CYBER SECURITY NOTES
UNIT 5 PPT
(Dr. Lalit Saraswat)
Visit www.prudentac.com for more details
Information Security Standards (ISS)
The ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) 27000 family of standards
ISMS (Information Security Management System)
• ISMS provides a framework to establish, implement, operate, monitor, review, maintain and improve information security within an organization
• ISMS provides means to
1. Manage risks to suit the business activity
2. Manage incident handling activities
3. Build a security culture
4. Conform to the requirements of the Standard
Need for ISMS
• The information security that can be achieved through technical means alone is limited
• Security also depends on people, policies, processes and procedures
• Resources are limited
• It is not a one-off exercise but an ongoing activity
All of these can be addressed effectively and efficiently only through a proper ISMS
Who needs ISMS?
• Every organization which values information needs to protect it, e.g.:
• Banks
• Call centers
• IT companies
• Government bodies
• Manufacturing concerns
• Hospitals
• Insurance companies
Benefits of ISMS
• Assurance through the discipline of compliance
• Risk management
• Secure environment (protection of IPRs)
• Minimized security breaches (continuity of business)
• Increased trust, customer confidence and business opportunities
Major components of the ISMS
ISO 27000 Standards
1. ISO/IEC 27001:2005 (Information security management system)
2. ISO/IEC 27002:2005 (Code of practice for information security management)
3. ISO/IEC 15408 (Evaluation criteria for the IT industry)
4. ISO/IEC 13335 (IT security management)
ISO/IEC 27001:2005 (Information security management system)
• It is a standard specification for an Information Security Management System (ISMS) which instructs you how to apply ISO/IEC 27000 and how to build, operate, maintain and improve an ISMS.
• ISO/IEC 27001, part of a growing family of ISO/IEC 27000 standards, is an information security management system (ISMS) standard published in October 2005 by the ISO and the International Electrotechnical Commission (IEC).
ISO/IEC 27001:2005 (Information security management system)
• It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within an organization.
• This standard is applicable to all types of organization, including businesses, enterprises, government agencies etc.
• ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
ISO/IEC 27002:2005 (Code of practice for information security management)
• It is a standard code of practice and can be regarded as a comprehensive catalogue of good security practices.
• ISO 27002 is a "Code of Practice" recommending a large number of information security controls.
• Control objectives throughout the standard are generic, high-level statements of business requirements for securing or protecting information assets.
2004-04-29/ Information Security
Seminar
The Certification Process
• Guidelines – ISO/IEC 27002:2007
• Certification – ISO/IEC 27001:2005
o Stage 1: Documentation review and evaluation of the client's readiness
o Stage 2: Implementation audit and evaluation of the effectiveness of the client's systems
o Lead Auditor's recommendation to certify
o Certificate issued by the certification/registration body
• Surveillance
o Periodic review audits (6-monthly interval)
o Triennial re-certification (after 3 years)
Security domains of ISO/IEC 27002:2005
• Asset management
• Human resource security
• Access control
• Business continuity management and compliance
• Communication and operation management
ISO/IEC 15408 (Evaluation criteria for the IT industry)
• This standard helps an organization evaluate, validate and certify the assurance of technology products.
• This standard helps us check products against various factors such as the security functional requirements specified in the standard.
ISO/IEC 13335 (IT security management)
• The ISO/IEC 13335-2004 standard defines the concepts and models for information and communication technology security management.
• ISO/IEC 13335-1998 defines the techniques for the management of IT security.
• ISO/IEC 13335-2001 covers management guidance on network security.
Benefits of Certification
• A valuable framework for resolving security issues
• Enhancement of client confidence and perception of your organisation
• Enhancement of business partners' confidence and perception of your organisation
• Provides confidence that you have managed risk in your own security implementation
• Enhancement of security awareness within an organisation
• Assists in the development of best practice
• Can often be a deciding differentiator between competing organisations
UNIT 5 part 2 PPT
(Dr. Lalit Saraswat)
Visit www.prudentac.com for more details
Cyber Crime
• Cyber crime involves criminal activities, such as fraud, forgery and insult, which are subject to the Indian Penal Code (IPC).
• Cyber crime means any criminal activity in which a computer or network is the source, tool, target or place of the crime.
Cyber crime types (categories)
Cybercrimes can be basically divided into three major categories:
1. Cybercrimes against persons.
2. Cybercrimes against property.
3. Cybercrimes against government.
1. Cybercrimes against persons
• These include various crimes like the transmission of child pornography and the harassment of anyone with the use of a computer, such as by e-mail.
• The trafficking, distribution, posting and dissemination of obscene material is one of the most important cybercrimes against persons.
2. Cybercrimes against property
• Computer vandalism: a process that performs a malicious function such as extracting a user's password or other data, or erasing the hard disk
• Transmission of harmful programmes
• Illegal transfer of funds from financial institutions
• Stealing secret information and data
3. Cybercrimes against government
• Cyber terrorism is one distinct kind of crime in this category.
• The medium of cyberspace is used by individuals and groups to threaten international governments as well as to terrorize the citizens of a country.
• An individual "cracking" into a government- or military-maintained website also comes under cyber crime against government.
Cyber law
Cyber law includes laws relating to:
1. Cyber Crimes
2. Electronic and Digital Signatures
3. Intellectual Property
4. Data Protection and Privacy
Introduction to Indian Cyber Law
• In India, the unlawful use of computers has given birth to a new age of cybercrimes that are addressed by the IT Act 2000.
• A separate set of laws, known as cyber or Internet laws, has been designed to regulate cybercrimes.
Categories of Cyber law
• Computer as a target:
– Specifies that a computer is used as a tool to attack other computers, such as in virus and worm attacks.
• Computer as a weapon:
– Specifies that a computer is used as a weapon to commit crimes, such as credit card fraud, cyber terrorism and pornography.
Need for cyber law
• Cyberspace is impossible to govern and
regulate using conventional law.
• Cyberspace has complete disrespect for
jurisdictional boundaries.
• Cyberspace handles gigantic traffic
volumes every second.
• Cyberspace is open to participation by
all.
Main features of this Act
• Chapter 1 of the Act deals with important definitions of the terms used in the regulations.
• Chapter 2 covers regulation regarding digital signatures.
• Chapter 3 deals with electronic governance. It legalizes the use of electronic records in government organizations and establishments.
• Chapter 4 involves attribution, acknowledgment and dispatch of electronic records and their certifying authority.
• Chapter 5 comprises secure electronic records and secure digital signatures.
• Chapter 6 covers regulation of certifying authorities.
• Chapter 7 deals with digital signatures and details their certification along with the duties of subscribers.
• Chapter 8 involves the duties of subscribers.
• Chapter 9 comprises penalties and adjudication under cyber regulation. It covers the penalty for damaging a computer system.
• Chapter 10 details the establishment of the CRAT to secure justice in such cases.
– Cyber Regulations Appellate Tribunal (CRAT)
• Its primary role is to hear appeals against orders of the Adjudicating Officers.
Intellectual property
• Intellectual property refers to creations of the human mind, e.g. a story, a song, a painting, a design etc.
• The aspects of intellectual property that relate to cyberspace are covered by cyber law.
Intellectual Property Right
• Intellectual Property Right refers to intangible property that has been created by individuals and corporations for their personal benefit or use, such as
– copyright, trademark, patent and digital data.
• Intellectual property (IP) refers to creations of the mind, such as
– inventions; literary and artistic works; designs; and symbols, names and images used in commerce.
Cont..
• India is one of the signatories of the agreement that established the World Trade Organization (WTO).
– The WTO came into force on January 1, 1995.
– The WTO agreement consists of an agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS).
• TRIPS prescribes the minimum standards to be adopted by member countries within a specified period regarding the following areas of intellectual property.
Intellectual Property related Legislation in India
• Computer software comes under the field of copyright law and is protected by the Indian Copyright Act, 1957.
• The Indian Copyright Act was amended in 1994.
• These amendments came into effect from May 10, 1995.
• The main features of the Indian Copyright Act are as follows:
– The act clearly specifies who the copyright holder is.
– Copying and distributing copyrighted software without proper authorization is illegal according to section 14 of the act.
– The act provides strict punishment for any violation of software copyright.
Types of IPR
1. Patents.
2. Copyrights and related rights.
3. Trademarks
4. Software Licenses
5. Data Protection and Privacy
6. Geographical Indications.
1. Patent
• A patent is an exclusive right granted for an invention, which is a product or a process that provides a new way of doing something, or offers a new technical solution to a problem.
– It provides protection for the invention to the owner of the patent.
– Patent protection means that the invention cannot be commercially made, used, distributed or sold without the patent owner's consent.
– A patent owner has the right to decide who may, or may not, use the patented invention for the period in which the invention is protected.
Patentable Invention
• A new product or process involving an inventive step and capable of industrial application.
• The invention must be new
• The invention must involve an inventive step
• The invention must have industrial application
Patent law
• Patent law in relation to computer hardware and software.
• The patent system is governed by the Indian Patents Act, 1970.
• The act was later amended in 1999.
2. Copyright
• Copyright is a legal term describing rights given to creators for their literary and artistic works.
• The kinds of works covered by copyright include:
– literary works such as novels, poems, plays, reference works, newspapers and computer programs; databases; films, musical compositions, and choreography;
– artistic works such as paintings, drawings, photographs and sculpture; architecture; and advertisements, maps and technical drawings.
• Creators often sell the rights to their works to individuals or companies best able to market the works in return for payment.
• These payments are often made dependent on the actual use of the work, and are then referred to as royalties.
Copyright law
• Copyright law relating to computer software, source code, websites, cell phone content etc.
• Copyright is governed by the Indian Copyright Act 1976.
3. Trademarks
• A trademark is a distinctive sign that identifies certain goods or services as those produced or provided by a specific person or enterprise.
• It may be one or a combination of words, letters, and numerals.
• Trademarks may consist of drawings, symbols, or three-dimensional signs such as
– the shape and packaging of goods, audible signs such as music or vocal sounds, fragrances, or colours used as distinguishing features.
• A trademark provides protection to the owner of the mark by ensuring the exclusive right to use it.
• It may be used to identify goods or services, or to authorize another to use it in return for payment.
• Trademark law in relation to domain names, meta tags, mirroring, framing, linking etc.
4. Software license
• A software license is a legal instrument (usually by way of contract law, with or without printed material) governing the use or redistribution of software.
• Under United States copyright law all software is copyright protected, except material in the public domain.
• A typical software license grants an end-user permission to use one or more copies of software in ways where such use would otherwise potentially constitute copyright infringement of the software owner's exclusive rights under copyright law.
5. Data Protection and Privacy Laws
• Data Protection and Privacy Laws aim to achieve a fair balance between the privacy rights of the individual and the interests of data controllers such as banks, hospitals, email service providers etc.
• These laws seek to address the challenges to privacy caused by collecting, storing and transmitting data using new technologies.
6. Geographical Indications
• GIs are signs used on goods that have a specific geographical origin and possess qualities or a reputation that are due to that place of origin.
• Agricultural products typically have qualities that derive from their place of production and are influenced by specific local factors, such as climate and soil.
• They may also highlight specific qualities of a product which are due to human factors found in the place of origin of the products, such as specific manufacturing skills and traditions.
Some Punishable Offences under the ITA are:
1. Tampering with any computer source code used for a computer, computer programme, computer system or computer network is punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
– "Computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form. (S. 65)
2. Hacking with a computer system is to be punished with imprisonment up to three years, or with fine which may extend up to five lakh rupees, or with both. (S. 66)
3. Sending offensive or false information through a computer or a communication device is punishable with imprisonment up to three years and with fine. (S. 66A)
4. Receiving or retaining a stolen computer resource or communication device is an offence punishable with imprisonment up to three years, or fine up to one lakh, or with both. (S. 66B)
– The same punishment is prescribed for fraudulent use of the electronic signature, password etc. of any other person (S. 66C) and for cheating using a computer, cell phone etc. (S. 66D)
5. Capturing, transmitting or publishing the image of a private area of any person without consent is punishable with imprisonment up to three years, or with fine up to two lakhs, or with both. (S. 66E)
6. Punishment for cyber terrorism may extend to imprisonment for life. (S. 66F)
7. Publishing or transmitting information which is indecent in electronic form shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees, and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees. (S. 67)
8. Publication and transmission of material containing a sexually explicit act or conduct is to be punished with imprisonment up to five years and fine up to ten lakh rupees, and for a second or subsequent conviction with imprisonment for a term up to seven years and fine up to ten lakh rupees. (S. 67A) The same punishment is prescribed for child pornography. (S. 67B)
9. Penalty for Misrepresentation: Whoever makes any misrepresentation to, or suppresses any material fact from, the Controller or the Certifying Authority for obtaining any license or Digital Signature Certificate, as the case may be, shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. (S. 71)
10. Penalty for Breach of Confidentiality and Privacy
Any person who has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses
person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. (S. 72)
11. Punishment for disclosure of information in breach of contract is imprisonment for a term up to three years, or with fine up to five lakh rupees, or with both. (S. 72A)
12. Punishment for publishing a Digital Signature Certificate false in certain particulars.
No person shall publish a Digital Signature Certificate or otherwise make it available to any other person with the knowledge that (a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended.
Violation of the above provision is punishable with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. (S. 73)
13. Publication for Fraudulent Purpose: Whoever knowingly creates, publishes or otherwise makes available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. (S. 74)