
Subject Code: AUC-002

Cyber Security
Suggested Reading Books:

1. Information Security and Cyber Laws, Pankaj Sharma, Ketson Books
2. Information Security and Cyber Laws, Saurabh Sharma, Vikas Publication
Information System

An information system provides information in the form of pre-specified reports and displays to support the business decision process, for example sales analysis reports or production performance reports.

An information system, whether computer-based or manual, transforms data into information that is useful in decision making. An MIS can be classified as performing three functions:

(1) To generate reports, for example financial statements, inventory status reports, or performance reports needed for routine or non-routine purposes.

(2) To answer what-if questions asked by management. For example, a question such as "What would happen to cash flow if the company changed its credit terms for its customers?" can be answered by the MIS. This type of MIS can be called a simulation.

(3) To support decision making. This type of MIS is appropriately called a Decision Support System (DSS). A DSS attempts to integrate the decision maker, the database, and the quantitative models being used.
Narendra Singh, FCIS, NMBA018, G.L. Bajaj, Gr. Noida
There are many factors responsible for the growing importance of information systems, such as:
1. The dynamic and competitive nature of the marketplace.
2. Globalization of resources and of the economy.
3. The need to reduce the complexity of business operations.
4. The information revolution (credit cards, overnight package delivery).

Traditionally, information systems operated manually: human beings were the major source of information and all the work was carried out with pen and paper. This approach had certain drawbacks:

1. It did not provide timely and accurate information.
2. It could not store large volumes of information for future use.
3. The paperwork involved was vast.
4. It was costly, both in money and in time.
5. The security of confidential data was a problem.

Characteristics of Information System

• An information system supports structured and semi-structured decisions at the middle level of management.
• An information system is useful for planning purposes at senior levels.
• An information system is generally reporting- and control-oriented.
• An information system helps in decision making using past and present data.
• A management information system has an internal orientation.

Management Information System (MIS)
(Provides a common platform to all departments)

  HR Department          → Human Resource Information System
  Inventory              → Inventory Information System
  Marketing Department   → Marketing Information System
  Finance Department     → Finance Information System
  Production Department  → Production Information System

It is also an example of a cross-functional information system.
Classification of Information System
We have categorized information systems on the basis of their roles in the operations and management of a business. Accordingly, information systems are primarily categorized as:
Operation Support Systems
Management Support Systems

Information System
  Operation Support Systems
    Transaction Processing System (TPS)
    Process Control System (PCS)
    Enterprise Collaboration System (ECS)
  Management Support Systems
    Management Information System (MIS)
    Decision Support System (DSS)
    Executive Information System (EIS)
Operation Support System
Every business organization requires information systems to process the data generated by and used in its business operations. These systems produce various types of information products for internal and external use. Operation support systems are further divided into three basic categories.

Transaction Processing System
A transaction processing system is responsible for recording and processing the data resulting from business transactions. For example, information systems that process sales, purchases and inventory changes help in updating the customer, inventory and other organizational databases. The output of a transaction processing system provides the base, or input, for the MIS, DSS and Executive Information System.
Process Control Systems:
Process control systems use computers to control ongoing physical processes. They also make routine decisions that control operational processes; examples are automatic inventory reorder decisions and production control decisions. A petroleum refinery, for instance, uses electronic sensors linked to computers to continually monitor chemical processes. The computer monitors a chemical process, captures and processes the data detected by the sensors, and makes instant adjustments to the appropriate refinery process.

Enterprise Collaboration System:
An enterprise collaboration system is an information system that uses information technology to help people work together. It helps us communicate, share ideas and resources, and coordinate our cooperative work efforts. Such groups or teams depend heavily on the Internet, intranets and collaboration software known as "groupware". They communicate with the help of e-mail, video conferencing, audio conferencing, voice mail, etc.
Decision Support System:
Decision support systems comprise a major category of management support systems. They are computer-based information systems that provide interactive information support during the decision-making process.

Characteristics of DSS

• DSS offers users flexibility, adaptability and quick response.
• DSS are intelligent support systems designed to provide information to top- and middle-level managers to make decisions that require judgment and intuition.
• DSS allow users to generate and control the inputs and outputs.
• DSS uses sophisticated analysis and modeling tools.
• DSS operates with little or no assistance from professionals such as programmers.
• DSS provides support for decisions and problems whose solutions cannot be pre-specified.
Executive Information System: This information system serves the strategic information needs of top management and is basically a hybrid information system combining features of the MIS and the DSS. The basic purpose of an EIS is to provide top management with immediate and easy access to information about the firm's critical success factors.
Differences Between TPS and MIS

Points of Comparison | Transaction Processing System (TPS)                   | Management Information System (MIS)
Input                | Transactions, events                                  | Output from TPS; high-volume data
Processing           | Data entry, listing, sorting, merging and updating    | Routine reports, simple models, low-level analysis
Output               | Detailed reports, lists, summaries of transactions    | Summary and exception reports
Users                | Operations personnel, low-level managers, supervisors | Middle-level managers
Goal                 | Record and process transactions                       | Production of summary and exception reports
Decision support     | Decision support for lower-level managers             | Decision support for tactical-level managers
Differences Between MIS and DSS

Points of Comparison | Management Information System (MIS)                        | Decision Support System (DSS)
Input                | Output of TPS; high-volume data                            | Output from TPS and MIS; low-volume data
Processing           | Extraction and manipulation of business data               | Analytical modeling of business data
Output               | Periodic, exception and on-demand reports and responses    | Interactive queries and responses
Users                | Middle-level managers                                      | Top-level managers, professionals, information workers
Goal                 | Provide information about the performance of the organization | Provide decision support techniques to analyze specific problems
Decision support     | Production of summary and exception reports                | Ad-hoc query handling
Summary of the four system types

Transaction Processing System (TPS)
  Input: transactions, events
  Process: data entry, listing, sorting, merging, updating
  Output: detailed reports, lists, summaries of transactions
  Users: lower-level managers, supervisors
  Examples: sales transactions, purchase transactions, claims, etc.

Management Information System (MIS)
  Input: output from TPS; high volume of data
  Process: routine reports, simple models, low-level analysis
  Output: summary and exception reports
  Users: middle-level managers
  Examples: monthly sales reports

Decision Support System (DSS)
  Input: output from TPS and MIS; low volume of data
  Process: analytical modeling of business data
  Output: interactive queries and responses
  Users: top-level managers, professionals
  Examples: investment portfolio, plant expansion

Executive Information System (EIS)
  Input: aggregate data (external and internal)
  Process: graphics, interactive queries
  Output: projections, responses to queries
  Users: executives, directors
  Examples: enterprise-wide performance
Development of Information System

System Investigation
Every system investigation requires an initial study, because the cost of developing a major information system is high. This initial study is called a feasibility study. This phase also records the actual problems of the existing system.

Feasibility Analysis
Because the development process can be costly, the systems investigation stage may require a preliminary study called a feasibility analysis, in which the information needs of prospective users and the resource requirements, costs, benefits and feasibility of a proposed project are determined. A system project's feasibility is assessed in three principal ways:
1. Operational feasibility
2. Technical feasibility
3. Economic feasibility
1. Operational Feasibility:
• Employee, customer and supplier acceptance
• Management support
• Government or other requirements

2. Technical Feasibility:
• Hardware, software and network capability, reliability and availability

3. Economic Feasibility:
• Cost savings
• Increased revenue
• Decreased investment requirements
• Increased profits
System Analysis

System analysis includes three basic functions: 1) organizational analysis, 2) analysis of the present system, and 3) functional requirements analysis.

To improve an information system it is necessary to know something about the organization: its management structure, its employees, its business activities, etc. You also have to analyse how the present system uses hardware, software, people, network and other resources. Functional requirements should be developed in the following areas:

• User interface requirements
• Storage requirements
• Control requirements
• Processing requirements
System owners, users, designers and builders have different perspectives on an information system. Some of them are technical people and others are non-technical; an owner may be interested in an overall or general view of the information, while a designer is interested in every detail of the system. This situation represents the gap that has always existed when one wants to apply the benefits of information technology or computer-based solutions to a business problem. Only the system analyst is able to fill this gap.

[Figure: the system analyst sits at the centre, between the system owner, the system user, the system designer and the system builders.]
A system analyst is a specialist who studies the problems and needs of an organization to determine how people, data, processes and information technology can best accomplish improvements for the business. The system analyst is a unique stakeholder because he or she serves as a facilitator, bridging the communication gaps that naturally develop between the technical system designers and builders and the non-technical system owners and users.

A successful system analyst is one who possesses the following skills, knowledge and traits:

• They need to be capable in one or more high-level programming languages.
• They must have general knowledge of business processes and terminology.
• They must have problem-solving skills.
• They should be flexible.
• They must be able to communicate effectively, both orally and in writing.
• The nature of the system analyst's job requires a strong character and a sense of right and wrong.
System Design

A system designer is a technical expert who translates system users' business requirements and constraints into technical solutions. Designers design the computerized database, inputs, outputs and software that will fulfil these requirements. The system designer describes the information system in terms of a design blueprint that guides the construction of the final system.

The design specifies how the system will accomplish its objectives. System design includes designing the user interface, the data and the processes.

User Interface Design: screens, forms, reports, dialog boxes.

Data Design: data element structure, data design, relationships between data.

Process Design: design of the software resources and procedures.
System Implementation

Hardware and software acquisition → software installation → testing of programs and procedures → development of documentation → a variety of installation (conversion) activities → end-user training.

System Maintenance & Review
• Changes in functions or modules
• Timely updating of the software
• Changes in software as required
• Taking feedback from the users
• Finding scope for improvement
• Conversations with the users
Important Glossary of Cyber Security
1. Access Control: The process of limiting access to the resources of a system to only authorized persons, programs, processes or other systems.
2. Application: Software that provides the solution to a problem.
3. Authenticated User: A user who has accessed an information system with a valid identifier and has been authenticated.
4. Bad Reputation Domains: Domains that appear on one or more security-industry blacklists because of repeated malicious behaviour.
5. Botnet: A network of compromised computers ("bots") remotely controlled by cyber criminals and used, for example, to send spam, launch denial-of-service attacks or spread malware.
6. Cipher: An algorithm for encryption or decryption.
7. Critical Assets: Those assets which directly support the organization's ability to sustain its mission.
8. Cryptography: The practice of protecting information by transforming it with algorithms and keys so that only authorized parties can read it.
9. Data Encryption Standard (DES): A symmetric block cipher defined and endorsed by the US Government in 1977; now obsolete because of its short (56-bit) key.
10. Data Integrity: Data integrity refers to the validity of data, meaning the data is consistent and correct.
11. Deciphering: The translation of encrypted text or data (called cipher text) into the original text or data (called plain text).
12. Decryption: The translation of encrypted text or data (called cipher text) into the original text or data (called plain text).
13. Enciphering: The conversion of plain text or data into an unintelligible form by means of a reversible transformation based on a translation table or algorithm.
14. Encryption: The conversion of plain text or data into an unintelligible form by means of a reversible transformation based on a translation table or algorithm.
15. Facsimile: A document that has been sent, or is about to be sent, via a fax machine.
16. Firewall: A device or program that filters traffic between networks and protects the organization's network from unauthorized outside connections.
17. Firmware: Software that has been written onto read-only memory (ROM) or flash memory in a device; firmware sits between hardware and software.
18. Gateway: A machine or set of machines that provides relay services between two networks.
19. Intruder: An individual who gains, or attempts to gain, unauthorized access to a computer system.
20. Malware: An umbrella term for a variety of forms of hostile software, including computer viruses, worms, Trojan horses and spyware.
21. Spyware: Software that aids in gathering information about a person or organization without their knowledge.
22. Trojan Horse: Malware disguised as a legitimate program; it is generally non-self-replicating and typically causes loss or theft of data and possibly system harm.
23. Virus: Malware that, when executed, replicates by inserting copies of itself into other programs or files.
24. Worm: Self-replicating malware that does not alter files but resides in active memory and duplicates itself across the network. Worms use parts of the operating system that run automatically and are usually invisible to the user.
25. Phishing: The attempt to acquire sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication.
26. Virtual Private Network: A virtual private network (VPN) extends a private network across a public network such as the Internet.
What is cyber security?
• Cyber security standards are security standards that enable organizations to practise safe security techniques in order to minimize the number of successful cyber attacks.
• Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals.
• Cyber security therefore covers network, data and application security.
• Communication security: protecting the organization's communication media, technology and content.
• Network security: the protection of networking components, connections and content.
• Information security: the protection of information and its critical elements, including the systems and hardware that use, store or transmit that information.
What is cyber crime?
• The earlier terms were "computer crime", "computer-related crime" or "crime by computer". With the spread of digital technology, new terms such as "high-technology" or "information-age" crime were added. The Internet then brought further terms, such as "cybercrime" and "net crime".
• Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.

Cyber crimes include
• Illegal access
• Illegal interception
• System interference
• Data interference
• Misuse of devices
• Fraud
Why should we care?
• It is criminal activity committed on the Internet.
• Cyber crime: where the computer is either a tool or a target, or both.

How can we protect ourselves?
• Read the privacy policy carefully before you submit data over the Internet.
• Encryption: many websites use SSL (Secure Sockets Layer), or its successor TLS, to encrypt data in transit.
• Disable remote connectivity you do not need.

Advantages of cyber security
• It defends against hacking and viruses.
• Security software installed on a PC needs regular updates, at least weekly.
• Security vendors update their signature databases frequently, so newly discovered viruses can also be detected and removed.

Safety tips ...
• Use antivirus software
• Install a firewall and a pop-up blocker
• Uninstall unnecessary software
• Maintain backups
• Check security settings
• Use secure connections
• Open attachments carefully
• Use strong passwords; don't give out personal information unless required
India stands 11th in the world ranking for cyber crime, accounting for 3% of global cyber crime.

Why India?
A rapidly growing online user base:
• 151 million Internet users
• 85 million active Internet users, up 28% from 65 million in 2010
• 68 million users shop on e-commerce and online shopping sites
• 52+ million social network users
• 456 million mobile users subscribed to data packages

Source: IAMAI; Juxt; wearesocial 2015


Threats to Information Systems
Threats can be classified as:

1. Physical Threats: Damage to hardware or software, theft of computer systems, vandalism, natural disasters such as flood, fire and earthquakes, war, and acts of terrorism such as the attack on the World Trade Center.

2. Accidental Errors: Corruption of data caused by programming errors or by user or operator errors.

3. Unauthorized Access: A person accessing data, information, software or hardware without the permission of the organization concerned. It may happen internally or externally.

4. Malware Threats: Malware is an umbrella term for a variety of forms of hostile software, including computer viruses, worms, Trojan horses and spyware.

Information Assurance
Information assurance is defined as the set of measures applied to protect the information systems and the information of an organization. It ensures the following:

1. Availability
2. Integrity
3. Authentication
4. Confidentiality
5. Non-repudiation: the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a message that they originated.

Security Risk Analysis
The risk analysis process acts as a link between the risk assessment and risk management processes.

The common terminology that comes out of the process of security risk analysis is as follows:

Assets: For an organization, assets means everything that has some value and needs to be safeguarded.

Threats: Threats are potential actions that have the possibility of damaging the assets of an organization.

Vulnerabilities (weaknesses): Vulnerabilities are weaknesses or loopholes in the protection of assets.

Countermeasures: Countermeasures are devices or actions intended to, and capable of, reducing system vulnerabilities.
The process of risk analysis involves the following three key elements:

1. Impact Statement: The impact statement describes the damage that may be caused by threats.

2. Effectiveness Measure: The effectiveness measure presents the calculated effectiveness of the individual actions taken to counter the impact of threats.

3. Recommended Countermeasures: The recommended countermeasures are the possible actions that are cost-effective and maintain the security of assets in a proper manner.

Data Security
Database security deals with all aspects of protecting the database contents, its owners and its users. It ranges from protection against intentional unauthorized database use to protection against unintentional database accesses by unauthorized entities.

Following is a list of requirements for database security.

1. Physical database security
2. Logical database security
3. Element integrity
4. Access control
5. User authentication
6. Availability

Threats in Networks

1. Employee behaviour
2. E-mail
3. Viruses
4. Hackers

A security threat is a circumstance, condition or event that can cause economic hardship to data or network resources in the form of destruction, disclosure or modification of data, denial of service, fraud and waste.
In addition, organizations must be concerned about the inherent security threats associated with doing business over the web, such as unauthorized user access, eavesdropping and tampering.
To overcome these, a strong network security solution is necessary, one that can transparently and automatically control access to corporate intranets or extranets. The solution must provide identification and authentication of users, encryption of all traffic from the application to the user, and access control to all information.
E-security can be divided into the following parts:
• Client-server network security
• Data and transaction security
• Web security
Client-server network security:

Client-server security ensures that only authorized users can access the information. Mechanisms of this type include password protection, encrypted smart cards, biometric systems and firewalls. The following are the security problems in client-server security.
• Physical Security: When an unauthorized user gains physical access to a computer. This is a common problem on networks, as hackers who gain access to network systems can then guess the passwords of various users.
• Software Security: When programs are compromised into doing things they should not. Example: the "rlogin" hole in IBM RS/6000 workstations, which enabled a cracker to obtain a "root" shell (superuser access). This could be used to delete the complete file system, read the password file, or create a new account.
• Inconsistent Usage: When a system administrator assembles the system from a combination of hardware and software such that the system is seriously flawed from a security point of view. This type of problem is becoming common as software becomes more complex.
To overcome the above security threats, various protection methods are used. These protection methods are also called authorization or access control.
Protection methods are:
• Trust-based security
• Security through obscurity
• Password schemes
• Biometric systems
Trust-based security: Trust-based security means trusting everyone and doing nothing extra for protection; there is no access restriction on any kind of data. All users working on the network can share information, and the approach assumes that no user will cause an expensive breach such as deletion of files, modification of data or unauthorized access to data. Nowadays this approach does not work; it was used in the past.
• Security through Obscurity (STO): The assumption that a network is secure as long as nobody outside its management group is allowed to find out anything about its operational details.
• For this, administrators may hide account password details in binary files or scripts so that "nobody will ever find them".
• But its usefulness is minimal in the UNIX world, where users are free to move around the file system and have a good understanding of programming techniques.
• They can easily guess at the bits of knowledge considered confidential. This bypasses the whole basis of STO and makes this method of security useless.
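Why hiding a password inside a binary is no protection at all: the password is still a run of printable bytes on disk, and the `strings` utility (or the few lines below that re-implement its core) lists every such run. This is an added example for these lecture notes, not code from the course; the "binary" is a constructed byte blob standing in for a compiled program, and the key names in it are made up.

```python
"""Security through obscurity in practice: recover a password embedded in a
binary by extracting printable runs (what the Unix `strings` tool does) and
grepping them for credential-like assignments.  Added example; the blob and
the names inside it are constructed for illustration."""
from __future__ import annotations

import re

# Constructed sample: opaque machine-code-like bytes around an embedded
# connection string.  A real binary would be larger, but no harder to read.
CONSTRUCTED_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x02\x00\x3e\x00\x01\x00\x00\x00\x90\x10\x40\x00\x00\x00\x00\x00"
    b"db_host=10.0.0.7\x00"
    b"\x48\x89\xe5\x48\x83\xec\x10"
    b"db_user=appuser\x00"
    b"\xc3\x0f\x1f\x44\x00\x00"
    b"db_password=Winter2015!\x00"
    b"\x55\x48\x89\xe5\x5d\xc3"
)

PRINTABLE = set(range(0x20, 0x7F))   # space .. tilde, the same set `strings` uses


def strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least `min_len` printable ASCII bytes, in order."""
    found: list[str] = []
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at end of file
        found.append(run.decode("ascii"))
    return found


# key=value pairs whose key looks like a secret (case-insensitive)
CREDENTIAL_RE = re.compile(
    r"(?i)\b(\w*(?:pass(?:word|wd)?|secret|token|api[_-]?key)\w*)\s*=\s*(\S+)"
)


def find_credentials(blob: bytes) -> dict[str, str]:
    """Map every secret-looking key found in the blob's strings to its value."""
    hits: dict[str, str] = {}
    for s in strings(blob):
        for key, value in CREDENTIAL_RE.findall(s):
            hits[key] = value
    return hits


if __name__ == "__main__":
    for s in strings(CONSTRUCTED_BINARY):
        print("string:", s)
    print("credentials:", find_credentials(CONSTRUCTED_BINARY))
```

On a real system the same result comes from `strings program | grep -i pass`; obfuscating the value (XOR, base64) only adds one more step, because the decoding routine ships in the same binary. Secrets belong in a protected store the program reads at run time, not in its code.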

• Password Schemes: Another protection method is the password scheme. However, it can also be broken when common words or names are used as passwords.
1) The simplest method used by most hackers is dictionary comparison: comparing the list of encrypted (hashed) user passwords against a dictionary of encrypted common words. This scheme often works because users tend to choose relatively simple or familiar words as passwords.
2) As a countermeasure, use mixed-case passwords containing at least one non-alphanumeric character, and change passwords every 30 to 60 days.
3) One-time passwords and smart-card randomized tokens can also be used. These schemes provide a high level of security.
• Biometric System: Biometric systems identify people by physical characteristics such as fingerprints, palm prints and voice. They are very expensive to implement. They operate in two modes: one-to-one matching (verification against a claimed identity) and one-to-many matching (identification among all enrolled users).
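The dictionary comparison described above, run against two storage schemes: unsalted fast hashes (where one hash per dictionary word tests every user at once) and per-user salted, deliberately slow PBKDF2 hashes, together with the password-policy check the notes recommend. This is an added example for these lecture notes, not code from the course; the user accounts, their passwords and the tiny word list are constructed, and the ITERATIONS value is a placeholder to be tuned to the hardware.

```python
"""Password schemes: the "dictionary comparison" attack against (a) unsalted
MD5 hashes and (b) salted PBKDF2 hashes, plus a policy check for mixed case
and a non-alphanumeric character.  Added example; users, passwords and the
word list are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-in for a cracker's dictionary of common words.
DICTIONARY = ["password", "letmein", "welcome", "sunshine", "dragon", "qwerty"]


# ---- weak scheme: unsalted MD5, as many legacy systems stored passwords ----
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored: dict[str, str], words: list[str]) -> dict[str, str]:
    """Hash each word once, then look every user's hash up in that table:
    without salts a single computation tests the word against everyone."""
    table = {weak_hash(w): w for w in words}
    return {user: table[h] for user, h in stored.items() if h in table}


# ---- hardened scheme: per-user random salt + deliberately slow KDF ----
ITERATIONS = 100_000   # assumed value; raise until one guess costs ~0.1 s


def make_record(password: str) -> tuple[bytes, bytes]:
    """Store (salt, derived key); the salt is random and unique per user."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)      # constant-time comparison


def crack_strong(stored: dict[str, tuple[bytes, bytes]], words: list[str]) -> dict[str, str]:
    """Same attack against salted records: no shared table is possible and
    every (user, word) pair costs a full PBKDF2 run.  Dictionary words still
    fall eventually; only passwords outside the dictionary survive."""
    return {u: w for u, rec in stored.items() for w in words if verify(w, rec)}


def meets_policy(password: str, words: list[str] = DICTIONARY) -> bool:
    """Mixed case, at least one non-alphanumeric character, not a dictionary word."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalnum() for c in password)
            and password.lower() not in words)


# Constructed accounts: alice chose a dictionary word, bob did not.
PASSWORDS = {"alice": "sunshine", "bob": "Gr.Noida-2015!"}
WEAK_DB = {u: weak_hash(p) for u, p in PASSWORDS.items()}
STRONG_DB = {u: make_record(p) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_weak(WEAK_DB, DICTIONARY))
    print("salted PBKDF2 cracked:", crack_strong(STRONG_DB, DICTIONARY))
    for u, p in PASSWORDS.items():
        print(u, "meets policy:", meets_policy(p))
```

Both attacks recover alice's password: salting and a slow hash raise the cost per guess and defeat precomputed tables, but they cannot rescue a password that is itself in the dictionary. That is why the policy check and the one-time-password or token schemes in item 3 matter as much as the storage format.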
Client-server security threats can be divided into two major categories:
• Threats to clients
• Threats to servers
Threats to clients:
Client threats mostly arise from malicious data or code. Malicious code refers to viruses, worms, Trojan horses and other deviant code.
Virus: A virus is a code segment that replicates by attaching copies of itself to existing executables (EXE files). The new copy of the virus is executed when a user runs the host program; some viruses display a text string, others delete all files on the hard disk on a specified date.
Trojan Horse: A program that performs a desired task but also performs unexpected functions, for example an editing program on a multi-user system that has been modified to randomly delete one of the user's files, or to create new files or edit existing files or programs. Trojan horse examples include BackOrifice, VBS/Freelink and Backdoor G.
Worm: A self-replicating program that is self-contained and does not need any host program to execute. Clients must scan for malicious data and executable program fragments that are transferred from the server to the client. Worm examples include VBS/Loveletter and Happy99.
Threats to servers:
Threats to servers consist of:
• Unauthorized modification of source data
• Unauthorized eavesdropping
• Denial of service
• Modification of incoming data packets

Eavesdropping: Hackers can use electronic eavesdropping to capture user names and unencrypted passwords sent over the network. It is difficult to detect that someone is eavesdropping; encryption prevents an eavesdropper from reading data travelling over an unsecured network.

Denial of Service:
In this type of threat, a user renders the system unusable for legitimate users by "hogging" a resource or destroying the resource so that it cannot be used. The two most common types of these attacks are:
1) Service overloading 2) Message overloading

Service Overloading: One can easily overload a web server by writing a small loop that continually sends requests for a particular file, for example the home page.
Message Overloading: Occurs when someone sends a very large file to a mailbox every few minutes. The mailbox rapidly grows in size, begins to occupy all the space on the disk and increases the number of receiving processes on the recipient's machine, eventually filling the disk.
Packet Replay: Refers to the recording and retransmission of message packets on the network. An attacker can replay a legitimate authentication sequence to gain access to a secure system. The defence is a sequence counter: when a security association is established between sender and receiver, both counters start at zero; the first packet sent carries sequence number 1, the next 2, and so on, and the receiver verifies that each number is not that of a previously received packet. When a replayed packet is detected, the receiver returns an error message, discards the replayed packet and logs the event, including in the log entry the date and time the error occurred, the source address, the destination address and the sequence number.
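The receiver-side check just described, as an added example for these lecture notes (not code from the course): sequence numbers start at 1, a replayed number is rejected, and the rejection is logged with time, source, destination and sequence number. It goes one step beyond the notes by tolerating a small reordering window, as IPsec's anti-replay service does, instead of demanding strictly increasing numbers. The packet layout, the log fields and the traffic below are constructed for illustration.

```python
"""Anti-replay check for one security association: accept each sequence
number at most once, allow late (reordered) packets inside a window, and log
every rejected packet.  Added example; Packet layout and sample traffic are
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Packet:
    src: str
    dst: str
    seq: int
    payload: bytes


@dataclass
class ReplayDetector:
    window: int = 64                  # how far behind `highest` a late packet may be
    highest: int = 0                  # largest sequence number accepted so far
    seen: set[int] = field(default_factory=set)   # accepted numbers inside the window
    log: list[dict] = field(default_factory=list)

    def _log(self, pkt: Packet, reason: str) -> None:
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": pkt.src, "dst": pkt.dst, "seq": pkt.seq, "reason": reason,
        })

    def accept(self, pkt: Packet) -> bool:
        """Return True and record the packet, or False after logging why not."""
        if pkt.seq <= 0:                             # numbering starts at 1
            self._log(pkt, "invalid sequence number")
            return False
        if pkt.seq > self.highest:                   # new high-water mark: slide window
            self.highest = pkt.seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
            self.seen.add(pkt.seq)
            return True
        if pkt.seq <= self.highest - self.window:    # too old to tell from a replay
            self._log(pkt, "sequence number outside window")
            return False
        if pkt.seq in self.seen:                     # the replay case from the notes
            self._log(pkt, "replayed packet discarded")
            return False
        self.seen.add(pkt.seq)                       # late but genuine (reordered)
        return True


def run_constructed_traffic() -> tuple[list[int], list[dict]]:
    """Feed a constructed stream containing one reordered packet and one
    replayed authentication packet; return accepted seqs and the error log."""
    det = ReplayDetector(window=8)
    stream = [
        Packet("10.0.0.5", "10.0.0.9", 1, b"AUTH user=alice"),
        Packet("10.0.0.5", "10.0.0.9", 2, b"data"),
        Packet("10.0.0.5", "10.0.0.9", 4, b"data"),             # 3 is delayed
        Packet("10.0.0.5", "10.0.0.9", 3, b"data"),             # reordered, genuine
        Packet("10.0.0.66", "10.0.0.9", 1, b"AUTH user=alice"),  # attacker replays
        Packet("10.0.0.5", "10.0.0.9", 5, b"data"),
    ]
    accepted = [p.seq for p in stream if det.accept(p)]
    return accepted, det.log


if __name__ == "__main__":
    accepted, log = run_constructed_traffic()
    print("accepted:", accepted)
    for entry in log:
        print("rejected:", entry)
```

The counter only works if the attacker cannot forge a fresh sequence number, so in real protocols the number is covered by the packet's integrity check (a MAC or signature); the window here protects against reordering, not against tampering.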
Packet Modification: An integrity threat that involves modifying or destroying a message packet in transit. In many cases the packet information is not only modified but its contents are destroyed before legitimate users can see them.
IP Spoofing: IP spoofing is a technique in which an attacker tries to gain unauthorized access by using a false source address, to make it appear as though the communication originated in a part of the network with high privileges. IP spoofing is one of the most common forms of online camouflage: the message appears to come from a trusted machine or party because the attacker has "spoofed" the Internet Protocol (IP) address of that machine. The points to examine about IP spoofing are how it is possible, how it works, what it is used for, and how to protect against it.

Encryption is the important technique for data and messaging security:
Encryption is a cryptography technology to scramble (encrypted) the data with a key so that
no one can make sense of it while it’s being transmitted. When data reaches its destination,
the information is unscramble (decrypted) using same or different key. Let consider
following term that is use to understand the concept of encryption.
Cryptography: The terms used commonly in a cryptography system are as follows:
Intruder: Intruder is a person who is not authorized to access the information or the
network.
Plain Text: Intelligible message that is to be converted into unintelligible message
(Encrypted message).
Cipher Text: Message in an encrypted form.
Example:
Plain Text   Encrypt Algorithm          Cipher Text   Decrypt Algorithm          Plain Text
Goods        Next two letters (+2)      Iqqfu         Previous two letters (-2)  Goods
Sales        Previous one letter (-1)   rzkdr         Next one letter (+1)       Sales
Encryption: The technique of converting plain text into cipher text.
Decryption: The technique of converting cipher text back into plain text.
Algorithm: A cryptographic algorithm is the mathematical function used to encrypt and decrypt.
Key: A string of digits (or bits) that the algorithm combines with the message; in the example above the key is the number of positions by which each letter is shifted.
There are two types of cryptography, or methods of encryption:
•Secret Key (Private Key or Symmetric Key) Cryptography
•Public Key (Asymmetric Key) Cryptography
Secret Key Cryptography: In this scheme, both the sender and the recipient
possess the same key, which is used both to encrypt and to decrypt the data.
[Figure: Original Message -> Encrypt with Secret Key -> Encrypted Message -> Internet -> Encrypted Message -> Decrypt with Secret Key -> Original Message]
Public Key Cryptography
This scheme operates with a double key, called a key pair: one key of the pair is used to
encrypt the message and only the other key of the pair can decrypt it. The pair can be
viewed as two parts. One part, called the private key, is known only to its owner; the
other part, called the public key, is published widely but is still associated with the
owner. The public key is used to decrypt information at the receiver and is not kept secret;
the private key is used by the owner to encrypt information and is therefore kept secret.
One advantage of public key cryptography is that no one can derive the private key from the
corresponding public key. The need for sender and receiver to share secret information over
public channels is completely eliminated: all transactions involve only public keys, and no
private key is ever transmitted or shared over the network. Public key cryptography can also
be used for sender authentication, in the form of digital signatures.
An example of public key cryptography is RSA.
[Figure: Original Message (Plain Text) -> Encrypt with Public Key of receiver -> Encrypted Message (Cipher Text) -> Internet -> Encrypted Message (Cipher Text) -> Decrypt with Private Key of receiver -> Original Message (Plain Text)]
Encryption and Decryption
•Data encrypted with the public key can only be decrypted with the private key.
•Data encrypted with the private key can only be decrypted with the public key.
Strong points of this scheme
The key pair can be used in two different ways:
1. Message confidentiality can be ensured: The sender uses the recipient's public key
to encrypt a message, so that only the holder of the private key can decrypt it, no one else.
2. Authenticity of the message originator can be proved: The sender uses his private
key to encrypt a message; since only the sender has access to that private key, anyone
who decrypts the message with the sender's public key knows who produced it.
3. Easy distribution: The public key of the pair can be distributed freely.
Firewalls:
The term firewall refers to the practice of placing a device (a computer or a router)
between the local network and the Internet to control and monitor all traffic between
the outside world and the local network. In other words, a firewall is a barrier
between a public network (the Internet) and a private or trusted network.
•A firewall system is usually located at a gateway point, such as a site's
connection to the Internet.
•A firewall is simply a barrier between two networks: in most cases an internal
network, often called the trusted network, and an external network, called the
untrusted network.
Firewalls examine incoming and outgoing packets according to a set of policies
defined by the administrator and either let them through or block them.
Firewall Policy: There are two basic design policies for a firewall.
•Permissive Approach
•Restrictive Approach
Permissive Approach: Allows all services to pass through the site by default, with
the exception of those services that the network service access policy has
designated as disallowed.
Restrictive Approach: A firewall that implements the second policy denies all services
by default, but allows those services that have been designated or identified as allowed.
•The first policy is less desirable, because it offers more avenues for getting around
the firewall.
•The second policy follows the classic access model used in all areas of information
security.
•Certain services, such as FTP, Archie and RPC, are difficult to filter; for this
reason they may be better served by a firewall that implements the first policy,
the permissive approach.
•The second policy is stronger and safer, but it is more restrictive for users.
Nature of Firewall: There are two types of firewalls
•Static Firewall
•Dynamic Firewall
Static Firewall: Static firewalls are generally pre-configured, and they allow or deny
access from the outside world by default. Under a default-allow policy inbound traffic is
allowed, and only the specified users are denied access to the enterprise network. Under
a default-deny policy, only the specific users who present their authentication are
permitted to access the network.
Dynamic Firewall: A dynamic firewall applies its allow and deny policy at the
network on a time basis.
•Some services on the network may be allowed and others denied for a specific
time interval.
•The configuration of such a firewall is slightly more complex.
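The permissive and restrictive design policies, and the time-based rules of a dynamic firewall, modelled as a small policy engine. This is an added example, not a real firewall's configuration syntax; the service names, hours and rule lists are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Policy = a default action plus an ordered rule list; the first matching rule
# wins and the default decides when nothing matches. A rule with a time window
# models the dynamic firewall that allows a service only at certain hours.

@dataclass(frozen=True)
class Rule:
    service: str
    action: str                    # "allow" or "deny"
    start: Optional[time] = None   # window in which the rule is in force;
    end: Optional[time] = None     # both None = static rule, always in force

    def in_force(self, at: time) -> bool:
        if self.start is None or self.end is None:
            return True
        if self.start <= self.end:
            return self.start <= at < self.end
        return at >= self.start or at < self.end  # window crossing midnight

class Firewall:
    def __init__(self, default: str, rules):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.default = default
        self.rules = list(rules)

    def decide(self, service: str, at: time) -> str:
        for rule in self.rules:
            if rule.service == service and rule.in_force(at):
                return rule.action
        return self.default  # no rule matched: the design policy decides

# Permissive approach: default allow, only the listed services are blocked.
PERMISSIVE = Firewall("allow", [Rule("telnet", "deny")])

# Restrictive approach: default deny, only the listed services pass. FTP and
# the backup service are dynamic rules in force only in a time window
# (office hours, and an overnight window that crosses midnight).
RESTRICTIVE = Firewall("deny", [
    Rule("http", "allow"),
    Rule("smtp", "allow"),
    Rule("ftp", "allow", time(9, 0), time(18, 0)),
    Rule("backup", "allow", time(22, 0), time(2, 0)),
])

def compare(service: str, hour: int, minute: int = 0):
    """Decision of both firewalls for one service at one time of day."""
    at = time(hour, minute)
    return PERMISSIVE.decide(service, at), RESTRICTIVE.decide(service, at)

if __name__ == "__main__":
    # An unlisted, hard-to-filter service (RPC) slips through the permissive
    # firewall but is stopped by the restrictive one; FTP is allowed only by day.
    for svc, hour in [("http", 10), ("rpc", 10), ("ftp", 10), ("ftp", 22)]:
        print(f"{svc:6} at {hour:02d}:00 -> permissive/restrictive = {compare(svc, hour)}")
```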

Limitations of Firewalls:
•A firewall cannot protect against attacks that do not go through it.
•Firewalls do not protect against threats emanating from internal users, i.e., those who are
part of the trusted network.
•A firewall is concerned with monitoring traffic and permitting only authenticated and
legitimate traffic to flow. It does not concern itself with integrity issues related to applications
and data.
•Firewalls are concerned with the controlled flow of data traffic and do not provide
confidentiality of data. However, application proxies on the firewall machine can provide
encryption and decryption of all the data passing through, as the firewall becomes a single access
point to the application.
•A firewall cannot protect very well against viruses. In general, a firewall cannot protect
against a data-driven attack, in which something is mailed or copied to an internal
host and then executed there.
Importance of Firewalls:
•You can monitor incoming and outgoing security alerts, and the firewall company will
record and track down an intrusion attempt depending on its severity.
•Some firewalls can be tested for effectiveness using products that test for leaks or probe
for open ports.
•Some firewalls, but not all, can delete viruses, worms, Trojan horses or data collectors.
•A firewall can also be used to prevent employees from accessing games, newsgroups or audit
sites on the WWW.
In e-commerce business transactions, digital signatures are used for authentication.
The authentication relates to legal, financial and other document-related issues.
•A digital signature is just like a handwritten signature: it establishes the presence
or absence of authentication.
The digital signature consists of two parts:
•Signature in the document: signer authentication
•Document authentication
Signer Authentication: A signature should indicate who signed a document, message
or record, and should be difficult for another person to produce without authorization.
Document Authentication: A signature should identify what is signed.
•The sender cannot remove the content of a message after signing it.
•The receiver cannot make any change to the message.
Cyber Law
IT ACT 2000
The Information Technology Act, 2000 received the assent of the President of India
on 9 June 2000 and came into force on 17 October of the same year. The Act was
enacted to provide legal recognition for transactions carried out by means of electronic
data interchange and other means of electronic communication, commonly referred to as
"Electronic Commerce", and to facilitate electronic filing of documents with government
agencies, which involves the use of alternatives to paper-based methods of communication
and storage of information. This law applies to any kind of information in the form of a
data message used in the context of commercial activities.
Objectives
•To grant legal recognition to transactions carried out by means of electronic data
interchange and other means of electronic communication;
•To give legal recognition to digital signatures / electronic signatures for the
authentication of any information or matter which requires authentication under any law;
•To facilitate electronic filing of documents with Government departments;
•To facilitate electronic storage of data;
•To facilitate and give legal sanction to electronic fund transfer between banks and
financial institutions;
•To give legal recognition to the keeping of books of account by bankers in electronic form.
The Act does not apply to:
1. a negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881;
2. a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;
3. a trust as defined in section 3 of the Indian Trusts Act, 1882;
4. a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925,
including any other testamentary disposition by whatever name called;
5. any contract for the sale or conveyance of immovable property or any interest in such property;
6. any such class of documents or transactions as may be notified by the Central
Government in the Official Gazette.
Amendment Act 2008
Being the first legislation in the nation on technology, computers, e-commerce and
e-communication, the Act was the subject of extensive debates, elaborate reviews and
detailed criticisms, with one arm of the industry criticizing some sections of the Act
as draconian and another stating that it was too diluted and lenient. There were some
conspicuous omissions too, which resulted in investigators relying more and more on the
time-tested (one-and-a-half-century-old) Indian Penal Code even in technology-based
cases, with the I.T. Act also being referred to in the process but the reliance placed
more on the IPC than on the ITA. Thus the need for a detailed amendment to the I.T. Act
was felt almost from the year 2003-04 itself. Major industry bodies were consulted, and
advisory groups were formed to go into the perceived lacunae in the I.T. Act, compare it
with similar legislation in other nations and suggest recommendations.
These recommendations were analyzed and subsequently taken up as a comprehensive
Amendment Act. After considerable administrative procedures, the consolidated amendment,
called the Information Technology Amendment Act 2008, was placed in Parliament and passed
without much debate towards the end of 2008 (by which time the Mumbai terrorist attack of
26 November 2008 had taken place). This Amendment Act received the President's assent on
5 February 2009 and was made effective from 27 October 2009.
Some of the notable features of the ITAA are as follows:
•Focusing on data privacy
•Focusing on information security
•Defining cyber café
•Making digital signature technology neutral
•Defining reasonable security practices to be followed by corporates
•Redefining the role of intermediaries
•Recognizing the role of the Indian Computer Emergency Response Team
•Inclusion of some additional cyber crimes such as child pornography and cyber terrorism
•Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)
DIGITAL SIGNATURE
A digital signature is an electronic scheme for demonstrating the authenticity of a
digital message or document. A valid digital signature gives the recipient reason to
believe that the message was created by a known sender and that it was not altered in
transit. Digital signatures are commonly used for software distribution, financial
transactions, and in other cases where it is important to detect imitation or tampering.
Authentication of Digital Signature
A digital signature shall:
•be created and verified by cryptography, which concerns itself with transforming
electronic records;
•use "Public Key Cryptography", which employs an algorithm using two different
mathematical "keys": one for creating a digital signature (transforming the record)
and another for verifying the signature (returning the electronic record to its
original form). A hash function shall be used to create this signature. Software
utilizing such keys is termed "asymmetric cryptography" [Rule 3 of IT Rules, 2000].
Digital signatures can be used to authenticate the source of messages. When ownership
of a digital signature secret key is bound to a specific user, a valid signature shows
that the message was sent by that user. The importance of high confidence in sender
authenticity is obvious in a financial context.
For example, suppose a bank's branch office sends instructions to the central office
requesting a change in the balance of an account. If the central office is not
convinced that such a message was truly sent from an authorized source, acting on the
request could be a grave mistake.
Verification of Digital Signature
Verification means determining whether:
•the initial record was affixed with the digital signature by using the "keys" of
the subscriber;
•the original record has been retained intact or has been altered since the
electronic record was bound with the digital signature [Sec. 2(1)(zh)].
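A worked example of the two uses of a key pair described in the "Encryption and Decryption" slides above and of the signature creation and verification just listed: a hash of the record is transformed with the private key, and the public key either returns the same hash (record intact, keys match) or does not (record altered, or signed with another subscriber's key). This is added example code, not the Act's or the Rules' prescribed implementation; the RSA parameters are toy-sized and generated from fixed seeds so that the example runs offline.

```python
import hashlib
import math

# Toy RSA written for this example. Key sizes and the way the hash is fitted to
# the modulus are simplified; the operations are the ones the text describes:
# the private key creates the signature, the public key verifies it.

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin test; deterministic with these bases for n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n: int) -> int:
    """Smallest odd prime >= n."""
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n

def generate_keypair(p_seed: int, q_seed: int, e: int = 65537):
    """Return ((e, n), (d, n)): the public and private halves of one key pair."""
    p, q = next_prime(p_seed), next_prime(q_seed)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:  # e must be invertible mod phi
        q = next_prime(q + 2)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))           # private exponent
    return (e, n), (d, n)

def rsa_transform(key, value: int) -> int:
    """One modular exponentiation: the same operation serves both directions."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)

# Confidentiality: encrypt with the receiver's public key, decrypt with its private key.
def encrypt(public_key, plaintext: bytes) -> int:
    return rsa_transform(public_key, int.from_bytes(plaintext, "big"))

def decrypt(private_key, ciphertext: int) -> bytes:
    m = rsa_transform(private_key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Authenticity: hash the record, transform the hash with the signer's private
# key, and let anyone check the result with the signer's public key.
def record_hash(record: bytes, n: int) -> int:
    digest = hashlib.sha256(record).digest()
    # The toy modulus is only ~127 bits, so just the leading 15 bytes of the
    # digest are signed here; real schemes (RSA-PSS, PKCS#1) pad the full digest.
    return int.from_bytes(digest[:15], "big") % n

def sign(private_key, record: bytes) -> int:
    return rsa_transform(private_key, record_hash(record, private_key[1]))

def verify(public_key, record: bytes, signature: int) -> bool:
    """True only if the signature was made with the matching private key over
    exactly this record (the two checks the verification section lists)."""
    return rsa_transform(public_key, signature) == record_hash(record, public_key[1])

if __name__ == "__main__":
    pub, priv = generate_keypair(2**63, 2**64)  # fixed seeds: constructed, not secret
    print("decrypted:", decrypt(priv, encrypt(pub, b"PAY 100")))
    instruction = b"credit account 4711 with 100"
    s = sign(priv, instruction)
    print("genuine record verifies:", verify(pub, instruction, s))
    print("altered record verifies:", verify(pub, b"credit account 4711 with 900", s))
```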
DIGITAL SIGNATURE CERTIFICATE
A digital signature certificate is an electronic document which uses a digital
signature to bind an identity (information such as the name of a person or an
organization, their address, and so forth) to the certificate. The certificate can be
used to verify that it belongs to an individual. Any person can make an application to
the Certifying Authority for the issue of a digital certificate. The Authority charges
fees (as prescribed by the Central Government) for the issue of a "digital signature
certificate".
Generation of Digital Certificate
The generation of a digital signature certificate shall involve:
•receipt of an approved and verified certificate request;
•creating a new digital signature certificate;
•a distinguished name associated with the digital certificate owner;
•a recognized and relevant policy as defined in the certification practice
statement [Rule 24 of the IT Rules].
Compromise of Digital Certificate
A digital signature certificate shall be deemed to be compromised where the integrity of:
•the key associated with the certificate is in doubt;
•the certificate owner is in doubt, as to the attempted use of his key pair, or
otherwise for malicious or unlawful purposes.
The digital certificate shall remain in the compromised state only for such time as it
takes to arrange for revocation.
Expiry of Digital Signature Certificate
A digital signature certificate shall be issued with a designated expiry date. It will
expire automatically, and on expiry it shall not be re-used. The period for which a
digital certificate has been issued shall not be extended, but a new digital signature
certificate may be issued after the expiry of that period [Rule 26 of IT Act, 2000].
Cyber Crime and Cyber Law
What is a cyber crime?
Cyber crime is a generic term that refers to all criminal activities carried out using
the medium of computers, the Internet, cyber space and the World Wide Web. There is no
fixed definition of cyber crime. Indian law has not given any definition of the term
'cyber crime'. In fact, the Indian Penal Code does not use the term 'cyber crime' at any
point, even after its amendment by the Information Technology (Amendment) Act 2008, the
Indian cyber law. "Cyber Security", however, is defined under Section (2)(b) as protecting
information, equipment, devices, computers, computer resources, communication devices and
the information stored therein from unauthorized access, use, disclosure, disruption,
modification or destruction.
United Nations' Definition of Cybercrime
At the Tenth United Nations Congress on the Prevention of Crime and Treatment of
Offenders, in a workshop devoted to the issues of crimes related to computer networks,
cyber crime was broken into two categories and defined thus:
a. Cybercrime in a narrow sense (computer crime): Any illegal behavior directed by means
of electronic operations that targets the security of computer systems and the data
processed by them.
b. Cybercrime in a broader sense (computer-related crime): Any illegal behavior committed
by means of, or in relation to, a computer system or network, including such crimes as
illegal possession [and] offering or distributing information by means of a computer
system or network.
What is Cyber Law?
Cyber law is a term used to describe the legal issues related to the use of
communications technology, particularly "cyberspace", i.e. the Internet. It is less a
distinct field of law in the way that property or contract law are, and more an
intersection of many legal fields, including intellectual property, privacy, freedom of
expression and jurisdiction. In essence, cyber law is an attempt to apply laws designed
for the physical world to human activity on the Internet. In India, the IT Act, 2000, as
amended by the IT (Amendment) Act, 2008, is known as the Cyber law. It has a separate
chapter XI entitled "Offences", in which various cyber crimes have been declared penal
offences punishable with imprisonment and fine.
OFFENCES, COMPENSATION AND PENALTIES
1. Penalty and compensation for damage to computer, computer system etc.: If any person,
without the permission of the owner or of any other person who is in charge of a computer,
computer system or computer network:
a. accesses or secures access to such computer, computer system, computer network or
computer resource;
b. downloads, copies or extracts any data, computer database or information from such
computer, computer system or computer network, including information or data held or
stored in any removable storage medium;
c. introduces or causes to be introduced any computer contaminant or computer virus
into any computer, computer system or computer network;
d. damages or causes to be damaged any computer, computer system or computer network,
data, computer database or any other programmes residing in such computer, computer
system or computer network;
e. disrupts or causes disruption of any computer, computer system or computer network;
f. denies or causes the denial of access to any person authorized to access any
computer, computer system or computer network by any means;
g. provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of the Act, rules or
regulations made thereunder;
h. charges the services availed of by a person to the account of any other person by
tampering with or manipulating any computer, computer system or computer network;
i. destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means;
j. steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy
or alter, any computer source code used for a computer resource with an intention to
cause damage,
he shall be liable to pay damages by way of compensation to the person so affected.
2. Compensation for failure to protect data [Sec. 43-A]: Where a body corporate,
possessing, dealing with or handling any sensitive personal data or information in a
computer resource which it owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby causes wrongful loss
or wrongful gain to any person, such body corporate shall be liable to pay damages by way
of compensation to the person so affected.
3. Penalty for failure to furnish information, returns etc. [Sec. 44]: If any person who
is required to
a. furnish any document, return or report to the Controller or the Certifying Authority
fails to furnish the same, he shall be liable to a penalty not exceeding rupees one lakh
and fifty thousand for each such failure;
b. maintain books of account or records fails to maintain the same, he shall be liable
to a penalty not exceeding rupees ten thousand for every day during which the failure
continues.
4. Penalty for securing access to a protected system [Sec. 70]: The appropriate
Government may declare any computer resource which directly or indirectly affects the
facility of Critical Information Infrastructure to be a protected system and may, by
order in writing, authorize the persons who are to access the notified protected system.
Any person who secures access, or attempts to secure access, to such a protected system
without authorisation shall be punished with imprisonment for a term which may extend to
10 years and shall also be liable to fine. The Central Government has prescribed the
Information Technology (Security Procedure) Rules, 2004.
5. Tampering with computer source documents [Sec. 65]: Whoever knowingly or
intentionally conceals, destroys or alters any computer source code used for a computer,
computer programme or computer system, where that source code is required to be
maintained by law, shall be punishable with imprisonment up to three years, or with fine
which may extend up to rupees two lacs, or with both.
6. Punishment for sending offensive messages through a communication service, etc.
[Sec. 66-A]: Any person who sends, by means of a computer resource or a communication
device:
a. any information that is grossly offensive or has menacing character; or
b. any information which he knows to be false, but for the purpose of causing annoyance,
inconvenience, danger, obstruction, insult, injury, criminal intimidation or hatred,
persistently by making use of such computer resource or communication device; or
c. any electronic mail or electronic mail message for the purpose of causing annoyance
or inconvenience, or to deceive or mislead the addressee or recipient about the origin
of such message,
shall be punishable with imprisonment for a term which may extend to three years and
with fine.
7. PUNISHMENT FOR VIOLATION OF PRIVACY
Whoever intentionally or knowingly captures, publishes or transmits the image of a
private area of any person without his or her consent, under circumstances violating the
privacy of that person, shall be punished with imprisonment of at least three years, or
with a fine not exceeding Rs 2 lakh, or with both.
PUNISHMENT FOR CYBER TERRORISM
An offence of cyber terrorism is committed when whoever:
(a) with intent to threaten the unity, integrity, security or sovereignty of India, or
to strike terror in the people:
(1) denies or causes the denial of access to any person authorised to access a computer
resource; or
(2) attempts to penetrate or access a computer resource without authorisation or
exceeding authorised access; or
(b) knowingly or intentionally penetrates or accesses a computer resource without
authorisation or exceeding authorised access, and by means of such conduct obtains
access to information, data or a computer database that is restricted for reasons of
the security of the State or foreign relations, or any restricted information, data or
computer database, with reason to believe that such information, data or computer
database so obtained may be used to cause injury to the interests of the sovereignty
and integrity of India.
Whoever commits cyber terrorism shall be punishable with imprisonment which may extend
to imprisonment for life.
PUNISHMENT FOR PUBLISHING OR TRANSMITTING MATERIAL CONTAINING A SEXUALLY EXPLICIT
ACT, ETC. IN ELECTRONIC FORM
Whoever publishes or transmits, or causes to be published or transmitted, in electronic
form any material which contains a sexually explicit act or conduct shall be punished on
first conviction with imprisonment of either description for a term which may extend to
five years and with fine which may extend to Rs 10 lakh, and in the event of a second or
subsequent conviction with imprisonment of either description for a term which may
extend to seven years and also with fine which may extend to Rs 10 lakh.
Typical Cyber Crime Cases
State of Tamil Nadu vs Suhas Katti
This case related to the posting of obscene, defamatory and annoying messages about a
divorced woman in a Yahoo message group. E-mails were also forwarded to the victim for
information by the accused, through a false e-mail account opened by him in the name of
the victim. The posting of the messages resulted in annoying phone calls to the lady, in
the belief that she was soliciting. Based on a complaint made by the victim in February
2004, the police traced the accused to Mumbai and arrested him within the next few days.
The accused was a known family friend of the victim and was reportedly interested in
marrying her. She, however, married another person. This marriage later ended in divorce,
and the accused started contacting her once again. On her reluctance to marry him, the
accused took up harassment through the Internet.
On 24-3-2004 a charge sheet was filed u/s 67 of the IT Act 2000 and sections 469 and 509
IPC before the Hon'ble Addl. CMM, Egmore, citing 18 witnesses and 34 documents and
material objects. The same was taken on file in C.C. No. 4680/2004. On the prosecution
side 12 witnesses were examined and all documents were marked as exhibits. The defence
argued that the offending mails could have been sent either by the ex-husband of the
complainant or by the complainant herself, to implicate the accused, as the accused was
alleged to have turned down the complainant's request to marry her. Further, the defence
counsel argued that some of the documentary evidence was not sustainable under Section
65B of the Indian Evidence Act. However, the court relied upon the expert witnesses and
the other evidence produced before it, including the testimony of the cyber cafe owners,
and came to the conclusion that the crime was conclusively proved.
The Ld. Additional Chief Metropolitan Magistrate, Egmore, delivered the judgement on
5-11-04 as follows:
"The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act 2000
and the accused is convicted and is sentenced for the offence to undergo RI for 2 years
under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to
undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67
of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/-. All sentences to
run concurrently."
The accused paid the fine amount and was lodged at Central Prison, Chennai. This is
considered the first case convicted under section 67 of the Information Technology Act
2000 in India.
Bazee.com case
The CEO of Bazee.com was arrested in December 2004 because a CD with objectionable
material was being sold on the website. The CD was also being sold in the markets in
Delhi. The Mumbai city police and the Delhi police got into action. The CEO was later
released on bail. This opened up the question of what kind of distinction should be drawn
between an Internet Service Provider and a Content Provider. The burden rests on the
accused to show that he was the Service Provider and not the Content Provider.
