205B Cyber Security Unit 3

Cyber security unit 3 notes

UNIT-III

Overview of Cyber Security Concepts:

CIA Triad:
In the information security (InfoSec) community, “CIA” has nothing to do with a certain
well-recognized US intelligence agency. These three letters stand for confidentiality, integrity,
and availability, otherwise known as the CIA triad.
Together, these three principles form the cornerstone of any organization’s security
infrastructure; in fact, they (should) function as goals and objectives for every security program.
The CIA triad is so foundational to information security that anytime data is leaked, a system is
attacked, a user takes phishing bait, an account is hijacked, a website is maliciously taken down, or
any number of other security incidents occur, you can be certain that one or more of these
principles has been violated.

Security professionals evaluate threats and vulnerabilities based on the potential impact
they have on the confidentiality, integrity, and availability of an organization’s assets—namely, its
data, applications, and critical systems. Based on that evaluation, the security team implements a
set of security controls to reduce risk within their environment.

Confidentiality: Only authorized users and processes should be able to access data
Integrity: Data should be maintained in a correct state, and nobody should be able to improperly
modify it, either accidentally or maliciously
Availability: Authorized users should be able to access data whenever they need to do so

These three principles are obviously top of mind for any infosec professional. But
considering them as a triad forces security pros to do the tough work of thinking about how they
overlap and can sometimes be in opposition to one another, which helps in setting priorities when
implementing security policies. Each principle is discussed in more detail below, followed by the
reasons the triad matters.

Confidentiality
Confidentiality refers to an organization's efforts to keep its data private or secret. In
practice, it's about controlling access to data to prevent unauthorized disclosure. Typically, this
involves ensuring that only those who are authorized have access to specific assets and that those
who are unauthorized are actively prevented from obtaining access. As an example, only authorized
payroll employees should have access to the employee payroll database. Furthermore, within a group
of authorized users, there may be additional, more stringent limitations on precisely which
information those authorized users are allowed to access. Another example: it's reasonable for
ecommerce customers to expect that the personal information they provide to an organization (such
as credit card, contact, shipping, or other personal information) will be protected in a way that
prevents unauthorized access or exposure.

VIJAYAM BUSINESS SCHOOL [MCA] Page 1


CHITTOOR Cyber Security
Confidentiality can be violated in many ways, for example, through direct attacks designed
to gain unauthorized access to systems, applications, and databases in order to steal or tamper with
data. Network reconnaissance and other types of scans, electronic eavesdropping (via a
man-in-the-middle attack), and escalation of system privileges by an attacker are just a few
examples. But confidentiality can also be violated unintentionally through human error,
carelessness, or inadequate security controls. Examples include failure (by users or IT security) to
adequately protect passwords; sharing of user accounts; physical eavesdropping (also known as
shoulder surfing); failure to encrypt data (in use, in transit, and at rest); poor, weak, or
nonexistent authentication systems; and theft of physical equipment and storage devices.

Countermeasures to protect confidentiality include data classification and labeling; strong
access controls and authentication mechanisms; encryption of data in use, in transit, and at
rest; steganography (hiding that the data exists at all); remote wipe capabilities; and adequate
education and training for all individuals with access to data.
CIA triad confidentiality examples
Much of what laypeople think of as "cybersecurity" — essentially, anything that restricts
access to data — falls under the rubric of confidentiality. This includes infosec's two big As:
Authentication, which encompasses processes that allow a system to determine whether a user is
who they claim to be. These include passwords and the panoply of techniques available for
establishing identity: biometrics, security tokens, cryptographic keys, and the like.
Authorization, which determines who has the right to access which data: just because a
system knows who you are, it doesn't necessarily open all its data for your perusal. One of the most
important ways to enforce confidentiality is establishing need-to-know (least privilege) access, so
that a hijacked or rogue account can reach only the data that account was entitled to, not
everything on the system. Most operating systems enforce confidentiality in this sense by making
many files accessible only to their owner or an administrator.
Confidentiality can also be enforced by non-technical means. For instance, keeping
hardcopy data behind lock and key can keep it confidential; so can air-gapping computers and
fighting against social engineering attempts.
Integrity
In everyday usage, integrity refers to the quality of something being whole or complete. In
InfoSec, integrity is about ensuring that data has not been tampered with and, therefore, can be
trusted. It is correct, authentic, and reliable. Ecommerce customers, for example, expect product
and pricing information to be accurate, and that quantity, pricing, availability, and other
information will not be altered after they place an order. Banking customers need to be able to trust
that their banking information and account balances have not been tampered with. Ensuring
integrity involves protecting data in use, in transit (such as when sending an email or uploading or
downloading a file), and when it is stored, whether on a laptop, a portable storage device, in the
data center, or in the cloud.
Countermeasures that protect data integrity include hashing, message authentication codes
(MACs), digital signatures, digital certificates (trusted certificate authorities (CAs) issue digital
certificates to organizations to verify their identity to website users, similar to the way a
passport or driver's license verifies an individual's identity), intrusion detection systems,
auditing, version control, and strong authentication mechanisms and access controls. Encryption is
often listed here too, but only authenticated encryption (for example AES-GCM) detects tampering;
a bare cipher without a MAC or signature keeps data secret yet lets an attacker modify the
ciphertext undetected.

CIA triad integrity examples
The techniques for maintaining data integrity can span what many would consider disparate
disciplines. For instance, many of the methods for protecting confidentiality also enforce data
integrity: you can't maliciously alter data that you can't access, after all. We also mentioned the
data access rules enforced by most operating systems: in some cases, files can be read by certain
users but not edited, which can help maintain data integrity along with availability.
But there are other ways data integrity can be lost that go beyond malicious attackers
attempting to delete or alter it. For instance, corruption seeps into data in ordinary RAM as a result
of interactions with cosmic rays much more regularly than you'd think. That's at the exotic end of
the spectrum, but any techniques designed to protect the physical integrity of storage media can
also protect the virtual integrity of data.
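The file-integrity check just described (hash files at rest, compare later), as an added example in Python; this code is not from the course notes or from any product they mention. It baselines a directory tree by SHA-256, then re-hashes it and reports added, removed and changed files. The directory, file names and contents are constructed on the fly for the demo and carry no significance.

```python
"""Added example (not from the course notes): a minimal file-integrity
baseline/compare routine. All paths and file contents are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root -> sha256)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's target is hashed only if it is in scope itself
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Classify drift between two manifests. Sorted lists keep the result
    stable enough to assert on or to paste into a ticket."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def demo():
    """Create a throwaway tree, baseline it, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        files = {  # constructed contents, not real system files
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/sudoers": b"root ALL=(ALL) ALL\n",
            "bin/ls": b"\x7fELF-placeholder\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        baseline = build_baseline(root)

        # Simulate an intrusion: a second UID-0 account appended to passwd,
        # a dropped tool, and the sudoers file removed.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"svc:x:0:0::/:/bin/bash\n")
        with open(os.path.join(root, "bin/nc"), "wb") as f:
            f.write(b"dropped tool\n")
        os.remove(os.path.join(root, "etc/sudoers"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two operational caveats the text does not spell out: keep the baseline off the monitored host (or sign it), since an attacker who can change the files can usually change the baseline too, and run the check with a known-good copy of the tool, since a compromised host can lie about its own hashes.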
Availability
Systems, applications, and data are of little value to an organization and its customers if
they are not accessible when authorized users need them. Quite simply, availability means
that networks, systems, and applications are up and running. It ensures that authorized users have
timely, reliable access to resources when they are needed.

Many things can jeopardize availability, including hardware or software failure, power
failure, natural disasters, and human error. Perhaps the most well-known attack that threatens
availability is the denial-of-service attack, in which the performance of a system, website, web-
based application, or web-based service is intentionally and maliciously degraded, or the system
becomes completely unreachable.

Countermeasures to help ensure availability include redundancy (in servers, networks,
applications, and services), hardware fault tolerance (for servers and storage), regular software
patching and system upgrades, backups, comprehensive disaster recovery plans, and
denial-of-service protection solutions.
Applying the Principles
Depending on an organization’s security goals, the industry, the nature of the business, and
any applicable regulatory requirements, one of these three principles might take precedence over
another.
A key concept to understand about the CIA triad is that prioritizing one or more
principles can mean the tradeoff of others. For example, a system that requires high confidentiality
and integrity might sacrifice lightning-speed performance that other systems (such as ecommerce)
might value more highly. This tradeoff is not necessarily a bad thing; it is a conscious choice. Each
organization must decide how to apply these principles given their unique requirements, balanced
with their desire to provide a seamless and safe user experience.

Non-Repudiation
Non-repudiation is the assurance that someone cannot deny the validity of something. It
is a legal concept that is widely used in information security, where it refers to a service that
provides proof of the origin of data and of the integrity of that data. In other words,
non-repudiation makes it very difficult to successfully deny who a message came from, or that
its content is authentic and unaltered.

Digital signatures (combined with other measures) can offer non-repudiation for online
transactions, where it is crucial that a party to a contract or a communication can't later deny
the authenticity of their signature on a document or the sending of a message. A signature gives
this property because it is made with a private key that only the signer holds; anyone can verify it
with the matching public key, but nobody else could have produced it.
Non-repudiation Principles
Non-repudiation requires the creation of artifacts which may be used to dispute the claims of an
entity or organization that denies being the originator of an action or communication. These
artifacts consist of:
• An identity
• The authentication of that identity
• Tangible evidence connecting the identified party to a particular communication or action
Non-repudiation Techniques
For email transmission, non-repudiation typically involves using methods designed to
ensure that a sender can't deny having sent a particular message, or that a message recipient can't
deny having received it. Techniques include signed mail (S/MIME or OpenPGP) and, much more
weakly, delivery or read receipts and email tracking.
Cryptographic hash functions may be used to establish the integrity of transmitted
documents. No encryption keys are involved, and strong hash functions are designed to be
one-way (preimage resistant) and collision resistant: it must be computationally infeasible to
find two different documents that give rise to the same hash value. A hash by itself, however,
binds nothing to a sender: anyone who alters the document can simply recompute the hash, so for
proof of origin the hash must be signed with the sender's private key (or, for integrity between
two parties that share a secret, protected with a MAC).
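The distinction drawn in the two passages above between a bare hash, a keyed MAC and a digital signature, and why only the last gives non-repudiation, as an added example in Python using only the standard library (this code is not from the course notes). The messages, the "attacker" edits and the shared key are constructed for the demo; the standard library has no signature primitive, so that step is described in a comment rather than run.

```python
"""Added example (not from the course notes): what a bare hash, an HMAC and a
digital signature each prove. Messages, the attacker's edits and the shared
key are constructed for the demo; no real mail or payment protocol is used."""
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """Unkeyed SHA-256. Detects accidental corruption, nothing more."""
    return hashlib.sha256(message).hexdigest()


def accept_hash_only(message: bytes, claimed_hash: str) -> bool:
    """What a receiver can check when only (message, hash) is shipped."""
    return digest(message) == claimed_hash


def mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256. Only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time so the mismatch position is not leaked
    return hmac.compare_digest(mac(key, message), tag)


def hash_only_scenario():
    """A bit flip in transit is caught, but an attacker who can rewrite the
    message simply recomputes the hash, and the receiver accepts it."""
    original = b"PAY 100 EUR TO ACCOUNT 1234"
    shipped_hash = digest(original)

    corrupted = bytearray(original)
    corrupted[4] ^= 0x01                    # one bit flipped in transit
    corrupted = bytes(corrupted)

    forged = b"PAY 900 EUR TO ACCOUNT 6789"
    forged_hash = digest(forged)            # attacker recomputes the hash

    return {
        "accepts_genuine": accept_hash_only(original, shipped_hash),
        "detects_bitflip": not accept_hash_only(corrupted, shipped_hash),
        "detects_forgery": not accept_hash_only(forged, forged_hash),  # False
    }


def hmac_scenario():
    """With a shared secret the attacker cannot mint a tag, so forgery is
    caught. But the receiver holds the same key and can mint a tag for a
    message the sender never sent: a MAC proves origin only between the two
    key holders and gives no non-repudiation towards a third party."""
    key = secrets.token_bytes(32)           # shared by sender and receiver
    original = b"PAY 100 EUR TO ACCOUNT 1234"
    tag = mac(key, original)

    forged = b"PAY 900 EUR TO ACCOUNT 6789"
    attacker_tag = digest(forged)           # no key, so the best it can do is guess

    invented = b"PAY 5000 EUR TO ACCOUNT 9999"
    receiver_tag = mac(key, invented)       # receiver forges a "sender" message

    return {
        "accepts_genuine": verify_mac(key, original, tag),
        "detects_forgery": not verify_mac(key, forged, attacker_tag),
        "receiver_can_forge": verify_mac(key, invented, receiver_tag),
    }


# Non-repudiation needs an asymmetric signature (RSA-PSS, ECDSA, Ed25519): the
# tag is produced with a private key only the signer holds and checked with
# the public key, so the receiver can verify but cannot forge. The standard
# library has no such primitive; the third-party `cryptography` package does.
```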
Why is the CIA triad important?
It's instructive to think about the CIA triad as a way to make sense of the
bewildering array of security software, services, and techniques that are in the marketplace. Rather
than just throwing money and consultants at the vague "problem" of "cybersecurity," we can ask
focused questions as we plan and spend money: Does this tool make our information more secure?
Does this service help ensure the integrity of our data? Will beefing up our infrastructure make our
data more readily available to those who need it?
In addition, arranging these three concepts in a triad makes it clear that they exist, in many
cases, in tension with one another. We'll dig deeper into some examples in a moment, but some
contrasts are obvious: Requiring elaborate authentication for data access may help ensure its
confidentiality, but it can also mean that some people who have the right to see that data may find
it difficult to do so, thus reducing availability. Keeping the CIA triad in mind as you establish
information security policies forces a team to make productive decisions about which of the three
elements is most important for specific sets of data and for the organization as a whole.
CIA triad examples
Consider the example of a bank ATM, which can offer users access to bank balances and
other information. An ATM has tools that cover all three principles of the triad:
• It provides confidentiality by requiring two-factor authentication (a physical card, something
you have, plus a PIN code, something you know) before allowing access to data
• The ATM and bank software enforce data integrity by ensuring that any transfers or withdrawals
made via the machine are reflected in the accounting for the user's bank account
• The machine provides availability because it's in a public place and is accessible even when the
bank branch is closed.

Incident Response
When a security incident occurs, every second matters. Malware infections rapidly
spread, ransomware can cause catastrophic damage, and compromised accounts can be used for
privilege escalation, leading attackers to more sensitive assets.
Whatever the size of your organization, you should have a trained incident response team
tasked with taking immediate action when incidents happen. Read on to learn a six-step process
that can help your incident responders take action faster and more effectively when the alarm
goes off.
What is incident response?
Incident response (IR) is a structured methodology for handling security incidents, breaches, and
cyber threats. A well-defined incident response plan (IRP) allows you to identify an attack quickly,
minimize the damage, and reduce the cost of the incident, while finding and fixing the root cause
to prevent future attacks.
During a cybersecurity incident, security teams face many unknowns and a frenzy of
activity. In such a hectic environment, they may fail to follow proper incident response
procedures and so fail to limit the damage. A security incident is a high-pressure situation, and
your IR team must be able to focus immediately on the critical tasks at hand. Clear thinking and
swiftly taking pre-planned incident response steps during a security incident can prevent many
unnecessary business impacts and reputational damage.
Why should you immediately report a cybersecurity incident?
When a cybersecurity incident is confirmed by security analysts, it is important to inform
relevant parties as soon as possible. Privacy laws such as GDPR and California's CCPA (together
with state breach-notification statutes) require that regulators and, in some cases, the affected
individuals be notified within a fixed period after a data breach; GDPR, for example, gives 72 hours
to notify the supervisory authority.
Depending on the severity of the breach, legal, press and executive management should
be involved. In many cases, other departments such as customer service, finance or IT need to
take immediate action. Your incident response plan should clearly state, depending on the type
and severity of the breach, who should be informed. The plan should include full contact details
and how to communicate with each relevant party, to save time in the aftermath of an attack.
What are the 6 steps of incident response?
The first priority when implementing incident response is to prepare in advance by putting
a concrete IR plan in place. Your incident response methodology should be battle-tested before a
significant attack or data breach occurs. It should address the following response phases as
defined by the NIST Computer Security Incident Handling Guide (SP 800-61):
• Preparation – Planning in advance how to handle and prevent security incidents
• Detection and Analysis – Encompasses everything from monitoring potential attack
vectors, to looking for signs of an incident, to prioritization
• Containment, Eradication, and Recovery – Developing a containment strategy,
identifying and mitigating the hosts and systems under attack, and having a plan for
recovery
• Post-Incident Activity – Reviewing lessons learned and having a plan for evidence
retention

Figure 1 – The NIST recommended phases for responding to a cybersecurity incident

Building on the outlined NIST phases, here are specific incident response steps
to take once a critical security event has been detected:
1. Assemble your team:
It’s critical to have the right people with the right skills, along with
associated tribal knowledge. Appoint a team leader who will have overall
responsibility for responding to the incident. This person should have a direct
line of communication with management so that important decisions—such as
taking key systems offline if necessary—can be made quickly.
In smaller organizations, or where a threat isn’t severe, your SOC team or
managed security consultants may be sufficient to handle an incident. But for the more
serious incidents, you should include other relevant areas of the company such as
corporate communications and human resources.
If you have built a Computer Security Incident Response Team (CSIRT), now is the time
to activate your team, bringing in the entire range of pre-designated technical and
non-technical specialists.
If a breach could result in litigation, or requires public notification and
remediation, you should notify your legal department immediately.
2. Detect and ascertain the source.
The IR team you've assembled should first work to identify the cause of the
breach, and then ensure that it's contained.
Security teams will become aware that an incident is occurring or has occurred
from a very wide variety of indicators, including:
• Users, system administrators, network administrators, security staff, and others
from within your organization reporting signs of a security incident
• SIEMs or other security products generating alerts based on analysis of log data
• File integrity checking software, using hashing algorithms to detect when
important files have been altered
• Anti-malware programs
• Logs (including audit-related data), which should be systematically reviewed to
look for anomalous and suspicious activity involving:
  • Users
  • External storage
  • Real-time memory
  • Network devices
  • Operating systems
  • Cloud services
  • Applications
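Detection logic of the kind a SIEM rule or a systematic log review applies, as an added Python example (not from the course notes): it parses sshd-style authentication lines and flags a source address that accumulates a threshold of failures inside a time window, escalating if that same source then logs in successfully. The log lines are constructed for the demo (documentation-range IP addresses), and the threshold and window are assumptions to be tuned per environment.

```python
"""Added example (not from the course notes): a brute-force / password-spray
rule over sshd-style auth logs. SAMPLE_LOG is constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 hammers the host and finally gets in as
# root; alice (198.51.100.9) mistypes once and then logs in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:03 sshd[201]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:05 sshd[201]: Failed password for root from 203.0.113.7 port 51141 ssh2
2024-05-01T10:00:06 sshd[201]: Failed password for alice from 198.51.100.9 port 40211 ssh2
2024-05-01T10:00:07 sshd[201]: Failed password for root from 203.0.113.7 port 51150 ssh2
2024-05-01T10:00:09 sshd[201]: Failed password for root from 203.0.113.7 port 51162 ssh2
2024-05-01T10:00:11 sshd[201]: Accepted password for alice from 198.51.100.9 port 40215 ssh2
2024-05-01T10:00:14 sshd[201]: Accepted password for root from 203.0.113.7 port 51170 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line the pattern matches.
    Unparseable lines are skipped rather than crashing the pipeline."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Raise BRUTE_FORCE when a source reaches `threshold` failures inside
    `window`, and BRUTE_FORCE_SUCCESS if that source then authenticates while
    those failures are still inside the window. Returns a list of
    (alert, ip, user, timestamp) tuples; the threshold is assumed, not NIST's."""
    failures = defaultdict(list)   # ip -> timestamps of failures still in window
    alerts = []
    for ts, result, user, ip in events:
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:        # fire once, when the line is crossed
                alerts.append(("BRUTE_FORCE", ip, user, ts))
        elif len(recent) >= threshold:          # success after a burst of failures
            alerts.append(("BRUTE_FORCE_SUCCESS", ip, user, ts))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

The success-after-failures escalation is the alert worth paging on: a burst of failures alone is background noise on any internet-facing host, while a success from the same source inside the window is the indicator that the account is now in the attacker's hands and step 3 (containment) should start.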
3. Contain and recover:

A security incident is analogous to a forest fire. Once you've detected an
incident and its source, you need to contain the damage. This may involve disabling
network access for computers known to be infected by malware (so they can be
quarantined), resetting passwords and revoking sessions or tokens for accounts that were
breached, blocking accounts of insiders who may have caused the incident, and patching the
vulnerabilities the attacker exploited. Before any host is wiped or rebuilt, your team should
capture forensic images of its disk and memory and preserve the relevant logs, so that the
evidence of what happened survives the cleanup; remediation that destroys evidence is a
common and costly mistake.
Next, move to any needed service restoration, which includes two critical steps:
1. Perform system/network validation and testing to certify all systems as
operational.
2. Recertify any component that was compromised as both operational and secure.
Ensure your long-term containment strategy includes not only returning all systems to
production to allow for standard business operation, but also locking down or purging
user accounts and backdoors that enabled the intrusion.
4. Assess the damage and severity
Until the smoke clears it can be difficult to grasp the severity of an incident and
the extent of damage it has caused. For example, did it result from an external attack
on servers that could shut down critical business components such as an e-commerce
or reservation systems? Or, for example, did a web application layer intrusion perform
a SQL Injection attack to execute malicious SQL statements on a web application’s
database or potentially use a web server as a pathway to steal data from or control
critical backend systems? If critical systems are involved, escalate the incident and
activate your CSIRT or response team immediately.
5. Begin the notification process
A data breach is a security incident in which sensitive, protected or confidential
data is copied, transmitted, viewed, stolen or used by an unauthorized individual.
Privacy laws such as GDPR and California's CCPA require that regulators and, in many
cases, the affected individuals be notified of such a breach. Notify affected parties so they
can protect themselves from identity theft or other fallout from the disclosure of confidential
personal or financial data.
6. Start now to prevent the same type of incident in the future
Once a security incident has been stabilized, examine lessons learned to
prevent recurrences of similar incidents. This might include patching server
vulnerabilities, training employees on how to avoid phishing scams, or rolling out
technologies to better monitor insider threats. Fixing security flaws or vulnerabilities
found during your post-incident activities is a given.
Also, review lessons learned from the incident and implement appropriate
changes to your security policies with training for staff and employees. For example, if
the attack resulted from an unwitting employee opening an Excel file as an email
attachment, implement a company-wide policy and training on how to recognize and
respond to a phishing email.
Every organization will have different incident response steps based on their
unique IT environment and business needs. Study industry guides such as those
published by NIST to ensure your IR planning includes all the necessary incident
response steps to protect your organization when a cybersecurity incident occurs.
Conclusion
An incident response methodology enables organizations to define response
countermeasures in advance. There is a wide range of approaches to IR. Most
security professionals build on the phases recommended by NIST (preparation; detection and
analysis; containment, eradication, and recovery; and post-incident activity), which the six
steps above expand into concrete actions.
When it comes to preparation, many organizations leverage a combination of
assessment checklists, detailed incident response plans, summarized and actionable
incident response playbooks, as well as policies that can automate some of the
processes. While well-planned, an incident response methodology should remain
flexible, allowing for continuous improvement.
Introduction to Frameworks and Best Practices
Framework Basics
The NIST Cybersecurity Framework, version 1.1 (the "Framework" below), provides a common
language for understanding, managing, and expressing cybersecurity risk to internal and external
stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity
risk, and it is a tool for aligning policy, business, and technological approaches to managing that
risk. It can be used to manage cybersecurity risk across entire organizations or it can be focused
on the delivery of critical services within an organization. Different types of entities – including
sector coordinating structures, associations, and organizations – can use the Framework for
different purposes, including the creation of common Profiles.
1 Framework Core
The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and
references examples of guidance to achieve those outcomes. The Core is not a checklist of actions
to perform. It presents key cybersecurity outcomes identified by stakeholders as helpful in
managing cybersecurity risk. The Core comprises four elements: Functions, Categories,
Subcategories, and Informative References, depicted in Figure 1.

Figure 1: Framework Core Structure

The Framework Core elements work together as follows:
• Functions organize basic cybersecurity activities at their highest level. These Functions
are Identify, Protect, Detect, Respond, and Recover. They aid an organization in
expressing its management of cybersecurity risk by organizing information, enabling risk
management decisions, addressing threats, and improving by learning from previous
activities. The Functions also align with existing methodologies for incident management
and help show the impact of investments in cybersecurity. For example, investments in
planning and exercises support timely response and recovery actions, resulting in reduced
impact to the delivery of services.
• Categories are the subdivisions of a Function into groups of cybersecurity outcomes
closely tied to programmatic needs and particular activities. Examples of Categories
include “Asset Management,” “Identity Management and Access Control,” and
“Detection Processes.”
• Subcategories further divide a Category into specific outcomes of technical and/or
management activities. They provide a set of results that, while not exhaustive, help
support achievement of the outcomes in each Category. Examples of Subcategories
include “External information systems are catalogued,” “Data-at-rest is protected,” and
“Notifications from detection systems are investigated.”
• Informative References are specific sections of standards, guidelines, and practices
common among critical infrastructure sectors that illustrate a method to achieve the
outcomes associated with each Subcategory. The Informative References presented in the
Framework Core are illustrative and not exhaustive. They are based upon cross-sector
guidance most frequently referenced during the Framework development process.
The five Framework Core Functions are defined below. These Functions are not intended to
form a serial path or lead to a static desired end state. Rather, the Functions should be performed
concurrently and continuously to form an operational culture that addresses the dynamic
cybersecurity risk.
• Identify – Develop an organizational understanding to manage cybersecurity risk to
systems, people, assets, data, and capabilities.
The activities in the Identify Function are foundational for effective use of the
Framework. Understanding the business context, the resources that support critical
functions, and the related cybersecurity risks enables an organization to focus and
prioritize its efforts, consistent with its risk management strategy and business needs.
Examples of outcome Categories within this Function include: Asset Management;
Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
• Protect – Develop and implement appropriate safeguards to ensure delivery of
critical services.
The Protect Function supports the ability to limit or contain the impact of a potential
cybersecurity event. Examples of outcome Categories within this Function include: Identity
Management and Access Control; Awareness and Training; Data Security; Information
Protection Processes and Procedures; Maintenance; and Protective Technology.
• Detect – Develop and implement appropriate activities to identify the occurrence of a
cybersecurity event.
The Detect Function enables timely discovery of cybersecurity events. Examples of
outcome Categories within this Function include: Anomalies and Events; Security
Continuous Monitoring; and Detection Processes.
• Respond – Develop and implement appropriate activities to take action regarding a
detected cybersecurity incident.
The Respond Function supports the ability to contain the impact of a potential
cybersecurity incident. Examples of outcome Categories within this Function include:
Response Planning; Communications; Analysis; Mitigation; and Improvements.
• Recover – Develop and implement appropriate activities to maintain plans for resilience
and to restore any capabilities or services that were impaired due to a cybersecurity
incident.
The Recover Function supports timely recovery to normal operations to reduce the
impact from a cybersecurity incident. Examples of outcome Categories within this
Function include: Recovery Planning; Improvements; and Communications.
2 Framework Implementation Tiers
The Framework Implementation Tiers (“Tiers”) provide context on how an organization
views cybersecurity risk and the processes in place to manage that risk. Ranging from Partial
(Tier 1) to Adaptive (Tier 4), Tiers describe an increasing degree of rigor and sophistication in
cybersecurity risk management practices. They help determine the extent to which cybersecurity
risk management is informed by business needs and is integrated into an organization’s overall
risk management practices. Risk management considerations include many aspects of
cybersecurity, including the degree to which privacy and civil liberties considerations are
integrated into an organization’s management of cybersecurity risk and potential risk responses.
The Tier selection process considers an organization’s current risk management
practices, threat environment, legal and regulatory requirements, information sharing practices,
business/mission objectives, supply chain cybersecurity requirements, and organizational
constraints.
Organizations should determine the desired Tier, ensuring that the selected level meets
the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical
assets and resources to levels acceptable to the organization. Organizations should consider
leveraging external guidance obtained from Federal government departments and agencies,
Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis
Organizations (ISAOs), existing maturity models, or other sources to assist in determining their
desired tier.
While organizations identified as Tier 1 (Partial) are encouraged to consider moving
toward Tier 2 or greater, Tiers do not represent maturity levels. Tiers are meant to support
organizational decision making about how to manage cybersecurity risk, as well as which
dimensions of the organization are higher priority and could receive additional resources.
Progression to higher Tiers is encouraged when a cost-benefit analysis indicates a feasible and
cost-effective reduction of cybersecurity risk.

Successful implementation of the Framework is based upon achieving the outcomes
described in the organization’s Target Profile(s) and not upon Tier determination. Still, Tier
selection and designation naturally affect Framework Profiles. The Tier recommendation by
Business/Process Level managers, as approved by the Senior Executive Level, will help set the
overall tone for how cybersecurity risk will be managed within the organization, and should
influence prioritization within a Target Profile and assessments of progress in addressing gaps.
The Tier definitions are as follows:
Tier 1: Partial
• Risk Management Process – Organizational cybersecurity risk management practices are
not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
Prioritization of cybersecurity activities may not be directly informed by organizational
risk objectives, the threat environment, or business/mission requirements.
• Integrated Risk Management Program – There is limited awareness of cybersecurity risk
at the organizational level. The organization implements cybersecurity risk management
on an irregular, case-by-case basis due to varied experience or information gained from
outside sources. The organization may not have processes that enable cybersecurity
information to be shared within the organization.
• External Participation – The organization does not understand its role in the larger
ecosystem with respect to either its dependencies or dependents. The organization does
not collaborate with or receive information (e.g., threat intelligence, best practices,
technologies) from other entities (e.g., buyers, suppliers, dependencies, dependents,
ISAOs, researchers, governments), nor does it share information. The organization is
generally unaware of the cyber supply chain risks of the products and services it provides
and that it uses.
Tier 2: Risk Informed
• Risk Management Process – Risk management practices are approved by management
but may not be established as organization-wide policy. Prioritization of cybersecurity
activities and protection needs is directly informed by organizational risk objectives, the
threat environment, or business/mission requirements.
• Integrated Risk Management Program – There is an awareness of cybersecurity risk at
the organizational level, but an organization-wide approach to managing cybersecurity
risk has not been established. Cybersecurity information is shared within the organization
on an informal basis. Consideration of cybersecurity in organizational objectives and
programs may occur at some but not all levels of the organization. Cyber risk assessment
of organizational and external assets occurs, but is not typically repeatable or reoccurring.
 External Participation – Generally, the organization understands its role in the larger
ecosystem with respect to either its own dependencies or dependents, but not both. The
organization collaborates with and receives some information from other entities and
generates some of its own information, but may not share information with others.
Additionally, the organization is aware of the cyber supply chain risks associated with
the products and services it provides and uses, but does not act consistently or formally
upon those risks.
Tier 3: Repeatable
 Risk Management Process – The organization’s risk management practices are formally
approved and expressed as policy. Organizational cybersecurity practices are regularly
updated based on the application of risk management processes to changes in
business/mission requirements and a changing threat and technology landscape.
 Integrated Risk Management Program – There is an organization-wide approach to
manage cybersecurity risk. Risk-informed policies, processes, and procedures are
defined, implemented as intended, and reviewed. Consistent methods are in place to
respond effectively to changes in risk. Personnel possess the knowledge and skills to
perform their appointed roles and responsibilities. The organization consistently and
accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and
non-cybersecurity executives communicate regularly regarding cybersecurity risk.
Senior executives ensure consideration of cybersecurity through all lines of operation in
the organization.
 External Participation - The organization understands its role, dependencies, and
dependents in the larger ecosystem and may contribute to the community’s broader
understanding of risks. It collaborates with and receives information from other entities
regularly that complements internally generated information, and shares information
with other entities. The organization is aware of the cyber supply chain risks associated
with the products and services it provides and that it uses. Additionally, it usually acts
formally upon those risks, including mechanisms such as written agreements to
communicate baseline requirements, governance structures (e.g., risk councils), and
policy implementation and monitoring.
Tier 4: Adaptive
 Risk Management Process – The organization adapts its cybersecurity practices based on
previous and current cybersecurity activities, including lessons learned and predictive
indicators. Through a process of continuous improvement incorporating advanced
cybersecurity technologies and practices, the organization actively adapts to a changing
threat and technology landscape and responds in a timely and effective manner to
evolving, sophisticated threats.
 Integrated Risk Management Program – There is an organization-wide approach to
managing cybersecurity risk that uses risk-informed policies, processes, and procedures
to address potential cybersecurity events. The relationship between cybersecurity risk and
organizational objectives is clearly understood and considered when making decisions.
Senior executives monitor cybersecurity risk in the same context as financial risk and
other organizational risks. The organizational budget is based on an understanding of the
current and predicted risk environment and risk tolerance. Business units implement
executive vision and analyze system-level risks in the context of the organizational risk
tolerances. Cybersecurity risk management is part of the organizational culture and
evolves from an awareness of previous activities and continuous awareness of activities
on their systems and networks. The organization can quickly and efficiently account for
changes to business/mission objectives in how risk is approached and communicated.
 External Participation - The organization understands its role, dependencies, and
dependents in the larger ecosystem and contributes to the community’s broader
understanding of risks. It receives, generates, and reviews prioritized information that
informs continuous analysis of its risks as the threat and technology landscapes evolve.
The organization shares that information internally and externally with other
collaborators. The organization uses real-time or near real-time information to
understand and consistently act upon cyber supply chain risks associated with the
products and services it provides and that it uses. Additionally, it communicates
proactively, using formal (e.g. agreements) and informal mechanisms to develop and
maintain strong supply chain relationships.
Framework Profile
The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and
Subcategories with the business requirements, risk tolerance, and resources of the
organization. A Profile enables organizations to establish a roadmap for reducing
cybersecurity risk that is well aligned with organizational and sector goals, considers
legal/regulatory requirements and industry best practices, and reflects risk management
priorities. Given the complexity of many organizations, they may choose to have multiple
profiles, aligned with particular components and recognizing their individual needs.
Framework Profiles can be used to describe the current state or the desired target state of
specific cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that
are currently being achieved. The Target Profile indicates the outcomes needed to achieve the
desired cybersecurity risk management goals. Profiles support business/mission requirements
and aid in communicating risk within and between organizations. This Framework does not
prescribe Profile templates, allowing for flexibility in implementation.
Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be
addressed to meet cybersecurity risk management objectives. An action plan to address these
gaps to fulfill a given Category or Subcategory can contribute to the roadmap described
above. Prioritizing the mitigation of gaps is driven by the organization’s business needs and
risk management processes. This risk-based approach enables an organization to gauge the
resources needed (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective,
prioritized manner. Furthermore, the Framework is a risk-based approach where the
applicability and fulfillment of a given Subcategory is subject to the Profile’s scope.
Coordination of Framework Implementation
Figure 2 describes a common flow of information and decisions at the following levels within
an organization:
 Executive
 Business/Process
 Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk
tolerance to the business/process level. The business/process level uses the information as
inputs into the risk management process, and then collaborates with the
implementation/operations level to communicate business needs and create a Profile. The
implementation/operations level communicates the Profile implementation progress to the
business/process level. The business/process level uses this information to perform an impact
assessment. Business/process level management reports the outcomes of that impact
assessment to the executive level to inform the organization’s overall risk management
process and to the implementation/operations level for awareness of business impact.

Figure 2: Notional Information and Decision Flows within an Organization


Basic Review of Cybersecurity Practices
The Framework can be used to compare an organization’s current cybersecurity
activities with those outlined in the Framework Core. Through the creation of a Current
Profile, organizations can examine the extent to which they are achieving the outcomes
described in the Core Categories and Subcategories, aligned with the five high-level
Functions: Identify, Protect, Detect, Respond, and Recover. An organization may find that it
is already achieving the desired outcomes, thus managing cybersecurity commensurate with
the known risk. Alternatively, an organization may determine that it has opportunities to (or
needs to) improve. The organization can use that information to develop an action plan to
strengthen existing cybersecurity practices and reduce cybersecurity risk. An organization
may also find that it is overinvesting to achieve certain outcomes. The organization can use
this information to reprioritize resources.
While they do not replace a risk management process, these five high-level Functions
will provide a concise way for senior executives and others to distill the fundamental
concepts of cybersecurity risk so that they can assess how identified risks are managed, and
how their organization stacks up at a high level against existing cybersecurity standards,
guidelines, and practices. The Framework can also help an organization answer fundamental
questions, including “How are we doing?” Then they can move in a more informed way to
strengthen their cybersecurity practices where and when deemed necessary.

Establishing or Improving a Cybersecurity Program
The following steps illustrate how an organization could use the Framework to
create a new cybersecurity program or improve an existing program. These steps should
be repeated as necessary to continuously improve cybersecurity.
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives
and high-level organizational priorities. With this information, the organization makes
strategic decisions regarding cybersecurity implementations and determines the scope of
systems and assets that support the selected business line or process. The Framework can
be adapted to support the different business lines or processes within an organization,
which may have different business needs and associated risk tolerance. Risk tolerances
may be reflected in a target Implementation Tier.
Step 2: Orient. Once the scope of the cybersecurity program has been determined for
the business line or process, the organization identifies related systems and assets,
regulatory requirements, and overall risk approach. The organization then consults
sources to identify threats and vulnerabilities applicable to those systems and assets.
Step 3: Create a Current Profile. The organization develops a Current Profile by indicating
which Category and Subcategory outcomes from the Framework Core are currently being
achieved. If an outcome is partially achieved, noting this fact will help support subsequent
steps by providing baseline information.
Step 4: Conduct a Risk Assessment. This assessment could be guided by the
organization’s overall risk management process or previous risk assessment activities. The
organization analyzes the operational environment in order to discern the likelihood of a
cybersecurity event and the impact that the event could have on the organization. It is
important that organizations identify emerging risks and use cyber threat information from
internal and external sources to gain a better understanding of the likelihood and impact of
cybersecurity events.
Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the
assessment of the Framework Categories and Subcategories describing the organization’s
desired cybersecurity outcomes. Organizations also may develop their own additional
Categories and Subcategories to account for unique organizational risks. The organization may
also consider influences and requirements of external stakeholders such as sector entities,
customers, and business partners when creating a Target Profile. The Target Profile should
appropriately reflect criteria within the target Implementation Tier.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current
Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to
address gaps – reflecting mission drivers, costs and benefits, and risks – to achieve the
outcomes in the Target Profile. The organization then determines resources, including funding
and workforce, necessary to address the gaps. Using Profiles in this manner encourages the
organization to make informed decisions about cybersecurity activities, supports risk
management, and enables the organization to perform cost-effective, targeted improvements.
Step 7: Implement Action Plan. The organization determines which actions to take to
address the gaps, if any, identified in the previous step and then adjusts its current
cybersecurity practices in order to achieve the Target Profile. For further guidance, the
Framework identifies example Informative References regarding the Categories and
Subcategories, but organizations should determine which standards, guidelines, and practices,
including those that are sector specific, work best for their needs.

An organization repeats the steps as needed to continuously assess and improve its
cybersecurity. For instance, organizations may find that more frequent repetition of the orient
step improves the quality of risk assessments. Furthermore, organizations may monitor
progress through iterative updates to the Current Profile, subsequently comparing the Current
Profile to the Target Profile. Organizations may also use this process to align their
cybersecurity program with their desired Framework Implementation Tier.
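As an added illustration of Steps 3 to 7 (this is example code written for these notes, not code from the notes or from NIST), the script below compares a constructed Current Profile against a Target Profile, orders the resulting gaps by risk reduction per unit cost using Step 4 risk scores, funds them in priority order within a budget, and also flags outcomes where the organization is achieving more than the Target Profile asks for. Subcategory IDs follow the CSF v1.1 naming scheme, but the achievement levels, risk scores, cost estimates and the ORG.SC-1 identifier are constructed sample values.

```python
"""Current-vs-Target Profile gap analysis (Framework Steps 3 to 7).
Constructed example: IDs follow the CSF v1.1 naming scheme (ORG.SC-1 stands
in for an organization-defined Subcategory); all levels, risk scores and
costs are invented sample data."""
from dataclasses import dataclass
from enum import IntEnum


class Achievement(IntEnum):
    """How far a Subcategory outcome is achieved (recorded in Step 3)."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Gap:
    subcategory: str      # e.g. "PR.AC-1"; prefix before the dot is the Function
    current: Achievement
    target: Achievement
    risk: int             # likelihood x impact from the Step 4 assessment (1..25)
    cost: int             # estimated funding/effort units to close the gap

    @property
    def priority(self) -> float:
        """Risk reduction per unit cost; a bigger jump in level weighs more."""
        return (self.target - self.current) * self.risk / self.cost


def find_gaps(current, target, risk, cost):
    """Step 6: compare the Profiles and return gaps in priority order.
    A Subcategory only in the Target Profile (e.g. one the organization
    defined itself) counts as NOT_ACHIEVED today; a gap with no risk
    score or cost estimate is an analysis error, not one to drop."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, Achievement.NOT_ACHIEVED)
        if have >= want:
            continue
        if sub not in risk or cost.get(sub, 0) <= 0:
            raise ValueError(f"{sub}: missing risk score or positive cost (Step 4)")
        gaps.append(Gap(sub, have, want, risk[sub], cost[sub]))
    # Deterministic order: highest priority, then highest raw risk, then ID.
    return sorted(gaps, key=lambda g: (-g.priority, -g.risk, g.subcategory))


def find_overinvestment(current, target):
    """Outcomes achieved beyond what the Target Profile asks for (or scopes in)."""
    return sorted(sub for sub, have in current.items()
                  if have > target.get(sub, Achievement.NOT_ACHIEVED))


def plan_actions(gaps, budget):
    """Steps 6 and 7: fund gaps in priority order until the budget is spent.
    A gap that does not fit is deferred; cheaper, lower-priority gaps after
    it can still be funded from what remains."""
    funded, deferred, remaining = [], [], budget
    for gap in gaps:
        if gap.cost <= remaining:
            funded.append(gap)
            remaining -= gap.cost
        else:
            deferred.append(gap)
    return funded, deferred


# Constructed sample data (not a real organization's Profiles).
CURRENT_PROFILE = {
    "ID.AM-1": Achievement.ACHIEVED,      # asset inventory
    "PR.AC-1": Achievement.PARTIAL,       # identities and credentials managed
    "PR.AC-4": Achievement.NOT_ACHIEVED,  # least-privilege access permissions
    "DE.CM-1": Achievement.PARTIAL,       # network monitoring
    "RS.RP-1": Achievement.NOT_ACHIEVED,  # response plan executed
    "RC.RP-1": Achievement.ACHIEVED,      # recovery plan executed
}
TARGET_PROFILE = {
    "ID.AM-1": Achievement.ACHIEVED,
    "PR.AC-1": Achievement.ACHIEVED,
    "PR.AC-4": Achievement.ACHIEVED,
    "DE.CM-1": Achievement.ACHIEVED,
    "RS.RP-1": Achievement.ACHIEVED,
    "RC.RP-1": Achievement.PARTIAL,       # below current: overinvestment
    "ORG.SC-1": Achievement.ACHIEVED,     # organization-defined supply chain outcome
}
RISK_SCORES = {"PR.AC-1": 20, "PR.AC-4": 16, "DE.CM-1": 9, "RS.RP-1": 15, "ORG.SC-1": 10}
COST_ESTIMATES = {"PR.AC-1": 4, "PR.AC-4": 8, "DE.CM-1": 3, "RS.RP-1": 5, "ORG.SC-1": 2}


def build_action_plan(budget=14):
    """Run the whole Step 6 flow on the sample data and return a summary."""
    gaps = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES, COST_ESTIMATES)
    funded, deferred = plan_actions(gaps, budget)
    return {
        "ordered_gaps": [g.subcategory for g in gaps],
        "funded": [g.subcategory for g in funded],
        "deferred": [g.subcategory for g in deferred],
        "overinvested": find_overinvestment(CURRENT_PROFILE, TARGET_PROFILE),
    }
```

Calling build_action_plan() on the sample data funds the four cheapest high-priority gaps, defers the expensive PR.AC-4 gap even though it outranks DE.CM-1, and reports RC.RP-1 as an outcome the Target Profile does not require at its current level.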
 IT Governance:
Methodology to Protect Privacy and Civil Liberties
This section describes a methodology to address individual privacy and civil liberties
implications that may result from cybersecurity. This methodology is intended to be a general
set of considerations and processes since privacy and civil liberties implications may differ by
sector or over time and organizations may address these considerations and processes with a
range of technical implementations. Nonetheless, not all activities in a cybersecurity program
engender privacy and civil liberties considerations. Technical privacy standards, guidelines,
and additional best practices may need to be developed to support improved technical
implementations.
Privacy and cybersecurity have a strong connection. An organization’s cybersecurity
activities also can create risks to privacy and civil liberties when personal information is
used, collected, processed, maintained, or disclosed. Some examples include: cybersecurity
activities that result in the over-collection or over-retention of personal information;
disclosure or use of personal information unrelated to cybersecurity activities; and
cybersecurity mitigation activities that result in denial of service or other similar potentially
adverse impacts, including some types of incident detection or monitoring that may inhibit
freedom of expression or association.
The government and its agents have a responsibility to protect civil liberties arising
from cybersecurity activities. As referenced in the methodology below, government or its
agents that own or operate critical infrastructure should have a process in place to support
compliance of cybersecurity activities with applicable privacy laws, regulations, and
Constitutional requirements.
To address privacy implications, organizations may consider how their cybersecurity
program might incorporate privacy principles such as: data minimization in the collection,
disclosure, and retention of personal information material related to the cybersecurity incident;
use limitations outside of cybersecurity activities on any information collected specifically for
cybersecurity activities; transparency for certain cybersecurity activities; individual consent
and redress for adverse impacts arising from use of personal information in cybersecurity
activities; data quality,integrity, and security; and accountability and auditing.
Governance of cybersecurity risk
 An organization’s assessment of cybersecurity risk and potential risk responses
considers the privacy implications of its cybersecurity program.

 Individuals with cybersecurity-related privacy responsibilities report to
appropriate management and are appropriately trained.
 Process is in place to support compliance of cybersecurity activities with
applicable privacy laws, regulations, and Constitutional requirements.
 Process is in place to assess implementation of the above organizational measures
and controls.
Approaches to identifying, authenticating, and authorizing individuals
to access organizational assets and systems
 Steps are taken to identify and address the privacy implications of identity
management and access control measures to the extent that they involve collection,
disclosure, or use of personal information.
Awareness and training measures
 Applicable information from organizational privacy policies is included in
cybersecurity workforce training and awareness activities.
 Service providers that provide cybersecurity-related services for the organization
are informed about the organization’s applicable privacy policies.
Anomalous activity detection and system and assets monitoring
 Process is in place to conduct a privacy review of an organization’s anomalous
activity detection and cybersecurity monitoring.
Response activities, including information sharing or other mitigation efforts
 Process is in place to assess and address whether, when, how, and the extent to
which personal information is shared outside the organization as part of
cybersecurity information sharing activities.
 Process is in place to conduct a privacy review of an organization’s cybersecurity
mitigation efforts.
 Cybersecurity Compliance and Audit
No longer is a cyber attack a rare phenomenon in the world we live in. Nowadays, there
is a very good chance that one will affect your company. In recent years, protecting the security
of your digital perimeter has become a necessity since the consequences of failing to do so are
grave. Because navigating the ever-changing sea of regulations, threats, existing defense
strategies and third-party risks is a challenge, obtaining a cyber security audit is one of the best
ways to reduce your risk level by protecting your business and its equipment.
The Benefits Of A Cyber Security Compliance Audit
It is often useful to solicit an objective perspective on your operations, and IT security audits are
one of the best assessment tools available today. Investing in a cyber security audit can help you
in four primary ways:
 Auditors have knowledge of current regulations and standards. Armed with this expertise, they can
analyze your information systems, controls and practices, flag potential gaps or weaknesses and
recommend solutions.
 Auditors are neutral outside entities that can evaluate vulnerabilities in your technology and assess its
attractiveness to bad actors.
 Since auditors are objective, they often provide insights about your entire organizational structure that key
management personnel lack because of their close proximity to the situation.
 Auditors provide credibility. This is particularly critical when it comes to your privacy policy. A third-
party assessor will provide assurance that the mechanisms you have put in place are as effective as you
claim them to be.
Conducting the auditing process provides your company with a report that will assess your
preparedness in guarding against cyber security breaches of all kinds. With this information in
hand, your team can make internal modifications, including changes to training protocols, data
storage, program security and threats monitoring.
The Scope Of A Cybersecurity Audit
One of the jobs of your company’s stakeholder team is to design your own cyber security audit
template. This framework helps you to conduct an analysis, evaluate the effectiveness of your
current solutions and plan your improved compliance strategy. A cyber security audit framework
addresses how well your company identifies, detects, protects, responds and recovers from
breaches and other incidents. Specifically, you are expected to document compliance in the
following areas:
 Risk management, including hardware, software, assets and system interconnections. Risk level must be
communicated to all stakeholders throughout the organization.
 Contractor systems, including the availability, integrity and confidentiality of all services and systems that
are outsourced to third parties.
 Configuration management, including settings and baselines for all information systems as well as routine
audit procedures.
 Identity, credential and access management with a related audit for these procedures.
 Implementing training in security and privacy.
 Implementing processes, protocols, assessments and procedures for continuous monitoring of information
security.
 Incident response plan.
 Contingency plan.
All federal agencies must submit reports semiannually as well as FISMA audits by March 1 of
each year. If your company does business with any such agency or receives government grant
funding, you too must be FISMA-compliant. The more your controls, procedures and systems
gel with the current FISMA gold standard, the lower your risk. Combine that with higher client
satisfaction, and your investment of time, people, resources and education/training will be more
than worthwhile.
While top-of-the-line cyber security audit programs are an absolute necessity for modern
businesses, it is equally important to address ongoing compliance after the audit has been
completed. That means documenting your comprehensive security efforts as well as your
processes for identifying vulnerabilities and closing gaps. To that end, a staff member should be
given the role of remediation specialist.
This job includes having the skill set to focus on and address security incidents when they arise.
Once identified, others can test all components, learn about and understand system and cost
constraints, devise and practice corrective steps and eventually incorporate them into the
company’s information protection infrastructure.
These days, the news headlines are filled with sobering tales about the disruptive and financially
destructive consequences of security and data breaches. This is an issue that shows no signs of
going away anytime soon. Understanding the compliance requirements that legally pertain to
your company is the first step. Once armed with this information, you can find a respected third-
party auditor who can guide you through the compliance requirements and assess your
company’s strengths and weaknesses pertaining to them. The time has come to get the
information and support you need in the cybersecurity compliance arena.
 pen testing (penetration testing)
What is a pen test?
A penetration test, also called a pen test or ethical hacking, is a cybersecurity technique
organizations use to identify, test and highlight vulnerabilities in their security posture. These
penetration tests are often carried out by ethical hackers. These in-house employees or third
parties mimic the strategies and actions of an attacker in order to evaluate the hackability of an
organization's computer systems, network or web applications. Organizations can also use pen
testing to test their adherence to compliance regulations.
Ethical hackers are information technology (IT) experts who use hacking methods to help
companies identify possible entry points into their infrastructure. By using different
methodologies, tools and approaches, companies can perform simulated cyber attacks to test the
strengths and weaknesses of their existing security systems. Penetration, in this case, refers to
the degree to which a hypothetical threat actor, or hacker, can penetrate an organization's
cybersecurity measures and protocols.
There are three main pen testing strategies, each offering pen testers a certain level of
information they need to carry out their attack. For example, white box testing provides the tester
all of the details about an organization's system or target network; black box testing provides the
tester no knowledge of the system; and gray box penetration testing provides the tester partial
knowledge of the system.
Pen testing is considered a proactive cybersecurity measure because it involves
consistent, self-initiated improvements based on the reports generated by the test. This differs
from nonproactive approaches, which lack the foresight to improve upon weaknesses as they
arise. A nonproactive approach to cybersecurity, for example, would involve a company
updating its firewall after a data breach occurs. The goal of proactive measures, like pen testing,
is to minimize the number of retroactive upgrades and maximize an organization's security.
What is the difference between pen testing and vulnerability assessment?
Pen tests are not the same as vulnerability assessments, which provide a prioritized list of
security weaknesses and how to amend them, but they are often performed together. Pen testing
is often conducted with a particular goal in mind. These goals typically fall under one of the
following three objectives:
1. identify hackable systems
2. attempt to hack a specific system
3. carry out a data breach
Each objective focuses on specific outcomes that IT leaders are trying to avoid. For example, if
the goal of a pen test is to see how easily a hacker could breach the company database, the
ethical hackers would be instructed to try and carry out a data breach. The results of a pen test
will not only communicate the strength of an organization's current cybersecurity protocols, but
they will also present the available hacking methods that can be used to penetrate the
organization's systems.
Why is pen testing important?
The rate of distributed denial-of-service, phishing and ransomware attacks is dramatically
increasing, putting all internet-based companies at risk. Considering how reliant businesses are
on technology, the consequences of a successful cyber attack have never been greater. A
ransomware attack, for instance, could block a company from accessing the data, devices,
networks and servers it relies on to conduct business. Such an attack could result in millions of
dollars of lost revenue. Pen testing uses the hacker perspective to identify and mitigate
cybersecurity risks before they are exploited. This helps IT leaders implement informed security
upgrades that minimize the possibility of successful attacks.
Technological innovation is one of the greatest, if not the greatest, challenges facing cybersecurity. As tech
continues to evolve, so do the methods cybercriminals use. In order for companies to
successfully protect themselves and their assets from these attacks, they need to be able to update
their security measures at the same rate. The caveat, however, is that it is often difficult to know
which methods are being used and how they might be used in an attack. But, by using skilled
ethical hackers, organizations can quickly and effectively identify, update and replace the parts
of their system that are particularly susceptible to modern hacking techniques.
How to do penetration testing
Pen testing is unique from other cybersecurity evaluation methods, as it can be adapted to
any industry or organization. Depending on an organization's infrastructure and operations, it
may want to use a certain set of hacking techniques or tools. These techniques and their
methodologies can also vary based on the IT personnel and their company standards. Using the
following adaptable six-step process, pen testing creates a set of results that can help
organizations proactively update their security protocols:
1. Preparation. Depending on the needs of the organization, this step can either be a simple or
elaborate procedure. If the organization has not decided which vulnerabilities it wants to
evaluate, a significant amount of time and resources should be devoted to combing the
system for possible entry points. In-depth processes like this are usually only necessary for
businesses that have not already conducted a complete audit of their systems. Once
a vulnerability assessment has been conducted, however, this step becomes much easier.
2. Construct an attack plan. Prior to hiring ethical attackers, an IT department designs a cyber
attack, or list of cyber attacks, that its team should use to perform the pen test. During this
step, it is also important to define what level of system access the pen tester has.
3. Select a team. The success of a pen test depends on the quality of the testers. This step is
often used to appoint the ethical hackers that are best suited to perform the test. Decisions
like these can be made based on employee specialties. If a company wants to test its cloud
security, a cloud expert may be the best person to properly evaluate its cybersecurity.
Companies also often hire expert consultants and certified cybersecurity experts to carry out
pen testing.
4. Determine the stolen data type. What is the team of ethical hackers stealing? The data type
chosen in this step can have a profound impact on the tools, strategies and techniques used to
acquire it.
5. Perform the test. This is one of the most complicated and nuanced parts of the testing
process, as there are many automated software programs and techniques testers can use,
including Kali Linux, Nmap, Metasploit and Wireshark.
6. Integrate the report results. Reporting is the most important step of the process. The results
must be detailed so the organization can incorporate the findings.
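Steps 2, 5 and 6 of the process above come together in the following added example, which is not part of these notes: a small Python script that reads Nmap's XML output (the `-oX` format), drops any host outside the authorised scope agreed in the attack plan, and turns the open ports into a severity-ranked findings table for the report. The sample scan, the in-scope range and the severity policy are constructed for illustration only.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape `nmap -oX` writes; not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><address addr="10.10.1.5" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
 <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
 <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><address addr="192.168.50.2" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host></nmaprun>"""

# Authorised ranges from the attack plan (step 2) and a hypothetical severity
# policy for services worth flagging; both are constructed values.
IN_SCOPE = [ipaddress.ip_network("10.10.1.0/24")]
RISKY_SERVICES = {"telnet": "High", "ftp": "High", "ms-wbt-server": "Medium"}

def in_scope(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in IN_SCOPE)

def parse_findings(xml_text: str):
    """Return (findings sorted by severity, hosts skipped as out of scope)."""
    findings, skipped = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        if not in_scope(addr):          # never report on unauthorised hosts
            skipped.append(addr)
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":   # closed/filtered: no finding
                continue
            svc = port.find("service").get("name")
            findings.append({"host": addr, "port": int(port.get("portid")),
                             "service": svc, "severity": RISKY_SERVICES.get(svc, "Info")})
    findings.sort(key=lambda f: (("High", "Medium", "Info").index(f["severity"]), f["host"], f["port"]))
    return findings, skipped

def render_report(findings, skipped) -> str:
    """Plain-text findings table for the report (step 6)."""
    rows = ["Severity  Host           Port   Service"]
    rows += [f"{f['severity']:<9} {f['host']:<14} {f['port']:<6} {f['service']}" for f in findings]
    if skipped:
        rows.append("Out-of-scope hosts not examined: " + ", ".join(skipped))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render_report(*parse_findings(SAMPLE_NMAP_XML)))
```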
 Mile2 C)PTE
Certified Penetration Testing Engineer (C)PTE) is an internationally recognized cyber
security certification administered by the United States-based information
security company Mile2. The accreditation maps to the Committee on National Security
Systems' 4013 education certification. The C)PTE certification is considered one of five core
cyber security certifications.
Accreditations
Obtaining the C)PTE certification requires proven proficiency and knowledge of five
key information security elements: penetration testing, data collection, scanning, enumeration,
exploitation and reporting.
The CPTE certification is one of several information assurance accreditations recognized by the
U.S. National Security Agency. The certification has also been approved by the U.S. Department
of Homeland Security's National Initiative for Cyber Security Studies and Careers (NICSS) and
the U.S.-based National Security Systems Committee.
Examination
The online exam for C)PTE accreditation lasts two hours and consists of 100 multiple
choice questions.
 OWASP framework
The Open Web Application Security Project (OWASP) is an open community dedicated
to enabling organizations to develop, purchase, and maintain applications that can be
trusted. All of the OWASP tools, documents, forums, and chapters are free and open to
anyone interested in improving application security. We advocate approaching
application security as a people, process, and technology problem because the most
effective approaches to application security include improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures
allows us to provide unbiased, practical, cost-effective information about application
security. OWASP is not affiliated with any technology company, although we support the
informed use of commercial security technology. Similar to many open-source software
projects, OWASP produces many types of materials in a collaborative, open way.

About OWASP
OWASP is a volunteer organization that is dedicated to developing
knowledge-based documentation and reference implementations and software that can be
used by system architects, developers and security professionals. Our work promotes and
helps consumers build more secure web applications.

The Open Web Application Security Project ® (OWASP) is a nonprofit foundation that
works to improve the security of software. Through community-led open-source software
projects, hundreds of local chapters worldwide, tens of thousands of members, and
leading educational and training conferences, the OWASP Foundation is the source for
developers and technologists to secure the web.

 Tools and Resources
 Community and Networking
 Education & Training

For nearly two decades corporations, foundations, developers, and volunteers have supported the
OWASP Foundation and its work. Donate, Join, or become a Corporate Member today.

About the OWASP Testing Project (Parts One and Two)
The OWASP is currently working on a
comprehensive Testing Framework. By the time you read this document Part One will be close
to release and Part Two will be underway. Part One of the Testing Framework describes the
Why, What, Where and When of testing the security of web applications, and Part Two goes into
technical details about how to look for specific issues using source code inspection and
penetration testing (for example, exactly how to find SQL Injection flaws in code and through
penetration testing). This checklist is likely to become an Appendix to Part Two of the OWASP
Testing Framework along with similar checklists for source code review.
