Solution, Information Security and Cyber Laws PUT

JRE School of Engineering
PUT April 2015
Subject Name: Information Security and Cyber Laws
Subject Code: EIT - 505
Roll No. of Student:
Date: 28th April 2015
For CSE branch VI Semester only
SET-A
Max Marks: 50
Time: 10:00 AM to 1:00 PM
Max Duration: 3 hrs
NOTE: ATTEMPT ALL QUESTIONS
1. Attempt any two parts: (2 x 6 = 12)
a. What do you mean by an Information System attack? What are the various types of "Information" attacks?
Ans. When an individual or group designs software to attack systems, they create malicious code/software called malware, designed to damage, destroy, or deny service to the target systems.
DoS - Denial of Service.
Trojan Horse - Comes with other software.
Virus - Reproduces itself by attaching to other executable files.
Worm - Self-reproducing program. Creates copies of itself. Worms that spread using e-mail address books are often called viruses.
Logic Bomb - Dormant until an event triggers it (date, user action, random trigger, etc.).
Hacker Attacks
I use the term "hacker attacks" to indicate hacker attacks that are not automated by programs such as viruses, worms, or trojan horse programs. There are various forms that exploit weaknesses in security. Many of these may cause loss of service or system crashes.
IP spoofing - An attacker may fake their IP address so that the receiver thinks the packet was sent from a location it did not actually come from. There are various forms and results of this attack.
The attack may be directed to a specific computer, addressed as though it came from that same computer. This may make the computer think that it is talking to itself, which may cause some operating systems such as Windows to crash or lock up.
Gaining access through source routing - Hackers may be able to break through other friendly but less secure networks and get access to your network using this method.
Man-in-the-middle attack / Session hijacking - An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.
Server spoofing - A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (in the clear) authentication from the client. The attacker runs this utility while acting as the server while the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read the username and password from the network packets sent.
DNS poisoning - This is an attack in which DNS information is falsified. It can succeed under the right conditions, but may not be very practical as an attack form. The attacker sends incorrect DNS information which can cause traffic to be diverted. The DNS information can be falsified because name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct web server, such as a bank's, and capture information from customers when they attempt to log on.
Password cracking - Used to get the password of a user or administrator on a network and gain unauthorized access.
Some DoS Attacks
Ping broadcast - A ping request packet is sent to a broadcast network address where there are many hosts. The source address in the packet is set to the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses, which will make it unable to operate on the network for some time and may even cause it to lock up. The attacked computer may be on someone else's network. One countermeasure to this attack is to block incoming traffic that is sent to a broadcast address.
Ping of death - An oversized ICMP datagram can crash IP devices that were made before 1996.
Smurf - An attack where a ping request is sent to a broadcast network address with the sending address spoofed, so that many ping replies come back to the victim and overload the victim's ability to process them.
Q. What is Intrusion? What is an Intrusion Detection System (IDS)? Explain its components and working in detail.
Ans. • IDSs work like burglar alarms
• IDSs require complex configurations to provide the level of detection and response
desired
• An IDS operates as either network-based, when the technology is focused on
protecting network information assets, or host-based, when the technology is focused
on protecting server or host information assets
• IDSs use one of two detection methods, signature-based or statistical anomaly-based
The different types of IDSs:
• Network-based IDS
• Host-based IDS
• Application-based IDS
• Signature-based IDS
• Statistical Anomaly-Based IDS
NIDS
A network-based IDS (NIDS) resides on a computer or an appliance connected to a
segment of an organization’s network and monitors traffic on that network segment,
looking for indications of ongoing or successful attacks.
HIDS
A host-based IDS (HIDS) works differently from a network-based IDS. A host-based IDS resides on a particular computer or server, known as the host, and monitors activity only on that system. HIDSs are also known as System Integrity Verifiers, as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies or deletes monitored files.
Use of HIDS
A HIDS is also capable of monitoring system configuration databases, such as the Windows registry, in addition to stored configuration files like .ini, .cfg and .dat files.
Application-based IDS
A refinement of the host-based IDS is the application-based IDS (AppIDS). The application-based IDS examines an application for abnormal incidents. It looks for anomalous occurrences such as users exceeding their authorization, invalid file executions, etc.
Signature-based IDS
A signature-based IDS (also called a knowledge-based IDS) examines data traffic in search of patterns that match known signatures, that is, preconfigured, predetermined attack patterns.
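The two detection methods and the HIDS integrity-verifier role described above, as an added example that is not part of the original answer: a signature matcher and a baseline-based anomaly detector run over constructed web-server log lines, plus a hash benchmark over in-memory stand-in files. The log lines, baseline counts, file paths and file contents are all constructed for this example.

```python
import hashlib
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample web-server log lines (not from any real system): two
# normal requests, two requests carrying known attack patterns, and one
# source that sends far more requests than the rest.
LOG_LINES = [
    '10.0.0.5 - - [28/Apr/2015:10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - [28/Apr/2015:10:00:02] "GET /about.html HTTP/1.1" 200',
    '10.0.0.9 - - [28/Apr/2015:10:00:03] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404',
    '10.0.0.7 - - [28/Apr/2015:10:00:04] "GET /login?user=admin\'%20OR%201=1-- HTTP/1.1" 200',
] + [f'10.0.0.3 - - [28/Apr/2015:10:00:{s:02d}] "GET /item/{s} HTTP/1.1" 200'
     for s in range(5, 45)]

LINE_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Pull source address, method, request path and status out of one log line."""
    m = LINE_RE.match(line)
    return {"src": m.group(1), "method": m.group(2), "path": m.group(3), "status": int(m.group(4))}

# Signature-based (knowledge-based) detection: preconfigured, predetermined
# attack patterns, here for directory traversal and a classic SQL injection probe.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)(%27|')(%20|\s)*or(%20|\s)+1=1"),
}

def signature_alerts(lines):
    """Return (source, signature-name) for every request matching a known pattern."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts

# Statistical anomaly-based detection: learn what "normal" looks like from a
# baseline window and flag whatever deviates from it. The baseline here is a
# constructed list of per-source request counts from a quiet period.
BASELINE_COUNTS = [3, 5, 4, 6, 2, 4, 5, 3]

def anomaly_alerts(lines, baseline=BASELINE_COUNTS, z_threshold=3.0):
    """Return (source, count) for sources whose request count in this window is
    more than z_threshold standard deviations above the baseline mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    counts = Counter(parse(line)["src"] for line in lines)
    return [(src, n) for src, n in counts.items() if (n - mu) / sigma > z_threshold]

# Host-based IDS as a system integrity verifier: benchmark key files by hash,
# then report anything created, modified or deleted. The files are in-memory
# stand-ins (constructed) for real paths on a host.
BASELINE_FILES = {"/etc/hosts": b"127.0.0.1 localhost\n",
                  "/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
CURRENT_FILES = {"/etc/hosts": b"127.0.0.1 localhost\n10.0.0.9 extra\n",
                 "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
                 "/tmp/.hidden": b"x"}

def benchmark(files):
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def integrity_changes(baseline_hashes, current_files):
    current = benchmark(current_files)
    return {
        "created": sorted(set(current) - set(baseline_hashes)),
        "modified": sorted(p for p in current if p in baseline_hashes and current[p] != baseline_hashes[p]),
        "deleted": sorted(set(baseline_hashes) - set(current)),
    }
```

Calling signature_alerts(LOG_LINES), anomaly_alerts(LOG_LINES) and integrity_changes(benchmark(BASELINE_FILES), CURRENT_FILES) shows the three detectors flagging the traversal probe, the injection probe, the noisy source and the changed and new files respectively.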
b. Using examples, elaborate the following terms:
(i) B2B e-commerce
(ii) C2C e-commerce
(iii) B2C e-commerce
Ans. Business-to-Business (B2B) is one of the major forms of e-commerce. Here the seller and the buyer participate as business entities, and the business is carried out the same way a manufacturer supplies goods to a wholesaler.
Business-to-Consumer (B2C): In this case transactions take place between consumers and business houses. Here individuals are also involved in the online business transactions.
Consumer-to-Consumer (C2C): This model is applicable when the business transaction is carried out between two individuals. For this type of e-commerce, the individuals require a platform or an intermediary for business transactions.
Consumer-to-Business (C2B)
Peer-to-Peer (P2P) is another model of e-commerce. This model is technologically more sound than the other e-commerce models. During this type of transaction, people can share computer resources. Here it is not required to use a common server; instead a common platform can be used for the transactions.
2. Attempt any two parts: (2 x 7 = 14)
a. The Information Technology Act was formulated in India in the year 2000. Explain its salient features in detail. What are some of the grey areas in it?
Ans. Cyber crime encompasses any criminal act dealing with computers and networks (called
hacking). Additionally, cyber crime also includes traditional crimes conducted through the
Internet. For example; hate crimes, telemarketing and Internet fraud, identity theft, and credit
card account thefts are considered to be cyber crimes when the illegal activities are committed
through the use of a computer and the Internet.
The IT Act was formulated in India in the year 2000.
Salient features:
1. Prior to the enactment of the IT Act, 2000, even an e-mail was not accepted under the prevailing statutes of India as a legal form of communication and as evidence in a court of law. The IT Act, 2000 changed this scenario by giving legal recognition to the electronic format. Indeed, the IT Act, 2000 is a step forward.
2. From the perspective of the corporate sector, companies shall be able to carry out electronic commerce using the legal infrastructure provided by the IT Act, 2000. Till the coming into effect of the Indian cyber law, the growth of electronic commerce was impeded in our country basically because there was no legal infrastructure to regulate commercial transactions online.
3. Corporates will now be able to use digital signatures to carry out their transactions online. These digital signatures have been given legal validity and sanction under the IT Act, 2000.
4. In today's scenario, information is stored by companies on their respective computer systems, apart from maintaining a backup. Under the IT Act, 2000, it shall now be possible for corporates to have a statutory remedy if anyone breaks into their computer systems or networks and causes damage or copies data. The remedy provided by the IT Act, 2000 is in the form of monetary damages, by way of compensation, not exceeding Rs. 1,00,00,000.
5. The IT Act, 2000 has defined various cyber crimes, which include hacking and damage to computer code. Prior to the coming into effect of the Indian cyber law, corporates were helpless as there was no legal redress for such issues. The IT Act, 2000 changes the scene altogether.
Grey Areas of the IT Act, 2000:
1. The IT Act, 2000 is likely to cause a conflict of jurisdiction.
2. Electronic commerce is based on the system of domain names. The IT Act, 2000 does not even touch the issues relating to domain names. Even domain names have not been defined, and the rights and liabilities of domain name owners do not find any mention in the law.
3. The IT Act, 2000 does not deal with any issues concerning the protection of Intellectual Property Rights in the context of the online environment. Contentious yet very important issues concerning online copyrights, trademarks and patents have been left untouched by the law, thereby leaving many loopholes.
4. As the cyber law is growing, so are the new forms and manifestations of cyber crimes. The offences defined in the IT Act, 2000 are by no means exhaustive. However, the drafting of the relevant provisions of the IT Act, 2000 makes it appear as if the offences detailed therein are the only cyber offences possible and existing. The IT Act, 2000 does not cover various kinds of cyber crimes and Internet-related crimes. These include:
a) Theft of Internet hours
b) Cyber theft
c) Cyber stalking
d) Cyber harassment
e) Cyber defamation
f) Cyber fraud
g) Misuse of credit card numbers
h) Chat room abuse
5. The IT Act, 2000 has not tackled several vital issues pertaining to the e-commerce sphere, like privacy and content regulation, to name a few. Privacy issues have not been touched at all.
6. Another grey area of the IT Act is that it does not touch upon any anti-trust issues.
ISSUES IN DATA AND SOFTWARE PRIVACY:
Privacy software provides some of the tools needed to guarantee personal data privacy.
Data Privacy.
b. Using a block diagram, explain the main components of a Biometric system. What are the main criteria for selecting a Biometric system?
Ans.
c. What is Cryptanalysis? Explain the various types of cryptanalytic attacks.
Ans.
Cryptanalysis refers to the study of ciphers, ciphertext, or cryptosystems (that is, to secret code
systems) with a view to finding weaknesses in them that will permit retrieval of the plaintext
from the ciphertext, without necessarily knowing the key or the algorithm. This is known as
breaking the cipher, ciphertext, or cryptosystem.
1) Known-plaintext analysis: With this procedure, the cryptanalyst has knowledge of a portion of
the plaintext from the ciphertext. Using this information, the cryptanalyst attempts to deduce
the key used to produce the ciphertext.
2) Chosen-plaintext analysis (also known as differential cryptanalysis): The cryptanalyst is able to
have any plaintext encrypted with a key and obtain the resulting ciphertext, but the key itself
cannot be analyzed. The cryptanalyst attempts to deduce the key by comparing the entire
ciphertext with the original plaintext. The Rivest-Shamir-Adleman encryption technique has
been shown to be somewhat vulnerable to this type of analysis.
3) Ciphertext-only analysis: The cryptanalyst has no knowledge of the plaintext and must work
only from the ciphertext. This requires accurate guesswork as to how a message could be
worded. It helps to have some knowledge of the literary style of the ciphertext writer and/or the
general subject matter.
4) Man-in-the-middle attack: This differs from the above in that it involves tricking individuals
into surrendering their keys. The cryptanalyst/attacker places him or herself in the
communication channel between two parties who wish to exchange their keys for secure
communication (via asymmetric or public key infrastructure cryptography). The
cryptanalyst/attacker then performs a key exchange with each party, with the original parties
believing they are exchanging keys with each other. The two parties then end up using keys that
are known to the cryptanalyst/attacker. This type of attack can be defeated by the use of a hash
function.
5) Timing/differential power analysis: This is a new technique made public in June 1998,
particularly useful against the smart card, that measures differences in electrical consumption
over a period of time when a microchip performs a function to secure information. This
technique can be used to gain information about key computations used in the encryption
algorithm and other functions pertaining to security. The technique can be rendered less
effective by introducing random noise into the computations, or altering the sequence of the
executables to make it harder to monitor the power fluctuations. This type of analysis was first
developed by Paul Kocher of Cryptography Research, though Bull Systems claims it knew about
this type of attack over four years before.
A ciphertext-only attack is one in which the cryptanalyst obtains a sample of ciphertext, without
the plaintext associated with it. This data is relatively easy to obtain in many scenarios, but a
successful ciphertext-only attack is generally difficult, and requires a very large ciphertext
sample. A known-plaintext attack is one in which the cryptanalyst obtains a sample of ciphertext
and the corresponding plaintext as well.
A chosen-plaintext attack is one in which the cryptanalyst is able to choose a quantity of
plaintext and then obtain the corresponding encrypted ciphertext.
An adaptive-chosen-plaintext attack is a special case of chosen-plaintext attack in which the
cryptanalyst is able to choose plaintext samples dynamically, and alter his or her choices based
on the results of previous encryptions.
A chosen-ciphertext attack is one in which the cryptanalyst may choose a piece of ciphertext and attempt to obtain the corresponding decrypted plaintext. This type of attack is generally most applicable to public-key cryptosystems.
An adaptive-chosen-ciphertext attack is the adaptive version of the above attack. A cryptanalyst can mount an attack of this type in a scenario in which he has free use of a piece of decryption hardware, but is unable to extract the decryption key from it.
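The known-plaintext and chosen-plaintext models listed above, as an added example that is not part of the original answer: a toy repeating-key XOR cipher (constructed here, not a real cipher) shows how a known fragment of plaintext and one chosen plaintext each recover the key, and why a key as long as the message and never reused gives up only the bytes under the known fragment. The message, fragment and keys are constructed for the example.

```python
import os
from itertools import cycle

# Toy cipher, constructed for this example only: a repeating-key XOR stream.
# It is not a real cipher; it is used because the attack models from the
# answer above can be demonstrated against it in a few lines.
def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))

xor_decrypt = xor_encrypt  # XOR with the same key stream undoes itself

def known_plaintext_attack(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> dict:
    """Known-plaintext model: the analyst holds the ciphertext plus a fragment
    of plaintext (`known`) that sits at byte `offset` of the message. Each
    known byte reveals one key byte, key[pos % key_len] = c[pos] ^ p.
    Returns {key_index: key_byte} for the positions the fragment covers."""
    recovered = {}
    for i, p in enumerate(known):
        pos = offset + i
        recovered[pos % key_len] = ciphertext[pos] ^ p
    return recovered

def key_from_fragments(recovered: dict, key_len: int) -> bytes:
    """Assemble the full key, or fail if the fragment did not cover every position."""
    if len(recovered) < key_len:
        raise ValueError(f"only {len(recovered)} of {key_len} key bytes recovered")
    return bytes(recovered[i] for i in range(key_len))

def chosen_plaintext_attack(encrypt_oracle, key_len: int) -> bytes:
    """Chosen-plaintext model: the analyst cannot read the key but can have any
    plaintext encrypted. Submitting all-zero bytes returns the key stream
    itself, because 0 XOR k == k."""
    return encrypt_oracle(bytes(key_len))

# Constructed message and keys (not from any real system).
MESSAGE = b"Transfer 500 to account 1234 before 28 April 2015 closes"
KNOWN_FRAGMENT = b"Transfer "               # the analyst knows how the message starts
SHORT_KEY = b"K3y"                          # 3 bytes, reused every 3 bytes of message
ONE_TIME_KEY = os.urandom(len(MESSAGE))     # as long as the message, never reused

def demo_short_key():
    """A 9-byte known fragment at offset 0 covers every position of the 3-byte
    key, so the whole key and then the whole message fall out."""
    ct = xor_encrypt(MESSAGE, SHORT_KEY)
    fragments = known_plaintext_attack(ct, KNOWN_FRAGMENT, 0, len(SHORT_KEY))
    key = key_from_fragments(fragments, len(SHORT_KEY))
    return key, xor_decrypt(ct, key)

def demo_one_time_key():
    """The same fragment against a key as long as the message reveals only the
    9 key bytes under the fragment; the remaining 47 stay unknown."""
    ct = xor_encrypt(MESSAGE, ONE_TIME_KEY)
    fragments = known_plaintext_attack(ct, KNOWN_FRAGMENT, 0, len(ONE_TIME_KEY))
    return len(fragments), len(ONE_TIME_KEY)

def demo_chosen_plaintext():
    """The oracle holds SHORT_KEY and never returns it, yet one chosen query suffices."""
    def oracle(plaintext: bytes) -> bytes:
        return xor_encrypt(plaintext, SHORT_KEY)
    return chosen_plaintext_attack(oracle, len(SHORT_KEY))
```

The defender's reading of the two demos is that key reuse, not XOR itself, is what lets one known fragment unlock the whole message.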
3. Attempt any two parts: (2 x 6 = 12)
a. What is a Firewall? Explain in detail the various types of Firewalls. Write the pros and cons of each type.
Ans. A firewall is a system designed to prevent unauthorized access to or from a
private network. Firewalls can be implemented in both hardware and software, or a
combination of both. Firewalls are frequently used to prevent unauthorized Internet users from
accessing private networks connected to the Internet, especially intranets. All messages entering
or leaving the intranet pass through the firewall, which examines each message and blocks those
that do not meet the specified security criteria.
Packet Filter
Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application Gateway
Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level Gateway
Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy Server
Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
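Packet filtering with user-defined rules, as an added example that is not from the original answer or any firewall product: a stateless first-match filter whose rule set also closes the IP-spoofing weakness noted above (by checking the arrival interface, not just the address) and blocks traffic to the directed-broadcast address, the ping broadcast / smurf countermeasure given in question 1. The network 10.0.0.0/24, the web server 10.0.0.80, the interface names and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed internal network and web server (constructed for this example).
INTERNAL_NET = ip_network("10.0.0.0/24")
WEB_SERVER = "10.0.0.80/32"

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "ext" (Internet) or "int" (intranet)
    src: str         # source IP address as written in the packet header
    dst: str         # destination IP address
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # destination port for tcp/udp, ICMP type for icmp

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: str = "*"              # "*" matches any interface
    src: str = "0.0.0.0/0"        # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"        # CIDR the destination address must fall in
    proto: str = "*"
    dport: Optional[int] = None   # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport))

# User-defined rules, evaluated top to bottom; the first match decides.
RULES = [
    # Anti-spoofing: a packet arriving from the Internet must never claim an
    # internal source address. A filter that trusts the address alone is
    # fooled by IP spoofing; checking the arrival interface as well is not.
    Rule("deny", iface="ext", src=str(INTERNAL_NET), comment="spoofed internal source"),
    # Ping-broadcast / smurf countermeasure: block incoming traffic sent to
    # the network's directed-broadcast address.
    Rule("deny", dst=f"{INTERNAL_NET.broadcast_address}/32", comment="directed broadcast"),
    # Only HTTPS may come in from the Internet, and only to the web server.
    Rule("allow", iface="ext", dst=WEB_SERVER, proto="tcp", dport=443, comment="HTTPS to web server"),
    # Inside hosts may go out.
    Rule("allow", iface="int", src=str(INTERNAL_NET), comment="outbound from intranet"),
]

def filter_packet(rules, p: Packet):
    """Stateless packet filter: look at each packet on its own and accept or
    reject it by the first matching rule; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default"

# Constructed sample packets: legitimate HTTPS, a spoofed packet, a ping to the
# broadcast address, normal outbound traffic and an unsolicited SSH attempt.
SAMPLE_PACKETS = [
    Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 443),
    Packet("ext", "10.0.0.5", "10.0.0.80", "tcp", 443),
    Packet("ext", "203.0.113.7", "10.0.0.255", "icmp", 8),
    Packet("int", "10.0.0.5", "203.0.113.7", "tcp", 80),
    Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 22),
]

def decisions(rules=RULES, packets=SAMPLE_PACKETS):
    return [filter_packet(rules, p) for p in packets]
```

Note how the spoofed packet is caught only because rule one looks at the interface; by address alone it is indistinguishable from a legitimate internal host, which is the weakness the answer attributes to plain packet filters.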
b. How can one build security into the software life cycle?
Ans. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in the System Development Life Cycle, has been developed to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This guideline applies to all federal IT systems other than national security systems. The document is intended as a reference resource rather than as a tutorial and should be used in conjunction with other NIST publications as needed throughout the development of the system.
This publication serves a federal audience of information system and information security
professionals, including information system owners, information owners, information
system developers and program managers.
To be most effective, information security must be integrated into the SDLC from system inception. Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through:
• Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
• Awareness of potential engineering challenges caused by mandatory security controls;
• Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
• Facilitation of informed executive decision making through comprehensive risk management in a timely manner.
This guide focuses on the information security components of the SDLC. First, descriptions of
the key security roles and responsibilities that are needed in most information system
developments are provided. Second, sufficient information about the SDLC is provided to
allow a person who is unfamiliar with the SDLC process to understand the relationship
between information security and the SDLC.
c. (i) What are the security issues in Data mining?
(ii) Explain the terms Authentication, Non-repudiation and Availability.
Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be. In private and
public computer networks (including the Internet), authentication is
commonly done through the use of logon passwords.
Authorization is the process of giving someone permission to do or have something. In multi-user computer systems, a system administrator defines for the system which users are allowed access to the system and what privileges of use they have (such as access to which file directories, hours of access, amount of allocated storage space, and so forth).
Nonrepudiation is the assurance that someone cannot deny something.
Typically, nonrepudiation refers to the ability to ensure that a party to a
contract or a communication cannot deny the authenticity of their
signature on a document or the sending of a message that they
originated.
4. Write short notes on any two: (2 x 6 = 12)
a. E-governance
It is widely believed today that e-governance means getting automated. However, it does not mean getting the several government departments automated so that they act like isolated islands of information and services provided with the help of new technology. E-governance means providing citizens with a central point of access to government services.
E-governance requires a net-centric attitude. Net-centric means leveraging the power of the network. For most of us, this means using the Internet. However, this can also be a local network resource or an intranet. The main difference between being net-centric and being focused on information technology is that in the net-centric model we enable collaboration, and through this collaboration we create highly productive teams rather than more productive individuals.
Automating tasks might not necessarily improve anything. This is particularly true if we are simply automating outmoded ways of doing things and inefficient processes. The net-centric approach focuses on allowing virtual teams focused on a common goal to come together on the network.
India has shown that it is developing its information technology economy using net-centric tools. It is delivering products and services using the network.
b. Copyright
Copyright is a bundle of rights in certain creative works such as text, artistic works, music, computer programs, sound recordings and films. The rights are granted exclusively to the copyright owner to reproduce the material and, for some material, the right to perform or show the work to the public. Copyright owners can prevent others from reproducing or communicating their work without their permission, or may sell these rights to someone else.
Copyright protection exists from the moment a work is created in a fixed, tangible form of expression. The copyright immediately becomes the property of the author who created the work. Only the author, or those deriving their rights through the author, can rightfully claim copyright. In the case of works made for hire, the employer, not the writer, is considered the author.
c. Mobile computing Security
Mobile computing has its fair share of security concerns, as does any other technology. Due to the nomadic nature of mobile devices, it is not easy to monitor their proper usage. Users might have different intentions on how to utilize this privilege. Improper and unethical practices such as hacking, industrial espionage, pirating, online fraud and malicious destruction are some of the problems experienced by mobile computing.
Another big problem plaguing mobile computing is credential verification. It is not possible to verify that the person using the device is its legitimate user. Users also share usernames and passwords, which is another major threat to security. This being a very sensitive issue, most companies are very reluctant to implement mobile computing due to the dangers of misrepresentation.
The problem of identity theft is very difficult to contain or eradicate. Unauthorized access to data and information by hackers is also a plaguing problem: they gain access to steal vital data from companies. This problem has been a major headache and hindrance in rolling out mobile computing services.
No company wants to lay open its secrets to hackers and other intruders, who will in turn sell them to its competitors. It is also important to take the necessary precautions to minimize these threats. Some of these measures include:
• Hiring qualified personnel.
• Installing security hardware and software.
• Educating the users on proper mobile computing ethics.
• Auditing and developing sound, effective policies to govern mobile computing.
• Enforcing proper access rights and permissions.