ABES Engineering College, Ghaziabad w.e.f.: Feb. , 2015
Form No. Acad-006
Department of Computer Applications
Session: 2018-19 Semester: III Section: (A+B)
Subject Code: RCA 305 Subject Name: Cyber Security
Assignment - 1
Date of Assignment: Date of submission:
Q1. Discuss the process of an Information System. Explain the types of Information System in detail.
Sol: An information system can be described as a combination of hardware, software, data, business
processes and functions that is used to increase the efficiency and management of an organization. Any
specific information system aims to support operations, management and decision-making.
Types:
Operations Support System
In an organization, data is input by end users and processed to generate information products, i.e.
reports, which are used by internal and/or external users. Such a system is called an operations support
system.
The purpose of the operations support system is to facilitate business transactions, control production,
support internal as well as external communication and update the organization's central database. The
operations support system is further divided into the transaction processing system, the process control
system and the enterprise collaboration system.
Transaction Processing System (TPS)
In a manufacturing organization, there are several types of transactions across departments. Typical
organizational departments are Sales, Accounts, Finance, Plant, Engineering, Human Resources and
Marketing. Across these, the following transactions may occur: sales orders, sales returns, cash receipts,
credit sales, credit slips, material accounting, inventory management, depreciation accounting, etc.
These transactions can be categorized into batch transaction processing, single transaction processing
and real-time transaction processing.
Process Control System
In a manufacturing organization, certain decisions are made by a computer system without any manual
intervention. In this type of system, critical information is fed to the system on a real-time basis, thereby
enabling process control. Such systems are referred to as process control systems.
Enterprise Collaboration System
In recent times, there is more stress on team effort or collaboration across different functional
teams. A system which enables collaborative effort by improving communication and sharing of
data is referred to as an enterprise collaboration system.
Management Support System
Managers require precise information in a specific format to make organizational decisions. A system
which facilitates an efficient decision-making process for managers is called a management support
system.
Management support systems are essentially categorized as management information systems, decision
support systems, expert systems and accounting information systems.
A management information system provides information to managers to facilitate routine decision-making.
A decision support system provides information to managers to facilitate the solution of a specific issue.
Q2. What do you understand by Information System?
Sol: An information system (IS) is an organized system for the collection, organization, storage and
communication of information. More specifically, it is the study of complementary networks that people and
organizations use to collect, filter, process, create and distribute data.
• An Information System is a man-made system that facilitates an organization's operational
functions and supports management decision-making by providing information that managers
can use to plan and control the activities of the firm.
Q3. What are the risks associated with using public Wi-Fi?
Sol: The same features that make free Wi-Fi hotspots desirable for consumers make them desirable for
hackers; namely, that no authentication is required to establish a network connection. Hackers can also
use an unsecured Wi-Fi connection to distribute malware.
Man-in-the-Middle attacks
One of the most common threats on these networks is called a Man-in-the-Middle (MitM) attack.
Essentially, a MitM attack is a form of eavesdropping. When a computer makes a connection to the
Internet, data is sent from point A (computer) to point B (service/website), and vulnerabilities can allow
an attacker to get in between these transmissions and “read” them. So what you thought was private no
longer is.
Unencrypted networks
Encryption means that the information sent between your computer and the wireless router is in the form
of a “secret code,” so that it cannot be read by anyone who doesn’t have the key to decipher it. Most routers
are shipped from the factory with encryption turned off by default, and it must be turned on when the
network is set up. If an IT professional set up the network, then chances are good that encryption has been
enabled. However, there is no surefire way to tell whether this has happened.
Malware distribution
Thanks to software vulnerabilities, there are also ways that attackers can slip malware onto your
computer without you even knowing. A software vulnerability is a security hole or weakness found in an
operating system or software program. Hackers can exploit this weakness by writing code to target a
specific vulnerability, and then inject the malware onto your device.
Snooping and sniffing
Wi-Fi snooping and sniffing is what it sounds like. Cybercriminals can buy special software kits and even
devices to help assist them with eavesdropping on Wi-Fi signals. This technique can allow the attackers
to access everything that you are doing online — from viewing whole webpages you have visited
(including any information you may have filled out while visiting that webpage) to being able to capture
your login credentials, and even hijack your accounts.
Malicious hotspots
These “rogue access points” trick victims into connecting to what they think is a legitimate network
because the name sounds reputable. Say you’re staying at the Goodnyte Inn and want to connect to the
hotel’s Wi-Fi. You may think you’re selecting the correct one when you click on “GoodNyte Inn,” but
you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now
view your sensitive information.
How to stay safe on public Wi-Fi
The best way to know your information is safe while using public Wi-Fi is to use a virtual private
network (VPN), like Norton WiFi Privacy, when surfing on your PC, Mac, smartphone or tablet.
However, if you must use public Wi-Fi, follow these tips to protect your information.
Don’t:
• Allow your Wi-Fi to auto-connect to networks
• Log into any account via an app that contains sensitive information. Go to the website instead and
verify it uses HTTPS before logging in
• Leave your Wi-Fi or Bluetooth on if you are not using them
• Access websites that hold your sensitive information, such as financial or healthcare accounts
• Log onto a network that isn’t password protected
Do:
• Disable file sharing
• Only visit sites using HTTPS
• Log out of accounts when done using them
• Use a VPN, like Norton WiFi Privacy, to make sure your public Wi-Fi connections are made private
Q4. Differentiate between Information Security and Information Assurance.
Sol: The measures that protect and defend information and information systems by ensuring:
1. Availability
2. Integrity
3. Authentication
4. Confidentiality
5. Non-Repudiation
• The measures that provide for restoring information systems after an attack by putting in place
proper protection, detection and reaction abilities.
Attributes Of Information Assurance
• Authentication
• Access Control
• Information & Data Integrity
• Intrusion Detection System (IDS)
• Cryptography
• Security Verification
• Risk Analysis & Management
Q5. Explain various threats to Information security.
Sol: Modern technology and society’s constant connection to the Internet allows more creativity in
business than ever before – including the black market. Cybercriminals are carefully discovering
new ways to tap the most sensitive networks in the world. Protecting business data is a growing
challenge but awareness is the first step. Here are the top 10 threats to information security
today:
1. Accidental Threats
2. Intentional Threats
Assignment – 2
Q1. What is firewall? Compare different types of firewall.
Sol: A firewall is a network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules. A firewall typically establishes a barrier
between a trusted internal network and untrusted external network, such as the Internet.
• A choke point of control and monitoring
• Interconnects networks with differing trust
• Imposes restrictions on network services
– only authorized traffic is allowed
• Auditing and controlling access
– can implement alarms for abnormal behavior
• Is itself immune to penetration
Classification of Firewall:
Packet filtering firewalls
This, the original type of firewall, operates inline at junction points where devices such as routers and
switches do their work. However, this firewall doesn't route packets, but instead compares each packet
received to a set of established criteria -- such as the allowed IP addresses, packet type, port number, etc.
Packets that are flagged as troublesome are, generally speaking, unceremoniously dropped -- that is, they
are not forwarded and, thus, cease to exist.
Circuit-level gateways
Using another relatively quick way to identify malicious content, these devices monitor the TCP
handshakes across the network as they are established between the local and remote hosts to determine
whether the session being initiated is legitimate -- whether the remote system is considered trusted. They
don't inspect the packets themselves, however.
Application-level gateways
This kind of device, technically a proxy and sometimes referred to as a proxy firewall, combines some of
the attributes of packet filtering firewalls with those of circuit-level gateways. They filter packets not
only according to the service for which they are intended -- as specified by the destination port -- but also
by certain other characteristics, such as the HTTP request string. While gateways that filter at the
application layer provide considerable data security, they can dramatically affect network performance.
Proxy Server Firewall:
A proxy firewall is a network security system that protects network resources by filtering messages at the
application layer. A proxy firewall may also be called an application firewall or gateway firewall.
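As an added illustration, not part of the assignment answer: a small Go model of the first two firewall types above. Stateless applies a rule table the way a packet filtering firewall does; Inbound adds the session table of a circuit-level gateway, so a TCP segment that is neither a reply to an inside-initiated connection nor a new handshake is dropped even when a port rule alone would admit it. The Packet struct, rule set and addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields a packet filter inspects (constructed model).
type Packet struct {
	Proto            string // "tcp" or "udp"
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
	Syn              bool // TCP SYN set: a new connection attempt, not a reply
}

// Rule is one entry of the rule table. Zero values mean "any":
// Proto "" any protocol, Src nil any source, DstPort 0 any port.
type Rule struct {
	Allow   bool
	Proto   string
	Src     *net.IPNet
	DstPort int
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.Src == nil || r.Src.Contains(p.SrcIP)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter applies rules top to bottom: the first match decides and a packet
// matching nothing is dropped (default deny). sessions remembers TCP
// connections opened from the trusted side, keyed by the expected reply tuple.
type Filter struct {
	Rules    []Rule
	sessions map[string]bool
}

func NewFilter(rules []Rule) *Filter {
	return &Filter{Rules: rules, sessions: map[string]bool{}}
}

func tuple(srcIP net.IP, srcPort int, dstIP net.IP, dstPort int) string {
	return fmt.Sprintf("%s:%d>%s:%d", srcIP, srcPort, dstIP, dstPort)
}

// Stateless consults only the rule table, as a plain packet filter does.
func (f *Filter) Stateless(p Packet) bool {
	for _, r := range f.Rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return false
}

// Outbound records a TCP connection leaving the trusted network so its replies
// can be recognised (outbound policy is not enforced in this model).
func (f *Filter) Outbound(p Packet) {
	if p.Proto == "tcp" {
		f.sessions[tuple(p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)] = true
	}
}

// Inbound is the circuit-level check: a reply to a known session passes, a new
// handshake (SYN) is judged by the rule table, any other TCP segment is dropped.
func (f *Filter) Inbound(p Packet) bool {
	if p.Proto == "tcp" {
		if f.sessions[tuple(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)] {
			return true
		}
		if !p.Syn {
			return false
		}
	}
	return f.Stateless(p)
}

// DemoPolicy is a constructed table: anyone may reach the web server on 443,
// only the internal 10.0.0.0/8 range may reach SSH on 22, all else is denied.
func DemoPolicy() []Rule {
	_, internal, _ := net.ParseCIDR("10.0.0.0/8")
	return []Rule{
		{Allow: true, Proto: "tcp", DstPort: 443},
		{Allow: true, Proto: "tcp", Src: internal, DstPort: 22},
	}
}

func main() {
	f := NewFilter(DemoPolicy())
	// A stray ACK to 443 with no prior session: the port rule admits it, the session table does not.
	stray := Packet{Proto: "tcp", SrcIP: net.ParseIP("203.0.113.9"), SrcPort: 4444,
		DstIP: net.ParseIP("192.0.2.10"), DstPort: 443}
	fmt.Println("stateless:", f.Stateless(stray), "stateful:", f.Inbound(stray))
}
```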
Q2. What is a Digital Signature? What are the requirements of a digital signature system? List the security
services provided by it.
Sol: A digital signature is a digital code (generated and authenticated by public key encryption) which is
attached to an electronically transmitted document to verify its contents and the sender's identity.
In the following example the message is only signed, not encrypted: 1) Alice signs a message with her
private key. 2) Bob can verify that Alice sent the message and that the message has not been modified.
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or
documents. A valid digital signature gives a recipient reason to believe that the message was created by a
known sender (authentication), that the sender cannot deny having sent the message (non-repudiation),
and that the message was not altered in transit (integrity).
Security services provided by a digital signature:
• Authentication
• Integrity
• Non-repudiation
Measures for a secure digital signature system:
• Putting the private key on a smart card
• Using smart card readers with a separate keyboard
• Other smart card designs
• Using digital signatures only with trusted applications
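As an added example, not part of the assignment answer: the Alice/Bob exchange above in Go, using the standard library's Ed25519 implementation. Alice signs with her private key; Bob keeps a keyring of trusted public keys and verifies against the claimed sender, which demonstrates the three services listed: a genuine message verifies, a message modified in transit fails (integrity), and a message signed with another key but claiming to be from Alice fails (authentication). The names, the Keyring type and the sample document are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is one party's Ed25519 key pair. The private half never leaves its
// owner; only the public half is published.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// SignedMessage is what goes over the wire: the claimed sender, the document
// in the clear (signed, not encrypted) and the detached signature.
type SignedMessage struct {
	From string
	Body []byte
	Sig  []byte
}

// Sign is step 1: the sender signs the body with their private key.
func (s *Signer) Sign(body []byte) SignedMessage {
	return SignedMessage{From: s.Name, Body: body, Sig: ed25519.Sign(s.priv, body)}
}

// Keyring is the recipient's store of trusted public keys, by sender name.
type Keyring map[string]ed25519.PublicKey

// Verify is step 2: the recipient looks up the public key of the claimed
// sender and checks the signature over the body. Success gives authentication
// (only that key's holder could have signed), integrity (any change to Body
// fails) and non-repudiation (the sender cannot disown a signature that only
// their private key could have produced).
func (k Keyring) Verify(m SignedMessage) bool {
	pub, ok := k[m.From]
	if !ok {
		return false // unknown sender: nothing to authenticate against
	}
	return ed25519.Verify(pub, m.Body, m.Sig)
}

// Tamper flips one bit of the body, modelling modification in transit.
func Tamper(m SignedMessage) SignedMessage {
	body := append([]byte(nil), m.Body...)
	body[len(body)-1] ^= 0x01
	return SignedMessage{From: m.From, Body: body, Sig: m.Sig}
}

func main() {
	alice, err := NewSigner("Alice")
	if err != nil {
		panic(err)
	}
	mallory, _ := NewSigner("Mallory")
	bob := Keyring{"Alice": alice.PublicKey(), "Mallory": mallory.PublicKey()}

	msg := alice.Sign([]byte("Pay 100 EUR to account 42")) // constructed document
	forged := mallory.Sign(msg.Body)
	forged.From = "Alice" // claims to be Alice, but signed without her private key

	fmt.Println("genuine message verifies:", bob.Verify(msg))
	fmt.Println("modified in transit:     ", bob.Verify(Tamper(msg)))
	fmt.Println("forged with another key: ", bob.Verify(forged))
}
```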
Q3. Explain different security threats to Cyber Security with suitable example.
Sol: Different security threats to cyber security are:
Malware: Malware is short for “malicious software.” Wikipedia describes malware as a term used to
mean a “variety of forms of hostile, intrusive, or annoying software or program code.” Malware could be
computer viruses, worms, Trojan horses, dishonest spyware, and malicious rootkits—all of which are
defined below.
Computer virus: A computer virus is a small piece of software that can spread from one infected
computer to another. The virus could corrupt, steal, or delete data on your computer—even erasing
everything on your hard drive. A virus could also use other programs like your email program to spread
itself to other computers.
Trojan horse: Users can infect their computers with Trojan horse software simply by downloading an
application they thought was legitimate but was in fact malicious. Once inside your computer, a Trojan
horse can do anything from record your passwords by logging keystrokes (known as a keystroke logger)
to hijacking your webcam to watch and record your every move.
Malicious spyware: Malicious spyware is used to describe the Trojan application that was created by
cybercriminals to spy on their victims. An example would be keylogger software that records a victim’s
every keystroke on his or her keyboard. The recorded information is periodically sent back to the
originating cybercriminal over the Internet. Keylogging software is widely available and is marketed to
parents or businesses that want to monitor their kids’ or employees’ Internet usage.
Computer worm: A computer worm is a software program that can copy itself from one computer to
another, without human interaction. Worms can replicate in great volume and with great speed. For
example, a worm can send copies of itself to every contact in your email address book and then send
itself to all the contacts in your contacts’ address books.
Because of their speed of infection, worms often gain notoriety overnight infecting computers across the
globe as quickly as victims around the world switch them on and open their email. This happened with
the Conficker worm (also known as Downadup), which, in just four days, had more than tripled the
number of computers it infected to 8.9 million.
Botnet: A botnet is a group of computers connected to the Internet that have been compromised by a
hacker using a computer virus or Trojan horse. An individual computer in the group is known as a
“zombie” computer.
The botnet is under the command of a “bot herder” or a “bot master,” usually to perform nefarious
activities. This could include distributing spam to the email contact addresses on each zombie computer,
for example. If the botnet is sufficiently big in number, it could be used to access a targeted website
simultaneously in what’s known as a denial-of-service (DoS) attack. The goal of a DoS attack is to bring
down a web server by overloading it with access requests. Popular websites such as Google
and Twitter have been victims of DoS attacks.
Spam: Spam in the security context is primarily used to describe email spam — unwanted messages in
your email inbox. Spam, or electronic junk mail, is a nuisance as it can clutter your mailbox as well as
potentially take up space on your mail server. Unwanted junk mail advertising items you don’t care for is
harmless, relatively speaking. However, spam messages can contain links that when clicked on could go
to a website that installs malicious software onto your computer.
Phishing: Phishing scams are fraudulent attempts by cybercriminals to obtain private information.
Phishing scams often appear in the guise of email messages designed to appear as though they are from
legitimate sources. For example, the message would try to lure you into giving your personal information
by pretending that your bank or email service provider is updating its website and that you must click on
the link in the email to verify your account information and password details.
Rootkit: According to TechTarget, a rootkit is a collection of tools that are used to obtain administrator-
level access to a computer or a network of computers. A rootkit could be installed on your computer by a
cybercriminal exploiting a vulnerability or security hole in a legitimate application on your PC and may
contain spyware that monitors and records keystrokes.
Rootkits gained notoriety when, in 2005, a security blogger discovered that a copy-protection tool inside
music CDs from Sony BMG Music Entertainment was secretly installing a rootkit when users copied the
CD onto their computers. At the time, security expert Bruce Schneier warned that the rootkit could allow
a hacker to “gain and maintain access to your system and you wouldn’t know it.”
Q4. Define EPS. Also explain various types of EPS with suitable examples.
Sol: An e-payment system (EPS) is a way of making transactions or paying for goods and services through
an electronic medium without the use of cheques or cash. It is also called an electronic payment system or
online payment system.
Various types of EPS:
Credit Card
The most popular form of payment for e-commerce transactions is through credit cards. It is simple
to use; the customer has to just enter their credit card number and date of expiry in the appropriate
area on the seller’s web page. To improve the security system, increased security measures, such
as the use of a card verification number (CVN), have been introduced to on-line credit card
payments. The CVN system helps detect fraud by comparing the CVN number with the cardholder's
information.
Debit Card
Debit cards are the second largest e-commerce payment medium in India. Customers who want to
spend online within their financial limits prefer to pay with their Debit cards. With the debit card, the
customer can only pay for purchased goods with the money that is already there in his/her bank
account as opposed to the credit card where the amounts that the buyer spends are billed to
him/her and payments are made at the end of the billing period.
Smart Card
It is a plastic card embedded with a microprocessor that has the customer’s personal information
stored in it and can be loaded with funds to make online transactions and instant payment of bills.
The money that is loaded in the smart card reduces as per the usage by the customer and has to
be reloaded from his/her bank account.
E-Wallet
E-Wallet is a prepaid account that allows the customer to store multiple credit cards, debit card and
bank account numbers in a secure environment. This eliminates the need to key in account
information every time while making payments. Once the customer has registered and created E-
Wallet profile, he/she can make payments faster.
Netbanking
This is another popular way of making e-commerce payments. It is a simple way of paying for online
purchases directly from the customer’s bank. It uses a similar method to the debit card of paying
money that is already there in the customer’s bank. Net banking does not require the user to have a
card for payment purposes but the user needs to register with his/her bank for the net banking
facility. While completing the purchase the customer just needs to put in their net banking id and pin.
Mobile Payment
One of the latest ways of making online payments are through mobile phones. Instead of using a
credit card or cash, all the customer has to do is send a payment request to his/her service provider
via text message; the customer’s mobile account or credit card is charged for the purchase. To set
up the mobile payment system, the customer just has to download a software from his/her service
provider’s website and then link the credit card or mobile billing information to the software.
Amazon Pay
Another convenient, secure and quick way to pay for online purchases is through Amazon Pay. Use
your information which is already stored in your Amazon account credentials to log in and pay at
leading merchant websites and apps. Your payment information is safely stored with Amazon and
accessible on thousands of websites and apps where you love to shop.
Q5. Justify the crucial role of a VPN. Discuss various protocols used for encryption and decryption in a VPN.
Sol: A Virtual Private Network (VPN) creates a secure private network connection over a public network,
like the Internet, and allows users to send and receive data across this secure private network. Virtual
Private Networks were formerly used mostly by large businesses and government organizations.
VPN tunnels have long been used to provide confidentiality and integrity for data over untrusted
networks like the Internet. Today, many companies use tunnels to secure traffic from remote workers to a
VPN gateway at the edge of the company network. That gateway is responsible for authenticating users
and controlling which destinations can be reached.
Today, VPNs are also being leveraged for endpoint security enforcement, either alone or in conjunction
with a broader Network Access Control (NAC) deployment. Endpoint devices are checked for
compliance before being granted network access. For example, a worker on a public PC may only be
permitted to check e-mail, while a worker on a company laptop may be given access to sensitive servers.
A laptop missing patches or infected with a Trojan may be directed to a quarantine server for remediation.
Wireless users can benefit from these same security measures.
Assignment – 3
Q1. What is application development security? Describe in brief security architecture and design.
Sol: Application security is the use of software, hardware, and procedural methods to protect applications from
external threats. Once an afterthought in software design, security is becoming an increasingly important
concern during development as applications become more frequently accessible over networks and are, as a
result, vulnerable to a wide variety of threats. Security measures built into applications and a sound application
security routine minimize the likelihood that unauthorized code will be able to manipulate applications to
access, steal, modify, or delete sensitive data.
Security architecture is one component of a product's or system's overall architecture and is developed to
provide guidance during the design of the product/system. Security architecture is the set of design artifacts
that describe how the security controls (security countermeasures) are positioned and how they relate to the
overall system architecture. These controls serve to maintain the system’s quality attributes such as
confidentiality, integrity and availability. A security policy is a statement that outlines how entities access
each other, what operations different entities can carry out, what level of protection is required for a system
or software product, and what actions should be taken when these requirements are not met.
Q2. How is the physical security of an organization achieved? What is the primary measure applied for the
security of backup?
Sol: Physical security describes security measures that are designed to deny unauthorized access to facilities,
equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft,
or terrorist attacks).
Many storage professionals responsible for backups believe that the mere existence of a process for
replicating sensitive data is all that's needed to keep the organization secure. But that's only half the
battle. It's what can be done with the data backups after the fact that introduces an entirely different set of
risks that are often overlooked. Here are 10 ways you can ensure that your data backups are secure:
1. Ensure your security policies include backup-related systems within their scope.
Practically every type of security policy -- from access controls to physical security to system
monitoring -- applies directly to data backups.
2. Include your data backup systems in your disaster recovery and incident response plans.
Data backups can be breached, compromised or destroyed. Be it a malware outbreak, employee
break-in or hurricane -- otherwise good backups can be adversely affected and you need to have a
plan outlining what you're going to do if that time comes.
3. Assign backup software access rights only to those who have a business need to be involved in
the backup process. Be sure not to overlook any Web-based interfaces that provide backup access, and
keep your original backup software media secured as well.
4. Store your backups offsite or at least in another building. I know this sounds pretty basic, but I
still see it a lot. A fire or other incident could be all that's needed to take out your data center and your
backups in one fell swoop.
5. However you choose to store your backups -- be it on tape, network-attached storage (NAS) or
external drives -- be sure to control access to the room/car/house in which the backups are stored. Handle
your backup media as you would any other critical hardware.
6. Use a fireproof and media-rated safe. Many people store their backups in a "fireproof" safe, but
typically one that's only rated for paper storage. Backup media such as tapes, optical disks and
magnetic drives have a lower burning/melting point than paper, and a standard fireproof safe only
serves to provide a false sense of security.
7. Find out the security measures that your vendors for offsite storage, data center and courier
services are taking to ensure that your backups remain safe in their hands. Although lawyers like
good contracts, they're not enough. Contracts do offer fallback measures, but they won't keep sensitive
data from being exposed in the first place, so make sure reasonable and consistent security measures
are in place with any vendor that has a hand in your backups.
8. Password-protect your backups at a minimum. Passwords aren't foolproof, because some people
with special skills and tools may be able to crack the code, but it is a level of security that should be
considered. That said, password protection is better than nothing and at least provides a layer of
security.
9. Encrypt your backups if your software and hardware support it. As with laptop computers and
other mobile devices, portable backup media need to be encrypted with strong passphrases, especially
if they're ever removed from the premises. Encryption implemented and managed in the right way
serves as an excellent last layer of defense. It also helps provide peace of mind knowing that the
worst outcome is that you'll have to buy new backup media -- especially when it comes to compliance
and data breach notifications.
10. You've heard it a thousand times but it deserves repeating: your backups are only as good as
what's on the backup media. There are two sides to this coin. First, make sure you're backing up
everything that's important. Most backups are server-centric, but what about all of that unstructured
data scattered about on your workstations and mobile devices that isn't getting backed up? Second,
test your backups occasionally -- especially if you're using tape. There's nothing worse than
recovering from a loss only to find out you backed up the wrong data or no data at all.
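As an added example, not part of the assignment answer: a Go check for the last point above (test your backups). Build records a SHA-256 manifest of a backup set when it is taken, and Verify re-hashes the media later and reports files that have gone missing or whose contents changed, which is what a restore test should catch before the backup is needed. The sample files are held in an in-memory fs.FS so the example runs anywhere; on real media the same functions take os.DirFS(path). The file names and contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"sort"
	"testing/fstest"
)

// Manifest records the SHA-256 of every file's contents at backup time,
// keyed by slash-separated path relative to the backup root.
type Manifest map[string]string

// Build hashes every regular file in the backup set. For real media pass
// os.DirFS("/mnt/backup"); the demo below uses an in-memory fs.FS instead.
func Build(media fs.FS) (Manifest, error) {
	m := Manifest{}
	err := fs.WalkDir(media, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := fs.ReadFile(media, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[p] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Report is what a restore test finds wrong with the media.
type Report struct {
	Missing  []string // listed in the manifest, no longer on the media
	Modified []string // still present, but the digest differs (bit-rot, tampering)
}

func (r Report) OK() bool { return len(r.Missing)+len(r.Modified) == 0 }

// Verify re-hashes the media and compares it with the manifest taken when the
// backup was made; a clean report is the minimum before trusting a restore.
func Verify(media fs.FS, want Manifest) (Report, error) {
	got, err := Build(media)
	if err != nil {
		return Report{}, err
	}
	var r Report
	for p, sum := range want {
		switch cur, ok := got[p]; {
		case !ok:
			r.Missing = append(r.Missing, p)
		case cur != sum:
			r.Modified = append(r.Modified, p)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Modified)
	return r, nil
}

// Demo builds a constructed in-memory backup set, records its manifest, then
// simulates damage after the fact (one file corrupted, one lost) and returns
// the verification reports from before and after.
func Demo() (fresh, damaged Report, err error) {
	media := fstest.MapFS{ // constructed sample backup set
		"db/customers.sql": {Data: []byte("INSERT INTO customers VALUES (1, 'sample');")},
		"config/app.env":   {Data: []byte("DB_HOST=db.internal")},
		"docs/readme.txt":  {Data: []byte("constructed sample file")},
	}
	manifest, err := Build(media)
	if err != nil {
		return
	}
	if fresh, err = Verify(media, manifest); err != nil {
		return
	}
	media["db/customers.sql"] = &fstest.MapFile{Data: []byte("garbage")}
	delete(media, "config/app.env")
	damaged, err = Verify(media, manifest)
	return
}

func main() {
	fresh, damaged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh backup verifies:", fresh.OK())
	fmt.Println("after damage: missing", damaged.Missing, "modified", damaged.Modified)
}
```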
Q3. How to develop secure information systems?
Sol: To develop secure information systems:
1. Protect with passwords.
2. Design safe systems.
3. Conduct screening and background checks.
4. Provide basic training.
5. Avoid unknown email attachments.
6. Hang up and call back.
7. Think before clicking.
Assignment – 4
Q1. What are Security Policies? Classify security policies in detail.
Sol: A security policy is a definition of what it means to be secure for a system, organization or other entity.
For systems, the security policy addresses constraints on functions and flow among them, constraints on
access by external systems and adversaries including programs, and access to data by people.
Classification of security policies:
1. WWW Policies
2. Email Policies
3. Corporate Policies
Q3. Discuss different ISO standards for information security.
Sol: The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
Using this family of standards will help your organization manage the security of assets such as financial
information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an information
security management system (ISMS).
• It is an International Standard for Information Security Management
• It consists of various specifications for information security management
• Code of practice for information security management
• Basis for contractual relationships
• Basis for third-party certification
• Can be certified by certification bodies
• Applicable to all industry sectors
• Emphasis on prevention
ISO 27001: Important Areas of Concern
1. Security policy (5)
2. Organization of information security (6)
3. Asset management(7)
4. Human resources security (8)
5. Physical and environmental security (9)
6. Communications and operations management (10)
7. Access control (11)
8. Information systems acquisition, development and maintenance (12)
9. Information security incident management (13)
10. Business continuity management (14)
11. Compliance (15)
Q4. Write a short note on:
(i) Patent Law
Sol: Patent law is the area of law that deals with an inventor's exclusive right to use their own invention.
The area of patent law aims to encourage new products and inventions by granting creators the legal right
to use and profit from the things that they create.
A patent does not refer to a right to practice or use an invention, but rather, the right to exclude others
from using, selling, making, offering for sale, or importing the patented invention. Once patented, the
underlying invention will be protected from use, sale, production, or importing for the term of the patent,
which is typically 20 years from the filing date.
(ii) Cyber Law & IT Act, 2000
Sol: Cyber laws are contained in the IT Act, 2000. This Act aims to provide the legal infrastructure for
e-commerce in India. The Information Technology Act, 2000 also aims to provide the legal framework so
that legal sanctity is accorded to all electronic records and other activities carried out by electronic means.
Enacted on 17th May 2000; India is the 12th nation in the world to adopt cyber laws.
The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL.
Objectives of the IT Act:
• To provide legal recognition for transactions carried out by means of electronic data interchange and
other means of electronic communication, commonly referred to as "electronic commerce"
• To facilitate electronic filing of documents with Government agencies and e-payments
• To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker’s Books Evidence Act, 1891
and the Reserve Bank of India Act, 1934