SWL

The document discusses the installation processes of Windows and Linux operating systems. It provides step-by-step instructions on how to install Windows, including entering the BIOS, selecting the boot device, inserting the installation disc, and completing the setup. It also outlines the process for downloading and installing Linux Ubuntu, such as burning the ISO file, booting from the disc, exploring Ubuntu, installing it, and setting up wireless connectivity.

Uploaded by

Nitish
Department of CSE Chandigarh University

EXPERIMENT 1

Problem: Installation Process of Windows and Linux.


Objective: The objective of this experiment is to learn about the installation of different operating
systems like Windows, Linux and MacOS.

Windows Operating System:


Windows is a family of graphical operating systems developed, marketed, and sold by Microsoft. It
consists of several families of operating systems, each of which caters to a certain sector of the
computing industry, with the OS typically associated with the IBM PC compatible architecture.
Microsoft introduced an operating environment named Windows on November 20, 1985, as a
graphical operating system shell for MS-DOS in response to the growing interest in graphical
user interfaces (GUIs). Microsoft Windows came to dominate the world's personal computer
(PC) market with over 90% market share, overtaking Mac OS, which had been introduced in
1984.

Installation Process of Windows Operating System

1. Enter your computer's BIOS. Turn off the computer that you want to install Windows
on then turn it back on. When the BIOS screen appears or you are prompted to do so,
press Del, Esc, F2, F10, or F9 (depending on your computer’s motherboard) to
enter the system BIOS. The key to enter the BIOS is usually shown on the screen.
2. Find your BIOS's boot options menu. The boot options menu of your BIOS may vary
in location or name from the illustration, but you may eventually find it if you search
around.

• If you can't find the boot options menu, search the name of your BIOS (most
likely located in the BIOS menu) online for help.

3. Select the CD-ROM drive as the first boot device of your computer.
a. Although this method may vary among computers, the boot options menu is
typically a menu of movable device names where you should set your CD-ROM
drive as the first boot device. It can also be a list of devices whose boot
order you can set. Consult a manual or the internet for help if you're stuck.

15BCS1361 Ishav Saxena

4. Save the changes of the settings. Press the button indicated on the screen or select the
save option from the BIOS menu to save your configuration.
5. Shut off your computer. Either turn off the computer by choosing the shut-down
option in your current operating system, or hold the power button until the computer
powers off.
6. Power on the PC and then insert the Windows 7 disc into your CD/DVD drive.

7. Start your computer from the disc. After you have placed the disc into the disc drive,
start your computer. When the computer starts, press any key if you are asked whether
you would like to boot from the disc. After you choose to start from the disc, Windows
Setup will begin loading.
a. If you are not asked to boot from the disc, you may have done something
wrong. Retry the previous steps to solve the problem.

8. Choose your Windows Setup options. Once Windows Setup loads, you'll be presented
with a window. Select your preferred language, keyboard type, and time/currency
format, then click Next.
9. Click the Install Now button.
10. Accept the License Terms. Read over the Microsoft Software License Terms, check I
accept the license terms, and click Next.
11. Select the Custom installation.

12. Decide on which hard drive and partition you want to install Windows on. A hard
drive is a physical part of your computer that stores data, and partitions "divide" hard
drives into separate parts.
a. If the hard drive has data on it, delete the data off of it, or format it.
i. Select the hard drive from the list of hard drives.
ii. Click Drive options (advanced).
iii. Click Format from Drive options.
b. If your computer doesn't have any partitions yet, create one to install
Windows on it.
i. Select the hard drive from the list of hard drives.
ii. Click Drive options (advanced).
iii. Select New from Drive options.
iv. Select the size, and click OK.
13. Install Windows on your preferred hard drive and partition. Once you've decided on
where to install Windows, select it and click Next. Windows will begin installing.

Linux Operating System:

Linux is a Unix-like computer operating system assembled under the model of free and open-
source software development and distribution. The defining component of Linux is the Linux
kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. The
Free Software Foundation uses the name GNU/Linux to describe the operating system, which
has led to some controversy.

Linux was originally developed for personal computers based on the Intel x86 architecture, but
has since been ported to more platforms than any other operating system. Because of the
dominance of the Linux kernel-based Android OS on smartphones, Linux has the largest installed
base of all general-purpose operating systems.[19] Linux is also the leading operating system on
servers and other big iron systems such as mainframe computers, and is used on 99.6% of the
TOP500 supercomputers.

Installation Process of Linux Operating System


1. Download the Ubuntu ISO file. You can get the ISO file from the Ubuntu website. An
ISO file is a CD image file that will need to be burned before you can use it. There are
two options available from the Ubuntu website (you can also buy official Ubuntu CDs,
which come in packs of 10):

• 16.04 LTS has continuous updates and provides technical support. It is scheduled to be
supported until April 2021. This option will give you the most compatibility with your
existing hardware.
• Ubuntu builds (not yet released) 16.10, 17.04, and 17.10 will come with limited support.
They will have the newest features, though they may not work with all hardware. These
releases are geared more towards experienced Linux users.
• If you have a Windows 8 or 10 PC or a PC with UEFI firmware, download the 64-bit
version of Ubuntu. Most older machines should download the 32-bit version.

2. Burn the ISO file. Open up your burning program of choice. There are free and paid
programs available that can burn an ISO to a CD or DVD.

• Windows 7, 8, 10, and Mac OS X can all burn ISO files to a disc without having to
download a separate program.

3. Boot from the disc. Once you have finished burning the disc, restart your computer and
choose to boot from the disc. You may have to change your boot preferences by hitting
the Setup key while your computer is restarting. This is typically F12, F2, or Del.
4. Try Ubuntu before installing. Once you boot from the disc, you will be given the option
to try Ubuntu without installing it. The operating system will run from the disc, and you
will have a chance to explore the layout of the operating system.

• Open the Examples folder to see how Ubuntu handles files and to explore the operating
system.
• Once you are done exploring, open the Install file on the desktop.

5. Install Ubuntu. Your computer will need at least 4.5 GB of free space. You will want
more than this if you want to install programs and create files. If you are installing on a
laptop, make sure that it is connected to a power source, as installing can drain the battery
faster than normal.

• Check the “Download updates automatically” box, as well as the “Install this third-party
software” box. The third-party software will allow you to play MP3 files as well as watch
Flash video (such as YouTube).

6. Set up the wireless connection. If your computer is not connected to the internet via
Ethernet, you can configure your wireless connection in the next step.

• If you didn’t have an internet connection in the previous step, hit the Back button after
setting up the wireless connection so that you can enable automatic updates.

7. Choose what to do with your existing operating system. If you have Windows installed
on your system, you will be given a couple options on how you’d like to install Ubuntu.
You can either install it alongside your previous Windows installation, or you can replace
your Windows installation with Ubuntu.

• If you install it alongside your old version of Windows, you will be given the option to
choose your operating system each time you reboot your computer. Your Windows files
and programs will remain untouched.
• If you replace your installation of Windows with Ubuntu, all of your Windows files,
documents, and programs will be deleted.

8. Set your partition size. If you are installing Ubuntu alongside Windows, you can use the
slider to adjust how much space you would like to designate for Ubuntu. Remember that
Ubuntu will take up about 4.5 GB when it is installed, so be sure to leave some extra
space for programs and files. Once you are satisfied with your settings, click Install Now.
9. Choose your location. If you are connected to the internet, this should be done
automatically. Verify that the timezone displayed is correct, and then click the Continue
button.
10. Set your keyboard layout. You can choose from a list of options, or click the Detect
Keyboard Layout button to have Ubuntu automatically pick the correct option.
11. Enter your login information. Enter your name, the name of the computer (which will be
displayed on the network), choose a username, and come up with a password. You can
choose to have Ubuntu automatically log you in, or require your username and password
when it starts.
12. Wait for the installation process to complete. Once you choose your login info, the
installation will begin. During setup, various tips for using Ubuntu will be displayed on
the screen. Once it is finished, you will be prompted to restart the computer and Ubuntu
will load.

EXPERIMENT 2

Problem: Knowledge about the CA server, using certificates and SSL in Windows.

Goals:

1) Learn about default Certificate Authorities (CAs) for your browser.

2) Install and configure in-house CA server.

3) Learn how to configure a Web server to use SSL and SSL certificates.

4) Experiment with SSL for authentication via certificates.

Tools:

1) Windows XP Pro

2) Windows Server

3) Ethereal for analyzing captured session

Certification Authorities:

A certificate authority (CA) is a trusted third-party organization or company that issues digital
certificates used to create digital signatures and encryption keys. The role of the CA in this
process is to guarantee the identity of the party granted the certificate. Usually, this means that
the CA has an arrangement with a financial institution that provides information to validate the
grantee's identity.
To install digital certificates for secure messaging, you must select a CA from whom to obtain
the certificates. There are many CAs to choose from, and most of them do business on the
World Wide Web. Some of the best known are:
• Verisign, Inc.
• Entrust Technologies.
• Baltimore Technologies.
• Thawte.
There are also numerous lesser known CAs, which might be appropriate if they are well known
in a particular geographical region or industry. One of the systems participating in a secure
integration might even serve as CA for the other participants. Each CA provides a unique set of
security services and has its own way of handling digital certificates.

Before you implement secure messaging with PeopleSoft Integration Broker, investigate the
available CAs, select one or more from whom you will obtain digital certificates, and
familiarize yourself with their policies and procedures.
Certificate Authorities, or CAs, issue Digital Certificates. Digital
Certificates are verifiable small data files that contain identity credentials to help websites,
people, and devices represent their authentic online identity (authentic because the CA has
verified the identity). CAs play a critical role in how the Internet operates and how transparent,
trusted transactions can take place online. CAs issue millions of Digital Certificates each year,
and these certificates are used to protect information, encrypt billions of transactions, and enable
secure communication.

An SSL Certificate is a popular type of Digital Certificate that binds the ownership details of a
web server (and website) to cryptographic keys. These keys are used in the SSL/TLS protocol to
activate a secure session between a browser and the web server hosting the SSL Certificate. In
order for a browser to trust an SSL Certificate, and establish an SSL/TLS session without
security warnings, the SSL Certificate must contain the domain name of the website using it, be
issued by a trusted CA, and not have expired.

What goes into running a CA?

As a trust anchor for the Internet, CAs have significant responsibility. As such, running a CA
within the auditable requirements is a complex task. A CA’s infrastructure consists of
considerable operational elements, hardware, software, policy frameworks and practice
statements, auditing, security infrastructure and personnel. Collectively the elements are referred
to as a trusted PKI (Public Key Infrastructure).

Certificates come in many different formats to support not just SSL, but also authenticate people
and devices, and add legitimacy to code and documents. Visit the GlobalSign Products section for
more

The Problem with SSL Certificates


Years ago, certificate authorities used to verify a website’s identity before issuing a certificate.
The certificate authority would check that the business requesting the certificate was registered,
call the phone number, and verify that the business was a legitimate operation that matched the
website.

Eventually, certificate authorities began offering “domain-only” certificates. These were cheaper,
as it was less work for the certificate authority to quickly check that the requester owned a
specific domain (website).

Phishers eventually began taking advantage of this. A phisher could register the domain
paypall.com and purchase a domain-only certificate. When a user connected to paypall.com, the
user’s browser would display the standard lock icon, providing a false sense of security.
Browsers didn’t display the difference between a domain-only certificate and a certificate that
involved more extensive verification of the website’s identity.

Public trust in certificate authorities to verify websites has fallen – this is just one example of
certificate authorities failing to do their due diligence. In 2011, the Electronic Frontier .

How to install an SSL certificate on a Linux server using Plesk.

Plesk is a web hosting platform that has a very simple configuration. This simple configuration helps
web hosting providers to manage a lot of virtual hosts easily on a single server. Ever
since its inception, Plesk has been a preferred choice for web hosting
companies.

1. First, log into the Plesk control panel.

2. Then, select Domain.

3. Choose the domain to be updated.

4. In the next step, click on the ‘Add New Certificate’ icon.

5. Save the certificate name in the ‘Certificate Name’ box.

One would have the certificate and key files saved on the local computer. These certificate and
key files are provided by the certificate authority and are important for the installation.

6. The next step is to find these files. Open them in Notepad or a similar text editor
from which one can copy the text.

7. Copy the entire text of the files.

8. Paste them in the correct boxes. Reading through the content and the box name in Plesk will
give one an idea where to paste it.

9. Next, click on the ‘Send Text’ button.

10. Go to the ‘Hosting Section’. It is on the domain screen.

11. Click ‘Set-up’ from this section. A drop down list will follow.

12. The next step is to click on the ‘new certificate’ from the drop down list.

13. Click ‘Ok’ to finish.

How to install SSL Certificate on Linux servers that do not have Plesk.

1. The first and foremost step is to upload the certificate and key files. One can upload
the files to the server using S/FTP.

2. Login to Server. It is important to log in via SSH. Logging in via SSH will help the user to
become the root user.

3. Give Root Password.

4. Locate the directory /etc/httpd/conf/ssl.crt. Move the certificate file here.

5. Next, move the key file to /etc/httpd/conf/ssl.crt as well.

It is important to ensure the security of the files that have been moved. One can keep the files
secure by restricting permissions. Using ‘chmod 0400’ restricts access to the key so that only
its owner can read it.

6. Next, go to /etc/httpd/conf.d/ssl.conf. Here the user will find the Virtual Host configuration set up
for the domain.

7. Edit Virtual Host Configuration.

8. Restart Apache.
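
A pre-restart check for steps 4 to 8 above, added here as an example and not part of the original manual: it reads the certificate and key paths from ssl.conf and confirms the key is closed to group and others, which is what chmod 0400 ensures. SSLCertificateFile and SSLCertificateKeyFile are the standard mod_ssl directives; the function names, file names and temp directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: checks to run before restarting Apache after installing a
# certificate and key. Demo files are constructed placeholders.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Path argument of a mod_ssl directive: first uncommented occurrence.
# $1 = directive name (case-insensitive), $2 = config file.
ssl_directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) {
        gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Succeeds only if group and others have no access to the key file.
key_is_private() {
    case "$(file_mode "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeeds if certificate ($1) and private key ($2) hold the same public key.
# Needs real PEM files and the openssl CLI.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if certificate ($1) stays valid for at least $2 more days.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Audit one config file: prints one finding per line and returns the number
# of problems (0 = these checks found nothing blocking a restart).
audit_ssl_conf() {
    conf=$1; problems=0
    cert=$(ssl_directive SSLCertificateFile "$conf")
    key=$(ssl_directive SSLCertificateKeyFile "$conf")

    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        echo "FAIL certificate missing: ${cert:-<no SSLCertificateFile>}"
        problems=$((problems + 1))
    fi
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL key missing: ${key:-<no SSLCertificateKeyFile>}"
        problems=$((problems + 1))
    elif ! key_is_private "$key"; then
        echo "FAIL key mode $(file_mode "$key") on $key: run chmod 0400"
        problems=$((problems + 1))
    else
        echo "OK   key mode $(file_mode "$key") on $key"
    fi
    return "$problems"
}

# Demo on constructed placeholder files (not real PEM, so the two openssl
# helpers above are not exercised here).
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/server.crt"; : > "$d/server.key"
    chmod 0644 "$d/server.key"
    cat > "$d/ssl.conf" <<EOF
<VirtualHost _default_:443>
    SSLEngine on
    #SSLCertificateKeyFile /old/path/ignored.key
    SSLCertificateFile "$d/server.crt"
    SSLCertificateKeyFile "$d/server.key"
</VirtualHost>
EOF
    audit_ssl_conf "$d/ssl.conf"; before=$?
    chmod 0400 "$d/server.key"
    audit_ssl_conf "$d/ssl.conf"; after=$?
    rm -rf "$d"
    echo "problems before chmod: $before, after: $after"
}
demo
```

With a real certificate and key in place, `key_matches_cert` and `cert_not_expiring` cover a mismatched pair and an expired certificate, either of which breaks HTTPS for the site even when Apache restarts cleanly.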

EXPERIMENT 3

Problem: Familiarization with the VI editor.

Linux offers various editors such as ex, sed, ed, vi, etc. to create and edit your files (data files,
text files, etc.). The famous one is the vi editor, created by Bill Joy at the University of California at Berkeley.

Starting Vi Editor:- This editor can be invoked by typing vi filename at the prompt. If you specify
a filename as an argument to vi, then vi will edit the specified file, if it exists.

vi <filename>

A status line at the bottom of the screen (25th line) shows the filename, current line & character
position in the edited file.

vi +<line no> <file name>

VI Modes:- The editor works on 3 modes as follows:-

a) Insert Mode:-

(1) The text should be entered in this mode and any key pressed is treated as text.

(2) We can enter this mode from command mode by pressing any of the
keys i or I.

b) Command Mode:-

(1) It is the default mode when we start up the vi editor.

(2) All the commands in the vi editor should be used in this mode.

(3) We can enter this mode from insert mode by pressing the [Esc] key and from
Ex mode by pressing Enter.

c) Ex Mode:-

(1) The ex mode commands are entered at the last line of the screen.

(2) We can enter into this mode directly from input mode or vice-versa.

The following are some commands that are used:

Insert Command:-

(1) i :-Insert before cursor.

(2) I :-Insert at the end of current line.

(3) a :-Append after cursor.

(4) A:- Append at the end of the current line.

(5) o :-Insert a blank line below the current line.

(6) O :-Insert a blank line above the current line.

Delete Command:-

(1) x:-Delete the character at current position.

(2) <n>x (n is any no.) :-Delete the specified no. of characters from the current position.

(3) X:-Delete the character before the cursor.

(4) <n>X:-Delete the specified no. of characters before the cursor.

(5) dw:- Delete from cursor position to the end of the current word. It stops at any
punctuation that appears within the word.

(6) dW :-Same as ‘dw’ but ignores the punctuation characters.

(7) db :- Deletes from cursor position to the beginning of the current word. It stops at any
punctuation that appears within the word.

(8) dB :-Same as ‘db’ but ignores punctuation.

(9) dd :-Deletes the current line.

Replace Commands:-

(1) r:-Replace single character at the cursor position.

(2) R:-Replace character until escape key is pressed from current cursor position.

(3) s :-Replace the single character at the cursor position with any no. of characters.

(4) S:- Replace the entire line.

Cursor Movement Commands:-

(1) h :-Moves cursor to the left.

(2) l :-Moves cursor to the right

(3) k :-Moves cursor up.

(4) j :-Moves cursor down.

(5) w :-Forward to the first letter of the next word but stops at any punctuation that appears
with the word.

(6) b :-Backward to the first letter of the previous word but stops at any punctuation that appears
with the word.

(7) e :-Moves forward to the end of the current word but stops at any punctuation that
appears with the word.

(8) W :-same as w but ignores punctuations.

(9) E :-same as e but ignores punctuations.

(10) B:- same as b but ignores punctuations.

(11) [Enter]:- Forward to the beginning of the next line.

Redo Command:-

. (period) :-Repeats the most recent editing operation performed.

Undo Command:-

u :-Undoes the most recent editing operation performed.

Ex Mode Commands:-

Some of the Ex mode commands are given below.

These commands should be used in Ex mode prefixed by ( : )colon.

(1) :w :-Saves without quitting.

(2) :w <filename> :-Saves the content into the file specified by the filename.

(3) :m,nw <filename> :-Saves the lines m to n into the specified file.

(4) :.w <filename> :-Saves the current line into the specified file.

(5) :$w <filename> :-Saves the last line of text into the specified file.

(6) :wq :-Saves file and quit from vi editor.

(7) :q! :-Quit without saving.

EXPERIMENT 4

Problem: Familiarization with the Windows Client Configuration.

Materials and Setup

You will need the following:

• Windows 7

• Windows 2008 Server

Lab Steps at a Glance


Step 1: Start the Windows 2008 Server and Windows 7 PCs. Log on only to the Windows 7
machine.

Step 2: View the network card configuration using the ipconfig command.

Step 3: Change the IP address of the Windows 7 machine.


Step 4: Verify the new IP address. Use the ipconfig command to verify that the IP address has
changed.

Step 5: Change the IP address of the Windows 7 machine back to the original address.

Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC.

Step 7: View and modify the ARP table.

Step 8: Log off from the Windows 7 PC.

Lab Steps
Step 1: Start the Windows 2008 Server and Windows 7 PCs. Log on only to the Windows 7
machine. To log on to the Windows 7 PC, follow these steps:

1. At the Login screen, click the Admin icon.

2. In the password text box, type the password adminpass and press ENTER.

Step 2: View the network card configuration using the ipconfig command. On the Windows 7
PC, you will view the network card configuration using ipconfig. This utility allows
administrators to view and modify network card settings.

1. To open the command prompt, click Start; in the Search Programs And Files box, type cmd
and then press ENTER.

2. At the command prompt, type ipconfig /? and press ENTER.

a. Observe the options available for ipconfig. You may have to scroll up to see all of the
information.

b. Which options do you think would be most useful for an administrator?

c. Which option would you use to obtain an IP configuration from a Dynamic Host
Configuration Protocol (DHCP) server?

3. Type ipconfig and press ENTER.

a. What is your IP address?

b. What is your subnet mask?

4. Type ipconfig /all and press ENTER.

a. Observe the new information.

b. What is the MAC address (physical address) of your computer?

c. What is your DNS server address?

5. Type exit and press ENTER.

Step 3: Change the IP address of the Windows 7 machine. You will access the Local Area
Connection Properties dialog box and change the host portion of the IP address.

1. Click Start | Control Panel | Network and Internet | Network and Sharing Center.

2. Click Change adapter settings.

3. Right-click Local Area Connection and select Properties.

4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

5. In the IP Address text box, you will see the IP address 192.168.100.101. Change the last octet
(101) to 110.

6. Click OK.

7. In the Local Area Connection Properties window, click Close.

8. Click Close to close the Network Connections window.

Step 4: Verify the new IP address. Use the ipconfig command to verify that the IP address has
changed.

1. To open the command prompt, click Start; in the Search Programs And Files box, type cmd
and then press ENTER.

2. Type ipconfig and press ENTER.

3. Observe that your IP address has changed.

4. Type exit and press ENTER.

Step 5: Change the IP address of the Windows 7 machine back to the original address.

1. Click Start | Control Panel | Network and Internet | Network and Sharing Center.

2. Click Change Adapter Settings.

3. Right-click Local Area Connection and select Properties.

4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

5. In the IP Address text box, you will see the IP address 192.168.100.110. Change the last octet
(110) to 101.

6. Click OK.

7. In the Local Area Connection Properties window, click Close.

8. Click Close to close the Network Connections window.

Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC.

1. On the Windows 7 PC, click Start; in the Search Programs And Files box, type cmd and then
press ENTER.

2. To view the ping help file, type ping /? at the command line and then press ENTER.

3. To ping the IP address of the Windows 2008 Server computer, type ping 192.168.100.102 at
the command line and press ENTER.

a. Observe the information displayed.

b. What is the time value observed for all four replies?

c. What is the TTL observed?

d. What does this number refer to?

e. How can you be sure that this response is actually coming from the correct computer?

Step 7: View and modify the ARP table. At the Windows 7 machine, you are now going to view
the ARP cache, using the arp utility.

1. Close the current Command Prompt window.

2. Select Start | All Programs | Accessories and then right-click Command Prompt.

3. Click Run as administrator.

4. In the User Account Control dialog box, click Yes.

5. At the command line, type arp /? and press ENTER.

a. Observe the options for this command.

b. Which command displays the current ARP entries?

6. At the command line, type arp -a and press ENTER.

7. Observe the entry. Notice that the MAC address for the Windows 2008 Server machine is
listed.

8. At the command line, type arp -d and press ENTER. (The -d option deletes the ARP cache.)

9. Observe the entries. (Do not worry if no entries are listed; you are simply deleting what is in
the ARP cache.)

10. At the command line, type arp -a and press ENTER.

11. Observe that the ARP cache now has no entries.

12. At the command line, type ping 192.168.100.102 and press ENTER.

13. At the command line, type arp -a and press ENTER.

a. Observe any entry. Notice that the MAC address is once again listed.

b. How does using the ping utility cause the machine’s MAC address to be populated in the ARP
cache?

c. How can you be sure that this is actually the correct MAC address for the computer?
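
One way to approach question 13c, added here as an example and not part of the original lab manual: save the arp -a output to a file and compare the entry for the server with the physical address that ipconfig /all shows on the server's own console. The script is POSIX shell run over saved output; the function names, MAC addresses and both captures are constructed for the demo.

```shell
#!/bin/sh
# Added example: check saved Windows "arp -a" output against the MAC read
# from "ipconfig /all" on the server itself. All MAC addresses are constructed.

# MAC address cached for one IP (lower-cased); prints nothing if absent.
arp_mac_for() {      # $1 = IP address, $2 = file holding "arp -a" output
    awk -v ip="$1" '
        $1 == ip && length($2) == 17 && $2 ~ /^[0-9A-Fa-f-]+$/ {
            print tolower($2); exit
        }' "$2"
}

# Compare the cached MAC with the expected one.
# Returns 0 = match, 1 = mismatch, 2 = no entry (ping the host, then retry).
verify_arp_entry() { # $1 = IP, $2 = expected MAC, $3 = arp -a output file
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    seen=$(arp_mac_for "$1" "$3")
    if [ -z "$seen" ]; then
        echo "NO ENTRY  $1"; return 2
    elif [ "$seen" = "$expected" ]; then
        echo "MATCH     $1 is at $seen"; return 0
    else
        echo "MISMATCH  $1 is at $seen, expected $expected"; return 1
    fi
}

# Dynamic entries whose MAC is cached for more than one IP address.
# Static rows (broadcast, multicast) are skipped.
shared_macs() {      # $1 = arp -a output file
    awk '$3 == "dynamic" && length($2) == 17 {
            m = tolower($2); n[m]++; ips[m] = ips[m] " " $1
         }
         END { for (m in n) if (n[m] > 1) print m ips[m] }' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed capture 1: as it would look right after step 13.
    cat > "$d/clean.txt" <<'EOF'

Interface: 192.168.100.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.102       00-0c-29-aa-bb-02     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
EOF
    # Constructed capture 2: the server's IP maps to a different MAC,
    # and that MAC is also cached for a second IP address.
    cat > "$d/changed.txt" <<'EOF'

Interface: 192.168.100.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.102       00-0c-29-aa-bb-63     dynamic
  192.168.100.199       00-0c-29-aa-bb-63     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
EOF
    server_mac=00-0C-29-AA-BB-02   # as shown by ipconfig /all on the server
    verify_arp_entry 192.168.100.102 "$server_mac" "$d/clean.txt"
    verify_arp_entry 192.168.100.102 "$server_mac" "$d/changed.txt"
    echo "shared: $(shared_macs "$d/changed.txt")"
    rm -rf "$d"
}
demo
```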

Step 8: Log off from the Windows 7 PC. At the Windows 7 PC, follow these steps:

1. Choose Start | Shutdown arrow | Log off.

2. In the Log Off Windows dialog box, click Log Off.

EXPERIMENT 5:

Problem: To research the various system vulnerabilities for the target machine (Internet -
access CVE database of vulnerabilities)

Goals:

1) Identifying vulnerabilities for the target machine.

2) Finding utilities to test these vulnerabilities.

Tools:

1) Google to find CVE (at Mitre Corp.)

2) CVE database

3) Packet Storm Website

Background

The concept of vulnerability has held a central place in research ethics guidance since its
introduction in the United States Belmont Report in 1979. It signals mindfulness for researchers
and research ethics boards to the possibility that some participants may be at higher risk of harm
or wrong. Despite its important intended purpose and widespread use, there is considerable
disagreement in the scholarly literature about the meaning and delineation of vulnerability,
stemming from a perceived lack of guidance within research ethics standards. The aim of this
study was to assess the concept of vulnerability as it is employed in major national and
international research ethics policies and guidelines.

All policies in our sample reference vulnerability and/or vulnerable subjects, but only three out
of eleven explicitly define these terms (Table 1). Of these, the Council for International
Organizations of Medical Sciences (CIOMS) and the Tri-Council Policy Statement: Ethical
Conduct for Research Involving Humans (TCPS2) guidelines define vulnerability itself, while
the International Conference on Harmonization, Good Clinical Practice (ICH GCP) instead
provides a definition of vulnerable subjects. These definitions share similar structures, all
defining vulnerability or vulnerable subjects and identifying paradigmatic sources (or causes) of
vulnerability. The ICH GCP definition focuses on issues of consent, where a lack of
voluntariness in a subject’s decision to participate establishes their vulnerability. The CIOMS
and TCPS2 guidelines employ broader language, both stating that vulnerability arises from a
subject’s lack of ability to protect their own interests. Both identify sources of vulnerability
located within the subject (e.g. a lack of decision-making capacity) and in their environment (e.g.

a lack of access to medical care). Only the definition provided by the TCPS2 makes explicit
reference to another central ethical concept – that of autonomy. This reference suggests an
important link between vulnerability and autonomy,

Table 1

Content regarding definitions of vulnerability and detailing the use of qualifying language

| Policy/Guideline | Explicit definition of vulnerability or vulnerable subjects | Use of qualifying language |
|---|---|---|
| Intl | | |
| Declaration of Helsinki (Intl) | – | • Some groups and individuals are “particularly vulnerable” |
| CIOMS | “‘Vulnerability’ refers to a substantial incapacity to protect one’s own interests owing to such impediments as lack of capability to give informed consent, lack of alternative means of obtaining medical care or other expensive necessities, or being a junior or subordinate member of a hierarchical group” | • Persons with serious, potentially disabling or life-threatening diseases are “highly vulnerable” • Selection of the “least vulnerable” subjects required for research. |
| UNESCO Declaration | – | • Certain individuals and groups are of “special vulnerability” |
| ICH GCP (US, EU, JP, AUS, CA) | Glossary defines vulnerable subjects as “individuals whose willingness to volunteer in a clinical trial may be unduly influenced by the expectation, whether justified or not, of benefits associated with participation, or of a retaliatory response from senior members of a hierarchy in case of refusal to participate” | – |
| National | | |
| National Statement (AUS) | – | • Where “potential participants [in dependent or unequal relationships] are especially vulnerable” special measures may be required. • Neonates in intensive care have a “unique developmental vulnerability” • People with a cognitive impairment, intellectual disability, or mental illness have “distinctive vulnerabilities as research participants” and are “more-than-usually vulnerable to various forms of discomfort or stress” |
| TCPS2 (CA) | “Vulnerability – A diminished ability to fully safeguard one’s own interests in the context of a specific research project. This may be caused by limited decision-making capacity or limited access to social goods, such as rights, opportunities and power. Individuals or groups may experience vulnerability to different degrees and at different times, depending on their circumstances. See also ‘Autonomy’” | • Participants, researchers, and research ethics board members may be rendered “more vulnerable” during publicly declared emergencies • “The least organisationally developed communities are the most vulnerable to exploitation” • Participants may be “in highly vulnerable circumstances” because of social or legal stigmatisation. |
| Research Governance Framework (UK) | – | – |
| Belmont Report (US) | – | • “Also, inducements that would ordinarily be acceptable may become undue influences if the subject is especially vulnerable” |

Ethical justifications for the concept of vulnerability

Many guidelines and policies (CIOMS, UNESCO Declaration, Declaration of Helsinki,
Australian National Statement, TCPS2, Belmont Report) provide explicit ethical argumentation
relating to vulnerability and/or vulnerable subjects. There is significant overlap across the sample
between the principles from which obligations or considerations relating to vulnerability arise. In
all cases where guiding ethical principles are provided by a policy or guideline, vulnerability-
related concerns are discussed in the application of each principle.

Identifying vulnerable groups and individuals

All guidelines and policies in the sample provide means through which vulnerability can be
identified. The majority identify subject groups who are likely to be vulnerable. Vulnerable
groups identified in our sample are captured in Table 4, along with the corresponding
explanations of why a subject group is considered vulnerable or what they are vulnerable to,
when these details are available. Notably, while the EU Clinical Trials Directive and Clinical
Trials Regulation, as well as the United Kingdom Research Governance Framework, all identify
vulnerable subject groups, none of these policies provide any supporting explanation. Further,
only four policies (CIOMS, Australian National Statement, TCPS2, and the Common Rule)
provide any explanations of what certain identified groups are vulnerable to.

Implications of vulnerability in research

All policies in our sample identify practical implications of vulnerability in research, i.e.
responses to vulnerability in the design and review of research and to vulnerable participants
themselves. A wide range of implications were identified, some directed explicitly towards REBs
and/or investigators but the majority formulated more broadly with no specific group targeted.
Further, these implications span the research process, from considerations important in the
design of research to actions that must be taken when vulnerable persons are participating in
research.

Table 6

Implications of vulnerability, grouped by theme

| Implication | Policy/Guideline |
|---|---|
| Restrictions for research with vulnerable groups or individuals | |
| When research is carried out with vulnerable participants it should be responsive to the needs, conditions, or priorities of the vulnerable group involved | Declaration of Helsinki; CIOMS |
| Vulnerable subjects should be involved in research only when it cannot be carried out with less vulnerable subjects | CIOMS |
| Special justification is required for involving vulnerable groups in research and appropriateness ought to be demonstrated | CIOMS; Belmont Report |
| Children should not be included in early-phase research until therapeutic effects have been shown in adults | CIOMS |
| Opportunities to participate in and influence research affecting their welfare should not be withheld from vulnerable groups | TCPS2 |
| Members of vulnerable groups are entitled to access the benefits of research | CIOMS |
| Children must be involved in studies of medicinal products likely to be of value to them | EU Clinical Trials Directive |
| People with a cognitive impairment, intellectual disability, or mental illness are entitled to participate in research, which need not be limited to their particular impairment, disability, or illness | Australian National Statement |
| Research with communities vulnerable to exploitation should strive to enhance capacity for participation | TCPS2 |
| Patients receiving high-risk clinical care should not be inappropriately included in or excluded from research | TCPS2 |
| Risk to vulnerable subjects is justified when it arises from interventions that will provide a direct health benefit, or when it will benefit the subject’s population group | CIOMS |
| Special protections and obligations | |
| Individuals and groups of special vulnerability should be protected | UNESCO Declaration |
| Special ethical obligations exist towards vulnerable subjects | TCPS2 |
| Vulnerable subjects should receive special/specific protections | Declaration of Helsinki |
| Groups or individuals in vulnerable circumstances may need or desire special measures to ensure their safety in a specific research project | TCPS2 |
| Vulnerable subjects should be afforded security against harm or abuse | CIOMS |
| Special (or additional) protections for the rights and welfare of vulnerable subjects should be applied | CIOMS; Common Rule |
| Attention and consideration | |
| Special attention should be paid to trials involving vulnerable subjects | ICH GCP |
| Special attention or regard should be paid to vulnerable communities, groups, or persons | UNESCO Declaration; TCPS2 |
| Researchers and REBs should recognise and address changes in participants’ circumstances that may impact their vulnerability | TCPS2 |
| Research ethics board composition | |
| REBs reviewing research with vulnerable subjects should include members with expertise on these populations | Common Rule; EU Clinical Trials Regulation |
| Community members on REBs ought to reflect participant’s perspectives, particularly important when participants are vulnerable and/or risks are high | TCPS2 |
| Assessing harms, risks and benefits | |
| For those gauging the severity of harm in research, the vulnerability of a population will be relevant | Australian National Statement |
| The existence of vulnerable circumstances may require greater effort to minimise risks/maximise benefits to participants | TCPS2 |
| Care must be taken to ensure the risks and burdens of proposed research with persons with a cognitive impairment, intellectual disability, or mental illness are justified by potential benefits | Australian National Statement |
| Recruitment practices | |
| The vulnerability of persons in unequal, dependent relationships must be taken into account when considering recruiting these persons | National Statement |
| Process of informed consent | |
| Consent may need to be re-confirmed in research where participants are vulnerable | National Statement |
| The method of consent in qualitative research depends, in part, on the vulnerability of the research participant; the method must be tailored for their protection | National Statement; TCPS2 |
| When requirements of free, informed, ongoing consent cannot be met, vulnerable participants ought to be involved in decision-making, i.e. obtaining assent, asking about their feelings regarding participation | TCPS2 |
| Clinician-researchers must take care not to overplay the benefits of research participation to vulnerable patients, who may be misled to enter research with false hope | TCPS2 |
| Inducements that may not be excessive or inappropriate for other participants may be undue influences if the subject is especially vulnerable | Belmont Report |
| Care should be taken in the informed consent process to ensure that women vulnerable to coercion have adequate time and a proper environment in which to take decisions | CIOMS |
| Care should be taken in the informed consent process for adults with mental health problems or learning difficulties to ensure that information is provided in the appropriate format and that the roles and responsibilities of those involved are clearly explained and understood | UK Research Governance Framework |
| Additional consent from a parent or guardian may be required for young people who are vulnerable through immaturity in ways that warrant this | National Statement |
| Researchers should invite participants in dependent or unequal relationships to discuss their participation with someone who can support them in making their decision; especially vulnerable participants in these circumstances should be offered participant advocates | National Statement |
| Debriefing | |
| REBs must assess risks and benefits of debriefing participants and whether debriefing plan is appropriate for participants, especially when they are vulnerable | TCPS2 |

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for
publicly known information-security vulnerabilities and exposures. The National Cybersecurity
FFRDC, operated by the Mitre Corporation, maintains the system, with funding from the
National Cyber Security Division of the United States Department of Homeland Security.

The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's
system[2] as well as in the US National Vulnerability Database.

MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE
numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known
information-security vulnerabilities in publicly released software packages. Historically, CVE
identifiers had a status of "candidate" ("CAN-") and could then be promoted to entries ("CVE-");
however, this practice was ended some time ago and all identifiers are now assigned as CVEs.
The assignment of a CVE number is not a guarantee that it will become an official CVE entry
(e.g. a CVE may be improperly assigned to an issue which is not a security vulnerability, or
which duplicates an existing entry).

CVEs are assigned by a CVE Numbering Authority (CNA);[3] there are three primary types of
CVE number assignments:

1. The Mitre Corporation functions as Editor and Primary CNA
2. Various CNAs assign CVE numbers for their own products (e.g. Microsoft,
Oracle, HP, Red Hat, etc.)
3. A third-party coordinator such as CERT Coordination Center may assign CVE
numbers for products not covered by other CNAs

When investigating a vulnerability or potential vulnerability, it helps to acquire a CVE number
early on. CVE numbers may not appear in the MITRE or NVD CVE databases for some time
(days, weeks, months or potentially years), either because the issue is embargoed (the CVE number
has been assigned but the issue has not been made public) or because the entry has not been
researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy
is that all future correspondence can refer to the CVE number. Information on getting CVE
identifiers for issues with open source projects is available from Red Hat.[4]

CVEs are for software that has been publicly released; this can include betas and other
pre-release versions if they are widely used. Commercial software is included in the "publicly
released" category; however, custom-built software that is not distributed would generally not be
given a CVE. Additionally, services (e.g. a Web-based email provider) are not assigned CVEs for
vulnerabilities found in the service (e.g. an XSS vulnerability) unless the issue exists in an
underlying software product that is publicly distributed.
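
An added example, not part of the original report: pulling CVE identifiers out of correspondence, folding the legacy "CAN-" prefix into "CVE-", and separating IDs that a local snapshot of published entries does not yet contain (the embargoed or not-yet-written-up case described above). The ID syntax used (four-digit year, sequence of four or more digits) is the standard CVE format rather than something stated in the report; the function names and sample data are assumptions, and the IDs are constructed placeholders.

```python
import re

# Standard CVE ID syntax: "CVE-<4-digit year>-<4 or more digits>".
# The legacy candidate prefix "CAN-" carried the same year and sequence.
CVE_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text):
    """Return normalised CVE IDs in order of first appearance, de-duplicated."""
    seen, ordered = set(), []
    for _prefix, year, seq in CVE_RE.findall(text):
        cve_id = f"CVE-{year}-{seq}"  # CAN-2099-0001 -> CVE-2099-0001
        if cve_id not in seen:
            seen.add(cve_id)
            ordered.append(cve_id)
    return ordered


def triage(text, published):
    """Split IDs found in text into those present in a local snapshot of
    published entries and those assigned but not visible there yet
    (for example embargoed, or not yet researched and written up)."""
    result = {"published": [], "not_yet_published": []}
    for cve_id in extract_cve_ids(text):
        key = "published" if cve_id in published else "not_yet_published"
        result[key].append(cve_id)
    return result


# Constructed sample input: placeholder IDs, not real advisories.
SAMPLE_THREAD = """\
Subject: fix for parser overflow (CAN-2099-0001)
Vendor confirms cve-2099-0001 and a second issue, CVE-2099-123456.
See also CVE-2099-12 (malformed, too few digits) and XCVE-2099-0002.
"""
SAMPLE_PUBLISHED = {"CVE-2099-0001"}  # hypothetical local snapshot

if __name__ == "__main__":
    print(triage(SAMPLE_THREAD, SAMPLE_PUBLISHED))
```

IDs that land in `not_yet_published` are not necessarily invalid; they are the ones to track until the public entry appears.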

15BCS1361 Ishav Saxena
