Cyber Notes

Uploaded by animeshsingh2207

CYBER - SECURITY

Information System

An information system can be defined as a system of interrelated components that collect, manipulate
and store data, distribute information to support decision making, and provide a feedback mechanism to
monitor performance. It may also help managers and workers to visualize complex subjects and to
create new products. Software, hardware, information system users, computer system connections and
information, and the system's housing are all part of an information system.

Components of Information System

The components that must be combined together in order to produce an information system are:

People: People are the most essential part of the information system because without them the system
cannot be operated correctly.

Hardware: It is the physical part of an information system, the part we can touch. Information system
hardware includes computers, processors, monitors, printers, keyboards, disk drives, iPads, flash
drives, etc.

Software: It is a set of instructions that tells the hardware what to do. It can be used to organize, process
and analyse data in the information system.

Data: Data is a collection of facts. Information systems work with data. These data can be aggregated,
indexed, and organized into tables and files to form a database. These databases can become
a powerful tool for every business's information system.

Network: It includes the internet, intranets and extranets that support the operations of all types of
organizations and computer-based information systems.

Procedures: They specify the policies that govern the operation of an information system. They describe
how specific data are processed and analysed to get the answers for which the information
system is designed.

Feedback: It is the component of an information system which specifies that the system may be provided
with feedback on its own output.

Types of Information system

The information systems can be categorized into four types. These are:

1. Executive Information Systems

It is a strategic-level information system which is found at the top of the Pyramid.

Its primary goal is to provide information gathered from both internal and external sources to
senior executives and management to analyse the environment in which the organization operates,
and to plan appropriate courses of action for identifying long-term trends.

Role of Executive Information System : -

* It is used at the higher levels of authority.

* It uses both internal and external data sources.

* It supports unstructured data.

* It is highly flexible.

* It is highly effective.

* It is concerned with ease of use.

2. Decision Support Systems

A DSS or Decision Support System is a computer application program used by senior managers to
analyse business data and present it in a form in which users can make business decisions
more easily. These systems are usually interactive and can be used to solve ill-structured problems in an
organization.

Role of Decision Support System : -

* It supports both ill-structured and semi-structured decisions.

* It has analytical and modeling capacity.

* It supports senior managerial levels.

* It is concerned with predicting the future.

3. Management Information Systems

MIS or Management Information System is the use of information technology, people, and business
processes to record, store, manipulate, and process data to produce meaningful information. This
information helps decision makers to make day-to-day decisions correctly and accurately. It is used to
make tactical (middle-term) decisions to ensure the smooth running of an organization. It also
helps to evaluate the organization's performance by comparing previous outputs with current output.

Role of Management Information System : -

* It is based on internal information flow.

* It is inflexible and has little analytical capacity.

* It supports the flow of internal decisions.

* It deals with the past and the present rather than the future.

* It is used by low or middle level managers.

4. Transaction Processing System


TPS or Transaction Processing System is a type of information processing system for business transactions
that involves the collection, storage, modification and retrieval of all the transaction data of an enterprise.
The characteristics of a Transaction Processing System include reliability, performance, and
consistency. A TPS is also known as real-time processing.

Role of Transaction Processing System : -

* It produces information for other systems.

* It provides information for operational personnel plus supervisory levels.

* It is efficiency oriented.

------------------------------------------------------------------------------------------------------------------------

Development of Information System

Information System Development is a set of activities, methods, best practices, deliverables and
automated tools that an organization uses to develop and continuously improve its information systems
and related software.

1. Define and understand the problems :

The purpose of the first step is to find the scope of the problem and determine possible solutions. This phase also
identifies and considers the resources, time, cost, and other items required by the information
system.

2. Develop an alternative solution

The purpose of this step is to find a path to the solution determined by system analysis. In this
phase some solutions require modification of the existing system, some solutions do not require an
information system, and some solutions require a new system.

3. Evaluate and choose the best solution

The purpose of the third step is to evaluate the financial, technical, and organizational feasibility of each
solution. It measures the time and cost to design an information system. It evaluates the business
value of a system and finds the best solution for developing an information system.

4. Implement the solution

The purpose of the last step is to create the detailed design specification for an information system. This
phase provides complete implementation of:

* Hardware selection and acquisition

* Software development and programming

* Testing such as Unit, System, Acceptance testing

* Training and documentation (Online practice, step-by-step instruction)


* Conversion, i.e., Changing from Old to New System

* Production & maintenance (Review, Objectives, Modification)

------------------------------------------------------------------------------------------------------------------------

Cyber-Security (Information System Security)

Cybersecurity is the protection of Internet-connected systems, including hardware, software, and data
from cyber attackers. It's primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, and recovery policies and activities, including computer network operations, information
assurance, law enforcement, etc.

It is the body of technologies, processes, and practices designed to protect networks, devices, programs,
and data from attack, theft, damage, modification, or unauthorized access. Therefore, it may also be
referred to as information security.

The need for Information security:

Information security is essential for protecting sensitive and valuable data from unauthorized access,
use, disclosure, disruption, modification, or destruction. Here are some of the key reasons why
information security is important:

Protecting Confidential Information: Confidential information, such as personal data, financial records,
trade secrets, and intellectual property, must be kept secure to prevent it from falling into the wrong
hands. This type of information is valuable and can be used for identity theft, fraud, or other malicious
purposes.

Complying with Regulations: Many industries, such as healthcare, finance, and government, are subject
to strict regulations and laws that require them to protect sensitive data. Failure to comply with these
regulations can result in legal and financial penalties, as well as damage to the organization’s reputation.

Maintaining Business Continuity: Information security helps ensure that critical business operations
can continue in the event of a disaster, such as a cyber-attack or natural disaster. Without proper security
measures in place, an organization’s data and systems could be compromised, leading to significant
downtime and lost revenue.

Protecting Customer Trust: Customers expect organizations to keep their data safe and secure. Breaches
or data leaks can erode customer trust, leading to a loss of business and damage to the organization’s
reputation.

Preventing Cyber-attacks: Cyber-attacks, such as viruses, malware, phishing, and ransomware, are
becoming increasingly sophisticated and frequent. Information security helps prevent these attacks and
minimizes their impact if they do occur.

Protecting Employee Information: Organizations also have a responsibility to protect employee data,
such as payroll records, health information, and personal details. This information is often targeted by
cybercriminals, and its theft can lead to identity theft and financial fraud.
------------------------------------------------------------------------------------------------------------------------

CIA Triad :

The three letters in "CIA triad" stand for Confidentiality, Integrity, and Availability. The CIA triad is a
common model that forms the basis for the development of security systems. It is used for finding
vulnerabilities and methods for creating solutions.

The confidentiality, integrity, and availability of information is crucial to the operation of a business,
and the CIA triad segments these three ideas into separate focal points. This differentiation is helpful
because it helps guide security teams as they pinpoint the different ways in which they can address each
concern.

1. CONFIDENTIALITY :

Confidentiality involves the efforts of an organization to make sure data is kept secret or private. To
accomplish this, access to information must be controlled to prevent the unauthorized sharing of data
—whether intentional or accidental. A key component of maintaining confidentiality is making sure that
people without proper authorization are prevented from accessing assets important to your business.
Conversely, an effective system also ensures that those who need to have access have the necessary
privileges.

For example : -

Those who work with an organization’s finances should be able to access the spreadsheets, bank
accounts, and other information related to the flow of money. However, the vast majority of other
employees—and perhaps even certain executives—may not be granted access. To ensure these policies
are followed, stringent restrictions have to be in place to limit who can see what.

NOTE : To fight against confidentiality breaches, you can classify and label restricted data, enable access
control policies, encrypt data, and use multi-factor authentication (MFA) systems.

2. INTEGRITY :

Integrity involves making sure your data is trustworthy and free from tampering. The integrity of your
data is maintained only if the data is authentic, accurate, and reliable.

For example :-

If your company provides information about senior managers on your website, this information needs to
have integrity. If it is inaccurate, those visiting the website for information may feel your organization is
not trustworthy. Someone with a vested interest in damaging the reputation of your organization may
try to hack your website and alter the descriptions, photographs, or titles of the executives to hurt their
reputation or that of the company as a whole.
NOTE : To protect the integrity of your data, you can use hashing, encryption, digital certificates, or
digital signatures. For websites, you can employ trustworthy certificate authorities (CAs) that verify the
authenticity of your website so visitors know they are getting the site they intended to visit.
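As an added illustration of the integrity note (this code is not from the notes), the example below records a SHA-256 digest and a keyed HMAC tag for a constructed executive-bio text and checks the text the site currently serves against both; the content, the key and the function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the text of an "about our executives" page as published.
PUBLISHED_BIO = ("Jane Doe, Chief Executive Officer. Joined in 2012; "
                 "previously CFO of a mid-size retailer.")

# Constructed secret key held by the integrity-checking job, not by the web server.
MONITOR_KEY = b"constructed-demo-key-do-not-reuse"


def fingerprint(content: str) -> str:
    """Plain SHA-256 digest of the content, hex-encoded."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def verify_fingerprint(content: str, expected_hex: str) -> bool:
    """True when the content still matches the digest recorded at publication time."""
    return hmac.compare_digest(fingerprint(content), expected_hex)


def keyed_tag(key: bytes, content: str) -> str:
    """HMAC-SHA256 over the content; only a holder of the key can produce a valid tag."""
    return hmac.new(key, content.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_keyed_tag(key: bytes, content: str, tag_hex: str) -> bool:
    """True when the tag was produced over exactly this content with this key."""
    return hmac.compare_digest(keyed_tag(key, content), tag_hex)


def integrity_report(current_content: str, recorded_digest: str, recorded_tag: str) -> dict:
    """Compare what the site currently serves with what was recorded at publication."""
    return {
        "digest_matches": verify_fingerprint(current_content, recorded_digest),
        "tag_matches": verify_keyed_tag(MONITOR_KEY, current_content, recorded_tag),
    }


if __name__ == "__main__":
    digest = fingerprint(PUBLISHED_BIO)
    tag = keyed_tag(MONITOR_KEY, PUBLISHED_BIO)
    # Constructed tampering: a changed date in the executive's description.
    tampered = PUBLISHED_BIO.replace("Joined in 2012", "Joined in 2022")
    print(integrity_report(PUBLISHED_BIO, digest, tag))   # both checks pass
    print(integrity_report(tampered, digest, tag))        # both checks fail
    # If the tamperer also overwrites the stored digest, only the keyed tag still fails.
    print(integrity_report(tampered, fingerprint(tampered), tag))
```

The last case is the reason a plain hash is not enough on its own: whoever can alter the page can usually recompute a digest stored next to it, while the tag cannot be forged without the separately held key.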

3. AVAILABILITY :

Even if data is kept confidential and its integrity maintained, it is often useless unless it is available to
those in the organization and the customers they serve. This means that systems, networks, and
applications must be functioning as they should and when they should. Also, individuals with access to
specific information must be able to consume it when they need to, and getting to the data should not
take an inordinate amount of time.

For example : -

If there is a power outage and there is no disaster recovery system in place to help users regain access to
critical systems, availability will be compromised. Availability can also be compromised through
deliberate acts of sabotage, such as the use of denial-of-service (DoS) attacks or ransomware.

NOTE : To ensure availability, organizations can use redundant networks, servers, and applications.
These can be programmed to become available when the primary system has been disrupted or
broken. You can also enhance availability by staying on top of upgrades to software packages and
security systems.

------------------------------------------------------------------------------------------------------------------------

Threats to Information Security:

1. Types of Cyber Attacks:

Cyber attacks are a major threat to information security and can take many forms, including:

Malware : Malicious software designed to damage or disrupt computer systems. This includes viruses,
worms, and Trojans.

Phishing : Fraudulent emails or websites designed to trick users into disclosing sensitive information
such as passwords or credit card numbers.

Denial of Service (DoS) attacks : Attacks that aim to make a system or network unavailable to its
intended users by overwhelming it with traffic.

Ransomware : Malware that encrypts files on a computer system and demands a ransom payment in
exchange for the decryption key.

Social engineering : The use of psychological manipulation to trick individuals into disclosing sensitive
information or performing actions that compromise security.

2. Risks posed by Cyber Attacks:

Cyber attacks pose a significant risk to organizations and individuals. Some of the risks posed by these
attacks include:
Data Loss: Cyber attacks can result in the theft or destruction of sensitive information, leading to data
loss.

Reputation Damage: Cyber attacks can damage an organization’s reputation and credibility, which can be
difficult and expensive to repair.

------------------------------------------------------------------------------------------------------------------------

Information Assurance and Risk Analysis :

Steps in the risk analysis process

The basic steps followed by a risk analysis process are:

Conduct a risk assessment survey:

Getting input from management and department heads is critical to the risk assessment process. The
risk assessment survey is the starting point for documenting the specific risks or threats within each department.

Identify the risks:

This step is used to evaluate an IT system or other aspects of an organization to identify the risk related
to software, hardware, data, and IT employees. It identifies the possible adverse events that could occur
in an organization such as human error, flooding, fire, or earthquakes.

Analyse the risks:

Once the risks are evaluated and identified, the risk analysis process should analyse the likelihood that each risk will
occur, as well as determine the consequences linked with each risk. It also determines how they might
affect the objectives of an IT project.

Develop a risk management plan:

After the risk analysis, which provides an idea of which assets are valuable and which threats will
probably affect the IT assets negatively, we develop a risk management plan to produce
control recommendations that can be used to mitigate, transfer, accept or avoid the risk.

Implement the risk management plan:

The primary goal of this step is to implement the measures to remove or reduce the analysed risks. We
start with the highest-priority risk and resolve or at least mitigate each
risk so that it is no longer a threat.

Monitor the risks:

This step is responsible for monitoring the security risks on a regular basis. Identifying, treating and
managing risks continuously should be an essential part of any risk analysis process.

--------------------------------------------------

Types of Risk Analysis

The distinct approaches to risk analysis are:


Qualitative Risk Analysis

The qualitative risk analysis process is a project management technique that prioritizes the risks on a
project by assigning each a probability and an impact number. Probability is the likelihood that a risk event will occur,
whereas impact is the significance of the consequences of the risk event.

The objective of qualitative risk analysis is to assess and evaluate the characteristics of each individually
identified risk and then prioritize the risks based on the agreed-upon characteristics.

Quantitative Risk Analysis

The objective of the quantitative risk analysis process is to provide a numerical estimate of the
overall effect of risk on the project objectives.

It is used to evaluate the likelihood of success in achieving the project objectives and to estimate
contingency reserve, usually applicable for time and cost.
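As an added example (not part of the notes), the code below applies both approaches to a constructed risk register: the qualitative step assigns probability and impact scores and ranks the risks, while the quantitative step turns likelihood and cost/delay estimates into an expected-value contingency reserve. All values, names and rating thresholds are invented for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int        # qualitative score, 1 (rare) to 5 (almost certain)
    impact: int             # qualitative score, 1 (negligible) to 5 (severe)
    likelihood: float       # quantitative: chance the event occurs during the project
    cost_if_occurs: float   # quantitative: extra cost if it occurs (currency units)
    delay_if_occurs: float  # quantitative: extra schedule time if it occurs (days)


# Constructed risk register for a hypothetical IT project (not from the notes).
RISK_REGISTER = [
    Risk("Ransomware on the file server", 3, 5, 0.30, 120_000.0, 10.0),
    Risk("Key developer leaves mid-project", 4, 3, 0.40, 25_000.0, 20.0),
    Risk("Flooding of the server room", 1, 5, 0.05, 400_000.0, 30.0),
    Risk("Phishing leads to credential theft", 4, 4, 0.50, 40_000.0, 5.0),
]


def qualitative_score(risk: Risk) -> int:
    """Probability x impact: the cell of a 5x5 risk matrix the risk falls into."""
    return risk.probability * risk.impact


def qualitative_rating(score: int) -> str:
    """Constructed thresholds that turn a matrix score into a priority band."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks):
    """Qualitative analysis: rank the risks by score, highest first."""
    ranked = sorted(risks, key=qualitative_score, reverse=True)
    return [(r.name, qualitative_score(r), qualitative_rating(qualitative_score(r)))
            for r in ranked]


def expected_cost(risk: Risk) -> float:
    """Expected monetary value of one risk: likelihood x cost if it occurs."""
    return risk.likelihood * risk.cost_if_occurs


def expected_delay(risk: Risk) -> float:
    """Expected schedule impact of one risk, in days."""
    return risk.likelihood * risk.delay_if_occurs


def contingency_reserve(risks):
    """Quantitative analysis: numerical estimate of the overall effect on cost and time,
    which is what the contingency reserve is sized from."""
    return (sum(expected_cost(r) for r in risks),
            sum(expected_delay(r) for r in risks))


if __name__ == "__main__":
    for name, score, rating in prioritise(RISK_REGISTER):
        print(f"{score:>2} {rating:<6} {name}")
    cost, days = contingency_reserve(RISK_REGISTER)
    print(f"contingency reserve: {cost:,.0f} currency units, {days:.1f} days")
```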

------------------------------------------------------------------------------------------------------------------------

Security Technologies :

Today, the fundamental problem is that much of security technology aims to keep the attacker out,
and when that fails, the defences have failed. Every organization that uses the internet needs security
technologies to cover the three primary control types, preventive, detective, and corrective, as well as to
provide auditing and reporting. Most security is based on one of these types of things: something we
have (like a key or an ID card), something we know (like a PIN or a password), or something we are (like a
fingerprint).


Firewall

A firewall is a computer network security system designed to prevent unauthorized access to or from a
private network. It can be implemented as hardware, software, or a combination of both. Firewalls are
used to prevent unauthorized Internet users from accessing private networks connected to the Internet.
All messages entering or leaving the intranet pass through the firewall. The firewall examines each
message and blocks those that do not meet the specified security criteria.

The five processing modes into which firewalls can be categorised are:


Packet filtering

Packet filtering firewalls examine the header information of the data packets that come into a network. This
firewall is installed on a TCP/IP network and determines whether to forward a packet to the next network
connection or drop it, based on the rules programmed in the firewall.

Most firewall rules are based on a combination of:

* Internet Protocol (IP) source and destination address.

* Direction.

* Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
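An added example, not taken from the notes, of how a packet filter applies rules on exactly these fields (source and destination address, direction, and protocol) to constructed packets; the network addresses, the rule set and the first-match-wins semantics are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the internet) or "out" (leaving the private network)
    protocol: str    # "tcp" or "udp"
    src: str         # source IP address from the packet header
    dst: str         # destination IP address from the packet header
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"      # CIDR network the source address must fall in
    dst: str = "0.0.0.0/0"      # CIDR network the destination address must fall in
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field of the rule that is not a wildcard must agree with the packet."""
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


# Constructed rule set for a private network 192.168.1.0/24 with a web server at
# 192.168.1.10 and an internal DNS resolver at 192.168.1.1. Order matters: the first
# matching rule decides, and anything no rule matches is dropped (default deny).
RULES = [
    # Packets arriving from the internet must never carry an internal source address.
    Rule("deny", direction="in", src="192.168.1.0/24"),
    # Only HTTPS to the web server is accepted from outside.
    Rule("allow", direction="in", protocol="tcp", dst="192.168.1.10/32", dst_port=443),
    # Internal hosts may reach HTTPS sites and query the internal resolver only.
    Rule("allow", direction="out", protocol="tcp", src="192.168.1.0/24", dst_port=443),
    Rule("allow", direction="out", protocol="udp", src="192.168.1.0/24",
         dst="192.168.1.1/32", dst_port=53),
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (decision, index of the deciding rule) or ("deny", None) for the default."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
    for pkt in [
        Packet("in", "tcp", "203.0.113.5", "192.168.1.10", 443),
        Packet("in", "tcp", "203.0.113.5", "192.168.1.10", 22),
        Packet("in", "tcp", "192.168.1.77", "192.168.1.10", 443),
        Packet("out", "udp", "192.168.1.20", "198.51.100.9", 53),
    ]:
        print(pkt, "->", filter_packet(pkt))
```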

Application gateways

It is a firewall proxy which is frequently installed on a dedicated computer to provide network security.
This proxy firewall acts as an intermediary between the requester and the protected device. This
firewall proxy filters incoming node traffic to certain specifications, which means only transmitted network
application data is filtered. Such network applications include FTP, Telnet, Real Time Streaming Protocol
(RTSP), BitTorrent, etc.

Circuit gateways

A circuit-level gateway is a firewall that operates at the transport layer. It provides UDP and TCP
connection security, which means it can reassemble, examine or block all the packets in a TCP or UDP
connection. It works between the transport layer and the application layer, at a level such as the session layer.

MAC layer firewalls

This firewall is designed to operate at the media access control layer of the OSI network model. It is able
to consider a specific host computer's identity in its filtering decisions. MAC addresses of specific host
computers are linked to the access control list (ACL) entries.

Hybrid firewalls

It is a type of firewall which combines features of the other four types of firewalls. These are elements of
packet filtering and proxy services, or of packet filtering and circuit gateways.

VPN

VPN stands for virtual private network. It is a technology which creates a safe and encrypted
connection over the Internet from a device to a network. This type of connection helps to ensure our
sensitive data is transmitted safely. It protects our connection from eavesdropping on the network traffic
and allows the user to access a private network securely. This technology is widely used in corporate
environments.

A VPN works much like a firewall: where a firewall protects data local to a device, a VPN protects data
in transit online. To ensure safe communication on the internet, data travels through secure tunnels, and
VPN users use an authentication method to gain access to the VPN server.

Intrusion Detection System (IDS)

An IDS is a security system which monitors computer systems and network traffic. It analyses that
traffic for possible hostile attacks originating from outsiders and also for system misuse or attacks
originating from insiders. A firewall does the job of filtering the incoming traffic from the internet; the
IDS in a similar way complements the firewall security. While the firewall protects an organization's sensitive
data from malicious attacks over the Internet, the intrusion detection system alerts the system
administrator when someone tries to break through the firewall security and tries to gain access to
any network on the trusted side.

1. NIDS-

It is a Network Intrusion Detection System which monitors the inbound and outbound traffic to and
from all the devices on the network.

2. HIDS-

It is a Host Intrusion Detection System which runs on all devices in the network with direct access to
both the internet and the enterprise internal network. It can detect anomalous network packets that originate
from inside the organization or malicious traffic that a NIDS has failed to catch. HIDS may also
identify malicious traffic that arises from the host itself.

3. Signature-based Intrusion Detection System-

It is a detection system which detects an attack by looking for specific patterns,
such as byte sequences in network traffic, or known malicious instruction sequences used by malware.
This IDS originates from anti-virus software and can easily detect known attacks. With this approach, it
is impossible to detect new attacks for which no pattern is available.

4. Anomaly-based Intrusion Detection System-

This detection system was primarily introduced to detect unknown attacks, due to the rapid development of
malware. It alerts administrators to potentially malicious activity. It monitors the network traffic
and compares it against an established baseline. The baseline determines what is considered normal for the
network with respect to bandwidth, protocols, ports and other devices.
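The following added example (not from the notes) contrasts the two detection styles on constructed data: a signature engine that only fires on patterns it already knows, and an anomaly engine that learns a per-host baseline of connections per minute from a flow log and alerts when a host suddenly exceeds it. The log format, signature names, sample traffic and thresholds are invented for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed signatures: byte patterns the signature engine looks for in payloads.
# Real rule sets hold thousands of these; the names and patterns here are invented.
SIGNATURES = {
    "SIG-001 demo beacon user-agent": b"User-Agent: DemoBeacon/1.0",
    "SIG-002 demo marker string": b"DEMO_MARKER_STRING",
}


def signature_matches(payload: bytes) -> list:
    """Signature-based detection: report every known pattern present in the payload.
    A payload carrying an attack with no recorded pattern yields an empty list."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


# Constructed flow-log format: "<timestamp> <src> -> <dst>:<port>"; the minute bucket
# is captured directly from the timestamp.
FLOW_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\d (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_flows(lines):
    """Parse flow-log lines; malformed lines are skipped rather than crashing the detector."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"minute": m["minute"], "src": m["src"],
                          "dst": m["dst"], "port": int(m["port"])})
    return flows


def connections_per_minute(flows):
    """Map each source host to the list of its per-minute connection counts."""
    counts = Counter((f["src"], f["minute"]) for f in flows)
    per_src = defaultdict(list)
    for (src, _minute), n in counts.items():
        per_src[src].append(n)
    return per_src


def build_baseline(flows):
    """Anomaly-based detection, step 1: learn what 'normal' looks like per host."""
    return {src: (statistics.fmean(samples), statistics.pstdev(samples))
            for src, samples in connections_per_minute(flows).items()}


def detect_anomalies(flows, baseline, k=3.0, floor=1.0):
    """Step 2: flag any host-minute whose count exceeds mean + k * stdev.
    'floor' stops a perfectly regular host (stdev 0) from alerting on a tiny change;
    a host absent from the baseline is compared against an empty history."""
    alerts = []
    counts = Counter((f["src"], f["minute"]) for f in flows)
    for (src, minute), n in sorted(counts.items()):
        mean, stdev = baseline.get(src, (0.0, 0.0))
        if n > mean + k * max(stdev, floor):
            alerts.append((src, minute, n))
    return alerts


# Constructed baseline traffic: two internal hosts making a few connections a minute.
BASELINE_LOG = [
    "2024-05-01T09:00:05 10.1.1.5 -> 10.1.2.10:443",
    "2024-05-01T09:00:41 10.1.1.5 -> 10.1.2.11:443",
    "2024-05-01T09:01:07 10.1.1.5 -> 10.1.2.10:443",
    "2024-05-01T09:01:30 10.1.1.5 -> 10.1.2.12:443",
    "2024-05-01T09:01:55 10.1.1.5 -> 10.1.2.10:443",
    "2024-05-01T09:02:12 10.1.1.5 -> 10.1.2.11:443",
    "2024-05-01T09:00:09 10.1.1.6 -> 10.1.2.10:443",
    "2024-05-01T09:01:19 10.1.1.6 -> 10.1.2.10:443",
    "2024-05-01T09:02:44 10.1.1.6 -> 10.1.2.10:443",
]

# Constructed later traffic: 10.1.1.5 opens 30 connections in a single minute while
# 10.1.1.6 behaves as before. No signature describes this, so only the baseline catches it.
OBSERVED_LOG = [f"2024-05-01T10:00:{i:02d} 10.1.1.5 -> 10.1.2.20:{1000 + i}"
                for i in range(30)] + [
    "2024-05-01T10:00:15 10.1.1.6 -> 10.1.2.10:443",
    "2024-05-01T10:00:48 10.1.1.6 -> 10.1.2.11:443",
]


if __name__ == "__main__":
    print(signature_matches(b"GET / HTTP/1.1\r\nUser-Agent: DemoBeacon/1.0\r\n"))
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    print(detect_anomalies(parse_flows(OBSERVED_LOG), baseline))
```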

Access Control

Access control is a process of selectively restricting access to a system. It is a concept in security to
minimize the risk of unauthorized access to the business or organization. In this, users are granted access
permission and certain privileges to a system and resources. Here, users must provide credentials to
be granted access to a system. These credentials come in many forms such as a password, a keycard, a
biometric reading, etc. Access control uses security technology and access control policies to protect
confidential information like customer data.

Access control can be categorised into two types:

Physical Access Control- This type of access control limits access to buildings, rooms, campuses, and
physical IT assets.

Logical access control- This type of access control limits connection to computer networks, system files,
and data.

The more secure method for access control involves two-factor authentication. The first factor is that a
user who desires access to a system must present a credential, and the second factor could be an access
code, password, or a biometric reading.

Access control consists of two main components: authentication and authorization. Authentication
is the process which verifies that someone is who they claim to be, whereas authorization
determines whether a user should be allowed to gain access to a system or be denied it.
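An added example, not from the notes, that puts authentication before authorization in code: a password verifier (something we know) plus a time-based one-time code (something we have), followed by a role-based permission check. The user store, secrets, salts, role names and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 100_000  # constructed demo setting; tuned per deployment in practice


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier from the password; the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238 with HMAC-SHA1) for the given instant."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


# Constructed user store: per-user salt, password verifier, TOTP secret (which would
# live in the user's authenticator app) and the role used for authorization.
USERS = {
    "alice": {"salt": b"alice-demo-salt", "totp_secret": b"alice-demo-totp-secret", "role": "finance"},
    "bob":   {"salt": b"bob-demo-salt",   "totp_secret": b"bob-demo-totp-secret",   "role": "staff"},
}
USERS["alice"]["verifier"] = hash_password("correct horse battery staple", USERS["alice"]["salt"])
USERS["bob"]["verifier"] = hash_password("bobs-demo-password", USERS["bob"]["salt"])

# Authorization policy: what each role may do once its identity has been verified.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write", "bank:read"},
    "staff": {"intranet:read"},
}


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Two factors: the password verifier must match AND the one-time code must be current."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"dummy-salt")  # do the same work for unknown users
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["verifier"]):
        return False
    # Accept the current 30-second step and the previous one to tolerate clock drift.
    valid_codes = [totp(user["totp_secret"], now - 30), totp(user["totp_secret"], now)]
    return any(hmac.compare_digest(code, v) for v in valid_codes)


def authorize(username: str, permission: str) -> bool:
    """Authorization: is this (already authenticated) user allowed the requested action?"""
    user = USERS.get(username)
    return user is not None and permission in ROLE_PERMISSIONS.get(user["role"], set())


def access(username: str, password: str, code: str, permission: str, now: int) -> str:
    """Authentication first (who are you?), then authorization (what may you do?)."""
    if not authenticate(username, password, code, now):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized for " + permission
    return "granted: " + permission


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)  # what Alice's authenticator shows
    print(access("alice", "correct horse battery staple", code, "ledger:write", now))
    print(access("bob", "bobs-demo-password", totp(USERS["bob"]["totp_secret"], now),
                 "ledger:write", now))
```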

------------------------------------------------------------------------------------------------------------------------

### WWW Policies (World Wide Web Policies)


Policies for the World Wide Web (WWW) are essential guidelines and regulations that ensure the
internet remains a safe, accessible, and reliable platform for users and businesses. These policies cover
various aspects, including security, privacy, content, and usage. Here are some key areas of WWW
policies:

1. **Security Policies**

Security policies are designed to protect the integrity, confidentiality, and availability of data on the
internet. Key components include:

- **Encryption**: Ensuring data transmitted over the web is encrypted to protect it from interception
and tampering.

- **Authentication**: Verifying the identity of users and devices accessing web services.

- **Authorization**: Ensuring users have appropriate permissions to access specific resources or
perform certain actions.

- **Incident Response**: Establishing procedures for responding to security breaches and other
incidents.

2. **Privacy Policies**

Privacy policies are crucial for protecting users' personal information and ensuring compliance with
regulations like GDPR and CCPA. Key components include:

- **Data Collection**: Clearly stating what data is collected from users and for what purpose.

- **Data Usage**: Explaining how the collected data will be used and shared.

- **User Consent**: Obtaining explicit consent from users before collecting or using their data.

- **Data Protection**: Implementing measures to protect personal data from unauthorized access and
breaches.

3. **Content Policies**

Content policies regulate the type of content that can be published and accessed on the web. Key
components include:

- **Acceptable Use**: Defining what constitutes acceptable and unacceptable content and behavior on
a website or platform.

- **Copyright and Intellectual Property**: Ensuring that content does not infringe on the intellectual
property rights of others.

- **Hate Speech and Harassment**: Prohibiting content that promotes hate speech, harassment, or
discrimination.

- **Misinformation**: Implementing measures to detect and prevent the spread of false or misleading
information.

4. **Accessibility Policies**

Accessibility policies ensure that web services are usable by people with disabilities. Key components
include:

- **Compliance with Standards**: Adhering to accessibility standards such as the Web Content
Accessibility Guidelines (WCAG).

- **Assistive Technologies**: Supporting the use of assistive technologies like screen readers and speech
recognition software.

- **Usability Testing**: Conducting usability testing with individuals with disabilities to identify and
address accessibility issues.

5. **Usage Policies**

Usage policies govern how users can interact with web services and the internet. Key components
include:

- **Terms of Service**: Outlining the terms and conditions for using a website or service.

- **User Conduct**: Establishing rules for user behavior, including prohibitions on spamming, hacking,
and other malicious activities.

- **Monitoring and Enforcement**: Implementing mechanisms to monitor user activity and enforce
compliance with usage policies.

6. **E-Commerce Policies**

E-commerce policies ensure safe and fair online transactions. Key components include:

- **Payment Security**: Implementing secure payment methods and protecting payment information.

- **Consumer Protection**: Ensuring that consumers' rights are protected, including return and refund
policies.

- **Data Privacy**: Protecting customer data collected during transactions.

- **Anti-Fraud Measures**: Detecting and preventing fraudulent activities.


Implementing WWW Policies

To implement WWW policies effectively, organizations should:

- **Develop Clear Policies**: Create comprehensive policies covering all key areas.

- **Educate Users**: Inform users about policies and their importance.

- **Regular Audits**: Conduct regular audits to ensure compliance with policies.

- **Use Technology**: Employ technologies like firewalls, encryption, and monitoring tools to enforce
policies.

- **Stay Updated**: Keep policies up-to-date with the latest regulations and best practices.

These policies help maintain the integrity and usability of the web, ensuring it remains a valuable
resource for everyone.

-----------------------------------------------------------------------------------------------------------------------

Security Policies : Overview and Importance

A security policy is a document that states in writing how a company plans to protect its physical and
information technology (IT) assets. Security policies are living documents that are continuously updated
and changing as technologies, vulnerabilities and security requirements change.

Why Policies Should Be Developed

Framework for Decision-Making : Security policies provide a structured approach to decision-making
within an organization, ensuring consistency and adherence to security standards.

Risk Management : Policies help identify and mitigate risks, protecting the organization from various
threats such as cyberattacks, data breaches, and physical security issues.

Compliance : Many industries are regulated by laws and standards (e.g., GDPR, HIPAA), and security
policies help ensure compliance with these regulations.

Protection of Assets : Security policies safeguard an organization’s assets, including intellectual property,
data, and physical resources.

Employee Guidance : Policies offer clear guidelines to employees on their roles and responsibilities,
helping to prevent accidental or intentional security breaches.

------------------------------------------------------------------------------------------------------------------------

Policy Review Process

Initial Assessment: Evaluate current security policies and identify gaps or areas for improvement.

Stakeholder Involvement: Engage key stakeholders, including management, IT staff, and legal advisors,
to gather input and ensure comprehensive coverage.

Drafting and Revision: Create or revise policies based on the initial assessment and stakeholder
feedback.

Review and Approval: Present the drafted policies to senior management or a dedicated security
committee for review and approval.

Implementation: Implement the approved policies across the organization, ensuring all employees are
aware of the changes.

Continuous Monitoring: Regularly monitor the effectiveness of the policies and make adjustments as
necessary.

Scheduled Reviews: Conduct periodic reviews (e.g., annually) to ensure policies remain relevant and
effective in addressing current security threats.

Types of Policies

WWW (World Wide Web) Policies: Guidelines for the acceptable use of the internet within the
organization, including restrictions on accessing certain websites and ensuring safe browsing practices.

Email Security Policies: Rules for the secure use of email, including guidelines for creating strong
passwords, recognizing phishing attempts, and encrypting sensitive information.

Corporate Policies: Comprehensive policies covering various aspects of corporate security, such as data
protection, physical security, and employee conduct.

Sample Security Policies: Templates or examples of security policies that can be adapted to meet the
specific needs of an organization.

Sample Security Policies

WWW Policy:

Purpose: To ensure the safe and appropriate use of the internet by employees.

Scope: Applies to all employees using the company's internet resources.

Policy: Employees must not access inappropriate websites, download unauthorized software, or engage
in activities that could harm the company’s network.

1. World Wide Web (WWW) Policies

Definition: WWW policies govern the use of the internet within an organization. These policies set rules
and guidelines for accessing and using web resources.

Key Components:

Acceptable Use: Defines what constitutes acceptable and unacceptable use of the internet (e.g.,
personal browsing, social media use, downloading software).

Access Control: Details who has access to the internet and what resources they can access.

Content Filtering: Specifies the types of websites that can be accessed and blocks harmful or
inappropriate content.

Monitoring and Reporting: Describes how internet usage will be monitored and what actions will be
taken in case of violations.

Email Security Policy:

Purpose: To protect the company from email-based threats.

Scope: Applies to all employees using company email.

Policy: Employees must use strong passwords, recognize and report phishing attempts, and encrypt
sensitive information sent via email.

Email Security Policies

Definition: Email security policies govern the use of email within an organization, ensuring that
communications are secure and compliant with regulations.

Key Components:

Acceptable Use: Specifies acceptable uses of the organization’s email system, such as sending business-
related communications only.

Email Encryption: Guidelines on when and how emails should be encrypted to protect sensitive
information.

Phishing Protection: Measures to protect against phishing attacks, including user education and
technical defenses.

Attachment Policies: Rules about what types of attachments are allowed and how they should be
scanned for malware.

Corporate Security Policy:

Purpose: To safeguard the company’s assets and ensure compliance with legal requirements.

Scope: Applies to all aspects of corporate security, including physical security, data protection, and
employee conduct.

Policy: Includes guidelines on access control, data encryption, incident response, and employee
training.

Key Components:

Information Security Policy: A high-level document that outlines the organization’s approach to
managing and protecting information.

Access Control Policy: Defines who can access what information and under what conditions.

Incident Response Policy: Procedures for responding to security incidents, including roles,
responsibilities, and communication strategies.

Data Protection Policy: Guidelines for the protection of personal and sensitive data in compliance with
relevant laws and regulations (e.g., GDPR).

------------------------------------------------------------------------------------------------------------------------

ISO (International Organization for Standardization)

Overview

ISO is an independent, non-governmental international organization that develops and publishes
standards to ensure the quality, safety, efficiency, and interoperability of products and services.

Key Standards

ISO/IEC 27001: Information security management systems (ISMS) standard.

ISO 9001: Quality management systems (QMS) standard.

ISO 14001: Environmental management systems (EMS) standard.

--------------------------------------------------------------------------------------------------------------------------------

Threat to E-Commerce

E-Commerce refers to the activity of buying and selling things over the internet. Simply, it refers to the
commercial transactions which are conducted online. E-commerce draws on many technologies
such as mobile commerce, Internet marketing, online transaction processing, electronic funds transfer,
supply chain management, electronic data interchange (EDI), inventory management systems, and
automated data collection systems.

An e-commerce threat is the use of the internet for unfair means with the intention of theft,
fraud or a security breach. There are various types of e-commerce threats. Some are accidental, some
are purposeful, and some of them are due to human error. The most common security threats concern
electronic payment systems, e-cash, data misuse, credit/debit card fraud, etc.

Electronic Payment System

Electronic payment systems have a very important role in e-commerce. E-commerce organizations
use electronic payment systems, which refer to paperless monetary transactions.

They have revolutionized business processing by reducing paperwork, transaction costs, and labour cost.
E-commerce processing is user-friendly and less time consuming than manual processing.

Electronic commerce helps a business organization expand its market reach. There are, however,
certain risks with electronic payment systems.

RISK :

The Risk of Fraud

If the password and the answers to the security questions are matched, the system doesn't care who is
on the other side. If someone has access to our password or the answers to our security question, he will
gain access to our money and can steal it from us.

The Risk of Tax Evasion

It makes the process of tax collection very frustrating for the Internal Revenue Service. It is at the
business's choice to disclose payments received or made via electronic payment systems.

The Risk of Payment Conflicts

In electronic payment systems, the payments are handled by an automated electronic system, not by
humans. The system is prone to errors when it handles large numbers of payments on a frequent basis
with more than one recipient involved.

----------------------------------------------------------------------

E-cash

E-cash is a paperless cash system which facilitates the transfer of funds anonymously. E-cash is free to
the user, while sellers pay a fee for it. The e-cash fund can be either stored on a card itself or
in an account which is associated with the card. The most common examples of e-cash systems are transit
cards, PayPal, GooglePay, Paytm, etc.

E-cash has four major components-

Issuers - They can be banks or a non-bank institution.

Customers - They are the users who spend the e-cash.

Merchants or Traders - They are the vendors who receive e-cash.

Regulators - They are related to authorities or state tax agencies.

Some of the major threats related to e-cash system are-

Backdoors Attacks

A backdoor gives an attacker unauthorized access to a system by bypassing the normal
authentication mechanisms. It works in the background and hides itself from the user, which makes it
difficult to detect and remove.

Denial of service attacks

A denial-of-service attack (DoS attack) is a security attack in which the attacker takes action that prevents
legitimate users from accessing electronic devices. It makes a network resource
unavailable to its intended users by temporarily disrupting the services of a host connected to the
Internet.

Direct Access Attacks

A direct access attack is an attack in which an intruder gains physical access to the computer to perform
unauthorized activity and install various types of software that compromise security. Such
software is loaded with worms and downloads huge amounts of sensitive data from the target
victims.

Eavesdropping

This is an unauthorized way of listening to private communication over the network. It does not
interfere with the normal operations of the targeted system, so the sender and the recipient of the
messages are not aware that their conversation is being tracked.

Credit/Debit card fraud

A credit card allows us to borrow money from a recipient bank to make purchases. The issuer of the
credit card sets the condition that the cardholder will pay back the borrowed money with an additional
agreed-upon charge.

A debit card is a plastic card issued by a financial organization to an account holder who has a
savings deposit account; it can be used instead of cash to make purchases. The debit card can be used
only when funds are available in the account.

Some of the important threats associated with the debit/credit card are-

ATM (Automated Teller Machine)-

It is a favourite place of fraudsters, from where they can steal our card details. Some of the important
techniques criminals use to get hold of our card information are:

Skimming-

It is the process of attaching a data-skimming device to the card reader of the ATM. When a customer
swipes their card in the ATM card reader, the information is copied from the magnetic strip to the device.
In this way the criminals learn the card number, name, CVV number, expiry date
of the card and other details.

Phishing / Vishing-

Phishing is an activity in which an intruder obtains the sensitive information of a user, such as
passwords, usernames, and credit card details, often for malicious reasons.

Vishing is an activity in which an intruder obtains the sensitive information of a user by sending SMS
to mobiles. These SMS and calls appear to be from a reliable source, but in reality they are fake. The main
objective of vishing and phishing is to get the customer's PIN, account details, and passwords.

POS Theft

It is commonly done at merchant stores at the time of POS transaction. In this, the salesperson takes the
customer card for processing payment and illegally copies the card details for later use.

Some important ways to steal our confidential information during an online transaction are-

By downloading software which records our keystrokes and steals our passwords and card details.

By redirecting a customer to a fake website which looks like the original and steals our sensitive
information.

By using public Wi-Fi.

-----------------------------------

CCTV Backup

Step 1: Sign up for a Google Cloud Storage Account.

Step 2: Connect your CCTV system to your Network.

Step 3: Install Cloud Storage Software

Step 4: Configure your Cloud Storage Software

Step 5: Set Up a Backup CCTV Schedule

-------------------------------------------------------------------------------------------------------------------------

Security Standards

To make cybersecurity measures explicit, written norms are required. These norms are known as
cybersecurity standards: generic sets of prescriptions for an ideal execution of certain measures.
The standards may involve methods, guidelines, reference frameworks, etc. They ensure the efficiency of
security, facilitate integration and interoperability, enable meaningful comparison of measures,
reduce complexity, and provide the structure for new developments.

A security standard is "a published specification that establishes a common language, and contains a
technical specification or other precise criteria and is designed to be used consistently, as a rule, a
guideline, or a definition." The goal of security standards is to improve the security of information
technology (IT) systems, networks, and critical infrastructures. Well-written cybersecurity standards
enable consistency among product developers and serve as a reliable standard for purchasing security
products.

Security standards are generally provided for all organizations regardless of their size or the industry and
sector in which they operate. This section includes information about each standard that is usually
recognized as an essential component of any cybersecurity strategy.

1. ISO

ISO stands for International Organization for Standardization. International Standards make things
work. These standards provide a world-class specification for products, services and computers, to
ensure quality, safety and efficiency. They are instrumental in facilitating international trade.

ISO was officially established on 23 February 1947. It is an independent, non-governmental
international organization. Today, it has a membership of 162 national standards bodies and 784
technical committees and subcommittees to take care of standards development. ISO has published
over 22336 International Standards and related documents, which cover almost every industry, from
information technology, to food safety, to agriculture and healthcare.

ISO 27000 Series

It is the family of information security standards developed by the International Organization for
Standardization and the International Electrotechnical Commission to provide a globally recognized
framework for information security management best practice.

The need for the ISO 27000 series arises because of the risk of cyber-attacks which organizations face.
Cyber-attacks are growing day by day, making hackers a constant threat to any industry that uses
technology.

The ISO 27000 series can be categorized into many types. They are-

ISO 27001- This standard allows an organization to prove to its clients and stakeholders that it
manages the security of their confidential data and information to the best standard. It involves a process-
based approach for establishing, implementing, operating, monitoring, maintaining, and improving an
ISMS.

ISO 27000- This standard provides an explanation of terminologies used in ISO 27001.

ISO 27002- This standard provides guidelines for organizational information security standards and
information security management practices. It includes the selection, implementation, operating and
management of controls taking into consideration the organization's information security risk
environment(s).

ISO 27005- This standard supports the general concepts specified in 27001. It is designed to provide
guidelines for the implementation of information security based on a risk management approach. To
completely understand ISO/IEC 27005, knowledge of the concepts, models, processes, and
terminology described in ISO/IEC 27001 and ISO/IEC 27002 is required. This standard is applicable to all
kinds of organizations, such as non-governmental organizations, government agencies, and commercial
enterprises.

ISO 27032- It is the international Standard which focuses explicitly on cybersecurity. This Standard
includes guidelines for protecting the information beyond the borders of an organization such as in
collaborations, partnerships or other information sharing arrangements with clients and suppliers.

2. IT Act

The Information Technology Act, also known as ITA-2000 or the IT Act, mainly aims to provide the legal
infrastructure in India for dealing with cybercrime and e-commerce. The IT Act is based on the United
Nations Model Law on E-Commerce 1996 recommended by the General Assembly of the United Nations.
This act is also used to check misuse of cyber networks and computers in India. It was officially passed in
2000 and amended in 2008. It has been designed to give a boost to electronic commerce, e-
transactions and related activities associated with commerce and trade. It also facilitates electronic
governance by means of reliable electronic records.

The IT Act 2000 has 13 chapters, 94 sections and 4 schedules. The first 14 sections concern digital
signatures and the following sections deal with the certifying authorities who are licensed to issue digital
signature certificates; sections 43 to 47 provide penalties and compensation, sections 48 to 64 deal
with appeals to the high court, sections 65 to 79 deal with offences, and the remaining sections 80 to 94 deal
with miscellaneous provisions of the act.

3. Copyright Act

The Copyright Act 1957, amended by the Copyright Amendment Act 2012, governs the subject of
copyright law in India. This Act has been applicable since 21 January 1958. Copyright is a legal term which
describes the ownership and control of the rights held by the authors of "original works of authorship" that
are fixed in a tangible form of expression. An original work of authorship covers certain
works of creative expression, including books, video, movies, music, and computer programs. The
copyright law has been enacted to balance the use and reuse of creative works against the desire of the
creators of art, literature and music to monetize their work by controlling who can make and sell copies of
the work.

The copyright act covers the following-

Rights of copyright owners

Works eligible for protection

Duration of copyright

Who can claim copyright

The copyright act does not cover the following-

Ideas, procedures, methods, processes, concepts, systems, principles, or discoveries

Works that are not fixed in a tangible form (such as a choreographic work that has not been notated or
recorded or an improvisational speech that has not been written down)

Familiar symbols or designs

Titles, names, short phrases, and slogans

Mere variations of typographic ornamentation, lettering, or coloring

4. Patent Law

Patent law is a law that deals with new inventions. Traditional patent law protects tangible scientific
inventions, such as circuit boards, heating coils, car engines, or zippers. Over time, patent law
has been used to protect a broader variety of inventions such as practices, coding algorithms, or
genetically modified organisms. It is the right to exclude others from making, using, selling, importing,
inducing others to infringe, and offering a product specially adapted for practice of the patent.

In general, a patent is a right that can be granted if an invention is:

-> Not a natural object or process

-> New

-> Useful

-> Not obvious.

5. IPR

Intellectual property rights are rights that allow creators, or owners of patents, trademarks or copyrighted
works, to benefit from their own plans, ideas, or other intangible assets or investment in a creation.
These IPR rights are outlined in Article 27 of the Universal Declaration of Human Rights, which provides
for the right to benefit from the protection of moral and material interests resulting from authorship of
scientific, literary or artistic productions. These property rights allow the holder to exercise a monopoly
on the use of the item for a specified period.

6. The Semiconductor Law

The Semiconductor Chip Protection Act is a law that helps protect companies who make computer chips
from other people copying or using their designs without permission. Computer chips are tiny parts that
make computers and other electronic devices work. The law also protects the special templates used to
make these chips, called mask works. The law gives the companies who make these chips and templates
the right to control who can use them for ten years.

An example of the Semiconductor Chip Protection Act in action is when a company creates a new
semiconductor chip design and applies for protection under the law. If the application is approved, the
company can prevent others from copying or using their design without permission for ten years.

7. Software Piracy

Software piracy is the illegal practice of copying, distributing, modifying, selling, or using software that
is legally protected. So in simple terms, we can say software piracy is the act of stealing legal software.
It refers to the unauthorized copying and use of legal software, and this critical
problem has now turned into a global issue.

Types of Software Piracy

Softlifting- Softlifting is the most common type of software piracy. In this piracy, the legal owner of the
software is one, but the users are multiple. For instance, someone purchases genuine software, and
others illegally use that software by installing it on their own computers. For example,
many times we borrow software from our colleagues and install a copy of it on our computers just to
save money, which amounts to softlifting, one type of software piracy.

Hard-disk Loading- It is the most common type of software piracy which mainly happens in PC resale
shops. The shop owner buys a legal copy of the software and reproduces it by installing it on multiple
computers. Most of the time customers/PC users are not aware of this and get
the pirated version of the software at the original software price or less than the original price. It is one type
of commercial software piracy.

Counterfeiting- In counterfeiting, duplicates of genuine/legal software programs are created with the
appearance of authenticity. These duplicate copies are then sold at a lower price.

Client-Server overuse – In client-server overuse, more copies of the software are installed than it is
licensed for.

Online Piracy- In online piracy, the illegal software is acquired from online auction sites and blogs which
is mainly achieved through the P2P(Peer to Peer) file-sharing system.

What Are the Effects of Software Piracy?

Revenue Loss: Significant revenue losses for software developers and companies.

Reduced Investment: Less investment in new product development, research, and innovation

Malware and Viruses: Increased risk of malware, viruses, and other malicious code.

Lack of Support: No access to official customer support, leading to technical difficulties and reduced
productivity.

Compatibility Issues: Potential incompatibility with other software or hardware, causing operational
inefficiencies.

8. What is a software license?

A software license is a document that provides legally binding guidelines for the use and distribution of
software.

Software licenses typically provide end users with the right to one or more copies of the software
without violating copyrights. The license also defines the responsibilities of the parties entering into the
license agreement and may impose restrictions on how the software can be used.

Software licensing terms and conditions usually include fair use of the software, the limitations of
liability, warranties and disclaimers. They also specify protections if the software or its use infringes on
the intellectual property rights of others.

Software licenses are typically proprietary, free or open source. The
distinguishing feature is the terms under which users may
redistribute or copy the software for future development or use.

How do software licenses work?

The following are some examples of specifications a license might include:

how many times the software can be downloaded;

what the software will cost; and

what level of access users will have to the source code.

--------------------------------------------------------------------------------------------------------------------------

What are the different types of software licenses?

There are two general types of software licenses that differ based on how they are viewed under
copyright law.

Free and open source software (FOSS) licenses are often referred to as open source. FOSS source code
is available to the customer along with the software product. The customer is usually allowed to use the
source code to change the software.

Proprietary licenses are often referred to as closed source. They provide customers with operational
code. Users cannot freely alter this software. These licenses also usually restrict reverse engineering the
software's code to obtain the source code.

--------------------------------------------------------------------------------------------------------------------

Digital Signature

A digital signature is a mathematical technique which validates the authenticity and integrity of a
message, software or digital document. It allows us to verify the author's name, the date and time of
the signature, and to authenticate the message contents. The digital signature offers far more inherent
security and is intended to solve the problem of tampering and impersonation (intentionally copying
another person's characteristics) in digital communications.

Computer-based business information authentication interrelates both technology and the law. It
also calls for cooperation between people of different professional backgrounds and areas of
expertise.

Digital signatures differ from other electronic signatures not only in terms of process and
result, but also in that they are more serviceable for legal purposes. Some
electronic signatures that are legally
recognizable as signatures may not be as secure as digital signatures and may lead to uncertainty and
disputes.

Application of Digital Signature

The important reasons to apply digital signatures to communication are:

Authentication

Non-repudiation

Integrity

Authentication

Authentication is a process which verifies the identity of a user who wants to access the system. In the
digital signature, authentication helps to authenticate the sources of messages.

Non-repudiation

Non-repudiation means assurance of something that cannot be denied. It ensures that a party to a
contract or communication cannot later deny the authenticity of their signature on a document or in a
file, or the sending of a message that they originated.

Integrity

Integrity ensures that the message is real and accurate, and safeguards it from unauthorized modification
during transmission.

Algorithms in Digital Signature

A digital signature consists of three algorithms:

1. Key generation algorithm

The key generation algorithm selects a private key randomly from a set of possible private keys. This
algorithm outputs the private key and its corresponding public key.

2. Signing algorithm

A signing algorithm produces a signature for the document.

3. Signature verifying algorithm

A signature verifying algorithm either accepts or rejects the document's authenticity.

How digital signatures work

Digital signatures are created and verified by using public key cryptography, also known as asymmetric
cryptography. By the use of a public key algorithm, such as RSA, one can generate two keys that are
mathematically linked: one is a private key, and the other is a public key.

The user who is creating the digital signature uses their own private key to encrypt the signature-
related document. The only way to decrypt that document is with the signer's public
key.

This technology requires all the parties to trust that the individual who creates the signature has been
able to keep their private key secret. If someone has access to the signer's private key, there is a
possibility that they could create fraudulent signatures in the name of the private key holder.

The steps followed in creating and verifying a digital signature are:

Select a file to be digitally signed.

The hash value of the message or file content is calculated. This hash value is encrypted
using the sender's private key to form the digital signature. The
original message or file content, along with the digital signature, is transmitted.

The receiver decrypts the digital signature by using the sender's public key, recovering the hash value
the sender computed.

The receiver now has the message or file content and can compute its hash value.

The computed hash value is compared with the hash value recovered from the signature. The
two must be the same for integrity to be assured.
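The three algorithms and the sign-then-verify steps above, as an added example in Go that is not part of these notes: it uses RSA with SHA-256 from the Go standard library, a constructed sample document, and shows that a changed document or a different key pair makes verification fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// KeyPair is the output of the key generation algorithm: a random private key
// and the public key mathematically linked to it.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// GenerateKeys is the key generation algorithm (RSA, `bits` long).
func GenerateKeys(bits int) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Sign is the signing algorithm: hash the document with SHA-256, then apply
// the signer's private key to the hash (RSA PKCS#1 v1.5). The document itself
// is not encrypted; it travels unchanged alongside the signature.
func Sign(priv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the signature verifying algorithm: the receiver recomputes the
// hash of what it received and checks it against the signature with the
// signer's public key. Any change to the document or the signature, or a
// signature made with a different private key, makes this return false.
func Verify(pub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	signer, err := GenerateKeys(2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample document; any bytes (a file, a message) work the same way.
	doc := []byte("Pay 100 units to account 42")
	sig, err := Sign(signer.Private, doc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("genuine document verifies:", Verify(signer.Public, doc, sig))

	// Integrity: one changed digit changes the hash, so the signature no longer matches.
	tampered := []byte("Pay 900 units to account 42")
	fmt.Println("tampered document verifies:", Verify(signer.Public, tampered, sig))

	// Authentication: a signature only verifies under the key pair that produced it.
	other, err := GenerateKeys(2048)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("verifies under another party's key:", Verify(other.Public, doc, sig))
}
```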

------------------------------------------------------------------------------------------------------------------------

Security Policies

Security policies are a formal set of rules issued by an organization to ensure that users who
are authorized to access company technology and information assets comply with rules and guidelines
related to the security of information. It is a written document in the organization which sets out
how to protect the organization from threats and how to handle them when they occur.

A security policy is also considered to be a "living document", which means that the document is never
finished but is continuously updated as the requirements of the technology and employees change.

Need of Security policies-

1) It increases efficiency.

The best thing about having a policy is being able to increase the level of consistency, which saves time,
money and resources. The policy should inform employees about their individual duties, telling
them what they can and cannot do with the organization's sensitive information.

2) It upholds discipline and accountability

When a human mistake occurs and system security is compromised, the security policy of the
organization will back up any disciplinary action and also support a case in a court of law. The
organization's policies act as a contract which proves that the organization has taken steps to protect its
intellectual property, as well as its customers and clients.

3) It can make or break a business deal

It is not necessary for companies to provide a copy of their information security policy to other vendors
during a business deal that involves the transfer of their sensitive information. This is true in the case of
bigger businesses, which ensure their own security interests are protected when dealing with smaller
businesses that have less high-end security systems in place.

4) It helps to educate employees on security literacy

A well-written security policy can also be seen as an educational document which informs readers
of the importance of their responsibility in protecting the organization's sensitive data. It covers everything
from choosing the right passwords to providing guidelines for file transfers and data storage, which increases
employees' overall awareness of security and how it can be strengthened.

Types of Cyber Attacks

A cyber-attack is an exploitation of computer systems and networks. It uses malicious code to alter
computer code, logic or data and leads to cybercrimes, such as information and identity theft.

We are living in a digital era. Nowadays, most people use computers and the internet. Due to this
dependency on digital things, illegal computer activity is growing and changing like any other type of
crime.

Cyber-attacks can be classified into the following categories:

Web-based attacks

These are the attacks which occur on a website or web applications. Some of the important web-based
attacks are as follows-

1. Injection attacks

It is an attack in which data is injected into a web application to manipulate the application
and fetch the required information.

Example- SQL Injection, code Injection, log Injection, XML Injection etc.

2. DNS Spoofing

DNS spoofing is an attack involving manipulating DNS records to redirect users toward a fraudulent,
malicious website that may resemble the user's intended destination.

3. Session Hijacking

It is a security attack on a user session over a protected network. Web applications create cookies to
store the state and user sessions. By stealing the cookies, an attacker can gain access to all of the user's
data.

4. Phishing

Phishing is a type of attack which attempts to steal sensitive information like user login credentials and
credit card numbers. It occurs when an attacker masquerades as a trustworthy entity in electronic
communication.

5. Brute force

It is a type of attack which uses a trial-and-error method. This attack generates a large number of guesses
and validates them to obtain actual data like a user's password or personal identification number. This
attack may be used by criminals to crack encrypted data, or by security analysts to test an organization's
network security.

6. Denial of Service

It is an attack which is meant to make a server or network resource unavailable to its users. It
accomplishes this by flooding the target with traffic or by sending it information that triggers a crash. It
uses a single system and a single internet connection to attack a server. It can be classified into the following-

Volume-based attacks- Their goal is to saturate the bandwidth of the attacked site, and they are measured
in bits per second.

Protocol attacks- They consume actual server resources, and are measured in packets per second.

Application layer attacks- Their goal is to crash the web server, and they are measured in requests per second.

7. Dictionary attacks

This type of attack uses a stored list of commonly used passwords and validates each of them to obtain the
original password.
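
Both brute-force (item 5) and dictionary attacks (item 7) leave the same trace in authentication logs: many failures from one source in a short time, sometimes followed by a success. The following is an added example (not from the original notes) of detection logic for that pattern. The log lines are constructed in a simplified sshd-like format, the addresses come from the documentation ranges, and the five-failures-per-minute threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (made up for this example, not a real capture).
# 203.0.113.5 hammers one account and then gets in; 192.0.2.9 guesses slowly;
# 198.51.100.7 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 Failed password for alice from 203.0.113.5
2024-05-01T10:00:03 Failed password for alice from 203.0.113.5
2024-05-01T10:00:04 Failed password for alice from 203.0.113.5
2024-05-01T10:00:06 Failed password for alice from 203.0.113.5
2024-05-01T10:00:08 Failed password for alice from 203.0.113.5
2024-05-01T10:00:09 Failed password for alice from 203.0.113.5
2024-05-01T10:00:11 Accepted password for alice from 203.0.113.5
2024-05-01T10:00:30 Failed password for bob from 198.51.100.7
2024-05-01T10:05:00 Accepted password for bob from 198.51.100.7
2024-05-01T10:10:00 Failed password for root from 192.0.2.9
2024-05-01T10:13:00 Failed password for root from 192.0.2.9
2024-05-01T10:16:00 Failed password for root from 192.0.2.9
2024-05-01T10:19:00 Failed password for root from 192.0.2.9
2024-05-01T10:22:00 Failed password for root from 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_events(log_text):
    """Yield (timestamp, outcome, user, source_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak failure count} for every source whose failures inside
    some sliding window of length `window` reach `threshold`."""
    failures = defaultdict(list)
    for ts, outcome, _user, ip in parse_events(log_text):
        if outcome == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def successes_after_burst(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return [(source_ip, user)] for logins that succeeded right after a burst of
    failures from the same source: the signature of a guess that finally landed."""
    events = sorted(parse_events(log_text))
    hits = []
    for i, (ts, outcome, user, ip) in enumerate(events):
        if outcome != "Accepted":
            continue
        recent_failures = sum(
            1 for (t2, o2, _u2, ip2) in events[:i]
            if ip2 == ip and o2 == "Failed" and ts - t2 <= window)
        if recent_failures >= threshold:
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    print("guessing sources, 1-minute window:", find_guessing_sources(SAMPLE_LOG))
    print("guessing sources, 15-minute window:",
          find_guessing_sources(SAMPLE_LOG, window=timedelta(minutes=15)))
    print("successful logins after a burst:", successes_after_burst(SAMPLE_LOG))
```

The window length matters: with a one-minute window only the fast attacker is flagged, while widening it to fifteen minutes also catches the slow guesser against `root`. A success that follows a burst from the same source deserves an alert of its own, because a lockout or rate limit on the account would have prevented it.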

8. URL Interpretation

It is a type of attack in which certain parts of a URL are changed, so that a web server can be made to
deliver web pages which the user is not authorized to browse.

9. File Inclusion attacks

It is a type of attack that allows an attacker to access unauthorized or essential files that are available on
the web server, or to execute malicious files on the web server by making use of the include functionality.

10. Man in the middle attacks

It is a type of attack that allows an attacker to intercept the connection between client and server
and act as a bridge between them. Due to this, the attacker is able to read, insert and modify the
data in the intercepted connection.

System-based attacks

These are the attacks which are intended to compromise a computer or a computer network. Some of
the important system-based attacks are as follows-

1. Virus

It is a type of malicious software program that spreads throughout the computer's files without the
knowledge of the user. It is a self-replicating malicious computer program that replicates by inserting
copies of itself into other computer programs when executed. It can also execute instructions that cause
harm to the system.

2. Worm

It is a type of malware whose primary function is to replicate itself in order to spread to uninfected
computers. It works much like a computer virus. Worms often originate from email attachments that appear
to be from trusted senders.

3. Trojan horse

It is a malicious program that causes unexpected changes to computer settings and unusual activity, even
when the computer should be idle. It misleads the user about its true intent. It appears to be a normal
application, but when it is opened/executed, malicious code runs in the background.

4. Backdoors

It is a method that bypasses the normal authentication process. A developer may create a backdoor so
that an application or operating system can be accessed for troubleshooting or other purposes.

5. Bots

A bot (short for "robot") is an automated process that interacts with other network services. Some bot
programs run automatically, while others only execute commands when they receive specific input.
Common examples of bot programs are crawlers, chatroom bots, and malicious bots.
