Cyber Security and Cyber Laws
ISBN 9789390395750 (print), 9789390395835 (ebook)

English, 370 pages


Table of contents:
Front Cover
Title
Copyright
Preface
Acknowledgements
About the Authors
Contents
Chapter 1 Introduction to Cybercrime
Learning Objectives
1.1 Introduction
1.2 Introduction to Cybercrime
1.2.1 Cyberspace
1.2.2 Cybersquatting
1.2.3 Cyberpunk
1.2.4 Cyberwarfare
1.3 Cybercrime Definition and Origins of Cybercrime of the World
1.3.1 Prevention of Cybercrime
1.3.2 Dateline of Origin of Cybercrime
1.4 Cybercrime and Information Security
1.4.1 Types of Cybercriminals
1.5 Classifications of Cybercrime
1.5.1 Crime against Individuals
1.5.2 Crimes against Property
1.5.3 Crime against Organization
1.5.4 Crime against Society
1.5.5 Cybercrime against Individual
1.5.6 Cybercrime against Property
1.5.7 Cybercrime against Organization
1.5.8 Cybercrime against Society
1.6 Cybercrime and the Indian IT Act, 2000
1.6.1 Need for a Cyber Law
1.6.2 The Information Technology Act, 2000
1.6.3 Objectives of Information Technology Act, 2000 in India
1.6.4 Remarkable Features of Information Technology Act, 2000
1.6.5 Some Important Sections of the Information Technology Act, 2000
1.6.6 Scope of the Information Technology Act, 2000
1.6.7 Advantages of IT Act, 2000
1.6.8 Shortcomings of IT Act, 2000
1.6.9 Applicability and Non-Applicability of IT Act, 2000
1.6.10 The Information Technology Amendment Act, 2008
1.7 A Global Perspective on Cybercrimes
Summary
Review Questions
References
Chapter 2 Cyber Offences and Cybercrime
Learning Objectives
2.1 Introduction
2.1.1 Introduction to Cyber Offences
2.1.2 Introduction to Cybercrime
2.2 Strategic Attacks
2.2.1 How Do Criminals Plan Attacks?
2.2.2 Social Engineering
2.2.3 Cyberstalking
2.2.4 Cybercafe and Cybercrimes
2.3 Types of Attacks
2.3.1 Botnets
2.3.2 Attack Vector
2.3.3 Cloud Computing
2.3.4 Cybercrime and Cloud Computing
2.4 Proliferation of Mobile and Wireless Devices
2.5 Trends in Mobility Wireless Era
2.5.1 Trends in Mobility
2.5.2 Credit Card Frauds in Mobile and Wireless Computing Era
2.6 Security Challenges Faced by Mobile Devices
2.7 Registry Setting for Mobile Devices
2.8 Authentication Service Security
2.9 Attacks on Mobile Phones
2.10 Security Implications for Organizations
2.11 Organizational Measures for Handling Mobile Phones: Device Related Security Issues
2.12 Security Policies and Measures in Mobile Computing Era and Laptops
2.12.1 Importance of Security Policies relating to Mobile Computing Devices
2.12.2 Operating Guidelines for Implementing Mobile Device Security Policies
Summary
Review Questions
References
Chapter 3 Methods and Tools used in Cyber Line
Learning Objectives
3.1 Introduction
3.2 Password Cracking
3.2.1 What Is Password Cracking?
3.2.2 Most Used Password Cracking Techniques
3.2.3 Prevention Measures of Password Cracking
3.2.4 Best Password Cracking Tools
3.3 Malwares
3.3.1 Keyloggers
3.3.2 Spyware
3.3.3 Virus
3.3.4 Worms
3.3.5 Difference Between Virus and Worms
3.3.6 Trojans and Backdoors
3.3.7 Steganography
3.4 DoS and DDoS Attacks
3.4.1 What Is a DoS Attack?
3.5 SQL Injection and Buffer Overflow
3.5.1 What Is SQL Injection?
3.5.2 How and Why Is an SQL Injection Attack Performed?
3.5.3 Types of SQL Injection
3.5.4 Tools Used for SQL Injection
3.5.5 Preventive Measures to Avoid SQL Injection
3.5.6 What Is Buffer Overflow?
3.5.7 What Are the Different Types of Buffer Overflow Attacks?
3.5.8 How to Prevent Buffer Overflows?
3.6 Phishing and Identity Theft (ID Theft)
3.6.1 What Is Phishing?
3.6.2 Different Phishing Techniques
3.6.3 Common Phishing Scams
3.6.4 Preventive Measures to Avoid Phishing Scams
3.6.5 Identity Theft (ID Theft)
3.6.6 Types of Identity Theft
3.6.7 Techniques for Identity Theft
3.6.8 How to Prevent Identity Theft?
3.7 Enumeration
3.7.1 What Is Enumeration?
3.7.2 Importance of Enumeration
3.7.3 Techniques for Enumeration
3.7.4 Types of Enumeration and How to Prevent Them?
3.8 Attacks on Wireless Networks
3.8.1 Wireless Network Attacks and Their Types
3.8.2 General Techniques for Securing Wireless Network
3.8.3 Tools Used for Wireless Network Attacks
Summary
Review Questions
References
Chapter 4 Concept of Cyberspace and Cyber Law
Learning Objectives
4.1 Introduction to e-Commerce
4.1.1 Concept of Cyberspace
4.1.2 The e-Commerce
4.1.3 Types of e-Commerce
4.1.4 Types of e-Commerce Transactions
4.2 Contract Aspects in Cyber Law
4.2.1 Electronic Contracts (e-Contracts)
4.2.2 Indian Contract Act, 1872
4.2.3 Legal Prerequisites of an e-Contract
4.3 Security Aspects of Cyber Law
4.3.1 Digital Signature
4.3.2 Legal Architecture for the Validity of Digital Signatures
4.4 Intellectual Property Aspect in Cyber Law and Evidence Aspect in Cyber Law
4.4.1 Intellectual Property Aspect in Cyber Law
4.4.2 Intellectual Property Laws and Cyberspace in India
4.4.3 Evidence Aspect in Cyberlaw
4.4.4 Indian Evidence Act, 1872
4.4.5 Amendments to the Indian Evidence Act, 1872
4.5 The Criminal Aspects in Cyber Law
4.5.1 Causes or Factors Contributing to Computer Crime
4.5.2 Strategy for Preventing Computer Crime
4.5.3 Amendments to Indian Penal Code, 1860
4.6 Global Trends in Cyber Law
4.6.1 The Contract Aspect
4.6.2 The Security Aspect
4.6.3 World Intellectual Property Organization (WIPO)
4.7 Legal Framework for Electronic Data Interchange Law Relating to Electronic Banking
4.8 Need for Indian Cyber Law
Summary
Review Questions
References
Chapter 5 Information Technology Act
Learning Objectives
5.1 Introduction of Cybercrime and Cyber Security
5.1.1 Cyberspace
5.1.2 Cyber Security and Cyber Law
5.1.3 Cyber Security Policy
5.2 Information Technology Act, 2000
5.2.1 Introduction
5.2.2 Objectives of Indian Information Technology Act, 2000
5.2.3 Salient Features of Information Technology Act, 2000
5.2.4 Scheme of IT Act
5.2.5 Intermediary Liability
5.3 Penalties, Adjudication and Appeals Under the Information Technology Act, 2000
5.4 Offences Under Information Technology Act, 2000
5.5 Cyber Appellate Tribunal
5.6 Information Technology Act, 2008 and Its Amendments
Summary
Review Questions
References
Chapter 6 Information Security Standard Compliances
Learning Objectives
6.1 Introduction
6.1.1 Importance of Information Security Standards
6.1.2 Information Security Challenges
6.2 Sarbanes–Oxley Act (SOX)
6.2.1 Key Provisions of the Sarbanes–Oxley Act
6.2.2 SOX Benefits to Organization
6.3 Gramm–Leach–Bliley Act (GLBA)
6.3.1 Benefits of GLBA Compliance
6.3.2 How GLBA Compliance Works
6.3.3 Steps to Compliance
6.3.4 Requirements of GLBA
6.4 Health Insurance Portability and Accountability Act (HIPAA)
6.4.1 How HIPAA Works?
6.4.2 HIPAA Rules
6.4.3 HIPAA Key IT Requirements
6.5 Federal Information Security Management Act (FISMA)
6.5.1 Introduction
6.5.2 Requirements of FISMA
6.5.3 Benefits of FISMA
6.5.4 FISMA Penalties
6.5.5 Best Practices for FISMA
6.6 The North American Electric Reliability Corporation (NERC)
6.6.1 NERC Key IT Requirements
6.7 PCI (Payment Card Industry) Compliance
6.7.1 Goals of PCI
6.7.2 Payment Card Industry Security Standards Council (PCI SSC)
6.7.3 The Payment Card Industry Data Security Standard (PCI DSS)
6.7.4 Payment Application Data Security Standard (PA-DSS)
6.8 ISO/IEC 27000
Summary
Review Questions
References
Appendix A Lab Manual
Appendix B Questions and Answers
Index
Back Cover


Cyber Security and Cyber Laws

Nilakshi Jain
Associate Professor, Information Technology Department, Shah and Anchor Kutchhi Engineering College, Chembur, Mumbai

Ramesh Menon
Chief Architect and US Federal CTO, IBM, Washington D.C.

Cyber Security and Cyber Laws
Authors: Nilakshi Jain and Ramesh Menon
Published by Wiley India Pvt. Ltd., 4436/7, Ansari Road, Daryaganj, New Delhi-110002.
Printed at: Yash Printographic
First Edition
ISBN: 978-93-90395-75-0
ISBN: 978-93-90395-83-5 (ebk)
Copyright © 2021 by Wiley India Pvt. Ltd.
Cover Image: © Shutterstock

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or scanning without the written permission of the publisher.

Limits of Liability: While the publisher and the authors have used their best efforts in preparing this book, Wiley and the authors make no representation or warranties with respect to the accuracy or completeness of the contents of this book, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. There are no warranties which extend beyond the descriptions contained in this paragraph. No warranty may be created or extended by sales representatives or written sales materials.

Disclaimer: The contents of this book have been checked for accuracy. Since deviations cannot be precluded entirely, Wiley or its authors cannot guarantee full agreement. As the book is intended for educational purposes, Wiley or its authors shall not be responsible for any errors, omissions or damages arising out of the use of the information contained in the book. This publication is designed to provide accurate and authoritative information with regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services.

Trademarks: All brand names and product names used in this book are trademarks, registered trademarks or trade names of their respective holders. Wiley is not associated with any product or vendor mentioned in this book.

Other Wiley Editorial Offices:
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
Wiley-VCH Verlag GmbH, Pappelallee 3, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 42 McDougall Street, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 1 Fusionopolis Walk #07-01 Solaris, South Tower, Singapore 138628
John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada, M9W 1L1
www.wileyindia.com

Preface

Cyber security is not only a question of developing defensive technologies but offensive technologies, as well.
—Donald Trump

In today's world, everyone is vulnerable to cyberthreats. Almost everyone uses a computer, laptop or mobile phone, which makes us vulnerable to digital attacks. Knowing and understanding the basics of security is a must in the modern world. In this regard, cyber security books must be added by education systems, as they serve to enlighten students and show them how to protect themselves from digital threats. As cybercrime grows constantly, there is an acute need for cyber security strategies to fight it. To know how best to protect your computer and network, you must know the game plan for defending them, and also how those defences can be broken and how they function. Cyber security knowledge is precious, and every business and government organization wants employees who have it. This knowledge consists of information about how hackers operate, how attacks are addressed, what techniques exist and how to increase your security. A good knowledge of cyber security leads to better results in your current job or to landing a career in a dream company.

It does not matter if you are not an expert in cyber security, because this book will help you become aware of everything from the basics. Even if you know the basics, you might still discover tips and tricks that make a difference. Therefore, if you love devices, apps and everything that the Internet offers, you need this book! Remember that the online world is not that different from the physical world: there are risks in both, equally. We need to be able to recognize a threat and deal with it.

This book gives a crystal-clear introduction to cyber security for people who do not have a technical background. It is also suitable for people who want to learn about cyber security or boost their knowledge as information security employees. We believe that the world has changed as technology has become the main thing that shapes our lives, so we need to learn how to make it safer. The book gives an in-depth insight into how the law develops outside the regulatory frameworks, case law and industry standards for security measures. Cyber security law will become highly contentious shortly and will require more and more experts to operationalize matters.

Cyber Security and Cyber Laws is a highly valuable book for every information security employee and for many organizations. It is also suitable for anyone interested in cyber security law. In the book, you will find topics like cybercrime, cyberspace, cyber offences, the various acts and laws, and the methods and tools used. The book has been organized from the reader's perspective. Its contents are arranged so that they relate to one another and are easy to navigate, which benefits both the beginner, who can proceed sequentially, and the specialist, who can refer to a particular topic immediately.

Cyber Security and Laws_Chpater FM.indd 5

10/7/2020 6:47:44 PM


Intended Audience of the Book

The intended audience for this book includes the following:
1. Graduate and advanced undergraduate-level students in Information Sciences, Information Systems, Computer Science, Systems Engineering, Social Studies and Public Policy.
2. Researchers engaged in cyber security-related research from a wide range of perspectives, including – but not limited to – Informatics, Decision Sciences, Organizational Behaviour, Social Studies and Public Administration.

We believe this book will help all its readers. The information is presented in such a lucid way and in such simple language that the reader need not be a professional to understand and use it. Whether the reader is an expert or a beginner, this book will help them stay safe online.

Chapter Layout

For the reader's convenience, this book has been divided into six chapters, each of which tackles a particular subtopic of cyber security and laws. For better comprehension, each chapter opens with an introduction that explains what the chapter covers; at the end of the chapter, a summary and review questions give readers the chance to test their understanding.

Chapter 1: Introduction to Cybercrime
This chapter introduces the basic concepts of cybercrime, cyber security and cyber laws and provides a basis for all the other chapters. It explains the extent and application of the Internet and cyberspace, the different types of cybercriminals and cybercrimes, and the IT (Information Technology) Act, 2000. It further discusses the need for cyber security and cyber laws and gives a view of different cyber offences and their penalties.

Chapter 2: Cyber Offences and Cybercrime
This chapter aims to create an understanding of cyber offences and cybercrime, the different types of attacks and how cybercriminals plan attacks. It also covers recent trends in the third generation (3G) era, gives an idea of various attacks on mobile devices, the security challenges posed by mobile devices and their registry settings. It also explains organizational security policies in the mobile computing era, including the use of laptops.

Chapter 3: Methods and Tools Used in Cyber Line
This chapter discusses attacks that occur frequently in our day-to-day lives. It explains their different types and the techniques used to conduct them, and provides an understanding of how to detect and prevent those attacks, as well as of the tools used both to conduct and to prevent them.

Chapter 4: Concepts of Cyberspace and Cyber Law
This chapter educates on the concepts of cyberspace and cyber laws.


Chapter 5: Information Technology Act, 2000
This chapter discusses the Information Technology Act, 2000. It presents the relevant sections and the guidelines that should be followed in order to achieve proper security of computer systems. The chapter also covers different cybercrime threats, and further discusses the Information Technology Act, 2008.

Chapter 6: Information Security Standard Compliances
The chapter focuses on information security standards. Various compliance regimes such as SOX, HIPAA, FISMA and other standards are discussed. The chapter further discusses the importance of securing customer information and other private information held by an organization.

Appendix A: Lab Manual
This includes easy-to-understand practical experiments based on important topics of the book, which will help you gain practical knowledge and a better understanding of the chapters.

Appendix B: Questions and Answers
This includes critical thinking questions based on important topics of the book. If you are interested in cyber security, this appendix will help you gain knowledge from real-time questions and answers, since understanding examples is one of the best means of learning.

We welcome your comments and suggestions for the book at www.nilakshijain.com

Instructor Manual

The following resource is available for instructors at https://www.wileyindia.com/Instructor_Manuals/Register/login.php/
1. Chapter-wise PowerPoint Presentations (PPTs)

Nilakshi Jain
Ramesh Menon


Acknowledgements

First and foremost, I would like to thank God. In the process of putting this book together, I realized how true this gift of writing is for me. God has given me the power to believe in my passion and pursue my dreams. I could never have done this without the faith I have in God – The Almighty.

To my mother, Mrs. Alka Jain, and my father, Mr. Pushkar Jain: For the first time in 33 years, I am speechless! I can barely find the words to express all the wisdom, love and support you both have given me. You are both my No. 1 fans and for that I am eternally grateful. If I am blessed to live long enough, I hope I will be as good a parent to Naitik as you are and always have been to me.

To my husband, Mr. Subhash Jain: What can I say? You are one of the main reasons this journey has been great! I am so thankful that I have you in my corner pushing me when I am ready to give up. All the good that comes from this book I look forward to sharing with you! You are my Buddy and my Hero! Thanks for not just believing, but knowing that I could do this! I love you always and forever!

To my son, Naitik: You are the best thing that could have ever happened to me! You welcomed me into motherhood and I am so grateful for you. You are the one person in this world I would give my life for. The hard work that went into making this book a reality was only possible 'All Because of You'! A better life for you than I had is all I ever want. Mommy loves you more than you will ever know.

This book is specially dedicated to my nephew Mr. Khyaat Jain – your Bhua will make you an ethical hacker!

Very special thanks to my in-laws for your constant support and help. A special dedication to all my siblings, who are blessings in disguise, because this is the first book I have authored with you all around me: Mukul, Mansi, Moksha, Himank and my sister-in-law Shefali.

Mr. Ramesh Menon, thank you for being a leader, a guide whom I trust, honour and respect. I will always welcome the chance to represent you.

A person's achievements are often not his/her alone; so, my heartfelt gratitude to Wiley India for providing us an opportunity and constant motivation for the successful completion of the book. A very special thanks to Mr. Rupnarayan Das and Mr. Ajinkya Modgi for their encouragement; without their initial interest and support, this book would not have been possible. Thank you, Team Wiley India Editorial and Management, for all your editorial guidance and staunch support – your editorial support has been invaluable. Your early insights and reviews made me improve my subsequent writing for the intended audience.

Having an idea and turning it into a book is as hard as it sounds – the experience is both internally challenging and rewarding. I especially want to thank my editorial team who helped me make this happen. Complete thanks to my dear editorial team – my seven stars – Yash Nilesh Rane, Rashmi Ramesh Gori, Surbhi Shivaji Desai, Devika Jitendra Satare, Deegesh Sunil Gala, Bhakti Bheda and Chaitanya Gada for your support and assistance throughout the journey.

I express my heartfelt gratitude to the Management, Principal, Faculty and my friends of Shah and Anchor Kutchhi Engineering College, Mumbai for their great support.

Last but not least, my thanks go to every reader of this book. I am sure this book will play a creative and constructive role in making your life more digitally secure than ever before.

Dr. Nilakshi Jain


I would like to thank my family, friends and Wiley India for enabling this project. My thanks are due to Dr. Nilakshi Jain and all the students and staff of Shah and Anchor Kutchhi Engineering College, Mumbai for their passion and dedication to science and technology. To my colleagues at IBM for continuing to redefine the art of the possible, and to all my well-wishers for constantly motivating and pushing me to do my best, to dream, to believe and to act with courage and conviction in the true spirit of science and humanity.

Ramesh Menon


About the Authors

Dr. Nilakshi Jain is currently serving as an Associate Professor, Research Coordinator at Research Cell SAKEC, Centre Coordinator at SAKEC National Cyber Defense Resource Centre and Coordinator at SAKEC-IQAC in Shah and Anchor Kutchhi Engineering College, Chembur, Mumbai, India. She is a Certified Ethical Hacker. She holds a PhD from the Faculty of Computer Engineering of the Pacific Academy of Higher Education and Research University. She has published various research papers in international journals and international conferences, including IEEE, ACM, Springer and free journals. She has authored three books, namely, Digital Forensic (Wiley India Publication), Artificial Intelligence (Wiley India Publication) and Digital Forensic: Making as System Intelligent (Wiley India Publication). She is the recipient of the 'Best Employee' award by SAKEC, Mumbai. She has also delivered and conducted workshops, seminars and expert talks in various institutes and conducted many webinars. She has copyrighted many ideas and projects. Her profile is available at: www.nilakshijain.com

Ramesh Menon is a Chief Architect and CTO at IBM who focuses on strategy and technology to accelerate innovation and national capabilities. Currently, he is serving on IBM's COVID-19 task force and working with national leaders to accelerate the response to the pandemic. He is also working on multiple strategic government initiatives. Ramesh has a bachelor's degree in electrical engineering and an MBA in international business from California State University. Ramesh has published many papers, spoken at international conferences and volunteered as an Intel science fair judge. He was on the advisory board of Cisco and the Brookings Institution AI expert panel on autonomous weapon systems, and was a member of the U.S. Space Innovation Council. Ramesh was also a speaker at NASA on Trusted Autonomy in Space and at the U.S. Air Force Academy on Operational AI. Currently, he is a guest lecturer at Johns Hopkins University on emerging technology, a member of the IEEE algorithmic bias AI standards working group and a member of the Congressional Delegation on Science and Technology. Ramesh is also a mentor at NASA's Frontier Development Lab, where his deep space project (astronaut health) was selected as one of the top 30 AI projects in the world. Ramesh has co-authored two books, namely, Bursting the Big Data Bubble, which examines the role of human intuition-based decision making in the age of big data, and the Data Center Handbook, published by John Wiley and Sons, which elaborates upon software-defined data centers enabled by cloud computing. He has a patent pending for secure 3D printing on blockchain for supply chain assurance. His LinkedIn profile is available at: www.linkedin.com/in/menonwa


Editorial Team

Yash Nilesh Rane is a second-year student currently (in 2020) pursuing Engineering in Information Technology at Shah and Anchor Kutchhi Engineering College. He is a cyber security enthusiast with interests in cryptography, robotics, Internet of Things, blockchain, etc. He wants to keep learning as much as he can and to experience new things in this field. He is looking towards a career in Information Technology that will allow him to make networks, systems and people 'hacker proof'. His LinkedIn profile is available at: https://www.linkedin.com/in/yash-rane-8aaa161aa/

Rashmi Ramesh Gori is a fourth-year student currently (in 2020) pursuing Engineering in Information Technology at Shah and Anchor Kutchhi Engineering College. With strong fundamental knowledge and a diverse set of skills for creating software solutions, she is interested in new software technologies. She is a software development enthusiast who loves learning new technologies. She is a quick learner and dedicated to the work assigned to her. She wants to make a career in software engineering. Her LinkedIn profile is available at: https://www.linkedin.com/in/rashmi-gori-a74b001b2/

Surbhi Shivaji Desai is a fourth-year student currently (in 2020) pursuing Engineering in Information Technology at Shah and Anchor Kutchhi Engineering College. She has a keen interest in learning new technologies, particularly handling databases, designing websites, Internet of Things, etc., backed by strong fundamental knowledge. She loves communicating with new people. She is looking towards a career in Information Technology that will allow her to channel her creativity by creating visualizations and gaining experience in new technologies. Her LinkedIn profile is available at: https://www.linkedin.com/in/surbhi-desai-541a651b1/

Devika Jitendra Satare is a fourth-year student currently (in 2020) pursuing Engineering in Information Technology at Shah and Anchor Kutchhi Engineering College. She loves reading books and working with newly emerging technologies. She is interested in web development and works with data to solve real-life problems, offering creative and problem-solving skills. She strives to transform the lives of underprivileged children through education and holistic development. She is looking towards a career where her experience, education and ability will be effectively utilized, with opportunity for advancement. Her LinkedIn profile is available at: www.linkedin.com/in/devikasatare


Deegesh Sunil Gala is a fourth-year student currently (in 2020) pursuing Engineering in Information Technology at Shah and Anchor Kutchhi Engineering College. He is a quick learner and conscientious about his work. He always wants to learn something new. His fields of interest are databases, Python and IoT. He is looking towards a career in Information Technology that will allow him to channel his creativity by crafting innovative software and gaining experience. His LinkedIn profile is available at: https://www.linkedin.com/in/deegesh-gala-b2b48416b

Bhakti Bheda is a final-year student currently (in 2020) pursuing Engineering at Shah and Anchor Kutchhi Engineering College. She is an Android application developer with interests in cyber security, data science and database management systems. She is ambitious, hard-working and honest in her opinions. She believes in sharing knowledge and giving back to society. She is looking forward to expanding her skills and experience. Her LinkedIn profile is available at: https://www.linkedin.com/in/bhakti-bheda-a62b70155

Chaitanya Gada is a fourth-year student currently (in 2020) pursuing Engineering in Information Technology at Shah and Anchor Kutchhi Engineering College. He is keen to be challenged in his career in order to grow and further improve his IT skills. His greatest passion in life is to use his technical skills to benefit other people and organizations. He is interested in web development and Python. He excels at working with others to achieve his objectives. His LinkedIn profile is available at: www.linkedin.com/in/chaitanya-gada


Contents Prefacev Acknowledgementsix About the Authors xi Chapter 1  Introduction to Cybercrime

1

Learning Objectives 1 1.1 Introduction 1 1.2 Introduction to Cybercrime 2 1.2.1 Cyberspace3 1.2.2 Cybersquatting4 1.2.3 Cyberpunk5 1.2.4 Cyberwarfare5 1.3 Cybercrime Definition and Origins of Cybercrime of the World 6 1.3.1 Prevention of Cybercrime7 1.3.2 Dateline of Origin of Cybercrime8 1.4 Cybercrime and Information Security 12 1.4.1 Types of Cybercriminals15 1.5 Classifications of Cybercrime 17 1.5.1 Crime against Individuals17 1.5.2 Crimes against Property17 1.5.3 Crime against Organization18 1.5.4 Crime against Society18 1.5.5 Cybercrime against Individual18 1.5.6 Cybercrime against Property26 1.5.7 Cybercrime against Organization29 1.5.8 Cybercrime against Society36 1.6 Cybercrime and the Indian IT Act, 2000 38 1.6.1 Need for a Cyber Law38 1.6.2 The Information Technology Act, 200039 1.6.3 Objectives of Information Technology Act, 2000 in India40 1.6.4 Remarkable Features of Information Technology Act, 200040

Cyber Security and Laws_Chpater FM.indd 15

10/7/2020 6:47:52 PM

xvi  •

Contents

1.6.5 Some Important Sections of the Information Technology Act, 200040 1.6.6 Scope of the Information Technology, Act, 200043 1.6.7 Advantages of IT Act, 200043 1.6.8 Shortcomings of IT Act, 200043 1.6.9 Applicability and Non-Applicability of IT Act, 200044 1.6.10 The Information Technology Amendment Act, 200844 1.7 A Global Perspective on Cybercrimes 45 Summary 46 Review Questions 47 References 48

Chapter 2  Cyber Offences and Cybercrime

51

Learning Objectives 51 2.1 Introduction 51 2.1.1 Introduction to Cyber Offences51 2.1.2 Introduction to Cybercrime52 2.2 Strategic Attacks 52 2.2.1 How Do Criminals Plan Attacks?52 2.2.2 Social Engineering54 2.2.3 Cyberstalking56 2.2.4 Cybercafe and Cybercrimes57 2.3 Types of Attacks 59 2.3.1 Botnets59 2.3.2 Attack Vector61 2.3.3 Cloud Computing61 2.3.4 Cybercrime and Cloud Computing64 2.4 Proliferation of Mobile and Wireless Devices 64 2.5 Trends in Mobility Wireless Era 65 2.5.1 Trends in Mobility66 2.5.2 Credit Card Frauds in Mobile and Wireless Computing Era67 2.6 Security Challenges Faced by Mobile Devices 70 2.7 Registry Setting for Mobile Devices 71 2.8 Authentication Service Security 72 2.9 Attacks on Mobile Phones 74 2.10 Security Implications for Organizations 76

Cyber Security and Laws_Chpater FM.indd 16

10/7/2020 6:47:52 PM

Contents

•  xvii

2.11 Organizational Measures for Handling Mobile Phones: Device Related Security Issues 79 2.12 Security Policies and Measures in Mobile Computing Era and Laptops 80 2.12.1 Importance of Security Policies relating to Mobile Computing Devices82 2.12.2 Operating Guidelines for Implementing Mobile Device Security Policies82 Summary 83 Review Questions 83 References 84

Chapter 3  Methods and Tools used in Cyber Line 87

Learning Objectives 87
3.1 Introduction 87
3.2 Password Cracking 87
3.2.1 What Is Password Cracking? 87
3.2.2 Most Used Password Cracking Techniques 88
3.2.3 Prevention Measures of Password Cracking 89
3.2.4 Best Password Cracking Tools 90
3.3 Malwares 91
3.3.1 Keyloggers 91
3.3.2 Spyware 94
3.3.3 Virus 96
3.3.4 Worms 98
3.3.5 Difference Between Virus and Worms 100
3.3.6 Trojans and Backdoors 100
3.3.7 Steganography 103
3.4 DoS and DDoS Attacks 105
3.4.1 What Is a DoS Attack? 105
3.5 SQL Injection and Buffer Overflow 111
3.5.1 What Is SQL Injection? 111
3.5.2 How and Why Is an SQL Injection Attack Performed? 111
3.5.3 Types of SQL Injection 112
3.5.4 Tools Used for SQL Injection 114
3.5.5 Preventive Measures to Avoid SQL Injection 115
3.5.6 What Is Buffer Overflow? 116
3.5.7 What Are the Different Types of Buffer Overflow Attacks? 117
3.5.8 How to Prevent Buffer Overflows? 117


3.6 Phishing and Identity Theft (ID Theft) 118
3.6.1 What Is Phishing? 118
3.6.2 Different Phishing Techniques 119
3.6.3 Common Phishing Scams 121
3.6.4 Preventive Measures to Avoid Phishing Scams 122
3.6.5 Identity Theft (ID Theft) 123
3.6.6 Types of Identity Theft 124
3.6.7 Techniques for Identity Theft 125
3.6.8 How to Prevent Identity Theft? 126
3.7 Enumeration 127
3.7.1 What Is Enumeration? 127
3.7.2 Importance of Enumeration 127
3.7.3 Techniques for Enumeration 127
3.7.4 Types of Enumeration and How to Prevent Them? 127
3.8 Attacks on Wireless Networks 131
3.8.1 Wireless Network Attacks and Their Types 131
3.8.2 General Techniques for Securing Wireless Network 134
3.8.3 Tools Used for Wireless Network Attacks 135
Summary 136
Review Questions 137
References 137

Chapter 4  Concept of Cyberspace and Cyber Law 139

Learning Objectives 139
4.1 Introduction to e-Commerce 139
4.1.1 Concept of Cyberspace 139
4.1.2 The e-Commerce 140
4.1.3 Types of e-Commerce 141
4.1.4 Types of e-Commerce Transactions 142
4.2 Contract Aspects in Cyber Law 143
4.2.1 Electronic Contracts (e-Contracts) 144
4.2.2 Indian Contract Act, 1872 144
4.2.3 Legal Prerequisites of an e-Contract 145
4.3 Security Aspects of Cyber Law 147
4.3.1 Digital Signature 149
4.3.2 Legal Architecture for the Validity of Digital Signatures 149


4.4 Intellectual Property Aspect in Cyber Law and Evidence Aspect in Cyber Law 151
4.4.1 Intellectual Property Aspect in Cyber Law 151
4.4.2 Intellectual Property Laws and Cyberspace in India 155
4.4.3 Evidence Aspect in Cyberlaw 156
4.4.4 Indian Evidence Act, 1872 156
4.4.5 Amendments to the Indian Evidence Act, 1872 157
4.5 The Criminal Aspects in Cyber Law 159
4.5.1 Causes or Factors Contributing to Computer Crime 160
4.5.2 Strategy for Preventing Computer Crime 161
4.5.3 Amendments to Indian Penal Code, 1860 162
4.6 Global Trends in Cyber Law 164
4.6.1 The Contract Aspect 164
4.6.2 The Security Aspect 164
4.6.3 World Intellectual Property Organization (WIPO) 166
4.7 Legal Framework for Electronic Data Interchange Law Relating to Electronic Banking 167
4.8 Need for Indian Cyber Law 168
Summary 170
Review Questions 171
References 172

Chapter 5  Information Technology Act 173

Learning Objectives 173
5.1 Introduction of Cybercrime and Cyber Security 173
5.1.1 Cyberspace 173
5.1.2 Cyber Security and Cyber Law 174
5.1.3 Cyber Security Policy 175
5.2 Information Technology Act, 2000 176
5.2.1 Introduction 176
5.2.2 Objectives of Indian Information Technology Act, 2000 177
5.2.3 Salient Features of Information Technology Act, 2000 178
5.2.4 Scheme of IT Act 178
5.2.5 Intermediary Liability 178
5.3 Penalties, Adjudication and Appeals Under the Information Technology Act, 2000 179
5.4 Offences Under Information Technology Act, 2000 184


5.5 Cyber Appellate Tribunal 186
5.6 Information Technology Act, 2008 and Its Amendments 187
Summary 188
Review Questions 189
References 189

Chapter 6  Information Security Standard Compliances 191

Learning Objectives 191
6.1 Introduction 191
6.1.1 Importance of Information Security Standards 192
6.1.2 Information Security Challenges 192
6.2 Sarbanes–Oxley Act (SOX) 193
6.2.1 Key Provisions of the Sarbanes–Oxley Act 194
6.2.2 SOX Benefits to Organization 199
6.3 Gramm–Leach–Bliley Act (GLBA) 200
6.3.1 Benefits of GLBA Compliance 203
6.3.2 How GLBA Compliance Works 203
6.3.3 Steps to Compliance 204
6.3.4 Requirements of GLBA 205
6.4 Health Insurance Portability and Accountability Act (HIPAA) 206
6.4.1 How HIPAA Works? 207
6.4.2 HIPAA Rules 207
6.4.3 HIPAA Key IT Requirements 210
6.5 Federal Information Security Management Act (FISMA) 210
6.5.1 Introduction 210
6.5.2 Requirements of FISMA 211
6.5.3 Benefits of FISMA 212
6.5.4 FISMA Penalties 212
6.5.5 Best Practices for FISMA 212
6.6 The North American Electric Reliability Corporation (NERC) 213
6.6.1 NERC Key IT Requirements 214
6.7 PCI (Payment Card Industry) Compliance 215
6.7.1 Goals of PCI 215
6.7.2 Payment Card Industry Security Standards Council (PCI SSC) 217
6.7.3 The Payment Card Industry Data Security Standard (PCI DSS) 217
6.7.4 Payment Application Data Security Standard (PA-DSS) 218


6.8 ISO/IEC 27000 219
Summary 221
Review Questions 221
References 222

Appendix A  Lab Manual 225
Appendix B  Questions and Answers 311
Index 343


Chapter 1  Introduction to Cybercrime

Learning Objectives

After reading this chapter, the reader will be able to
• Understand the different theoretical and cross-disciplinary approaches (criminological, political, legal and information security/management) to the study of cybersecurity and the regulation of the Internet and the Internet of Things.
• Understand the structure, mechanics and evolution of the Internet in the context of emerging crime threats and technological and other trends in cyberspace.
• Distinguish and classify the forms of cybercriminal activity and the technological and ‘social engineering’ methods used to undertake such crimes.
• Investigate assumptions about the behaviour and role of offenders and victims in cyberspace.
• Analyse and assess the impact of cybercrime on government, businesses, individuals and society.
• Evaluate the effectiveness of cybersecurity, cyber laws and other countermeasures against cybercrime and cyber warfare.
• Analyse the global perspective on cybercrime and correlate it with the supporting law.
• Write the classification of cybercrime and characterize the Indian ITA, 2000.
• Study and trace cyber law on cybercrime and define information security.

Cybercrime is the greatest threat to every company in the world. —Ginni Rometty

1.1 Introduction

The advent of the Internet has opened unmatched doors for trade, research, entertainment, education and open communication. A world-wide marketplace has developed, in which new ideas and an expanded platform for multiculturalism have thrived. The introduction of computerized reference works, global consortia, world-wide connectivity and communications has greatly improved the quality of life for many people. In fact, the Internet can be used as a window to the world, permitting people to satisfy their curiosity and develop a world-wide consciousness.


The Internet is a virtual networking medium that can be connected to and used on a variety of devices these days. It enables users to send, receive, collect, store, update, delete and perform many other operations on data across the world. Internet usage expands its boundaries every day as technological growth is huge. A few of the major uses of the Internet (Fig. 1.1) are e-commerce, e-learning, knowledge sharing, social connectivity, a variety of media, file transfer, communication, etc.

Figure 1.1  Uses of the Internet: electronic mail, FTP file transfer, search engines, e-commerce, online banking, cashless transactions, education, collaboration and social networking.

Technical advancements have improved day-to-day life; for instance, web-based banking and shopping, the use of mobile data services and Voice over Internet Protocol (VoIP) communication are only a few examples of how far the integration of information and communications technology (ICT) into our day-to-day lives has advanced. The evolution of technology and the increasing accessibility of smart technologies mean that there are multiple access points within users’ homes for hackers to exploit. While law enforcement attempts to tackle the growing issue, criminal numbers continue to grow, taking advantage of the anonymity of the Internet.

1.2 Introduction to Cybercrime

Cybercrime is defined as a crime where a computer is the object of the crime or is used as a tool to commit an offense. A cybercriminal may use a device to access a user’s personal information, confidential business information or government information, or to disable a device. It is also a cybercrime to sell or elicit the above information online. Cybercrime is growing tremendously in the realm of technology today. Criminals of the World Wide Web abuse web users’ personal data for their own benefit. They plunge deep into the dark web to purchase and sell illicit items and products. They even access classified government data. Cybercrimes are at an all-time high, costing organizations and people billions of dollars every year. Even more startling is that this figure only covers the last 5 years. The advancement of technology and the expanding availability of smart technologies imply that there are numerous access points inside users’ homes for hackers to abuse. While law enforcement tries to handle this growing issue, criminal numbers keep increasing, exploiting the anonymity of the web. Cybercrime is a generic term used to characterize crime in which personal computers (PCs) or computer networks are a tool, a target or a place of crime, and it covers everything from electronic cracking to denial-of-service attacks. It additionally covers the conventional offences where PCs, networks or systems are used to enable the unlawful activity. Cybercrime, or computer-oriented crime, is a crime that involves a PC and a network. The PC may have been used in the commission of a crime, or it may be the target.


Cybercrime is the use of a PC as a weapon for committing offences; for example, committing fraud, identity theft or breaching privacy. Cybercrime, particularly through the Internet, has grown in significance as the PC has become fundamental to every field such as trade, entertainment and government. Cybercrime may jeopardize an individual’s or a country’s security and financial wellbeing. Cybercrime encompasses a wide range of activities; however, these can be categorized into two classes:
1. Crimes that target computer networks or devices: These types of crimes involve different threats (such as viruses, bugs, etc.) and denial-of-service (DoS) attacks.
2. Crimes that use computer networks to commit other criminal activities: These types of crimes include cyberstalking, financial fraud or identity theft.

1.2.1 Cyberspace

Cyberspace is the dynamic and virtual space that networks of machines generate. In other words, cyberspace is the web of consumer hardware, PCs and communications networks which interconnect the world (Fig. 1.2).

Figure 1.2  A conceptual view of cyberspace: users, services, database, the Internet, digital assets, program, data and communication infrastructure.

Cyberspace is where users mentally travel through matrices of data. It is a nebulous place where humans can interact over computer networks. In terms of computer science, ‘cyberspace’ is a world-wide network of computer networks that use the transmission control protocol/Internet protocol (TCP/IP) for communication to facilitate the transmission and exchange of data. Cyberspace is most definitely a place where you chat, explore and play. Some of the definitions of cyberspace are as follows:
1. A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
2. The interdependent network of information technology infrastructures, which includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.
3. The complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.

In 1984, William Gibson released his science fiction book, Neuromancer, which portrays an online universe of computers and the members of society who use these computers. The word ‘cyberspace’ first appeared in this book. In the book, a hacker of databases stole information for a fee. The author depicted cyberspace as a three-dimensional virtual landscape. Additionally, a network of computers creates this space. According to him, cyberspace seemed like a physical space but was really a computer-generated construction. Additionally, it represented the grasping of information and abstract data. The book caught the imagination of many authors and, in 1986, major English language dictionaries introduced the term ‘cyberspace’. As per the New Oxford Dictionary of English, ‘cyberspace’ is the notional environment in which individuals communicate over computer networks. Since cyberspace is a virtual space, it has no limits, mass or gravity. It basically represents the interconnected space between computers, systems and other networks. It exists as bits and bytes; zeroes and ones (0’s and 1’s). Actually, the whole of cyberspace is a powerful dynamic environment of 0’s and 1’s which changes every second. These are basically electronic impulses. Additionally, it is a non-existent place where the words of two parties meet in conversation.

1.2.2 Cybersquatting

Cybersquatting is registering, selling or using a domain name with the intent of profiting from the goodwill of someone else’s trademark. It generally refers to the practice of buying up domain names that use the names of existing businesses with the intent to sell the names for a profit to those businesses. The term cybersquatting refers to the unapproved and unauthorized registration and use of Internet domain names that are identical or similar to trademarks, service marks, company names or personal names. Cybersquatting registrants obtain and use the domain name with the bad-faith intent to profit from the goodwill of the genuine trademark owner. The practice that has come to be known as cybersquatting began when most organizations were not alert to the business opportunities and commercial activities on the Internet. Some enterprising spirits registered the names of well-known organizations as domain names, with the aim of selling the names back to the organizations when they at last woke up. Panasonic, Fry’s Electronics, Hertz and Avon were among the ‘sitting targets’ of cybersquatters. Opportunities for cybersquatters are quickly diminishing, because most organizations now realize that securing their domain names is a high priority. In contrast to many developed nations, in India, we do not have a Domain Name Protection Law, and cybersquatting cases are decided under the Trade Mark Act, 1999. A domain name is a unique name that identifies a website. Figure 1.3 illustrates the correct way of writing a domain name.

Figure 1.3  Domain name: www.mywebsitename.com.au. ‘www’ means the site is linked to the World Wide Web; ‘mywebsitename’ is the name you choose for your site, and ideally is readily identifiable with your organisation’s name or core business; ‘com’ indicates that your organisation is engaged in commercial activity; ‘au’ means the company is registered in Australia.


In 1999, ICANN adopted and started implementing the Uniform Domain Name Dispute Resolution Policy (UDNDRP), a policy for the resolution of domain name disputes. This world-wide policy results in arbitration of the dispute rather than litigation. An action can be brought by any person who complains (referred to by ICANN as the ‘complainant’) that
1. a domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights,
2. the domain name owner has no rights or legitimate interests in the domain name, and
3. the domain name has been registered and is being used in bad faith.
All of these elements must be established for the complainant to win. If the complainant wins, the domain name will be cancelled or transferred to the complainant. However, monetary remedies are not available under the UDNDRP.
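As an added example that is not part of the book, the following Python script applies the Fig. 1.3 breakdown of a domain name and a simple similarity test to screen a list of registrations against a trademark, the way a brand owner might triage candidates for the first UDNDRP element (identical or confusingly similar) before deciding whether to complain. The suffix table, the ‘AcmeBank’ mark and the sample registrations are constructed; a real check would load the Public Suffix List and take the registrations from a registrar or DNS feed.

```python
# Added example, not from the book: split a domain name into the parts shown in
# Fig. 1.3 and screen registered names against a trademark for the UDNDRP
# "identical or confusingly similar" element. Suffix table, mark and sample
# registrations are all constructed for illustration.
from dataclasses import dataclass

# Constructed subset of registrable suffixes; a real tool would load the
# Public Suffix List so that 'com.au' is recognised as one unit, not two.
KNOWN_SUFFIXES = {"com.au", "co.uk", "co.in", "com", "net", "org", "in", "au", "uk"}

# Digits and separators commonly swapped in for letters in look-alike names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


@dataclass
class DomainParts:
    host: str    # 'www' in Fig. 1.3 (may be empty)
    name: str    # the label the organisation chose: 'mywebsitename'
    suffix: str  # 'com.au': commercial activity, registered in Australia


def parse_domain(domain: str) -> DomainParts:
    """Split 'www.mywebsitename.com.au' into host, name and suffix."""
    labels = domain.lower().strip(".").split(".")
    # Try the two-label suffix first so 'com.au' wins over plain 'au'.
    for n in (2, 1):
        candidate = ".".join(labels[-n:])
        if len(labels) > n and candidate in KNOWN_SUFFIXES:
            rest = labels[:-n]
            return DomainParts(host=".".join(rest[:-1]), name=rest[-1], suffix=candidate)
    raise ValueError(f"no registrable suffix in {domain!r}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), the usual typo measure."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, trademark: str) -> str:
    """Return 'identical', 'confusingly similar' or 'distinct' for the name label."""
    mark = trademark.lower()
    raw = parse_domain(domain).name
    if raw == mark:
        return "identical"
    name, norm_mark = raw.translate(LOOKALIKES), mark.translate(LOOKALIKES)
    # Same after stripping look-alikes, a short edit distance, or the mark
    # embedded with a generic affix ('acmebank-login') are the usual patterns.
    if name == norm_mark or levenshtein(name, norm_mark) <= 2:
        return "confusingly similar"
    if len(norm_mark) >= 4 and norm_mark in name:
        return "confusingly similar"
    return "distinct"


def screen(domains, trademark: str) -> dict:
    """Map each registration that is not distinct to its verdict."""
    report = {}
    for d in domains:
        verdict = classify(d, trademark)
        if verdict != "distinct":
            report[d] = verdict
    return report


if __name__ == "__main__":
    # Constructed registrations seen for the hypothetical mark 'AcmeBank';
    # the owner's own site shows up too, so the output is a triage list.
    sample = [
        "www.acmebank.com.au",   # the legitimate site
        "acmebank.net",          # identical name under another suffix
        "acme-bank.com",         # hyphen inserted
        "acmebamk.com",          # one-character typo
        "acmebank-login.co.uk",  # mark plus a generic word
        "acm3bank.in",           # digit swapped for a letter
        "bakery.com",            # unrelated
    ]
    for domain, verdict in screen(sample, "AcmeBank").items():
        print(f"{domain:24} {verdict}")
```

The similarity test only addresses the first UDNDRP element; rights or legitimate interests and bad faith still have to be established from the registrant's conduct.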

1.2.3 Cyberpunk

Cyberpunk is a science fiction genre in which the future world is depicted as one in which society is generally controlled by computers, to the detriment of everyday life and social order. Literature, films and computer games of this kind point to a fear that the world may in the end be run exclusively by computers, including unusual situations where non-living structures take on life-like activities and abilities. Resistance to enormous corporations and established organizations is a key part of cyberpunk. Accordingly, main characters are frequently depicted as alienated and marginalized by society. The term cyberpunk was coined by Bruce Bethke in 1983 through the title of his story Cyberpunk. The term joins ‘computer science’ and ‘punk’. Cyberpunk depicts a rapid disintegration of cultural standards because of an inevitable move towards the all-out use of computers, to such an extent that the lines between real people and computers become blurred. Huge corporations are regularly thrown into the mix as the culprit and the host for the dystopian world that is cyberpunk. Cyberpunk settings are commonly placed in the near future against a background of cultural and societal breakdown where computers are permitted to control everything. This is basically a technology-gone-wild scenario. Over time, cyberpunk has attracted a cult-like audience around the world. Particular kinds of clothing designs have even surfaced to mirror the cyberpunk genre. While it may have had its heyday during the 80s, many believe that cyberpunk is here to stay. If nothing else, the cyberpunk movement incorporates a great deal of imagination alongside a sprinkle of realistic cynicism and fear about the repercussions of computer technology and innovation.
1.2.4 Cyberwarfare

Sending soldiers into trenches and onto the front line is no longer essential, as the hellfire of war is increasingly conducted online. This is called cyberwarfare, and it involves the use of technology to attack other countries, governments and citizens by attacking their computer systems and networks. Cyberwarfare refers to the use of digital attacks, such as computer viruses and hacking, by one nation to disrupt the vital computer systems of another, with the intent of causing damage, death and destruction. Future wars will see hackers using computer code to attack an adversary’s infrastructure, fighting alongside troops using conventional weapons like firearms and missiles. Much like normal warfare, which can range from limited skirmishes to all-out battles, the impact of cyberwarfare will vary by target and severity. In general, the computer systems are not the final target; they are targeted because of their role in managing real-world infrastructure such as airports or power grids. Knock out the computers and you can shut down the airport or the power station as a result. There are plenty of grim cyberwarfare scenarios available. Maybe attackers start with the banks: one day your bank balance drops to zero and then unexpectedly jumps up, showing you have millions in your account. Then, stock prices begin going crazy as hackers modify data flowing into the stock exchange. The next day, the trains are not running because the signalling stops working, you cannot drive anywhere on the roads because the traffic lights are all stuck on red, and the shops in large cities begin running out of food. In such scenarios, a nation could be driven to gridlock and chaos, even without the doomsday scenarios of hackers crippling power stations or opening dams. Fortunately, at present, there are hardly any instances of actual cyberwarfare in the world.

POINTS TO REMEMBER
1. Cybercrime is partitioned into two classes: (a) crimes that target computer networks or devices and (b) crimes that use computer networks to commit other criminal activities.
2. ‘Cyberspace’ is a world-wide network of computer networks that use TCP/IP for communication to facilitate the transmission and exchange of data.
3. Cybersquatting is registering, selling or using a domain name with the intent of profiting from the goodwill of someone else’s trademark.
4. Cyberpunk depicts a rapid disintegration of cultural standards because of an inevitable move towards the all-out use of computers, to such an extent that the lines between real people and computers become blurred.
5. Cyberwarfare refers to the use of digital attacks, such as computer viruses and hacking, by one nation to disrupt the vital computer systems of another, with the intent of causing damage, death and destruction.

1.3 Cybercrime Definition and Origins of Cybercrime of the World

Cybercrime is criminal activity done using computers and the Internet. Cybercrime is defined as a crime where a computer is the object of the crime or is used as a tool to commit an offense. This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet.


Educator S.T. Viswanathan has given three definitions in his book, The Indian Cyber Laws with Cyber Glossary, which are as listed in the following:
1. Any illegal activity where a computer is the tool or object of the cybercrime; for example, any crime the means or purpose of which is to affect the functioning of a computer.
2. Any incident associated with computer technology in which a victim suffered or could have suffered loss and a perpetrator, by intention, made or could have made a gain.
3. Computer abuse is considered to be any unlawful, unethical or unauthorized conduct relating to the automatic processing and transmission of data.
The Oxford Dictionary characterized the term cybercrime as ‘crimes carried out by means of computers or the Internet’, as defined in the following: Cybercrime means any crime or other offense that is facilitated by or involves the use of electronic communications or information systems, including any device or the Internet or any one or more of them.

1.3.1 Prevention of Cybercrime

It appears that in this cutting-edge age of technology, hackers are taking control of our systems and nobody is safe. Presently, the average dwell time, or the time it takes an organization to identify a digital breach, is over 200 days. Most web users are not dwelling on the fact that they may get hacked and rarely change their credentials or update passwords. This leaves many individuals susceptible to cybercrime, and it is imperative to get educated. Teach yourself as well as others the preventive measures you can take so as to protect yourself as an individual or as a business. Some of the measures to fight cybercrime are shown in Fig. 1.4.

Figure 1.4  Measures to fight cybercrime.
1. Become vigilant when browsing websites.
2. Flag and report suspicious emails.
3. Never click on unfamiliar links or ads.
4. Use a VPN whenever possible.
5. Ensure websites are safe before entering credentials.
6. Keep antivirus/application systems up to date.
7. Use strong passwords with 14+ characters.


The following are a few points by means of which we can prevent cybercrime:
1. Use strong passwords: Keep different password and username combinations for each account. Weak passwords can be easily cracked using certain attacking techniques like brute force attacks, rainbow table attacks, and so on.
2. Use trusted antivirus on devices: Always use reliable and highly advanced antivirus software on mobile devices and PCs. This helps prevent various virus attacks on devices.
3. Keep social media private: Always keep your social media accounts private to your friends only. Likewise, make sure to add only friends who are known to you.
4. Keep your device software updated: Whenever you get an update to the system software, install it immediately, because the previous version can sometimes be easily attacked.

1.3.2 Dateline of Origin of Cybercrime
• 1834 – French Telegraph System: A pair of thieves hack the French Telegraph System and steal financial market data, effectively conducting the world’s first cyberattack.
• 1870 – Switchboard Hack: A teenager employed as a switchboard operator is able to disconnect and redirect calls and use the line for personal use.
• 1878 – Early Telephone Calls: Two years after Alexander Graham Bell invents the telephone, the Bell Telephone Company dismisses a group of teenage boys from the telephone system in New York for repeatedly and deliberately misdirecting and disconnecting customer calls.
• 1903 – Wireless Telegraphy: During John Ambrose Fleming’s first public demonstration of Marconi’s ‘secure’ wireless telegraphy technology, Nevil Maskelyne disrupts it by sending insulting Morse code messages discrediting the invention.
• 1939 – Military Codebreaking: Alan Turing and Gordon Welchman develop BOMBE, an electro-mechanical machine, during WWII while working as codebreakers at Bletchley Park. It helps to break the German Enigma codes.
• 1940 – First Ethical Hacker: Rene Carmille, a member of the Resistance in Nazi-occupied France and a punch-card computer expert who owns the machines that the Vichy government of France uses to process data, discovers that the Nazis are using punch-card machines to process and track down Jews, volunteers to let them use his, and then hacks them to disrupt their plan.
• 1955 – Phone Hacker: David Condon whistles his ‘Davy Crockett Cat’ and ‘Canary Bird Call Flute’ into his telephone, testing a theory on how telephone systems work. The system recognizes the secret code, assumes he is an employee, and connects him to a long-distance operator. She connects him to any telephone number he requests for free.
• 1957 – Joybubbles: Joe Engressia (Joybubbles), a blind, 7-year-old boy with perfect pitch, hears a high-pitched tone on a telephone line and starts whistling along to it at a frequency of 2600 Hz, enabling him to communicate with telephone lines and become the first telephone hacker or ‘phone phreak’ of the U.S.
• 1962 – Allan Scherr: MIT sets up the first computer passwords, for student privacy and time limits. Student Allan Scherr makes a punch card to fool the computer into printing off all passwords and uses them to log in as others after his time runs out. He also shares passwords with his friends, leading to the first computer ‘troll’. They hack into their teacher’s account and leave messages mocking him.


• 1969 – RABBITS Virus: An unknown individual installs a program on a computer at the University of Washington Computer Center. The inconspicuous program makes copies of itself (breeding like a rabbit) until the computer overloads and stops working. It is believed to be the first computer virus.
• 1970–1995 – Kevin Mitnick: Beginning in 1970, Kevin Mitnick infiltrates some of the most highly guarded networks in the world, including Nokia and Motorola, using elaborate social engineering schemes, tricking insiders into handing over codes and passwords, and using the codes to access internal computer systems. He becomes the most-wanted cybercriminal of the time.
• 1971 – Steve Wozniak and Steve Jobs: When Steve Wozniak reads an article about Joybubbles and other phone phreaks, he becomes acquainted with John Draper, also known as ‘Captain Crunch’, and learns how to hack into telephone systems. He builds a blue box designed to hack into telephone systems, even pretending to be Henry Kissinger and prank-calling the Pope. He begins mass-producing the device with friend Steve Jobs and selling it to classmates.
• 1973 – Embezzlement: A teller at a local New York bank uses a computer to embezzle over $2 million.
• 1981 – Cybercrime Conviction: Ian Murphy, also known as ‘Captain Zap’, hacks into the AT&T network and changes the internal clock to charge off-hour rates at peak times. The first person convicted of a cybercrime, and the inspiration for the film ‘Sneakers’, he completes 1000 hours of community service and 2.5 years of probation.
• 1982 – The Logic Bomb: The CIA blows up a Siberian gas pipeline without the use of a bomb or a missile by inserting code into the network and the computer system in charge of the gas pipeline. The code was embedded into equipment purchased by the Soviet Union from a company in Canada.
• 1984 – US Secret Service: The U.S. Comprehensive Crime Control Act gives the Secret Service jurisdiction over computer fraud.
• 1988 – The Morris Worm: Robert Morris creates what would be known as the first worm on the Internet. The worm is released from a computer at MIT to suggest that the creator is a student there. The potentially harmless exercise quickly turned into a vicious denial-of-service attack when a bug in the worm’s spreading mechanism leads to computers being infected and re-infected at a rate much faster than he anticipates.
• 1988–1991 – Kevin Poulsen: In 1988, an unpaid bill on a storage locker leads to the discovery of blank birth certificates, false IDs, and a photograph of hacker Kevin Poulsen, also known as ‘Dark Dante’, breaking into a telephone company trailer. The subject of a nationwide manhunt, he keeps hacking, including rigging the telephone lines of a Los Angeles radio station to ensure he is the correct caller in a giveaway contest. He is caught in 1991.
• 1989 – Trojan Horse Software: A diskette claiming to be a database of AIDS information is sent to thousands of AIDS researchers and subscribers of a UK computer magazine. It contains a Trojan (after the Trojan Horse of Greek mythology), that is, a dangerous program masquerading as a benign application.
• 1994 – DataStream Cowboy and Kuji: Administrators at the Rome Air Development Centre, a U.S. Air Force research facility, find that a password ‘sniffer’ has been installed on their network, compromising more than 100 user accounts. Investigators determine that two hackers, known as DataStream Cowboy and Kuji, are behind the attack.

Cyber Security and Laws_Chpater 01.indd 9

10/7/2020 9:57:19 AM

10 

•

Chapter 1/Introduction to Cybercrime

• 1995 – Vladimir Levin: Russian software engineer Vladimir Levin hacks into Citibank’s New York IT system from his apartment in Saint Petersburg and authorizes a series of fraudulent transactions, eventually wiring an estimated $10 million to accounts worldwide.
• 1998–2007 – Max Butler: Max Butler hacks U.S. government websites in 1998 and is sentenced to 18 months in prison in 2001. After being released in 2003, he uses Wi-Fi to commit attacks, program malware and steal credit card information. In 2007, he is arrested and eventually pleads guilty to wire fraud, stealing millions of credit card numbers and around $86 million of fraudulent purchases.
• 1999 – NASA and Defence Department Hack: Jonathan James, at the age of 15, manages to penetrate U.S. Department of Defense computers and install a backdoor on its servers, allowing him to intercept a large number of internal e-mails from various government organizations, including ones containing usernames and passwords for various military computers. Using the information, he steals a piece of NASA software. Systems are shut down for three weeks.
• 1999 – The Melissa Virus: A virus infects Microsoft Word documents, automatically spreading itself as an attachment via e-mail. It mails itself out to the first 50 names listed in an infected computer’s Outlook e-mail address book. The creator, David Smith, says he did not intend for the virus, which caused $80 million in damages, to harm computers. He is arrested and sentenced to 20 months in prison.
• 2000 – Lou Cipher: Barry Schlossberg, also known as Lou Cipher, successfully extorts $1.4 million from CD Universe for services rendered in attempting to catch the Russian hacker.
• 2000 – Mafiaboy: 15-year-old Michael Calce, also known as MafiaBoy, a Canadian high school student, unleashes a distributed denial-of-service (DDoS) attack on several high-profile commercial websites including Amazon, CNN, eBay and Yahoo! An industry expert estimates the attacks resulted in $1.2 billion in damages.
• 2002 – Internet Attack: By targeting the 13 Domain Name System (DNS) root servers, a DDoS attack assaults the entire Internet for 60 min. Most users are unaffected.
• 2003 – Operation CyberSweep: The U.S. Justice Department announces more than 70 indictments and 125 convictions or arrests for phishing, hacking, spamming and other Internet fraud as part of Operation CyberSweep.
• 2003–2008 – Albert Gonzalez: Albert Gonzalez is arrested in 2003 for being part of ShadowCrew, a group that stole and then sold card numbers online, and works with the authorities in exchange for his freedom. Gonzalez is later involved in a string of hacking crimes, again stealing credit and debit card details, from around 2006 until he is arrested in 2008. He stole millions of dollars, targeting companies including TJX, Heartland Payment Systems and Citibank.
• 2005 – Polo Ralph Lauren/HSBC: HSBC Bank sends letters to more than 180,000 credit card customers, warning that their card information may have been stolen during a security breach at a U.S. retailer (Polo Ralph Lauren). A DSW data breach also exposes transaction information from 1.4 million credit cards.
• 2006 – TJX: A cybercriminal gang steals 45 million credit and debit card numbers from TJX, a Massachusetts-based retailing company, and uses some of the stolen cards to fund an electronic shopping spree at Walmart. While initial estimates of damages came to around $25 million, later reports put the total cost of damages at over $250 million.


• 2008 – Heartland Payment Systems: 134 million credit cards are exposed through SQL injection used to install spyware on Heartland’s data systems. A federal grand jury indicts Albert Gonzalez and two Russian accomplices in 2009. Gonzalez, alleged to have masterminded the worldwide operation that stole the credit and debit cards, is later sentenced to 20 years in federal prison.
• 2008 – The Church of Scientology: A hacker group known as Anonymous targets the Church of Scientology website. The DDoS attack is part of a political activist movement against the church called ‘Project Chanology’. In one week, the Scientology website is hit with 500 DDoS attacks.
• 2010 – The Stuxnet Worm: A malicious computer virus called the world’s first digital weapon is able to target the control systems used to monitor industrial facilities. It is found in nuclear power plants in Iran, where it knocks out roughly one-fifth of the enrichment centrifuges used in the country’s nuclear programme.
• 2010 – Zeus Trojan Virus: An Eastern European cybercrime ring steals $70 million from U.S. banks, using the Zeus Trojan virus to break into bank accounts and divert money to Eastern Europe. Many people are charged.
• 2011 – Sony Pictures: A hack of Sony’s data storage exposes the records of more than 100 million customers using their PlayStation’s online services. Hackers gain access to all of the customers’ credit card information. The breach costs Sony more than $171 million.
• 2011 – Epsilon: A cyberattack on Epsilon, which provides e-mail handling and marketing services to clients including Best Buy and JPMorgan Chase, results in the compromise of a large number of e-mail addresses.
• 2011 – RSA Safety: Sophisticated hackers steal information about RSA’s SecurID authentication tokens, used by a large number of people, including government and bank employees. This puts customers who rely on them to secure their networks at risk.
• 2011 – ESTsoft: Hackers expose the personal information of 35 million South Koreans. Attackers with Chinese IP addresses accomplish this by uploading malware to a server used to update ESTsoft’s ALZip compression application and steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and e-mail addresses contained in a database connected to the same network.
• 2009–2013 – Roman Seleznev: Roman Seleznev hacks into more than 500 businesses and 3700 financial institutions in the U.S., stealing card details and selling them online, making millions of dollars. He is eventually caught and convicted on 38 charges, including hacking and wire fraud.
• 2013–2015 – Global Bank Hack: A group of Russian-based hackers gains access to secure information from more than 100 institutions around the world. The hackers use malware to infiltrate banks’ computer systems and gather personal data, stealing £650 million from global banks.
• 2013 – Credit Card Fraud Spree: In the biggest cybercrime case filed in U.S. history, federal prosecutors charge 5 men responsible for a hacking and credit card fraud spree that cost companies more than $300 million.
• 2014–2018 – Marriott International: A breach occurs on systems supporting Starwood hotel brands beginning in 2014. Attackers remain in the system after Marriott acquires Starwood in 2016 and are not discovered until September 2018. The thieves take data on roughly 500 million customers. Marriott announces it in late 2018.
• 2014 – eBay: A cyberattack exposes the names, addresses, dates of birth and encrypted passwords of all of eBay’s 145 million users.
• 2014 – CryptoWall: CryptoWall ransomware, the forerunner of CryptoDefense, is widely distributed, producing an estimated revenue of $325 million.
• 2014 – JPMorgan: Hackers hijack one of JPMorgan Chase’s servers and steal data about a large number of bank accounts, which they use in fraud schemes yielding close to $100 million.
• 2015 – Anthem: Anthem reports the theft of personal information on up to 78.8 million current and former customers.
• 2015 – LockerPin: LockerPin resets the PIN code on Android phones and demands $500 from victims to unlock the device.
• 2015 – Prepaid Debit Cards: A worldwide gang of criminals steals a total of $45 million in a very short time by hacking a database of prepaid debit cards and then draining cash machines around the world.
• 2016 – DNC e-mail Leaks: Democratic National Committee e-mails are leaked to and published by WikiLeaks before the 2016 U.S. presidential election.
• 2017 – Equifax: Equifax, one of the largest U.S. credit bureaus, is hacked, exposing 143 million customer accounts. The sensitive leaked data includes Social Security numbers, birth dates, addresses, driver’s license numbers and some credit card numbers.
• 2017 – WannaCry: WannaCry, the first known example of ransomware operating via a worm (viral software that replicates and distributes itself), targets a vulnerability in older versions of the Windows OS. Within days, a large number of businesses and organizations across 150 countries are locked out of their own systems by WannaCry’s encryption. The attackers demand $300 per computer to unlock the code.

POINTS TO REMEMBER
1. Cybercrime is defined as a crime where a computer is the object of the crime or is used as a tool to commit an offense.
2. Categories of cybercrime: Property, Individual, Government.
3. Prevention of cybercrime: Use strong passwords, use trusted antivirus on devices, keep social media private, keep your device software updated.
4. Dateline of cybercrime.

1.4 Cybercrime and Information Security

Cybersecurity plays a significant role in the continuous improvement and development of information technology, as well as of Internet services. Enhancing cybersecurity and protecting critical information infrastructures are essential to every country’s security and economic well-being. Making the Internet safer (and protecting Internet users) has become integral to the development of new services as well as to government policy. Deterring cybercrime is a necessary component of a national cybersecurity and critical information infrastructure protection strategy.

Information security differs from cybersecurity in terms of scope and objectives, as shown in Fig. 1.5(a). There is often confusion regarding these two terms, with many using them interchangeably, and some defining InfoSec as a subcategory of cybersecurity. However, information security is, in fact, the broader category, covering many areas including social media, mobile computing and cryptography as well as aspects of cybersecurity. It is also closely related to information assurance, which involves preserving information from threats like natural disasters and server malfunctions. Cybersecurity exclusively covers threats involving the Internet, so it often overlaps with information security. Information security can also be distinguished from data security. Information can be either physical or digital, and only online information falls under the category of cybersecurity. Cybersecurity that deals with raw data is not classified as information security.

Figure 1.5(a) labels: Things that are vulnerable through ICT; Information (Analogue information, Digital information); Other things than information; Information security; Cybersecurity. Figure 1.5(b) labels: Confidentiality; Data integrity; Availability.

Figure 1.5  (a) Information security versus cyber security. (b) CIA: Focus of information security.

Information security focuses on three objectives, confidentiality, integrity and availability, which are collectively known as CIA [Fig. 1.5(b)], as elaborated in the following:
1. Confidentiality: Preventing the disclosure of information to unauthorized users. This requires implementing access restrictions to protect personal privacy and proprietary information. Failure to maintain confidentiality, whether as a result of an accident or an intentional breach, can have severe consequences for businesses or individuals, who often cannot undo the damage. For example, a compromised password is a breach of confidentiality, and once it has been exposed, there is no way to make it secret again. The most publicized security incidents often involve a breach of confidentiality.
2. Data integrity: Ensuring the accuracy and authenticity of data. Only authorized persons may edit data, and they need to follow procedures to prevent former employees from retaining the ability to alter company data. A failure of integrity could, for example, allow a malicious attacker to redirect traffic from your website, or to edit or delete the content on your website.
3. Availability: Authorized users should have reliable access to information when they need it. This often requires collaboration between departments, such as development teams, network operations and management. An example of a common threat to availability is a DoS attack, where an attacker overloads or crashes the server to prevent users from accessing a website.

At the centre of information security is information assurance, which means maintaining the CIA of data and ensuring that data is not compromised in any way when critical issues arise. These issues are not limited to natural disasters, computer/server malfunctions and so on. Accordingly, the field of information security has grown and evolved significantly in recent years. It offers many areas for specialization, including securing networks and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning, and so on.

Figure 1.6 labels: Global cybersecurity agenda; Legal measures; Technical and procedural measures; Organizational structure; Capacity building; International cooperation.

Figure 1.6  Global cybersecurity agenda.

The Global Cybersecurity Agenda has seven main strategic goals, built on five work areas (Fig. 1.6), as listed in the following:
1. Legal measures: ‘Legal measures’ focuses on how to address the legislative challenges posed by criminal activities committed over ICT networks in an internationally compatible manner.
2. Technical and procedural measures: ‘Technical and procedural measures’ focuses on key measures to promote the adoption of enhanced approaches to improve security and risk management in cyberspace, including accreditation schemes, protocols and standards.
3. Organizational structures: ‘Organizational structures’ focuses on the prevention, detection, response to and crisis management of cyberattacks, including the protection of critical information infrastructure systems.
4. Capacity building: ‘Capacity building’ focuses on elaborating strategies for capacity-building mechanisms to raise awareness, transfer know-how and boost cybersecurity on the national policy agenda.
5. International cooperation: ‘International cooperation’ focuses on international cooperation, dialogue and coordination in dealing with cyberthreats.

1.4.1 Types of Cybercriminals

A computer hacker is a skilled computer expert who uses their technical knowledge to overcome a problem. Although the term ‘hacker’ can simply refer to any skilled software programmer, it has become increasingly synonymous with the notion of a security hacker, that is, an individual who, with their technical knowledge, uses bugs or exploits to break into computer systems. The Internet allows criminals to target countries from different locations around the world, making it harder to enforce the law. Cybercriminals can operate from anywhere in the world, targeting large numbers of people or organizations across international boundaries, and there are challenges posed by the scale and volume of their crimes, the technical complexity of identifying the perpetrators, as well as the need to work internationally to bring them to justice. The web has unfortunately emboldened would-be criminals to commit offences, in the belief that law enforcement struggles to operate in the online world.

Thought Processes behind Cybercrime

• Greed.
• Desire to gain power.
• Publicity.
• Desire for revenge.
• A sense of adventure.
• Looking for the thrill of accessing forbidden information.
• Destructive mindset.
• Desire to sell network security services.

The definition of a hacker, therefore, is ‘someone’ who can subvert computer security. If the reasons stem from an ulterior motive, the individual can also be called a ‘cracker’. Primarily, there are around four motives behind hackers’ attempts to break into computer systems, which are listed in the following:
1. The principal motive is monetary gain, particularly when it involves breaking into systems with the specific purpose of stealing credit card numbers or manipulating banking systems.
2. Second, some hackers are driven by egoistic motives: to increase their reputation within the hacker subculture, leaving their marks on the system or network after a break-in.


3. Third, corporate espionage allows organizations to obtain information on services and products that may be hijacked or used as leverage within the marketplace.
4. Finally, some hackers do it for patriotic reasons, as in state-sponsored cyberattacks during wartime.

A cybercriminal is a person who conducts some form of illegal activity using computers or the Internet. These cybercriminals use their knowledge of computers, networks and human behaviour, and a variety of tools, to commit cybercrimes. Cybercriminals can be of the following types:
1. Hackers: Hackers explore others’ computer systems for various reasons depending upon their need. Hackers can be of the following three kinds:
(a) White hat hackers: A white hat hacker is an ethical hacker who opposes the abuse of computer systems and networks. A white hat generally focuses on securing IT systems.
(b) Black hat hackers: A black hat is a hacker who compromises or breaks into the security of a computer system or network without the permission of the authorized party, typically with malicious intent.
(c) Grey hat hackers: A grey hat is a hacker who sometimes acts legally, sometimes illegally. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or for malicious intentions, but may or may not occasionally commit crimes.
2. Crackers: These individuals intentionally cause loss to satisfy some antisocial motives or sometimes just for fun. Many computer virus creators and distributors fall into this category.
3. Pranksters: These individuals perpetrate tricks on others. They generally do not intend any particular or long-lasting harm.
4. Career criminals: These individuals earn part or all of their income from crime. In some cases, they conspire with others or work within organized gangs such as the Mafia. The greatest organized crime threat comes from groups in Russia, Italy and Asia.
5. Cyberterrorists: There are many forms of cyberterrorism. Sometimes a hacker may break into a government website to steal information or to post a threat. It was found that around 25 Indian government websites were hacked till May 2019.
6. Cyber bulls: Name calling in chat rooms, posting fake profiles on websites, and sending mean or cruel e-mails or messages are some forms of cyberbullying, and cyber bulls indulge in such activities.
7. Salami attackers: Such attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed, e.g., a bank employee inserts a program into the bank’s servers which deducts a small amount from the account of every customer.
8. Drops: These individuals convert ‘virtual money’ or cryptocurrency into real cash.
9. Kids: They are called so because of their tender age (most are under 18). They buy and resell the elementary building blocks of effective cyber scams such as spam lists, proxies, credit card numbers, hacked hosts, scam pages, etc.
10. Coders: They produce ready-to-use tools such as trojans, mailers, custom bots, viruses and other services and sell them to the cybercrime labour force.


POINTS TO REMEMBER
1. Information security objectives: Confidentiality, integrity and availability (CIA).
2. Global cybersecurity agenda: Legal measures, technical and procedural measures, organizational structures, capacity building and international cooperation.
3. Types of cybercriminals: Black hat hackers, white hat hackers, crackers, phreakers, whackers.

1.5 Classifications of Cybercrime

The cybercrimes may be broadly classified into four groups (see Fig. 1.7).

Figure 1.7 labels: Classification of cybercrime; Crime against individuals; Crimes against property; Crime against organization; Crime against society.

Figure 1.7  Classification of cybercrime.

1.5.1 Crime against Individuals

Crimes that are committed by cybercriminals against an individual or a person. A few cybercrimes against individuals are listed in the following:
1. Harassment via electronic mails.
2. Dissemination of obscene material.
3. Cyberstalking.
4. Defamation.
5. Indecent exposure.
6. Cheating.
7. Unauthorized control/access over computer system.
8. The e-mail spoofing.
9. Fraud.

1.5.2 Crimes against Property

These types of crimes include vandalism of computers, intellectual property (copyright, patent, trademark, etc.) crimes, online threatening, etc. Crimes against property include the following:
1. Computer vandalism.
2. Transmitting virus.
3. Net-trespass.
4. Unauthorized access/control over computer system.
5. Internet thefts.
6. Intellectual property crimes such as software piracy, copyright infringement, trademark infringement, etc.

1.5.3 Crime against Organization

Crimes committed to threaten international governments or any organization by using Internet facilities are known as cybercrimes against organization. These crimes are committed to spread terror among people. Cyberterrorism is referred to as crime against a government. Cybercrimes against government include cyberattacks on government websites, military websites, cyberterrorism, etc.

• Unauthorized access/control over computer system.
• Cyberterrorism against the government organization.
• Possession of unauthorized information.
• Distribution of pirated software.

1.5.4 Crime against Society

Those cybercrimes which affect the interest of society at large are known as cybercrimes against society, and they include the following:
1. Child pornography.
2. Indecent exposure of polluting the youth, financial crimes.
3. Sale of illegal articles.
4. Trafficking.
5. Forgery.
6. Online gambling.

Each of the four categories of cybercrime is described in detail in the following subsections.

1.5.5 Cybercrime against Individual

The e-mail Spoofing and the Other Online Frauds

CASE STUDY The e-mail Spoofing and the Other Online Frauds
There have been numerous reports of ‘black boxes’ that spoof older or less well-designed alarm controllers. In one case, criminals seized $1.5 million in jade sculpture and gold jewellery imported from China, a robbery which drove the importer into bankruptcy. The alarm system protecting its warehouse in Hackensack, New Jersey was cut off. Normally, that would have triggered an alarm at a security company, but the robbers had attached a home-made electronic device to an external cable to guarantee a continuous ‘all is well’ signal.


An ‘e-mail spoofing’ is a term used to describe fraudulent e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. E-mail spoofing is a technique commonly used in spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, for instance the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. It is often associated with website spoofing, which mimics a genuine, well-known website but is run by another party, either with fraudulent intent or as a means of criticizing the organization’s activities. E-mail spoofing is possible because Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, does not include an authentication mechanism. Although an SMTP service extension allows an SMTP client to negotiate a security level with a mail server, this precaution is often not taken. If the precaution is not taken, anyone with the requisite knowledge can connect to the server and use it to send messages. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Thus, someone could send a spoofed e-mail that appears to be from you. Spoofing involves the spoofing of e-mails or websites by using company trademarks and logos to appear to be a legitimate financial organization or Internet service provider. Such scams use banks and online shopping sites exclusively. Figure 1.8 portrays an example of e-mail spoofing.

Figure 1.8 labels: Attacker registers YOURCOMPANY.COM; MX record to attacker; External SMTP; Response; Delivered to [email protected]; Bob assumes the email is legitimate and makes the wire transfer. Spoofed message: From: [email protected]; To: [email protected]; Subject: URGENT; body: ‘We need to transfer $50000 to the following account before the end of the day or production will stop. Alice’.

Figure 1.8  An e-mail spoofing.


One study showed that 30% of such e-mails are linked to eBay or PayPal, while roughly 60 percent target U.S. Bank or Citibank.
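The spoofing discussion above names three header fields that an attacker alters: From, Return-Path and Reply-To. The following is an added example (not from the book) of a defender-side check that compares those fields on a parsed message and reports when they disagree; the two messages and all addresses in it are constructed samples, and a clean result only means nothing was seen, not that the mail is authentic, because SMTP itself verifies nothing.

```python
"""Flag From / Return-Path / Reply-To disagreements that often accompany spoofing.

Added example, not from the book. The messages below are constructed;
example.com, example.net and example.org are placeholder domains.
"""
import email
from email.utils import parseaddr


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def spoofing_findings(raw_message):
    """Return a list of findings for one raw RFC 5322 message.

    Checks, restricted to the three header fields the text discusses:
      * Return-Path domain differs from From domain (bounces go elsewhere)
      * Reply-To domain differs from From domain (replies are diverted)
    An empty list means no disagreement was observed, not that the
    message is genuine: SMTP provides no sender authentication on its own.
    """
    msg = email.message_from_string(raw_message)
    from_dom = sender_domain(msg.get("From"))
    if from_dom is None:
        return ["From header missing or unparsable"]

    findings = []
    rp_dom = sender_domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    return findings


# Constructed sample: headers agree with each other.
LEGIT = """From: Alice <alice@example.com>
Return-Path: <alice@example.com>
To: bob@example.com
Subject: Q3 invoice

See attached.
"""

# Constructed sample: From claims example.com, but bounces and replies
# are routed to other domains, the pattern the text describes.
SPOOFED = """From: Alice <alice@example.com>
Return-Path: <bounce@example.net>
Reply-To: finance-desk@example.org
To: bob@example.com
Subject: URGENT wire transfer

We need to transfer funds before the end of the day.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, spoofing_findings(raw) or ["no findings"])
```

Checking these fields is a triage aid only; mail that passes can still be forged, which is why domain-level authentication added on top of SMTP is needed in practice.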

Phishing and Vishing

CASE STUDY Operation ‘Phish Phry’
In late 2009, the FBI announced the indictments of nearly 100 individuals as part of Operation ‘Phish Phry’, one of the largest cyber fraud phishing cases ever. Initiated by the Los Angeles field office, the two-year investigation involved the U.S. Secret Service, state and local law enforcement, Egyptian law enforcement and the Electronic Crimes Task Force in Los Angeles. Conspirators included 50 Egyptian citizens and 50 people from California, Nevada and North Carolina. The suspects were charged with crimes ranging from computer fraud, money laundering and aggravated identity theft to conspiracy to commit bank fraud. Operation Phish Phry clearly showed the significance of international operations, as it represented the first joint cyber investigation between the United States and Egypt.

Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, for example passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, for example an e-mail or an instant message. The term phishing arises from the use of increasingly sophisticated lures to ‘fish’ for users’ financial information and passwords. It is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to a website that asks them to update personal information, for example passwords and credit card, Social Security and bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the user’s information. Most methods of phishing use some form of technical deception designed to make a link in an e-mail appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers; they may fool an unwary person, although the link actually directs the browser to a different site. This method has since been closed off in the Mozilla and Internet Explorer web browsers, while Opera gives a warning message and the option not to follow the link. Spam has evolved from simple advertisements to e-mail targeting specific individuals, called spear phishing. Such weaponized e-mail uses social engineering, for example referring to events presumably only insiders would know about (e.g., click here to see my embarrassing photos of Friday’s company picnic or to see changes in your retirement benefits), thereby tempting users to open files or inadvertently go to compromised websites. Vishing is similar to phishing; it is the criminal practice of obtaining personal, private and financial information from the public for the purpose of financial reward. The term is a combination of ‘voice’ and phishing.


Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Sending mass e-mails to a large number of potential victims increases the chance of getting someone trapped. There are generally three separate steps for such attacks to work, listed as follows:
1. Setting up a copy site.
2. Sending a convincingly fake e-mail, luring the users to that copy site.
3. Collecting the data and then redirecting users to the genuine site.
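The phishing passage above names two link tricks, misspelled URLs and brand names placed in subdomains. The following added example (not from the book) turns both into detection rules over URLs found in message text, and goes one step further by also flagging a trusted brand name glued into an unrelated domain; the trusted-domain list and every URL in it are constructed, and the registrable-domain helper is a simplification that assumes a one-label public suffix.

```python
"""Flag lookalike URLs of the kind the phishing passage describes.

Added example, not from the book. TRUSTED_DOMAINS and all sample URLs are
constructed; registrable_domain() assumes a one-label public suffix and
uses no public-suffix list (a simplification for illustration).
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of brands the organisation wants to protect.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of a host name, e.g. 'www.paypal.com' -> 'paypal.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; a small distance to a brand suggests a misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'trusted', 'subdomain-abuse', 'brand-embedded', 'misspelling' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if "." not in host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    subdomain_labels = host.split(".")[:-2]
    first_label = reg.split(".")[0]
    for brand in TRUSTED_DOMAINS:
        brand_label = brand.split(".")[0]
        # 'paypal.com.login-check.example': the brand is only a subdomain;
        # the registrable domain belongs to someone else.
        if brand_label in subdomain_labels:
            return "subdomain-abuse"
        # 'ebay-secure.example': brand name embedded in a foreign domain.
        if brand_label in first_label:
            return "brand-embedded"
    for brand in TRUSTED_DOMAINS:
        # 'paypa1.com': one or two characters away from the real brand.
        if edit_distance(reg, brand) <= 2:
            return "misspelling"
    return "unknown"


def suspicious_urls(text):
    """Return (url, verdict) for every URL in text that is neither trusted nor unknown."""
    verdicts = [(u, classify_url(u)) for u in URL_RE.findall(text)]
    return [(u, v) for u, v in verdicts if v not in ("trusted", "unknown")]


if __name__ == "__main__":
    sample = "Verify at https://paypa1.com/verify or read https://www.ebay.com/help"
    print(suspicious_urls(sample))
```

The brand-embedded rule will also flag legitimate third parties that mention a brand in their domain, so in practice its hits are reviewed rather than blocked outright.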

Spamming

CASE STUDY Spamming
In 2006, Daniel J. Lin became the first individual convicted of violating the CAN-SPAM Act and was sentenced to three years in federal prison and ordered to pay a $10,000 fine. Lin, along with his accomplices, distributed a large number of e-mail messages advertising various products, including weight loss patches and ‘generic’ Viagra. To increase sales and to promote his products, Lin sent mass messages with false header information through a variety of zombie computers.

The term spamming may be defined as the abuse of electronic messaging systems to randomly or indiscriminately send unsolicited bulk messages. While spam may be found in a multitude of electronic communications (i.e., instant messaging, Usenet newsgroups, websites, mobile phones, and so on), most users know the term as it applies to e-mail. At the start of the decade, spamming was still a ‘home-work’ occupation, with large volumes of spam sent from dedicated server farms, open relays or compromised servers. In fact, it seems unlikely that any regular user of e-mail has escaped victimization. It is increasingly used by certain advertisers to reduce operating costs and escape responsibility. What is more, it may well be used by criminals launching DDoS attacks, regardless of their basic motivation. While many end users see spam as little more than an annoyance, some of the direct effects associated with the act of spamming include the cost in human time of reading or deleting the messages; reduced productivity due to loss of focus; the purchase of antispam software; and the consumption of computer and network resources. Individuals who create electronic spam are called spammers (Fig. 1.9). Spam is the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately. The types of spamming are those listed in the following:
1. An e-mail spam.
2. Instant messaging spam.
3. Usenet group spam.
4. Web search engine spam.
5. Spam in blogs, wiki spam.
6. Online classified advertisements spam.
7. Mobile phone messaging spam.
8. Internet forum spam.
9. Junk fax spam.
10. Social networking spam.

Figure 1.9 labels: Attacker; Control server; Bots; Spam.

Figure 1.9  Spamming.

The volume of spam continues to grow, and it is currently used to spread viruses; deliver trojans or other malware; initiate DDoS attacks; commit identity theft; advance political extremism; facilitate Internet fraud; and further an assortment of other online criminal activities, such as extortion and blackmail. In 2010, the top three spam botnets were Rustock, Grum and Cutwail.

Cyberstalking and Harassment

CASE STUDY Cyberstalking and Harassment
The Kathuria case was the first reported case of cyberstalking in India and prompted the 2008 amendment to the IT Act. It involved the stalking of a woman, Ritu Kohli, by Kathuria. He followed her on a chat site, used obscene language, abused her, and later distributed her telephone number to a wide range of people. After that, he began using Kohli's identity to chat on the site www.mirc.com. As a result, she started receiving about 40 obscene calls at odd hours of the night over the following three days. She reported the matter to the Delhi Police, who then traced the IP addresses and arrested Kathuria under Section 509, IPC. The IT Act had not come into force at that time. While there is no record of any subsequent proceeding, this case made Indian legislators wake up to the need for legislation to address cyberstalking.


Stalkers who attempt to stalk the victim by means of electronic media, for example, the Internet and PC spyware, are called cyberstalkers. They may reveal or conceal their identity to gain the confidence of the victim; then they may attempt to gather data, for example, contact details, by joining the victim in places the victim visits on the Internet. Cyberstalking is the use of information technology, for example, e-mail or the Internet, to repeatedly threaten or harass another individual, group, or organization with false accusations, identity fraud, solicitation for sexual purposes, or the gathering of information for further harassment. Fig. 1.10 shows the percentage of users experiencing different types of online harassment among all Internet users. This conduct is often a prelude to more serious physical violence.

Figure 1.10  Type of online harassment experienced by people by age (in percent) among all Internet users. (Bar chart with two series, all ages and 18–29 years old, for the categories: called offensive names, purposefully embarrassed, physically threatened, stalked, harassed for a sustained period, sexually harassed.)

Following are a few practices that may be attempted by a stalker:
1. Unwelcome calls.
2. Sending instant messages, e-mails, or personal letters.
3. Threatening the victim so as to gain attention.
4. Sending romantic or pornography-related gifts to the victim.
5. Involvement of multiple perpetrators (group stalking).
6. Coercing the victim by means of threats.
7. Insulting the victim.
There are three types of cyberstalking, as listed in the following:
1. The first is e-mail stalking, which can take numerous forms such as unsolicited, obscene or compromising mail.
2. Then there is web stalking. Here, the stalker uses the web to defame and endanger the victim. In such cases, cyberstalking takes on a public rather than a private dimension. What is disturbing about this type of cyberstalking is that it is likely to spill over into the physical space.
3. The third method of cyberstalking is computer stalking, which exploits the workings of the Internet and the Windows OS so as to take control of the intended victim's computer.

Defamation

CASE STUDY Tata Versus Turtle
The lawsuit was initiated by Tata Sons, the owner of India's most valuable – and possibly best protected – trademark, following the launch in May 2010 of a Pac-Man style game called 'Turtle Vs. Tata' on Greenpeace India's website. The game not only uses the Indian company's 'Tata' mark and a stylized version of its 'T within a circle' device, but also contains references to 'Tata demons'.

Defamation can be understood as the wrongful and intentional publication of something, either in written or oral form, about an individual in order to harm his reputation in society. Cyber defamation is publishing defamatory material against another person with the help of computers or the Internet. If somebody publishes a defamatory statement about another person on a website, or sends e-mails containing defamatory material to other people with the intention of defaming the person about whom the statement is made, that amounts to cyber defamation. The damage caused to an individual by spreading a defamatory statement about him on a website is widespread and irreparable, as the information is accessible to the whole world. Cyber defamation affects the welfare of the community as a whole and not just the individual victim. It also has an effect on the economy of a nation, depending on the information published and the victim against whom it has been spread. For a statement to be considered defamatory, the following essential elements must be satisfied:
1. There must be publication of the defamatory statement, meaning the information must reach a third party.
2. The statement must refer only to the plaintiff.
3. The statement must be defamatory in nature.
The following are the media through which the offence of cyber defamation can be committed:
1. World Wide Web.
2. Discussion groups.
3. Intranets.
4. Mailing lists and bulletin boards.
5. E-mail.

Defamation can be divided into the following two categories:
1. Libel: A defamatory statement published in written form.
2. Slander: A defamatory statement that is spoken, that is, a verbal form of defamation.
Thus, the fundamental distinction between the two types is the medium in which they are expressed: one is expressed in written form while the other is oral.


Pornographic Offences
Child pornography is an obscene visual depiction of any kind involving a minor engaging in, or appearing to engage in, sexually explicit conduct, graphic bestiality, sadistic or masochistic abuse, or sexual intercourse of any kind; the offence of child pornography also includes the production, distribution, and possession of such material. Child pornography is a serious crime. It is any work that centres on children in a sexual way. The worldwide community has understood that children are at risk and can suffer the ill effects of child pornography abuse. Rapidly expanding computer technology has eased the creation and spread of child pornography. Girls and boys, and even babies, are becoming victims of such offensive activity. Pornographers exploit poor children, disabled minors, and sometimes neighbourhood kids for sexual abuse. Figure 1.11 refers to the pornographic cases over a duration of 6 months.

Figure 1.11  Pornographic cases of 6 months. (Two bar charts of responses in percent, each with the series Total population, Female and Male: (a) frequency, from ≤1/month through 1/week, >1/week and 1/day to >1/day; (b) medium: online videos, online pictures/photographs, literature, audio recordings, anime/manga.)


The criminals draw children into pornographic activities by using the following strategies:
1. Seduction: They offer kids something alluring.
2. Coercion: They force kids into sexual activities or threaten them with serious consequences.
3. Payment: They offer financial benefits to attract kids.
4. Solicitation: They demand a sexual relationship with the children.
5. Blackmailing: The offenders entice or force children or adolescents into offensive activities and make recordings and pictures of them. Afterwards, they blackmail the victims or their parents by threatening to expose the pictures or recordings.

Voyeurism is another motive behind pornography. It involves individuals who derive sexual pleasure from secretly watching sexual activities or others naked. Offenders often sell obscene material to earn easy money. They also build their own websites that provide explicit material for cash. Children who are sexually exploited through child pornography suffer from depression, mood swings, emotional withdrawal, dread, fear and anxiety. Online instant messaging and chat rooms have benefited children, but they are also potential sources of sexual abuse. Paedophiles use chat rooms to sexually abuse children by establishing online relationships with them. After establishing a steady relationship, they introduce children to pornography by providing images and videos that have sexually explicit material. Paedophiles exploit children for cybersex, which may lead to physical abuse. The provisions of the law relating to child pornography are as listed in the following:
1. An individual cannot knowingly transport child pornography by any means, including but not limited to through the mail or through a computer.
2. An individual cannot knowingly receive or distribute child pornography that has been shipped by any means, including but not limited to through the mail or through a computer.
3. An individual cannot knowingly reproduce any child pornography for distribution by any means, including but not limited to through the mail or through a computer.
4. An individual cannot advertise, promote, present, distribute, or solicit child pornography.
5. An individual cannot knowingly possess or sell child pornography in any form, including books, magazines, films and digital media.

1.5.6 Cybercrime against Property

Credit Card Fraud

CASE STUDY Credit Card Fraud – Amit Tiwari Versus Mumbai Police
Amit Tiwari had numerous names, financial accounts and customers. None of them were real. With a plan that was both clever and naive, the 21-year-old engineering student from Pune attempted to swindle a Mumbai-based credit card processing company, CC Avenue, of almost Rs 900,000. He was arrested by the Mumbai Police on August 21, 2003, after a period of hide-and-seek with CC Avenue. He has been charged with cheating under Section 420.


Generally speaking, fraud may be defined as an intentional deception, misrepresentation, or falsehood made with the intention of receiving unwarranted compensation or gratification. While statutes and definitions vary across jurisdictions, all have formally recognized the crime in multiple areas. Like any other fraud, credit card fraud can take many forms. It can be perpetrated in the physical world in the old-fashioned way, where criminals use stolen cards to purchase items from retailers, which they then use or resell. It can also be accomplished in the physical world through the use of duplicate cards carrying stolen account numbers. Before the advent of computers, it was difficult to catch individuals with stolen cards, as there were no automated stops on credit card activity. Rather, retailers could only identify stolen cards by looking through a book that was distributed to them. Table 1.1 refers to the frauds in different banking sectors.

Table 1.1  Frauds in Different Banking

Bank Group/Institution   2017–2018                                        2018–2019
                         Number of Frauds   Amount Involved (₹ million)   Number of Frauds   Amount Involved (₹ million)
(1)                      (2)                (3)                           (4)                (5)
Public sector banks      2885 (48.8)        382,608.7 (92.9)              3766 (55.4)        645,094.3 (90.2)
Private sector banks     1975 (33.4)        24,782.5 (6.0)                2090 (30.7)        55,151.4 (7.7)
Foreign banks            974 (16.5)         2560.9 (0.6)                  762 (11.2)         9553.0 (1.3)
Financial institutions   12 (0.2)           1647.0 (0.4)                  28 (0.4)           5534.1 (0.8)
Small finance banks      65 (0.1)           61.9 (0.0)                    115 (0.6)          75.2 (0.0)
Payment banks            3 (0.1)            9.0 (0.0)                     39 (0.6)           21.1 (0.0)
Local area banks         2 (0.0)            0.4 (0.0)                     1 (0.0)            0.2 (0.0)
Total                    5916 (100.0)       411,670.4 (100.0)             6801 (100.0)       715,429.3 (100.0)

(Figures in parentheses are percentages of the column total.)

A more sophisticated technique for information theft involves reading and recording the personal data encoded on the magnetic strip of an automated teller machine (ATM) or debit/credit card. Once stored, the stolen data is re-encoded onto the magnetic strip of a secondary or counterfeit card. This procedure, known as card skimming, produces a spurious card, which is a full-service credit or debit card indistinguishable from the original when making purchases. By definition, 'skimming' is the illegal duplication of credit cards achieved by running the card through a reader that captures the information stored in the magnetic strip on the back. While card skimming was generally reserved for facilitating credit card fraud, it is increasingly being used along with a variety of other personal data to create additional accounts. Card skimmers come in an assortment of shapes and sizes (frequently miniature cameras or copiers, and can be mounted on retail terminals and ATMs). In some cases, thieves have even built fake ATMs. Consequently, consumers are strongly urged to use only those machines that are maintained by financial institutions, and to be alert for any suspicious equipment or personnel.


Intellectual Property (IP) Crimes

CASE STUDY Mattel, Inc. Versus MGA Entertainment, Inc.
Barbie was 42 years old when the exotic, puffy-lipped Bratz dolls Cloe, Jade, Sasha and Yasmin strutted onto the scene in 2001. Tensions escalated as the Bratz seized around 40 percent of Barbie's turf in only 5 years. The Bratz struck first. In April 2005, their maker MGA Entertainment filed a claim against toy powerhouse Mattel, asserting that the line of 'My Scene' Barbies copied the big-headed and thin-bodied physique of Bratz dolls. Mattel then hit back, accusing Bratz designer Carter Bryant of having designed the doll while on Mattel's payroll. Bryant worked for Mattel from September 1995 to April 1998 and again from January 1999 to October 2000, under an agreement that specified that his designs were the property of Mattel. In July 2008, a jury decided for Mattel, ordering MGA to pay Mattel $100 million and to remove Bratz dolls from shelves (an order that lasted about a year). However, the two toy companies continued to duke it out. After that, in yet another legal dispute, underdog MGA won, demonstrating that Mattel was actually the one to steal trade secrets.

In the legal field, this term is often used when referring to intellectual property rights, such as patents, copyrights and trademarks. A party that owns the rights to a particular trademark can sue other parties for trademark infringement based on the standard of likelihood of confusion. Intellectual property/capital are terms used to describe intangible assets: the results of human endeavour that have value and are original, such as designs, publications, inventions, computer software and music. These assets increasingly make up a large proportion of company net worth. The protection and management of these assets has become a commercial imperative, requiring the development of a set of practices that are encompassed within the field of Intellectual Property Management (IPM).
Figure 1.12 refers to the different IP management techniques.

Figure 1.12 IP Management. (Diagram of activities grouped around intellectual property management: patent selling, buying and licensing; defending patents; identification of patent weaknesses; infringement of patents; patent analysis for technology trends; work with external patent consultants; patent search; patent mapping with competitors' patents; patent strategy; patent abstracts; brain maps and key know-how holder maps; patent writing (competitors).)


Intellectual property theft includes the theft of the following:
1. Unregistered trade secrets.
2. Copyrighted, patented, or registered works.
3. Trademark violations.
4. Confidential proposals.
5. Confidential work papers.
6. Technical notes.
7. Strategic business planning.
8. Gray-market distributions.
9. Counterfeiting.
10. Illegal distributions.
11. Unauthorized product diversions.
12. Trade names or partials.

The following two forms of IP are frequently stolen:
1. Copyright: A product of intellect that includes literary and artistic works.
2. Industrial property: A product of intellect that includes patents, trademarks, industrial designs and geographical indications of source.
According to the USPTO, 'Copyright is a form of protection provided to the authors of "original works of authorship" including literary, dramatic, musical, artistic, and certain other intellectual works, both published and unpublished.' A lawsuit can be filed against anyone who has violated the rights of the copyright owner. Infringers who go beyond the fair use doctrine and try to commercialize the work of copyright owners or portray it as their own will often have to face a lawsuit from the owners of the copyrighted work. In this case, the copyright owner can do the following:
1. Obtain an order to prevent further infringement of the copyright.
2. Ask for compensation from the infringer for the damage already done.
3. Ask the infringer to pay attorneys' fees.

1.5.7 Cybercrime against Organization

Password Sniffing

CASE STUDY Montreal's ATM Hack
A Bank of Montreal ATM was hacked by two 14-year-old children; they used the machine's default password. Emergency Alert System (EAS) equipment used to broadcast warnings was hacked by exploiting default passwords. After the breach, the hackers sent out an alert warning the public of a 'zombie attack'.


'Passwords are a ubiquitous and critical component of many security systems'. Therefore, it is important to create secure passwords that are difficult to compromise. For instance, a strong password policy requires a minimum number of characters and different types of characters, and specifies how frequently users should change their passwords. Password sniffing is an attack on the Internet that is used to steal user names and passwords from the network. Today, it is mostly of historical interest, as most protocols these days use strong encryption for passwords. However, it used to be the worst security problem on the Internet during the 1990s, when news of significant password sniffing attacks was seen almost weekly. The typical implementation of a password sniffing attack involves gaining access to a computer connected to a local area network and installing a password sniffer on it. The password sniffer is a small program that listens to all traffic in the attached network(s), builds data streams out of TCP/IP packets, and extracts usernames and passwords from those streams that carry protocols which send cleartext passwords.
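The cleartext-protocol weakness the paragraph describes can be audited from the defender's side. The following is an added example, not code from the textbook: it scans constructed, reassembled streams (the hosts, users and passwords are made up) for logins sent in the clear over FTP, POP3 and HTTP Basic, reports each exposed account with the password redacted, and names the encrypted replacement to migrate to.

```python
import base64
import re
from collections import Counter

# Constructed sample of reassembled application-layer streams, the form a
# sniffer sees after rebuilding TCP/IP packets: (src_host, dst_host, dst_port,
# payload). Not real captures; every host, user and password is made up.
SAMPLE_STREAMS = [
    ("10.0.0.5", "10.0.0.10", 21, "USER alice\r\nPASS hunter2\r\n"),
    ("10.0.0.6", "10.0.0.20", 80,
     "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"bob:s3cret").decode() + "\r\n\r\n"),
    ("10.0.0.7", "10.0.0.30", 110, "USER carol\r\nPASS letmein\r\n"),
    ("10.0.0.8", "10.0.0.40", 443, "\x16\x03\x01\x02\x00\x01\x00"),  # TLS: opaque to a sniffer
    ("10.0.0.5", "10.0.0.10", 21, "USER alice\r\nPASS hunter2\r\n"),  # same login repeated
]

# Destination port -> (protocol name, encrypted alternative to migrate to).
CLEARTEXT_AUTH = {
    21: ("FTP", "SFTP or FTPS"),
    110: ("POP3", "POP3 over TLS"),
    80: ("HTTP Basic", "HTTPS"),
}


def _extract_login(proto, payload):
    """Return (username, secret) if the stream carries a cleartext login, else (None, None)."""
    if proto == "HTTP Basic":
        m = re.search(r"^Authorization: Basic (\S+)", payload, re.M)
        if not m:
            return None, None
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # malformed base64 (binascii.Error is a ValueError)
            return None, None
        user, _, secret = decoded.partition(":")
        return user, secret
    # FTP and POP3 both send "USER x" then "PASS y" as separate lines.
    user = re.search(r"^USER (\S+)", payload, re.M)
    pw = re.search(r"^PASS (\S+)", payload, re.M)
    if not pw:
        return None, None
    return (user.group(1) if user else None), pw.group(1)


def find_cleartext_credentials(streams):
    """One finding per stream that carries a login in the clear.

    The secret itself is never kept: only its length is recorded, which proves
    the exposure to the service owner without re-exposing the password.
    """
    findings = []
    for src, dst, port, payload in streams:
        if port not in CLEARTEXT_AUTH:
            continue  # unknown service, or an encrypted one such as 443
        proto, fix = CLEARTEXT_AUTH[port]
        user, secret = _extract_login(proto, payload)
        if secret is None:
            continue
        findings.append({
            "src": src, "dst": dst, "port": port, "protocol": proto,
            "username": user, "password_len": len(secret), "migrate_to": fix,
        })
    return findings


def exposure_summary(findings):
    """Distinct exposed accounts per (protocol, server), so repeated logins by
    the same user count once."""
    distinct = {(f["protocol"], f["dst"], f["username"]) for f in findings}
    return Counter((proto, dst) for proto, dst, _user in distinct)


if __name__ == "__main__":
    found = find_cleartext_credentials(SAMPLE_STREAMS)
    for f in found:
        print(f"{f['protocol']:<10} {f['src']} -> {f['dst']}:{f['port']} "
              f"user={f['username']} (password of {f['password_len']} chars) "
              f"=> move to {f['migrate_to']}")
    print("exposed accounts per server:", dict(exposure_summary(found)))
```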

DoS Attack

CASE STUDY Denial-of-service (DoS) attack by an individual – Shimla Housing Board
When a foreigner applied to benefit from a scheme introduced by the Shimla Housing Board to purchase land at lower rates, the application was rejected on the grounds that the scheme was available only to residents of India, even though he had been living in Shimla, India for almost 30 years. He decided to take revenge. Thus, he sent a large number of e-mails to the Shimla Housing Board and kept sending messages over and over until their servers crashed.

DoS and DDoS attacks are another popular type of attack, seeking to exhaust and overwhelm the target network's bandwidth and computational resources. Similarly, such attackers have a 'one-to-many relationship'. 'A denial-of-service (DoS) attack aims to make a computer system unavailable by saturating it with external communication requests, so it cannot respond to legitimate traffic'. A DoS attack (see Fig. 1.13) makes computer resources unavailable to their intended users. By targeting a computer system with more requests than it can handle, offenders can prevent users from accessing the system, checking e-mails, reading the news, booking a flight or downloading files. DoS attacks often fall into two major categories, as listed in the following:
1. Buffer overflow attacks: An attack type in which a memory buffer overflow can make a machine consume all available hard disk space, memory, or CPU time. This type of exploit frequently results in sluggish behaviour, system crashes, or other harmful server behaviours, resulting in denial of service.
2. Flood attacks: By saturating a targeted server with an overwhelming number of packets, a malicious actor can oversaturate server capacity, resulting in denial of service. For most DoS flood attacks to be successful, the malicious actor must have more available bandwidth than the target.

Figure 1.13  DoS and DDoS attacks. (Diagram contrasting a DoS attack on a server with a DDoS attack on a server.)

A DoS attack is carried out with the following three objectives, as listed in the following:
1. Destruction: These attacks damage the ability of the router to operate.
2. Resource use: These attacks are accomplished by flooding the router with numerous requests to open connections simultaneously.
3. Bandwidth utilization: These attacks consume the bandwidth capacity of a router's network.
An attacker who has successfully carried out a DoS attack would then be able to modify configuration data and carry out an attack on any network the router is connected to.
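How a server operator can detect the two flood patterns discussed here, a single source sending until the service fails (as in the Shimla case) and a distributed flood in which no single source looks abnormal, as an added example that is not the textbook's code. The event streams, source addresses, window and thresholds are constructed for the illustration.

```python
from collections import defaultdict, deque


def detect_per_source_floods(events, window, threshold):
    """events: (timestamp_seconds, source) pairs in time order.

    A source is flagged the first time it has more than `threshold` events
    inside any trailing `window` seconds. Returns {source: timestamp_flagged}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop arrivals that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def detect_aggregate_flood(events, window, capacity):
    """Timestamp at which total arrivals inside the trailing window first exceed
    `capacity` (the server's budget), whoever sent them, or None.

    This is the check that still fires for a distributed flood whose sources
    each stay under the per-source threshold.
    """
    q = deque()
    for ts, _src in events:
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > capacity:
            return ts
    return None


# Constructed traffic samples (addresses from documentation ranges).
def single_sender_flood():
    """Twenty ordinary senders with one message each, then one source sending
    150 messages in 30 seconds (five per second), like the mail flood in the case."""
    events = [(t, f"10.1.0.{t}") for t in range(20)]
    events += [(20 + k // 5, "203.0.113.9") for k in range(150)]
    return events  # already in time order


def distributed_flood():
    """Fifty sources each send only four messages, one per second: harmless
    per source, but 200 arrivals in four seconds for the server."""
    return sorted((t, f"10.2.0.{i}") for t in range(4) for i in range(50))


if __name__ == "__main__":
    window, per_source_limit, server_capacity = 60, 50, 100
    for name, sample in (("single sender", single_sender_flood()),
                         ("distributed", distributed_flood())):
        print(name,
              "per-source:", detect_per_source_floods(sample, window, per_source_limit),
              "aggregate at:", detect_aggregate_flood(sample, window, server_capacity))
```

The per-source rule alone misses the distributed case; the aggregate rule catches both, which is why capacity-based monitoring belongs beside per-client rate limits.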

Virus Attack
A virus is a software program written to change the behaviour of a computer or other device on a network, without the permission or knowledge of the user. Viruses are a major cause of shutdown of network components. A virus is a program that spreads from machine to machine, in most cases causing harm to every system (Fig. 1.14). A few types of viruses are as follows:
1. A polymorphic virus is one that produces varied yet operational copies of itself.
2. A stealth virus is one that, while active, hides the modifications it has made to files or boot records.
3. A fast infector infects programs not only when they are run, but also when they are merely accessed.
4. A slow infector will only infect files when they are created or modified.

Figure 1.14  Flowchart of working of virus. (Steps shown: the virus copies the boot sector to an unused location X; it replaces the original boot block with itself; at system boot, it reduces physical memory; it attaches to the read/write interrupt and manages all disc activity, infecting all read/write discs; it blocks attempts to write to the boot sector; it carries a logic bomb to wreak havoc.)

Following are some of the reasons why people write viruses:
1. It is a way of standing out.
2. Virus writers gain a feeling of satisfaction from making something that affects countless people.
3. They are motivated by monetary gain.
4. Virus writers may get excited about all of the junk e-mail they receive because of their virus.
The different types of malware that can be found on the web are shown in Fig. 1.15. Following are some of the forms through which a virus can be distributed:
1. Removable disks: This includes floppy disks, CD-ROMs and USB drives.
2. Crack sites: These are sites that give information on how to crack various applications and software.
3. Unsecured sites: These are websites that do not use the HTTPS protocol.
4. Flash greetings: This is the most common way of spreading a virus. It is a Flash animation or video that conceals a virus.
5. E-mail attachments: Users should not open attachments from unknown people or websites.
6. Downloading: Users should check websites to ensure they are genuine before downloading.

Figure 1.15 Types of malwares that can be found on the web. (Diagram around 'Your PC': virus, spread with user action; worms, spread automatically; exploit kit, hunts software vulnerabilities; adware, maliciously feeds you ads; trojan, disguised as legitimate software; rootkit, hides deep within the PC; remote access, controls the PC from a distance; blended threat; spyware.)

Salami Attack

CASE STUDY Hacking into Apps of Axis Bank and SBI In January 2016, police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused. Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.


Salami attack or salami technique (otherwise called salami slicing) refers to fraudulent activity carried out by altering systems, either by modification or by insertion of a malicious program, with monetary gain as the fundamental motivation. A salami attack is regarded as a minor attack that can be repeated many times; a straightforward example is taking a specific small amount of money from each customer's account in a particular bank. It is extremely difficult for such attacks to be noticed by customers, and such attacks are reportedly mostly carried out by criminally minded bank officials. This cybercrime mostly goes undetected and unnoticed because of the nature and type of the crime, since only small amounts are deducted repeatedly over a particular time frame. This sort of attack is used for perpetrating financial crimes; it is common and happens inside financial or budget-related institutions. No account holder or customer will notice such criminal activity, while the bank officials actually secure a sizable amount of money each month.
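Why a salami attack is invisible on any one customer's statement yet obvious in a bank-wide reconciliation, as an added example that is not part of the textbook. The ledger, account names, amounts (in paise) and memos are constructed for the illustration.

```python
from collections import defaultdict


def constructed_ledger():
    """One month of debits as (source_account, beneficiary, amount_paise, memo).

    Each of 300 accounts pays an electricity bill and also loses 3 paise to a
    hidden account labelled as a rounding adjustment; a genuine fee collector
    charges five accounts 2 rupees. All values are made up.
    """
    ledger = []
    for i in range(300):
        acct = f"ACC{i:04d}"
        ledger.append((acct, "UTILITY-CO", 125_000, "electricity bill"))
        ledger.append((acct, "ACC9999", 3, "interest rounding adj"))  # the salami slice
    for i in range(5):
        ledger.append((f"ACC{i:04d}", "BANK-FEES", 200, "sms alert fee"))
    return ledger


def account_statement_total(ledger, account):
    """What one customer sees: the sum of debits on their own statement, where
    a 3 paise line is lost beside the bill."""
    return sum(amt for src, _dst, amt, _memo in ledger if src == account)


def find_salami_beneficiaries(ledger, max_slice=10, min_sources=50):
    """The bank-wide view: beneficiaries collecting tiny amounts (at most
    `max_slice` paise per debit) from at least `min_sources` distinct accounts.

    Returns {beneficiary: (distinct_source_accounts, total_paise)}. A real fee
    collector with a handful of payers, or a large legitimate payee, is not flagged.
    """
    sources = defaultdict(set)
    totals = defaultdict(int)
    for src, dst, amt, _memo in ledger:
        if 0 < amt <= max_slice:
            sources[dst].add(src)
            totals[dst] += amt
    return {dst: (len(s), totals[dst])
            for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    ledger = constructed_ledger()
    print("ACC0100 statement total (paise):", account_statement_total(ledger, "ACC0100"))
    print("suspicious beneficiaries:", find_salami_beneficiaries(ledger))
```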

Trojan Horse
Trojan horses are programs that contain or install malicious programs on targeted systems. These programs serve as back doors and are often used to steal information from systems (Fig. 1.16).

Figure 1.16  Working of trojan horse. (Diagram: user A executes a program 'goodies' that carries a trojan horse; the program reads file F, whose ACL is A:r, A:w, and the trojan horse writes the contents to file G, whose ACL is B:r, A:w; B can then read the contents of file F copied to file G.)

The different types of trojan are listed as follows:
1. Backdoor: It gives malicious users remote access over the infected computer. They can do anything they wish, for example, sending, receiving, launching and deleting files, displaying data and rebooting the endpoint.
2. Exploit: It contains data or code that abuses a vulnerability within application software that is running on your endpoint.
3. Rootkit: These are designed to conceal certain objects or activities in your system. This can effectively prevent malicious programs from being detected.
4. Trojan Banker: Its purpose is to steal your account data for online banking systems, e-payment systems and credit or debit cards.
5. Trojan DDoS: This Trojan can launch DoS attacks. It can affect not only endpoints but also websites. By sending numerous requests – from your computer and several other infected computers – the attack can overload the target address, which leads to a denial of service.
6. Trojan Downloader: Trojan Downloaders can download and install new versions of malicious programs onto your computer, including Trojans and adware.
7. Trojan Dropper: Trojan-FakeAV programs imitate the activity of antivirus software. They are made to extort money from you in return for detecting and removing threats, even though the threats they report do not actually exist.
8. Trojan GameThief: If you are into gaming, you know that online gaming can also earn heaps of money. Cyber criminals also created this Trojan, which steals user account data from online gamers.
9. Trojan Ransom: This Trojan can change data on your endpoint. This can lead to endpoint malfunction. The cyber criminal will demand a ransom. They will only restore your computer's performance or unblock your data after you have paid them.
10. Trojan SMS: This Trojan can change data on your endpoint. This can lead to endpoint malfunction. The cyber criminal will demand a ransom. They will only restore your computer's performance or unblock your data after you have paid them.
11. Trojan Spy: Trojan Spy programs can keep an eye on how you are using your computer; for instance, by tracking the data you enter through your keyboard, taking screenshots or getting a list of running applications.
12. Trojan Mailfinder: This harvests e-mail addresses from your endpoint.

Data Diddling
Data diddling (Fig. 1.17) involves changing data input to a computer. In other words, data is altered from the way it ought to be entered by the person typing in the data.

Figure 1.17  Data diddling. (Diagram: an administrator enters the organization's data into the database server; an attacker modifies the stored data.)

Typically, a virus that changes data, or a program that a developer has pre-programmed to do so, causes the data to be changed. For instance, a person entering accounting data may change records to show that their account, or that of a friend or relative, is paid in full. By changing or neglecting to enter the data, they can steal from the organization. To deal with this kind of crime, an organization must implement policies and internal controls. This may include performing regular audits, using software with built-in features to combat such issues and supervising employees.

1.5.8 Cybercrime against Society

Forgery

CASE STUDY Stamp Paper Scam
The stamp paper scam is a racket that flourished by exploiting loopholes in the system. Abdul Karim Telgi, the brains behind the multi-crore counterfeiting, printed fake stamp papers worth many crores of rupees using printing machines purchased illegally with the help of some conniving officials of the Central Government Security Printing Press (India Security Press) located in Nasik. These fake stamp papers entered more than 12 states through a broad network of vendors who sold the fakes without fear and earned solid commissions.

Forgery is the act of making something false, particularly the unlawful act of copying a document or article for the purpose of fraud or deception. A forgery is something that has been fabricated, particularly a document that has been copied or altered to resemble the original. Fake currency notes, postage and revenue stamps, marksheets, and so on, can be produced using sophisticated computers, printers and scanners.

Web jacking and Clickjacking
The term web jacking is derived from the word 'hijacking'. In these kinds of offences, the hacker gains access to and control over the website of another. He may even change the information on the site. The first stage of this crime involves 'password sniffing'. The actual owner of the site no longer has any control over what appears on it. This may be done to satisfy political objectives or for money. Clickjacking, shown in Fig. 1.18, is an attack that tricks a user into clicking a web page element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page, but in fact they are clicking an invisible element in the additional page transposed on top of it. The invisible page could be a malicious page, or a legitimate page the user did not intend to visit; for instance, a page on the user's banking site that authorizes the transfer of money.


Figure 1.18  Clickjacking working. (Diagram showing the attacker, the attacker's website, the victim and the victim's browser, in four steps: (1) the attacker sends a link to a target website through e-mail, social media or other media; (2) the victim opens the link in a browser; (3) the browser opens the target website; (4) the victim clicks a visually harmless UI element and gets clickjacked.)

There are a few variants of the clickjacking attack; for example, consider the following two cases:
1. Likejacking: A technique in which the Facebook 'Like' button is manipulated, making users 'Like' a page they did not actually intend to like.
2. Cursorjacking: A UI redressing technique that changes the cursor from the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have since been fixed.
There are two general approaches to defend against clickjacking, as listed in the following:
1. Client-side methods: The most common is called Frame Busting. Client-side methods can be effective in some cases, but are not considered a best practice, since they can be easily bypassed.
2. Server-side methods: The most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.

POINTS TO REMEMBER
1. Cybercrime against individual: E-mail spoofing and other online frauds such as phishing, vishing, spamming, cyberstalking/harassment, defamation and pornographic offences.
2. Cybercrime against property: Credit card fraud and intellectual property (IP) crimes.


3. Cybercrime against organization: Password sniffing, DoS attack, virus attack, salami attack, trojan horse and data diddling.
4. Cybercrime against society: Forgery, web jacking and clickjacking.

1.6

Cybercrime and the Indian IT Act, 2000

1.6.1 Need for a Cyber Law
With the increasing dependence on e-commerce and e-governance, a wide variety of legal issues related to the use of the Internet, as well as of other kinds of computer or digital processing devices, for example, infringement of intellectual property, piracy, freedom of expression, jurisdiction and so on, have emerged, which need to be addressed through the instrumentality of law. Since cyberspace has no geographical boundaries or limits, nor any physical attributes, for example, sex, age and so on, it poses a major challenge to law enforcement agencies in regulating the online transactions of citizens within a nation's territorial jurisdiction. Though in practical terms a web user is subject to the laws of the State within which he/she goes online, these general rules struggle where the challenges are global in nature. As technology advanced, the need to regulate human conduct grew as well. Cyber laws came into being to ensure that people use technology and avoid its misuse. If a person commits an act which violates the rights of an individual in cyberspace, then it is treated as a cyberspace violation and is punishable under the provisions of the cyber laws. Since cyberspace is completely different from the physical world, conventional laws are not applicable here. In order to provide cyber security to users, the government introduced several cyber laws. When the Internet was designed and developed, its designers had no idea that it would have the potential of growing to such a great extent. Today, many people use the Internet for illegal and immoral activities which need regulation. In cyberspace, things such as money laundering, identity theft, terrorism and so on have created a need for stringent laws to enhance cybersecurity.
Moreover, many technically qualified criminals such as hackers interfere with Internet accounts through the Domain Name Server (DNS), IP addresses, phishing and so on, gain unauthorized access to a user's computer system and steal data. While there is no single definition of cyber law, it is broadly the legal subject which emanated from the development of technology, the evolution of computers, the use of the Internet and so on. Cyber law encompasses legal issues which are related to the use of the public, transactional and distributive aspects of networked information technologies and devices. It is not as distinct as Property Law or other such laws, since it covers many areas of law and regulation. It includes the legal, statutory and constitutional provisions which affect computers and computer networks. Further, it concerns itself with people and organizations which 1. play a significant role in providing access to cyberspace, 2. make hardware or software which allows people to access cyberspace, and 3. use their own computers and enter the Internet.


Everything concerned with, related to or emanating from any legal aspect of, or concerning any activity of, citizens in cyberspace comes within the scope of cyber laws. India drafted her first law on electronic transactions, the Electronic Commerce Act, 1998, together with the Electronic Commerce Support Act, 1998, with legislators seeking to strike a balance between the conflicting objectives of safeguarding electronic commerce and encouraging technological development.

1.6.2 The Information Technology Act, 2000
The act has 13 chapters and 90 sections in all (the last four sections, namely Sections 91 to 94 of the ITA, 2000, dealt with the amendments to four acts, namely the Indian Penal Code 1860, the Indian Evidence Act 1872, the Banker's Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934). The act has sections that deal with the authentication of electronic records, electronic signatures and so on. Detailed operating procedures for certifying authorities and electronic signatures have been spelt out. The civil offence of data theft and the process of adjudication and the appellate procedure have been described. The act then goes on to define and describe some of the well-known cybercrimes and lays down the punishments for them. Then the concept of due diligence, the role of intermediaries and some miscellaneous provisions have been described. Electronic transactions, as in various parts of the globe, are in vogue in India; however, they were without legal sanctity before the act of 2000. The growing development of electronic commerce, generally called e-commerce, made it essential to give legal protection to such commerce. The IT Act is a pioneering act in the field of information technology in India and the first legislation which commits itself entirely to the electronic environment. India is the twelfth country in the world to have cyber legislation, apart from countries like the U.S., Singapore, France, Malaysia and Japan. Refer to Fig. 1.19 for the number of cases registered under the IT Act, 2000.

18 495

17.5k 15k

13 635

12.5k 10k 7201

7.5k

8613

4356

5k 2.5k 0

8045

217 2007

288

420

2008

2009

966 2010

1791 2011

2876

2012

2013

2014

2015

2016

2017

2018

Figure 1.19  The number of cases registered under IT Act, 2000.


1.6.3 Objectives of Information Technology Act, 2000 in India
This act seeks to achieve various objectives, which are discussed succinctly as follows:
1. It is the goal of the IT Act, 2000 to give legal recognition to any transaction which is done by electronic means or through use of the Internet.
2. To give legal recognition to digital signatures for accepting any agreement by means of a computer.
3. To provide the facility of filing documents online relating to school admission or registration in commercial exchange.
4. As per the IT Act, 2000, any organization can store its data in electronic storage.
5. To stop computer crime and ensure the security of Internet users.
6. To give legal recognition for keeping books of accounts by bankers and other organizations in electronic form.
7. To give more power to the IPC, RBI and Indian Evidence Act for restricting electronic crime.

1.6.4 Remarkable Features of Information Technology Act, 2000
1. All electronic contracts made through secure electronic channels are legally valid.
2. Legal recognition for digital signatures.
3. Security measures for electronic records and also for digital signatures are in place.
4. A procedure for the appointment of adjudicating officers for holding inquiries under the act is finalized.
5. Provision for establishing a Cyber Regulations Appellate Tribunal under the act. Further, this tribunal will handle all appeals made against the orders of the Controller or Adjudicating Officer.
6. An appeal against an order of the Cyber Appellate Tribunal is possible only in the High Court.
7. Digital signatures will use an asymmetric cryptosystem and also a hash function.
8. Provision for the appointment of the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Controller acts as a repository of all digital signatures.
9. The act applies to offences or contraventions committed outside India.
10. Senior police officers and other officials can enter any public place and search and arrest without warrant.
11. Provisions for the constitution of a Cyber Regulations Advisory Committee to advise the Central Government and the Controller.

1.6.5 Some Important Sections of the Information Technology Act, 2000

Section 65: Tampering with computer source documents.
Penalties: Imprisonment up to 3 years and/or a fine of ₹200,000.
Case law: Frios v. State of Kerala.
Facts: In this case, it was declared that the FRIENDS application software was a protected system. The author of the application challenged the notification and the constitutional validity of the software under Section 70. The court upheld the validity of both. It involved tampering with source code. Computer source code need not exist only in electronic form; it may also be printed on paper.
Held: The court held that tampering with source code is punishable with 3 years' imprisonment and/or a fine of ₹200,000 for altering, concealing or destroying the source code.

Section 66: Hacking with a computer system (hacking into the data stored in a computer).
Penalties: Imprisonment up to 3 years and a fine of ₹200,000.
Case law: Official website of the Government of Maharashtra hacked. The official website of the Government of Maharashtra was hacked by hackers calling themselves Cool Al-Jazeera, who claimed they were from Saudi Arabia.

Section 66B: Provision of penalties for receiving information stolen from a computer or any other electronic device.
Section 66C: Provision of penalties for stealing someone's identity.
Section 66D: Provision of penalties for accessing someone's personal data with the help of a computer while concealing one's own identity.
Section 66E: Provision of penalties for breach of privacy.
Section 66F: Provision of penalties for cyberterrorism.

Section 67: Provisions related to the publication of offensive information.
Penalties: On first conviction, imprisonment which may extend to 5 years.
Fine: On first conviction, a fine which may extend to one lakh rupees.
Case law: Avnish Bajaj (CEO of Baazee.com, now part of the eBay group of companies) case.
Facts: There were three accused: a Delhi school boy, IIT Kharagpur student Ravi Raj, and the service provider Avnish Bajaj.
Held: In this case, the service provider Avnish Bajaj was later acquitted, and the Delhi school boy was granted bail by the Juvenile Justice Board after having been taken into police custody and kept in an observation home for 2 days.

Section 67A: Provision of penalties for publishing or circulating sexually explicit or pornographic material through electronic means.
Section 67B: Publication or broadcast by electronic means of objectionable material in which children are depicted in an obscene manner.
Section 67C: Provision of penalties for intermediaries disrupting or blocking information.
Section 68: Power of the Controller to give directions.
Penalties: Imprisonment for a term not exceeding 3 years.
Fine: Not exceeding ₹200,000.
Section 69: Directions of the Controller to a subscriber to extend facilities to decrypt information.
Penalties: Imprisonment for a term which may extend to 7 years. The offence is cognizable and non-bailable.
Section 70: Provision for unauthorized access to a protected system.
Penalties: Imprisonment which may extend to 10 years, and fine.




Section 71: Misrepresentation or suppression of material facts (supplying incorrect information).
Penalties: Imprisonment up to 2 years and a fine of ₹100,000.
Section 72: The provisions relating to disclosure of information in violation of the terms under which it was obtained (breach of confidentiality and privacy).
Penalties: Imprisonment for a term which may extend to 2 years and/or a fine of ₹100,000.
Section 73: Publication of a false Digital Signature Certificate.
Penalties: Imprisonment for a term which may extend to 2 years and/or a fine which may extend to ₹100,000.
Case law: Bennett Coleman and Co. v. Union of India. In this case, it was stated that 'publication means dissemination and circulation'. In the context of digital media, the term publication includes the transmission of information or data in electronic form.
Section 78: Police officers of the rank of Inspector have the power to investigate these cases.

Table 1.2 lists the various offences under the IT Act, 2000.

Table 1.2  Various Offences Under IT Act, 2000

S.No. | Offence | Punishment | After Amendment
1. | Tampering with computer source document. | Imprisonment up to 3 years, fine up to ₹200,000. |
2. | Hacking with computer system. | -DO- |
3. | Failure to comply with direction of the Controller. | -DO- |
4. | Breach of confidentiality or privacy. | Imprisonment up to 2 years, fine up to ₹100,000. |
5. | Publishing false digital certificate. | -DO- |
6. | Publishing digital certificate for fraudulent purposes. | -DO- |
7. | Misrepresentation or suppression of material facts. | -DO- |
8. | Failure to assist to decrypt information. | Imprisonment up to 7 years. |
9. | Securing access to protected systems. | Imprisonment up to 10 years and fine. |
10. | Publishing information which is obscene. | First conviction: Imprisonment up to 5 years and fine up to ₹100,000. Second conviction: Imprisonment up to 10 years and fine up to ₹200,000. | First conviction: Imprisonment up to 3 years and fine up to ₹500,000. Second or subsequent conviction: Imprisonment up to 5 years and fine up to ₹1,000,000.

1.6.6 Scope of the Information Technology Act, 2000
Every electronic record is within the scope of the IT Act, 2000; however, the following electronic transactions are not covered by the IT Act, 2000:
1. The IT Act, 2000 is not applicable to the authentication for creating a trust by electronic means. Physical authentication is a must.
2. The IT Act, 2000 is not applicable to the authentication for making anyone's will. Physical authentication by two witnesses is a must.
3. A contract for the sale of any immovable property.
4. Authentication for giving a power of attorney over property is not possible by means of an electronic record.

1.6.7 Advantages of IT Act, 2000
1. Helpful in promoting e-commerce: (a) E-mail is valid. (b) A digital signature is valid. (c) Payment by means of a credit card is valid. (d) An online contract is valid. Above all, validity in the eyes of Indian law is very essential. After the making of the IT Act, 2000, every item above is valid, and these things are helpful in promoting e-commerce in India.
2. Enhances corporate business: After the issuing of digital signatures and certificates by certifying authorities, Indian corporate business can now improve.
3. Filling of online forms: After this facility was provided, filling online forms for various purposes has become very easy.
4. High penalties for cybercrime: The law has the power to punish anyone committing a cybercrime. After the creation of this law, the number of cybercrimes has decreased.

1.6.8 Shortcomings of IT Act, 2000
1. Infringement of copyright has not been included in this law.
2. No protection for domain names.


3. The act is not applicable to powers of attorney, trusts and wills.
4. The act is silent on taxation.
5. No provision for the payment of stamp duty on electronic documents.

1.6.9 Applicability and Non-Applicability of IT Act, 2000
Applicability
According to Section 1(2), the act extends to the whole country, which also includes Jammu and Kashmir. In order to include Jammu and Kashmir, the act uses Article 253 of the constitution. Further, it does not take citizenship into account and grants extra-territorial jurisdiction. Section 1(2), along with Section 75, specifies that the act is applicable to any offence or contravention committed outside India as well. If the conduct of the person constituting the offence involves a computer or a computerized system or network located in India, then regardless of his/her nationality, the person is punishable under the act. Lack of international cooperation is the main constraint of this provision.
Non-Applicability
According to Section 1(4) of the Information Technology Act, 2000, the act is not applicable to the following documents:
1. Creation of a trust under the Indian Trusts Act, 1882.
2. Execution of a negotiable instrument under the Negotiable Instruments Act, 1881, apart from cheques.
3. Entering into a contract for the sale or conveyance of immovable property or any interest in such property.
4. Execution of a power of attorney under the Powers of Attorney Act, 1882.

1.6.10 The Information Technology Amendment Act, 2008
The Information Technology Amendment Act, 2008 is a substantial addition to the Information Technology Act (ITA, 2000). The IT Amendment Act was passed by the Indian Parliament in October 2008 and came into force a year later. The act is administered by the Indian Computer Emergency Response Team (CERT-In). The original act was created to promote the IT industry, regulate e-commerce, facilitate e-governance and prevent cybercrime. The act also sought to foster security practices within India that would serve the country in a global context. The Amendment was made to address what the original bill failed to cover and to accommodate further development of IT and related security concerns since the original law was passed. Changes in the amendment include redefining terms, for example, 'communication device', to reflect current use; validating electronic signatures and contracts; making the owner of a given IP address responsible for content accessed or distributed through it; and making corporations responsible for implementing effective data security practices and liable for breaches. The Amendment has been criticized for decreasing the penalties for some cybercrimes and for lacking sufficient safeguards to protect the civil rights of individuals. Section 69, for instance, authorizes the Indian government to intercept, monitor, decrypt and block data at its discretion. As per Pavan Duggal, a cyber law consultant and advocate at the Supreme Court of India, 'The act has provided the Indian government with the power of surveillance, monitoring and blocking data traffic.


The new powers under the amendment act tend to give the Indian government the appearance and colour of being a surveillance state'.

POINTS TO REMEMBER
1. The IT Act, 2000 has 13 chapters and 90 sections.
2. There are seven objectives of the Information Technology Act, 2000.
3. Eleven features of the IT Act, 2000 are described.
4. Four points are mentioned in the scope of the IT Act, 2000.
5. Advantages and shortcomings of the IT Act, 2000 are given.
6. The Information Technology Amendment Act, 2008 is a considerable expansion of the Information Technology Act.

1.7

A Global Perspective on Cybercrimes

Cybercrime has posed a significant threat to those who use the Internet, with millions of users' information stolen within the past few years. It has also made a significant dent in many nations' economies. Figure 1.20 shows the global effect of cybercrime.

Figure 1.20  Global effect of cybercrime. (The figure presents the following statements:
1. The global cost of cybercrime will reach $6 trillion by 2021.
2. According to the Ponemon Institute's 2016 Cost of Data Breach Study (global analysis), organizations that suffered at least one breach in 2016 lost an average of $4 million.
3. 48% of data security breaches are caused by acts of malicious intent.
4. Cybersecurity Ventures expects ransomware costs to rise to $11.5 billion in 2019.
5. Cybercrime will more than triple the number of unfilled cybersecurity jobs by 2021.)


According to recent reports by the Indian Computer Emergency Response Team (CERT-In), the maximum number of cyberattacks on official Indian websites come from China, the U.S. and Russia. The report was forwarded to the National Security Council Secretariat (NSCS) and other security agencies. Taking a global perspective on cyber threats, the reality at present is as follows:
1. The threat spectrum includes a wide array of actors with varying goals, motivations and capabilities.
2. Nation-states and their proxies continue to present the greatest, meaning the most advanced and persistent, threat in the cyber domain.
3. Foreign terrorist organizations certainly have the motivation and intent, but fortunately they have yet to fully develop a sustained cyberattack capability. Recent 'doxing' tactics against U.S. military and law enforcement personnel by the Islamic State in Iraq and Syria (ISIS) are troubling and indicative of an emerging threat. In all likelihood, ISIS, or their supporters, will increasingly turn to disruptive cyberattacks.
4. By contrast, criminal organizations have substantial capabilities, but their motivation and intent differ from those of terrorists. Rather than being motivated by ideology or political concerns, criminal organizations are driven by the profit motive. However, criminals are increasingly working with or for nation-states, for example, Russia, and this convergence of forces increases the threats presented by both groups.
5. Yet other entities, for example, 'hacktivists', may also have considerable skills and capabilities, and when their special interests or core concerns are perceived to be in play, these individuals can be a significant disruptive force, whether acting alone or loosely together, essentially as a leaderless movement. Their motive is often to cause maximum embarrassment to their targets and to draw attention to their cause.
6. Regarding any threat vector, a worst-case scenario would combine kinetic and cyber attacks, with the cyber component serving as a force multiplier to increase the lethality or impact of the physical attack.
7. Finally, banking and financial services are prime targets for cyberattacks and cybercrimes. Directed against this truly critical infrastructure, cyberattacks, or a deliberate campaign against U.S. banks, exchanges, clearinghouses and markets, hold the potential to undermine trust and confidence in the system itself, regardless of the perpetrator.



Summary

Cybercrime is a crime that either targets or uses a computer, a computer network or a networked device. Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried out by individuals or organizations. Some cybercriminals are organized, use advanced techniques and are highly skilled technically. Others are novice hackers. Occasionally, cybercrime aims to damage computers for reasons other than profit. These could be political or personal. Cybercrime ranges across a spectrum of activities. At one end are crimes that involve fundamental breaches of personal or corporate privacy, for example, attacks on the integrity of information held in digital repositories and the use of illegally obtained digital information to blackmail a firm or individual. Also at this end of the spectrum is the growing crime of identity theft. Midway along the spectrum lie transaction-based crimes, for example, fraud, trafficking in child pornography, digital piracy, money laundering and counterfeiting. These are specific crimes with specific victims, but the criminal hides in the relative anonymity provided by the Internet. Another part of this kind of crime involves individuals within corporations or government bureaucracies deliberately altering data for either profit or political objectives. At the other end of the spectrum are those crimes that involve attempts to disrupt the actual workings of the Internet. These range from spam, hacking and denial-of-service attacks against specific sites to acts of cyberterrorism, that is, the use of the Internet to cause public disturbances and even death. Cybercrime is on the rise, which may be partly because it is so hard to prosecute. This is, to some degree, due to the constantly evolving nature of cybercrime, as well as the jurisdictional issues it creates. Laws, essentially, need to be clearly defined in order to prove that they were violated. It also takes time, discussion and debate to pass laws, so the law generally lags far behind the technology cybercriminals use to achieve their aims. When it is hard to define the crime or the means of committing the crime itself, it is hard to make laws to protect individuals or even organizations against them. Even when laws are made, however, they also need to be assigned a governing body to enforce them. This too is where things get tricky. Cybercrimes can be committed against nearly anybody, anywhere in the world, by nearly anybody, anywhere in the world.
Not only does this often make it hard to find the perpetrators of the crime, but even if they are found it raises the question of who is responsible for prosecuting the crime, if it is even determined to be a crime. Government and the private sector jointly have to give cyber security some priority in their security and risk management plans. Cyber awareness must be spread and there should be a multi-stakeholder approach: technological inputs, legal inputs, strengthening of law enforcement and systems; and dealing with transborder crime involves a lot of international cooperation. Nevertheless, it is certain that development is an irreversible process and we cannot step back from it. What stays in our hands is to alter the course of progress, and we hold to our pledge to turn it towards sustainable development.



Review Questions

1. Construct a definition for cybercrime and contrast categories of cybercrime in detail. Refer to Section 1.3.
2. Differentiate between various types of cybercriminals with examples. Refer to Subsection 1.4.1.
3. Explain cybersquatting. Refer to Subsection 1.2.2.
4. Explain cyberspace in detail. Refer to Subsection 1.2.1.
5. Explain cyberwarfare. Refer to Subsection 1.2.4.
6. Explain the categories of cybercrime with a diagram. Refer to Subsection 1.3.1.
7. List and explain preventive measures against cybercrime. Refer to Subsection 1.3.2.
8. Explain information security objectives with a diagram. Refer to Section 1.4.
9. List and explain the Global Cybersecurity Agenda with a diagram. Refer to Section 1.4.
10. Explain in detail about cybercriminals and list the types of cybercriminals. Refer to Subsection 1.4.1.
11. Explain in detail: e-mail spoofing, phishing, vishing, spamming, defamation, pornographic offences, intellectual property (IP) crimes, salami attack, virus attack, password sniffing, trojan horse, forgery. Refer to Section 1.5.
12. Explain the need for cyber law. Refer to Subsection 1.6.1.
13. Write a note on the Information Technology Act, 2000. Refer to Subsection 1.6.2.
14. Write a note on the objectives of the Information Technology Act, 2000 in India. Refer to Subsection 1.6.3.
15. List the remarkable features of the Information Technology Act, 2000. Refer to Subsection 1.6.4.
16. List and explain important sections of the Information Technology Act, 2000. Refer to Subsection 1.6.5.
17. Organize sections and the corresponding offence, description and penalty of the Indian IT Act, 2000 in tabular form. Refer to Subsection 1.6.5.
18. Explain applicability and non-applicability of the IT Act, 2000. Refer to Subsection 1.6.9.
19. List the prominent features of the IT Act, 2000. Refer to Subsection 1.6.4.
20. State the advantages and disadvantages of the IT Act, 2000. Refer to Subsection 1.6.7.
21. Explain in detail the Information Technology Amendment Act, 2008. Refer to Subsection 1.6.10.
22. List the timeline of the origin of cybercrime. Refer to Subsection 1.3.3.
23. Explain the global perspective on cybercrime. Refer to Section 1.7.
24. List and explain different types of trojan. Refer to Section 1.5.


Chapter 2  Cyber Offences and Cybercrime

Learning Objectives
After reading this chapter, the reader will be able to
• Describe different types of cybercrimes.
• Explain how criminals plan attacks.
• Describe the steps involved in cybercrimes.
• Describe the tools used for launching attacks.
• Explain the role of botnets and attack vectors in cybercrime.
• Discuss the challenges faced by mobile and wireless devices and their security implications.
• Describe the security threats and possible attacks on mobile and wireless devices.
• Describe organisation security policies for mobile devices.

Until you have experienced something like this, you don’t realise just what can happen, just how serious it can be. I had no intuitive idea on how to move forward. —Maersk CEO Soren Skou on How to survive a cyberattack? Financial Times, 14 August 2017

2.1 Introduction

The increasing dependence on information technology (IT) and communication technology for dynamic and fast business solutions has its own side effects. The effect of digital information technologies upon our world certainly brings endless benefits for the citizens of our growing global village. The dark side of it, not surprisingly, is the misuse of IT for criminal activities. Cybercrimes are a new genus of crimes, which use computers and networks for criminal activities. This chapter explains various types of cybercrimes and mobile attacks.

2.1.1 Introduction to Cyber Offences
Any interference by an attacker that results in damage, alteration or compression of computer data without the owner’s permission is called a cyber offence. The Internet is used by each and every person in day-to-day life. Through it, a wide range of people can communicate with each other. Despite this, some people exploit its power by committing criminal offences. Criminal offences can be classified as follows:


1. Offence against unauthorized access of computer data and system.
2. Offence against private contents.
3. Offence against property.
4. Offence against government.
Cyber offence is nothing but illegal access to a computer system, that is, when an attacker accesses the entire or part of the computer system without the owner’s permission. Handling personal computer data without access rights is also termed a cyber offence.

2.1.2 Introduction to Cybercrime
Cybercrime is defined as a crime in which a computer system is the object of the crime or is used as a tool to commit an offence. Cybercrime may also be referred to as illegal activities performed by hackers. It is also known as computer-related crime. The different types of cybercrime are listed in the following:
1. Phishing.
2. Hijacking.
3. Misusing private information.
4. Child pornography.

POINTS TO REMEMBER
1. Cybercrime is defined as a crime in which a computer is the object of the crime or is used as a tool to commit an offence. It is also referred to as computer crime.
2. Cyber offences are illegitimate actions, carried out in a sophisticated manner, in which the computer is either the tool or the target or both.

2.2 Strategic Attacks

Most cybercrimes are committed by individuals or small groups. However, large organized crime groups also take advantage of the Internet. These ‘professional’ criminals find new ways to commit old crimes, treating cybercrime like a business and forming global criminal communities.

2.2.1 How Do Criminals Plan Attacks?
Criminals utilize numerous techniques and tools to find the vulnerabilities of their target. The target can be an individual or an organization.
1. Criminals plan ‘passive and active attacks’.
2. Active attacks are normally used to modify the system, while passive attacks attempt to gain information about the target.
3. Active attacks may affect the availability, integrity and authenticity of information, whereas passive attacks lead to breaches of confidentiality.
4. Attacks can be classified as either ‘inside or outside’.
5. An attack originating or attempted inside the security perimeter of an organization is an inside attack. It is normally attempted by an ‘insider’ who has more access than was anticipated.


6. An outside attack is attempted by a source outside the security perimeter, which might be an insider or an outsider who is indirectly connected with the organization.
7. An outside attack is attempted through the Internet or a remote access connection.

Figure 2.1  Phases of hacking. (Figure labels: Planning attack; Reconnaissance; Scanning and scrutinizing; Gaining and maintaining system access.)

As depicted in Fig. 2.1, the following phases are involved in planning a cybercrime:
1. Reconnaissance, which signifies ‘data gathering’. This is the primary stage and is treated as a passive attack.
2. Scanning and scrutinizing the gathered data for its validity as well as to identify the existing vulnerabilities.
3. Launching an attack (gaining and maintaining the system access).
Let us discuss these three phases of cybercrime planning in the following.

Reconnaissance
1. Reconnaissance is the act of exploring, often with the goal of finding something or somebody, in order to gain information.
2. In the world of hacking, the reconnaissance stage starts with ‘foot-printing’. This includes collecting information about the target’s environment and computer architecture.
3. An attacker attempts to gather information through passive and active attacks.
Passive Attack
Following is the list of possible passive attacks.
1. A passive attack involves gathering information about a target without his/her knowledge.
2. It is normally done using Internet searches or by Googling (i.e., searching for the required information with the help of the search engine Google) an individual or organization to gain information.
3. Individuals search for information about employees through Google or Yahoo search.
4. Browsing online communities such as Facebook will reveal valuable information about a person.
5. An organization’s website may give a personnel directory or information about key employees (e.g., contact details, e-mail, and so on). These can be used in a social engineering attack to reach the target.
6. Network sniffing is another method of passive attack that yields valuable information, for example, IP address ranges, hidden servers or systems and other available services on the network or system.
7. Google Earth, NsLookup and HTTrack are some of the tools used.


Active Attack
Following is the list of possible active attacks.
1. An active attack involves probing the network to discover individual hosts, to confirm the information gathered in the passive attack stage.
2. It involves the risk of detection and is also called ‘rattling the doorknobs’ or ‘active reconnaissance’.
3. The various tools used for active attack are Arphound, Arping, Bing, Dig, etc.

Scanning and Scrutinizing Gathered Information
1. Scanning is a key step to examine intelligently while gathering information about the targets. The goals of scanning are as follows:
(a) Port scanning: Identify open/closed ports and services.
(b) Network scanning: Understand IP addresses and related information about the computer network systems.
(c) Vulnerability scanning: Understand the existing weaknesses in the system.
2. The scrutinizing phase is always called ‘enumeration’ in the hacking world. The objective behind this step is to identify the following:
(a) The valid user accounts or groups.
(b) Network resources and shared resources.
(c) OS and different applications that are running on the OS.

Attack (Gaining and Maintaining the System Access)
After scanning and enumeration, the attack is launched using the following steps:
1. Crack the password.
2. Exploit the privileges.
3. Execute malicious commands/applications.
4. Hide the files.
5. Cover the tracks (delete access logs).
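The scanning phase described above leaves a trace on the defender's side: one source touching many different ports on one host in a short time. The following Python script is an added example (not from the textbook) that reads constructed firewall log lines and flags such port-scan behaviour; the log format, the addresses (RFC 5737 documentation ranges), the window and the port threshold are all assumptions.

```python
"""Added example (not the textbook's code): detect the port-scanning step of the
scanning phase from firewall logs.  Log format, addresses and thresholds are
constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: one source probes eight ports on 192.0.2.10 in a few
# seconds; a second source makes ordinary web connections; one line is malformed.
SAMPLE_LOG = """\
2020-10-07 09:57:01 src=203.0.113.5 dst=192.0.2.10 dport=21 action=DENY
2020-10-07 09:57:01 src=203.0.113.5 dst=192.0.2.10 dport=22 action=ALLOW
2020-10-07 09:57:02 src=203.0.113.5 dst=192.0.2.10 dport=23 action=DENY
2020-10-07 09:57:02 src=203.0.113.5 dst=192.0.2.10 dport=25 action=DENY
2020-10-07 09:57:03 src=203.0.113.5 dst=192.0.2.10 dport=80 action=ALLOW
2020-10-07 09:57:03 src=203.0.113.5 dst=192.0.2.10 dport=110 action=DENY
2020-10-07 09:57:04 src=203.0.113.5 dst=192.0.2.10 dport=143 action=DENY
2020-10-07 09:57:04 src=203.0.113.5 dst=192.0.2.10 dport=443 action=ALLOW
2020-10-07 09:58:30 src=198.51.100.7 dst=192.0.2.10 dport=443 action=ALLOW
this line is not in the expected format
2020-10-07 09:59:10 src=198.51.100.7 dst=192.0.2.10 dport=80 action=ALLOW
2020-10-07 10:03:45 src=198.51.100.7 dst=192.0.2.10 dport=443 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>[A-Z]+)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport, action) tuples.
    Malformed lines are skipped so one bad record cannot stop the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["action"]))
    return events


def detect_port_scans(events, window_seconds=60, min_ports=5):
    """Map (src, dst) -> sorted list of probed ports for every pair in which the
    source hit at least min_ports distinct ports within window_seconds.
    ALLOW and DENY both count: a scan that finds open ports produces ALLOW records."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        by_pair[(src, dst)].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[pair] = sorted({port for _, port in hits})
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

A slow scan spread over hours would stay under this window; lengthening the window or counting distinct ports per source per day catches that case at the cost of more false positives.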

2.2.2 Social Engineering
Social engineering is a non-technical strategy used by cyber attackers, which relies heavily on human interaction and often involves tricking people into breaking standard security practices.
1. Social engineering is the ‘technique to influence’ and ‘influence to trick’ people to obtain information or perform some action.
2. Social engineers exploit the natural tendency of a person to trust others, rather than exploiting computer security holes.
3. Social engineering involves gaining sensitive information or unauthorized access privileges by building improper trust relationships with insiders. For example, calling a user and pretending to be someone from the service desk working on a network issue, and then asking questions such as username, password, and so on.


Figure 2.2  Social engineering cycle. (Figure labels: Gather information; Plan attack; Acquire tools; Attack; Use acquired knowledge.)

Let us discuss the components depicted in Fig. 2.2.
1. Gather information: This is the primary stage; the criminal learns as much as possible about the target victims. The information is gathered from organization websites, various publications and sometimes by talking to the users of the target system.
2. Plan attack: The attacker plans how he/she intends to execute the attack.
3. Acquire tools: These include computer programs that an attacker will use when launching the attack.
4. Attack: Exploit the weaknesses in the targeted system.
5. Use acquired knowledge: Information gathered during the social engineering tactics, for example, pet names, birthdates of the organization’s founders and so forth, is used in attacks such as password guessing.

Classification of Social Engineering
There are two categories of social engineering: (1) human-based social engineering and (2) computer-based social engineering. Human-based social engineering is further categorized as follows:
1. Impersonating an employee or valid user.
2. Posing as an important user.
3. Using a third person.
4. Calling technical support.
5. Shoulder surfing.
6. Dumpster diving.
Computer-based social engineering is further categorized as follows:
1. Fake e-mails.
2. An e-mail attachment.
3. Popup windows.


Also, human-based social engineering refers to individual-to-individual communication to get the required information. The likely instances in this category include the following:
1. Impersonating an employee or a valid user.
2. Posing as an employee of the same organization.
3. Letting someone into the building who forgot his/her badge, etc.
4. Posing as an important user: a CEO or high-level manager who needs immediate assistance to gain access to the system.
5. Using a third person: The trick works when the supposed personnel are on vacation or cannot be contacted for verification.
6. Calling technical support: Help desk and technical support personnel are trained to help users, and are targeted by social engineers.
7. Shoulder surfing: It is the technique of gathering information such as usernames and passwords by watching over a person’s shoulder while he/she logs in to the system.
Computer-based social engineering refers to an attempt made to get the required/desired information by using computer software/Internet. For example, sending a fake e-mail to the user and asking him/her to re-enter a password in a web page to confirm it.
1. Fake e-mails: The attacker sends fake e-mails to numerous users such that the user takes it as a legitimate mail. This activity is called ‘phishing’.
2. Phishing: It is an attempt to entice people to reveal their personal sensitive information such as username, password and credit card details, etc. by impersonating a trustworthy and legitimate organization or individual.
3. An e-mail attachment: E-mail attachments are used to send malicious code to a victim’s system, which will then get executed. For example, viruses and worms are sent as attachments.
4. Popup window: Popup windows are also used in a similar way to e-mail attachments. Popup windows with special offers or free stuff can encourage a user to unintentionally install malicious software.

2.2.3 Cyberstalking
Cyberstalking is defined as the use of information and communications technology, especially the Internet, by an individual or group of individuals to harass another individual, a group or an organization. Cyberstalking involves harassing or threatening behaviour, written messages, etc. Following are the two types of stalkers:
1. Online stalkers: They aim to start the interaction with the victim directly with the help of the Internet, for example, e-mail/chat rooms. The stalker makes sure that the victim recognizes the attack attempted on him/her. The stalker can make use of a third party to harass the victim.
2. Offline stalkers: The stalker may begin the attack using traditional methods such as following the victim, watching the daily routine of the victim, etc. Searching on newsgroups, personal websites, etc. are the most common ways to gather information about the victim using the Internet.


How Stalking Works?
1. Personal information gathering about the victim.
2. Establishing contact with the victim.
3. Repeated mails/calls/threatening.
4. Stalkers may post the victim’s personal information. For example, posting on a ‘dating service’ website, posing as if the victim has posted the information, and inviting people to call the victim for dating.
Some of the reported cases in this category include the following:
1. Usually men are stalkers and women are victims.
2. In some cases, women act as stalkers and men as victims.
3. Usually stalkers and victims hold a prior relationship, for example, ex-lover, ex-spouse, boss/subordinate, neighbour, and so on.
4. Cases of same-sex cyberstalking have also been reported.
5. Cases of cyberstalking by strangers have been reported.

How Stalking Works?
It is found that stalking works in the following ways:
1. Personal information gathering about the victim: name; family background; contact details such as mobile and telephone numbers (of home as well as office); address of residence as well as of the workplace; e-mail address; date of birth, and so forth.
2. Establishing contact with the victim through telephone/mobile phone. Once the contact is established, the stalker may make calls to the victim to threaten/harass.
3. Stalkers will almost always establish contact with the victims through e-mail. The letters may have a loving or threatening tone or can be sexually explicit. The stalker may use various names while contacting the victim.
4. Some stalkers keep on sending repeated e-mails asking for various kinds of favours or threatening the victim.
5. The stalker may post the victim’s personal information on any website related to illegal services, for example, sex workers’ services or dating services, posing as if the victim has posted the information, and invite people to call the victim on the given contact details (telephone numbers/mobile numbers/e-mail address) for sexual services. The stalker will use obscene and/or offensive/attractive language to invite the interested people.
6. Whosoever comes across the information starts calling the victim on the given contact details (telephone/mobile numbers), asking for sexual services or relationships.
7. Some stalkers subscribe/register the e-mail account of the victim to innumerable pornographic and sex sites, because of which the victim starts receiving such kinds of unsolicited e-mails.

2.2.4 Cybercafe and Cybercrimes
Definition: Refer to Subsections 2.1.1 and 2.1.2.


Cybercrimes, for example, stealing bank passwords and subsequent fraudulent withdrawal of money, have also happened through cybercafes. Cybercafes have also been used regularly for sending obscene mails to harass people. The public computers in cybercafes hold the following two types of risks:
1. Keyloggers or spyware: A keylogger is a type of surveillance technology used to monitor and record every keystroke typed on a specific computer’s keyboard.
2. Over-the-shoulder peeping (shoulder surfing): One has to be extremely careful about protecting his/her privacy on such systems, as one does not know who will use the computer after him/her.
Cybercriminals prefer cybercafes to carry out their activities. Cybercriminals can install malicious programs such as keyloggers and spyware to launch attacks on targets. Following are the facts about cybercafes (based on a survey):
1. Pirated software is installed on the computers.
2. Antivirus is not updated.
3. Several cybercafes had installed the software called ‘deep freeze’ for protecting computers from malware attacks. This software protects the core OS, but it wipes out details of all activities carried out on the computer when one clicks on the ‘restart’ button. Thus, it presents a challenge to police or crime investigations, thereby helping cybercriminals.
4. An annual maintenance contract was not found for servicing the computers.
Here are a few tips for safety and security while using the computer in a cybercafe:
1. Always logout: While checking e-mails or logging into chatting services, for example, instant messaging, or using any other service that requires a username and a password, always click ‘log-out’ or ‘sign out’ before leaving the system. Simply closing the browser window is not enough, because if someone uses the same service after you, he/she can easily get access to your account. Also, do not save your login information through options that allow automatic login. Disable such options before logging on.
2. Stay with the computer: While surfing/browsing, one should not leave the system unattended for any period of time. If one has to go out, logout and close all browser windows.
3. Be alert: One should stay alert and aware of the surroundings while using a public computer. Snooping over the shoulder is an easy way of getting your username and password.
4. Change password.
5. Virtual keyboard: Nowadays almost every bank uses a virtual keyboard on its website.
6. Avoid online financial transactions: Ideally, one should avoid online banking, shopping or other transactions that require one to provide personal, confidential and sensitive information, for example, credit card or bank account details. In case of urgency, one has to do it; however, one should take the precaution of changing all the passwords at the earliest opportunity. One should change the passwords using a more trusted computer, for example, at home or in the office.
7. Clear history and temporary files: Internet Explorer saves pages that you have visited in the history folder and in temporary Internet files. Your passwords may also be stored in the


browser if that option has been enabled on the computer that you have used. Therefore, before you begin browsing, do the following in the case of Internet Explorer:
(a) Go to Tools → Internet Options → click the Content tab → click AutoComplete. If the checkboxes for passwords are selected, deselect them. Click OK twice.
(b) After you have finished browsing, you should clear the history and temporary Internet files folders. For this, go to Tools → Internet Options again → click the General tab → go to Temporary Internet Files → click Delete Files and then click Delete Cookies.
(c) Then, under History, click Clear History. Wait for the process to complete before leaving the computer.

POINTS TO REMEMBER
1. There are three phases involved in how hackers plan the attack: reconnaissance; scanning and scrutinizing gathered information; attack.
2. Reconnaissance is the act of exploring, often with the goal of finding something or somebody, in order to gain information. It consists of active and passive attacks.
3. Scanning is the key step to examine intelligently while gathering information about the targets.
4. Scrutinizing is always called enumeration in the hacking world.
5. Social engineering is the ‘technique to influence’ and ‘influence to trick’ people to obtain information or perform some action.
6. Cybercrimes, for example, stealing bank passwords and subsequent fraudulent withdrawal of money, have also happened through cybercafes.

2.3 Types of Attacks

Broadly, three types of attacks are classified in this section.

2.3.1 Botnets
1. The fuel for cybercrime is the bot (computing): an automated program for doing some specific task, often over a network.
2. A botnet is a collection of independent compromised computers that have been hacked by a cybercriminal, who uses them to carry out malicious attacks over the Internet.
3. In a botnet, as shown in Fig. 2.3, every computer is remotely controlled by a hacker. Attackers gain control of a computer by infecting it with a virus or malicious code that gives them access. Surprisingly, the owner may be unaware that his computer is part of a botnet.
4. Your computer system might be a part of a botnet despite the fact that it seems to be working normally.
5. Botnets are the most sophisticated method of cybercrime. Cybercriminals use botnets for a wide range of activities, for example, sending spam, spreading viruses, DoS attacks and so forth.
6. Because computers in a botnet follow the orders of their hacker, they are called ‘zombie’ machines and the criminal is called the ‘botherder’ or ‘bot master’.
7. Some botnets may have a few hundred computers, while others may have thousands and even many millions of computers.


Figure 2.3  Typical botnet attack structure. (Figure labels: Attacker; Botnet consisting of Bot/zombie 1, Bot/zombie 2 and Bot/zombie 3; Victim.)

Following are the security measures to reduce the chance of becoming part of a botnet.
1. Use antivirus and antispyware software and keep it up-to-date: It is important to remove as well as quarantine the viruses. The settings of these software programs should be done during installation so that they get updated automatically every day.
2. Set the OS to download and install security patches automatically: Operating system companies issue security patches for flaws that are found in these systems.
3. Use a firewall to protect the system from hacking attacks while it is connected to the Internet: A firewall is software or hardware that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria. A firewall is different from antivirus protection. Antivirus software scans incoming communications and files for troublesome viruses, whereas properly configured firewalls help to block all incoming communications from unauthorized sources.
4. Disconnect from the Internet when you are away from your computer: Attackers are unable to get into the system when the system is disconnected from the Internet. Firewall, antivirus and anti-spyware software are not fool-proof mechanisms against unauthorized access to the system.
5. Download freeware only from websites that are known and trustworthy: It is always tempting to download free software, for example, games, file-sharing programs, customized toolbars, and so forth. However, one should remember that much free software contains other software, which may include spyware.
6. Check regularly the folders in the mailbox ‘sent items’ or outgoing for those messages you did not send: If you do discover such messages in your outbox, it is an indication that your system may have been infected with spyware, and is perhaps part of a botnet. This check is not foolproof; numerous spammers have learned how to conceal their unauthorized access. Take immediate action if your system is infected; the steps involved are as listed in the following:
(a) Disconnect from the Internet.
(b) Scan the entire system with fully updated ‘antivirus and anti-spyware software’.


(c) Report to the ISP and legal authorities.
(d) Change all passwords immediately.
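Because a zombie machine follows its bot master's orders, it has to check in with that master, and those check-ins tend to arrive on a timer. The following Python script is an added example (not from the textbook) of the network-side counterpart to the ‘sent items’ check above: it reads constructed outbound-connection records from one workstation and flags a destination whose connection intervals are nearly constant. The log format, the host name, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions; bots that randomise their timing would need a looser check than this one.

```python
"""Added example (not the textbook's code): flag regular 'beaconing' to one
external address, an indicator of a zombie checking in with its bot master.
Log format, host name, addresses and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log for one workstation: a check-in to
# 203.0.113.44 every ~5 minutes, mixed with irregular browsing to 198.51.100.20.
OUTBOUND_LOG = """\
2020-10-07 10:00:00 host=ws-17 dst=203.0.113.44:8080
2020-10-07 10:00:12 host=ws-17 dst=198.51.100.20:443
2020-10-07 10:03:40 host=ws-17 dst=198.51.100.20:443
2020-10-07 10:05:00 host=ws-17 dst=203.0.113.44:8080
2020-10-07 10:10:01 host=ws-17 dst=203.0.113.44:8080
2020-10-07 10:14:59 host=ws-17 dst=203.0.113.44:8080
2020-10-07 10:20:00 host=ws-17 dst=203.0.113.44:8080
2020-10-07 10:21:05 host=ws-17 dst=198.51.100.20:443
2020-10-07 10:22:31 host=ws-17 dst=198.51.100.20:443
2020-10-07 10:25:00 host=ws-17 dst=203.0.113.44:8080
2020-10-07 10:45:00 host=ws-17 dst=198.51.100.20:443
2020-10-07 10:50:00 host=ws-17 dst=198.51.100.20:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) dst=(?P<dst>\S+)$"
)


def parse_connections(text):
    """Group connection timestamps by (host, dst); malformed lines are skipped."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        by_pair[(m["host"], m["dst"])].append(ts)
    return by_pair


def detect_beacons(by_pair, min_connections=5, max_cv=0.1):
    """Return {(host, dst): stats} for pairs with at least min_connections
    connections whose gaps are nearly constant: the coefficient of variation
    (standard deviation / mean of the gaps) is at most max_cv."""
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # several connections in the same second: not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return findings


if __name__ == "__main__":
    for (host, dst), stats in detect_beacons(parse_connections(OUTBOUND_LOG)).items():
        print(f"{host} beacons to {dst} every {stats['mean_interval']:.0f}s "
              f"({stats['count']} connections, cv={stats['cv']:.3f})")
```

Legitimate software also polls on timers (update checks, mail clients), so a hit is a lead for the scan-and-report steps above, not proof of infection.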

2.3.2 Attack Vector
An attack vector is a path or means by which an attacker can gain access to a computer or to a network in order to deliver a payload (malicious outcome). Attack vectors enable attackers to exploit system vulnerabilities, including the human element. Attack vectors include viruses, e-mail attachments, web pages, pop-up windows, instant messages and chat rooms. All these methods involve programming except deception, in which a human operator is tricked into removing or weakening system defences. To some extent, firewalls and antivirus software can block attack vectors. The most common malicious payloads are viruses, Trojan horses, worms and spyware. The ways in which attack vectors are launched are as follows:
1. Attack by e-mail.
2. Attachments.
3. Attack by deception (social engineering and hoaxes).
4. Hackers.
5. Attack by webpage (counterfeit sites): Such sites look very much like genuine sites.
6. Attack of the worms: Numerous worms are delivered as e-mail attachments.
7. Malicious macros: A macro virus infects a computer by replacing normal macros with a virus; the macro virus replaces a regular command with one of the same name and runs when the command is selected.
8. Foistware (sneakware): Foistware is software that secretly adds hidden components to the system. Spyware is the most common type of foistware. Foistware is semi-legal software bundled with some attractive software.
9. Viruses: A virus is a type of malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code.

2.3.3 Cloud Computing
1. Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage and process data, rather than local servers or a personal computer.
2. Cloud computing is the on-demand availability of computer system resources, especially computer storage and computing power, without direct active management by the user.
3. Cloud computing is a term used for storing and accessing data over the Internet. It does not store any data on the hard disk (HD) of a personal computer (PC). Cloud computing helps you to access your data from remote servers.
4. Following are the top 21 cloud service tools (service providers):
1. Amazon Web Services (AWS)
2. Kamatera
3. DigitalOcean
4. Rackspace
5. Massive Grid
6. Alibaba Cloud
7. LiquidWeb
8. Microsoft Azure
9. Google Cloud Platform
10. VMware
11. Salesforce
12. Oracle Cloud
13. Dell Cloud
14. Verizon Cloud
15. Navisite
16. IBM Cloud
17. OpenNebula
18. Pivotal
19. CloudSigma
20. Limestone
21. Quadranet

Cloud Computing Services
The cloud computing service can be either private or public. A public cloud offers services to anybody on the Internet (see the above list). A private cloud resembles a proprietary network or data centre that provides the hosted service to a limited number of users. When a service provider uses public cloud resources to create a private cloud, the result is called a ‘virtual private cloud’. The distinct characteristics of a cloud service which differ from traditional hosting are listed in the following:
1. It is sold on demand, typically by the minute or hour.
2. It is elastic in terms of usage: a user can have as much or as little of a service as he/she wants at any given time.
3. The service is fully managed by the provider: a user just needs a PC and an Internet connection.

Types of Services Refer to Fig 2.4. The services provided by cloud computing are as follows: 1. Infrastructure-as-a-service (Iaas): It is like Amazon Web service that provides virtual servers with unique IP addresses and blocks of storage on demand. 2. Platform-as-a-Service (Paas): It is a set of software development tools hosted on the provided server. Developers can create applications using the provider’s API. Google apps is one of the most famous Paas providers. 3. Software-as-a service (Saas): In this case the provider allows the customer only to use its applications. The software interacts with the user interface. Examples: Twitter, Gmail, etc. SaaS

[Figure: three service layers – SaaS (Software as a service: "Use it"; labels EIM, Incidents, EHS, Tasks, Waste), PaaS (Platform as a service: "Build with it"; labels App development, Messaging, Dashboards, Integration) and IaaS (Infrastructure as a service: "Move to it"; labels Networking, Security, System management, Scalability).]

Figure 2.4  Cloud services model.

Advantages of Cloud Computing
1. Applications and data can be accessed from anywhere at any time.
2. Data is not held on a hard drive on one user's computer.
3. Hardware cost comes down, but one would need an Internet connection.


4. Organisations do not have to buy a set of software licenses for every employee; instead the organisation can pay a metered fee to a cloud computing company.
5. The organisation does not have to rent physical space to store servers and databases. Cloud computing gives the option of storing data on someone else's hardware, thereby removing the need for physical space at the front end.
6. Organisations would be able to save money on IT support, because the organisation only has to ensure continuous Internet connectivity for desktops (clients) instead of maintaining servers and other hardware.

Table 2.1 lists some of the service providers of cloud computing. Some of the best examples of cloud computing are as follows:
1. Pinterest.
2. Spotify.
3. Netflix.
4. Siri, Alexa, Google Assistant – cloud-based natural language intelligent bots.
5. Skype, WhatsApp – cloud infrastructure.
6. Salesforce, HubSpot Market – business management applications.
7. Dropbox, Google Drive, Amazon S3 – cloud backup solutions.
8. Amazon Lumberyard – mobile game development tool.
9. LoadStorm, BlazeMeter – testing tools.
10. Hadoop, Cassandra, HPCC – open source big data tools.
11. Facebook, LinkedIn, Myspace, Twitter – social networking.

Table 2.1  Cloud Computing Service Providers

S. No. / Service Provider / Weblink
1. Amazon: It gives a flexible and easy computing environment in the cloud that allows development of applications. Weblink: http://aws.amazon.com/ec2/
2. 3tera: It gives an app-logic grid operating system that enables infrastructure solutions according to the changing needs of business. Weblink: http://www.3tera.com
3. Force.com: It allows building of core business applications such as enterprise resource planning (ERP), human resource management (HRM) and supply chain management (SCM). Weblink: http://www.salesforce.com/platform/
4. Microsoft Live Mesh: This cloud setup synchronizes files with all of a user's devices such as laptop, Mac, mobile phone or others, allows access to the files from any device and enables sharing of files. Weblink: https://www.mesh.com/Welcome/default.aspx


2.3.4 Cybercrime and Cloud Computing

The prime area of risk in cloud computing is the protection of user data. The risks associated with a cloud computing environment are listed as follows:
1. Elevated user access: Any data processed outside the organisation carries an inherent level of risk, as it bypasses the organisation's physical, logical and personnel controls.
2. Regulatory compliance: Cloud computing service providers may be unable and/or unwilling to undergo external assessment. This can result in non-compliance with various laws/standards.
3. Location of data: Organisations that obtain cloud computing services may not be aware of where the data is hosted, and may not even know in which country it is hosted.
4. Segregation of data: The encryption mechanism should be strong enough to segregate the organisation's data from the data of other organisations saved on the same server.
5. Recovery of data: Business continuity in case of any disaster (availability of service and data without any disruption).
6. Information security violation reports: Due to the complex IT environment and the many customers logging in and out of the hosts, it becomes difficult to trace inappropriate and/or illegal activity.
7. Long-term viability: In case of any major change at the cloud computing service provider (e.g., acquisition and merger, breakage of partnerships), the service provided is at stake.

POINTS TO REMEMBER
1. Botnet: A botnet is an assortment of independent compromised computers that have been hacked by a cybercriminal, who utilizes them to carry out malicious attacks over the Internet.
2. Attack vector: An attack vector is a way or means by which an attacker can access a computer or a network in order to deliver a payload (malicious outcome).
3. Cloud computing: Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage and process data, rather than a local server or a personal computer.

2.4 Proliferation of Mobile and Wireless Devices

A simple hand-held mobile phone has enough processing capacity to run small applications, play games and music, and make voice calls. A smartphone is defined as a mobile phone that performs many of the functions of a computer, typically having a touch screen interface, Internet access and an operating system capable of running downloaded apps. To understand the distinction between mobile devices (MD), wireless devices (WD) and hand-held devices (HD), refer to the following list:
1. Smartphone – MD, WD and HD
2. Standard PDA – MD and HD
3. Standard laptop – MD
4. Laptop with wireless access – MD and WD
5. Desktop PC with wireless access – MD and WD


Mobile computing is taking a PC, and all of the important files and software, out into the field. The various types of mobile computer are listed as follows:
1. Portable computer: A general-purpose computer that can be easily moved from one spot to another.
2. Tablet PC: It lacks a keyboard, is shaped like a slate or paper notebook, and features a touch screen with a stylus and handwriting recognition software.
3. Internet tablet: Unlike a tablet PC, the Internet tablet does not have much computing power and its application suite is limited. Internet tablets typically feature an MP3 and video player, a web browser, a chat application and a picture viewer.
4. Personal digital assistant (PDA): It is a small, pocket-sized computer with limited functionality. It is intended to synchronize with desktop computers, giving access to contacts, address books, notes, e-mail and other features.
5. Ultra mobile PC: It is a full-featured, PDA-sized computer running a general-purpose operating system (OS).
6. Smartphone: It is a PDA with integrated cell phone functionality.
7. Fly Fusion pen-top computer: It is a computing device with the size and shape of a pen. It functions as a pen, MP3 player, language translator, digital storage device and calculator.
8. Carputer: It is a computing device installed in an automobile. It operates as a wireless computer, sound system, GPS and DVD player. It also contains word processing software and is Bluetooth compatible.

POINTS TO REMEMBER
1. A simple hand-held mobile phone has enough processing capacity to run small applications, play games and music, and make voice calls.
2. To understand the distinction between mobile devices (MD), wireless devices (WD) and hand-held devices (HD):
(a) Smartphone – MD, WD and HD
(b) Standard PDA – MD and HD
(c) Standard laptop – MD
(d) Laptop with wireless access – MD and WD
(e) Desktop PC with wireless access – MD and WD

2.5 Trends in Mobility Wireless Era

Mobile computing is moving into a new era, third generation (3G), which promises greater variety in applications, highly improved usability and speedier networking. The 'iPhone' from Apple and Google-led 'Android' phones are the best examples of this trend, and there are plenty of other developments that point in this direction. This smart mobile technology is rapidly gaining popularity, and attackers (hackers and crackers) are among its biggest fans.


It is worth noting the trends in mobile computing; this will help readers realize the seriousness of cybersecurity issues in the mobile computing domain. The following subsection describes the different types of mobility and their implications. The new 3G networks are not entirely built with IP data security in mind. Moreover, the IP data world is new to mobile operators when compared to voice-centric security threats. There are numerous attacks that can be committed against mobile networks, and they can originate from two primary vectors. One is from outside the mobile network, that is, the public Internet, private networks and other operators' networks; the other is from within the mobile network, that is, devices such as data-capable handsets and smartphones, notebook computers or even desktop computers connected to the 3G network.

2.5.1 Trends in Mobility

Mobile computing is moving into a new era (2G, 3G, 4G and beyond) where we have numerous applications, improved ease of use and higher data rates. The various types of mobility and their implications are as follows:
1. User mobility: It refers to users who access the same or similar telecommunication services at different places; that is, users can be mobile and services can follow them.
2. Device mobility: It refers to the physical movement of the device. It can also be called device portability (small size and battery driven).
3. Session mobility: A user should be able to move from one user-agent environment to another (e.g., a user is downloading over a personal Internet connection and loses the connection because of a poor network; the user then returns to the office and uses Wi-Fi, continuing the unfinished session from where it was when the user got disconnected).
4. Service mobility: A user should be able to move from one service to another. For example, if a user is writing an e-mail and, to complete the e-mail, needs to refer to some other information, the user simply opens another service (e.g., a browser) and moves between services using the task bar. This is called service mobility.
The popular attacks against mobile networks are as follows:
1. Malware, viruses and worms: A few examples of malware specific to mobile devices are listed in the following:
(a) Skull Trojan: It targets Series 60 phones equipped with the mobile OS.
(b) Cabir worm: It is the first dedicated mobile phone worm. It infects the OS and scans for other mobile phones so that it can send a copy of itself to the first vulnerable phone it finds through Bluetooth wireless technology. The worst thing about this worm is that the source code for the Cabir-H and Cabir-I variants is available on the web.
(c) Mosquito Trojan: It affects Series 60 smartphones and is a cracked version of the Mosquitos mobile phone game.
(d) Brador Trojan: It affects the Windows OS. On execution, the trojan sends an e-mail containing the compromised system's host name and IP address to the attacker.
(e) Lasco worm: It targets PDAs and mobile phones running the Symbian OS. Lasco replicates over Bluetooth connections.


2. Denial-of-service (DoS) attack: This makes the system unavailable to its intended users. Botnets/zombies are used to create unnecessary traffic that floods the target system with data, so that the response from the target is either stopped or slowed down. This is known as a DoS attack.
3. Overbilling attack: Overbilling involves an attacker hijacking a subscriber's IP address and then using it to initiate downloads or for the attacker's own use. The legitimate user is charged for the activity.
4. Spoofed policy development process: These types of attacks exploit vulnerabilities in the GTP [GPRS (general packet radio service) tunnelling protocol].
5. Signalling level attacks: The VoIP services in mobile networks use the session initiation protocol (SIP). There are several vulnerabilities in SIP-based VoIP systems.

2.5.2 Credit Card Frauds in Mobile and Wireless Computing Era

Wireless credit card processing is a very desirable system, because it allows businesses to process transactions from mobile locations quickly, efficiently and professionally. Figure 2.5 shows the basic flow of transactions involved in purchases made using a credit card.

[Figure: online environment for credit card transactions – card holder's magnetic strip; card swiped to obtain magnetic strip data; magnetic strip reader and PIN pad; security control module; merchant server; backend network; acquiring bank; card issuing bank.]

Figure 2.5  Flow of purchases done using credit card.

From Fig. 2.5, the flow of purchases made using a credit card is described in the following steps:
1. The customer places an order and swipes the card.
2. The card details are obtained from the magnetic strip data.
3. A magnetic strip card, also known as a swipe card or magstripe, is a card capable of storing data by modifying the iron-based magnetic particles on a band of magnetic material on the card.
4. The security control module reads the magnetic strip and acquires the PIN.
5. The order is managed and accounting is done by the merchant server.
6. The host security module checks the PIN inside an encrypted PIN block with optional PIN offset data.


7. The transaction is then routed to the issuing bank to request transaction authorization.
8. The transaction is accepted or declined by the issuing bank.
9. The acquiring bank credits the merchant's account.
The host security module checks the personal identification number (PIN) inside an encrypted PIN block with optional PIN offset data. There is a system available from the Australian company 'Alacrity' called closed loop environment for wireless (CLEW).

[Figure: merchant, credit card and bank; the individual card holder uses a cell phone for the credit card transaction (e.g., Mswipe) and advises the bank "yes" or "no"; YES: approve transaction, NO: reject transaction.]

Figure 2.6  Flow of events with CLEW.

As depicted in Fig. 2.6, the basic flow of events with CLEW is as follows:
1. The merchant sends a transaction to the bank.
2. The bank transmits the request to the authorised card holder.
3. The card holder approves or rejects (password protected).
4. The bank (if NO)/merchant (if YES) is notified.
5. The credit card transaction is completed.
Some tips to prevent credit card frauds are listed in the following:
• Do's
1. Put your signature on the card immediately upon its receipt.
2. Make a copy of both sides of the card and keep it in a safe place, so that you can recall the card number and expiry date in case the card is lost.
3. Change the default PIN from the bank before doing any transactions.
4. Always carry the contact number of your bank in case of loss of your card.
5. Watch your card during the transaction and ensure you get it back right away.
6. Save all receipts to compare with credit card bills.
7. Inform your bank in advance about any change in your contact details such as home address, cell phone number and e-mail address.
8. Report loss of the card immediately to your bank.
• Don'ts
1. Store your card number and PIN in your mobile phone.
2. Lend your card to anyone.
3. Sign a receipt that is not clearly legible.


4. Write the card number/PIN on a postcard or envelope.
5. Destroy credit card receipts by simply dropping them into the garbage box/dustbin.
The different types and techniques of credit card fraud are listed in the following:
I. Traditional techniques: The traditional and first type of credit card fraud is paper-based fraud; the next is application fraud. In this, a criminal uses stolen or fake documents such as utility bills and bank statements, which can build up useful personally identifiable information (PII), to open an account in someone else's name. Application frauds can be divided into the following two categories:
1. ID theft: ID theft is a term used to refer to fraud that involves someone pretending to be someone else to steal money or get other benefits.
2. Financial fraud: Where an individual gives false information about his/her financial status to acquire credit.
II. Other traditional techniques: Illegal use of lost and stolen cards, and stealing a credit card either by pickpocketing or from the postal service before it reaches its final destination.
III. Modern techniques
1. Sophisticated techniques enable criminals to produce fake credit cards.
2. Skimming: Skimming is where the information held on the magnetic strip on the back of a credit card, or the data stored on a smart card, is copied from one card to another.
3. Site cloning and false merchant sites on the Internet are becoming a popular method of fraud; directing users to bogus fake sites is called phishing.
4. Triangulation is a key technique among credit card frauds that works in the following fashion:
(a) The criminal offers goods at heavily discounted rates through a website designed and hosted by him, which appears to be a legitimate merchant website.
(b) The customer registers on this website with his/her name, address, shipping address and valid credit card details.
(c) The criminal orders the goods from a legitimate website with the help of the stolen credit card details.
(d) The criminal keeps on purchasing other goods using the fraudulently obtained credit card details of different customers, till the criminal closes the existing website and starts a new one.
(e) Such websites are usually available for a few weeks/months, till the authorities track them down.
IV. Other modern techniques – Credit card generators: This is another modern technique, in which computer emulation software creates valid credit card numbers and expiry dates.
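The CLEW flow of Fig. 2.6 (merchant to bank, bank to card holder, card holder's password-protected YES/NO, then merchant or bank notified) as an added simulation; this is illustration code, not Alacrity's product or the book's own material. The card ids, passwords, merchant names and message shapes are constructed, and the one-time request id, expiry and constant-time password check are assumptions about how such an out-of-band approval would be hardened.

```python
"""Simulation of the CLEW out-of-band approval flow (constructed example)."""
import hashlib
import hmac
import secrets
import time


class ClewBank:
    """Bank side of the closed loop: holds the pending approval requests it has
    sent to card holders' phones and notifies merchant (YES) or bank (NO)."""

    def __init__(self):
        self._holders = {}          # card id -> (salt, pbkdf2 hash of password)
        self._pending = {}          # request id -> request record
        self.merchant_notices = []  # step 4, YES branch
        self.bank_notices = []      # step 4, NO branch
        self.completed = []         # step 5

    def enrol_card_holder(self, card_id, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self._holders[card_id] = (salt, digest)

    def receive_transaction(self, merchant, card_id, amount, ttl=120):
        """Steps 1 and 2: merchant sends a transaction; the bank creates a one-time
        request and forwards it to the card holder's phone. Returns the request id
        (what the phone would receive) or None for an unknown card."""
        if card_id not in self._holders:
            return None
        request_id = secrets.token_hex(8)      # unpredictable, single use
        self._pending[request_id] = {
            "merchant": merchant, "card_id": card_id,
            "amount": amount, "expires": time.time() + ttl,
        }
        return request_id

    def card_holder_response(self, request_id, password, approve):
        """Steps 3 and 4: the card holder answers with his/her password. Each
        request can be answered once; a late or wrongly authenticated answer is
        discarded and nothing is notified."""
        req = self._pending.pop(request_id, None)
        if req is None:
            return "unknown or already answered request"   # replay / guess
        if time.time() > req["expires"]:
            return "request expired"
        salt, digest = self._holders[req["card_id"]]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if not hmac.compare_digest(candidate, digest):
            return "bad password"
        if approve:
            self.merchant_notices.append((req["merchant"], request_id, "YES"))
            self.completed.append((request_id, req["amount"]))   # step 5
            return "approved"
        self.bank_notices.append((request_id, "NO"))
        return "rejected"


if __name__ == "__main__":
    bank = ClewBank()
    bank.enrol_card_holder("card-0001", "s3cret-phrase")
    rid = bank.receive_transaction("Mswipe merchant", "card-0001", 49.99)
    print(bank.card_holder_response(rid, "s3cret-phrase", approve=True))
    print(bank.card_holder_response(rid, "s3cret-phrase", approve=True))  # replay
```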

POINTS TO REMEMBER
1. Mobile computing is moving into a new era (2G, 3G, 4G and beyond), where we have numerous applications, improved ease of use and higher data rates.
2. The popular attacks against mobile networks are as follows: (a) Malware, viruses and worms. (b) Skull Trojan. (c) Cabir worm.


(d) Mosquito Trojan. (e) Denial-of-service attack. (f) Brador Trojan. (g) Overbilling attack.
3. Credit card fraud: Wireless credit card processing is a very desirable system, because it allows businesses to process transactions from mobile locations quickly, efficiently and professionally. It consists of the merchant, the credit card holder, the acquiring bank and the card issuing bank.

2.6 Security Challenges Faced by Mobile Devices

Mobility brings two main challenges to cybersecurity: (1) on hand-held devices, information is being taken outside the physically controlled environment, and (2) remote access back to the protected environment is being granted. As the number of mobile device users increases, two kinds of challenges are presented: (1) one at the device level, called micro challenges, and (2) another at the organizational level, called macro challenges.
1. OS attacks: Loopholes in the OS create vulnerabilities that are open to attack. Vendors attempt to tackle these with patches.
2. Mobile app attacks: Poor coding and inappropriate development create loopholes and compromise security.
3. Communication network attacks: Communications such as Bluetooth and Wi-Fi connections make devices vulnerable.
4. Malware attacks: There has been a steady rise in malware for mobile phones. The focus is on erasing files and creating chaos.
The security challenges faced by mobile devices are as follows:
1. Multiple user logging: Mobile phones have come a long way; however, they are still not as flexible as PCs. Multiple users on a mobile phone still have difficulty in opening unique secured accounts. Basically, what one user does on a mobile phone is not really exclusive to that user. Flexible third-party solutions are available, yet it is much more secure when phones are not shared.
2. Secure data storage: Mobile phones need good file encryption for strong security. After all, who wants sensitive corporate data to end up in the wrong hands? Without the correct encryption, not only are personal documents available to anyone, but also passwords to bank, credit card and even business applications. Encrypting sensitive information guarantees that would-be thieves gain nothing.
3. Mobile browsing: Perhaps the best feature of mobile phones is the ability to browse the web on the go; however, this also opens up the mobile phone to security threats. The issue is that users cannot see the entire URL or link, much less verify whether the link or URL is safe. That means users could easily browse their way into a phishing-related attack.
4. Mobile device coding issues: Now and then developers make genuine errors, accidentally creating security vulnerabilities through poor coding efforts.


Commonly, there is a bad implementation of encrypted channels for data transmission, or even improper password security. Ineffective development can lead to security weaknesses, whether on PCs or mobile phones.

POINTS TO REMEMBER
1. Mobility brings two main challenges to cybersecurity: (a) On hand-held devices: information is being taken outside the physically controlled environment. (b) Remote access back to the protected environment is being granted.
2. Security challenges faced by mobile devices are as follows: (a) Multiple user logging. (b) Mobile device coding issues. (c) Mobile browsing. (d) Secure data storage.

2.7 Registry Setting for Mobile Devices

Editing the Windows Mobile registry on a device with a minimal keyboard is troublesome. However, a mobile registry editor lets us remotely edit the registry of the Windows Mobile device from our own keyboard, as shown in Fig. 2.7.

[Figure: PC connected to a Windows-powered mobile phone.]

Figure 2.7  Flow of mobile registry. Example: Microsoft ActiveSync.

Note: The registry of a computing device stores the information necessary to configure the system for applications and hardware devices, as well as information about the OS. ActiveSync is a mobile data synchronization application created by Microsoft, initially released in 1996. It synchronizes data between handheld devices and personal computers. ActiveSync acts as a gateway between a Windows-powered PC (WP-PC) and Windows-powered mobile devices (WP-MD), as shown in Fig. 2.8.

[Figure: WP-PC (personal computer) – ActiveSync (gateway) – WP-MD (mobile device).]

Figure 2.8  Flow of Microsoft ActiveSync.


This enables synchronization of applications and data, for example, Outlook data, Microsoft Office documents, pictures, music, video and applications, from a user's desktop to his/her mobile phone. With respect to registry settings, 'Group Policy' is one of the core operations. Group Policy provides centralized management and configuration of operating systems, applications and user settings in an Active Directory environment.

POINTS TO REMEMBER
1. The registry of a computing device stores the information necessary to configure the system for applications and hardware devices, as well as information about the OS.
2. ActiveSync acts as a gateway between a Windows-powered PC (WP-PC) and Windows-powered mobile devices (WP-MD).
3. With respect to registry settings, 'Group Policy' is one of the core operations.

2.8 Authentication Service Security

There are two components of security in mobile computing: (1) security of devices and (2) security of networks. Secure network access involves mutual authentication between the device and the base station/web servers. This is to ensure that only 'authenticated' devices can be connected to the network for obtaining the requested services. Some different types of attacks on mobile devices are as follows:
1. Push attacks: An attacker creates malicious code on a mobile phone and may spread it to affect other components of the system.
2. Pull attacks: In a pull attack, the attacker controls the device as a source of data, obtaining information from the device itself.
3. Smishing: Smishing has become common now that mobile phones are widely used. Smishing uses the short message service (SMS) to send fraudulent text messages or links. The criminals cheat the user by calling. Victims may give away private data, for example, credit card data, account data, and so on. Visiting a site may result in the user accidentally downloading malware that infects the device.
4. War driving: War driving is a method used by attackers to discover access points wherever they can be found. With the availability of free Wi-Fi connections, they can drive around and acquire a very large amount of data over a very short time.
The following lists how authentication service security works (see Fig. 2.9):
1. The user browses to a particular web application.
2. In turn, the web application redirects to the authentication service.
3. The user submits credentials to the authentication service login page.
4. The authentication service grants an access token to the user and redirects it to the web application.
5. The user provides the access token to the web application.
6. The web application returns a response for the token.


[Figure: user agent (web browser), web application and external authentication service. 1. User agent browses to web application. 2. Web application redirects user agent to authentication service. 3. User agent sends user's credentials to authentication service login page. 4. Authentication service returns access token and redirects client to web application. 5. User agent provides access token to web application. 6. Web application returns response to user agent.]

Figure 2.9  Authentication service security.

Authentication service security is important to curb the following attacks on mobile devices through wireless networks:
1. DoS attack.
2. Traffic analysis.
3. Eavesdropping.
4. Man-in-the-middle attack.
5. Session hijacking.
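The six-step flow of Fig. 2.9 (browse, redirect, login, token, present token, response) as an added simulation, written for this edit and not taken from the book or any product. The user names, passwords, signing key and URL are constructed, and the token format (an HMAC-signed JSON body carrying subject, audience and expiry) is an assumption chosen so that the web application can reject forged, expired or mis-addressed tokens at step 6.

```python
"""Simulation of the authentication service flow of Fig. 2.9 (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

AUTH_SERVICE_URL = "https://auth.example.test/login"   # assumed placeholder URL
PBKDF2_ROUNDS = 100_000


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthService:
    """External authentication service: verifies credentials (step 3) and
    issues a signed access token bound to one web application (step 4)."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._users = {}            # constructed user store: salt + password hash

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username, password, audience, ttl=300):
        """Return an access token for `audience`, or None on bad credentials."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        claims = {"sub": username, "aud": audience,
                  "exp": int(time.time()) + ttl, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig


class WebApplication:
    """Relying web application: redirects unauthenticated user agents (step 2)
    and validates the token presented by the user agent (steps 5 and 6)."""

    def __init__(self, name, signing_key):
        self.name = name
        self._key = signing_key     # shared with the auth service in this simulation

    def handle_request(self, token):
        if token is None:                                   # steps 1 and 2
            return ("redirect", AUTH_SERVICE_URL + "?app=" + self.name)
        claims = self._verify(token)                        # step 5
        if claims is None:
            return ("reject", "invalid or expired token")
        return ("ok", "Hello " + claims["sub"])             # step 6

    def _verify(self, token):
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None             # forged or tampered token
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.name:
            return None             # token was issued for another application
        if claims.get("exp", 0) <= int(time.time()):
            return None             # token has expired
        return claims


def run_flow(auth, app, username, password):
    """Drive the user agent through all six steps and return the final answer."""
    status, location = app.handle_request(None)                  # steps 1 and 2
    if status != "redirect" or not location.startswith(AUTH_SERVICE_URL):
        return ("error", "unexpected response from web application")
    token = auth.login(username, password, audience=app.name)    # steps 3 and 4
    if token is None:
        return ("reject", "login failed")
    return app.handle_request(token)                             # steps 5 and 6


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    auth = AuthService(key)
    auth.register("alice", "correct horse battery staple")
    app = WebApplication("payroll-app", key)
    print(run_flow(auth, app, "alice", "correct horse battery staple"))
    print(run_flow(auth, app, "alice", "wrong password"))
```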

POINTS TO REMEMBER
1. Secure network access involves mutual authentication between the device and the base station/web servers.
2. This is to ensure that only 'authenticated' devices can be connected to the network for obtaining the requested services.
3. How does authentication service security work? (a) The user browses to a particular web application. (b) In turn, the web application redirects to the authentication service. (c) The user submits credentials to the authentication service login page. (d) The authentication service grants an access token to the user and redirects it to the web application. (e) The user provides the access token to the web application. (f) The web application returns a response for the token.


2.9 Attacks on Mobile Phones

The different possible attacks on mobile phones are shown in Fig. 2.10.

[Figure: data leakage, unsecured Wi-Fi, phishing, Bluetooth hacking, spyware, network spoofing.]

Figure 2.10  Different attacks on mobile phones.

1. Data leakage: Mobile applications are often the cause of unintentional data leakage. For instance, 'riskware' apps pose a real problem for mobile users who grant them broad permissions but do not always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers and, at times, by cybercriminals. Data leakage can also happen through hostile enterprise-signed mobile apps. These mobile malware programs use distribution code native to popular mobile operating systems like iOS and Android to move valuable data across corporate networks without raising red flags. To avoid these issues, only give apps the permissions that they absolutely need in order to function properly, and avoid any app that requests more than would normally be appropriate. The September 2019 updates for Android and Apple iOS both added protocols to make users more aware of whether and why apps collect the user's location data.
2. Unsecured Wi-Fi: Nobody wants to burn through their cellular data when wireless hotspots are available – yet free Wi-Fi networks are usually unsecured. According to V3, three British politicians who agreed to be part of a free wireless security experiment were easily hacked by technology experts. Their social media, PayPal and even their VoIP conversations were compromised. To be safe, use free Wi-Fi sparingly on your mobile device, and never use it to access confidential or personal services, such as banking or credit card data.
3. Network spoofing: Network spoofing is when attackers set up fake access points – connections that look like Wi-Fi networks but are actually traps – in high-traffic public locations such as coffee shops, libraries and airports. Cybercriminals give the access points common names like 'Free Airport Wi-Fi' or 'Café' to encourage users to connect. In some cases, attackers require users to create an 'account' to access these free services, complete with a password. Since many users use the same e-mail and password for multiple services, hackers are then able to compromise users' e-mail, e-commerce and other secure data.
4. Phishing attacks: Since mobile phones are always powered on, they are the front lines of most phishing attacks. According to CSO, mobile users are more vulnerable because they often monitor their e-mail in real time, opening and reading messages as soon as they are received. Mobile phone users are also more vulnerable because e-mail apps display less information to suit the smaller screen sizes. For instance, even when opened,


an e-mail may just show the sender’s name except if you grow the header data bar. Never click on new e-mail joins. Furthermore, on the off chance that the issue is not pressing, at that point let the reaction or activity things hold up until you are at your computer. 5. Spyware: Although numerous mobile users stress over malware sending information streams back to cybercriminals, there is a key danger closer to home: Spyware. As a rule, it is not malware from unknown attackers that users ought to be stressed over, but instead spyware introduced by companions, collaborators or bosses to monitor their whereabouts and action. Otherwise called stalkerware, a large number of these application are intended to be stacked on the target’s gadget without their assent or information. An exhaustive antivirus and malware discovery suite should utilize specific examining methods for this sort of program, which requires marginally unexpected taking care of in comparison to other malware inferable from how it gets onto your gadget and its motivation. 6. Hacking – Bluetooth (a) Bluetooth is an open remote technology standard utilized for communication (i.e., trading information) over short separations (i.e., utilizing short length radio waves) among fixed and additionally mobile phones. Bluetooth is a short-run remote correspondence administration/innovation that utilizes the 2.4 GHz recurrence extend for its transmission/ correspondence. (b) When Bluetooth is empowered on a gadget, it basically communicates ‘I am here, and I am ready to interface’ to any. other Bluetooth-based devices inside range. This makes Bluetooth utilize basic and clear, and it likewise makes it simpler to recognize the objective for attackers. 
The attacker installs software on a PC and attaches a Bluetooth antenna to it. As the attacker moves around public places, the software continuously scans the surroundings for discoverable devices and active Bluetooth connections. When the attacker's tool finds and connects to a vulnerable Bluetooth-enabled mobile phone, it can download address book data, photographs, calendars and SIM card details, make long-distance calls using the hacked device, bug calls and much more. (c) Bluejacking, Bluesnarfing, Bluebugging and Car Whisperer are common attacks that have emerged as Bluetooth-specific security issues. (d) Bluetooth hacking tools include the following:
• BlueScanner: This tool searches for Bluetooth-enabled devices and tries to extract as much information as possible from each one by connecting to it.
• BlueSniff: This is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.
• BlueBugger: This tool exploits the Bluebug weakness in a vulnerable device to access its pictures, phonebook, messages and other personal data.
• Bluesnarfer: If a device's Bluetooth is turned on, Bluesnarfing makes it possible to connect to the phone without alerting the owner and to access a restricted portion of the stored data.
• Bluediving: Bluediving is a Bluetooth penetration-testing suite. It implements attacks such as Bluebug and BlueSnarf.
Most of these attacks exploited implementation flaws in older handsets that exposed the phonebook and messaging profiles without authentication. Current phones require an authenticated pairing first, so the practical defences are to reject unexpected pairing requests, keep the device non-discoverable and apply firmware updates promptly, because new flaws in Bluetooth stacks continue to be published.
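The phishing item above makes a specific point: a small-screen mail client shows the sender's display name and little else, so the checks a user cannot do by eye have to be done in code. The Python below is an added example written for this page, not code from the book: it parses a message, pulls out the headers the client hides and reports the three mismatches that mark a typical phishing mail (an address planted inside the display name, a Reply-To on another domain, and a link whose visible text names a different host from its real target). The two messages are constructed for illustration, and the function and variable names are this example's own.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing mail). The
# display name carries a plausible address, but the real sender, the Reply-To
# and the link target all point elsewhere.
PHISHING_EML = """\
From: "IT Helpdesk <helpdesk@example-corp.com>" <alerts@mail-relay.example.net>
Reply-To: recovery@example-corp-support.com
To: employee@example-corp.com
Subject: Action required: your mailbox will be locked
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox is almost full. Free space here:
<a href="http://login.example-corp.com.evil.example/reset">https://login.example-corp.com/reset</a></p>
</body></html>
"""

# A constructed benign message for comparison.
BENIGN_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: employee@example-corp.com
Subject: Scheduled maintenance
Content-Type: text/plain; charset="utf-8"

Mail will be unavailable on Saturday from 02:00 to 03:00.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    """Host part of a URL, lower-cased; a bare host name is accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def html_body(msg):
    """First text/html part of the message decoded to str ('' if none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message):
    """Return human-readable indicators found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. An address embedded in the display name (all a phone shows) that does
    #    not belong to the real sender's domain.
    for shown in ADDR_RE.findall(display_name):
        if domain_of(shown) != sender_domain:
            findings.append(f"display name shows {shown} but sender is {sender}")

    # 2. Replies silently routed to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} is outside sender domain {sender_domain}")

    # 3. Links whose visible text is itself a URL on a different host than the
    #    real href (the classic look-alike link).
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        if re.match(r"https?://", text) and host_of(text) != host_of(href):
            findings.append(f"link text {text} actually goes to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EML), ("benign", BENIGN_EML)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run on the constructed messages, the phishing sample yields three findings and the benign one none. The same function can be pointed at a mailbox export or a mail gateway's quarantine to triage at scale; the display-name check in particular catches the trick that the small-screen rendering described above is designed to exploit.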


POINTS TO REMEMBER
The different types of attacks on mobile phones are as listed below.
1. Data leakage.
2. Unsecured Wi-Fi.
3. Network spoofing.
4. Phishing attacks.
5. Spyware.
6. Bluetooth hacking.

2.10 Security Implications for Organizations

With the rapid growth of wireless technology, expanded bandwidth, and efficient and powerful mobile hardware and applications, devices like smartphones, laptops, tablet PCs and PDAs are becoming increasingly ubiquitous in the workplace. Mobile technology is now used not only for calling but also in business for utility computing. Cell phones untethered employees from landline telephones, and laptops changed workers' ability to work remotely. Yet those tools cannot compare to today's smartphones, whose portability and ability to reach corporate servers, data and information regardless of where the employee is geographically are changing the way business is done. Telecommunication companies and regulators around the globe have seen this innovation coming and developing for years. The shift towards mobile devices replacing desktops and PCs is clear, yet many have not considered the significance of that shift in a purely business environment. Properly used, advancing mobile technology can enable an enterprise to achieve several significant benefits:
1. Improved workforce productivity: Besides on-site work, employees can remotely access company data and complete work off-site.
2. Improved customer service: With continuous access to customer data, employees can significantly improve turnaround times for problem solving.
3. Increased business process efficiency: Using mobile devices significantly improves supply chain management, which improves overall business processes by shortening the time between order, production and shipment.
4. Employee security and safety: Even when employees are travelling on business and not available in the office, they can always stay in contact and connected.
5. Employee retention: Mobile devices give an improved work–life balance by allowing tasks to be performed remotely.

If an organization does not implement proper and strong security policies, there is an enormous risk of loss, theft or misuse of the confidential data held on mobile devices. Since every business process is now handled through these devices, a great deal of information is put at risk on employees' devices. Mobile devices, whether issued by the organization or owned by the employees themselves, are at risk if not handled appropriately.


All these mobile devices must be viewed in the same light as existing PCs and workstations, as they are likewise susceptible to malicious attacks using viruses, worms, Trojan horses and the like. They can also fall victim to cyberattacks through malicious applications, spam and phishing schemes. Being portable, they are more exposed to loss, theft and damage. Mobile devices also differ from existing PCs in terms of operating system, applications, update mechanisms and so forth. One threat unique to these devices is jailbreaking (or rooting) software, which removes the platform's built-in restrictions: it lets a stranger take over a device and access its data, and it can lead to further attacks, such as turning the device into a zombie that automatically connects to an unknown Bluetooth device or to an open, unsecured Wi-Fi network. Moreover, with the expanding range and availability of new applications built on open platforms specifically for mobile devices, there are now many ways to undermine the security protocols and policies of most organizations, which were designed to protect servers, PCs and laptops. Because these risks are harder to recognize, managers should consciously take steps to protect their business from risks that may fly under the corporate security radar. Has your company built systems that take account of the features unique to mobile devices that could pose a risk? These risks can be categorized into the following five areas:
1. Physical access: Mobile devices are small, easily carried and extremely lightweight. While their diminutive size makes them perfect travel companions, it also makes them easy to steal or to leave behind in airports, planes or taxis. As with more conventional devices, physical access to a mobile device amounts to 'game over'. The cleverest intrusion detection system and the best antivirus software are useless against a malicious individual with physical access. On older devices, or on devices without hardware-backed storage encryption, bypassing a password or screen lock can be a trivial task for a seasoned attacker, and once the lock is bypassed the data that the device decrypts on unlock is exposed too. This may include not only corporate data on the device but also credentials kept in places like the iPhone Keychain, which could grant access to corporate services such as e-mail and virtual private networks (VPNs). To make matters worse, on older devices a built-in factory reset or re-flashing the operating system did not fully remove data: forensic data retrieval software, available to the general public, could recover information from phones and other mobile devices even after it had been deleted or the device had been reset. Devices that encrypt their storage by default close this gap because a reset discards the encryption key (a crypto-erase), leaving only unreadable ciphertext behind; the practical check before trusting a reset as a sanitisation step is to confirm that storage encryption was actually enabled on that device.
2. Malicious code: Mobile malware threats are typically socially engineered and focus on tricking the user into accepting what the attacker is offering. The most prolific include spam, weaponized links on social networking sites and rogue applications. While mobile users are not yet subject to the same drive-by downloads that PC users face, mobile advertisements are increasingly being used as part of many attacks, a practice known as 'malvertising'. Android devices are the biggest target because they are widely used and it is easy to develop software for them. Mobile malware Trojans designed to steal data can operate over either the mobile phone network or any connected Wi-Fi network. They are often delivered via SMS (text message): when the user taps a link in the message, the Trojan is delivered in the form of an application, from which it is then free to spread to other devices. When these applications transmit their data over the mobile phone network, they create a large data-leakage gap that is hard to close in a corporate environment, because that traffic never touches the corporate network or its monitoring.


3. Device attacks: Attacks targeted at the device itself resemble the PC attacks of the past. Browser-based attacks, buffer overflow exploitation and other attacks are possible. The short message service (SMS) and multimedia message service (MMS) offered on mobile devices give attackers additional avenues. Device attacks are typically designed either to gain control of the device and access its data, or to enlist it in a distributed denial-of-service (DDoS) attack.
4. Communication interception: Wi-Fi-enabled mobile devices are vulnerable to the same attacks that affect other Wi-Fi-capable devices. The technology for breaking into wireless networks is readily available, and much of it can be found on the Internet, making Wi-Fi hacking and man-in-the-middle (MITM) attacks simple to perform. Cellular data transmission can also be intercepted and decrypted (the older GSM ciphers, for example, have known practical attacks, and a rogue base station can push a phone down onto them). Attackers can exploit weaknesses in these Wi-Fi and cellular data protocols to eavesdrop on data transmission or to hijack users' sessions for online services, including e-mail. For organizations whose employees use free Wi-Fi hotspot services, the stakes are high. While losing a personal social networking login may be inconvenient, people logging on to enterprise systems may be giving attackers access to an entire corporate database. The practical defence is to treat every network as hostile: require TLS with certificate validation for each service and route everything else through a VPN.
5. Insider threats: Mobile devices can also facilitate threats from employees and other insiders. People are the weakest link in any security strategy, and many employees have neither the knowledge nor the time to track whether their devices have up-to-date security software installed. Downloading applications can likewise lead to inadvertent threats. Most people download applications from app stores and use mobile applications that can access enterprise resources, yet no one has any idea who developed an application, how well it was built, or whether there is a threat vector through the application straight back to the corporate network.
The misuse of personal cloud services through mobile applications is another issue; when used to convey enterprise data, these applications can lead to data leaks that the organization remains completely unaware of. Not all insider threats are accidental: malicious insiders can use a mobile device to exfiltrate data by downloading large amounts of corporate data to the device's Secure Digital (SD) flash memory card, or by using the device to send data via e-mail services to outside accounts, bypassing even strong monitoring technologies such as data loss prevention (DLP). Mobile security threats will keep evolving as corporate data is accessed from a seemingly endless pool of devices and attackers try to take advantage of the trend. Ensuring that users fully understand the implications of poor mobile security practices and getting them to adhere to best practices can be difficult. Many device users remain unaware of threats, and the devices themselves tend to lack basic tools that are readily available for other platforms, such as antivirus, anti-spam and endpoint firewalls.
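The interception risk in item 4, and the 'Free Airport Wi-Fi' lure described under network spoofing in Section 2.9, are easiest to reason about with a concrete check. The Python below is an added example written for this page, not code from the book: it takes a list of scan records of the kind a client or a wireless intrusion detection sensor collects (constructed here for illustration) and flags access points that advertise a known corporate SSID with the wrong security mode or from hardware the organization does not own, which is how an evil-twin access point usually looks from the client side. The field names, the allow-list of networks and the vendor prefix (OUI) assumed for the fleet are this example's own assumptions.

```python
# Constructed scan records for this example, in the shape a scanner such as
# 'nmcli dev wifi list' or a wireless IDS reports: one entry per beacon seen.
SCAN = [
    {"ssid": "Corp-Guest", "bssid": "a4:2b:8c:11:22:33", "security": "WPA2", "signal": -61},
    {"ssid": "Corp-Guest", "bssid": "02:13:37:aa:bb:cc", "security": "OPEN", "signal": -38},
    {"ssid": "CorpNet", "bssid": "a4:2b:8c:11:22:34", "security": "WPA2-Enterprise", "signal": -70},
    {"ssid": "Free Airport Wi-Fi", "bssid": "06:13:37:de:ad:01", "security": "OPEN", "signal": -45},
]

# Constructed allow-list: the SSIDs the organization really operates, the
# security mode each must use and the vendor prefix (OUI) of its access points.
KNOWN_NETWORKS = {
    "Corp-Guest": {"security": "WPA2", "oui": "a4:2b:8c"},
    "CorpNet": {"security": "WPA2-Enterprise", "oui": "a4:2b:8c"},
}


def is_locally_administered(bssid):
    """True if the MAC has the locally administered bit set (bit 1 of the first
    octet). Real vendor-burned addresses have it clear; software access points
    and spoofed addresses very often have it set, so treat it as a weak signal."""
    first_octet = int(bssid.split(":")[0], 16)
    return bool(first_octet & 0x02)


def assess_access_point(record, known=KNOWN_NETWORKS):
    """Return the reasons one scan record looks like a rogue or evil-twin AP."""
    reasons = []
    expected = known.get(record["ssid"])
    if expected:
        # An impostor usually runs open (or PSK) because it cannot reproduce
        # the real network's credentials or enterprise certificate.
        if record["security"] != expected["security"]:
            reasons.append(f"advertises {record['security']} but {record['ssid']} "
                           f"must be {expected['security']}")
        # Our SSID from a vendor prefix we never deployed.
        if not record["bssid"].lower().startswith(expected["oui"]):
            reasons.append(f"BSSID {record['bssid']} is not our hardware "
                           f"(expected OUI {expected['oui']})")
    if is_locally_administered(record["bssid"]):
        reasons.append(f"BSSID {record['bssid']} is a locally administered address")
    return reasons


def find_evil_twins(scan, known=KNOWN_NETWORKS):
    """Map each suspicious BSSID in a scan to the reasons it was flagged."""
    verdicts = {}
    for record in scan:
        reasons = assess_access_point(record, known)
        if reasons:
            verdicts[record["bssid"]] = reasons
    return verdicts


def safe_to_join(record, known=KNOWN_NETWORKS):
    """Client-side policy: join only known SSIDs from access points with no findings."""
    return record["ssid"] in known and not assess_access_point(record, known)


if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SCAN).items():
        print(bssid)
        for reason in reasons:
            print("   -", reason)
    strongest = max(SCAN, key=lambda r: r["signal"])
    print("strongest signal:", strongest["ssid"], strongest["bssid"],
          "safe" if safe_to_join(strongest) else "do not join")
```

Note what the constructed data shows: the impostor 'Corp-Guest' has the strongest signal, so a client that auto-joins the loudest access point with a remembered name picks the rogue. The checks here are a first filter, not proof: an attacker can clone a vendor OUI and run WPA2 with a guessed passphrase, which is why enterprise networks should use 802.1X with server certificate validation on the client, and why the later checklist tells users to avoid unknown networks altogether.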

POINTS TO REMEMBER
Mobile technology, properly used, gives an organization the following significant benefits:
1. Improved customer service: With continuous access to customer data, employees can significantly improve turnaround times for problem solving.
2. Employee security and safety: Even when employees are travelling on business and not available in the office, they can always stay in contact and connected.
3. Employee retention: Mobile devices give an improved work–life balance by allowing tasks to be performed remotely.


2.11 Organizational Measures for Handling Mobile Phones: Device Related Security Issues

Although mobile devices have been taking on more of the capabilities that were once available only on PCs, the technical security solutions for mobile devices are not as sophisticated or as broad as those for PCs. This means that much of mobile device security depends on the user making wise, careful decisions, and even the most cautious user can still fall victim to an attack on their device. The following four key questions should be addressed when building a mobile security strategy:
1. How do we deny access to unauthorized users? Train employees to set a strong passcode on their mobile device and to change it every three to six months. Mobile management systems can automate enforcement. (Current guidance such as NIST SP 800-63B favours long passcodes that are changed when compromise is suspected rather than on a fixed schedule; the enforcement mechanism is the same either way.)
2. What is our plan if a personal device gets lost or stolen? Remote lock lets you freeze a device, which is useful if there is a good chance it will turn up again. If it is gone for good, remote wipe lets you permanently delete the stored data.
3. How do we remove corporate data from a personal device whose owner is leaving the company? Management tools can be used to separate enterprise and personal data. When an employee leaves, IT can wipe the enterprise data while leaving personal data untouched. This capability protects the organization without inconveniencing the user.
4. How do we keep prying eyes away from confidential files? Use mobility management software to encrypt enterprise data, both as it is transmitted and when it is 'at rest' in the device's storage.

Some of the most common security features used to protect mobile assets are:
(a) Enforced authentication: Whenever a mobile device connects to an organization's network, the user should have to enter authentication credentials.
(b) Over-the-air data encryption: An organization should enforce the use of TLS, the successor to Secure Sockets Layer (SSL), when exchanging data wirelessly with mobile devices; SSL itself is obsolete and should be disabled.
(c) Over-the-air provisioning: IT staff should be able to configure and update mobile applications remotely from a central platform.
(d) Remote wipe and data fading: There should be a way to clear all data remotely and change the settings on a lost or stolen PDA, mobile phone or tablet.
(e) Full disk encryption: An organization should use full disk encryption to make it practically impossible for anyone without authorization to read private data on mobile devices.
(f) Separation of personal and enterprise information: There should be a facility to secure, control and erase corporate data and applications without affecting a user's personal photographs, music or games.
(g) User access rights and security policies: An organization should track and control exactly what data users can access from their mobile devices.
(h) Network filters: Network filtering should be applied to monitor who is attempting to access the corporate network and to block access unless a device management client is installed on the device.
(i) Including mobile devices in the security strategy: Enterprises that would rather not include mobile devices in their environment often cite security, saying they fear the loss of sensitive information that could result from a PDA being stolen or an unsecured wireless connection being used. Those concerns are no longer realistic. There are technologies available to properly secure mobile devices, and these should be adequate for most organizations; corporate IT departments simply need to do their homework. For instance, there are ways to make devices lock or destroy their data when they receive a special message. Likewise, many mobile devices have processors powerful enough to support 128-bit encryption.

Although mobile devices present unique challenges from a cybersecurity point of view, there are some general steps that organizations can take to address them, such as integrating security programs for mobile and wireless systems into the overall security framework. Enterprises can draw on the following list:
• Implement strong asset management, virus scanning, loss prevention and other controls for mobile systems that will disallow unauthorized access and the entry of corrupted data.
• Examine options that permit secure access to organizational data through a firewall, such as mobile VPNs.
• Establish a schedule of progressively more thorough audits and security reviews for mobile devices.
• Build security awareness into mobile training and support programs so that everyone understands how significant an issue security is within the organization's overall IT strategy.
• When a device is lost or compromised, inform the appropriate law-enforcement agency and change passwords. User accounts should be closely monitored for any unusual activity for some time afterwards.

2.12 Security Policies and Measures in Mobile Computing Era and Laptops

Mobile devices are receiving attention as technological advances move productivity tools from desktops to pockets amid a growing reliance on mobile applications. Systems and strategies should be developed to assess and manage the security features of the various devices that are already in the workplace or corporately deployed. For effective mobile device management, an organization should adhere to the following principles:
1. Identify all mobile devices on the network: Regular audits should be carried out to identify servers and other mobile systems and to ensure that there are no unauthorized devices.
2. Know which back-office systems employees need to access: Identify which employees can make do with e-mail access alone, which need specific-purpose applications and which need executive-level access.
3. Formalize user types and set policies: Suitable user groups should be created and strict management policies set for each group.
4. Be ready to block access: Filters should be used to control access to back-end systems and to block devices that do not have a management client installed.
5. Add password and encryption policies plus remote wipe: The organization should implement minimum mobile security measures, such as passcode requirements, on-device data encryption, remote wipe for lost devices and inventory management to identify which devices are connected to the network.
6. Consider separating personal data from business data: Mobile devices should be able to store enterprise data in one area of the device and encrypt and password-protect only that area.
7. Enable users to be self-sufficient: The burden on the organization should be limited by using client management applications that keep mobile devices in compliance. User training should be organized regularly.

Effective remote management and data protection tools and strategies are vital to preventing mobile security breaches. Protecting sensitive data on mobile devices requires an understanding of the many ways in which security can be undermined. Providing a bulletproof strategy requires mobile security policies and capabilities, security-aware employees and a comprehensive set of mobile device management tools. The steps for securing an organization's mobile devices, by configuring them securely, are the following:
1. Enable auto-lock.
2. Enable password protection that requires complex passcodes.
3. Avoid auto-complete features that remember usernames or passwords.
4. Ensure that browser security settings are configured appropriately.
5. Enable remote wipe.
6. Ensure that TLS/SSL protection is enabled, where available.
7. Connect only to secure Wi-Fi networks, and disable Bluetooth, infrared or Wi-Fi when they are not in use. Also set Bluetooth-enabled devices to non-discoverable so that they are invisible to unauthenticated devices. Avoid joining unknown Wi-Fi networks.
8. Use digital certificates on mobile devices.
9. Take appropriate physical security measures to prevent theft of, or enable recovery of, mobile devices.
10. Use cable locks for laptops.
11. Use tracking and tracing application software.
12. Never leave a mobile device unattended.
13. Report lost or stolen devices immediately.
14. Back up the data on mobile devices on a regular basis.
15. Develop appropriate sanitisation and disposal procedures for mobile devices. Delete all stored information before discarding, exchanging or donating devices.
16. Educate employees about mobile security.
17. Update mobile devices frequently. Select the automatic update option. Keep software up to date, including operating systems and applications.
18. Use antivirus programs, configure automatic updates and keep signatures up to date.
19. Use an encryption solution to keep mobile data secure in transit.
20. Data protection is essential. If confidential data must be accessed or stored using a mobile device, make sure users have installed an encryption solution (e.g., Guardian Edge Smartphone Protection, McAfee Endpoint Encryption, PGP Mobile and Pointsec Mobile Encryption). These products date from when this list was compiled; current iOS and Android releases encrypt storage by default, so the check today is that the built-in encryption is enabled and backed by a passcode.
21. Evaluate, or at least be aware of, the encryption options available for mobile devices. Some devices offer more advanced security solutions than others.
22. Teach users to avoid using or storing private information on a mobile device whenever possible.
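The management features listed in Section 2.11 (enforced authentication, remote wipe, separation of personal and enterprise data, and network filters that admit only devices carrying a management client) and steps 4 to 7 and the configuration checklist above all reduce to one evaluation that a mobile device management (MDM) platform runs against its inventory. The Python below is an added example written for this page, not code from the book or from any MDM product: it models a device record as a management client would report it, evaluates it against a policy, gates network access on the result, and implements the two wipe paths (full wipe of a lost device, selective wipe of the enterprise container when an employee leaves). The field names, the policy thresholds and the sample devices are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Policy thresholds are assumptions for this example; the passcode-age limit
# follows the three-to-six-month rotation the text recommends.
POLICY = {
    "min_os_version": (14, 0),
    "max_passcode_age_days": 180,
    "min_passcode_length": 6,
}


@dataclass
class Device:
    """Inventory record for one device, as a management client would report it."""
    device_id: str
    owner: str
    os_version: tuple
    management_client: bool
    passcode_length: int          # 0 means no passcode set
    passcode_age_days: int
    storage_encrypted: bool
    bluetooth_discoverable: bool
    enterprise_data: dict = field(default_factory=dict)   # the managed container
    personal_data: dict = field(default_factory=dict)     # the user's own data
    locked: bool = False


def compliance_violations(device, policy=POLICY):
    """Return the policy rules the device fails (an empty list means compliant)."""
    violations = []
    if not device.management_client:
        violations.append("no management client installed")
    if device.os_version < policy["min_os_version"]:
        violations.append("operating system out of date")
    if device.passcode_length < policy["min_passcode_length"]:
        violations.append("passcode too short or not set")
    if device.passcode_age_days > policy["max_passcode_age_days"]:
        violations.append("passcode older than policy allows")
    if not device.storage_encrypted:
        violations.append("storage not encrypted")
    if device.bluetooth_discoverable:
        violations.append("Bluetooth left discoverable")
    return violations


def network_decision(device, policy=POLICY):
    """Network filter: admit only managed, compliant devices to corporate systems."""
    return "allow" if not compliance_violations(device, policy) else "block"


def lost_device_response(device, expected_to_turn_up):
    """Remote lock if the device may come back; otherwise remote-wipe everything."""
    device.locked = True
    if expected_to_turn_up:
        return "locked"
    device.enterprise_data.clear()
    device.personal_data.clear()
    return "wiped"


def offboard_employee(device):
    """Selective wipe: remove the enterprise container, leave personal data alone.
    Returns the number of enterprise items removed."""
    removed = len(device.enterprise_data)
    device.enterprise_data.clear()
    return removed


# Constructed sample fleet: one compliant device and one that fails every rule.
FLEET = [
    Device("D-001", "asha", (15, 2), True, 8, 40, True, False,
           enterprise_data={"mail": "cached", "crm": "cached"},
           personal_data={"photos": 312}),
    Device("D-002", "ravi", (12, 4), False, 4, 400, False, True,
           enterprise_data={"mail": "cached"}, personal_data={"music": 90}),
]


if __name__ == "__main__":
    for device in FLEET:
        print(device.device_id, network_decision(device), compliance_violations(device))
    print("offboarding D-001 removed", offboard_employee(FLEET[0]), "enterprise items;",
          "personal data kept:", FLEET[0].personal_data)
    print("D-002 reported lost:", lost_device_response(FLEET[1], expected_to_turn_up=False),
          FLEET[1].enterprise_data, FLEET[1].personal_data)
```

The design point worth noting is that the network gate and the wipe actions key off the same inventory record: a device that is not enrolled cannot be evaluated, so it is blocked by default, and a device that is enrolled can be locked, fully wiped or selectively wiped without touching the user's personal data. Real MDM platforms add the transport (push of the lock or wipe command) and the attestation that the client's report is honest; neither is modelled here.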

2.12.1 Importance of Security Policies relating to Mobile Computing Devices

The proliferation of mobile devices makes the cybersecurity problem graver than we tend to think. People have become so used to their mobile devices that they treat them like wallets. For instance, people are storing more kinds of private information on mobile computing devices than their employers, or they themselves, realise, alongside the music they listen to on the same hand-held devices. Credit card and bank account numbers, passwords, confidential e-mails, key information about the organization such as merger or takeover plans, and any other important data that could affect stock values should not be kept on mobile devices. Imagine the business impact if an employee's USB drive, pluggable drive or laptop were lost or stolen, exposing sensitive customer data such as credit reports, social security numbers (SSNs) and contact details. Not only would this be a public relations (PR) disaster, it could also violate laws and regulations. One should think carefully about the potential legal problems for a public company whose business figures, employee records or development plans fall into the wrong hands.

2.12.2 Operating Guidelines for Implementing Mobile Device Security Policies

In situations such as those listed above, the ideal solution is to prohibit all private data from being stored on mobile devices, but this may not always be practical. Organizations can nevertheless reduce the risk that private data will be accessed from lost or stolen mobile devices through the following steps:
1. Decide whether employees in the organization need to use mobile computing devices at all, based on the risks and benefits within the organization, its industry and its regulatory environment.
2. Implement additional security technologies as appropriate to fit both the organization and the types of devices used. Most (and perhaps all) mobile computing devices should have their native security expanded with tools such as strong encryption, device passcodes and physical locks.
3. Biometric techniques can be used for authentication and encryption and can potentially eliminate the difficulties associated with passwords.
4. Standardize the mobile computing devices and the associated security tools used with them. As a matter of basic principle, security weakens rapidly as the tools and devices in use become more diverse.
5. Develop a specific framework for using mobile computing devices, including rules for data synchronization, the use of firewalls and anti-malware software, and the kinds of information that can be stored on them.
6. Centralize the management of your mobile computing devices. Maintain an inventory so that you know who is using which kinds of devices.


POINTS TO REMEMBER
1. Mobile devices can also facilitate threats from employees and other insiders. People are the weakest link in any security strategy, and many employees have neither the knowledge nor the time to track whether their devices have up-to-date software.
2. Mobile devices are receiving attention as technological advances move productivity tools from desktops to pockets amid a growing reliance on mobile applications.



Summary

In this chapter, we have discussed the systematic methodology used by attackers to launch cyberattacks, gathering information about targets through passive techniques such as social engineering. Cyberstalking is one of the common approaches attackers use to intimidate targets. A cyber cafe is a haven for attackers, who use it both to gather information about a target and to launch attacks on a remote network or an individual target. The Internet has become an essential part of our lives, and we rely on shared resources for storage and computation that an attacker can easily misuse to launch an attack. Botnets are sold over the Internet and are a major threat to the connected resources of a network. We learned how criminals actually plan attacks and how we should deal with such attacks. At present, conventional computing devices are being replaced by mobile devices. These devices increase productivity and make it easy to work anywhere, but the loss of confidential information is the major threat to such portable systems. Although organizations have perimeter security, it does not always apply to such portable devices, and the devices themselves are prone to being lost or stolen. This chapter focused on how handheld devices can be misused to launch attacks that steal sensitive and confidential organizational data. The security challenges posed by wireless devices were discussed and various authentication-service security mechanisms were recommended to protect the devices. Different technical attacks on mobile devices were discussed, and organizational measures, security policy structure and implementation guidelines were proposed. Finally, physical security guidelines to safeguard laptops in organizations were discussed.



Review Questions

1. What are cyber offences? Discuss. Refer to Subsection 2.1.1.
2. Define cybercrime. Refer to Subsection 2.1.2.
3. How do criminals plan attacks? Refer to Subsection 2.2.1.
4. Explain active attacks and passive attacks in detail. Refer to Subsection 2.2.1.
5. What is social engineering? Explain with the help of an example. Refer to Subsection 2.2.2.
6. Explain the impact of cybercrimes in social engineering. Refer to Subsection 2.2.2.
7. Write a short note on cyberstalking. Refer to Subsection 2.2.3.
8. What are botnets? Explain the significance of botnets in cybercrime. Refer to Subsection 2.3.1.
9. What are the different attacks launched with the attack vector? Explain in detail. Refer to Subsection 2.3.2.
10. How are cyber cafes used in cybercrimes? Explain with a suitable example. Refer to Subsection 2.2.4.
11. How are cybercriminals attacking cloud services? Explain with examples. Refer to Subsection 2.3.3.
12. What is the proliferation of mobile and wireless devices? Explain. Refer to Section 2.4.
13. Discuss cybercrime activities in mobile devices. Refer to Subsection 2.5.1.
14. Write about cybercrime activities in wireless devices. Refer to Section 2.5.
15. Explain the various types of cloud computing services. Refer to Subsection 2.3.3.
16. What are the different trends in wireless devices? Refer to Subsection 2.5.1.
17. Explain credit card frauds in the era of mobile and wireless computing. Refer to Subsection 2.5.2.
18. What are the different security challenges posed by mobile devices? Explain. Refer to Section 2.6.
19. Discuss authentication service security. Refer to Section 2.8.
20. Explain with examples attacks on mobile devices. Refer to Section 2.9.
21. Discuss the security implications for organizations. Refer to Section 2.10.
22. What different organizational measures are taken for handling mobile devices? Refer to Section 2.11.
23. Explain organizational security policies for mobile devices. Refer to Subsection 2.12.1.
24. What are the different security policies on laptops and wireless devices? Explain. Refer to Section 2.12.
25. Explain different cybersecurity aspects related to mobile and wireless devices. Refer to Section 2.12.
26. Write short notes on:
(a) Social engineering. Refer to Subsection 2.2.2.
(b) Botnets. Refer to Subsection 2.3.1.
(c) Attack vector. Refer to Subsection 2.3.2.
(d) Trends in mobility. Refer to Subsection 2.5.1.


Chapter 3  Methods and Tools used in Cyber Line

Learning Objectives

After reading this chapter, the reader will be able to
• Interpret and document password cracking attacks.
• Compare key loggers and spywares, virus and worms, Trojan, Backdoor and Steganography.
• Understand and identify DoS and DDoS attacks.
• Understand the concept of SQL injection, buffer overflow.
• Assess attacks on wireless networks.
• Understand the concept of enumeration.
• Predict phishing, identity theft (ID theft) attacks and explore the knowledge of phishing tools used in cyber line.

If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it. —Tim Cook

3.1 Introduction

In this chapter, we are going to learn about various attacks such as phishing, identity theft, password cracking, viruses, worms and many more, and about how they are conducted. We will also learn about their different types and methods and the tools that are used for conducting such attacks. You will also get to know the effects caused by these attacks and what measures you can take to prevent them. You will be able to differentiate between viruses, worms, steganography and cryptography. You will gain a deeper understanding of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, SQL injection and buffer overflow attacks, and at the end of this chapter you will get to know about enumeration and some other attacks on wireless networks.

3.2 Password Cracking

3.2.1 What Is Password Cracking?

Password cracking techniques are used to recover passwords from data stored in computer systems or from data that is being transmitted. Attackers use password-cracking techniques to obtain passwords and thereby gain unauthorized access to vulnerable systems. Most of the time, cracking passwords is easy and succeeds because of weak or easily guessable passwords. Password cracking techniques are also helpful in the recovery of forgotten passwords.

3.2.2 Most Used Password Cracking Techniques

Figure 3.1 gives a glimpse of the various password cracking techniques used by attackers.

Figure 3.1  Various password cracking techniques used by attackers: guessing, dictionary attack, brute force attack, rainbow table attack, phishing, social engineering, offline cracking, shoulder surfing, spidering and malware.

1. Dictionary attack: As the name suggests, a dictionary attack is a method that uses words which are most commonly used by people, for example, abcd, aaaa, etc. There are multiple words already defined in the system, and they are tried against the system one by one until a match is found. There can be combinations of these words as well. If you mix words together to make a phrase, such as 'smart administrator officer', to avoid dictionary attacks, then this attack will take more time but is still able to crack the password by trying combinations of words.
2. Brute force attack: A brute force attack is a bit more sophisticated than a dictionary attack. A dictionary attack uses only words, whereas a brute force attack includes non-dictionary terms such as alphanumeric combinations. Therefore, passwords such as a1b2c3 and abc123 can be easily recovered by this attack. This method slows down when longer passwords are used; it needs additional computing power to reduce the cracking time.
3. Rainbow table attack: When an attacker uses a rainbow hash table to crack the passwords present in a database, it is called a rainbow table attack. A rainbow table is built from a hash function: it stores important data such as passwords together with their corresponding hash values. This hash function is one-way, which means it cannot be reversed. Hence, whenever the user enters a password, the password is hashed the same way every time and then matched with the stored value. Firstly, the attackers create the table from the most common passwords, and then they search whether these hashes are present in the database. As soon as a match is found, the process terminates and the password is cracked. However, rainbow tables are huge and require a large amount of space. If the hash is salted, that is, a random value is added before hashing the password, then rainbow tables do not work.
4. Phishing: There is a much easier way to crack a password: just ask the user for it. A phishing e-mail leads the unsuspecting reader to a fake login page that requests the user's credentials and password. That page then skims the password, and the attacker can go and use it for any purpose. Why write big programs to crack passwords when the users themselves are providing them to you?
5. Social engineering: Social engineering refers to malicious activities that take place through human interaction. It tricks users into giving away sensitive information. At first, the attacker gathers information about the victim. Then, they try to gain the victim's trust and make the user agree to some practice that grants access to critical resources. This technique relies on human error rather than software vulnerabilities. It can take many different forms, and it works very often.
6. Malware: When an attacker creates malicious software and installs it on the victim's system without the victim's knowledge, to gain personal information or to damage the system, it is called a malware attack. The malware can record everything during login or signup and copy documents to the attacker's computer. Passwords saved in the browser and bank or debit/credit card details can also be easily accessed.
7. Offline cracking: In offline cracking, the attacker extracts the password hash file stored on the victim's computer systems and attempts to crack the hashes without alerting the victim. Offline attacks are the most widespread form of password cracking. Attackers find security holes in the victim's infrastructure to make this kind of attack work.
8. Shoulder surfing: It is the oldest and simplest method, and it always works. It is also called visual hacking. A sharp-eyed attacker watches your PC's keyboard or the ATM keypad while you enter a PIN or password. They can record or recognise the movement of your fingers and later take advantage of it. This attack can take place anywhere, for example, at ATMs, at restaurants while paying a bill, or when you perform a bank transaction in a public place.
9. Spidering: The spidering technique relies on intimate knowledge of the victim. Many companies use passwords that are related to their business. Hence, attackers study corporate literature, mission statements and sales material and create a word list that can be used as part of a brute force attack. Some automated tools are available for improving the efficiency of this technique.
10. Guessing: Guessing passwords is the most basic technique. Most passwords are easy to predict based on a person's important details such as birthdate, family member details, etc.

3.2.3 Prevention Measures of Password Cracking

A company or user can do the following things to prevent password cracking attacks:
1. Avoid short and weak passwords. Figure 3.2 shows why long passwords matter.
2. Avoid using the most common and predictable passwords such as 1234, a1b2c3 or 112233, etc.
3. Store encrypted passwords in the database and try to hash them more than once with the same or different keys. Add salt to the password. Salting involves adding some value to the provided password before creating the hash.
4. Organizations can use strength detecting techniques to make sure that a strong password is provided by the user.
5. Do not use the same password for every system.

Figure 3.2  Amount of time required to crack a password: 7-character password, 0.29 seconds; 8-character password, 5 hours; 9-character password, 5 days; 10-character password, 4 months; 11-character password, 1 decade.

6. Try to avoid using slang words or dictionary words.
7. Do not save passwords in web browsers, and install applications only from trusted organizations to prevent malware attacks.
8. Auditing passwords regularly can also help.
9. Apply 2-step verification/multi-factor authentication wherever available.
10. Enter your credentials only on fully secure websites. Do not reply to any e-mail asking for a password or information before making sure that it comes from a secure and trusted source, to avoid phishing and social engineering attacks.
11. Also, do not agree to terms and conditions before reading them.
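The following block is an added example, not code from the book, that puts measures 1, 2, 3, 4 and 6 above into practice on the defender's side: a policy check that rejects short, common and dictionary-only passwords (including multi-word phrases, which the dictionary attack in Section 3.2.2 still reaches), and salted storage with PBKDF2-HMAC-SHA256 so that two users with the same password get different stored hashes and one precomputed rainbow table cannot serve both. The common-password set, the dictionary set and the iteration count are constructed stand-ins chosen for this example; a real deployment would use a large leaked-password list and tune the iteration count to its hardware.

```python
"""Password policy check and salted password storage (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached/common-password list (a real check
# would consult a list of millions of leaked passwords).
COMMON_PASSWORDS = {"1234", "a1b2c3", "112233", "password", "abc123", "abcd", "aaaa"}
# Constructed stand-in for a dictionary/slang word list.
DICTIONARY_WORDS = {"smart", "administrator", "officer", "admin", "welcome", "summer"}
# Assumption for this example; choose the iteration count for your own hardware.
PBKDF2_ITERATIONS = 200_000


def password_weaknesses(password: str) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    # A phrase built purely from dictionary words still falls to a
    # combination dictionary attack, so flag it even when it is long.
    words = re.sub(r"[^a-z]", " ", password.lower()).split()
    if words and all(w in DICTIONARY_WORDS for w in words):
        problems.append("made only of dictionary words")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest): PBKDF2-HMAC-SHA256 over the password and a
    random 16-byte salt. The salt is stored beside the digest; it is not a
    secret, it only makes precomputed tables useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def salt_defeats_lookup(password: str) -> bool:
    """Two users choosing the same password get different stored digests,
    so a single precomputed (rainbow) table cannot serve both."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


if __name__ == "__main__":
    for candidate in ("1234", "smart administrator officer", "Correct-Horse9battery!"):
        print(candidate, "->", password_weaknesses(candidate) or "ok")
    salt, digest = hash_password("Correct-Horse9battery!")
    print("verify:", verify_password("Correct-Horse9battery!", salt, digest))
    print("salt defeats lookup:", salt_defeats_lookup("Correct-Horse9battery!"))
```

Note that the policy check only rejects bad choices; it is the salted, iterated hash that limits the damage when the hash file itself is stolen (the offline cracking case in Section 3.2.2), because each guess then costs the attacker the full PBKDF2 work per user.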

3.2.4 Best Password Cracking Tools

1. Brutus: Brutus is one of the most widely used online tools for password cracking. It claims to be the fastest tool and is free for all users. It supports HTTP basic authentication, Telnet, IMAP, NNTP, POP3, HTTP (HTML form/CGI), FTP, SMB and other types such as NetBus. This tool has not been updated for years now; however, it can still be used today.
2. RainbowCrack: It falls in the hash cracker category and utilizes a large-scale time-memory trade-off for faster password cracking compared to traditional brute force tools. The time-memory trade-off is a process in which all plaintext and hash pairs are computed in advance using a chosen hash algorithm, and the results are stored in a rainbow table. Building the table can be very time-consuming; however, once the table is ready, it can crack passwords much faster than tools using brute force. This tool is available for Linux and Windows systems.
3. Wfuzz: It is a password cracking tool that cracks passwords using brute force. It also finds hidden resources such as servlets, scripts and directories, and it is capable of identifying different kinds of injections, such as SQL injection, LDAP injection and XSS injection, in web applications.
4. Cain and Abel: It is a very popular tool that can handle a variety of tasks. It sniffs the network to crack encrypted passwords by dictionary and brute force attacks, records voice over Internet protocol (VoIP) conversations, reveals password boxes, performs cryptanalysis attacks and analyses routing protocols. Cain and Abel does not exploit any bugs or vulnerabilities; it only uses the security weaknesses of a protocol to grab the password. It was mainly developed for forensics staff, network administrators, penetration testers and security professionals.
5. John the Ripper: For cracking passwords on operating systems such as Linux, UNIX, Mac OS X and also Windows, John the Ripper is one of the most popular programs. It detects weak passwords and offers additional features in the pro version of the tool.
6. THC Hydra: THC Hydra is a fast password cracking tool. Its features can be enhanced by adding more modules. It supports a wide variety of network protocols. This tool is available for Windows, Linux, Solaris, OS X and FreeBSD. Any developer can contribute to improve the tool.
7. Medusa: Similar to THC Hydra, Medusa is another tool for password cracking. Medusa is a command-line tool which should be studied and understood before use. The tool's efficiency depends on network connectivity. It has the ability to test almost 2000 passwords per minute. An attacker can also carry out multiple attacks at a time and find the passwords of multiple e-mail accounts at once.
8. OphCrack: It is a rainbow-table based tool for password cracking on Windows which is freely available to everyone. This tool can also be used on Mac or Linux. It can crack LM and NTLM hashes. Free rainbow tables are also available for cracking Windows 7 passwords.
9. L0phtCrack: This serves as an alternative to OphCrack. It makes various attempts at cracking Windows passwords from hashes. It utilizes primary domain controllers, network servers, Windows workstations and also Active Directory for password cracking. It also makes use of dictionary and brute force attacks for guessing and generating passwords.
10. Aircrack-NG: If one wants to crack Wi-Fi passwords, Aircrack-NG is the best tool for WPA or WEP passwords. This tool analyses WEP traffic and tries to crack passwords with several algorithms. It is available on Linux and Windows systems.

POINTS TO REMEMBER
1. Password cracking techniques are used to recover passwords from the data stored in computer systems or from the data being transmitted.
2. Different methods and techniques are used to crack passwords, such as brute force attacks, dictionary attacks, etc.
3. To prevent a password from getting cracked, make sure you set a strong password that has alphanumeric characters and symbols and is at least 8 characters long.

3.3 Malwares

3.3.1 Keyloggers

Have you heard of any tool that records the keystrokes you make on the keyboard? A keylogger is one such tool; it can be embedded in or installed on a computer system, and its presence is difficult to detect.

Types of Keyloggers

As shown in Fig. 3.3, keyloggers are basically divided into two types: (1) software-based keyloggers and (2) hardware-based keyloggers.

Figure 3.3  Types of keyloggers: software-based keyloggers and hardware-based keyloggers.

Software-based keyloggers. Software-based keyloggers monitor keystrokes by recording them and then sending the recording to the attacker by uploading it to some Internet location. They can also track all the information that we enter into websites over the Internet using screen recording. These keyloggers are now also used for keeping an eye on employees, or by parents to know about their children's activity. They are difficult to detect and hence are very popular for spying. Following are some of the keyloggers in use nowadays:
1. Kidlogger: Kidlogger has the ability to record keystrokes, capture screenshots and also determine which applications were used. It comes with three types of accounts: basic, standard and professional. Depending on the type of account you choose, it gives you the storage space and additional features. The information and details can be obtained as HTML, CSV or JSON files. It can also connect to your e-mail and send notifications and reports. The free or basic type of account gives 9 MB of space to store data for 9 days.
2. Best Free Keylogger: Best Free Keylogger comes with a very good user interface and can record keyboard activity, capture screenshots, record Internet activity and track applications. If something fishy appears, it can filter the content into various categories such as gambling, drug dealing or pornography. It can also restrict an application if the controller wants to. Controllers can also restrict Internet access to certain time periods. There is an option called smart read which allows users to view the gathered information by date, application, text, etc.
3. Windows Keylogger: Windows Keylogger runs on computers with Windows as the operating system. It comes in a free and a paid version. It can do all the work that the previous keyloggers do, with the exception of screenshots. It has a calendar facility where the count of recordings for each day is available. A full report can also be generated based on the user activity in the paid version. This keylogger is the best fit in the 2020 arena.
4. Elite Keylogger: Elite Keylogger comes only in a paid version, which offers functionalities such as screen recording, screenshot capturing, keystroke recording, and Internet activity and application usage tracking. Elite Keylogger comes with a colourful interface and easily readable and understandable reports.
5. Spyrix Free Keylogger: Spyrix Keylogger is also paid software which monitors Internet activity and application usage and records the screen. Reports are delivered by e-mail or FTP. It has one additional feature that no other keylogger provides, a live view option, which makes it better than other keyloggers.

Hardware-based keyloggers. These keyloggers do not need installation; instead, they have to be fitted inside the physical system of a PC. They come in chip form. Monitor-based keyloggers monitor the keys pressed by the user and record them without the user's knowledge. Acoustic keyloggers record the sound of the keystrokes, which is unique for each key, thereby making the keys predictable. Keyloggers can be attached to any hardware device, so before connecting any device to your PC, you had better be careful.

How to Detect a Keylogger?

To detect whether a keylogger is running on your PC, you can start by going through the Task Manager. You might not find it directly, because of the names used by the processes running in the background; you can search those names on the Internet to identify them. You can also check for a keylogger on the start-up tab: keyloggers run all the time on your PC and hence need to be started with the OS. You can check your data usage details to get an idea of the programs that use the Internet, and if something unexpected shows up, bingo! Checking browser extensions and disabling those you did not install can also help.

Anti-Keylogger

There is software called anti-keylogger (Fig. 3.4) that helps in detecting a keylogger, if present. It audits all the running processes, starting from the BIOS to background operating system processes and running apps, browsing history, network settings, add-ons, plug-ins, etc. It is possible that one has to reinstall the operating system in order to get rid of a keylogger completely.

Figure 3.4  Anti-keylogger.
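The start-up check described above can be automated as a baseline comparison. The block below is an added example, not code from the book or from any anti-keylogger product: it takes an export of autostart entries (the constructed sample mimics a name/command/location listing such as the Task Manager start-up tab shows), compares it with the entries an administrator recorded on a clean machine, and flags entries that are new, that launch from a user-writable folder, or that borrow the name of a Windows system binary while living outside System32. The sample entries, the baseline and the trusted-directory list are all assumptions for this example.

```python
"""Audit autostart entries against a known-good baseline (added example)."""
from __future__ import annotations

# Constructed sample in the shape of a startup-entry export, one entry per
# line: name <TAB> command line <TAB> where it is registered.
STARTUP_EXPORT = (
    "OneDrive\tC:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background\tHKCU Run key\n"
    "SecurityHealth\tC:\\Windows\\System32\\SecurityHealthSystray.exe\tHKLM Run key\n"
    "svchost\tC:\\Users\\alice\\AppData\\Roaming\\svchost.exe -silent\tHKCU Run key\n"
    "update\t\"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\"\tStartup folder\n"
)

# Constructed baseline recorded by an administrator on a clean machine:
# (entry name, executable path) pairs.
BASELINE = {
    ("OneDrive", "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
}

# Directories a normal user cannot write to; entries launched from anywhere
# else (profile, AppData, Temp) deserve a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Windows binary names that hostile programs often borrow to blend in.
LOOKALIKE_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def executable_path(command: str) -> str:
    """Extract the executable from a command line, dropping quotes and arguments."""
    cmd = command.strip().strip('"')
    end = cmd.lower().find(".exe")
    return cmd[: end + 4] if end != -1 else cmd.split()[0]


def audit_startup(export: str, baseline: set[tuple[str, str]]) -> list[dict]:
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        name, command, location = line.split("\t")
        exe = executable_path(command)
        low = exe.lower()
        reasons = []
        if (name, exe) not in baseline:
            reasons.append("not in the clean-machine baseline")
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("runs from a user-writable location")
        basename = low.rsplit("\\", 1)[-1]
        if basename in LOOKALIKE_NAMES and not low.startswith("c:\\windows\\system32\\"):
            reasons.append("borrows a Windows system binary name")
        if reasons:
            findings.append({"name": name, "executable": exe,
                             "location": location, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_startup(STARTUP_EXPORT, BASELINE):
        print(f"{finding['name']:<16} {finding['executable']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

A hit is a lead, not a verdict: the next step is to look the file up by its hash and check its signer, exactly the "search the name on the Internet" step the text recommends, and to look at its network usage.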

3.3.2 Spyware

What Is Spyware?

Spyware is a type of malware that tries to keep itself hidden while it secretly records information and tracks your online activities on your computers or mobile devices. It can monitor and copy everything you enter, upload, download and store. Some strains of spyware are also capable of activating cameras and microphones to watch and listen to you undetected. By definition, spyware is designed to be invisible, which can be one of its most harmful attributes: the longer it goes undetected, the more damage it can cause. It is like a virtual stalker that follows you through your device usage, collecting your personal data along the way. Figure 3.5 gives an idea of the whole concept of spyware.

Figure 3.5  Spyware.

Strictly speaking, there are some valid applications of spyware. For example, your employer might have a security policy that allows them to use software to monitor the usage of employee computers and mobile devices. The aim of company spyware is generally either to protect proprietary information or to monitor employee productivity. Parental controls that limit device usage and block adult content are also a form of spyware. Chances are you will be aware of any benign spyware when it is on a device you are using. For the purposes of this chapter, we will focus on malicious spyware, that is, spyware that sneaks its way onto your device without your knowledge and with ill intent.

Is Spyware a Virus?

Spyware and viruses are both common examples of malicious software (malware), but otherwise they are not closely related. The difference between the two lies in their behaviour: a computer virus inserts itself into a host program to copy itself and spread through networks of devices; spyware is designed to sit undetected on each device it infects.

What Does Spyware Do Exactly?

Spyware can be used to track and record activity on computers and mobile devices. Specific strains have specific behaviours; generally speaking, cyber thieves use spyware to collect data and personal information. Once it is on your computer or mobile device, spyware can carry out a distressing array of covert operations that include the following:
1. Keylogging (recording everything you type, including usernames, passwords, banking info, etc.).
2. Recording audio and video and screenshot capture.
3. Remote control of the device.
4. Capturing content from e-mail, messaging and social apps.
5. Recording and capturing browser history.
Unfortunately, these capabilities have attracted the interest of stalkers and jealous partners; in some circles, spyware is referred to as stalkerware or spouseware.

Types of Spyware

Spyware can take a number of forms. They are majorly divided into seven types, as shown in Fig. 3.6, which are listed below:
1. Adware: It eyes your online activity and displays ads it thinks you will be interested in based on that information. Although benign compared to some other forms of spyware, adware can have an impact on the performance of a device, as well as just being annoying.
2. Tracking cookies: They are similar to adware, although they tend to be less intrusive.
3. Trojans: After landing on a device, they look for sensitive information, such as bank account information, and send it to a seedy third party who will use it to steal money, compromise accounts or make fraudulent purchases. They can also be used to gain control of a computer through the installation of a backdoor or a remote access Trojan (RAT).
4. Keyloggers: They allow a miscreant to capture every keystroke from your keyboard, including the keystrokes you use when you log into your online accounts.
5. Stalkerware: It is typically installed on a mobile phone so the owner of the phone can be tracked by a third party. For example, during the trial of Joaquín 'El Chapo' Guzmán, it was revealed that the drug kingpin installed spyware on the phones of his wife, associates and female friends so he could read their text messages, listen to their conversations and follow their movements.

Figure 3.6  Types of spyware: adware, tracking cookies, Trojans, keyloggers, stalkerware, stealware and system monitors.

6. Stealware: It is crafted to take advantage of online shopping sites that award credits to websites that send traffic to their product pages. When a user goes to one of those sites, stealware intercepts the request and takes credit for sending the user there.
7. System monitors: They record everything that is happening on a device, from keystrokes, e-mails and chat room dialogues to websites visited, programs launched and phone calls made, and send it to a snoop or cybercriminal. They can also monitor a system's processes and identify any vulnerabilities on it.

How to Tell If You Have Spyware?

Spyware is designed to be undetectable and untraceable, making it difficult to tell if you have it. To see whether it has infected your computer or mobile system, keep an eye out for these warning signs:
1. Your device runs slower than normal.
2. Your device freezes or crashes frequently.
3. You start getting a ton of pop-ups.
4. Your browser homepage changes unexpectedly.
5. New and/or unidentifiable icons appear in the task bar.
6. Web searches redirect you to a different search engine.
7. You start getting random error messages when using apps that you have never had issues with before.
Of course, these are also symptoms of other malware infections. To determine exactly what you are dealing with, you will need to dig a bit deeper and scan your device with anti-virus software that includes a spyware scanner.

3.3.3 Virus

A virus is a program that damages documents or changes your file contents. A virus may corrupt or eradicate the data available on your computer. A virus can also replicate itself. A computer virus makes changes to or deletes files, whereas computer worms replicate themselves without making any changes to your files or data. This is why viruses are more harmful than worms. Some examples of viruses are as follows:
W32.Sfc!mod
ABAP.Rivpas.A
Accept.3773
A virus could enter your computer as an attachment of images, greetings, or video/audio files. They also enter through downloads from the Internet. A virus can be hidden in free/trial software or other files that you download. Therefore, before you download anything from the Internet, be sure about it first. Almost all viruses are attached to an executable file. This means the virus might exist on your computer, but it cannot actually infect your computer until you run or open the malicious program. It is important to note that a virus cannot spread without a human action, such as running an infected program, to keep it going.

Types of Viruses

Viruses are of different types, as given in Fig. 3.7.

Figure 3.7  Types of viruses: file virus, macro virus, master boot record virus, boot sector virus, multipartite virus, polymorphic virus and stealth virus.

1. File virus: The file virus normally infects program files such as .exe, .com and .bat. If this virus remains in memory, it tries to infect all the other programs that are loaded into that memory.
2. Macro virus: These viruses infect Word, Excel, PowerPoint, Access and other data files. Documents such as Word, PowerPoint and Excel files are infected by this type of virus. Once a file is infected by a macro virus, it becomes difficult to repair.
3. Master boot record virus: MBR viruses are memory-resident viruses; they copy themselves to the first sector of a storage device, which is used for the partition table or the OS loading program. An MBR virus infects this particular area of the storage device instead of normal files. We can remove an MBR virus very easily by cleaning the MBR area; this is the easiest way to remove the virus.
4. Boot sector virus: A boot sector virus infects the boot sector of an HDD or FDD. These are also memory-resident in nature. Once the computer starts, it infects the computer from the boot sector. This type of virus is very tough to remove.
5. Multipartite virus: A multipartite virus is a mixture of boot and program (file) viruses. These viruses infect program files, and when the infected program is executed, they infect the boot record. The next time you boot the computer, the virus from the boot record will load into memory and start infecting other program files on the disk.
6. Polymorphic viruses: Polymorphic viruses are viruses that are encrypted. Such a virus appears different in every new infection due to its ability to encrypt itself. It can encrypt its code in various ways, and this is the main reason that these viruses are difficult to find.
7. Stealth viruses: Stealth viruses use various techniques to escape detection. They can change the size of the infected file in the directory, or they can direct the disk head to another sector so that they cannot be found by the user. The Whale virus requires 9216 bytes of memory, so it subtracts this amount from the directory entry of the file on which it resides.
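Because a file virus attaches itself to program files and a stealth virus hides the resulting size change, the practical defence is to compare program files against a recorded baseline by content hash rather than by size. The block below is an added example, not code from the book: it takes a SHA-256 snapshot of .exe/.com/.bat files under a directory, and a later comparison reports files that changed, files that changed without their size changing (the stealth case), files that appeared and files that disappeared. The demo builds a constructed program directory in a temporary folder and simulates the two kinds of modification with ordinary file writes; the file names and contents are assumptions for this example.

```python
"""Detect modified program files by hash rather than size (added example)."""
from __future__ import annotations

import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat")


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, tuple[int, str]]:
    """Map each program file under root (relative path) to (size, sha256)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                result[os.path.relpath(path, root)] = (os.path.getsize(path), sha256_of(path))
    return result


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Classify differences; 'stealthy' lists files whose content changed
    while the size stayed the same, which a size-only check would miss."""
    report = {"modified": [], "stealthy": [], "added": [], "removed": []}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][1] != digest:
            report["modified"].append(rel)
            if baseline[rel][0] == size:
                report["stealthy"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then append bytes to one
    program (size and hash change), overwrite bytes in another without
    changing its size (only the hash changes) and drop a new .bat file."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "notepad.exe": b"MZ" + b"\x90" * 100,   # constructed stand-in binary
            "calc.com": b"\xb4\x09" * 50,            # constructed stand-in binary
            "readme.txt": b"docs",                    # not a program file, ignored
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "notepad.exe"), "ab") as f:
            f.write(b"\xcc" * 16)
        with open(os.path.join(root, "calc.com"), "r+b") as f:
            f.seek(0)
            f.write(b"\xeb\xfe")
        with open(os.path.join(root, "dropper.bat"), "wb") as f:
            f.write(b"@echo off\r\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:>9}: {names}")
```

The baseline itself must be stored somewhere the virus cannot reach (read-only media or another host); a resident virus that can rewrite program files can also rewrite a baseline kept beside them.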

3.3.4 Worms

A worm is a malicious program that copies itself repeatedly. Worms recreate themselves on local drives, network shares, etc. This is the only purpose of a worm, as it does not harm any data or file on the computer like a virus does. Worms do not need to attach themselves to any existing program. They spread by exploiting vulnerabilities in operating systems. Some examples of worms are as follows:
W32.SillyFDC.BBY
Packed.Generic.236
W32.Troresba
Because of its replicating nature, a worm consumes a massive amount of space on the hard drive and also consumes more CPU, which ends up making the PC slower and also increases the consumption of network bandwidth. Computer worms can spread in the following ways:
• Files found in e-mail attachments.
• Through a web link or FTP resource.
• Links received through 'I seek you' (ICQ) and Internet relay chat (IRC) messages.
• Via peer-to-peer file-sharing networks.

Types of Worms

There is no universal classification of computer worms, but they can be organized into types based on how they are distributed between computers. For an overview, refer to Fig. 3.8. The five common types of computer worms are as follows:
1. Internet worms: These worms target websites which are famous yet do not have enough security. Once they manage to infect such a website, they replicate themselves on every computer from which that website is accessed. From there, these worms are transmitted through Internet and local network connections to other connected computers.
2. E-mail worms: Worms distributed via compromised e-mail attachments are called e-mail worms. These worms usually carry a double extension, so that the recipient cannot tell and thinks it is a media file instead of a malicious computer program. As the victim opens the attachment, a copy of the same infected file is sent automatically to the addresses in the contact list. These worms can be transferred even through a link: the recipient just has to click on the link, and an infected website automatically starts downloading malicious software onto that computer. In this way, these worms can be transmitted even without the user downloading anything.

Figure 3.8  Types of worms: Internet worms, e-mail worms, instant messaging worms, file-sharing worms and IRC worms.

3. Instant messaging worms: The only difference between e-mail worms and instant messaging worms is the method of distribution. Once the user opens the link or attachment in one of the popular messaging apps, the exact same message is sent to everyone in their contact list. These messages seem funny to the recipients, and thinking that they were sent by a friend, they may open them. If the worm has not yet replicated itself on the computer, the problem can be solved by changing the password.
4. File-sharing worms: Although often illegal, file sharing and peer-to-peer file transfers are still used by millions of people around the world. In doing so, they unknowingly expose their computers to the threat of file-sharing worms. Like e-mail and instant messaging worms, these programs are disguised as media files with dual extensions. When the victim opens the downloaded file to view it or listen to it, they install the worm on their computer. Even if it seems that the user has downloaded an actual playable media file, a malicious executable can be hidden in the folder and discreetly installed when the media file is first opened.
5. IRC worms: Internet relay chat (IRC) is a messaging app that is mostly outdated nowadays but was all the rage at the turn of the century. As with today's instant messaging platforms, computer worms were distributed via messages containing links and attachments. The latter was less effective due to an extra layer of protection that prompted users to accept incoming files before any transfer could take place.
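The e-mail, instant messaging and file-sharing worms above share one disguise: a double extension that makes an executable look like a media file. The block below is an added example, not code from the book, of the check a mail gateway or download scanner would apply to attachment names: it flags a name whose real (last) extension is executable, and says separately whether a media-looking extension sits in front of it. The attachment names and the extension sets are constructed for this example; a production filter would use a fuller list of executable and script types.

```python
"""Flag attachments that hide an executable behind a media name (added example)."""
from __future__ import annotations

MEDIA_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "mp3", "mp4", "avi", "pdf", "doc", "txt"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "jar"}

# Constructed attachment names as a worm, a legitimate sender and a sloppy
# sender might produce them.
SAMPLE_ATTACHMENTS = [
    "holiday_photo.jpg.exe",   # media name, executable extension
    "funny_video.avi.scr",     # screensavers are executables too
    "invoice.pdf",
    "song.mp3",
    "report.final.docx",       # two dots but no executable extension
    "setup.exe",               # openly executable
    "archive.tar.gz",
    "love_letter.txt.vbs",     # script hidden behind a text name
]


def attachment_risk(filename: str) -> str | None:
    """Return why the attachment looks like a worm carrier, or None if it does not.

    Only the last extension decides what the operating system will run,
    so that is what is checked first; the media-looking extension before
    it is reported because it is the social-engineering part of the trick."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in MEDIA_EXTENSIONS:
        return f"double extension: looks like .{parts[-2]} but runs as .{last}"
    return f"executable attachment (.{last})"


def triage(names: list[str]) -> dict[str, str]:
    """Map each risky attachment name to its reason; clean names are omitted."""
    findings = {}
    for name in names:
        reason = attachment_risk(name)
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:<24} {reason}")
```

The same check applies to files downloaded over peer-to-peer networks; showing full file extensions in the file manager is the manual version of it for end users.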

Examples of Computer Worms

The first known computer worm, Jerusalem, was discovered in 1987. Since then, other computer worms have made the news, either because of their devastating effects or because of the sheer scale of the attack. Some of the most notorious examples of computer worms include the following:

• The Morris worm was launched in 1988 by Robert Morris, an American student, to measure the size of the Internet. To do so he released a few dozen lines of code, not realising that they were riddled with bugs that would cause many problems on the affected hosts. The result was financial damage to thousands of overloaded UNIX computers, estimated at between $10 million and $100 million.

• The Storm worm was launched in 2007. It was an e-mail worm: the e-mails reported a fake, unprecedented storm that had supposedly already killed many people in Europe. Over a period of 10 years more than 1.2 billion such e-mails were sent in order to build a botnet that targets well-known websites. It is believed that millions of computers are still infected and that their owners have no idea they are part of this botnet.

• SQL Slammer did not use any of the traditional distribution methods; this was its uniqueness. Instead, it generated random IP addresses and sent copies of itself to them, in the hope that the targets were not protected by any anti-virus. More than 75,000 machines were infected without their owners knowing, and they were then involved in DDoS attacks on several major websites.


3.3.5 Difference Between Virus and Worms

The differences between a computer virus and a computer worm are listed in Table 3.1.

Table 3.1  Difference between Virus and Worms

Basis for comparison | Virus | Worm
Definition | A virus is a type of program that attaches itself to executable (exe) files and transfers from one computer to another. | A worm is a malicious, self-replicating program that spreads through a computer network.
Human action | Human action is required in order to run and transmit a virus. | Since it is self-replicating, human action is not necessary for running or transmitting a worm.
Spreading speed | Slow as compared to a worm. | Spreads rapidly.
Need of host | A host is needed for spreading a virus. | Does not need a host, since it can replicate itself.
Removal techniques | 1. Anti-virus software can be used. 2. Formatting the system. | 1. Worm removal tools/software can be used. 2. Formatting the system.
Prevention | Anti-virus software can be used to prevent a virus from entering your computer. | Anti-virus software can be used to detect worms and hence serves as a prevention technique. A firewall is another prevention technique.
Effects | It can alter or erase files and programs. It can also corrupt files. | It consumes system resources and hence slows the system, and can also halt the system completely.

3.3.6 Trojans and Backdoors

Trojans, also known as Trojan horses, are malware used for compromising a target device. Backdoors are part of the Trojan family. These are nothing but programs. They are attached to some other application so that when the user downloads the application, the attached Trojan gets downloaded along with it. Attackers use them specifically to get access to the system. Once installed, the system becomes slow and sometimes even crashes. The attackers then use them to gain information about your device, which can lead to data theft and other serious issues. Trojans are mainly used by attackers to conduct DDoS attacks on servers. Apart from this, they are also used as keyloggers that record typed data, and they are capable of capturing screenshots. Trojans are generally transferred via e-mail attachments, by sharing files, by appending them to other programs that can be downloaded from the Internet, and through chat/discussion. Advertisements shown while browsing some websites can also be a source of malware, as they offer and/or allow free software downloads which in turn can download a Trojan to your device. Some common Trojans and the default ports they use are as follows:

Deep Throat: UDP, ports 2140 and 3150
NetBus: TCP, ports 12345 and 12346
Back Orifice: UDP, ports 31337 or 31338

Backdoor

A backdoor is a Trojan program used by attackers to re-enter the target system; that is, it provides a way for the attacker to get back into your system. A backdoor is installed on the system without the knowledge of the user, and backdoor files are hard to find because they often carry legitimate-looking names and hence go unnoticed.

Remote Access Trojans (RATs)

RATs are a type of backdoor used by attackers to gain access to a remote machine. They are installed on the attacker's machine as a server and on the victim's machine as a client, so whenever the client is online the server can access the client's system remotely. They can be detected if the mouse moves on its own or if unexpected pop-ups appear. Refer to Table 3.2 for the different types of Trojans.

Table 3.2  Different Types of Trojans

Type of Trojan | Purpose
Remote access Trojan | Gain remote control of the victim.
Destructive Trojan | Corrupt or delete files.
Denial-of-service Trojan | Launch a DoS attack.
FTP Trojan | Create an FTP server and copy files onto it.
Data sending Trojan | Send data from the victim to the hacker's computer.
Proxy Trojan | Use the victim's computer as a proxy to attack another victim.
Command shell Trojan | Uses commands to open ports to gain remote access.
E-mail Trojan | Access to the victim's computer is gained by sending an e-mail and having them click a link.
VNC Trojan | VNC servers are used for controlling the computer and avoiding detection by anti-virus.
Botnet Trojan | Used by attackers to turn the system into a bot for conducting other attacks.


Wrappers

These are also known as Guleware and are used for binding Trojans with applications that look genuine. They wrap the Trojan so that it cannot be found. Because the wrapped applications look genuine, users often download and install them for their own use, and when they do so the Trojan is installed without the user's knowledge; Kriptomatik is an example.

Evading Anti-Virus

Nowadays attackers keep finding new techniques for conducting attacks. Evading anti-virus is nothing but a technique to avoid detection by the anti-virus program:

1. Do not use existing Trojans, as they can be easily detected; instead, attackers write Trojan programs themselves.
2. To avoid being caught, they rename file extensions, for example .exe to .xls, .ppt or .mp4.
3. Divide the Trojan file into multiple parts, send the different parts to the target device in different ways, and then combine them to reconstruct the Trojan file.
4. To avoid matching a signature and being caught by an IDS, the checksum value is changed.

How to Detect a Trojan?

1. Use tools like TCPView and CurrPorts to see which ports are open without your knowledge.
2. Check the processes running on the computer. Check whether there are unnecessary services running without your knowledge. Use tools to monitor processes if necessary.
3. Scan device drivers to find malicious files/applications.
4. Scan the registry for unwanted records.
5. Remove suspicious files and folders.
6. Use tools like Trojan Hunter to detect Trojans.
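The port check in step 1 can be automated against a known-good baseline. The following is an added example in Python, not code from the book: it parses a constructed netstat-style listing, compares the ports that are accepting traffic against an assumed baseline allowlist for a hypothetical host, and names any port that matches the default ports of the Trojans listed earlier in this section (Deep Throat, NetBus, Back Orifice). The listing, the baseline and the host addresses are all constructed sample data.

```python
"""Baseline check of listening ports, in the spirit of the TCPView/CurrPorts step.
Added example, not from the book. The netstat-style lines are constructed, not
a real capture, and the baseline allowlist is an assumption for a hypothetical host."""

# Default ports of the Trojans named in this section (taken from the text).
TROJAN_PORTS = {
    ("udp", 2140): "Deep Throat",
    ("udp", 3150): "Deep Throat",
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
    ("udp", 31337): "Back Orifice",
    ("udp", 31338): "Back Orifice",
}

# Assumed baseline: services this hypothetical host is expected to expose.
BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 53)}

# Constructed `netstat -an`-style output: proto, local address, foreign address, state.
SAMPLE_NETSTAT = """\
tcp   0.0.0.0:22        0.0.0.0:*        LISTEN
tcp   0.0.0.0:443       0.0.0.0:*        LISTEN
tcp   0.0.0.0:12345     0.0.0.0:*        LISTEN
tcp   10.0.0.5:443      10.0.0.9:51234   ESTABLISHED
udp   0.0.0.0:53        0.0.0.0:*
udp   0.0.0.0:31337     0.0.0.0:*
udp   0.0.0.0:5353      0.0.0.0:*
"""


def parse_listeners(text):
    """Return the set of (proto, port) pairs that are accepting traffic.
    TCP sockets count only in LISTEN state; UDP sockets carry no state, so any
    bound UDP socket is treated as a listener."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])  # works for IPv4 and [::]:port
        if proto.startswith("tcp"):
            if len(fields) >= 4 and fields[3] == "LISTEN":
                listeners.add(("tcp", port))
        elif proto.startswith("udp"):
            listeners.add(("udp", port))
    return listeners


def audit_ports(text, baseline=BASELINE):
    """Compare listeners with the baseline. Returns a list of findings
    (proto, port, note) ordered by port: every listener outside the baseline
    is a finding, and one that sits on a known Trojan default port is named."""
    findings = []
    unexpected = parse_listeners(text) - set(baseline)
    for proto, port in sorted(unexpected, key=lambda p: (p[1], p[0])):
        name = TROJAN_PORTS.get((proto, port))
        note = f"matches default port of {name}" if name else "not in baseline"
        findings.append((proto, port, note))
    return findings


if __name__ == "__main__":
    for proto, port, note in audit_ports(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {note}")
```

A match on a well-known Trojan port is only a hint: a current Trojan can listen on any port, so the comparison with the baseline is the part that matters, and the process owning each unexpected socket should be identified before anything is removed.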

How to Prevent Trojans?

1. Do not download unknown and unverified applications from the Internet. Download applications only from trusted sources.
2. Use anti-virus on your devices. The anti-virus will scan files and inform you if anything malicious is found.
3. Use a firewall to restrict untrusted sites.
4. Make sure you update your applications whenever a new update arrives.
5. Do not use external CDs, pen drives or floppies directly. First scan and check them, and use them only if they are safe.
6. Make sure you protect your system from unauthenticated access and installation of applications.

Tools such as Trojan Hunter, Emsisoft Anti-Malware and Trojan Remover can also be used to remove Trojans from infected computers.

Preventing Your Device from Backdoors

1. Do not download unknown and unverified applications from the Internet. Download applications only from trusted sources.
2. Use anti-virus on your devices. The anti-virus will scan files and inform you if anything malicious is found.
3. Use a firewall to restrict untrusted sites.
4. Make sure you update your applications whenever a new update arrives.
5. Do not download anything from e-mails unless the sender is a trusted source.

3.3.7 Steganography

The word steganography is of Greek origin and means 'covered writing'. The technique hides a secret message inside an innocuous cover message so that the existence of the secret information is not discovered.

Types of Steganography

The different types of steganography are shown in Fig. 3.9.

1. Image steganography: Image steganography is used to hide a secret message inside an image. The most widely used technique is to hide the secret bits in the least significant bit (LSB) of each pixel of the cover image. Because this method uses the bits of each pixel in the image, it is necessary to use a lossless compression format; otherwise the hidden information will be lost in the transformations of a lossy compression algorithm.
• When using a 24-bit colour image, one bit of each of the red, green and blue colour components can be used, so a total of 3 bits can be used for each pixel.
• In this way, more secret bits can be hidden in the image.

2. Audio steganography: Like image steganography, audio steganography hides the confidential message in an audio file. This is done by working on the digital representation of the sound. With a typical 16-bit file offering 2^16 (65,536) sound levels this is very simple to achieve, as a difference of a few levels cannot be detected by the human ear.
• An observer cannot detect the existence of the secret message embedded by the sender, since it is very easy for the sender to embed data using a key in a digital cover file to produce a hidden file whose payload cannot be detected by an observer.
• Many schemes have been proposed for audio steganography based on modification of the least significant bits (LSB) of the audio samples in the temporal domain or in the transform domain.

3. Video steganography: Video steganography brings more possibilities for disguising a large amount of data because video is a combination of image and sound. Therefore, image and audio steganography techniques can also be employed on video. Video files are generally a collection of images and sounds, so most of the techniques presented for images and audio can be applied to video files too.

Figure 3.9  Different types of steganography: image steganography, audio steganography, video steganography and text steganography.




• The great advantage of video is the large amount of data that can be hidden inside it, and the fact that it is a moving stream of images and sounds.
• Video steganography is nothing but a combination of image steganography and audio steganography.
• This type of steganography offers more opportunities to embed a huge amount of secret data.

4. Text steganography: Steganography can be applied to different types of media including text, audio, image and video. However, text steganography is considered the most difficult kind of steganography because text has little redundancy compared with images or audio, although it has the advantages of smaller memory occupation and simpler communication.
• One method that can be used for text steganography is data compression. Data compression encodes information in one representation into another representation that is smaller in size.
• One possible scheme to achieve data compression is Huffman coding. Huffman coding assigns shorter code words to more frequently occurring source symbols and longer code words to less frequently occurring source symbols.
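To make the LSB method of item 1 concrete, here is an added example in Python that is not code from the book. It embeds a message in the least significant bit of the red, green and blue components of a constructed 24-bit cover image, three bits per pixel, and reads it back; a simple quantisation step then stands in for what a lossy codec does to the low-order bits and shows why a lossless format is required. The cover image, the message, the two-byte length prefix and the quantisation step size are all constructed for this example.

```python
"""LSB image steganography: embed and extract, 3 bits per 24-bit pixel.
Added example, not from the book. The cover image is a constructed list of
(r, g, b) tuples rather than a real file; the 'lossy' step is a plain
quantisation that stands in for the rounding a lossy codec applies."""


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def capacity_bytes(pixels):
    """One secret bit per colour component, three per pixel."""
    return (len(pixels) * 3) // 8


def embed(pixels, message: bytes):
    """Return a new pixel list carrying a 2-byte length prefix plus the message
    in the LSBs. Every other bit of every component is left untouched, which is
    why the change is invisible to the eye (each component moves by at most 1)."""
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("message too large for cover image")
    bits = _bits(payload)
    out = []
    for pixel in pixels:
        new = []
        for component in pixel:
            bit = next(bits, None)                       # None once the payload is exhausted
            new.append(component if bit is None else (component & ~1) | bit)
        out.append(tuple(new))
    return out


def extract(pixels):
    """Read the LSBs back; the first 16 bits give the message length in bytes."""
    lsbs = [c & 1 for pixel in pixels for c in pixel]

    def take(n_bytes, byte_offset):
        chunk = lsbs[byte_offset * 8:(byte_offset + n_bytes) * 8]
        return bytes(int("".join(map(str, chunk[i:i + 8])), 2)
                     for i in range(0, len(chunk), 8))

    length = int.from_bytes(take(2, 0), "big")
    return take(length, 2)


def lossy(pixels, step=4):
    """Constructed stand-in for lossy compression: round each component to a
    multiple of `step`, which destroys the low-order bits the message lives in."""
    return [tuple(min(255, round(c / step) * step) for c in p) for p in pixels]


def make_cover(width=16, height=16):
    """Constructed 16x16 gradient cover image with mixed LSBs (values kept
    below 241 so the quantised image never clips to 255)."""
    return [((x * 13 + y) % 240, (y * 13 + x) % 240, ((x + y) * 5 + 3) % 240)
            for y in range(height) for x in range(width)]


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"covered writing")
    print("recovered from lossless copy:", extract(stego))
    print("recovered after lossy step:   ", extract(lossy(stego)))
```

The cover and the stego image differ by at most one level in any component, which is what makes the embedding imperceptible; the same property makes it fragile, since any processing that touches the low-order bits (here the quantisation, in practice JPEG-style compression or resampling) erases the message entirely.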

Steganography Versus Cryptography

Steganography is focused on hiding the presence of information, while cryptography is more concerned with making sure that information cannot be accessed. When steganography is used properly, no one apart from the intended recipients should be able to tell that any hidden communication is taking place. This makes it a useful technique for situations where obvious contact is unsafe. In contrast, cryptography tends to be used in situations where the participants are not concerned if anyone finds out that they are communicating, but they need the message itself to be hidden and inaccessible to third parties.

Let us go through some examples to understand the differences. If you were a political activist who has been imprisoned and you need to communicate with your organization, the logistics can be challenging. The authorities may monitor everything going in and out of your cell, so you would probably have to hide any communication that takes place. In this kind of situation, steganography would be a good choice. It may be challenging with the resources you have at hand, but you could write a plain-sounding letter with a hidden message concealed using different font types or other steganographic techniques.

Alternatively, let us say that you are a diplomat discussing secret details with your home country. It is normal for diplomats to talk with officials from their own nation, so the communications themselves do not raise any suspicion. However, since the content of the conversation is top secret, the diplomat may want to use cryptography and talk over an encrypted line. If spies or attackers try to intercept the conversation, they will only have access to the ciphertext, not to what the two parties are actually saying.

Let us flip things over to examine the differences even further. If the political activist used cryptography to communicate with their organization, the authorities would most likely have intercepted it. The officials would see the ciphertext and know that the activist was trying to send encoded messages; they would most likely stop its delivery and interrogate the activist about it. This could end very badly, in beatings, torture or even the activist's death. That is why steganography would be more suitable in such a scenario.


Conversely, diplomats are often monitored by their host countries. If a diplomat tried to send steganographically concealed messages back home, they could be intercepted, analysed and the content may be uncovered. In this situation, cryptography is more suitable, because although interceptors will know communication is taking place, they won’t be able to find out what it concerns.

POINTS TO REMEMBER

1. Keyloggers are used for tracking your keystrokes, using either software or hardware. An anti-keylogger is software used for detecting these keyloggers.
2. Spyware is a type of malware that tries to keep itself hidden while it secretly records information and tracks your online activities on your computers or mobile devices.
3. Viruses and worms are computer programs: a virus attaches itself to executable files, while a worm replicates itself and spreads across the network.
4. Trojans and backdoors are malware which, when installed on a system, make the system slow or crash it, or send information about the system to attackers.
5. Steganography is the technique of hiding secret messages, while cryptography is encrypting secret messages.

3.4 DoS and DDoS Attacks

3.4.1 What Is a DoS Attack?

A DoS attack is conducted by flooding a server with TCP and UDP packets. The flood of packets overloads the server, which can no longer accept further packets from users. So, the server becomes unavailable and service is denied to the user (see Fig. 3.10).

Figure 3.10  DoS attack.

These types of attacks are used specifically to deny service, to shut down a network, services or individual machines, or to slow down services. Different techniques for conducting this attack are listed in the following:

1. Buffer overflow attacks: This technique is very common among attackers. In this technique the machine consumes all of the available hard disk space, memory or CPU time; this is generally known as a memory buffer overflow attack. The consumption of memory results in system crashes, sluggish behaviour or other deleterious behaviour in servers, which results in denial of service.


2. Ping of death or ICMP flood: In this kind of attack, the attacker uses one or more misconfigured or unconfigured network devices to send spoofed packets that ping every node within the network. Such attacks are known as Internet control message protocol (ICMP) flood attacks or ping of death (POD) attacks.
3. SYN flood: In this attack the attacker keeps sending connection requests to the server but never completes the handshake. As a result the network is flooded with requests and cannot take any more, which prevents others from connecting to the network.
4. Teardrop attack: In this attack, IP data packet fragments are sent to a network, and when the network tries to reassemble the fragments it ends up crashing. The fields in the fragments are designed to confuse the system, so the process of reassembling the fragments into the original packets exhausts it and results in a system crash.
5. Smurf attack: This is a type of DoS attack in which the attacker uses the broadcast address of a vulnerable network to send spoofed packets to the target Internet protocol (IP) address. This results in flooding and thereby denial of service.

These attacks can cause massive damage. They are very easy to conduct and very harmful for the target. DoS attacks have become one of the biggest and most pervasive threats that cybersecurity and modern organisations have to face. With this kind of attack a whole organisation can be stopped for a day or sometimes even for weeks. For the victim organisation the disruption in service can be enormous even if no data is lost: the cost of being unable to access the network runs into thousands, the time spent offline adds to it, and the reputation of the organisation also suffers. So, it is very important to prevent DoS attacks in this modern world of technology.

Nowadays, DDoS attacks have taken over from DoS attacks because of their effectiveness. They are easy to conduct and tools for conducting them are easily available. DDoS attacks are derived from DoS attacks.
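The SYN flood in item 3 leaves a visible trace on the server: a large number of half-open connections (SYN received, handshake never completed). The following added example in Python, not from the book, reads a constructed snapshot of the server's connection table in a netstat-style layout (state, local address, remote address) and reports how full the half-open backlog is, which sources hold more half-open connections than a per-source limit, and whether a flood should be suspected. The addresses, the backlog size and the thresholds are constructed assumptions for a hypothetical server.

```python
"""Half-open (SYN_RECV) connection check for a SYN flood.
Added example, not from the book: the connection rows are constructed in a
netstat-style layout, and the backlog size and thresholds are assumed values."""
from collections import Counter

# Constructed snapshot of TCP connections to a web server: state, local, remote.
SAMPLE_CONNECTIONS = """\
SYN_RECV     10.0.0.5:443   203.0.113.10:40001
SYN_RECV     10.0.0.5:443   203.0.113.10:40002
SYN_RECV     10.0.0.5:443   203.0.113.10:40003
SYN_RECV     10.0.0.5:443   203.0.113.10:40004
SYN_RECV     10.0.0.5:443   203.0.113.11:40005
SYN_RECV     10.0.0.5:443   203.0.113.11:40006
SYN_RECV     10.0.0.5:443   198.51.100.20:40007
ESTABLISHED  10.0.0.5:443   198.51.100.7:51000
ESTABLISHED  10.0.0.5:443   198.51.100.8:51001
"""


def parse_connections(text):
    """Return a list of (state, local_address, remote_ip); malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            state, local, remote = fields
            rows.append((state, local, remote.rsplit(":", 1)[0]))
    return rows


def half_open_report(text, backlog_limit=128, per_source_limit=3, backlog_alarm=0.75):
    """Summarise half-open connections.

    Two signals are combined because a spoofed SYN flood spreads its SYNs over
    random source addresses: the per-source count catches a single noisy
    source, while the overall backlog usage catches a flood from many sources."""
    rows = parse_connections(text)
    half_open = Counter(ip for state, _, ip in rows if state == "SYN_RECV")
    total_half_open = sum(half_open.values())
    established = sum(1 for state, _, _ in rows if state == "ESTABLISHED")
    suspects = sorted(ip for ip, n in half_open.items() if n > per_source_limit)
    backlog_used = total_half_open / backlog_limit
    return {
        "half_open": total_half_open,
        "established": established,
        "backlog_used": backlog_used,
        "suspect_sources": suspects,
        "flood_suspected": bool(suspects) or backlog_used >= backlog_alarm,
    }


if __name__ == "__main__":
    # Assumed small backlog of 8 entries for the demonstration.
    print(half_open_report(SAMPLE_CONNECTIONS, backlog_limit=8))
```

The `backlog_limit` is the size of the kernel's SYN backlog for the listening socket on the real host; the ratio of half-open entries to that limit is the number that matters, since once the backlog is full legitimate handshakes are dropped regardless of where the SYNs came from.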

What Is a DDoS Attack?

DDoS stands for distributed denial-of-service attack. In this attack, attackers use multiple systems to conduct the attack: the targeted network is attacked with packets from these multiple systems at different locations. Since many systems from different locations are used, it becomes difficult to find the origin of the attack, and hence really difficult to find the attacker. The attacker requires multiple systems to conduct the attack. These systems are known as slave computers, and also as zombies or bots. The network formed from these bots is known as a botnet. The botnet is managed by the bot master (the attacker) using a command and control server. Botnets generally have from a few to hundreds of bots. The bots follow the orders given by the bot master and conduct the attack. Figure 3.11 gives a brief idea of how botnet attacks work.

Figure 3.11  Use of botnet for conducting DDoS attack. (Steps shown in the figure: 1. Attacker compromises vulnerable systems. 2. Unsuspecting users become part of a botnet. 3. Attacker uses an IRC/Web controller to activate the botnet and carry out the attack. 4. Botnet sends a large amount of traffic to the victim's servers, bringing the network down.)

Types of DDoS Attacks

Some types of DDoS attacks are discussed in the following:

1. Volume-based DDoS attacks: In volume-based DDoS attacks, the attack depends on the inbound traffic and its volume. The main purpose of conducting this type of attack is to overload the bandwidth or to cause IOPS or CPU usage issues. Conducting this type of attack is very easy for attackers, as overloading resources, bandwidth or CPU is enough to achieve the purpose. It is also easy because most website owners use shared hosts or virtual private server (VPS) environments, which often have small tiers and configurations. The volume-based DDoS attacks include the following:
(a) UDP floods: A user datagram protocol (UDP) attack uses the UDP protocol for conducting the attack. The attacker floods random ports with UDP packets, forcing the server to respond; the server's response takes the form of ICMP packets (ICMP is the protocol used for sending error messages back to an IP address). Because UDP is a connectionless protocol it does not validate the source IP address, so the server keeps responding with ICMP packets, in turn chewing up the web server's resources and bringing it to a halt or crashing it completely. Since this attack is conducted at Layers 3/4, it is also known as a Layer 3/4 attack.
(b) ICMP floods: As the name suggests, the Internet Control Message Protocol is used to send the packets that conduct the attack. The attacker uses a large set of source IP addresses and creates spoofed ICMP packets to flood the server. This exhausts server resources, causing the server to reboot or slow down, which has an extensive impact on performance. ICMP flood attacks can be random or specifically targeted at servers.
(c) Ping floods: Ping packets are used to flood the server in this attack, which is an evolution of the ICMP flood attack. Here too a large set of source IP addresses is used, and the purpose of the attacker is to shut down the service or system completely for some time. This attack is very difficult to detect, as website owners may mistake it for legitimate traffic.

2. Protocol-based DDoS attacks: The Internet uses protocols for exchanging information between two systems. These DDoS attacks exploit weaknesses in Layer 3 and Layer 4 protocols. The purpose of conducting this type of attack is to consume server resources and cause service disruption. The protocol-based DDoS attacks include the following:
(a) Ping of death: In this attack, attackers send malicious pings to the server by manipulating the IP protocol. This was more common in the 1990s, but it is still a threat to security today. The attack has evolved over time, and there are now ping of death attacks that target applications and hardware, resulting in a reboot or complete crash.
(b) SYN flood: The transmission control protocol (TCP) is used for conducting a SYN flood attack. TCP is a communication protocol that uses a three-way handshake to establish a connection between client, host and server. Attackers exploit this property of the TCP protocol and send SYN packets as spoofed messages. These packets are aimed at the server and fill the connection table memory until it is exhausted, ultimately shutting down the service.

3. Application layer attacks: Application layer attacks are often targeted at applications such as web servers like Apache and Windows IIS. Nowadays these attacks have also evolved and target application platforms like WordPress, Drupal and others. Basically, the target is an application, a website or some service. Since they are conducted against an application, these attacks are smaller than the DDoS attacks listed earlier. Being smaller, they often go unnoticed and result in great damage. They are also called 'low and slow attacks' or 'slow rate attacks', as they are small and silent compared with other attacks at the network layer yet equally disruptive. These attacks occur at the seventh layer, the application layer, and hence are known as Layer 7 attacks. Apart from targeting applications they also target bandwidth and the network, and they are harder to detect than other network layer attacks. The application layer attacks include the following:
(a) Attacks targeting the DNS server: The Domain Name System (DNS) stores information about websites together with their domain names. Spoofing, reflection and amplification are performed along with DDoS attacks. In this attack, botnets are used to send DNS requests to servers, which then translate domain names into IP addresses for all the requests received. These requests overburden the server and amplify the records, which the attackers then spoof. The attack occurs at Layers 3/4 and is very popular today. DNS servers are publicly accessible, so your web server can be affected by DNS traffic, resulting in slow-downs or depleted resources, which in turn affects legitimate DNS traffic. Layer 3 DNS amplification is a type of DDoS attack that uses an amplification technique, meaning that if the attacker sends 2 bytes of data, the targeted server receives more than 2 bytes. The attack is capable of hiding its origin by reflection, making it appear that the attack is conducted by some third party.
(b) Layer 7 HTTP flood, cache bypass: This attack is known as one of the smartest attacks. In it, the attacker uses URLs that search for random words or keywords like "news" or "government" and many others. This indirectly consumes a lot of resource caches, and the attacker is able to pass as a legitimate user. The damage is done by making the site use up its resource caches.
(c) Layer 7 HTTP flood attack: A Layer 7 HTTP flood is an attack specifically targeted at overloading specific parts of a server or website. The attack looks legitimate and hence is difficult to detect, and it consumes resources until the server or site goes down. This attack depends on bandwidth, so even a small number of requests per second can easily consume application and backend databases. So, attacks with more than 100 requests per second are able to bring down a large number of medium-sized websites. This is a very common attack among attackers because server-level caching cannot stop it: every new request for an incoming URL that is not in the cache results in the creation of a new page. We can categorise HTTP floods (Layer 7 DDoS attempts) into four major categories:
(i) Basic HTTP floods: This is the easy and commonly used attack of accessing the same web pages over and over again using the same user agents, referrers and the same range of IP addresses.
(ii) Randomized HTTP floods: These are more complex than basic HTTP flood attacks and use a very large set of IP addresses and user agents, together with randomised URLs and referrers.
(iii) Cache-bypass HTTP floods: As discussed earlier, these attacks try to bypass the cache of web applications by using randomised HTTP floods.
(iv) WordPress XMLRPC floods: These are specifically targeted at websites built with WordPress that have pingback enabled. By default, pingback is enabled in WordPress sites and can be used against other sites for conducting DDoS attacks. XMLRPC is used for trackbacks, pingbacks, remote access and other features, and these are used by attackers to conduct attacks.
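The HTTP flood categories above can be told apart from the web server's own access log. The following is an added example in Python, not code from the book: it parses constructed access-log lines in the common Apache "combined" layout, counts requests per source per second, and flags any source whose peak exceeds a configurable rate, with the 100 requests per second figure from the text as the default. For each flagged source it also reports the share of distinct URLs (near 1.0 for a randomised or cache-bypass flood, near 0 for a basic flood of the same page) and the number of distinct user agents. The IP addresses, timestamp, URLs and user-agent strings are constructed sample data.

```python
"""Request-rate detector for HTTP floods, run over constructed access-log lines.
Added example, not from the book: addresses, timestamps and agents are sample data."""
import re
from collections import Counter, defaultdict

# Apache "combined" log format, the assumed layout of the constructed lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def make_sample_log():
    """Constructed sample: one source sends 150 requests within a single second
    to randomised search URLs (a cache-bypass flood), plus three normal visits."""
    ts = "10/Oct/2020:10:03:10 +0000"
    lines = [
        f'203.0.113.10 - - [{ts}] "GET /search?q=news{i} HTTP/1.1" 200 512 '
        f'"-" "Mozilla/5.0 (flood)"'
        for i in range(150)
    ]
    for ip, url in [("198.51.100.7", "/"), ("198.51.100.8", "/about"),
                    ("198.51.100.7", "/contact")]:
        lines.append(f'{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 1024 '
                     f'"https://example.org/" "Mozilla/5.0 (X11)"')
    return lines


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect_http_flood(lines, max_rps=100):
    """Count requests per (source, second); the timestamp field has one-second
    resolution, so it serves directly as the bucket key. Sources whose peak
    exceeds max_rps are returned with two discriminators: the share of distinct
    URLs and the number of distinct user agents seen from that source."""
    per_second = Counter()
    urls, agents, totals = defaultdict(set), defaultdict(set), Counter()
    for rec in parse_log(lines):
        per_second[(rec["ip"], rec["ts"])] += 1
        totals[rec["ip"]] += 1
        urls[rec["ip"]].add(rec["url"])
        agents[rec["ip"]].add(rec["ua"])
    findings = {}
    for (ip, _), n in per_second.items():
        if n > max_rps and (ip not in findings or n > findings[ip]["peak_rps"]):
            findings[ip] = {
                "peak_rps": n,
                "distinct_url_ratio": len(urls[ip]) / totals[ip],
                "distinct_user_agents": len(agents[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_http_flood(make_sample_log()).items():
        print(ip, info)
```

A per-source rate catches the basic and cache-bypass floods, which come from a fixed range of addresses; a randomised flood spread over a very large set of sources keeps each source below the threshold, so in practice the same counting is also applied to the aggregate rate per URL or per site, where the excess shows up instead.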

DoS Versus DDoS: What Is the Difference?

In a DoS attack a single system is used to conduct the attack, while in a DDoS attack multiple systems are used. This is the main difference between DoS and DDoS attacks and is illustrated in Fig. 3.12. Because multiple systems in multiple locations are used, DDoS attacks are difficult to detect, as the origin of the attack cannot be found easily. A single system cannot send the amount of traffic that multiple systems can send together; for this reason a DDoS attack is more dangerous than a DoS attack. Another difference is how the attack is conducted: a DoS attack is conducted through a script or DoS tools, while a DDoS attack is conducted by controlling bots and having them execute the attack.

Figure 3.12  Difference between DoS and DDoS attack.

What Are Commonly Used DoS/DDoS Attack Tools?

A few commonly used tools include the following:

1. Low Orbit Ion Cannon (LOIC): Low Orbit Ion Cannon is an open source application with a user-friendly interface. This tool is very popular for conducting such attacks. It allows both UDP and TCP protocol attacks to be carried out. Many derivatives have been created because of its popularity, and these allow attacks to be conducted through a web browser.
2. High Orbit Ion Cannon (HOIC): High Orbit Ion Cannon was created as an advanced version of Low Orbit Ion Cannon. The tool can be customised and has more features than LOIC. It is mainly used for conducting DDoS attacks, and the attacks it conducts, which use the HTTP protocol, are difficult to mitigate. The tool is also designed so that a minimum of 50 people can work together in conducting an attack.
3. Slowloris: Slowloris is a tool popular among attackers for conducting DoS attacks. As the name suggests, Slowloris is designed to mount a low and slow attack on the targeted network or server. With limited resources, Slowloris can conduct an attack with a damaging effect, and because of this it is one of the popular tools.
4. RUDY (R-U-Dead-Yet): RUDY is also a low and slow attack tool used by attackers. It has a simple point-and-click interface that is easy to use for conducting attacks. The attack is conducted on the targeted server by sending multiple HTTP POST requests and keeping them open as long as possible.

How to Prevent DDoS Attacks?

One cannot prevent DDoS attacks completely, but we can definitely reduce their effect by following the techniques given below.

1. Develop a DDoS prevention plan by properly researching and understanding your network and systems, so that if a DDoS attack ever hits you can apply the prepared plan directly and save a lot of time. This is a critical step and needs to be followed properly.
2. Use a firewall, VPN, load balancing, anti-spam, content filtering and other techniques to secure the network. Securing the network is really important, as this reduces the chances of attack significantly. Also make sure you use updated applications or products, as outdated applications often have security issues that are patched in the updated versions.
3. Use redundant network resources in your network architecture. Try using servers located in different locations, as this creates difficulty for the attacker, and have a backup option so that if one server is attacked the other servers can handle the network traffic.
4. Buy enough bandwidth to handle the sudden increase in network traffic that DoS or DDoS attacks can cause, so that your service keeps working properly.
5. Configure your network, firewall or router so that you can drop packets coming from outside your network. This can prevent DNS- and ping-based attacks.
6. Use cloud technology if feasible. As the cloud has more bandwidth and more resources as well as better security than most private networks, it is really difficult to attack the cloud.

POINTS TO REMEMBER
• DoS is denial-of-service and DDoS is distributed denial-of-service.
• The difference between DoS and DDoS is that DoS uses a single machine while DDoS uses multiple machines to conduct the attack.

Cyber Security and Laws_Chpater 03.indd 110

10/7/2020 10:03:13 AM

3.5 SQL Injection and Buffer Overflow • 111

• The purpose of these attacks is to make the server unavailable so that service is denied to the user.
• There is no particular way to prevent these attacks, but some steps can be taken to avoid them and minimise their effect.

3.5 SQL Injection and Buffer Overflow

3.5.1 What Is SQL Injection?
An SQL injection attack is also known as an SQLi attack. As the name suggests, this attack is linked with structured query language (SQL). In this attack, the attacker uses SQL vulnerabilities to execute malicious SQL statements. Web applications and websites use a database to store data, and these databases use SQL for performing operations on that data; so, basically, SQL statements control the database server. Attackers use this technique to bypass the security measures set by applications, and also to add, retrieve or alter data in the database. The attack can affect any website or web application that uses an SQL database such as Oracle, SQL Server or MySQL if these vulnerabilities are not properly addressed. Attackers can gain access to personal data, customer information or anything else stored in the database. It is one of the oldest and favourite attacks of attackers, because it still works and is considered one of the most damaging attacks. The Open Web Application Security Project (OWASP) has listed the top 10 web application security risks, and guess what, SQL injection tops the list!

3.5.2 How and Why Is an SQL Injection Attack Performed?
To conduct an SQL injection attack, the attacker must have knowledge of SQL. He/she also first needs to find web applications or web pages that are vulnerable to this attack, that is, pages and applications that take input from users and use it directly in an SQL query. The attacker then crafts user input that attacks the database through SQL commands; this is the key part of the attack. As discussed earlier, SQL is a query language used to create, alter and delete data in relational databases, and in some cases operating system commands can be executed through SQL commands. Hence, a successful SQL injection attack has serious consequences:
1. The attack is used by attackers to obtain the credentials of other users from the database. Attackers can then impersonate these users, and among them there may be an admin user who has all database privileges.
2. Since SQL is used to add and change data in the database, this enables attackers to use the attack to modify balances, transfer money or alter transactions in financial applications.
3. On some database servers the operating system can be accessed using SQL. In such cases the attacker can attack the internal network behind the firewall, using SQL injection as the initial vector.
4. SQL vulnerabilities can allow attackers to completely access the database server. This means attackers can access everything stored on the database.


112 • Chapter 3/Methods and Tools used in Cyber Line

5. Attackers can use this attack to delete data from the database. This can be a few records, a few tables or the whole database. Even if a database backup is used to restore the data, some recent records cannot be recovered, because backups are taken manually at particular intervals.

3.5.3 Types of SQL Injection
There are many types of SQL injection. However, they are majorly classified into three types (see Fig. 3.13): in-band SQLi, inferential SQLi and out-of-band SQLi. These are further classified as follows.

Figure 3.13  Types of SQL injection.
SQL injection
  In-band SQL injection: error-based SQL injection; union-based SQL injection
  Inferential SQL injection: Boolean-based blind SQL injection; time-based blind SQL injection
  Out-of-band SQLi

In-band SQLi (Classic SQLi)
In-band SQL injection refers to SQL injection where a single communication channel is used by the attacker both to conduct the attack and to get the results. It is very common and the easiest to exploit of all SQL injection attacks. It is further classified into two types, error-based SQLi and union-based SQLi.
1. Error-based SQLi: As the name suggests, error-based SQLi uses the error messages thrown by the database server. The technique is used to understand the structure of the database, and in some cases it can be used to enumerate the whole database. So, to avoid this attack, it is important to disable the detailed errors used during development of the web application: errors should be disabled on the live site, or written to log files with restricted access.
2. Union-based SQLi: Union-based SQLi uses the SQL UNION operator. In this attack, the UNION operator is used to combine two or more SQL statements. The results of the individual statements are combined by the UNION operator, and hence a single result is returned as part of the HTTP response.

Inferential SQLi (Blind SQLi)
Inferential SQLi is a type of SQLi in which the attacker reconstructs the database structure. The web application does not transmit data back, so the result is not seen directly by the attacker. Attackers conduct this attack by sending payloads to the server and then observing the response of the web application, which can be seen in the form of changed behaviour of the server. Though this attack requires more time than in-band SQLi, it is just as dangerous. It is also known as blind SQLi, because the attacker cannot see the result directly. Boolean-based blind SQLi and time-based blind SQLi are the two types of blind SQLi.
1. Boolean-based (content-based) blind SQLi: Boolean-based blind SQLi refers to the Boolean values TRUE and FALSE returned as a result of the injected SQL query. In this technique, the attacker sends an SQL query to the database server, and the result depends on the Boolean value returned by the query. The attacker can see changes in the content of the HTTP response based on that result; even if no data is returned from the database, the HTTP response tells the attacker whether the condition was true or false. The attacker needs to enumerate the database character by character to conduct this attack, hence it is very slow compared with other SQLi attacks.
2. Time-based blind SQLi: As the name suggests, the time-based blind SQLi attack depends on the time taken by the database server to respond. In this technique, the attacker sends a query that forces the database server to wait for some seconds. This specific response time is used by the attacker to understand whether the result is TRUE or FALSE. This is also a slow attack compared with other SQLi attacks.

Out-of-band SQLi
Out-of-band SQLi is not popular among attackers, because it requires specific features to be enabled on the database server. The attack is conducted when the attacker cannot use the same channel for launching the attack and getting the results. Out-of-band techniques act as an alternative to time-based SQLi techniques, and they depend on the database server being able to make DNS or HTTP requests, which are used to get results out of the database. For example, the Oracle database's UTL_HTTP package can be used from SQL and PL/SQL to send HTTP requests, and the xp_dirtree command in Microsoft SQL Server can be used to make DNS requests; these are just two examples. The requests are sent to a server controlled by the attacker.

Some examples of SQL injection are listed in the following. An SQL injection attack occurs when the attacker changes a standard query to exploit vulnerabilities in the database. Several ways are used to conduct this attack, as discussed above. Here are some very common examples to make you understand how the attack works.

Example 1
Suppose an e-commerce website that has an SQL injection vulnerability requires an item id as input. This input is used to provide information about that specific item. Suppose the item id is 46. A normal person enters the item id as ‘46’, whereas the attacker enters it as ‘46 OR 5 = 5’. Now, look at the query:

SELECT ItemName, ItemDescription, ItemCost FROM Items WHERE ItemNo = 46 OR 5 = 5

As you can see, 5 = 5 is always true, and since OR is used, the condition is true for every item in the Items table. So, the result will be all item names, their descriptions and their corresponding costs. The attacker now has a list of all items, descriptions and costs, even if he/she is not eligible to access all these details.

Example 2
Now, consider the same scenario with a small change. The attacker enters the item id as ‘46; DROP TABLE USERS’:

SELECT ItemName, ItemDescription, ItemCost FROM Items WHERE ItemNo = 46; DROP TABLE USERS

In this query, the attacker used a semicolon to complete the first query and then wrote a second query. This second query deletes the whole table named USERS, which means the whole user database can be deleted. This is just one example, but it makes you understand how big a threat this is to web applications and web pages.

Example 3
Again, consider the same example. The attacker now enters the item id as ‘46 UNION SELECT Username, Password FROM USERS’. Now, look at the query:

SELECT ItemName, ItemDescription, ItemCost FROM Items WHERE ItemNo = 46 UNION SELECT Username, Password FROM USERS;

As we can see in the query, the attacker combines two queries using the UNION keyword, and as a result obtains the usernames and passwords of all the users. (For a database to accept a UNION, both SELECT lists must return the same number of columns; the illustrative query above glosses over this.)

3.5.4 Tools Used for SQL Injection
BSQL Hacker
BSQL Hacker is an automatic SQL injection tool that is more often used for blind SQL injection. It uses multi-threading to perform the attack faster. It supports both types of blind SQL injection as well as error-based SQL injection, and can extract almost everything from the database through its GUI or console. It supports proxies, SSL-protected URLs and multiple injection points such as HTTP headers, POST data, the query string and cookies. It can attack MSSQL, Oracle and MySQL.

SQLmap
SQLmap is an open source tool and a very popular SQL injection tool. It supports MySQL, Oracle, Microsoft SQL Server, IBM DB2, PostgreSQL, SQLite, Microsoft Access, etc., so basically most database servers. It has a powerful detection engine that is used to detect vulnerabilities, and it can conduct almost every type of SQL injection attack. The tool has a built-in password hash recognition system. It is easy to use and can exploit vulnerabilities in web pages and applications to take over the database server.

SQLninja
SQLninja is another tool used to exploit web applications that use SQL Server as their database. You need to find the injection point; the tool then automates the exploitation process and gains information from the server. Its aim is to give the attacker remote access to the database server. It is available for Mac OS X, iOS, FreeBSD and Linux. It can be used with Metasploit to get GUI access to the remote database, and it supports both TCP and UDP direct and reverse bindshells.

Safe3 SQL Injector
Safe3 SQL Injector is an automated SQL injection tool used for remotely accessing an SQL server by exploiting a vulnerability. It has an AI system for recognising the database server, its vulnerabilities, ways to exploit them and the injection type to be used. It supports both HTTP and HTTPS web pages and a wide range of servers, and can perform SQL injection via GET, POST or cookies. It is an easy yet powerful tool and supports MD5 cracking, full SQL injection scans, domain queries and web path guessing.

SQLSus
SQLSus is an open source tool written in Perl. It is basically used for MySQL injection, and since it is open source you can add your own features by writing your own code. It is a command-based tool that lets you write your own queries and perform attacks. It uses multi-threading for faster results. It supports cookies, SOCKS proxies, binary data retrieval, HTTP authentication and HTTPS, and can perform attacks using GET and POST. The tool can clone databases, tables, columns and rows into a local SQLite database, and you can use different sessions to conduct the attack.

Mole
Mole is also an open source automatic SQL injection tool, written in Python. The attacker just needs to find a vulnerable website and pass its URL to the tool, which detects the vulnerability using the union-based or Boolean-based technique. It uses a command line interface with auto-completion of commands and arguments, so it is easy to use. It supports MySQL, Postgres and MSSQL database servers, the GET and POST methods, and cookie-based attacks.

3.5.5 Preventive Measures to Avoid SQL Injection
Now you know that SQL injection is a very big threat. To avoid becoming a victim, it is important to take preventive measures. Given below are some very important preventive measures to keep your database safe.


1. Use prepared statements: Using prepared statements with parameterised queries is very useful in preventing SQL injection attacks. They are easy to understand and simple to write. Basically, when the user enters a value, this value is taken into a variable, and this variable is passed as a parameter to the query. When the user enters ‘56 or 1 = 1’ as input, the whole string is stored in the variable and passed as it is in the parameter, so a result is returned only if the database actually has ‘56 or 1 = 1’ as a field value. This is a very effective way to prevent such attacks.
2. Use stored procedures: Using stored procedures along with prepared statements adds an extra layer of security. The basic difference between a stored procedure and a prepared statement is that the stored procedure is stored in the database server and is called from the server whenever needed. So, the web app or web page treats input as data only and not as an SQL query.
3. Avoid using a root-privileged account: Do not use an account having root privileges for your database. If your web apps or pages use an account having root privileges, then an attacker might gain access to the whole database. So, it is always better to use an account having few privileges for your web apps or web pages.
4. Update the system: Whenever you find that your web applications or websites have an SQL vulnerability, it is important to fix it. Once fixed, make sure you apply the patch and update the system so that you can avoid attacks in future.
5. Validate user input: Even if you use prepared statements and stored procedures, make sure you validate user input. User input can be validated on the basis of length, format, type, etc. This will eliminate the most trivial attacks but cannot fix the underlying vulnerability. It is like opening your door only to those whose identity you can verify.
6. Disable unwanted functionality: It is important to disable functionality you do not need, as it can be used by attackers to gain access to important data in your database. Example: shell access, which can be very helpful to an attacker.
7. Hide information in error messages: This is very important, as attackers can learn almost everything from error messages. So, show only the required information and use general error messages to avoid disclosure through them. Also, make sure users can contact your technical support team in case they encounter any issue.
8. Encrypt credentials and store them separately: Imagine your database falling into the wrong hands: what damage could it do if the database credentials are kept inside the database, unencrypted? So, it is very important to encrypt credentials properly and store them separately in another file. This prevents disclosure of credentials to the wrong hands.
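Example 1 and Example 2 from Section 3.5.3, run first against string-built SQL and then against a prepared (parameterised) statement with input validation, as in items 1 and 5 above. This is an added example and not the textbook's code; it uses Python's built-in sqlite3 module, and the Items and Users tables and their rows are constructed for the demonstration.

```python
"""String-built SQL versus a prepared statement, using the book's Example 1
and Example 2 inputs. Added example, not from the textbook; the database
contents are constructed.
"""
import sqlite3

ITEM_QUERY = "SELECT ItemName, ItemDescription, ItemCost FROM Items WHERE ItemNo = "

def make_db():
    """In-memory database with constructed Items and Users tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNo INTEGER PRIMARY KEY, ItemName TEXT,
                            ItemDescription TEXT, ItemCost REAL);
        INSERT INTO Items VALUES (45, 'Keyboard', 'Mechanical, 87 keys', 60.0);
        INSERT INTO Items VALUES (46, 'Mouse', 'Wireless, 3 buttons', 25.0);
        INSERT INTO Items VALUES (47, 'Monitor', '27 inch, 1440p', 300.0);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('admin', 'constructed-secret');
    """)
    return conn

def lookup_unsafe(conn, item_id):
    """Vulnerable: the user's text is concatenated into the SQL statement."""
    return conn.execute(ITEM_QUERY + item_id).fetchall()

def lookup_safe(conn, item_id):
    """Prepared statement: the value is bound as data, never parsed as SQL."""
    return conn.execute(ITEM_QUERY + "?", (item_id,)).fetchall()

def parse_item_id(text):
    """Input validation: an item id is a positive integer and nothing else."""
    if not text.isdigit():
        raise ValueError("item id must be a positive integer")
    return int(text)

def demo():
    conn = make_db()
    out = {}
    out["normal"] = lookup_unsafe(conn, "46")
    out["example1_unsafe"] = lookup_unsafe(conn, "46 OR 5 = 5")   # every row comes back
    try:
        lookup_unsafe(conn, "46; DROP TABLE Users")                # Example 2
        out["example2_unsafe"] = "second statement ran"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3.execute() refuses more than one statement per call; many
        # other drivers and servers do run the stacked DROP, so never rely on this.
        out["example2_unsafe"] = "rejected by driver"
    out["users_table_intact"] = conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0] == 1
    out["example1_safe"] = lookup_safe(conn, "46 OR 5 = 5")        # bound as text: no match
    try:
        lookup_safe(conn, parse_item_id("46 OR 5 = 5"))
        out["example1_validated"] = "accepted"
    except ValueError:
        out["example1_validated"] = "rejected by validation"
    out["safe_normal"] = lookup_safe(conn, parse_item_id("46"))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the parameter bound, the whole string ‘46 OR 5 = 5’ is compared against the ItemNo column as one value and matches nothing, which is exactly the behaviour item 1 describes; the validation step in front of it rejects the input before the database is even asked.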

3.5.6 What Is Buffer Overflow?
Buffers are temporary storage regions in memory; they are used for storing data temporarily. When more data arrives than the buffer can hold, a buffer overflow occurs: since the buffer is full, adjacent memory locations are used. Suppose your buffer is designed for 8 bytes of storage but you receive 2 bytes more than that; these extra 2 bytes are stored just beyond the buffer boundary (Fig. 3.14). Buffer overflow can affect any software. The overwriting can cause a lot of issues, such as programs behaving unpredictably, memory access errors, crashes and even incorrect results. Attackers use it as an attack, to trigger a response that damages files or changes the execution of the program.

Figure 3.14  Buffer overflow example. An 8-byte buffer occupies positions 0 to 7 and holds the characters P A S S W O R D; the 2 overflow bytes, 1 and 2, are written into positions 8 and 9, just past the buffer boundary.

3.5.7 What Are the Different Types of Buffer Overflow Attacks?
Buffer overflow attacks can be classified on the basis of the strategy used and on the basis of the piece of code targeted. Some of these types are listed in the following:
1. Stack overflow attack: This is one of the old methods used by attackers. In this attack, the program writes more data into a buffer than the space allocated for it. The extra data is written onto the program's stack, resulting in corruption of data, crashing of the program or the program operating incorrectly.
2. Heap overflow attack: A heap overflow occurs when the overflowed buffer was allocated using the malloc() routine, so the overflow overwrites adjacent heap memory. This is used by attackers for crashing programs.
3. Integer overflow attack: When an arithmetic operation gives too large an integer result, the whole result cannot be stored because of the predefined capacity of the integer type. Since the result is an integer, and the condition leads to a buffer overflow, this is known as an integer overflow attack.
4. Unicode overflow attack: Unicode is an encoding method just like ASCII. The difference between ASCII and Unicode is that ASCII only covers English characters, while Unicode covers almost every written language. Because of this, Unicode characters are larger than the largest ASCII character. So, when a user inputs Unicode characters where ASCII characters are expected, a Unicode overflow attack occurs.
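How an integer overflow (item 3) turns into a buffer overflow, and the checked arithmetic that stops it. This is an added example and not the textbook's code; it models the unsigned 32-bit arithmetic of a C program by applying the wrap explicitly with a mask, since Python integers do not wrap on their own, and the element count and size are constructed values.

```python
"""Integer overflow leading to an undersized buffer, and the checked multiply
that prevents it. Added example, not from the textbook; it simulates 32-bit
unsigned arithmetic with an explicit mask.
"""
MASK32 = 0xFFFFFFFF  # largest value an unsigned 32-bit integer can hold

def wrap32(n):
    """Value n takes when stored in an unsigned 32-bit integer (modulo 2**32)."""
    return n & MASK32

def unchecked_alloc_size(count, elem_size):
    """Buffer size a naive program computes for `count` elements: the product
    silently wraps when it exceeds 32 bits."""
    return wrap32(count * elem_size)

def checked_alloc_size(count, elem_size):
    """Same product, but None when it would not fit in 32 bits, so the caller
    can refuse the request instead of allocating an undersized buffer."""
    if elem_size and count > MASK32 // elem_size:
        return None
    return count * elem_size

def simulate_request(count, elem_size):
    """Compare the bytes allocated with the bytes a copy loop that trusts
    `count` would write; the difference spills past the buffer."""
    allocated = unchecked_alloc_size(count, elem_size)
    written = count * elem_size   # the loop iterates `count` times, not `allocated` bytes
    return {
        "allocated": allocated,
        "written": written,
        "overflow": written - allocated,
        "checked": checked_alloc_size(count, elem_size),
    }

if __name__ == "__main__":
    print(simulate_request(3, 4))            # fits: no overflow
    print(simulate_request(0x40000001, 4))   # 4 bytes allocated, about 4 GiB written
```

The constructed count 0x40000001 multiplied by 4 is 0x100000004, which wraps to 4, so the naive program allocates 4 bytes and then copies the full count of elements into them; the checked version reports the request as impossible and the program can reject it before any copy happens.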

3.5.8 How to Prevent Buffer Overflows?
Buffer overflow attacks can be prevented by developers, by writing more secure code, by allowing only a limited number of bits or bytes of input data, and by using languages that offer built-in protection. For example, if data of at most 4 bytes is expected from the user, then only 4 bytes should be written into the buffer, and this can be done by limiting the input data to that size. Developers should test their code and fix the issues found while testing. Nowadays, operating systems also provide runtime protection, which is discussed in the following:
1. Address space randomization (ASLR): Address space randomization is a technique used by the OS to randomly move around the address space locations of data regions. To conduct a buffer overflow attack, the attacker needs to know the location of executable code, and ASLR makes it really difficult for the attacker to find that address.
2. Data execution prevention: The operating system reserves some memory locations and flags them as non-executable, meaning that these memory addresses cannot be used for execution. This prevents the attack from running code in the non-executable area, leading to failure of the attack.
3. Structured exception handler overwrite protection (SEHOP): The structured exception handler (SEH) is a built-in function that manages hardware and software exceptions. Structured exception handler overwrite protection (SEHOP) stops malicious code from attacking the SEH, preventing attackers from using it. SEH overwriting is done by attackers to overwrite exception data such as the exception registration record, usually using a stack-based buffer overflow.
Such buffer overflow prevention techniques should be used to avoid buffer overflow attacks. Though there are prevention techniques, attackers can still conduct attacks. So, it is important to detect an attack and understand how it was conducted, so that the vulnerability can be fixed and future attacks prevented. Buffer overflow attacks can be detected using an intrusion detection system (IDS). An IDS analyses traffic to detect signatures known to exploit vulnerabilities; it can then prevent the payload from executing and mitigate the attack.

POINTS TO REMEMBER
1. SQL injection, also known as SQLi, is the structured query language attack. In this attack, SQL vulnerabilities are used by attackers to gain information from the database.
2. SQL injection attacks can be prevented by writing clean and secure code, using prepared statements, functions and triggers wherever possible, and by granting only those privileges that are actually needed.
3. A buffer overflow attack supplies more data than the size of the buffer. So, the buffer gets overloaded and adjacent memory locations are used to write the remaining extra data.
4. It is mainly used for crashing systems and can be prevented by writing code that allows only limited data, and also by modern operating system techniques.

3.6 Phishing and Identity Theft (ID Theft)

3.6.1 What Is Phishing?
In simple terms, phishing is a cybercrime in which the attacker pretends to be legitimate in order to get information from the user. The attacker contacts the user through e-mail, telephone or text messages, or through links and websites, to obtain sensitive data such as banking and credit card details, passwords and personally identifiable information. The information collected is then used by the attacker to access important accounts, which can lead to financial loss and identity theft. In 2004, a Californian boy created a duplicate website of ‘America Online’, and the first case was filed against him for creating the fake website. The website was used to get sensitive information such as credit card details from users, and these details were then used to withdraw money. Voice phishing is known as ‘vishing’ and SMS phishing is known as ‘smishing’. Cyber criminals come up with new methods of phishing every year.

Common Features of Phishing e-mails
1. Attackers normally use e-mails that are attractive and catch people's attention. Generally, e-mails saying you have won a lottery, a car or some other lavish prize are sent by attackers to users. Do not click on such e-mails, as this is the trap.
2. Another technique used by attackers is to tell you that you have only a limited amount of time to respond. This technique is used with super deals or with e-mails asking you to update your profile details. After seeing such e-mails, some users panic, click on the links provided and may end up giving their personal details to the attacker. So, it is always better to confirm this kind of e-mail with official sources rather than clicking on it directly.
3. Hyperlinks are used to hide the details of the actual link. Hovering over a link shows you the actual address you will be directed to after clicking. This actual link can either be completely different, or it can be the link of a very popular website with just a small change or misspelling. For example, ‘www.bankofarneica.com’: if you look carefully at this URL, you will notice that it has the letters ‘r’ and ‘n’ instead of ‘m’, which turns the word America into Arneica.
4. Another favourite method of attackers is sending attachments in an e-mail. Opening this type of attachment can install ransomware or viruses on your PC. So do not open attachments sent from untrusted sources.
5. If you get mail from an untrusted source, or even from a trusted source but you feel something is suspicious about it, or you find something unexpected, out of the ordinary or out of character, then do not click on it.
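Checks for two of the signs in the list above: a hyperlink whose visible text names one site while its real target is another (feature 3), and a target domain that imitates a trusted one with look-alike characters such as ‘rn’ for ‘m’. This is an added example and not the textbook's code; the trusted-domain list, the confusable table and the sample HTML are constructed for the demonstration.

```python
"""Link-text versus href comparison and look-alike domain detection for
phishing e-mails. Added example, not from the textbook; the trusted list,
confusable table and sample HTML are constructed.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bankofamerica.com", "paypal.com", "ebay.com"}

# Character sequences that look alike in common fonts; each is mapped to the
# form it imitates before two domains are compared.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

def registrable(host):
    """Crude registrable-domain extraction: lowercase and strip a leading 'www.'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def canonical(domain):
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain

def levenshtein(a, b):
    """Edit distance; a look-alike that survives canonicalisation usually differs by one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host):
    """'trusted', 'lookalike of <domain>' or 'unknown' for a link target."""
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    canon = canonical(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(canon, canonical(trusted)) <= 1:
            return "lookalike of " + trusted
    return "unknown"

def check_links(html):
    """For each <a> element, compare the host shown in its text with its real href host."""
    findings = []
    for m in re.finditer(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href, text = m.group(1), m.group(2)
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)  # a hostname written in the link text
        shown_host = shown.group(0).lower() if shown else None
        findings.append({
            "text": text,
            "href_host": href_host,
            "text_mismatch": shown_host is not None and registrable(shown_host) != registrable(href_host),
            "verdict": classify_domain(href_host),
        })
    return findings

# Constructed e-mail body: the first link shows the real bank's name but
# points at the misspelt domain from the list above.
SAMPLE_HTML = """
<p>Dear customer, verify now: <a href="http://www.bankofarneica.com/verify">www.bankofamerica.com</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">PayPal help</a></p>
<p>Promotion: <a href="http://example.net/win">Claim your prize</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

The canonical form alone does not catch every variant (the book's spelling ‘arneica’ also drops a letter), so the comparison allows one edit after canonicalisation; for a mail gateway the trusted list would come from the organisation's own brands and partners rather than the three names assumed here.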

3.6.2 Different Phishing Techniques
As technology advances, attackers also advance: they keep finding new techniques for conducting attacks. The different phishing techniques used by attackers are discussed in the following. Also refer to Fig. 3.15 for a basic idea of the different techniques.

Figure 3.15  Different phishing techniques: spear phishing, web-based delivery, link manipulation, keyloggers, Trojan, malvertising, session hijacking, content injection, vishing, smishing, malware, ransomware.


Spear Phishing
Spear phishing is a technique used by attackers to make their attack more efficient. In this technique they do not target everyone; instead, based on their research, they select a group of people having similarities. They try to make the attack personalised so that the targeted people fall into their trap. Here, the similarities between these people are used as a weapon so that more and more of them fall into the trap.

Web-Based Delivery
Web-based delivery is also known as the ‘man-in-the-middle’ technique in phishing. This is a very sophisticated phishing technique in which the attacker sits between the phishing system and the actual website. The attacker gathers information while the user makes a transaction on the actual website. This information is gathered without the knowledge of the user and can then be used by the attacker.

Link Manipulation
In this technique, the attacker uses a hyperlink as a trap for users. When users click on this kind of link, they are directed to a malicious website or the phisher's website instead of the website mentioned in the hyperlink. Hover your mouse over the link to see where you will be directed on clicking; this will save you from falling for this attack.

Keyloggers
Keyloggers record the keys pressed on the keyboard in order to learn the words typed by users. A keylogger is malware used by attackers to collect important data such as passwords and other personal data. Many websites now provide virtual keyboards to prevent keyloggers from capturing the personal information of users.

Trojan
A Trojan horse is malware used to gain unauthorised access to a user's account by misleading the user with an action that looks legitimate. The information collected from the local machine can be credentials or personal data, and it is then sent to the attacker.

Malvertising
Malvertising refers to malware delivered through advertising. In this technique, advertisements contain active scripts, and these scripts or code are used to download unwanted content or malware onto your PC. Adobe PDF and Flash exploits are very commonly used for this purpose.

Session Hijacking
Session hijacking is a technique used by attackers to hijack a session, that is, take control of it. The attacker exploits the web session control mechanism to hijack the session. After taking control, the attacker sniffs the important and relevant information from the user's account and uses this information illegally for their own purpose.

Content Injection
In this technique, the attacker changes some of the content of a legitimate website. This change in content is used as a weapon to direct people from the legitimate website to the attacker's page. Since content is injected or added by the attacker to mislead users, the technique is called content injection.


Vishing (Voice Phishing)
Vishing is voice phishing, where the attacker uses a phone call to get information from the user. Usually a fake caller ID is used for making the calls, and the information gathered is either personal information or bank details.

Smishing (SMS Phishing)
Smishing refers to Short Message Service (SMS) phishing. Here SMS messages are sent to users, provoking them to click on the links provided in the message.

Malware
Malware is attached to e-mails as a downloadable file, or as a link through which it gets installed on your PC. This malware is used by phishers to collect information.

Ransomware
Ransomware is a type of malware delivered by attackers using social engineering, where the user is provoked into clicking on links and downloading attachments. Once installed on the PC, this malware denies access to the device or files until a certain amount, known as the ransom, is paid.

3.6.3 Common Phishing Scams
Many phishing scams are used by phishers, but the most common are e-mail phishing scams and website phishing scams.

E-mail Phishing Scams
1. What is e-mail phishing? As discussed earlier, e-mail phishing is sending a fraudulent e-mail to multiple users to get sensitive information, such as bank details and personal information, from them. This type of e-mail looks similar to a legitimate e-mail and contains links, attachments or forms. Some sophisticated phishers pose as certain services that users subscribe to: when users receive e-mails that appear to come from these service companies, they tend to trust them and fill in the information. All these ways are used to gain personal and financial information from the user for the benefit of the attacker.
2. Why does e-mail phishing work? It has been more than two decades, and yet e-mail phishing is popular among attackers because it is still effective. But why is it still effective? Not because people are stupid, but because attackers are smart. They design e-mails so precisely that they look exactly like legitimate e-mails. Another reason is that people are busy in their lives, so they just scan such e-mails and trust them. Phishers also use ‘urgent’ language in e-mails, and this makes this type of phishing more successful.
3. Signs of e-mail phishing: E-mail phishing can be recognised by looking for some signs in the e-mail. The first thing to look at is the greeting: is it a generic greeting for everyone, or does it have your name in it? Secondly, look at the header of the e-mail and read the sender's e-mail address, as these addresses are usually designed to look authentic; when you look closely, you can see things that do not make sense. Also, see if the e-mail contains hyperlinks. If yes, first hover over the hyperlinks to see where you will be directed. If it is a phishing e-mail, the link will direct you to some malicious website.


4. Examples of successful e-mail phishing: In the past two decades, many e-mail phishing attacks have been carried out successfully, and this is the main reason they are still so popular. The PayPal and eBay phishing scams are very famous examples of e-mail phishing. Both companies are very popular, and both now provide information on their websites about ways to avoid such scams. Users of eBay and PayPal received e-mails that looked legitimate, urging them to verify their accounts, update their information or update their bank details. Users often get scared of losing access and hence fall for such e-mails. You cannot avoid receiving such e-mails, since attackers can use any ids for sending them. What you can do is not click on the links given in such e-mails. Make a habit of verifying such e-mails with the official website, and if an e-mail is illegitimate, try contacting the company about it, as it is going to affect other users as well.
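The signs of e-mail phishing listed in item 3 above, turned into heuristic checks over a raw message: a generic greeting, a display name claiming a brand whose domain the sender's address lacks, urgent wording, and links that point away from the claimed brand, as in the PayPal-style mails of item 4. This is an added example and not the textbook's code; the two messages, the brand table and the word lists are constructed for the demonstration.

```python
"""Heuristic phishing signals for one e-mail message. Added example, not from
the textbook; the messages, brand table and term lists are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify your account")
# Brands phishers imitate and the domain their real mail comes from (assumed table).
BRAND_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com"}

def same_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def analyse(raw_message):
    """Return the signals found in one RFC 822 message plus a simple score."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # Sign 1: the greeting is addressed to nobody in particular.
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    generic_greeting = first_line.startswith(GENERIC_GREETINGS)

    # Sign 2: the display name claims a brand whose domain the address lacks.
    brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    brand_mismatch = brand is not None and not same_domain(sender_domain, BRAND_DOMAINS[brand])

    # Sign 3: pressure to act now.
    urgency = [term for term in URGENCY_TERMS if term in text]

    # Sign 4: links in the body lead away from the claimed brand.
    link_hosts = sorted({urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", body)})
    off_brand_links = [h for h in link_hosts if brand and not same_domain(h, BRAND_DOMAINS[brand])]

    score = sum([generic_greeting, brand_mismatch, bool(urgency), bool(off_brand_links)])
    return {
        "sender_domain": sender_domain,
        "generic_greeting": generic_greeting,
        "brand_mismatch": brand_mismatch,
        "urgency": urgency,
        "off_brand_links": off_brand_links,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "no strong signs",
    }

# Constructed messages: one imitating a payment service, one ordinary note.
PHISHING_SAMPLE = """\
From: "PayPal Service" <security-alert@paypa1-verify.example.net>
To: someone@example.org
Subject: URGENT: your account will be suspended

Dear Customer,

We noticed unusual activity. Verify your account within 24 hours or it will
be suspended: http://paypa1-verify.example.net/login

PayPal Security Team
"""

BENIGN_SAMPLE = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch

Hi Bob,

Are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    print(analyse(PHISHING_SAMPLE))
    print(analyse(BENIGN_SAMPLE))
```

Each signal on its own is weak (a real notice can be urgent, a colleague can write "Dear user"), which is why the verdict needs two or more of them; the brand table is the part an organisation would maintain for itself.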

Website Phishing Scams
1. What is website phishing? Website phishing refers to the use of websites for phishing. This is very popular among attackers. Attackers create fake websites, or websites that look exactly like legitimate websites, to gain personal and financial information from the user. This information can then be used for identity theft and other malicious purposes. So, it is always a good idea not to trust a website blindly, to avoid falling prey to such attacks.
2. Signs of website phishing: Though there is no particular way to prevent website phishing, you can always avoid using such websites. You can look for signs that tell you whether a website can be trusted or not.
3. If the website contains a lot of urgency-related messages or content, then most probably it is a phishing site. A sense of urgency is created by phishers so that people visiting the website willingly give sensitive information to them. A legitimate website is not going to be so desperate, and hence it will not have urgent messages all across the site. So, if you come across such a website, check the URL to make sure you are not on the wrong site.
4. If you visit a website that is unstable, broken or has design flaws, double-check the website you are visiting. Legitimate websites of professional businesses and organizations generally do not have such flaws; they are generally stylish and sleek. So, if you find a website with a sloppy look, there is a chance that you have come across a spoofed site.
5. Professional business and organization websites have content written by professional writers, so they do not have grammatical mistakes and wrong spellings. If you see a website with grammatical errors and misspellings, you might have come across a phishing website.
6. Pop-ups are used on some websites to gather sensitive information from users. So, if there are lots of pop-up messages on a website, the website is fraudulent. Legitimate sites do not use lots of pop-up windows. Use a browser that allows you to block pop-ups. If you still get pop-ups even after blocking them, it is better not to use the website at all.

3.6.4 Preventive Measures to Avoid Phishing Scams
Attackers come up with new techniques constantly, but you can always take preventive measures to protect important information belonging to you and your business organisation.


1. To prevent falling for this type of scam, you first need to know that these scams exist and how they work. So, it is important to keep yourself and the people in your organisation updated about such attacks.
2. It is fine to click links on trusted websites and e-mails, but not in random e-mails and messages or on untrusted websites. Make a habit of hovering over links to see which page they are going to take you to. Also look at the salutation and whether your name appears in the e-mail, to make sure that it is from a trusted source.
3. Nowadays, browsers offer anti-phishing toolbars as an option. Install one in your browser. These toolbars have a list of known phishing sites, so if you come across one of these websites, the toolbar will alert you.
4. When you are submitting important information such as credit card details, make sure the website address starts with 'https' and there is a closed lock icon near the address bar of your browser. Websites using "https" are much more secure than websites using "http".
5. Do not download files from untrusted or unknown e-mail IDs and websites, as these files can contain viruses, malware, etc.
6. Check your monthly statements carefully to make sure that unknown transactions have not been made.
7. Browsers release security patches often to close loopholes or add security. Attackers can use these loopholes if you do not update your browser whenever a new update is released. So, make sure your browser is up to date.
8. Using a firewall always helps you secure your network, as firewalls act as buffers between your PC, your browser and intruders. You can use either a software or a hardware firewall according to your needs and requirements. They drastically reduce the odds of phishers messing with your network, browser or computer.
9. Having anti-virus software on your PC is very important. Anti-virus software guards your computer against loopholes and known technology workarounds. Some of it also has a built-in firewall and anti-spyware protection. It scans each and every file coming through the Internet and alerts you if a file is infected. This will prevent damage to your computer.
10. As discussed earlier, pop-ups are often used by phishers on their websites. Use a browser that allows you to block pop-ups. If you still get a pop-up, click on the small "x" button in the upper right corner and do not click on the cancel button, as clicking on that button can take you to other phishing sites.
Remember that there is no single fool-proof way to avoid phishing attacks.
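The signs listed in 3.6.3 (generic greeting, sender address that does not match the brand, urgent wording, a link whose visible text differs from where it really points) and the 'https' check in item 4 above can be turned into a small screening routine. The following is an added example written for this section in Python; it is not code from the book. The sample message, the brand domain "paypal.com" (chosen because the text names PayPal) and the look-alike sender domain ending in the reserved ".example" TLD are all constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording the text singles out as a warning sign: phishers lean on urgency.
URGENT_WORDS = ("urgent", "immediately", "suspended", "verify your account",
                "within 24 hours", "locked")
# Greetings that address nobody in particular (sign 1 in 3.6.3).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear account holder", "valued customer")


class LinkExtractor(HTMLParser):
    """Collect (anchor_text, href) pairs: the same data you see when hovering a link."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(url_or_addr):
    """Host part of a URL or the domain part of an e-mail address, lowercased."""
    if "@" in url_or_addr and "://" not in url_or_addr:
        return url_or_addr.rsplit("@", 1)[1].lower()
    return (urlparse(url_or_addr).hostname or "").lower()


def _belongs_to(domain, brand_domain):
    return domain == brand_domain or domain.endswith("." + brand_domain)


def phishing_indicators(from_header, claimed_brand_domain, body_html):
    """Return a list of human-readable warning signs found in one message.

    from_header: raw From: value, e.g. 'PayPal <service@example.com>'
    claimed_brand_domain: the domain the message claims to come from
    body_html: the HTML body of the message
    """
    findings = []
    text = re.sub(r"<[^>]+>", " ", body_html).lower()

    # Sign 1: generic greeting instead of your name.
    if any(text.lstrip().startswith(g) or f" {g}" in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")

    # Sign 2: sender address that does not belong to the claimed brand.
    _display, addr = parseaddr(from_header)
    sender_domain = domain_of(addr)
    if not _belongs_to(sender_domain, claimed_brand_domain):
        findings.append(f"sender domain {sender_domain!r} is not {claimed_brand_domain!r}")

    # Sign 3: urgency language in the body.
    if any(w in text for w in URGENT_WORDS):
        findings.append("urgent language")

    # Sign 4: the hover check. Visible link text may look like the brand while the
    # href goes elsewhere; a plain http:// link is the item-4 warning from 3.6.4.
    parser = LinkExtractor()
    parser.feed(body_html)
    for anchor_text, href in parser.links:
        href_domain = domain_of(href)
        if href_domain and not _belongs_to(href_domain, claimed_brand_domain):
            findings.append(f"link text {anchor_text!r} points to {href_domain!r}")
        if href.lower().startswith("http://"):
            findings.append(f"link {href!r} is not https")
    return findings


# Constructed sample message (not a real phishing e-mail).
SAMPLE_FROM = "PayPal Service <service@paypal-verify-center.example>"
SAMPLE_BODY = """
<p>Dear Customer,</p>
<p>Your account has been suspended. Please verify your account within 24 hours
at <a href="http://paypal-verify-center.example/login">https://www.paypal.com/</a>.</p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_FROM, "paypal.com", SAMPLE_BODY):
        print("-", finding)
```

Run on the constructed sample, the routine reports all five signs; run on a message that greets the reader by name, comes from the brand's own domain and links only to https pages on that domain, it reports nothing. The sender-domain check is only a first filter, since the From: header itself can be forged, which is why the text also recommends verifying through the official website rather than through the e-mail.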

3.6.5 Identity Theft (ID Theft)
If some unknown person approached you with an official-looking business card and asked for your personal details, your driver's licence or any other information, you would not give it to them. That is what happens when someone approaches you physically, but digitally it is easy to trick people, and hence phishing attacks happen so often.


Figure 3.16  Identity theft.

Phishing attacks help attackers gain information from users, which they can then use for their own benefit. Identity theft basically refers to stealing someone's identity. Phishers steal the identities of users for several purposes. Identity theft (Fig. 3.16) is one of the worst consequences of a phishing attack.
1. With a small amount of information, such as your address, occupation, name, gender, credit card number, etc., an attacker can do a lot of damage to you. This information is generally gained by attackers using phishing attacks. Once an attacker gets access to any of your online accounts, he/she can obtain this information very easily. Using this data, the attacker can create and use a bunch of credit cards without your knowledge. They can also use this information for their other purposes.
2. Once this information has been used by the attacker to create and use a credit card and you have become a victim, it becomes very difficult to prove to the banks that your identity was stolen. Even if you prove your point, by then the damage will have been done. So, in the case of identity theft, 'Prevention is always better than cure'.
3. Identity theft is mostly done through phishing attacks, so it is always better to take precautions to avoid phishing attacks. Keep yourself up to date with new techniques and how to avoid them. Learn the difference between legitimate and illegitimate e-mails and websites. Use the other preventive measures, and use sensitive information online only when it is secure and actually necessary.

3.6.6 Types of Identity Theft
Financial Identity Theft
Financial identity theft refers to identity theft used for financial purposes. This is also known as bank fraud. An example is when an attacker uses someone else's personal information to get a loan. This type of theft is generally reported to the National Consumer Credit Reporting Agency or the credit bureaus. This type of crime is discovered when the victim notices changes in his/her credit history, finds new accounts or is contacted by banks.


Identity Cloning and Concealment
Identity cloning and concealment is another type of identity theft. Attackers use the personal information they have collected to become that person, so that they can conceal themselves from the authorities. They use this information to avoid being arrested and to move from one place to another. A cloned identity can be detected only if the authorities find them; otherwise, it cannot be detected at all.

Criminal Identity Theft
Criminal identity theft refers to identity theft used by criminals. Here, the ID thief identifies himself/herself as another individual in front of the police. They can use this to obtain a state-issued ID or a fake ID, so that when they get arrested, they can show this ID to the officers, who in turn will file charges under the victim's name. In some cases, such as traffic violations, the victim gets arrested.

Synthetic Identity Theft
As the name suggests, synthetic identity theft is identity theft in which the attacker makes up identities that are fabricated partially or entirely. That is, a fake name and birthdate are used with an actual address and driving licence number. These synthetic IDs are then used by attackers to obtain credit from creditors. The victim is affected only if his/her name is confused with the synthetic identity.

Medical Identity Theft
Medical identity theft is when an ID thief uses information such as a person's name to obtain medical services or goods, so that the thief's own name does not appear on the records, or uses the person's name and existing insurance for this purpose. This is done without the victim's knowledge and results in fake medical records being created or errors in existing records. Since it is used for medical purposes, it is known as medical identity theft.

3.6.7 Techniques for Identity Theft
Different techniques are used by attackers for identity theft. Some of them are discussed in the following:
1. Skimming: A special storage device is attached to ATM machines to steal credit/debit card numbers. This device reads the card details from the magnetic strip on your card.
2. Dumpster diving: As the name suggests, the attacker dives into, i.e. goes through, trash to obtain personal information. They check the trash for bills, credit cards, bank statements and other information. So, make sure you shred documents properly before throwing them in the trash.
3. Old-fashioned stealing: Attackers use old techniques to conduct attacks. They target purses, wallets, bank statements, personal records, medical records, cheques, tax information, etc. to gain sensitive information. This technique is evergreen for attackers.
4. Phishing: Attackers use fraudulent websites or send spam mails, messages or pop-up messages so that you reveal sensitive information. Phishing is one of the big threats and can be avoided by taking proper precautions.
5. Shoulder surfing: Eavesdropping on transactions you make publicly allows attackers to collect information. This information is then used by the attacker for their own purposes.


6. Victim research: Attackers check Internet search engines, public records, social media accounts and government registers for their research. So, basically, they conduct research on the victim and then use this information.
7. Computer identity theft: The attacker uses the victim's computer to gain personal information. The attacker can use viruses, key loggers, etc., or can hack the computer to get the information.
8. Employment scams: In this technique, attackers create a bogus job vacancy and advertise it. Those seeking jobs are required to fill in personal information to apply for the job. So, it is always better to check properly before giving personal information to anyone.
9. Social networking: Attackers use social networking sites nowadays. Since people often post their personal information on social networking sites, it becomes easier for attackers to steal personal information to commit fraud.

3.6.8 How to Prevent Identity Theft?
1. Protect your sensitive materials, such as Xerox copies of important documents, bank statements, insurance forms, medical statements, etc., by shredding or tearing them before disposal.
2. Keep your sensitive documents and personal information locked away, out of reach of your roommates, maids or workers working in the house.
3. Periodically check your bank and credit card statements.
4. Do not throw credit, debit or ATM card receipts away in public or leave them anywhere. Dispose of them properly.
5. Never provide sensitive information on social media or any website unless you find it secure.
6. Only carry necessary cards (PAN, Aadhaar, credit, debit, etc.).
7. Change your passwords on a regular basis.
8. Never give personal information via phone, mail or the Internet.
9. Protect the identity that is stored on your computer by using a firewall, a secure browser, virus protection applications, anti-viruses, etc.
10. Keep your mobile phone, laptop and other devices password protected, and only use Wi-Fi from a legitimate source. Do not use a public network during the transfer of any important information.
The more carefully we handle our identity in cyberspace, the more secure we are; this is the chief mantra of identity theft prevention (Fig. 3.17).

Figure 3.17  Identity theft prevention.


POINTS TO REMEMBER
1. Phishing is a cybercrime where the attacker pretends to be a legitimate entity to get information from the user.
2. E-mails and websites are used very often by attackers for conducting phishing attacks, and hence e-mail and website scams are popular among attackers.
3. Identity theft is stealing someone's identity and pretending to be that person.
4. In the modern era, identity theft is usually done using phishing, and it can only be prevented by not publishing or giving sensitive information to anyone else.

3.7 Enumeration

3.7.1 What Is Enumeration?
Enumeration is the process of extracting information from a system. To do this, the attacker first creates an active connection and performs queries. These queries yield more information about the target device. The information gained is then used to identify vulnerabilities and weak points in the system and to exploit them in conducting attacks. Enumeration is mainly used to gather the following information:
• Usernames and group names.
• Hostnames and machine names.
• Network shares and services.
• Routing tables and IP tables.
• Service settings and audit configurations.
• Applications and banners.
• SNMP and DNS details.

3.7.2 Importance of Enumeration
It is a critical phase in penetration testing, as the outcome can be used for exploiting the system directly. It is the research done on a system before conducting an attack. This is really dangerous, as enumeration helps in conducting successful attacks.

3.7.3 Techniques for Enumeration
• E-mail IDs are used for extracting user names.
• Default passwords are used to extract information from accounts.
• Brute force is used to crack passwords and gain information.
• SNMP is used to extract user names.
• User names are extracted from Windows.
• DNS zone transfers are used for extracting information.

3.7.4 Types of Enumeration and How to Prevent Them?
Listed in the following are the types of enumeration, the techniques and tools used to perform them, and the corresponding preventive measures.


NetBIOS Enumeration
1. What is NetBIOS? NetBIOS is short for Network Basic Input Output System and was developed by IBM and Sytek. It is an application programming interface (API) that enables client software to use LAN resources. This API uses a 16-character ASCII string to identify a device, where 15 characters are used for the device name and the last (16th) character is used to represent the service or name record type.
2. NetBIOS Enumeration: Port 139 is used by the NetBIOS software on Windows OS. Only when the file and printer sharing service is enabled can an attacker enumerate NetBIOS and perform an attack on the remote machine. Depending on the availability of shares, the attacker can read from or write to the remote machine, can enumerate password policies and can also launch a DoS attack on the remote machine.
3. NetBIOS Enumeration Tools: Many tools are available on the market for conducting NetBIOS enumeration, but nbtstat, SuperScan, NetBIOS Enumerator, Winfingerprint and Hyena are some of the commonly used tools for conducting such attacks.
4. NetBIOS Prevention tips: To prevent NetBIOS enumeration attacks, remove the file and printer sharing feature and turn off unnecessary services such as Server Message Block (SMB).

SNMP Enumeration
1. What is SNMP? SNMP is the Simple Network Management Protocol and is used for managing network devices. It is an application layer protocol that runs on UDP. It is based on a client-server architecture, where every device on the network is an SNMP agent (client) and uses requests and responses to communicate with the SNMP management station. The requests and responses carry configurable variables that can be accessed by the agent software; access to them requires two passwords. SNMP also manages network objects using a virtual hierarchical database known as the management information base (MIB). It is a tree-like structure in which each network object has an object ID associated with it, and the objects can be altered using the SNMP passwords.
2. SNMP enumeration: Attackers can use the default passwords to view or alter configuration settings. The attacker will be able to enumerate the following:
   (a) ARP and routing tables.
   (b) Information about network resources such as devices, routers, shares, etc.
   (c) Traffic details and statistics.
   (d) Specific information about devices that are connected or were connected.
3. SNMP enumeration tools: SNScan, OpUtils, SNMP Scanner, Nsauditor and SolarWinds are some of the popular tools used for conducting SNMP enumeration.
4. SNMP prevention tips: Some measures for preventing SNMP enumeration attacks are given below.
   (a) Use a firewall to stop unnecessary connections, and use group policy to apply additional restrictions on anonymous connections.
   (b) Use IPsec filtering and block access to TCP and UDP port 161.
   (c) Remove SNMP agents whenever they are not required, and change the default passwords.
   (d) Use an upgraded version of the protocol, as it provides authentication and encryption, and use IPsec to authenticate and encrypt the traffic.


LDAP Enumeration
1. What is LDAP? Lightweight Directory Access Protocol, also known as LDAP, is an Internet protocol used to access distributed directory services. It has a logical and hierarchical structure based on a client-server architecture and is generally used for storing large numbers of records. Examples of directory services are Active Directory and OpenLDAP. Basic Encoding Rules (BER) are used for transmitting information between client and server over TCP.
2. LDAP enumeration: Because LDAP supports anonymous remote queries, LDAP enumeration can be conducted easily. The queries reveal sensitive information: usernames, contact details, addresses, department details and other information.
3. LDAP enumeration tools: Many tools are available on the market, but Softerra LDAP Administrator, JXplorer, LDAP Administrator tool and LDAP Admin tool are some of the popular ones.
4. LDAP prevention tips: To prevent LDAP enumeration attacks, perform the steps given in the following list:
   (a) Use Kerberos to control the access given.
   (b) Encrypt LDAP communication with SSL.
   (c) Enable account lockout to avoid brute force attacks.

NTP Enumeration
1. What is NTP? NTP is the Network Time Protocol. It is used for synchronising clocks between different network systems; it has an accuracy of about 200 milliseconds and can maintain time to within 10 milliseconds. It is based on an agent-server architecture and works on UDP.
2. NTP Enumeration: NTP servers support querying, so the attacker can enumerate the list of hosts connected to the NTP server and find the client IP addresses, the device names and the operating systems they are using. NTP enumeration is performed with queries such as ntptrace, ntpdc and ntpq.
3. NTP Prevention tips: NTP enumeration can be prevented by restricting NTP usage and using NTPsec instead where possible. Enable logging of messages and events, and use iptables to filter traffic.

SMTP Enumeration
1. What is SMTP? The Simple Mail Transfer Protocol (SMTP) is used for the transmission of e-mails. It works on TCP and is based on a client-server architecture. SMTP uses mail exchange (MX) records looked up via DNS to find the servers to which mail is sent.
2. SMTP enumeration: SMTP servers have three built-in commands that are used by attackers for enumeration. The attacker uses these commands to validate users on the SMTP server. The commonly used commands are listed in the following:
• VRFY: Validates users on the SMTP server.
• EXPN: Shows the delivery addresses of aliases and mailing lists.
• RCPT TO: Defines the recipients of the message.
3. SMTP enumeration tools: SMTP enumeration can be done with tools like NetScanTools Pro and smtp-user-enum.


4. SMTP prevention tips: SMTP enumeration can be prevented if the following steps are adopted:
   (a) Avoid sending replies to unknown recipients unless it is really required.
   (b) Do not provide sensitive information in mail responses, and disable the open relay functionality.
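On the defender's side, the three commands listed above leave a recognisable trace in the mail server's records: one client issuing VRFY/EXPN repeatedly, or trying many RCPT TO addresses of which most are rejected. The following is an added example written for this section in Python; it is not code from the book. The records it parses use a simplified constructed format ("timestamp client command argument reply-code", one per line) rather than the log format of any real MTA, and the IP addresses come from the documentation ranges.

```python
from collections import defaultdict

# Constructed sample records (not real server output). Format per line:
# "<timestamp> <client-ip> <command> <argument> <reply-code>"
SAMPLE_LOG = """\
2020-10-07T10:03:16 203.0.113.7 VRFY root 252
2020-10-07T10:03:16 203.0.113.7 VRFY admin 550
2020-10-07T10:03:17 203.0.113.7 VRFY postmaster 252
2020-10-07T10:03:17 203.0.113.7 EXPN staff 550
2020-10-07T10:03:18 203.0.113.7 VRFY backup 550
2020-10-07T10:03:18 203.0.113.7 VRFY test 550
2020-10-07T10:03:19 198.51.100.23 MAIL alice@example.net 250
2020-10-07T10:03:19 198.51.100.23 RCPT bob@example.org 250
2020-10-07T10:03:20 192.0.2.40 MAIL noreply@example.com 250
2020-10-07T10:03:20 192.0.2.40 RCPT aaron@example.org 550
2020-10-07T10:03:20 192.0.2.40 RCPT abigail@example.org 550
2020-10-07T10:03:21 192.0.2.40 RCPT adam@example.org 550
2020-10-07T10:03:21 192.0.2.40 RCPT alan@example.org 250
2020-10-07T10:03:21 192.0.2.40 RCPT albert@example.org 550
"""

# The two commands whose only purpose is to ask "does this user exist?".
PROBE_COMMANDS = {"VRFY", "EXPN"}


def parse_records(log_text):
    """Turn the constructed log text into (ts, client, command, argument, code) tuples."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of crashing on them
        ts, client, command, argument, code = parts
        records.append((ts, client, command.upper(), argument, int(code)))
    return records


def find_enumeration(log_text, probe_threshold=3, rcpt_min=4, unknown_ratio=0.5):
    """Return {client_ip: reason} for clients whose traffic looks like user enumeration.

    Two patterns from the text are covered:
      * repeated VRFY/EXPN probes (probe_threshold or more from one client);
      * RCPT TO used as a probe: at least rcpt_min recipients tried, with a 5xx
        rejection rate of unknown_ratio or higher.
    """
    probes = defaultdict(int)
    rcpt_total = defaultdict(int)
    rcpt_rejected = defaultdict(int)
    for _ts, client, command, _arg, code in parse_records(log_text):
        if command in PROBE_COMMANDS:
            probes[client] += 1
        elif command == "RCPT":
            rcpt_total[client] += 1
            if 500 <= code < 600:
                rcpt_rejected[client] += 1

    flagged = {}
    for client, n in probes.items():
        if n >= probe_threshold:
            flagged[client] = f"{n} VRFY/EXPN probes"
    for client, total in rcpt_total.items():
        rejected = rcpt_rejected[client]
        if total >= rcpt_min and rejected / total >= unknown_ratio:
            flagged[client] = f"{rejected} of {total} RCPT TO rejected"
    return flagged


if __name__ == "__main__":
    for client, reason in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {reason}")
```

On the constructed sample, 203.0.113.7 is flagged for six VRFY/EXPN probes and 192.0.2.40 for four rejected recipients out of five, while the ordinary sender 198.51.100.23 is not. The thresholds are starting points to tune against real traffic. Detection complements, rather than replaces, the prevention tips above: disabling VRFY and EXPN on the server (Postfix, for instance, has the `disable_vrfy_command` setting) removes the first pattern entirely, and the RCPT TO pattern is best handled by rate-limiting recipient rejections per client.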

DNS Enumeration
1. What is DNS? The Domain Name System (DNS) is a decentralised naming system for services, computers and other devices connected to a network. It maintains a database of hostnames and their IP addresses and also stores information about websites.
2. DNS enumeration: DNS enumeration is done by attackers pretending to be a client and then requesting a zone transfer. In response to this request, the DNS server reveals sensitive domain records to the attacker.
3. DNS enumeration tools: For DNS enumeration, nslookup, DNSDumpster and DNSRecon are the tools used by attackers.
4. DNS prevention tips: To prevent DNS enumeration, make sure DNS zone transfers do not contain HINFO data, and try to trim the zone files. Also make sure you configure your DNS servers not to send zone transfers to unauthenticated users.
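The two prevention tips in item 4 (restrict who may request zone transfers; keep HINFO out of zone data) can be checked mechanically before a server goes live. The following is an added example written for this section in Python; it is not code from the book. It assumes a BIND-style named.conf with `allow-transfer` statements and a standard zone-file layout; both the configuration fragment and the zone file are constructed for illustration, with addresses from the documentation ranges.

```python
import re

# Constructed BIND-style configuration fragment (not a real server's file).
# Zone 1 restricts transfers to one secondary (good); zone 2 allows anyone (weak);
# zone 3 has no allow-transfer at all and inherits the server default, which on
# older BIND releases permitted transfers to any host.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { 192.0.2.53; };
};
zone "internal.example" {
    type master;
    file "internal.example.zone";
    allow-transfer { any; };
};
zone "lab.example" {
    type master;
    file "lab.example.zone";
};
"""

# Constructed zone file containing an HINFO record, the record type the text
# says should not appear in transferred zone data.
SAMPLE_ZONE = """\
$ORIGIN lab.example.
@          IN SOA   ns1.lab.example. hostmaster.lab.example. ( 2020100701 3600 900 604800 300 )
@          IN NS    ns1.lab.example.
ns1        IN A     192.0.2.10
fileserver IN A     192.0.2.20
fileserver IN HINFO "Intel" "Windows Server"
"""

# A block ends at a "};" that starts a line; inline "{ ...; };" lists do not match.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def audit_zone_transfers(named_conf):
    """Return {zone_name: finding} for zones whose transfer policy is weak.

    Weak means: no allow-transfer statement at zone or options level, or an ACL
    containing 'any'. 'none' or an explicit address list passes.
    """
    options = OPTIONS_RE.search(named_conf)
    global_policy = TRANSFER_RE.search(options.group(1)) if options else None

    findings = {}
    for name, body in ZONE_RE.findall(named_conf):
        policy = TRANSFER_RE.search(body) or global_policy
        if policy is None:
            findings[name] = "no allow-transfer statement; relies on the server default"
            continue
        acl = {tok.strip() for tok in policy.group(1).split(";") if tok.strip()}
        if "any" in acl:
            findings[name] = "allow-transfer { any; } lets any host copy the zone"
    return findings


def hinfo_records(zone_text):
    """Return the owner names of HINFO records in a zone file.

    The record type is looked for in columns 2-4 so that lines with or without
    an explicit TTL are both handled.
    """
    owners = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and any(f.upper() == "HINFO" for f in fields[1:4]):
            owners.append(fields[0])
    return owners


if __name__ == "__main__":
    for zone, problem in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {problem}")
    print("HINFO owners:", hinfo_records(SAMPLE_ZONE))
```

Run against the constructed input, the audit flags internal.example and lab.example but not example.org, and reports fileserver as the owner of an HINFO record. Whatever the server software, the hardened state is the same as item 4 describes: transfers allowed only to the listed secondaries (or to none), and no host-description records in the zone.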

Windows Enumeration
Windows OS can be enumerated easily through the use of different tools. Some such tools are listed in Table 3.3.

Table 3.3  Windows Enumeration Tools

S.No.  Name of the Tool  Description
1.     PsExec            One can run processes on a remote system.
2.     PsFile            Gives information about the files opened on a remote system.
3.     PsKill            Processes running on a remote device can be killed using this tool.
4.     PsInfo            Gives information about physical memory, kernel build, installation date, processor type and number, etc.
5.     PsList            Gives information about processes, CPU, memory and thread statistics.
6.     PsLoggedOn        Lists local as well as remote logged-on users.
7.     PsLogList         Displays event logs.

Windows prevention tips: You cannot prevent this completely, but you can minimise the attack by taking precautions. Remove unnecessary and unused services, and use a firewall to restrict access to certain sites and applications.

UNIX or Linux Enumeration
Linux or UNIX OS can be enumerated easily using some tools or utilities. Some of them are given in Table 3.4.


Table 3.4  UNIX or Linux Enumeration Tools

S.No.  Name of the Tool  Description
1.     finger            Can get information about users on a remote machine.
2.     rpcinfo           Displays information about remote procedure calls.
3.     rpcclient         Lists usernames using Linux.
4.     showmount         Gives information about shared directories.

Linux prevention tips: To minimise the impact of this attack, remove unused and unnecessary devices and restrict access by configuring iptables.

POINTS TO REMEMBER
1. Enumeration is the process of extracting information from a system.
2. It is used by attackers for research before conducting attacks.
3. Information such as hostnames, usernames, group names, machine names, network shares and connections, IP and routing tables, etc. is acquired by the attacker by performing enumeration.
4. NetBIOS, SNMP, LDAP, NTP, SMTP, DNS, Windows and Linux or UNIX enumeration are the different types of enumeration.
5. It can be prevented by securing the network using a firewall, by removing unused and unwanted devices and by restricting access.

3.8 Attacks on Wireless Networks

3.8.1 Wireless Network Attacks and Their Types
What Are Wireless Network Attacks?
In simple terms, wireless network attacks are attacks carried out on wireless networks such as Wi-Fi. Every network system is vulnerable and has some loopholes. These vulnerabilities and loopholes are used by attackers to conduct attacks in order to get information. Information is shared through the network, and hence it is very important to take preventive measures to avoid these kinds of attacks. It is important to understand the different types of attacks on wireless networks so that you can identify an attack if it occurs on your network.
Wireless local area networks (WLANs) are local area networks (LANs) networked wirelessly using radio frequency waves, so the air interface becomes the medium of the network. A WLAN can run on three different physical media: two based on spread spectrum and one on diffused infrared. Most businesses and industries depend on WLANs, so it is important to keep their data safe and secure. If an attack occurs on the network, this data can be leaked, and enemies or unauthorised users can misuse, modify or delete it. So, the security of this confidential data is extremely important.


Figure 3.18  Different wireless network attacks: rogue access point, jamming/interference, evil twin, packet sniffing, WEP attacks, WPS attacks, man-in-the-middle attack, session hijacking, war driving, bluejacking, bluesnarfing, initialization vector.

Some of the common wireless network attacks (Fig. 3.18) are listed in the following:
1. Rogue access point: This is an access point added to the network without the knowledge of the owner/administrator, so they are totally unaware of it. It can create a serious threat, especially if someone else knows about it: it creates a backdoor for that person, through which they can manage the network completely. This raises lots of security concerns.
   One can very easily add a wireless access point to this kind of network. Especially if there are no network access control protocols, it becomes very easy to add additional access points and workstations without anyone's knowledge.
   This can be prevented by occasionally checking the network's access points and having network access control protocols on the network. It can also be prevented by checking and monitoring the whole network with the help of the network monitoring tools or applications that are available online.
   802.1X network access control can also be used on the network. This authenticates devices on both wireless and wired networks. It will not prevent people from plugging in an access point, but it will always require the access point to authenticate using the methods set by the administrator or owner.
2. Jamming/Interference: Interference occurs when two signals or waves come together; they disturb each other and form a resultant wave. Wireless interference is a technique used to disrupt or jam a network. This interference can be created with a Bluetooth headset, a microwave oven or a cordless phone. Because of it, transmitting and receiving wireless signals becomes difficult.
   This interference causes service degradation, which ensures that nodes in the network cannot get complete access to a particular service. Jamming can also be combined with an evil twin.


   Use of a spectrum analyser helps in narrowing down what is causing the jamming in the system. Using a spectrum analyser is difficult and hence requires some training. Some software can also be used to examine the traffic in the network. Here, the primary goal should be combating the interference.
   Boosting the power of the existing access points can help in this case, as this will overpower the interference caused by the other device. If the interference is created using a narrow band of frequencies or some particular frequency, then changing the frequencies used in the network will help. One can also find the location the signal is coming from and shut the device down or remove it from the system, in order to allow network traffic to flow normally.
3. Evil twin: When an attacker wants to create a rogue access point to gain access to the network or to the information that passes through it, the evil twin attack comes into the picture. Here, the attacker first purchases a wireless access point, connects it to the network and configures it to look exactly like an existing network access point. This can easily be done on open access points that have no password associated with them. Once this is done, the attacker can plug the access point into the network to overpower the other existing access points and become the primary access point. Now the attacker has a stronger network signal than the other access points, so people on the network will choose it. Because of this, the attacker can now see all the data transmitted in and out of the network.
   Encrypting data is one technique that can prevent the evil twin attack. Because of the encryption, even though the attacker captures the data, he/she will not be able to read or understand it.
4. Packet sniffing: Amongst the many challenges in wireless networking, packet sniffing is a very big one. As we know, data is sent in the form of packets across the network. Packet sniffing refers to capturing, or sniffing, these packets from the network. Capturing these packets enables the attacker to see the information in them, as most of the information we send is without encryption. This makes it very easy for the attacker to see everything going on in the network.
   Packet sniffing can only be done successfully if the network card is silent, i.e. if the network is busy, the network card is not sending information to the sender. In this case, it is important to send encrypted information across the network. WPA, WPA2 or other encryption techniques can be used to prevent the disclosure of the actual information. It becomes difficult for the attacker to decrypt the information if proper encryption techniques are used.
5. WEP attacks: These occur due to weaknesses in the WEP encryption method and systems. This is a very common issue in wireless networks, because an access point may still allow the use of WEP as the method of encryption, and WEP is a very poor method for encrypting data. Legacy wireless access points encrypted with WEP should not be trusted, because they are more vulnerable to this kind of attack.
6. WPS attacks: These attacks occur when WPS protocols are not implemented or are poorly implemented. This attack can be very dangerous, especially when the attacker uses WPS password guessing tools to launch an attack on the network. With this kind of tool, the attacker can retrieve the network password, which can then be used to gain access to the data and information on the network. This flaw in wireless networking can be avoided by implementing strong WPS protocols, as this will prevent the attacker from retrieving
7. Man-in-the-middle attacks (MITM): These attacks compromise the integrity of messages on the network. In this attack, the attacker becomes the middle man between the user and the authentic access point. Here, the attacker appears as a user to the access point and as an access point to the user. This way,


attacker can see the information passed through the network and he/she can read or modify this information. Masquerading and spoofing is used as a technique to fool both access point and users. In this attack, attacker can also insert malware through the packets, traffic in the network can be dropped to stop the communication in the network. 8. Session hijacking: As the name suggests, in session hijacking, attacker hijacks the session, that is, attacker takes the control of the whole session. This attack similar to MITM attack as here also victim is indirectly attacked. Here, the victim will see that session is no longer in operation, even though it is in operation. This enables attacker to take complete control of the session. This is the position where attacker can exploit data or gain information or use this session for his/her bad purpose. This attack happens in real time and it affects integrity. 9. War driving: This attack is used by attackers to find access points wherever they can be. That means, attacker tries to gather information of all access points and where they are located. This is done using Wi-Fi connection and other GPS technologies. They can gather this information very quickly by taking drive around. Attacker can also use special software to look at all the other access points near one access point. With this information, attacker can gain access to wireless signal much easily or use some unused or open access points. 10. Bluejacking: Bluejacking refers to Bluetooth jacking. In this attack, attacker can send unsolicited messages to other devices via Bluetooth. This is similar to hacking. Bluejacking is limited to distance of ten metres due the range of Bluetooth device. In this attack, users in the range of attacker might end up seeing pop-up messages or attacker can send files to other devices. 
Since our mobile phones contain Bluetooth now a days, for ease in sending files between two devices, it has become much easier to conduct this kind of attack. Blue jacking can be carried out using specific software. 11. Bluesnarfing: It refers to Bluetooth snarfing. This attack is totally different from blue jacking. In this attack, attacker steals the information from the Bluetooth enabled device. This is done using the vulnerability. Bluetooth enabled device when connected to Bluetooth network is vulnerable, and this vulnerability is used by attacker to get information such as contacts, images, etc. This attack exposes the vulnerability and weakness of Bluetooth devices and network. This creates serious security threat. 12. Initialization vector (IV) attack: This IV attack is serious security issue to wireless network. In this attack, wireless packet having encrypted initialization vector is modified during transmission. This enables attacker to get information of plain text and generate another encryption key. This key is then used to decrypt other packets in the network using same initialization vector. Using this kind of decryption key, attacker can create decryption table. This decryption table can then be used for decrypting every packet transmitted through the network.
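The keystream reuse described in item 12 (and the reason the WEP access points of item 5 cannot be trusted), as an added example that is not part of the original text: a Python model of WEP-style RC4 encryption in which the access point reuses an IV. The 40-bit key, the IV and the two frame payloads are constructed sample values; their first eight bytes are the LLC/SNAP header that begins almost every data frame carrying IP, which is what makes WEP plaintext predictable. The CRC-32 integrity check that WEP appends to each frame is omitted.

```python
"""WEP IV-reuse (keystream reuse) demonstration.

Added example, not from the textbook. WEP encrypts each packet with
RC4(IV || shared key) and sends the 24-bit IV in the clear. Two packets
sent under the same IV therefore share a keystream: the plaintext of one,
XORed with its ciphertext, yields the keystream, which decrypts the other
and is stored in a decryption table keyed by IV. Key, IV and payloads are
constructed sample values; WEP's CRC-32 integrity check is omitted.
"""
from __future__ import annotations


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV followed by plaintext XOR RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple[bytes, bytes]:
    """Attacker side: given a captured frame whose plaintext is known (or
    predictable), return (iv, keystream). No knowledge of the key is needed."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known_plaintext)


def decrypt_with_table(frame: bytes, table: dict[bytes, bytes]) -> bytes | None:
    """Decrypt a frame using the keystream learned earlier for its IV, if any."""
    iv, body = frame[:3], frame[3:]
    keystream = table.get(iv)
    return None if keystream is None else xor(body, keystream)


# Constructed sample: LLC/SNAP header (IP) that begins almost every WEP data
# frame, which is what makes the first plaintext bytes predictable.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def demo() -> dict[str, object]:
    key = bytes.fromhex("0badc0ffee")                        # 40-bit WEP key (sample)
    iv = bytes.fromhex("3b1f07")                             # IV the AP reuses (sample)
    pkt_a = LLC_SNAP_IP + b"GET /index.html HTTP/1.1\r\n"   # attacker knows this one
    pkt_b = LLC_SNAP_IP + b"password=letmein\r\n"            # attacker wants this one
    frame_a = wep_encrypt(key, iv, pkt_a)
    frame_b = wep_encrypt(key, iv, pkt_b)

    # Step 1: known plaintext for frame A gives the keystream for IV 3b1f07.
    table: dict[bytes, bytes] = {}
    seen_iv, keystream = recover_keystream(frame_a, pkt_a)
    table[seen_iv] = keystream
    # Step 2: the same IV on frame B means the same keystream decrypts it.
    recovered_b = decrypt_with_table(frame_b, table)
    # Even with no plaintext at all, XOR of the two ciphertexts equals XOR of
    # the two plaintexts, which is how the attack starts when nothing is known.
    xor_leak = xor(frame_a[3:], frame_b[3:]) == xor(pkt_a, pkt_b)
    # A frame under an IV not yet in the table stays opaque until its keystream is learned.
    other = decrypt_with_table(wep_encrypt(key, b"\x00\x00\x01", pkt_b), table)
    return {"iv": seen_iv.hex(), "recovered_b": recovered_b,
            "xor_leak": xor_leak, "unknown_iv": other}


if __name__ == "__main__":
    print(demo())
```

With only 2^24 possible IVs and thousands of frames per second on a busy network, repeats are inevitable within hours; the table grows with every repeat until every packet can be read, which is exactly the weakness the text describes.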

3.8.2 General Techniques for Securing Wireless Network

To avoid such attacks on wireless networks, we can take preventive measures. Some of them are listed in the following:

1. Use WPA2 security and turn off WPS. This makes the network much more difficult for an attacker to break into.
2. Place the router centrally. This not only distributes the signal evenly but also ensures that it degrades before it reaches far beyond the walls. If central placement is not possible, use directional antennae.


3. Tools are available for adjusting the signal level of your network, so you can set it such that it is minimal beyond the walls. Such tools also let you measure how far your network reaches.
4. A firewall is important for the security of a wireless network. The standard router firewall and the operating system firewalls are enough for a household network, but an organisation, institution or workplace needs a properly configured firewall; hardware firewalls can be added for extra security. Make sure a firewall covers all your access points.
5. Do not use open networks. If you really must use public Wi-Fi or an open network, use a VPN; setting up a VPN on your devices adds a layer of encryption that the open network does not provide.
6. Use strong passwords. Long passwords mixing upper- and lowercase letters, numbers and symbols are stronger. Do not use dictionary words, birthdates, names or keyboard patterns, as such passwords are very easy to crack. Make the password at least 8 characters long, and do not reuse it anywhere else.
7. Change the administrator login credentials of the access point. Do not keep the default password or use combinations such as admin/admin, admin/password or admin/admin123; leaving defaults in place is one of the most common mistakes people make.
8. Keep your systems up to date. Check for access point firmware updates, as they may contain patches for security flaws. Schedule updates so that they do not disturb working hours, and if they must, inform everyone beforehand.
9. Back up your data regularly. If there is an attack on your network and data is modified or deleted, or there is a virus infection, your backup saves your work.
10. Use security applications such as anti-virus and anti-malware to keep your systems safe, and use only legitimate, licensed security applications.
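An added example, not from the textbook, that turns points 1, 6 and 7 of this checklist into a check a practitioner can run: a Python audit of a hostapd-style access-point configuration. The radio options (wpa, wpa_pairwise, rsn_pairwise, wps_state, wep_default_key, wep_key0, ieee80211w) are real hostapd option names; admin_user and admin_password are hypothetical keys standing in for the router's management login, which hostapd itself does not manage. Both configurations are constructed samples, the first a typical out-of-the-box setup and the second the same network after following the advice above. The check for management-frame protection (ieee80211w=2) goes beyond what the text lists.

```python
"""Audit of an access-point configuration against the checklist in 3.8.2.

Added example, not from the textbook. Parses a hostapd-style key=value
configuration and reports the weaknesses the section warns about: WEP in
use, WPS left on, WPA2 not enforced, TKIP instead of CCMP, weak or common
passphrases and default admin credentials. admin_user/admin_password are
hypothetical keys (hostapd has no management login); the configs are
constructed samples.
"""
from __future__ import annotations

import re

# Constructed sample: a typical out-of-the-box setup.
WEAK_CONFIG = """
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=0123456789
wpa=1
wpa_passphrase=password1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wps_state=2
admin_user=admin
admin_password=admin
"""

# Constructed sample: the same network after applying the section's advice.
HARDENED_CONFIG = """
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_passphrase=Tr0ub4dor-Meadow&Lantern-91
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
admin_user=netops
admin_password=4jQ!v9#zLm2pWq8rTx
"""

DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("admin", "admin123"), ("admin", "1234"), ("root", "root")}
COMMON_PASSPHRASES = {"password", "password1", "12345678", "qwerty123", "letmein"}


def parse_config(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def passphrase_problems(pw: str) -> list[str]:
    """Apply point 6 of the checklist to a passphrase."""
    problems = []
    if len(pw) < 8:
        problems.append("passphrase shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("passphrase does not mix upper/lower case, digits and symbols")
    if pw.lower() in COMMON_PASSPHRASES:
        problems.append("passphrase is a common/default value")
    return problems


def audit_wireless_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_config(text)
    findings = []
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys configured: WEP is broken, remove wep_* and use WPA2")
    if conf.get("wpa") != "2":
        findings.append("wpa=%s: only WPA2 (wpa=2) should be enabled" % conf.get("wpa", "<unset>"))
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers or not ciphers:
        findings.append("pairwise cipher must be CCMP only (TKIP is deprecated)")
    if conf.get("wps_state", "0") != "0":
        findings.append("wps_state=%s: turn WPS off (wps_state=0)" % conf["wps_state"])
    if conf.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: management frame protection not required")
    for p in passphrase_problems(conf.get("wpa_passphrase", "")):
        findings.append("wpa_passphrase: " + p)
    creds = (conf.get("admin_user", ""), conf.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append("admin login %s/%s is a well-known default" % creds)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wireless_config(cfg) or ["no findings"])
```

Run against the weak sample the audit reports eight findings, one for each point the checklist makes; against the hardened sample it reports none. The same parser can be pointed at a real hostapd.conf, but the admin_* checks only apply if the management login is exported into the same file.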

3.8.3 Tools Used for Wireless Network Attacks

1. Aircrack: Aircrack (now maintained as Aircrack-ng) is used widely around the globe and is a very powerful tool for cracking wireless keys. It analyses packets captured from the network to recover the key, and is mainly used for cracking 802.11 WEP and WPA-PSK keys. It is fast and efficient but takes some effort to learn.
2. AirSnort: AirSnort is a free and popular WEP-cracking tool for Linux and Windows. It recovers WEP keys of 802.11b networks by passively monitoring transmissions and capturing packets, computing the key once enough packets have been gathered. It is mainly used for wireless LAN key cracking, and its simplicity made it widely used.
3. Kismet: Kismet is a free 802.11 a/b/g/n layer 2 wireless network sniffer that also functions as a wireless intrusion detection system. It captures packets continuously to detect both advertised and hidden networks. It is mainly used for Wi-Fi troubleshooting and is available for Linux, OS X, BSD platforms and Windows. It supports recent wireless standards, is built on a client-server architecture and is comparatively fast at sniffing.
4. Cain and Abel: This Windows tool intercepts network traffic and then cracks the passwords it finds using dictionary, brute-force and cryptanalysis attacks; it can also analyse routing protocols. It is used for WEP cracking as well as for cracking Windows passwords and many other kinds of passwords. Because of all these features it is popular around the world.


5. Wireshark: Wireshark is a network protocol analyser and a very effective networking tool. It captures live packets from the network and decodes them according to the protocols they carry. To use it well one must understand the networks and protocols involved in wireless networking. It is available for OS X, Linux, Solaris, Windows, FreeBSD and other operating systems. It is a highly effective and popular tool, but mostly used by those with proper knowledge of protocols.
6. Fern Wi-Fi Wireless Cracker: Fern examines a network to see real-time traffic and identify hosts. It was developed to help understand and fix security issues in the network. It is primarily a Linux tool. It can crack WEP/WPA/WPS keys and perform network-based and ethernet-based attacks, and uses dictionary attacks for WPA/WPA2 passphrase cracking. It is regularly updated by its developers and is very popular.
7. Airjack: Airjack is an 802.11 packet injection and wireless cracking tool. It can be used for DoS and MITM attacks: it sends forged packets into the network to flood it, bringing the network down, and it is also used to stage MITM attacks, which makes it both powerful and popular among attackers.
8. NetStumbler: NetStumbler is a freely available Windows tool for detecting wireless networks; it does not crack passwords. It verifies network configurations, finds open access points, finds unauthorised access points, is used for war driving, finds areas of poor coverage and more. Because of these features it is very useful for learning purposes.

POINTS TO REMEMBER
1. Wireless network attacks are attacks that exploit vulnerabilities of wireless networks.
2. Jamming/interference, packet sniffing, man-in-the-middle, evil twin and session hijacking are some of the most common wireless network attacks.
3. Securing a wireless network is essential and is done by using firewalls, using a VPN, avoiding open networks and taking the other precautions listed in Section 3.8.2.



Summary

Cyberattacks are rampant in the world of Internet security. Every day the situation gets worse as new types of malware and new techniques and tools emerge to attack networks. It is important to understand those attacks both before and after they happen in order to secure our systems better. Understanding attack models and types gives more insight into network vulnerability. Cybercriminals have in-depth knowledge of technology and use either traditional or sophisticated methods to break into systems; the attackers range from teenagers (script kiddies) to organised crime operators. In this chapter we have summarised various types of cyberattack, some of the tools and modus operandi used, and ways to counter those attacks. The number of unique cyber incidents in the second quarter of 2018, as counted by Positive Technologies, was 47% higher than a year earlier. New methods keep proliferating, so one must keep abreast of the latest technology and look for ways to avoid falling prey to cyberattacks such as DoS, DDoS, phishing, identity theft, SQL injection, malware, worms, viruses, Trojans and the like.


Review Questions

1. What are the different ways of password cracking? Refer to Subsection 3.1.2.
2. Differentiate between the two given in the following list:
(a) Trojan horses and backdoors. Refer to Subsection 3.3.6.
(b) Virus and worm. Refer to Subsection 3.3.5.
(c) Steganography and cryptography. Refer to Subsection 3.3.7.
(d) DoS and DDoS. Refer to Subsection 3.4.4.
(e) TCP SYN flood attack and UDP flood attack. Refer to Subsection 3.4.6.
3. Explain various keyloggers in detail. Refer to Subsection 3.3.1.
4. Explain in detail how keyloggers can be used to commit a cybercrime. Refer to Subsection 3.3.1.
5. Explain SQL injection attack. State different countermeasures to prevent the attack. Refer to Subsection 3.5.5.
6. What is blind SQL injection attack? Can it be prevented? Refer to Subsection 3.5.3.
7. What are the various types of DoS attack? Refer to Subsection 3.4.1.
8. What are some countermeasures to DoS and DDoS attacks? Refer to Subsection 3.4.6.
9. Explain different buffer overflow attacks. Refer to Subsection 3.5.7.
10. Explain various attacks on the wireless network. Refer to Subsection 3.8.1.
11. How to secure a wireless network? Refer to Subsection 3.8.2.
12. What is phishing? Explain with example. Refer to Subsection 3.6.1.
13. What are the different methods of phishing attack? Refer to Subsection 3.6.2.
14. What is spear phishing? Explain with an example. Refer to Subsection 3.6.2.
15. What is identity theft? Explain in detail with an example. Refer to Subsection 3.6.5.
16. Explain various types of identity theft. Refer to Subsection 3.6.6.
17. What are the different techniques of ID theft? Refer to Subsection 3.6.7.
18. State and explain various ID theft countermeasures. Refer to Subsection 3.6.8.
19. What is buffer overflow? How does one mitigate buffer overflow attacks? Refer to Subsections 3.5.6 and 3.5.8.


Chapter 4 Concept of Cyberspace and Cyber Law

Learning Objectives
After reading this chapter, the reader will be able to
• Understand the concept of cyberspace.
• Explain e-commerce and its types.
• Discuss electronic contracts and the related laws in India.
• Discuss digital signatures and their validity in India.
• Discuss types of intellectual property and laws in India to protect them.
• Discuss digital evidence and its admissibility in India.
• Discuss various global initiatives for the development of cyber laws.
• Explain electronic data interchange and its process.
• Discuss electronic banking in India.
• Discuss the need for an Indian cyber law.

Everybody should want to make sure that we have the cyber tools necessary to investigate cybercrimes, and to be prepared to defend against them and to bring people to justice who commit it. —Janet Reno

4.1 Introduction to e-Commerce

4.1.1 Concept of Cyberspace

Cyberspace is a technical term for the use of computers and electronic media of communication over computer networks. The term 'cyberspace' was coined by William Gibson in his 1984 science fiction novel Neuromancer. Gibson described cyberspace as a consensual hallucination, a graphic representation of data abstracted from the banks of every computer in the human system. His conception of cyberspace was of a virtual world that allows layers of experience to be created on top of what is ultimately a non-existent space.

"Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts ... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the non-space of the mind, clusters and constellations of data. Like city lights, receding …"  —William Gibson, Neuromancer


Over the years, the Internet has become such a virtual space, in which we have built mechanisms to overcome the constraints of the real world. Examples of what we can do in cyberspace include online business, shopping, e-mail, education, social networking, games, virtual reality and much more. Cyberspace refers to the virtual computer world and, more specifically, to the electronic medium that forms a global computer network to facilitate online communication. With the advent of the Internet, cyberspace extends to the worldwide network of computers.

4.1.2 The e-Commerce

E-commerce, or electronic commerce, is defined as the buying and selling of goods, products or services over the Internet. Online transfer of money, funds and data is also included in the process of e-commerce. E-commerce has many advantages and has made a difference to society (Fig. 4.1).

Figure 4.1  Advantages of e-commerce (the figure shows the stages of an online transaction: e-mail, purchase, payment, packaging, sale and delivery).

1. Sellers are able to expand their markets to larger areas, nationally or internationally, and even to remote areas.
2. It promotes quicker transactions between businesses.
3. Buying or selling of products or services is possible 24/7.
4. It gives customers more choice and more information about products and services.
5. It reduces the use of paper.
6. Customers can easily choose items from various suppliers without physically moving around.

There are many disadvantages of e-commerce too, which are listed as follows:
1. Late delivery.
2. Security issues.
3. No possibility of trying or testing products before purchase.
4. Some products are difficult to buy online.
5. Lack of privacy.
6. Tax issues.


7. Legal issues. 8. Lack of personal touch.

4.1.3 Types of e-Commerce

E-commerce applications are grouped according to the relationship between the participating entities and the type of transaction. Businesses, consumers and the government are the most frequent types of entity taking part in an e-commerce transaction, and on this basis e-commerce applications are classified into the categories shown in Fig. 4.2.

Figure 4.2  Types of e-commerce: B2C, B2B, C2C, C2B and G2C.

1. Business-to-consumer (B2C): Transactions between a business and the end consumer or customer. This type is also called 'electronic retailing', as it mirrors traditional physical retailing. Example: a consumer buying from an online store such as Amazon.com or Flipkart.com.
2. Business-to-business (B2B): Transactions between two businesses. These transactions are large in terms of the volume and value of goods and services. Example: a manufacturer obtaining raw material from a supplier online.
3. Consumer-to-consumer (C2C): Transactions between two end consumers, provided through third-party platforms or conducted through social media. Example: online payment platforms such as PayPal, or Facebook Marketplace.
4. Consumer-to-business (C2B): Transactions in which an individual consumer provides a service or a good to a business and is paid for it. Example: a consumer taking online surveys on websites such as SurveyMonkey.com, or freelance jobs on websites such as Freelancer.com.
5. Government-to-citizen (G2C): Transactions between government organisations and citizens. E-governance is implemented through this model: citizens interact with government bodies through the electronic medium and avail of services directly through government websites. It saves time and makes better use of the resources of both government and citizens, and achieves better transparency in government processes. Examples: paying taxes online; registering birth, marriage or death certificates; and more.


4.1.4 Types of e-Commerce Transactions

1. Information access: Provides the customer with search and retrieval facilities.
2. Interpersonal communication: Provides the means to exchange information, discuss ideas and improve cooperation.
3. Shopping services: Allows the customer to find and buy goods on the Internet, or to avail of services through the Internet.
4. Virtual enterprises: Business arrangements in which trading partners separated by geography and expertise can take part in joint business activities.

Every e-commerce transaction, like any other transaction, involves a legally binding relationship between the transacting parties. The Indian Contract Act, 1872 lays down the law of contracts and the Sale of Goods Act, 1930 the law relating to the sale of goods. A few provisions dealing with the distance nature of e-commerce transactions have been incorporated in the Information Technology Act, 2000. These have significant implications for the contract, so each contract must be tailored to the needs of the transaction. In India, many people pay little attention to drafting contracts and simply copy others' contracts, which is harmful when a dispute arises. Care must therefore be taken in drafting the agreement: the lawyer responsible for drafting it should properly understand the brief on the requirements of the transaction and assess the possible areas of dispute so that these are fully covered in the agreement. Industries that use information technology (IT) in their arrangements should know the various legal aspects of e-contracts, in the same way that every consumer must understand the provisions of an agreement before entering into a transaction.

In e-commerce, e-contracts are used. An e-contract is any kind of contract formed in the course of e-commerce by the interaction of two or more persons using electronic means, such as e-mail; by the interaction of a person with an electronic agent, such as a computer program; or by the interaction of at least two electronic agents that are programmed to recognise the existence of a contract. An e-contract is a contract modelled, specified, executed and deployed by a software system.

POINTS TO REMEMBER 1. Cyberspace is a technical term for the use of computers and electronic medium of communication using computer networks. 2. The e-commerce or the electronic commerce is defined as buying and selling of goods, products or services over the Internet. 3. The different types of e-commerce are listed as follows: (a) Business-to-consumer (B2C): This category is related to transactions between a business and the end consumer or end customer. (b) Business-to-business (B2B): Transactions between two businesses. (c) Consumer-to-consumer (C2C): Transactions between two end consumers. (d) Consumer-to-business (C2B): This category is related to transactions when an individual consumer provides a service or a good to business and get paid for it. (e) Government-to-citizen (G2C): This category is related to transactions between the government organizations and the citizens.


4.2 Contract Aspects in Cyber Law

A contract is a legally binding agreement between two or more parties that creates a legal obligation on each party to perform the specific duties promised. Once the obligations under the agreement have been performed, the contract is said to be discharged. A breach of contract occurs if any of the parties to the contract breaks the agreement. An electronic contract involves two parties: (1) an originator and (2) an addressee. The IT Act defines them as follows:

1. Originator: A person who sends, generates, stores or transmits any electronic message, or causes any electronic message to be sent, generated, stored or transmitted to any other person, but does not include an intermediary.
2. Addressee: A person who is intended by the originator to receive the electronic record, but does not include any intermediary.

The important points about an e-contract are as follows:
1. The parties do not meet physically in the majority of cases.
2. There are no physical boundaries and no handwritten signature; in many cases, no handwriting at all is needed.
3. Jurisdictional issues are a significant difficulty in the event of breach.
4. There is no one to monitor the process for breaches.
5. Digital signatures are used.
6. Electronic documents are used as evidence in court.
7. The three main methods of contracting electronically are e-mail, the World Wide Web and cyber contracts.

Contracts play a very important role in the world economy. Almost all business activity, and trade between businesses, governments and individuals, depends on contracts: buying movie tickets, making a flight reservation, booking a cab, online shopping, and so on. The main elements of a contract are as follows:

1. Offer: Section 2(a) of the Indian Contract Act defines a proposal, or offer. Website advertisements are invitations to offer, not offers, unless clearly specified otherwise. When a person responds by e-mail or fills in an online form built into a web page, he or she makes an offer which can be either accepted or rejected; an invitation to offer cannot by itself create a binding contract until the resulting offer is accepted. Thus an offer carries the purpose of entering into a binding contract, and this applies equally to online contracts.
2. Acceptance: Once an offer is accepted a contract is concluded, except where the postal acceptance rule applies. The postal acceptance rule is an exception to the general rule that acceptance must be communicated to the offeror before a contract can exist: under the rule, acceptance occurs at the time the acceptance is posted. Correspondingly, for electronic records the communication of acceptance is complete as against the proposer when it is put in the course of transmission to him, and as against the acceptor when the acceptance enters the designated computer resource.
3. Lawful consideration: Lawful consideration must be present as per the Indian Contract Act. Problems may arise when the consideration is merely executory, and such rules are hard to apply when an anonymous computer is used.
4. Lawful object: The purpose of the contract must be lawful. Courts will not enforce contracts that are illegal or violate public policy; such contracts are void.


5. Competent parties: Competent parties are natural and legal persons. A computer is neither a natural nor a legal person, so the operator of the computer comes into the picture; an autonomous computer cannot itself be a contractual party.
6. Free consent: Free consent of the parties is required. It is difficult to determine in electronic contracts, because the margin used to apply the strict rule of free consent becomes narrower when consent is given through a computer.

4.2.1 Electronic Contracts (e-Contracts)

Owing to the Internet, trade has increased on a large scale between individuals, businesses and governments across geographic boundaries. With e-commerce, goods and services can be obtained and payment made in seconds, which makes the process rapid, easier and increasingly efficient. Traditional physical contracts are impractical for exchanges completed on the web: for example, if two parties are in two different geographic regions, they face delay and difficulty in signing a paper contract. An e-contract is useful in such cases, as it can be signed instantly by both parties, saving a lot of time and cost. The important points about electronic contracts are as follows:

1. The parties to the contract do not meet physically in most cases.
2. There are no physical boundaries and no handwritten signature is required.
3. No authority is present to monitor the process.
4. Digital signatures are used.
5. E-mail, the World Wide Web and cyber contracts are the three main methods of contracting electronically.

The different types of e-contract are as follows:

1. Shrink-wrap contracts: The licence agreement is packed with the product and can be read and accepted only after opening the package; for example, software dispatched on a CD-ROM together with the contract.
2. Click-wrap contracts: Also known as 'click-through' contracts, these are presented as part of the software or website, and the user is given two options: accept or decline the terms and conditions of the agreement.
3. Browse-wrap contracts: The terms and conditions are posted on a website or on the home page of a downloadable product, and the user is deemed to accept them merely by continuing to browse the website or by downloading the resource, without clicking an 'I agree' button. Because assent is only implied, browse-wrap terms are harder to enforce than click-wrap terms.

4.2.2 Indian Contract Act, 1872

The Indian Contract Act, 1872 defines the term 'contract' under Section 2(h) as 'an agreement enforceable by law'. The Act governs the way in which contracts are made and executed in India: it provides a system of rules which govern the formation and execution of the contract, while the rights and duties of the parties entering into the contract and the terms of the agreement are decided by the parties themselves. The key words and expressions used in the Indian Contract Act, 1872 in relation to a contract, and their meanings, are given in Table 4.1.


Table 4.1  Meaning of Certain Terms in Indian Contract Act, 1872

Proposal/Offer (Section 2(a)): When one person signifies to another his willingness to do or to abstain from doing anything, with a view to obtaining the assent of that other to such act or abstinence, he is said to make a proposal (offer).
Promise (Section 2(b)): When the person to whom the proposal is made signifies his assent thereto, the proposal is said to be accepted. A proposal, when accepted, becomes a promise.
Agreement (Section 2(e)): Every promise and every set of promises, forming the consideration for each other, is an agreement.
Contract (Section 2(h)): An agreement enforceable by law is a contract.
Promisor and Promisee (Section 2(c)): When a proposal is accepted, the person making the proposal is called the promisor and the person accepting the proposal is called the promisee.
Consideration (Section 2(d)): When, at the desire of the promisor, the promisee or any other person has done or abstained from doing, or does or abstains from doing, or promises to do or to abstain from doing, something, such act, abstinence or promise is called a consideration for the promise.
Void agreement (Section 2(g)): An agreement not enforceable by law is said to be void.
Voidable contract (Section 2(i)): An agreement which is enforceable by law at the option of one or more of the parties thereto, but not at the option of the other or others, is a voidable contract.
Void contract (Section 2(j)): A contract which ceases to be enforceable by law becomes void when it ceases to be enforceable.

4.2.3 Legal Prerequisites of an e-Contract

In an e-contract the offer and its acceptance are expressed in the form of electronic records, the contract is created through electronic records, and the validity and execution of the agreement rest on electronic records. For e-contracts the following provisions have been given legal recognition.

1. The concepts of originator and addressee: Section 11 of the Information Technology Act, 2000 (Attribution of electronic records) provides that an electronic record shall be attributed to the originator
· if it was sent by the originator himself;
· if it was sent by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
· if it was sent by an information system programmed by or on behalf of the originator to operate automatically.

2. Acknowledgment of receipt of the record as part of the legal process: Section 12 of the Information Technology Act, 2000 (Acknowledgment of receipt) provides as follows:
(a) Where the originator has not stipulated that the acknowledgment of receipt of the electronic record be given in a particular form or by a particular method, an acknowledgment may be given by
· any communication by the addressee, automated or otherwise; or
· any conduct of the addressee sufficient to indicate to the originator that the electronic record has been received.
(b) Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then, unless the acknowledgment has been so received, the electronic record shall be deemed never to have been sent by the originator.
(c) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed (or, if no time has been specified or agreed, within a reasonable time), the originator may give notice to the addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; if no acknowledgment is received within that time, he may, after giving notice to the addressee, treat the electronic record as though it had never been sent.

The questions that arise about an electronic message as evidence are:
· the identity of the originator;
· whether the message was received;
· whether the message as received by the addressee is identical to the message fed into the computer by the originator for transmission; and
· whether the contents of the message have been changed.
If the originator digitally signs the e-mail message, the signature establishes both the identity of the originator and the integrity of the message. A digital signature combines a hash function with encryption: the record is hashed and the hash is encrypted with the originator's private key, so any alteration to the record causes the signature to fail verification with the originator's public key. The integrity of the evidence can therefore be proved using the digital signature.

3. Time and place of dispatch and receipt: Section 13 of the Information Technology Act, 2000 (Time and place of dispatch and receipt of electronic record) provides as follows:
(a) Save as otherwise agreed between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator.
(b) Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows:

Cyber Security and Laws_Chpater 04.indd 146


· If the addressee has designated a computer resource for the purpose of receiving electronic records:
i. receipt occurs at the time when the electronic record enters the designated computer resource;
ii. if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee.
· If the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee.
(c) Save as otherwise agreed between the originator and the addressee, an electronic record is deemed to be dispatched at the place where the originator has his place of business, and is deemed to be received at the place where the addressee has his place of business.



POINTS TO REMEMBER
1. A contract is an agreement between two or more parties that brings into existence a legal obligation for both parties to perform the specific promised duties. Once the obligations of the agreement between the parties are completed, the contract is said to be discharged.
2. The elements of a contract are offer, acceptance, lawful consideration, lawful object, competent parties and free consent.
3. With the help of e-commerce, goods and services can be obtained and the payment can be made in seconds. This makes the process rapid, easier and increasingly efficient.
4. In most cases, the parties to the contract do not meet physically.
5. There are no physical boundaries and no handwritten signature is required.
6. No authority is present to monitor the process.
7. Digital signatures are used.
8. E-mail, the World Wide Web and cyber contracts are the three main methods of contracting electronically.
9. Shrink-wrap, click-wrap and browse-wrap are the types of e-contracts.
10. The Indian Contract Act, 1872 defines the term ‘contract’ under Section 2(h) as ‘an agreement enforceable by law’. It gives a system of rules and regulations which govern the formation and execution of the contract. The rights and duties of the parties entering into the contract and the terms of the agreement are decided by the parties themselves.
11. For e-contracts the following provisions have been lawfully recognized:
· The concepts of originator and addressee.
· The concept of acknowledgement of receipt of record/data information as part of the legal process.
· The concept of time and place of dispatch and receipt.

4.3 Security Aspects of Cyber Law

Information technology is currently used in our day-to-day life on a very large scale. The amount of data generated has increased exponentially with the advent of the Internet. Business deals, online


exchanges and trading of personal data are all being done electronically with the help of the Internet. Guaranteeing the safety of these transactions and data is very important, as every day we face new challenges in cybersecurity. A legal framework is necessary to protect data, information and the IT infrastructure. This legal framework consists of processes, tools, document information systems, networks, etc., and supports the functioning of the legal system for the use of the IT infrastructure and the Internet.
1. Electronic information and its transmission are vulnerable to attackers or cybercriminals. It is important to guarantee the security of the information by both lawful and technical methods.
2. The information transmitted over the network can be protected by encoding it; this procedure is known as encryption.
3. Paper records and documents are vulnerable to threats to their privacy, so a large number of clients have built up their own information security frameworks as a measure against unauthorized access. With the development of the web, financial transactions such as banking transactions are increasing. The Internet has become the default mechanism of e-commerce. Numerous organizations on the Internet, for example, corporate bodies, government, universities, banks and other establishments, are apprehensive that unauthorized individuals may enter their systems and perform frauds, manipulate records or damage the computerized information. To protect the information on the Internet, cryptography is used.
4. Cryptography is the science and art of secret writing which keeps data confidential. Cryptography shields information from unauthorized individuals. Anything which is written as a cipher is cryptography.
5. In fact, we can say that encryption is a procedure in which plain text information is changed into cipher text. The process of decoding encrypted information is called decryption.
6. Encryption is done using algorithms; the encryption algorithms are the mathematical functions which perform the encoding and decoding of the information.
7. Encryption keys are used in encryption algorithms. The encryption key is the input with which the algorithm changes the cipher text back into the plain text. There are diverse encryption systems available with various key lengths.
8. There are two sorts of encryption algorithm, as listed in the following:
(a) Private key cryptography: In private key cryptography, the same key is used to encrypt and decrypt the message. This is otherwise called symmetric key cryptography.
(b) Public key cryptography: Public key cryptography is also called asymmetric key cryptography or cipher. In this cryptosystem, two keys are used, named the public key and the private key. The public key is used to encrypt the information and the private key is used to decrypt it. The keys are composed of huge numbers and are mathematically paired, yet the two keys are not the same. The private key is kept confidential while the public key is shared with everybody. The private key is used to create the digital signature and the public key is used to verify the digital signature, as provided in the IT Act, 2000. It is important to secure the private key: store it on a floppy, a card or a pen drive. Do not store the private key on a hard disk, as that is not considered a safe practice.
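As an added example (not code from this book), the following Python script implements the hash-then-sign scheme described in point 8(b) and in the definition of a digital signature in Section 4.3.1: the message is hashed, the hash is transformed with the signer's private key, and anyone holding the public key can check the result. It uses textbook RSA with two small fixed primes so that the arithmetic is visible; the primes, the sample electronic record and the function names are constructed for illustration and are not a real key-generation procedure.

```python
"""Toy hash-and-sign digital signature (textbook RSA).

Added example, not code from the book. The key is deliberately tiny (two
small constructed primes) so the arithmetic can be followed; real systems use
2048-bit or larger keys with a padding scheme (PKCS#1 v1.5 or PSS), and a
certifying authority binds the public key to the subscriber.
"""
import hashlib
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int   # modulus, shared with everybody
    e: int   # public exponent


class PrivateKey(NamedTuple):
    n: int   # same modulus
    d: int   # private exponent, kept confidential by the subscriber


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive an RSA key pair from two primes supplied by the caller (constructed inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse: e * d == 1 (mod phi)
    return PublicKey(n, e), PrivateKey(n, d)


def digest_as_int(message: bytes, n: int) -> int:
    """SHA-256 the message and reduce it to an integer smaller than the modulus."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(message: bytes, priv: PrivateKey) -> int:
    """Hash the message, then apply the private exponent to the hash value."""
    return pow(digest_as_int(message, priv.n), priv.d, priv.n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Undo the private-key step with the public key and compare with a fresh hash."""
    recovered = pow(signature, pub.e, pub.n)
    return recovered == digest_as_int(message, pub.n)


# Constructed demo values: fixed primes and a sample electronic record
DEMO_P, DEMO_Q = 104729, 1299709
PUBLIC, PRIVATE = generate_keypair(DEMO_P, DEMO_Q)
RECORD = b"Offer: 500 units at Rs. 20 each, valid until 31 March."


def demo() -> dict:
    """Sign the record once and run the three checks a verifier cares about."""
    sig = sign(RECORD, PRIVATE)
    other_pub, _ = generate_keypair(1299721, 104723)   # a different subscriber's key pair
    return {
        "genuine": verify(RECORD, sig, PUBLIC),                          # unchanged record, right key
        "tampered": verify(RECORD.replace(b"20", b"2"), sig, PUBLIC),    # hash no longer matches
        "wrong_signer": verify(RECORD, sig, other_pub),                  # signature not from this key
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The verifier never needs the private key, which is what makes the scheme usable for authentication and non-repudiation: only the holder of d could have produced a value that the public e turns back into the hash of exactly this record. Changing even one character of the record changes the hash, so the signature fails; a signature checked against someone else's public key also fails.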


4.3.1 Digital Signature
A digital signature is a code generated using public key cryptography, also called asymmetric key cryptography. This code is attached to the electronic document and assures the receiver of the electronic document of the authenticity of the sender. An electronic signature, by contrast, can be a scanned handwritten signature placed on an electronic document, or even a mouse click. It is defined as ‘an electronic sound, symbol or process that is attached to or logically associated with a record and is executed or adopted by a person with the intent to sign the record’.

4.3.2 Legal Architecture for the Validity of Digital Signatures
A wide range of transactions over networks, particularly the Internet, need to address the problems of authentication, integrity and non-repudiation. These problems can be dealt with by the use of digital signatures. Public key infrastructure (PKI) is an approach for enabling digital signatures. It is a prescriptive method and depends heavily on a legal framework that can facilitate the use of digital signatures for electronic transactions.
1. Certifying authorities
(a) Under Section 17 of the Information Technology Act, 2000, the Controller of Certifying Authorities (CCA) has been appointed by the Central Government to license and regulate the functioning of certifying authorities (CAs). CAs issue digital signature certificates for the electronic authentication of users and promote the growth of e-commerce and e-governance through the wide use of digital signatures.
(b) The CCA has established the Root Certifying Authority of India (RCAI) under Section 18(b) of the Information Technology Act, 2000 to digitally sign the public keys of certifying authorities in India.
(c) As per Section 18 of the Information Technology Act, 2000, digital signatures based on asymmetric cryptosystems are accepted at par with handwritten signatures. Electronic documents that are digitally signed are treated at par with paper documents.
2. Licensing of Certifying Authorities
Under Section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government made the rules regulating the application and other guidelines for CAs. These rules are called the Information Technology (Certifying Authorities) Rules, 2000. They deal with the following issues related to CAs:
(a) Creation and verification of digital signatures.
(b) The information technology architecture that CAs may support.
(c) Information that digital signature certificates must contain.
(d) Eligibility for licensing of CAs.
(e) Form, information and fees to be submitted with an application for a license to become a CA.
(f) Requirement for cross-certification with other licensed CAs.
(g) Validity, renewal and suspension of a license granted to a CA.
(h) Conditions under which the Controller may refuse to grant a license or refuse to renew a license.
(i) Security guidelines for CAs.
(j) Requirements prior to ceasing activities as a CA.


(k) Database of disclosure records of CAs to be maintained by the Controller.
(l) Issue of digital signature certificates by a CA.
(m) Generation of digital signature certificates.
(n) Compromise and revocation of digital signature certificates.
(o) Fees that CAs can charge.

Relevant Sections
1. Section 8, Information Technology (Certifying Authorities) Rules, 2000 – Licensing of certifying authorities: It specifically provides the requirements for applying for the grant of a license to issue digital signature certificates to an individual or a company.
2. Section 35, Information Technology Act, 2000 – Certifying authority to issue electronic signature certificate: This section lays down the requirements and the procedure for obtaining a digital signature certificate from the CA.
1. Any person may make an application to the certifying authority for the issue of a digital signature certificate in such form as may be prescribed by the Central Government.
2. Every such application shall be accompanied by such fee, not exceeding twenty-five rupees, as may be prescribed by the Central Government, to be paid to the certifying authority.
3. Provided that while prescribing fees under this sub-section, different fees may be prescribed for different classes of applicants.
4. Every such application shall be accompanied by a certification practice statement or, where there is no such statement, a statement containing such particulars as may be specified by regulations.
5. On receipt of an application under Subsection (1), the certifying authority may, after consideration of the certification practice statement or the other statement under Subsection (3) and after making such enquiries as it may deem fit, grant the digital signature certificate or, for reasons to be recorded in writing, reject the application.
6. Provided that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

POINTS TO REMEMBER
1. A legal framework is necessary to protect data, information and the IT infrastructure. This legal framework consists of processes, tools, document information systems, networks, etc., and supports the functioning of the legal system for the use of the IT infrastructure and the Internet.
2. Electronic information and its transmission are vulnerable to attackers or cybercriminals. It is important to guarantee the security of the information by both lawful and technical methods.
3. The information transmitted over the network can be protected by encoding it; this procedure is known as encryption.


4. Cryptography is the science and art of secret writing which keeps data confidential. Cryptography shields information from unauthorized individuals. Anything which is written as a cipher is cryptography.
5. The process of decoding encrypted information is called decryption.
6. There are two types of encryption algorithm: private key cryptography and public key cryptography.
7. A digital signature is a code generated using public key cryptography, also called asymmetric key cryptography. This code is attached to the electronic document and assures the receiver of the electronic document of the authenticity of the sender.
8. An electronic signature is defined as ‘an electronic sound, symbol or process that is attached to or logically associated with a record and is executed or adopted by a person with the intent to sign the record’.
9. Public key infrastructure (PKI) is an approach for enabling digital signatures. It is a prescriptive method and depends heavily on a legal framework that can facilitate the use of digital signatures for electronic transactions.

4.4 Intellectual Property Aspect in Cyber Law and Evidence Aspect in Cyber Law

4.4.1 Intellectual Property Aspect in Cyber Law
Intellectual property (IP) refers to the intangible property that is a creation of the human mind. Being intangible, intellectual property is harder to protect, as it can easily be taken away and may be hard to recover, leading to loss of money and loss of reputation. Intellectual property rights aim to provide innovators and creators legal protection for their ideas and creations. Copyrighting written works, applying for patents for inventions and trademarking brands, names and logos are some of the ways of doing this. Industrial property rights and copyright are both included in intellectual property. The types of intellectual property are as listed in the following:
1. Patents: A patent is an exclusive right, granted by the government to the inventor, which allows him/her to exclude all others from making, using, selling and importing the invention, for a limited number of years, in return for the public disclosure of the invention. In India, patents are governed by the provisions of the Patents Act, 1970 as amended by the Patents (Amendment) Act, 2005 and the Patents Rules, 2006. The term of each patent in India is 20 years from the date of filing of the patent application. Patent rights are granted by the Indian Patent Office and extend only throughout the territory of India. For the grant of a patent in another nation, the inventor must apply in that particular nation. The Indian Patent Office is managed by the Office of the Controller General of Patents, Designs and Trade Marks (CGPDTM). This is a subordinate office of the Government of India and administers the Indian law for patents, designs and trademarks. Figure 4.3 shows an example of a patent in the history of aviation.


Figure 4.3 A patent in the history of aviation.

2. Trade secrets: A trade secret is intellectual property in the form of a formula, practice, process, design, instrument, pattern, business technique or compilation of information which is generally not known to the public and using which a business can obtain an economic advantage over its competitors or clients. Such a business also tries to maintain the secrecy. There is no particular law in India for the protection of trade secrets. However, they are protected under different statutes, including contract law, copyright law, the principles of equity and breach of confidence. The Information Technology Act 2000, under Section 72, also gives certain protection to electronic records. Usually, companies use employee non-disclosure agreements to ensure the confidentiality of the company's secrets during and after the end of employment. Figure 4.4 shows an example of a trade secret in the form of a computer file protected with strong passwords.

Figure 4.4 A trade secret in the form of a computer file with strong passwords.

3. Trademarks: A trademark (Fig. 4.5) is a recognizable sign, design or expression by which a customer can identify a product or the source of a product. The symbols ‘TM’ (the trademark symbol) and ‘®’ (the registered trademark symbol, usable only if the mark is registered) can be used by the owner to indicate trademarks. Trademarks in India are registered and protected by the Trade Marks Registry, established in 1940, which acts under the Trade Marks Act, 1999. It gives protection to trademarks for goods and services, and also prevents fraudulent use of the mark in India.


Figure 4.5  A trademark.

4. Geographical indication: A geographical indication (GI) is a name or a sign used on products which relates to a particular geographical area or origin [e.g., a town, district or nation (Fig. 4.6)], specifying the source of the product. This may act as a certification of certain qualities or methods of manufacturing, or of a specific reputation the product enjoys because of its geographical origin. The Geographical Indications of Goods (Registration and Protection) Act, 1999 (GI Act) is an Act of the Parliament of India for the protection of geographical indications in India. India, as a member of the World Trade Organization (WTO), enacted the Act to comply with the Agreement on Trade-Related Aspects of Intellectual Property Rights.

Figure 4.6  A geographical indication.


5. Industrial designs: An industrial design is the ornamental or aesthetic aspect of an article (Fig. 4.7). It comprises features of the article such as the composition of patterns, lines and colour. An industrial design can be a two- or three-dimensional pattern used to produce an item, industrial product or handicraft. The registration and protection of industrial designs in India are governed by the Designs Act, 2000, and the corresponding Designs Rules, 2001, with subsequent amendments.

Figure 4.7  An example of an industrial design.

6. Copyright: Copyright is a legal method of protecting the original creative work of the creator. It gives exclusive publication, distribution and usage rights to the creator, and the work cannot be used, copied or published by any other individual without his/her consent. Copyright protects only the original expression of ideas, and not the underlying ideas, for a limited period of time, after which the copyrighted item can be used freely by others. Creative work that can be copyrighted includes books, poems, plays, songs, films, fine art, websites, online content and other creations. The Copyright Office is set up under Section 9 of the Copyright Act, 1957, which came into effect in January 1958 to give copyright protection to a wide range of works. It is under the immediate control of the Registrar of Copyrights, who is appointed by, and acts under the superintendence and directions of, the Central Government.

Figure 4.8  Copyright – A legal method for securing the original creative work of the creator.


4.4.2 Intellectual Property Laws and Cyberspace in India
A lot of content is published on the Internet every day in various formats. The Internet is the perfect medium for the creators of artistic and academic content to spread their work to a bigger audience. Individuals can likewise alter, modify, distort and redistribute the words, sounds, videos and pictures they find on the Internet, either legally or illegally. This is true for content casually posted on a social networking platform as well as content created for business purposes, and its misuse is called intellectual property theft. Piracy of movies, software, etc., which causes an enormous loss of income to the copyright holder, is one of the significant forms of intellectual property theft; stealing of copyrights, trade secrets, patents, published work, etc. is generally prevalent. The Indian Information Technology Act, 2000 has no provision for the protection of intellectual property rights. The Indian Copyright Act, 1957 deals with the protection of computer software, but is inadequate to address all the aspects of information technology.
A. Indian Copyright Act, 1957: The Copyright Act, 1957 (as amended by the Copyright Amendment Act, 2012) governs the subject of copyright law in India. The Act has been applicable from 21 January, 1958 and has been amended from time to time. The Act defines the terms ‘computer’ and ‘computer program’ in Section 2.
1. Section 2(ffb): ‘Computer’ includes any electronic or similar device having information processing capabilities. ‘Computer program’ means a set of instructions expressed in words, codes, schemes or in any other form, including a machine-readable medium, capable of causing a computer to perform a particular task or achieve a particular result.
2. Section 2(ffc): The Indian Copyright Act, 1957 protects ‘databases’ as ‘literary work’ under Section 13(1).
The following sections of the Copyright Act, 1957 relate to copyright infringement of software or computer programs and the punishment for the offence.
Section 13(1) – Works in which copyright subsists: Subject to the provisions of this section and the other provisions of this Act, copyright shall subsist throughout India in the following classes of works, that is to say, (a) original literary, dramatic, musical and artistic works; (b) cinematograph films; and (c) sound recordings.
3. Section 63B: Knowing use of an infringing copy of a computer program to be an offence. Any person who knowingly makes use on a computer of an infringing copy of a computer program shall be punishable with imprisonment for a term which shall not be less than seven days but which may extend to three years, and with a fine which shall not be less than fifty thousand rupees but which may extend to two lakh rupees.


Provided that where the computer program has not been used for gain or in the course of trade or business, the court may, for adequate and special reasons to be mentioned in the judgment, not impose any sentence of imprisonment and may impose a fine which may extend to fifty thousand rupees.

B. Patent Act, 1970: The Patent Act, 1970 came into force in the year 1972, amending and consolidating the existing law relating to patents under the Patents and Designs Act, 1911 in India. The Patents (Amendment) Act, 2002 came into effect on 20 May, 2003. Computer software is considered valuable property and forms a part of intellectual property. However, software by itself is not patentable in India, as there is no legal or conclusive definition of a software patent: a mathematical or business method, a computer program per se or algorithms are not patentable.

4.4.3 Evidence Aspect in Cyberlaw
In legal terms, evidence refers to proof legally presented in a court of law to ascertain the truth of a matter in issue. Pieces of evidence in general prove or disprove the fact in question and are required by the courts to arrive at a conclusion in legal cases. Pieces of evidence are produced by all the parties in a legal dispute. The various types of evidence are given in Table 4.2.

Table 4.2  Types of Evidence

S.No.  Type of Evidence                    Example
1.     Testimony                           Oral or written statements and affidavits.
2.     Real evidence (physical evidence)   Tangible things such as a weapon and other objects.
3.     Demonstrative                       Pictures, X-rays, diagrams, maps, drawings, graphs, animations, simulations and models.
4.     Documentary material                Letter, invoice, contract, will, blog post or any other document.

The ‘Law of Evidence’, also called the ‘Rules of Evidence’, is in general a very important part of both the civil and the criminal systems. It is the set of rules that governs how evidence is collected, presented and applied for each case in courts of law. The Indian Evidence Act, 1872 is the primary law which defines the rules of evidence in India.

4.4.4 Indian Evidence Act, 1872
In India, the Indian Evidence Act was enacted by the Imperial Legislative Council in 1872 during British rule, and contains a set of rules and allied issues governing the admissibility of


evidence in the Indian courts of law. The Indian Evidence Act is identified as Act No. 7 of 1872 and is called the Indian Evidence Act, 1872. It came into force on 1 September, 1872 and since then it has retained its original form, with the exception of certain amendments made from time to time.

4.4.5 Amendments to the Indian Evidence Act, 1872
1. In Section 3, (a) in the definition of ‘Evidence’, for the words ‘all documents produced for the inspection of the Court’, the words ‘all documents including electronic records produced for the inspection of the Court’ shall be substituted; (b) after the definition of ‘India’, the following shall be inserted, namely, ‘the expressions “Certifying Authority”, “digital signature”, “Digital Signature Certificate”, “electronic form”, “electronic records”, “information”, “secure electronic record”, “secure digital signature” and “subscriber” shall have the meanings respectively assigned to them in the Information Technology Act, 2000’.
2. In Section 17, for the words ‘oral or documentary’, the words ‘oral or documentary or contained in electronic form’ shall be substituted.
3. After Section 22, the following section shall be inserted, namely, ‘22A. When oral admissions as to contents of electronic records are relevant: Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question’.
4. After Section 65, the following shall be inserted, namely, ‘65A. Special provisions as to evidence relating to electronic record: The contents of electronic records may be proved in accordance with the provisions of Section 65B’.

Admissibility of Electronic Records
1. Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and the computer in question, and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
2. The conditions referred to in Subsection (1) in respect of a computer output shall be the following:
(a) The computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;
(b) During the said period, information of the kind contained in the electronic record, or of the kind from which the information so contained is derived, was regularly fed into the computer in the ordinary course of the said activities;
(c) Throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly


or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents;
(d) The information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
3. Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period, as mentioned in clause (a) of Subsection (2), was regularly performed by computers, whether (a) by a combination of computers operating over that period; or (b) by different computers operating in succession over that period; or (c) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer, and references in this section to a computer shall be construed accordingly.
4. In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say:
(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;
(c) dealing with any of the matters to which the conditions mentioned in Subsection (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate), shall be evidence of any matter stated in the certificate; and for the purposes of this subsection it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.
5. For the purposes of this section:
(a) Information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment.
(b) Whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities.
(c) A computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.
After Section 67, the following section shall be inserted, namely, ‘67A. Evidence as to digital signature: Except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such digital signature is the digital signature of the subscriber must be proved’.

POINTS TO REMEMBER
1. Intellectual property (IP) refers to intangible property that is a creation of the human mind.
2. Intellectual property rights aim to give innovators and creators legal protection for their ideas and creations.
3. Intellectual property includes industrial property rights and copyright.
4. Types of intellectual property:
(a) Patents: A patent is an exclusive right, granted by a government to an inventor, which allows him/her to exclude all others from making, using, selling and importing the invention for a limited number of years, in return for the public disclosure of the invention.
(b) Trade secrets: A trade secret is intellectual property in the form of a formula, practice, process, design, instrument, pattern, business technique or compilation of information which is not generally known to the public and by using which a business can obtain an economic advantage over competitors or customers. Such a business also tries to maintain its secrecy. There is no specific law in India for the protection of trade secrets. However, they are protected under different statutes, including contract law, copyright law, the principles of equity and breach of confidence.
(c) Trademarks: A trademark is a recognizable sign, design or expression by which a customer can identify a product or the source of a product.
(d) Geographical indication: A geographical indication (GI) is a name or sign used on products that relate to a particular geographical location or origin, specifying the source of the product.
(e) Industrial designs: An industrial design consists of the ornamental or aesthetic aspect of an article.
(f) Copyright: Copyright is a legal method of protecting the original creative work of the creator.
5. The Indian Copyright Act, 1957 (as amended by the Copyright Amendment Act, 2012) governs copyright law in India. The act has been in force since 21 January 1958 and has been amended from time to time. The act defines the terms ‘computer’ and ‘computer program’.
6. Patent Act, 1970: Computer software is considered valuable property and forms a part of intellectual property. However, software by itself is not patentable in India, as there is no legal or conclusive definition of a software patent.
7. In legal terms, evidence refers to proof legally introduced in a court of law to establish the truth of a matter.
8. In India, the Indian Evidence Act was enacted by the Imperial Legislative Council in 1872.

4.5 The Criminal Aspects in Cyber Law

1. Crime: A violation of criminal law is called a crime. Some examples of crimes are murder, assault, forgery, stealing, etc. These crimes threaten the general public.
2. Criminology: The study of criminal behaviour is called criminology.


3. Computer crime
(a) Any illegal act in which a computer is the instrument of the crime, or any crime whose method or purpose is to affect the functioning of a computer, is known as computer crime.
(b) Any incident associated with computer technology in which a victim suffered or could have suffered loss and an offender, by intention, made or could have made a gain.
(c) Computer crime is any criminal offence, act or issue that involves computers.
(d) Computers are used in illegal activities such as child pornography, threatening letters, e-mail spam or harassment, extortion, fraud, theft of intellectual property and theft.
4. Categorizing computer-related crime: No single category suits the wide diversity of conduct, culprits, victims and motives found when examining computer crimes. Adding to this confusion is the fact that computer crimes can also vary depending upon the jurisdiction criminalizing the conduct. Computers serve in many roles related to criminal activity. The three generally accepted categories speak of computers as communication tools, as targets and as storage devices.
· The computer as a communication tool: the computer is the instrument used to carry out the crime. This category includes traditional offences, for example, fraud committed using a computer. For instance, the purchase of fake artwork at an auction held on the Internet uses the computer as the tool for carrying out the crime. While the activity could simply occur offline at an auction house, the fact that a computer is used for the purchase of this artwork may delay the detection of the fraud. The use of the Internet may also make it difficult to track down the culprit.
· A computer can also be the target of criminal activity, as seen when hackers gain unauthorized access to Department of Defense sites. Theft of information stored on a computer also falls within this category. The unauthorized acquisition of trade secrets for economic gain from a computer system puts the computer in the role of target of the criminal activity.
· A computer can also be incidental to a crime when, for example, it is used as a storage place for criminal records. For example, a business involved in illegal activity might be using a computer to store its records. The seizure of computer hard drives by law enforcement shows the importance of this function to the evidence-gathering process.
· In certain cases, computers serve in a dual capacity as both the tool and the target of criminal conduct. For instance, the computer is the tool of the criminal conduct when an individual uses it to release a computer virus onto the Internet. In this same situation, computers also serve as targets, in that the computer virus might be designed to disable the computers of organizations throughout the world.

4.5.1 Causes or Factors Contributing to Computer Crime
Cybercriminals always choose a simple method to make large amounts of money. They target wealthy individuals or wealthy organizations like banks, casinos and financial firms, where a huge amount of money flows every day, and hack sensitive information. Catching such criminals is difficult. Consequently, the number of cybercrimes across the globe increases. Computers are vulnerable, so laws are required to protect and defend them against cybercriminals. The following reasons for the vulnerability of computers can be listed:
1. Easy to access: The problem in defending a computer system from unauthorized access is that there are many possibilities of breach because of the complex technology. Hackers can steal access codes, retina images, advanced voice recordings and so forth that can fool biometric systems easily, and firewalls can be bypassed to get past many security systems.
2. Capacity to store data in comparatively small space: The computer has the remarkable characteristic of storing information in a very small space. This makes it much easier for people to steal information from any storage medium and use it for their own benefit.
3. Complexity: Computers run on operating systems, and these operating systems are composed of millions of lines of code. The human brain is imperfect, so programmers can make mistakes at any stage. Cybercriminals take advantage of these gaps.
4. Negligence: Negligence is a characteristic of human conduct. So there is a possibility that, while protecting a computer system, we may be negligent in some way, which gives a cybercriminal access to and control over the computer system.
5. Loss of evidence: Information related to the crime can easily be destroyed. The loss of this evidence has become a very common and obvious problem, which paralyses the system of investigation of cybercrime.

4.5.2 Strategy for Preventing Computer Crime
To prevent the crime, there are two main aspects of the strategy.
1. Systemic methodology
(a) Computer crime is a new form of criminal offence that cuts across transnational borders.
(b) Concerted international cooperation is needed to effectively address this crime.
(c) International collaboration and exchange of technology related to information security should be strongly encouraged.
(d) It has become essential to develop guidelines or rules for computer security.
(e) The use of such manuals, at all levels within an organization and between organizations, should be made mandatory. Such rules or manuals, when truly implemented, hold greater prospects of success than enacting new legislation for information security.
(f) It should be made obligatory for organizations or institutions to give in their annual reports an assertion that the information security measures laid down in the manual have been adopted. In a transaction-oriented system, enquiry-only users need be granted only read access; this offers a far greater degree of assurance than granting programming access.
2. Legal deterrents
(a) Separation of the activities which constitute offences from those which are non-offences.
(b) Amendment of the domestic criminal law, based on an international understanding, to meet the necessity of preventing computer-related crime.
(c) Effective prosecution, inter alia by adapting the current criminal procedure and related arrangements.
(d) The formulation and adoption of a procedure for the investigation of computer crime is cardinal to the effective implementation of any new piece of legislation for the amendment or supplementation of existing law.
(e) The guidelines should spell out the procedural aspects relating to search of premises, seizure of incriminating documents or materials, the duty of witnesses and so on.
(f) In addition to the above, considering the quickly changing nature of computer-related crime, it is desirable to adopt the rules and classification proposed by the Organisation for Economic Co-operation and Development (OECD), with necessary modifications to suit national requirements.

4.5.3 Amendments to Indian Penal Code, 1860
The Indian Penal Code (IPC), drafted in 1860, is the official criminal code of India. It provides a general penal code for India and is applicable throughout India, except for the state of Jammu and Kashmir. It includes 23 chapters with 511 sections. The Information Technology Act, 2000 has made several amendments to the Indian Penal Code. Because of this, cybercrime cases in India are also registered under sections of the IPC. The sections of the IPC pertaining to cybercrime are given in Table 4.3.

Table 4.3  IPC Sections Pertaining to Cybercrime Cases in India

Offence                                 Section of IPC
Offences by/against public servant      167, 172, 173 and 175
False electronic evidence               193
Destruction of electronic evidence      204 and 477
Forgery                                 463 to 477A
Criminal breach of trust                405 to 409
Counterfeiting property mark            482 to 485
Tampering                               489
Counterfeiting currency/stamps          489A to 489E

A.  Section 29A – Electronic Record: The most important amendment of the Indian Penal Code by the Information Technology Act, 2000 is the substitution of the words ‘document or electronic record’ for the word ‘document’. This has brought many cybercrimes relating to electronic records directly under the scope of the Indian Penal Code. The term ‘electronic record’ shall have the meaning assigned to it in clause (t) of Subsection (1) of Section 2 of the Information Technology Act, 2000 (21 of 2000).

Section 2(1)(t) of the Information Technology Act, 2000: ‘Electronic record’ means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer-generated microfiche.


B.  Section 463: Forgery
Whoever makes any false document or false electronic record, or part of a document or electronic record, with intent to cause damage or injury to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery.
C.  Section 464: Making a False Document
A person is said to make a false document
1. who dishonestly or fraudulently makes, signs, seals or executes a document or part of a document, or makes any mark denoting the execution of a document, with the intention of causing it to be believed that such document or part of a document was made, signed, sealed or executed by or by the authority of a person by whom or by whose authority he knows that it was not made, signed, sealed or executed, or at a time at which he knows that it was not made, signed, sealed or executed; or
2. who, without lawful authority, dishonestly or fraudulently, by cancellation or otherwise, alters a document in any material part thereof, after it has been made or executed either by himself or by any other person, whether such person be living or dead at the time of such alteration; or
3. who dishonestly or fraudulently causes any person to sign, seal, execute or alter a document, knowing that such person by reason of unsoundness of mind or intoxication cannot, or that by reason of deception practised upon him he does not, know the contents of the document or the nature of the alteration.
D.  Section 499: Defamation
Whoever, by words either spoken or intended to be read, or by signs or by visible representations, makes or publishes any imputation concerning any person, intending to harm, or knowing or having reason to believe that such imputation will harm, the reputation of such person, is said, except in the cases hereinafter excepted, to defame that person.

POINTS TO REMEMBER
1. Crime: A violation of criminal law is called a crime.
2. Criminology: The study of criminal behaviour is called criminology.
3. Computer crime: Any illegal act in which a computer is the instrument of the crime, or any crime whose method or purpose is to affect the functioning of a computer, is known as computer crime.
4. Computers are vulnerable, so laws are required to protect and defend them against cybercriminals.
5. Reasons for the vulnerability of computers are: (a) easy to access; (b) capacity to store data in comparatively small space; (c) complexity; (d) negligence; (e) loss of evidence.
6. To prevent the crime, there are two main aspects of the strategy: (a) systemic methodology; (b) legal deterrents.
7. The Indian Penal Code (IPC), drafted in 1860, is the official criminal code of India. It provides a general penal code for India and is applicable throughout India, except for the state of Jammu & Kashmir. It includes 23 chapters with 511 sections.

4.6 Global Trends in Cyber Law

4.6.1 The Contract Aspect
In the contract aspect, not much debate or thought with a view to choice has taken place. In many cases, when security measures such as encryption are adopted, the basic needs of authenticity, witnessing of signatures, non-repudiation, origination, acknowledgement, etc. are taken care of. Thus, two of the three primary concepts related to e-commerce, namely originator, addressee and acknowledgement of receipt of a record, are automatically attended to while implementing a legal framework for encryption or digital signatures. The concept of time and place of dispatch and receipt is probably the main aspect which has had to be revisited.
4.6.2 The Security Aspect
1. Initiatives by international organizations: Many countries have passed laws related to electronic signatures. Many others are giving serious thought along these lines. The United Nations Commission on International Trade Law (UNCITRAL) is working on a model digital signature law. Some rules related to cryptography have been taken up by the Organisation for Economic Co-operation and Development (OECD). The OECD has among its members major industrial nations such as Australia, Canada, European nations, Japan and the United States of America. The OECD guidelines consider the following important points:
(a) Cryptographic methods: Cryptographic methods should be trustworthy so as to produce confidence among the users of information and communication systems.
(b) Choice of cryptographic methods: Users should have the right to choose any cryptographic method, subject to the applicable law.
(c) Market-driven development of cryptographic methods: Cryptographic methods should be developed in response to the needs and demands of individuals, businesses and governments.
(d) Standards for cryptographic methods: Technical standards, criteria and protocols for cryptographic methods should be developed and promulgated at national and international levels.


(e) Protection of privacy and personal data: The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
(f) Lawful access: National cryptography policies may allow lawful access to plaintext or to the cryptographic keys of encrypted data.
(g) Liability: Whether established by contract or legislation, the liability of individuals and institutions that offer cryptographic services should be clearly stated.
(h) International cooperation: Governments should coordinate their cryptography policies. Governments should avoid creating unjustified obstacles to international trade in the name of enforcing cryptography policy.
The OECD members review these guidelines at least every 5 years with a view to improving international cooperation on issues related to cryptography policy.
2. United Nations initiatives: The United Nations Convention on the Use of Electronic Communications in International Contracts (also called the ‘Electronic Communications Convention’ or ECC) is a treaty to facilitate the use of electronic communications in international trade by ensuring that contracts concluded and other communications exchanged electronically are as valid and enforceable as their traditional paper-based equivalents.
It was drafted by the United Nations Commission on International Trade Law (UNCITRAL) and adopted by the United Nations General Assembly on 23 November 2005, and it entered into force on 1 March 2013.
UNCITRAL, established by the United Nations General Assembly, has played a significant role in the harmonization and modernization of the law of international trade by preparing and promoting the use and adoption of legislative and non-legislative instruments in various areas of commercial law since the 1980s.
The Electronic Communications Convention was built upon the UNCITRAL Model Law on Electronic Commerce (MLEC), 1996 and the UNCITRAL Model Law on Electronic Signatures (MLES), 2001.
3. Initiatives by the European Union: The European Commission has launched a study on the legal aspects of digital signatures. The study gives an overview of the policies of the European Union as well as an insight into the current rules, regulations and de facto practices related to digital signatures, and supports the development of new rules, regulations and practices among the members of the European Union and its main trading partners.
4. Initiatives by the G7 countries: The G7 countries have suggested the following: Governments, industry and users must agree on the cryptographic methods and products to be used in the global information infrastructure. There should be agreement on the procedure for verifying that these methods or products conform to the standards so agreed.
The agreed methods and the agreed verification procedures must be made public. Agreed methods must be based on private-sector-led, voluntary international standards arrived at by consensus. Products conforming to the agreed methods should be free from (a) import controls, (b) legal restrictions on their use and (c) licensing restrictions.
Products conforming to the agreed procedures should be exportable to all nations except those subject to UN embargo, and users and suppliers of products conforming to the agreed methods should be allowed to make technical and economic choices about methods of implementation and operation. The choice of hardware and software should likewise be permitted.

4.6.3 World Intellectual Property Organization (WIPO)
The World Intellectual Property Organization (WIPO) is a specialized agency of the United Nations (UN). It was established in 1967 ‘to encourage creative activity, to promote the protection of intellectual property throughout the world’. It promotes the worldwide protection of both industrial property (inventions, trademarks and designs) and copyright material. WIPO is committed to protecting intellectual property (IP) by working with organizations worldwide. It enlists the collaboration of member states through the nine essential goals of its strategic plan. The strategies adopted by member states and organizations include the following:
1. Developing a global IP infrastructure.
2. Building international respect for IP.
3. Supporting structures used to facilitate financial and administrative functions.
4. Implementing global policy issues related to IP.

WIPO Internet Treaties
The WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty are together known as the WIPO Internet Treaties. They set out a global framework for preventing unauthorized access to and use of creative works on the Internet and other digital networks. They were concluded in 1996 and came into force in 2002. India amended its Copyright Act, 1957 in 2012 to comply with the WIPO Internet Treaties, but acceded to them only in 2018. The treaties entered into force, with respect to the Republic of India, on December 25, 2018.
WIPO Copyright Treaty
It is a special agreement under the Berne Convention for the protection of literary and artistic works. It came into force on May 20, 2002. It provides for extending the protection of copyright to the digital environment.
WIPO Performances and Phonograms Treaty
It came into force on May 20, 2002. It deals with the rights of the following two kinds of beneficiaries, particularly in the digital environment:
1. Performers (actors, singers, musicians).
2. Producers of phonograms (sound recordings).
The treaty empowers right owners in their negotiations with new digital platforms and distributors. It recognizes the moral rights of performers for the first time and gives them specific economic rights.


POINTS TO REMEMBER
1. Initiatives by international organizations: The United Nations Commission on International Trade Law (UNCITRAL) is working on a model digital signature law. Some rules related to cryptography have been taken up by the Organisation for Economic Co-operation and Development (OECD).
2. United Nations initiatives: The United Nations Convention on the Use of Electronic Communications in International Contracts (also called the ‘Electronic Communications Convention’ or ECC) is a treaty to facilitate the use of electronic communications in international trade by ensuring that contracts concluded and other communications exchanged electronically are as valid and enforceable as their traditional paper-based equivalents.
3. Initiatives by the European Union: The European Commission has launched a study on the legal aspects of digital signatures.
4. Initiatives by the G7 countries:
(a) Governments, industry and users must agree on the cryptographic methods and products to be used in the global information infrastructure.
(b) There should be agreement on the procedure for verifying that these methods or products conform to the standards so agreed.
(c) The agreed methods and the agreed verification procedures must be made public. Agreed methods must be based on private-sector-led, voluntary international standards arrived at by consensus.
(d) Products conforming to the agreed methods should be free from import controls, legal restrictions on their use and licensing restrictions.
5. WIPO Internet Treaties: The WIPO set out a global framework for preventing unauthorized access to and use of creative works on the Internet and other digital networks.

4.7 Legal Framework for Electronic Data Interchange Law Relating to Electronic Banking

The United Nations Commission on International Trade Law proposed the Model Law on Electronic Data Interchange in 1996. It was also significant for e-commerce in general, and as electronic trading through other means increased, UNCITRAL expanded the title to the UNCITRAL Model Law on Electronic Commerce. UNCITRAL has defined the term in Article 2 of the Model Law as follows: “Electronic data interchange means the electronic transfer from computer to computer of information using an agreed standard to structure the information.” The Model Law was adopted to assist in the framing of legislation to enable and facilitate electronic commerce. The Model Law:
· establishes rules and norms that validate and recognize contracts formed through electronic means;
· sets the principles for framing agreements and governing electronic contract execution;
· defines the attributes of legitimate electronic writing and an original document;
· provides for the admissibility of electronic signatures for legal and business purposes; and
· supports the admission of computer evidence in courts and arbitration proceedings.

In India, the Information Technology Act, 2000 gives legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication.

POINTS TO REMEMBER
1. As e-commerce in general, that is, electronic trading through other means, increased, UNCITRAL expanded the title to the UNCITRAL Model Law on Electronic Commerce.
2. UNCITRAL has defined the term in Article 2 of the Model Law as “Electronic data interchange means the electronic transfer from computer to computer of information using an agreed standard to structure the information.”

4.8 Need for Indian Cyber Law

Over the years, the Internet has developed beyond what it was created for, that is, research and the sharing of data. Today it is used for social networking, online exchange of data and financial activities such as business e-commerce, e-governance, e-procurement, etc. According to a 2018 report from the market research firm Kantar IMRB, published in March 2019, backed by increased Internet penetration in rural India, the number of Internet users in the country will reach 627 million by the end of this year, registering an 11% growth over 566 million users in 2018. While Internet users grew by 7% in urban India, reaching 315 million users in 2018, rural India registered 25% growth in Internet users over the past year. It is now estimated that there are 251 million Internet users in rural India, and this is expected to reach 290 million by the end of 2019. Alongside cybercrimes, even conventional crimes have some aspect of technology involved, for instance the use of digital evidence in the form of the location of the accused from cell phones, audio/video recordings or the digital communication trail from e-mail or chats, which are used in investigation. Conventional laws are not adequate to deal with the complex challenges presented by the use of technology for committing crimes. By 2021 it is estimated that there will be about 635.8 million Internet users in India. With the rise in the number of users and applications of the Internet, the increase in its abuse is also unavoidable. India has an extremely detailed and well-defined legal system. However, the majority of the laws were enacted before the rise of the digital era and were not designed keeping the Internet and computer systems in mind. These traditional laws are not adequate to deal with the complex challenges presented by the use of technology for committing crimes.

These laws could not be interpreted to include all aspects relating to the various activities in cyberspace and could not give legal validity or approval to such activities. Some kinds of such activities are mentioned in the following. Conventional laws are not sufficient to deal with the complex challenges presented by the use of technology for carrying out crimes. Today technology has become an important part of almost all our activities. Some of these activities are listed in the following:
1. Practically all businesses, and many individuals, extensively use computers and computer networks for different business processes, online stock trading and for preparing and storing information in electronic form.
2. Organizations and individuals use e-mail, cell phones and social networking platforms for communication.
3. Organizations and individuals are increasingly using electronic payment options like online fund transfer, credit/debit cards and other online payment options.
4. With the expansion of e-governance initiatives, activities like filing income tax returns and making applications to different government offices through online forms are now done in electronic form.
5. Digital signatures and e-contracts are rapidly taking the place of traditional ways of transacting business.
Because of the increase in such activities, cybercrime cases like online banking fraud, online share trading fraud, source code theft, credit/debit/ATM card fraud, tax evasion, virus attacks, cyber sabotage, phishing attacks, e-mail hijacking, denial of service, etc. are becoming common. Even in conventional, non-cybercrime cases like murder, kidnapping, tax evasion, organized crime, terrorist operations, counterfeit currency, civil matters and so forth, important evidence can be extracted from computers and mobile phones.
Additionally, the Internet requires an enabling and supportive legal infrastructure, which must be provided by the enactment of the relevant cyber law, for instance for e-commerce and online transactions. In such a situation there is a great need for a cyber law which can address the technology perspective within the legal system.

POINTS TO REMEMBER
1. Backed by increased Internet penetration in rural India, the number of Internet users in the country will reach 627 million by the end of this year, registering an 11% growth over 566 million users in 2018, according to the report. While Internet users grew by 7% in urban India, reaching 315 million users in 2018, rural India registered 25% growth in Internet users over the past year. It is now estimated that there are 251 million Internet users in rural India, and this is expected to reach 290 million by the end of 2019.
2. India has an extremely detailed and well-defined legal system. However, the majority of the laws were enacted before the rise of the digital era and were not designed keeping the Internet and computer systems in mind.
3. These traditional laws are not adequate to deal with the complex challenges presented by the use of technology for committing crimes.
4. Conventional laws are not sufficient to deal with the complex challenges presented by the use of technology for carrying out crimes. Today technology has become an important part of almost all our activities.



Summary

In this chapter, we discussed cyberspace and how it contains everything in the virtual environment of computers and the Internet. We discussed e-commerce, which is the buying and selling of products and goods through the Internet, along with its advantages and disadvantages. We also discussed the types of e-commerce, which are as follows:
1. Business-to-consumer (B2C).
2. Business-to-business (B2B).
3. Consumer-to-consumer (C2C).
4. Consumer-to-business (C2B).
5. Government-to-citizen (G2C).
We discussed the classification of the various contract aspects in cyber law and their elements. We learnt about electronic contracts (e-contracts), which have solved various problems throughout the world, and the types of e-contracts. We also came across the Indian Contract Act, 1872. We discussed the legal prerequisites of an e-contract and its lawfully recognized provisions. In this module we also covered the security aspects of cyber law, which help in securing data and transactions. The digital signature is one of the security aspects of cyber law. A digital signature is a code generated using public key cryptography. This code is attached to the electronic document and assures the receiver of the electronic document of the authenticity of the sender. The legal architecture for the validity of digital signatures was discussed, which introduced Public Key Infrastructure (PKI). We also discussed identifying and understanding the intellectual property aspects of cyber law and described the evidence aspects of cyber law. Intellectual property (IP) refers to the immaterial property that is a creation of the human mind. We also talked about the types of intellectual property, which are as follows:
(a) Patents.
(b) Trade secrets.
(c) Trademarks.
(d) Geographical indication.
(e) Industrial designs.
(f) Copyright.
We learnt about intellectual property laws and cyberspace in India, where we talked about the Indian Copyright Act, 1957 and the Patent Act, 1970. We also discussed the evidence aspects of cyber law, where evidence refers to proof legally introduced in a court of law to find out the reality of an issue, and we went through its types. The Indian Evidence Act, 1872 and its amendments were also discussed. We also discussed the criminal aspects of cyber law, where we came across terms like crime, criminology and computer crime. Computer-related crimes were also categorized. We also discussed the causes and factors related to computer crime. The different strategies for preventing computer crime were discussed, which are as follows:
1. Systemic methodology.
2. Legal deterrents.
In this chapter, we learnt about the Indian Penal Code, 1860, which is the official criminal code of India. In this module we also came across global trends in cyber law. We discussed contract aspects and security aspects. Security aspects covered the following topics:
1. Initiatives by international organizations.
2. Initiatives by the United Nations.
3. Initiatives by the European Union.
4. Initiatives by G7 countries.
We also learnt about the World Intellectual Property Organization (WIPO), which is a specialized agency of the United Nations (UN). It was created in 1967 ‘to encourage creative activity, to promote the protection of intellectual property throughout the world’. We came across the WIPO Internet Treaties, the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. In the end, we learnt about the abstract needs for all aspects of Indian cyber law.
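The summary above describes a digital signature as a code generated with public key cryptography and attached to an electronic document so that the receiver can be assured of the sender's authenticity, with a certifying authority and PKI supplying the legal architecture that makes the signature trustworthy. The Go program below is an added illustration of that mechanism and is not code from the book. It uses the Ed25519 signature scheme from Go's standard library purely for illustration; the simplified `Certificate` type, the `IssueCertificate`, `SignDocument`, `VerifyDocument` and `RunScenario` functions, the names Alice and Bob and the sample e-contract text are all constructed for this example, and the toy certificate only stands in for the X.509 certificates a real certifying authority issues. It demonstrates the three properties the legal recognition of digital signatures relies on: a genuine signature verifies, any alteration of the document after signing makes verification fail, and a certificate not issued by the trusted certifying authority is rejected even when the key inside it is genuine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a deliberately simplified stand-in for a digital signature
// certificate: the certifying authority (CA) binds a subscriber's name to a
// public key by signing both together. (Constructed for this example.)
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// certBody is the byte string the certifying authority actually signs.
func certBody(subject string, pub ed25519.PublicKey) []byte {
	body := []byte(subject + "|")
	return append(body, []byte(pub)...)
}

// IssueCertificate lets a certifying authority vouch for a subscriber's public key.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, certBody(subject, pub))}
}

// SignDocument produces the signature the sender attaches to an electronic record.
// Ed25519 hashes the message internally, so the whole document is passed in.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDocument is what the receiver does: first confirm that the trusted CA
// really issued the certificate, then check the document signature against the
// certified public key. Both steps must pass.
func VerifyDocument(caPub ed25519.PublicKey, cert Certificate, doc, sig []byte) bool {
	if !ed25519.Verify(caPub, certBody(cert.Subject, cert.PubKey), cert.CASig) {
		return false // certificate not issued by this CA: the key is not trusted
	}
	return ed25519.Verify(cert.PubKey, doc, sig)
}

// Outcome records the result of the four checks performed by RunScenario.
type Outcome struct {
	Original   bool // genuine document, genuine certificate
	Tampered   bool // one figure in the document changed after signing
	WrongKey   bool // signature checked against another subscriber's certificate
	ForgedCert bool // certificate issued by an unrecognised authority
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario builds a CA, two subscribers and a constructed sample e-contract,
// then returns which verifications succeed. Only Outcome.Original should be true.
func RunScenario() Outcome {
	caPub, caPriv := mustKey()
	alicePub, alicePriv := mustKey()
	bobPub, _ := mustKey()
	_, rogueCAPriv := mustKey() // an authority the receiver does not trust

	aliceCert := IssueCertificate(caPriv, "Alice", alicePub)
	bobCert := IssueCertificate(caPriv, "Bob", bobPub)
	forgedCert := IssueCertificate(rogueCAPriv, "Alice", alicePub) // same key, untrusted issuer

	// Constructed sample electronic record and a tampered copy of it.
	doc := []byte("e-contract: Alice agrees to pay Bob INR 10,000 on 01-01-2021")
	tampered := []byte("e-contract: Alice agrees to pay Bob INR 90,000 on 01-01-2021")
	sig := SignDocument(alicePriv, doc)

	return Outcome{
		Original:   VerifyDocument(caPub, aliceCert, doc, sig),
		Tampered:   VerifyDocument(caPub, aliceCert, tampered, sig),
		WrongKey:   VerifyDocument(caPub, bobCert, doc, sig),
		ForgedCert: VerifyDocument(caPub, forgedCert, doc, sig),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("original=%v tampered=%v wrongKey=%v forgedCert=%v\n",
		o.Original, o.Tampered, o.WrongKey, o.ForgedCert)
}
```

The receiver never needs the sender's private key: the certificate carries the public key, and the CA's own signature on the certificate is what ties that key to the named subscriber. That chain, not the signature bits alone, is what a PKI-based legal framework treats as evidence of who signed.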



Review Questions

1. Explain e-commerce. What are the different types of e-commerce? Refer to Subsections 4.1.2 and 4.1.3.
2. What is an e-contract? Explain its different types. Refer to Subsection 4.2.1.
3. What are digital signatures? Refer to Subsection 4.3.1.
4. Explain the legal architecture required for the validity of digital signatures. Refer to Subsection 4.3.2.
5. Explain intellectual property and its different types. Refer to Subsection 4.4.1.
6. Explain the term evidence and the Indian Evidence Act, 1872 for electronic records. Refer to Subsections 4.4.3 and 4.4.4.
7. What are the different types of evidence? Refer to Subsection 4.4.3.
8. Explain the contract aspects of cyber law. Refer to Section 4.2.
9. Explain the security aspects of cyber law. Refer to Section 4.3.
10. Explain the evidence aspects of cyber law. Refer to Subsection 4.4.3.
11. Write a short note on the intellectual property aspects of cyber law. Refer to Subsection 4.4.1.
12. Write a short note on the World Intellectual Property Organization (WIPO). Refer to Subsection 4.6.3.
13. Explain the need for an Indian cyber law. Refer to Subsection 4.8.



Chapter 5  Information Technology Act

Learning Objectives
After reading this chapter, the reader will be able to
• Describe the objectives and features of the Information Technology Act, 2000.
• Describe the amendments of the Information Technology Act, 2000 for the Information Technology Act, 2008.
• Describe various technologies to reduce cybercrime.
• Describe the various sections under various information technology acts.

Technology like art is a soaring exercise of the human imagination. —Daniel Bell

5.1 Introduction of Cybercrime and Cyber Security

5.1.1 Cyberspace
Cyberspace is a virtual space; it has no boundaries, mass or gravity. It simply represents the interconnected space between computers, systems and other networks. Cyberspace can be characterized as a complex environment that involves interactions between people, software and services. It is sustained by the worldwide distribution of information and communication technology devices and networks. With the advantages brought by technological advancements, cyberspace today has become a common pool used by citizens, organizations, critical information infrastructure, the military and governments in a way that makes it difficult to draw clear boundaries among these various groups. Cyberspace is expected to become much more complex in the coming years, with the increase in the networks and devices connected to it.

Cyberspace Versus Physical World
First of all, physical space and cyberspace are two different concepts. Cyberspace is digital and not a physical space. Since these are two different worlds, they differ from each other. Cyberspace is an interactive world and it cannot be precisely defined, while the physical world is well defined. The basic differences between the physical world and cyberspace are listed in Table 5.1.


Table 5.1  Basic Differences between Physical World and Cyberspace

S.No. | Physical World         | Cyberspace
1.    | It is a static world.  | It is a dynamic world.
2.    | It is well-defined.    | It is undefined.
3.    | It is incremental.     | It is exponential.
4.    | It has fixed contours. | It is vast like human imagination and has no fixed shape.

5.1.2 Cyber Security and Cyber Law
As technology evolved, the need to regulate human behaviour evolved too. Cyber laws came into existence in order to ensure that people use technology and avoid its misuse. If an individual commits an act which violates the rights of a person in cyberspace, then it is treated as a cyberspace violation and is punishable under the provisions of the cyber laws. Since cyberspace is completely different from the physical world, traditional laws are not applicable here. In order to provide cybersecurity to users, the government introduced several cyber laws. When the Internet was designed and developed, the developers had no idea that it had the potential to grow to such a great extent. Today, many people are using the Internet for illegal and immoral activities which need regulation. In cyberspace, things like money laundering, identity theft, terrorism, etc. have created a need for stringent laws to enhance cybersecurity. Additionally, many technologically qualified criminals like hackers interfere with Internet accounts through the domain name server (DNS), IP address, phishing, etc. and gain unauthorized access to a user’s computer system and steal data. While there is no clear definition of cyber law, it is broadly the legal subject which emanated from the development of technology, the innovation of computers, the use of the Internet, etc.

Cyber Law
Cyber law encapsulates the legal issues related to the use of the communicative, transactional and distributive aspects of networked information technologies and devices. It is not as distinct as property law or other such laws, since it covers many areas of law and regulation. It encompasses the legal, statutory and constitutional provisions which affect computers and networks. Further, it concerns itself with individuals and institutions which
1. play an important part in providing access to cyberspace,
2. create hardware or software which allows people to access cyberspace and
3. use their own computers and enter cyberspace.
Cyber law is a generic term referring to all the legal and regulatory aspects of the Internet. Everything concerned with, related to or emanating from any legal aspect of, or concerning any activity of citizens in, cyberspace comes within the ambit of cyber laws. Currently, there are two main statutes which ensure cybersecurity:
1. The Indian Penal Code, 1860.
2. The Information Technology Act, 2000.


Cyber Law: The e-Commerce
In simple words, e-commerce is the commercial transaction of services in electronic form. By definition, e-commerce is defined as follows: Any transaction conducted over the Internet or through Internet access, comprising the sale, lease, license, offer or delivery of property, goods, services or information, whether or not for consideration, and includes the provision of Internet access. Further, in order to measure e-commerce, the U.S. Census Bureau looks at the value of the services and/or goods sold online. They look at transactions over open networks like the Internet and also over proprietary networks running Electronic Data Interchange systems.

5.1.3 Cyber Security Policy
All the users and providers working in Information and Communication Technology (ICT) need to develop a cybersecurity policy. They can be
1. home users,
2. small, medium and large enterprises,
3. government and non-government entities.
Cybersecurity policies explain the rules for how employees, consultants, partners, board members and other end-users can access online applications and Internet resources, send data into and out of the network and otherwise practise responsible security, and they help users understand the importance of security. A policy serves as a framework: it is used to define and guide the activities related to cyberspace. The policy gives a brief idea of how to effectively protect information, systems or devices on the network and how to protect networks. It helps in understanding the approach and strategy for the security of cyberspace in a particular organization. The first part of a cybersecurity policy describes the expectations, roles and responsibilities for general security in the organization. Stakeholders are outside consultants, IT staff, financial staff, etc. These details are given under the ‘roles and responsibilities’ or ‘information responsibility and accountability’ section. The policy can have other sections for different areas of cybersecurity, such as requirements and usage for antivirus software or the use of cloud applications. The policy development involves the steps shown in Fig. 5.1.

Figure 5.1  Steps involving a policy development: requirement gathering, proposal definition, policy development, approval and publication.


Requirement gathering, proposal definition, policy development, approval and publication are the five essential and basic steps used in creating a cybersecurity policy. Security policies are a part of the hierarchy of management control, telling their audience what should be done by adhering to the various terms and conditions of a company. Security policies can be informative, regulative or advisory in a broad manner and are generally subdivided into the following categories:
1. Physical security: Physical security is a very important category where physical assets are guarded. Physical assets can be anything from doors to surveillance, alarms, etc. It mandates protecting assets from both employees and management.
2. Personnel management: This gives employees the guidelines to securely operate the business or conduct day-to-day activities. Password management, confidential information security, etc. are basic activities for individual employees.
3. Hardware and software: This gives network and system administrators ideas about what and how networks should be configured and what type of technology should be used.
Once policies are designed, security audits come into the picture. Security auditing is a high-level analysis of the current project progress and company posture that tests information security against compliance with existing policies. Security policy audits help the company better understand the threats the organization is exposed to and the effectiveness of its current protection. A successful security audit accomplishes the following:
1. It compares your security policy with the actual practice in place.
2. It determines your exposure to threats from the inside.
3. It also determines the exposure of your organization to an outside attack.
The policy should be enforced and the employees should be aware of it. It is important that security should begin with an initial assessment of all the available security policies. After that, identifying objectives and gathering and reviewing requirements are the other important steps. Determining the current vulnerabilities provides a baseline for testing the implementation.

POINTS TO REMEMBER
1. Cyberspace is a virtual space; it has no boundaries, mass or gravity. It simply represents the interconnected space between computers, systems and other networks.
2. Cybersecurity is the protection of computer systems and networks from theft of or damage to their hardware, software or electronic data as well as from the disruption or misdirection of the services they provide.

5.2 Information Technology Act, 2000

5.2.1 Introduction
The Information Technology Act, 2000 was released on 17 May, 2000 to give legal recognition to electronic transactions and facilitate e-commerce. It is the primary law related to information technology (IT) in India. This law was introduced to deal with cybercrime and e-commerce in India. We will look at the objectives and various features of this act later in this chapter.


The Information Technology Amendment Act, 2008 is a considerable addition to India’s Information Technology Act, 2000. In October 2008, the IT Amendment Act was passed in the Indian Parliament. After a year, it came into force. The Indian Computer Emergency Response Team (CERT-In) administers this act. Originally the Act was propounded to promote the IT industry, regulate e-commerce, facilitate e-governance and prevent cybercrime. The United Nations Commission on International Trade Law (UNCITRAL) adopted the model law on e-commerce in 1996. This was done to bring uniformity to the law in different countries. Before making changes or creating a new law, the United Nations commended all countries to refer to this model law. The first draft was created by the Ministry of Commerce, Government of India as ‘The Commerce Act, 1998’; it was redrafted as ‘The Information Technology Bill, 1999’ and passed in May 2000. India was the 12th country to bring in a cyber law, named the Information Technology Act, 2000. The main objectives of this law are as follows:
1. To review the implementation of IT in the banking industry; information technology helps the industry to open new delivery channels.
2. To take the help of IT to deal with the challenges that the new economy poses.
3. To stop computer crime and protect the privacy of Internet users.
The Information Technology Act provides legal recognition to transactions done through electronic data interchange and other electronic means of communication, or electronic commerce transactions. This act also amended the existing laws. This involves the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto. The Information Technology Act, 2000 is based on the UNCITRAL model law.

The Information Technology Amendment Act, 2008 was passed by the Indian Parliament in October 2008 and came into force in 2009. It was introduced to address the issues that were not covered in the IT Act, 2000. The amendments include the following:
1. Redefining terms such as ‘communication device’ to reflect current use.
2. Validating electronic signatures and contracts.
3. Making the owner of a given IP address responsible for the content accessed or distributed through it.
4. Making corporations responsible for implementing effective data security practices and liable for breaches.
These amendments are made in the following sections of the Information Technology Act, 2000:
1. Section 43 (data protection).
2. Section 66 (hacking).
3. Section 67 (protection against unauthorized access to data).
4. Section 69 (cyberterrorism).
5. Section 72 (privacy and confidentiality).

5.2.2 Objectives of Indian Information Technology Act, 2000
The Information Technology Act, 2000 amends the following existing laws: the Indian Penal Code, 1860; the Indian Evidence Act, 1872; the Bankers’ Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934.


5.2.3 Salient Features of Information Technology Act, 2000
The salient features of the Information Technology Act, 2000 may briefly be stated as follows:
1. It provides legal recognition to records in the electronic form.
2. It provides legal recognition to e-commerce and electronic transactions in India.
3. It provides legal recognition to digital signatures issued and authenticated by the certifying authorities.
4. It is applicable to cybercrimes and contraventions committed in India and outside India by any person, irrespective of nationality, if the cybercrime is committed in India or involves any computer based in India.
5. It has appointed adjudicating officers for holding inquiries under the act.
6. It elaborates on offences, penalties and breaches.
7. It has established the Cyber Appellate Tribunal to hear appeals.
8. It adds a provision to Section 81, which states that the provisions of the act shall have an overriding effect. The provision states that nothing contained in the act shall restrict any person from exercising any right conferred under the Copyright Act, 1957.

5.2.4 Scheme of IT Act
The following points define the scheme of the IT Act. The IT Act contains 13 chapters and 90 sections.
1. The last four sections, namely Sections 91 to 94 of the IT Act, 2000, which dealt with the amendments to the Indian Penal Code, 1860; the Indian Evidence Act, 1872; the Bankers’ Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934, have been deleted.
2. The first 14 sections deal with some legal aspects concerning digital signatures.
3. Further sections deal with certifying authorities who are licensed to issue digital signature certificates.
4. Sections 43 to 47 provide for penalties and compensation.
5. Sections 48 to 64 deal with tribunals and appeals to the High Court.
6. Sections 65 to 79 of the act deal with offences.
7. Sections 80 to 90 deal with miscellaneous provisions of the act.

5.2.5 Intermediary Liability
Section 79 of the IT (Amendment) Act 2000 gives a clear idea of the liabilities of intermediaries and also provides safe harbour provisions. However, before that, what is an intermediary? According to Section 2(w) of the IT Act, 2000, intermediary ‘with respect to any particular electronic records means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online marketplaces and cybercafes.’ Section 79 in the amended IT Act says that an intermediary shall not be liable for any third party information, data or communication link made available or hosted by it, if
1. the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored;
2. the intermediary does not initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission;
3. the intermediary observes due diligence while discharging its duties and also observes such other guidelines as the Central Government may prescribe in this behalf.
If the intermediary fails to expeditiously remove or disable access to material, conspires or abets or aids or induces the commission of the unlawful act, or controls computer resources using links or programs residing in the computer system that do anything unlawful, then the intermediary will not be given immunity.

POINTS TO REMEMBER
1. Enacted on 17 May, 2000 – India is the 12th country in the world to adopt cyber laws.
2. The IT Act, 2000 has 13 chapters divided into 90 sections.
3. The first 14 sections deal with some legal aspects concerning digital signatures.
4. Further sections deal with certifying authorities who are licensed to issue digital signature certificates.
5. Sections 43 to 47 provide for penalties and compensation.
6. Sections 48 to 64 deal with tribunals and appeals to the High Court.
7. Sections 65 to 79 of the act deal with offences.

5.3 Penalties, Adjudication and Appeals Under the Information Technology Act, 2000

Section 43 Penalty for damage to computer, computer system, etc.: According to Section 43, a person who commits certain prohibited acts, mentioned below, shall be liable to pay damages by way of compensation not exceeding one crore to the affected party. These acts are as follows:
1. Accessing a computer, computer system or computer network without authority.
2. Downloading, copying or extracting any data, database or information from a computer, computer system or computer network without authority.
3. Introducing a computer contaminant or virus into any computer, computer system or computer network, including information or data held or stored in any removable storage medium.
4. Damaging a computer, computer system or computer network, data, computer database or any other program residing in such computer, computer system or computer network.
5. Disrupting the computer resources.
6. Denying or causing denial of access to any person authorized to access any computer, computer system or computer network by any means.
7. Providing assistance to any person to access a computer, computer system or computer network in contravention of the provisions of the act, and the rules or regulations made under the act.
8. Charging the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network.
9. Destroying, deleting or altering any information residing in a computer resource, or diminishing its value or utility, or affecting it injuriously by any means.
10. Stealing, concealing, destroying or altering, or causing any person to do the same to, any computer source code used for a computer resource with the intention to cause damage (inserted vide ITAA, 2008).

Section 43 also explains the terms used such as computer contaminant, computer database, computer virus, damage (damaging computer resources) and computer source (code inserted vide ITAA, 2008).



Section 43A Compensation for failure to protect data (IT Act, 2008): Section 43A was inserted by the Information Technology (Amendment) Act, 2008. It applies to any company, which could be a firm, sole proprietorship or an association of individuals engaged in commercial or professional activities, collectively called a body corporate. If such a body corporate, involved with processing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is found to be negligent in implementing and maintaining reasonable security practices and procedures, and this causes wrongful loss or gain to any person, then the body corporate shall be liable to pay damages by way of compensation not exceeding ₹5 crores to the affected party. Section 43A also explains terms such as body corporate, reasonable security practices and procedures and sensitive personal data or information in detail.





Section 44 Penalty for failure to furnish information, return, etc.: If any person who is required under this act or any rules or regulations made thereunder to
1. furnish any document, return or report to the controller or the certifying authority fails to furnish the same, he shall be liable to a penalty not exceeding ₹105,000 for each such failure;
2. file any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file the return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding ₹5000 for every day during which such failure continues; and
3. maintain books of account or records fails to maintain the same, he shall be liable to a penalty not exceeding ₹10,000 for every day during which the failure continues.



Section 45 Residuary penalty: This section provides that whoever contravenes any rules or regulations made under this act, for which no penalty has been separately provided, shall be liable to pay compensation of ₹25,000 to the person affected by such contravention or a penalty not exceeding ₹25,000.




Section 46 Power to adjudicate:
1. For the purpose of adjudging under this chapter whether any person has committed a contravention of any of the provisions of this act or of any rule, regulation, direction or order made thereunder, the Central Government shall, subject to the provisions of Subsection (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
2. The adjudicating officer shall, after giving the person referred to in Subsection (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.
3. No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of IT and legal or judicial experience as may be prescribed by the Central Government.
4. Where more than one adjudicating officer is appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.
5. Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under Subsection (2) of Section 58 and
(a) all proceedings before it shall be deemed to be judicial proceedings within the meaning of Sections 193 and 228 of the Indian Penal Code;
(b) it shall be deemed to be a civil court for the purposes of Sections 345 and 346 of the Code of Criminal Procedure, 1973.



Section 47 Factors to be taken into account by the adjudicating officer:  While adjudging the quantum of compensation under this chapter, the adjudicating officer shall have due regard to the following factors, namely, (a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default; (b) the amount of loss caused to any person as a result of the default; (c) the repetitive nature of the default.



Section 62 Appeal to high court:  Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.

Table 5.2 shows the offence and penalties against all the mentioned sections of the IT Act.


Table 5.2  Offence and Penalties Against all Mentioned Sections of the IT Act

Section | Offence | Punishment | Bailability and Cognizability
65 | Tampering with computer source code. | Up to 3 years of prison or penalty up to ₹200,000. | Cognizable, bailable and triable by Court of JMFC.
66 | Offences related to computer. | Up to 3 years of prison or penalty up to ₹500,000. | Cognizable, bailable and triable by Court of JMFC.
66A | Sending offensive messages through communication service, etc. | Up to 3 years of prison or penalty. | Cognizable, bailable and triable by Court of JMFC.
66B | Dishonestly receiving stolen computer resource or communication device. | Up to 3 years of prison and/or penalty up to ₹100,000. | Cognizable, bailable and triable by Court of JMFC.
66C | Identity theft. | Up to 3 years of prison (of either description) and/or penalty up to ₹100,000. | Cognizable, bailable and triable by Court of JMFC.
66D | Cheating by personation by using computer resource. | Up to 3 years of prison (of either description) and/or penalty up to ₹100,000. | Cognizable, bailable and triable by Court of JMFC.
66E | Violation of privacy. | Up to 3 years of prison and/or penalty up to ₹200,000. | Cognizable, bailable and triable by Court of JMFC.
66F | Cyberterrorism. | Prison for whole life. | Cognizable, non-bailable and triable by the Court of Sessions.
67 | Publishing or transmitting obscene material in electronic form. | Up to 3 years of prison and/or penalty up to ₹500,000 for the first conviction; from the second conviction onwards, penalty up to ₹1,000,000 or up to 5 years of prison. | Cognizable, bailable and triable by Court of JMFC.
67A | Publishing or transmitting of material containing sexually explicit act, etc. in electronic form. | Up to 5 years of prison or penalty up to ₹1,000,000 for the first conviction; from the second conviction onwards, penalty up to ₹1,000,000 or up to 7 years of prison. | Cognizable, non-bailable and triable by Court of JMFC.
67B | Publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form. | Up to 5 years of prison or penalty up to ₹1,000,000 for the first conviction; from the second conviction onwards, penalty up to ₹1,000,000 or up to 7 years of prison. | Cognizable, non-bailable and triable by Court of JMFC.
67C | Intermediary intentionally or knowingly contravening the directions about preservation and retention of information. | Up to 3 years of prison and penalty. | Cognizable and bailable offence.
68 | Failure to comply with the directions given by the Controller. | Up to 2 years of prison and penalty up to ₹100,000. | Non-cognizable and bailable offence.
69 | Failure to assist the agency referred to in Subsection (3) in regard to interception or monitoring or decryption of any information through any computer resource. | Up to 7 years of prison and penalty. | Cognizable and non-bailable offence.
69A | Failure of the intermediary to comply with the direction issued for blocking public access to any information through any computer resource. | Up to 7 years of prison and penalty. | Cognizable and non-bailable offence.
69B | Intermediary who intentionally or knowingly contravenes the provisions of Subsection (2) in regard to monitoring and collecting traffic data or information through any computer resource for cybersecurity. | Up to 3 years of prison and penalty. | Cognizable and bailable offence.
70 | Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of Section 70. | Up to 10 years of prison and penalty. | Cognizable and non-bailable offence.
70B | Indian Computer Emergency Response Team to serve as national agency for incident response. Any service provider, intermediary, data centre, etc. that fails to provide the information called for or to comply with the direction issued by the ICERT. | Up to 1 year of prison and/or penalty up to ₹100,000. | Non-cognizable and bailable offence.
71 | Misrepresentation to the Controller or the Certifying Authority. | Up to 2 years of prison and/or penalty up to ₹100,000. | Non-cognizable and bailable offence.
72 | Breach of confidentiality and privacy. | Up to 2 years of prison and/or penalty up to ₹100,000. | Non-cognizable and bailable offence.
72A | Disclosure of information in breach of lawful contract. | Up to 3 years of prison and/or penalty up to ₹500,000. | Cognizable and bailable offence.
73 | Publishing electronic signature certificate false in certain particulars. | Up to 2 years of prison and/or penalty up to ₹100,000. | Non-cognizable and bailable offence.
74 | Publication for fraudulent purpose. | Up to 2 years of prison and/or penalty up to ₹100,000. | Non-cognizable and bailable offence.

POINTS TO REMEMBER
1. Penalties: Any person who, without permission, accesses a computer shall be liable to pay damages by way of compensation.
2. Adjudication: It involves intervention in the dispute by a third party appointed by the government for the purpose of deciding the nature of the final settlement.

5.4 Offences Under Information Technology Act, 2000

Section 65 Tampering with computer source documents:  Under this section, any person who knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal, destroy or alter, any computer source code used for a computer, computer programme, computer system or computer network, shall be punishable with imprisonment up to 3 years, or with fine which may extend up to ₹200,000, or with both.


Section 66 Hacking with a computer system:  Under Section 66, any person who, with intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person, destroys, deletes or alters any information residing in a computer resource, or diminishes its value or utility, or affects it injuriously by any means, faces up to 3 years of imprisonment along with a fine. Whoever commits hacking shall be punished with imprisonment up to 3 years, or with fine which may extend up to ₹200,000, or with both.



Section 66A Punishment for sending offensive messages through communication service, etc. (IT Act, 2008):  Any person who sends, by means of a computer resource, any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device, shall be punishable with imprisonment for a term which may extend to 3 years and with fine.



Section 66B Punishment for dishonestly receiving stolen computer resource or communication device (IT Act, 2008):  As per the section, whoever dishonestly receives or retains any stolen computer resource or communication device, knowing or having reason to believe the same to be a stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to 3 years, or with fine which may extend to ₹100,000, or with both.



Section 66C Punishment for identity theft (IT Act, 2008):  According to Section 66C, any person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment which may extend to 3 years and shall also be liable to fine which may extend to ₹100,000.



Section 66D Punishment for cheating by personation by using computer resource (IT Act, 2008):  Any person who, by means of any communication device or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to 3 years and shall also be liable to fine which may extend to ₹100,000.



Section 66E Punishment for violation of privacy (IT Act, 2008):  Under this section, any person who intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent shall be punished with imprisonment which may extend to 3 years, or with fine not exceeding ₹200,000, or with both.



Section 66F Punishment for cyberterrorism (IT Act, 2008):  Any person who, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people,
1. denies or causes the denial of access to any person authorised to access a computer resource, or
2. attempts to penetrate or access a computer resource without authorisation or exceeding authorised access, or
3. introduces or causes to introduce any computer contaminant,
commits cyberterrorism. Whoever commits or conspires to commit cyberterrorism shall be punishable with imprisonment which may extend to imprisonment for life.

Section 67 Publishing of information which is obscene in electronic form:  As per Section 67, any person who publishes or transmits, or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest, or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, shall be punished on first conviction with imprisonment of either description for a term which may extend to 5 years and with fine which may extend to ₹100,000, and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to 10 years and also with fine which may extend to ₹200,000.

5.5 Cyber Appellate Tribunal

Establishment of Cyber Appellate Tribunal (Section 48)
1. The Central Government notifies and establishes appellate tribunals called Cyber Regulations Appellate Tribunal.
2. The Central Government also specifies in the notification all the matters and places which fall under the jurisdiction of the tribunal.

Appeal to Cyber Appellate Tribunal (Section 57)
1. Subject to the provisions of Subsection (2), a person not satisfied with the Controller's or Adjudicating Officer's order can appeal to the Cyber Appellate Tribunal having jurisdiction in the matter.
2. No appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.
3. The person filing the appeal must do so within 25 days from the date of receipt of the order from the Controller or Adjudicating Officer. Further, he must accompany the appeal with the prescribed fees. However, if the Tribunal is satisfied with the reasons behind the delay in filing the appeal, then it may entertain it even after the expiry of 25 days.
4. On receiving an appeal under Subsection (1), the Tribunal gives an opportunity to all the parties to the appeal to state their points before passing the order.
5. The Cyber Appellate Tribunal sends a copy of every order made to all the parties to the appeal and to the concerned Controller or adjudicating officer.
6. The Tribunal tries to deal expeditiously with the appeals received under Subsection (1). It also tries to dispose of the appeal finally within 6 months of receiving it.


Procedure and powers of the Cyber Appellate Tribunal (Section 58)
1. The Code of Civil Procedure, 1908 does not bind the Cyber Appellate Tribunal. However, the principles of natural justice guide it, and it is subject to the other provisions of the Act. The Tribunal has powers to regulate its own procedure.
2. In order to discharge its functions efficiently, the Tribunal has the same powers as are vested in a Civil Court under the Code of Civil Procedure, 1908, while trying a suit in the following matters:
(a) Summoning and enforcing the attendance of any person and examining him under oath.
(b) Ensuring the availability of the required documents or electronic records.
(c) Receiving evidence on affidavits.
(d) Issuing commissions for examining witnesses or documents.
(e) Reviewing its decisions.
(f) Dismissing an application for default or deciding it ex parte, etc.
Every proceeding before the Cyber Appellate Tribunal is a judicial proceeding within the meaning of Sections 193 and 228 and for the purposes of Section 196 of the Indian Penal Code. Further, the Tribunal is deemed to be a Civil Court for the purposes of Section 195 and Chapter XXVI of the Code of Criminal Procedure, 1973.

POINTS TO REMEMBER
Cyber offences are unlawful acts carried out in a very sophisticated manner, in which the computer is either the tool or the target, or both. Cybercrime usually includes the following:
1. Unauthorized access to computers.
2. Data diddling.
3. Virus/worm attacks.
4. Theft of computer systems.
5. Hacking.
6. Denial-of-service attacks.
7. Logic bombs.
8. Trojan attacks.
9. Internet time theft.
10. Web jacking.
11. Email bombing.
12. Salami attacks.
13. Physically damaging computer systems.

5.6 Information Technology Act, 2008 and Its Amendments

Some of the prominent features of the IT (Amendment) Act, 2008, are listed in the following:
1. Defines a 'communication device' as a mobile device or any other device used to communicate, send or transmit any text, video, audio or image.
2. Defines 'cybercafe' as any facility from where access to the Internet is offered by any person in the ordinary course of business to the members of the public.
3. Provides that any contract concluded electronically is not to be deemed unenforceable solely on the ground that the electronic form or means was used.
4. Makes amendments to the penalties and punishments of the IT Act, 2000.
5. Provides power to the law enforcement agencies to issue directions for interception, monitoring or decryption of any information through any computer resource.
6. Sections 66A to 66F have been added after Section 66, prescribing punishment for offences such as offensive electronic message transmissions, identity theft, cheating by impersonation using computer resources, violation of privacy and cyberterrorism.
7. Exempts intermediaries from liability for any third-party information, data or communication link made available or hosted by them or under them, if they are not involved in the crime.

POINTS TO REMEMBER
The Information Technology Amendment Act, 2008 was passed by the Indian Parliament in October 2008 and came into force in 2009. It was introduced to address the issues that were not covered in the IT Act, 2000. The amendments include the following:
1. Redefining terms such as 'communication device' to reflect current use.
2. Validating electronic signatures and contracts.
3. Making the owner of a given IP address responsible for the content accessed or distributed through it.
4. Making corporations responsible for implementing effective data security practices and liable for breaches.
These amendments are made in the following sections of the Information Technology Act, 2000:
1. Section 43 (data protection).
2. Section 66 (hacking).
3. Section 67 (protection against unauthorized access to data).
4. Section 69 (cyberterrorism).
5. Section 72 (privacy and confidentiality).



Summary

The Information Technology Act is the primary law related to IT in India. It is the law that deals with cybercrime and electronic commerce in India. In this chapter, we discussed the objectives and features of the Information Technology Act, 2000. It was later amended by the Information Technology (Amendment) Act, 2008, which strengthens the existing laws in India to deal with crimes committed using technology. The chapter discussed the various penalties, offences and adjudication under the Information Technology Act, 2000. It also discussed the Cyber Appellate Tribunal, established by the Act as a mechanism for hearing appeals under the Act. Finally, the chapter discussed the amendments to the Information Technology Act, 2000.


Review Questions

1. What is the Information Technology Act, 2000? Refer to Subsection 5.1.1.
2. Explain objectives and features of the IT Act, 2000. Refer to Subsection 5.1.2.
3. Explain the Information Technology Act, 2008 along with its features (amendments). Refer to Subsection 5.1.4.
4. Explain the penalties and adjudication under the IT Act, 2000. Refer to Section 5.3.
5. What are the offences under the Information Technology Act, 2000? Refer to Section 5.4.
6. How can an appeal be made under the IT Act, 2000? Refer to Section 5.4.
7. What is a Cyber Appellate Tribunal? Refer to Subsection 5.3.2.
8. Compare IT Act, 2000 and IT Act, 2008. Refer to Section 5.1.
9. Explain digital signature and electronic certificate under IT Act, 2000. Refer to Section 5.2.


Chapter 6 Information Security Standard Compliances

Learning Objectives
After reading this chapter, the reader will be able to
• Learn various types of security standards compliances.
• Describe the Sarbanes–Oxley Act and analyse its need in the Indian IT Act.
• Remember the Gramm–Leach–Bliley Act and the use of the act.
• Ensure the knowledge of the Health Insurance Portability and Accountability Act for data privacy and security provision of medical information.
• Reorganize ISO compliance in an internal code of conduct where employees follow the principles of one of the ISO standards, and be able to analyse the Federal Information Security Management Act (FISMA) for information security and protection programs.
• Learn the North American Electric Reliability Corporation (NERC) and assess payment card industry (PCI) compliance for the technical and operational standards that businesses must follow to ensure that credit card data provided by cardholders is protected.

Security is always excessive until it’s not enough. —Robbie Sinclair

6.1 Introduction

The Information Security Standard (ISS) provides the framework for government organizations to meet their goal of protecting government information and technology assets. The government should protect the confidentiality, integrity and availability of the public information assets in its care, so that citizens can trust the government's ability to maintain the privacy and security of their information. The Information Security Standard applies to all core government organizations. Contracted service providers conducting business on behalf of the government must comply with the Information Security Standard and the other IT standards. IT organizations need to be aware of the existing compliance laws that apply to their specific industries.


The term 'standard' is sometimes used within the context of information security standards to distinguish between written policies, standards and procedures. The Information Security Standard takes a risk-based approach to security, using Security Threat and Risk Assessments. Organizations should maintain all three levels of documentation to help secure their environment. Information security policies are high-level statements or rules about protecting people or systems. The information security standard helps to manage security risk and to implement security controls that meet legal and regulatory requirements. It recommends the adoption of best practices to achieve performance and cost benefits. Over the years, many standards have been developed for information security. The prominent ones are explained in this chapter.

6.1.1 Importance of Information Security Standards

Information is one of the most important organizational assets. For an organization, information is valuable and should be properly protected. Security combines systems, operations and internal controls to ensure the integrity and confidentiality of data and operating procedures in an organization. It protects the data the organization collects and uses. Information that remains unprotected can be accessed by anyone. If the information falls into the wrong hands, it can destroy lives and businesses, and can also be used to cause harm.

Standards can be compared with another category of documents, generally referred to as guidelines. Both standards and guidelines provide guidance aimed at improving cybersecurity, but guidelines usually lack the level of agreement and formality associated with standards. For example, many U.S. and international organizations and businesses have adopted NIST Special Publications as standards, even though those documents are published as guidelines for use by U.S. Federal agencies. Some organizations develop both standards and guidelines. For example, in addition to international standards, ISO/IEC issues several types of guidelines, including technical specifications, publicly available specifications (PAS) and technical reports, according to the ISO/IEC Directives.

6.1.2 Information Security Challenges

Nowadays, organizations have to deal with various information security risks.
1. The e-commerce requirements: E-commerce plays a very important role in the growth of industry. It is a faster method of doing business. As the trend of online transactions continues to grow, there will be an increase in the number of attacks against the security of online payment systems. Such attacks result in systems that are compromised and less protected, and in consumer privacy issues. Consumers may be at risk of losing their confidential data, since they may be unaware of the security aspects of performing online transactions. Therefore, it is very important to make the Internet safe for buying and selling products online. Global privacy consistency is required, as Internet usage is largely unregulated, which means that the laws in one country are not aligned with the laws in other countries. Information security standards help organizations to manage their information security requirements.
2. Information security attacks: There are 10 types of security attacks, as listed in the following:
(a) Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
(b) Man-in-the-middle (MitM) attack.
(c) Phishing and spear-phishing attacks.


(d) Drive-by attack.
(e) Password attack.
(f) SQL injection attack.
(g) Cross-site scripting (XSS) attack.
(h) Eavesdropping attack.
(i) Birthday attack.
(j) Malware attack.
3. Immature information security market: To be cyber 'immature' typically means that your company has
(a) no 'top-level' distinct cyber-defence organization;
(b) few or no professional INFOSEC or other security staff members and management;
(c) small or no cybersecurity defence operations;
(d) no industry-based governance, compliance and regulation program;
(e) no threat intelligence or similar data analysis function distinct from IT management;
(f) small or no cyber-defence budget.
4. Information security staff shortage: Without trained security staff, organizations cannot deploy the right controls or develop specific security processes to detect and prevent cyberattacks. On top of that, current employees face the challenge of an ever-shifting industry.
(a) The information security standard (ISS) provides the framework for security risk management.
(b) It has different standards for each purpose.

6.2 Sarbanes–Oxley Act (SOX)

The Sarbanes–Oxley Act (SOX) is an act of 2002 which is also commonly known as Sarbox. It is also called the 'Public Company Accounting Reform and Investor Protection Act' and the 'Corporate and Auditing Accountability, Responsibility and Transparency Act'. It is a United States federal law that applies to all publicly traded companies. Some provisions of the act also apply to privately held companies and to their auditing, board of directors, disclosures, improper trading and practices, wilful destruction of evidence to impede a federal investigation, etc. The act contains ten sections and came in response to financial scandals in companies such as Enron Corporation, Tyco International and WorldCom in the early 2000s.

SOX compliance is not just a legal necessity but also good business practice. Of course, companies should behave ethically and limit access to internal financial systems. However, implementing SOX financial security controls has the side benefit of also helping to protect the company from data theft by insider threat or cyberattack. SOX compliance can encompass many of the same practices as any data security initiative. The law also holds corporate management accountable, and this includes CEOs, CFOs, boards of directors, and the public accounting firms that may work with and conduct audits for public companies. Internal controls on financial reporting are a must for companies seeking higher standards of governance. These controls are important to protect the integrity of the data that builds the annual report and financial records. As information consultant Terumi Laskowsky says, 'Integrity means people are not able to tamper with the data and that it is accurate'. The Sarbanes–Oxley (SOX) Act of 2002 represents landmark legislation in the world of corporate compliance, securities and capital markets, and overall organizational governance.


6.2.1 Key Provisions of the Sarbanes–Oxley Act

Table 6.1 lists the key provisions of SOX.

Table 6.1  Key Provisions of SOX

SOX Section | Key Provision
Section 302 | Corporate responsibility for financial reports.
Section 401 | Disclosures in periodic reports.
Section 404 | Management assessment of internal controls.
Section 409 | Real-time issuer disclosures.
Section 802 | Criminal penalties for altering documents.
Section 806 | Protection for employees of publicly traded companies who provide evidence of fraud.
Section 902 | Attempts and conspiracies to commit fraud offences.
Section 906 | Corporate responsibility for financial reports.

SOX Section 302 Corporate responsibility for financial reports:  The principle of Section 302 of the Sarbanes–Oxley Act states that the CEO and CFO are directly responsible for the accuracy, documentation and submission of all financial reports, as well as the internal control structure, to the SEC.
1. Regulations required: The commission shall, by rule, require, for each company filing periodic reports under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of that act that
(a) the signing officer has reviewed the report;
(b) based on the officer's knowledge, the report does not contain any false statement of a material fact, or omit a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(c) based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
(d) the signing officers
• are responsible for establishing and maintaining internal controls;
• have established internal controls to ensure that material information relating to the issuer is made known to them from within those entities, particularly during the period in which the periodic report is prepared;

Cyber Security and Laws_Chpater 06.indd 194

10/6/2020 11:20:27 AM

• have evaluated the effectiveness of the issuer's internal controls as of a date before the report; and
• have presented in the report their conclusions about the effectiveness of their internal controls based on that evaluation.
(e) The signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)
• all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize and report financial data, and have identified for the issuer's auditors any material weaknesses in internal controls; and
• any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.
(f) The signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
2. Foreign reincorporations have no effect: Nothing in Section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under Section 302 by having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to a place outside the United States of America.

SOX Section 401 Disclosures in periodic reports: Section 401 of the Sarbanes–Oxley Act deals with financial statements and the requirement that they be accurate and presented in a manner that neither contains incorrect statements nor omits material information. Such financial statements must also include all material off-balance sheet liabilities, obligations and transactions. A direct excerpt from the Sarbanes–Oxley Act of 2002 for Section 401:
1. Disclosures required
(a) Accuracy of financial reports: Applies to each financial report that contains financial statements and that is required to be prepared in accordance with generally accepted accounting principles and the rules and regulations of the Commission.
(b) Off-balance sheet transactions: Not later than 180 days after the date of enactment of the Sarbanes–Oxley Act of 2002, the Commission shall issue final rules providing that each annual and quarterly financial report shall disclose all material off-balance sheet transactions, arrangements, obligations (including contingent obligations) and other relationships of the issuer with unconsolidated entities.
2. Commission rules on pro forma figures: The Commission shall issue final rules governing pro forma financial information included in any periodic or other report filed with the Commission pursuant to the securities laws.
3. Study and report on special purpose entities
(a) Study required: The Commission shall, not later than 1 year after the effective date of adoption of the off-balance sheet disclosure rules required by Section 13(j) of the Securities Exchange Act of 1934, as added by this section, complete a study of filings by issuers and their disclosures to determine
• the extent of off-balance sheet transactions, including assets, liabilities, leases, losses and the use of special purpose entities; and
• whether generally accepted accounting principles result in financial statements of issuers reflecting the economics of such off-balance sheet transactions to investors in a transparent fashion.
(b) Report and recommendations: Not later than 6 months after the date of completion of the study required by paragraph (a), the Commission shall submit a report to the President, the Committee on Banking, Housing and Urban Affairs of the Senate, and the Committee on Financial Services of the House of Representatives, setting forth
• the amount or an estimate of the amount of off-balance sheet transactions, including assets, liabilities, leases and losses of, and the use of special purpose entities by, issuers filing periodic reports pursuant to Section 13 or 15 of the Securities Exchange Act of 1934;
• the extent to which special purpose entities are used to facilitate off-balance sheet transactions;
• whether generally accepted accounting rules or the rules of the Commission result in financial statements of issuers reflecting the economics of such transactions to investors in a transparent fashion;
• whether generally accepted accounting principles specifically result in the consolidation of special purpose entities in cases where the issuer has the majority of the risks and rewards of the special purpose entity; and
• any recommendations of the Commission for improving the transparency and quality of reporting off-balance sheet transactions in the financial statements and disclosures required to be filed by an issuer with the Commission.

SOX Section 404 Management assessment of internal controls: Section 404 is the most complicated, most contested and most expensive to implement of all the Sarbanes–Oxley Act sections. All annual financial reports must include an Internal Control Report stating that management is responsible for an 'adequate' internal control structure, together with management's assessment of the effectiveness of that control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of management's assertion that internal accounting controls are in place, operational and effective. A direct excerpt from the Sarbanes–Oxley Act of 2002 for Section 404:

1. Rules required: The Commission shall prescribe rules requiring each annual report required by Section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall
(a) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(b) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
2. Internal control evaluation and reporting: With respect to the internal control assessment required by Subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.



SOX Section 409 Real-time issuer disclosures: The essence of Section 409 of the Sarbanes–Oxley Act is that companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations. A direct excerpt from the Sarbanes–Oxley Act of 2002 for Section 409: Section 13 of the Securities Exchange Act of 1934, as amended by this Act, is amended by adding at the end the following:
• Real time issuer disclosures: Each issuer reporting under Section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.



SOX Section 802 Criminal penalties for altering documents: Section 802 of the Sarbanes–Oxley Act imposes penalties of up to 20 years' imprisonment for altering, destroying, mutilating, concealing or falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation. This section also imposes penalties of up to 10 years on any accountant, auditor or other person who knowingly and wilfully violates the requirement to retain all audit or review working papers for a period of 5 years.



SOX Section 806 Protection for employees of publicly traded companies who provide evidence of fraud: Sarbanes–Oxley encourages the disclosure of corporate fraud by protecting employees of publicly traded companies or their subsidiaries who report illegal activities. Section 806 of the Sarbanes–Oxley Act authorizes the U.S. Department of Labor to act on whistleblower complaints against employers who retaliate, and further authorizes the Department of Justice to criminally charge those responsible for the retaliation. Under Section 806 of SOX, an employee engages in protected whistleblower conduct by providing information that he or she reasonably believes is a violation of
1. federal mail, wire, bank or securities fraud statutes;
2. federal law relating to fraud against shareholders; or
3. any rule or regulation of the Securities and Exchange Commission (SEC).
Section 806 of SOX extends its protection to any whistleblower who is an officer, employee, contractor, subcontractor or agent of
• a publicly traded company;
• a subsidiary of a publicly traded company; or
• a nationally recognized statistical rating organization (NRSRO).
Section 1107 of SOX makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer regarding a suspected federal offence.



SOX Section 902 Attempts and conspiracies to commit fraud offences: SOX 902 is listed under Title IX, which deals with white-collar crime penalty 'enhancements'. A direct excerpt from the Sarbanes–Oxley Act of 2002 for Section 902: (a) In General: Chapter 63 of title 18, United States Code, is amended by inserting after section 1348, as added by this Act, the following: Section 1349, Attempt and conspiracy. Any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense, the commission of which was the object of the attempt or conspiracy.



SOX Section 906 Corporate responsibility for financial reports: Section 906 addresses criminal penalties for certifying a misleading or fraudulent financial report. Under SOX 906, penalties can be as high as $5 million in fines and 20 years in prison. A direct excerpt from the Sarbanes–Oxley Act of 2002 for Section 906:
1. Certification of periodic financial reports: Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934 [15 U.S.C. 78m(a) or 78o(d)] shall be accompanied by a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.
2. Content: The statement required under Subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934 [15 U.S.C. 78m or 78o(d)] and that the information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.
3. Criminal penalties: Whoever (1) certifies any statement as set forth in Subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or (2) wilfully certifies any statement as set forth in Subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.

6.2.2 SOX Benefits to Organization See Fig. 6.1 depicting the benefits of SOX.

Figure 6.1 lists four benefits: risk triage, control structure strengthening, better audits and efficient financial reporting.

Figure 6.1  Benefits of SOX.

1. Risk triage: A risk vulnerability response model is one method of performing triage on a security vulnerability, regardless of vendor. Cisco recommends that customers examine the model, adapt it if necessary, and use it to decide the appropriate action for the security team or other affected teams in their organization. The model should be treated as an addition to other common best practices for vulnerability management. One element of this model is the impact of the vulnerability: Cisco provides a Security Impact Rating (SIR) that classifies vulnerabilities into four categories: (1) low, (2) medium, (3) high and (4) critical.
2. Control structure strengthening: With standard control frameworks, organizations strengthen their control structure and improve the link between controls and risk. This also streamlines the documentation and evaluation of control processes. Strengthening internal control yields more effective operations, more reliable financial reporting and industry-leading compliance programs.
3. Better audits: The enactment of SOX led to the establishment of the Public Company Accounting Oversight Board (PCAOB) for assessing the individual responsibility of auditors, executives and board members and for overseeing management's accounting choices. This enabled the audit to be an independent assurance function that confirms the operating effectiveness of an organization's risk management, governance and internal control processes. It narrowed the gap between the purpose of an audit and its fulfilment.
4. Efficient financial reporting: These sections are the most critical and also the most controversial because of the cost and effort involved. They require extensive testing of internal controls and certification of accuracy by management. This pushes organizations to make their financial reporting efficient, of better quality, centralized and automated. It also brings higher accountability for the recording of journal entries and public disclosures. As organizations thrive by creating value, the Sarbanes–Oxley Act is a significant partner in that effort. An effective SOX compliance process acts as a springboard to a more holistic good-governance practice, and technology gives the competitive edge to business operations.

6.3

Gramm–Leach–Bliley Act (GLBA)

GLBA is the Gramm–Leach–Bliley Act of 1999. Also called the Financial Modernization Act, it is a federal law that regulates financial institutions' use and disclosure of their customers' non-public personal information (NPI). GLBA defines NPI as 'any information received by a financial institution that is not public'; this refers to 'personally identifiable financial information'. GLBA compliance regulations include the Financial Privacy Rule and the Safeguards Rule, which protect the security and privacy of customer data. GLBA compliance is important for banks and insurance companies. The GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data by developing a written security plan under the Safeguards Rule. The GLBA primarily sought to 'modernize' financial services, that is, to end regulations that prevented the merger of banks, stock brokerage companies and insurance companies. The removal of these regulations, however, raised a significant risk that the new, merged financial institutions would have access to an enormous amount of personal information with no restrictions on its use. The act therefore requires organizations to disclose their privacy policies to their customers, which is why most people are familiar with it. It also applies to financial services such as credit reporting agencies, ATM operators, appraisers, couriers and tax preparers. It requires financial institutions to establish standards for protecting the security, integrity and confidentiality of their customers' NPI. NPI is any personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. Section 501(b) of the act specifies the objectives of the following standards:
1. The Financial Privacy Rule: It gives the Federal Trade Commission (FTC) a mandate to protect non-public information with administrative, technical and physical safeguards. It secures the privacy of customer information and records.

2. The Safeguards Rule: The FTC's rule specifies safeguards that are appropriate for the individual organization, allowing entities of different sizes to select controls that are cost-effective.
3. There are many federal regulators with overlapping jurisdiction in the financial sector. The Federal Financial Institutions Examination Council (FFIEC), a formal interagency body of federal regulators, provides guidance on GLBA compliance requirements to simplify the challenge of complying with them. Its members include the following:
(a) The Board of Governors of the Federal Reserve System (FRB): The Board of Governors is a seven-member body that governs the Federal Reserve System, the U.S. central bank in charge of making the country's monetary policy. It is an independent agency of the federal government. The Federal Reserve has a statutory mandate to pursue maximum employment and stable prices with moderate long-term interest rates, and the FRB chair and other officials frequently testify before Congress, but it makes monetary policy independently of the legislative and executive branches and is structured like a private corporation. The board structure was created to ensure its independence from politics. This independence allows the Federal Reserve to focus on long-term economic goals: it cannot be pressured to either raise or lower interest rates.
(b) The Federal Deposit Insurance Corporation (FDIC): The basic role of the FDIC is to prevent 'run on the bank' scenarios, which destroyed many banks during the Great Depression. For instance, when a bank was threatened with closure, small groups of worried customers rushed to withdraw their money. Once the fear spread, a stampede of customers trying to do the same ultimately left banks unable to honour withdrawal requests. Those who were first to withdraw their money from a troubled bank benefited, while those who waited risked losing their savings overnight. Before the FDIC, there was no guarantee of the safety of deposits beyond trust in the bank's stability.
(c) The National Credit Union Administration (NCUA): The NCUA is an agency of the United States federal government, created to supervise federal credit unions across the country. The NCUA runs the National Credit Union Share Insurance Fund (NCUSIF), one of the agency's most important responsibilities. The NCUSIF, backed by the full faith and credit of the United States government, insures the deposits at all federal credit unions. Most NCUA-insured institutions are federal and state-chartered credit unions and savings banks. Accounts insured at NCUA-insured institutions include savings accounts, share drafts (checking), money market accounts, share certificates (CDs), Individual Retirement Accounts and revocable trust accounts. The NCUA provides a host of information and outreach services and resources for credit unions and their members. These fall into several categories:
• Financial reports and disclosures: The NCUA issues regular financial performance reports and maintains a comprehensive digital database extending back to the mid-1990s.
• Resources for credit unions: The NCUA provides guidance and one-on-one help on a variety of issues affecting credit unions' day-to-day operations, for example, information technology and customer communications.

• Full-text regulations and bylaws: The NCUA maintains an extensive public database of the rules and regulations governing federal credit unions, for example, the Bank Secrecy Act, the Federal Credit Union Act and the various laws covering bank-to-credit-union conversions.
• MyCreditUnion.gov: MyCreditUnion.gov is a consumer portal with extensive educational content about credit unions, financial protection laws and other personal finance matters. The portal also hosts a searchable database of all federal credit unions and a separate educational portal called Pocket Cents, which offers online money lessons, articles and multimedia geared to specific ages and backgrounds (for example, 'teenagers' and 'service members').
(d) The Office of the Comptroller of the Currency (OCC): Established by the National Currency Act of 1863, the Office of the Comptroller of the Currency charters, regulates and supervises all national banks and federal savings associations in the United States. The OCC's goals are to ensure these institutions 'operate in a safe and sound manner', treat their customers fairly and provide fair access to financial services, in compliance with U.S. laws and regulations. The OCC is an independent bureau within the Department of the Treasury. Its mission statement affirms that it is to 'ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations.' Congress does not fund the Office of the Comptroller of the Currency. Rather, funding comes from national banks and federal savings associations, which pay for examinations and the processing of their corporate applications. The OCC also receives revenue from its investment income, which is primarily from U.S. Treasury securities.
(e) The Consumer Financial Protection Bureau (CFPB): The Bureau of Consumer Financial Protection (CFPB) is an independent bureau within the Federal Reserve System that equips consumers with the information they need to make financial decisions in the best interests of themselves and their families. The CFPB was created under the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd–Frank Act). The purpose of the CFPB is to promote fairness and transparency for mortgages, credit cards and other consumer financial products and services. The CFPB sets and enforces clear, consistent rules that allow banks and other consumer financial services providers to compete on a level playing field and that let consumers see clearly the costs and features of products and services. The CFPB added protections that require lenders to seriously consider a borrower's ability to repay a loan, as well as a requirement to give consumers 'know before you owe' disclosures that tell homebuyers how much they need to budget for their mortgage before they sign. As a result of these actions, home buyers have a much better understanding of how much they will end up paying.
(f) The representative of the State Liaison Committee (SLC): The SLC comprises five representatives of state banking and credit union agencies that supervise financial institutions.

Members are appointed by CSBS, ACSSS, NASCUS and the FFIEC. An SLC member may have their 2-year term extended by the appointing organization for an additional 2-year term.

6.3.1 Benefits of GLBA Compliance Following the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data. There are also several privacy and security benefits for customers that the GLBA Safeguards Rule requires, including the following:
1. Private data must be secured against unauthorized access.
2. Customers must be notified of private data sharing between financial institutions and third parties and can opt out of such sharing.
3. Customer activity must be tracked, including any attempts to access protected records.
Compliance with the GLBA protects consumer and customer records and therefore helps to build and strengthen consumer confidence and trust. Customers gain assurance that their data will be kept secure by the institution; safety and security build customer loyalty, resulting in a better reputation, repeat business and other benefits for financial institutions.

6.3.2 How GLBA Compliance Works The GLBA requires that financial institutions act to ensure the privacy and security of customers' 'non-public personal information', or NPI. Non-public personal information includes Social Security numbers, credit and income histories, credit and bank card account numbers, telephone numbers, addresses, names and any other personal customer information obtained by a financial institution that is not public. The Safeguards Rule states that financial institutions must create a written information security plan describing the program to protect their customers' data. The information security plan must be tailored specifically to the institution's size, operations and complexity, as well as to the sensitivity of the customers' data. According to the Safeguards Rule, covered financial institutions must
1. designate one or more employees to coordinate the information security program;
2. identify and assess the risks to customer information in each relevant area of the institution's operation and evaluate the effectiveness of the current safeguards for controlling these risks;
3. design and implement a safeguards program, and regularly monitor and test it;
4. select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards, and oversee their handling of customer information; and
5. evaluate and adjust the program in light of relevant circumstances, including changes in the institution's business or operations, or the results of security testing and monitoring.
In order to achieve GLBA compliance, the Safeguards Rule requires that financial institutions pay special attention to employee management and training, information systems, and security management in their information security plans and their implementation.

6.3.3 Steps to Compliance See Fig. 6.2 for the steps of compliance. Figure 6.2 lists ten steps: understand the regulation and how it applies to you; conduct a risk assessment; ensure effective controls are in place to mitigate risks; protect yourself from the insider threat; service providers need to be GLBA-compliant; confirm you're meeting the Privacy Rule requirements; update your DR and BCP plans; prepare a written information security plan; report to the board; review, revise and improve.

Figure 6.2  Steps of compliance.

1. Understand the regulation and how it applies to you
(a) Review the act, with help from your legal team where required, to make sure you understand its scope and how it applies to your organization. This may seem a basic first step, but it ensures you have a firm foundation for designing and implementing your compliance program.
(b) Use the review to identify the main implications that need to be considered in detail as you work through the remaining steps.
2. Conduct a risk assessment
(a) The objectives of the risk assessment are to inventory the systems used for handling NPI and to identify the threats and vulnerabilities that put the data at risk.
(b) External auditors testing compliance against GLBA will look for evidence of a robust risk assessment and the use of appropriate controls to mitigate the risks found, so this process is fundamental to your compliance program.
(c) The FFIEC Cybersecurity Assessment Tool can help plan and perform the risk assessment. Build an inventory of all systems that store, process or transmit NPI, for instance, mail servers, network devices, laptops and PCs. To decide whether a system is in scope, ask: if the system were breached, could customer data be stolen or changed? Be thorough and, if in doubt, include the system in the inventory so that nothing is missed.
(d) Each system should then be assessed for threats and vulnerabilities. There are various publicly available lists of vulnerabilities that provide useful input, and working groups drawn from business and IT teams are the best people to help with the assessment.
3. Ensure effective controls are in place to mitigate risks
(a) It is possible that your existing technical, physical and management controls will mitigate the risks found by the assessment, but more likely existing controls will need to be improved or new controls applied. Again, there are published lists of controls that can help you decide what is most appropriate.
(b) Auditors will expect to see evidence that every vulnerability and risk is matched with an appropriate control, so make it easy for them by creating a simple table, annotated with the reason for each choice.
(c) As an extra check, consider using a third party to perform network scans and penetration testing to measure control effectiveness.
4. Protect yourself from the insider threat
(a) The insider threat, employees who accidentally or maliciously compromise the organization, is the biggest threat to most organizations and deserves extra attention when developing your compliance program.
(b) Use pre-employment screening to filter out security risks, and employment contracts should put the onus on employees to follow security policies and procedures.
(c) Role-based security restricts NPI use to those who need it and can be changed easily if an employee changes role or leaves the organization.
(d) There should be regular awareness communications and a training program to reinforce security policies and keep up to date with new threats. Since GLBA requires action to prevent pretexting, this can be built into the training program using modules that focus on social engineering, BEC and similar kinds of threat.
(e) Tools such as InfoSec Institute's SecurityIQ make the process of organizing and delivering training straightforward. You can create customized training plans, run phishing simulations, link learner assessment tools to training plans and monitor progress across the organization using customizable dashboards.
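Step 4(c) above (role-based restriction of NPI to those who need it, revoked when an employee changes role or leaves) and the tracking requirement in Section 6.3.1 (customer activity, including attempts to access protected records, must be tracked) can be shown together in code. The following Python example is added here for this chapter; it is not code from GLBA, the FFIEC, SecurityIQ or any other product. The role names, the NPI field names, the user table and the single customer record are assumptions constructed for the demonstration.

```python
"""Added example: a role-based gateway in front of NPI with an audit trail.

Illustrative code written for this chapter, not part of GLBA or any product.
Role names, field names, the user table and the sample record are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The NPI fields a customer record can hold (assumption for the example).
NPI_FIELDS = ("ssn", "account_number", "credit_history", "phone", "address")

# Least-privilege policy: each role sees only the fields its job needs.
ROLE_PERMISSIONS = {
    "loan_officer": {"credit_history", "phone", "address"},
    "teller": {"account_number", "phone"},
    "marketing": set(),  # no NPI at all
    "fraud_analyst": set(NPI_FIELDS),
}

# Constructed sample data: one customer record and a user-to-role table.
SAMPLE_RECORDS = {
    "C-1001": {
        "ssn": "123-45-6789",
        "account_number": "9876543210",
        "credit_history": "no delinquencies, 2 open lines",
        "phone": "+1-555-0100",
        "address": "1 Example St, Springfield",
    }
}
SAMPLE_USERS = {"alice": "loan_officer", "bob": "teller", "carol": "marketing"}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    customer_id: str
    field_name: str
    outcome: str  # "granted" or "denied"


@dataclass
class NpiGateway:
    records: dict
    user_roles: dict
    audit_log: list = field(default_factory=list)

    def set_role(self, user, role):
        """Role change or departure: role=None removes every NPI right."""
        if role is not None and role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles[user] = role

    def read_field(self, user, customer_id, field_name):
        """Return one NPI field if the user's role permits it; log either way."""
        role = self.user_roles.get(user)
        allowed = field_name in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=str(role), customer_id=customer_id,
            field_name=field_name, outcome="granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {field_name}")
        return self.records[customer_id][field_name]

    def customer_view(self, user, customer_id):
        """The record with permitted fields in clear and the rest masked.
        Every field, masked or not, leaves a trace in the audit log."""
        view = {}
        for name in NPI_FIELDS:
            try:
                view[name] = self.read_field(user, customer_id, name)
            except PermissionError:
                view[name] = "***"
        return view

    def denied_attempts(self, user=None):
        """Denied reads, optionally for one user: the 'attempts to access
        protected records' that Section 6.3.1 says must be tracked."""
        return [e for e in self.audit_log
                if e.outcome == "denied" and (user is None or e.user == user)]


def demo():
    """Teller view, the same view after the teller leaves, and the denied count."""
    gw = NpiGateway(dict(SAMPLE_RECORDS), dict(SAMPLE_USERS))
    teller_view = gw.customer_view("bob", "C-1001")    # account + phone only
    gw.set_role("bob", None)                            # bob leaves the bank
    after_leaving = gw.customer_view("bob", "C-1001")   # everything masked
    return teller_view, after_leaving, len(gw.denied_attempts("bob"))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the block prints a teller's view of the record (account number and phone in clear, everything else masked), the same view after the teller's role is removed, and the number of denied reads recorded against that user; the audit log is what an examiner would ask for when checking that access attempts are tracked. A real deployment would write the log to append-only storage and look up roles from the identity provider rather than an in-memory table.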

6.3.4 Requirements of GLBA 1. The top information protection requirements of GLBA: The Gramm–Leach–Bliley Act established several significant requirements to govern the collection, disclosure and protection of consumers' non-public personal information (NPI), or personally identifiable information.
• Financial Privacy Rule: This rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how it is used and how it is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act. The unaffiliated parties receiving the non-public information are held to the terms the consumer accepted under the original relationship agreement.
• Safeguards Rule: This rule requires financial institutions to develop a written information security plan describing their processes and procedures for protecting customers' NPI. Covered entities must conduct a thorough risk analysis of every department handling non-public information, and develop, monitor and test a program to secure that information. If there are changes in how information is collected, stored and used, the safeguards must be updated as well. The federal government provides a set of guidelines for protecting customer information.

Cyber Security and Laws_Chpater 06.indd 205

10/6/2020 11:20:29 AM

206 

•

Chapter 6/Information Security Standard Compliances

2. Security and encryption requirements for GLBA: Section 501 of the GLBA, 'Protection of Nonpublic Personal Information', requires financial institutions to establish appropriate standards relating to the administrative, technical and physical safeguards of customer records and information. The scope of these safeguards is defined in the GLBA Data Protection Rule, which states that financial institutions must:
(a) Ensure the security and confidentiality of customer information
(b) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
(c) Protect against unauthorized access to, or use of, such information that would result in substantial harm or inconvenience to any customer.
Numerous federal agencies regulate financial institutions, and the Federal Financial Institutions Examination Council (FFIEC) designs and oversees audits for most of them. The FFIEC publishes the IT Examination Handbook, which gives guidance on the IT security controls that can or should be used to protect non-public information under GLBA. According to the IT Examination Handbook, financial institutions should use encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and in transit. Encryption implementations should include the following:
1. Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk.
2. Effective key management practices.
3. Robust reliability.
4. Appropriate protection of the encrypted communication's endpoints.

POINTS TO REMEMBER
1. The GLBA is used to secure personal, that is, non-public, information.
2. Data is secured by companies and customers according to their requirements.

6.4 Health Insurance Portability and Accountability Act (HIPAA)

These days, all information in a patient's medical record is private. In most cases, it is illegal to show this private information to anyone without that patient's permission. However, medical records were not always private. In the past, employers could use medical records as a basis for refusing to hire an individual or for terminating employment. Also, insurance companies could access medical records and use the information for financial gain. The Health Insurance Portability and Accountability Act of 1996 is also called the Kennedy–Kassebaum Act. It was created to modernize the flow of healthcare information and stipulate a way in which Personally Identifiable Information could be maintained by the healthcare and healthcare insurance sector. In general, HIPAA applies to organizations that deal with healthcare, medical records, insurance, or any medical-related business. The Health Insurance Portability and Accountability Act is designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers. It reduces health care fraud and abuse. It provides the ability to transfer and continue health insurance coverage for millions of workers and their families when they change or lose their jobs. The Security Rule means that any covered entity must maintain the appropriate technical, physical and administrative safeguards established for protecting personal information.

6.4.1 How HIPAA Works
Congress enacted HIPAA to improve efficiency in healthcare, eliminate wastage and ensure that health information that can be linked to an individual, and would allow them to be identified, is protected and kept private and confidential. HIPAA introduced a set of new standards for healthcare organizations to follow to ensure everyone was singing from the same hymn sheet. Standard codes and identifiers were created to make health information exchange easier, and healthcare providers, health insurers and their business associates were required to use the same codes for electronic transactions to ensure data could be exchanged efficiently. This saved a great deal of time and effort and resulted in substantial cost savings. HIPAA specified the permissible uses and disclosures of health data, limiting who is permitted to access health data and under what conditions. HIPAA gave Americans the right to obtain copies of their health information, to check their health records for mistakes and to share their records with whomever they wish. HIPAA also set standards for securing health information to make it harder for health data to be accessed by people who had no right to see the data.
6.4.2 HIPAA Rules
Figure 6.3 depicts HIPAA rules.

Figure 6.3 HIPAA rules: Privacy, Security, Enforcement, Unique identifiers, Transactions and code sets.


The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Doctors are entrusted with some of the most intimate and personal information in a patient's lifetime – financial and identity information as well as health information. Patients expect that information to be kept private. When that trust is breached, the consequences for the healthcare organization can be devastating. The HIPAA Privacy Rule was issued by the United States Department of Health and Human Services to limit the use and disclosure of individually identifiable information that relates to a patient or consumer of healthcare services. This information is called protected health information (PHI). The rule was created to protect patients' privacy. Under HIPAA, a covered entity (CE) must make reasonable efforts to use, disclose and request only the minimum necessary amount of PHI required for a particular task. The Privacy Rule also gives patients rights over their health information and the right to access their own medical records.
The HIPAA Security Rule
The HIPAA Security Rule requires covered entities to implement security measures to protect ePHI. Patient health information needs to be available to authorized users, but not improperly accessed or used.
There are three types of safeguards that need to be implemented, listed as follows (Fig. 6.4):
(a) Administrative safeguard.
(b) Physical safeguard.
(c) Technical safeguard.

Figure 6.4 Types of safeguards: Administrative, Physical, Technical.

1. Administrative safeguard: Administrative safeguards are the policies and procedures that help protect against an infraction. They determine documentation processes, roles and responsibilities, training requirements, data maintenance policies and more. The administrative safeguards make up half of the HIPAA security requirements. Administrative safeguards require an evaluation of the security controls already in place as well as an accurate and thorough risk analysis. HIPAA administrative safeguards are broken down into several main aspects, listed as follows:
(a) Security management process.
(b) Assigned security responsibility.
(c) Workforce security.
(d) Information access management.
(e) Security awareness and training.
(f) Security incident procedures.
(g) Contingency plan.
(h) Evaluation.
(i) Business associate contracts and other arrangements.
2. Physical safeguard: The Security Rule defines physical safeguards as 'physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion' (HHS, 2007). The standards are another line of defence (adding to the Security Rule's administrative and technical safeguards) for protecting EPHI. The main areas of the physical safeguard requirements are as follows:
(a) Facility access controls.
(b) Workstation use.
(c) Workstation security.
(d) Device and media controls.
3. Technical safeguard: Technical safeguards define access controls, data in motion and data at rest requirements. A covered entity must implement technical policies and procedures for computing systems that maintain PHI data to restrict access to only those persons that have been granted access rights. Technical safeguards are the technology and related policies and procedures that protect electronic protected health information (EPHI) and control access to it.

The HIPAA Transactions and Code Sets Rule
HIPAA was created to improve healthcare system efficiency by standardizing healthcare transactions. HIPAA added a new Part C titled 'Administrative Simplification' that simplifies healthcare transactions by requiring health plans to standardize healthcare transactions – for instance, medical providers who file for reimbursements electronically have to file their electronic claims using HIPAA standards in order to be paid.
The HIPAA Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA covered entities, such as providers completing electronic transactions, healthcare clearinghouses and large health plans, must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions. The NPI replaces all other identifiers used by health plans, Medicare, Medicaid and other government programs. The NPI does not replace a provider's DEA number, state license number or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit a checksum. The NPI cannot contain any embedded intelligence; the NPI is a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and, with the exception of institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different sub-parts, for example a free-standing surgery or wound care center.
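As an added example (not code from the textbook), the check-digit rule just described can be verified programmatically. It uses the Luhn formula with the fixed prefix 80840 that CMS publishes for NPI check digits, handles only all-numeric NPIs, and the sample values are constructed for illustration.

```python
"""Validate the check digit of a National Provider Identifier (NPI).

Added example, not from the textbook. The NPI check digit is the Luhn
check digit computed over the card-issuer prefix 80840 followed by the
first nine digits of the NPI (the scheme CMS publishes). Only numeric
NPIs are handled here; sample values are constructed.
"""

NPI_PREFIX = "80840"  # constant prefix CMS prepends before applying Luhn


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total


def npi_check_digit(first_nine: str) -> int:
    """Check digit that makes NPI_PREFIX + first_nine + digit Luhn-valid."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected the first nine decimal digits of an NPI")
    # Appending a placeholder 0 puts the real digits in the positions they
    # occupy once the check digit is present, so the sum lines up.
    partial = luhn_sum(NPI_PREFIX + first_nine + "0")
    return (10 - partial % 10) % 10


def npi_is_valid(npi: str) -> bool:
    """True if npi is ten decimal digits whose last digit is the correct checksum."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


def invalid_npis(records) -> list:
    """Audit helper: claim records (constructed dicts) whose 'npi' field fails the check."""
    return [r for r in records if not npi_is_valid(str(r.get("npi", "")))]
```

A failed check does not prove the NPI is unassigned, only that it was mistyped or corrupted; a passing check still has to be matched against the NPI registry.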

The HIPAA Enforcement Rule
• The Enforcement Rule sets civil monetary penalties for violating HIPAA rules.
• It establishes procedures for investigations and hearings for HIPAA violations.
• The U.S. Department of Health and Human Services has investigated more than 20,000 cases, resolved by requiring changes in privacy practice or by corrective action.
• If non-compliance is determined, entities must apply corrective measures.
• Complaints have been investigated against pharmacy chains, major healthcare centers, insurance groups, hospital chains and small providers.
6.4.3 HIPAA Key IT Requirements
1. Organizations need to conduct an initial risk assessment, periodic reviews and re-assessments.
2. An organization should have policies for the use of the Internet, various systems (laptops and servers), and reusable storage media (USB drives, CDs/DVDs) along with their reuse and disposal plan.
3. Every covered entity and business associate who accesses PHI must ensure technical, physical and administrative safeguards are in place and addressed, which supports the HIPAA Privacy Rule in protecting the integrity of PHI.
4. Organizations need to have incident handling policies and written security policies.
5. Organizations should have audit controls, including unique user identifiers, for authenticating users.
6. Organizations should implement termination policies and procedures.
POINTS TO REMEMBER
1. HIPAA is used for security of the medical information of any patient with respect to the organization.
2. The data of any patient includes medical status as well as personal information, which is authorized by the respective organization.

6.5 Federal Information Security Management Act (FISMA)

6.5.1 Introduction
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to consolidate information security systems. It requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.


According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, modification or destruction in order to provide integrity, confidentiality and availability. The FISMA Implementation Project was established to produce the key security standards and guidelines required by Congressional legislation. This suite of publications provides organizations the guidance necessary to develop, implement and maintain organization-wide, risk-based security and privacy programs. FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires the head of each agency to conduct annual reviews of information security programs, to keep risks at or below specified acceptable levels in an efficient manner. FISMA is one of the most important regulations for federal data security standards. It was introduced to reduce the security risk to federal information and to manage federal information. The scope of FISMA has since increased to include state agencies administering federal programs.

6.5.2 Requirements of FISMA
1. Information system inventory: Every federal agency must keep an inventory of all the information systems utilized within the organization. The organization must identify the integration between these information systems and other systems within their networks. This includes systems within an agency's encrypted cloud. NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, gives guidance on determining system boundaries.
2. Categorize the information according to risk level: Organizations must categorize information in order to ensure that sensitive information is given the highest level of security. The standards for security categorization of federal information define a range of risk levels within which organizations can place their various information systems. All agency data and IT systems must be categorized according to risk – low, moderate or high. A low-impact system is generally informational and does not contain sensitive information that requires safeguarding. A moderate-impact system may contain such information and will require a greater degree of safeguarding. A high-impact system contains information where it has been determined that a loss or compromise of such information would present a grave risk to the U.S. Government. An agency's encrypted cloud environment must be categorized as well. The National Institute of Standards and Technology (NIST) provides guidelines in NIST SP 800-60, 'Guide for Mapping Types of Information and Information Systems to Security Categories'.
3. Maintain system security plan: Agencies create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls, security policies and the timetable for introduction of further controls. All agencies must develop and maintain a plan – officially known as a System Security Plan, or SSP – which defines how the agency will implement security controls. The SSP must be updated regularly and include a Plan of Action and Milestones (POA&M).
4. Implementation of security controls: NIST defines minimum federal security requirements in the FIPS 200 'Minimum Security Requirements for Federal Information and Information Systems' document. Agencies first select the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, 'Recommended Security Controls for Federal Information Systems', based on mission requirements. Agencies then document those security controls in the SSP and apply them accordingly.


5. Conduct risk assessment: This is a key element of FISMA's information security assessment. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level and the information system level. During this risk assessment, agencies also determine whether additional controls are necessary to provide extra protection for any information or IT systems.
6. Certification and Accreditation: To achieve FISMA Certification and Accreditation, agencies go through a four-phase process which includes initiation and planning, certification, accreditation and continuous monitoring. This ensures risks are kept at a minimum level. Once this certification is complete, the information system is 'accredited'. The certification and accreditation process is defined in NIST SP 800-37, 'Guide for the Security Certification and Accreditation of Federal Information Systems'.
7. Conduct Continuous Monitoring: Agencies must monitor systems to detect abnormalities, and perform security impact analyses, ongoing assessment of security controls, status reporting, etc. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls and status reporting. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved.
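The categorization in step 2 above is a mechanical rule once the information types are known, so here it is as an added example (not the textbook's or NIST's code). It applies the FIPS 199 'high-water mark': a system takes, for each security objective, the highest impact level of any information type it holds, and its overall level is the highest across the three objectives. The information types and their impact levels are constructed assumptions, not values from SP 800-60.

```python
"""Security categorization of a federal information system (FISMA step 2).

Added example, not from the textbook. Implements the FIPS 199 high-water
mark rule over a constructed set of information types; a real agency takes
the provisional impact levels from its own SP 800-60 mapping.
"""
from typing import Dict, Iterable

LEVELS = ("LOW", "MODERATE", "HIGH")        # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed provisional impact levels per information type (assumed values).
INFO_TYPES: Dict[str, Dict[str, str]] = {
    "public web content": {
        "confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
    "personnel records": {
        "confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "investigation case files": {
        "confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
}


def highest(levels: Iterable[str]) -> str:
    """The high-water mark: the highest FIPS 199 level in the collection."""
    return max(levels, key=LEVELS.index)   # ValueError on an unknown level name


def categorize_system(info_types: Iterable[str]) -> Dict[str, str]:
    """Per-objective security category of a system holding the given information types."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must carry at least one information type")
    return {obj: highest(INFO_TYPES[t][obj] for t in types) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, str]) -> str:
    """Overall impact level that drives the FIPS 200 / SP 800-53 baseline choice (step 4)."""
    return highest(category[obj] for obj in OBJECTIVES)


def sc_label(category: Dict[str, str]) -> str:
    """Category written in the FIPS 199 notation used in a System Security Plan."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


def adjust_objective(category: Dict[str, str], objective: str,
                     new_level: str, justification: str) -> Dict[str, str]:
    """Return an adjusted copy; lowering a provisional level needs a written rationale."""
    if objective not in OBJECTIVES or new_level not in LEVELS:
        raise ValueError("unknown objective or level")
    lowering = LEVELS.index(new_level) < LEVELS.index(category[objective])
    if lowering and not justification.strip():
        raise ValueError("lowering a provisional impact level requires a documented justification")
    adjusted = dict(category)
    adjusted[objective] = new_level
    return adjusted
```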

6.5.3 Benefits of FISMA
FISMA compliance has increased the security of sensitive federal information. Agencies can eliminate vulnerabilities in a time- and cost-effective manner. Maintaining compliance with the Federal Information Security Management Act (FISMA) is essential for government agencies or private contractors that deal with those agencies. Since its formal adoption in 2003, FISMA has helped protect critical systems and information. Although FISMA compliance is mandatory for some, it brings with it several distinct advantages. In this section, we break down what FISMA is, what the requirements of FISMA are, FISMA standards, and what benefits compliance with FISMA brings for covered entities. This information can help inform organizational decisions regarding whether obtaining, or maintaining, FISMA compliance can be advantageous to your organization and its cybersecurity arrangements.
6.5.4 FISMA Penalties
The penalties for non-compliance with FISMA depend on whether it is the government agency or a contractor that has failed the audit. If a government agency receives a low FISMA score, the penalties will include censure and loss of employment for various agency employees. If a partner (a private business) fails to comply, the most common penalties are the loss of federal funding and being barred from entering any future government contracts.
6.5.5 Best Practices for FISMA
At a more granular level, companies that implement these best practice steps will move closer to achieving FISMA compliance:


1. Start by classifying, at its most granular level, the data that needs protecting. Beginning at the most basic level lets you build up security layers as you add measures related to subsequent layers of the company.
2. Identify suitable baseline controls that will provide the minimum necessary standard of security.
3. Use a risk assessment methodology to fine-tune the security controls, based on how the enterprise uses, stores, manages or transmits that particular information.
4. Document the controls as they evolve. Recording the choices made throughout the process gives a guide that can be used to explain and justify the control-selection process.
5. Implement the controls throughout the system. In many organizations, this process becomes an 'implement-test-revise' loop as practical considerations further refine the security strategy.
6. Review the organization-level data risks that do not show up at the granular level. Understanding how data management affects the organization's mission helps identify where additional security measures are required.
7. Validate the security system for whole-enterprise use. Again, this usually requires the 'implement-test-revise' loop before a truly effective system is in place.
8. Implement monitoring practices to maintain vigilance over the security system as it interacts with workers, contractors and other organizations.
If your company requires FISMA compliance, you can use the services of a managed IT provider to help you both attain and retain that highest standard of data security management.

POINTS TO REMEMBER 1. FISMA protects data from other agencies. 2. Data can be accessed by federal government agencies and owners only

6.6 The North American Electric Reliability Corporation (NERC)

The North American Electric Reliability Corporation (NERC) was formed on March 28, 2006 to govern and regulate the reliability of the North American bulk power systems. NERC is a self-regulatory organization and has been designated as the National Electric Reliability Organization (ERO) by the U.S. Federal Energy Regulatory Commission (FERC). FERC has granted NERC the legal authority to enforce reliability standards with all users, owners and operators of the bulk power system in the United States of America, Canada and Mexico, in order to fulfil its security standards. The key terms defined by NERC are as follows:
1. Bulk electric system (BES): The electrical generation resources, transmission lines, interconnections with neighbouring systems and associated equipment, generally operated at voltages of 100 kV or higher. Securing the BES is the primary focus of the NERC CIPs.
2. Critical assets: Facilities, systems and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the BES. Examples of critical assets include generating plants, major transmission substations and system control centers.


3. Critical cyber assets (CCAs): Programmable electronic devices and communication networks, including hardware, software and data, that are essential to the reliable operation of critical assets.
In order to be compliant with the security requirements, FERC approved the critical infrastructure protection cybersecurity standards called NERC Critical Infrastructure Protection (NERC-CIP). NERC-CIP is a set of standards that specifies the minimum security requirements for BESs. The standards are organized by topic as follows:
1. CIP-001: Sabotage reporting.
2. CIP-002: Critical cyber asset identification.
3. CIP-003: Security management controls.
4. CIP-004: Personnel and training.
5. CIP-005: Electronic security perimeters.
6. CIP-006: Physical security of critical cyber assets.
7. CIP-007: Systems security management.
8. CIP-008: Incident reporting and response planning.
9. CIP-009: Recovery plans for critical cyber assets.
NERC Standards CIP-002 through CIP-009 provide a cybersecurity framework for the identification and protection of critical cyber assets to support the reliable operation of the BES. NERC applies to companies that generate, provide or transmit energy.
1. NERC is subject to Federal Energy Regulatory Commission (FERC) mandates and control. The Nuclear Regulatory Commission (NRC) is the related commission for nuclear power.
2. The primary focus of NERC is on SCADA, which stands for supervisory control and data acquisition devices and systems.
3. Most IT-related policies are found in the Critical Infrastructure Protection (CIP) Standards.
4. Standard CIP-002 requires identification and documentation of the critical cyber assets associated with the critical assets and outlines the key controls relating to IT.
5. A key special issue addressed in NERC is the requirement to monitor log devices with no gap exceeding 7 days. This can be a critical audit finding with serious repercussions.
6. Yearly audits of assets, policies and procedures are mandated.

6.6.1 NERC Key IT Requirements
1. Electronic security (CIP-002, CIP-003, CIP-005, CIP-007, CIP-009): Under these standards, utilities must (a) maintain an inventory of all devices that are either part of the critical assets list or necessary to the operation of critical assets; (b) protect access to these critical cyber assets on a need-to-know basis; (c) create an electronic security perimeter that prevents unauthorized users from accessing any critical cyber asset, whether they are outside or inside the corporate network; (d) ensure that all electronic cyber assets are secured by means of user account management, hardware and password management, and secure network administration practices; (e) implement and test a critical cyber asset recovery plan.


2. Personnel security, training and awareness (CIP-004)
(a) Every individual who accesses critical cyber assets, including the utility's personnel, contractors and vendors, must be screened to assess the risk that the individual poses to security.
(b) Every individual who has access to critical cyber assets, including utility personnel, contractors and vendors, must be trained in cybersecurity.
3. Physical security (CIP-006): Utilities must ensure the physical security of all critical cyber assets by (a) ensuring that there is a physical security perimeter around all critical cyber assets; (b) identifying and controlling all physical access points to critical cyber assets; (c) maintaining an access log for all critical cyber assets using manual, electronic and video logging.
4. Recovery plans (CIP-009): CIP standards make a recovery plan mandatory. The plan must include the following: (a) Backup strategies; (b) Data restoration strategies; (c) Spare parts and equipment.
5. Audits and documentation (all CIP standards)
(a) All CIP standards make it mandatory to document and review all procedures and policies every year.
(b) NERC will audit compliance on all the standards on a schedule provided by the organisation.

6.7 PCI (Payment Card Industry) Compliance

1. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card data maintain a secure environment.
2. The Payment Card Industry Security Standards Council was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry security standards, with an emphasis on improving payment account security throughout the transaction process.
3. The PCI DSS is administered and managed by the PCI SSC, an independent body that was created by the major payment card brands (Visa Card, MasterCard, American Express Card). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
4. The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

6.7.1 Goals of PCI
1. Building and maintaining a secure network
(a) Install and maintain a firewall configuration to protect cardholder data: Companies must create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data. Your hosting provider should have firewalls in place to protect and create a secure, private network.

(b) Do not use vendor-supplied defaults for system passwords and other security parameters: This means creating, maintaining and updating your system passwords with unique and secure passwords created by your company – not ones that a software vendor may already have in place when purchased.
2. Protect cardholder data
(a) Protect stored data: This requirement only applies to companies that store cardholder data. Specifically, companies that do not automatically store cardholder data are already avoiding a potential data security breach often targeted by identity thieves. A PCI compliant hosting provider should provide multiple layers of defence and a secure data protection model that combines physical and virtual security methods. Virtual security includes authorization, authentication, passwords and so on. Physical security includes restricted access and server storage and networking cabinet locks, according to PCWorld.com.
(b) Encrypt transmission of cardholder data across open, public networks: Encrypted data is unreadable and unusable to a system intruder without the proper cryptographic keys, according to the PCI Security Standards Council. Cryptographic keys are used in the process in which plaintext, like the words seen here, is transformed into ciphertext. Ciphertext contains information unreadable to those without the cipher or the specific algorithm that can decode the text. As an additional security measure, sensitive authentication data, including card validation codes or PINs, should never be stored after authorization, even if this data is encrypted.
3. Maintain a vulnerability management program
(a) Use and regularly update anti-virus software: Anti-virus software should be frequently updated to protect against the most recently developed malware. If your data is being hosted on outsourced servers, a managed server provider is responsible for maintaining a safe environment, including generating audit logs.
(b) Develop and maintain secure systems and applications: This includes discovering newly identified security vulnerabilities via alert systems. Your PCI compliant hosting provider should monitor and update their systems to address any security vulnerabilities.
4. Implement strong access control measures
(a) Restrict access to cardholder data by business need-to-know: Limiting the number of people who have access to cardholder data will reduce the chances of a security breach.
(b) Assign a unique ID to each person with computer access: User accounts with access should follow best practices including password encryption, authorization, authentication, regular password updates, login time limits, etc.
(c) Restrict physical access to cardholder data: If your data is hosted in an off-site data center, your data center provider should limit personnel access to the sensitive data. PCI compliant data centers should have full monitoring, including surveillance cameras and entry authentication, to ensure a secure and PCI compliant hosting environment.
5. Implement strong access control measures
• Track and monitor all access to network resources and cardholder data: Logging systems that track user activity and stored files can help your hosting provider pinpoint the cause in the event of a security breach or other issue.

Cyber Security and Laws_Chpater 06.indd 216

10/6/2020 11:20:31 AM


• Regularly test security systems and processes: With regular monitoring and testing procedures in place, your data hosting provider should be able to assure you that your customers' cardholder data is protected at all times.

6. Maintain an information security policy
(a) Maintain a policy that addresses information security: This policy should cover all acceptable uses of technology, reviews and annual procedures for risk analysis, operational security procedures and other general administrative tasks.
(b) If you are choosing a data hosting provider, request documentation of the procedures that ensure the 12 PCI compliance requirements can be met.

6.7.2 Payment Card Industry Security Standards Council (PCI SSC)

The Payment Card Industry Security Standards Council (PCI SSC) was originally formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa, Inc. It was formed in response to an increase in data security breaches leading to losses for the credit card companies and putting customers at risk. PCI SSC is an open global forum responsible for developing and managing the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard. It is also responsible for education and awareness efforts related to the standards.

6.7.3 The Payment Card Industry Data Security Standard (PCI DSS)

The PCI Council formed the Payment Card Industry Data Security Standard (PCI DSS) in 2004. It is a widely accepted set of policies and procedures intended to enhance the security of credit, debit and cash card transactions and protect cardholders against the misuse of their personal information. The standard comprises 12 major requirements including various sub-requirements, which further contain numerous directives. Organizations can measure their own payment card security policies, procedures and guidelines against the following mandates:

1. Installing and maintaining a firewall configuration to protect cardholder data. The purpose of a firewall is to examine all network traffic and block untrusted networks from accessing the system.
2. Changing vendor-supplied defaults for system passwords and other security parameters. These passwords are easily discovered through public information and can be used by malicious individuals to gain unauthorized access to systems.
3. Protecting stored cardholder data. Encryption, hashing, masking and truncation are methods used to protect cardholder data.
4. Encrypting transmission of cardholder data across open, public networks. Strong encryption, including the use of only trusted keys and certificates, reduces the risk of being targeted by malicious individuals through hacking.
5. Protecting all systems against malware and performing regular updates of anti-virus software. Malware can enter a network through various means, including Internet use, employee e-mail, mobile devices or storage devices. Up-to-date anti-virus software or supplemental anti-malware software will reduce the risk of exploitation through malware.
6. Developing and maintaining secure systems and applications. Vulnerabilities in systems and applications allow unscrupulous individuals to gain privileged access. Security patches should be promptly installed to fix vulnerabilities and prevent exploitation and compromise of cardholder data.
7. Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a 'need to know' basis.
8. Identifying and authenticating access to system components. Each person with access to system components should be assigned a unique identification (ID) that allows accountability of access to critical data systems.
9. Restricting physical access to cardholder data. Physical access to cardholder data or systems that hold this data must be secured to prevent unauthorized access or removal of data.
10. Tracking and monitoring all access to cardholder data and network resources. Logging mechanisms should be in place to track user activities that are critical to prevent, detect or minimize the impact of data compromises.
11. Testing security systems and processes regularly. New vulnerabilities are continually discovered. Systems, processes and software should be tested frequently to uncover vulnerabilities that could be used by malicious individuals.
12. Maintaining an information security policy for all personnel. A strong security policy includes making personnel understand the sensitivity of data and their responsibility to protect it.

The 12 requirements can be organised into the following six major logical groups called 'control objectives for compliance':
1. Build and maintain a secure network and systems.
2. Protect cardholder data.
3. Maintain a vulnerability management programme.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.

6.7.4 Payment Application Data Security Standard (PA-DSS)

The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). It is a set of requirements intended to help software vendors develop secure payment applications that are compliant with PCI DSS. It applies to third-party applications that store, process or transmit payment cardholder data as part of authorisation or settlement, and prevents them from storing prohibited secure data including magnetic stripe, CVV2 or PIN data. This is achieved by ensuring that the software vendor achieves PA-DSS compliance by having its product reviewed by a PA-DSS qualified security assessor, and includes the following 14 protections:

1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2) or PIN block data.
2. Protect stored cardholder data.
3. Provide secure authentication features.
4. Log payment application activity.
5. Develop secure payment applications.
6. Protect wireless transmissions.
7. Test payment applications to address vulnerabilities and maintain payment application updates.
8. Facilitate secure network implementation.
9. Cardholder data must never be stored on a server connected to the Internet.
10. Facilitate secure remote access to payment application.
11. Encrypt sensitive traffic over public networks.
12. Secure all non-console administrative access.
13. Maintain a PA-DSS implementation guide for customers, resellers and integrators.
14. Assign PA-DSS responsibilities for personnel and maintain training programmes for personnel, customers, resellers and integrators.
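The following Python module is an added example, not code from the textbook or from the PCI SSC, showing how three of the rules above can be enforced in a payment application: PCI DSS requirement 3 (masking, truncation and hashing of stored cardholder data), PA-DSS requirement 1 (never retaining track data, CVV2 or PIN block data) and a requirement-10 style review of logs for PANs written in the clear. The field names, the HMAC key and the sample log lines are constructed assumptions.

```python
"""Added example, not from the textbook: enforcing PCI DSS requirement 3 (masking,
truncation, hashing of stored cardholder data), PA-DSS requirement 1 (never retain
track data, CVV2 or PIN block data) and a requirement-10 style log check.
The field names, HMAC key and sample log lines are constructed for illustration."""
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): PA-DSS requirement 1 says these must never
# be retained after authorisation, even encrypted.  Field names are assumptions.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "cav2", "pin_block"}

# Matches a 13-19 digit run, optionally separated by spaces or dashes, that is not
# embedded in a longer digit run (so timestamps and short order ids are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Constructed log lines: line 2 carries a raw PAN and a CVV2 in a debug message.
SAMPLE_LOG = [
    "2020-10-06 11:20:31 INFO auth ok card=411111******1111 amount=49.99",
    "2020-10-06 11:20:32 DEBUG raw request pan=4111 1111 1111 1111 cvv2=123",
    "2020-10-06 11:20:33 INFO order 1234567890123 shipped",
]


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test: filters random digit runs before treating them as a PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking/truncation: show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) so records can still be correlated
    without the PAN being stored; the key itself must be protected."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Gate applied before any write: refuse SAD, never persist the full PAN."""
    leaked = SENSITIVE_AUTH_FIELDS & set(record)
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
    out = dict(record)
    if "pan" in out:
        pan = out.pop("pan")
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        out["pan_masked"] = mask_pan(pan)
        out["pan_token"] = pan_token(pan, key)
    return out


def find_unmasked_pans(log_lines):
    """Requirement-10 style review: return (line number, masked PAN) for every
    log line that still carries a Luhn-valid PAN in the clear."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_valid(m.group()):
                hits.append((n, mask_pan(m.group())))
    return hits


if __name__ == "__main__":
    rec = prepare_for_storage({"pan": "4111 1111 1111 1111", "amount": "49.99"}, b"demo-key")
    print(rec)                               # pan_masked='411111******1111', no 'pan' key
    print(find_unmasked_pans(SAMPLE_LOG))    # [(2, '411111******1111')]
```

The log check reports the offending line with the PAN already masked, so the finding itself does not reproduce the cardholder data it flags.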

POINTS TO REMEMBER
1. NERC and PCI are used for security of data in digital payment.
2. It secures the information of payment as well as personal data of customers.

6.8 ISO/IEC 27000

It is the most recognizable standard as it bears the internationally prestigious name of the International Organization for Standardization and the International Electrotechnical Commission. It was initiated by the British Standards Institute in 1995 through BS7799 (Information Security Management System), and was later taken over by the International Organization for Standardization (ISO) and released under the name of the ISO/IEC 27000 series (ISMS Family of Standards) and ISO/IEC 17799:2005 'Information Technology – Code of practice for information security management'. Secondly, there is the NIST SP800 group of standards, published by the National Institute of Standards and Technology (NIST) from the U.S., which is listed in Table 6.2.

Table 6.2  NIST SP800 Group of Standards.

ISO/IEC 27000 Series    Key Focus of Standardization
ISO/IEC 27001           Information security management.
ISO/IEC 27002           Code of practice for information security management.
ISO/IEC 27005           Information security risk management.
ISO/IEC 27006           Requirements for bodies providing audit and certification of information security management systems.

1. ISO/IEC 27001 Information Technology Security Techniques – Information Security Management: The 27001 standard sets out the steps required for an organization's Information Security Management System (ISMS) to achieve certification. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.
2. ISO/IEC 27002 Information Technology Security Techniques – Code of Practice for Information Security Management: It is entitled Information technology – Security techniques – Code of practice for information security management. ISO/IEC 27002 contains best practices and security controls in the following areas of management of information security: (a) Security policy. (b) Organization of information security. (c) Asset management. (d) Access control. (e) Information security incident management. (f) Business continuity management.
3. ISO/IEC 27005 Information Technology Security Techniques – Information Security Risk Management: It assists in implementing information security with a basis in risk management. A management system standard offers a framework through which any organization can implement, maintain and continually improve an information security management system specific to that organization's context.
4. ISO/IEC 27006 Information Technology Security Techniques – Requirements for bodies providing audit and certification of information security management systems: It specifies requirements for, and guides, bodies providing audit and certification of an information security management system, and lays out formal requirements for accredited organizations that certify other organizations as compliant with ISO/IEC 27001.

The following standards are under development by the ISO/IEC JTC1:
1. ISO/IEC 27000: An introduction and overview for the ISMS Family of Standards and a glossary of common terms.
2. ISO/IEC 27003: An ISMS implementation guide.
3. ISO/IEC 27004: A standard for information security management measurements.
4. ISO/IEC 27007: A guideline for ISMS auditing (focusing on the management system).
5. ISO/IEC 27008: A guideline for information security management auditing (focusing on the security controls).
6. ISO/IEC 27011: An ISMS implementation guideline for the telecommunications industry (also known as X.1051).
7. ISO/IEC 27031: A specification for ICT readiness for business continuity.
8. ISO/IEC 27032: A guideline for cybersecurity (essentially, 'being a good neighbour' on the Internet).
9. ISO/IEC 27033: IT network security, a multi-part standard currently known as ISO/IEC 18028:2006.
10. ISO/IEC 27034: A guideline for application security.

Cyber Security and Laws_Chpater 06.indd 220

10/6/2020 11:20:32 AM


Summary

In this chapter, we have discussed information security standards, which help organizations to manage the risks related to information security and implement appropriate security controls. They promote best practices and are developed to meet legal and regulatory requirements. Most of them are specific to a particular domain. The prominent ones have been explained in this chapter. This chapter explained some of the major information security compliance standards. These include the Sarbanes–Oxley (SOX) Act, Gramm–Leach–Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Modernization Act (FISMA), North American Electric Reliability Corporation – Critical Infrastructure Protection standards (NERC-CIP), ISO/IEC Information Security Management Systems (ISMS) standards and Payment Card Industry Security Standards Council (PCI SSC).



Review Questions

1. Define information security standards. Refer to Subsection 6.1.1.
2. Explain series of standards. Refer to Subsection 6.1.2.
3. List all standards. Refer to Subsection 6.1.2.
4. Write a short note on ISO/IEC 27001. Refer to Subsection 6.1.2.
5. Write a short note on ISO/IEC 27002. Refer to Subsection 6.1.2.
6. Write a short note on ISO/IEC 27005. Refer to Subsection 6.1.2.
7. Write a short note on ISO/IEC 27006. Refer to Subsection 6.1.2.
8. What is the importance of security standards in information security? Refer to Subsection 6.1.3.
9. What are the challenges of information security? Refer to Subsection 6.1.3.
10. Explain information security attacks. Refer to Subsection 6.1.3.
11. What do you mean by the immature information security market? Refer to Subsection 6.1.4.
12. Explain SOX. Refer to Subsection 6.2.1.
13. List key provisions of SOX. Refer to Subsection 6.2.2.
14. What is SOX Section 302? Refer to Subsection 6.2.2.
15. Explain SOX Section 401. Refer to Subsection 6.2.2.
16. Write a short note on SOX Section 404. Refer to Subsection 6.2.2.
17. What is SOX Section 409? Refer to Subsection 6.2.2.
18. Explain SOX Section 806. Refer to Subsection 6.2.2.
19. Write a short note on SOX Section 906. Refer to Subsection 6.2.2.
20. What are the benefits of SOX to organizations? Refer to Subsection 6.2.3.
21. What is GLBA? Refer to Subsection 6.3.1.
22. Describe FRB, FDIC, NCUA, OCC, CFPB and SLC. Refer to Subsection 6.3.1.
23. List key requirements of GLBA. Refer to Subsection 6.3.5.
24. Write benefits of GLBA. Refer to Subsection 6.3.2.
25. Write steps for GLBA. Refer to Subsection 6.3.4.
26. Write a short note on HIPAA. Refer to Subsection 6.4.1.
27. Describe three safeguards of HIPAA. Refer to Subsection 6.4.3.
28. How does HIPAA work for an organization? Refer to Subsection 6.4.2.
29. What are the requirements of HIPAA? Refer to Subsection 6.4.4.
30. Explain FISMA. Refer to Subsection 6.5.1.
31. What are the benefits and requirements of FISMA? Refer to Subsections 6.5.2 and 6.5.3.
32. Write about FISMA penalties. Refer to Subsection 6.5.4.
33. Write a short note on (a) NERC, (b) PCI and (c) PA-DSS. Refer to Subsections 6.6.1 and 6.6.2.


Appendix A  Lab Manual: Cybersecurity and Cyber Laws

Learning Objectives

After reading this appendix, the reader will be able to
• Explain computer science terminology related to coding, password protection, social engineering and network security.
• Analyse reports of unfolding security breaches and apply their understanding of security networks to them.
• Install, configure, use and manage offensive/defensive security tools on a working network.
• Review and practice computer and network etiquette and ethics found in working environments.
• Evaluate and implement new and future technologies into current systems.
• Evaluate best practices in security concepts to maintain confidentiality, integrity and availability of computer systems.

Role of Blooms Taxonomy in Cybersecurity

With the aforementioned Lab Learning Objectives in mind, it will be helpful to examine them in the context of Bloom's Taxonomy. In a revised version of Bloom's Taxonomy there are six cognitive processes identified: (1) remember, (2) understand, (3) apply, (4) analyse, (5) evaluate and (6) create. This work is based on the original formulation done half a century earlier. Merging the constructs of the updated Bloom's Taxonomy with the depth of knowledge classifications from Webb's DoK Model is useful when developing specific student learning outcomes, as shown in Table A.1.

Cyber Security and Laws_Appendix A.indd 225

10/7/2020 10:04:25 AM


Appendix A/Lab Manual: Cybersecurity and CYBER Laws

Table A.1  IT Student Learning Taxonomy (Security Related)

Columns: Level of Learning | Bloom's Updated 'Six Levels of Thinking' (Webb's Four 'Depth of Knowledge' Concepts) | Student Learning Outcomes: 'Student is able to ...' | IT Security Student Learning Examples

Higher Level (Expert)

6: Creating (Extended Thinking). Can the student create a new product or point of view? Requires investigation, complex reasoning, planning, developing and thinking, probably over an extended period of time.
  Outcome: Put elements together to form a coherent or functional whole. Reorganize elements into a new pattern or structure through generating, planning, or producing.
  Example: Create a security risk assessment and disaster recovery plan.

5: Evaluating (Strategic Thinking). Can the student justify a stand or decision? Requires reasoning, developing plans or a sequence of steps, some complexity, more than one possible answer.
  Outcome: Make judgments based on criteria and standards.
  Example: Evaluate threats and countermeasures based on a risk assessment.

4: Analysing (Strategic Thinking). Can the student distinguish between the different parts? Requires reasoning, developing plans or a sequence of steps, some complexity, more than one possible answer; a higher level of thinking than the previous two levels.
  Outcome: Break down material into component parts so that its organizational structure may be understood.
  Example: Identify and analyse project risk and perform qualitative and quantitative analyses.

Intermediate Level

3: Applying (Skill/Concept). Can the student use the information in a new way? Engages mental process beyond habitual response using information or conceptual knowledge. Requires two or more steps.
  Outcome: Use learned material in new and concrete situations.
  Example: Apply appropriate physical vs. logical and centralized vs. decentralized access control in various scenarios.

Lower Level (Beginner)

2: Understanding (Recall and Reproduction). Can the student explain ideas or concepts?
  Outcome: Grasp the meaning of the material.
  Example: Understand and explain auditing, asset management, standards and enforcement when managing networks.

1: Remembering (Recall and Reproduction). Can the student recall or remember a fact, information, or procedure?
  Outcome: Recall appropriate information.
  Example: Discuss encrypting user account passwords.

These cognitive processes are generally viewed as a hierarchy in which the sixth process, create, is often considered of higher cognitive complexity and abstraction than the first one, remember. As one moves from the lower cognitive processes to the higher cognitive processes, he/she moves from simplicity and concreteness to greater complexity and abstraction. While there is a hierarchy, it does not necessarily imply that one level is of greater importance than another; rather, that there is value in designing education curriculum that addresses the processes appropriate for the goals of the course.

Experiment 1  Updating an Operating System Manually

Aim:  To update an operating system (Windows 10) manually.

Learning Objectives
1. Understand the importance of an up-to-date OS.
2. Learn how to update Windows 10.

Theory:  An operating system (OS) is the most important software on a computer: it acts as an interface between the user and the computer hardware, and without the OS the user cannot use any computer programs such as Chrome, MS Word, games, etc. Various errors and security problems are discovered in every OS; therefore, keeping the OS up to date is of utmost importance. Using an out-of-date OS leaves us open to vulnerabilities and security threats such as malware and viruses, which can lead to theft of confidential information, unauthorized access, or even destruction of data.

Prerequisites:  A computer that runs Windows 10; an Internet connection.

Procedure:  To update Windows 10 manually, follow these steps:
1. Open the 'Start' menu and then click on 'Settings'.
2. In the Windows Settings app, click on 'Update & Security' as shown in Fig. A.1.

Figure A.1  Settings App in Windows 10.


3. Click on 'Windows Update' (see the boxed entry in the left column in Fig. A.2).
4. Click on the 'Check for updates' button, as shown in Fig. A.2 and Fig. A.3.

Figure A.2  ‘Windows Update’ screen.

Figure A.3  ‘Checking for updates’ screen.

5. If any updates are found, click on ‘Download’ to download the updates, as shown in Fig. A.4a and A.4b.


Figure A.4  (a) Updates found screen. (b) Downloading the updates screen.

6. After the downloads are complete, click 'Restart now' to install the updates, as shown in Fig. A.5.

Figure A.5  Installing the Updates screen.

Note:  Keep your device plugged into a power source and do not turn off your computer during an update, as doing so may corrupt your OS.

Conclusion:  Successfully updated an operating system to reduce the risk of cyberthreats.

Experiment 2  Preventing Unauthorised Changes to a System

Aim:  To prevent unauthorised changes to a system (Windows 10).

Learning Objectives
1. Understand the security features available on Windows 10.
2. Learn how to use User Account Control to prevent unauthorised changes to a system.

Theory:  An operating system (OS) is the most important software on a computer: it acts as an interface between the user and the computer hardware, and without the OS the user cannot use any computer programs such as Chrome, MS Word, games, etc. The most important goal of operating system security is to avoid unauthorized access to the system. This can be easily avoided by using Windows 10's inbuilt User Account Control (UAC) settings.

Prerequisites:  A computer running Windows 10.

Procedure:  To prevent unauthorised changes to a system (Windows 10), follow these steps:
1. Open the 'Control Panel' (Fig. A.6).
2. Click on 'Security and Maintenance' as shown in Fig. A.6.

Figure A.6  ‘Control Panel’ screen.

3. Under ‘Security and Maintenance’, select ‘Change User Account Control settings’ (Fig. A.7).


4. Drag the slider up to select the 'Always notify me when' option and then click on 'OK' as shown in Fig. A.7.

Figure A.7  ‘Change User Account Control Settings’ screen.

Conclusion:  Using ‘User Account Control (UAC) Settings’, Windows 10 can be set up to notify the user when apps try to make changes to our system or install an unknown software.

Experiment 3  Remove Malware with Windows Defender Anti-Virus

Aim:  To remove malware with Windows Defender Anti-Virus.

Learning Objectives
1. Understand the security features available on Windows 10.
2. Learn how to recover data using File History.

Theory:  Windows Defender is Microsoft's built-in anti-malware tool which helps protect your PCs from viruses, adware and other types of malware. It provides various security options such as:
1. Virus and threat protection.
2. Account protection.
3. Firewall and network protection.
4. Device security.

If you notice any of the following signs, be sure that your computer is compromised with malware and take immediate action:
1. Computer or program freezes or crashes.
2. Unfamiliar error messages, warnings or pop-ups.
3. Low hard drive space.
4. Slow and buggy system.

Prerequisites:  A computer that runs Windows 10; administrative privileges.

Procedure:  To remove malware with Windows Defender Anti-Virus, follow these steps:
1. Open the 'Start' menu and then click on 'Settings'.
2. In the 'Windows Settings' app, click on 'Update & Security' as shown in Fig. A.8.

Figure A.8  ‘Settings’ App in Windows 10.


3. On the left, select 'Windows Security'. This opens the 'Windows Security' window.
4. On the right, under 'Windows Security', click on 'Open Windows Security', as shown in Fig. A.9.

Figure A.9  ‘Windows Security’ in ‘Settings’ App.

5. Click the ‘Virus & threat protection’ tile, as shown in Fig. A.10.

Figure A.10  ‘Windows Security’ Window.


6. Click Quick scan to perform a scan for malware, as shown in Fig. A.11 and A.12.

Figure A.11  Quick scan.

Figure A.12  ‘Quick Scan’ in progress.


7. If any threats are found, select the ‘Remove’ option and click ‘Start actions’ to remove the threat from the system, as shown in Fig. A.13.

Figure A.13  Removing the malware.

Conclusion:  Successfully scanned the files for threats and removed malware from the system using Microsoft’s built-in anti-malware tool that is Windows Defender.

Experiment 4  Backing Up Data in Windows 10

Aim:  To back up data in Windows 10.

Learning Objectives
1. Understand the Backup and Restore features available on Windows 10.
2. Learn how to back up data using 'File History'.

Theory:  Creating backups at regular intervals is one of the best methods to secure your data against hardware failures, software problems, hackers, viruses and malware. To do so, Windows 10 has an automated tool that helps you create system images, that is, full backups, at regular intervals. A system image is essentially a copy of all the data on your device, including apps, settings, installation files and all the files available in different locations.

Prerequisites:  A computer that runs Windows 10; administrative privileges.

Procedure:  To back up data in Windows 10, follow these steps:
1. Open the 'Start' menu and then click on 'Settings'.
2. In the Windows Settings app, click on 'Update & Security', as shown in Fig. A.14.

Figure A.14  ‘Settings’ App in Windows 10.


3. On the left, select 'Backup'.
4. On the right, under 'Backup', click on the plus sign next to the 'Add a drive' option, then click on the drive that you wish to use for backup, as shown in Fig. A.15.

Figure A.15  Selecting a drive for backup.


5. Click on ‘More options’ to specify various options for your backup, as shown in Fig. A.16.

Figure A.16  More options.

6. Click the ‘Back up now’ button to start the backup right away, as shown in Fig. A.17.

Figure A.17  Backing up in progress.

Conclusion:  Successfully completed a full backup by selecting a backup drive and customizing various options.

Experiment 5  Recovering Backed Up Data using File History

Aim:  To recover backed up data using ‘File History’.

Learning Objectives
1. Understand the Backup and Restore features available on Windows 10.
2. Learn how to recover data using File History.

Theory:  Files are backed up using Windows 10’s automated backup tool, ‘File History’. File History copies all the data on your device at regular intervals; hence, in the event of hardware failures, software problems, hackers, viruses or malware attacks, your data can be easily restored using File History, thus preventing data loss.

Prerequisites:  A computer running Windows 10.

Procedure:  To recover the backed up data using File History, follow the steps listed in the following:
1. Open Control Panel and select ‘System and Security’, as shown in Fig. A.18.

Figure A.18  Control Panel screen.


2. Under ‘File History’, click on ‘Restore your files with File History’ as shown in Fig. A.19.

Figure A.19  ‘File History’ settings.

3. This will open a window that displays all the folders that are backed up to your external drive (Fig. A.20).
4. Select the folder or files you want to restore and right-click on the green restore button at the bottom, as shown in Fig. A.20.

Figure A.20  Restoring files.


5. Click ‘Restore to’ and choose a folder in which to save the restored file, as shown in Fig. A.21.

Figure A.21  Saving the restored file.

Conclusion:  Using File History, we could easily recover the backed-up data, which helps in situations where the data gets destroyed or corrupted.

Experiment 6  Recovering Deleted Data Using Recuva Software

Aim:  To recover deleted data using Recuva software.

Learning Objectives:  Learn how to recover deleted or corrupted data using Recuva software.

Theory:  Files that get deleted are not truly deleted but are hidden, waiting to be overwritten by something else. The only way a file disappears completely is if the physical space it occupies on the drive is overwritten; until then, it is possible to recover the deleted data using various software such as Recuva.

Prerequisites:  A computer; an Internet connection.

Procedure:  To recover the deleted data using Recuva software, follow the steps provided in the list:
1. Download and install the Recuva software from https://www.ccleaner.com/recuva/download/standard
2. Run the Recuva software, select the file type you want to recover and click ‘Next’, as shown in Fig. A.22.

Figure A.22  Selecting ‘File type’.


3. Select the location where the file was previously stored and click ‘Next’, as shown in Fig. A.23.

Figure A.23  Selecting ‘File location’.


4. Click ‘Start’ to scan for the deleted data, as shown in Fig. A.24(a); the scan in progress is shown in Fig. A.24(b).

Figure A.24  (a) Start scanning. (b) Scanning in progress.


5. After completion of the scan, select the data you wish to recover and click ‘Recover’, as shown in Fig. A.25.

Figure A.25  Recovering the files.

Conclusion:  Using Recuva software, we could easily recover the deleted data, which helps in situations where the data gets destroyed or corrupted.

Experiment 7  Deleting Data Using Eraser Software

Aim:  To delete data using Eraser software.

Learning Objectives
1. Understand the importance of data erasure software to securely delete data.
2. Learn how to use Eraser software.

Theory:  Eraser is a free and easy-to-use software that allows you to completely remove any data by overwriting it several times with random patterns, based on Peter Gutmann’s paper titled ‘Secure Deletion of Data from Magnetic and Solid-State Memory’. The overwriting process is repeated until the data is no longer recoverable.

Prerequisites:  A computer; an Internet connection.

Procedure:  To delete data using Eraser software, follow the steps provided in the following:
1. Download and install the Eraser software from https://eraser.heidi.ie/download/
2. Navigate to the folder location that you want to securely delete, as shown in Fig. A.26.

Figure A.26  Folder location.


3. Right-click on the folder and select the Eraser option, then select the Erase option from the submenu, as shown in Fig. A.27.

Figure A.27  Erase option.

4. In the ‘Erase items’ box, click ‘Yes’ to securely delete the data, as shown in Fig. A.28.

Figure A.28  Securely delete data.

Note:  The time required to permanently erase your folder will depend on the size of the folder.

Conclusion:  Using Eraser software, we can permanently delete data so that it cannot be recovered using any recovery tools.
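The overwrite-then-delete idea behind Eraser (and the reason a plain delete in Experiment 6 leaves data recoverable) can be shown in a few lines. The following Python script is an added example, not code from the book or from the Eraser project: it overwrites a file with random patterns pass by pass, writes a final pass of zeros, and only then removes the file. The file name and the secret marker are constructed for the demonstration.

```python
import os
import secrets
import tempfile

PASSES = 3  # random-pattern passes before the final zero pass


def overwrite_file(path: str, passes: int = PASSES) -> bytes:
    """Overwrite the contents of `path` in place and return what the file
    holds afterwards, so a caller can check that the original bytes are gone.

    Each pass writes a fresh random pattern over the file's full length and
    forces it to disk with fsync; a final pass writes zeros.  Eraser follows
    the same idea using the multi-pass patterns from Gutmann's paper.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())  # make sure the pattern reaches the disk
        fh.seek(0)
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
        fh.seek(0)
        return fh.read()


def secure_delete(path: str, passes: int = PASSES) -> bytes:
    """Overwrite the file, then remove its directory entry.

    Returns the bytes the file held just before removal.  Caveat: on SSDs
    (wear levelling) and on copy-on-write or journaling file systems an
    in-place write may land on different physical blocks, so the old bytes
    can survive; full-disk encryption or the drive's own secure-erase
    command is the reliable answer there.
    """
    final = overwrite_file(path, passes)
    os.remove(path)
    return final


def demo() -> tuple:
    """Constructed demonstration: write a file containing a marker, securely
    delete it, and report (marker seen before, marker seen in the final
    overwritten contents, file still exists afterwards).
    """
    marker = b"CONSTRUCTED-SECRET-TOKEN"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.txt")
        with open(path, "wb") as fh:
            fh.write(b"memo: " + marker + b"\n" * 100)
        with open(path, "rb") as fh:
            before = marker in fh.read()
        after = marker in secure_delete(path)
        return before, after, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```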

Experiment 8  Enabling Router Encryption to Protect Wi-Fi

Aim:  To enable router encryption to protect Wi-Fi.

Learning Objectives:  To learn how to protect a wireless network with router encryption.

Theory:  Wi-Fi routers support several security protocols and encryption methods to secure wireless networks: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access version 2 (WPA2). WPA2 is recommended over its predecessors as it is the most secure, but it is only compatible with hardware manufactured since 2006.

Prerequisites:  A computer that runs Windows 10; an Internet connection; a wireless router.

Procedure:  To encrypt a wireless router, follow the steps provided in the following:
1. Log in to your router’s administrator console by entering the address of your wireless router as a URL in any browser (usually http://192.168.0.1, http://192.168.1.1 or http://10.0.0.1). If it is none of these, check the wireless router manufacturer’s website for help.
2. Enter the username and password, and press ‘Login’ to proceed (Fig. A.29).

Figure A.29  Login page.


3. Go to the ‘Wireless Security’ settings page.
4. Select WPA2-PSK (or WPA2 Personal) for the version, as shown in Fig. A.30.
5. Set the encryption to AES, as shown in Fig. A.30.
6. Create a strong password for the encrypted Wi-Fi.

Figure A.30  ‘Wireless Security’ page.

7. Click on ‘Save’.
8. Finally, reboot the wireless router and then reconnect all your wireless devices.

Conclusion:  Successfully enabled AES router encryption to protect Wi-Fi and secure the network from unwanted threats.

Experiment 9  Strengthening Default Security Settings of ‘Internet Explorer’

Aim:  To strengthen the default security settings of ‘Internet Explorer’.

Learning Objectives
1. Understand the security and privacy features and operation of browsers.
2. Learn how to customize security settings to improve safety.

Theory:  A web browser is an application used to access resources and information from the World Wide Web (www); hence, it is mandatory to install a web browser on every computer in order to access any information from the Internet. All web browsers come with their own default security settings; however, these default settings are not enough to protect your device from spyware, various types of malware, or hackers, so configuring proper settings manually is of utmost importance.

Prerequisites:  A computer; an Internet connection; Internet Explorer.

Procedure:  To strengthen the default security settings of Internet Explorer, follow these steps:
1. Navigate to the top-right corner of the browser and click on the ‘Tools’ menu icon (Fig. A.31).
2. From the ‘Tools’ menu, select ‘Internet options’, as shown in Fig. A.31.

Figure A.31  Configuring Security Settings.

3. Click on the ‘Security’ tab (Fig. A.32).
4. Drag the slider to set the security level to ‘High’ and then click on ‘OK’, as shown in Fig. A.32.


Figure A.32  Configuring ‘Security’ settings.

5. Click on the ‘Privacy’ tab (Fig. A.32).
6. Click on ‘Advanced’ and a Cookies window will pop up (Fig. A.33).
7. Under ‘Third-party Cookies’, select ‘Block’ (Fig. A.33).

Figure A.33  Configuring Security settings.

8. Click on ‘OK’, as shown in Fig. A.33.

Conclusion:  By configuring proper settings, you can secure your system and data from various online threats and risks.

Experiment 10  Strengthening Default Security Settings of Microsoft Edge

Aim:  To strengthen the default security settings of Microsoft Edge.

Learning Objectives
1. Understand the security and privacy features and operation of browsers.
2. Learn how to customize security settings to improve safety.

Theory:  A web browser is an application used to access resources and information from the World Wide Web (www); hence, it is mandatory to install a web browser on every computer in order to access any information from the Internet. All web browsers come with their own default security settings; however, these default settings are not enough to protect your device from spyware, various types of malware, or hackers, so configuring proper settings manually is of utmost importance.

Prerequisites:  A computer; an Internet connection; Microsoft Edge browser.

Procedure:  To strengthen the default security settings of Microsoft Edge, follow the steps provided in the following:
1. Navigate to the top-right corner of the browser and click the ‘Settings and more’ icon.
2. Click ‘Settings’, as shown in Fig. A.34.

Figure A.34  Configuring Security settings.


3. Navigate to the top-left corner of the browser and click the Menu icon.
4. Click ‘Privacy and services’, as shown in Fig. A.35.

Figure A.35  Configuring Security settings.

5. Under ‘Privacy’, enable ‘Send “Do Not Track” requests’, as shown in Fig. A.36.

Figure A.36  Configuring Security settings.


6. Under ‘Services’, enable ‘Microsoft Defender SmartScreen’ as shown in Fig. A.37.

Figure A.37  Configuring Security settings.

7. From the options menu, click ‘Site permissions’ as shown in Fig. A.38.

Figure A.38  Configuring Security settings.


8. From ‘Cookies and site data’, enable ‘Block third-party cookies’ as shown in Fig. A.39.

Figure A.39  Configuring Security settings.

9. From ‘Pop-ups and redirects’, enable ‘Block’ as shown in Fig. A.40.

Figure A.40  Configuring Security settings.

10. From ‘Ads’, enable ‘Block on sites that show intrusive or misleading ads’ as shown in Fig. A.41.

Figure A.41  Configuring Security settings.

Conclusion:  By configuring proper settings, you can secure your system and data from various online threats and risks.

Experiment 11  Strengthening Default Security Settings of Safari

Aim:  To strengthen the default security settings of Safari.

Learning Objectives
1. Understand the security and privacy features and operation of browsers.
2. Learn how to customize security settings to improve safety.

Theory:  A web browser is an application used to access resources and information from the World Wide Web (www); hence, it is mandatory to install a web browser on every computer in order to access any information from the Internet. All web browsers come with their own default security settings; however, these default settings are not enough to protect your device from spyware, various types of malware, or hackers, so configuring proper settings manually is of utmost importance.

Prerequisites:  A computer; an Internet connection; Safari browser.

Procedure:  To strengthen the default security settings of Safari, follow the steps provided in the following:
1. Navigate to the top-right corner of the browser and click the Menu icon (Fig. A.42).
2. Click on ‘Preferences’, as shown in Fig. A.42.

Figure A.42  Configuring Security settings.


3. Click the ‘AutoFill’ tab (Fig. A.43).
4. Under ‘AutoFill web forms’, disable ‘User names and passwords’, as shown in Fig. A.43.

Figure A.43  Configuring Security settings.

5. Click on the ‘Security’ tab (Fig. A.44).
6. Under ‘Web Content’, enable pop-up windows and disable ‘JavaScript’, as shown in Fig. A.44.

Figure A.44  Configuring Security settings.

7. Click on the ‘Privacy’ tab (Fig. A.45).
8. Under ‘Block cookies’, select the ‘From third parties and advertisers’ option, as shown in Fig. A.45.

Figure A.45  Configuring Security settings.

Conclusion:  By configuring proper settings, you can secure your system and data from various online threats and risks.

Experiment 12  Strengthening Default Security Settings of Google Chrome

Aim:  To strengthen the default security settings of Google Chrome.

Learning Objectives
1. Understand the security and privacy features and operation of browsers.
2. Learn how to customize security settings to improve safety.

Theory:  A web browser is an application used to access resources and information from the World Wide Web (www); hence, it is mandatory to install a web browser on every computer in order to access any information from the Internet. All web browsers come with their own default security settings; however, these default settings are not enough to protect your device from spyware, various types of malware, or hackers, so configuring proper settings manually is of utmost importance.

Prerequisites:  A computer; an Internet connection; Google Chrome.

Procedure:  To strengthen the default security settings of Google Chrome, follow the steps provided in the following:
1. Navigate to the top-right corner of the browser and click on the ‘Customize and control Google Chrome’ icon.
2. Click on ‘Settings’, as shown in Fig. A.46.

Figure A.46  Configuring Security settings.


3. Under ‘Privacy and security’, click on ‘Cookies and other site data’, as shown in Fig. A.47.

Figure A.47  Configuring Security settings.

4. Under ‘General settings’, select the ‘Block third-party cookies’ option (Fig. A.48).
5. Under ‘General settings’, enable the ‘Clear cookies and site data when you quit Chrome’ option (Fig. A.48).
6. Under ‘General settings’, enable the ‘Send a “Do Not Track” request with your browsing traffic’ option (Fig. A.48).
7. Under ‘General settings’, disable the ‘Preload pages for faster browsing and searching’ option (Fig. A.48).

Figure A.48  Configuring Security settings.


8. Under ‘Privacy and security’, click ‘Site Settings’, as shown in Fig. A.49.

Figure A.49  Configuring Security settings.

9. Under ‘Content’, select ‘Block sites from running Flash’ (Fig. A.50).
10. Under ‘Content’, block ‘Pop-ups and redirects’ (Fig. A.50).

Figure A.50  Configuring Security settings.

Conclusion:  By configuring proper settings, you can secure your system and data from various online threats and risks.

Experiment 13  Strengthening Default Security Settings of Mozilla Firefox

Aim:  To strengthen the default security settings of Mozilla Firefox.

Learning Objectives
1. Understand the security and privacy features and operation of browsers.
2. Learn how to customize security settings to improve safety.

Theory:  A web browser is an application used to access resources and information from the World Wide Web (www); hence, it is mandatory to install a web browser on every computer in order to access any information from the Internet. All web browsers come with their own default security settings; however, these default settings are not enough to protect your device from spyware, various types of malware, or hackers, so configuring proper settings manually is of utmost importance.

Prerequisites:  A computer; an Internet connection; Mozilla Firefox.

Procedure:  To strengthen the default security settings of Mozilla Firefox, follow the steps provided in the following:
1. Navigate to the top-right corner of the browser and click the Menu icon.
2. Click on ‘Options’, as shown in Fig. A.51.

Figure A.51  Configuring Security settings.


3. On the left pane, click on the ‘Privacy and Security’ option (Fig. A.51).
4. Select the ‘Always’ option for ‘Send websites a “Do Not Track” signal’ (Fig. A.51).
5. Under ‘Cookies and Site Data’, select the ‘Delete cookies and site data when Firefox is closed’ option (Fig. A.51).
6. Under ‘Logins and Passwords’, deselect the ‘Autofill logins and passwords’ option, as shown in Fig. A.52.

Figure A.52  Configuring Security settings.

7. Under ‘History’, select ‘Never remember history’ from the drop-down menu, as shown in Fig. A.53.

Figure A.53  Configuring Security settings.


8. Under ‘Permissions’, select the ‘Block pop-up windows’ and ‘Warn you when websites try to install add-ons’ options, as shown in Fig. A.54.

Figure A.54  Configuring Security settings.

9. Under ‘Logins and Passwords’, select the ‘Use a master password’ checkbox; a pop-up window opens (Fig. A.55).
10. In the ‘Enter new password’ field, type your master password (Fig. A.55).
11. In the ‘Re-enter password’ field, type the password again to confirm (Fig. A.55).
12. Click ‘OK’, as shown in Fig. A.55. This will prevent any unauthorized access to the browser.

Figure A.55  Configuring Security settings.

Conclusion:  By configuring proper settings, you can secure your system and data from various online threats and risks.

Experiment 14  Identifying Phishing Attacks and Protecting Ourselves

Aim:  To identify phishing attacks and protect ourselves.

Learning Objectives
1. To understand what a phishing attack is.
2. To learn how to protect yourself from phishing attacks.

Theory:  Phishing is a type of attack in which intruders, scammers or hackers pose as legitimate institutions to try to obtain sensitive user information. For example, you may receive an e-mail from a hacker posing as a financial institution, tricking you into giving out your personal or financial information.

Procedure:  To identify phishing attacks and protect ourselves, follow the steps provided in the following:
1. To identify phishing attacks, we must always look for red flags (see the flags in Fig. A.56) in any e-mail we receive from unknown sources.
(a) Bad grammar and spelling: If you receive an e-mail with lots of spelling mistakes, it most likely is a scam, since many hackers and scammers do not take the time to re-check the e-mail contents.
(b) Threat: E-mails that ask for sensitive user information under the pretext that you must take immediate action or your account will be disabled are usually scam e-mails.
(c) Malicious websites and spoofed URLs: Links in e-mails must always be verified by copying the URL and pasting it on VirusTotal (https://www.virustotal.com/gui/home/url) to avoid landing on a malicious website and getting your system infected by malware.


See Fig. A.56 for an example of a phishing e-mail; look carefully for more red flags.

Figure A.56  An example of a phishing e-mail; look carefully for more red flags.

2. If you think that an e-mail you received is a phishing attack, follow these steps to protect yourself:
(a) Do not download any attachments.
(b) Never click the links.
(c) Never reply with any information.
(d) Delete it immediately.
(e) Report it.

Conclusion:  One can easily protect oneself from scammers or hackers by looking for red flags and following the correct steps when an e-mail is suspected to be phishing.
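The red flags in step 1 can also be checked mechanically, which is how mail filters apply them at scale. The following Python script is an added example, not code from the book: it scans an e-mail body for urgency phrases (flag (b)), a small list of common misspellings (flag (a)), links whose target is a raw IP address, and link text that names a different site from the link's real target (flag (c)). The sample messages, the misspelling list and the addresses in them are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Red flag (b): phrases that pressure the reader into acting at once.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be disabled",
                   "will be suspended", "verify your account")
# Red flag (a): a constructed mini-lexicon of common misspellings; a real
# checker would use a full dictionary.
MISSPELLINGS = {"recieve", "verfy", "acount", "informations", "adress"}
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _MailParser(HTMLParser):
    """Collects the visible text and every (href, visible link text) pair."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._link_text = []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def check_email(html_body: str) -> list:
    """Return (code, detail) pairs for every red flag found in the body."""
    parser = _MailParser()
    parser.feed(html_body)
    parser.close()
    low = " ".join(parser.text).lower()
    flags = []
    for phrase in URGENCY_PHRASES:
        if phrase in low:
            flags.append(("urgency", phrase))
    for word in re.findall(r"[a-z']+", low):
        if word in MISSPELLINGS:
            flags.append(("spelling", word))
    for href, shown in parser.links:
        target = _host(href)
        if IPV4_RE.match(target):
            flags.append(("ip-address-link", href))
        # Red flag (c): the text looks like one site but the link goes elsewhere.
        match = DOMAIN_RE.search(shown)
        if match:
            shown_host = _host(shown) if "://" in shown else match.group(0).lower()
            if shown_host != target:
                flags.append(("link-text-mismatch", f"{shown_host} -> {target}"))
    return flags


# Constructed sample messages (not real e-mails). 198.51.100.0/24 is a
# documentation address range and example.com is a reserved example domain.
SAMPLE_PHISH = """<p>Dear customer,</p>
<p>We detected unusual activity on your acount. You must verify your account
immediately or your account will be disabled within 24 hours.</p>
<p>Please login here:
<a href="http://198.51.100.7/login">https://bank.example.com/secure</a></p>"""

SAMPLE_BENIGN = """<p>Your monthly statement is ready.
<a href="https://bank.example.com/statements">View statement</a></p>"""


if __name__ == "__main__":
    for code, detail in check_email(SAMPLE_PHISH):
        print(f"{code:20} {detail}")
    print("benign flags:", check_email(SAMPLE_BENIGN))
```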

Experiment 15  Scanning E-Mail Attachments for Malware

Aim:  To scan e-mail attachments for malware.

Learning Objectives:  To learn how to scan attachments for malware before opening them.

Theory:  E-mail is still the primary mode of communication for most people, so it remains one of the major thoroughfares for viruses and malware. Attaching malicious software to e-mails is the easiest way to infect someone’s device. Hence, it is of utmost importance to always scan attachments before opening them. This helps you avoid the risk of opening malicious attachments and infecting your device.

Prerequisites:  A computer; an Internet connection; an e-mail client; any browser.

Procedure:  To scan e-mail attachments for malware, follow the steps provided in the following:
1. Download the attachment, as shown in Fig. A.57.

Figure A.57  Downloading attachment.


2. Once the download is complete, go to the VirusTotal website (https://www.virustotal.com/gui/home/upload) in your browser, as shown in Fig. A.58.

Figure A.58  VirusTotal upload page.

3. Click ‘Choose file’ and select the downloaded attachment, as shown in Fig. A.59.

Figure A.59  Uploading the attachment.


4. Click ‘Confirm Upload’; VirusTotal will scan the downloaded file and display the result, as shown in Fig. A.60.

Figure A.60  Result displayed on VirusTotal.

Conclusion:  Successfully scanned the e-mail attachment for malware to avoid the risk of infecting our system by opening a malicious attachment.

Experiment 16  Protecting Android OS from Security Threats

Aim:  To protect Android OS from security threats.

Learning Objectives:  To understand the security and privacy features available to safeguard devices running on Android OS.
1. Understand the security and privacy features and operation of browsers.
2. Learn how to customize security settings to improve safety.

Theory:  Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the data.

Prerequisites:  Android devices.

Procedure:  To protect Android OS from security threats, follow the steps provided in the following:
1. Stay up to date: Software updates include security fixes, which reduce the chances of an attack.
2. Avoid third-party download sites: Third-party app stores do not necessarily scan the apps uploaded to them for malware and viruses, which, when downloaded, can make your device vulnerable.
3. Enable a lock screen password: Enable password protection to prevent anyone from accessing the device.
4. Enable automatic locking: The auto-lock feature locks the device after a short period of inactivity, which reduces the risk of unauthorized access.
5. Turn off lock screen notifications: Turning off lock screen notifications makes it impossible for strangers to read information showing up on the lock screen.
6. Disable Bluetooth connectivity: If you are not using Bluetooth, disable it to prevent others from connecting to your device without permission.
7. Avoid free Wi-Fi: Avoid connecting to free Wi-Fi, as it makes your device vulnerable and open to hackers.
8. Erase all data before decommissioning: Always overwrite the device’s storage before decommissioning it, as this reduces the chances of sensitive information being recovered from the device.

Conclusion:  By following these security measures, we can protect our Android devices from security threats and safeguard all our data.

Experiment 17  Updating Mobile Operating System (Android)

Aim:  To update a mobile operating system (Android).

Learning Objectives
1. Understand the importance of an up-to-date OS.
2. Learn how to update Android OS.

Theory:  Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. Keeping mobile devices updated with the latest version is a necessity to fix the vulnerabilities present in the operating system. Updating an operating system also enhances the performance of the apps installed on the device, providing an added layer of security.

Prerequisites:  Android devices; an Internet connection.

Procedure:  To update a mobile operating system (Android), follow the steps provided in the following:
1. Open ‘Settings’ and scroll down to ‘Software update’, as shown in Fig. A.61.

Figure A.61  Settings App.


2. Select ‘Software Update’ to check for the latest available update as shown in Fig. A.62.

Figure A.62  ‘Checking for updates’ screen.

3. If new updates are available, the user can download and install them.

Note:  Keep your device plugged into a power source.

Conclusion:  Successfully updated a mobile operating system (Android) to reduce the risk of cyberthreats.

Experiment 18  Enabling Screen Lock in Android Devices

Aim:  To enable screen lock in Android devices.

Learning Objectives
1. Understand the security and privacy features available to protect against unauthorized access on Android devices.
2. Learn how to enable screen lock.

Theory:  Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the data, which is possible by setting up a screen lock. Using biometrics along with other passcodes provides more security to mobile devices.

Prerequisites:  Android devices.

Procedure:  To enable screen lock in Android devices, follow the steps provided in the following:
1. Open ‘Settings’ and scroll down to ‘Lock Screen’, as shown in Fig. A.63.

Figure A.63  Settings App.


2. Tap ‘Lock screen’ and select ‘Screen lock type’ as shown in Fig. A.64.

Figure A.64  Lock Screen settings.

3. On the ‘Screen lock type’ screen, you will see various screen lock options such as Swipe, Pattern, PIN, Password and Biometrics, as shown in Fig. A.65. Tap to select your screen lock option; for example, ‘Password’.

Figure A.65  ‘Screen lock type’ screen.


4. Enter a new password and tap ‘Continue’ as shown in Fig. A.66.

Figure A.66  Setting up password.


5. Re-enter the password and tap ‘OK’ as shown in Fig. A.67.

Figure A.67  Setting up password.

Conclusion:  Successfully enabled the screen lock setting to reduce the risk of unauthorized access to mobile devices.

Experiment 19  Enabling SIM Card Lock in Android Devices

Aim:  To enable SIM card lock in Android devices.

Learning Objectives
1. Understand the security and privacy features available to protect SIM cards on Android devices.
2. Learn how to enable SIM card lock.

Theory:  Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the device. Enabling a SIM PIN acts as a layer of protection that secures the SIM card in case of theft and prevents its misuse by an attacker.

Prerequisites:  Android devices.

Procedure:  To enable SIM card lock in Android devices, follow the steps provided in the following:
1. Open ‘Settings’ and select ‘Device & Privacy’, as shown in Fig. A.68.

Figure A.68  Settings App.


2. Under ‘Encryption and Locking’, select the ‘Set Up SIM Card Lock’ option as shown in Fig. A.69.

Figure A.69  ‘Device & Privacy’ settings window.

3. Enable ‘Lock SIM Card’ as shown in Fig. A.70.

Figure A.70  Enabling SIM card lock.


4. Enter the PIN to lock the SIM and select ‘OK’ as shown in Fig. A.71.

Figure A.71  Setting Up SIM card lock.

Conclusion:  Successfully enabled the SIM card lock setting to prevent the misuse of SIM card in case of theft.


Experiment 20 Erasing Android Devices Remotely

Aim: To erase Android devices remotely.

Learning Objectives: Learn how to perform a remote erase on Android OS.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the data. If your device is lost or stolen, you must erase it remotely to delete your personal data and restore the device to its factory settings. This can be done by using the ‘Find My Device’ app on any other device.

Prerequisites: Android devices; an Internet connection.

Procedure: To erase Android devices remotely, follow the steps provided in the following:

1. Open the ‘Find My Device’ app on any Android device (Fig. A.72).
2. Enter your Gmail ID and password as shown in Fig. A.72.

Figure A.72  ‘Find My Device’ screen.

3. Choose the device you wish to erase by tapping on it.


4. Tap the ‘Erase Device’ option at the bottom as shown in Fig. A.73.

Figure A.73  ‘Erase Device’ option.

5. Tap on ‘Erase Device’ to erase your data as shown in Fig. A.74.

Figure A.74  ‘Erase Device’: Final step.

Conclusion:  Successfully erased the data remotely to prevent unauthorized access when an Android device is lost.


Experiment 21 Protecting iOS from Security Threats

Aim: To protect iOS from security threats.

Learning Objectives: To understand the security and privacy features available to safeguard devices running on iOS.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the data.

Prerequisites: Apple devices.

Procedure: To protect iOS from security threats, follow the steps provided in the following:

1. Stay up-to-date: Software updates include security fixes which reduce the chances of an attack.
2. Enable lock screen password: Enable password protection to prevent anyone from accessing the device.
3. Enable automatic locking: The auto-lock feature locks the device after a short period of inactivity, which reduces the risk of unauthorized access.
4. Turn off lock screen notifications: Turning off lock screen notifications prevents strangers from reading information that shows up on the lock screen.
5. Auto-wipe device contents: Enabling this feature auto-erases the device’s data after excessive passcode failures, to ensure the confidentiality of any data stored on the device.
6. Disable Bluetooth connectivity: If you are not using Bluetooth, disable it to prevent others from connecting to your device without permission.
7. Avoid using free Wi-Fi: Avoid connecting to free Wi-Fi as it makes your device vulnerable and open to hackers.
8. Activate Find My iPhone: If your device is lost or stolen, this functionality enables you to track your device or, most importantly, erase all the data remotely.
9. Erase all data before decommissioning: Always overwrite the device’s storage before decommissioning as it reduces the chances of recovering sensitive information from the device.

Conclusion: By following these security measures, we can protect our Apple devices from security threats and safeguard all our data.


Experiment 22 Updating a Mobile Operating System (iOS)

Aim: To update a mobile operating system (iOS).

Learning Objectives
1. Understand the importance of an up-to-date OS.
2. Learn how to update iOS.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. Keeping mobile devices updated with the latest version is necessary to fix the vulnerabilities present in the operating system. Updating the operating system also enhances the performance of apps installed on the device and provides an added layer of security.

Prerequisites: Apple devices; an Internet connection.

Procedure: To update a mobile operating system (iOS), follow the steps provided in the following:

1. Open ‘Settings’ and tap on ‘General’ as shown in Fig. A.75.

Figure A.75  ‘Settings’ App.


2. Select ‘Software Update’ to check for the latest available update as shown in Fig. A.76.

Figure A.76  ‘Checking for Update’ in progress.

3. If new updates are available, the user can download and install them as shown in Fig. A.77.

Figure A.77  ‘Download and Install’ updates.

Note: Keep your device plugged into a power source.

Conclusion: Successfully updated a mobile operating system to reduce the risk of cyberthreats.


Experiment 23 Enabling Passcode Protection in Apple Devices

Aim: To enable passcode protection in Apple devices.

Learning Objectives
1. Understand the security and privacy features available to protect against unauthorized access on Apple devices.
2. Learn how to enable passcode protection.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the data, which is possible by setting up a passcode. Using biometric authentication along with a passcode provides more security to mobile devices.

Prerequisites: Apple devices.

Procedure: To enable passcode protection in Apple devices, follow the steps provided in the following:

1. Open ‘Settings’ and select ‘Passcode’ (Fig. A.78).
2. Tap ‘Turn Passcode On’ as shown in Fig. A.78.

Figure A.78  Passcode settings.


3. Enter a four-digit passcode as shown in Fig. A.79.

Figure A.79  Setting ‘Passcode’.

4. Re-enter the passcode and tap ‘OK’.

Conclusion: Successfully enabled the passcode protection setting to reduce the risk of unauthorized access to mobile devices.


Experiment 24 Enabling SIM PIN Protection in Apple Devices

Aim: To enable SIM PIN protection in Apple devices.

Learning Objectives
1. Understand the security and privacy features available to protect SIM cards on Apple devices.
2. Learn how to enable SIM PIN protection.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the device. Enabling a SIM PIN adds a layer of protection that secures the SIM card in case of theft and prevents an attacker from misusing it.

Prerequisites: Apple devices.

Procedure: To enable SIM PIN protection in Apple devices, follow the steps provided in the following:

1. Open ‘Settings’ and select ‘Mobile Data’ as shown in Fig. A.80.

Figure A.80  Settings App.


2. Scroll down and tap SIM PIN as shown in Fig. A.81.

Figure A.81  Phone Settings window.

3. Enable SIM PIN as shown in Fig. A.82.

Figure A.82  SIM PIN settings window.


4. Enter the PIN to lock the SIM as shown in Fig. A.83.

Figure A.83  Setting up SIM PIN.

Conclusion:  Successfully enabled the SIM PIN protection setting to prevent the misuse of SIM card in case of theft.


Experiment 25 Limiting Ad Tracking in Apple Devices

Aim: To limit Ad Tracking in Apple devices.

Learning Objectives
1. Understand the security and privacy features available to limit Ad tracking on Apple devices.
2. Learn how to limit Ad tracking.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. Third-party apps show advertisements based on your searches, usage, browsing history and other installed applications. By limiting Ad tracking, we can prevent third-party apps from accessing your personal information.

Prerequisites: Apple devices.

Procedure: To limit Ad tracking in Apple devices, follow the steps provided in the following:

1. Open ‘Settings’ and select ‘Privacy’ (Fig. A.84).
2. Under the Privacy option, tap ‘Advertising’ as shown in Fig. A.84.

Figure A.84  Privacy settings.


3. Turn ‘Limit Ad Tracking’ on as shown in Fig. A.85.

Figure A.85  Enabling ‘Limit Ad Tracking’.

Conclusion:  Successfully enabled ‘Limit Ad Tracking’ setting to prevent third-party Apps from accessing your personal information.


Experiment 26 Erasing Apple Devices Remotely

Aim: To erase Apple devices remotely.

Learning Objectives: To learn how to perform a remote erase on iOS.

Theory: Mobile device security refers to the methods designed to secure the data and other sensitive information on devices such as smartphones and tablets. The most important goal of mobile device security is to prevent unauthorized users from accessing the data. If your Apple device is lost or stolen, you must erase it remotely to delete your personal data and restore the device to its factory settings. This can be done by using the ‘Find My iPhone’ app on any other device.

Prerequisites: Apple devices; an Internet connection.

Procedure: To erase Apple devices remotely, follow the steps provided in the following:

1. Open the ‘Find My iPhone’ app on any Apple device (Fig. A.86).
2. Enter your Apple ID and password, as shown in Fig. A.86.

Figure A.86  ‘Find My iPhone’ screen.

3. Choose the device you wish to erase by tapping on it.

4. Tap on the ‘Actions’ button at the bottom of the screen, and tap the ‘Erase iPhone’ option.


5. Enter your Apple ID and password, and then tap on ‘Next’ as shown in Fig. A.87.

Figure A.87  Step 1 of erasing data.

6. Type your phone number and tap Next, as shown in Fig. A.88.

Figure A.88  Step 2 of erasing data.


7. Type a message to be displayed along with your phone number and tap ‘Done’ as shown in Fig. A.89.

Figure A.89  Step 3 of erasing data.

8. Tap on OK to erase your data as shown in Fig. A.90.

Figure A.90  ‘Erase Started’ screen.

Conclusion:  Successfully erased the data remotely to prevent unauthorized access when an Apple device is lost.


Experiment 27 Disabling Location Service on Facebook for Mobile Phones

Aim: To disable location service on Facebook for mobile phones.

Theory: Geotagging is the process of identifying a location; it can be the location of a photo or even of where you are when posting a status. Geotagging can help your followers know where you were when you shot that photo; however, it can be risky as you reveal your location to stalkers and burglars, sometimes so precisely that it could give your address away due to the precise location settings.

Prerequisites: A mobile phone; an Internet connection.

Procedure: To disable location services on Facebook, follow the steps provided in the following:

1. Tap the Menu icon ‘≡’ as shown in Fig. A.91.

Figure A.91  Facebook home screen.


2. Scroll down and tap ‘Settings & Privacy’ as shown in Fig. A.92.

Figure A.92  Options menu.

3. Tap ‘Settings’ as shown in Fig. A.93.

Figure A.93  ‘Settings & Privacy’ drop-down menu.


4. Under ‘Security’, tap ‘Location’ as shown in Fig. A.94.

Figure A.94  ‘Security’ settings.

5. Tap ‘Location Access’ as shown in Fig. A.95.

Figure A.95  ‘Location’ settings.


6. Turn off the ‘Location Services’ to disable the setting, as shown in Fig. A.96.

Figure A.96  Disabling ‘Location Services’.

Conclusion:  Successfully disabled location service on Facebook to secure our location from stalkers and burglars.


Experiment 28 Disabling Location Service on Twitter for Mobile Phones

Aim: To disable ‘Location Service’ on Twitter for mobile phones.

Learning Objectives
1. Understand the importance of disabling location services on a social networking site.
2. Learn how to disable location services.

Theory: Geotagging is the process of identifying a location; it can be the location of a photograph or even of where you are when posting a status. Geotagging can help your followers know where you were when you shot that photograph; however, it can be risky as you reveal your location to stalkers and burglars, sometimes so precisely that it could give your address away due to the precise location settings.

Prerequisites: A mobile phone; an Internet connection.

Procedure: To disable location services on Twitter, follow the steps provided in the following:

Tap the Menu icon ‘≡’ as shown in Fig. A.97.

Figure A.97  Twitter App home screen.


1. Tap ‘Settings and Privacy’ as shown in Fig. A.98.

Figure A.98  ‘Options’ menu.

2. Tap ‘Privacy and safety’ as shown in Fig. A.99.

Figure A.99  ‘Settings and Privacy’ window.


3. Under ‘Location’, tap ‘Precise location’ as shown in Fig. A.100.

Figure A.100  ‘Privacy and safety’ window.

4. Turn off the ‘Precise location’ option to disable the setting as shown in Fig. A.101.

Figure A.101  Turning off ‘Precise location’.

Conclusion: Successfully disabled location service on Twitter to secure our location from stalkers and burglars.


Experiment 29 Enabling Two-Factor Authentication on Facebook for Mobile Phones

Aim: To enable two-factor authentication on Facebook for mobile phones.

Learning Objectives
1. Understand the importance of two-factor authentication on a social networking site.
2. Learn how to enable two-factor authentication.

Theory: Two-factor authentication is an essential security measure that adds an additional layer of security to your social media accounts. Enabling two-factor authentication requires an additional possession factor, such as a mobile phone, on top of the existing knowledge factor, such as a username and password. This helps in keeping your account secure from unauthorized access by hackers or intruders.

Prerequisites: A mobile phone; an Internet connection.

Procedure: To enable two-factor authentication on Facebook, follow the steps provided in the following:

1. Tap the Menu icon ‘≡’ as shown in Fig. A.102.

Figure A.102  Facebook home screen.


2. Scroll down and tap ‘Settings & Privacy’ as shown in Fig. A.103.

Figure A.103  Options menu.

3. Tap ‘Settings’ as shown in Fig. A.104.

Figure A.104  ‘Settings & Privacy’ drop-down menu.


4. Under ‘Security’, tap ‘Security and Login’ as shown in Fig. A.105.

Figure A.105  Security settings.

5. Under ‘Two-Factor Authentication’, tap ‘Use two-factor authentication’ as shown in Fig. A.106.

Figure A.106  Two-factor authentication settings.


6. Select the ‘Text Message (SMS)’ option and click ‘Continue’ as shown in Fig. A.107.

Figure A.107  Selecting security method.

7. Add your phone number and click ‘Continue’ as shown in Fig. A.108.

Figure A.108  ‘Add Phone Number’ screen.


8. Enter the verification code and click ‘Continue’ as shown in Fig. A.109.

Figure A.109  Verification code.

9. Click Done and this will turn on the two-factor authentication, as shown in Fig. A.110.

Figure A.110  Enabling ‘Two-Factor Authentication’.

Conclusion:  Successfully enabled ‘Two-Factor Authentication’ on Facebook to secure our account from unauthorized access.


Experiment 30 Enabling Two-Factor Authentication on Instagram for Mobile Phones

Aim: To enable two-factor authentication on Instagram for mobile phones.

Learning Objectives
1. Understand the importance of two-factor authentication on a social networking site.
2. Learn how to enable two-factor authentication.

Theory: Two-factor authentication is an essential security measure that adds an additional layer of security to your social media accounts. Enabling two-factor authentication requires an additional possession factor, such as a mobile phone, on top of the existing knowledge factor, such as a username and password. This helps in keeping your account secure from unauthorized access by hackers or intruders.

Prerequisites: A mobile phone; an Internet connection.

Procedure: To enable two-factor authentication on Instagram, follow the steps provided in the following:

1. Tap the Menu icon ‘≡’ (Fig. A.111).
2. Tap ‘Settings’ as shown in Fig. A.111.

Figure A.111  ‘Options’ menu.


3. Tap ‘Security’ as shown in Fig. A.112.

Figure A.112  ‘Settings’.

4. Under ‘Login Security’, tap ‘Two-Factor Authentication’ as shown in Fig. A.113.

Figure A.113  ‘Security’ settings.


5. Select ‘Text Message’ option as shown in Fig. A.114.

Figure A.114  Choosing ‘Security Method’.

6. Enter the verification code and click ‘Next’ as shown in Fig. A.115.

Figure A.115  ‘Enter Code’ screen.


7. Click ‘Done’ and this will turn on the two-factor authentication setting as shown in Fig. A.116.

Figure A.116  Enabling ‘Two-Factor Authentication’.

Conclusion:  Successfully enabled two-factor authentication on Instagram to secure our account from unauthorized access.
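Experiments 29 and 30 both end with the same step: the service sends a verification code by text message and the user types it back (Fig. A.109 and Fig. A.115). The Python sketch below is an added example written for this manual, not Facebook’s or Instagram’s own code, showing what the service side of that step has to get right: the code is issued with a short lifetime, stored only as a salted hash, accepted once, and voided after a handful of wrong guesses. The class and function names, the five-minute lifetime and the five-attempt limit are assumptions chosen for the example; the knowledge factor (username and password) is assumed to have been checked before the code is issued.

```python
"""One-time verification code flow for an SMS-based second factor.

Added example for this manual (not Facebook's or Instagram's code). The
service has already verified the knowledge factor (username and password)
and now proves possession of the phone by sending a code and checking it.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed validity window: five minutes
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before the code is voided


def _hash_code(code: str, salt: bytes) -> bytes:
    """Hash the code so a leaked store does not expose live codes.

    A six-digit code is still guessable offline, which is why the attempt
    limit and the short lifetime, not the hash, are the real defence.
    """
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


@dataclass
class PendingCode:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class SecondFactorVerifier:
    """Holds at most one outstanding code per username."""
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, username: str, now: Optional[float] = None,
              code: Optional[str] = None) -> str:
        """Create a fresh code for `username` and return it for delivery by SMS.

        `code` may be supplied by tests; otherwise a CSPRNG draws it. Issuing
        a new code replaces any earlier one, so only the latest code is valid.
        """
        now = time.time() if now is None else now
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingCode(
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=now + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, username: str, submitted: str,
               now: Optional[float] = None) -> bool:
        """Return True once, for the right code, inside its lifetime."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False                      # nothing outstanding for this user
        if now > entry.expires_at:
            del self.pending[username]        # expired codes are discarded
            return False
        if hmac.compare_digest(_hash_code(submitted, entry.salt), entry.code_hash):
            del self.pending[username]        # single use: a replay fails
            return True
        entry.attempts_left -= 1              # wrong guess: burn an attempt
        if entry.attempts_left <= 0:
            del self.pending[username]        # too many guesses: user must re-issue
        return False


def demo() -> List[bool]:
    """Walk through the flow from Experiments 29/30 with a fixed code."""
    verifier = SecondFactorVerifier()
    code = verifier.issue("alice", now=1_000.0, code="482913")
    return [
        verifier.verify("alice", "000000", now=1_001.0),   # wrong code
        verifier.verify("alice", code, now=1_002.0),       # right code, accepted
        verifier.verify("alice", code, now=1_003.0),       # replay, rejected
    ]


if __name__ == "__main__":
    print(demo())   # [False, True, False]
```

The `now` parameter exists so the expiry and attempt logic can be exercised deterministically; a deployment would leave it at the default wall clock. The constant-time comparison (`hmac.compare_digest`) keeps the check from leaking how many leading digits matched.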


Appendix B Questions and Answers: Cybersecurity and Cyber Law*

Questions Using Bloom’s Taxonomy

The hierarchy of Bloom’s taxonomy (Fig. B.1) is the widely accepted framework through which all teachers should guide their students through the cognitive learning process. In other words, teachers use this framework to focus on higher order thinking skills. You can think of Bloom’s Taxonomy as a pyramid, with simple knowledge-based recall questions at the base. Building up through this foundation, you can ask your students increasingly challenging questions to test their comprehension of a given material.

Utility: By asking these critical thinking questions or higher order questions, you are developing all levels of thinking. Students will have improved attention to detail, as well as an increase in their comprehension and problem-solving skills.

Levels: There are six levels in the framework; here is a brief look at each of them and a few examples of the questions that you would ask for each component.

1. Knowledge: In this level, students are asked questions to see if they have gained insight from the lesson (‘What is …?’, ‘Where is …?’, ‘How would you describe?’, and so on).
2. Comprehension: During this level, students will be asked to interpret facts that they learned (‘What is the main idea …?’, ‘How would you summarize?’, and so on).
3. Application: Questions asked during this level are meant to have students apply or use the knowledge learned during the lesson (‘How would you use …?’, ‘How would you solve it?’, and so on).
4. Analysis: In the analysis level, students will be required to go beyond knowledge and see if they can analyse a problem (‘What is the theme …?’, ‘How would you classify?’, and so on).
5. Synthesis: During the synthesis level of questioning, students are expected to come up with a theory about what they learned or use predictions (‘What would happen if …?’, ‘What facts can you compile?’, and so on).
6. Evaluation: The top level of Bloom’s taxonomy is called evaluation. This is where students are expected to assess the information learned and come to a conclusion about it (‘What is your opinion of …?’, ‘How would you evaluate …?’, ‘How would you select …?’, ‘What data was used?’, and so on).

* The questions included in Appendix B fall either in the ‘5 marks’ or the ‘10 marks’ question category.


Bloom’s taxonomy, from the top of the pyramid down:

Creating: Use info to create something new. Design, build, plan, construct, produce, devise, invent.
Evaluating: Critically examine info and make judgements. Judge, critique, test, defend, criticize.
Analyzing: Take info apart and explore relationships. Categorize, examine, organize, compare/contrast.
Applying: Use info in a new (but similar) form. Use, diagram, make a chart, draw, apply, solve, calculate.
Understanding: Understanding and making sense out of info. Interpret, summarize, explain, infer, paraphrase, discuss.
Remembering: Find or remember info. List, find, name, identify, locate, describe, memorize, define.

Figure B.1  The hierarchy of Bloom’s taxonomy.

Corresponding Verb Examples

1. Remembering: Arrange, define, duplicate, label, list, memorize, name, order, recognize, relate, recall, repeat, reproduce, state, and so on.
2. Understanding: Classify, describe, discuss, explain, express, identify, indicate, locate, recognize, report, restate, review, select, translate, and so on.
3. Applying: Apply, choose, demonstrate, dramatize, employ, illustrate, interpret, operate, practice, schedule, sketch, solve, use, write, and so on.
4. Analysing: Analyse, appraise, calculate, categorize, compare, contrast, criticize, differentiate, discriminate, distinguish, examine, experiment, question, test, and so on.
5. Evaluating: Appraise, argue, assess, attach, choose, compare, defend, estimate, judge, predict, rate, score, select, support, value, evaluate, and so on.
6. Creating: Arrange, assemble, collect, compose, construct, create, design, develop, formulate, manage, organize, plan, prepare, propose, set up, write, and so on.

While critical thinking is a foundation rather than a brick, how you build that foundation depends on the learning process itself: exposing students to new thinking and promoting interaction with that thinking in a gradual release of responsibility approach (Table B.1). Question stems can be a powerful part of that process no matter where the learner is: in assessment (pre-assessment, self-assessment, formative and summative assessment), in prompting and cueing during discussion, and so on.


Table B.1  Building the Foundation of Cognitive Learning by the Learning Approach

Cognitive Level | Key Question | Demonstration Verbs (Examples)

Lower Order
Remembering | Can the student recall or remember the information? | Define, duplicate, list, memorize, recall, repeat, reproduce, state.
Understanding | Can the student explain the ideas or concepts? | Classify, describe, discuss, explain, identify, locate, report, recognize, select, translate, paraphrase.
Applying | Can the student use the information in a new way? | Choose, demonstrate, dramatize, employ, illustrate, interpret, operate, schedule, sketch, solve, use, write.

Higher Order
Analysing | Can the student distinguish between the different parts? | Appraise, compare, contrast, criticize, differentiate, question, discriminate, distinguish, test, examine, experiment.
Evaluating | Can the student justify a stand or decision? | Appraise, argue, defend, judge, select, support, value, evaluate.
Creating | Can the student create a new product or point of view? | Assemble, construct, create, design, develop, formulate, write.

Questions and Answers: Chapter 1

1. Compare active attack versus passive attack. [BE-IT, Dec 2019]

Answer: See Table B.2.

Table B.2  Comparison between Active Attacks and Passive Attacks

S.No. | Active Attack | Passive Attack
1. | A modification of the information takes place. | No modification of the information takes place.
2. | This is dangerous for integrity as well as for availability. | This is dangerous for confidentiality.
3. | Attention is on detection. | Attention is on prevention.
4. | The system is always damaged. | There is no harm to the system.
5. | The victim gets informed about the attack. | The victim does not get informed about the attack.
6. | The system resources can be changed. | The system resources are not changed.
7. | Active attacks influence the services of the system. | The information and messages in the system or network are acquired.
8. | The information collected through passive attacks is used while executing the attack. | Passive attacks are performed by collecting information such as passwords and messages on their own.
9. | An active attack is tough to restrict from entering systems or networks. | A passive attack is easily prohibited in comparison to an active attack.

2. Classify the cybercrimes and explain any one briefly. [BE-IT, Dec 2019]

Answer: Cybercrime falls into three significant categories (as shown in Fig. B.2): (1) individual, (2) property and (3) government. The kinds of strategies utilized and the difficulty levels differ depending upon the category.

1. Property: This is like a real-life instance of a criminal illegally obtaining a person’s bank or credit card details. The hacker steals an individual’s bank details to access funds, make purchases on the web or run phishing scams to get individuals to give away their data. They could likewise utilize malicious software to access a web page with private data. Examples: credit card fraud and intellectual property (IP) crimes.
2. Individual: This category of cybercrime includes one individual distributing malicious or unlawful information on the web. This can incorporate cyberstalking, spreading pornography and trafficking. Examples: e-mail spoofing and other online frauds, phishing, vishing, spamming, cyberstalking and harassment, defamation, pornographic offences.
3. Government: This is the least common cybercrime, yet it is the most serious offence. A crime against the government is otherwise called cyberterrorism. Government cybercrime includes hacking government sites or military sites, or distributing propaganda. These criminals are normally terrorists or hostile governments of other countries. Examples: password sniffing, denial-of-service (DoS) attack, virus attack, salami attack, Trojan horse, data diddling.

Figure B.2  Categories of cybercrime: Individual, Property and Government.

3. Write a brief note on cyberterrorism. [BE-IT, Dec 2019]

Answer: Cyberterrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a political, social or ideological agenda. This can include the use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Some examples in this category are hacking into computer systems, introducing viruses to vulnerable networks, website defacing, DoS attacks or terroristic threats made via electronic communication.

It is the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks with the intention to cause harm or to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives. The nature of cyberterrorism covers conduct involving computer or Internet technology that

1. is motivated by a political, religious or ideological cause;
2. is intended to intimidate a government or a section of the public to varying degrees;
3. seriously interferes with infrastructure.

There are five main types of cyberterrorism attack, namely incursion, destruction, disinformation, denial-of-service and defacement of websites, as listed in the following:

1. Incursion: These types of attacks are carried out with the purpose of gaining access to or penetrating computer systems and networks to get or modify information.
2. Destruction: This method of attack is used to intrude into computer systems and networks with the main purpose of inflicting severe damage or destroying them.
3. Disinformation: This method is used to spread rumours or information that can have a severe impact on a particular target. Regardless of whether the rumours are true or not, the reckless use of such attacks can create uncontrollable chaos for the nation or the organization.
4. Denial-of-service: The main objective of DoS attacks is to disable or disrupt online operations by flooding the targeted servers with a huge number of packets (requests), which would ultimately leave the servers unable to handle normal service requests from legitimate users. The impact of such attacks can be disastrous from both an economic and a social perspective, and it can cause organizations to suffer massive losses.
5. Defacement of websites: This type of attack is targeted at defacing the websites of the victims. The websites can either be changed totally to include messages from the cyberterrorists for propaganda or publicity purposes, which might cause them to be taken down, or be made to redirect users to other websites which may contain similar messages.

4. Write a short note on the Indian Information Technology Act, 2000. [BE-IT, Dec 2019; ME-IT, Dec 2017]
Answer
The Parliament of India has passed its first cyber law, the Information Technology Act, 2000, which provides the legal infrastructure for e-commerce in India. The said Act has received the assent of the President of India and has become the law of the land in India. The Act has 13 parts and 90 sections (the last four sections, namely Sections 91 to 94 of the ITA 2000, dealt with amendments to four Acts, namely the Indian Penal Code 1860, the Indian Evidence Act 1872, the Banker’s Book Evidence Act 1891 and the Reserve Bank of India Act 1934). The Act has sections that deal with the authentication of electronic records, electronic signatures and so on. The object of the Information Technology Act, 2000, as defined therein, is as follows: to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ‘electronic methods of communication and storage of information’, to facilitate electronic filing of documents with the government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker’s Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto. Detailed operating procedures for certifying authorities and electronic signatures have been spelt out. The civil offence of data theft and the process of adjudication and the appellate procedure have been described. The Act then goes on to define and describe some of the well-known cybercrimes and lays down the punishments for them. The concept of due diligence, the role of intermediaries and some miscellaneous provisions have also been described.
The IT Act is a pioneering Act in the field of information technology in India and the first legislation that commits itself completely to the electronic environment. India is the twelfth country in the world to have cyber legislation, apart from countries like the U.S., Singapore, France, Malaysia and Japan. The IT Act has brought amendments in four statutes vide Sections 91–94. These changes have been provided in Schedules 1–4. The newly amended Act came with the following highlights:
1. It stresses privacy issues and highlights information security.
2. It elaborates digital signatures.
3. It clarifies reasonable security practices for corporations.
4. It focuses on the role of intermediaries.
5. New forms of cybercrime were added.


5. Give a classification of cybercrime and cybercriminals. [ME-IT, Dec 2017]
Answer
There are three significant categories that cybercrime falls into: (1) individual, (2) property and (3) government. The kinds of methods used and the difficulty levels differ depending upon the category:
1. Property: This is like a real-life instance of a criminal illegally holding a person’s bank or credit card details. The hacker steals an individual’s bank details to access funds, make purchases on the web or run phishing scams to get individuals to give away their data. They could likewise use malicious software to access a web page with private data. Examples: credit card fraud and intellectual property (IP) crimes.
2. Individual: This category of cybercrime includes one individual distributing malicious or unlawful information on the web. This can include cyberstalking, spreading pornography and trafficking. Examples: e-mail spoofing and other online frauds, phishing, vishing, spamming, cyberstalking and harassment, defamation and pornographic offences.
3. Government: This is the least common cybercrime, yet it is the most serious offence. A crime against the government is otherwise called cyberterrorism. Government cybercrime includes hacking government sites or military sites, or distributing propaganda. These criminals are normally terrorists or hostile governments of other countries. Examples: password sniffing, denial-of-service (DoS) attacks, virus attacks, salami attacks, Trojan horses and data diddling.
Cybercriminals are individuals or teams who attempt to exploit vulnerabilities for personal or financial gain. The following is a discussion of the classification of cybercriminals:

(a) Black hat hackers: Black hat hackers are malicious hackers, sometimes called crackers. Black hats lack ethics, sometimes violate laws and break into computer systems with malicious intent, and they may violate the confidentiality, integrity or availability of an organization’s systems and data. Such hackers often have no particular care for the rule of law, the systems that they disrupt, or what ill effects they cause.
(b) White hat hackers: White hat hackers are the good guys, who include professional penetration testers who break into systems with permission, malware researchers who study malicious code to provide better understanding and to disclose vulnerabilities to vendors, etc. White hat hackers are also known as ethical hackers; they follow a code of ethics and obey laws.
(c) Crackers: A cracker is someone who breaks into someone else’s computer system, often on a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. A cracker can be doing this for profit, maliciously, for some altruistic purpose or cause, or because the challenge is there.
(d) Phreakers: Phreakers are individuals who specialize in attacks on the telephone system. The word, which became popular in the mid-1980s, is most likely a blend of the words telephone and freak (phreakers are otherwise called ‘phreaks’ or ‘telephone phreaks’). In the early days, phreakers whistled or used a device to imitate the tones the telephone system then used to route calls and identify payment, particularly as a way to avoid paying for a costly call. Present-day phreaking includes breaking into and controlling the telephone company’s computer system, making it a particular sort of hacking.
(e) Whackers: These are the novice or apprentice hackers who are studying and learning to become hackers. Moreover, hackers who attack wireless LANs and WANs are sometimes known as whackers.

6. Explain in detail cyberdefamation and various types of cybercriminals. [ME-IT, Dec 2018]
Answer
Cyberdefamation: Refer to Subsection 1.5.5 (under the heading Defamation) of Chapter 1.
The various types of cybercriminals: Cybercriminals are individuals or teams who attempt to exploit vulnerabilities for personal or financial gain. The classification of cybercriminals:
1. Black hat hackers: Black hat hackers are malicious hackers, sometimes called crackers. Black hats lack ethics, sometimes violate laws and break into computer systems with malicious intent, and they may violate the confidentiality, integrity or availability of an organization’s systems and data. Such hackers often have no particular care for the rule of law, the systems that they disrupt, or what ill effects they cause.
2. White hat hackers: White hat hackers are the good guys, who include professional penetration testers who break into systems with permission, malware researchers who study malicious code to provide better understanding and to disclose vulnerabilities to vendors, etc. White hat hackers are also known as ethical hackers; they follow a code of ethics and obey laws.
3. Crackers: A cracker is someone who breaks into someone else’s computer system, often on a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. A cracker can be doing this for profit, maliciously, for some altruistic purpose or cause, or because the challenge is there.
4. Phreakers: Phreakers are individuals who specialize in attacks on the telephone system. The word, which became popular in the mid-1980s, is most likely a blend of the words telephone and freak (phreakers are otherwise called ‘phreaks’ or ‘telephone phreaks’). In the early days, phreakers whistled or used a device to imitate the tones the telephone system then used to route calls and identify payment, particularly as a way to avoid paying for a costly call. Present-day phreaking includes breaking into and controlling the telephone company’s computer system, making it a particular sort of hacking.
5. Whackers: These are the novice or apprentice hackers who are studying and learning to become hackers. Moreover, hackers who attack wireless LANs and WANs are sometimes known as whackers.

7. Explain global perspectives of cybercrime [ME-IT, Dec 2019]. Answer Refer to Section 1.7 of Chapter 1.



Questions and Answers: Chapter 2

1. How do criminals plan attacks? Discuss various steps involved. [BE-IT, Dec 2019] (OR) Describe in detail about how criminals plan attacks? [ME-IT, Dec 2017]


Answer
Refer to Subsection 2.2.1 of Chapter 2.

2. What is Bluetooth hacking? Explain tools in brief. [BE-IT, Dec 2019]
Answer
Since your device has Bluetooth capabilities, it also has the capability to be hacked. If your smartphone is hacked via a Bluetooth connection, you are potentially at risk of having your phone’s data, pictures, videos, messages, contacts and other information compromised. The various tools of Bluetooth hacking are as follows:
1. Bluejacking: Bluejacking is probably the most common form of Bluetooth hacking. This happens when a hacker searches for discoverable devices in the area and then sends spam in the form of text messages to the devices. This form of hacking is rather childish and harmless. It was once used mainly to prank people in the past, when mobile devices came with Bluetooth that was automatically set to discoverable. Bluejacking is used today for spam messaging, and the hackers who use this do it just to frustrate others. The method does not give hackers access to your phone or the information on it. The best way to deal with Bluejacking is to ignore the messages if you receive them. If you keep your Bluetooth settings to ‘invisible’ or ‘non-discoverable’ you are not likely to receive these messages. Also keep your smartphone or device set to ‘invisible’ while you are in a busy or open Wi-Fi area; this will prevent Bluejacking and the next two popular forms of hack.
2. Bluesnarfing: This form of hack is more serious than Bluejacking and can leave open some of the private information stored on your smartphone. This is made possible through software. A hacker may purchase software that allows them to request information from your device. Even though this form of hacking is capable of happening while your device is set to ‘invisible’ or ‘non-discoverable’, it is unlikely to happen due to the time, effort and money needed to complete it. The information stolen may seem important to you, but it might not be as precious as banking information. That data can be accessed by hacking your device through Bluebugging.
3. Bluebugging: If a hacker Bluebugs your phone, they gain total access to and control of your device. This makes it possible for them to access all information, including photos, apps, contacts, etc. Bluebugging can happen when your device is left in the discoverable state. From here hackers gain access to your phone at the same point they do when performing Bluejacks. This is a much harder form of hacking than Bluesnarfing and Bluejacking, although it is only feasible on older phones with outdated firmware. Newer smartphones and their owners are less likely to have this happen to them because of the constant updates mobile operating systems perform.

3. Discuss basic security precautions to be taken to safeguard laptops and wireless devices. [BE-IT, Dec 2019] (OR) What are the devices related to security issues? [ME-IT, Dec 2019]
Answer
Keeping your data safe should be a priority for you; here are the 10 best data security measures one can adopt for your devices:
1. Establish strong passwords: This first measure is really easy to put in place. You must put together a combination of capitals, lower-case letters, numbers and symbols to create a strong password. The more characters you put in, the better. With that, you must avoid using your birthday or any personal information, and change the password regularly.
2. Set up a firewall: In order to protect your network, firewalls are an important measure to consider. They are a must-have for any company, as they control the Internet traffic entering and leaving your business.
3. Think of anti-virus protection: Anti-virus and anti-malware are indispensable to protecting your data. They are designed to prevent, search for, detect and remove viruses, but also adware, worms, trojans and so on.
4. Updating is important: Your computer must be properly patched and updated. Recent updates allow your data to be more secure.
5. Secure every laptop: Laptops are portable, so there is a higher risk that they can be stolen. As a consequence, it is important to take more security measures in order to protect all laptops. A simple solution is to encrypt them. In doing so, without the right password, your computer’s data is unreadable.
6. Secure mobile phones: Mobile phones are even more easily stolen than laptops, but they are just as valuable to companies. As with laptops, phones can be encrypted: you can set a strong password and enable an automatic lock-out. You can also set up a wiping process in case the phone is lost or stolen.
7. Schedule backups: You can schedule backups to external hard drives or to the cloud in order to keep your data stored safely. The right frequency is weekly, but you can do incremental backups every few days. You can also use Wimi, which centralizes your documents. With it, you can then share your documents with your team, your clients and your partners.
8. Monitor steadily: Data, software, technologies and everything else are moving fast. Keep track of them and keep in touch with the news to see what is new on the market.
9. Be smart with e-mails and surfing the web: Downloading apps or files, opening e-mails and clicking on links can infect your computer and your network. Be careful with the sources you find online or receive. Take every ‘warning box’ seriously.
10. Educate your employees about data security: Prevention is the best way to keep your data safe. Warned employees will always be more attentive.

4. Explain various challenges posed by mobile devices and their countermeasures. [ME-IT, Dec 2018]
Answer
Mobile security has become a crucial aspect of protecting sensitive data and information. Malicious attacks once focused on PCs have now shifted to mobile phones and applications. These categories are a generalization of the various types of attacks:
1. Multiple-user logging: Mobile phones have come a long way, but they are still not versatile machines like computers. Multiple users on mobile devices still have trouble in opening unique protected accounts. Simply put, what one user does on a mobile device is hardly a private affair. Customizable third-party solutions are available, but it is much safer when phones are not shared.
2. Secure data storage: Mobile phones need good file encryption for strong security. After all, who wants sensitive corporate data to end up in the wrong hands? Without proper encryption, not only are personal documents up for grabs, but also passwords to bank, credit card and even business apps. Encrypting sensitive data ensures would-be thieves gain a whole lot of nothing.
3. Mobile browsing: Perhaps one of the best features of mobile devices is the ability to browse the web on the go, but this also opens up mobile phones to security risks. The problem is that users cannot see the whole URL or link, much less verify whether the link or URL is safe. That means that users could easily browse their way into a phishing-related attack.
4. Application isolation: There are mobile applications for just about everything, from social networking to banking. Before installing any app that comes your way, be sure to read the application’s permission request agreement. This often-overlooked agreement contains valuable information regarding the specific permissions the app needs to access your device. Be mindful of what your application purports to do and what it actually does. Chances are a calculator application does not need access to the Internet or your personal information.
5. System updates: People have a tendency to point fingers at mobile device vendors when it comes to security mishaps, but they are not always to blame. Updates and patches designed to fix issues in mobile devices are not quite as cut and dried as with PCs. Mobile device vendors often release updates and patches, but unfortunately carriers do not always pass them on, for commercial or bureaucratic reasons.
Here are some tips on how to ensure your mobile security:
1. Only download safe apps: Apps are the easiest point of entry for hackers and malware, because we willingly download them to our phone. All they have to do is make one attractive enough for us to want to download it.
2. Encrypt your phone: Most of today’s phones have some form of automatic encryption or an encryption feature you can enable. Be sure to do so.
3. Update the operating system: I know it is a pain, but it needs to be done. When you get the message that says a new OS is available, take the time to set it up and do the download.
4. Back up your data: Most mobile users back up their data about as often as they update their operating systems, which is to say not too often. You can upload your phone’s settings, data, pictures, music, etc. to the cloud, which in itself poses a risk to your security, or directly to a laptop or PC.

5. How is an attack vector used by an attacker to gain access to a system? [ME-IT, Dec 2017]
Answer
In cybersecurity, an attack vector is a method or pathway used by a hacker to access or penetrate the target system. Hackers steal information, data and money from people and organizations by investigating known attack vectors and attempting to exploit vulnerabilities to gain access to the desired system. Once a hacker gains access to an organization’s IT infrastructure, they can install malicious code that allows them to remotely control the IT infrastructure, spy on the organization or steal data or other resources. The following list provides the details of how attackers exploit attack vectors:
1. Infecting your systems with bots that the hacker can remotely access from an off-site command and control server. Some hackers infect hundreds or thousands of computers with bots to establish a network known as a botnet. Botnets can be used to send spam, perform cyberattacks, steal data or mine cryptocurrency.
2. Customer data theft is a common motivation for hackers who target organizations that collect and store large amounts of personal data from their customers. Hackers love to steal personalized healthcare information, as it can be used to commit insurance or credit card fraud or to illegally obtain prescription drugs.
3. A denial-of-service (DoS) attack can overload your systems and lead to unplanned service outages. Businesses may initiate DoS attacks against their competitors to damage their IT infrastructure and harm their sales.
4. Hackers identify a target system that they wish to penetrate or exploit.
5. Hackers use data collection and observation tools such as sniffing, e-mails, malware or social engineering to obtain more information about the target.
6. Hackers break the security system using the tools they created, then install malicious software applications.
7. Securing potential attack vectors against exploitation by hackers requires IT organizations to implement policies and procedures that prevent hackers from obtaining useful information about IT security vulnerabilities.

5. What do you understand by social engineering? Give a classification. [ME-IT, Dec 2017] (OR) Explain social engineering. What are the security threats that can emanate from social networking sites? [ME-IT, Dec 2018]
Answer
Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain. Threat actors use social engineering techniques to conceal their true identities and motives and present themselves as a trusted individual or information source. The objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. Many social engineering exploits simply rely on people’s willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.
Classification of social engineering: Refer to Subsection 2.2.2 of Chapter 2.
Security threats that can emanate from social networking sites: Such possible threats are listed as follows:
1. Baiting: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found. The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware.
2. Phishing: Phishing is when a malicious party sends a fraudulent e-mail disguised as a legitimate e-mail, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
3. Spear phishing: Spear phishing is like phishing but tailored for a specific individual or organization.
4. Vishing: Vishing is also known as voice phishing, and it is the use of social engineering over the phone to gather personal and financial information from the target.
5. Pretexting: Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
6. Scareware: Scareware involves tricking the victim into thinking his computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker’s malware.
7. Water-holing: A watering hole attack is when the attacker attempts to compromise a specific group of people by infecting websites they are known to visit and trust, in order to gain network access.

6. Explain credit card frauds in mobile and wireless computing. [ME-IT, Dec 2019]
Answer
Refer to Subsection 2.5.2 of Chapter 2.

7. Explain cloud computing with cyberattacks. [ME-IT, Dec 2019; ME-IT, Dec 2018]
Answer
Cloud computing: Refer to Subsection 2.3.3 of Chapter 2.
The possible attacks on cloud computing are listed as follows:
1. Denial-of-service (DoS) attacks: One of the major threats to cloud computing is DoS attacks. These can shut down your cloud services and make them unavailable not only to your users and customers, but also to your staff and business as a whole. Cybercriminals can flood your system with a very large amount of web traffic that your servers are unable to cope with.
2. Hijacking accounts: The greatest threat to a business that uses cloud computing technologies is the challenge of hijacked accounts. If a criminal can gain access to your system through a staff account, they could potentially have full access to all of the information on your servers without you even realizing any crime has taken place. Cybercriminals use techniques such as password cracking and phishing e-mails in order to gain access to accounts.
3. Insecure applications: Sometimes it can be the case that your own system is highly secure, but you are let down by external applications. Third-party services, such as applications, present serious cloud security risks, and you should ensure that your team or cybersecurity experts take the time to establish whether an application is suitable for your network before it is installed.
4. Data breaches: Perhaps the most common threat to cloud computing is the issue of leaks or loss of data through data breaches. A data breach typically occurs when a business is attacked by cybercriminals who are able to gain unauthorized access to the cloud network or use programs to view, copy and transmit data. If you use cloud computing services, a data breach can be extremely damaging, and it can happen relatively easily. Losing data can violate the General Data Protection Regulation (GDPR), which could cause your business to face heavy fines.


8. What do you mean by cyberstalker? Discuss types of stalker and their mitigation techniques. [ME‑IT, Dec 2018]
Answer
Refer to Subsection 2.2.3 of Chapter 2.

9. What are the attacks on mobile phones? [ME-IT, Dec 2019]
Answer
Attacks on mobile phones seen in the 21st century, around 2020, are listed in the following:
1. OS attacks: Loopholes in the OS create vulnerabilities that are available to attack. Vendors attempt to tackle these with patches.
2. Mobile app attacks: Poor coding and inappropriate development create loopholes and compromise security.
3. Communication network attacks: Communication channels, for example Bluetooth and Wi-Fi connections, make devices vulnerable.
4. Malware attacks: There has been a steady rise in malware for mobile phones. The focus is on erasing files and creating chaos.
5. Data leakage: Data leakage can also happen through hostile enterprise-signed mobile apps. These mobile malware programs use distribution code native to popular mobile operating systems like iOS and Android to move valuable data across corporate networks without raising red flags.
6. Unsecured Wi-Fi: No one wants to burn through their cellular data when wireless hot spots are available, but free Wi-Fi networks are usually unsecured.
7. Network spoofing: Network spoofing is when hackers set up fake access points (connections that look like Wi-Fi networks, but are actually traps) in high-traffic public locations such as coffee shops, libraries and airports. Cybercriminals give the access points common names like ‘free airport Wi-Fi’ or ‘coffeehouse’ to encourage users to connect.

Questions and Answers: Chapter 3

1. Explain various types of keyloggers in brief. [BE, Dec 2019] (OR) Write a short note on keyloggers. [ME, Dec 2017]
Answer
Refer to Subsection 3.3.1 of Chapter 3.

2. Explain various keyloggers along with the role of anti-keyloggers. [BE-IT, Dec 2019]
Answer
Refer to Subsection 3.3.1 of Chapter 3.

3. Compare vishing, phishing and smishing. [BE, Dec 2019]
Answer
Table B.3 lists the comparison between vishing, phishing and smishing.


Table B.3  Comparison between Vishing, Phishing and Smishing

Phishing: Phishing is a cybercrime where the attacker pretends to be legitimate in order to get information from the user. In this attack, the attacker contacts the user through e-mail, telephone or text messages, or using links and websites, to get sensitive data such as banking and credit card details, passwords and personally identifiable information. The attacker pretends to be legitimate to individuals. The information collected is then used by the attacker to access important accounts, and this can lead to financial loss and identity theft.

Vishing (Voice Phishing): Vishing is voice phishing, where the attacker uses phone calls to get information from the user. Usually a fake caller ID is used for making calls, and the information gathered by attackers is either personal information or bank details. The attacker makes the user feel a sense of urgency, and thus the user provides important information to the attacker immediately.

Smishing (SMS Phishing): Smishing refers to short message service (SMS) phishing. Here, SMS messages are sent to users provoking them to click on the links provided in the message. The attacker pretends to be legitimate to individuals. Thus, users might click on the link and send information to the attacker. The information collected is then used by attackers to access important accounts.
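The two rows of Table B.3 that rely on a link (phishing and smishing) can be partly caught on the defender's side by inspecting the message before the user clicks. The following Python script is an added example, not code from the textbook: it pulls the URLs out of a message, flags the tricks the table describes (a trusted brand name used inside an untrusted host, user-info before '@' that hides the real host, a raw IP address) and notes the "sense of urgency" wording the vishing row mentions. The trusted-domain list (examplebank.com) and both sample messages are constructed for illustration.

```python
"""
Link and wording check for suspected phishing or smishing messages.

Added example for Table B.3 (phishing vs vishing vs smishing); it is not
the textbook's own code. The trusted-domain list and the sample messages
are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation's users legitimately visit.
TRUSTED_DOMAINS = ("examplebank.com",)

# Wording typical of the "sense of urgency" the table describes.
URGENCY_TERMS = ("urgent", "verify", "suspended", "immediately", "act now", "click here")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in a message, normalised to carry a scheme."""
    urls = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")          # drop sentence punctuation glued to the link
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        urls.append(raw)
    return urls


def registrable_domain(host):
    """Crude 'brand.tld' extraction: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def check_url(url):
    """Return a list of reasons the URL looks suspicious (empty list = nothing found)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a host name")
    if parsed.username is not None:
        # In http://examplebank.com@evil.example/ the part before '@' is user-info,
        # not the host, so the real destination is hidden from a casual reader.
        reasons.append("user-info before '@' hides the real host")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host:
                reasons.append(f"lookalike: '{brand}' used inside untrusted host '{host}'")
                break
    return reasons


def analyse_message(text):
    """Combine per-link findings with urgency wording into one list of findings."""
    findings = []
    for url in extract_urls(text):
        for reason in check_url(url):
            findings.append(f"{url}: {reason}")
    hits = [term for term in URGENCY_TERMS if term in text.lower()]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings


# Constructed sample messages.
SMISHING_SMS = ("ExampleBank: your account is suspended. Verify immediately at "
                "http://examplebank.com.secure-login.example/verify.")
LEGITIMATE_SMS = "ExampleBank: your monthly statement is ready at https://www.examplebank.com/statements"

if __name__ == "__main__":
    for label, msg in (("smishing", SMISHING_SMS), ("legitimate", LEGITIMATE_SMS)):
        print(label, analyse_message(msg) or ["no findings"])
```

The registrable-domain step is deliberately crude (last two labels), which is enough for the constructed samples; a deployment would use the public suffix list so that hosts such as example.co.uk are split correctly.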

4. What is an SQL injection attack? Are there any countermeasures that can be used to prevent the attack? [ME, Dec 2017]
Answer
SQL injection attack: An SQL injection attack is also known as an SQLi attack, and this attack is linked with SQL, that is, Structured Query Language. In this attack, attackers use SQL vulnerabilities to execute malicious SQL statements. Web applications and websites use databases to store data, and these databases use SQL for performing operations on data. Hence, SQL statements can control the database server. Attackers use this technique to add, retrieve or alter data in the database. This attack can affect any website or web application using an SQL database such as Oracle, SQL Server, MySQL, etc., if SQL vulnerabilities are not addressed properly. Attackers can gain access to personal data, customer information or anything else stored in the database.
Preventive measures to avoid SQL injection: Refer to Subsection 3.5.5 of Chapter 3.

5. What is a blind SQL injection attack? Discuss mitigation of SQL injection attacks. [ME, Dec 2019]
Answer
Refer to Subsection 3.5.3 (under the heading Inferential SQLi (Blind SQLi)) and Subsection 3.5.5 of Chapter 3.

6. Explain in detail the concept of phishing and identity theft. [ME, Dec 2017]
Answer
Phishing: Phishing is a cybercrime where an attacker pretends to be legitimate in order to get information from the user. For conducting this attack, the attacker contacts users through e-mail, telephone or text messages, or using links and websites, to get sensitive data such as banking and credit card details, passwords and personally identifiable information. The attacker pretends to be legitimate to individuals.


The information collected is then used by attackers to access important accounts, and this can lead to financial loss and identity theft. Two main techniques among the several techniques of phishing are as follows: voice phishing, also known as vishing, and SMS phishing, also known as smishing. In vishing, attackers call users to gain personal and sensitive information, while in smishing, attackers use the SMS service and send SMS messages to users containing contact numbers, e-mail addresses or links to websites.
Identity theft basics: Refer to Subsection 3.6.5 of Chapter 3.
The different techniques used by attackers for conducting identity theft: The different techniques used by attackers for conducting identity theft can be prevented by taking the following steps:
1. Periodically check your bank and credit card statements.
2. Do not throw credit, debit or ATM card receipts away in public or leave them anywhere. Dispose of them properly.
3. Never provide sensitive information on social media or any website unless you find it secure.
4. Never give personal information via phone, mail or the Internet.
5. Protect the identity information stored on your computer by using a firewall, a secure browser, virus protection applications, anti-virus software, etc.

7. Explain various types of phishing attacks and their countermeasures. [ME, Dec 2018]
Answer
Phishing: Phishing is a cybercrime where an attacker pretends to be legitimate to get information from the user. For conducting this attack, the attacker contacts users through e-mail, telephone or text messages, or using links and websites, for getting sensitive data such as banking and credit card details, passwords and personally identifiable information. The attacker pretends to be legitimate to individuals. The information collected is then used by attackers to access important accounts, and this can lead to financial loss and identity theft.
Two main techniques among the several techniques of phishing are listed as follows: voice phishing, also known as vishing, and SMS phishing, also known as smishing. In vishing, attackers call users to gain personal and sensitive information, while in smishing, attackers use the SMS service and send SMS messages to users containing contact numbers, e-mail addresses or links to websites.
Preventive measures to avoid phishing scams: Refer to Subsection 3.6.4 of Chapter 3.

8. Write a short note on identity theft. [ME, Dec 2018]
Answer
Refer to Subsections 3.6.5, 3.6.7 and 3.6.8 of Chapter 3.
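Questions 4 and 5 above describe SQL injection as the database executing SQL that the attacker supplied, and point to parameterised queries as the countermeasure. The following is an added example, not from the textbook, that puts the two forms of the same lookup side by side on an in-memory SQLite table; the table, its rows and the test string are constructed for the example.

```python
"""String-built query versus parameterised query (added example, constructed data)."""
import sqlite3


def make_db():
    """Create an in-memory customers table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The user-supplied value is pasted into the SQL text, so quote characters in the
    input change the statement itself. This is the defect the answer describes."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The value travels separately from the statement through a placeholder; the
    database never parses it as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


ORDINARY_INPUT = "alice"
# The classic textbook test string: the quote closes the literal and the rest becomes
# an always-true condition in the string-built version.
TAUTOLOGY_INPUT = "x' OR 'a'='a"


def demo():
    """Run both lookups with both inputs and return the row counts and rows."""
    conn = make_db()
    return {
        "vulnerable_ordinary": lookup_vulnerable(conn, ORDINARY_INPUT),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "safe_ordinary": lookup_safe(conn, ORDINARY_INPUT),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the ordinary input both functions return the single matching row. With the test string the string-built query returns every customer, because the WHERE clause has become a tautology, whereas the parameterised query returns nothing, because it is looking for a user literally named `x' OR 'a'='a`. The same placeholder mechanism exists in every mainstream driver for Oracle, SQL Server and MySQL; escaping by hand is not an equivalent defence.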

9. What do you understand by DoS and DDoS attacks? Explain in detail. [ME, Dec 2017]
Answer
DoS attack
1. A DoS attack is conducted by flooding the server with TCP and UDP packets.
2. This flooding of packets causes server overloading.
3. The server cannot accept further packets from users due to overloading. So, the server becomes unavailable and service is denied to the users.
4. These types of attacks are specially used for denying services, shutting down network services or individual machines, or slowing down services.


5. These attacks can cause massive damage. With this attack, a whole organization can be stopped for a day or sometimes even for weeks.
6. For the victim organisation, the disturbance in service can be enormous even if data is not lost.
7. The cost to organizations of being unable to access the network runs into thousands. Also, the time spent offline by the organisation is added to this.
8. Apart from this, the reputation of the organisation gets affected.
9. So, it is very important to prevent DoS attacks in this modern world of technology.
10. Nowadays, DDoS attacks have taken over from DoS attacks due to the effectiveness of these attacks. They are easy to conduct and the tools for conducting them are easily available. DDoS attacks are derived from DoS attacks.
DDoS attack
1. DDoS attack stands for distributed denial-of-service attack.
2. In this attack, multiple systems are used by attackers to conduct the attack.
3. Targeted networks are attacked with packets sent from these multiple systems at different locations.
4. Since many systems from different locations are used in this attack, it becomes difficult to find the origin of the attack and hence finding the attacker becomes difficult.
5. Attackers require multiple systems to conduct the attack.
6. These systems are known as slave computers and are also known as zombies or bots. The network formed from these bots is known as a botnet.
7. This botnet is managed by the bot master or attacker using a command and control server.
8. Botnets generally have from a few to hundreds of bots. These bots follow the orders given by the bot master/attacker and conduct the attack.
9. For conducting DDoS attacks, bots are used, and hence if the attack is successful, the damage to the victim is very big.

10. Explain in detail mitigation techniques for DoS and DDoS attacks. [ME, Dec 2018]
Answer
Refer to Subsection 3.4.1 (under the heading How to Prevent DDoS Attacks?) of Chapter 3.

11. What is the buffer overflow problem? How are NOPs used to cause the buffer overflow problem? Discuss three tools used to defend against buffer overflow problems. [ME, Dec 2018]
Answer
Buffer overflow
1. Buffers are temporary storage memory regions. They are used for storing data temporarily.
2. When the data is more than the buffer storage capacity, a buffer overflow occurs.
3. In this situation, since the buffer is full, adjacent memory locations are used.
4. Suppose your buffer is designed for 8 bytes of storage but 2 extra bytes arrive; these extra 2 bytes are stored in the memory just beyond the buffer boundary.
5. Buffer overflow can affect any software. This overwriting can cause a lot of issues such as programs behaving unpredictably, memory access errors, crashes, and even incorrectly generated results.
6. Attackers use this as an attack to trigger responses that damage files or change the execution of the program.


NOP-sled
1. A NOP-sled is a sequence of NOP (no-operation) instructions meant to slide the CPU’s instruction execution flow to the next memory address.
2. Wherever the return address lands in the NOP-sled, execution is going to slide along the buffer until it hits the start of the shellcode. NOP values may differ per CPU, but for the OS and CPU we are aiming at, the NOP value is \x90.

Figure B.7  NOP sled and shellcode layout. (The figure shows a run of \x90 bytes labelled NOP-sled, followed by the first bytes of the shellcode: \x31 \xc0 \x50 \x58 \x2f.)

3. With a NOP-sled, it does not matter where the shellcode is in the buffer for the return address to hit it.
4. What we do know is that it will be somewhere in the buffer and its size will be 25 bytes.
5. With a shellcode of 25 bytes and a payload of 108 bytes, we have 83 bytes left to fill, which we will divide on both sides of the shellcode like this:
6. Payload: [NOP SLED][SHELLCODE][20 × ‘E’]
7. The NOP-sled will be placed at the start of the payload, followed by the shellcode.
8. After the shellcode we will place a filler, for now consisting of a bunch of ‘E’ characters (0x45 in hexadecimal).
9. This filler will later be replaced by the memory address pointing to somewhere in the NOP-sled inside the buffer.

12. What do you mean by computer virus, worms, Trojans and malware? Discuss protection mechanisms against them. [ME, Dec 2019]
Answer
Virus
1. A virus is a program that damages documents or changes your file contents.
2. A virus may corrupt or eradicate the data available on your computer.
3. A virus can also replicate itself.
4. A computer virus makes changes to or deletes files, whereas computer worms replicate themselves without making any changes to your files or data.
5. This is why viruses are more harmful than worms.
6. A virus could enter your computer as an attachment of images, greetings, or video/audio files. They also enter through downloads from the Internet.
Worms
1. A worm is a malicious program that copies itself repeatedly.
2. Worms recreate themselves on local drives, network shares, etc.
3. This is the only purpose of worms, as they do not harm any data or file on the computer the way a virus does.
4. Worms do not need to attach themselves to any existing program. They spread by exploiting vulnerabilities in operating systems.


5. Because of its replicating nature, a worm consumes a massive amount of space on the hard drive and also consumes more CPU, which ends up making the PC slower and also increases the consumption of network bandwidth.
Trojan
1. Trojans, also known as Trojan horses, are malware used for compromising the target device.
2. These are nothing but programs.
3. They are attached to some other application so that the user downloads the application and, along with it, the attached Trojan gets downloaded.
4. These are specially used by attackers to get access to the system.
5. Once these are installed, the system becomes slow and sometimes even crashes.
6. These are then used by attackers to gain information about your device.
7. This can cause data theft and other serious issues.
8. Trojans are generally transferred via e-mail attachments, by sharing files, by appending them to other programs that can be downloaded via the Internet, and by using chat/discussion.
Malware
1. Malware is any piece of software that was written with the intent of damaging devices, stealing data and generally causing a mess.
2. Viruses, Trojans, spyware and ransomware are among the different kinds of malware.
3. Malware is often created by teams of hackers: usually, they are just looking to make money, either by spreading the malware themselves or by selling it to the highest bidder on the Dark Web.
4. However, there can be other reasons for creating malware too – it can be used as a tool for protest, a way to test security, or even as a weapon of war between governments.
Preventive measures
1. Do not download unknown and unverified applications from the Internet. Download applications only from trusted sources.
2. Use anti-virus software on your devices. The anti-virus will scan files and, if anything malicious is found, it will inform you.
3. Use a firewall to restrict untrusted sites.
4. Make sure you update your applications whenever a new update arrives.
5. Do not download anything from e-mails unless the person sending you the e-mail is a trusted source.

13. What are botnets? How are they exploited by attackers to cause cyberattacks? [ME, Dec 2017]
Answer
1. A botnet is nothing more than a string of connected computers coordinated together to perform a task. That can be maintaining a chatroom, or it can be taking control of your computer.
2. Botnets are just one of the many perils out there on the Internet. Botnets are the workhorses of the Internet. They are connected computers performing a number of repetitive tasks to keep websites going. The term is most often used in connection with Internet Relay Chat. These types of botnets are entirely legal and even beneficial to maintaining a smooth user experience on the Internet.


3. What you need to be careful of are the illegal and malicious botnets. What happens is that botnets gain access to your machine through some piece of malicious code. In some cases, your machine is directly hacked, while at other times what is known as a ‘spider’ (a program that crawls the Internet looking for holes in security to exploit) does the hacking automatically.
4. More often than not, what botnets are looking to do is to add your computer to their web. That usually happens through a drive-by download or by fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.
5. Once the botnet’s owner is in control of your computer, they usually use your machine to carry out other nefarious tasks. Common tasks executed by botnets include the following:
(a) Using your machine’s power to assist in distributed denial-of-service (DDoS) attacks to shut down websites.
(b) E-mailing spam out to millions of Internet users.
(c) Generating fake Internet traffic on a third-party website for financial gain.
(d) Replacing banner ads in your web browser with ones specifically targeted at you.
(e) Pop-up ads designed to get you to pay for the removal of the botnet through a phony anti-spyware package.
(f) The short answer is that a botnet is hijacking your computer to do what botnets do – carry out mundane tasks – faster and better.
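Question 9 distinguishes a DoS flood from a single source from a DDoS flood spread across many bots, and Question 13 above lists DDoS as the first task a botnet is put to. From the victim's side the difference is visible in the access log: the same burst of requests comes either from one address or from dozens. The following is an added example, not from the textbook, that buckets constructed Apache-style log lines into 10-second windows, flags windows whose request count exceeds a threshold, and labels each flagged window by how the requests are spread across sources. The log lines, IP addresses (documentation ranges), thresholds and window size are all constructed assumptions for the example.

```python
"""Flag request floods in access-log lines and tell single-source from distributed floods
(added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined-log format: client ip, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10           # assumed bucket size
FLOOD_THRESHOLD = 40          # assumed: more requests than this per window is a flood
SINGLE_SOURCE_SHARE = 0.8     # one address sending >= 80% of a flood: single-source DoS
MIN_DISTRIBUTED_SOURCES = 20  # assumed: at least this many addresses: distributed (DDoS)


def parse_line(line):
    """Return (ip, timestamp) for a well-formed log line, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return match.group("ip"), datetime.strptime(match.group("ts"), TS_FMT)


def window_key(ts):
    """Start of the WINDOW_SECONDS bucket containing ts, as a Unix timestamp."""
    epoch = int(ts.timestamp())
    return epoch - epoch % WINDOW_SECONDS


def analyse(log_text):
    """Return one finding per flooded window, in time order."""
    per_window = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            per_window[window_key(ts)][ip] += 1
    findings = []
    for key in sorted(per_window):
        counts = per_window[key]
        total = sum(counts.values())
        if total < FLOOD_THRESHOLD:
            continue  # ordinary traffic
        top_ip, top_n = counts.most_common(1)[0]
        if top_n / total >= SINGLE_SOURCE_SHARE:
            kind = "DoS (single source)"
        elif len(counts) >= MIN_DISTRIBUTED_SOURCES:
            kind = "DDoS (distributed)"
        else:
            kind = "flood (few sources)"
        findings.append({
            "window_start": datetime.fromtimestamp(key, timezone.utc).isoformat(),
            "requests": total,
            "sources": len(counts),
            "top_ip": top_ip,
            "kind": kind,
        })
    return findings


def _line(ip, second, path="/"):
    """Build one constructed log line at 10:08:<second> on a fixed date."""
    return f'{ip} - - [07/Oct/2020:10:08:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a quiet window, then a single-source flood, then a botnet flood.
_lines = [_line("203.0.113.5", 1), _line("198.51.100.7", 2, "/login"), _line("203.0.113.5", 3)]
_lines += [_line("198.51.100.99", 20 + i % 10) for i in range(50)]   # one address, 50 requests
_lines += [_line("203.0.113.5", 25)]                                # a real user caught in it
_lines += [_line(f"192.0.2.{n}", 40 + i % 10) for n in range(1, 31) for i in range(2)]  # 30 bots
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The single-source case is the one a rate limit or a firewall rule on the offending address can stop; the distributed case is why the answer says the origin is hard to find, and why the usual response is upstream filtering or scrubbing rather than blocking addresses one by one. The thresholds here are placeholders; in production they are set from the site's own baseline traffic.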



Questions and Answers: Chapter 4

1. What is e-commerce? Explain different types of e-commerce with suitable examples.
Answer
E-commerce or electronic commerce is defined as the buying and selling of goods, products or services over the Internet. Online transactions of money, funds transfers and data are also included in the process of e-commerce.
Types of e-commerce: E-commerce applications are grouped based on the relationship between the participating organizations and the type of transaction. Businesses, consumers and the government are the most frequent types of entities which participate in an e-commerce transaction. Based on these entities, e-commerce applications are classified into the following categories:
1. Business-to-consumer (B2C)
(a) This category is related to transactions between a business and the end consumer or end customer.
(b) This type is also called ‘electronic retailing’ as it copies traditional physical retailing.
(c) Examples: A consumer buying from an online shopping store like Amazon.com or Flipkart.com.
2. Business-to-business (B2B)
(a) This category is related to transactions between two businesses.
(b) These transactions are big in terms of volume and value of goods and services.
(c) Example: A manufacturer obtaining raw material from the seller online.




3. Consumer-to-consumer (C2C)
(a) This category is related to transactions between two end consumers.
(b) These transactions are provided by third-party platforms or are conducted through the use of social media.
(c) Examples: Online platforms like PayPal or social media networks like Facebook Marketplace.
4. Consumer-to-business (C2B)
(a) This category is related to transactions where an individual consumer provides a service or a good to a business and gets paid for it.
(b) Examples: A consumer can take online surveys on websites like SurveyMonkey.com or do freelance jobs on websites like Freelancer.com.
5. Government-to-citizen (G2C)
(a) This category is related to transactions between government organizations and citizens.
(b) E-governance is implemented through this model, where citizens can interact with government bodies through the electronic medium and avail services directly through government websites.
(c) It helps to reduce time and make better use of the resources of the government and the citizens.
(d) Better transparency is achieved in government processes.
(e) Examples: paying taxes online, registration of birth, marriage or death certificates, and more.

2. What is an e-contract? Discuss the e-contract act, 1872.
Answer
Due to the use of the Internet, trade has increased on a large scale between individuals, businesses and the government beyond geographic boundaries. With the help of e-commerce, goods and services can be obtained and payment can be made in seconds. This makes the process rapid, easier and increasingly efficient. Traditional physical contracts are not suited to these exchanges, which are completed on the web. For example, if two entities belong to two different geographic regions, they will face delay and difficulty in signing the contract. Hence, in these cases, an e-contract is useful, as an e-contract can be signed instantly by both entities. This saves a lot of time and cost as well.
For the meaning of certain terms in the Indian Contract Act, 1872: Refer to Table 4.1 of Chapter 4.

3. How does the Indian Penal Code (IPC), 1860 address cybercrime?
Answer
Refer to Subsection 4.5.3 of Chapter 4.

4. What are the global trends in cyber law?
Answer
Refer to Subsections 4.6.2 and 4.6.3 of Chapter 4.


5. Explain the legal framework of electronic data exchange.
Answer
Refer to Section 4.7 of Chapter 4.

6. The intellectual property aspect in cyber law.
Answer
Refer to Subsection 4.4.1 of Chapter 4.

7. Laws related to electronic banking.
Answer
Bankers’ Books Evidence Act, 1891: The Bankers’ Books Evidence Act was enacted in 1891 to amend the law of evidence with respect to bankers’ books. It applies to legal cases involving financial transactions where banking records can be cited as evidence. The act contains sections which briefly state its provisions, including the definitions, scope and objective of the act. Any institution or company which carries out banking operations is bound by the act if any legal proceeding is initiated against it. It is liable to produce all banking records, including ledgers, account books or any information related to record keeping, if ordered by the court to do so.
The Information Technology Act, 2000, has made amendments to the Bankers’ Books Evidence Act, 1861, Section 2: ‘Definitions’, and has added Section 2A: ‘Conditions in the printout’.
Subsection 2(3)(a): Bankers’ books include ledgers, day-books, accounting books and all other books used in the ordinary business of a bank, whether kept in written form or as printouts of data stored in a floppy, disc, tape or any other form of electromagnetic data storage device.
Subsection 2(8)(b): Certified copy means, when the books of a bank consist of printouts of data stored in a floppy, disc, tape or any other electromagnetic data storage device, a printout of such entry or a copy of such printout together with such statements certified in accordance with the provisions of Section 2A.
Section 2A, Conditions in the printout: A printout of an entry or a copy of a printout referred to in Subsection (8) of Section 2 shall be accompanied by the following, namely,
(a) a certificate to the effect that it is a printout of such entry or a copy of such printout, by the principal accountant or branch manager; and
(b) a certificate by a person in charge of the computer system containing a brief description of the computer system and the particulars of
· the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorised persons;
· the safeguards adopted to prevent and detect unauthorised change of data;
· the safeguards available to retrieve data that is lost due to systemic failure or any other reasons;
· the manner in which data is transferred from the system to removable media like floppies, discs, tapes or other electromagnetic data storage devices;
· the mode of verification in order to ensure that data has been accurately transferred to such removable media;


· the mode of identification of such data storage devices;
· the arrangements for the storage and custody of such storage devices;
· the safeguards to prevent and detect any tampering with the system; and
· any other factor which will vouch for the integrity and accuracy of the system.
(c) a further certificate from the person in charge of the computer system to the effect that, to the best of his knowledge and belief, such computer system operated properly at the material time, he was provided with all the relevant data, and the printout in question represents correctly, or is appropriately derived from, the relevant data.
Reserve Bank of India Act, 1934: This is the legislative act under which the Reserve Bank of India (RBI), the central bank of India, was formed and commenced its operations on 1st April 1935. It provides a framework for the supervision of banks and other related matters in India. It empowers the Reserve Bank of India to act as banker to the Government and to manage the public debt; as per Section 22, only the RBI can issue and regulate currency notes in India.
The Reserve Bank of India Act, 1934 was amended by the Indian Information Technology Act, 2000. Clause (p) was added to Section 58, Subsection (2) to facilitate electronic funds transfer and ensure the legal admissibility of documents and records related to such transactions. It deals with the regulation of funds transfer through electronic means between banks, which include RTGS, NEFT, IMPS and other modes of transactions.
Subsection 58(2)(p): the regulation of clearing-houses for [the banks (including post office savings banks)]; [(pp) the regulation of fund transfer through electronic means between the banks or between the banks and other financial institutions referred to in clause (c) of section 45-I, including the laying down of the conditions subject to which banks and other financial institutions shall participate in such fund transfers, the manner of such fund transfers and the rights and obligations of the participants in such fund transfers].
The Payment and Settlement Systems Act, 2007 (PSS Act, 2007) was legislated in 2007 to govern and regulate all the modes of payment systems used in India. It gives power to the RBI to direct and regulate the payment systems and the payment system participants in India. Payment systems include the systems that enable payment operations using credit cards, debit cards, smart cards, different methods of electronic fund transfer or any such operation. It does not include payment operations involving stock exchanges or clearing corporations set up under stock exchanges.
Section 2(1)(i) of the PSS Act, 2007 defines a Payment System as follows: A system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service or all of them, but does not include a stock exchange.
The RBI has made two Regulations under the PSS Act, 2007, which came into force in 2008. They are as follows:
1. Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008 (BPSS Regulations)
(a) It is a sub-committee of the Central Board of the RBI and is the highest policy-making body on payment systems.
(b) It is empowered to authorise, prescribe policies and set standards for regulating and supervising all the payment and settlement systems in India.




(c) It acts on behalf of the RBI to regulate and supervise the payment and settlement systems under the PSS Act, 2007.
2. Payment and Settlement Systems Regulations, 2008 (PSS Regulations): These govern the procedural requirements, like the form of application for authorisation for commencing/carrying on a payment system and the grant of authorisation, payment instructions and the determination of standards of payment systems. They also lay down the compliance requirements, such as the furnishing of returns/documents or other information, and the furnishing of accounts and balance sheets by the system provider, etc. to the RBI.

Questions and Answers: Chapter 5

1. Explain how appeals can be made under the IT Act, 2000. [BE-IT, Dec 2019]
Answer
According to the IT Act, 2000, appeals can be made according to Section 57 and Section 62.
Section 57: Appeal to Cyber Appellate Tribunal
1. Save as provided in Subsection (2), any person aggrieved by an order made by the Controller or an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter.
2. No appeal shall lie to the Cyber Appellate Tribunal from an order made by an adjudicating officer with the consent of the parties.
3. Every appeal under Subsection (1) shall be filed within a period of forty-five days from the date on which a copy of the order made by the Controller or the adjudicating officer is received by the person aggrieved, and it shall be in such form and be accompanied by such fee as may be prescribed: Provided that the Cyber Appellate Tribunal may entertain an appeal after the expiry of the said period of forty-five days if it is satisfied that there was sufficient cause for not filing it within that period.
4. On receipt of an appeal under Subsection (1), the Cyber Appellate Tribunal may, after giving the parties to the appeal an opportunity of being heard, pass such orders thereon as it thinks fit, confirming, modifying or setting aside the order appealed against.
5. The Cyber Appellate Tribunal shall send a copy of every order made by it to the parties to the appeal and to the concerned Controller or adjudicating officer.
6. The appeal filed before the Cyber Appellate Tribunal under Subsection (1) shall be dealt with by it as expeditiously as possible, and endeavour shall be made by it to dispose of the appeal finally within six months from the date of receipt of the appeal.
Section 62: Appeal to High Court
Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within sixty days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him on any question of fact or law arising out of such order: Provided that the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days.


2. What is electronic governance? Explain the role of digital signature in e-governance. [ME-IT, Dec 2017]
Answer
1. Electronic governance or e-governance is the application of IT for delivering government services, exchange of information, communication transactions and the integration of various standalone systems between government and citizens (G2C), government and business (G2B), government and government (G2G), and government and employees (G2E), as well as back-office processes and interactions within the entire government framework. Through e-governance, government services are made available to citizens in a convenient, efficient and transparent manner. The three main target groups that can be distinguished in governance concepts are government, citizens and businesses/interest groups. In e-governance, there are no distinct boundaries.
2. The digital signature is the method used to validate and authorize the content and the users who are involved in the e-governance system. The digital signature assures the sender’s identity; this is known as non-repudiation: the sender cannot deny having sent the particular message, content or document.
3. If any person, without the acquiescence of the title-holder, accesses the owner’s computer, computer system or computer network, or downloads copies or any extract, or introduces any computer virus, or damages computer, computer system or computer network data, etc., he/she shall be liable to pay damages by way of compensation not exceeding Rupees One Crore to the person so affected.
4. In order to facilitate governance and adjudication, the Central Government may appoint any officer, not below the rank of Director to the Government of India or an equivalent officer of any State Government, to be an Adjudicating Officer. The Adjudicating Officer, while trying cases of the above-mentioned nature, shall consider the amount of gain of unfair advantage or the amount of loss that may be suffered by a person.
5. The aforesaid provisions were not incorporated in the Information Technology Act, 2000 but were suggested by the Select Committee of Parliament.
6. Under the Act, the Central Government has the power to prescribe the security procedure in relation to electronic records and digital signatures; the ‘Apex Authority’ is to manage the digital signature system, which aims at promoting the growth of e-commerce and e-governance. The Central Government may appoint a Controller of Certifying Authorities (CCA) who shall exercise supervision over the activities of Certifying Authorities.
The following are some of the e-governance applications already using digital signatures:
1. MCA21 – a Mission Mode project under NeGP, which is one of the first few e-governance projects under NeGP to successfully implement digital signatures.
2. Income tax e-filing.
3. IRCTC.
4. DGFT.
5. RBI applications (SFMS).
6. NSDG.


7. e-Procurement.
8. e-Office.
9. e-District applications of U.P., Assam, etc.
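Point 2 of the answer above states what a digital signature gives an e-governance system: the signature verifies against the sender's public key, so the sender cannot later deny having sent the document, and any alteration of the document breaks verification. The following is an added example, not from the textbook, that shows those two properties with a deliberately tiny textbook RSA signature over a SHA-256 digest. The primes, the exponent, the sample document and the hash reduction modulo N are constructed for the demonstration; real signatures use keys of thousands of bits and a padding scheme, and the Certifying Authority under the CCA is what binds the public key to a named person.

```python
"""Toy RSA signature over SHA-256 to illustrate non-repudiation and tamper detection
(added example; constructed, far-too-small key, no padding, never use in practice)."""
import hashlib

# Constructed toy key from two well-known primes (the 10,000th and 100,000th primes).
P, Q = 104729, 1299709
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent (coprime to PHI for these primes)
D = pow(E, -1, PHI)       # private exponent: modular inverse of E (Python 3.8+)
PUBLIC_KEY = (N, E)       # published, e.g. in the signer's certificate
PRIVATE_KEY = (N, D)      # held only by the signer


def digest(message: bytes) -> int:
    """SHA-256 of the document as an integer, reduced modulo N so the toy modulus can carry it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Only the holder of D can compute this value for a given digest."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone with the public key can check that the signature matches the document."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo():
    """Sign a constructed document, then try the two things a verifier must reject."""
    doc = b"Application for birth certificate, applicant reference APP-0001"  # constructed
    sig = sign(doc)
    return {
        "genuine": verify(doc, sig),                               # True
        "tampered_document": verify(doc + b" (amended)", sig),    # False: digest changed
        "forged_signature": verify(doc, (sig + 1) % N),            # False: wrong root
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'rejected'}")
```

The verifier holds only the public key, yet a valid signature could only have been produced with the matching private key; that asymmetry is what lets a government portal later show that the applicant, and not the portal operator, signed the submission. The example also shows the second half of the answer's claim: re-signing is required after any change to the document, because the old signature no longer verifies.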

3. Explain cybercrime and criminal justice in the Indian IT Act, 2000. [ME-IT, Dec 2018]
Answer
Provisions on cybercrimes in the IT Act, 2000
The sections of the IT Act, 2000 pertaining to cybercrimes are as follows:
1. Section 4 – Penalty for damage to a computer, computer system, etc.: This section applies if any person, without the permission of the owner or the person in charge of a computer, system or network:
• accesses such computer, network or system;
• copies, downloads or extracts any data or information from such computer, network or system (this also includes information or data stored in a removable storage medium);
• introduces or causes to be introduced any computer contaminant or virus into such computer, network or system;
• damages any computer, system or data, or any other programs residing in them;
• disrupts or causes disruption of any such computer, system or network;
• denies or causes the denial of access to an authorized person to such computer, system or network;
• provides any assistance to anyone to facilitate access to such a computer, system or network contrary to the provisions of the act and its rules;
• charges the services availed of by one person to the account of another by tampering with such computer, system or network.
The penalty is compensation not exceeding one crore rupees to the affected person.
2. Section 65 – Tampering with computer source code documents: This section applies to a person who intentionally conceals, alters or destroys any computer source code used for a computer, program, system or network when the law requires the owner to keep or maintain the source code. It also applies to a person who intentionally causes another person to do the same. The penalty is imprisonment of up to 3 years or a fine of up to two lakh rupees, or both in some cases.
3. Section 66 – Hacking of a computer system: This section applies to a person who commits hacking. Hacking is when a person intentionally or knowingly causes wrongful loss or damage to the public or another person, or destroys or deletes any information residing in a computer resource, or diminishes its utility or value, or injures it by any means. The penalty is imprisonment of up to 3 years or a fine of up to two lakh rupees, or both in some cases.
4. Section 67 – Publishing obscene information in electronic form: This section applies to a person who publishes or transmits any obscene material – material which is lascivious or appeals to prurient interests or tends to deprave or corrupt persons who are likely to read, see or hear the matter embodied in it. It also applies to a person who causes the publishing or transmission of such material.

Cyber Security and Laws_Appendix B.indd 336

10/7/2020 10:08:14 AM

Questions and Answers: Chapter 5

• 

337

  The penalty is in case of the first conviction, imprisonment of up to 5 years and a fine of up

to one lakh rupees. For subsequent convictions, imprisonment of up to 10 years and a fine of up to two lakh rupees. 5. Section 74 – Publication with the intention of fraud: This section applies to a person who knowingly creates, publishes or makes available a digital certificate with the intention of fraud.   The penalty is imprisonment of up to 2 years or a fine of up to one lakh rupees, also both in some cases. Other provisions relating to cybercrimes are listed as follows: 1. Section 44 – Failure to furnish information, returns, etc.: This section applies to a person who (a) fails to furnish any document, return or report to the controller or the certifying authority, (b) fails to file returns or furnish any information as per the regulations or fails to furnish them in time and (c) does not maintain the books of account or records. The following penalties apply: • A monetary fine of up to one lakh and fifty thousand rupees for each such failure. • A fine of up to five thousand rupees for every day if the failure continues. • A fine of up to ten thousand rupees for every day if the failure continues.

2. Section 45 – Residuary penalty: This section applies to a person who contravenes any rules or regulations made under the IT Act, 2000 for which no penalty has been separately provided.
The penalty is compensation of up to twenty-five thousand rupees to the person affected by such contravention, or a penalty of up to twenty-five thousand rupees.

3. Section 71 – Penalty for misrepresentation: This section applies to a person who makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any licence or Digital Signature Certificate.
The penalty is imprisonment of up to 2 years, or a fine of up to one lakh rupees, or both.

4. Section 72 – Penalty for breach of confidentiality and privacy: This section applies to a person who, in pursuance of any of the powers conferred under the Act, has secured access to any electronic record, book, register, correspondence, information, document or other material and discloses it to any other person without the consent of the person concerned.
The penalty is imprisonment of up to 2 years, or a fine of up to one lakh rupees, or both.

5. Section 73 – Penalty for publishing a Digital Signature Certificate false in certain particulars: This section applies to a person who publishes, or otherwise makes available to any other person, a Digital Signature Certificate with the knowledge that
• the Certifying Authority listed in the certificate has not issued it;
• the subscriber listed in the certificate has not accepted it; or
• the certificate has been revoked or suspended,
unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.
The penalty is imprisonment of up to 2 years, or a fine of up to one lakh rupees, or both.

6. Section 74 – Publication for fraudulent purpose: This section applies to a person who knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose.
The penalty is imprisonment of up to 2 years, or a fine of up to one lakh rupees, or both.

Appendix B/Questions and Answers: Cybersecurity and Cyber Laws • 338

7. Section 85 – Offences by companies:
(a) This section applies where a company commits a contravention of any of the provisions of the Act or of any rule, direction or order made under it. In such cases, every person who, at the time of the contravention, was in charge of and responsible to the company for the conduct of its business, as well as the company itself, is guilty of the contravention and liable to be proceeded against and punished. However, a person is not liable if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent it.
(b) Notwithstanding anything contained in sub-section (1), if it is proved that the contravention took place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such person is also deemed guilty of the contravention and liable to be proceeded against and punished.

2. Discuss in detail the amendment made in the IT Act, 2000. [ME-IT, Dec 2019]

Answer

The Information Technology (Amendment) Bill, 2006 (enacted as the Information Technology (Amendment) Act, 2008) proposed to amend the IT Act, 2000 to (a) make the authentication of electronic records technology neutral, (b) provide for the protection of personal information, (c) change the name and constitution of the appellate tribunal, (d) limit the liability of intermediaries and (e) establish an examiner of electronic evidence.
• The bill makes a company handling sensitive personal data liable to pay compensation of up to ₹5 crore if it is negligent in implementing reasonable security practices and procedures with respect to such data.
• The bill does not hold intermediaries liable for third-party data or content made available by them. This protection is not absolute: intermediaries are required to remove unlawful data or content on receiving information about it.
• The bill enables authentication of electronic records by any electronic signature technique, not only by the digital signatures the 2000 Act recognised.
• The bill changes the name and the composition of the appellate tribunal. It also establishes an examiner of electronic evidence to give expert opinion on evidence in electronic form.

Key issues and analysis
(a) The bill enables the central government to intercept computer communications for the investigation of any offence, whereas telephones and letters may be intercepted only to protect national interest, sovereignty, etc.
(b) Neither the IT Act nor any other law covers how personal information may be collected, processed, shared and used. While the bill provides compensation for wrongful loss or gain arising from unauthorised use of data, it does not address breach of privacy itself.
(c) Any person copying or destroying data without the permission of the owner is liable to pay damages. The bill does not cover the situation in which an employee who has permission to access certain data misuses it.
(d) Intermediaries are not liable for third-party data. They are required to remove unlawful content on receiving 'actual knowledge' of it, but this term is not defined.
(e) The expert committee appointed to suggest amendments to the IT Act had recommended stringent punishment for child pornography; the bill does not address this. The Standing Committee also stated that the issue of unwanted commercial e-mails (spam) has not been addressed.


3. The adjudication and appeals under the IT Act, 2008. [ME-IT, Dec 2019]

Answer

The Information Technology (Amendment) Act, 2008 added a new dimension to the applicability of civil and criminal remedies against contraventions and computer-related offences. In addition to inserting clauses (i) and (j) into Section 43, it substituted a new Section 66, which created the nexus between contraventions under Section 43 and computer-related offences. Section 66 of the Information Technology Act, 2000, as amended, provides that 'If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both'.

Explanation: for the purposes of this section,
1. the word 'dishonestly' shall have the meaning assigned to it in Section 24 of the Indian Penal Code;
2. the word 'fraudulently' shall have the meaning assigned to it in Section 25 of the Indian Penal Code.



Questions and Answers: Chapter 6

1. Write the key IT requirements for SOX and HIPAA. [BE-IT, Dec 2019]

Answer

The key requirements of HIPAA are listed in the following:
• Conduct an initial risk assessment, with periodic reviews and reassessments.
• Designate a security officer responsible for the security programme.
• Implement workforce termination policies and procedures (revoking access when a person leaves).
• Have a written security policy and an incident-handling policy.
• Have a backup, emergency operations and disaster recovery plan.
• Have policies for the use of the Internet, of the various systems (laptops, servers) and of reusable storage media (USB drives, CDs/DVDs), along with a plan for their reuse and disposal.
• Have audit controls, including unique user identifiers for authenticating users, recording and auditing user sessions, and logging out or disconnecting inactive sessions.
• Have a policy to encrypt sensitive data, monitor and audit access to and alteration of sensitive data, and protect data in transmission and in backups.

The key requirements of SOX are listed in the following (section numbers of the Act in parentheses):
• Corporate responsibility for financial reports (Section 302).
• Disclosures in periodic reports (Section 401).
• Management assessment of internal controls (Section 404).
• Real-time issuer disclosures (Section 409).
• Criminal penalties for altering documents (Section 802).
• Protection for employees of publicly traded companies who provide evidence of fraud (Section 806).
• Attempts and conspiracies to commit fraud offences (Section 902).
• Corporate responsibility for financial reports, with criminal penalties for false certification by the CEO and CFO (Section 906).


2. Elaborate on information security standard compliances (GLBA, HIPAA). [ME-IT, Dec 2017]

Answer

Information security compliance: Assessing which rules and regulations apply to an organization is no easy feat. Often, organizations need to comply with multiple frameworks and regulations, many of which have overlapping requirements. Regulations are in place to help companies improve their information security strategy by providing guidelines and best practices based on the company's industry and the type of data it maintains. Non-compliance with these regulations can result in severe fines or, worse, a data breach. Most companies are subject to at least one security regulation. The difficulty comes in determining which ones apply and interpreting what policies and controls are required to reach compliance.

The features and benefits of IT compliance services are listed in the following:
• Professionally managed information security compliance.
• Outsourced IT regulatory and risk mitigation.
• Data security compliance assessments and audits.
• Ongoing management, monitoring and reporting.
• FISMA, FERPA, HIPAA, SOX, GLBA and PCI DSS solutions.

Following are the information security compliance applications:
• Customer, financial and healthcare information.
• Credit card processing.
• Physical and network security.
• LAN–WAN networks and services.
• Onsite, data centre and cloud-hosted data.

GLBA: The Gramm–Leach–Bliley Act (GLB Act or GLBA), also known as the Financial Services Modernization Act of 1999, is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers' sensitive data, inform customers of their right to opt out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers' private data in accordance with a written information security plan created by the institution.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information. It is a very extensive set of regulations that was intended not only to make things simpler for providers and insurance carriers but also to keep health records private and secure.

3. Elaborate on information security standard compliances. [ME-IT, Dec 2019]

Answer

Information security compliance: Assessing which rules and regulations apply to an organization is no easy feat. Often, organizations need to comply with multiple frameworks and regulations, many of which have overlapping requirements. Regulations are in place to help companies improve their information security strategy by providing guidelines and best practices based on the company's industry and the type of data it maintains. Non-compliance with these regulations can result in severe fines or, worse, a data breach.


Most companies are subject to at least one security regulation. The difficulty comes in determining which ones apply and interpreting what policies and controls are required to reach compliance.

Features and benefits of IT compliance services
• Professionally managed information security compliance.
• Outsourced IT regulatory and risk mitigation.
• Data security compliance assessments and audits.
• Ongoing management, monitoring and reporting.
• FISMA, FERPA, HIPAA, SOX, GLBA and PCI DSS solutions.

Information security compliance applications
• Customer, financial and healthcare information.
• Credit card processing.
• Physical and network security.
• LAN–WAN networks and services.
• Onsite, data centre and cloud-hosted data.

Table B.4 shows the different cybersecurity frameworks and regulations, what they regulate, and which organizations fall within the scope of each.

Table B.4  Different Cybersecurity Frameworks and Regulations and Their Features

(Columns: The Act | What the Act Regulates | Companies Affected)

ISO 27000 Family (International Organization for Standardization)
  What it regulates: This family of standards provides requirements for establishing and maintaining an information security management system (ISMS) through the implementation of security controls.
  Companies affected: These standards are broad and can fit a wide range of businesses. Any business can use this family of standards to assess its cybersecurity practices.

HIPAA (Health Insurance Portability and Accountability Act)
  What it regulates: This act is a two-part bill. Title I protects the healthcare coverage of people who are transitioning between jobs or are laid off. Title II is meant to simplify the healthcare process by shifting to electronic data; it also protects the privacy of individual patients. This was further expanded through later rules issued under the act.
  Companies affected: Any organization that handles healthcare data. That includes, but is not limited to, doctors' offices, hospitals, insurance companies, business associates and employers.

PCI DSS (Payment Card Industry Data Security Standard)
  What it regulates: A set of 12 requirements designed to reduce fraud and protect customer credit card information. It is an industry standard enforced through the card brands' contracts rather than a law.
  Companies affected: Companies handling credit card information.

SOX (Sarbanes–Oxley Act)
  What it regulates: This act requires companies to maintain financial records for up to 7 years. It was implemented to prevent another Enron scandal.
  Companies affected: U.S. public company boards, management and public accounting firms.

GLBA (Gramm–Leach–Bliley Act)
  What it regulates: This act allowed insurance companies, commercial banks and investment banks to be within the same company. As for security, it mandates that companies secure the private information of clients and customers.
  Companies affected: This act defines 'financial institutions' as '... companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance'.

FISMA (Federal Information Security Modernization Act of 2014)
  What it regulates: This act recognizes information security as a matter of national security. Thus, it mandates that all federal agencies develop a method of protecting their information systems.
  Companies affected: All federal agencies fall within the range of this act.

NERC CIP Standards (NERC Critical Infrastructure Protection Standards)
  What it regulates: Improve the security of North America's bulk power system.
  Companies affected: All bulk power system owners and operators.

Index

A
Aircrack-NG, 91
Anthem, 12
Attack Vector, 61
authentication service security, 72–73

B
backdoor, 101–103
Banker's Book Evidence Act, 1891, 39
black hat hacker, 16
Botnets, 59–61
Brutus, 90
BSQL hacker, 114
buffer overflow attacks, 116–118
business-to-business (B2B), 141
business-to-consumer (B2C), 141
Butler, Max, 10

C
Cain and Abel, 90–91
'capacity building' centres, 15
card skimming, 27
career criminals, 16
Carmille, Rene, 8
child pornography, 25
Church of Scientology, 11
clickjacking, 36–37
closed loop environment for wireless (CLEW), 68
cloud computing, 61–63
  cybercrime and, 64
  examples of, 63
  service providers, 63
cloud service tools, 61–62
computer-based social engineering, 55–56
computer crime, 160–162
Condon, David, 8
consumer-to-business (C2B), 141
consumer-to-consumer (C2C), 141
crackers, 16
credit card fraud, 26–27
  flow of purchases done using, 67
  in mobile and wireless computing era, 67–69
  tips to prevent, 68

Cyber Security and Laws_Index.indd 343
02-Oct-20 5:09:49 PM

Credit Card Fraud Spree, 11
crime against individuals, 17
crime against organization, 18
crime against property, 17–18
crime against society, 18
CryptoWall ransomware, 12
Cursor Jacking, 37
Cyber Appellate Tribunal, 186–187
cyber bullies, 16
cybercafes, 58–59
cybercrime, 52, 58–59
  classification, 17–18
  cloud computing and, 64
  definition, 2
  definition and origins, 6–11
  global perspective on, 45–46
  information security and, 12–15
  prevention of, 7–8
  types, 15–16
  utilization of PC in, 2–3
Cybercrime Conviction, 9
cybercriminal, 2
cyber defamation, 24
cyber law, 38–39, 164–166, 174–175
  contract aspects, 143–147
  criminal aspect in, 159–163
  evidence aspect in, 156–158
  intellectual property aspect in, 151–156
  security aspects of, 147–150, 164–166
cyber offences, 51–52
cyberpunk, 5
cybersecurity, 175–176
  challenges to, 70–71
cyberspace, 3–4, 139–140, 173–174
  conceptual view of, 3
cybersquatting, 4–5
cyberstalking, 3, 23–24, 56–57
cyberterrorists, 16
cyberwarfare, 5–6

D
data diddling, 35–36
DataStream Cowboy, 9
DDoS attack, 106–110
defamation, 24
Defence Department Hack, 10
denial-of-service (DoS) attacks, 3, 30–31, 105–106, 109–110
device mobility, 66
digital law, 38–39
digital signature, 149
digital stalking, 23
DNC e-mail Leaks, 12
Domain Name Protection Law, 4

E
eBay, 12
e-commerce, 2, 140–142, 175
e-learning, 2
electronic contracts (e-Contracts), 144
  legal prerequisites of, 145–147
electronic data interchange law, 167–168
e-mail spoofing, 18–20
embezzlement, 9
Engressia, Joe (Joybubbles), 8
enumeration, 127
  DNS, 130
  LDAP, 129
  Linux or Unix, 130–131
  NetBIOS, 128
  NTP, 129
  SMTP, 129–130
  SNMP, 128
  Windows, 130
Epsilon, 11
Equifax, 12
ESTsoft, 11
evading anti-virus, 102

F
Federal Information Security Management Act (FISMA), 210–213
file transfer, 2
financial fraud, 3
forgery, 36
Foundation Act, 2000, 39
French Telegraph System, 8

G
Global Bank Hack, 11
Global Cybersecurity Agenda, 14
3G networks, 65–66
Gonzales, Albert, 10
government-to-citizen (G2C), 141
Gramm–Leach–Bliley Act (GLBA) of 1999, 200–206
grey hat hacker, 16

H
hand-held devices (HD), 64
Health Insurance Portability and Accountability Act (HIPAA), 206–210
Heartland Payment Systems, 11
human-based social engineering, 55

I
identity theft (ID theft), 3, 123–124
  cloning and concealment, 125
  criminal, 125
  financial, 124
  medical, 125
  preventing, 126
  synthetic, 125
  techniques, 125–126
in-band SQL injection, 112
Indian Computer Emergency Response Team (CERT-In), 44
Indian Contract Act, 1872, 144–145
Indian Copyright Act, 1957, 155–156
Indian cyber law, 168–169
Indian Evidence Act, 1872, 39, 156–157
Indian Penal Code, 1860, 39, 162–163
inferential SQLi attack, 112–113
information and communications technology (ICT), 2
information security, 12–15
information security standard (ISS), 191–193
Information Technology Act, 2000, 39, 176–178
  advantages, 43
  applicability, 44
  disadvantages, 43–44
  features of, 40
  important sections, 40–42
  liabilities of intermediaries, 178–179
  objectives, 40
  offences under, 42–43, 184–186
  penalties, adjudication and appeals under, 179–184
  scope of, 43
Information Technology Amendment Act, 2008, 44–45, 187–188
infrastructure-as-a-service (IaaS), 62
intellectual property (IP) crimes, 28–29
'international cooperation' centres, 15
Internet, 1–2, 4
  attack, 10
  uses, 2
IP management techniques, 28
ISO/IEC 27000 series, 219–220

J
Jobs, Steve, 9
John the Ripper, 91
JPMorgan Chase, 12

K
keyloggers, 91–93, 120
knowledge sharing, 2
Kuji, 9

L
'legal measures' centres, 14
Levin, Vladimir, 10
libel, 24
likejacking, 37
LockerPin, 12
Logic Bomb, 9
L0phtCrack, 91

M
Mafiaboy, 10
Marriott International, 11–12
Maskelyne, Nevil, 8
Medusa, 91
Melissa Virus, 10
military codebreaking, 8
Mitnick, Kevin, 9
mobile computing, 65
  popular attacks against, 66–67
  security in, 72–73, 76–78
  security policies and measures in, 80–82
  third generation (3G), 65–66
mobile devices (MD), 64
  organizational measures for handling, 79–80
  registry setting for, 71–72
mobile phones, attacks on, 74–75
Mole, 115
Morris Worm, 9

N
NASA, 10
Neuromancer (Gibson), 3
network scanning, 54
North American Electric Reliability Corporation (NERC), 213–215

O
online business, 39
online harassments, 23
Operation CyberSweep, 10
OphCrack, 91
'organizational structures' centres, 14
out-of-band SQLi attack, 113

P
password cracking, 87–91
  prevention measures of, 89–90
  techniques, 88–89
  tools for, 90–91
password sniffing, 29–30
Patent Act, 1970, 156
Payment Application Data Security Standard (PA-DSS), 218–219
Payment Card Industry Data Security Standard (PCI DSS), 217–218
Payment Card Industry (PCI) Compliance, 215–219
Payment Card Industry Security Standards Council (PCI SSC), 217
phishing, 20–21, 88–89
  Content Injection, 120
  e-mails, 118–119, 121–122
  link manipulation, 120
  malvertising, 120
  malwares, 121
  preventing, 122–123
  ransomware, 121
  scams, 122
  session hijacking, 120
  smishing, 121
  spear, 120
  techniques, 119
  voice, 121
phone hacking, 8
platform-as-a-service (PaaS), 62
Polo Ralph Lauren/HSBC Bank, 10
pornographic offences, 25–26
port scanning, 54
Poulsen, Kevin, 9
pranksters, 16
prepaid debit cards, 12
private cloud, 62
public cloud, 62

R
RABBITS Virus, 9
RainbowCrack, 90
remote access Trojans (RATs), 101
Roman Seleznev, 11
RSA Security, 11

S
Safe3 SQL injector, 115
salami attack, 16, 33–34
Sarbanes–Oxley Act (SOX) of 2002, 193–200
Scherr, Allan, 8
Schlossberg, Barry (Lou Cipher), 10
service mobility, 66
session mobility, 66
slander, 24
social connectivity, 2
social engineering, 54–55, 89
  classification of, 55–56
software-as-a-service (SaaS), 62
Sony Pictures, 11
spamming, 21–22
spyware, 94–96
SQL Injection attack, 111–112, 115–116
SQLmap, 115
SQLninja, 115
SQLSus, 115
steganography, 103–105
strategic attacks
  active attack, 54
  launch of attack, 54
  passive attack, 53
  phases of, 52–53
  reconnaissance, 53
  scanning and scrutinizing gathered information, 54
Stuxnet Worm, 11
switchboard hack, 8

T
'technical and procedural measures' centres, 14
THC Hydra, 91
TJX, 10
Trade Mark Act, 1999, 4
transmission control protocol/Internet protocol (TCP/IP), 3
Trojan horses, 9, 34–35, 100–101, 102, 120
Turing, Alan, 8

U
Uniform Domain Name Dispute Resolution Policy (UDNDRP), 5
user mobility, 66
US Secret Service, 9

V
virtual private cloud, 62
virus, 96–97
  attack, 31–33
  differences with worms, 100
vishing, 20–21, 121
voice over Internet protocol (VoIP) communication, 2
vulnerability scanning, 54

W
WannaCry, 12
web-based banking and shopping, 2
web-based delivery, 120
web jacking, 36
Welchman, Gordon, 8
Wfuzz, 90
white hat hacker, 16
wireless devices (WD), 64
wireless network attacks, 131–134
  securing, 134–135
  tools used for attacks, 135–136
wireless telegraphy, 8
World Intellectual Property Organization (WIPO), 166
worms, 98–99
  differences with virus, 100
Wozniak, Steve, 9
wrappers, 102

Z
Zeus Trojan Virus, 11