E43CS ITActCh4

Zulal Bhilajirao Patil College Dhule

Bachelor of Management Studies (E-Commerce)


E 4.3 Cyber Security and IT Act (Sem-IV) (A.Y. 2018-2019)
Sr.  Unit / Syllabus Details                                            Lectures
1    Unit 1. Elements of Information Security                                 10
     1.1 Basics of Information Systems
     1.2 Types of Information Systems
     1.3 Nature of Information Systems
     1.4 Meaning of Information Security
     1.5 Basic Principles of Information Security
2    Unit 2. Security Threats, Controls and Concepts                          10
     2.1 Information System Threats and Attacks
     2.2 Security Threats to E-Commerce
     2.3 Business Transactions on the Web
     2.4 Concepts in Electronic Payment Systems:
     2.4.1 Internet Banking
     2.4.2 E-Cash
     2.4.3 Credit/Debit Cards
     2.5 Physical Security:
     2.5.1 Need for Physical Security
     2.5.2 Disasters and Controls
     2.5.3 Access Control: Biometrics: Benefits of Biometric Systems and
           Criteria for Selection of Biometrics
3    Unit 3. Cyber Security with Cryptography                                 10
     3.1 Model of Cryptographic Systems
     3.2 Issues in Document Security
     3.3 Digital Signature, Requirements of a Digital Signature System
4    Unit 4. Network Security                                                 10
     4.1 Basic Concepts
     4.2 Dimensions of Network Security
     4.3 Network Attacks
     4.4 Intrusion Detection System
     4.5 Virtual Private Networks
5    Unit 5. Introduction to Cyber Crime                                      10
     5.1 Cyber Crime Introduction
     5.2 Email Tracing and Tracking
     5.3 Email Spoofing
     5.4 Mobile Number Hacking
     5.5 Data Recovery
     5.6 Cyber Fraud Detection
     5.7 Hack Website
6    Unit 6. Indian IT Act                                                    10
     6.1 Fundamentals of Cyber Law
     6.2 Introduction to Indian Cyber Law:
     6.2.1 Information Technology Act 2000
     6.2.2 Main Features of the IT Act 2000
     6.2.3 Information Technology Amendment Act 2008 and its Major Strengths

Page | 1
4. Network Security
4.1 Basic Concepts
4.2 Dimensions of Network Security
4.3 Network Attacks
4.4 Intrusion Detection System
4.5 Virtual Private Networks:
----------------------------------------------------------------------------------
Network security is any activity designed to protect the usability and integrity of a network and
the data on it. It includes both hardware and software technologies. Effective network security manages
access to the network: it targets a variety of threats and stops them from entering or spreading on the
network.
Network security consists of the policies and practices adopted to prevent and monitor
unauthorized access, misuse, modification, or denial of a computer network and network-accessible
resources.
It is the duty of network administrators to adopt preventive measures that protect their networks from
potential security threats.
Computer networks that carry regular transactions and communication for governments, individuals,
or businesses require security. The most basic control is to require a unique account name and a
corresponding password before a resource can be used; on its own that is a weak control, and it is
normally supplemented by the devices and monitoring described below.
Types of Network Security Devices
 Active devices - These devices block unwanted traffic. Firewalls, antivirus scanning
devices and content filtering devices are examples of such devices.
 Passive devices - These devices identify and report on unwanted traffic without blocking it,
for example intrusion detection appliances.
 Preventative devices - These devices scan the network and identify potential security
problems before an attacker exploits them. For example, penetration testing tools and vulnerability
assessment appliances.
 Unified Threat Management (UTM) - All-in-one appliances that combine several of these
functions, for example firewalling, content filtering, antivirus scanning and web caching.
Firewalls
A firewall is a network security system that manages and regulates network traffic according to a
configured rule set (the security policy). It establishes a barrier between a trusted internal network and
the internet.
Firewalls exist both as software running on a general-purpose host and as dedicated hardware
appliances. Hardware firewalls often provide other functions as well, such as acting as the DHCP server
for the network.
Most personal computers use software-based firewalls to protect the host from threats on the internet.
Many routers that pass data between networks contain firewall components and, conversely, many
firewalls can perform basic routing functions.
Firewalls are commonly used in private networks or intranets to prevent unauthorized access from the
internet. Every packet entering or leaving the intranet passes through the firewall, where it is checked
against the policy and either forwarded or dropped.
A layered configuration uses both kinds: a perimeter appliance plus host-based software firewalls on
the endpoints. Many firewall appliances also provide remote access to the private network, authenticating
remote users with certificates or logins before admitting their traffic.
Hardware and Software Firewalls
Hardware firewalls are standalone products. These are also found in broadband routers. Most
hardware firewalls provide a minimum of four network ports to connect other computers. For larger
networks − e.g., for business purpose − business networking firewall solutions are available.
Software firewalls are installed on your computers. A software firewall protects your computer from
internet threats.
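The policy-enforcing barrier described above can be made concrete with a small stateless packet filter. This is an added Python example, not code from the lecture notes or from any firewall product; the intranet range, the web server address, the RFC 5737 sample addresses and the rule set are constructed for illustration.

```python
"""Stateless packet filter with an ordered, first-match rule set and a default-deny
policy. Added example, not from the lecture notes; addresses are RFC 5737
documentation ranges and the policy is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on: "ext" or "int"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None  # None matches either interface
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Evaluates rules top to bottom; the first match decides, else the default applies."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default
        self.log: List[Tuple[Optional[int], str, Packet]] = []  # (rule index, verdict, packet)

    def decide(self, p: Packet) -> str:
        for i, r in enumerate(self.rules):
            if r.matches(p):
                self.log.append((i, r.action, p))
                return r.action
        self.log.append((None, self.default, p))  # logged so reviewers can spot probes
        return self.default


# Constructed policy: intranet 10.0.0.0/8 behind the firewall, public web server 10.0.1.5.
INTRANET = "10.0.0.0/8"
WEB_SERVER = "10.0.1.5/32"
POLICY = [
    # Anti-spoofing: a packet from outside may never claim an internal source address.
    Rule("deny", iface="ext", src=INTRANET),
    # Only HTTP and HTTPS to the web server are admitted from the internet.
    Rule("allow", iface="ext", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", iface="ext", dst=WEB_SERVER, proto="tcp", dport=443),
    # Internal hosts may initiate outbound connections.
    Rule("allow", iface="int", src=INTRANET),
    # Everything else falls through to the default deny.
]


def check_policy() -> List[str]:
    """Runs a handful of constructed packets through POLICY and returns the verdicts."""
    fw = Firewall(POLICY)
    samples = [
        Packet("ext", "203.0.113.7", "10.0.1.5", "tcp", 443),  # public HTTPS request
        Packet("ext", "203.0.113.7", "10.0.1.5", "tcp", 22),   # SSH probe from outside
        Packet("ext", "10.0.0.9", "10.0.1.5", "tcp", 80),      # spoofed internal source
        Packet("int", "10.0.2.3", "203.0.113.7", "tcp", 443),  # outbound browsing
        Packet("ext", "203.0.113.7", "10.0.2.3", "icmp"),      # ping to a workstation
    ]
    return [fw.decide(p) for p in samples]


if __name__ == "__main__":
    print(check_policy())  # ['allow', 'deny', 'deny', 'allow', 'deny']
```

Two design points a practitioner would check here: the default is deny, so anything the rules do not explicitly admit is dropped; and the anti-spoofing rule comes first, so a packet arriving on the external interface with an internal source address is refused before any allow rule can match it. A real firewall would additionally track connection state so that return traffic for the outbound rule is admitted without opening inbound ports.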
Antivirus
An antivirus is a tool used to detect and remove malicious software. It was originally
designed to detect and remove viruses from computers.
Modern antivirus software protects not only against viruses but also against worms, Trojan horses,
adware, spyware, keyloggers and similar malware. Some products also block malicious URLs, spam and
phishing pages, and detect the bot malware that would enrol the host in a botnet used for DDoS attacks.
Content Filtering
Content filtering devices screen unwanted or offensive emails and webpages. They are used as
part of firewalls in corporations as well as on personal computers, and return an "Access Denied"
message when someone tries to reach a web page or email that policy does not permit.
Content is usually screened for pornographic content and for violence- or hate-oriented content.
Organizations also commonly exclude shopping and job-related content.
Content filtering can be divided into the following categories:
 Web filtering
o Screening of web sites or pages
 E-mail filtering
o Screening of e-mail for spam
o Screening of e-mail for other objectionable content
Intrusion Detection Systems
An Intrusion Detection System (IDS) is an appliance that monitors a network for malicious
activity, logs information about that activity and reports it, typically by raising an alarm. An Intrusion
Detection and Prevention System (IDPS, or simply IPS) is the in-line variant that additionally acts on the
traffic: it can drop the offending packets, reset the TCP connection or temporarily block the source IP
address. Because it sits in the traffic path, an IPS can also normalise traffic before it reaches the
protected hosts, for example:
 Correct Cyclic Redundancy Check (CRC) errors
 Prevent TCP sequencing issues
 Clean up unwanted transport- and network-layer options

4.2 Dimensions of Network Security

With the increasing use of technologies like big data, data mining and data integration, data security has
become a pressing question, and breach reports appear daily. Some of the factors of concern are:

 Use of big data: large-scale collection and correlation of data, including what users publish on
social networking sites, makes the aggregated stores a high-value target, and a breach of one of them
exposes far more than a single account.
 Phishing: not a new concept; cybercriminals have used it for well over a decade. Fraudulent e-mails
and web pages, often sent in bulk, trick recipients into disclosing credentials or other data that is then
used against them or their organization.
 Politically sponsored attacks: government-led intelligence agencies attack other governments'
power projects, transportation and other facilities in order to create chaos.
 Machine learning: used on both sides; defenders apply it to classify traffic and spot abnormal
behaviour, while attackers use it to automate and adapt their attacks.
 Mobile applications: organizations' pressure to ship applications quickly leaves developers little
time to find and fix bugs, and those bugs give attackers a way onto your device without your
knowledge.

Ten Dimensions of Cyber Security Performance
I am proposing a framework for managing cyber security performance. As a preview, here are the ten
dimensions:
1. Optimize Exposure: attack surface and vulnerabilities, including assets, people, processes, &
technologies
2. Effective Threat Intelligence: understanding the threat agents
3. Effective Design & Development: security & privacy by design
4. Quality of Protection & Controls
5. Effective/Efficient Execution & Operations
6. Effective Response, Recovery, & Resilience
7. Effective External Engagement: responsibilities and risk drivers
8. Effective Learning & Agility: OODA at an organization level
9. Optimize Total Cost of Risk: (loss distribution approach)
10. Responsibility & Accountability: including governance and compliance
Each of the ten dimensions is explored in subsequent posts (see links above). The interactions
among the first six dimensions are discussed in a post called "Operational Cyber Security & Single Loop
Learning". The interactions among the second four dimensions are discussed in "Agile Cyber Security
and Double Loop Learning".

4.3 Network Attacks:


Understanding Network Attacks
A network attack can be defined as any method, process, or means used to maliciously attempt to
compromise network security.
There are a number of reasons that an individual(s) would want to attack corporate networks.
The individuals performing network attacks are commonly referred to as network attackers, hackers, or
crackers.
A few different types of malicious activities that network attackers and hackers perform are
summarized here:
 Illegally using user accounts and privileges
 Stealing hardware
 Stealing software
 Running code to damage systems
 Running code to damage and corrupt data
 Modifying stored data
 Stealing data
 Using data for financial gain or for industrial espionage
 Performing actions that prevent legitimate authorized users from accessing network services and
resources.
 Performing actions to deplete network resources and bandwidth.

Network attacks are classified by their source into internal and external threats, and external threats
are further divided into structured and unstructured ones:

 Internal threats
 External threats
o Unstructured threats
o Structured threats
Threats to a network can be initiated from a number of different sources, which is why network
attacks are classified as either external or internal network attacks/threats:
1. External threats: External attacks are carried out by individuals who have no assistance from
internal employees or contractors: a malicious and experienced individual, a group of experienced
individuals, an experienced malicious organization, or inexperienced attackers (script kiddies). Such
attackers usually have a predefined plan and the tools or techniques to carry out the attack. One of the
main characteristics of external threats is that they usually begin with scanning and information
gathering, so an external attack can often be detected by scrutinizing existing firewall logs.
Administrators can also install an Intrusion Detection System to identify external threats quickly.

External threats can be further categorized into either structured threats or unstructured threats:
 Structured external threats: These threats originate from a malicious individual, a group of
malicious individual(s), or a malicious organization. Structured threats are usually initiated from
network attackers that have a premeditated thought on the actual damages and losses that they want
to cause. Possible motives for structured external threats include greed, politics, terrorism, racism,
and criminal payoffs. These attackers are highly skilled on network design, avoiding security
measures, Intrusion Detection Systems (IDSs), access procedures, and hacking tools. They have the
necessary skills to develop new network attack techniques and the ability to modify existing hacking
tools for their exploitations. In certain cases, an internal authorized individual may assist the
attacker.
 Unstructured external threats: These threats originate from an inexperienced attacker, typically
from a script kiddie. Script kiddie refers to an inexperienced attacker who uses cracking tools or
scripted tools readily available on the Internet to perform a network attack. Script kiddies are usually
inadequately skilled to create the threats on their own. They can be considered bored individuals
seeking some form of fame by attempting to crash websites and other public targets on the Internet.
External attacks can also occur either remotely or locally:
 Remote external attacks: These attacks are usually aimed at the services that an organization
offers to the public. The various forms that remote external attacks can take are:
o Remote attacks aimed at the services available for internal users. This remote attack
usually occurs when there is no firewall solution implemented to protect these internal
services.
o Remote attacks aimed at locating modems to access the corporate network.
o Denial of service (DoS) attacks to place an exceptional processing load on servers in an
attempt to prevent authorized user requests from being serviced.
o War dialing of the corporate private branch exchange (PBX).
o Attempts to brute-force password-authenticated systems.
 Local external attacks: These attacks typically originate from situations where computing
facilities are shared and access to the system can be obtained.
2. Internal threats: Internal attacks originate from dissatisfied or unhappy inside employees or
contractors. Internal attackers have some form of access to the system and usually try to hide their
attack as a normal process. For instance, internal disgruntled employees have local access to some
resources on the internal network already. They could also have some administrative rights on the
network. One of the best means to protect against internal attacks is to implement an Intrusion
Detection System and to configure it to scan for both external and internal attacks. All forms of
attacks should be logged and the logs should be reviewed and followed up.
With respect to network attacks, the core components that should be included when users design
network security are:
 Network attack prevention
 Network attack detection
 Network attack isolation
 Network attack recovery
What are some of the more prevalent types of attacks today?

 Malware – short for malicious software, which is specifically designed to disrupt, damage, or gain
unauthorized access to a computer system. Much of the malware today is self-replicating: once it
infects one host, it seeks entry into other hosts over the Internet from that host, and from the newly
infected hosts it seeks entry into yet more hosts. In this manner self-replicating malware can spread
exponentially fast.
 Virus, worm and botnet – a virus attaches itself to a host program or file and spreads when that
program is run or copied; a worm spreads by itself over the network without user action; a botnet is a
collection of compromised hosts under an attacker's remote control, used for spam, DDoS and further
infection.
 DoS (Denial of Service) – A DoS attack renders a network, host, or other pieces of infrastructure
unusable by legitimate users. Most Internet DoS attacks fall into one of three categories :
Vulnerability attack ; Bandwidth flooding ; Connection flooding.
 DDoS (Distributed DoS) – a DDoS attack is a DoS attack in which multiple compromised systems
are used to target a single system. DDoS attacks leveraging botnets with thousands of compromised
hosts are a common occurrence today. They are much harder to detect and defend against than a DoS
attack from a single host, because there is no single source to block.
 Packet sniffer – a passive receiver that records a copy of every packet that passes by is called a
packet sniffer. By placing a passive receiver in the vicinity of a wireless transmitter, that receiver can
obtain a copy of every packet that is transmitted. These packets can contain all kinds of sensitive
information, including passwords, social security numbers, trade secrets, and private personal
messages. Some of the best defenses against packet sniffing involve cryptography.
 IP Spoofing – The ability to inject packets into the Internet with a false source address is known as
IP spoofing, and is but one of many ways in which one user can masquerade as another user. To
solve this problem, we will need end-point authentication, that is, a mechanism that will allow us to
determine with certainty if a message originates from where we think it does.
 Man-in-the-Middle Attack – As the name indicates, a man-in-the-middle attack occurs when
someone between you and the person with whom you are communicating is actively monitoring,
capturing, and controlling your communication transparently. For example, the attacker can re-route
a data exchange. When computers are communicating at low levels of the network layer, the
computers might not be able to determine with whom they are exchanging data.
 Compromised-Key Attack – A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it
is possible. After an attacker obtains a key, that key is referred to as a compromised key. An attacker
uses the compromised key to gain access to a secured communication without the sender or receiver
being aware of the attack.
 Phishing – The fraudulent practice of sending emails purporting to be from reputable companies in
order to induce individuals to reveal personal information, such as passwords and credit card
numbers.
 DNS spoofing – also referred to as DNS cache poisoning, an attack in which forged Domain Name
System data is introduced into a resolver's cache, causing the resolver to return an incorrect IP address
for a name until the poisoned entry expires.
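An added example, not part of the lecture notes, of the cache-poisoning attack just described, in Python: a toy caching resolver that is either "weak" (sequential transaction IDs, fixed source port 53) or "strong" (both drawn at random), and an attacker who first observes the resolver's behaviour and then races the genuine answer with forged responses. The names, the addresses (RFC 5737 documentation ranges) and the attacker's 50-guess budget are assumptions made for the demonstration.

```python
"""Toy caching resolver showing how a forged response poisons the cache when the
transaction ID and source port are predictable, and why randomising and checking
both defeats the same attacker. Added example, not from the lecture notes; names,
addresses (RFC 5737 ranges) and the attacker's guessing budget are assumptions."""
import random
from dataclasses import dataclass
from typing import Dict, Tuple

POISON_IP = "203.0.113.66"   # address the attacker wants victims to connect to
REAL_IP = "198.51.100.10"    # the genuine address of bank.example


@dataclass(frozen=True)
class DnsResponse:
    txid: int    # 16-bit transaction ID, must echo the query's
    port: int    # UDP port the response is addressed to (the resolver's source port)
    qname: str   # question name
    rdata: str   # A record offered for qname


class Resolver:
    """Weak mode: sequential txid and fixed source port 53, both trivially predictable.
    Strong mode: txid and source port drawn at random for every query.
    Both modes verify txid and port; the difference is how guessable they are."""

    def __init__(self, strong: bool, seed: int = 1):
        self.strong = strong
        self.rng = random.Random(seed)           # seeded so the demo is repeatable
        self.cache: Dict[str, str] = {}
        self.pending: Dict[str, Tuple[int, int]] = {}
        self._next_txid = 1000

    def query(self, qname: str) -> Tuple[int, int]:
        if self.strong:
            txid = self.rng.randrange(1 << 16)
            port = self.rng.randrange(1024, 1 << 16)
        else:
            txid, port = self._next_txid, 53
            self._next_txid = (self._next_txid + 1) & 0xFFFF
        self.pending[qname] = (txid, port)
        return txid, port

    def receive(self, r: DnsResponse) -> bool:
        """Accept a response only if it matches an outstanding query; first match wins."""
        expected = self.pending.get(r.qname)
        if expected is None or (r.txid, r.port) != expected:
            return False                         # unsolicited, stale or forged
        self.cache[r.qname] = r.rdata
        del self.pending[r.qname]                # later answers, genuine or not, are dropped
        return True


def run_attack(strong: bool, guesses: int = 50) -> str:
    """Returns what the resolver ends up caching for bank.example."""
    r = Resolver(strong=strong)
    # Reconnaissance: the attacker makes the resolver look up a name it is authoritative
    # for, so the attacker's own name server sees the txid and source port in use.
    seen_txid, seen_port = r.query("attacker.example")
    r.receive(DnsResponse(seen_txid, seen_port, "attacker.example", POISON_IP))
    # Race: the attacker sends forged answers for the target name, extrapolating from
    # what it observed, before the genuine server's answer arrives.
    real_txid, real_port = r.query("bank.example")
    for i in range(1, guesses + 1):
        forged = DnsResponse((seen_txid + i) & 0xFFFF, seen_port, "bank.example", POISON_IP)
        if r.receive(forged):
            break
    r.receive(DnsResponse(real_txid, real_port, "bank.example", REAL_IP))
    return r.cache["bank.example"]


if __name__ == "__main__":
    print("weak resolver caches:  ", run_attack(strong=False))  # 203.0.113.66
    print("strong resolver caches:", run_attack(strong=True))   # 198.51.100.10
```

The weak resolver does check the transaction ID and port; it is poisoned because both are predictable, so the attacker's first forged answer matches and the genuine answer that arrives afterwards is discarded. Real resolvers add checks the toy omits: an answer must lie within the bailiwick of the server that was asked, and with DNSSEC the resolver validates signatures on the data rather than relying only on the unpredictability of txid and source port (RFC 5452 describes those two measures).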

4.4 Intrusion Detection System:


An intrusion detection system (IDS) is a device, typically another separate computer, that
monitors activity to identify malicious or suspicious events. An IDS is a sensor, like a smoke detector,
that raises an alarm if specific things occur. A model of an IDS is shown in below figure. The
components in the figure are the four basic elements of an intrusion detection system, based on the
Common Intrusion Detection Framework of [STA96]. An IDS receives raw inputs from sensors. It saves
those inputs, analyzes them, and takes some controlling action.
Types of IDSs
The two general types of intrusion detection systems are signature based and heuristic.
Signature-based intrusion detection systems perform simple pattern-matching and report situations that
match a pattern corresponding to a known attack type. Heuristic intrusion detection systems, also known
as anomaly based, build a model of acceptable behavior and flag exceptions to that model; for the future,
the administrator can mark a flagged behavior as acceptable so that the heuristic IDS will now treat that
previously unclassified behavior as acceptable.
Intrusion detection devices can be network based or host based. A network-based IDS is a stand-
alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs
on a single workstation or client or host, to protect that one host.
Signature-Based Intrusion Detection:
A simple signature for a known attack type might describe a series of TCP SYN packets sent to
many different ports in succession and at times close to one another, as would be the case for a port
scan. An intrusion detection system would probably find nothing unusual in the first SYN, say, to port
80, and then another (from the same source address) to port 25. But as more and more ports receive
SYN packets, especially ports that are not open, this pattern reflects a possible port scan. Similarly,
some implementations of the protocol stack fail if they receive an ICMP packet with a data length of
65535 bytes, so such a packet would be a pattern for which to watch.
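To make the port-scan and oversized-ICMP signatures above concrete, here is a small signature engine in Python. It is an added example, not code from the lecture notes or from any IDS product: the "10 distinct ports within 5 seconds" threshold, the addresses (RFC 5737 documentation ranges) and the packet sample are constructed assumptions. The second run widens the window to show the sensitivity trade-off discussed later in this section: a slow prober that the tight window misses (a false negative) is caught once the window grows.

```python
"""Signature-based IDS over a constructed packet stream: a stateful port-scan
signature and a stateless oversized-ICMP signature. Added example, not from the
lecture notes; thresholds, addresses and the traffic sample are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    t: float                     # arrival time in seconds
    src: str
    dst: str
    proto: str                   # "tcp" or "icmp"
    dport: Optional[int] = None
    flags: str = ""              # TCP flags, "S" = SYN, "SA" = SYN/ACK
    length: int = 0              # ICMP data length in bytes


@dataclass(frozen=True)
class Alert:
    t: float
    src: str
    signature: str
    detail: str


class PortScanSignature:
    """Fires when one source has SYN'd `threshold` distinct ports within `window` seconds."""
    name = "port-scan"

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.history: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.alerted = set()     # alert once per source, not once per packet

    def check(self, p: Packet) -> Optional[Alert]:
        if p.proto != "tcp" or "S" not in p.flags or "A" in p.flags:
            return None          # only bare SYNs count as connection attempts
        hist = self.history[p.src]
        hist.append((p.t, p.dport))
        while hist and p.t - hist[0][0] > self.window:
            hist.pop(0)          # forget attempts that fell out of the window
        ports = {dport for _, dport in hist}
        if len(ports) >= self.threshold and p.src not in self.alerted:
            self.alerted.add(p.src)
            return Alert(p.t, p.src, self.name,
                         f"{len(ports)} distinct ports within {self.window}s")
        return None


class OversizedIcmpSignature:
    """Stateless match on the 65535-byte ICMP data length the text describes."""
    name = "oversized-icmp"

    def check(self, p: Packet) -> Optional[Alert]:
        if p.proto == "icmp" and p.length >= 65535:
            return Alert(p.t, p.src, self.name, f"icmp data length {p.length}")
        return None


class SignatureIDS:
    def __init__(self, signatures):
        self.signatures = signatures

    def process(self, packets: List[Packet]) -> List[Alert]:
        alerts = []
        for p in sorted(packets, key=lambda x: x.t):   # signatures assume time order
            for sig in self.signatures:
                a = sig.check(p)
                if a:
                    alerts.append(a)
        return alerts


def sample_traffic() -> List[Packet]:
    """Constructed capture: a normal client, a fast scanner, a slow prober, one big ping."""
    pkts = [Packet(0.0, "192.0.2.10", "10.0.1.5", "tcp", 80, "S"),
            Packet(0.5, "192.0.2.10", "10.0.1.5", "tcp", 443, "S")]
    pkts += [Packet(1.0 + i * 0.1, "203.0.113.7", "10.0.1.5", "tcp", port, "S")
             for i, port in enumerate(range(20, 40))]        # 20 ports in 2 s
    pkts += [Packet(10.0 + i * 5.0, "198.51.100.4", "10.0.1.5", "tcp", port, "S")
             for i, port in enumerate(range(100, 112))]      # 12 ports over 55 s
    pkts.append(Packet(3.0, "203.0.113.7", "10.0.1.5", "icmp", length=65535))
    return pkts


def run(threshold: int = 10, window: float = 5.0) -> List[Alert]:
    ids = SignatureIDS([PortScanSignature(threshold, window), OversizedIcmpSignature()])
    return ids.process(sample_traffic())


if __name__ == "__main__":
    for a in run():
        print(f"t={a.t:5.1f} {a.src:14} {a.signature:15} {a.detail}")
```

With the default 5-second window only the fast scanner and the oversized ping are reported; the two-port web client stays quiet. Widening the window to 60 seconds also catches the slow prober, at the price of more state per source and a greater chance that a busy but legitimate client crosses the threshold.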
Heuristic Intrusion Detection:
Because signatures are limited to specific, known attack patterns, another form of intrusion
detection becomes useful. Instead of looking for matches, heuristic intrusion detection looks for
behavior that is out of the ordinary. The original work in this area focused on the individual, trying to
find characteristics of that person that might be helpful in understanding normal and abnormal behavior.
For example, one user might always start the day by reading e-mail, write many documents using a word
processor, and occasionally back up files. These actions would be normal. This user does not seem to
use many administrator utilities. If that person tried to access sensitive system management utilities, this
new behavior might be a clue that someone else was acting under the user's identity.
Inference engines work in two ways. Some, called state-based intrusion detection systems, see
the system going through changes of overall state or configuration. They try to detect when the system
has veered into unsafe modes. Others try to map current activity onto a model of unacceptable activity
and raise an alarm when the activity resembles the model.
These are called model-based intrusion detection systems. This approach has been extended to networks
in [MUK94]. Later work sought to build a dynamic model of behavior, to accommodate variation and
evolution in a person's actions over time. The technique compares real activity with a known
representation of normality.
Alternatively, intrusion detection can work from a model of known bad activity. For example,
except for a few utilities (login, change password, create user), any other attempt to access a password
file is suspect. This form of intrusion detection is known as misuse intrusion detection. In this work, the
real activity is compared against a known suspicious area.
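The per-user behaviour model and the password-file misuse rule described above, as an added Python example (not code from the lecture notes). The audit log format, the user and program names and the three-utility allow-list are constructed for illustration; the `accept` step models the administrator marking a flagged behaviour as acceptable so that it is not reported again.

```python
"""Heuristic (anomaly) and misuse intrusion detection over a constructed host audit
log. Added example, not from the lecture notes; the log format, user names and the
password-file allow-list are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    user: str
    program: str
    target: Optional[str] = None   # file the program touched, if the log recorded one


# Constructed audit log lines: "<user> <program> [<file>]".
TRAINING_LOG = """\
alice mail
alice wordproc
alice mail
alice backup /home/alice
bob mail
bob compiler
bob debugger
""".splitlines()

LIVE_LOG = """\
alice mail
alice wordproc
alice useradd /etc/passwd
bob compiler
bob editor /etc/shadow
carol mail
""".splitlines()


def parse(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue                               # skip blank or malformed lines
        events.append(Event(parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return events


class AnomalyDetector:
    """Builds a per-user model of normal programs from a training period and flags
    anything outside it; the administrator can later accept a flagged behaviour."""

    def __init__(self):
        self.normal: Dict[str, Set[str]] = defaultdict(set)

    def train(self, events: List[Event]) -> None:
        for e in events:
            self.normal[e.user].add(e.program)

    def accept(self, user: str, program: str) -> None:
        self.normal[user].add(program)             # future runs of this pair are normal

    def check(self, e: Event) -> Optional[str]:
        if e.user not in self.normal:
            return f"no baseline for user {e.user}"
        if e.program not in self.normal[e.user]:
            return f"{e.user} ran {e.program}; baseline is {sorted(self.normal[e.user])}"
        return None


class MisuseDetector:
    """Model of known-bad activity: the password files may only be touched by a
    short list of utilities, as in the text's example."""
    PASSWORD_FILES = {"/etc/passwd", "/etc/shadow"}
    ALLOWED = {"login", "passwd", "useradd"}

    def check(self, e: Event) -> Optional[str]:
        if e.target in self.PASSWORD_FILES and e.program not in self.ALLOWED:
            return f"{e.user} accessed {e.target} with {e.program}"
        return None


def scan(detectors, events: List[Event]) -> List[Tuple[str, str, str]]:
    """Returns (detector name, user, message) for every event some detector flags."""
    alerts = []
    for e in events:
        for d in detectors:
            msg = d.check(e)
            if msg:
                alerts.append((type(d).__name__, e.user, msg))
    return alerts


def demo() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    anomaly = AnomalyDetector()
    anomaly.train(parse(TRAINING_LOG))
    detectors = [anomaly, MisuseDetector()]
    first = scan(detectors, parse(LIVE_LOG))
    anomaly.accept("alice", "useradd")             # admin review: alice's useradd was legitimate
    second = scan(detectors, parse(LIVE_LOG))
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(*first, sep="\n")
    print("after accepting alice/useradd:")
    print(*second, sep="\n")
```

The first pass raises four alerts: alice's `useradd` (outside her baseline, though the misuse rule allows that utility), bob's `editor` on `/etc/shadow` (flagged by both detectors) and carol, for whom there is no baseline at all. After the administrator accepts alice's new behaviour the second pass raises three; the misuse rule is unaffected by the baseline, which is the point of keeping a model of known-bad activity alongside the model of normal activity.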
Stealth Mode:
An IDS is a network device (or, in the case of a host-based IDS, a program running on a network
device). Any network device is potentially vulnerable to network attacks. How useful would an IDS be
if it itself were deluged with a denial-of-service attack? If an attacker succeeded in logging in to a
system within the protected network, wouldn't trying to disable the IDS be the next step?
To counter those problems, most IDSs run in stealth mode, whereby an IDS has two network
interfaces: one for the network (or network segment) being monitored and the other to generate alerts
and perhaps other administrative needs. The IDS uses the monitored interface as input only; it never
sends packets out through that interface. Often, the interface is configured so that the device has no
published address through the monitored interface; that is, a router cannot route anything to that address
directly, because the router does not know such a device exists. It is the perfect passive wiretap. If the
IDS needs to generate an alert, it uses only the alarm interface on a completely separate control network.
Goals for Intrusion Detection Systems:
1. Responding to alarms:

Whatever the type, an intrusion detection system raises an alarm when it finds a match. The alarm can
range from something modest, such as writing a note in an audit log, to something significant, such as
paging the system security administrator. Particular implementations allow the user to determine what
action the system should take on what events.
In general, responses fall into three major categories (any or all of which can be used in a single
response):
 Monitor, collect data, perhaps increase amount of data collected
 Protect, act to reduce exposure
 Call a human
2. False Results:
Intrusion detection systems are not perfect, and mistakes are their biggest problem. Although an
IDS might detect an intruder correctly most of the time, it may stumble in two different ways: by raising
an alarm for something that is not really an attack (called a false positive, or type I error in the statistical
community) or not raising an alarm for a real attack (a false negative, or type II error). Too many false
positives means the administrator will be less confident of the IDS's warnings, perhaps leading to a real
alarm's being ignored. But false negatives mean that real attacks are passing the IDS without action. We
say that the degree of false positives and false negatives represents the sensitivity of the system. Most
IDS implementations allow the administrator to tune the system's sensitivity, to strike an acceptable
balance between false positives and negatives.
IDS strengths and limitations:
On the upside, IDSs detect an ever-growing number of serious problems. And as we learn more
about problems, we can add their signatures to the IDS model. Thus, over time, IDSs continue to
improve. At the same time, they are becoming cheaper and easier to administer. On the downside,
avoiding an IDS is a first priority for successful attackers. An IDS that is not well defended is useless.
Fortunately, stealth mode IDSs are difficult even to find on an internal network, let alone to
compromise. IDSs look for known weaknesses, whether through patterns of known attacks or models of
normal behavior. Similar IDSs may have identical vulnerabilities, and their selection criteria may miss
similar attacks. Knowing how to evade a particular model of IDS is an important piece of intelligence
passed within the attacker community. Of course, once manufacturers become aware of a shortcoming in
their products, they try to fix it. Fortunately, commercial IDSs are pretty good at identifying attacks.
Another IDS limitation is its sensitivity, which is difficult to measure and adjust. IDSs will never be
perfect, so finding the proper balance is critical.
In general, IDSs are excellent additions to a network's security. Firewalls block traffic to
particular ports or addresses; they also constrain certain protocols to limit their impact. But by
definition, firewalls have to allow some traffic to enter a protected area. Watching what that traffic
actually does inside the protected area is an IDS's job, which it does quite well.
Examples of Intrusion
o remote root compromise
o web server defacement
o guessing / cracking passwords
o copying databases containing credit card numbers
o viewing sensitive data without authorization
o running a packet sniffer
o distributing pirated software
o using an unsecured modem to access internal network
o impersonating an executive to get information
o using an unattended workstation
Hackers
•motivated by thrill of access and/or status
–hacking community is a strong meritocracy
–status is determined by level of competence
•benign intruders consume resources and slow performance for legitimate users
•intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to help counter
hacker threats
–can restrict remote logons to specific IP addresses
–can use virtual private network technology (VPN)
•intruder problem led to establishment of computer emergency response teams (CERTs)
Criminals
•organized groups of hackers now a threat
–corporation / government / loosely affiliated gangs
–meet in underground forums
–common target is credit card files on e-commerce servers
•criminal hackers usually have specific targets
–once penetrated act quickly and get out
•IDS / IPS can be used but less effective
•sensitive data should be encrypted
Insider Attacks
•among most difficult to detect and prevent
•employees have access and systems knowledge
•may be motivated by revenge/entitlement
–employment was terminated
–taking customer data when moving to a competitor
•IDS / IPS can be useful but also need:
–enforcement of least privilege, monitor logs, strong authentication, termination process
•Security Intrusion:
A security event, or a combination of multiple security events, that constitutes a security incident
in which an intruder gains, or attempts to gain, access to a system (or system resource) without
having authorization to do so.
•Intrusion Detection :
A security service that monitors and analyzes system events for the purpose of finding, and
providing real-time or near real-time warning of, attempts to access system resources in an unauthorized
manner

4.5 Virtual Private Networks:

