Cybersecurity Standards & Laws Study

The document outlines an experiment focused on studying various standards and laws of Cyber Security as part of a Secure Application Development Lab course. It covers the importance of cybersecurity, types of cyber attacks, relevant sections of the IT Act, and key security standards such as ISO 27000 series. The aim is to equip students with knowledge to understand and demonstrate cybersecurity laws and standards effectively.

Shraddha Kavale

TU4F2122008/A09
Terna Engineering College, Nerul
Department of Information Technology
A.Y. 2023-2024
Class: BE-IT(A), Semester: VII
Subject: Secure Application Development Lab

Experiment – 1: Study various standards of Cyber Security

Aim: To study different laws and standards of Cyber Security.

Objectives: After study of this experiment, the student will be able to

● Understand different Cyber Security laws.

● Identify and learn different standards of Cyber Security.

Outcomes: After study of this experiment, the student will be able to

● Demonstrate knowledge of different laws and standards of Cyber Security.

Prerequisite: Programming concepts, Cyber security.

Requirements: Personal Computer and Internet Connection.

Theory:

Cyber Security Introduction:


Cybersecurity is a critical field focused on protecting systems, networks, and data from digital
attacks. With the increasing reliance on digital infrastructure across all sectors, including
government, business, and personal use, cybersecurity has become a fundamental necessity. It
encompasses a wide range of practices aimed at safeguarding information and maintaining the
integrity, confidentiality, and availability of computer systems and networks against cyber threats.

What is cyber security?


Cybersecurity is the practice of protecting systems, networks, and data from digital attacks. These
cyberattacks aim to access, change, or destroy sensitive information, extort money from users
through ransomware, or interrupt normal business processes. Given the increasing connectivity and
reliance on digital technologies across various aspects of life, including communication,
entertainment, transportation, shopping, and medicine, cybersecurity has become indispensable. It
involves ensuring the confidentiality, integrity, and availability of information, safeguarding against
unauthorized access or criminal use of digital assets.

Why is cyber security important?

Cybersecurity is paramount in today's digital age for several critical reasons:

Protection Against Cyber Threats: Cybersecurity defends against a wide range of cyber threats, including phishing schemes, ransomware attacks, identity theft, data breaches, and the financial losses that follow from them. As technology becomes more deeply integrated into daily life, the opportunity for cyberattacks grows, necessitating robust cybersecurity measures to protect individuals and organizations.

Safeguarding Sensitive Data: Cybersecurity is essential for protecting sensitive data types, such as protected health information (PHI), personally identifiable information (PII), intellectual property, and government and business information systems. Without it, this data could be easily compromised, leading to significant financial and reputational damage.

Types of Cyber Attacks

A cyber-attack is a deliberate attempt to compromise computer systems and networks. It typically uses malicious code or crafted input to alter computer code, logic or data, and it can lead to cybercrimes such as information and identity theft.

Cyber-attacks can be classified into the following categories:

1) Web-based attacks

2) System-based attacks

Web-based attacks
These are attacks that target a website or web application. Some of the important web-based attacks are as follows:

● Injection attacks: An attack in which crafted data is supplied to a web application so that it is interpreted as code or commands rather than as data, letting the attacker manipulate the application and extract information it should not return. Examples: SQL injection, code injection, log injection, XML injection.

● DNS Spoofing: An attack in which forged records are introduced into a DNS resolver's cache, causing the resolver to return an incorrect IP address and diverting traffic to the attacker's machine or any other host. DNS spoofing can go undetected for a long time and can cause serious security issues.

● Session Hijacking: An attack on a user's session with a web application. Web applications use cookies to store state and session identifiers; by stealing the session cookie (for example through cross-site scripting or by sniffing an unencrypted connection), an attacker can act as the user without ever learning the password.

● Phishing: An attack that attempts to steal sensitive information such as login credentials and credit card numbers by masquerading as a trustworthy entity in electronic communication.

● Brute force: An attack that uses trial and error, generating a large number of guesses and testing each one to recover a secret such as a user password or personal identification number. It may be used by criminals to crack encrypted data, or by security analysts to test the strength of an organization's password policy.

● Denial of Service (DoS): An attack meant to make a server or network resource unavailable to its users, by flooding the target with traffic or sending it input that triggers a crash. A plain DoS attack uses a single system and a single internet connection; a distributed DoS (DDoS) uses many. These attacks can be classified as follows:

1. Volume-based attacks: The goal is to saturate the bandwidth of the attacked site; measured in bits per second.

2. Protocol attacks: These consume actual server or intermediate-device resources (for example the connection-state table, as in a SYN flood); measured in packets per second.

3. Application layer attacks: The goal is to exhaust or crash the web server itself; measured in requests per second.

● Dictionary attacks: A variant of brute force that tests a stored list of commonly used passwords (a dictionary) rather than every possible combination, which makes it far faster against weak passwords.

● URL Interpretation: An attack in which parts of a URL (path segments or query parameters) are altered so that the web server delivers pages or data the user is not authorized to browse.

● File Inclusion attacks: An attack that exploits an application's include functionality to read unauthorized or sensitive files on the web server (local file inclusion) or to execute attacker-controlled files (remote file inclusion).

● Man in the middle attacks: An attack in which the attacker intercepts the connection between client and server and relays traffic between them. The attacker can then read, insert and modify data in the intercepted connection.
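The injection, brute-force and dictionary entries above describe the attacks in prose. The following Python example is added here for this lab and is not part of the original document: it shows a login check that is vulnerable to SQL injection beside a hardened version that uses a parameterised query, a salted PBKDF2 password hash, a constant-time comparison, and a per-account lockout that throttles online dictionary attacks. The user tables, the user `alice`, the password and the guess list are constructed sample data, and the function and class names (`vulnerable_login`, `safe_login`, `ThrottledLogin`) are this example's own.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from collections import defaultdict

# Slow hash: roughly 0.1 s per guess on a laptop, so an offline attacker gets
# tens of guesses a second instead of millions. Value chosen for the example.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed sample user store (not real data). users_naive keeps the
    plaintext password that the vulnerable check compares inside SQL;
    users keeps a per-user random salt and a PBKDF2 hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_naive (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users_naive VALUES ('alice', 'correct horse')")
    conn.execute("INSERT INTO users VALUES ('alice', ?, ?)",
                 (salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SQL injection: user input is spliced into the SQL text, so a username of
    alice' --  closes the string literal and comments out the password check."""
    sql = ("SELECT 1 FROM users_naive WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: the ? placeholder sends the username as a bound value, never as
    SQL text; the password is verified against a salted hash in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same hashing time for unknown users so response timing does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


class ThrottledLogin:
    """Wraps safe_login with a per-account failure counter. After MAX_FAILURES
    wrong guesses the account is locked for LOCKOUT_SECONDS, so an online
    dictionary attack gets only a handful of guesses per lockout window."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300

    def __init__(self, conn: sqlite3.Connection, clock=time.monotonic):
        self.conn = conn
        self.clock = clock            # injectable so a test need not sleep
        self.failures = defaultdict(int)
        self.locked_until: dict[str, float] = {}

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"           # do not even evaluate the password
        if safe_login(self.conn, username, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked_until[username] = now + self.LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return "denied"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, username alice' -- :", vulnerable_login(db, "alice' --", "x"))
    print("hardened,   username alice' -- :", safe_login(db, "alice' --", "x"))
    guard = ThrottledLogin(db)
    for guess in ["123456", "password", "qwerty", "letmein", "admin"]:  # constructed dictionary
        print(guess, "->", guard.login("alice", guess))
    print("correct password while locked ->", guard.login("alice", "correct horse"))
```

Note the trade-off in the lockout: an attacker who knows a username can deliberately lock the legitimate user out (a denial of service on the login itself), so production systems combine per-account counters with per-source-IP throttling and exponential backoff, and alert on bursts of failures rather than relying on lockout alone.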

System-based attacks: These are attacks intended to compromise a computer or a computer network. Some of the important system-based attacks are as follows:

● Virus: A self-replicating malicious program that spreads by inserting copies of itself into other programs or files; the copies run when the infected host program is executed, usually without the user's knowledge. A virus can also carry a payload that damages the system.

● Worm: Malware whose primary function is to replicate itself to spread to uninfected computers. Unlike a virus, a worm is standalone: it does not need to attach itself to a host program, and it typically spreads over the network by exploiting vulnerabilities or through email attachments that appear to come from trusted senders.

● Trojan horse: A malicious program that misleads the user about its true intent. It appears to be a normal application, but when opened or executed it runs malicious code in the background, which may show up as unexpected changes to computer settings or unusual activity even when the computer should be idle.

● Backdoors: A method of bypassing the normal authentication process. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes, but once discovered, or when planted deliberately by malware, it gives an attacker the same privileged access.

● Bots: A bot (short for "robot") is an automated process that interacts with other network services. Some bots run autonomously, while others execute commands only when they receive specific input. Examples include web crawlers, chatroom bots, and malicious bots; a network of compromised machines under one controller is a botnet, commonly used for DDoS and spam.

Some important sections of the IT Act under which cyber crimes may be registered are:

● Section 65: Tampering with computer source documents. Penalty if found guilty: imprisonment up to 3 years and/or a fine up to Rs 2 lakh. An example of such a crime: employees of a telecom company were held guilty by the court for tampering with the Electronic Serial Number of cellphones of another company, which had locked the handsets before sale so that they would work only with its SIM.

● Section 66: Computer-related offences, i.e. dishonestly or fraudulently doing any of the acts listed in Section 43 (unauthorized access, data theft, introducing viruses, damaging systems, denying access, etc.). Punishment if found guilty: imprisonment up to three years and/or a fine up to Rs 5 lakh. An example: a criminal gained unauthorized access to an academy's network over broadband and changed users' passwords to deny them access; he was punished under Section 66 of the IT Act.

Sections 66A to 66F were added by the IT (Amendment) Act, 2008:

1. Section 66A: Punishment for sending offensive messages through a communication service (it did not cover hacking). This section was struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India (2015), so no case can be registered under it today.

2. Section 66B: Dishonestly receiving a stolen computer resource or communication device, knowing or having reason to believe it is stolen. Punishment: imprisonment up to three years, or a fine up to Rs 1 lakh, or both.

3. Section 66C: Identity theft: fraudulently or dishonestly using the electronic signature, password or any other unique identification feature (such as a biometric thumb impression) of another person. Punishment: imprisonment up to three years and a fine up to Rs 1 lakh. An example: a criminal obtained the login and password of an online trading account and transferred the profit to his own account by carrying out unauthorized transactions in that account; he was charged under Section 66C.

4. Section 66D: Cheating by personation using a computer resource. Punishment: imprisonment up to three years and a fine up to Rs 1 lakh. An example: a criminal posed as a woman, created a fake email ID, trapped a businessman in a cyber relationship and tried to extort Rs 96 lakh from him; he was arrested and charged under Section 66D and various other IPC sections.

5. Section 66E: Violation of privacy: capturing, publishing or transmitting images of a person's private areas without that person's consent. Punishment: imprisonment up to three years and/or a fine up to Rs 2 lakh.

6. Section 66F: Cyber terrorism. The guilty can be sentenced to imprisonment for life. An example: a threatening email sent to the Bombay Stock Exchange and the National Stock Exchange challenged the security forces to prevent a terror attack planned on those institutions; the sender was apprehended and charged under Section 66F of the IT Act.

● Section 67: Publishing or transmitting obscene material in electronic form. A first conviction carries imprisonment up to three years and a fine up to Rs 5 lakh; a second or subsequent conviction carries imprisonment up to five years and a fine up to Rs 10 lakh. An example: an accused from Mumbai posted obscene information about the victim on the internet after she refused to marry him; he was charged under Section 67 of the IT Act in addition to various sections of the IPC. Section 67A (sexually explicit material) and Section 67B (child pornography) extend this with harsher penalties.

Cyber pornography, i.e. publishing or transmitting sexual or other erotic material over cyberspace, especially the internet, is covered by these sections. Many websites exhibit pornographic photos, videos, etc., which can be produced quickly and cheaply either through morphing or through sexual exploitation of women and children. Morphing refers to editing an original picture under a fake identity or by an unauthorized user; it is punishable under the IPC and Section 66 of the IT Act, 2000. Child pornography is abundant on the internet. Online child pornography involves underage persons being lured into pornographic productions or being sold or forced into cybersex or lives of prostitution (CNN staff author, 2001). Kidnapping and international smuggling of young girls and boys for these purposes is now a transnational crime phenomenon, often instigated in impoverished nations where victims face dire economic circumstances.

Law enforcement agencies can also take recourse to the following sections of the Indian Penal Code, 1860 where the IT Act does not cover a specific cyber offence (note that from 1 July 2024 the IPC has been replaced by the Bharatiya Nyaya Sanhita, 2023, which renumbers these offences):

● Section 379: Punishment for theft: imprisonment up to three years and/or fine. Since many cybercrimes are committed using stolen mobiles/computers or stolen data, this IPC section comes into the picture.

● Section 420: Cheating and dishonestly inducing delivery of property: imprisonment up to seven years and fine. Cybercrimes such as creating bogus websites, stealing passwords to commit fraud, and other cyber frauds are punishable under this section.

● Section 463: Defines forgery, which includes making a false document or false electronic record; the punishment for forgery (Section 465) is imprisonment up to two years and/or fine. Email spoofing is one such crime.

● Section 468: Forgery for the purpose of cheating: imprisonment up to seven years and fine. Email spoofing carried out to defraud a victim is punishable under this section.

Security Standards
To make cybersecurity measures explicit, written norms are required. These norms are known as cybersecurity standards: generic sets of prescriptions for the ideal execution of certain measures. A standard may consist of methods, guidelines, reference frameworks, etc. Standards make security measures more effective, facilitate integration and interoperability, enable meaningful comparison of measures, reduce complexity, and provide a structure for new developments.

A security standard is "a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition." The goal of security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. Well-written cybersecurity standards enable consistency among product developers and serve as a reliable yardstick when purchasing security products.

Security standards are generally applicable to all organizations regardless of their size or the industry and sector in which they operate. This section covers the standards and laws that are usually recognized as essential components of any cybersecurity strategy.

1. ISO
ISO stands for International Organization for Standardization. International Standards make things work: they provide world-class specifications for products, services and systems to ensure quality, safety and efficiency, and they are instrumental in facilitating international trade.

ISO was officially established on 23 February 1947. It is an independent, non-governmental international organization. Today it has a membership of 162 national standards bodies and 784 technical committees and subcommittees that take care of standards development. ISO has published over 22,336 International Standards and related documents, covering almost every industry, from information technology to food safety, agriculture and healthcare.

ISO 27000 Series

This is the family of information security standards developed jointly by the International Organization for Standardization and the International Electrotechnical Commission (hence ISO/IEC 27000) to provide a globally recognized framework for information security management. It helps organizations keep their information assets secure, such as employee details, financial information, and intellectual property. The need for the ISO 27000 series arises from the risk of cyber-attacks that organizations face; attacks grow day by day, making attackers a constant threat to any industry that uses technology.

The main standards in the ISO 27000 series are:

● ISO/IEC 27001: The certifiable requirements standard. It lets an organization demonstrate to clients and stakeholders that it manages the security of their confidential data and information properly. It specifies a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).

● ISO/IEC 27000: Provides an overview of the series and an explanation of the terminology used in ISO/IEC 27001.

● ISO/IEC 27002: Provides guidance on information security controls and management practices, covering the selection, implementation, operation and management of controls, taking into consideration the organization's information security risk environment(s). The Annex A control list of ISO/IEC 27001 is derived from it.

● ISO/IEC 27005: Supports the general concepts specified in ISO/IEC 27001 and provides guidelines for information security risk management (context establishment, risk identification, analysis, evaluation and treatment). To fully understand ISO/IEC 27005, knowledge of the concepts, models, processes and terminology described in ISO/IEC 27001 and ISO/IEC 27002 is required. It is applicable to all kinds of organizations, such as non-government organizations, government agencies, and commercial enterprises.

● ISO/IEC 27032: The international standard that focuses explicitly on cybersecurity. It includes guidelines for protecting information beyond the borders of an organization, such as in collaborations, partnerships or other information-sharing arrangements with clients and suppliers.

2. IT Act
The Information Technology Act, 2000 (IT Act) is the pivotal legislation in India that addresses cybercrime and electronic commerce. Enacted by the Indian Parliament and in force from October 17, 2000, the act is based on the United Nations Model Law on Electronic Commerce, 1996 (UNCITRAL Model Law). It is the cornerstone for legal action concerning digital transactions and cybercrime within India, aiming to promote lawful and trustworthy electronic, digital and online transactions while reducing cybercrime.

As originally enacted the IT Act comprised 13 chapters and 94 sections, with four schedules amending the Indian Penal Code 1860 and other statutes such as the Indian Evidence Act 1872. The IT (Amendment) Act, 2008 added most of the offence sections listed above (66A to 66F and 67A to 67B). The act categorizes various cyber activities as offences, including hacking, data theft, virus dissemination, identity theft, defamation, pornography, child pornography, and cyber terrorism. Additionally, it grants legal validity to electronic contracts and recognizes electronic signatures, facilitating the growth of e-commerce and digital transactions in India.

3. Copyright Act
The Copyright Act in India, enacted in 1957 and subsequently amended, is a comprehensive legislation that governs the protection of creative works within the country. It safeguards the rights of creators of literary, dramatic, musical, and artistic works, as well as producers of cinematograph films and sound recordings. The act also extends its protection to architectural works and computer programs/software, recognizing the evolving nature of creative work in the digital age.

Under the Copyright Act, copyright is a bundle of exclusive rights granted to the creator of an original work, including the rights of reproduction, communication to the public, adaptation, and translation. These rights enable authors to control how their work is used and distributed, thereby incentivizing creativity and innovation. Importantly, the act distinguishes between mere ideas, knowledge, or concepts, which are not copyrightable, and the original expression of those elements, which is protected under copyright law.

4. Patent Law
The Indian Patent Act, 1970, is the primary legislation governing patents in India, providing an
exclusive right for an invention, which can be a product or a process offering a new way of doing
something or a new technical solution to a problem. To obtain a patent, detailed technical
information about the invention must be disclosed to the public in a patent application. The history
of patent law in India dates back to 1911 with the enactment of the Indian Patents and Designs Act,
1911. The current Patents Act, 1970, came into force in 1972 and has undergone several
amendments to align with international standards, notably becoming compliant with the Trade-
Related Aspects of Intellectual Property Rights (TRIPS) agreement through amendments in 1999,
2002, 2005, and 2006.

5. IPR
Intellectual Property Rights (IPR) refer to the legal rights that result from intellectual activity in the
industrial, scientific, literary, and artistic fields. IPRs are like any other property rights; they allow
creators, or owners, to benefit from their own work or investment in a creation. These rights are
protected by law through patents, copyright, trademarks, industrial designs, geographical
indications, and trade secrets, among others. The concept of IPR is designed to stimulate creativity
and innovation by enabling people to benefit from their inventions or works.

Post-Experiments Exercise:

Write any current real time case study on cyber security or cyber attack.

Social engineering at Mailchimp and Cisco: Mailchimp (January 2023) and Cisco (attack in May 2022, disclosed August 2022) both fell victim to social engineering, highlighting the growing prevalence and sophistication of such threats. According to the 2023 Data Breach Investigations Report by Verizon, social engineering accounted for 17% of data breaches and 10% of security incidents, making it one of the top three attack patterns. These attacks primarily target an organization's employees, deceiving them into revealing credentials or approving authentication prompts that protect corporate resources, and thus gaining unauthorized access to critical data and systems.

Impact
Mailchimp: The attack on Mailchimp led to unauthorized access to customer accounts and a breach of customer data. The attackers used social engineering against Mailchimp employees and contractors to obtain their credentials, then used an internal customer-support and account-administration tool to access account information, demonstrating that even well-established companies are vulnerable to social engineering.

Cisco: Cisco's breach began with the compromise of an employee's personal Google account, in which the browser had synced the employee's corporate credentials. The attacker then used voice phishing and repeated multi-factor authentication push notifications (MFA fatigue) until the employee accepted one, obtained VPN access as the victim, enrolled new MFA devices, escalated privileges and accessed internal systems. The incident underscored that robust cybersecurity requires phishing-resistant authentication and monitoring for anomalous access, not just traditional perimeter defenses.

Conclusion:
Cyber law is important because it touches almost all transactions and activities involving the internet, the World Wide Web and cyberspace. Every action and reaction in cyberspace has a legal angle, and this experiment studied the laws (IT Act, IPC, Copyright and Patent Acts, IPR) and standards (ISO/IEC 27000 series) that define it.
