CSL

Cyber Security Laws popular questions asked in exams

Uploaded by nelvai.lokeshwar

CSL IA2 Question Bank

1. List the amendments made to the IT Act, 2000.

Ans: The Information Technology Act, 2000 was passed to provide legal recognition to electronic transactions and promote e-governance. The major amendments made in 2008 include:
1. Section 66A: Introduced to punish the sending of offensive messages via communication services. This section was later struck down by the Supreme Court of India.
2. Section 66F: Defines and penalizes cyber terrorism, introducing life imprisonment for attacks on national security or critical information infrastructure.
3. Data Protection (Section 43A): Requires companies to protect sensitive personal data. If they fail to do so, compensation is awarded to the affected party.
4. Hacking (Section 66): Expanded to penalize unauthorized access, theft of information, and damage to computer systems.
5. Section 69: Gives the government the power to intercept, monitor, and decrypt any information for national security reasons.
6. Electronic Signature: The amendments validated electronic signatures and contracts, replacing the term "digital signature" with "electronic signature" to widen the scope of recognized transactions.
7. Child Pornography (Section 67B): Criminalized publishing or transmitting material depicting children in sexually explicit acts.

2. Explain HIPAA and GLBA.

Ans: HIPAA (Health Insurance Portability and Accountability Act): The Health Insurance
Portability and Accountability Act (HIPAA), enacted in 1996, primarily aims to improve the
efficiency and effectiveness of the healthcare system while safeguarding patients' sensitive health
information. HIPAA establishes national standards for protecting health information and ensures
that patients' rights to privacy and security are maintained throughout the healthcare process.
Key Components of HIPAA:
• Privacy Rule: Establishes standards for the protection of individuals’ medical records and personal health information (PHI).
• Security Rule: Sets standards for the protection of electronic PHI (ePHI).
• Transactions and Code Sets Rule: Standardizes electronic healthcare transactions, such as billing and claims processing, to enhance efficiency and reduce administrative burdens.
• Unique Identifiers Rule: Establishes unique identifiers for healthcare providers, health plans, and employers to streamline administrative processes.
• Enforcement Rule: Outlines the procedures for compliance investigations and penalties for violations, including civil and criminal penalties.

GLBA (Gramm-Leach-Bliley Act): The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, primarily focuses on the financial services industry, aiming to protect consumers' personal financial information. GLBA encourages the establishment of clear privacy practices among financial institutions and seeks to enhance consumer trust in financial transactions.
Key Components of GLBA:
• Financial Privacy Rule: Requires financial institutions to provide customers with a privacy notice that explains what personal information is collected, how it is used, and how it is protected.
• Safeguards Rule: Mandates that financial institutions implement measures to protect customer information from unauthorized access and data breaches.
• Pretexting Protection: Prohibits pretexting, the practice of obtaining personal information under false pretences, and imposes penalties for such deceptive practices.

3. Discuss the need for Indian cyber law.

Ans: The need for Indian cyber law, in brief points:
1. Increase in Cybercrime: The incidence of cybercrime, including hacking and online fraud, is
escalating in India, leading to significant financial losses and emotional distress for victims.
2. Protection of Personal Data: With extensive online data collection, robust cyber laws are
necessary to safeguard sensitive personal information from unauthorized access and misuse,
aligning India with international data protection standards.
3. Regulation of E-commerce and Digital Transactions: The growing e-commerce sector
necessitates clear legal frameworks to protect consumer rights and ensure secure online
transactions, fostering trust in digital financial systems.
4. Facilitation of Digital Economy: A strong legal framework promotes innovation and allows
businesses to thrive in the digital economy, while also encouraging investment in cybersecurity
measures to protect users.
5. International Cooperation and Collaboration: Cybercrime often crosses borders, so legal frameworks that facilitate international cooperation are essential to combat these threats effectively and comply with global norms.
6. Awareness and Education: Cyber laws can enhance public awareness about online safety,
empowering individuals to protect themselves, while also providing clear legal recourse for
cyber-related grievances.
7. Safeguarding National Security: Comprehensive cyber laws are crucial for protecting critical
infrastructure and addressing the rising threats of cyberterrorism, contributing to national security
in the digital age.

4. Explain the concept of EDI.

Ans: Electronic Data Interchange (EDI) is a technology and methodology that enables the electronic exchange of business documents and data between organizations in a standardized format. It allows seamless communication and data transfer across different computer systems, eliminating paper-based processes and manual intervention. The concept is explained in detail below:

Benefits of EDI

• Increased Efficiency: EDI automates the exchange of documents, reducing manual data entry and processing time, which enhances overall efficiency in business operations.
• Cost Savings: By minimizing paper usage and manual labor, EDI can lead to significant cost savings in terms of printing, postage, and administrative overhead.
• Improved Accuracy: EDI reduces the likelihood of human errors associated with manual data entry, leading to greater accuracy in transactions and fewer discrepancies.
• Faster Processing Times: The electronic exchange of documents speeds up processes such as order fulfillment, invoicing, and inventory management, enabling quicker response times.
• Enhanced Relationships: EDI fosters better communication and collaboration between trading partners, improving relationships and ensuring smoother supply chain operations.

Applications of EDI

• Supply Chain Management: EDI is widely used in supply chain management for exchanging documents related to inventory levels, order processing, and shipping schedules.
• Retail and E-commerce: Retailers use EDI for processing purchase orders, invoices, and shipping notices, facilitating efficient transactions with suppliers and distributors.
• Healthcare: In the healthcare sector, EDI is used for transmitting patient information, insurance claims, and billing data, ensuring compliance with industry regulations.
• Finance: EDI is also utilized in financial services for electronic funds transfers (EFT) and processing financial statements, enhancing the speed and accuracy of transactions.

5. Write the laws related to electronic banking.

Ans: The laws related to electronic banking are:
1. Information Technology Act, 2000: Establishes a legal framework for electronic
governance, recognizing electronic records and digital signatures as valid and addressing
cybercrimes and data breaches.
2. Banking Regulation Act, 1949: Regulates the banking sector, defining the rights and
responsibilities of banks and customers in electronic transactions, while ensuring data security
and confidentiality.
3. Reserve Bank of India (RBI) Guidelines: Issued by the RBI, these guidelines focus on
customer protection, secure electronic payment systems, and the implementation of
cybersecurity measures by banks.
4. Payment and Settlement Systems Act, 2007: Regulates payment systems in India, ensuring
the safety and efficiency of electronic transactions, and empowers the RBI to oversee these
systems.
5. Consumer Protection Act, 2019: Protects consumer rights related to electronic banking
services, providing mechanisms for grievance redressal and compensation for losses due to
banking negligence.
6. The Negotiable Instruments Act, 1881: Governs negotiable instruments, recognizing
electronic cheques and digital signatures as legally valid in electronic transactions.
7. The Cybersecurity Policy for Financial Sector: Issued by the RBI, this policy mandates
cybersecurity frameworks for banks and promotes the establishment of incident response teams
to address cyber threats.

6. Compare viruses and worms.

Ans:

7. Discuss the need for information security standard compliance.

Ans: The need for information security standard compliance, in brief:
1. Risk Management: Identifies vulnerabilities and mitigates risks through established
controls.
2. Legal and Regulatory Requirements: Ensures adherence to laws, avoiding penalties and
demonstrating compliance to stakeholders.
3. Enhancing Trust and Reputation: Builds customer confidence and protects the
organization’s reputation against breaches.
4. Operational Efficiency: Standardizes processes to improve efficiency and optimizes
resource allocation.
5. Competitive Advantage: Differentiates the organization in the market and opens access
to new business opportunities.
6. Incident Response and Recovery: Prepares organizations to handle security incidents
effectively and ensures quick recovery.
7. Continuous Improvement: Encourages ongoing review and improvement of security
practices.
8. Employee Awareness and Training: Promotes security awareness among employees
and fosters a culture of security within the organization.

8. Describe the buffer overflow problem with its types. How are NOPs used to cause a buffer overflow?

Ans: A buffer overflow occurs when data written to a buffer exceeds its storage capacity, so that adjacent memory locations are overwritten. This can cause unpredictable behavior, including application crashes, data corruption, or security vulnerabilities that let attackers execute arbitrary code.
Types of Buffer Overflow
1. Stack Buffer Overflow: Occurs when a buffer on the stack is overflowed. It can overwrite the return address, allowing attackers to redirect the execution flow to malicious code.
2. Heap Buffer Overflow: Happens in the heap memory segment, where dynamic memory allocation occurs. It can corrupt data structures, leading to unpredictable behavior or control over execution.
3. Off-by-One Overflow: A specific case where the overflow is by just one byte, usually due to an incorrect boundary check. It can still overwrite adjacent memory locations, including critical variables.
4. Integer Overflow: Occurs when an arithmetic operation produces a value outside the representable range, which can cause a buffer allocation to be smaller than expected. A buffer overflow follows when the undersized allocation is written to as if it had the intended size.

NOPs in Buffer Overflow: NOPs (No Operation Instructions) are used in buffer overflow
attacks to facilitate code execution by creating a "NOP sled." Here’s how they work:
1. NOP Sled Concept: A sequence of NOP instructions is placed before the shellcode in the
buffer. When the buffer overflow occurs, the attacker aims for the instruction pointer (IP)
to point to the NOP sled.
2. Execution Flow: If the IP lands anywhere in the NOP sled, it will execute the NOP
instructions until it reaches the actual shellcode. This increases the likelihood that the
shellcode will be executed, as the exact location of the buffer overflow can be difficult to
predict.
3. Padding: NOPs can also be used to pad the buffer, ensuring that the overflow does not
immediately jump to an invalid memory address or crash the program.
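
The following C program is an added illustration (not part of the question bank) of the off-by-one and integer-overflow types listed above, showing each defective bound check next to its hardened form; the function names, the 8-byte buffer and the sample inputs are constructed for the demonstration, and the demo buffer is declared with slack so the flawed copy does not corrupt anything when run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed bound check for a stack buffer: it forgets the terminating NUL, so
   when strlen(src) == dstsz strcpy writes dstsz + 1 bytes, one past the end
   of dst. This is the off-by-one case listed above. */
int copy_off_by_one(char *dst, size_t dstsz, const char *src) {
    if (strlen(src) > dstsz) return -1;   /* should be >= dstsz */
    strcpy(dst, src);
    return 0;
}

/* Hardened copy: reject anything that does not fit together with its NUL,
   then copy exactly the bytes that were checked (no strcpy). */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Integer overflow feeding an allocation: count * elem wraps around silently,
   malloc() gets a tiny size, and the later writes of count elements overflow
   the heap block. size_t arithmetic is unsigned, so the wrap is well defined
   but still wrong. */
int alloc_size_unchecked(size_t count, size_t elem, size_t *out) {
    *out = count * elem;
    return 0;
}

/* Hardened version: detect the wrap before multiplying. */
int alloc_size_checked(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) return -1;
    *out = count * elem;
    return 0;
}

int main(void) {
    char buf[16];                      /* slack so the demo itself stays safe */
    size_t n;
    printf("off-by-one accepts 8 bytes into an 8-byte buffer: %d\n",
           copy_off_by_one(buf, 8, "ABCDEFGH") == 0);
    printf("bounded copy rejects it: %d\n",
           copy_bounded(buf, 8, "ABCDEFGH") == -1);
    alloc_size_unchecked(SIZE_MAX / 2 + 2, 4, &n);
    printf("unchecked size wrapped to %zu bytes\n", n);
    printf("checked size refuses: %d\n",
           alloc_size_checked(SIZE_MAX / 2 + 2, 4, &n) == -1);
    return 0;
}
```

The same wrap check is what allocation helpers such as calloc() perform internally, which is why count-times-size allocations should go through them rather than a hand-written multiply.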

9. What is a DoS attack? Explain the types of DoS attacks.

Ans: A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of traffic. This can make the service slow or completely unavailable to legitimate users. The primary goal of a DoS attack is to render the target inoperable.
Types of DoS Attacks
1. Volume-Based Attacks: These attacks generate high levels of traffic to saturate the
bandwidth of the target. Examples: UDP Flood, ICMP Flood.
2. Protocol Attacks: These attacks exploit weaknesses in network protocols to consume
server resources or disrupt the service. Examples: SYN Flood, Ping of Death.
3. Application Layer Attacks: These attacks target specific applications or services by
exhausting their resources or exploiting vulnerabilities. Examples: HTTP Flood,
Slowloris.
4. Distributed Denial of Service (DDoS) Attacks: Involve multiple compromised systems (a botnet) launching coordinated attacks on the target, making them difficult to mitigate. Examples: Amplification Attacks, Botnet-Based Attacks.
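
As an added example (not from the question bank), the C program below shows the simplest server-side detection for a volume-based or HTTP flood from one source: a per-source request counter over a fixed time window that raises an alert once a threshold is crossed. The window, threshold, IP addresses and the 60-request burst are constructed values for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 64
#define WINDOW_SECS 10   /* length of the counting window in seconds */
#define THRESHOLD   50   /* requests per window above which a source is flagged */

struct source_stat { char ip[16]; long window_start; int count; };
struct flood_tracker { struct source_stat src[MAX_SOURCES]; int n; };

/* Find or create the per-source counter. Returns NULL when the fixed table is
   full; a production tracker would hash and evict, this just bounds memory. */
static struct source_stat *lookup(struct flood_tracker *t, const char *ip) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->src[i].ip, ip) == 0) return &t->src[i];
    if (t->n == MAX_SOURCES) return NULL;
    struct source_stat *s = &t->src[t->n++];
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    s->window_start = 0; s->count = 0;
    return s;
}

/* Count one request from ip at unix time ts. Returns 1 when that source has
   exceeded THRESHOLD requests inside its current WINDOW_SECS window. */
int record_request(struct flood_tracker *t, const char *ip, long ts) {
    struct source_stat *s = lookup(t, ip);
    if (!s) return 0;
    if (ts - s->window_start >= WINDOW_SECS) {  /* window expired: restart */
        s->window_start = ts;
        s->count = 0;
    }
    s->count++;
    return s->count > THRESHOLD;
}

/* Feed n requests from one source, all within two seconds of start, and
   return how many of them were flagged. */
int simulate_burst(struct flood_tracker *t, const char *ip, int n, long start) {
    int alerts = 0;
    for (int i = 0; i < n; i++)
        alerts += record_request(t, ip, start + (i % 2));
    return alerts;
}

int main(void) {
    struct flood_tracker t;
    memset(&t, 0, sizeof t);
    /* constructed sample: a normal client plus one source bursting 60 requests */
    record_request(&t, "10.0.0.9", 1000);
    record_request(&t, "10.0.0.9", 1003);
    printf("requests flagged from 10.0.0.5: %d\n",
           simulate_burst(&t, "10.0.0.5", 60, 1000));
    return 0;
}
```

A per-source threshold catches a single flooding host but not a DDoS in which each bot stays under the limit, which is why the answer notes that distributed attacks are harder to mitigate; those need aggregate rate limits or upstream filtering.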

10. Explain the SQL Injection attack.
Ans: SQL Injection is a web security vulnerability that allows attackers to manipulate SQL
queries executed by an application, potentially compromising database integrity and
confidentiality.
Mechanism: Attackers input malicious SQL code into application inputs (e.g., forms, URLs) to
alter or exploit the database query. If the application does not properly sanitize these inputs, the
SQL commands are executed by the database.
Types of SQL Injection:
• In-band SQL Injection: Directly retrieves data using the same communication channel (e.g., error-based, union-based).
• Inferential SQL Injection: Infers information from the application’s responses without seeing direct results (e.g., boolean-based, time-based).
• Out-of-band SQL Injection: Utilizes a different channel to exfiltrate data (e.g., sending data to an external server).
Consequences:
• Data Breach: Unauthorized access to sensitive data (e.g., user information, credentials).
• Data Loss/Corruption: Altering or deleting critical database records.
• Authentication Bypass: Gaining unauthorized access to accounts or sensitive functions.
• System Compromise: Executing commands on the database server, leading to further system vulnerabilities.
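
The C program below is an added example (not part of the question bank) of the mechanism just described: a query built by pasting input into SQL text, a scanner that counts string literals to show how a quote in the input changes the query's structure, and an allowlist check as defence in depth. The users table, the function names and the two inputs are constructed for the demonstration; the primary fix in practice is a parameterised query, which the comments describe.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: untrusted input is pasted straight into the SQL text.
   A single quote in the input ends the literal and whatever follows is parsed
   as SQL, which is the mechanism the answer above describes. */
int build_query_unsafe(char *out, size_t outsz, const char *name) {
    int n = snprintf(out, outsz, "SELECT id FROM users WHERE name='%s'", name);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Count the string literals in a query by scanning for quotes ('' inside a
   literal is an escaped quote, not a boundary). The template contains exactly
   one literal; any other count means the input changed the query's structure
   rather than just the literal's value. */
int count_literals(const char *sql) {
    int literals = 0, inside = 0;
    for (const char *p = sql; *p; p++) {
        if (*p != '\'') continue;
        if (inside && p[1] == '\'') { p++; continue; }
        inside = !inside;
        if (!inside) literals++;
    }
    return literals;
}

/* Defence in depth: allowlist what a username may contain before it goes near
   SQL. The primary fix is a parameterised query, where the driver sends the
   value separately from the statement text so the database never parses it. */
int valid_username(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_') return 0;
    return 1;
}

int build_query_validated(char *out, size_t outsz, const char *name) {
    if (!valid_username(name)) return -1;   /* reject rather than escape */
    return build_query_unsafe(out, outsz, name);  /* safe only after the check */
}

int main(void) {
    char sql[128];
    const char *inputs[] = { "alice", "' OR '1'='1" };  /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        build_query_unsafe(sql, sizeof sql, inputs[i]);
        int lits = count_literals(sql);
        printf("%-14s literals=%d validated=%s\n", inputs[i], lits,
               build_query_validated(sql, sizeof sql, inputs[i]) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```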

11. What is Intellectual Property? Explain the types of intellectual property in detail.

Ans: Intellectual Property (IP) refers to the legal rights that protect creations of the mind,
allowing creators to control and profit from their inventions, artistic works, brands, and designs.
IP rights are essential for fostering innovation and creativity by ensuring that individuals and
businesses can safeguard their intangible assets.
Types of Intellectual Property
1. Copyright: Copyright protects original works of authorship, including literature, music,
art, and other creative expressions.
2. Trademarks: Trademarks protect symbols, names, phrases, logos, and designs that
distinguish goods or services of one entity from another.
3. Patents: Patents protect inventions or discoveries, granting the inventor exclusive rights
to use, sell, or license the invention for a limited time.
4. Trade Secrets: Trade secrets encompass confidential business information that provides
a competitive edge, such as formulas, practices, processes, or designs.
5. Industrial Design: Industrial design protection covers the ornamental or aesthetic aspects
of a product, such as its shape, pattern, or color.
6. Geographical Indications (GIs): GIs are signs used on products that have a specific
geographical origin and possess qualities, reputation, or characteristics inherent to that
location.

12. Elaborate on e-contracts and their different types.

Ans: E-contracts, or electronic contracts, are agreements created and signed electronically rather than through traditional paper methods. They are essential in the digital age, facilitating transactions over the internet and providing a legally binding alternative to physical contracts. E-contracts are governed by laws like the Electronic Signatures in Global and National Commerce (ESIGN) Act in the U.S. and the Uniform Electronic Transactions Act (UETA), which establish their validity.
Types of E-Contracts
1. Clickwrap Contracts: Agreements where users must click "I agree" or a similar button
to accept the terms and conditions before accessing a service or product.
2. Browsewrap Contracts: Contracts where the terms and conditions are available on the website, and users are deemed to accept them simply by using the site.
3. Hybrid Contracts: A combination of clickwrap and browsewrap agreements, often requiring explicit acceptance of specific terms while also including broader terms available on the site.
4. Electronic Signatures: A method of signing contracts electronically, which can include
typed names, scanned signatures, or digital signatures that use encryption.
5. Smart Contracts: Self-executing contracts with the terms of the agreement directly
written into code on a blockchain. They automatically execute actions when predefined
conditions are met.
6. Email Contracts: Agreements that are formed through the exchange of emails, where the
terms are outlined, and both parties agree to the contract via email correspondence.
