
UNIT - 01

Network and Information Security Fundamentals: Network Basics, Network Components,
Network Types, Network Communication Types, Introduction to Networking Models, Cyber Security
Objectives and Services, Other Terms of Cyber Security, Myths Around Cyber Security, Recent Cyber
Attacks, Generic Conclusion about Attacks, Why and What is Cyber Security, Categories of Attack

Network Basics:

1. Need for Network:

• Exchange of information between a sender and a receiver is called communication. This can be
achieved with the help of networking. A few examples are given below.

• Samson sending an email to Margaret over the internet (data)

• Various teams connecting over a conference call (voice)

• Two users video-chatting over the Skype application (video)

A network is required for every communication. Let us see what a communication system is.

Communication System:

• A communication system is a collection of systems which are connected together to make
communication possible. A typical communication system consists of the following components.

• Sender - person or device who sends the data. Example: Computer, Telephone, Radio
Broadcasting station.

• Receiver - person or device who receives the data. Example: Computer, Telephone, Radio
sets.

• Transmission Media - physical medium through which the message travels from the sender
to the receiver. Example: Optical fibers, Coaxial Cables, Radio waves.

• Protocol - set of rules and regulations agreed upon by both the sender and receiver that
govern the message exchange.

Let us understand what a network is.

What is a Network?

• A network is a collection of various devices and end user systems connected with each other
to achieve the purpose of communication. Networking has changed the way we do business
and day to day activities. With the help of networking, we can get information
instantaneously through email, telephone, fax etc.

• Networking enables us to exchange data like text, audio and video across geographies. Let us
move ahead in understanding the various components of a network.

Components of a Network:

• The major components of a network are end user devices, switches, routers and
interconnections. A typical network looks as below.

• Repeaters, hubs, bridges and gateways are also components of a network. However, the
components vary, since not every network contains the same types of devices.

• Let us understand the functions of each component in detail.

Components of Network:

End User Devices

• These are the end points in the network

• They help the end users to send and receive messages

• Examples: Computers, Servers, Smart Phones, Mobile Phones, Printers etc.

Hub

• It is typically the least expensive component and it is a "dumb" device

• Performs a very simple job - anything that comes in on one port is sent out through all the other
ports

• It is used to form small networks

• Note: a port is an endpoint of communication in an operating system

Switch

• Switches contain multiple ports

• A switch connects various systems to form a simple local network

• Every switch maintains a database with source and destination information, called the
MAC address table

• It also provides intelligent switching of messages within the local network

Router

• Routers connect multiple networks

• They choose the best path between the networks

• Every router maintains a database of source and destination information, called the
routing table

• Routers usually connect different networks working in different locations. For example, one
network in a campus might have to communicate with a distant network connected through
fiber optics.

Interconnections

• They provide a means for a message to travel from one point to another. The types of
interconnections are:

• NIC (Network Interface Card) - a hardware part residing in all the machines which
efficiently translates the user data into a format that is fit to be transmitted on the network

• Media can be cables or wireless; they provide the channel to transmit the signals between
devices

• Connectors are the connection end points for the media
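
The hub and switch behaviour described above, as an added example that is not part of the original handout: a hub repeats every frame out of all its other ports, while a switch learns the source MAC of each frame into its MAC address table and later forwards a known destination to a single port. Device names, port numbers and MAC addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """A simplified layer-2 frame carrying only the fields this example needs."""
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """A hub keeps no table: a frame arriving on one port goes out of every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress_port, frame):
        return [p for p in self.ports if p != ingress_port]


class Switch:
    """A switch learns (source MAC -> port) and forwards known unicast to one port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # the MAC address table: MAC -> port it was last seen on

    def forward(self, ingress_port, frame):
        # Learning step: the source address tells the switch where that host lives.
        self.mac_table[frame.src_mac] = ingress_port
        # Forwarding step: a known unicast destination goes to exactly one port;
        # unknown destinations and broadcasts are flooded, just like a hub.
        if frame.dst_mac != BROADCAST and frame.dst_mac in self.mac_table:
            out = self.mac_table[frame.dst_mac]
            return [] if out == ingress_port else [out]
        return [p for p in self.ports if p != ingress_port]


def demo():
    """Push the same constructed frames through a hub and a switch; return the egress ports."""
    ports = [1, 2, 3, 4]
    hub, switch = Hub(ports), Switch(ports)
    host_a, host_b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"   # constructed MACs
    traffic = [
        (1, Frame(host_a, host_b, "hello")),    # B not learned yet: switch floods
        (2, Frame(host_b, host_a, "hi back")),  # A already learned: one port only
        (1, Frame(host_a, host_b, "thanks")),   # B learned too: one port only
    ]
    return {
        "hub": [hub.forward(port, frame) for port, frame in traffic],
        "switch": [switch.forward(port, frame) for port, frame in traffic],
        "mac_table": dict(switch.mac_table),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The table is why a host on port 3 of a switch does not see the unicast frames exchanged between ports 1 and 2, whereas every host on a hub receives every frame.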


Let us understand the types of networks.

Types of Networks:

Following are the types of network.

1. LAN (Local Area Network)

2. WAN (Wide Area Network)

3. MAN (Metropolitan Area Network)

LAN:

A LAN is used to connect networking devices that are in a very close geographic area, such as a floor of
a building, a building itself, or a campus environment. Switches and hubs are the primary devices used to
build a LAN. We can also build a small network using only a hub.

WAN

A WAN is used to connect Local Area Networks together. Typically, Wide Area Networks are used to
connect Local Area Networks which are separated by a large distance. The router is the primary device used to
build a WAN.

MAN

• A MAN consists of a computer network across an entire city, college campus or small region. A
MAN is larger than a LAN, which is typically limited to a single building or site. Depending on
the configuration, this type of network can cover an area from several miles to tens of miles.
A MAN is often used to connect several LANs together to form a bigger network.

• Let us understand the different types of communication in a network.

Network Communication Types:

There are three types of communication which are used for different purposes:

• Unicast

• Multicast

• Broadcast

Unicast:

• In the Unicast type of communication, there is only one source and one destination. In other
words, it is one to one communication. Example: Telephone call between two persons.

Multicast

• In the Multicast type of communication, the source communicates with a group of destinations. In
other words, it is one to many. Example: A manager sending a mail to his team.

Broadcast

• Broadcast communication is one to all. We have only one source and all the other hosts are
the destinations. Example: Radio broadcasting service.

Introduction to Networking Models:

Need for Networking Models:

Host to Host Communication:

• The main aim of a computer network is communication and information sharing. Suppose
computer A wants to communicate with computer B through a computer network. The two
systems might be a few meters away or in different continents.

• While communicating, data has to pass through many intermediate nodes, which can be switches,
routers etc.

• To ensure that data from sender A reaches receiver B correctly and securely, we need to
have a set of rules which guides the communication between A and B. These sets of rules are
called Protocols. These protocols grouped together constitute a communication model.
The agreed upon set of rules are called Standards.

• Let us see a business scenario to understand host to host communication.

• Boson, CEO of a British company, wants to send a letter to Lawrence, CEO of a French
company. Let us see how they communicate with each other. Boson and Lawrence have
employed secretaries to assist them.

The communication between Boson and Lawrence happens as given below.

The above scenario depicts a layered architecture wherein each person serves the person above
and gets service from the person below.

Similarly, in a communication system, various services are categorized into layers. Each service in a
higher layer uses the service from the layer below it. This is also termed the layered architecture for
networking. Let us understand the layered architecture in detail.

Anand sends a text message from his iPhone to his friend Vaishnavi, who is using a Samsung
Galaxy Note. In this scenario, though both the users are using devices manufactured by different
companies, they are able to communicate with each other. This is because of a set of rules agreed
upon by the vendors to exchange the information. These rules are defined in Networking Models.

• Two important Networking Models are the OSI (Open System Interconnection) reference
model and the TCP/IP (Transmission Control Protocol / Internet Protocol) protocol suite

• The reference model is a conceptual framework for understanding communication

• Networking Models assist in exchanging data between dissimilar hosts

• E.g. you can communicate between a PC with Windows OS and a PC with Unix OS

OSI Reference Model:

OSI stands for Open System Interconnection. OSI means that every system participating in this
model is open to communicating with other systems. The OSI reference model was developed by an
organization called ISO (International Organization for Standardization), which works on the
standardization of protocols. The OSI model is an ideal model that helps us in understanding how data
transfer happens between systems.

• What does the OSI model look like?

• The OSI model has been divided into seven separate layers

• A layer is a logical group of related functionalities

• Each layer has its own functionality and provides support to other layers

• All layers work together to move data through a network

Let us understand the properties and functions of each layer.

Properties of OSI Layers:

Application Layer

• This layer serves as the window for users and application processes to access the network
services. An end user program that opens what was sent or creates what is to be sent

• Functionalities: Remote file access, resource sharing

• Protocols: HTTP/FTP/SMTP

• Data format (PDU - Protocol Data Unit) in this layer is called user data

Presentation Layer

• This layer presents the data in the required format, which may include:
encryption/decryption, compression/decompression, encoding/decoding

• It is a syntax layer which can be viewed as a “translator” for the network

• Functionalities: data conversion, data compression

• Protocols: ASCII/JPEG/GIF/EBCDIC/ASN.1

• Data format (PDU) in this layer is called formatted data

Session Layer

• This layer establishes, manages, and terminates sessions between two communicating hosts

• Functionalities: Perform security, Name recognition, Logging

• Protocols: RPC/SQL/NFS

• Data format (PDU) in this layer is called formatted data

Transport Layer

• This layer breaks up the data from the sending host and then reassembles it in the receiver.
This host to host layer is used for flow control

• It ensures that messages are delivered error-free, in sequence, and with no losses or
duplications

• Functionalities: Message segmentation, Message acknowledgement, Traffic control

• Data format (PDU) in this layer is called segment

• Protocols: TCP/UDP/SPX

TCP (Transmission Control Protocol)

• It is a connection-oriented protocol

• It incurs additional overhead to gain the functions of ordered delivery, reliable delivery, and flow
control

• Applications that use TCP: Web Browsers, E-mail, File Transfers etc.

UDP (User Datagram Protocol)

• It is a simple, connectionless protocol

• It provides low overhead data delivery

• The pieces of communication in UDP are called datagrams. The datagrams are sent using the
"best effort" service of this Transport layer protocol

• Applications that use UDP: Domain Name System (DNS), Video Streaming, Voice over IP (VoIP)
etc.

Network Layer

• This layer makes “Best Path Determination” decisions based on logical addresses (usually IP
addresses)

• Functionalities: Routing, Network traffic control, Logical (IP) to Physical (MAC) address mapping

• Protocols: IP/IPX

• Associated device in this layer: Router

• Data format (PDU) in this layer is called packet

Data Link Layer

• This layer provides error free transfer of data frames from one node to another over the
physical layer

• It makes decisions based on physical addresses (usually MAC addresses)

• Functionalities: Frame traffic control, Frame sequencing, Frame error checking

• Protocols: Ethernet, PPP/HDLC

• Associated device in this layer: Switch/Bridge

• Data format (PDU) in this layer is called frame

Physical Layer

• This layer is concerned with the transmission and reception of the unstructured raw bit
stream over the physical medium (cables, hubs, etc.)

• Functionalities: Data encoding, Physical medium attachments, Transmission technique,
physical medium transmission of bits & volts

• Associated device in this layer: Hub/Repeater

• Data format (PDU) in this layer is called bit


Interaction between Layers

• The application (upper) layers

• Layer 7: Application layer

• Layer 6: Presentation layer

• Layer 5: Session layer

• The data-flow (lower) layers

• Layer 4: Transport layer

• Layer 3: Network layer

• Layer 2: Data link layer

• Layer 1: Physical layer

• The communication between the same layer on the source and the destination is known as peer layer
communication.

Data Flow in OSI Model:

• System A wants to communicate with system B over the network.

• They are the end systems connected by a network.

• The top 4 layers are implemented by the end systems and the bottom 3 layers are implemented by
all nodes in the path.

• Every layer has some protocol using which it communicates with the corresponding layer in
the other system. The application layer protocol, presentation layer protocol, session layer
protocol etc. are such protocols. Every layer communicates with the layer above and below
it. Also, it provides some service to the layer above it. Protocols work between the same layers
of different machines, whereas services work between different layers within the same machine.

The intermediate nodes implement only the bottom 3 layers of communication, since their task is only to
pass the data on along the path.

TCP/IP Model:

Before the OSI Reference Model was developed, the most widely used reference model was the TCP/IP
Protocol Suite. This was developed as a result of a research program sponsored by the United States
Department of Defense. Unlike the OSI reference model, TCP/IP has only 4 layers. This model is as given
below.

• Although the OSI reference model is universally recognized, the historical and technical open
standard of the internet is TCP/IP (Transmission Control Protocol / Internet Protocol)

• The TCP/IP reference model and the TCP/IP protocol stack make data communication
possible between any two computers, anywhere in the world, at nearly the speed of light

• The U.S. Department of Defense (DoD) created the TCP/IP reference model

• Let us understand the functions of each layer in the TCP/IP model.

Application Layer

• This layer contains all the higher level protocols including file transfer, email, web services
etc.

• The Application, Presentation and Session layers in the OSI model together correspond to the
Application layer of the TCP/IP model

Transport Layer

• This layer takes care of the conversation between source and destination. The conversation
can be connection oriented or connectionless. Protocols in this layer are TCP and UDP. TCP's
functionalities include fragmenting the original message into discrete pieces and reassembling
them when they reach the destination. On the other hand, UDP is an unreliable protocol.

• The transport layer is the same in both models.

Internet Layer

• This layer was the result of packet switching networks. The main functionality of this layer is
to transmit packets to any network through the best path from the source. The major
protocol in this layer is IP (Internet Protocol)

• The Network layer of the OSI model corresponds to the Internet layer in the TCP/IP model.

Network Access Layer

• The TCP/IP protocol suite does not specify much below the Internet layer. This layer is quite
undefined

• The data link layer and physical layer of OSI form the Network Access layer in the TCP/IP Protocol
suite.

Data Flow in TCP/IP Model:

• Let's say that you are browsing Sparsh. By the time the Sparsh page loads on your desktop, the
data has gone through a lot of software and hardware. This is sort of like how the postal
system works. Many people in the postal department do their respective jobs to make sure
your parcel reaches your friend.

Like the postal department, in computer networks, many layers of software and hardware
must do their respective jobs to ensure smooth communication. This is called the TCP/IP
model. It defines how networks should work. TCP/IP is a set of four layers of protocols. Each
layer focuses on how to package the data so that the corresponding layer on the receiving
device can understand it. It does not bother about how the data is handled by subsequent layers.

Application Layer

• This layer is responsible for converting the data into a form understandable by the destination
application. A layer is just a concept. It is implemented in software or hardware. The
application and the application layer are not the same.

Transport Layer

• This layer ensures that the data has reached the destination. It does this by looking for an
acknowledgement from the receiver. It sends a unique sequence number with each piece of data and
expects it back in the acknowledgement. If it does not receive an acknowledgement within a
certain time, it resends the data.
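
The sequence-number, acknowledgement and resend behaviour just described, as an added simulation that is not part of the original handout: each piece of data carries a sequence number, the receiver echoes it back, and the sender retransmits when no matching acknowledgement arrives. The message and the channel's loss pattern are constructed, and a lost acknowledgement is treated as the timeout expiring.

```python
from itertools import cycle


class LossyChannel:
    """Loses items according to a constructed, repeating pattern (True = item lost)."""

    def __init__(self, drop_pattern):
        self._drops = cycle(drop_pattern)

    def deliver(self, item):
        return None if next(self._drops) else item


class Receiver:
    """Accepts data in sequence order and acknowledges the sequence number it received."""

    def __init__(self):
        self.expected_seq = 0
        self.received = []

    def on_segment(self, seq, data):
        if seq == self.expected_seq:
            self.received.append(data)
            self.expected_seq += 1
        # A retransmitted duplicate is not stored twice, but it is still
        # acknowledged so the sender can move on to the next piece.
        return seq


def send_reliably(message, channel, receiver, chunk_size=4, max_retries=20):
    """Send each chunk with a sequence number; return (delivered, retransmissions)."""
    chunks = [message[i:i + chunk_size] for i in range(0, len(message), chunk_size)]
    retransmissions = 0
    for seq, chunk in enumerate(chunks):
        for _attempt in range(max_retries + 1):
            ack = None
            arrived = channel.deliver((seq, chunk))                    # segment may be lost
            if arrived is not None:
                ack = channel.deliver(receiver.on_segment(*arrived))  # ack may be lost
            if ack == seq:
                break                    # matching acknowledgement: next chunk
            retransmissions += 1         # nothing back "within the timeout": resend
        else:
            return False, retransmissions   # gave up on this chunk
    return True, retransmissions


def demo():
    """Deliver a constructed message over a channel that loses every few items."""
    drop_pattern = [False, False, True, False, False, False, False, True, False, True, False]
    receiver = Receiver()
    delivered, retransmissions = send_reliably(
        "THE QUICK BROWN FOX", LossyChannel(drop_pattern), receiver)
    return delivered, "".join(receiver.received), retransmissions


if __name__ == "__main__":
    print(demo())
```

The sequence numbers here start at 0 for readability; real TCP starts each connection from a random initial sequence number so that a party that cannot observe the connection cannot guess valid numbers and inject segments.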
Internet Layer

• This layer is responsible for finding the best possible route for the data to reach the
destination. The router is the network device that works in this layer, and it actively uses this layer to
find the best route.

Link Layer:

1. Here the Network Access layer is referred to as the link layer. The link layer is responsible for ensuring
error-free data delivery to the correct host using CRC (Cyclic Redundancy Check) checks.

2. The sender uses the CRC algorithm to generate a unique number for the data. The CRC and data are
transmitted to the destination. The receiver uses the same CRC algorithm and checks if the
generated CRC matches the transmitted CRC. If both match, then the data has arrived
uncorrupted. If not, the received data is discarded.
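
The CRC check in steps 1 and 2, carried through as an added example that is not part of the original handout: a CRC-32 written here (same parameters as Ethernet and zlib.crc32) is appended to the payload by the sender and recomputed by the receiver, which discards the frame on a mismatch. The payload and the flipped bit are constructed.

```python
import zlib

CRC32_POLY = 0xEDB88320   # reflected form of the IEEE 802.3 polynomial


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 with the same parameters as Ethernet and zlib.crc32."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # Shift one bit out; if it was a 1, reduce by the polynomial.
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_frame(payload: bytes) -> bytes:
    """Sender side: payload followed by its 4-byte CRC (the frame check sequence)."""
    return payload + crc32(payload).to_bytes(4, "little")


def check_frame(frame: bytes):
    """Receiver side: return the payload if the CRC matches, else None (frame discarded)."""
    if len(frame) < 4:
        return None
    payload, fcs = frame[:-4], int.from_bytes(frame[-4:], "little")
    return payload if crc32(payload) == fcs else None


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate line noise: invert a single bit somewhere in the frame."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def demo():
    """Send one constructed frame cleanly and once with a single corrupted bit."""
    payload = b"constructed link-layer payload"
    frame = build_frame(payload)
    return {
        "clean": check_frame(frame),
        "corrupted": check_frame(flip_bit(frame, 37)),
        "matches_zlib": crc32(payload) == zlib.crc32(payload),
    }


if __name__ == "__main__":
    print(demo())
```

A CRC catches accidental corruption on the wire; it is not a security control, because anyone who deliberately alters the data can recompute a matching CRC, so integrity against tampering needs a keyed MAC or a digital signature at a higher layer.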

Physical Layer

This layer is outside of the TCP/IP model. It converts data to appropriate signals for transmission
through wired and wireless media.

Protocol Stack

• There can be many combinations of protocols to make up a stack.

• Following is the comparison between the OSI model and TCP/IP along with protocols.

Network Topology:

• The components of a network are connected with each other based on certain requirements
like cost, area, efficiency, reliability, etc. The way of connecting the components is termed
topology; in other words, topology defines the structure of the network.

• The arrangement of various devices to design a network is referred to as topology.

• Types of Network Topology

• Various types of network topologies are as follows.

Features of Network Topologies:
About Cyber Security:

Technology has covered almost all facets of today’s world. From dawn to dusk, we are engaged
digitally.

From the smartphone at home that meets all our daily needs, to making a fund transfer, to ordering a
refill of groceries, everything is just a click away. A typical day at the workplace involves dealing with
desktops/laptops connecting to intranet/internet servers. A relaxed weekend at a dine-in will involve
the attender taking the customer's order through a tablet and the customer paying the bill through a
credit/debit card. All these transactions involve accessing the internet. Hence it becomes important
that everyone is aware of the risks involved in using digital data and its protection. Cyber Security is
the protection of internet-connected systems, including hardware, software and data, from cyber
attacks.

Since the majority of cyber attacks are reported through web applications, it is imperative that
web application designers are aware of the common mistakes to avoid while building and
maintaining web applications.

In this course we will learn about various cyber-attacks, the reasons behind such attacks and the
guidelines to avoid them. It is recommended that web application developers are aware of the Top
10 web application mistakes listed by OWASP (Open Web Application Security Project). This
course will explain each of these mistakes and its countermeasure. We will also understand the
concept of threat modelling and tools that help in designing secure web applications.

Today’s Digital World:

Online applications these days can be accessed through desktops, laptops, cell phones, etc. These
applications are highly inter-connected. Their ease of access makes them vulnerable. For instance,
using the same cell phone a user can update his status on a social media website and can transfer
funds online the next minute. He/she might also use the same cell phone to access their Aadhaar
card details. To top it all, he/she might use the same email account for registering in various banking,
social networking applications etc.

• A weak password on this account is a temptation for hackers, as by gaining access to this
Gmail account they might be able to access other applications linked with this account.
Also, a spam mail can be sent through this account to lure a user into disclosing confidential
information that might help the attacker to intrude into his/her banking
application. A vulnerable email account can make other applications vulnerable too.

• Vulnerability is a quality or state of being exposed to the possibility of being attacked or
harmed. In IT systems, a vulnerability may exist due to a flaw in a computer, human error, a flaw
in a network etc. Many cases of attacks have been reported in the recent past.

• Let us see some of these cases.

Recent Cyber Attacks (2016 Uber Attack):

What was it all about?

• Uber’s CEO, Dara Khosrowshahi, stated that hackers stole the personal data of nearly 57 million
Uber users. This personal data included names, phone numbers, email addresses and
debit/credit card numbers of customers and also the license numbers of the drivers serving the
company.

How was the attack carried out?

• Hackers broke into Uber's account on GitHub. GitHub is a site that many engineers and
companies use to store the code of IT projects.

• In Uber’s GitHub account, they found the username and password that gave access to
Uber's data stored on a third party cloud server.

• Developers had accidentally left the login credentials in code which was uploaded to GitHub, and
hence the hackers successfully got access to Uber’s server.

What was its impact?

• Uber faced lawsuits filed by many users as their personal data was leaked

• Uber allegedly paid a $100,000 ransom to the hackers to get the data deleted.

2016 Indian Debit Card Breach:

What was it all about?

• The Indian debit card breach took place in October 2016.

• It was estimated that 3.2 million debit cards were compromised. Major Indian banks including
SBI, HDFC, ICICI, YES Bank and Axis Bank were among the worst hit.

How was the attack carried out?

• Reportedly, the breach was not the result of a direct attack on the banks; instead it was due to
malware injected into ATMs and Point-of-Sale (POS) terminals. The malware was injected into
the payment gateway network of Hitachi Payment Systems, which facilitates transactions
either from an ATM or an online payment gateway.

What was its impact?

• Complaints from customers about unauthorized debits were reported

• Subsequently, it resulted in one of the biggest card replacement drives in India's banking history

• SBI announced the blocking and replacement of almost 600,000 debit cards
Generic Conclusion about Attacks:

• These examples show that cyber-attacks are not limited to the IT sector. Every organization
reliant on IT for pursuing its mission, whether in education, government, military, healthcare, retail
etc., needs to protect itself from such attacks.

• Cyber attacks have increased to such a large extent that even a minute flaw in a system can
cost a lot, as we have seen in some of the discussed attacks.

• Hackers have a keen interest in vulnerabilities existing in an organization or in any information
system. Carelessness of employees or the organization is one of the main reasons due to which a
system becomes vulnerable.

• Financial gain is one of the main motives behind these attacks, but it is not the only motive.
Attacks might just happen to cause chaos within the organization. In some cases,
hackers have broken into systems just to satisfy their intellectual curiosity.

• The number of attacks is increasing day by day. Let us see the impact of such attacks.

Impacts of Cyber Attacks:

• Once an organization is attacked by hackers, it gets affected in multiple ways.

• Following are the commonly seen impacts on businesses after a cyber attack.

• Organization name hits the headlines: As the news about the breach hits the headlines, it
adversely harms the reputation of the organization, hence its market value goes down

• Loss in business: The main causes of loss in business are loss of customers,
reputation/brand damage, revealing of trade secrets, strategies and plans, etc.

• Legal penalties: The data leaked due to the breach may contain customers’ personal data
(customers who have put their trust in the organization). This may lead the customers to file lawsuits
for breach of privacy

• Regular functioning crippled: The cyber-attack has the potential of affecting regular
functioning, for instance, email systems going down, automated payroll processing going
down, network outages etc.

• Defamation: Confidential email leaks, internal communication leaks etc. may defame an
organization or a person

• Hence, it becomes very important to ensure the security of assets, information, people etc. Let
us understand the basics of Cyber Security.

Why Cyber Security?

• Cyber attacks are a great threat to the global economy as well as to our personal data.

• In 2015, the computer security group Veracode reported that defending UK businesses against
cyber-attacks and repairing the damage done by hackers costs businesses £34 billion per
year.

• There are two important aspects that need to be protected:

Information: Customers' data, source code, design documents, financial reports, employee records,
intellectual property, etc.

Information systems: Computers, networks, cables etc.

• A good Cyber Security approach plays a vital role in minimizing and controlling damage, and in
recovering from a cyber-breach and its consequences.

• Let us understand more about what Cyber Security is.

What is Cyber Security?

• Cyber Security is a set of techniques used to protect systems, networks, and applications
from attacks, damage or unauthorized access originating from the internet.

• These attacks are usually aimed at accessing, changing, or destroying sensitive information;
extorting money from users; or interrupting normal business processes.

• With comparatively more devices than people around, implementation of effective Cyber
Security measures is a challenge in today's world.

• According to Forbes, IT security spending is expected to reach around $170 billion
on Cyber Security solutions by the year 2020.

• Let us understand the various categories of attacks through an example.


Categories of Attack:

• An IT company, SSV Limited, is managing a banking application for one of its leading clients, ZSC
Bank. Sensitive data like fingerprints, account numbers, passwords, login ids and phone
numbers of customers of ZSC Bank are stored in a database server managed by the database
team of the company. The application team of the company handles the user interfaces.
Inputs from the user are taken through an HTML form.

• A malicious hacker attacked the website of ZSC Bank with the help of an insider (a bank teller)
and demanded a ransom. Failing to pay the ransom might lead the company to a compromise
of the confidentiality of the data that was stolen.

• Also, the bank started getting the following complaints from customers.

• Unauthorized fund transactions taking place in their accounts

• Non-delivery of messages for transactions and usual bank updates

• The bank immediately reported the issue to their vendor SSV Limited.

These attacks violate the basic Objectives and Services of Cyber Security. Let us see the Cyber Security
Objectives and Services that got violated.
Cyber Security Objectives and Services:

• Each of these attacks violates a specific desired property of security. These properties are
termed security objectives. Security objectives are also known as security goals, or
characteristics of information and information systems.

• The three standard pillars (Security Objectives) of Cyber Security are:

Confidentiality

• Makes sure that data remains private and confidential. It should not be viewed by
unauthorized people through any means

Integrity

• Assures that data is protected from accidental or deliberate modification

Availability

• Ensures timely and reliable access to information and its use.

• These three principles are together called the CIA (Confidentiality, Integrity
and Availability) triad. An alternate way of referring to CIA is
through the DAD (Disclosure, Alteration and Denial) triad.

• There are three more important concepts in information security that support these
pillars, known as the AAA (Authentication, Authorization and Accounting) services. These
services are used to support the CIA principles.

1. Authentication

• Authentication is verifying an identity

2. Authorization

• Authorization is determining whether a particular user is allowed to access a particular
resource or function

3. Accounting (Non-repudiation)

• Accounting includes two other components - auditing & non-repudiation

• Auditing is recording a log of the activities of a user in a system

• Accounting refers to reviewing the log file to check for violations and holding users
answerable for their actions. It includes non-repudiation

• This table is a mapping between the attack categories listed in the previous scenario and the
corresponding security objective/service that got violated.
Other Terms of Cyber Security:

• Apart from the CIA objectives and the AAA services, you must also be aware of
some frequently referred to terms in the Cyber Security space.

• Asset

• Vulnerability

• Exploit

• Threat

• Threat Agent

• Risk

• Attack Vectors

• Control

Let us understand each of these through examples.

Asset

• Anything that has value to an organization or person, including a computing device,
information technology (IT) system, IT network, IT circuit, software (both an installed
instance and a physical instance), virtual computing platform (common in cloud and
virtualized computing), and related hardware (e.g., locks, cabinets, keyboards), is termed an
asset.

Information asset

• Information or data that has economic value to the organization is termed an information
asset. It has the following features.

• It is a part of the organization's identity

• It may be highly confidential (top secret)

• It may also include

• Information about people and procedures

• Software or hardware details

• Networking elements

• E.g. Confidential emails, identity information, system data, bank transactions, the newly
developed design schema of a project, etc. are a few to be named under the information assets
of an organization.

Vulnerability

 A flaw or weakness in system security procedures, design, implementation, or internal


controls that might result in a security breach is termed as Vulnerability.

 E.g. Software bugs, Inefficient controls, Hardware flaws, Human errors

Exploit

 An exploit is a piece of software or a sequence of commands that takes advantage of a
vulnerability to cause unintended or unanticipated behavior to occur on computer
software or hardware.

 E.g. A computer virus, malware, or flooding of requests to a server by a bot.

Threat

 Threat is any potential danger that is associated with the exploitation of a vulnerability. A
threat is an undesirable event that can happen to assets.

 E.g. An organization running the Windows operating system was targeted and its data
blocked until a ransom of $300 was credited to the hackers' account to unlock it. The threat
here is the leak of data.

Threat agent

 Threat agent is a term used to represent an individual or group that can cause a threat.

 It is important to identify who would want to exploit the assets of a company (capabilities),
and how they might utilize those (intentions) against the company.

 Threat agent = Capabilities + Intentions + Past activities

 E.g. The threat agent in the above example is a hacker.


Risk

 Risk is a function of likelihood of a given threat agent exploiting a particular vulnerability, and
the resulting impact of the adverse event on the organization.

Risk = Likelihood * Impact

• Likelihood is the probability of occurrence of the threat.

• Impact is the magnitude of harm that could be caused by the threat. Impact can be a
business impact or a technical impact.

Need for Risk to be calculated

 Risk needs to be calculated to estimate the impact that will occur to the organization
(monetary/technical/reputation) if a vulnerability is exploited by a threat agent. Moreover,
some industry standards and government regulations mandate calculation of risk. By
calculating risk for every application, organizations can prioritize which application needs
more and/or immediate attention for security enhancements.
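As an added example, not part of the course notes, here is the Risk = Likelihood * Impact formula applied to a constructed list of applications so that they can be ranked for attention, which is the prioritization the paragraph above describes. The 1-to-5 scales for likelihood and impact, the band thresholds and the sample register are assumptions chosen for illustration.

```python
# Added example (not part of the course notes): applying Risk = Likelihood * Impact
# to a constructed list of applications and ranking them for attention.
# The 1-5 scales and the band thresholds are assumptions chosen for illustration.

def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact. Both inputs are on a 1 (lowest) to 5 (highest)
    scale, so the product lies between 1 and 25."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"expected a value from 1 to 5, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Translate a 1-25 score into a priority band (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(applications):
    """applications: iterable of (name, likelihood, impact).
    Returns (name, score, band) tuples sorted highest risk first, so the first
    entries are the ones that need immediate security attention."""
    scored = [(name, risk_score(l, i), risk_band(risk_score(l, i)))
              for name, l, i in applications]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample risk register: a public web application, an internal HR
# portal and an intranet wiki. The scores are illustrative, not measured.
SAMPLE_REGISTER = [
    ("customer-portal", 5, 5),   # internet facing, handles payment data
    ("hr-system", 2, 4),         # internal, but holds personal data
    ("team-wiki", 3, 1),         # internal, low-value content
]

if __name__ == "__main__":
    for name, score, band in prioritize(SAMPLE_REGISTER):
        print(f"{name:16} risk={score:2} ({band})")
```

The ordering is the point: an internal system with a small likelihood can still outrank a more exposed one when its impact is high, which is why both factors are scored rather than exposure alone.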

Attack vector aka paths

 Attackers can potentially find many different paths to cause harm to a business through its
application. Each of these paths represents a risk that may, or may not, be serious enough to
warrant attention.

 Paths could be easy or hard to exploit. Sometimes, these paths are trivial to find and exploit
and sometimes they are extremely difficult. Similarly, the harm that is caused may lead to
any or no consequence.

Controls

 Control is a mitigation to protect the asset from risks.

 E.g. Organizations would not have faced the WannaCry ransomware attack if the latest
Microsoft patches, released the previous week for systems running Windows OS, had been
applied.

 In today's digital era, most communication takes place over the internet: critical
transactions such as money exchange and shopping on the internet (web transactions), and
communication between devices such as phones, fridges, cars, elevators and ACs
(Internet of Things).

 Cyber security is a basic need in every communication or transaction, as
communication over the internet can also be leveraged for spreading viruses and malware.
Personal data and identity can be stolen in transit. Knowledge and testing of the CIA and AAA
principles is very important while designing, coding or testing applications.
Myths Around Cyber Security:
 There are a lot of myths commonly associated with cyber security which are very
different from the facts.

 Myth 1: “Digital and physical security are separate systems”

 Reality: The world is moving towards automation and artificial intelligence. Most physical
devices such as Bio-metric systems, CCTV cameras, smart watches etc. are connected and
controlled digitally. Hackers can affect even physical infrastructure causing catastrophic levels
of damage to physical resources.

 Myth 2: “Cyber security is just an IT issue”

 Reality: Once data is digitized, it has to be protected whether it is in the data center or on an
employee's mobile phone.

 Myth 3: “Protecting yourself is good enough.”


 Reality: Organizations must have an eye on everything and everyone. Third parties, from
subcontractors to subsidiaries, vendors and accounting firms, etc., can be a threat vector.

 Myth 4: “Going back to paper minimizes risk.”

 Reality: One can’t know if paper copies of data have been unlawfully copied or removed.

 Myth 5: “Using antivirus software is enough.”

 Reality: Hackers have found multiple ways to get around antivirus software and hide their
own attacks in a system, in many cases for an average of six months. With the advent of
ransomware, the time frame from infection to damage has become almost instantaneous.

 Myth 6: “We have a firewall. We’re in good shape.”

 Reality: A firewall is used to allow expected traffic in and restrict all remaining traffic. This is
done by creating Access Control Lists (ACLs). However, most cyber security assessments
show that the greatest cyber threats are associated with the behavior of authorized users of
the systems allowed inside the firewall.

 Hence, it's important to understand what needs to be secured.


What Needs to be Secured?
 As we know by now, cyber security is not just about installing the latest antivirus or having a
strong firewall; it is ensuring that all aspects of your organization are well secured.

 Any IT organization comprises the following security layers.

 Information Security - is about protecting the information that is valuable to the
organization. It is about protection of information in all its forms: electronic, printed,
handwritten, verbal, etc. This applies to all aspects of safeguarding or protecting data, in
whatever form, within the organization.

 E.g. protection of intellectual property, trade secrets, email communications, blood
groups of employees, etc. from being leaked or tampered with.

 Network Security - is about ensuring the availability of networks and the confidentiality and
integrity of data flowing within the network. The organization's network is a trusted
zone. Traffic entering the Intranet (trusted zone) from the Internet (untrusted zone) must be
carefully scrutinized. There should be mechanisms to prevent malicious traffic from entering
the network.

 E.g. use of firewall to control all inbound and outbound traffic in the network

 Host Security - is about taking specific measures to protect the host (operating system)
from threats, viruses, worms, malware or remote hacker intrusions. OS security covers all the
preventive control techniques that safeguard computer assets which could otherwise be
stolen, edited or deleted.

 E.g. installation of antivirus.

 Application Security - is ensuring that web applications are developed following
secure design and coding guidelines. It involves preventing security bugs and flaws in any
application.

 E.g. building applications which can block injection attacks, etc.

 Human (People) Security - is about creating and leveraging awareness among employees so
that they become cautious about sharing sensitive information, downloading attachments from
unauthorized sources, and handling the organization's resources as per policies.

 E.g. protecting the organization from phishing emails sent to employees by creating
awareness, etc.
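Myth 6 above and the Network Security layer here both describe the firewall as an access control list that admits expected traffic and drops everything else. The following is an added example, not code from the course notes or from any firewall product: a minimal model of first-match ACL evaluation with an implicit deny at the end, run over a few constructed connection attempts. The addresses, subnets, rules and attempts are all invented for the demonstration.

```python
# Added example (not from the course notes): a minimal model of how a firewall
# applies an access control list (ACL). Rules are checked top to bottom, the first
# match decides, and any traffic matching no rule is denied. The network layout,
# the rules and the connection attempts below are all constructed for illustration.

from ipaddress import ip_address, ip_network

# Rule format: (action, source network, destination network, protocol, destination port)
# A port of None means "any port".
ACL = [
    ("allow", "0.0.0.0/0",   "10.0.1.10/32", "tcp", 443),   # Internet -> public web server, HTTPS only
    ("allow", "10.0.2.0/24", "10.0.2.20/32", "tcp", 3306),  # application subnet -> database
    ("deny",  "0.0.0.0/0",   "10.0.2.20/32", "tcp", 3306),  # everyone else -> database: blocked
    ("allow", "10.0.0.0/8",  "10.0.0.0/8",   "tcp", 22),    # intranet hosts may SSH to each other
]


def evaluate(src: str, dst: str, proto: str, dport: int):
    """Return (decision, index of the matching rule); an index of None means the
    implicit default deny at the end of the list decided."""
    s, d = ip_address(src), ip_address(dst)
    for idx, (action, src_net, dst_net, rule_proto, rule_port) in enumerate(ACL):
        if (s in ip_network(src_net) and d in ip_network(dst_net)
                and proto == rule_proto
                and (rule_port is None or dport == rule_port)):
            return action, idx
    return "deny", None


def filter_traffic(attempts):
    """Apply the ACL to a list of (src, dst, proto, dport) and return the decisions."""
    return [(src, dst, dport, evaluate(src, dst, proto, dport)[0])
            for src, dst, proto, dport in attempts]


# Constructed connection attempts, as a firewall log might record them.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443),   # customer browsing the web site
    ("203.0.113.5", "10.0.1.10", "tcp", 22),    # outsider probing SSH on the web server
    ("10.0.2.7",    "10.0.2.20", "tcp", 3306),  # application server reaching the database
    ("10.0.5.9",    "10.0.2.20", "tcp", 3306),  # a workstation trying the database directly
    ("10.0.5.9",    "10.0.2.20", "tcp", 22),    # an authorized insider logging in over SSH
]

if __name__ == "__main__":
    for src, dst, dport, decision in filter_traffic(SAMPLE_ATTEMPTS):
        print(f"{src:>12} -> {dst}:{dport:<5} {decision}")
```

Two things to notice. Rule order matters: the application-subnet allow for port 3306 must sit above the broader deny, or the database would be unreachable for everyone. And the last attempt is allowed because the insider is an authorized user on an authorized path; the ACL has no way to judge intent, which is exactly the gap Myth 6 points at and why the auditing and accounting services described earlier still matter behind the firewall.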
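The Application Security layer gives "building applications which can block injection attacks" as its example. As an added illustration, not code from the course notes, here is one database lookup written the insecure way (untrusted input pasted into the SQL text) beside the hardened way (a parameterised query), run against a constructed in-memory SQLite table using Python's built-in sqlite3 module. The table, the accounts and the inputs are invented for the demonstration.

```python
# Added example (not from the course notes): one database lookup written the
# insecure way (untrusted input pasted into the SQL text) beside the hardened
# way (a parameterised query). The table, the accounts and the inputs are
# constructed for the demonstration and use Python's built-in sqlite3 module.

import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def find_user_unsafe(conn, username: str):
    """VULNERABLE: the caller's input becomes part of the SQL statement, so a
    quote character in the input changes the query's structure instead of
    being treated as data."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username: str):
    """HARDENED: the '?' placeholder binds the input as a parameter. The
    database engine never parses it as SQL, whatever characters it contains."""
    return [row[0] for row in
            conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


# Constructed inputs: an ordinary name containing an apostrophe, and the textbook
# tautology that turns the WHERE clause into a condition that is always true.
LEGIT_WITH_QUOTE = "o'brien"
TAUTOLOGY = "x' OR '1'='1"


def compare(username: str):
    """Run both versions on the same input and report what each returned
    ("error" when the query failed to parse)."""
    conn = setup_db()
    try:
        unsafe = find_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": find_user_safe(conn, username)}


if __name__ == "__main__":
    for value in ("alice", LEGIT_WITH_QUOTE, TAUTOLOGY):
        print(f"{value!r:18} -> {compare(value)}")
```

The apostrophe case shows that concatenation is a correctness bug before it is a security flaw: a legitimate name breaks the query. The tautology case shows the security consequence: the unsafe lookup returns every account, while the parameterised lookup returns nothing, because the whole string is compared as a username. Parameterising every query is the control; input filtering alone is not.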
