer of security and convenience provided by a VPN. Defend yourself against
vengeful competitors aiming to disrupt your gameplay while improving your ping for
smoother, lag-free sessions. Additionally, gain access to exclusive games that may be
restricted in your region, opening up a world of endless gaming possibilities.
 For Anonymous Torrenting: When it comes to downloading copyrighted content
through torrenting, it’s essential to keep your IP address hidden. A VPN can mask your
identity and avoid potential exposure, ensuring a safe and private torrenting experience.
 For supercharging your Internet Speed: Are you tired of your Internet speed slowing
down when downloading large files? Your Internet Service Provider (ISP) might be
intentionally throttling your bandwidth. Thankfully, a VPN can rescue you by keeping
your online activities anonymous, effectively preventing ISP throttling. Say goodbye to
sluggish connections and embrace blazing-fast speeds.
 Securing Public Wi-Fi: VPNs are essential for maintaining security when using public
Wi-Fi networks, such as those in coffee shops, airports, or hotels. These networks are
often vulnerable to cyberattacks, and using a VPN encrypts your internet connection,
protecting your data from potential hackers and eavesdroppers when you connect to
untrusted Wi-Fi hotspots.
Are VPNs legal or illegal?
Using a VPN is legal in most countries. The legality of using a VPN service depends on the
country and on its geopolitical relations with other countries as well. A reliable and secure
VPN is always legal if you do not intend to use it for any illegal activities such as committing
fraud online, cyber theft, or, in some countries, downloading copyrighted content. China has
decided to block all VPNs (virtual private networks) by next year, according to a Bloomberg
report. Many Chinese Internet users use VPNs to privately access websites that are blocked
under China's so-called "great firewall". This is done to avoid any information leakage to rival
countries and to tighten information security.
What to Look for When Choosing a VPN?
 Be sure the VPN has appropriate speed, a lot of providers have trouble keeping up with
Netflix viewing or downloading.
 Read both user and expert evaluations to gain a good idea of how well the VPN
operates.
 Select a VPN provider that provides shared IP addresses.
 More servers translate into faster browsing because there will be less traffic on each
one.
Benefits of VPN
 When you use VPN it is possible to switch IP.
 The internet connection is safe and encrypted with a VPN.
 Sharing files is confidential and secure.
 Your privacy is protected when using the internet.
 There is no longer a bandwidth restriction.
 It facilitates cost savings for internet shopping.
Limitations of VPN
 VPN may decrease your internet speed.
 Premium VPNs are not cheap.
 VPN usage may be banned in some nations.

How Does a VPN Work?
A virtual private network connects you to the internet while acting as a bridge between you
and the internet. Instead of communicating directly with a website, you go through a VPN
server, primarily to keep your internet activity strictly confidential.
Assume you want to transfer money from a bank account to a family member's account. To
do so, you will navigate to the bank's website and enter your login details.
If you are accessing the internet without a VPN, you can reveal your login details to anyone
observing your network, such as hackers, government officials, network administrators, and
so on.
In contrast, a virtual private network establishes a tunnel through which your data packets
pass, keeping them hidden from other entities. When you use a VPN, your data is encrypted,
and no one can read it except the intended recipient.

Advantages of using a VPN connection

There are substantial advantages of using a VPN connection, such as:
Network security: Enhances network security by stopping people, software, and web
browsers from gaining access to your connection.
Prevent data throttling: A virtual private network can help you avoid a data cap because no
one, including your internet service provider, can see how much data you’re using.
Securing private information: A virtual private network provides high-level security
features such as 256-bit encryption. This renders all of your online communications
incomprehensible to anyone who is able to intercept them.
Scalability of a private network: The cost of expanding a private network can be
prohibitively expensive. However, if you use a virtual private network server, you can
provide access to multiple employees and remote workers at the same time.
Access to geo-blocked services: Some websites and services prohibit users from certain
countries from accessing some or all of their content. In this case, you can use a virtual
private network to appear to be using the internet from a location acceptable to the service
you are attempting to access.
How to choose the right VPN?
Before you sign up for a VPN service, consider the following:
Provider’s logging policy: It will inform you what data a VPN provider will store regarding
your web activity, so make sure you read it to protect your privacy. Always choose a vendor
with a “no logging policy.”
Level of encryption: The strength of encryption is an essential factor to consider when
selecting a VPN. More robust encryption is more difficult to crack and provides greater
security. In the virtual private network industry, 256-bit encryption is standard.
Connection speed: One disadvantage of using a virtual private network is that it can slightly
slow down your internet connection due to the additional encryption step the data goes
through. To mitigate this slowdown, you’ll need a virtual private network with fast servers.
Available servers: Having more servers gives you more options for connecting to a fast and
reliable server.
VPN provider’s country: You should avoid VPNs from the United Kingdom, the United
States, Canada, Germany, Belgium, Italy, as well as Denmark, France, the Netherlands,
Norway, Australia, New Zealand, Spain, and Sweden. Local security agencies in these
countries may force a virtual private network provider to reveal the data of its users.

Wi-Fi Security

Wireless Terminologies

First, let's go through a set of basic terms related to wireless communication. Progressively,
we will get into more advanced material as we go along this path together.

Wireless Communication

Wireless communication refers to any type of data exchange between the parties that is
performed wirelessly (over the air). This definition is extremely wide, since it may
correspond to many types of wireless technologies, like −

 Wi-Fi Network Communication
 Bluetooth Communication
 Satellite Communication
 Mobile Communication

All the technologies mentioned above use different communication architectures; however,
they all share the same capability: a wireless medium.

Wi-Fi

Wireless Fidelity (Wi-Fi) refers to the wireless local area networks we all know. It is based
on the IEEE 802.11 standard. Wi-Fi is a type of wireless network you meet almost
everywhere: at home, at the workplace, in hotels, restaurants and even in taxis, trains or
planes. These 802.11 communication standards operate on either the 2.4 GHz or the 5 GHz
ISM radio bands.

Devices compatible with the Wi-Fi standard are easily available in shops, and they carry the
Wi-Fi logo on the device itself. I bet you have seen it hundreds of times in various shops or
other public places!

Because 802.11-based wireless networks are so heavily used in all types of environments,
they are also the biggest subject of security research among the various wireless standards.

Wireless Clients

Wireless clients are considered to be any end devices with a wireless card or wireless adapter
installed. Now, in the 21st century, those devices can be almost anything −
 Modern Smartphones − These are among the most universally used wireless devices
you see in the market. They support multiple wireless standards in one box, for
example Bluetooth, Wi-Fi and GSM.
 Laptops − These are a type of device which we all use every single day!
 Smartwatch − A Sony smartwatch, for example, can synchronize with your smartphone
via Bluetooth.
 Smart-home Equipment − With the current progress of technology, smart-home
equipment might be, for example, a freezer that you can control over Wi-Fi, or a
temperature controller.

The list of possible client devices is growing every single day. It sounds a little scary that all
of those devices/utilities we use on a daily basis can be controlled via a wireless network so
easily. But at the same time, remember that all the communication flowing through a wireless
medium can be intercepted by anyone who is just standing at the right place at the right time.
Wireless Security - Access Point

Access Point (AP) is the central node in 802.11 wireless implementations. It is the interface
between wired and wireless network, that all the wireless clients associate to and exchange
data with.

For a home environment, most often you have a router, a switch, and an AP embedded in one
box, making it really usable for this purpose.

Base Transceiver Station

A Base Transceiver Station (BTS) is the equivalent of an Access Point from the 802.11 world,
but used by mobile operators to provide signal coverage, e.g. 3G, GSM, etc.
Note − The content of this tutorial concentrates on 802.11 wireless networking; therefore
additional information about BTS and mobile communication in more detail is not included.

Wireless Controller (WLC)

In corporate wireless implementations, the number of Access Points is often counted in
hundreds or thousands of units. It would not be administratively possible to manage all the
APs and their configuration (channel assignments, optimal output power, roaming
configuration, creation of SSIDs on each and every AP, etc.) separately.

This is the situation where the concept of a wireless controller comes into play. It is the
"mastermind" behind all the wireless network operation: a centralized server which has
IP connectivity to all the APs on the network, making it easy to manage all of them
globally from a single management platform, push configuration templates, monitor users
from all the APs in real time and so on.

Service Set Identifier (SSID)

The SSID directly identifies the WLAN itself. In order to connect to a wireless LAN, the
wireless client needs to send exactly the same SSID in the association frame as the SSID name
preconfigured on the AP. So the question arises: how to find out which SSIDs are present
in your environment? That is easy, as all operating systems come with a built-in wireless
client that scans the wireless spectrum for networks to join (as shown below). I am
sure you have done this process several times in your daily routine.

But how do those devices know that a specific wireless network has that particular name,
just by listening to radio waves? It is because one of the fields in a beacon frame
(which APs transmit all the time, at very short intervals) contains the SSID name,
always in clear text; that is the whole theory behind it.

An SSID can have a length of up to 32 alphanumeric characters and uniquely identifies a
particular WLAN broadcast by the AP. When the AP has multiple SSIDs defined, it
sends a separate beacon frame for each SSID.

Cell

A cell is basically the geographical region covered by the AP's or BTS's antenna (transmitter).
In the following image, a cell is marked with a yellow line.

Most often, an AP has much more output power when compared with the capabilities of
the antenna built into the client device. The fact that the client can receive frames
transmitted from the AP does not mean that a 2-way communication can be established. The
above picture shows that situation perfectly: in both cases the client can hear the AP's
frames, but only in the second case can 2-way communication be established.

The outcome of this short example is that, when designing wireless cell sizes, one has
to take into account the average output transmitting power of the antennas that clients
will use.

Channel

Wireless networks may be configured to support multiple 802.11 standards. Some of them
operate on the 2.4 GHz band (examples: 802.11b/g/n) and others on the 5 GHz band
(examples: 802.11a/n/ac).

Depending on the band, there is a predefined set of sub-bands, one for each channel number. In
environments with multiple APs placed in the same physical area, smart channel
assignment is used in order to avoid collisions (collisions of frames transmitted on exactly
the same frequency from multiple sources at the same time).

Let's have a look at the theoretical design of an 802.11b network with 3 cells adjacent to
each other, as shown in the above picture. The design on the left is composed of 3 non-
overlapping channels - it means that frames sent by the APs and their clients in a particular cell
will not interfere with communication in the other cells. On the right, we have the completely
opposite situation: all frames flying around on the same channel lead to collisions and degrade
the wireless performance significantly.
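As an added example (not code from the tutorial), the following Python checks a 2.4 GHz channel plan for the overlap just described and performs the simplest form of the "smart channel assignment" a controller does. The centre frequencies (2407 + 5n MHz for channels 1-13, 2484 MHz for channel 14) and the roughly 22 MHz channel width are the 802.11b/g values; the cell layouts are constructed for the example.

```python
# Added example (not from the tutorial): checking a 2.4 GHz channel plan for the
# overlap described above. Centre frequencies and widths follow IEEE 802.11b/g:
# channels 1-13 sit at 2407 + 5*n MHz, channel 14 at 2484 MHz, and a DSSS
# transmission occupies about 22 MHz, so two cells interfere unless their centres
# are at least one channel width apart (in practice 5 channel numbers = 25 MHz).
CHANNEL_WIDTH_MHZ = 22
NON_OVERLAPPING = (1, 6, 11)   # the classic non-overlapping set for 13-channel regions


def centre_freq_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.11 channel."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("not a 2.4 GHz channel: %r" % (channel,))


def channels_overlap(a, b):
    """True when two channels share spectrum: centres closer than one channel width."""
    return abs(centre_freq_mhz(a) - centre_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_pairs(plan):
    """plan maps cell name -> channel. Returns the pairs of cells whose frames can
    collide (every cell in the plan is assumed to be within radio range of the others)."""
    names = sorted(plan)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if channels_overlap(plan[x], plan[y])]


def assign_channels(adjacency, candidates=NON_OVERLAPPING):
    """Greedy channel assignment, the simplest form of what a wireless controller does.
    adjacency maps cell -> set of neighbouring cells."""
    plan = {}
    for cell in sorted(adjacency):
        used = {plan[n] for n in adjacency[cell] if n in plan}
        free = [c for c in candidates if c not in used]
        # With more mutual neighbours than candidate channels a conflict is unavoidable;
        # fall back to the first candidate and let overlapping_pairs() report it.
        plan[cell] = free[0] if free else candidates[0]
    return plan


if __name__ == "__main__":
    # Constructed layout: the three mutually adjacent cells from the picture.
    three_cells = {"A": {"B", "C"}, "B": {"A", "C"}, "C": {"A", "B"}}
    good = assign_channels(three_cells)     # left-hand design: 1 / 6 / 11
    bad = {"A": 6, "B": 6, "C": 6}          # right-hand design: everything on channel 6
    print("good plan", good, "collisions:", overlapping_pairs(good))
    print("bad plan ", bad, "collisions:", overlapping_pairs(bad))
```

The overlap test is the same one a site survey applies by hand: channels 1 and 5 collide (20 MHz apart), channels 1 and 6 do not (25 MHz apart), and channel 14 collides with 13 despite the larger gap in the numbering.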

Antennas

Antennas are used to "translate" information flowing as an electrical signal inside the cable
into the electromagnetic field, which is used to transmit the frame over a wireless medium.

Every wireless device (either an AP or any type of wireless client device) has an antenna that
includes a transmitter and a receiver module. It can be external and visible to everyone
around, or built-in, as most laptops or smartphones have nowadays.

For wireless security testing or penetration tests of wireless networks, an external antenna is
one of the most important tools. You should get one of them if you want to go into this field!
One of the biggest advantages of external antennas (compared to most of the internal
antennas you might meet built into the equipment) is that they can be configured in a so-
called "monitor mode" (strictly speaking, a capability of the adapter's chipset and driver rather
than of the antenna itself) - this is definitely something you need! It allows you to sniff the
wireless traffic from your PC using Wireshark or other well-known tools like Kismet.

There is a very good article on the internet
(https://www.raymond.cc/blog/best-compatible-usb-wireless-adapter-for-backtrack-5-and-aircrack-ng/)
that helps with the choice of an external wireless antenna, especially for Kali Linux that has
monitor mode capabilities. If you are seriously considering going into this field of technology, I
really recommend all of you to purchase one of the recommended ones (I have one of them).

Wireless Security - Network

Wireless networks may be classified into different categories based on the range of operation
they offer. The most common classification scheme divides wireless networks into the four
categories listed in the table below, together with short examples.

Category | Coverage | Examples | Applications

Wireless Personal Area Network (WPAN) | Very short - max 10 meters but usually much smaller | Bluetooth, 802.15, IrDA communication | Data exchange between smartphones; headsets; smart watches
Wireless Local Area Network (WLAN) | Moderate - inside the apartments or work places | 802.11 Wi-Fi | Wireless extension of the local network used in enterprises, markets, airports, homes
Wireless Metropolitan Area Network (WMAN) | All around the city | Wimax, IEEE 802.16 or proprietary technologies | Between homes and businesses
Wireless Wide Area Network (WWAN) | Throughout the world | 3G, LTE | Wireless access to the internet from

This tutorial is mainly going to cover WLAN technology; however, we will also cover the
various aspects of Bluetooth communication (WPAN).

Wireless Technology Statistics

Just to give you some proof that wireless technologies will affect our lives in more and more
ways every year, have a look at the sample statistics that have been found! Some of them
seem scary, but at the same time they simply show how much we rely on wireless
communication nowadays.

 By 2020, around 24 Billion devices will be connected to the internet, with more than
half connected via wireless. This is the true Internet of Things (IoT). How does that sound,
taking into account that we have around 7.4 Billion people living on the earth now?
 About 70% of all types of wireless communication is Wi-Fi (802.11 standard).
 The speed of Wi-Fi networks has grown from 802.11a - 54 Mbps (in 1999) to 802.11ac
wave 1 - 1.3 Gbps (in 2012). On top of that, there is 802.11ac wave 2 on the horizon
with multi-Gbps speeds.
 Every day, millions of people are making cash transfers and accessing their bank accounts
using smartphones over Wi-Fi!

Are you still hesitant about the importance of security in wireless implementations?

Wi-Fi Networks

The choice of devices used in wireless deployments is influenced by the type of deployment:
whether this is going to be a network for a small house, a shop, a big enterprise network or
one for hotels.

Scale | Example | Type of devices used

Small deployments | Home, small shops | Most often a home router/switch (integrated with wireless AP)
Big deployments | Hotels, enterprises, universities | Huge number of APs; centralized wireless controller; RFID-based services; other types of wireless location tracking services

Wireless Security - Standards

Since the beginning of the IEEE 802.11 standard, wireless networks have been evolving at a
significant pace. People saw the potential in this type of data transmission, so 802.11
successors kept showing up a few years after each other. The following table summarizes the
current 802.11 standards that are used in our times −

Standard Frequency Max speed

802.11 2.4 GHz 2 Mbps

802.11a 5 GHz 54 Mbps

802.11b 2.4 GHz 11 Mbps

802.11g 2.4 GHz 54 Mbps

802.11n 2.4 or 5 GHz 600 Mbps

802.11ac 5 GHz 1 Gbps

As you can see, Wi-Fi networks are becoming faster and faster. Following are a couple of
limiting factors why we don't see such high speeds when we download data over Wi-Fi −

 There is a difference between the speed and the actual throughput. Since wireless
communication is half-duplex (a single antenna can either transmit or receive at one
time), the actual throughput is around 50% of the speed. This condition is only
true when there is one transmitter and one receiver, without any other clients involved
and without interference (which leads to collisions and retransmissions).
 The most cutting-edge standard (802.11ac) is not that widely supported on end
devices. Most laptops or smartphones on the market provide support for
802.11a/b/g/n, but not yet for the 802.11ac standard. In addition, some devices are
equipped only with an antenna that supports the 2.4 GHz frequency band, but not 5 GHz
(which leads to a lack of 802.11ac support by default).

Check Your Wi-Fi Network Standards

Let us see how you can check which standards are supported on the Wi-Fi network that you
are joined to. You can check this using a number of approaches; I will present two of them
here −

By sniffing for the wireless beacon frames

 Every beacon frame contains the list of speeds that are supported by the transmitting AP.
Those speeds may be mapped to the standard directly.
 The dump of the beacon frame above indicates that this is probably an AP enabled
for 802.11b/g support on the 2.4 GHz frequency band:
 802.11b supported rates (1, 2, 5.5, 11).
 802.11g supported rates (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54).

By using some specific tools for wireless network discovery

The following screenshot shows the dump from a wireless-based tool called "inSSIDer" that
is running on Mac. It directly shows all the visible wireless networks, together with some of
the details about every one of them.

From the above picture, one can see that some of the WLANs support 130 Mbps as
maximum speed (those must be 802.11ac), others 54 and 36 Mbps (those may be 802.11a
or g).

On the other hand, you can also use the popular Linux-based program "airodump-ng" (we
will go deeper into this one later on, during the showcase of hacking - breaking the keys of the
Wi-Fi network). For the Windows environment, you may use the popular "Network
Stumbler". All those tools work in a very similar way.
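The SSID field and the supported-rates list described in the two sections above can be read straight out of a beacon's tagged parameters. The following Python is an added example, not code from the tutorial or from any of the tools named above: it walks the (id, length, value) elements of a constructed beacon body, pulls out the SSID, channel and rates, and maps the rates to 802.11b/g/a the same way the beacon dump above was read by hand. Element IDs and the rate encoding are those of the 802.11 standard; the sample bytes are constructed.

```python
# Added example (not the tutorial's code): decoding the tagged parameters of an
# 802.11 beacon frame to recover the SSID and the supported rates, then mapping the
# rates to the 802.11 amendment the AP is most likely running. Element IDs and the
# rate encoding (rate in 500 kbps units, bit 7 marks a "basic" rate) follow 802.11;
# the sample bytes are constructed for this example.
ELEM_SSID, ELEM_RATES, ELEM_DS_PARAM, ELEM_EXT_RATES = 0, 1, 3, 50

# Constructed tagged-parameter section: the part of the beacon body that follows the
# fixed timestamp / beacon interval / capability fields.
SAMPLE_TAGS = bytes.fromhex(
    "00074c61624e657431"     # SSID (id 0), length 7: "LabNet1"
    "010882848b960c121824"   # Supported Rates (id 1): 1b 2b 5.5b 11b 6 9 12 18 Mbps
    "030106"                 # DS Parameter Set (id 3): channel 6
    "32043048606c"           # Extended Supported Rates (id 50): 24 36 48 54 Mbps
)

# Constructed beacon of a "hidden" network: the SSID element is present but empty.
HIDDEN_TAGS = bytes.fromhex("0000" "010482848b96" "030101")


def parse_tagged_params(data):
    """Walk the (id, length, value) elements. Stops at a truncated element instead of
    reading past the end of the buffer, the classic bug in hand-written beacon parsers."""
    elems = []
    i = 0
    while i + 2 <= len(data):
        eid, elen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + elen]
        if len(value) != elen:
            break
        elems.append((eid, value))
        i += 2 + elen
    return elems


def decode_rates(value):
    """Each rate byte is rate/500kbps; bit 7 flags a basic (mandatory) rate."""
    return [(b & 0x7F) / 2 for b in value]


def guess_standards(rates, channel):
    """Map the advertised rate set to 802.11 amendments, as the text does by hand."""
    rates = set(rates)
    found = []
    if rates & {1.0, 2.0, 5.5, 11.0}:
        found.append("802.11b")
    if rates & {6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0}:
        # OFDM rates: 802.11g on the 2.4 GHz band (channels 1-14), 802.11a on 5 GHz.
        found.append("802.11g" if channel is not None and channel <= 14 else "802.11a")
    return found


def beacon_summary(tags):
    ssid, rates, channel = None, [], None
    for eid, value in parse_tagged_params(tags):
        if eid == ELEM_SSID:
            # Sent in clear text in every beacon. A zero-length SSID means the name is
            # "hidden": the beacon is still transmitted, only the name field is blank.
            ssid = value.decode("utf-8", errors="replace")
        elif eid in (ELEM_RATES, ELEM_EXT_RATES):
            rates.extend(decode_rates(value))
        elif eid == ELEM_DS_PARAM and len(value) == 1:
            channel = value[0]
    return {
        "ssid": ssid,
        "hidden": ssid == "",
        "channel": channel,
        "rates_mbps": sorted(rates),
        "standards": guess_standards(rates, channel),
    }


if __name__ == "__main__":
    for name, tags in (("visible", SAMPLE_TAGS), ("hidden", HIDDEN_TAGS)):
        print(name, beacon_summary(tags))
```

The hidden-SSID case is worth noting from the defender's side: hiding the name only blanks this one element, the beacon itself and its rate list are still broadcast, so it is not an access control.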

Wireless Security - Wi-Fi Authentication Modes

In this chapter, we will briefly go through the possible authentication schemes that are used in
the wireless deployments. They are: Open Authentication and Pre-Shared Key (PSK)-based
authentication. The former one is based on EAP frames to derive dynamic keys.

Open Authentication
The term Open Authentication is itself very misleading. It suggests that some kind of
authentication is in place, but in fact the authentication process in this scheme is more of a
formal step than an authentication mechanism. The process looks like what is shown in
the following diagram −

In plain English, what this exchange is saying is that in the authentication request the wireless
client (supplicant) says "Hi AP, I would like to authenticate", and the authentication response
from the AP states "OK, here you go". Do you see any kind of security in this setup?
Neither do I…

That is why Open Authentication should never be used, since it simply allows any client to
authenticate to the network, without the proper security check.

EAP-based 4-way handshake (with WPA/WPA2)

When a wireless client authenticates to the AP, both of them go through the 4-step
authentication process called the 4-way handshake. During those message exchanges, the shared
password is derived between AP and wireless client, without being transmitted in any of
those EAP messages.

The Pairwise Master Key (PMK) is something a hacker would like to collect, in order to
break the network encryption scheme. The PMK is only known to the Supplicant and
Authenticator, and is not shared anywhere in transit.

HOWEVER, the session keys are built from values that do travel in the clear: they are a
combination of ANonce, SNonce, PMK and the MAC addresses of Supplicant and Authenticator.
We may write that relation as the mathematical formula −

Session_keys = f(ANonce, SNonce, PMK, A_MAC, S_MAC)


In order to derive the PMK from that equation, one would have to break AES/RC4 (depending
on whether WPA2 or WPA is used). That is not easy, so the only practical approach is to
perform a brute-force or dictionary attack (assuming you have a really good dictionary).

It is definitely a recommended authentication approach to use, and definitely safer than using
Open Authentication.
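To make the formula above concrete, here is an added example (not the tutorial's code) that derives the PMK from a WPA/WPA2-Personal passphrase and then the session keys (the PTK) as IEEE 802.11i specifies, using only Python's standard library. The passphrase, MAC addresses and nonces in the demo are constructed values. It shows the two points the text makes: the PMK never leaves either side, and the session keys change with every handshake because the nonces do, while the only thing slowing an offline dictionary attack on a captured handshake is the fixed PBKDF2 work factor, which is why the passphrase itself has to be long and random.

```python
import hashlib
import hmac

# Added example (not the tutorial's code): the WPA/WPA2-Personal key hierarchy behind
# Session_keys = f(ANonce, SNonce, PMK, A_MAC, S_MAC). Derivations follow IEEE 802.11i;
# the passphrase, MAC addresses and nonces used in __main__ are constructed.

PBKDF2_ITERATIONS = 4096   # fixed by the standard for WPA-PSK
PTK_LEN_CCMP = 48          # PRF-384: KCK (16) || KEK (16) || TK (16)
PTK_LEN_TKIP = 64          # PRF-512: adds the two 8-byte Michael MIC keys


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). The SSID is
    the salt, so the same passphrase on two networks gives two different PMKs; the
    iteration count is the only per-guess cost an offline dictionary attack has to pay."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, a_mac, s_mac, anonce, snonce, nbytes=PTK_LEN_CCMP):
    """Pairwise Transient Key. The inputs are ordered min/max so AP and client compute the
    same PTK whichever role they hold; only the PMK is secret, the nonces and MACs are
    sent in the clear in handshake messages 1 and 2."""
    data = (min(a_mac, s_mac) + max(a_mac, s_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, nbytes)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    pmk = derive_pmk("correct horse battery staple", "LabNet1")   # constructed
    ap_mac = bytes.fromhex("020000000001")                        # constructed (locally administered)
    sta_mac = bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))        # constructed; real ones are random
    keys = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    for name, k in keys.items():
        print(name, k.hex())
    # A fresh ANonce on the next association yields entirely different session keys,
    # so a recorded handshake does not reveal a later session's keys.
    assert derive_ptk(pmk, ap_mac, sta_mac, bytes(32), snonce) != keys
```

The KCK is what protects the handshake messages' integrity check, the KEK wraps the group key, and the TK is the per-session key that CCMP (or TKIP, with the longer PRF-512 output) uses to encrypt data frames.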

Wi-Fi Chalking

Wi-Fi chalking was a very funny concept in the history of wireless LANs, mainly used
in the USA. The main idea was to mark the places where open-authentication WLANs or WLANs
with weak authentication were implemented. By doing that, everyone who found such a sign
somewhere on a wall or on the ground, written with chalk, could log in to the Wi-Fi
system without authentication. Smart, right?

You may just ask yourself - why chalk and not some kind of marker, spray or other more
permanent way of marking? The answer is simple and comes from criminal law - writing
with chalk was not considered an act of vandalism.

Wireless Security - Encryption

In general, encryption is the process of transforming data into some kind
of ciphertext that would be unintelligible to any 3rd party that intercepts the
information. Nowadays, we use encryption every single day without even noticing: every
time you access your web bank or mailbox, most often when you log in to any type of web
page, or when you create a VPN tunnel back to your corporate network.

Some information is too valuable not to be protected. And, to protect the information
efficiently, it must be encrypted in a way that would not allow an attacker to decrypt it. To be
honest with you guys - there is no fully secure encryption scheme. All the algorithms that we
use every day may be broken, but what is the likelihood of this happening with current
technology and time?

For example, it might take around eight years to break encryption "X" using new super-fast
computers. Is that risk big enough to stop using algorithm "X" for encryption? I doubt it; the
information to be protected might be outdated at that point in time.

Types of Wireless Encryption

To start speaking about wireless encryption, it is worth saying that there are 2 types of
encryption algorithms: Stream Cipher and Block Cipher.

 Stream Cipher − It converts plaintext into ciphertext in a bit-by-bit fashion.
 Block Cipher − It operates on fixed-size blocks of data.

The most common encryption algorithms are collected in the following table −

Encryption Algorithm | Type of encryption algorithm | Size of data block

RC4 | Stream cipher | ---
RC5 | Block cipher | 32/64/128 bits
DES | Block cipher | 56 bits
3DES | Block cipher | 56 bits
AES | Block cipher | 128 bits

The ones that you will most likely meet (in some form) on wireless networks are RC4
and AES.

WEP vs WPA vs WPA2

There are three widely known security standards in the world of wireless networking. The
biggest difference between those three is the security model they can provide.

Security Standard | Encryption algorithm | Authentication methods | Possibility of breaking the encryption

WEP | WEP (based on RC4) | Pre-Shared Key (PSK) | Initialization Vector (IV) collision attack; Weak Key Attack; Reinjection Attack; Bit flipping attack
WPA | TKIP (based on RC4) | Pre-Shared Key (PSK) or 802.1x | Cracking the password during the initial 4-way handshake (assuming that it's a relatively short password, <10 characters)
WPA2 | CCMP (based on AES) | Pre-Shared Key (PSK) or 802.1x | Cracking the password during the initial 4-way handshake (assuming that it's a relatively short password, <10 characters)

WEP was the first wireless "secure" model that was supposed to add authentication and
encryption. It is based on the RC4 algorithm and 24 bits of Initialization Vector (IV). This is
the biggest drawback of the implementation and leads to WEP being crackable within a few
minutes, using tools that anyone can have installed on their PC.

In order to enhance security, WPA2 was invented with a strong encryption model (AES)
and a very strong authentication model based on 802.1x (or PSK). WPA was introduced just
as a staging mechanism for a smooth transition to WPA2. A lot of wireless cards did not
support the new AES (at that time), but all of them were using RC4 + TKIP. Therefore WPA
was also based on that mechanism, just with a few advancements.

Weak Initialization Vectors (IV)

The Initialization Vector (IV) is one of the inputs to the WEP encryption algorithm. The whole
mechanism is presented in the following diagram −

As one can notice, there are two inputs to the algorithm: one is a 24-bit long IV (which
is also added to the final ciphertext in clear text) and the other is the WEP key. When trying
to crack this security model (WEP), one has to collect a large number of wireless data
frames (until a frame with a duplicate IV value is found).

Assuming that for WEP the IV has 24 bits, this means that it could take anything from two
frames (if you are lucky enough) to 2^24 + 1 frames (you collect every single possible IV value, and
then the very next frame must be a duplicate). From experience, I can say that on a
rather crowded wireless LAN (around 3 clients sending traffic all the time), it is a matter
of 5-10 minutes to get enough frames to crack the encryption and derive the PSK value.

This vulnerability is only present in WEP. The WPA security model uses TKIP, which solved the weak
IV problem by increasing its size from 24 bits to 48 bits and making other security enhancements to
the scheme. Those modifications made the WPA algorithm much more secure and resistant to
this type of cracking.
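The following Python is an added example (not from the tutorial) that shows why the 24-bit IV is fatal: it implements RC4, builds the WEP-style per-frame key IV || shared key, encrypts two constructed frames under the same IV, and recovers the XOR of their plaintexts from the ciphertexts alone, which is exactly the information an IV collision hands to an eavesdropper. It also computes the birthday-bound estimate of how many frames are expected before an IV repeats, which is much closer to the "5-10 minutes" quoted above than the 2^24 + 1 worst case. The key, IVs and frame contents are constructed.

```python
import math

# Added example (not the tutorial's code): a toy of the WEP weak-IV problem. RC4 is
# implemented in full; the 40-bit key, IVs and plaintexts in __main__ are constructed.


def rc4_keystream(key, n):
    """Textbook RC4 (KSA then PRGA) returning n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def wep_encrypt(wep_key, iv, plaintext):
    """WEP frame body: the 3-byte IV in clear, then plaintext XOR RC4(IV || key).
    (The real frame also carries a CRC-32 ICV, omitted here.)"""
    assert len(iv) == 3
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame1, frame2):
    """Two frames with the same IV (under the same key) share the keystream, which
    cancels out: C1 xor C2 = P1 xor P2. Returns that XOR, obtained without knowing the
    key, or None when the IVs differ. The same IV comparison is what a monitoring tool
    uses to flag IV repeats in a capture."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday bound: with uniformly random IVs a repeat is expected after roughly
    sqrt(pi/2 * 2^n) frames, far fewer than the 2^n + 1 worst case quoted in the text."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")        # constructed IV, reused by the sender
    p1 = b"GET /index.html"
    p2 = b"POST /login.cgi"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    leak = keystream_reuse_leak(c1, c2)
    print("P1 xor P2 recovered from ciphertexts only:", leak == xor_bytes(p1, p2))
    print("expected frames before an IV repeat: about %d" % expected_frames_until_iv_repeat())
```

Once P1 xor P2 is known, any guessable bytes in one frame (protocol headers are largely fixed) reveal the corresponding bytes of the other, which is the starting point of every practical WEP attack; the 48-bit TKIP sequence counter and, later, CCMP's per-packet nonce construction remove this reuse entirely.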

Feature | WEP (Wired Equivalent Privacy) | WPA (Wi-Fi Protected Access) | WPA2 (Wi-Fi Protected Access 2) | WPA3 (Wi-Fi Protected Access 3)

Introduction Year | 1997 | 2003 | 2004 | 2018
Encryption | RC4 cipher | TKIP (Temporal Key Integrity Protocol) with RC4 cipher | CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) with AES encryption | CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) with AES encryption or GCMP (Galois/Counter Mode Protocol)
Security | Weak; easily cracked | Improved over WEP but still has vulnerabilities | Strong security with AES; widely adopted | Enhanced security features like individualized encryption, protection against brute-force attacks
Authentication | Open System Authentication, Shared Key Authentication | Pre-shared Key (PSK) or Enterprise (802.1X) | Pre-shared Key (PSK) or Enterprise (802.1X) | Simultaneous Authentication of Equals (SAE) for personal, and 802.1X for enterprise
Key Management | Static keys | Dynamic keys | Strong key management | Improved key management
Vulnerabilities | Many; including easy to crack encryption and IV collisions | Vulnerable to dictionary attacks and has been superseded by WPA2 | Susceptible to KRACK (Key Reinstallation Attacks) under certain conditions | Designed to prevent known vulnerabilities in WPA2; however, complexity can introduce new vulnerabilities
Use Case | Obsolete due to security flaws | Should only be used if WPA2 or WPA3 is not available | Recommended for networks until WPA3 devices become more widespread | Recommended for all Wi-Fi users for enhanced security
Backward Compatibility | Compatible with all WEP-enabled devices | Compatible with devices since 2003 | Compatible with devices that support WPA2 | Limited compatibility; requires devices that support WPA3

UNIT - V CYBER ETHICS AND LAWS

Introduction to Cyber Laws, E-Commerce and E-Governance, Certifying Authority
and Controller, Offences under IT Act, Computer Offences and its penalty under
ISO 27001, IT Act 2000, Positive Aspects and weak areas of ITA 2000, Digital
signatures and the Indian ITA act, ITA 2008, and International Standards
maintained for Cyber Security, Security Audit, Investigation by
Investigating Agency, Intellectual Property Rights in Cyberspace.

Cyber ethics and laws are crucial components in the digital realm, governing the conduct and
practices of individuals and organizations online. They encompass a wide range of principles,
regulations, and legal frameworks designed to protect users, data, and digital assets, while
fostering a safe, respectful, and equitable online environment. Understanding both concepts is
essential for responsible digital citizenship and compliance in the rapidly evolving
cyberspace.

Cyber Ethics
Cyber ethics refers to the study and application of ethical principles and moral behaviors in
digital and online environments. It involves understanding what is right and wrong in the
cyber world, including respect for privacy, intellectual property rights, equality in access to
information, and freedom of expression. Cyber ethics also covers the responsible use of
technology, emphasizing the importance of not causing harm to others through cyberbullying,
hacking, or spreading malware.

Key Principles of Cyber Ethics:

Respect for Privacy: Protecting individuals' personal information and respecting their privacy
settings.
Intellectual Property Rights: Recognizing and honoring copyright, trademarks, and other
forms of intellectual property.
Non-Discrimination: Ensuring equal access to information and technology, regardless of race,
gender, disability, or economic status.
Freedom of Expression: Balancing free speech with respect for others, avoiding
cyberbullying, and hate speech.
Responsibility: Acknowledging the impact of one’s actions online and taking responsibility
for them.

Cyber Laws
Cyber laws, on the other hand, are the legal frameworks and regulations that govern
activities, transactions, and behaviors in cyberspace. They are implemented by governments
and international bodies to protect people and entities from cybercrimes, data breaches, and
other malicious activities online. Cyber laws cover a wide range of areas including data
protection, digital transactions, cybersecurity, copyright infringement, cyberbullying, and
more.

Key Aspects of Cyber Laws:


Data Protection and Privacy: Laws like the General Data Protection Regulation (GDPR) in
the EU and the California Consumer Privacy Act (CCPA) in the US regulate the collection,
storage, and use of personal data.
Cybercrime: Legislation targeting illegal activities online such as hacking, identity theft,
phishing, and distributing child pornography.
Intellectual Property: Laws protecting digital content and technology innovations, including
copyright, patents, and trademarks.
E-commerce: Regulations governing digital transactions and consumer rights online.
Freedom of Expression: Legal standards that protect individuals' rights to free speech online
while preventing defamation, harassment, and incitement.

Importance
The interplay between cyber ethics and laws is essential for creating a secure, trustworthy,
and inclusive digital world. Cyber ethics guides individual and organizational behavior,
promoting a culture of respect and responsibility online. Meanwhile, cyber laws provide the
legal structure to enforce these ethical standards, punish violators, and protect victims of
cybercrime and abuse.

In the digital age, where technology permeates every aspect of life, understanding and
adhering to cyber ethics and laws is vital for individuals, businesses, and governments. It
ensures that the benefits of digital technology can be enjoyed broadly and safely, with respect
for the rights and dignity of all internet users.

Cyber Laws

What is Cyber Law?

Cyber law, also known as cybercrime law or Internet law, refers to the legal framework that
governs activities and transactions in the digital realm. It encompasses a wide range of legal
principles, regulations, and statutes that address issues related to the Internet, computers,
networks, and electronic information.

Aspects of Cyber Law

Cyber law covers various aspects, including:

 Cybercrimes: Cybercrime defines and addresses illegal activities committed in the
digital space, such as hacking, identity theft, phishing, online fraud, cyberbullying,
harassment, distribution of malware, and other forms of unauthorised access or
disruption of computer systems.
 Data Protection and Privacy: Cyber law establishes rules and regulations regarding
the collection, storage, processing, and use of personal information. It ensures that
individuals’ privacy rights are protected and sets standards for organisations to handle
and secure personal data.
 Intellectual Property Rights: Cyber law deals with the protection of intellectual
property in the digital environment. It covers copyright infringement, software piracy,
trademark violations, and other online intellectual property-related offences.
 E-commerce and Online Transactions: Cyber law governs electronic transactions,
contracts, and digital signatures. It sets guidelines for online business activities,
consumer protection, electronic payments, and resolving disputes arising from e-
commerce transactions.
 Cybersecurity: Cyber law addresses the legal aspects of cybersecurity, including the
establishment of security standards, data breach notifications, incident response, and
liability for inadequate security measures. It aims to protect computer systems,
networks, and digital infrastructure from unauthorised access, attacks, and data
breaches.
 Digital Governance: Cyber law also encompasses legal aspects related to governance,
regulation, and jurisdiction in the digital space. It covers issues like cyber sovereignty,
cross-border data flows, cyber diplomacy, and international cooperation in combating
cybercrimes.

Legal Jurisdiction in Cyber Law

Cyber law defines the legal jurisdiction and enforcement mechanisms concerning cybercrimes.
It establishes provisions for investigating, prosecuting, and punishing offenders, both within
national boundaries and in collaboration with international counterparts.

Advantages of Cyber Laws in India

 Protection of Personal Information

One of the key advantages of cyber laws in India is the protection of personal information.
With the proliferation of digital platforms, the threat to privacy has become more pronounced.
Cyber laws enforce strict regulations on organisations and individuals handling personal data,
ensuring its confidentiality, integrity, and availability.

Compliance with these laws becomes paramount, as they safeguard against unauthorised
access, use, or disclosure of personal information. Individuals can confidently engage in digital
transactions, knowing that legal provisions protect their sensitive data. The advantages of cyber
laws are particularly evident in the context of data breaches and identity theft, where legal
frameworks provide remedies and redressal mechanisms to victims, offering a sense of security
and trust in the digital ecosystem.

 Prevention of Cybercrimes

Cyber laws play a crucial role in preventing and combating cybercrimes. They establish
provisions and penalties for various forms of digital offences, including hacking, identity theft,
online fraud, cyberbullying, and harassment. By criminalising such activities, cyber laws act
as a deterrent, dissuading potential offenders from engaging in unlawful behaviour.

The advantages of cyber laws are evident in the reduction of cybercrimes, as law enforcement
agencies can effectively investigate and prosecute offenders based on the legal frameworks
provided. These laws ensure that individuals and businesses can operate in a secure online
environment, fostering trust, and promoting a vibrant digital economy.

 Facilitation of E-commerce
Cyber laws in India provide a supportive environment for e-commerce transactions. They
establish legal frameworks for electronic contracts, digital signatures, and electronic payment
systems. These laws help build trust among buyers and sellers, as they ensure the enforceability
of electronic transactions and the validity of digital signatures.

By providing legal recognition to electronic commerce, cyber laws enable businesses to
leverage the benefits of the digital marketplace, expanding their reach and contributing to
economic growth. The advantages of cyber laws are evident in the increased convenience and
accessibility of online transactions, facilitating seamless trade across the country and globally.

 Safeguarding Intellectual Property

Intellectual property protection is a critical aspect of cyber laws in India. These laws address
copyright infringement, software piracy, and digital content protection issues. By safeguarding
intellectual property rights, cyber laws incentivise creativity, innovation, and technological
advancements.

The advantages of cyber laws in India can be seen through the promotion of a conducive
environment for artists, authors, inventors, and businesses to protect their creations and
inventions in the digital space. By providing legal remedies against intellectual property
violations, cyber laws foster an atmosphere of respect for creative endeavours and encourage
investment in research and development.

 Promotion of Cybersecurity

Cybersecurity is a pressing concern in today’s digital landscape, and cyber laws in India
prioritise the establishment of robust security measures. Organisations are required to
implement adequate cybersecurity protocols and safeguards to protect their digital
infrastructure and sensitive information. By mandating cybersecurity practices, cyber laws help
prevent unauthorised access, data breaches, and cyberattacks.

The advantages of cyber laws in India include:

 The enhancement of overall cybersecurity posture.
 Reducing vulnerabilities.
 Mitigating the risks associated with cyber threats.

These laws play a crucial role in ensuring the integrity and confidentiality of digital systems,
bolstering trust and confidence in the online ecosystem.

 Enablement of International Cooperation

Cybercrimes often transcend national boundaries, necessitating international cooperation to
address them effectively. Cyber laws in India enable collaboration with other countries through
bilateral and multilateral agreements. These agreements facilitate the exchange of information,
mutual legal assistance, and extradition of cyber criminals.

The advantages of cyber laws are apparent in the shared efforts to combat cross-border
cybercrimes, ensuring that offenders are brought to justice regardless of their geographical
location. By fostering international cooperation, cyber laws help create a united front against
cyber threats and establish a global framework for addressing digital offences.

 Redressal Mechanisms

Cyber laws provide individuals with accessible and effective redressal mechanisms in case of
cyber offences. Specialised cybercrime investigation cells, cyber tribunals, and dedicated
courts are established to handle cyber-related cases. These mechanisms ensure timely
resolution and justice for victims of cybercrimes, offering a sense of security and trust in the
legal system.

The advantages of cyber laws in India are evident in the establishment of efficient channels for
reporting, investigating, and prosecuting cybercrimes. This promotes accountability and serves
as a deterrent for potential offenders, reinforcing the importance of responsible and ethical
behaviour in the digital realm.

 Awareness and Education

Cyber laws in India emphasise the significance of awareness and education regarding
cybersecurity and digital rights. These laws promote initiatives to educate individuals,
businesses, and government agencies about best practices, safe online behaviour, and legal
obligations.

By fostering digital literacy, the advantages of cyber laws extend to the empowerment of
individuals to protect themselves from cyber threats, make informed decisions online, and
exercise their digital rights. Through awareness campaigns, training programs, and public-
private partnerships, cyber laws contribute to creating a digitally literate society capable of
navigating the complexities of the digital world.

Feature: Cyber Laws vs Conventional Laws

Domain of Application
  Cyber laws: Govern activities in digital and online environments, including the internet,
  networks, and computer systems.
  Conventional laws: Apply to a wide range of offline, physical-world activities and interactions
  among individuals, organizations, and states.

Focus Areas
  Cyber laws: Cybercrime, digital transactions, intellectual property in the digital context,
  privacy and data protection online, cybersecurity measures.
  Conventional laws: Criminal law, civil rights, property law, family law, contract law,
  administrative law, and many other areas not specifically related to the digital or online
  environment.

Legal Challenges
  Cyber laws: Rapid technological evolution, jurisdiction issues due to the global nature of the
  internet, anonymity of users, digital evidence collection and preservation.
  Conventional laws: Physical evidence management, geographical jurisdiction; more stable and
  slower to evolve compared to cyber law areas.

Key Legislation Examples
  Cyber laws: General Data Protection Regulation (GDPR), Computer Fraud and Abuse Act (CFAA),
  Anti-Cybersquatting Consumer Protection Act.
  Conventional laws: Universal Declaration of Human Rights, The Constitution of the United States,
  The Indian Penal Code, The Magna Carta.

Stakeholders
  Cyber laws: Individuals and entities engaging in online and digital activities, tech companies,
  internet service providers.
  Conventional laws: General public, government bodies, corporations, non-digital businesses,
  families and individuals in various capacities.

Enforcement Mechanisms
  Cyber laws: Specialized cyber crime police units, international cooperation through INTERPOL
  and other agencies, digital forensics tools.
  Conventional laws: Police, courts, traditional investigative and enforcement agencies at local,
  national, and international levels.

Adjudication Bodies
  Cyber laws: Specialized cyber tribunals and courts, regulatory agencies focused on internet
  governance.
  Conventional laws: Conventional courts and tribunals, family courts, administrative courts,
  supreme courts.

Nature of Crimes
  Cyber laws: Cybercrimes such as hacking, phishing, identity theft, online fraud, copyright
  infringement online.
  Conventional laws: Traditional crimes including theft, assault, murder, fraud (not committed
  online), property disputes.

Adaptability
  Cyber laws: Must rapidly adapt to the evolving digital landscape and emerging technologies.
  Conventional laws: Change more slowly, reflecting shifts in societal norms, values, and
  technologies over longer periods.

E-Commerce and E-Governance

The “e” stands for electronic. Electronic governance or e-governance can be defined as the
application of information and communication technology (ICT) for providing government
services, exchange of information, transactions, integration of previously existing services and
information portals.

E-governance can be considered a tool for leveraging the potential of ICT to improve the
effectiveness of government activities and strengthen the democratic process, leading to more
empowered citizens and more transparent government offices.

Elements of E-Governance

The 3 most basic and common groups that are involved with the process of governance are:

(1) Citizens / General Public

(2) Government’s own organs or departments

(3) Business groups / Investors

Types of E-Governance

(1) GOVERNMENT-TO-CITIZEN (G2C): The largest number of government services fall under
the head of G2C services, which are used by the general public. These services help ordinary
people minimise the time and cost spent in carrying out a transaction. A citizen can avail of the
facility 24x7 from anywhere in the world.

Various G2C services of both central and state governments have been integrated on the Digital
Seva Portal, which is accessible to citizens in the rural and remote areas of the country. Some
day-to-day examples of G2C services are: (a) Bharat BillPay (b) FASTag (c) Passport services
(d) PAN Card / Aadhaar Card facility (e) Swachh Bharat Abhiyan and so on.

(2) GOVERNMENT-TO-GOVERNMENT (G2G): The need for active and quick interaction
between different government departments, firms and agencies called for G2G services, so as
to increase the efficiency of government working. These services enable government
departments to work together and share the same database using online communication.

G2G services take place at both the local (domestic) level and the international level. At the
local level, these services let different departments access the same information from any
corner of the country, whereas at the international level they improve coordination and
relations between governments.

Some examples of G2G services are: (a) the SmartGov initiative of the Andhra Pradesh
government; (b) the Khajane Project undertaken by the Karnataka government to manage
treasury-related activities; (c) the Northeast Gang Information System (NEGIS).

(3) GOVERNMENT-TO-BUSINESS (G2B): The exchange of services between government
and business entities is what comprises G2B services. Such services provide the government
with timely information about the businesses in its area, while business organisations get easy
online access to government agencies and their working, independent of time and place, which
in turn increases transparency.

Some of the areas where G2B services have been provided are: (a) Online GST facility (b)
MSME Samadhaan (c) Government e-Marketplace (GeM) (d) MCA e-forms

(4) GOVERNMENT-TO-EMPLOYEE (G2E): Provides online facilities to employees to bring
them together and improve knowledge sharing. Here the government is a major employer and
has to interact with its employees on a regular basis. Such services improve the day-to-day
functioning of the bureaucracy and, at the same time, serve the employees.

Examples of G2E services are: (a) Online salary payment (b) Applying for leave online (c)
Online insurance or health care facility provided by the employer (d) Checking the balance of
holidays

Advantages of E-Governance

(1) Transparency and accountability

(2) Better service delivery to citizens

(3) Citizen empowerment through access to information

(4) Minimal corruption in the administration

(5) Improved efficiency within Government departments and agencies

(6) Savings on cost and time

(7) Easy and quick implementation

(8) Better and easy communication

Challenges of E-Governance

Issues that the field of electronic governance faces can be categorised into 3 kinds, viz. (a)
Economic (b) Social (c) Technical, which are discussed in detail below:

[A] Economic Challenges –

Any issue which involves spending public money can be considered an economic challenge, as
e-governance is a costly affair. Such issues include:

(1) Cost: Anything related to technology does not come cheap. Therefore, to install a good
electronic governance system, the government has to bear the heavy cost of technology and of
training the staff to work with the updated technology.

(2) Reusability: Technology changes so fast that it is difficult to reuse existing technology and
save on cost, which increases the cost further.

(3) Maintainability: Technical devices need timely updates to keep running properly and
efficiently.

[B] Technical Challenges –

Whether it is the installation or the running of technical systems, neither can be done without
proper knowledge and guidance. Issues relating to such factors are listed below:

(1) Interoperability: Systems built by different departments on different platforms must be able
to exchange and interpret each other's data. Without common standards and proper guidance,
such systems are hard to integrate and operate.

(2) Privacy & Security: Any data that citizens provide to the government needs to be protected
by the government. Leakage of data can shake people's faith in the government.

(3) Authenticity: It is not just the government that is upgrading with time; hackers and providers
of false information are too. Therefore, it is necessary to be able to verify the authenticity of
the data being provided and of the party providing it.

[C] Social Issues –

Suppose the government has provided the facilities online; of what use will they be unless
ordinary people know how to avail of them? Some such issues are discussed below:

(1) Accessibility: Unless an ordinary person is able to access the facilities provided by the
government, they will be of no use, and there are still some parts of the country which are
unreached by the internet or by up-to-date technology.

(2) Usability: Even if the government arranges accessibility, citizens will still have to learn
how to use the facility provided.

(3) Use of local language: In the initial days, the internet was available only in foreign
languages, which was another hurdle to the adoption of the technology; it was removed
gradually by bringing local languages into use.

(4) Awareness: Any facility brought in will be useful only when citizens are aware of it, which
the government should ensure by running campaigns, seminars and other such social
awareness programmes.

Solutions to the Challenges of E-Governance

(1) Proper Administration: Change or a new system has always been resisted. Therefore, proper
administration is required to run e-governance properly and efficiently.

(2) Hybrid Approach: A hybrid approach needs to be adopted for enhancing interoperability
among e-governance applications, encompassing a centralised approach for document
management, knowledge management, file management, grievance management and the like.

(3) Awareness: Government should engage NGOs to take up the task of spreading knowledge
and making people aware of electronic governance services in the villages, by identifying the
grassroots reality.

(4) Dedicated Legislation: Legislation is always needed for proper implementation. Framing
proper legislation dedicated to e-governance will smooth the establishment and implementation
of the project.

(5) Customised capacity-building mechanisms: Government should devise appropriate, feasible,
distinct and effective capacity-building mechanisms according to the needs of the distinct
groups of stakeholders, viz. bureaucrats, rural masses, urban masses, elected representatives,
etc.

Feature: E-Commerce vs E-Governance

Definition
  E-Commerce: E-Commerce, short for electronic commerce, refers to the buying and selling of
  goods or services using the internet, and the transfer of money and data to execute these
  transactions.
  E-Governance: E-Governance, or electronic governance, is the application of information and
  communication technology (ICT) for delivering government services, exchange of information,
  communication transactions, integration of various stand-alone systems and services between
  government-to-citizen (G2C), government-to-business (G2B), government-to-government (G2G)
  as well as back office processes and interactions within the entire government framework.

Primary Focus
  E-Commerce: The primary focus is on enhancing the consumer experience, increasing sales, and
  maximizing profit by leveraging the online platform to reach a global audience.
  E-Governance: The focus is on improving government service delivery to citizens, enhancing the
  efficiency of public administration, and promoting transparency and accountability in
  government operations.

Stakeholders
  E-Commerce: Businesses (sellers) and consumers are the main stakeholders.
  E-Governance: Citizens, businesses, and government entities are the key stakeholders.

Key Activities
  E-Commerce: Online shopping websites, electronic payment, online auctions, internet banking,
  and online ticketing.
  E-Governance: Public service delivery (such as licensing, permits, tax filing), public
  procurement, electronic voting, and digital identity services.

Technologies Used
  E-Commerce: Web technologies, electronic payment systems, supply chain management systems,
  electronic data interchange (EDI), mobile commerce.
  E-Governance: Cloud computing, big data analytics, mobile technology, online portals,
  electronic identification (eID), blockchain.

Benefits
  E-Commerce: Increases market reach, reduces costs, improves availability, and offers
  personalized shopping experiences.
  E-Governance: Enhances the accessibility of government services, reduces corruption, increases
  transparency, and improves public sector efficiency.

Challenges
  E-Commerce: Security concerns, privacy issues, return and refund policies, logistical
  challenges.
  E-Governance: Digital divide, privacy and security concerns, resistance to change among public
  officials, integration of IT systems across government departments.

Legal Perspective of E-Governance

There is no legislation in our country dedicated particularly and solely to the field of electronic
governance. However, some existing laws in India do apply to electronic governance, and these
are discussed briefly below.

(1) RIGHT TO INFORMATION ACT, 2005

The Indian RTI Act is similar to the Canadian law. In India, unlike under the UK and US laws,
the RTI Act gives citizens direct access to the Central Information Commission in case
information is denied to them by any department of the government. Such access avoids delays
in the procedure for granting citizens their basic right to information and spares them the
hardship of going through the courts to enforce that right.

The RTI Act ensures transparency in the functioning of the government by placing an obligation
on the government at all levels, and on its departments, to provide the common person with
information about the policies, rules and regulations passed by them. The Act also provides for
penalties in case the government fails to provide citizens with the appropriate information in a
timely and proper manner.

To help the government provide citizens with information, the Department of Information
Technology is spreading the use of technology through the system of electronic governance and
websites that display all the information for easy access by citizens.

For the Act to be more effective, there needs to be better information flow among people at the
village level, who are unaware of their rights; that is where the grassroots problem lies and
where efforts are lacking. The government needs to support NGOs to create awareness at the
level where it is needed most. Still, the RTI Act does not fully secure its own proper
implementation, due to a lack of enforcement procedures, which the government of the country
needs to take care of.

(2) INFORMATION TECHNOLOGY ACT, 2000

India's legal framework for all things 'e' (electronic) was promulgated as the IT Act, 2000. The
Act also effected consequential amendments in the Indian Penal Code, the Indian Evidence Act,
1872, and the RBI Act, 1934, bringing all of them in line with the requirements of digital
transactions.

Ever given a thought to what happens if the data that citizens provide to the government gets
leaked or is used for some other purpose? Such issues are dealt with by the IT Act, so as not to
shake the trust and confidentiality that a common person places in the government.

(1) Section 4 – Legal recognition of electronic records:

Whenever any law provides that information or any other matter shall be written, typewritten
or in printed form, information in electronic form would also be considered in the same. Such
information will also be accessible for subsequent references.

(2) Section 5 – Legal recognition of digital signature:

Wherever a person's signature is required to authenticate a document or information, it can
also be authenticated by a digital signature, in the manner prescribed by the government.

(3) Section 6 – Use of electronic records and signature in government and its agencies:

If a citizen needs to file a form, application or document with a government owned or controlled
office, agency, body or authority, or such a body needs to grant or issue any licence, sanction,
permit or approval, or to receive or pay money, it can also be done in electronic form in the
government-approved format.

(4) Section 7 – Retention of electronic records:

Wherever a law requires the retention of certain records, documents or information for a
specific period, such retention can also be made in electronic form, provided that the
information is accessible and usable for subsequent reference, the electronic record is retained
in the format in which it was originally generated (or in a format that accurately represents the
original information), and the electronic record contains the details (such as origin, destination,
date and time of despatch or receipt) that the law requires.

(5) Section 8 – Publication of rules, regulations, etc., in the Electronic Gazette:

Any official regulation, rule, by-law, notification or other matter required to be published in the
Official Gazette can be published either in the Official Gazette or in the Electronic Gazette. The
date of publication will be the date on which the Gazette was first published in either form –
Official or Electronic.

(6) Section 43 – Penalty and compensation for damage to computer, computer system, etc.:

Though there are mechanisms such as cryptography and passwords to ensure the security of
documents, government systems still face threats from the other techniques adopted by hackers.
This section addresses unauthorised access to a computer, computer system or network (and
acts such as downloading data, introducing viruses or causing damage) by making the person
responsible liable to pay damages by way of compensation to the person affected.

(7) Section 69 – Power to issue directions for interception or monitoring or decryption of
any information through any computer resource:

In PUCL v. Union of India it was held that the procedure is inadequate, as the Controller has
been given discretionary power and there is no provision for hearing the accused before
penalising him. Therefore proper guidelines need to be laid down in this regard to maintain the
balance between the citizens' right to privacy and the provisions for search and seizure under
the Act.

(8) Section 72 – Penalty for breach of confidentiality and privacy:

This section is aimed only at persons who have secured access to data in exercise of powers
conferred under the Act: its scope extends to the Adjudicating Officers, members of the Cyber
Regulations Appellate Tribunal (CRAT) and Certifying Authorities under the Act, if they breach
the confidentiality or privacy of any data accessible to them.

Certifying Authority and Controller

Appropriate Bodies for Redressing Civil and Criminal Offence

 Certifying Authorities under IT Act 2000

 Controller Under IT Act-2000

Role of Certifying Authorities under IT Act 2000

The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate
the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature
certificates for the electronic authentication of users. The Controller of Certifying Authorities
(CCA) has been appointed by the Central Government under Section 17 of the Act for the
purposes of the IT Act. The Office of the CCA came into existence on November 1, 2000. It
aims at promoting the growth of E-Commerce and E-Governance through the wide use of
digital signatures.

The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of
India (RCAI) under section 18(b) of the IT Act to digitally sign the public keys of Certifying
Authorities (CAs) in the country. The RCAI is operated as per the standards laid down under
the Act. The CCA certifies the public keys of CAs using its own private key, which enables
users in cyberspace to verify that a given certificate was issued by a licensed CA. For this
purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the
Repository of Digital Certificates, which contains all the certificates issued to the CAs in the
country.

Role of Certifying Authorities:

A Certificate Authority (CA) is a trusted entity that issues Digital Certificates and public/private
key pairs. The job of the Certificate Authority (CA) is to ensure that the individual granted the
unique certificate is, in fact, who he or she claims to be.

The Certificate Authority (CA) checks that the owner of the certificate is who he says he is. A
Certificate Authority (CA) can be a trusted third party which is responsible for physically
verifying the legitimacy of the identity of an individual or organisation before issuing a digital
certificate. A Certificate Authority (CA) can be an external (public) Certificate Authority such
as VeriSign, Thawte or Comodo, or an internal (private) Certificate Authority set up within our
own network. A Certificate Authority (CA) is a basic security service in a network. The
Controller performs some or all of the following roles in respect of CAs:

1. Supervise the activities of the Certifying Authorities and certify their public keys.
2. Lay down the standards that the Certifying Authorities must follow.
3. Specify:
   (a) the qualifications and experience requirements of the employees of all Certifying
   Authorities;
   (b) the conditions that the Certifying Authorities must follow for conducting business;
   (c) the contents of the printed, written and visual materials and advertisements in respect of
   the digital signature and the public key;
   (d) the form and content of a digital signature certificate and the key;
   (e) the form and manner in which the Certifying Authorities maintain accounts;
   (f) the terms and conditions for the appointment of auditors and their remuneration.
4. Facilitate the Certifying Authorities in establishing an electronic system, either solely or
jointly with other Certifying Authorities, and regulate such systems.
5. Specify the manner in which the Certifying Authorities deal with subscribers.
6. Resolve any conflict of interest between the Certifying Authorities and the subscribers.
7. Lay down the duties of the Certifying Authorities.
8. Maintain a database containing the disclosure record of every Certifying Authority with all
the particulars required by the regulations. This database is open to the public.

A Certificate Authority (CA) performs the following functions:

Verifies identity: The Certificate Authority (CA) must validate the identity of the entity that
requested a digital certificate before issuing it.

Issues digital certificates: Once the validation process is complete, the Certificate Authority
(CA) issues the digital certificate to the entity that requested it. Digital certificates can be used
for encryption (for example, encrypting web traffic), code signing, authentication and so on.

Maintains a Certificate Revocation List (CRL): A certificate revocation list (CRL) is a list of
digital certificates which are no longer valid and have been revoked, and which therefore should
not be relied upon by anyone.

A Certificate Authority (CA) is the sole kind of entity that issues and signs SSL certificates,
verifying and vouching for the trustworthiness of their owners. Publicly trusted CAs follow the
guidelines and requirements of the CA/Browser Forum (CA/B Forum) and are audited annually
to ensure their compliance. The CA is a central element when talking about SSL certificates.
The CA identifies and verifies the identity of the SSL certificate's owner when issuing and
signing the SSL certificate. Depending on the type of SSL certificate, the CA thoroughly checks
the applicant's domain name, business and personal information and other credentials before
issuing the certificate.
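The checks described in the two passages above (a root that certifies a CA's public key, a CA that certifies a subscriber's identity, and a CRL that the CA publishes and a relying party consults) as one runnable example using only Go's standard library. This is an added illustration and is not code from the CCA, from any licensed CA or from the original notes. The names "Example Root CA", "Example Licensed CA" and "Subscriber", the serial numbers and the 24-hour validity are constructed for the example and correspond to no real certificate. It goes slightly beyond the text in two places: it shows that a self-signed certificate copying the subscriber's name fails the chain check, and that a CRL whose signature does not verify against the CA is rejected before its contents are believed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hierarchy is the three-tier arrangement described above: a self-signed root (the
// RCAI's role), a licensed CA certified by it, and a subscriber certificate from that CA.
type Hierarchy struct {
	Root, CA, Leaf *x509.Certificate
	caKey          *ecdsa.PrivateKey // kept so the CA can sign a CRL later
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate body; only CA templates get the usages for signing certs and CRLs.
// Names and validity period are constructed for this example.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"IN"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue generates a key pair for the subject and has signer (the parent's private key, or the
// new key itself when parent is nil, i.e. self-signed) sign tmpl. Returns the cert and its key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Build has the root certify the CA's public key and the CA certify the subscriber's.
func Build() *Hierarchy {
	root, rootKey := issue(template("Example Root CA", 1, true), nil, nil)
	ca, caKey := issue(template("Example Licensed CA", 2, true), root, rootKey)
	leaf, _ := issue(template("Subscriber", 3, false), ca, caKey)
	return &Hierarchy{Root: root, CA: ca, Leaf: leaf, caKey: caKey}
}

// ChainsToRoot is the relying party's check: trusting only the root's public key, can cert be
// chained to it through a CA whose key the root has signed? (Verify does not consult CRLs.)
func (h *Hierarchy) ChainsToRoot(cert *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.CA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// Impostor is a self-signed certificate copying the subscriber's name and serial; it must fail
// ChainsToRoot because no CA in the hierarchy signed it.
func Impostor() *x509.Certificate {
	c, _ := issue(template("Subscriber", 3, false), nil, nil)
	return c
}

// IssueCRL has the CA publish a signed revocation list naming one certificate by serial number.
func (h *Hierarchy) IssueCRL(revoked *x509.Certificate) []byte {
	rl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}
	return must(x509.CreateRevocationList(rand.Reader, rl, h.CA, h.caKey))
}

// IsRevoked trusts the CRL only after checking the CA's signature on it; a list that does not
// verify is an error (fail closed), never a silent "not revoked".
func (h *Hierarchy) IsRevoked(cert *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(h.CA)
	}
	if err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Build() plays the roles of the RCAI and the licensed CA in one process so that the whole chain can be inspected offline; in practice the root key never leaves the RCAI and the CA key never leaves the CA. The two checks a relying party needs are ChainsToRoot and IsRevoked, and they are deliberately separate: Go's Verify walks the chain but never looks at a CRL, and a CRL whose signature does not check out against the issuing CA must be treated as an error rather than as evidence that a certificate is still good.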

Role of the Controller Under IT Act-2000

The Controller may carry out all or any of the following functions:

1) Supervises the activities of Certifying Authorities.

2) Certifies the public keys of the Certifying Authorities.

3) Lays down the standards to be maintained by the Certifying Authorities.

4) Specifies the qualifications and experience of employees of the Certifying Authorities.

5) Specifies the conditions under which the Certifying Authorities shall conduct their business.

6) Specifies the contents of written, printed or visual materials and advertisements that may be
distributed or used in respect of a Digital Signature Certificate and the public key.

7) Specifies the form and content of a Digital Signature Certificate and the key.

8) Specifies the form and manner in which Certifying Authorities shall maintain their accounts.

9) Specifies the terms and conditions for the appointment of auditors and their remuneration.

10) Facilitates the Certifying Authorities in establishing any electronic system, and regulates
such systems.

11) Specifies the manner in which the Certifying Authorities shall deal with the subscribers.

12) Resolves any conflict of interest that arises between the Certifying Authorities and the
subscribers.

13) Lays down the duties of the Certifying Authorities.

14) Maintains a database containing the disclosure record of every Certifying Authority.

15) Maintains the database of public keys in a manner that makes it accessible to the public.

16) Issues the licence to issue Digital Signature Certificates.

17) Can suspend or revoke a licence where the holder is found not to meet the conditions on
which it was granted.


Feature: Certifying Authorities (CAs) vs Controller of Certifying Authorities (CCA)

Primary Role
  CAs: Issue digital certificates to validate the identity of the certificate holder and to
  associate public keys with identities.
  CCA: Supervises and regulates the activities of the CAs, ensuring adherence to the IT Act 2000.

Functions
  CAs: Issue digital certificates; revoke digital certificates; maintain a repository of issued
  certificates; ensure security practices are followed.
  CCA: License and regulate CAs; ensure compliance with the IT Act; maintain a public repository
  of digital signature certificates; operate the Root Certifying Authority of India; lay down
  standards for the working of CAs.

Authority
  CAs: Operate under the licence and guidelines issued by the CCA.
  CCA: Operates under the IT Act 2000, with the authority to license and regulate CAs.

Responsibilities
  CAs: Authenticate the identity of applicants before issuing certificates; ensure the privacy
  and confidentiality of applicants; maintain a secure infrastructure for certificate issuance.
  CCA: Frame policies regarding the issuance, suspension, and revocation of digital certificates;
  audit the performance of CAs; advise the Government on matters related to secure electronic
  commerce transactions.

Regulatory Oversight
  CAs: Subject to audit and regulation by the CCA to ensure compliance with the IT Act and the
  standards set by the CCA.
  CCA: Has the ultimate authority for regulatory oversight over CAs, including licensing,
  monitoring, and enforcing compliance.

Examples
  CAs: e-Mudhra, Sify Technologies, and nCode Solutions are examples of licensed CAs in India.
  CCA: The CCA is a government office, part of the Indian Ministry of Electronics and
  Information Technology (MeitY).
Offences under the IT Act, 2000

Section 65. Tampering with computer source documents:
Whoever knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly
causes another to conceal, destroy or alter, any computer source code used for a computer,
computer programme, computer system or computer network, when the computer source code
is required to be kept or maintained by law for the time being in force, shall be punishable with
imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with
both.

Explanation: For the purpose of this section “computer source code” means the listing of
programmes, computer commands, design and layout and programme analysis of computer
resource in any form.

Object: The object of the section is to protect the “intellectual property” invested in the
computer. It is an attempt to protect the computer source documents (codes) beyond what is
available under the Copyright Law

Essential ingredients of the section:


1. knowingly or intentionally concealing ,
2. knowingly or intentionally destroying,
3. knowingly or intentionally altering,
4. knowingly or intentionally causing others to conceal,
5. knowingly or intentionally causing another to destroy,
6. knowingly or intentionally causing another to alter.
This section supplements the Copyright Act and helps companies protect the source code of
their programmes.
Trial: Section 65 is tried by any magistrate. The offence is cognizable and non-bailable.
Penalties: Imprisonment up to 3 years and / or
Fine: up to two lakh rupees.

Case Laws:
1. Frios v/s State of Kerala
Facts: In this case the FRIENDS application software was declared a protected system by
notification under Section 70. The author of the application challenged the notification and the
constitutional validity of Section 70. The court upheld the validity of both.

The case also dealt with tampering with source code: computer source code need not be in
electronic form, it can also be printed on paper.
Held: The court held that tampering with source code, i.e. altering, concealing or destroying
it, is punishable with imprisonment of up to three years and/or a fine of up to two lakh rupees.

2. Syed Asifuddin case:

Facts: In this case Tata Indicom employees were arrested for manipulating the 32-bit Electronic
Serial Number (ESN) programmed into cell phones that were exclusively franchised to Reliance
Infocomm.
Held: The court held that tampering with source code invokes Section 65 of the Information
Technology Act.

3. Parliament Attack Case:

Facts: In this case several terrorists attacked Parliament House on 13 December 2001. Digital
evidence played an important role in their prosecution. The accused argued that computers and
electronic evidence can easily be tampered with and hence should not be relied upon.

Several smart storage devices, disks and a laptop were recovered from the truck intercepted at
Srinagar pursuant to information given by two suspects. The laptop contained evidence of fake
identity cards, video files containing clips of political leaders with Parliament in the
background shot from TV news channels, the design of a Ministry of Home Affairs car sticker,
and a game "wolf pack" with the user name 'Ashiq', which was also a name on one of the fake
identity cards used by the terrorists. No back-up copy of the evidence had been taken, and it
was therefore challenged in court.

Held: Challenges to the accuracy of computer evidence must be established by the challenger.
Mere theoretical and generic doubts cannot be cast on the evidence.

Section 66. Hacking with the computer system:

(1) Whoever with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Explanation: The section defines the hacking activity.

Essential ingredients of the section:

1. Whoever, with intention or knowledge,
2. causes wrongful loss or damage to the public or any person,
3. by destroying or altering any information residing in a computer resource,
4. or diminishing its value or utility, or
5. affecting it injuriously by any means.
Penalties: Punishment: Imprisonment up to three years and/or
Fine: which may extend up to two lakh rupees, or with both.

Case Laws:
1. R v/s Gold & Schifreen
In this case it was observed that the accused gaining access to files on British Telecom's Prestel Gold computer network amounted to a dishonest trick and not a criminal offence.

2. R v/s Whiteley
In this case the accused gained unauthorized access to the Joint Academic Network (JANET), deleted and added files, and changed passwords to deny access to the authorized users.

The purpose of the section is not merely to protect the information but to protect the integrity and security of computer resources from attacks by unauthorized persons seeking to enter such resources, whatever their intention or motive.

Cases Reported In India:

Official website of Maharashtra government hacked.

The official website of the government of Maharashtra was hacked by a group calling itself "Hackers Cool Al-Jazeera", who claimed to be from Saudi Arabia.

Computer Offences and their penalties under ISO 27001

Section 65. Tampering with computer source documents
Whoever knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal, destroy or alter, any computer source code used for a computer, computer program, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation − For the purpose of this section "computer source code" means the listing of programs, computer commands, design and layout and program analysis of computer resource in any form.
Object − The object of the section is to protect the "intellectual property" invested in the computer. It is an attempt to protect the computer source documents (codes) beyond what is available under the Copyright Law.
Essential ingredients of the section
1. knowingly or intentionally concealing
2. knowingly or intentionally destroying
3. knowingly or intentionally altering
4. knowingly or intentionally causing others to conceal
5. knowingly or intentionally causing another to destroy
6. knowingly or intentionally causing another to alter.
This section extends to the Copyright Act and helps companies protect the source code of their programs.
Penalties − Section 65 is triable by any magistrate.
This is a cognizable and non-bailable offence.
Penalties − Imprisonment up to 3 years and/or
Fine − Two lakh rupees.

The following table shows the offence and penalties against all the mentioned sections of the I.T. Act −

| Section | Offence | Punishment | Bailability and Cognizability |
|---|---|---|---|
| 65 | Tampering with Computer Source Code | Imprisonment up to 3 years or fine up to Rs 2 lakhs | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66 | Computer Related Offences | Imprisonment up to 3 years or fine up to Rs 5 lakhs | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66-A | Sending offensive messages through Communication service, etc. | Imprisonment up to 3 years and fine | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66-B | Dishonestly receiving stolen computer resource or communication device | Imprisonment up to 3 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66-C | Identity Theft | Imprisonment of either description up to 3 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66-D | Cheating by Personation by using computer resource | Imprisonment of either description up to 3 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66-E | Violation of Privacy | Imprisonment up to 3 years and/or fine up to Rs. 2 lakh | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 66-F | Cyber Terrorism | Imprisonment which may extend to imprisonment for life | Offence is Non-Bailable, Cognizable and triable by Court of Sessions |
| 67 | Publishing or transmitting obscene material in electronic form | On first conviction, imprisonment up to 3 years and/or fine up to Rs. 5 lakh. On subsequent conviction, imprisonment up to 5 years and/or fine up to Rs. 10 lakh | Offence is Bailable, Cognizable and triable by Court of JMFC |
| 67-A | Publishing or transmitting of material containing sexually explicit act, etc. in electronic form | On first conviction, imprisonment up to 5 years and/or fine up to Rs. 10 lakh. On subsequent conviction, imprisonment up to 7 years and/or fine up to Rs. 10 lakh | Offence is Non-Bailable, Cognizable and triable by Court of JMFC |
| 67-B | Publishing or transmitting of material depicting children in sexually explicit act, etc., in electronic form | On first conviction, imprisonment of either description up to 5 years and/or fine up to Rs. 10 lakh. On subsequent conviction, imprisonment of either description up to 7 years and/or fine up to Rs. 10 lakh | Offence is Non-Bailable, Cognizable and triable by Court of JMFC |
| 67-C | Intermediary intentionally or knowingly contravening the directions about preservation and retention of information | Imprisonment up to 3 years and fine | Offence is Bailable, Cognizable |
| 68 | Failure to comply with the directions given by Controller | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Non-Cognizable |
| 69 | Failure to assist the agency referred to in sub-section (3) in regard to interception or monitoring or decryption of any information through any computer resource | Imprisonment up to 7 years and fine | Offence is Non-Bailable, Cognizable |
| 69-A | Failure of the intermediary to comply with the direction issued for blocking public access to any information through any computer resource | Imprisonment up to 7 years and fine | Offence is Non-Bailable, Cognizable |
| 69-B | Intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) in regard to monitoring and collecting traffic data or information through any computer resource for cybersecurity | Imprisonment up to 3 years and fine | Offence is Bailable, Cognizable |
| 70 | Any person who secures access or attempts to secure access to the protected system in contravention of the provisions of Sec. 70 | Imprisonment of either description up to 10 years and fine | Offence is Non-Bailable, Cognizable |
| 70-B | Indian Computer Emergency Response Team to serve as national agency for incident response. Any service provider, intermediaries, data centres, etc., who fail to provide the information called for or comply with the direction issued by the ICERT | Imprisonment up to 1 year and/or fine up to Rs. 1 lakh | Offence is Bailable, Non-Cognizable |
| 71 | Misrepresentation to the Controller or to the Certifying Authority | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Non-Cognizable |
| 72 | Breach of Confidentiality and privacy | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Non-Cognizable |
| 72-A | Disclosure of information in breach of lawful contract | Imprisonment up to 3 years and/or fine up to Rs. 5 lakh | Offence is Cognizable, Bailable |
| 73 | Publishing electronic Signature Certificate false in certain particulars | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Non-Cognizable |
| 74 | Publication for fraudulent purpose | Imprisonment up to 2 years and/or fine up to Rs. 1 lakh | Offence is Bailable, Non-Cognizable |

OR

| Computer Offences | Penalty under National Laws (Examples) | ISO 27001 Practices/Controls |
|---|---|---|
| Unauthorized Access (Hacking) | Varies by country; can include fines and imprisonment. For instance, under the UK's Computer Misuse Act, it can lead to up to two years in prison. | Access control policies (A.9), user access management (A.9.2), and system and application access control (A.9.4). |
| Data Breach (Loss of Confidentiality) | Penalties depend on the jurisdiction and the severity. Under GDPR, fines can go up to €20 million or 4% of the annual global turnover. | Information security policies (A.5), operations security (A.12), and information security incident management (A.16). |
| Data Integrity Violation | Fines and/or imprisonment, depending on the impact and jurisdiction. For instance, in the US, violations can result in significant financial penalties under various laws. | Cryptographic controls (A.10) for the protection of information, and information backup (A.12.3) for ensuring data integrity. |
| Misuse of Information | Legal consequences include fines and corrective orders, especially if it involves personal data under privacy laws like GDPR. | Human resource security (A.7) to ensure employees understand their responsibilities, and privacy and protection of personally identifiable information (A.18). |
| Denial of Service Attacks | Legal penalties include imprisonment and fines, based on the laws of the country. The US, for example, can impose up to 10 years in prison under the Computer Fraud and Abuse Act. | Network security management (A.13) and security in information processing facilities (A.11) to manage and mitigate DoS risks. |
| Malware Distribution | Penalties include fines and imprisonment. Under laws like the US's Computer Fraud and Abuse Act, distributing malware can lead to severe penalties. | Malware protection (A.12.2) to prevent, detect, and remove malicious software, and user awareness training (A.7.2.2). |

IT Act 2000, Positive Aspects and weak areas of ITA 2000

Offenses under the IT Act, 2000

1. Tampering with computer source documents

Section 65 of this Act provides that if anyone knowingly or intentionally conceals, destroys or alters any computer source code used for a computer, computer programme, computer system or computer network, maintained by law for the time being in force, then they shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.[6]

The main objective of this section is to protect the "intellectual property" invested in the computer. It is an effort to protect the computer source documents (codes) beyond the availability under the Copyright Law.

Syed Asifuddin Case[7]

In this case, there was a company called Tata Indicom. Some employees of this company were arrested for manipulating the 32-bit electronic serial number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocom. The Court held that tampering with source code invokes Section 65 of the Information Technology Act.

Parliament Attack Case[8]

In this case, some terrorists attacked the Parliament House of India on 13 December 2001. Digital evidence played a vital role during their prosecution. The accused argued that electronic evidence can be easily manipulated and hence should not be relied upon.

The Court held that any challenge to the accuracy of computer evidence should be established by the challenger. Mere theoretical and generic doubts cannot be cast on the evidence's authenticity.

2. Hacking with the computer system

Section 66 of this Act[9] says that:

(1) If any person with an intent to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or reduces its value or utility or affects it injuriously by any means, he commits hacking.

(2) For the offence of hacking, one shall be punished with imprisonment up to three years, or with fine up to two lakh rupees, or with both.

R v. Whiteley[10]

In this particular case, the accused managed to gain unauthorized access to the Joint Academic Network (JANET). He deleted some files and changed the passwords to deny access to the authorized users.
The objective of this section is not merely to protect the information but to protect the integrity and security of computer resources from attacks by unauthorized persons seeking to enter such resources, irrespective of the intention or motive.

3. Publishing of obscene information in electronic form

Section 67 of this Act states that anyone who electronically publishes or transmits any material which is lascivious or appeals to the prurient interest shall be punished on first conviction with imprisonment up to five years and with fine which may extend up to one lakh rupees. In the event of a second or subsequent conviction, he shall be punished with imprisonment for a term up to ten years and also with fine which may extend to two lakh rupees.

The State of Tamil Nadu v. Suhas Katti[11]

In this case, a man posted obscene, defamatory and annoying messages about a divorced woman in a Yahoo message group. These postings and fake messages resulted in annoying and demeaning phone calls to the lady. Based on her complaint, the police arrested the accused. He was a known family friend of the victim and had wanted to marry her. She married another person, but that marriage ended in divorce and the accused once again started contacting her. When she did not agree to marry him, he started harassing her through the internet. The accused was found guilty of offences under Section 67 of the IT Act 2000.

4. Penalty for breach of confidentiality and privacy

Section 72 of the Information Technology Act 2002 provides that any person who, in pursuance of any of the powers conferred under this Act, rules or regulations, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person or authority concerned shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

In short-
The Information Technology Act, 2000 (ITA 2000) is a comprehensive law passed by the
Indian Parliament to regulate, control, and deal with issues pertaining to electronic
commerce (e-commerce) and cybercrime within India. It was enacted to provide a legal
framework to facilitate electronic transactions, electronic filing, and digital signatures.
ITA 2000 also addresses security practices, procedures, and the prevention of
cybercrimes, extending to unauthorized access, data breaches, identity theft, and cyber
terrorism among others.

Positive Aspects of ITA 2000:

- Legal Recognition of Electronic Transactions: ITA 2000 gives electronic records and digital signatures the same legal standing as traditional paper documents and handwritten signatures, facilitating e-commerce and e-governance.
- Boost to E-commerce and E-governance: By providing a legal structure for electronic transactions, ITA 2000 has significantly contributed to the growth of e-commerce and the digitization of government services in India.
- Cybercrime Legislation: It was one of the first laws globally to define and deal with cybercrimes explicitly, setting a precedent for cyber law.
- Attribution, Acknowledgment, and Dispatch of Electronic Records: ITA 2000 details the framework for the creation, transmission, and validation of electronic records, enhancing trust and reliability in electronic communications.
- Regulation of Certifying Authorities: The act provides for the regulation of Certifying Authorities, ensuring the integrity of digital certificates and facilitating secure digital transactions.

Weak Areas of ITA 2000:

- Limited Scope on Privacy: While ITA 2000 addresses data protection in the context of corporate bodies, it lacks a comprehensive approach to individual privacy protection, especially with the rise of data mining and personal data exploitation.
- Ambiguities and Broad Definitions: Certain sections of the Act have been criticized for their broad and ambiguous definitions, leading to potential misinterpretation and misuse.
- Jurisdiction Issues: The global nature of the internet means cybercrimes can be transnational, which poses challenges in jurisdiction and enforcement under ITA 2000.
- Technological Neutrality: Rapid advancements in technology mean that certain provisions of ITA 2000 may become outdated or inadequate to address new forms of cybercrimes or digital transactions.
- Enforcement and Implementation Challenges: There have been concerns regarding the effective enforcement of ITA 2000 provisions, partly due to the lack of technical expertise among law enforcement agencies.

Comparative Table: Positive Aspects vs. Weak Areas of ITA 2000

| Positive Aspects | Weak Areas |
|---|---|
| Legal recognition of electronic transactions and documents | Limited scope on individual privacy protection |
| Facilitates growth in e-commerce and e-governance | Ambiguities and broad definitions that lead to misuse |
| Explicit definition and penalty for cybercrimes | Jurisdiction issues with transnational cybercrimes |
| Framework for electronic records and digital signatures | Technological neutrality, with some provisions becoming outdated |
| Regulation and certification of digital signatures | Enforcement and implementation challenges |

The Information Technology Act, 2000, marks a significant step in adapting Indian law to
the demands of the digital age.

Digital signatures and the Indian ITA act

Importance of Signatures

No security procedure, manual or automated, provides absolute assurance. There is evidence that forgery was practised shortly after the invention of writing, and that it has remained a problem ever since. In the year 539 AD (100 years after the Romans began to use signatures) the Romans enacted legislation (in the Justinian Code) that laid down requirements for the forensic examination of documents by sworn experts and specified under what circumstances their testimony could be given in cases of forgery.[4]

A signature, handwritten or digital, serves several purposes:

· Authentication – which concerns the assurance of identity.[5] When the sales clerk compares the signature on the back of the credit card with the signature on the payment slip, the clerk uses the handwritten signature as an identification method to ensure that the individual presenting the credit card is the one to whom the card was issued by the issuing bank.
· Data Integrity – the assurance that no modification of the data has taken place after the signature was applied. Although handwritten signatures do not in themselves offer data integrity, the standard protective procedures around them, including the use of indelible ink and tamper-evident material, provide a measure of data integrity. Digital signatures provide excellent data integrity because the signature value is a function of the message digest; even the slightest modification of a digitally signed message will always result in a signature verification failure.

· Non-repudiation – which seeks to provide evidence to a third party (such as a judge or jury) that a party has participated in a transaction and thus protects other parties from false denials of participation in the transaction. The purchaser's signature on the credit card payment slip is proof of the purchaser's involvement in the transaction, which defends the retailer and the card-issuing bank against fraudulent denials of the purchaser's involvement.

The Usage of Signature

There are, of course, many situations in which documents have to be signed and archived, and the signatures must remain valid for the duration of the archive. Signatures on documents can be called into doubt several decades after they were applied. Many sources of signed archival records from everyday life include medical notes, service discharge papers, and mortgages. When considering digital data archiving, it is important to remember that digital signature verification requires each and every bit of the signed document to be preserved and read correctly, exactly as it was when the signatory applied the signature. For example, flipping a bit that changes the "s" character to the "S" character would be undesirable in any electronic document, and renders a digitally signed document completely unverifiable.

Digital signatures exacerbate the problem of technological obsolescence. They make the most common coping technique, transformation into new formats during transition periods, impossible unless the original signatory can re-sign under the new format, a solution that is always burdensome and often impossible. From the digital signature's point of view, a change of document format is no different from a change to the document's text: either results in an unverifiable signature. While handwritten signatures can be forged in ways that digital signatures, by their cryptographic properties, cannot, digital signatures are subject to compromise (loss or disclosure) of the signatory's private key, just as Sumerian and Roman seals were subject to loss or theft. Compromise is a vulnerability that is not associated with handwritten signatures.

A handwritten signature is biologically linked to a specific individual, while a digital signature relies on the protection the signatory gives to the private signature key and on the procedures implemented by the Certification Authority. Handwritten signatures are under the direct control of the signatory, whereas digital signatures must be applied by a computer controlled by the signatory.

Forgery of handwritten signatures has been practised for centuries, while forgery of digital signatures, in the absence of a compromise of the private signature key or a hijacking of the signature mechanism, is virtually impossible. The forgery mechanisms for handwritten and digital signatures are different.
The data integrity service provided by digital signatures is much stronger than that provided by handwritten signatures. Handwritten signatures can be witnessed, whereas digital signatures cannot be witnessed in the same way, although they can be notarized. Manuscript signatures can be verified indefinitely, whereas digital signatures are likely to become unverifiable after ten years or so due to obsolescence of data processing equipment and cryptographic standards, certificate expiry, and other factors.

| Feature | Electronic Signature | Digital Signature |
|---|---|---|
| Definition | An electronic signature is any electronic means that indicates that a person adopts the contents of an electronic message. It can be as simple as typing a name into a contract or email, or clicking "I accept" on a website. | A digital signature is a specific subset of electronic signatures that uses cryptographic operations to secure the document. It ensures the authenticity and integrity of the signed content. |
| Technology Used | Varied, can include scanned images of handwritten signatures, typed names, PINs, or biometric methods like fingerprint scans. | Utilizes Public Key Infrastructure (PKI) technology, where the signature is created using the signer's private key and can be verified using the signer's public key. |
| Legal Validity | Recognized legally in many jurisdictions around the world, provided it meets certain criteria set forth by relevant laws, such as the E-SIGN Act in the United States or eIDAS in the European Union. | Also legally recognized, often with the same criteria as electronic signatures, but comes with additional cryptographic evidence that can provide stronger legal standing in disputes. |
| Purpose | To show general agreement to a document or terms presented electronically. | To securely sign electronic documents, while also providing authentication, data integrity, and non-repudiation. |
| Security | Varies widely depending on the method used. Some forms of electronic signatures, like biometrics, are more secure, while others, like typed names, are less secure. | High, due to the use of encryption and decryption keys. Digital signatures cannot be copied to another document as their validity is document-specific. |
| Use Cases | Suitable for low-risk agreements, such as HR documentation, non-disclosure agreements, and general business contracts. | Often used in scenarios requiring high security and legal scrutiny, such as legal documents, financial transactions, and government documents. |
| Verification | Typically, the identity of the signer is verified through other means, such as email, phone verification, or third-party services. | The signer's identity is verified through a Certificate Authority (CA) that issues digital certificates as part of the PKI. |

The three important features of digital signatures are:

1. Authentication – They authenticate the source of messages. Since the ownership of a digital certificate is bound to a specific user, the signature shows that the user sent it.
2. Integrity – Sometimes, the sender and receiver of a message need an assurance that the message was not altered during transmission. A digital signature provides this feature.

3. Non-Repudiation – A sender cannot deny sending a message which has a digital signature.

According to the Information Technology Act, 2000, digital signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3. Further, the IT Act, 2000 deals with digital signatures under Sections 2, 3, and 15.

Section 2(1)(p)

According to Section 2(1)(p), digital signature means 'authentication of any electronic record using an electronic method or procedure in accordance with the provisions of Section 3'.

Further, authentication is a process for confirming the identity of a person or proving the integrity of information. Authenticating messages involves determining the source of the message and verifying that it has not been altered or modified in transit.


Section 3

Section 3 of the Information Technology Act, 2000 provides certain provisions for the authentication of electronic records. The provisions are:

- Subject to the provisions of this section, any subscriber can affix his digital signature and hence authenticate an electronic record.

- The authentication is effected by an asymmetric crypto system and hash function, which envelop and transform the initial electronic record into another electronic record.

- Also, any person in possession of the public key can verify the electronic record.

- Further, every subscriber has a private key and a public key which are unique to him and constitute a functioning key pair.

Secure Digital Signature (Section 15)

Let's say that two parties agree to apply a certain security procedure. If it is possible to verify that the digital signature affixed was

1. unique to the subscriber affixing it,

2. capable of identifying the subscriber,

3. created in a manner under the exclusive control of the subscriber, and

4. linked to the electronic record in such a manner that a change in the record invalidates the digital signature,

then it is a secure digital signature.
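The two properties the notes keep returning to, that the signature is produced with the subscriber's private key and checked with the public key (Section 3), and that any change to the record, even the single flipped bit that turns "s" into "S" from the archiving discussion above, invalidates it (Section 15), can be seen directly in code. The following Go program is an added example, not part of the lecture notes or of any statute; it assumes ECDSA over the P-256 curve with SHA-256 as the "asymmetric crypto system and hash function", and the sale-deed text it signs is constructed for the demonstration.

```go
package main

// Added example (not from the lecture notes): a digital signature bound to an
// electronic record, as Sections 3 and 15 of the IT Act describe it.
// Assumptions: ECDSA over P-256 with SHA-256 stands in for the Act's
// "asymmetric crypto system and hash function"; the sample record is constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignRecord hashes the record with SHA-256 and signs the digest with the
// subscriber's private key. Only the holder of the private key can do this.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyRecord recomputes the digest and checks the signature against the
// public key; anyone holding the public key can perform this check.
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// BindingResult records the three checks a verifier cares about.
type BindingResult struct {
	Original bool // signature verifies on the untouched record
	Tampered bool // signature still verifies after a one-bit change
	WrongKey bool // signature verifies under an unrelated public key
}

// CheckBinding signs a record and reports how the signature behaves on the
// original record, on a copy with one letter's case flipped (the "s" to "S"
// change from the notes), and under a different subscriber's public key.
func CheckBinding(record []byte) (BindingResult, error) {
	var res BindingResult
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	sig, err := SignRecord(signer, record)
	if err != nil {
		return res, err
	}
	res.Original = VerifyRecord(&signer.PublicKey, record, sig)

	// Flip the case of the first ASCII letter: exactly one bit (0x20) changes.
	// (A record with no ASCII letter would be left unchanged.)
	altered := append([]byte(nil), record...)
	for i, b := range altered {
		if (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') {
			altered[i] = b ^ 0x20
			break
		}
	}
	res.Tampered = VerifyRecord(&signer.PublicKey, altered, sig)
	res.WrongKey = VerifyRecord(&other.PublicKey, record, sig)
	return res, nil
}

func main() {
	// Constructed sample record, not a real document.
	record := []byte("sale deed: plot 12, consideration Rs 5,00,000")
	res, err := CheckBinding(record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("original record verifies:        %v\n", res.Original)
	fmt.Printf("one-bit-altered copy verifies:   %v\n", res.Tampered)
	fmt.Printf("verifies under another key:      %v\n", res.WrongKey)
}
```

The first result is true and the other two are false: the signature is tied both to the exact bytes of the record and to the key pair that produced it, which is what the verifier relies on when a signed archive is read years later, and why format conversion of a signed document without re-signing breaks verification.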


ITA 2008, and International Standards maintained for Cyber Security

ITA 2008
The Information Technology (Amendment) Act, 2008 (ITA 2008)
is a significant amendment to India's Information Technology Act,
2000 (IT Act 2000). It was enacted to address th e growing
challenges and needs in the realm of information technology and
cybersecurit y. The amendment came into effect on October 27,
2009, and introduced several key changes and additions to
strengthen the legal framework for secure electronic commerce,
electronic governance, data privacy, and cybersecurity.

### Key Features and Provisions of ITA 2008

#### Enhanced Security Practices and Procedures


ITA 2008 introduced specific sections to deal with cyber security
and established a framework for the appo intment of Indian
Computer Emergency Response Team (CERT -In) as the national
nodal agency for responding to computer security incidents.

#### Redefinition of Terms


The amendment expanded the definitions of terms like
"communication device" to include the latest gadgets and
technologies, thereby broadening the scope of the law to cover
new forms of electronic communication.

#### Data Privacy and Protection


One of the notable inclusions is the introduction of specific
provisions related to data protection a nd privacy. ITA 2008
introduced Section 43A, which holds corporate bodies responsible
for implementing reasonable security practices to protect sensitive
personal data or information and provides for compensation to the
person affected by unauthorized access or data breach.

#### C yber Terrorism


ITA 2008 introduced Section 66F, which defines cyber terrorism
as an act that involves accessing a computer resource without
authorization, with the intent to threaten the unity, integrit y,
securit y, or sovereignt y of India or to strike terror in the people.
This section provides for stringent punishment for acts of cyber
terrorism.

#### Obscenity and Child Pornography


The amendment introduced stricter provisions to combat obscenity
and child pornography in cyberspa ce, making the publication or
transmission of such material a punishable offense.
#### Tampering with Computer Source Documents
The Act made unauthorized changes to computer source codes a
punishable offense, aiming to protect intellectual property and the
integrity of software products.

#### Identity Theft and Cheating by Personation


ITA 2008 introduced specific sections (66C and 66D) to deal with
identity theft and cheating by personation using computer
resources, reflecting the law's adaptation to new forms of
cybercrimes.

### Implementation and Impact

- **Regulatory Bodies**: ITA 2008 provisions led to the


establishment and empowerment of regulatory bodies, including
the appointment of a Controller of Certifying Authorities (CCA)
to regulate the issuance of digital signatures, and recognition of
CERT-In's role in cybersecurit y incident response.

- **Adjudication**: The Act provides for the appointment of


Adjudicating Officers to adjudicate matters in which the claim
does not exceed five crore rupees. It also established the C yber
Appellate Tribunal (CAT) to hear appeals against the orders of the
Adjudicating Officers.

- **Legal Framework for Electronic Transactions**: By updating


the legal framework to include electronic signatures, ITA 2008
facilitated the legal recognition of electronic contracts, thereby
bolstering e-commerce and e-governance.

### Challenges and Criticisms

Despite its comprehensive scope, ITA 2008 has faced criticism for
certain provisions that are seen as overly broad or vague,
potentially leading to misuse. Concerns have been raised about
privacy protections, freedom of expression, and the potential for
increased surveillance. The Act's implementation has also
highlighted the need for more clarity and guidelines on certain
issues, as well as the importance of ongoing updates to keep pace
with technological advancements.

In summary, ITA 2008 represents a critical step in India's efforts to address the challenges of the digital age, providing a legal framework for cybersecurity, data protection, and electronic transactions. However, the evolution of technology and the complexity of cyber threats continue to pose challenges, necessitating periodic review and updates to the legal framework.

International Standards maintained for Cyber Security

International standards for cybersecurity are developed to provide organizations with models
for establishing, implementing, maintaining, and continually improving their information
security management systems (ISMS). These standards are crucial for protecting information
assets against threats, ensuring data privacy, and enhancing trust in electronic transactions.
Below are some key international standards for cybersecurity, explained point-wise for easy
recall:

1. ISO/IEC 27001 - Information Security Management Systems

- Focus: Establishes requirements for an ISMS.
- Key Elements: Risk assessment, security controls, management commitment.
- Purpose: To protect the confidentiality, integrity, and availability of information.
- Adoption: Widely adopted globally across various sectors.

2. ISO/IEC 27002 - Code of Practice for Information Security Controls

- Focus: Provides best practice guidelines on information security controls.
- Key Elements: Organizational, physical, technical controls.
- Purpose: To assist organizations in implementing specific controls based on ISO/IEC 27001 requirements.
- Adoption: Serves as a reference for organizations developing ISMS policies and procedures.

3. ISO/IEC 27017 - Cloud Security

- Focus: Gives guidelines on information security controls for cloud services.
- Key Elements: Cloud-specific security controls, implementation guidance.
- Purpose: To address cloud computing-specific security threats and vulnerabilities.
- Adoption: Essential for cloud service providers and users.

4. ISO/IEC 27018 - Protection of Personally Identifiable Information (PII) in Public Clouds

- Focus: Establishes commonly accepted control objectives, controls, and guidelines for protecting PII.
- Key Elements: Data protection, PII processors, cloud service agreements.
- Purpose: To enhance privacy in cloud computing environments, especially relevant with GDPR compliance.
- Adoption: Targeted towards public cloud service providers.

5. ISO/IEC 27032 - Guidelines for Cybersecurity

- Focus: Provides guidelines for improving the state of cybersecurity.
- Key Elements: Cybersecurity, stakeholder collaboration, risk management.
- Purpose: To address cybersecurity challenges and foster a secure cyber environment.
- Adoption: Useful for organizations seeking to enhance cybersecurity practices.

6. ISO/IEC 27701 - Privacy Information Management

- Focus: Provides requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).
- Key Elements: PII protection, GDPR alignment.
- Purpose: To manage privacy information and comply with privacy regulations.
- Adoption: Applicable to all organizations with PII responsibilities.

7. NIST Cybersecurity Framework

- Focus: Developed by the U.S. National Institute of Standards and Technology to provide a policy framework of computer security guidance.
- Key Elements: Identify, Protect, Detect, Respond, Recover.
- Purpose: To help organizations manage and reduce cybersecurity risk.
- Adoption: Although a U.S. standard, it's globally recognized and used by various organizations.

8. CIS Controls

- Focus: Developed by the Center for Internet Security, offering a prioritized set of actions to protect organizations and data from known cyber attack vectors.
- Key Elements: Basic, Foundational, and Organizational controls.
- Purpose: To provide actionable guidance for improving an organization's cybersecurity posture.
- Adoption: Widely respected and implemented across industries.

| Feature | ITA 2008 | International Standards (e.g., ISO/IEC 27000 Series) |
|---|---|---|
| Nature | A legislative act specific to India, amending the Information Technology Act, 2000 to address cybercrimes and electronic transactions. | A series of international standards providing guidelines and best practices for information security management. |
| Scope | Primarily focused on legal frameworks for IT security, digital commerce, and cybercrime within India. | Focuses on a broad range of information security management issues applicable to all types of organizations worldwide. |
| Objective | To provide legal recognition and protection of electronic communications, prevent cybercrime, and facilitate electronic commerce. | To help organizations secure their information assets through an information security management system (ISMS). |
| Key Areas | Digital signatures and electronic records; cybercrime and penalties; data protection and privacy; regulatory bodies and their powers | Information security policies; organizational security; asset management; access control; operations security; incident management |
| Enforcement | Enforced by Indian governmental bodies and judiciary, with specific penalties for non-compliance and cybercrimes. | Voluntary adoption, though certification can be required by regulations, contracts, or industry standards. Compliance is verified through audits. |
| Compliance | Mandatory for entities operating within Indian jurisdiction. Non-compliance can result in legal penalties. | Organizations choose to comply for benefits such as improved security, compliance with regulations, and competitive advantage. Certification is recognized internationally. |
| Adaptability | Amendments can be made to address evolving cyber threats, but this process can be slow due to the need for legislative action. | Designed to be adaptable to the changing information security landscape. Standards are regularly reviewed and updated. |
| Global Applicability | Specific to India, though it considers international practices to some extent. | Applicable and recognized globally, designed to be adapted by any organization, regardless of size, type, or location. |

Security Audit

It is an investigation to review the performance of an operational system. The objectives of conducting a system audit are as follows −

- To compare actual and planned performance.
- To verify that the stated objectives of the system are still valid in the current environment.
- To evaluate the achievement of the stated objectives.
- To ensure the reliability of computer-based financial and other information.
- To ensure that all records are included while processing.
- To ensure protection from fraud.

Audit of Computer System Usage

Data processing auditors audit the usage of the computer system in order to control it. The auditor needs control data, which is obtained from the computer system itself.

The System Auditor

The role of the auditor begins at the initial stage of system development so that the resulting system is secure. The auditor specifies how utilization of the system can be recorded, which helps in load planning and in deciding on hardware and software specifications. Such records give an indication of proper use of the computer system and of possible misuse of the system.

Audit Trail

An audit trail or audit log is a security record of who has accessed a computer system and what operations were performed during a given period of time. Audit trails are used to trace in detail how data on the system has changed.
It provides documentary evidence of the various control techniques that a transaction is subject to during its processing. Audit trails do not exist independently; they are maintained as a part of accounting, for recovering lost transactions.
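As an added illustration (not part of the original notes), the following Python sketch implements the audit-trail idea just described: each record stores who did what, on which object and when, and a SHA-256 hash links every record to the one before it, so a later edit or deletion of any record is detected when the trail is verified during an audit. The users, operations and timestamps are constructed sample data, and the class and function names are the example's own.

```python
"""Tamper-evident audit trail: who accessed what, when, with each record
hash-chained to its predecessor so that after-the-fact modification or
deletion of a record is detectable.  Added example for these notes; all
events below are constructed sample data, not real log records."""
import hashlib
import json
from typing import Dict, List, Optional


def _record_hash(prev_hash: str, record: Dict[str, str]) -> str:
    # Canonical JSON so the same fields always produce the same hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64  # the "previous hash" of the very first record

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def append(self, user: str, operation: str, target: str, timestamp: str) -> str:
        """Append one record and return its chained hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        record = {"user": user, "operation": operation,
                  "target": target, "timestamp": timestamp}
        digest = _record_hash(prev, record)
        self.entries.append({**record, "hash": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first
        record whose stored hash no longer matches its content and predecessor."""
        prev = self.GENESIS
        for index, entry in enumerate(self.entries):
            record = {k: v for k, v in entry.items() if k != "hash"}
            if _record_hash(prev, record) != entry["hash"]:
                return index
            prev = entry["hash"]
        return None

    def activity_for(self, user: str) -> List[str]:
        """The auditor's basic question: what did this user do, in order?"""
        return [f'{e["timestamp"]} {e["operation"]} {e["target"]}'
                for e in self.entries if e["user"] == user]


def build_sample_trail() -> AuditTrail:
    # Constructed sample events for a hypothetical payroll database.
    trail = AuditTrail()
    trail.append("alice", "LOGIN", "payroll-db", "2024-03-01T09:00:00Z")
    trail.append("alice", "UPDATE", "salary:emp-1042", "2024-03-01T09:05:12Z")
    trail.append("bob", "READ", "salary:emp-1042", "2024-03-01T09:30:00Z")
    trail.append("alice", "LOGOUT", "payroll-db", "2024-03-01T09:40:00Z")
    return trail


def demonstrate_tampering() -> Optional[int]:
    """Rewrite one record after the fact and report which record the
    verification flags (the UPDATE at index 1 is disguised as a READ)."""
    trail = build_sample_trail()
    assert trail.verify() is None           # intact before the edit
    trail.entries[1]["operation"] = "READ"
    return trail.verify()                   # index of the first bad record


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify() is None)
    print("alice did:", t.activity_for("alice"))
    print("first flagged record after tampering:", demonstrate_tampering())
```

Verification only proves the trail is self-consistent from the first record onward; to detect wholesale replacement of the whole log, the latest hash must also be written somewhere the log's own administrators cannot alter (a separate system or a signed periodic checkpoint).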

Audit Methods

Auditing can be done in two different ways −

Auditing around the Computer

- Take sample inputs and manually apply the processing rules.
- Compare the manually obtained outputs with the computer's outputs.

Auditing through the Computer

- Establish an audit trail which allows examining selected intermediate results.
- Control totals provide intermediate checks.

Audit Considerations

Audit considerations examine the results of the analysis by using both the narratives and models to identify the problems caused by misplaced functions, split processes or functions, broken data flows, missing data, redundant or incomplete processing, and unaddressed automation opportunities.

The activities under this phase are as follows −

- Identification of the problems in the current environment
- Identification of problem causes
- Identification of alternative solutions
- Evaluation and feasibility analysis of each solution
- Selection and recommendation of the most practical and appropriate solution
- Project cost estimation and cost-benefit analysis

Security

System security refers to protecting the system from theft, unauthorized access and modifications, and accidental or unintentional damage. In computerized systems, security involves protecting all the parts of the computer system, which include data, software, and hardware. System security includes system privacy and system integrity.

- System privacy deals with protecting individuals' systems from being accessed and used without the permission/knowledge of the concerned individuals.
- System integrity is concerned with the quality and reliability of raw as well as processed data in the system.

Control Measures

There is a variety of control measures, which can be broadly classified as follows −

Backup

- Regular backup of databases daily/weekly depending on the time criticality and size.
- Incremental backup at shorter intervals.
- Backup copies kept in a safe remote location, particularly necessary for disaster recovery.
- Duplicate systems run and all transactions mirrored before being written to disk, if the system is very critical and cannot tolerate any disruption.

Physical Access Control to Facilities

- Physical locks and biometric authentication, for example fingerprint.
- ID cards or entry passes being checked by security staff.
- Identification of all persons who read or modify data, and logging it in a file.

Using Logical or Software Control

- Password system.
- Encrypting sensitive data/programs.
- Training employees on data care/handling and security.
- Antivirus software and firewall protection while connected to the internet.

Risk Analysis

A risk is the possibility of losing something of value. Risk analysis starts with planning for a secure system by identifying the vulnerabilities of the system and their impact. A plan is then made to manage the risk and cope with disaster. It is done to assess the probability of possible disasters and their cost.

Risk analysis is teamwork by experts with different backgrounds, such as chemicals, human error, and process equipment.

The following steps are to be followed while conducting risk analysis −

- Identification of all the components of the computer system.
- Identification of all the threats and hazards that each of the components faces.
- Quantify risks, i.e. assess the loss in case the threats become reality.

Risk Analysis – Main Steps

As the risks or threats are changing and the potential losses are also changing, management of risk should be performed on a periodic basis by senior managers.
Risk management is a continuous process and it involves the following steps −

- Identification of security measures.
- Calculation of the cost of implementation of security measures.
- Comparison of the cost of security measures with the loss and probability of threats.
- Selection and implementation of security measures.
- Review of the implementation of security measures.
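The cost-comparison step above can be worked through numerically. The following Python example is added to these notes (it is not from the original text) and uses the common single-loss-expectancy / annual-loss-expectancy model: each threat's expected yearly loss is asset value × exposure factor × annual rate of occurrence, and a measure is selected when the loss it avoids exceeds its yearly cost. All asset values, probabilities, costs and the Threat/Measure names are constructed assumptions, not figures from any real assessment.

```python
"""Quantitative risk analysis: quantify each threat (SLE, ALE), cost each
candidate security measure, and keep the measures that pay for themselves.
Added example for these notes; every number below is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Threat:
    name: str
    asset_value: float      # value of the component at risk (currency units)
    exposure_factor: float  # fraction of the asset lost per occurrence (0..1)
    annual_rate: float      # expected occurrences per year (ARO)

    def single_loss_expectancy(self) -> float:
        # SLE: loss from one occurrence of the threat.
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x ARO: loss to expect per year with no control in place.
        return self.single_loss_expectancy() * self.annual_rate


@dataclass
class Measure:
    name: str
    threat: str             # name of the threat this measure mitigates
    annual_cost: float      # amortised purchase plus yearly operating cost
    risk_reduction: float   # fraction of that threat's ALE it removes (0..1)


def total_ale(threats: List[Threat]) -> float:
    """Step 3 of the risk-analysis list: the quantified loss across all threats."""
    return sum(t.annual_loss_expectancy() for t in threats)


def evaluate(threats: List[Threat], measures: List[Measure]) -> List[Dict[str, object]]:
    """Compare each measure's yearly cost with the yearly loss it avoids."""
    by_name = {t.name: t for t in threats}
    rows: List[Dict[str, object]] = []
    for m in measures:
        avoided = by_name[m.threat].annual_loss_expectancy() * m.risk_reduction
        rows.append({
            "measure": m.name,
            "annual_cost": m.annual_cost,
            "loss_avoided": round(avoided, 2),
            "net_benefit": round(avoided - m.annual_cost, 2),
        })
    return rows


def select(threats: List[Threat], measures: List[Measure]) -> List[str]:
    """Selection step: keep only measures whose avoided loss exceeds their cost."""
    return [str(r["measure"]) for r in evaluate(threats, measures) if r["net_benefit"] > 0]


# Constructed sample inputs for a hypothetical small organisation.
SAMPLE_THREATS = [
    Threat("database disk failure", asset_value=200_000, exposure_factor=0.5, annual_rate=0.1),
    Threat("ransomware outbreak", asset_value=500_000, exposure_factor=0.8, annual_rate=0.05),
    Threat("laptop theft", asset_value=3_000, exposure_factor=1.0, annual_rate=2),
]
SAMPLE_MEASURES = [
    Measure("offsite nightly backup", "database disk failure", annual_cost=4_000, risk_reduction=0.9),
    Measure("endpoint detection and response", "ransomware outbreak", annual_cost=12_000, risk_reduction=0.7),
    Measure("laptop full-disk encryption", "laptop theft", annual_cost=1_000, risk_reduction=0.8),
    Measure("hot standby mirror", "database disk failure", annual_cost=30_000, risk_reduction=0.99),
]

if __name__ == "__main__":
    print(f"total ALE without controls: {total_ale(SAMPLE_THREATS):,.2f}")
    for row in evaluate(SAMPLE_THREATS, SAMPLE_MEASURES):
        print(row)
    print("selected:", select(SAMPLE_THREATS, SAMPLE_MEASURES))
```

In the constructed data the hot standby mirror is rejected not because it is ineffective but because a cheaper measure already removes most of the same expected loss; the review step in the list above exists precisely because the rates and values that drive this comparison change over time.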

Investigation by Investigating Agency

Investigation by investigating agencies in the context of cybersecurity involves a series of
systematic steps to uncover, collect, analyze, and report on digital evidence related to
cybercrimes. These agencies could be governmental bodies, law enforcement, or specialized
cybercrime units. The process is intricate, given the volatile nature of digital evidence and the
sophistication of cybercriminal activities. Here's a detailed explanation of the investigation
process:

1. Preparation

- Training: Investigators undergo rigorous training in cyber laws, digital forensics, and the latest cybersecurity technologies.
- Tools and Resources: Agencies equip themselves with advanced digital forensic tools and software for evidence collection and analysis.
- Standard Operating Procedures (SOPs): Developing SOPs ensures consistent and methodical investigation processes, minimizing errors and oversights.

2. Identification

- Incident Detection: The first step involves recognizing a potential security incident or cybercrime, often reported by victims, detected through monitoring systems, or uncovered by cybersecurity teams.
- Preliminary Assessment: Investigators perform an initial assessment to understand the scope, nature, and severity of the incident.

3. Legal Considerations

- Warrants and Permissions: Obtaining necessary legal warrants or permissions is crucial for accessing and examining digital evidence, ensuring the investigation adheres to legal standards.
- Jurisdictional Challenges: Cybercrimes can transcend national boundaries, raising complex jurisdictional issues that may require international cooperation.

4. Evidence Collection

- Preservation: Immediate actions are taken to preserve digital evidence. This could involve isolating affected systems to prevent data tampering or loss.
- Acquisition: Digital evidence is collected in a forensically sound manner, ensuring it remains unchanged from its original state. This might involve making bit-by-bit copies of data.
- Chain of Custody: Maintaining a clear and documented chain of custody is essential for ensuring the integrity and admissibility of evidence in legal proceedings.

5. Analysis

- Data Examination: Investigators analyze the collected evidence using forensic tools to uncover hidden, deleted, or encrypted data.
- Attribution: Efforts are made to trace the cybercrime back to its source, which can be challenging due to techniques like IP spoofing and the use of anonymizing services.
- Pattern Recognition: Analyzing attack patterns can help in identifying the perpetrators, especially if they have a history of similar offenses.

6. Reporting

- Documentation: Detailed reports are prepared, documenting the evidence found, the analysis performed, and the conclusions drawn.
- Recommendations: Reports may also include recommendations for preventing future incidents, enhancing security measures, or taking legal action against the perpetrators.

7. Legal Action and Follow-up

- Prosecution: The collected evidence and reports can be used to prosecute the accused in court.
- Feedback Loop: Lessons learned from the investigation feed back into improving organizational cybersecurity policies and practices.

8. International Cooperation

Given the global nature of the internet, investigating agencies often collaborate with international counterparts, sharing intelligence and resources to combat cybercrime effectively.

Investigation by Investigating Agency

1. Preparation and Planning:
- Agencies prepare by staying updated on the latest cyber threats and technologies.
- Training in digital forensics is crucial for personnel.
2. Legal Authority:
- Investigations require legal warrants or permissions to access and examine digital evidence.
3. Evidence Collection:
- Digital evidence must be collected in a manner that preserves its integrity.
- Chain of custody must be maintained to ensure evidence is admissible in court.
4. Analysis:
- Forensic analysis to uncover data trails left by cybercriminals.
- Utilization of specialized software tools for data recovery and analysis.
5. Attribution:
- Identifying the source of cyber attacks can be complex and often involves tracking IP addresses, analyzing malware, and following digital footprints.
6. Collaboration:
- Often requires cooperation with other national and international agencies.
- Sharing of intelligence and best practices is common.
7. Reporting:
- Detailed reports are prepared to document the investigation process and findings.
- Reports may be used in legal proceedings or to improve cybersecurity measures.

Intellectual Property Rights in Cyberspace

Intellectual Property Rights (IPR) in cyberspace refer to the legal protections afforded to
creators and owners of intellectual property (IP) for their works that are created, distributed,
and accessed in digital form across the internet and other electronic networks. As the digital
landscape continues to expand, so does the significance of IPR in protecting the economic
and moral rights of creators in the online world. Here’s a detailed look into IPR in
cyberspace:

Types of Intellectual Property Rights in Cyberspace

- Copyrights: Protects original works of authorship that are fixed in a tangible form of expression, including literary, musical, graphic, and software works. In cyberspace, it covers websites, blogs, software programs, and multimedia content.
- Trademarks: Protects words, phrases, symbols, logos, or designs that identify and distinguish the source of goods or services. Online trademarks safeguard brand identity on websites, social media, and in domain names.
- Patents: Grants exclusive rights to inventors for their inventions, including processes, machines, manufacture, or composition of matter. In the digital realm, this may include software algorithms, business methods, or computer-implemented inventions, subject to varying national laws.
- Trade Secrets: Protects confidential business information that provides a competitive edge, such as formulas, practices, processes, designs, instruments, or patterns. Cybersecurity measures are critical in protecting trade secrets stored or transmitted digitally.
- Domain Names: While not a traditional form of IP, domain names are vital business identifiers in cyberspace and can be protected under trademark law if they correspond to a registered trademark.

Challenges of IPR in Cyberspace

- Piracy and Infringement: The ease of copying and distributing digital content leads to widespread infringement issues, challenging creators' and owners' ability to control and monetize their works.
- Jurisdictional Issues: The global nature of the internet complicates enforcement of IPR due to differing laws and standards across countries.
- Rapid Technological Change: The fast pace of technological innovation can outstrip existing legal frameworks, making it challenging to protect new forms of digital content and inventions adequately.

Enforcement and Protection

- Digital Rights Management (DRM): Technologies that control the use of digital content at the user level, limiting copying, printing, and sharing of protected material.
- Watermarking and Fingerprinting: Embedding information into digital content to track its distribution and identify unauthorized copies.
- Legal Actions: Pursuing copyright infringement lawsuits, issuing cease and desist letters, and seeking damages through courts.
- Policies and Legislation: International treaties like the WIPO Copyright Treaty (WCT) and the WIPO Performances and Phonograms Treaty (WPPT) aim to harmonize IPR protection across borders. National laws, such as the DMCA in the U.S., provide mechanisms for addressing copyright infringement online.

Intellectual Property in the Age of Open Source and Collaboration

The open-source movement and collaborative projects present a nuanced approach to IP, emphasizing shared innovation while also using licenses (e.g., GPL, MIT) to protect contributors' rights and define how works may be used, modified, and distributed.

Understanding IPR in cyberspace is crucial for anyone creating, distributing, or using digital content. It ensures that creators can reap the benefits of their innovations while fostering an environment of fair use, access, and collaboration. As the digital domain evolves, so too will the strategies for protecting and enforcing intellectual property rights, necessitating ongoing dialogue and adaptation among stakeholders globally.

Intellectual Property Rights in Cyberspace

1. Copyrights:
- Protect original works of authorship, including software, digital books, and online articles.
- Automatically applies to digital content as soon as it is created and fixed in a tangible form.
2. Trademarks:
- Used to protect brand names, logos, and slogans in the digital realm.
- Essential for maintaining brand identity on the internet.
3. Patents:
- May protect inventions, including software or business methods, subject to national laws and interpretations.
- Important for safeguarding proprietary technologies.
4. Domain Names:
- Considered as business identifiers and can be protected under trademark laws.
- Disputes may be resolved through ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP).
5. Challenges:
- Difficulty in policing IPR violations across jurisdictions.
- Rapid dissemination of digital content complicates enforcement.
6. Enforcement:
- Use of digital rights management (DRM) technologies to control access and distribution.
- Legal actions may involve cease and desist orders, takedowns, or litigation.
7. International Treaties and Agreements:
- World Intellectual Property Organization (WIPO) treaties, such as the Copyright Treaty (WCT) and the Performances and Phonograms Treaty (WPPT), address digital IPR.
- The Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) sets minimum standards for IPR protection and enforcement.

UNIT – VI Introduction to Forensics

Introduction, General Guidelines, Finding Evidence on the PC, Finding Evidence in System Logs, Getting Back Deleted Files, Operating System Utilities, Mobile Forensics: Cell Phone Concepts

Introduction
Cyber forensics is a process of extracting data as proof for a crime (that involves electronic devices) while following proper investigation rules to nab the culprit by presenting the evidence to the court. Cyber forensics is also known as computer forensics. The main aim of cyber forensics is to maintain the thread of evidence and documentation to find out who committed the crime digitally. Cyber forensics can do the following:
- It can recover deleted files, chat logs, emails, etc.
- It can also recover deleted SMS and phone call records.
- It can get recorded audio of phone conversations.
- It can determine which user used which system and for how much time.
- It can identify which user ran which program.

Why is cyber forensics important?

In today's technology-driven generation, the importance of cyber forensics is immense. Technology combined with forensic science paves the way for quicker investigations and accurate results. Below are the points depicting the importance of cyber forensics:
- Cyber forensics helps in collecting important digital evidence to trace the criminal.
- Electronic equipment stores massive amounts of data that a normal person fails to see. For example, in a smart house, every word we speak and every action performed by smart devices generates huge amounts of data, which is crucial in cyber forensics.
- It is also helpful for innocent people to prove their innocence via the evidence collected online.
- It is not only used to solve digital crimes but also to solve real-world crimes like theft cases, murder, etc.
- Businesses are equally benefited by cyber forensics in tracking system breaches and finding the attackers.
- aware of it.

General Guidelines
Here are some fundamental guidelines for conducting cyber forensic investigations:

1. Prepare Thoroughly

- Training and Certification: Ensure that investigators are properly trained and, if possible, certified in digital forensics methodologies and tools.
- Forensic Toolkit: Maintain a toolkit of approved forensic software and hardware tools, keeping them updated to handle the latest technologies.

2. Follow Legal Requirements

- Authorization: Obtain necessary legal permissions, such as search warrants or consent forms, before accessing and examining digital devices.
- Jurisdiction: Be aware of jurisdictional limits and the legal requirements of different regions, especially when dealing with cross-border investigations.

3. Preserve the Original Evidence

- Chain of Custody: Maintain a detailed chain of custody for all evidence, documenting every individual who handled the evidence and any actions taken.
- Data Integrity: Use write blockers when accessing storage media to prevent altering the data. Create bit-for-bit copies (forensic images) of storage devices for analysis.

4. Systematic Collection

- Prioritization: Identify and prioritize relevant data sources based on the investigation objectives.
- Comprehensive Collection: Collect all potentially relevant information, including deleted, encrypted, or hidden data, without altering the original evidence.

5. Ensure Secure Storage

- Physical Security: Store physical devices and media securely to prevent unauthorized access or damage.
- Digital Security: Protect forensic images and other digital evidence with strong encryption when stored or transmitted.

6. Document Everything

- Documentation: Keep detailed records of all investigative steps, including how evidence was collected, analyzed, and preserved.
- Reporting: Prepare clear, comprehensive, and objective reports detailing the findings and the methods used to reach them.

7. Analysis

- Use Approved Tools: Analyze the digital evidence using reliable and validated forensic software tools.
- Repeatability: Ensure that analyses are conducted in such a way that another investigator could replicate the process and arrive at the same findings.

8. Maintain Professional Ethics

- Confidentiality: Keep all information confidential and disclose findings only to authorized individuals.
- Impartiality: Approach all investigations with an unbiased and objective mindset.

9. Continual Learning

- Stay Updated: Keep abreast of the latest developments in digital forensics, including new tools, techniques, and emerging technologies.
- Professional Development: Participate in ongoing training and professional development opportunities to enhance skills and knowledge.

10. Review and Quality Assurance

- Peer Review: Have forensic processes and findings reviewed by a peer or supervisor to ensure accuracy and completeness.
- Adhere to Standards: Follow industry standards and best practices, such as those set by the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST).

The Process Involved in Cyber Forensics

1. Obtaining a digital copy of the system that is being or is required to be inspected.
2. Authenticating and verifying the reproduction.
3. Recovering deleted files (using the Autopsy tool).
4. Using keywords to find the information you need.
5. Establishing a technical report.
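Steps 1, 2 and 4 of the process above, worked through in Python on a constructed in-memory "disk" rather than a real device (an added example for these notes, not the original author's). It takes a bit-for-bit copy, authenticates the copy against a SHA-256 hash recorded at acquisition time, and then runs the keyword search over the whole image rather than over files, so that a record whose directory entry was removed (the kind of "deleted" data step 3 recovers) still turns up in unallocated space. The sector layout, contents, keywords, case number and function names are all assumptions of the example; on real media the copy is taken through a write blocker with a validated imaging tool, as the guidelines above require, and the hash is recorded in the chain-of-custody log.

```python
"""Forensic image acquisition, verification and keyword search on a
constructed in-memory disk.  Added example for these notes; the sectors,
keywords and case identifiers below are made up."""
import hashlib
from typing import Dict, List, Tuple

SECTOR = 64  # bytes per sector in the constructed disk

# Constructed sample "disk": five sectors of text.  Sector 4 holds a record
# whose directory entry (sector 1) no longer lists it: "deleted", but still on disk.
ORIGINAL_DISK = b"".join(s.ljust(SECTOR, b"\x00") for s in [
    b"boot sector: NOT BOOTABLE",
    b"dir: notes.txt invoices.csv",
    b"notes.txt: meeting with supplier about transfer of 40000",
    b"invoices.csv: 2024-01-15,ACME,1200\n2024-02-02,ACME,900",
    b"[deleted] wire transfer to offshore account 40000 confirmed",
])


def acquire_image(device: bytes) -> Tuple[bytes, str]:
    """Step 1: bit-for-bit copy, plus the SHA-256 of the source taken at
    acquisition time (this hash goes into the chain-of-custody record)."""
    image = bytes(device)  # the copy; the source is never modified
    return image, hashlib.sha256(device).hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Step 2: authenticate the reproduction against the recorded hash.
    Any single changed byte makes this fail."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


def keyword_search(image: bytes, keywords: List[bytes]) -> Dict[bytes, List[int]]:
    """Step 4: byte offsets of every occurrence of each keyword, searched on
    the raw image so unallocated sectors are covered, not only listed files."""
    hits: Dict[bytes, List[int]] = {k: [] for k in keywords}
    for k in keywords:
        pos = image.find(k)
        while pos != -1:
            hits[k].append(pos)
            pos = image.find(k, pos + 1)
    return hits


def sector_of(offset: int) -> int:
    """Map a byte offset back to the sector it lives in, for the report."""
    return offset // SECTOR


def custody_record(case: str, examiner: str, image_hash: str, verified: bool) -> Dict[str, str]:
    """Minimal chain-of-custody entry for the technical report (constructed fields)."""
    return {"case": case, "examiner": examiner, "sha256": image_hash,
            "verified": "yes" if verified else "NO - image must not be relied on"}


def run_case() -> Dict[str, object]:
    """Acquire, verify, search, and summarise for the report."""
    image, recorded = acquire_image(ORIGINAL_DISK)
    ok = verify_image(image, recorded)
    hits = keyword_search(image, [b"40000", b"offshore"])
    return {
        "verified": ok,
        "sectors_with_40000": sorted({sector_of(o) for o in hits[b"40000"]}),
        "offshore_sectors": [sector_of(o) for o in hits[b"offshore"]],
        "custody": custody_record("CASE-0001 (sample)", "examiner A", recorded, ok),
    }


if __name__ == "__main__":
    for key, value in run_case().items():
        print(f"{key}: {value}")
```

The search deliberately reports sector 4 although the directory in sector 1 does not list it: that is the difference between searching files through the file system and searching the raw image, and it is why the copy, not the original, is the object of every later step.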

How do cyber forensics experts work?

Cyber forensics is a field that follows certain procedures to find the evidence and reach conclusions after proper investigation of the matter. The procedures that cyber forensic experts follow are:
- Identification: The first step for cyber forensics experts is to identify what evidence is present, where it is stored, and in which format it is stored.
- Preservation: After identifying the data, the next step is to safely preserve the data and not allow other people to use that device, so that no one can tamper with the data.
- Analysis: After getting the data, the next step is to analyze the data or system. Here the expert recovers the deleted files, verifies the recovered data, and finds the evidence that the criminal tried to erase by deleting secret files. This process might take several iterations to reach the final conclusion.
- Documentation: Now, after analyzing the data, a record is created. This record contains all the recovered and available (not deleted) data, which helps in recreating the crime scene and reviewing it.
- Presentation: This is the final step, in which the analyzed data is presented in front of the court to solve cases.

Finding Evidence on the PC

Digital Evidence Collection in Cybersecurity

In the early 80s PCs became more popular and easily accessible to the general population. This also led to the increased use of computers in all fields, and criminal activities were no exception to this. As more and more computer-related crimes began to surface, like computer fraud, software cracking, etc., the computer forensics discipline emerged along with them. Today digital evidence collection is used in the investigation of a wide variety of crimes such as fraud, espionage, cyberstalking, etc. The knowledge of forensic experts and their techniques is used to explain the contemporaneous state of the digital artifacts from the seized evidence, such as computer systems, storage devices (like SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic documents such as emails, images, documents, chat logs, phone logs, etc.

Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:
- Data collection: In this process data is identified and collected for investigation.
- Examination: In the second step the collected data is examined carefully.
- Analysis: In this process, different tools and techniques are used and the collected evidence is analyzed to reach some conclusion.
- Reporting: In this final step all the documentation and reports are compiled so that they can be submitted in court.

Types of Collectible Data:

The computer investigators and experts who investigate the seized devices have to understand what kinds of potential evidence there could be and what type of evidence they are looking for, so that they can structure their search pattern. Crimes and criminal activities that involve computers can range across a wide spectrum; they could go from trading illegal things such as rare and endangered animals, to damaging intellectual property, to personal data theft, etc.
The investigator must pick the suitable tools to use during the analysis. Investigators can encounter several problems while investigating the case: files may have been deleted from the computer, they could be damaged, or they may even be encrypted. So the investigator should be familiar with a variety of tools, methods, and software to prevent the data from being damaged during the data recovery process.
There are two types of data that can be collected in a computer forensics investigation:
- Persistent data: It is the data that is stored on a non-volatile storage device such as a local hard drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on these devices is preserved even when the computer is turned off.
- Volatile data: It is the data that is stored in volatile memory such as registers, cache, or RAM, or that exists in transit, and that will be lost once the computer is turned off or loses power. Since volatile data is evanescent, it is crucial that an investigator knows how to reliably capture it.
Types of Evidence:
Collecting evidence is really important in any investigation to support the claims made in
court. Below are some major types of evidence.
 Real Evidence: physical or tangible evidence such as flash drives, hard drives, documents,
etc. An eyewitness can also be considered a form of tangible evidence.
 Hearsay Evidence: out-of-court statements that are offered in court to prove the truth of
the matter asserted.
 Original Evidence: evidence of a statement made by a person who is not a testifying
witness. It is offered to prove that the statement was made rather than to prove its truth.
 Testimony: testimony is given when a witness takes an oath in a court of law and makes a
statement. The evidence presented should be authentic, accurate, reliable and admissible, as
it can be challenged in court.
Challenges Faced During Digital Evidence Collection:
 Evidence must be handled with the utmost care, as data stored on electronic media can be
damaged easily.
 Collecting data from volatile storage.
 Recovering lost data.
 Ensuring the integrity of the collected data.
Information recovered from devices as digital evidence is becoming the fundamental ground for
law enforcement and courts all around the world. The methods used to extract information and
evidence must be robust, so that all related information and data are recovered and are
reliable. The methods must also be legally defensible, so that it can be shown that the original
evidence and data have not been altered in any way and that no data was deleted from or added
to the original evidence.

Types of computer forensics

There are multiple types of computer forensics depending on the field in which a digital
investigation is needed. The fields are:
 Network forensics: monitoring and analyzing the network traffic to and from the criminal’s
network. The tools used here are network intrusion detection systems and other automated
tools.
 Email forensics: the experts examine the criminal’s email and recover deleted email threads
to extract crucial information related to the case.
 Malware forensics: this branch deals with hacking-related crimes. The forensics expert
examines malware such as trojans to identify the attacker behind it.
 Memory forensics: collecting data from memory (cache, RAM, etc.) in raw form and then
retrieving information from that data.
 Mobile phone forensics: examining and analyzing the data held on mobile phones.
 Database forensics: examining and analyzing the data in databases and their related
metadata.
 Disk forensics: extracting data from storage media by searching for modified, active or
deleted files.

Techniques that cyber forensic investigators use

Cyber forensic investigators use various techniques and tools to examine the data. Some of
the commonly used techniques are:
 Reverse steganography: steganography is a method of hiding data inside a digital file,
image, etc. Cyber forensic experts reverse the steganography to analyze the hidden data and
relate it to the case.
 Stochastic forensics: the experts analyze and reconstruct digital activity without using
digital artifacts. Here, artifacts mean unintended alterations of data that occur from digital
processes.
 Cross-drive analysis: the information found on multiple computer drives is correlated and
cross-referenced to analyze and preserve information that is relevant to the investigation.
 Live analysis: the criminal’s computer is analyzed from within the running OS. It targets
the volatile data in RAM to obtain valuable information.
 Deleted file recovery: searching memory and storage for fragments of a partially deleted
file in order to recover it for evidence purposes.

Advantages

 Cyber forensics ensures the integrity of the computer.
 Through cyber forensics, many people, companies, etc. get to know about such crimes and
can take proper measures to avoid them.
 Cyber forensics finds evidence on digital devices and presents it in court, which can lead
to the punishment of the culprit.
 It efficiently tracks down the culprit anywhere in the world.
 It helps people and organizations protect their money and time.
The relevant data can be made trending and be used in making the public
Introduction of Computer Forensics


INTRODUCTION
Computer Forensics is a scientific method of investigation and analysis in order to gather
evidence from digital devices or computer networks and components which is suitable
for presentation in a court of law or legal body. It involves performing a structured
investigation while maintaining a documented chain of evidence to find out exactly what
happened on a computer and who was responsible for it.
TYPES
 Disk Forensics: It deals with extracting raw data from the primary or secondary
storage of the device by searching active, modified, or deleted files.
 Network Forensics: It is a sub-branch of Computer Forensics that involves
monitoring and analyzing the computer network traffic.
 Database Forensics: It deals with the study and examination of databases and their
related metadata.
 Malware Forensics: It deals with the identification of suspicious code and studying
viruses, worms, etc.
 Email Forensics: It deals with emails and their recovery and analysis, including
deleted emails, calendars, and contacts.
 Memory Forensics: Deals with collecting data from system memory (system
registers, cache, RAM) in raw form and then analyzing it for further investigation.
 Mobile Phone Forensics: It mainly deals with the examination and analysis of phones
and smartphones and helps to retrieve contacts, call logs, incoming and outgoing SMS, and
other data present on the device.

CHARACTERISTICS
 Identification: Identifying what evidence is present, where it is stored, and how it is
stored (in which format). Electronic devices can be personal computers, mobile phones,
PDAs, etc.
 Preservation: Data is isolated, secured, and preserved. It includes prohibiting
unauthorized personnel from using the digital device so that digital evidence,
mistakenly or purposely, is not tampered with and making a copy of the original
evidence.
 Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions
based on evidence.
 Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigations are documented.
 Presentation: All the documented findings are produced in a court of law for further
investigations.

PROCEDURE:
The procedure starts with identifying the devices used and collecting the preliminary
evidence at the crime scene. A court warrant is then obtained for the seizure of the
evidence, and the evidence is seized. The evidence is then transported to the forensics lab
for further investigation; the documented process of moving the evidence from the crime
scene to the lab, including every handover along the way, is called the chain of custody. The
evidence is then copied for analysis and the original evidence is kept safe, because analysis
is always done on the copy and never on the original.
The analysis is then carried out on the copied evidence to look for suspicious activity, and
the findings are documented in a non-technical tone. The documented findings are then
presented in a court of law for further investigation.
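As an added worked example (not part of these notes or of any forensic product), the preservation and copy-before-analysis steps above in Python: hash the original media, make the working image, prove the two are bit-identical, and append each step to a chain-of-custody record. Re-hashing the image before every analysis session shows whether the copy is still trustworthy. The exhibit id, handler name and the sample drive bytes are constructed; hashing is done in fixed-size chunks so a full disk image need not fit in memory.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so multi-GB images need not fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} computed over everything readable from stream.

    Recording two independent hashes is common practice: an MD5 collision on its
    own does not let anyone substitute an image that also matches the SHA-256.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (small test images, carved files)."""
    return hash_stream(io.BytesIO(data), algorithms)


class CustodyLog:
    """Append-only chain-of-custody record: who touched the exhibit, when, and
    what its hashes were at that moment."""

    def __init__(self, exhibit_id):
        self.exhibit_id = exhibit_id
        self.entries = []

    def record(self, action, handler, hashes, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({
            "exhibit_id": self.exhibit_id,
            "time": when.isoformat(),
            "action": action,
            "handler": handler,
            "hashes": dict(hashes),
        })
        return self.entries[-1]


def acquire_image(source, exhibit_id, handler, log):
    """Create the working copy from a read-only source and prove it is bit-identical.

    `source` stands in for the original drive; a real acquisition reads it through
    a write blocker.  Returns (image, reference_hashes).
    """
    reference = hash_stream(io.BytesIO(source))
    log.record("hash original media", handler, reference)
    image = bytes(source)                      # bit-for-bit copy analysts work on
    copy_hashes = hash_stream(io.BytesIO(image))
    log.record("create working image", handler, copy_hashes)
    if copy_hashes != reference:
        raise RuntimeError("working image does not match original media")
    return image, reference


def verify_image(image, reference_hashes):
    """Re-hash before (and after) every analysis session; any mismatch means the
    copy can no longer be relied on and a fresh image must be made."""
    return hash_bytes(image, tuple(reference_hashes)) == reference_hashes


# Constructed sample "drive": a fake boot sector followed by filler bytes.
SAMPLE_DRIVE = b"FAKEBOOT" + bytes(range(256)) * 16


if __name__ == "__main__":
    log = CustodyLog("EXH-001")            # constructed exhibit id
    image, reference = acquire_image(SAMPLE_DRIVE, "EXH-001", "analyst A", log)
    print("working image verified:", verify_image(image, reference))
    for entry in log.entries:
        print(entry["time"], entry["action"], entry["hashes"]["sha256"][:16])
```

A single flipped bit in the working copy makes `verify_image` return False, which is the property a court will ask the examiner to demonstrate.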
Some Tools used for Investigation:
Tools for Laptop or PC:
 COFEE – A suite of tools for Windows developed by Microsoft.
 The Coroner’s Toolkit – A suite of programs for Unix analysis.
 The Sleuth Kit – A library of tools for both Unix and Windows.
Tools for Memory:
 Volatility
 WindowsSCOPE
Tools for Mobile Devices:
 Micro Systemation XRY/XACT
APPLICATIONS
 Intellectual Property theft
 Industrial espionage
 Employment disputes
 Fraud investigations
 Misuse of the Internet and email in the workplace
 Forgery-related matters
 Bankruptcy investigations
 Issues concerning regulatory compliance
Advantages of Computer Forensics:
 It produces evidence for the court, which can lead to the punishment of the culprit.
 It helps companies gather important information when their computer systems or
networks may have been compromised.
 It efficiently tracks down cyber criminals from anywhere in the world.
 It helps to protect the organization’s money and valuable time.
 It allows investigators to extract, process and interpret the factual evidence, so that the
cybercriminal’s actions can be proved in court.
Disadvantages of Computer Forensics:
 Before digital evidence is accepted in court, it must be proved that it has not been
tampered with.
 Producing and keeping electronic records safe is expensive.
 Legal practitioners must have extensive computer knowledge.
 Authentic and convincing evidence must be produced.
 If the tool used for digital forensics does not meet the specified standards, the evidence
can be rejected by the court.
 A lack of technical knowledge on the part of the investigating officer might not produce
the desired result.

Finding Evidence in System Logs

System logs provide digital footprints and time stamps of exactly what occurred on a device
at any given time, actions taken, and can usually tie changes back to specific users.

Logs are so important to businesses that regulations, such as the Federal Rules of Civil
Procedure (FRCP), require corporations to securely manage logs for incident response
support and forensic analysis in potential breaches or crimes.

Not all logs are created equal, and logs can quickly overwhelm security staff if excessive
logs that provide little security value are captured.

For example, firewalls can generate millions of debug logs daily that have no intrinsic value
to investigations, so companies are advised against storing irrelevant debug data.

As a security engineer at Tripwire, I typically advise clients to prioritize capturing the
following logs at a minimum:

 Network device
 Business critical server audit
 Critical system file change
 User authentication
 Business critical database
 Logs of all actions tied to administrator accounts for offsite storage
 Active directory
 Management account
 Security appliances and/or applications

It is important to note that system and audit logging differs among operating systems and
network infrastructure.

For example, root is used for administrator and elevated privileges in Unix systems, but not
Windows. Therefore, security staff should build their logging strategy according to vendor
best practices.

More importantly, security professionals should consult with business units, including legal,
to align the strategy with business requirements. This will ensure that all regulatory mandates
are covered and that risks are being properly evaluated from a holistic approach.

Log Collection & Examination Challenges

The biggest log collection and examination challenge is the overwhelming amount of data being
generated daily. The Cloud Security Alliance estimates that some large enterprises generate 1
trillion events per day, a number that grows as more data sources are added, more people are
hired, or more data is moved to the cloud.

Another issue is gaps in logs. Although the number 1 control on the Top 20 Critical Security
Controls is asset management, many companies still struggle with identifying and classifying
all of their assets.

If the business is not aware that assets exist, then it cannot log the security events needed to
aid forensic investigations.

Finally, extremely large and disparate data sets make it nearly impossible for forensics
experts to correlate actionable intelligence with criminal activity.

Chief Security Officer Preston Woods concurs. In a 2012 interview, he stated that his direct
reports were “swimming in data but had a hard time turning that into action”.

If the people on teams that are familiar with their environments are overwhelmed, then it will
be extremely difficult for investigators to compile cohesive logs that contain actionable
intelligence.

These challenges show that the biggest log collection and examination issues organizations
face are the voluminous amounts of data being generated.
Log Priority in Intrusions, Malware, and File Deletion Events

Similar to other forensics sources, logs can contain relevant forensics data to help reconstruct
all events on a system and tie actions to specific users. However, the value of the log data will
be determined by whether gaps exist, proper events were logged on each system, and the
availability of archived logs during the time frame in question.

Many companies only store logs for the amount of time and in the quantity required by law,
and their data retention policies govern which logs are kept for specific purposes. Although
logs are useful for forensic investigations, they are more important to some event types than
others.

Let’s review prioritization aspects of logs in network intrusions, malware installs, and file
deletions.

Log Priority in Network Intrusions: Primary

Logs from intrusion detection/prevention systems, firewalls, routers, and switches are critical
during network intrusion investigations.

In the event of a breach, logs from network infrastructure should be the first data sources
under review. These logs can be correlated in security analytics tools to establish a timeline
of events and help determine what actions should be taken.

Log Priority in Malware Installations: Secondary

Logs can be a good source of relevant data for malware installations, but evidence of
malware will usually appear in file system changes first.

For example, malware typically alters critical system files to phone home to command and
control servers as an authenticated user to hide itself as long as possible. The fact that the user
is authenticated will allow the activity to continue unnoticed.


In my professional experience, changes to critical system files, such as .dll files, will identify
the anomalous activity.

For this reason, logs are considered secondary sources for malware installations.

Log Priority in Insider File deletions: Primary

Logs can be modified or deleted to cover up evidence of tampering and malicious activity. They
can be used in certain situations for attribution, depending on the level of logging on the
systems, but they are not the most reliable form of attribution. Therefore, logs are secondary
for file system deletions.
Summary of key findings:

Logs provide digital footprints and time stamps of exactly what occurred on a device at any
given time, actions taken, and can usually tie changes back to specific users. The main issues
with logs include gaps in coverage, availability of archived log data, and voluminous
amounts of data that can be overwhelming.

Not all data sources are created equal, and security professionals must understand how to
rank sources in order of importance.

Logs are a primary forensics data source in network intrusions and insider file deletions.
However, logs are a secondary source in malware investigations because evidence typically
presents itself in file system changes first.
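To make the points above concrete (tying actions to users, building a timeline, and spotting gaps in coverage), here is an added Python example written for these notes, not from Tripwire or any product. It parses a handful of constructed syslog-style sshd and sudo lines, then flags a successful login that follows a burst of failures, an hour-long silence in the log, and privileged commands that touch the log directory itself. The year is an assumption because syslog timestamps omit it; hostnames, users and addresses are sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from a real system).  Syslog timestamps
# carry no year, so parse_log() takes the year as an argument.
SAMPLE_LOG = """\
Jan 15 10:02:11 srv01 sshd[2201]: Failed password for alice from 203.0.113.45 port 51022 ssh2
Jan 15 10:02:15 srv01 sshd[2201]: Failed password for alice from 203.0.113.45 port 51023 ssh2
Jan 15 10:02:19 srv01 sshd[2201]: Failed password for alice from 203.0.113.45 port 51024 ssh2
Jan 15 10:02:31 srv01 sshd[2205]: Accepted password for alice from 203.0.113.45 port 51030 ssh2
Jan 15 10:05:02 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm /var/log/auth.log.1
Jan 15 14:40:10 srv01 sshd[3120]: Accepted publickey for bob from 198.51.100.7 port 40112 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(TS + r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_log(text, year):
    """Turn raw lines into a time-ordered list of event dicts (the timeline)."""
    events = []
    for line in text.splitlines():
        if m := SSHD_RE.match(line):
            kind = "auth_ok" if m["result"] == "Accepted" else "auth_fail"
            detail = f"{m['result']} login from {m['src']}"
        elif m := SUDO_RE.match(line):
            kind, detail = "sudo", m["cmd"]
        else:
            continue  # unparsed line; in production count these, they hide coverage gaps
        events.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "kind": kind, "detail": detail,
            "src": m.groupdict().get("src"),   # sudo lines have no source address
        })
    events.sort(key=lambda e: e["time"])
    return events


def actions_by_user(events):
    """Tie every logged action back to the account that performed it."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append((e["time"], e["kind"], e["detail"]))
    return dict(per_user)


def find_brute_force_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures for the same
    user from the same source within `window`."""
    recent_fails = defaultdict(list)          # (user, src) -> failure times
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["kind"] == "auth_fail":
            recent_fails[key].append(e["time"])
        elif e["kind"] == "auth_ok":
            fails = [t for t in recent_fails[key] if e["time"] - t <= window]
            if len(fails) >= threshold:
                hits.append({"user": e["user"], "src": e["src"],
                             "failures": len(fails), "success_at": e["time"]})
            recent_fails[key] = []
    return hits


def find_coverage_gaps(events, max_gap=timedelta(hours=1)):
    """Silence longer than max_gap on a host that normally logs steadily is a gap
    to explain: host offline, logging disabled, or log lines removed."""
    return [(prev["time"], cur["time"])
            for prev, cur in zip(events, events[1:])
            if cur["time"] - prev["time"] > max_gap]


def find_log_tampering(events, log_dirs=("/var/log",)):
    """Privileged commands that touch the log directories themselves: logs are
    often modified or deleted to cover up activity, so these need a second look."""
    return [e for e in events
            if e["kind"] == "sudo" and any(d in e["detail"] for d in log_dirs)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG, 2024)        # assumed year
    print("brute force:", find_brute_force_logins(evts))
    print("gaps:", find_coverage_gaps(evts))
    print("log tampering:", [e["detail"] for e in find_log_tampering(evts)])
```

In practice the same per-user timeline is built from several sources at once (firewall, IDS, directory audit logs) and the coverage-gap check is run per host, since a four-hour silence on one server says nothing about the others.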
Log Forensics: The Basics of Finding Intel in Your Logs
Today’s post covers yet another log-related concept: log forensics. What’s this, and why
should your organization care about it?

Well, this is a topic related to logs, which are ubiquitous in the technology field. An IT
organization that doesn’t generate many MBs worth of logs each day would be a rare
occurrence nowadays.

Even though logs are omnipresent, specific terms might not be so well-known. Not long
ago, we covered log analytics, and today it’s log forensics time.

This post starts similarly to the log analytics one, by providing a brief overview of logging
and its value to an organization. If you have experience with logging, you can skip this
section without missing anything.

Then we get to the meat of the post, where we define log forensics, explain what it’s used
for, and how it differs from other approaches, such as log analytics. Let’s get started.

The Value of Logging

As promised, before we start covering log forensics itself, we’ll do a quick overview of
logging. What is logging all about?

In a nutshell, logging consists of recording information about what a system—for instance,
an application—does when executing. We write these recordings to some persistent
medium, such as a database table or a file on disk. That way, we can access such
information afterward and review it, but why would that be a desirable thing?

The primary use for logging of any kind is troubleshooting. Reading through log entries
gives you this sort of time-travel power. By reading application logs, for instance, you can
retrace the actions a user performed in an application, so you can understand and fix a
problem.

Using logs only that way, though, really amounts to a reactive use. Don’t get me wrong:
using logging to understand and fix problems is an amazingly useful approach. But at the
end of the day, you’re leaving money on the table if you can’t put your logs to work for you
in a more proactive manner.

That’s where approaches like log analytics come in handy, since they allow you to use your
logs in a more proactive manner, by extracting insights from them and potentially preventing
problems before they happen.

How exactly does log forensics fit into this picture? How does it differ from log analytics?
That’s what we’re going to see next.

Enter Log Forensics

We’ve just given you a quick overview of logging. Now you understand what logging is
and why it matters if you didn’t know that already.
With that out of the way, we’re ready to get to the topic that gives the post its name: log
forensics.

Log Forensics: How to Define It?


Log forensics, in a nutshell, consists of log analytics applied to computer forensics.
Let’s break that down by first explaining what we mean by computer forensics.

Defining Computer Forensics


SearchSecurity defines the term as follows:

Computer forensics is the application of investigation and analysis techniques to gather and
preserve evidence from a particular computing device in a way that is suitable for
presentation in a court of law. The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of evidence to find out exactly what
happened on a computing device and who was responsible for it.

Another interesting and shorter definition is this one by Anton Chuvakin:

Computer forensics is (the) application of the scientific method to digital media in order to
establish factual information for judicial review.

So, we could think of computer forensics as an interesting intersection between technology
and the law. In other words, computer forensics consists of putting technical knowledge in
service of the law.

Defining Log Analytics

Now we’ll offer a brief definition of a term we’ve mentioned a few times throughout this
post: log analytics.

We actually have a whole post on the topic, and we recommend you read it. But in any case,
here you have the definition we gave to log analytics there:

Log analytics means taking an active approach to logging, instead of a passive/reactive
one. It means analyzing log entries to better understand our applications, to be one step
ahead and solve problems as quickly as possible—or prevent them before they happen.

Since log forensics involves log analytics, the definition above makes it obvious that log
forensics is much more involved than just looking at log entries.
Since we’ve already defined both computer forensics and log analytics, we’re ready to put
the two together to come up with a proper definition of log forensics.

Putting the Two Together

Log forensics is, in short, the fusion between computer forensics and log analytics. Putting
the two concepts together, we can come up with a definition like this:

Log forensics means using log analytics in forensics. In other words, it means to perform
analysis on log entries, in order to extract knowledge and insights from them, but with a
very specific goal in mind: to establish factual information for judicial review.

I’ve seen log forensics be described as an intersection between law, science, and
technology, and that’s not a bad way to put it. We could think of log forensics as a
specialization of log analytics geared toward judicial investigations.

So, what is log forensics useful for? Does your organization need to care about it? That’s
what the next section will cover.

Log Forensics: What Is It For?

We’ve just defined log forensics, but you might still be wondering what its applications are.
It all boils down to security.

In short, log forensics is part of an incident response strategy. “Incident” here refers to
security incidents. Those might be harmless, routine events, but might also be more severe
occurrences, such as hacks or crimes.

What follows is a non-exhaustive list of scenarios in which computer forensics—and log
forensics more specifically—might be essential:

 Finding the vulnerability which was exploited to allow an intrusion
 Finding proof of a crime or hack
 Enabling data recovery from disasters
 Tracking the activities of a malicious actor
Log Forensics vs. Log Analytics

Finally, as mentioned before, we’ll understand how log forensics differs from log
analytics. The two approaches are meant to extract useful insights from logs, so these can
be used to solve or even prevent problems and help in decision making. So, what is the
difference, if there is any?
Basically, the difference resides in the overall goals of the two approaches. Log analytics
means just analyzing the logs to learn something. Log forensics, on the other hand, has
judicial purposes.

In other words, we can think of log forensics as a specialization of log analysis. And since
log forensics is also a form of computer forensics, you can expect a greater degree of
strictness, norms and regulations. That’s because, as we’ve mentioned, computer
forensics belongs to the realm of law. It has become an area of scientific expertise, with
accompanying coursework and certification.

Getting Back Deleted Files

Recovering Deleted Digital Evidence


According to a survey, 93% of all information never leaves the digital form. The majority
of information these days is being created, modified, and consumed entirely in digital form.
This means most spreadsheets and databases never make it on paper, and most digital
snapshots never get printed. In this article, we will discuss methods and techniques to
recover deleted digital evidence.

What is Digital Evidence?

Digital evidence is any information that is stored or transmitted in digital form that a party
can use in court at the time of trial. Digital evidence can be audio files and voice recordings,
address books and contact lists, backups of various programs (including backups of mobile
devices), browser history, cookies, databases, compressed archives (ZIP, RAR, etc.) including
encrypted archives, and so on.

Destroyed Evidence

In a criminal or cyber-criminal case, attempts to destroy the evidence are very common.
Such attempts can be more or less successful depending upon the following conditions:

 The action taken to destroy the evidence.
 The time available to destroy the evidence.
 The type of storage device, e.g. magnetic hard drive, flash memory card or SSD.
In this section, we discuss some of the methods used to destroy evidence and ways to
recover the destroyed evidence.

Deleted Files
Deleting files is the easiest, most convenient and most common way to destroy evidence,
whether using the “Delete” key or “Shift+Delete”. Recovery of deleted files relies on the
fact that Windows does not wipe the contents of a file when it is deleted. Instead, the file
system record storing the exact location of the deleted file on the disk is marked as
“deleted”, and the disk space previously occupied by the file is labeled as available – but it
is not overwritten with zeroes or other data.

 A deleted file can be retrieved by analyzing the contents of the Recycle Bin, where files
are stored temporarily before being erased.
 If a deleted file leaves no trace in the Recycle Bin, as with the “Shift+Delete” command,
commercial recovery tools can be used to recover the deleted evidence. One example of
such a commercial tool is DiskInternals Partition Recovery.
 By looking for the characteristic signatures of known file types while analyzing the file
system and/or scanning the entire hard drive, one can successfully recover:
   Files that were deleted by the user.
   Temporary copies of Office documents (including old versions and revisions of such
documents).
   Temporary files saved by many applications.
   Renamed files.
 Information stored in deleted files can be supplemented with data collected from other
sources. For example, the “chatsync” folder in Skype stores internal data that may contain
chunks and bits of user conversations. This means that if the “chatsync” folder exists, there
is a possibility of recovering user chats even if the Skype database has been deleted. Many
tools exist for this purpose, such as Belkasoft Evidence Center 2020.
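On Windows Vista and later the Recycle Bin keeps, for every deleted file, a small $I<id> metadata record holding the original path, size and deletion time alongside the renamed $R<id> data file, and the $I record often survives even after the data has been purged. The parser below is an added example for these notes (not from any of the tools named above); it handles the two record versions commonly documented (version 1, Vista to 8.1, with a fixed 520-byte path field; version 2, Windows 10 onward, with a length-prefixed path). The record it parses is constructed here, so the path, size and timestamp are sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to an aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used to build the sample record."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_recycle_bin_index(data):
    """Parse one $I record from $Recycle.Bin\\<user SID>\\ (SID path is a placeholder).

    Layout (both versions share the first 24 bytes):
      0x00  u64  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME
    Version 1 then has a fixed 520-byte UTF-16LE path (260 code units);
    version 2 has a u32 path length in code units (incl. the NUL) followed
    by the UTF-16LE path.
    """
    if len(data) < 24:
        raise ValueError("record too short to be a $I file")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (units,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + units * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_path": path, "size": size,
            "deleted_at": filetime_to_datetime(ticks)}


def build_recycle_bin_index(version, path, size, deleted_at):
    """Build a $I record; used here only to construct sample input."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed sample: a spreadsheet deleted on 15 Jan 2024 (not real data).
SAMPLE_DELETED_AT = datetime(2024, 1, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\ledger.xlsx"
SAMPLE_RECORD = build_recycle_bin_index(2, SAMPLE_PATH, 48_213, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    print(parse_recycle_bin_index(SAMPLE_RECORD))
```

Even when the matching $R file has been overwritten, the $I record still tells the examiner what was deleted, from where and when, which is often enough to direct carving at the right region of the disk.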

Formatted Hard Drives


Recovery of data from a formatted hard drive depends upon a lot of parameters. Information
from a formatted hard drive may be recoverable either using data carving technology or by
using commercial data recovery tools.
There are two possible ways to format a hard drive: Full Format and Quick Format.
Full Format – As the name suggests, this initializes the disk by creating a new file system on
the partition being formatted, and also checks the disk for bad sectors. Prior to Windows Vista,
a full format operation did not zero the disk being formatted. Instead, Windows would simply
scan the disk surface sector after sector, and unreliable sectors would be marked as “bad”. In
Vista and Windows 7, however, a full format operation will actually:

 Wipe the disk clean.
 Write zeroes onto the disk.
 Read the sectors back to ensure reliability.
Quick Format – This is never destructive except in the case of an SSD. A quick format simply
initializes the disk by creating a new file system on the partition being formatted.
Information from disks cleared using a quick format can be recovered by using one of the
data recovery tools that support data carving.

SSD Drives
SSDs (solid-state drives) represent a newer storage technology.

 They operate much faster than traditional drives.
 They employ a completely different way of storing information internally, which makes
it much easier to destroy information and much more difficult to recover it.
The culprit in SSDs is the TRIM command. According to a survey, TRIM enables an SSD to
completely wipe all deleted information in less than 3 minutes. This means that the TRIM
command effectively zeros all the information as soon as it is marked as deleted by the
operating system. Moreover, the effects of the TRIM command cannot be prevented even by
using write-blocking devices.
Traditional methods are not useful when trying to recover deleted data from an SSD, or any
information from an SSD formatted with either a full or a quick format. This means the
traditional methods can be used for data recovery on an SSD only when the TRIM command
is not issued, or at least one of the components does not support TRIM. The components
include:

 Version of the operating system: Windows Vista and Windows 7 support the TRIM
command; Windows XP and earlier versions typically do not.
 Communication interface: SATA and eSATA support TRIM, while external enclosures
connected via USB, LAN or FireWire do not.
 File system: Windows supports TRIM on NTFS volumes but not on FAT-formatted disks.
Linux, on the other hand, supports TRIM on all types of volumes, including those formatted
with FAT.

Data Carving
Carving means bit-precise and sequential examination of the entire content of the hard
drive. The concept of Data Carving is completely different from File Recovery. Carving
allows:

 Identifying particular signatures or patterns that may give a clue that some interesting
data can be stored in a particular spot on the disk.
 Locating various artifacts that would not be available otherwise.
Data Carving is truly amazing when looking for destroyed evidence. In the case of data
carving, investigators don’t need to rely on files as they may be partially overwritten,
fragmented and scattered around the disk. Data Carving has the following features when we
are dealing with the text content:

 Text information is the easiest to recover.
 Blocks containing text data are filled exclusively with numeric values belonging to a
narrow range that represents letters, numbers and symbols.
 When carving for text data, investigators have to take various languages and text
encodings into account. For example, the Turkish character set differs from Latin, and
neither has anything in common with Arabic, Chinese or Korean writing.
 Different encodings must be taken into account when looking for text in each supported
language.
 By analyzing the information read from the disk in terms of a specific language and a
specific encoding, one can typically detect text information.
In the case of binary data:

 Binary data is much more random.
 It is easy to detect the beginning and end of each text block by counting the number of
characters that do not belong to a given language/encoding combination.
 Once a set threshold is met, it is assumed that the algorithm has reached the end of a
given text block.
Limitations of Data Carving –

 Not all formats of data can be carved.
 Data carving is based on looking for characteristic signatures or patterns. For example,
JPEG files typically have the “JFIF” signature at the beginning, followed by the file header;
ZIP archives start with “PK” and PDF files begin with “%PDF”.
 Some files are true binary files without any fixed signature in their header, for example
QQ messenger files.
 Text-based files can be an issue in most cases, as there is a humongous number of
plain-text files that can be stored on a PC.
 Data carving cannot be used where special algorithms have been used to fill the disk
space previously occupied by sensitive information with cryptographically strong random
data.
 In “paranoid” mode, sensitive information is overwritten several times to make even the
best clean-room extraction impossible.
 If the sensitive information is not stored on a hard drive but in RAM, data carving is
impossible. The only feasible option here is “Live RAM Analysis”.
 Data carving is quite useless and impossible on SSDs.
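The two carving ideas above, signature-based carving (header/footer pairs for JPEG, PDF and ZIP) and text-block detection with a bad-byte threshold, as an added Python example written for these notes rather than taken from any carving tool. It runs over a constructed disk image built from filler bytes plus three fake files and a plain-text note; the signatures are the well-known ones, and the ZIP carver assumes an archive without a trailing comment. Note that the JPEG header a carver keys on is the SOI marker FF D8 FF; the “JFIF” text sits a few bytes further in.

```python
# Each entry: (type, header, footer, bytes of footer record to keep).
# JPEG: SOI marker FF D8 FF ... EOI marker FF D9.
# PDF:  "%PDF-" ... "%%EOF".
# ZIP:  local file header "PK\x03\x04" ... end-of-central-directory record
#       "PK\x05\x06", which is 22 bytes when the archive has no comment
#       (assumption made by this simplified carver).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 2),
    ("pdf",  b"%PDF-",        b"%%EOF",    5),
    ("zip",  b"PK\x03\x04",   b"PK\x05\x06", 22),
]


def carve_by_signature(image, max_size=10 * 1024 * 1024):
    """Scan the whole image for header/footer pairs and return carved files as
    dicts with type, start, end and data.  No file system metadata is consulted,
    which is why carving still works on deleted or partially overwritten data."""
    found = []
    for name, header, footer, keep in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += keep
                found.append({"type": name, "start": pos, "end": end,
                              "data": image[pos:end]})
                pos = image.find(header, end)
            else:
                pos = image.find(header, pos + 1)   # header without footer: skip it
    return sorted(found, key=lambda f: f["start"])


# Byte classes for one language/encoding: printable ASCII plus tab, LF, CR.
# Other languages and encodings need their own tables.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def _flush(blocks, image, start, last_good, min_length):
    if last_good - start + 1 >= min_length:
        chunk = image[start:last_good + 1]
        blocks.append({"start": start, "end": last_good + 1,
                       "text": chunk.decode("ascii", errors="replace")})


def carve_text_blocks(image, min_length=16, max_bad_run=3):
    """Find runs of text-like bytes.  A block ends once more than max_bad_run
    consecutive bytes fall outside TEXT_BYTES (the threshold rule described
    above); runs shorter than min_length are discarded as noise."""
    blocks = []
    start = last_good = None
    bad = 0
    for i, b in enumerate(image):
        if b in TEXT_BYTES:
            if start is None:
                start = i
            last_good, bad = i, 0
        elif start is not None:
            bad += 1
            if bad > max_bad_run:
                _flush(blocks, image, start, last_good, min_length)
                start, last_good, bad = None, None, 0
    if start is not None:
        _flush(blocks, image, start, last_good, min_length)
    return blocks


# Constructed disk image (no real files): non-text filler with no signatures,
# a minimal fake JPEG, a fake PDF, a plain-text note and a fake empty ZIP.
FILLER = bytes(range(0x80, 0x100)) * 2
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 40 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
FAKE_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"PK\x05\x06" + b"\x00" * 18
NOTE = b"transfer 4,800 to account 7731 before the audit on friday"
DISK_IMAGE = (FILLER + FAKE_JPEG + FILLER + FAKE_PDF + FILLER + NOTE
              + FILLER + FAKE_ZIP + FILLER)

if __name__ == "__main__":
    for f in carve_by_signature(DISK_IMAGE):
        print(f["type"], f["start"], f["end"], len(f["data"]), "bytes")
    for blk in carve_text_blocks(DISK_IMAGE):
        print("text @", blk["start"], repr(blk["text"][:40]))
```

The PDF shows up twice, once as a carved file and once as a text block, because a PDF skeleton is itself ASCII; a real carver de-duplicates overlapping hits and validates each candidate (for example by parsing the JPEG segment table) before reporting it.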

Criteria for recovering deleted data: Mobile Devices vs. Computers

Common Tools
 Mobile Devices: Cellebrite UFED; Oxygen Forensics; MSAB XRY
 Computers: EnCase; FTK (Forensic Toolkit); Recuva
Initial Steps
 Mobile Devices: Ensure the device is charged. Place the device in airplane mode to prevent
remote wipes or updates. Use a write blocker if connecting to another device.
 Computers: Isolate the computer from the internet. Boot from a forensic live CD/USB to
prevent data alteration. Use a write blocker before accessing hard drives.
Data Acquisition
 Mobile Devices: Logical acquisition for accessible files. Physical acquisition for a bit-by-bit
copy of the entire device, including deleted files.
 Computers: Logical extraction of active files. Physical imaging of the entire drive, allowing
access to deleted data.
Challenges
 Mobile Devices: Encryption and passcodes can restrict access. Data may be overwritten by
new data, especially on heavily used devices.
 Computers: Overwritten data may not be recoverable. Encryption can complicate data
retrieval.
Data Analysis
 Mobile Devices: Analyze file system artifacts to identify paths for deleted files. Use
specialized software to recover deleted data segments.
 Computers: Scan the disk image for known file headers (file carving) to recover deleted
files. Analyze file system metadata for traces of deleted files.
Preservation
 Mobile Devices: Store recovered data securely, maintaining encryption. Document the
process and maintain chain of custody.
 Computers: Securely store digital copies of recovered files. Maintain comprehensive
documentation for legal admissibility.
Reporting
 Mobile Devices: Provide detailed reports on the methods used for recovery and findings.
Include timestamps and metadata for relevance.
 Computers: Draft detailed reports including the recovery process, tools used, and files
recovered. Highlight any potential evidence pertinent to the case.
Ethical Considerations
 Mobile Devices: Adhere to privacy laws and guidelines. Only access data relevant to the
investigation.
 Computers: Respect privacy and data protection laws. Ensure actions are authorized and
within the scope of the investigation.

Operating System Utilities

What is Operating system forensics?


Definition: Operating System Forensics is the process of retrieving useful information from
the Operating System (OS) of the computer or mobile device in question. The aim of
collecting this information is to acquire empirical evidence against the perpetrator.

Overview: The understanding of an OS and its file system is necessary to recover data for
computer investigations. The file system provides an operating system with a roadmap to data
on the hard disk. The file system also identifies how the hard drive stores data. There are many
file systems introduced for different operating systems, such as FAT, exFAT, and NTFS for
Windows Operating Systems (OSs), and Ext2fs, or Ext3fs for Linux OSs. Data and file
recovery techniques for these file systems include data carving, slack space, and data hiding.
Another important aspect of OS forensics is memory forensics, which incorporates virtual
memory, Windows memory, Linux memory, Mac OS memory, memory extraction, and swap
spaces. OS forensics also involves web browsing artifacts, such as messaging and email
artifacts. Some indispensable aspects of OS forensics are discussed in subsequent sections.

What are the types of Operating systems?


The most popular types of Operating Systems are Windows, Linux, Mac, iOS, and Android.

Windows

Windows is a widely used OS designed by Microsoft. The file systems used by Windows
include FAT, exFAT, NTFS, and ReFS. Investigators can search for evidence by analyzing
the following important locations in Windows:

 Recycle Bin: This holds files that have been discarded by the user. When a user
deletes files, a copy of them is stored in the Recycle Bin. This process is called “Soft
Deletion.” Recovering files from the Recycle Bin can be a good source of evidence.
 Registry: Windows Registry holds a database of values and keys that give useful
pieces of information to forensic analysts. For example, see the table below that
provides registry keys and associated files that encompasses user activities on the
system.
 Thumbs.db Files: These have images’ thumbnails that can provide relevant
information.
 Browser History: Every Web Browser generates history files that contain significant
information. Microsoft Windows Explorer is the default web browser for Windows
OSs. However, some other supported browsers are Opera, Mozilla Firefox, Google
Chrome, and Apple Safari.
 Print Spooling: This process occurs when a computer prints files in a Windows
environment. When a user sends a print command from a computer to the printer, the
print spooling process creates a “print job” to some files that remain in the queue
unless the print operation is completed successfully. Moreover, the printer
configuration is required to be set in either EMF mode or RAW mode. In a RAW
mode, the print job merely provides a straight graphic dump of itself, whereas with an
EMF mode, the graphics are converted into the EMF image format (Microsoft
Enhanced Metafile). These EMF files can be indispensable and can provide
empirical evidence for forensic purposes. The path to the EMF files is
\Winnt\system32\spool\printers for Windows NT and 2000, and
\Windows\system32\spool\printers for Windows XP/2003/Vista/2008/7/8/10. OS forensic
tools can automatically detect the path; there is no need to define it manually.

A Real-world scenario involving print job artifacts

A love triangle of three Russian students led to the high-profile murder of one of them. A
female defendant stalked her former lover for a couple of months in order to kill his new
girlfriend. One day, she found the right moment and drove to her boyfriend’s apartment
where his new girlfriend was alone. She murdered the girl and tried not to leave any evidence
behind to assist the investigation process. However, she had used her computer extensively
in the plotting of the crime, a fact that later provided strong material evidence during the
entire process of her trial. For example, she made three printouts of directions from her
home to her boyfriend’s apartment.

The forensic examiners took her computer into custody and recovered the spool files (the
EMF files) from her computer. One of the three pages within the spool files provided
substantial evidence against the defendant. The footer at the bottom of the page
contained the defendant’s address and her former lover’s address, including the date and
time when the print job was performed. This evidence later proved to be the final nail in her
coffin.

Linux

Linux is an open source, Unix-like, and elegantly designed operating system that is
compatible with personal computers, supercomputers, servers, mobile devices, netbooks, and
laptops. Unlike other OSs, Linux holds many file systems of the ext family, including ext2,
ext3, and ext4. Linux can provide empirical evidence if a Linux-embedded machine is
recovered from a crime scene. In this case, forensic investigators should analyze the
following folders, directories, and files.

/etc [%SystemRoot%/System32/config]

This is the system configuration directory; it holds separate configuration files for each
application.

/var/log

This directory contains application logs and security logs. They are kept for 4-5 weeks.

/home/$USER

This directory holds user data and configuration information.

/etc/passwd

This file holds user account information.

Mac OS X

Mac OS X is the UNIX-based operating system that contains a Mach 3 microkernel and a
FreeBSD-based subsystem. Its user interface is Apple-like, whereas the underlying
architecture is UNIX-like.

Mac OS X offers a novel technique to create a forensic duplicate. To do so, the perpetrator’s
computer should be placed into a “Target Disk Mode.” Using this mode, the forensic
examiner creates a forensic duplicate of perpetrator’s hard disk with the help of a Firewire
cable connection between the two PCs.

iOS

Apple iOS is the UNIX-based operating system first released in 2007. It is a universal OS for
all of Apple’s mobile devices, such as iPhone, iPod Touch, and iPad. An iOS embedded
device retrieved from a crime scene can be a rich source of empirical evidence.

Android

Android is Google’s open-source platform designed for mobile devices. It is widely used as
the mobile operating system in the handset industry. The Android operating system runs on
a Linux-based kernel which supports core functions, such as power management, network
infrastructure, and device drivers. Android’s Software Development Kit (SDK) contains a
very significant tool for generic and forensic purposes, namely Android Debug Bridge
(ADB). ADB employs a USB connection between a computer and a mobile device.

What are the examination steps in operating system forensics?


There are five basic steps necessary for the study of Operating System forensics. These five
steps are listed below:

1. Policies and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting

Data acquisition methods for operating system forensics


There are four data acquisition methods for Operating System forensics, and each can be used
for both static acquisition and live acquisition. These methods are:

Disk-to-image file: A forensic examiner makes one or more image copies of a drive
under the operating system in question. The tools used for this method are iLookIX, X-
Ways, FTK, EnCase, or ProDiscover.

Disk-to-disk copy: This works best when the disk-to-image method is not possible. Tools for
this approach include SnapCopy, EnCase, or SafeBack.

Disk-to-data file: This method creates a disk-to-data or disk-to-disk file.

Sparse copy of a file: This is the preferable method if time is limited and the disk has a
large volume of data storage.

For both Linux and Windows Operating Systems, write-blocking utilities with Graphical
User Interface (GUI) tools must be used so that the files can be accessed without being
modified. A Linux Live CD offers many helpful tools for digital forensics acquisition.

Data analysis for operating system forensics


Forensic examiners perform data analysis to examine artifacts left by perpetrators, hackers,
viruses, and spyware. They scan deleted entries, swap or page files, spool files, and RAM
during this process. These collected artifacts can provide a wealth of information with regard
to how malicious actors tried to cover their tracks and what they were doing to a system. For
example, recall the above love triangle of Russian students. The female defendant’s print
artifacts helped the forensic examiners to prove her culpability in the murder.

What tools are most useful when conducting operating system forensics?
Many tools can be used to perform data analysis on different Operating Systems. The most
common tools are described below.

Cuckoo Sandbox

This tool is mainly designed to perform analysis on malware. Cuckoo Sandbox takes
snapshots of virtual machines so that the investigator can compare the state of the system
before and after the attack of malware. Since malware mostly attacks Windows OS, Windows
virtual machines are used for this purpose. Figure 1 demonstrates malware’s behavior on a
network.

Forensic toolkit for Linux

Forensic specialists use a forensic toolkit to collect evidence from a Linux Operating System.
The toolkit comprises many tools such as dmesg, insmod, netstat, arp, route, hunter.o,
date, cat, pcat, and nc.

Helix

Helix is the distributor of the Knoppix Live Linux CD. It provides access to a Linux kernel,
hardware detection, and many other applications.
The Helix CD also offers some tools for Windows forensics, such as:

 Asterisk Logger
 Registry Viewer
 Screen Capture
 File Recovery
 Rootkit Revealer
 MD5 Generator
 Command Shell
 Security Reports
 IE Cookies Viewer
 Mozilla Cookies Viewer

X-Ways forensics

X-Ways Forensics offers a forensics work environment with some remarkable features, such
as:

 Disk imaging and cloning, including under Disk Operating System (DOS)
 Compatible with UDF, CDFS, ext2, ext3, NTFS, and FAT
 Views and dumps the virtual memory of running processes and physical RAM
 Gathers inter-partition space, free space, and slack space
 Mass hash calculations for files
 Ensures data authenticity with write protection feature
 Automated file signature check

These utilities can help in acquiring, analyzing, and evaluating digital evidence from
computers and other devices. The focus here is on the built-in utilities that come with
operating systems like Windows, macOS, and Linux, which forensic analysts often utilize
during the initial phases of an investigation.

1. Windows Utilities

 Event Viewer: Allows investigators to view logs and events that Windows records,
including system, security, and application events. This can help trace user activities,
system errors, and security incidents.
 Registry Editor (Regedit): Windows Registry stores configuration settings and options.
Investigators can examine installed software, user profiles, and system configurations.
 Task Manager and Resource Monitor: Provide insights into running processes, system
performance, network activity, and resource usage, which can be critical in identifying
malicious activities.
 Windows Search/Indexing Service: Useful for quickly locating files and data of interest
based on specific criteria such as file names, content, and properties.
 PowerShell: A powerful command-line shell that allows for advanced scripting and
automation. Forensic analysts can use PowerShell scripts to automate the collection and
analysis of forensic data.

2. macOS Utilities

 System Information: Provides detailed information about the hardware and system
configuration, including installed software and peripheral devices.
 Console: Allows access to system and application logs, which can provide valuable
information about system events and user actions.
 Disk Utility: Useful for managing disk drives and volumes including mounting,
unmounting, and encrypting drives, as well as creating disk images which are essential for
forensic duplication.
 Terminal: The command-line interface in macOS that enables investigators to use
powerful Unix commands for data searching, processing, and analysis.

3. Linux Utilities

 Grep: Command-line utility for searching plain-text data sets for lines that match a regular
expression. It's crucial for filtering and examining log files or specific datasets.
 dd: A command-line tool for converting and copying files. It can be used to create raw
disk images, a fundamental task in data forensics.
 Netstat: Helps in examining the network connections and listening ports, along with the
routing table. This is crucial for identifying active connections and potential backdoors.
 Foremost: An open-source forensic program to recover lost files based on their headers,
footers, and internal data structures. Although not built into Linux, it's commonly used in
forensic distros.

4. Cross-Platform Utilities

 Wireshark: Although not a built-in utility, it's an essential tool for capturing and analyzing
network packets. Available on Windows, macOS, and Linux, it provides deep insights into
network activities.
 File carving tools like scalpel and photorec can be used across different OSes for
recovering deleted files by scanning the disk's raw data.
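A minimal header/trailer carver over a raw image, added here as an example (it is not code from the notes, nor from scalpel, photorec or foremost), to show the signature-based recovery those tools perform using the JFIF, PK and %PDF signatures listed in the Data Carving section. The image is a flat byte string with no file system, built inside the script together with a region overwritten by random data, so it also shows why carving finds nothing after a "paranoid" wipe; the trailer values and the 64 KB fallback window are my assumptions.

```python
"""Signature-based file carving over a raw image.

Added example, not code from the notes. The header signatures are the ones
the notes list (JFIF, PK, %PDF); the trailers are the standard JPEG EOI
marker, the ZIP end-of-central-directory signature and the PDF %%EOF marker.
The image, the sample files and the 'wiped' region are all constructed here
so the script runs offline.
"""
import io
import random
import zipfile

# header bytes -> (file type, trailer bytes)
SIGNATURES = {
    b"\xff\xd8\xff\xe0\x00\x10JFIF": ("jpeg", b"\xff\xd9"),
    b"%PDF-": ("pdf", b"%%EOF"),
    b"PK\x03\x04": ("zip", b"PK\x05\x06"),
}
EOCD_TAIL = 18          # bytes that follow the ZIP EOCD signature (no comment)
MAX_CARVE = 64 * 1024   # assumed bound used when no trailer can be found


def carve(image: bytes):
    """Scan the whole image for known headers and return (offset, type, data)
    for each candidate file, sorted by offset. Files are found whether or not
    a file-system entry still points at them, which is the point of carving."""
    found = []
    for header, (kind, trailer) in SIGNATURES.items():
        pos = 0
        while (off := image.find(header, pos)) != -1:
            end = image.find(trailer, off + len(header))
            if end == -1:
                # Trailer missing (truncated or overwritten file): carve a
                # bounded window so one bad hit cannot swallow the image.
                end = min(off + MAX_CARVE, len(image))
            else:
                end += len(trailer) + (EOCD_TAIL if kind == "zip" else 0)
            found.append((off, kind, image[off:end]))
            pos = off + len(header)   # keep scanning; overlaps are reported too
    return sorted(found, key=lambda hit: hit[0])


def zip_names(data: bytes):
    """Helper for checking that a carved ZIP is intact: list its members."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_image():
    """Construct a small 'disk image': a JPEG, a PDF that is no longer
    referenced by any directory entry (its bytes are still in unallocated
    space), a real ZIP, and a region that was overwritten with random data.
    Returns the image and the [start, end) range of the wiped region."""
    rng = random.Random(7)  # fixed seed so the example is repeatable
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    zipblob = buf.getvalue()
    gap = b"\x00" * 512                       # empty sectors between files
    wiped = bytes(rng.getrandbits(8) for _ in range(512))
    image = gap + jpeg + gap + pdf + gap + zipblob + gap
    wiped_start = len(image)
    image += wiped + gap
    return image, wiped_start, wiped_start + len(wiped)


if __name__ == "__main__":
    img, ws, we = build_image()
    hits = carve(img)
    for off, kind, data in hits:
        print(f"offset {off:6d}  {kind:4s}  {len(data)} bytes")
    in_wiped = [h for h in hits if ws <= h[0] < we]
    print(f"candidates inside wiped region {ws}-{we}: {len(in_wiped)}")
```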

5. Automation and Scripting

 Bash scripting (Linux/macOS) and Batch/PowerShell scripting (Windows): Scripting
can automate the collection and analysis of forensic data, making the investigation process
more efficient.

6. Encryption and Secure Deletion Tools

 BitLocker (Windows), FileVault (macOS), and LUKS (Linux): Understanding these
tools is essential for dealing with encrypted volumes during an investigation.
 Shred (Linux) and similar utilities allow for secure deletion of files, ensuring they cannot
be recovered. Understanding these utilities can help in analyzing how an attacker or
suspect might have tried to cover their tracks.

Mobile Forensics: Cell Phone Concepts

Mobile Forensics:

Mobile forensics, a subtype of digital forensics, is concerned with retrieving data from an
electronic source. The recovery of evidence from mobile devices such as smartphones and
tablets is the focus of mobile forensics. Because individuals rely on mobile devices for so
much of their data sending, receiving, and searching, it is reasonable to assume that these
devices hold a significant quantity of evidence that investigators may utilize.
Mobile devices may store a wide range of information, including phone records and text
messages, as well as online search history and location data. We frequently associate mobile
forensics with law enforcement, but they are not the only ones who may depend on evidence
obtained from a mobile device.
Uses of Mobile Forensics:
The military uses mobile devices to gather intelligence when planning military operations or
terrorist attacks. A corporation may use mobile evidence if it fears its intellectual property is
being stolen or an employee is committing fraud. Businesses have been known to track
employees’ personal usage of business devices in order to uncover evidence of illegal
activity. Law enforcement, on the other hand, may be able to take advantage of mobile
forensics by using electronic discovery to gather evidence in cases ranging from identity theft
to homicide.

The Definition of Mobile Forensics

Mobile forensics is the process of acquisition and analysis of electronically stored
information to support or contest a premise in court proceedings and civil or criminal
investigations. The proliferation of mobile devices and the amount of data they hold has
made mobile forensics an indispensable resource for digital forensic investigators.
Mobile phone forensics overlaps with digital forensics but has many features of its own.
However, using this wealth of data to unearth the truth without compromising its integrity
requires you to handle and process the evidence very carefully.

What Information Should Be Looked for on Mobile Forensics?


Before discussing the process of mobile forensics, let’s ask ourselves an important question:
what kind of information can we extract from a mobile device and what are the possibilities?
Knowing the possibilities will make your mobile devices forensics process a lot more
fruitful.
Here, we will examine the complete process so that you can take full advantage of the
available mobile evidence.

 Media: Common media types include videos, pictures, and audio. Mobile devices are
capable of both generating and receiving media. A mobile device uses its camera and
microphone to generate media while it can receive media through the internet or a variety of
other sources. Many apps save media in a way that is accessible to all other apps on the
phone. On the other hand, some apps may save media in their proprietary format or even in
an encrypted form.
 Call Record: Call record information shows the contact information, time, and duration of
the calls made and received by a device. A user can also install a call recording app on the
device. In this case, the conversation between the parties can also be accessed through saved
audio files.
 Messages: There is a wide range of messaging apps, and they are capable of sending and
receiving almost all types of files as attachments. When looking for messages, you must
analyze all pre-installed and user-installed apps and collect relevant evidence.
 Contacts: Every mobile has one or more pre-installed apps to store contacts, but user-
installed apps may maintain their own database of contact. Analyzing contacts may offer
useful insights.
 Browsing Data: Web browsers save a lot of information about the websites you visit. They
store the web address along with media, and in many cases, login information of the websites.
 Task-Management Apps: Calendar entries, to-do lists, and notes can also offer useful
information to investigators.
 Location Data: Almost all modern smartphone and tablet devices have built-in GPS, and
depending on the user settings, many apps might be recording this data. Examining the apps
may enable you to correctly identify the time and location of the device at the time of your
interest. In addition to GPS, devices store location data based on the Wi-Fi networks and
cellphone towers they connect to.
 Other Data: Other useful data may include data generated by other apps, a word processor or
a spreadsheet for example. Useful data may be found in system files and logs as well.

Please note that these are examples of the most common data types, but there are many
others. Treat each mobile forensic case as unique and look for the data that is most
relevant to the case at hand.
Now that you know what to look for, let’s discuss the three steps of Mobile Forensics.

Seizure and Isolation


If you are the first one to lay hands on the device, proper seizure and isolation is the first
mobile forensics step that you should take. Seizure and isolation are not as simple as taking a
device into custody.
Knowing and carefully taking these points into account will make sure that the device
remains as accessible as possible.
 Preserving Lock State
If you have the device in an unlocked state, you should try your best to keep it that way.
Extracting data from an unlocked device is far easier and reliable compared to a locked
device. Most devices have a timeout period that dictates when the display will be turned off
and the device will be locked. You must access the device and change the lock setting before
the timeout period expires.

Extra precaution: in addition to the device’s default screen lock, look for other apps that
might lock or encrypt the device.

 Preserving Power State
You may find a device in a powered-on or powered-off state, and you should try to keep it in
the same power state. When a device is powered off and then turned on again, data stored in
the memory is lost and many system files are changed. You might need to attach the device to
a charger to keep it turned on for longer periods.
 Disconnecting From the Internet
Mobile phones keep working in the background even if the screen is locked. With an internet
connection, the activity of apps can change the files on the device even more. In most cases,
the data on a device can be erased permanently through a simple command sent through the
internet—not something you would like to happen. The most common method to disconnect
a device is to put it into airplane mode.
Faraday bags are another effective method to isolate and transport mobile devices to the
laboratory. Phone jammers are also used to block mobile signals, but if you have physical
access to the device, phone jammers might not be the best option.

Extraction & Recovery


The method of extracting and recovering mobile device data depends on the device and its
state. Let us discuss some common data extraction & recovery scenarios.

 When a device is unlocked
Data extraction and recovery are far easier and reliable if you find a device unlocked. You
can use the device’s own operating system and apps to view and export data. You can also
attach it to a PC and use a range of tools to extract current as well as deleted data from the
device. Mobile Forensic Tools like SPF Pro (SmartPhone Forensic System Professional) can
not only extract but recover data in a forensically sound manner, which would be a perfect fit
under this circumstance.
 When the device is locked
When a device is locked, you need to either break the passcode or use mobile forensics
tools that bypass the lock and give you access to the device data. The ability of software to
extract data from a locked device depends on the device and its settings.
 When a device is powered off
If a device is merely powered off, you can just turn it on and try to extract data. In many
cases, however, the device might be damaged and cannot be powered on. In such cases, you
might need to remove memory chips from the device and use specifically designed software
and hardware tools to extract data. Please note that this is an invasive process and must be
performed by trained professionals in a properly equipped digital forensics lab.

Levels of Data Extraction

 Manual Extraction: Opening apps and analyzing data on an unlocked device

 Logical Extraction: Copying files from the target mobile device to another device for
examination

 Hex Dumping / JTAG: A process where the debug interface of mobile devices is used to
extract raw data. This data needs further processing to be usable.

 Chip-off: Attaching memory chips of the target mobile device to specifically designed
hardware to extract data

 Micro Read: Micro read is a very technical process that requires examination of memory
chips through powerful microscopes. This method is not generally an option to extract data
due to its complexity.

Source: (Aya, Radina & Zeno, 2021)

Extraction and Integrity


Keeping the integrity of the evidence is one of the major concerns for an investigator, so you
want to keep the original evidence as unchanged as possible, although most modern digital
forensic investigation tools like SPF Pro should be able to extract and recover the required
information without affecting the integrity of the original evidence.
Meanwhile, complete device imaging is another technique where you create an exact replica
of the mobile device’s storage on your computer. This gives you the ability to experiment with
data extraction without the fear of losing original evidence.

Analysis

The analysis is the process of separating the relevant pieces of information from the jumble
and deducing inferences. The analysis part of the mobile forensics process tries to answer the
W questions: who, what, when, where, and why. To separate useful data, ask yourself the
following questions.

1. What is the general nature of the matter?
2. What is the focus of the examination?
3. What is the timeframe when the chain of events occurred?
4. What kind of possible evidence may support or contest the hypothesis?
5. How does the mobile forensic data relate to the other digital and non-digital evidence?

In an ideal situation with unlimited resources, you should be able to analyze all extracted data
and find relevant evidence. With a large amount of data extracted from modern mobile
devices, however, it is often not feasible to pay equal attention to every piece of information.
Thus, the answers to the above questions will help you focus on what matters the most.
By looking into SalvationDATA’s training center, you could learn an all-round analysis
thinking model after getting through the overall BASIC MOBILE FORENSICS
INVESTIGATOR course.

Mobile forensics use case from the SecurityScorecard forensics lab

Developed by Israel’s NSO Group, Pegasus is the most sophisticated mobile device
malware. It is mainly used by nation-states for intelligence gathering. However, it is
also occasionally abused for malicious activities.

What makes Pegasus so dangerous is that it is self-destructive malware, which makes
it very difficult to trace. It is capable of infecting a device with no user input. All a
hacker needs is their victim’s phone number. Once the malware is in the system, it can
track everything from phone calls and text messages to photos and passwords.

LIFARS (now part of SecurityScorecard) is very familiar with the tradecraft
associated with Pegasus attacks. We are adept at finding even the most minute
evidence of these attacks, even after Pegasus has “self-destructed” and “wiped” the
phone of any evidence of the penetration.

In early 2021, the LIFARS team analyzed multiple devices (iPhones) compromised by
the Pegasus spyware.

In analyzing all of the devices, we used Indicators of Compromise (IoCs) that we have
developed internally from our digital forensics work, as well as from collaborating
with other investigators.
Here are the first suspicious processes the LIFARS team identified:

Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name
1.6554 | 0.178541 | 0 | 0 | 2/1/2021 13:02:30 | wifip2ppd
0.007 | 0.0019 | 0 | 0 | 2/1/2021 13:02:31 | ABSCarryLog
29.8661 | 1.2749 | 99.8687 | 1.0464 | 2/1/2021 13:03:00 | misbrigd
1.6548 | 0.1939 | 0 | 0 | 2/11/2021 23:31:38 | cfprefssd
0.007 | 0.0019 | 0 | 0 | 2/11/2021 23:31:38 | gssdp
75.6967 | 7.6284 | 58.8612 | 4.99 | 2/11/2021 23:32:04 | libbmanaged

“misbrigd” and “libbmanaged” performed data exfiltration, meaning, these are system
artifacts that show what tools the Threat Actors used to take data out from the iPhone.

The libbmanaged process was running for over a week, based on a record from
the DataUsage.sqlite database:

Wifi In (MB) | Wifi Out (MB) | Wan In (MB) | Wan Out (MB) | Timestamp (UTC) | Process Name
0 | 0 | 7.99 | 5.07 | 2/19/2021 1:16:18 | libbmanaged

This implies not only data exfiltration, but also real time monitoring and voice
recording of the victim. This is important to note, since in most attacks threat actors
just want to get data and move on. This time, it seems monitoring was also part of
their key objective.
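Triage logic for per-process network-usage records like the ones quoted above, added here as an example that is not part of the case study or its authors' tooling. It loads the six records into an in-memory SQLite table with a simplified schema of my own (the real DataUsage.sqlite layout is not reproduced), flags processes that fall outside an assumed baseline or move more than an assumed volume of data, and computes how long each flagged process was observed; baseline, threshold and schema are all assumptions.

```python
"""Triage of per-process network usage records from a mobile device.

Added example, not the case study's own tooling. The records are the rows
quoted above, loaded into an in-memory SQLite table with a simplified
schema of my own (the real DataUsage.sqlite layout is not reproduced). The
baseline process names and the volume threshold are assumptions.
"""
import sqlite3
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed rows: (wifi_in, wifi_out, wan_in, wan_out, timestamp_utc, process)
RECORDS = [
    (1.6554, 0.178541, 0, 0, "2021-02-01 13:02:30", "wifip2ppd"),
    (0.007, 0.0019, 0, 0, "2021-02-01 13:02:31", "ABSCarryLog"),
    (29.8661, 1.2749, 99.8687, 1.0464, "2021-02-01 13:03:00", "misbrigd"),
    (1.6548, 0.1939, 0, 0, "2021-02-11 23:31:38", "cfprefssd"),
    (0.007, 0.0019, 0, 0, "2021-02-11 23:31:38", "gssdp"),
    (75.6967, 7.6284, 58.8612, 4.99, "2021-02-11 23:32:04", "libbmanaged"),
    (0, 0, 7.99, 5.07, "2021-02-19 01:16:18", "libbmanaged"),
]

# Assumed baseline: process names an examiner expects on a healthy device.
# In practice this comes from a known-good device of the same model and OS build.
BASELINE = {"wifip2ppd", "ABSCarryLog", "cfprefssd", "gssdp"}
VOLUME_MB = 20.0  # assumed threshold: more total traffic than this is worth a look


def load(records=RECORDS):
    """Build the in-memory table. The schema is a simplification for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usage (wifi_in REAL, wifi_out REAL, wan_in REAL,"
        " wan_out REAL, ts TEXT, proc TEXT)"
    )
    conn.executemany("INSERT INTO usage VALUES (?, ?, ?, ?, ?, ?)", records)
    return conn


def suspicious(conn, baseline=BASELINE, volume_mb=VOLUME_MB):
    """Aggregate traffic per process and return (proc, total_mb, first_seen,
    last_seen, reasons) for every process that is outside the baseline or
    exceeds the volume threshold, ordered by first appearance."""
    rows = conn.execute(
        "SELECT proc, SUM(wifi_in + wifi_out + wan_in + wan_out), MIN(ts), MAX(ts)"
        " FROM usage GROUP BY proc ORDER BY MIN(ts)"
    ).fetchall()
    flagged = []
    for proc, total, first, last in rows:
        reasons = []
        if proc not in baseline:
            reasons.append("not in baseline")
        if total > volume_mb:
            reasons.append(f"{total:.1f} MB total traffic")
        if reasons:
            flagged.append((proc, total, first, last, reasons))
    return flagged


def active_days(first_seen, last_seen):
    """Whole days between the first and last record of a process."""
    span = datetime.strptime(last_seen, TS_FMT) - datetime.strptime(first_seen, TS_FMT)
    return span.days


if __name__ == "__main__":
    for proc, total, first, last, reasons in suspicious(load()):
        print(f"{proc:12s} {total:8.2f} MB  seen {first} .. {last}"
              f" ({active_days(first, last)} days): {', '.join(reasons)}")
```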

1. Key Concepts in Mobile Forensics

 Forensic Soundness: Ensuring that the process of evidence collection, examination, and
analysis does not alter the data. This is crucial for the admissibility of evidence in court.
 Acquisition Types: The methods used to extract data from mobile devices. This includes
physical acquisition (bit-by-bit copy of the entire device), logical acquisition (extracting
logical storage files like messages, call logs), and file system acquisition (copying the file
system).
 Chain of Custody: Maintaining and documenting the handling of evidence from the point
of collection to the presentation in court to ensure its integrity.

2. Challenges in Mobile Forensics

 Device Diversity: There are numerous makes and models of mobile devices, each with
different operating systems, hardware, and security features, requiring different forensic
approaches.
 Encryption and Security Features: Modern devices come with strong encryption and
security features like biometric locks, making data extraction challenging without the
appropriate tools or methodologies.
 App Ecosystem: The vast and ever-growing number of mobile applications complicates
forensic investigations as each app may store data in unique, often encrypted formats.

3. Tools and Techniques

 Forensic Software: Tools such as Cellebrite UFED, Oxygen Forensics, and XRY are used
to bypass security features and acquire data from mobile devices.
 Manual Examination: Involves manually searching the device through its user interface.
This method is less intrusive but may not access all data.
 Cloud Extraction: As many mobile devices back up data to cloud services, forensic
analysts may also need to retrieve data from cloud storage, following legal and ethical
guidelines.

4. Data Analysis
 Timeline Analysis: Examining the timestamps of files and logs to reconstruct the sequence
of events.
 Geolocation Analysis: Using GPS, Wi-Fi, and cell tower data to track the movement of
the device owner.
 App Data Analysis: Extracting and interpreting data from installed applications, which
can include messages, search history, and usage patterns.

5. Legal and Ethical Considerations

 Consent and Warrants: Ensuring lawful authorization through consent or warrants to
search and seize mobile devices.
 Privacy Concerns: Balancing the need for investigation with the respect for individual
privacy rights.
 Reporting: Creating detailed, understandable, and accurate reports that can be used in
legal proceedings.

6. Future Trends

 Cloud and Encryption Challenges: As encryption becomes more sophisticated and data
storage moves to the cloud, forensic investigators must evolve their techniques and tools.
 Artificial Intelligence: AI and machine learning are increasingly being used to automate
data analysis, helping to manage the volume of data extracted from devices.

Cell Phone Concepts -

Mobile device forensics is a branch of digital forensics relating to recovery of digital
evidence or data from a mobile device under forensically sound conditions. The phrase
mobile device usually refers to mobile phones; however, it can also relate to any digital
device that has both internal memory and communication ability, including PDA devices,
GPS devices and tablet computers.
Mobile devices can be used to save several types of personal information such as contacts,
photos, calendars and notes, SMS and MMS messages. Smartphones may additionally
contain video, email, web browsing information, location information, and social networking
messages and contacts.

There is a growing need for mobile forensics for several reasons; some of the most prominent
are:

• Use of mobile phones to store and transmit personal and corporate information
• Use of mobile phones in online transactions
• Use of mobile phones by criminals, which makes the devices a key source of evidence for
law enforcement

Key Aspects of Cell Phone Forensics:

1. Evidence Collection:
Physical Acquisition: This involves creating a bit-by-bit copy of the device's entire flash
storage, including deleted files and unallocated space. It provides the most comprehensive
data capture but requires specialized tools and may not always be possible: on a device that
uses full-disk or file-based encryption, the raw copy is ciphertext unless the keys are
available (typically because the device is unlocked or the passcode is known). The image
should be hashed at the moment of acquisition so that it can be re-verified later.
Logical Acquisition: Extracts data the device is programmed to reveal over standard
interfaces (such as USB), including contacts, calls, messages, and sometimes app data. It is
less invasive and faster, but it normally does not capture deleted data, because the
operating system only exports what it still lists as live.
Cloud Extraction: With users often backing up their mobile devices to cloud services,
investigators can also retrieve data from these cloud accounts, provided they have the legal
authority or consent.
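The following is an added example, not code from these notes or from any forensic tool,
that makes the physical-versus-logical distinction concrete and also shows the hash
verification that supports the chain of custody discussed under Legal and Ethical
Considerations. The "device" is a constructed stand-in for a flash chip: a 256-byte region
plus a directory of live files; one photo has been deleted so the directory no longer lists
it, but its bytes remain in unallocated space. The logical export returns only the live
files; the physical image is hashed with SHA-256 at acquisition and then carved by JPEG
signature (FF D8 FF start, FF D9 end), which recovers the deleted photo too. The layout,
file names and payloads are all constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a handset's flash chip (not a real file system):
# a raw byte region plus a directory saying which byte ranges belong to live files.
JPEG_LIVE = b"\xff\xd8\xff\xe0" + b"live photo payload" + b"\xff\xd9"
JPEG_DELETED = b"\xff\xd8\xff\xe1" + b"deleted photo payload" + b"\xff\xd9"
CONTACTS = b"BEGIN:VCARD\nFN:Alice\nEND:VCARD\n"


@dataclass
class Device:
    raw: bytearray
    directory: list = field(default_factory=list)  # (name, offset, length, allocated)


def make_device():
    """Lay three objects in flash; the third is 'deleted' but its bytes are still there."""
    dev = Device(bytearray(256))
    for name, offset, data, allocated in [
        ("DCIM/IMG_1.jpg", 16, JPEG_LIVE, True),
        ("contacts.vcf", 64, CONTACTS, True),
        ("DCIM/IMG_2.jpg", 128, JPEG_DELETED, False),  # unlinked; space is now unallocated
    ]:
        dev.raw[offset:offset + len(data)] = data
        if allocated:
            dev.directory.append((name, offset, len(data), True))
    return dev


def logical_acquire(dev):
    """What a backup/MTP-style export returns: only the files the OS still lists."""
    return {name: bytes(dev.raw[off:off + length])
            for name, off, length, allocated in dev.directory if allocated}


def physical_acquire(dev):
    """Bit-for-bit copy of the whole chip plus its SHA-256, recorded at acquisition time."""
    image = bytes(dev.raw)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image, recorded_digest):
    """Re-hash before analysis; a mismatch means the evidence copy has changed."""
    return hashlib.sha256(image).hexdigest() == recorded_digest


def carve_jpegs(image):
    """Signature carving: each SOI marker (FF D8 FF) up to the next EOI (FF D9),
    regardless of whether any directory entry still points at it."""
    found, pos = [], 0
    while True:
        start = image.find(b"\xff\xd8\xff", pos)
        if start == -1:
            break
        end = image.find(b"\xff\xd9", start + 3)
        if end == -1:
            break  # truncated object; a real carver would apply a size limit
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found


if __name__ == "__main__":
    dev = make_device()
    print("logical export lists:", sorted(logical_acquire(dev)))
    image, digest = physical_acquire(dev)
    print("physical image sha256:", digest, "verified:", verify_image(image, digest))
    for offset, blob in carve_jpegs(image):
        print(f"carved JPEG at offset {offset}, {len(blob)} bytes")
```

The logical export lists two files; carving the physical image finds two JPEGs, the second
at offset 128 being the deleted one. If the same chip were encrypted at rest, the physical
image would still hash and verify correctly but the carver would find no markers, which is
why encryption is the first obstacle listed under Challenges.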
2. Data Analysis:
Forensic analysts sift through the data acquired from cell phones to find relevant information.
This can include:
Communications: Text messages, emails, and call logs.
Digital Media: Photos and videos, including metadata that can reveal when and where they
were taken.
Application Data: Information from social media, dating apps, productivity apps, and more,
which can provide insights into a person's activities, interests, and social circles.
Location Data: GPS, Wi-Fi, and cellular data that can track a device's movements over time.
3. Challenges:
Encryption and Passcodes: Modern devices encrypt user data by default, with keys derived
from the user's passcode, so extraction without the passcode is difficult: a raw copy of
the storage yields only ciphertext.
Diverse Operating Systems and Models: The wide variety of cell phone models and operating
systems requires forensic analysts to have a broad range of tools and knowledge.
App-Specific Encryption: Many apps encrypt data in ways that can be difficult to bypass,
requiring ongoing research and development of forensic methods.
4. Legal and Ethical Considerations:
Authorization: Forensic examinations usually require legal authority, such as a warrant or
consent from the device owner.
Privacy: Investigators must navigate privacy laws that protect individuals' information,
ensuring they only access and disclose data relevant to the case.
Chain of Custody: Maintaining a documented chain of custody for digital evidence (who
handled it, when, and the cryptographic hash of each acquired image, so that it can be
shown to be unchanged) is crucial to ensure its admissibility in court.
5. Reporting and Testimony:
The findings from a cell phone forensic investigation need to be carefully documented in a
report that can be understood by non-technical stakeholders, such as law enforcement
officers, lawyers, and court personnel. Forensic analysts may also be called to testify in court
about their findings and the methods used to obtain them.

6. Future Trends:
Advanced Security Features: As manufacturers continue to enhance the security features of
cell phones, forensic analysts must develop new techniques for data extraction.
Cloud-Based Data: With more data being stored in the cloud, forensic focus may shift
towards cloud storage and data synchronization analysis.
Artificial Intelligence: AI and machine learning tools are increasingly used to automate and
enhance the analysis of large datasets collected from mobile devices.
