SAD Exp1

Secure Application Development

Uploaded by

Nileema Pathak

Experiment – 1:

Aim: Part 1: Identify and study main vulnerabilities inherent in applications

Part 2: Study various laws and standards of cyber security

PART 1
1. Objectives: After study of this experiment, the student will be able to

● Identify main vulnerabilities inherent in applications

● Understand different cyber security laws.

● Identify and learn different standards of cyber security.

2. Outcomes: After study of this experiment, the student will be able to

● Demonstrate knowledge of different laws and standards of cyber security.

3. Prerequisite: Programming concepts, Cyber security.


4. Requirements: PC and Internet
5. Brief Theory:
Cyber Security Introduction:
Cyber security has become a major concern as cyber threats and attacks keep growing. Attackers
now use more sophisticated techniques to target systems, and individuals, small businesses and
large organizations are all affected. As a result, firms in both the IT and non-IT sectors have
recognised the importance of cyber security and are focusing on adopting every possible
measure to deal with cyber threats.
What is cyber security?
"Cyber security is primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and activities, including computer
network operations, information assurance, law enforcement, etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect networks,
computers, programs and data from attack, damage or unauthorized access.
The term cyber security refers to techniques and practices designed to protect digital data, that is,
the data that is stored, transmitted or used on an information system.

OR Cyber security is the protection of Internet-connected systems, including hardware,
software, and data, from cyber-attacks.

The term is made up of two words: cyber and security.

Cyber refers to the technology, which comprises systems, networks and programs or data,
whereas security refers to the protection, which includes systems security, network security,
and application and information security.
Why is cyber security important?
Listed below are the reasons why cyber security is so important in what has become a
predominantly digital world:
1. Cyber-attacks can be extremely expensive for businesses to endure. In addition to the financial
damage suffered by the business, a data breach can also inflict untold reputational damage.
2. Cyber-attacks these days are becoming progressively more destructive. Cybercriminals are using
more sophisticated ways to initiate cyber-attacks.
3. Regulations such as GDPR are forcing organizations to take better care of the personal data
they hold.
Because of the above reasons, cyber security has become an important part of business, and the
focus now is on developing appropriate response plans that minimize the damage in the event of
a cyber-attack.
Types of Cyber Attacks
A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to
alter computer code, logic or data, leading to cybercrimes such as information and identity
theft.
Cyber-attacks can be classified into the following categories:
1) Web-based attacks
2) System-based attacks
Web-based attacks
These are attacks that occur on a website or web application. Some of the important
web-based attacks are as follows:
1. Injection attacks
An injection attack is one in which crafted data is supplied to a web application in order to
manipulate the application and extract the information the attacker wants. Examples: SQL
injection, code injection, log injection, XML injection, etc.
2. DNS Spoofing: DNS spoofing is a type of attack in which false data is introduced into a DNS
resolver's cache, causing the name server to return an incorrect IP address and diverting traffic
to the attacker's computer or any other computer. DNS spoofing attacks can go on for a long
period of time without being detected and can cause serious security issues.
3. Session Hijacking:

It is an attack on a user's session over a protected network. Web applications create
cookies to store state and user sessions. By stealing those cookies, an attacker can gain
access to all of the user's data.

4. Phishing:

Phishing is a type of attack that attempts to steal sensitive information such as user login
credentials and credit card numbers. It occurs when an attacker masquerades as a
trustworthy entity in electronic communication.

5. Brute force:

It is a type of attack that uses a trial-and-error method. The attack generates a large number
of guesses and validates them to obtain actual data such as a user's password or personal
identification number. It may be used by criminals to crack encrypted data, or by
security analysts to test an organization's network security.

6. Denial of Service:

It is an attack meant to make a server or network resource unavailable to its users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. A denial-of-service attack uses a single system and a single internet connection to attack
a server. It can be classified into the following:

● Volume-based attacks: the goal is to saturate the bandwidth of the attacked site; they are
measured in bits per second.

● Protocol attacks: these consume actual server resources and are measured in packets per second.

● Application layer attacks: the goal is to crash the web server; they are measured in requests
per second.
7. Dictionary attacks:
This type of attack uses a stored list of commonly used passwords and tries each of them in turn
to recover the original password.
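Brute force and dictionary attacks (items 5 and 7 above) look alike from the server side: a burst of failed logins from one source. As an added example, not part of the original experiment, the following Python detector runs over a constructed authentication log (its line format is an assumption) and flags a source once it exceeds a threshold of failures inside a sliding time window:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authentication log (not from a real system). The line
# format "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2024-01-10T10:00:01 FAIL user=alice src=203.0.113.9
2024-01-10T10:00:02 FAIL user=alice src=203.0.113.9
2024-01-10T10:00:03 FAIL user=bob src=203.0.113.9
2024-01-10T10:00:04 FAIL user=carol src=203.0.113.9
2024-01-10T10:00:05 FAIL user=dave src=203.0.113.9
2024-01-10T10:00:06 FAIL user=erin src=203.0.113.9
2024-01-10T10:00:30 FAIL user=alice src=198.51.100.7
2024-01-10T10:01:00 OK user=alice src=198.51.100.7
2024-01-10T10:05:00 FAIL user=bob src=192.0.2.44
2024-01-10T10:10:00 FAIL user=bob src=192.0.2.44
2024-01-10T10:15:00 FAIL user=bob src=192.0.2.44
2024-01-10T10:20:00 FAIL user=bob src=192.0.2.44
2024-01-10T10:25:00 FAIL user=bob src=192.0.2.44
2024-01-10T10:30:00 FAIL user=bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src

def detect_guessing(log_text, threshold=5, window_seconds=60):
    """Alert on a source IP once it has `threshold` failed logins within a
    sliding window. Returns {src: (alert_time, usernames_tried)}; many
    distinct usernames point to a dictionary or spraying attack, a single
    repeated username to brute force against one account."""
    recent = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    alerts = {}
    for ts, result, user, src in parse(log_text):
        if result != "FAIL":
            continue               # successes are not evidence of guessing
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()            # forget failures older than the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (ts.isoformat(), sorted({u for _, u in q}))
    return alerts

if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))                        # fast burst only
    print(detect_guessing(SAMPLE_LOG, window_seconds=1800))   # slow source too
```

With the default 60-second window the slow source 192.0.2.44 never trips the threshold, which is why guessing detection should pair a short burst window with a longer per-source or per-account count.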

8. URL Interpretation:

It is a type of attack in which certain parts of a URL are altered so that the web server
delivers web pages that the requester is not authorized to browse.

9. File Inclusion attacks:

It is a type of attack that allows an attacker to access unauthorized or essential files that are
available on the web server, or to execute malicious files on the web server, by abusing the
application's include functionality.
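As an added example for the URL interpretation and file inclusion cases above (written for this page, not code from the original experiment), the following Python helper shows the defensive check: a requested file name is resolved and then verified to still lie inside the directory the application is allowed to serve. The `include_page` helper and the site tree it builds are hypothetical.

```python
import tempfile
from pathlib import Path

def resolve_in_base(base_dir, requested):
    """Map a user-supplied file name onto a path under base_dir. Returns None
    if the request escapes base_dir via '..' segments, an absolute path or a
    symlink, because resolve() collapses all of those before the comparison.
    Assumes the web framework has already URL-decoded `requested`."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()   # an absolute `requested` replaces base
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target

def include_page(base_dir, requested):
    """Hypothetical include helper: serves only regular files under base_dir."""
    target = resolve_in_base(base_dir, requested)
    if target is None or not target.is_file():
        return None
    return target.read_text()

def demo():
    """Builds a constructed site tree in a temporary directory and returns the
    outcome of several requests against it."""
    root = Path(tempfile.mkdtemp())
    pages = root / "pages"
    pages.mkdir()
    (pages / "about.html").write_text("<h1>About</h1>")
    (root / "config.txt").write_text("db_password=example")   # outside pages/
    return {
        "about.html": include_page(pages, "about.html"),
        "../config.txt": include_page(pages, "../config.txt"),
        "absolute": include_page(pages, str(root / "config.txt")),
        "pages": include_page(pages, "."),           # a directory, not a file
        "missing.html": include_page(pages, "missing.html"),
    }

if __name__ == "__main__":
    for request, content in demo().items():
        print(f"{request!r:20} -> {content!r}")
```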

10. Man in the middle attacks:

It is a type of attack that allows an attacker to intercept the connection between a client and a
server and act as a bridge between them. As a result, the attacker is able to read, insert
and modify the data in the intercepted connection.
System-based attacks:
These are attacks intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows:
1. Virus:
It is a type of malicious software program that spreads through the files on a computer without
the user's knowledge. It is a self-replicating program that replicates by inserting copies of
itself into other computer programs when executed. It can also execute instructions that cause
harm to the system.
2. Worm:
It is a type of malware whose primary function is to replicate itself in order to spread to
uninfected computers. It works in the same way as a computer virus. Worms often originate
from email attachments that appear to come from trusted senders.
3. Trojan horse:
It is a malicious program that causes unexpected changes to computer settings and unusual
activity, even when the computer should be idle. It misleads the user about its true intent: it
appears to be a normal application, but when opened or executed, malicious code runs in
the background.
4. Backdoors:
It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.
5. Bots:
A bot (short for "robot") is an automated process that interacts with other network services.
Some bot programs run automatically, while others only execute commands when they
receive specific input. Common examples of bot programs are crawlers, chatroom bots, and
malicious bots.
PART 2
Laboratory Exercise
Procedure
i. Study and explain various laws of cyber security
ii. Write about various standards of cyber security
Theory: Cyber Security Laws
Cyber law, also called IT law, is the law regarding information technology, including computers and
the internet. It is related to legal informatics and governs the digital circulation of information,
software, information security, and e-commerce. IT law is not a separate area of law; rather, it
encompasses aspects of contract, intellectual property, privacy, and data protection law.
Intellectual property is a key element of IT law. The area of software licensing is controversial and
still evolving in Europe and elsewhere. According to the Ministry of Electronics and Information
Technology, Government of India: cyber laws give legal recognition to electronic documents and a
framework to support e-filing and e-commerce transactions, and also provide a legal framework to
reduce and check cyber crimes.
Importance of Cyber Law:
1. It covers all transactions over the internet.
2. It keeps an eye on all activities over the internet.
3. It touches every action and every reaction in cyberspace.
Areas of Cyber Law: Cyber laws serve different purposes. Some laws create rules
for how individuals and companies may use computers and the internet, while others protect people
from becoming victims of crime through unscrupulous activities on the internet.
The major areas of cyber law include:
1. Fraud:
Consumers depend on cyber laws to protect them from online fraud. Laws are made to prevent identity
theft, credit card theft, and other financial crimes that happen online. A person who commits identity
theft may face federal or state criminal charges. They might also face a civil action brought
by a victim. Cyber lawyers work both to defend against and to prosecute allegations of fraud using the
internet.
2. Copyright:
The internet has made copyright violations easier. In the early days of online communication, copyright
violations were all too easy. Both companies and individuals need lawyers to bring actions to enforce
copyright protections. Copyright is an area of cyber law that protects the rights of individuals
and companies to profit from their creative works.
3. Defamation:
Many people use the internet to speak their minds. When people use the internet to say things that
are not true, it can cross the line into defamation. Defamation laws are civil laws that protect individuals
from false public statements that can harm a business or someone's reputation. When people use the
internet to make statements that violate civil laws in this way, the matter falls under defamation law.
4. Harassment and Stalking:
Sometimes online statements can violate criminal laws that forbid harassment and stalking. When a
person makes threatening statements again and again about someone else online, there is a violation of
both civil and criminal laws. Cyber lawyers both prosecute and defend people when stalking occurs
using the internet and other forms of electronic communication.
5. Freedom of Speech:
Freedom of speech is an important area of cyber law. Even though cyber laws forbid certain behaviors
online, freedom of speech laws also allow people to speak their minds. Cyber lawyers must advise
their clients on the limits of free speech, including laws that prohibit obscenity. Cyber lawyers may also
defend their clients when there is a dispute about whether their actions constitute permissible free
speech.
6. Trade Secrets:
Companies doing business online often depend on cyber laws to protect their trade secrets. For
example, Google and other online search engines spend lots of time developing the algorithms that
produce search results. They also spend a great deal of time developing other features like maps,
intelligent assistance, and flight search services to name a few. Cyber laws help these companies to
take legal action as necessary to protect their trade secrets.
7. Contracts and Employment Law:
Every time you click a button that says you agree to the terms and conditions of using a website, you
have used cyber law. There are terms and conditions for every website that are somehow related to
privacy concerns.
Advantages of Cyber Law:
● Organizations are now able to carry out e-commerce using the legal infrastructure provided by the
IT Act.
● Digital signatures have been given legal validity and sanction in the Act.
● It has opened the doors for corporate companies to enter the business of issuing Digital Signature
Certificates as Certifying Authorities.
● It allows the Government to issue notifications on the web, thus heralding e-governance.
● It gives authority to companies or organizations to file any form, application, or other
document with any office, authority, body, or agency owned or controlled by the appropriate Government
in electronic form, using such e-form as may be prescribed by that Government.
● The IT Act also addresses the important issues of security, which are so critical to the success of
electronic transactions.
● Cyber law provides both hardware and software security.

Cyber Security Standards

The foremost aim of formulating cybersecurity standards is to improve the security of the IT
infrastructure and IT products used in organizations. Listed below is a comprehensive set of
standards that help you understand the benchmarks in IT security.
1. Information security management system (ISMS) (ISO/IEC 27000 family): It is a set of guidelines
for maintaining infrastructure, mainly the company's data centers, so that they follow certain legal,
technical and physical policies to ensure the confidentiality, integrity, and availability of the
data residing in those data centers. The family consists of ISO/IEC 27001, ISO/IEC 27002,
ISO/IEC 27003, ISO/IEC 27004, ISO/IEC 27005, ISO/IEC 27006, and ISO/IEC 27007.
2. Common Criteria (ISO/IEC 15408): This standard mainly deals with the certification of IT
products. It provides for the evaluation of IT products against a set of approved criteria that are widely
followed by industry and governments. ISO/IEC 15408 consists of three parts: Part 1 (Introduction
and general model), Part 2 (Security functional requirements), and Part 3 (Security assurance
requirements). The Common Evaluation Methodology (CEM) is a companion document used by
security evaluators to evaluate IT products.

3. ISO/IEC 18043: This standard helps an organization in the selection, deployment, and operation of
intrusion detection systems within its IT infrastructure.

4. Center for Internet Security, CIS (https://www.cisecurity.org/): CIS publishes security benchmarks
for mobile devices, network devices, server operating systems, virtualization platforms and cloud,
desktops, and web browsers. These benchmarks are security configuration guides that governments
and industry widely accept, and they are available for free. Most security auditing organizations use
these benchmarks to evaluate the configuration of IT infrastructure.

5. ISO 22301:2012: This standard contains requirements for business continuity management systems.

6. National Institute of Standards and Technology (NIST) Standard Specifications: NIST is a US-based
agency that publishes cybersecurity-related standards. Most cryptography-related standards
come from NIST, and countries across the globe widely follow them.
NIST 800-115 (Technical Guide to Information Security Testing and Assessment) is an important
standard for assessing IT systems.

7. SANS Security Policy Resource: This resource contains templates related to network devices,
servers, and application security.

8. ISO 28000: This ISO standard contains the specification for security management systems for the
supply chain.

9. OWASP Foundation: It is a non-profit organization that regularly publishes Top 10 lists of security
issues for web applications, mobile applications, web services, etc. Most security auditing organizations
follow these Top 10 lists to categorize security vulnerabilities.

10. ISO/IEC 27037: This ISO standard contains guidelines for the identification, collection,
acquisition, and preservation of digital evidence.

11. Payment Card Industry Data Security Standard (PCI DSS): This compliance standard sets out the
requirements that financial organizations and merchants must meet to process credit card payments securely.

12. Cloud Security Alliance (CSA): CSA is a non-profit organization that regularly publishes the best
security practices related to cloud security.

13. ISO/SAE 21434: This standard covers aspects of automotive cybersecurity. It includes a list of
requirements related to cyber security risk management and a cybersecurity process framework that
gives OEMs a common platform on which to communicate security-related risks.

14. ISO/IEC 20243-1: This information technology standard refers to the Open Trusted Technology
Provider Standard (O-TTPS). It helps in mitigating maliciously tainted and counterfeit products.

15. ISO/IEC 27400:2022: This standard provides a set of guidelines for Internet of Things (IoT)
solutions. It provides a list of risks, principles, and controls for the security and privacy of IoT solutions.
