Unit 2: Cyberattacks, Cybersecurity, and Cyber Law (12 Hrs.)
Threat Landscape: Computer Incidents, Types of Exploits; CIA Security Triad: Confidentiality, Integrity, Availability, Implementing CIA at Organizational, Network, Application, and End-User Level; Response to Cyberattack: Incident Notification, Protection of Evidence and Activity Logs, Incident Containment, Eradication, Incident Follow-Up Using an MSSP, and Computer Forensics; Cyber Law; Provision of Cyber Law and Electronic Transaction Act of Nepal
Data and information are indeed among the most important and valuable assets in the contemporary world, which is why the security of data and information systems used in business is so important.
Table 1: Data on Complaints Registered under the ETA (Electronic Transactions Act)
Table 2: Nature/Types of Cases Filed at the Kathmandu District Court of Nepal
Source: Kathmandu Metropolitan Precinct and Cyber Bureau
For instance, the worldwide financial services industry spent $27.4 billion on IT security and fraud prevention in 2015.
Why Are Computer Incidents So Prevalent?
1. Increasing Complexity Increases Vulnerability: Cloud computing, networks, computers, mobile devices, virtualization, operating systems, applications, websites, switches, routers, and gateways are interconnected and driven by hundreds of millions of lines of code, which increases the possibility of security breaches.
2. Expanding and Changing Systems Introduce New Risks: Businesses have moved quickly into e-commerce, mobile computing, collaborative work groups, global business, and interorganizational information systems, which introduces new security risks.
3. Increasing Prevalence of BYOD Policies: Bring your own device (BYOD) is a business policy that permits, and in some cases encourages, employees to use their own mobile devices (smartphones, tablets, or laptops) to access company computing resources and applications, including email, corporate databases, the corporate intranet, and the Internet, which raises many potential security issues.
4. Growing Reliance on Commercial Software with Known Vulnerabilities: According to the National
Vulnerability Database (the U.S. government repository of standards-based vulnerability management
data), the number of new software vulnerabilities identified in 2015 dropped 18 percent from the
previous year to 6,480.
The presence of software and hardware vulnerabilities, which can be exploited by attackers, necessitates
timely patching and updating to mitigate risks.
5. Increasing Sophistication of Those Who Would Do Harm: Today’s computer menace is much better
organized and may be part of an organized group (for example, Anonymous, Chaos Computer Club, Lizard
Squad, TeslaTeam, and hacker teams sponsored by national governments) that has an agenda and targets
specific organizations and websites.
Figure: Perpetrators of cybercrime
Short notes:
❖ Proliferation of Technology: The widespread use of computers and interconnected systems has
vastly expanded the attack surface, providing more opportunities for cybercriminals to exploit
vulnerabilities.
❖ Sophisticated Attackers: Cybercriminals and hacker groups continually develop advanced tools and
techniques, making it challenging for organizations to defend against their attacks.
❖ Human Vulnerabilities: Many computer incidents result from human errors, such as clicking on
phishing emails, weak password practices, and insufficient cybersecurity awareness and training.
❖ Software Vulnerabilities: The presence of software and hardware vulnerabilities, which can be
exploited by attackers, necessitates timely patching and updating to mitigate risks.
❖ Economic Incentives: Cybercrime is financially rewarding, motivating attackers to engage in
activities like ransomware attacks and data breaches, driving the prevalence of computer incidents.
Types of Exploits (Malicious Software: Malware):
"Exploit" refers to a specific piece of software or code that takes advantage of vulnerabilities, weaknesses, or
security flaws in computer systems, software, or networks to gain unauthorized access, execute malicious
actions, or compromise the integrity, confidentiality, or availability of data and resources.
1. Ransomware: Ransomware is malware that stops you from using your computer or accessing your data
until you meet certain demands, such as paying a ransom or sending photos to the attacker.
Example: LAPSUS$ Ransomware Gang targets Nepal: On Dec 30, 2021, a piece of news circulated regarding a ransom note sent by a cybercriminal group (SaudeGroup) through email to a victim organization in Nepal, stating that the criminal group had compromised the victim organization's IT infrastructure and erased internal data.
Cyber Criminal Group Name: Lapsus$ Group aka SaudeGroup
Criminal Characteristic: Ransomware Gang
Country of Origin: Brazil
2. Viruses:
❖ A virus is a piece of programming code that causes a computer to behave in an unexpected and usually undesirable manner.
❖ A virus executes only when the infected file is opened.
❖ Viruses are spread by the action of the "infected" computer user.
❖ Macro viruses have become a common and easily created form of virus.
3. Worms:
❖ A worm is capable of replicating itself on your computer
❖ Worms differ from viruses in that they can propagate without human intervention
❖ Example: The cost to repair the damage done by each of the Code Red, SirCam, and Melissa worms
was estimated to exceed $1 billion, with that of the Conficker, Storm, and ILOVEYOU worms totaling
well over $5 billion.
4. Trojan Horses:
❖ A Trojan horse is a seemingly harmless program in which malicious code is hidden.
❖ A "Trojan" is a type of malicious software that disguises itself as a legitimate or benign program to deceive users into running or installing it.
❖ Once activated, a Trojan provides unauthorized access to a victim's computer, allowing cybercriminals to carry out various malicious activities, including stealing sensitive data, manipulating the system, or delivering additional malware.
❖ Trojans use deception and social engineering to breach a computer's defenses, making them a prevalent and dangerous threat in the realm of cybersecurity.
❖ A logic bomb is a type of Trojan horse that executes when it is triggered by a specific event.
5. Blended threat: A blended threat is a sophisticated threat that combines the features of a virus, worm,
Trojan horse, and other malicious code into a single payload.
6. Spam:
❖ Spam refers to unsolicited and often irrelevant or inappropriate messages, typically sent over the
internet, especially via email. It can also manifest in other forms like instant messaging, social media,
and comments on websites.
❖ Spam is also used to deliver harmful worms and other malware.
❖ Spam can take various forms, including email spam, where users receive bulk messages promoting
products or services, phishing attempts, and malware distribution. Other forms include social media
spam, blog comment spam, and SMS spam.
7. DDoS Attacks:
❖ Distributed Denial of Service (DDoS) is a cyber attack where a network of compromised computers floods a target with overwhelming traffic, disrupting its normal operations.
❖ It keeps the target so busy responding to a stream of automated requests that legitimate users cannot get in.
❖ DDoS attacks utilize botnets, networks of infected computers, to generate massive volumes of requests, overwhelming the target's resources.
❖ Types of DDoS Attacks:
o Volumetric Attacks: Flood target bandwidth.
o Protocol Attacks: Exploit network protocol vulnerabilities.
o Application Layer Attacks: Target specific applications or services.
8. Rootkit:
❖ A rootkit is malicious software designed to gain unauthorized access to a computer or network and
obtain administrator-level control, often remaining undetected by security software.
9. Phishing:
❖ Phishing exploits human psychology by tricking individuals into revealing sensitive information, such
as usernames and passwords, often through deceptive emails or websites.
❖ The requested action may involve clicking on a link to a website or opening an email attachment.
❖ Methods:
o Email Phishing: Attackers send fraudulent emails, often mimicking trusted organizations, with
links or attachments that lead to fake websites or install malware.
o Spear Phishing: Targeted phishing attacks customized for specific individuals or organizations,
often using information gathered from social media or other sources.
o Smishing/Vishing: Smishing is phishing conducted through SMS or text messages, tricking users into clicking on malicious links or providing information. Vishing is similar to smishing except that the victims receive a voicemail message telling them to call a phone number or access a website.
10. Others:
❖ Zero-Day Exploits: Zero-day exploits target undisclosed vulnerabilities in software or hardware,
taking advantage of a "zero-day" window where no patch is available, making them highly effective
and dangerous.
❖ Social Engineering: Cybercriminals use social engineering to manipulate individuals into revealing
confidential information or performing actions that compromise security. Techniques may include
impersonation, pretexting, and baiting.
❖ SQL Injection: SQL injection exploits poorly sanitized user inputs in web applications, allowing
attackers to manipulate and execute unauthorized SQL database commands, potentially exposing
sensitive data.
CRITICAL THINKING EXERCISE
You are a member of the human resources department of a software manufacturer that has several products
and annual revenue in excess of $500 million. You’re on the phone with the manager of software development
who has made a request to hire a notorious black hat hacker to probe your company’s software products in
an attempt to identify any vulnerabilities. The reasoning is that if anyone can find a vulnerability in your
software, she can. This will give your firm a head start on developing patches to fix the problems before anyone
can exploit them. You feel uneasy about hiring people with criminal records and connections to unsavory
members of the hacker/cracker community and are unsure if you should approve the hire. Provide three good
reasons to hire this individual. Provide three good reasons not to hire this individual. How would you respond
to this request? Why?
Solution:
Three Reasons to Hire the Black Hat Hacker:
Expertise: The hacker possesses unique skills for identifying vulnerabilities.
Proactive Security: Allows for preemptive fixing of issues before exploitation.
Real-world Testing: Provides a practical, hands-on approach to security testing.
Three Reasons Not to Hire the Black Hat Hacker:
Legal and Ethical Risks: Hiring someone with a criminal record poses legal and ethical challenges.
Trust Concerns: Potential damage to company trust and reputation.
Alternative Solutions: Ethical hackers and established cybersecurity practices offer viable alternatives.
Response:
Considering legal, ethical, and reputational risks, it's recommended to explore alternative solutions, such as
engaging ethical hackers, to achieve security objectives without compromising integrity.
The CIA Security Triad:
The CIA Security Triad, also known as the CIA Triad model, is a foundational concept in information security that consists of three core principles:
Confidentiality:
❖ Definition: Ensures that information is accessible only to those who are authorized to access it.
❖ Objective: Protects sensitive data from unauthorized disclosure, maintaining privacy and preventing unauthorized access.
Integrity:
❖ Definition: Ensures that information is accurate, consistent, and unaltered during storage, transmission, or processing.
❖ Objective: Guarantees the trustworthiness of data, preventing unauthorized or accidental modifications.
Availability:
❖ Definition: Ensures that information and resources are available and accessible to authorized users when needed.
❖ Objective: Prevents disruptions, ensuring timely and reliable access to data and services.
Implementing CIA at the Organization Level
Risk Assessment:
❖ Conduct a thorough risk assessment to identify and understand potential threats and vulnerabilities to
the organization's information assets.
❖ Prioritize risks based on their potential impact on confidentiality, integrity, and availability.
Security Policies and Procedures:
❖ Develop and implement clear and comprehensive security policies and procedures that align with the
principles of the CIA triad.
❖ Include guidelines for data classification, access controls, encryption, and incident response.
Data Classification:
❖ Classify data based on its sensitivity and importance to the organization.
❖ Apply appropriate security controls to each classification level to ensure confidentiality is maintained.
Access Controls:
❖ Implement strong access controls to ensure that only authorized personnel have access to sensitive
information.
❖ Use authentication mechanisms, role-based access controls, and least privilege principles.
Encryption:
❖ Utilize encryption to protect sensitive data during transmission and storage.
❖ Implement protocols like SSL/TLS for secure communication and full-disk encryption for stored data.
Security Awareness Training:
❖ Conduct regular security awareness training for employees to educate them about the importance of
confidentiality, integrity, and availability.
❖ Encourage a security-conscious culture throughout the organization.
Incident Response Plan:
❖ Develop and regularly update an incident response plan to address security incidents promptly and
effectively.
❖ Clearly define roles and responsibilities during security incidents to minimize their impact.
❖ Cloud computing has added another dimension to disaster recovery planning.
Continuous Monitoring:
❖ Implement continuous monitoring systems to detect and respond to security threats in real-time.
❖ Regularly review and update security controls based on the changing threat landscape.
Physical Security:
❖ Include physical security measures to protect against unauthorized access to critical infrastructure,
servers, and data centers.
❖ Control access to sensitive areas through measures like biometric access controls and surveillance.
Backups and Redundancy:
❖ Establish regular data backup procedures to ensure the availability of critical information in case of data
loss or system failures.
❖ Implement redundant systems to minimize downtime and ensure continuous availability.
❖ Use incremental backups, which copy only the data changed since the previous backup, so that backups stay fast enough to run frequently.
Regular Audits and Assessments/ Security Audits:
❖ Conduct regular security audits and assessments to evaluate the effectiveness of implemented security
measures.
❖ Use the findings to improve and refine the organization's security posture.
❖ For example, if a policy says that all users must change their passwords every 30 days, the audit must
check how well that policy is being implemented.
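An added example, not from the course notes, of what such an audit check looks like in code: it takes a list of accounts with the date of each user's last password change and reports who is outside the 30-day policy, plus a compliance rate for the audit report. The account records and the audit date are constructed for the demonstration; a real audit would read them from the directory service or identity provider.

```python
# Added example (not from the course notes): auditing a "change password every
# 30 days" policy against constructed account records.
from datetime import date

MAX_PASSWORD_AGE_DAYS = 30

# Constructed sample records: (username, date of last password change).
# None means no change has ever been recorded for the account.
SAMPLE_ACCOUNTS = [
    ("alice", date(2024, 3, 1)),
    ("bob", date(2024, 1, 10)),
    ("carol", date(2024, 2, 20)),
    ("dave", None),
]


def password_age_days(last_change, today):
    """Days since the last change, or None when no change was ever recorded."""
    if last_change is None:
        return None
    return (today - last_change).days


def audit_password_policy(accounts, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (violating usernames, compliance rate between 0.0 and 1.0).

    An account with no recorded change is a violation: the auditor cannot
    show the policy was followed, so it is not counted as compliant."""
    violations = []
    for username, last_change in accounts:
        age = password_age_days(last_change, today)
        if age is None or age > max_age:
            violations.append(username)
    compliant = len(accounts) - len(violations)
    rate = compliant / len(accounts) if accounts else 1.0
    return violations, rate


def run_audit():
    """Run the audit on the constructed records as of a fixed audit date."""
    return audit_password_policy(SAMPLE_ACCOUNTS, date(2024, 3, 10))


if __name__ == "__main__":
    bad, rate = run_audit()
    print(f"{rate:.0%} of accounts compliant; violations: {bad}")
```

The finding the auditor records is the list of violations together with the rate; the rate alone hides which accounts (and therefore which business units or processes) are not following the policy.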
By integrating these measures, organizations can create a robust security framework that aligns with the
principles of the CIA triad, safeguarding their information assets against a wide range of threats.
Implementing CIA at the Network Level
Implementing the CIA (Confidentiality, Integrity, Availability) security triad at the network level involves a set of
measures to protect information and ensure the reliability of network services.
Authentication Mechanisms:
❖ Enforce strong authentication mechanisms, such as multi-factor authentication, to protect against
unauthorized access.
o entering a username and password;
o inserting a smart card and entering the associated PIN; or
o providing a fingerprint, voice pattern sample, or retina scan.
Firewall:
❖ A firewall is a system of software, hardware, or a combination of both that stands guard between an
organization’s internal network and the Internet and limits network access based on the organization’s
access policy.
❖ A next-generation firewall (NGFW) is a hardware- or software-based network security system that is able
to detect and block sophisticated attacks by filtering network traffic dependent on the packet contents.
Data Encryption:
❖ Employ encryption protocols (e.g., VPNs, SSL/TLS) to secure data in transit.
❖ Encrypt sensitive data stored on network devices to protect confidentiality.
❖ Transport Layer Security (TLS) is a communications protocol or system of rules that ensures privacy
between communicating applications and their users on the Internet.
Proxy Servers and Virtual Private Networks:
❖ A proxy server serves as an intermediary between a web browser and another server on the Internet
that makes requests to websites, servers, and services on the Internet for you.
❖ A proxy server can also capture detailed records of all the websites each employee has visited, when,
and for how long.
❖ A VPN enables remote users to securely access an organization’s collection of computing and storage
devices and share data remotely.
Intrusion Detection System:
❖ Deploy intrusion detection and prevention systems to identify and mitigate malicious activities that could
compromise confidentiality and integrity.
❖ Definition: An Intrusion Detection System (IDS) is a security tool that monitors network or system
activities to detect and respond to potential security threats and malicious activities.
❖ Types:
o Network-Based IDS (NIDS): Monitors network traffic for signs of attacks.
o Host-Based IDS (HIDS): Operates on individual devices, monitoring activities such as log files and file integrity.
❖ Detection Methods:
o Uses signature-based detection (matching known attack patterns) and anomaly-based detection (identifying deviations from normal behavior).
❖ Response Mechanisms:
o Generates alerts for suspicious activities, with response options including passive alerts for
manual intervention or active measures to automatically mitigate threats.
❖ Benefits:
o Provides early threat detection, continuous monitoring, and complements firewalls by focusing
on identifying abnormal patterns within the network. Integration with other security tools and
regular updates are crucial for effectiveness.
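To make the two detection methods concrete, here is an added example (not from the course notes, and not the code of any real IDS product) that runs both over a handful of constructed web-server log lines. The signature rules look for two known attack patterns in request paths; the anomaly rule flags a source whose request count is far above the typical source, which no per-request signature would catch. All IP addresses, paths and rule names are made up for the demonstration.

```python
# Added example (not from the course notes): a toy IDS that runs signature-based
# and anomaly-based detection over constructed web-server log lines.
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in a simplified Common Log Format; not real traffic.
NORMAL_LINES = [
    '10.0.0.5 - - [10/Mar/2024:09:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - [10/Mar/2024:09:00:03] "GET /about.html HTTP/1.1" 200',
    '10.0.0.6 - - [10/Mar/2024:09:00:04] "GET /products HTTP/1.1" 200',
    '10.0.0.7 - - [10/Mar/2024:09:00:05] "POST /login HTTP/1.1" 302',
]
# Two requests carrying the kind of payload a signature rule is written for.
SUSPICIOUS_LINES = [
    '10.0.0.8 - - [10/Mar/2024:09:00:06] "GET /login?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200',
    '10.0.0.9 - - [10/Mar/2024:09:00:07] "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
]
# One source sending far more requests than anyone else: no single request is
# malicious, so only the anomaly rule can see it.
FLOOD_LINES = [
    f'10.0.0.99 - - [10/Mar/2024:09:00:{8 + i % 50:02d}] "GET /search?q={i} HTTP/1.1" 200'
    for i in range(60)
]
SAMPLE_LOG = NORMAL_LINES + SUSPICIOUS_LINES + FLOOD_LINES

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Signature rules: known attack patterns matched against the decoded request path.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE),
    "cross-site-scripting": re.compile(r"<\s*script", re.IGNORECASE),
}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # match on what the server actually saw
    return rec


def signature_alerts(records):
    """Signature-based detection: one alert per (source, rule) hit."""
    return [(rec["ip"], name)
            for rec in records
            for name, pattern in SIGNATURES.items()
            if pattern.search(rec["path"])]


def anomaly_alerts(records, floor=20, multiplier=10):
    """Anomaly-based detection: flag sources whose request count is far above
    the typical source. The baseline is the median count per source; the floor
    keeps very small logs from alerting on ordinary browsing."""
    counts = Counter(rec["ip"] for rec in records)
    if not counts:
        return []
    threshold = max(floor, multiplier * statistics.median(counts.values()))
    return [(ip, "request-volume") for ip, n in counts.items() if n > threshold]


def detect(lines):
    """Run both detectors; returns a list of (source_ip, alert_name)."""
    records = [rec for rec in map(parse_line, lines) if rec is not None]
    return signature_alerts(records) + anomaly_alerts(records)


if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG):
        print(f"ALERT {alert:<22} source={ip}")
```

The two methods fail in opposite ways: a signature rule misses anything it has no pattern for, and the anomaly rule misses a single well-crafted request while flagging any unusual but legitimate burst, which is why the notes recommend using both and keeping the signature set updated.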
Implementing CIA at the Application Level
Authentication methods, user roles and accounts, and data encryption are key elements of the application
security layer.
Authentication and Authorization:
❖ Implement robust authentication mechanisms to verify the identity of users accessing the application.
❖ Enforce proper authorization controls to ensure that users have appropriate access privileges based on
their roles.
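An added example, not from the course notes, of how authentication and role-based authorization fit together in application code: passwords are stored as salted PBKDF2 hashes and compared in constant time, and every action is checked against the permissions of the user's role, so each role gets only the privileges it needs. The role names, permission strings and sample accounts are constructed for the demonstration.

```python
# Added example (not from the course notes): password authentication with
# salted PBKDF2 hashes plus role-based authorization for an application.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16

# Constructed roles: each role lists exactly the permissions it needs and no more.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per password defeats
    precomputed-table attacks and hides identical passwords."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """In-memory user table: username -> salt, password digest and role."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "role": role}

    def authenticate(self, username, password):
        """Return the username on success, None on failure (same answer for
        a wrong password and an unknown user, so usernames are not enumerable)."""
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * SALT_BYTES)  # same cost as a real check
            return None
        return username if verify_password(password, rec["salt"], rec["digest"]) else None

    def authorize(self, username, permission):
        """True only if the user exists and the user's role grants the permission."""
        rec = self._users.get(username)
        return rec is not None and permission in ROLE_PERMISSIONS[rec["role"]]


def build_demo_store():
    """Constructed accounts used by the demonstration below."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple", "analyst")
    store.add_user("bob", "a-different-long-passphrase", "viewer")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    user = store.authenticate("alice", "correct horse battery staple")
    print("login:", user)
    print("alice may export:", store.authorize("alice", "report:export"))
    print("bob may export:", store.authorize("bob", "report:export"))
```

Authorization is checked per action against the role, never by asking the client what it is allowed to do; the role table is the single place where privileges are granted, which is what makes least privilege auditable.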
Data Encryption:
❖ Use encryption algorithms to protect sensitive data during transmission and storage.
❖ Apply encryption for data at rest, such as databases and files, to maintain confidentiality.
Input Validation and Sanitization:
❖ Validate and sanitize all input data to prevent injection attacks, such as SQL injection and cross-site
scripting (XSS).
❖ Implement parameterized queries and input validation routines to thwart potential exploits.
Error Handling:
❖ Implement custom error messages to avoid exposing sensitive information.
❖ Log errors securely and provide users with generic error messages to prevent information leakage.
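The following added example (not from the course notes) ties together the SQL injection item under Types of Exploits and the input validation and error handling items here. It shows a lookup built by string concatenation, where the input can change the structure of the query, next to the parameterized version, where the driver treats the input strictly as a value, and wraps the safe version in an entry point that validates the input, logs failures in detail, and returns only a generic message to the caller. The table, rows and validation rule are constructed for the demonstration; SQLite is used only because it needs no setup.

```python
# Added example (not from the course notes): vulnerable vs. parameterized query,
# input validation, and error handling that does not leak internals.
import logging
import re
import sqlite3

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("app")


def make_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest becomes SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """HARDENED: a parameterized query; the value is bound separately from the
    SQL text and can never change the query's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list validation: usernames are short, lowercase and alphanumeric.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username):
    return bool(USERNAME_RE.match(username))


def lookup_user(conn, username):
    """Application entry point: validate, query safely, never leak internals."""
    if not validate_username(username):
        return {"ok": False, "error": "Invalid username"}
    try:
        rows = find_user_safe(conn, username)
    except sqlite3.Error:
        # Full detail (traceback, query context) goes to the protected log only.
        log.exception("user lookup failed for %r", username)
        # The caller sees a generic message with no table, driver or stack detail.
        return {"ok": False, "error": "Service temporarily unavailable"}
    return {"ok": True, "users": rows}


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, probe))  # every row comes back
    print("safe:      ", find_user_safe(conn, probe))        # no row has that name
    print("validated: ", lookup_user(conn, probe))           # rejected before any query
```

Validation and parameterization are separate layers: the parameterized query is what actually prevents injection, while the allow-list stops malformed input before it reaches the database and keeps the error path simple.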
Implementing CIA at the End-User Level
Security Awareness Training:
❖ Regularly educate users on security risks, social engineering, and best practices to enhance awareness.
Password and Authentication:
❖ Enforce strong password policies and promote the use of multi-factor authentication for enhanced
security.
Safe Browsing Practices:
❖ Instruct users to adopt safe browsing habits, avoid suspicious links, and verify website security.
Incident Reporting:
❖ Establish a clear process for users to report security incidents promptly, fostering a proactive response.
Device and Data Security:
❖ Emphasize securing physical workspaces, practicing safe email habits, and safeguarding devices to
protect confidentiality and integrity.
❖ Encourage users to regularly update their operating systems, applications, and antivirus software to
address security vulnerabilities and maintain the integrity of their systems.
Response to Cyberattack
Response to a cyberattack involves a well-coordinated set of actions aimed at minimizing damage, restoring
normal operations, and preventing future incidents. Here's a concise overview:
Incident Response Plan Activation:
❖ Activate Plan: Implement the organization's incident response plan, detailing roles, responsibilities, and
actions to be taken during a cyberattack.
❖ Communication: Establish clear communication channels among the incident response team members.
Identification and Isolation:
❖ Immediate Detection: Quickly identify the nature and extent of the cyberattack through monitoring
systems and anomaly detection.
❖ Isolation: Isolate affected systems or networks to prevent further spread of the attack and limit damage.
Containment and Eradication:
❖ Containment: Take steps to contain the attack, such as isolating compromised systems or blocking
malicious network traffic.
❖ Eradication: Identify and eliminate the root cause of the cyberattack to prevent it from recurring.
Follow-Up Using an MSSP:
❖ Many organizations outsource their network security operations to a managed security service provider (MSSP), which is a company that monitors, manages, and maintains computer and network security for other organizations.
❖ MSSPs provide vulnerability scanning and web blocking and filtering capabilities.
Forensic Analysis:
❖ Investigation: Conduct a thorough forensic analysis to understand the attack vector, identify
vulnerabilities, and gather evidence.
❖ Attribution: If possible, determine the source or origin of the cyberattack.
❖ Computer forensics is a discipline that combines elements of law and computer science to identify,
collect, examine, and preserve data from computer systems, networks, and storage devices in a manner
that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.
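An added example, not from the course notes, of the integrity-preservation step in that definition: each item of evidence is hashed with SHA-256 when it is collected and recorded in a chain-of-custody log, and each log record also carries the digest of the record before it, so that later changes to the evidence or to the log can both be detected. The evidence bytes, analyst name and timestamps are constructed for the demonstration.

```python
# Added example (not from the course notes): recording evidence hashes in a
# hash-chained chain-of-custody log so that later tampering with either the
# evidence or the log itself can be detected.
import hashlib
import json

# Constructed sample evidence: a fragment of an authentication log and a fake
# "disk image" blob. Neither comes from a real system.
SAMPLE_AUTH_LOG = (
    b"Mar 10 09:00:01 srv1 sshd[412]: Failed password for root from 10.0.0.8\n"
    b"Mar 10 09:00:04 srv1 sshd[412]: Accepted password for deploy from 10.0.0.5\n"
)
SAMPLE_IMAGE = bytes(range(256)) * 4

GENESIS = "0" * 64  # "previous entry" value for the first record in a log


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry):
    # Canonical JSON so the same record always hashes the same way.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only list of evidence records; each record carries the digest of
    the record before it, so an altered or removed record breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, label, data, collected_by, collected_at):
        prev = entry_digest(self.entries[-1]) if self.entries else GENESIS
        entry = {
            "label": label,
            "sha256": sha256_hex(data),
            "size": len(data),
            "collected_by": collected_by,
            "collected_at": collected_at,  # ISO-8601 string supplied by the collector
            "prev": prev,
        }
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True only if every record still links to the unmodified record before it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = entry_digest(entry)
        return True


def verify_evidence(entry, data):
    """True if the data presented now is byte-for-byte what was recorded."""
    return entry["size"] == len(data) and entry["sha256"] == sha256_hex(data)


def build_demo_log():
    """Constructed custody log with two evidence items."""
    custody = CustodyLog()
    custody.record("srv1 auth.log excerpt", SAMPLE_AUTH_LOG, "analyst-1", "2024-03-10T09:30:00Z")
    custody.record("srv1 disk image", SAMPLE_IMAGE, "analyst-1", "2024-03-10T10:15:00Z")
    return custody


if __name__ == "__main__":
    custody = build_demo_log()
    print("chain valid:", custody.verify_chain())
    print("auth log intact:", verify_evidence(custody.entries[0], SAMPLE_AUTH_LOG))
    print("auth log altered:", verify_evidence(custody.entries[0], SAMPLE_AUTH_LOG + b"extra\n"))
```

The hash proves that what is presented in court is what was collected; the chained log proves the record of who collected it, and when, has not been rewritten since. Working copies are examined, and the originals stay untouched so that the recorded hashes keep matching.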
Data Recovery and Restoration:
❖ Data Backup: Restore systems and data from secure backups to ensure business continuity.
❖ Verification: Validate the integrity of restored data and systems.
Communication and Reporting:
❖ Internal Communication: Keep internal stakeholders informed about the incident, the response efforts,
and the status of recovery.
❖ External Communication: Communicate with external parties, such as customers, regulatory bodies, and
law enforcement as necessary.
Post-Incident Analysis:
❖ Debriefing: Conduct a post-incident analysis to evaluate the effectiveness of the response and identify
areas for improvement.
❖ Documentation: Document lessons learned and update incident response plans and security measures
accordingly.
Enhanced Security Measures:
❖ Patch and Update: Apply patches and updates to address vulnerabilities exploited during the attack.
❖ Security Enhancements: Strengthen security controls, such as firewall rules, intrusion detection systems,
and access controls.
Legal and Regulatory Compliance:
❖ Compliance Checks: Ensure that the organization remains in compliance with legal and regulatory
requirements.
❖ Reporting: Report the incident to relevant authorities as required by law.
User Training and Awareness:
❖ Education: Conduct user training to enhance awareness of cybersecurity threats, especially regarding
phishing and social engineering.
❖ Testing: Simulate cyberattacks through penetration testing to evaluate the organization's resilience.
Continuous Monitoring:
❖ Ongoing Monitoring: Implement continuous monitoring of systems, networks, and user activities to
detect and respond to potential threats in real-time.
❖ Incident Response Review: Regularly review and update the incident response plan based on evolving
cyber threats.
A swift and well-coordinated response is critical to mitigate the impact of a cyberattack and safeguard the
organization's assets and reputation.
Cyber Law; Provision of Cyber Law and Electronic Transaction Act of Nepal
To regulate cybercrimes, on 2 September 2063, parliament passed the first cyber law in Nepal, called the Electronic Transactions Act, 2063. The objective of this bill was to mitigate crimes related to the internet and digital property. The act provides a legal framework for electronic transactions, digital signatures, and cybersecurity.
Summarized overview of the Electronic Transactions Act, 2063:
Legal Recognition of Electronic Records:
❖ The act grants legal recognition to electronic data, records, and documents, treating them on par with
their paper counterparts.
Digital Signatures:
❖ Establishes the legitimacy of digital signatures, providing a legal basis for their use in electronic
transactions. The act outlines the requirements and procedures for the use of digital signatures.
Offenses and Penalties:
❖ Defines cybercrimes and electronic offenses, such as unauthorized access, hacking, and data breaches.
Specifies penalties for individuals or entities engaged in illegal electronic activities.
Consumer Protection:
❖ Contains provisions to protect the rights of consumers engaging in electronic transactions. This includes
safeguards against fraud, misrepresentation, and unfair business practices in the digital realm.
Jurisdiction and Legal Recognition of Contracts:
❖ Clarifies the jurisdictional aspects of electronic transactions and recognizes the legal validity of contracts
formed electronically.
Data Protection:
❖ Outlines principles for the protection of personal data in electronic transactions. Establishes rules for the
collection, storage, and processing of personal information.
Government Use of Electronic Records:
❖ Allows government agencies to use and accept electronic records and documents for official purposes.
Cybersecurity Measures:
❖ Encourages the adoption of measures to ensure the security of information systems and data. This may
include provisions related to the prevention and investigation of cybersecurity incidents.
Admissibility of Electronic Evidence:
❖ Specifies the admissibility of electronic evidence in legal proceedings. Sets standards for presenting and
proving digital evidence in court.
Facilitation of Electronic Governance:
❖ Promotes the use of electronic means in government operations and public services to enhance
efficiency and transparency.