MCS-215 - Solution


MCS-215
Security and Cyber Laws

Ques 1. (a) What are the three pillars of digital security? What is the need for digital security?

Ans 1 (a) Three Pillars of Digital Security:

1. Confidentiality: Keeps sensitive information private, accessible only to authorized users. Achieved through encryption and access controls.
2. Integrity: Ensures data is accurate and unaltered by unauthorized parties. Protects against tampering using hashes and checksums.
3. Availability: Ensures systems and data are accessible when needed. Uses backups and redundancies to avoid downtime.

Need for Digital Security:

● Data Protection: Safeguards personal and sensitive information from theft or exposure.
● Cyber Attack Prevention: Defends against malicious threats like hackers and viruses.
● Trust Maintenance: Protects the reputation of organizations by keeping data safe.
● Regulatory Compliance: Ensures adherence to laws like GDPR and HIPAA.
● Business Continuity: Minimizes disruptions, ensuring operations run smoothly during attacks or failures.

Ques 1.(b) Explain the following in the context of security issues/attacks: (i) DDoS attacks (ii) Malware (iii) Crypto-jacking

Ans 1(b). (i) DDoS Attacks (Distributed Denial of Service)

A DDoS attack overwhelms a target's server or network by flooding it with traffic from multiple compromised devices. The goal is to make the service unavailable to legitimate users by exhausting its resources, causing downtime or disruption.

(ii) Malware

Malware is malicious software designed to harm, exploit, or disable devices, systems, and networks. It includes viruses, worms, trojans, ransomware, and spyware, which can steal data, damage systems, or provide unauthorized access to attackers.

(iii) Crypto-jacking

Crypto-jacking is the unauthorized use of someone's computing resources to mine cryptocurrencies. Attackers covertly install mining software on a victim's device, causing performance degradation and increased energy consumption, all without the victim's knowledge.

Ques 1(c) Explain the term Cyber Security intrusion detection with the help of an example.

Ans 1(c). Cyber Security Intrusion Detection is the process of monitoring a system or network for any suspicious or unauthorized activity. It helps identify potential security threats, like hacks or policy violations, so that action can be taken to prevent or minimize damage.

Example: Intrusion Detection System (IDS)

Imagine a company uses an Intrusion Detection System (IDS) to keep an eye on its network. The IDS continuously scans for unusual behavior, like multiple failed login attempts, large data transfers, or activity that matches known attack patterns.

For instance, if someone tries to hack into the system by repeatedly guessing passwords (a brute force attack), the IDS would recognize this unusual activity. It would then send an alert to the company's security team, allowing them to block the attacker and stop the intrusion before it causes harm.

In this case, the IDS helps spot the attack early and gives the company time to respond quickly and protect their systems.
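As an added illustration of the brute-force detection described above (example code, not part of the original answer sheet): a small detector that parses constructed, syslog-style authentication log lines and raises an alert when one source address accumulates five failed logins inside a 60-second window. The log format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not taken from any real system).
SAMPLE_LOG = """\
2024-03-01 10:00:01 sshd[812]: Failed password for admin from 203.0.113.7 port 51111
2024-03-01 10:00:02 sshd[812]: Failed password for admin from 203.0.113.7 port 51112
2024-03-01 10:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 51113
2024-03-01 10:00:04 sshd[812]: Failed password for admin from 203.0.113.7 port 51114
2024-03-01 10:00:05 sshd[812]: Failed password for admin from 203.0.113.7 port 51115
2024-03-01 10:00:09 sshd[812]: Accepted password for alice from 198.51.100.5 port 40001
2024-03-01 10:01:30 sshd[812]: Failed password for alice from 198.51.100.5 port 40002
2024-03-01 10:20:00 sshd[812]: Failed password for alice from 198.51.100.5 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            m.group("result"), m.group("user"), m.group("ip"))

def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag any source IP with >= threshold failed logins inside a sliding time window.

    Returns a list of alerts (ip, first_failure_time, failure_count).
    Each IP is reported once per run so a long attack does not flood the analyst.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        # Drop failures older than the window relative to the newest one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], len(q)))
    return alerts

if __name__ == "__main__":
    for ip, first, count in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT: {count} failed logins from {ip} starting {first}")
```

The two failures from 198.51.100.5 are spread over 18 minutes, so they stay below the threshold; a real deployment would tune threshold and window per service.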

Ques 1(d). What are the laws related to unauthorized access and web jacking?

Ans 1(d) Laws addressing unauthorized access and web jacking fall under cybercrime legislation aimed at protecting individuals and organizations from malicious online activities.

1. Unauthorized Access:
   ○ Computer Fraud and Abuse Act (CFAA) - USA: Criminalizes hacking and unauthorized access to computer systems.
   ○ Computer Misuse Act (CMA) - UK: Prohibits unauthorized access and data modification in computer systems.
   ○ GDPR - EU: Imposes penalties for unauthorized access to personal data.
   ○ IT Act, 2000 - India: Penalizes unauthorized access and hacking, with fines and imprisonment.
2. Web Jacking:
   ○ IT Act, 2000 (India): Criminalizes website hijacking, fraud, and misuse of online content.
   ○ CMA (UK): Outlaws unauthorized modification of website content.
   ○ CFAA (USA): Punishes unauthorized control or alteration of websites for malicious purposes.

These laws aim to prevent cybercrimes, protect online systems, and hold perpetrators accountable.

Ques 2 Explain the following terms with the help of an example of each.

Ans 2(a) Function-Based Substitution Cipher

A substitution cipher replaces each letter or number in the plaintext with another value based on a specific function.

Example: A simple function-based cipher could be to replace each letter with the next one in the alphabet (A → B, B → C, etc.). If the plaintext is "HELLO", it would become "IFMMP".
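The shift-by-one cipher above is one instance of a function-based substitution cipher. The added example below (not from the original answer) builds the substitution table from any function on alphabet positions, rejects functions that are not one-to-one, and derives the inverse table for decryption; the affine function 5·i + 8 is a second, assumed instance.

```python
import string

ALPHABET = string.ascii_uppercase

def build_table(func):
    """Turn a function on alphabet positions (0-25 -> 0-25) into a substitution table.

    The function must be a bijection on 0..25; otherwise two plaintext letters
    would share one ciphertext letter and decryption would be ambiguous.
    """
    images = [func(i) % 26 for i in range(26)]
    if len(set(images)) != 26:
        raise ValueError("substitution function is not a bijection on the alphabet")
    enc = {ALPHABET[i]: ALPHABET[images[i]] for i in range(26)}
    dec = {c: p for p, c in enc.items()}   # inverse table, used for decryption
    return enc, dec

def substitute(text, table):
    """Apply a substitution table; characters outside A-Z pass through unchanged."""
    return "".join(table.get(ch, ch) for ch in text.upper())

def encrypt(text, func):
    enc, _ = build_table(func)
    return substitute(text, enc)

def decrypt(text, func):
    _, dec = build_table(func)
    return substitute(text, dec)

# The cipher from the answer above: shift each letter by one (A -> B, B -> C, ...).
shift_by_one = lambda i: i + 1
# An assumed second instance: affine map 5*i + 8 (5 is coprime to 26, so it is invertible).
affine = lambda i: 5 * i + 8

if __name__ == "__main__":
    print(encrypt("HELLO", shift_by_one))    # IFMMP
    print(decrypt("IFMMP", shift_by_one))    # HELLO
    print(encrypt("HELLO", affine))          # RCLLA
    try:
        build_table(lambda i: 2 * i)         # 2*i mod 26 collides (e.g. 0 and 13), rejected
    except ValueError as e:
        print("rejected:", e)
```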

Ans 2(b) Five Key Functions of Cryptography

Cryptography serves five main functions: Confidentiality, Integrity, Authentication, Non-repudiation, and Access Control.

Example:

● Confidentiality: Encryption ensures that only authorized people can read the message.
● Integrity: A hash function verifies that the data has not been altered.
● Authentication: Digital signatures confirm the identity of the sender.
● Non-repudiation: Ensures a sender cannot deny sending a message.
● Access Control: Only authorized users can decrypt and access information.

Ans 2(c) Steganography

Steganography hides secret information within non-suspicious data, such as images, audio, or video files, so that only the intended recipient knows there's a hidden message.

Example: An image may look normal, but it could contain hidden text encoded in the pixel values. A message like "MEET AT 5" could be embedded in an image file and sent without arousing suspicion.

Ans 2(d) RSA Algorithm

RSA is an asymmetric encryption algorithm that uses two keys: a public key for encryption and a private key for decryption.

Example: If Alice wants to send a secure message to Bob, she encrypts the message using Bob's public key. Bob can then decrypt it using his private key, ensuring that only Bob can read the message.

Ans 2(e) Hash Functions

A hash function takes an input and produces a fixed-size string of characters that is practically unique to the input data. Hash functions are used to ensure data integrity.

Example: A password system stores hashes of passwords rather than the actual passwords. When a user enters a password, it is hashed and compared to the stored hash. If they match, access is granted.
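The password-storage scheme described above, as an added example (not from the original answer) using only Python's standard library: each user gets a random salt, the salted hash is derived with PBKDF2-HMAC-SHA256, and verification compares the recomputed hash in constant time. The in-memory USERS store and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumed store: username -> (salt, derived hash). In-memory dict for illustration only.
USERS = {}
ITERATIONS = 600_000   # PBKDF2 work factor (a commonly recommended 2023 figure for SHA-256)

def hash_password(password, salt=None):
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256 with a random per-user salt.

    The salt means two users with the same password get different stored hashes,
    so a precomputed table of hashes cannot be used against the whole store.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def register(username, password):
    """Store only the salt and the hash, never the password itself."""
    USERS[username] = hash_password(password)

def verify(username, password):
    """Re-hash the supplied password with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password
        # (otherwise response time would reveal which usernames exist).
        hash_password(password)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))   # True
    print(verify("alice", "wrong password"))                  # False
    print(verify("mallory", "anything"))                      # False
```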

Ans 2(f) Pseudo-Random Number Generator (PRNG)

A PRNG generates sequences of numbers that appear random but are actually produced by a deterministic algorithm. It's crucial for cryptography and security protocols.

Example: In generating a cryptographic key, a PRNG might be used to produce a sequence of random numbers that form the basis for the key. This makes it difficult for attackers to guess the key.
Ques 3

Ans 3(a) Practices for Implementing the CIA Triad in Data Security

1. Confidentiality:
   ○ Use strong encryption for sensitive data both at rest and in transit.
   ○ Implement strict access controls and authentication measures (e.g., multi-factor authentication).
   ○ Regularly update permissions and user access based on role changes.
2. Integrity:
   ○ Employ hash functions to verify data integrity and detect alterations.
   ○ Implement version control and change management processes.
   ○ Use digital signatures to ensure data authenticity.
3. Availability:
   ○ Ensure regular backups and have a disaster recovery plan in place.
   ○ Use redundancy for critical systems (e.g., failover servers).
   ○ Regularly update and patch systems to prevent downtime from vulnerabilities.

Ans 3(b) Explanations

(i) Phishing Attacks

Phishing attacks are deceptive attempts to steal sensitive information by pretending to be a trustworthy source in emails or messages. Attackers often lure victims to fake websites to capture personal data.

Example: A user receives an email that appears to be from their bank, asking them to verify their account by clicking a link, which leads to a fraudulent site designed to steal their login credentials.

(ii) Ransomware Attacks

Ransomware attacks involve malware that encrypts a victim's files, making them inaccessible until a ransom is paid. Attackers threaten to delete the data if the ransom isn't paid.

Example: A company's network gets infected, and all files are encrypted. The attackers display a message demanding payment in cryptocurrency for the decryption key.

(iii) State-Sponsored Attacks

State-sponsored attacks are cyberattacks backed by government entities to achieve political, economic, or military goals. These attacks often target critical infrastructure or sensitive data.

Example: A nation-state might launch a cyberattack on another country's power grid to cause outages or to gather intelligence on governmental operations.

Ans 3(c) Six Principles of Security Management

1. Confidentiality: Protecting sensitive information from unauthorized access to ensure that only authorized individuals can access it.
2. Integrity: Ensuring the accuracy and reliability of data by preventing unauthorized modification or destruction.
3. Availability: Ensuring that information and systems are accessible to authorized users when needed, minimizing downtime and disruptions.
4. Accountability: Tracking user actions and system changes to hold individuals responsible for their actions and ensuring proper logging and monitoring.
5. Risk Management: Identifying, assessing, and mitigating risks to protect assets and ensure business continuity through proactive measures.
6. Compliance: Adhering to laws, regulations, and standards relevant to the organization's operations and industry, ensuring that security practices meet legal requirements.

Ans 3(d) Explanations of Terms

(i) Security Audit

A security audit is a systematic evaluation of an organization's security policies, procedures, and controls to assess their effectiveness in protecting assets. It often involves reviewing security measures, identifying vulnerabilities, and ensuring compliance with regulations.

Example: A company hires a third-party auditor to evaluate its cybersecurity practices, assess risks, and provide recommendations for improving security posture.

(ii) Security and Usability

Security and usability refer to the balance between implementing effective security measures and ensuring that systems are user-friendly. Strong security measures can sometimes hinder usability, leading to frustration and decreased productivity. The goal is to create systems that are both secure and easy to use.

Example: Implementing multi-factor authentication enhances security but may inconvenience users if it's too complicated or time-consuming, leading to a potential decrease in compliance with security protocols.
Ques 4

Ans 4(a) Need to Regulate Cyberspace

Regulating cyberspace is essential for user protection, ensuring safety from threats like cyberbullying and exploitation (e.g., protecting vulnerable groups). It also combats cybercrime and promotes fairness while upholding privacy and human rights.

Regulating cyberspace is essential for several reasons:

1. Protection of Users: The internet exposes users to threats like cyberbullying, harassment, and exploitation. Regulation helps create safer environments, particularly for vulnerable groups such as children.
2. Promoting Fairness and Competition: Regulations can prevent monopolistic practices by large tech companies, ensuring a level playing field for all participants in the digital economy.

Ans 4(b) Role of Filtering Devices and Rating Scales in Regulating Internet Content

Filtering Devices: Tools like firewalls block access to inappropriate content, ensuring safer online environments. Example: Schools may use filtering software to block access to adult content, violence, or other inappropriate material, ensuring a safe learning environment.

Rating Scales: These systems categorize online content based on appropriateness, helping users, especially parents, make informed choices about what to access. Example: Video streaming platforms may use age ratings (like PG, R, etc.) to inform users about the content's suitability for children, enabling parents to make decisions about what their children can watch.

Ans 4(c) UNCITRAL Model Law

The UNCITRAL Model Law on Electronic Commerce provides a framework for recognizing electronic communications and contracts as legally valid, promoting functional equivalence (e.g., treating digital documents like paper).

It ensures that electronic transactions are enforceable and encourages the adoption of new technologies in international trade.

Doctrines and Parts:

1. Legal Recognition of Electronic Communications: The law establishes that electronic records and signatures are legally recognized and have the same validity as traditional paper documents.
2. Formation of Contracts: It outlines the rules for the formation of contracts using electronic means, ensuring that agreements made electronically are binding and enforceable.

Ans 4(d) International Initiatives for the Regulation of Cyberspace

International initiatives include the OECD guidelines for data protection (promoting balanced regulations), the Council of Europe Convention on Cybercrime (enhancing law enforcement cooperation), and the GDPR (establishing strict privacy standards in the EU).

The UN and APEC also promote frameworks for cybersecurity and cross-border privacy protection, contributing to a safer digital environment.
Ques 5

Ans 5. (a) Classification of Cybercrimes

Cybercrimes can be classified into several categories:

1. Hacking: Unauthorized access to computer systems or networks.
   Example: A hacker breaks into a company's database to steal sensitive information.
2. Identity Theft: Stealing someone's personal information to impersonate them.
   Example: An attacker uses another person's Social Security number to open fraudulent credit accounts.
3. Phishing: Deceptive attempts to obtain sensitive information through fake emails or websites.
   Example: A user receives an email pretending to be from their bank, asking for account details.
4. Malware: Malicious software designed to harm or exploit devices.
   Example: A virus that infects a computer to steal data or cause damage.
5. Cyberbullying: Harassment or intimidation via digital platforms.
   Example: Using social media to spread false rumors or threats about someone.
6. Ransomware: Malware that encrypts files and demands payment for decryption.
   Example: A business's files are locked, and a ransom note demands payment in cryptocurrency to unlock them.

Ans 5(b) Definition of Computer Contaminant under Section 43 of the Information Technology Act 2000

Under Section 43 of the Information Technology Act, 2000, a computer contaminant is defined as any software or code that can alter, damage, or cause interference with any computer resource. This includes viruses, worms, or other malicious software that disrupts normal functioning or harms data integrity.

Ans 5(c) Six Offences as per the Information Technology Act, 2000

1. Hacking (Section 66): Unauthorized access and alteration of data in a computer system.
2. Identity Theft (Section 66C): Misrepresentation of oneself as another person using electronic signatures or documents.
3. Cyber Terrorism (Section 66F): Acts that threaten the unity, integrity, security, or sovereignty of the nation through cyber means.
4. Sending Offensive Messages (Section 66A): Sending messages that are grossly offensive or menacing in character.
5. Data Theft (Section 43): Unauthorized access and copying of data from a computer resource.
6. Publishing Obscene Material (Section 67): Publishing or transmitting material that is lascivious or appeals to prurient interest.

Ans 5(d) Liabilities of Network Service Providers

Network service providers (NSPs) can be held liable under certain conditions, primarily under the Information Technology Act, 2000:

1. Intermediary Liability: NSPs are not liable for user-generated content unless they are aware of the illegal activity and do not act promptly to remove it. They must follow due diligence and have a notice-and-takedown policy.
2. Compliance with Law Enforcement: NSPs are required to assist law enforcement agencies in investigations and provide information as needed.
3. Content Monitoring: While NSPs are not generally responsible for monitoring content, they must take action if they receive knowledge of illegal activities.
4. Failure to Act: If an NSP fails to act upon receiving notice of illegal content, they may be held liable for any resulting damages.

In essence, while NSPs enjoy certain protections, they have obligations to maintain a safe environment and respond to illegal activities.

Ans 5(e) Cyber Forensics

Cyber forensics is the field that involves collecting, analyzing, and preserving digital evidence from computers, networks, and electronic devices for use in legal proceedings. It encompasses the investigation of cybercrimes, ensuring that evidence is gathered in a way that maintains its integrity for prosecution.

Example: In a cybercrime investigation, forensic experts may recover deleted files, analyze malware, and trace online activities to identify and apprehend suspects.
Ques 6

Ans 6(a) Forms of IPR and Related Regulatory Framework

(i) Copyrights and Related Rights

Copyrights protect original works of authorship, including literary, artistic, musical, and software creations, granting the creator exclusive rights to reproduce, distribute, and display the work.

Regulatory Framework:

● Governed by the Copyright Act in most countries, which outlines the duration of protection (typically the creator's life plus 70 years) and exceptions like fair use.
● Related rights protect performers, producers, and broadcasters, ensuring they receive recognition and compensation for their contributions.

(ii) Patents

Patents grant exclusive rights to inventors for their inventions, preventing others from making, using, or selling the invention without permission.

Regulatory Framework:

● Governed by patent laws, such as the Patent Act, which typically requires the invention to be novel, non-obvious, and useful.
● The patent lasts for a limited time (usually 20 years from the filing date) and requires formal application and examination processes.

(iii) Trademarks

Trademarks protect symbols, names, logos, and phrases that distinguish goods or services of one entity from another.

Regulatory Framework:

● Governed by trademark laws, such as the Trademark Act, which provides guidelines for registration, enforcement, and protection against infringement.
● Trademarks can last indefinitely as long as they are in use and renewed periodically.

Ans 6(b) Terms in the Context of IPR

● Linking: Creating a hyperlink from one webpage to another. While linking is generally permissible, it may raise IPR issues if the linked content is copyrighted without permission.
● In-lining: Displaying content (like images or videos) from one website on another site using a link that allows the content to be viewed without being hosted on the second site. This can infringe on copyright if the original content is displayed without authorization.
● Framing: Embedding a webpage within another webpage, making it appear as if the content is part of the framing site. This can lead to IPR issues, especially if the original site's content is presented without permission or attribution.

Ans 6(c) Domain Name Disputes

Domain name disputes occur when there is a conflict over the ownership or use of a domain name, typically when a party believes their trademark rights are being infringed upon by another entity using a similar domain.

Example: Suppose a well-known coffee chain, "Starbrew," finds that another company has registered the domain "starbrewcoffee.com" and is using it to sell coffee. Starbrew may file a complaint arguing that the other company is infringing on its trademark rights and misleading consumers.

These disputes are often resolved through the Uniform Domain-Name Dispute-Resolution Policy (UDRP), which provides a framework for adjudicating conflicts involving domain names and trademarks, allowing for quick resolution without going to court.
