
Security metrics- Classification and their benefits

1. Mean-Time-To-Incident-Discovery

Mean-Time-To-Incident-Discovery (MTTID) characterizes the efficiency of detecting incidents by measuring the average elapsed time between the initial occurrence of an incident and its subsequent discovery. The MTTID metric also serves as a leading indicator of resilience in organizational defenses because it measures detection of attacks from known vectors and unknown ones.

Description - Mean-Time-To-Incident-Discovery (MTTID) measures the effectiveness of the organization in detecting security incidents. Generally, the faster an organization can detect an incident, the less damage it is likely to incur. MTTID is the average amount of time, in hours, that elapsed between the Date of Occurrence and the Date of Discovery for a given set of incidents. The calculation can be averaged across a time period, type of incident, business unit, or severity.
Audience - Operations
Question - What is the average (mean) number of hours between the occurrence of a security incident and its discovery?
Answer - A positive decimal value that is greater than or equal to zero. A value of zero would represent hypothetical instant detection.
Formula - For each record, the time-to-discovery metric is calculated by subtracting the Date of Occurrence from the Date of Discovery. These metrics are then averaged across a scope of incidents (for example by time, category or business unit).

Units - Hours per incident
Frequency - Weekly, Monthly, Quarterly, Annually
Targets - MTTID values should trend lower over time, toward instant detection. There is evidence the metric result may be in a range from weeks to months (2008 Verizon Data Breach Report). Because of the lack of experiential data from the field, no consensus on the range of acceptable goal values for MTTIDs exists.
Sources - Since humans determine when an incident occurs, when the incident is contained, and when the incident is resolved, the primary data sources for this metric are manual inputs as defined in Security Incident Metrics: Data Attributes. However, these incidents may be reported by operational security systems, such as anti-malware software, security incident and event management (SIEM) systems, and host logs.
Usage
Mean-Time-To-Incident-Discovery is a type of security incident metric, and relies on the common definition of Terms in Definitions.

Optimal conditions would reflect a low value in the MTTID. The lower the value of
MTTID, the healthier the security posture is. The higher the MTTID, the more time
malicious activity is likely to have occurred within the environment prior to containment
and recovery activities. Given the current threat landscape and the ability for malicious
code to link to other modules once entrenched, there may be a direct correlation between
a higher MTTID and a higher level-of-effort value (or cost) of the incident.

MTTIDs are calculated across a range of incidents over time, typically per-week or per-
month. To gain insight into the relative performance of one business unit over another,
MTTIDs may also be calculated for cross-sections of the organization, such as individual
business units or geographies.

Limitations
This metric measures incident detection capabilities of an organization. As such, the
importance of this metric will vary between organizations. Some organizations have
much higher profiles than others, and would thus be a more attractive target for attackers,
whose attack vectors and capabilities will vary. As such, MTTIDs may not be directly
comparable between organizations.

In addition, the ability to calculate meaningful MTTIDs assumes that incidents are, in
fact, detected and reported. A lack of participation by the system owners could cause a
skew to appear in these metrics. A higher rate of participation in the reporting of security
incidents can increase the accuracy of these metrics.
The date of occurrence of an incident may be hard to determine precisely. The date of occurrence field should be the latest date by which the incident could have occurred, given the best available information. This date may be subject to revision as more information becomes known about a particular incident.
Mean values may not provide a useful representation of the time to detect incidents if the distribution of the data is significantly bi-modal or multi-modal. In such cases, additional dimensions and results for each of the major modes will provide more representative results.

Incident Rate
Incident Rate measures the number of security incidents for a given time period.

Mean Time Between Security Incidents
Mean Time Between Security Incidents (MTBSI) calculates the average time, in days, between security incidents. This metric is analogous to the Mean Time Between Failure (MTBF) metric found in break-fix processes for data centers.

Mean Time to Incident Recovery
Mean Time to Incident Recovery (MTIR) measures the effectiveness of the organization in recovering from security incidents. The sooner the organization can recover from a security incident, the less impact the incident will have on the overall organization. This calculation can be averaged across a time period, type of incident, business unit, or severity.
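The four incident metrics described above (MTTID, Incident Rate, MTBSI and MTIR) computed over a set of incident records, as an added Python example that is not part of these notes. The incident identifiers, business units and timestamps are constructed sample data; the per-unit breakdown follows the notes' suggestion of comparing business units, and the median helper is added to cover the bi-modal-distribution caveat in the MTTID limitations:

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real data). Each record carries the
# manually entered timestamps the notes describe: Date of Occurrence, Date of
# Discovery and Date of Recovery, plus a business unit used as a scope.
INCIDENTS = [
    {"id": "INC-1", "unit": "retail", "occurred": "2024-03-01T08:00",
     "discovered": "2024-03-01T20:00", "recovered": "2024-03-02T08:00"},
    {"id": "INC-2", "unit": "retail", "occurred": "2024-03-05T00:00",
     "discovered": "2024-03-06T12:00", "recovered": "2024-03-07T00:00"},
    {"id": "INC-3", "unit": "finance", "occurred": "2024-03-02T09:00",
     "discovered": "2024-03-16T09:00", "recovered": "2024-03-18T09:00"},
    {"id": "INC-4", "unit": "finance", "occurred": "2024-03-20T10:00",
     "discovered": "2024-03-20T11:00", "recovered": "2024-03-20T13:00"},
]
FMT = "%Y-%m-%dT%H:%M"


def _t(s):
    return datetime.strptime(s, FMT)


def _hours(start, end):
    return (_t(end) - _t(start)).total_seconds() / 3600


def _scope(incidents, unit=None):
    # unit=None means the whole organization; otherwise one business unit.
    return [i for i in incidents if unit is None or i["unit"] == unit]


def mttid(incidents, unit=None):
    """MTTID: mean hours from Date of Occurrence to Date of Discovery."""
    return mean(_hours(i["occurred"], i["discovered"]) for i in _scope(incidents, unit))


def mttid_median(incidents, unit=None):
    """Median of the same values; report it beside the mean when the
    distribution is bi-modal, where the mean alone misleads (added check)."""
    return median(_hours(i["occurred"], i["discovered"]) for i in _scope(incidents, unit))


def mttid_by_unit(incidents):
    """MTTID per business unit, for comparing one unit against another."""
    return {u: mttid(incidents, u) for u in sorted({i["unit"] for i in incidents})}


def mtir(incidents, unit=None):
    """MTIR: mean hours from Date of Discovery to Date of Recovery."""
    return mean(_hours(i["discovered"], i["recovered"]) for i in _scope(incidents, unit))


def incident_rate(incidents, start, end, unit=None):
    """Incident Rate: number of incidents whose occurrence falls in [start, end)."""
    s, e = _t(start), _t(end)
    return sum(1 for i in _scope(incidents, unit) if s <= _t(i["occurred"]) < e)


def mtbsi(incidents, unit=None):
    """MTBSI: mean days between consecutive incidents, ordered by occurrence.
    Returns None when fewer than two incidents are in scope."""
    times = sorted(_t(i["occurred"]) for i in _scope(incidents, unit))
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
    return mean(gaps) if gaps else None


if __name__ == "__main__":
    print("MTTID (h):", mttid(INCIDENTS), "median:", mttid_median(INCIDENTS))
    print("MTTID by unit:", mttid_by_unit(INCIDENTS))
    print("MTIR (h):", mtir(INCIDENTS))
    print("Incidents in first week:", incident_rate(INCIDENTS, "2024-03-01T00:00", "2024-03-08T00:00"))
    print("MTBSI (days):", mtbsi(INCIDENTS))
```

With the constructed data the organization-wide MTTID is 96.25 hours while the median is 24 hours: one slow-to-detect incident (INC-3) dominates the mean, which is exactly the situation the limitations section warns about, and the per-unit breakdown (retail 24 h, finance 168.5 h) shows where it comes from.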

Vulnerability Management

Vulnerability Notification through becoming aware of disclosed vulnerabilities and performing security assessments.
Vulnerability Identification through manual or automated scanning of technologies throughout the organization.
Vulnerability Remediation & Mitigation through application of patches, adjustment of configurations, modification of systems, or acceptance of risk.

Technology Value (CTV, ITV, ATV)

Technology values will be rated by adopting the Common Vulnerability Scoring System (v2) section 2.3.3 Security Requirements Scoring Evaluation ratings. These Technology Value scores can be used independently as well as for the complete scoring of a vulnerability that affected the technology. Each technology is assigned a rating for the impact of loss of confidentiality (CTV), integrity (ITV), or availability (ATV). These ratings are reproduced here:

Low (L). Loss of [confidentiality | integrity | availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Medium (M). Loss of [confidentiality | integrity | availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

High (H). Loss of [confidentiality | integrity | availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Not Defined (ND). Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

As described in CVSS v2, these values should be based on network location, business function, and the potential for loss of revenue or life. No specific methodology is defined to assign these values.
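How the CTV/ITV/ATV ratings feed into "the complete scoring of a vulnerability", as an added Python example that is not part of these notes. The metric weights are the published CVSS v2 values (the security requirement weights Low 0.5, Medium 1.0, High 1.51, Not Defined 1.0 are the ones section 2.3.3 defines); the vulnerability vector used in the usage block is a constructed sample. The function deliberately leaves the temporal metrics, Collateral Damage Potential and Target Distribution at Not Defined, so it returns the environmental score with only the technology-value terms applied:

```python
# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}          # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}           # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}          # Authentication
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}      # C/I/A impact: None/Partial/Complete
# Security requirement weights (CVSS v2 section 2.3.3), used as CTV/ITV/ATV.
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}


def parse_vector(vector):
    """Parse a v2 base vector such as AV:N/AC:L/Au:N/C:N/I:N/A:C into a dict."""
    return dict(part.split(":") for part in vector.split("/"))


def _exploitability(v):
    return 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]


def _score(impact, exploitability):
    # f(Impact) is 0 when there is no impact, otherwise 1.176 (CVSS v2).
    f = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)


def base_score(vector):
    """CVSS v2 base score, independent of the technology it affects."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    return _score(impact, _exploitability(v))


def technology_adjusted_score(vector, ctv="ND", itv="ND", atv="ND"):
    """Environmental score with only the security-requirement terms set.
    Temporal metrics, CDP and TD stay Not Defined, so they are neutral and the
    result is the AdjustedBase score of CVSS v2: the impact sub-score is
    re-weighted by CTV/ITV/ATV and capped at 10 before the base equation."""
    v = parse_vector(vector)
    adj_impact = min(10.0, 10.41 * (1 - (1 - IMPACT[v["C"]] * REQ[ctv])
                                       * (1 - IMPACT[v["I"]] * REQ[itv])
                                       * (1 - IMPACT[v["A"]] * REQ[atv])))
    return _score(adj_impact, _exploitability(v))


if __name__ == "__main__":
    # Constructed sample: a remotely exploitable, unauthenticated flaw that only
    # affects availability (A:C). The same flaw scores very differently on a
    # system whose ATV is Low versus one whose ATV is High.
    vec = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    print("base:", base_score(vec))
    for atv in ("L", "M", "H"):
        print(f"ATV={atv}:", technology_adjusted_score(vec, atv=atv))
```

The point a vulnerability manager gets from this is that the same finding is a 5.4 on a technology rated ATV Low and a 10.0 on one rated ATV High; the technology value, not the scanner's base score alone, should drive remediation priority for that asset.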
Vulnerability Scan Coverage

Vulnerability Scanning Coverage (VSC) measures the proportion of systems under management that were checked for vulnerabilities during vulnerability scanning and identification processes. This metric is used to indicate the scope of vulnerability identification efforts.

Percent of Systems Without Known Severe Vulnerabilities

Percent of Systems Without Known Severe Vulnerabilities (PSWKSV) measures the percentage of systems that, when checked, were not found to have any known high severity vulnerabilities during a vulnerability scan. Vulnerabilities are rated "High" severity if they have a CVSS base score of 7.0-10.0. Since vulnerability management involves both the identification of new severe vulnerabilities and the remediation of known severe vulnerabilities, the percentage of systems without known severe vulnerabilities will vary over time. Organizations can use this metric to gauge their relative level of exposure to exploits, and it serves as a potential indicator of expected levels of security incidents (and therefore impacts on the organization).
This severity threshold is important, as there are numerous informational, local, and exposure vulnerabilities that can be detected that are not necessarily material to the organization's risk profile. Managers generally will want to reduce the level of noise to focus on the greater risks first. This metric can also be calculated for subsets of systems, such as by asset criticality or business unit.

Mean-Time to Mitigate Vulnerabilities

Mean-Time to Mitigate Vulnerabilities measures the average time taken to mitigate vulnerabilities identified in the vulnerability management process, which consists of the identification and remediation of known vulnerabilities in an organization. The less time required to mitigate a vulnerability, the more likely an organization can react effectively to reduce the risk of exploitation of vulnerabilities. It is important to note that only data from vulnerabilities explicitly mitigated are included in this metric result. The metric result is the mean time to mitigate vulnerabilities that are actively addressed during the metric time period, and not a mean time to mitigate based on the time for all known vulnerabilities to be mitigated.

Number of Known Vulnerability Instances

Number of Known Vulnerability Instances (NKVI) measures the number of known vulnerability instances identified during the vulnerability identification process.
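The four vulnerability management metrics defined above (VSC, PSWKSV, Mean-Time to Mitigate Vulnerabilities and NKVI) computed over per-asset scan results, as an added Python example that is not part of these notes. The asset names, business units, finding identifiers VULN-A to VULN-D, CVSS scores and dates are all constructed sample data; the severity threshold of 7.0 is the one the text gives, and the mean-time-to-mitigate function applies the text's rule that only findings explicitly mitigated inside the metric period are counted:

```python
from datetime import date
from statistics import mean

# Constructed vulnerability-management data (not real). One record per asset:
# "scanned" says whether the asset was covered in this scan cycle, and each
# finding carries its CVSS base score plus identification/mitigation dates
# (mitigated=None means the finding is still open).
ASSETS = [
    {"asset": "web-01", "unit": "retail", "scanned": True, "findings": [
        {"id": "VULN-A", "cvss": 9.8, "identified": "2024-03-01", "mitigated": "2024-03-04"},
        {"id": "VULN-B", "cvss": 5.0, "identified": "2024-03-01", "mitigated": None},
    ]},
    {"asset": "web-02", "unit": "retail", "scanned": True, "findings": [
        {"id": "VULN-C", "cvss": 7.5, "identified": "2024-03-02", "mitigated": None},
    ]},
    {"asset": "db-01", "unit": "finance", "scanned": True, "findings": [
        {"id": "VULN-D", "cvss": 8.1, "identified": "2024-03-03", "mitigated": "2024-03-10"},
    ]},
    {"asset": "lap-01", "unit": "finance", "scanned": False, "findings": []},
]
SEVERE = 7.0  # "High" severity threshold on the CVSS base score, as in the text


def _d(s):
    return date.fromisoformat(s)


def _select(assets, unit=None):
    # unit=None is the whole estate; otherwise one business unit.
    return [a for a in assets if unit is None or a["unit"] == unit]


def vsc(assets, unit=None):
    """Vulnerability Scanning Coverage: percent of managed systems checked."""
    sel = _select(assets, unit)
    return 100.0 * sum(a["scanned"] for a in sel) / len(sel)


def pswksv(assets, unit=None):
    """Percent of scanned systems with no open finding at or above SEVERE."""
    scanned = [a for a in _select(assets, unit) if a["scanned"]]
    clean = [a for a in scanned
             if not any(f["cvss"] >= SEVERE and f["mitigated"] is None
                        for f in a["findings"])]
    return 100.0 * len(clean) / len(scanned)


def mean_time_to_mitigate(assets, start, end, unit=None):
    """Mean days from identification to mitigation, counting only findings
    explicitly mitigated within [start, end]; open findings are excluded, so
    this is not the time for all known vulnerabilities to be mitigated."""
    s, e = _d(start), _d(end)
    days = [(_d(f["mitigated"]) - _d(f["identified"])).days
            for a in _select(assets, unit) for f in a["findings"]
            if f["mitigated"] and s <= _d(f["mitigated"]) <= e]
    return mean(days) if days else None


def nkvi(assets, unit=None, severe_only=False):
    """Number of Known Vulnerability Instances still open (optionally only
    those at or above SEVERE)."""
    return sum(1 for a in _select(assets, unit) for f in a["findings"]
               if f["mitigated"] is None and (not severe_only or f["cvss"] >= SEVERE))


if __name__ == "__main__":
    print("VSC %:", vsc(ASSETS))
    print("PSWKSV %:", round(pswksv(ASSETS), 1), "retail:", pswksv(ASSETS, "retail"))
    print("MTTM days (March):", mean_time_to_mitigate(ASSETS, "2024-03-01", "2024-03-31"))
    print("NKVI:", nkvi(ASSETS), "severe:", nkvi(ASSETS, severe_only=True))
```

Note how the metrics interact: lap-01 is not scanned, so it lowers VSC but does not appear in PSWKSV at all, which is why coverage must be reported alongside the "percent without severe" figure to avoid a misleadingly good exposure picture.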

Patch Management

Many security incidents are caused by exploitation of known vulnerabilities for which patches are available.
Patches are released by vendors on regular and ad-hoc schedules to directly address security issues in applications and operating systems; the cycle of testing and deploying those patches, and the performance of the patch management process as a whole, will directly affect the security posture of the organization.

These metrics are based upon a patching management process with the following
structure:
1. Security and Patch Information Sources
2. Patch Prioritization and Scheduling
3. Patch Testing
4. Configuration (Change) Management
5. Patch Installation and Deployment
6. Patch Verification and Closure

Percent of Changes with Security Review

This metric indicates the percentage of configuration or system changes that were reviewed for security impacts before the change was implemented.

What is Information Security?

The process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption is called information security.

[Figure: the CIA triad, with Information at the centre]
C - Confidentiality
I - Integrity
A - Availability

What is Information Security LAW

People are familiar with traditional areas of law, such as contracts, criminal law, and corporations. They also know of areas of law practice like civil litigation, technology transactions, and mergers and acquisitions. Some law firms have practice groups that provide a large variety of services for a single industry. Examples include groups focusing on construction, entertainment, and transportation. With the rise of the Internet and information technology, one emerging area of law is information security law. Information security law is new enough, however, that people may ask the obvious question: what is information security law? Also, what do information security lawyers do?
Information security law, or infosec law, is in some ways a new area of law. In other ways, it is a new area of practice for law firms. And in yet other ways, it has an industry-specific focus. This article discusses all of these dimensions of information security law.

Information security, as a new area of law, includes a number of components. First and foremost, information security lawyers counsel their clients on requirements to keep data and information systems secure. These requirements may stem from public law (statutes and regulations) or private arrangements made via contracts. Infosec lawyers help clients answer the key question: What does my company really need to do to comply with infosec requirements under applicable law?

Second, infosec law addresses liability that arises from security breaches or defects in
security products or services. Parties injured by a security breach may sue to seek
damages or an injunction against the parties responsible for the breach. When the
perpetrators are unable to be found or it isn't worth suing them, injured parties may sue
others who allowed the breach to occur or failed to stop it. Companies purchasing
security products or services may sue their vendors when the products or services don't
work as advertised or when they fail to prevent a breach. Infosec lawyers bring suit on
behalf of the injured party or defend these kinds of suits.

Third, infosec law covers secure electronic commerce. Secure electronic commerce answers questions such as:
1. How do parties form contracts online?
Are online contracts treated the same as paper contracts under the law?
2. What must a person or business do to authenticate himself, herself, or itself to
another party online?
3. What must be done to tie an individual or business to an online transaction and
hold that party accountable for it?
4. What can show that a person has agreed to an online transaction: an electronic
signature, a secure form of electronic signature, or a digital signature (a particular
kind of secure electronic signature)?

Information security is at once a new area of law, an area of practice, and an industry focus. As
with new areas of the law in the past, attorneys practicing infosec law are those who have
experience in allied areas of law, who have practices touching on a number of traditional practice
areas, and who have IT and infosec technical expertise. The mix of technical and legal issues,
the need to work with multi-disciplinary teams, and the novelty of the field challenge infosec
lawyers, but make for a fascinating area of the law.

Ethics - Ethical Issues

Ethics involves the sphere of interpersonal, group, and community politics at the level of
values–not just what can be achieved or how to achieve it, but more what should be
sought, in the realm of social harmony and fairness. It is the complexity of the other side
of individualism– other than taking care of oneself, what do we want our collective to do
or refrain from doing? Ethics looks at our proper relations, our duties to each other,
individually and collectively. In the past, ethics–and a good deal of civil law, in addition–
was mixed with the requirements of religious ritual and the establishment of the details of
the priestly caste.

Ethical Issues

• have many potential misuses / abuses of information and electronic communication that create privacy and security problems
• ethics:
  • a system of moral principles relating benefits and harms of particular actions to rightness and wrongness of motives and ends of them
• ethical behavior here not unique
  • but do have some unique considerations
  • in scale of activities, in new types of entities

Ethical Hierarchy
Ethical Issues Related to Computers and Info Systems
• some ethical issues from computer use:
  • repositories and processors of information
  • producers of new forms and types of assets
  • instruments of acts
  • symbols of intimidation and deception
• those who understand / exploit technology, and have access permission, have power over these
• issue is balancing professional responsibilities with ethical or moral responsibilities

Codes of Conduct

• ethics not precise laws or sets of facts
• many areas may present ethical ambiguity
• many professional societies have ethical codes of conduct which can:
1. be a positive stimulus and instill confidence
2. be educational
3. provide a measure of support
4. be a means of deterrence and discipline
5. enhance the profession's public image

• these codes have some common themes:
1. dignity and worth of other people
2. personal integrity and honesty
3. responsibility for work
4. confidentiality of information
5. public safety, health, and welfare
6. participation in professional societies to improve standards of the profession
7. the notion that public knowledge and access to technology is equivalent to social power

Contemporary Ethical Issues

Welfare and charity-Welfare is organized charity, funneled through the collective, the
government. But it raises many issues. How should we help others who are less
fortunate? Can we differentiate between the "deserving poor" and the "undeserving"
poor?

A. How responsible can people be? To what extent can we require that people "pull
themselves up by their own bootstraps." If a college student is raised in a neighborhood
where study is not fashionable, and they didn't study, to what extent are we obligated to
provide "remedial" training in college?

B. What if some folks are disabled, to what extent are we obligated–or would we
choose to be obligated if we were fully enlightened–to help these people. The "how
much" issue is tricky, because new technologies make increasing levels of aid
exponentially more expensive.

C. What if a teenager has been raised in an area that is judged to be significantly culturally, economically, or technically "behind"–to what degree should we choose to compassionately support these people? Again, the themes would be remedial education.

D. What about those whose disabilities make them mentally unable to do more than
fairly simple and routine tasks? In our culture, merit is associated with intelligence. What
levels of subsidy should be given? What about the in-between categories, which
represents an expanding sector of the population: Folks not that smart, not smart enough
to get "good" jobs, but smart enough to live independently and have full and dramatic
lives.

E. What about people who say they can't work? They're too burdened with kids–how
much should this role of mothering be challenged? (This of course is a lively socio-
political issue in the legal system right now.)

F. Regarding the broader topic of welfare: General issues of responsibility are raised.
When is helping someone really helping them, and when is it rescuing them and enabling
their own self-defeating behavioral patterns. Can beggars be choosers? Are any "rights"
implicitly forfeited by someone who receives charity? (This varies in different cultures!)
For example, if offered work, is the person who is given welfare obligated to accept that
job, even if they don't like that work? What if the decision as to a job being not
acceptable is viewed as trivial or unworthy by others?

G. What about our obligations to help people in other countries? There's national and
international charity, but is Government aid an ethical obligation?
(1) What about "strings attached"? Can we demand political, human rights, ethical governmental policy, enforcement of human rights, etc. before we give aid?
(2) What rights do we have to criticize the ethics and priorities of peoples in other cultures?

Data security breaches. Identity theft. Stolen laptops. Lost backup tapes.
Announcements of major security breaches are now everyday news.
The consequences of a security breach hit companies in the pocketbook. Besides the cost
of investigating a breach, a company experiencing a breach may face damage to its
brands, loss of reputation, angry customers, lost business, and a hit to its stock value.
Adding to its woes, government regulators may take action against the company, and
private plaintiffs may file class action suits. Companies want to know what the law
requires them to do to prevent security breaches, the legal consequences of a breach, and
what they should do to respond to a breach.

Patent law is a specific area of law that encompasses the legal regulation, jurisprudence,
and enforcement of specific intellectual property rights known as patent rights. A patent
is a government issued right granted to individuals or groups that protects their original
inventions from being made, used, or sold by others without their permission for a set
period of time. While patents can be legally obtained without the use of an attorney, an
attorney who specializes in patent law can help ensure that their patent is enforceable by
law. Because patent law pertains to intellectual property, which is like any other property
in that it can be legally sold, exchanged, traded, or abandoned, the finer points of patent
law are frequently amended as technology changes. This is another reason why an
attorney specializing in patent law is of significant use to those seeking a patent.

Under United States patent law, three criteria must be applicable to the invention before a
patent is granted. The invention must be new, useful, and not obvious to those with
ordinary skills in any area related to the invention. These particular requirements are,
from time to time, subjective. New obviously means that the invention was not previously
in existence. As it pertains to patent law, useful is defined as providing a benefit meant
for a legitimate purpose or use. The one area of patent law that is particularly subjective
is defining whether an invention is obvious or not.

Patent law pertains not only to the processes governing applying for and granting a patent, but also to enforcing existing patents. It is the patent holder's responsibility to pursue a violation of his or her patented rights. A patent law violation can be argued in court, but it is a very complex and expensive procedure. This is one area in which patent law seems skewed, because small inventors and companies can easily be outdone by larger, wealthier corporations, and it is difficult for the minority to afford defense or litigation expenses.

Patents Law -
• grant a property right to the inventor
• to exclude others from making, using, offering for sale, or selling the invention
• types:
  • utility - any new and useful process, machine, article of manufacture, or composition of matter
  • design - new, original, and ornamental design for an article of manufacture
  • plant - discovers and asexually reproduces any distinct and new variety of plant
• e.g. RSA public-key cryptosystem patent

Trademarks
• a word, name, symbol, or device
• used in trade with goods
• indicate source of goods
• to distinguish them from goods of others
• trademark rights may be used to:
  • prevent others from using a confusingly similar mark
  • but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark

Intellectual Property

Intellectual Property Issues and Computer Security
• software programs
  • protect using copyright, patent
• database content and arrangement
  • protect using copyright
• digital content audio / video / media / web
  • protect using copyright
• algorithms
  • may be able to protect by patenting

Copyright Law
• protects tangible or fixed expression of an idea but not the idea itself
• is automatically assigned when created
• may need to be registered in some countries
• exists when:
  • proposed work is original
  • creator has put original idea in concrete form
• e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works.

Copyright Rights
• copyright owner has these exclusive rights, protected against infringement:
  • reproduction right
  • modification right
  • distribution right
  • public-performance right
  • public-display right

Introduction
Data mining is a promising tool in the fight against terrorism. It already plays a number
of important roles in counter terrorism including locating known suspects, identifying and
tracking suspicious financial and other transactions, and facilitating background checks.
Rapid increases in the power and speed of computing technologies, the capacity of data
storage, and the reach of networks have added exponentially to both the volume of data
available for possible use and the ability of the government to meaningfully examine
them. As a result, as discussed elsewhere in this volume, new data mining applications
are likely to play increasingly important roles in fighting terrorism.
Government data mining also poses significant issues for individual privacy and other
civil liberties. Proposals for enhanced government data mining have provoked serious
controversy, beginning with the first large-scale computerized government benefits
databases created by the then-Department of Health, Education and Welfare. More
recently, public concern over proposals for Total Information Awareness and second-
generation Computer Assisted Passenger Profiling was sufficient to block at least public
development of these systems.

One of the major contributors to the controversies over government data mining is the
absence of clear legal standards. Forty years ago the lack of relevant law was
understandable: the technologies were new, their capacity was largely unknown, and the
types of legal issues they might raise were novel. Today, it is inexplicable and threatens
to undermine both privacy and security.
Data mining is increasingly being looked to as a tool to combat terrorism. For
example, in 2002 the Defense Advanced Research Projects Agency in the Department of
Defense launched “Total Information Awareness”—later renamed “Terrorism
Information Awareness”—a research and development program that included
technologies to search personally identifiable transaction records and recognize patterns
across separate databases for the purpose of combating terrorism. The Advanced
Research and Development Activity center, based in the National Security Agency in
DOD, has a project—Novel Intelligence from Massive Data—to develop tools to
examine large quantities of data to “reveal new indicators, issues, and/or threats
that would not otherwise have been found due to the massiveness of the data.”

Constitutional Protection for Information Privacy

The Fourth Amendment - Historically, the primary constitutional limit on the government's ability to obtain personal information about individuals is the Fourth Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Legal Issues

The Need for Standards
• Enhance Public, Policymaker, Press, and Private-Sector Confidence
• Protect Privacy and Other Civil Liberties
• Enhance Security
• Improve Policymaking
• Facilitate Innovation and Research
• Make New Technologies Work

Total Information Awareness
The "special protections for data mining" involving third-party databases from private industry recommended by TAPAC included:

• The agency engaging in the data mining should take into account the purpose for which
the data were collected, their age, and the conditions under which they have been stored
and protected when determining whether the proposed data mining is likely to be
effective.

• If data are to be used for purposes that are inconsistent with those for which the data
were originally collected, the agency should specifically evaluate whether the
inconsistent use is justified and whether the data are appropriate for such use.

• Data should be left in place whenever possible. If this is impossible, they should be
returned or destroyed as soon as practicable.

• Government agencies should not encourage any person voluntarily to provide data in
violation of the terms and conditions (usually reflected in a privacy policy) under which
they were collected.

• Government agencies should seek data in the order provided by Executive Order 12333:
from or with the consent of the data subject, from publicly available sources, from
proprietary sources, through a method requiring authorization less than probable cause
(e.g., a pen register or trap and trace device), through a method requiring a warrant, and
finally through a method requiring a wiretap order.

• Private entities that provide data to the government upon request or subject to judicial process should be indemnified for any liability that results from the government's acquisition or use of the data.

• Private entities that provide data to the government upon request or subject to judicial
process should be reasonably compensated for the costs they incur in complying with the
government’s request or order.

Significant advances in data mining technologies, however, now make it possible for the
government to conduct sophisticated analysis, rapidly and affordably, of disparate
databases without ever physically bringing the data together. These technologies allow
the government to move beyond looking for data on specific people to search data about
millions of people in the search for patterns of activity, subtle relationships, and
inferences about future behavior. These technologies and the terrorist attacks of
September 11 mean that the government now has both the ability and the motivation to
use huge arrays of private-sector data about individuals.

Building Security into Software Life Cycle

One of the largest international telecommunication companies in the United States was developing a wide variety of internal and external software solutions. The solution required simplicity of operation and applicability for the automation of the nightly and weekly build process. The results needed to be reliable and credible enough to prompt more build cycle failures. The build failures needed to be added to the defect tracking system.

Business need:
One of the largest international telecommunication companies in the United States was developing a wide variety of internal and external software solutions. It was necessary to begin the process of adapting the organization's software development life cycle to accommodate additional security measures and testing. It was important to the customer that the changes have minimal impact on an already strained team with tight schedules.

Solution:
Configuring IBM® Rational® AppScan® Source Edition to identify violations of the enforcement criteria leads to the review of the application every time it is built. The solution provides regular and predictable security as release time approaches.

Benefits:
• Reduce cost, time, and resource requirements for code review
• Provide an automated approach to identifying and notifying project owners about defects
• Integrate defect notifications within the build and a defect tracking system process
• Deliver consistent and reliable results for all new applications

Case Study

Challenge

Code review is a well-regarded practice for improving quality and security, but it has
historically been a seldom-applied technique because of its cost in time and resources.

Solution
The customer began the implementation process with a detailed analysis of their own
internal expectations for the security of their applications. As those expectations matured
into enforcement criteria, the Rational AppScan Source Edition was configured to
identify violations of the criteria. A team of security analysts created the view of the data
that matched the organization's need for consistency.

After the criteria were defined, the team configured automation servers which were added
to the organization’s build servers. With a small number of trained resources to configure
the appropriate context for analyzing the results, new applications can be reviewed every
time the application is built. The solution provides regular and predictable security as
release time approaches. Through the tailored use of the Rational AppScan Source
Edition tools and their output, it is now practical to perform security analysis as an
automated check within the traditional build phase of the software development life
cycle.
Benefits

The build process automatically issued a security scan while the application was being
created. Results of the scan were automatically analyzed. If the output contained
information identifying vulnerabilities, the build process reported a failure. The
appropriate project owners were emailed and the defects were automatically created and
added to the defect tracking system.
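The gate the case study describes (scan during the build, analyze the output, fail the build on violations, mail the owner, file a defect) is shown below as an added example. It is not IBM Rational AppScan Source code and does not use AppScan's report format; the JSON shape, the policy fields, the owner map and the e-mail addresses are assumptions chosen for illustration, and the report is constructed.

```python
"""Build-time security gate: fail the build when static-analysis findings
violate the team's enforcement criteria, and turn each violation into a
defect record addressed to the component owner.

Added example; not IBM Rational AppScan Source code and not its file format.
The JSON shape, policy fields, owner map and addresses are assumptions.
"""
import json
import sys
from collections import defaultdict

# Constructed sample output from a hypothetical scanner (not AppScan's format).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "sql-injection", "severity": "high",
         "file": "src/billing/query.py", "line": 42},
        {"rule": "hardcoded-secret", "severity": "critical",
         "file": "src/auth/token.py", "line": 7},
        {"rule": "weak-random", "severity": "medium",
         "file": "src/auth/session.py", "line": 19},
        {"rule": "info-leak-comment", "severity": "low",
         "file": "src/billing/query.py", "line": 3},
    ]
})

# Enforcement criteria agreed with the security team (assumed values).
POLICY = {
    "fail_on": {"critical", "high"},            # severities that break the build
    "suppressed_rules": {"info-leak-comment"},  # accepted risk, tracked elsewhere
}

# Component ownership by path prefix (assumed; a CODEOWNERS-style map).
OWNERS = {
    "src/auth/": "auth-team@example.com",
    "src/billing/": "billing-team@example.com",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def owner_for(path):
    """Longest-prefix match against the owner map; unowned paths go to a default."""
    best = ""
    for prefix in OWNERS:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return OWNERS.get(best, "security-oncall@example.com")


def evaluate(report_json, policy=POLICY):
    """Return (build_failed, defects, ignored_count).

    A finding becomes a defect if its rule is not suppressed and its severity
    is in policy['fail_on']; anything else does not gate the build but is
    counted, so a misconfigured policy that ignores everything is visible.
    """
    report = json.loads(report_json)
    defects = []
    ignored = 0
    for f in report["findings"]:
        if f["rule"] in policy["suppressed_rules"] or f["severity"] not in policy["fail_on"]:
            ignored += 1
            continue
        defects.append({
            "title": f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}",
            "owner": owner_for(f["file"]),
            "severity": f["severity"],
            # Stable key so re-running the build does not file duplicate tickets.
            "dedupe_key": f"{f['rule']}|{f['file']}|{f['line']}",
        })
    # Highest severity first so the build log leads with what matters.
    defects.sort(key=lambda d: SEVERITY_RANK[d["severity"]], reverse=True)
    return bool(defects), defects, ignored


def notifications(defects):
    """Group defect titles by owner: one mail per owner rather than one per finding."""
    by_owner = defaultdict(list)
    for d in defects:
        by_owner[d["owner"]].append(d["title"])
    return dict(by_owner)


if __name__ == "__main__":
    failed, defects, ignored = evaluate(SAMPLE_REPORT)
    for owner, titles in notifications(defects).items():
        print(f"notify {owner}: {len(titles)} new defect(s)")
        for t in titles:
            print("  ", t)
    print(f"{ignored} finding(s) below threshold or suppressed")
    sys.exit(1 if failed else 0)  # a non-zero exit status is what fails the build
```

The dedupe key is the part teams most often forget: a nightly build that re-files the same ticket every night trains owners to ignore the notifications, which defeats the purpose of the gate.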

Cyber Crime
CONVENTIONAL CRIME-

Crime is a social and economic phenomenon and is as old as human society. Crime is a legal
concept and has the sanction of the law. A crime or offence is "a legal wrong that can be
followed by criminal proceedings which may result in punishment." (1) The hallmark of
criminality is that it is a breach of the criminal law. Per Lord Atkin, "the criminal quality of an act
cannot be discovered by reference to any standard but one: is the act prohibited with penal
consequences?" (2)

A crime may be said to be any conduct, by act or omission, that is prohibited by law and the
breach of which is visited with penal consequences.

CYBER CRIME

Cyber crime is the latest and perhaps the most complicated problem in the cyber world. "Cyber
crime may be said to be those species of which the genus is conventional crime, and where
either the computer is an object or subject of the conduct constituting crime." (13) "Any criminal
activity that uses a computer either as an instrumentality, target or a means for perpetrating
further crimes comes within the ambit of cyber crime." (12)

A generalized definition of cyber crime may be "unlawful acts wherein the computer is either a
tool or target or both." (3) The computer may be used as a tool in the following kinds of activity:
financial crimes, sale of illegal articles, pornography, online gambling, intellectual property
crime, e-mail spoofing, forgery, cyber defamation, cyber stalking. The computer may instead be
the target of unlawful acts in the following cases: unauthorized access to a computer, computer
system or computer network, theft of information held in electronic form, e-mail
bombing, data diddling, salami attacks, logic bombs, Trojan attacks, Internet time theft, web
jacking, theft of a computer system, and physical damage to a computer system.

Cyber crime / Computer Crime

- "criminal activity in which computers or computer networks are a tool, a target, or
  a place of criminal activity"
- categorize based on the computer's role:
  - as target
  - as storage device
  - as communications tool
- a more comprehensive categorization is seen in the Cybercrime Convention and in
  computer crime surveys

Law Enforcement Challenges

DISTINCTION BETWEEN CONVENTIONAL AND CYBER CRIME-

At first sight there is no distinction between cyber crime and conventional crime. On closer
inspection, however, there is a fine but real line of demarcation between the two. The
demarcation lies in the involvement of the medium: the sine qua non of cyber crime is that the
virtual, cyber medium is involved at some stage of the offence.

REASONS FOR CYBER CRIME:

Hart in his work “ The Concept of Law” has said ‘human beings are vulnerable so rule of law is
required to protect them’. Applying this to the cyberspace we may say that computers are
vulnerable so rule of law is required to protect and safeguard them against cyber crime. The
reasons for the vulnerability of computers may be said to be:

1. Capacity to store data in a comparatively small space-

A computer stores a great deal of data in a very small space. This makes it much easier to
remove or copy information, whether by taking the physical medium or by extracting the data
over a network.

2. Easy to access-

The difficulty in guarding a computer system against unauthorised access is that a breach is
possible not only through human error but also through the complexity of the technology itself.
A secretly implanted logic bomb, a key logger that captures passwords and access codes, or
recorded voice and retina images that fool biometric systems can each be used to get past
a security system that looks sound on paper.

3. Complex-

Computers run on operating systems, and these operating systems are composed of millions of
lines of code. The human mind is fallible, so a lapse at some stage is all but certain. Cyber
criminals take advantage of these gaps to penetrate the computer system.

4. Negligence-

Negligence is closely connected with human conduct. It is therefore very probable that
some negligence will occur while protecting a computer system, and that negligence gives a
cyber criminal the opportunity to gain access to and control over the system.

5. Loss of evidence-

Loss of evidence is a common and obvious problem, because logs and other data are
routinely overwritten or destroyed in the ordinary course of operation. Further, when the
relevant data are held outside the investigating authority's territory, collecting them can bring
the investigation to a standstill.

CYBER CRIMINALS:

Cyber criminals fall into various groups or categories. The division may be justified on the
basis of the object they have in mind. The following are the categories of cyber criminals:

1. Children and adolescents between the ages of 6 and 18 years-

The simple reason for this type of delinquent behaviour in children is mostly curiosity, the
urge to know and explore things. Another related reason may be the wish to prove
themselves outstanding among the other children in their group. The reasons may even be
psychological: the Bal Bharati (Delhi) case, for example, was the outcome of harassment of
the delinquent by his friends.

2. Organised hackers-

These hackers are organised to fulfil a certain objective, which may be political bias,
fundamentalism, and so on. Pakistani groups are said to be among the most capable hackers
in the world; they mainly target Indian government sites in pursuit of their political objectives.
NASA and Microsoft sites are likewise under constant attack by hackers.

3. Professional hackers / crackers-

Their work is motivated by money. These hackers are mostly employed to break into the
systems of rivals and obtain credible, reliable and valuable information. They are also
employed to attack the systems of their own employer, essentially as a measure to make those
systems safer by finding the loopholes.

4. Discontented employees-

This group includes people who have been sacked by their employer or who are dissatisfied
with their employer. To take revenge they typically attack the systems of that employer.

MODE AND MANNER OF COMMITING CYBER CRIME:

1. Unauthorized access to computer systems or networks / Hacking-

This kind of offence is normally referred to as hacking in the generic sense. However, the
framers of the Information Technology Act 2000 have nowhere used this term, so to avoid
confusion the word "hacking" is not used here interchangeably with "unauthorized access",
the latter having the wider connotation.

2. Theft of information contained in electronic form-

This includes information stored in computer hard disks, removable storage media etc. Theft
may be either by appropriating the data physically or by tampering them through the virtual
medium.

3. Email bombing-

This activity consists of sending very large numbers of mails to the victim, who may be an
individual, a company or even a mail server, ultimately causing the target to crash or become
unavailable.

4. Data diddling-

This kind of attack involves altering raw data just before a computer processes it and then
changing it back after the processing is complete. An electricity board faced exactly this
problem while the department was being computerised.

5. Salami attacks-

This kind of crime is normally found in financial institutions or is used for committing
financial crimes. The defining feature of the offence is that each alteration is so small that it
would normally go unnoticed. E.g. the Ziegler case, in which a logic bomb was introduced
into the bank's system that deducted 10 cents from every account and deposited the amounts in
a particular account.
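Because no single skimmed transaction stands out, the practical defence is to aggregate. The script below is an added example, not part of the original text and not a reproduction of any bank's controls: it flags any account that collects sub-threshold amounts from many distinct source accounts within a period, which is the signature of the Ziegler pattern described above. The ledger is constructed, and the two thresholds are assumptions to be tuned per institution.

```python
"""Finding a salami skim in a transaction ledger.

Added example; not from the original text. No single skimmed transaction
looks suspicious, so the check aggregates by beneficiary: an account that
collects sub-threshold amounts from many distinct source accounts in one
period is flagged. Ledger and thresholds below are constructed/assumed.
"""
from collections import defaultdict
from decimal import Decimal

MICRO_AMOUNT = Decimal("0.25")   # amounts at or below this are "too small to notice" (assumed)
MIN_SOURCES = 5                  # distinct source accounts before an alert fires (assumed)


def build_sample_ledger():
    """Constructed ledger of (source, beneficiary, amount, memo).

    Ordinary payments plus a 10-cent 'fee adjustment' taken from every
    customer account and credited to ACC-9999, the Ziegler pattern.
    """
    ledger = [
        ("ACC-0001", "ACC-0002", Decimal("120.00"), "invoice 4411"),
        ("ACC-0003", "ACC-0004", Decimal("0.10"), "tip"),   # one legitimate small transfer
        ("ACC-0005", "ACC-0002", Decimal("45.50"), "invoice 4412"),
    ]
    for i in range(1, 9):                                   # eight victims
        ledger.append((f"ACC-{i:04d}", "ACC-9999", Decimal("0.10"), "fee adj"))
    return ledger


def find_salami_beneficiaries(ledger, micro=MICRO_AMOUNT, min_sources=MIN_SOURCES):
    """Return {beneficiary: (distinct_sources, total_collected)} for every
    account receiving micro-amounts from at least `min_sources` distinct accounts."""
    sources = defaultdict(set)
    totals = defaultdict(lambda: Decimal("0"))
    for src, dst, amount, _memo in ledger:
        if Decimal("0") < amount <= micro:
            sources[dst].add(src)
            totals[dst] += amount
    return {dst: (len(s), totals[dst])
            for dst, s in sources.items() if len(s) >= min_sources}


def per_source_loss(ledger, beneficiary, micro=MICRO_AMOUNT):
    """How much each source account lost to a flagged beneficiary: the figure
    needed to notify victims and to size the restitution."""
    loss = defaultdict(lambda: Decimal("0"))
    for src, dst, amount, _memo in ledger:
        if dst == beneficiary and Decimal("0") < amount <= micro:
            loss[src] += amount
    return dict(loss)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for acct, (n, total) in find_salami_beneficiaries(ledger).items():
        print(f"ALERT {acct}: {total} collected in micro-amounts from {n} accounts")
        for victim, lost in sorted(per_source_loss(ledger, acct).items()):
            print(f"   {victim} lost {lost}")
```

Money is handled as Decimal rather than float so that the skim totals reconcile exactly; a balance check that merely confirms debits equal credits will not catch a salami attack, since the skim is balanced by construction, which is why the fan-in count is the signal.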

6. Denial of Service attack-

The victim's computer or service is flooded with more requests than it can handle, causing it
to crash or become unavailable. A distributed denial of service (DDoS) attack is a denial of
service attack in which the traffic comes from a large number of widely dispersed machines.
E.g. the February 2000 attacks on Amazon and Yahoo.

7. Virus / worm attacks-

Viruses are programs that attach themselves to a program or file and then spread to other
files and to other computers on a network. They usually affect the data on a computer, either
by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to:
they make functional copies of themselves and do so repeatedly, consuming memory, disk
and network capacity as they spread. E.g. the Love Bug (ILOVEYOU) worm of 2000, which
infected millions of computers worldwide, with losses estimated in the billions of dollars. The
best-known worm is the Internet worm released by Robert Morris in November 1988, which
disabled a substantial fraction of the roughly 60,000 hosts then connected to the Internet.

8. Logic bombs-

These are event-dependent programs: they are written to do something only when a certain
event (the trigger event) occurs. Some viruses may also be termed logic bombs, because they
lie dormant throughout the year and become active only on a particular date (as the
Chernobyl/CIH virus did on 26 April).

9. Trojan attacks-

The term has its origin in the Trojan horse. In software it means an unauthorized program
that gains control over another's system by presenting itself as a legitimate program. The most
common way a Trojan is installed is through e-mail. E.g. a Trojan was installed on the
computer of a film director in the U.S. while she was chatting online. Through the web cam
attached to the computer, the cyber criminal obtained nude photographs of her and then
harassed her with them.

10. Internet time thefts-

In these thefts the victim's Internet surfing hours are used up by another person, who gains
access to the victim's login ID and password. E.g. Colonel Bajwa's case, in which his Internet
hours were used up by someone else. This was perhaps one of the first reported cyber crime
cases in India; it also made the police notorious for their lack of understanding of the nature
of cyber crime.

11. Web jacking-

The term is derived from hijacking. In these offences the attacker gains access to and control
over another's web site and may mutilate or change the information on it. This may be done
for political objectives or for money. E.g. the site of the MIT (Ministry of Information
Technology) was hacked by Pakistani hackers and obscene material placed on it, and the site
of the Bombay crime branch was also web-jacked. Another case is the "gold fish" case, in
which the site was hacked, the information about gold fish was changed, and a ransom of
US $1 million was demanded. Web jacking is thus the taking of control over another's site,
held in exchange for some consideration.

CLASSIFICATION:

The subject of cyber crime may be broadly classified under the following three groups:

1. Against individuals
   a. their person, and
   b. their property

2. Against organizations
   a. government
   b. firms, companies and groups of individuals

3. Against society at large

The following are the crimes that can be committed against each group.

Against individuals:
i. Harassment via e-mails.
ii. Cyber-stalking.
iii. Dissemination of obscene material.
iv. Defamation.
v. Unauthorized control/access over computer system.
vi. Indecent exposure.
vii. E-mail spoofing.
viii. Cheating and fraud.

Against individual property:
i. Computer vandalism.
ii. Transmitting viruses.
iii. Netrespass.
iv. Unauthorized control/access over computer system.
v. Intellectual property crimes.
vi. Internet time thefts.

Against organizations:
i. Unauthorized control/access over computer system.
ii. Possession of unauthorized information.
iii. Cyber terrorism against government organizations.
iv. Distribution of pirated software, etc.

Against society at large:
i. Pornography (basically child pornography).
ii. Polluting the youth through indecent exposure.
iii. Trafficking.
iv. Financial crimes.
v. Sale of illegal articles.
vi. Online gambling.
vii. Forgery.

The above-mentioned offences may be discussed in brief as follows:

1. Harassment via e-mails-

Harassment through e-mails is not a new concept. It is very similar to harassment through
letters. Recently I received a mail from a lady in which she complained about the same.
Her former boyfriend was constantly sending her mails, sometimes emotionally
blackmailing her and also threatening her. This is a very common type of harassment via
e-mail.

2. Cyber-stalking-

The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves
following a person's movements across the Internet: posting messages (sometimes
threatening) on the bulletin boards frequented by the victim, entering the chat rooms
frequented by the victim, constantly bombarding the victim with e-mails, and so on.

3. Dissemination of obscene material / Indecent exposure / Pornography (basically
child pornography) / Polluting through indecent exposure-

Pornography on the net may take various forms: hosting a web site containing the
prohibited material, using computers to produce such obscene material, or downloading
obscene material through the Internet. Such material may cause harm to the minds of
adolescents and tend to deprave or corrupt them. Two known pornography cases are the
Delhi Bal Bharati case and the Bombay case, in which a Swiss couple forced slum children
to pose for obscene photographs; the Mumbai police later arrested them.

4. Defamation

Defamation is the act of imputing something to a person with intent to lower that person in
the estimation of right-thinking members of society generally, or to cause him to be shunned
or avoided, or to expose him to hatred, contempt or ridicule. Cyber defamation is no different
from conventional defamation except for the involvement of a virtual medium. E.g. the mail
account of Rohit was hacked and mails were sent from his account to some of his batch
mates about his affair with a girl, with intent to defame him.

4. Unauthorized control/access over computer system-

This activity is commonly referred to as hacking. Indian law has, however, given a
different connotation to the term "hacking", so the terms "unauthorized access" and
"hacking" are not used interchangeably here, to prevent confusion: the term used in the
Act of 2000 is much wider than hacking.

5. E mail spoofing-

A spoofed e-mail is one that misrepresents its origin: it shows its origin to be different from
the place it actually came from. Recently, spoofed mails carrying a virus were sent in the
name of Mr. Na.Vijayashankar (naavi.org).

Rajesh Manyar, a graduate student at Purdue University in Indiana, was arrested for
threatening to detonate a nuclear device in the college campus. The alleged e- mail was
sent from the account of another student to the vice president for student services.
However the mail was traced to be sent from the account of Rajesh Manyar.(15)
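The way a receiving mail server exposes a spoofed origin is through the headers it adds on arrival, above all Authentication-Results (RFC 8601), which records the SPF result for the envelope sender and the DKIM result for the signing domain. The script below is an added example, not part of the original article, and makes no claim about how the Purdue case was actually traced: it reads that header, checks whether an authenticated domain aligns with the visible From: domain, and reports mismatches. The three messages are constructed; no DNS queries are made, so a mail with no Authentication-Results header is reported as unverified rather than trusted.

```python
"""Header triage for a suspected spoofed e-mail.

Added example; not from the original article. Reads the Authentication-Results
header written by the receiving MTA (RFC 8601) and checks whether an SPF or
DKIM pass aligns with the visible From: domain. Messages are constructed and
no network lookups are performed.
"""
import email
import re
from email.utils import parseaddr

# Constructed: From: claims the campus domain, but the envelope sender and the
# SPF result point at a third-party mailer, and there is no DKIM signature.
SPOOFED = """\
Return-Path: <bounce@free-mailer.example>
Received: from mx.free-mailer.example (198.51.100.7) by mx.campus.example
Authentication-Results: mx.campus.example; spf=pass smtp.mailfrom=free-mailer.example; dkim=none
From: "Registrar" <registrar@campus.example>
To: vp-students@campus.example
Subject: Urgent notice

Body of the spoofed message.
"""

# Constructed: envelope, SPF and DKIM all agree with the From: domain.
LEGIT = """\
Return-Path: <registrar@campus.example>
Authentication-Results: mx.campus.example; spf=pass smtp.mailfrom=campus.example; dkim=pass header.d=campus.example
From: registrar@campus.example
To: vp-students@campus.example
Subject: Exam schedule

Body of the legitimate message.
"""

# Constructed: a message the receiving server never checked.
NO_AUTH = """\
From: registrar@campus.example
To: vp-students@campus.example
Subject: Hello

No Authentication-Results header at all.
"""


def domain_of(address):
    """Domain part of 'addr' or 'Name <addr>', lower-cased; '' if absent."""
    _name, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Parse 'authserv-id; method=result prop=value; ...' into a list of
    (method, result, domain); domain is taken from smtp.mailfrom or header.d."""
    results = []
    clauses = [c.strip() for c in value.split(";")]
    for clause in clauses[1:]:            # clauses[0] is the authserv-id
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", clause)
        domain = d.group(1).lower().rsplit("@", 1)[-1] if d else None
        results.append((method, result, domain))
    return results


def assess(raw_message):
    """Return {'verdict': 'pass' | 'spoof-suspect' | 'unverified',
               'from_domain': ..., 'reasons': [...]}."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reasons = []

    ar = msg.get("Authentication-Results")
    if ar is None:
        return {"verdict": "unverified", "from_domain": from_domain,
                "reasons": ["no Authentication-Results header from the receiving server"]}

    auth = parse_auth_results(ar)
    # Alignment: a pass only counts if it was earned by the From: domain itself.
    aligned_pass = any(result == "pass" and domain == from_domain
                       for method, result, domain in auth if method in ("spf", "dkim"))
    for method, result, domain in auth:
        if method not in ("spf", "dkim"):
            continue
        if result != "pass":
            reasons.append(f"{method}={result}")
        elif domain != from_domain:
            reasons.append(f"{method} passed for {domain}, not for From: domain {from_domain}")

    return_path_domain = domain_of(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From: domain {from_domain}")

    return {"verdict": "pass" if aligned_pass else "spoof-suspect",
            "from_domain": from_domain, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("no-auth", NO_AUTH)):
        r = assess(raw)
        print(f"{label}: {r['verdict']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

Note that the spoofed message has spf=pass: SPF only vouches for the envelope sender, which the attacker controls, so a pass that is not aligned with the From: domain is evidence against the message, not for it.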

6. Computer vandalism-

Vandalism means deliberately destroying or damaging the property of another. Thus
computer vandalism may include within its purview any kind of physical harm done to
the computer of any person. These acts may take the form of the theft of a computer,
some part of a computer or a peripheral attached to the computer, or physically
damaging a computer or its peripherals.

7. Transmitting virus/worms-

This topic has been adequately dealt herein above.

8. Intellectual Property crimes / Distribution of pirated software-

Intellectual property consists of a bundle of rights. Any unlawful act by which the owner
is deprived completely or partially of those rights is an offence. The common forms of IPR
violation are software piracy, copyright infringement, trademark and service mark
violation, theft of computer source code, etc.

The Hyderabad court, in a landmark judgement, convicted three people and sentenced
them to six months' imprisonment and a fine of 50,000 each for the unauthorized copying
and sale of pirated software. (16)

9. Cyber terrorism against the government organization


At this juncture one may ask why there is any need to distinguish between cyber terrorism
and cyber crime, since both are criminal acts. There is nevertheless a compelling reason to
distinguish them. A cyber crime is generally a domestic issue that may have international
consequences, whereas cyber terrorism is a global concern with both domestic and
international consequences. The common forms of terrorist attack on the Internet are
distributed denial of service attacks, hate websites and hate e-mails, attacks on sensitive
computer networks, and so on. Technology-savvy terrorists also use strong encryption that
investigators cannot practically break. (The "512-bit encryption" figure sometimes quoted
in this context is not meaningful without naming the algorithm: 512-bit RSA keys were
publicly factored as early as 1999, whereas a 256-bit key of a modern symmetric cipher is
already beyond brute force.) Recent examples include Osama Bin Laden, the LTTE, and the
attack on America's army deployment system during the Iraq war.

Cyber terrorism may be defined as "the premeditated use of disruptive activities, or
the threat thereof, in cyber space, with the intention to further social, ideological,
religious, political or similar objectives, or to intimidate any person in furtherance of
such objectives." (4)

Another definition may be attempted to cover within its ambit every act of cyber
terrorism.

A terrorist means a person who indulges in wanton killing of persons, or in violence, or in
disruption of services or means of communication essential to the community, or in
damaging property, with a view to-

(1) putting the public or any section of the public in fear; or

(2) affecting adversely the harmony between different religious, racial, language or
regional groups or castes or communities; or

(3) coercing or overawing the government established by law; or

(4) endangering the sovereignty and integrity of the nation

and a cyber terrorist is the person who uses the computer system as a means or ends
to achieve the above objectives. Every act done in pursuance thereof is an act of cyber
terrorism.

10.Trafficking

Trafficking may assume different forms: trafficking in drugs, in human beings, in arms and
weapons, etc. These forms of trafficking go unchecked because they are carried on under
pseudonyms. A racket was busted in Chennai where drugs were being sold under the
pseudonym "honey".

11. Fraud & Cheating

Online fraud and cheating is one of the most lucrative businesses growing in cyberspace
today. It may assume different forms. Some of the cases of online fraud and cheating that
have come to light relate to credit card crimes, contractual crimes, job offers, etc.
Recently the Court of the Metropolitan Magistrate, Delhi (17) found a 24-year-old engineer
working in a call centre guilty of fraudulently obtaining the details of Campa's credit card and
buying a television and a cordless phone from the Sony website. Metropolitan magistrate
Gulshan Kumar convicted Azim of cheating under the IPC but did not send him to jail; instead
Azim was asked to furnish a personal bond of Rs 20,000 and was released on a year's probation.
