Unit-V Subject: Information Security
UNIT-V
Syllabus:
Implementing Information Security: Information security project management,
technical topics of implementation, Non-Technical Aspects of implementation,
Security Certification and Accreditation.
Information Security Maintenance: Security management models,
Maintenance model
Short case studies in Cryptography and Security: Secure Multi party
calculation, Virtual Elections, Single Sign On, Secure Inter Branch Payment
transactions, Cross site scripting vulnerability.
Objective:
• Explain how an organization’s information security blueprint becomes a project
plan and its implementation.
• Discuss the need for ongoing maintenance of the information security program
Outcome:
Use ethical hacking tools to study attack patterns and cryptography and secure
communication protocols and understand the technical and non-technical aspects of
security project implementation and Accreditation.
Implementing Information Security
Introduction
Implementing an information security project takes time, effort, and a great deal of
communication and coordination.
The implementation phase is accomplished by changing the configuration and operation
of the organization’s information systems in the following areas:
• Procedures (for example, through policy)
• People (for example, through training)
• Hardware (for example, through firewalls)
• Software (for example, through encryption)
• Data (for example, through classification)
During the implementation phase, the organization translates its blueprint for
information security into a project plan.
• The project plan instructs the individuals who are executing the implementation
phase.
• These instructions are needed to improve the security of the hardware,
software, procedures, data, and people that make up the organization’s
information systems.
Information security project management
Organizational change is not easily accomplished, so the project plan must address the
following issues:
• Project leadership
• Managerial, Technical, and Budgetary considerations.
• Organizational resistance to the change.
The major steps in executing the project plan are as follows:
Dept. of CSE, MEC 2022-2023
I. Planning the project
II. Supervising tasks and action steps
III. Wrapping up
I. Developing the Project Plan
Planning for the implementation phase requires a detailed project plan. It is often
prepared by the project manager or the project champion.
The project plan is created by using a simple planning tool called a work breakdown
structure (WBS).
The major project tasks in the WBS and their attributes are:
1. Work to be accomplished (activities and deliverables)
2. Individuals (or skill set) assigned to perform the task
3. Start and end dates for the task (when known)
4. Amount of effort required for completion in hours or workdays
5. Estimated capital expenses for the task
6. Estimated noncapital expenses for the task
7. Identification of dependencies between and among tasks
Each major WBS task is further divided into smaller tasks or specific action steps.
The WBS can be prepared with a simple desktop PC spreadsheet program.
1. Work to Be Accomplished The work to be accomplished includes activities and
deliverables.
A deliverable is a completed document or program module that can either serve as
the beginning point for a later task or become an element in the finished project.
Ex: if the task is to write firewall specifications, then the deliverable is a specification
document suitable for distribution to vendors.
2. Assignees The project planner should describe the skill set or person (called a
resource) needed to accomplish the task.
• Instead of assigning individuals, the project plan should focus on
organizational roles or known skill sets.
• Ex: to write the specifications for a router, the assigned resource would be
noted as “network engineer”.
3. Start and End Dates In the early stages of planning, the project planner should
attempt to specify completion dates only for major project milestones.
• A milestone is a specific point in the project plan when a task that has a
noticeable impact on the progress of the project plan is complete.
4. Amount of Effort Planners need to estimate the effort required to complete each
task, subtask, or action step.
• Estimating effort hours for technical work is a complex process.
• It is always good practice to ask the people who are most familiar with the tasks
or with similar tasks to make these estimates.
5. Estimated Capital Expenses Planners need to estimate the capital expenses
required for the completion of each task, subtask, or action item.
• Each organization budgets and expends capital according to its own
established procedures.
6. Estimated Noncapital Expenses Planners need to estimate the noncapital
expenses for the completion of each task, subtask, or action item.
• Noncapital expenses include recovery charge for staff time, employee time and
project contract or consulting time.
• For example, at some companies a project to implement a firewall may charge
only the costs of the firewall hardware as capital and consider all costs for labor
and software as expenses.
7. Task Dependencies Planners should note wherever possible the dependencies of
other tasks or action steps on the task or action step at hand.
• Tasks or action steps that come before the specific task at hand are called
predecessors, and those that come after the task at hand are called
successors.
• There can be more than one type of dependency.
Example Project Plan Work Breakdown Structure–Early Draft
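The WBS attributes and task dependencies described above can be captured in a few lines of code. The following is an added example, not part of the original notes: the task list, roles, efforts and costs are constructed, and it assumes each task's duration equals its effort in workdays and that every dependency is a simple "predecessor must finish first" relation.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Task:
    """One WBS row carrying the attributes listed in the notes."""
    task_id: str
    work: str            # work to be accomplished (activity and deliverable)
    resource: str        # organizational role or skill set, not a named person
    effort_days: int     # estimated effort in workdays
    capital: float = 0.0
    noncapital: float = 0.0
    predecessors: list = field(default_factory=list)


# Constructed sample WBS; roles, efforts and costs are invented for illustration.
WBS = [
    Task("1", "Write firewall specifications", "network engineer", 5, 0, 2000),
    Task("2", "Order firewall hardware", "purchasing", 2, 4500, 250, ["1"]),
    Task("3", "Draft firewall usage policy", "security analyst", 4, 0, 1600),
    Task("4", "Install and configure firewall", "network engineer", 3, 0, 1200,
         ["2", "3"]),
    Task("5", "Train users on the new policy", "trainer", 2, 0, 800, ["4"]),
]


def schedule(tasks):
    """Return {task_id: (start_day, end_day)} so that no task starts before
    all of its predecessors have ended. Raises ValueError for an unknown
    predecessor or a circular dependency."""
    by_id = {t.task_id: t for t in tasks}
    successors = {tid: [] for tid in by_id}
    pending = {}                      # predecessors not yet scheduled
    for t in tasks:
        for p in t.predecessors:
            if p not in by_id:
                raise ValueError(f"task {t.task_id}: unknown predecessor {p!r}")
            successors[p].append(t.task_id)
        pending[t.task_id] = len(t.predecessors)

    ready = deque(tid for tid, n in pending.items() if n == 0)
    plan = {}
    while ready:
        tid = ready.popleft()
        task = by_id[tid]
        start = max((plan[p][1] for p in task.predecessors), default=0)
        plan[tid] = (start, start + task.effort_days)
        for s in successors[tid]:
            pending[s] -= 1
            if pending[s] == 0:
                ready.append(s)

    if len(plan) != len(by_id):
        stuck = sorted(set(by_id) - set(plan))
        raise ValueError(f"circular dependency among tasks: {stuck}")
    return plan


def budget(tasks):
    """Total the estimated capital and noncapital expenses of the plan."""
    return {
        "capital": sum(t.capital for t in tasks),
        "noncapital": sum(t.noncapital for t in tasks),
    }


if __name__ == "__main__":
    plan = schedule(WBS)
    for t in WBS:
        start, end = plan[t.task_id]
        print(f"{t.task_id}  day {start:>2}-{end:<2}  {t.resource:<17} {t.work}")
    print(budget(WBS))
```
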
II. Project Planning Considerations
As the project plan is developed, adding detail is not always straightforward. Special
considerations must be included for financial, priority, time and schedule, staff,
procurement, organizational feasibility, and training.
Financial considerations
• No matter what information security needs exist, the amount of effort that can
be expended depends on availability of funds.
• A cost-benefit analysis must be verified prior to development of the project plan.
• Both public and private organizations have budgetary constraints.
• To justify an amount budgeted for a security project at either public or
for-profit organizations, it may be useful to benchmark expenses of similar
organizations.
Priority considerations
• In general, the most important information security controls should be
scheduled first
• Implementation of controls is guided by prioritization of threats and value of
threatened information assets.
Time and scheduling considerations
Time affects many points in the development of a project plan, including:
• Time to order, receive, install, and configure security control
• Time to train the users
• Time to realize return on investment of control
Staffing considerations
• Lack of enough qualified, trained, and available personnel constrains a project
plan
• Experienced staff is often needed to implement available technologies and
develop and implement policies and training programs
Procurement considerations
• IT and information security planners must consider acquisition of goods and
services.
• Most organizations place many constraints on the selection process for equipment
and services, specifically on the selection of service vendors or products from
manufacturers/suppliers.
• These constraints may eliminate a technology from the realm of possibilities.
Organizational feasibility considerations
• Security-related technological changes should be transparent to system users
unless the new technology is intended to change procedures (e.g., requiring
additional authentication or verification).
• Policies require time to develop, new technologies require time to be installed,
configured, and tested.
• Employees need training on new policies and technology, and how new
information security program affects their working lives.
Training and indoctrination considerations
• Given the size of the organization, the normal conduct of business may be
disturbed if a single large training program on new security
procedures/technologies is conducted for all employees at one time.
• Thus, the organization should take a phased-in or pilot approach to
implementation.
Scope Considerations
• Project scope: concerns boundaries of time and effort-hours needed to deliver
planned features and quality level of project deliverables.
• The scope of any given project plan should be carefully reviewed and kept as
small as possible.
• To control project scope, in the case of information security, project plans
should not attempt to implement the entire security system at one time.
The scope of information security projects must be evaluated and adjusted with care
because the installation of information security controls can disrupt the ongoing
operations of an organization and may also conflict with existing controls in
unpredictable ways.
Need of Project Management
• Project management requires a unique set of skills and thorough
understanding of a broad body of specialized knowledge.
• Most information security projects require a trained project manager (a CISO)
or skilled IT manager versed in project management techniques.
• Even experienced project managers are advised to seek expert assistance when
engaging in a formal bidding process to select advanced or integrated
technologies or outsourced services.
Supervised implementation
• Organizations may designate a champion from the general management community
of interest to supervise implementation of the information security project plan.
• An alternative is to designate a senior IT manager or the CIO.
• The optimal solution is to designate a suitable person from the information security
community of interest.
• It is up to each organization to find the most suitable leadership for a successful
project implementation.
Executing the plan
• Negative feedback ensures project progress is measured periodically
– Measured results compared against expected results
– When significant deviation occurs, corrective action taken
• Often, project manager can adjust one of three parameters for task being
corrected:
– Effort and money allocated
– Scheduling impact
– Quality or quantity of deliverable
III. Project wrap-up
• Project wrap-up is usually handled as a procedural task and assigned to a
mid-level IT or information security manager
• Collect documentation, finalize status reports, and deliver final report and
presentation at wrap-up meeting
• Goal of wrap-up is to resolve any pending issues, critique overall project effort,
and draw conclusions about how to improve process
Negative Feedback Loop
Technical topics of implementation
Some aspects of the implementation process are technical in nature and deal with
the application of technology.
They are:
1. Conversion Strategy
2. Prioritization among multiple components: Bulls Eye Model
3. Outsourcing
4. Technology governance
1. Conversion Strategy
Information security projects require careful conversion planning for the changeover
from the previous method of performing a task to the new method.
Four basic approaches are used for changing from an old system or process to a new
one.
❖ Direct changeover: As the name indicates a direct changeover involves
stopping the old method and beginning the new.
• The primary drawback to the direct changeover approach is that if the
new system fails or needs modification, users may not get the required
services.
• Complete testing of the new system in advance may reduce the
probability of such problems.
❖ Phased implementation: It is the most common conversion strategy.
• It involves a measured rollout of the planned system in which a part is
converted and disseminated across an organization before the next piece
is implemented.
• So, the security group implements only a small portion of the new
security profile, giving users a chance to get used to it and resolving
issues as they arise.
For example: if an organization seeks to update both its VPN and IDPS systems, the
new VPN system is first introduced for one group of employees, the next week for
another group, and so on. After the VPN has been completely implemented for all
employees, the organization starts on the IDPS.
❖ Pilot implementation: In this, the entire security system is put in place in a
single office, or department, or division, and issues that arise are dealt with
before expanding to the rest of the organization.
❖ Parallel operations: This strategy involves running the new methods alongside
the old methods. In general, this means running two systems concurrently.
For example: In terms of information systems, it might involve running two firewalls
concurrently.
2. Prioritization among multiple components: Bulls Eye Model
The bull’s-eye model is a proven method for prioritizing a program of complex change.
It addresses issues from the general to the specific, and its focus is on providing
systematic solutions instead of individual problems.
• It relies on a process of project plan evaluation in four layers.
i. Policies: This is the outer, or first, ring in the bull’s-eye diagram. The foundation
of an effective information security program is sound information security and
information technology policy.
• Policy establishes the ground rules for the use of all systems and enables all
other information security components to function correctly.
ii. Network: In the past, information security was often considered synonymous with
network security. In today’s computing environment, implementing information
security is more complex because networking infrastructure often comes into contact
with threats from public networks.
• Designing and implementing an effective DMZ is the primary way to secure an
organization’s networks.
• Providing the necessary authentication and authorization for the public to connect
to the organization’s network.
iii. System: Many organizations say that configuring and operating information
systems in a secure fashion becomes more difficult as the number and complexity of
these systems grow.
• Includes Servers, Desktops, Process control and Manufacturing systems.
iv. Applications:
The layer that receives attention last is the one that deals with the application
software systems used by the organization to accomplish its work.
• Includes packaged applications, such as office automation, e-mail programs,
high-end enterprise resource planning (ERP) packages and Custom application
software developed by the organization.
By reviewing the information security blueprint and the current state of the
organization’s information security efforts in terms of these four layers, project
planners can determine which areas require expansion/improved information
security capabilities.
Bulls Eye Model
The bull’s-eye model is also used to evaluate the sequence of steps taken to integrate
parts of the information security blueprint into a project plan.
Bull’s-eye model dictates the following:
• Until sound IT and information security policies are developed, communicated,
and enforced, don’t think of other control measures.
• Until effective network controls are designed and deployed, all resources should
aim toward achieving this goal (unless resources are needed to revisit the policy
needs of the organization).
• After policies and network controls are implemented, implementation should
focus on the information, process, and manufacturing systems. All resources
should be spent on this goal until all critical systems are being configured and
operated in a secure fashion.
• Once policies are in place, networks are secure, and systems are safe, attention
should move to the assessment and remediation of the security of the
organization’s applications.
– This area is complicated and of most concern for many organizations. They
neglect to analyze the impact of information security on existing/purchased
systems and their own proprietary systems.
As in all planning efforts, attention should be paid to the most critical applications
first.
3. Outsourcing (To Outsource or Not)
• Not every organization has to develop an information security program or
department on its own; it can outsource it.
• Organizations can outsource part of, or all of, their information security programs.
• The expense and time required to develop an effective information security
program may be beyond the means of some organizations, and they may hire
professional services to help their IT departments implement an
information security program.
• When an organization outsources most or all IT services, information security
should be part of the contract arrangement with the supplier.
• Organizations of all sizes frequently outsource network monitoring functions to
make certain that their systems are adequately secured and to gain assistance
in watching for attempted or successful attacks.
4. Technology Governance
Factors that determine the success of an organization’s IT and information security
programs are technology governance and change control processes.
Technology governance: A complex process that an organization uses to manage the
effects and costs of technology implementation, innovation, and obsolescence. It guides
how frequently technical systems are updated and how technical updates are
approved and funded.
• It also facilitates communication about technical advances and issues across
the organization.
Change Control Process: Organizations use it to deal with the impact of technical
change on operations.
By managing the process of change, the organization can do the following:
• Improve communication about change across the organization.
• Enhance coordination between groups within the organization.
• Reduce unintended consequences by having a process to resolve conflict and
disruption that change can introduce.
• Improve quality of service as potential failures are eliminated and groups work
together.
• Assure management that all groups are complying with the organization’s
policies regarding technology governance, procurement, accounting, and
information security.
Effective change control is an essential part of the IT operation. It assures that
confidentiality, integrity, and availability are preserved when systems are upgraded
across the organization.
Non-Technical Aspects of implementation
Some aspects of information security implementation process are not technical in
nature and deal with human interface to technical systems.
The Culture of Change Management
The prospect of change, i.e., the familiar shifting to the unfamiliar, can cause
employees to build up, either unconsciously or consciously, a resistance to that
change.
• Whether the changes are perceived as good or bad, employees tend to prefer the
old way of doing things.
• Even if employees embrace changes, the stress of making the changes and
adjusting to the new procedures can increase the probability of mistakes or
create vulnerabilities in systems.
So, by understanding and applying some of the basic tenets of change management,
project managers can reduce employee resistance to change and can even build
resilience to change.
One of the oldest models is the Lewin change model. It consists of
• Unfreezing: hard-and-fast applying of changes
• Moving: transition between the old way and the new
• Refreezing: integration of the new methods into the organizational culture by
creating an atmosphere in which the changes are accepted as the preferred way
of accomplishing the necessary tasks.
Considerations for Organizational Change
1. Reducing Resistance to Change from the Start
The level of resistance to change affects the implementation of procedural and
managerial changes.
• So, arrange an interaction session between the members affected by the change
and the project planners at an early stage of the security improvement project.
• The interaction between these groups can be improved through a three-step
process in which project managers communicate, educate, and involve.
Communicate: Project managers must communicate with the employees about the
new security process that is being considered, so that they understand it and give
feedback on it, which is essential to making it work.
Educate: Project managers must update and educate employees about exactly how
the proposed changes will affect them individually and within the organization.
• Education also involves teaching employees how to use the new systems.
Involve: Project managers can reduce resistance to change by involving employees in
the project plan.
2. Developing a Culture that Supports Change
An ideal organization fosters resilience to change, i.e., the organization understands
that change is a necessary part of the culture, and that embracing change is more
productive than fighting it.
• A resilient culture can be either cultivated or undermined by management’s
approach.
• Strong management support for change, with a clear executive-level champion,
enables the organization to recognize the necessity for and strategic importance
of the change.
Security Certification and Accreditation
Information Systems Security Certification and Accreditation
In order to comply with the myriad of new federal regulations protecting personal
privacy, an organization’s systems need to have some formal mechanism for
verification and validation.
Certification versus Accreditation: In security management
Accreditation: It authorizes an IT system to process, store, or transmit information.
• Issued by a management official and serves as a means of assuring that
systems are of adequate quality
Certification: The comprehensive evaluation of the technical and nontechnical
security controls of an IT system to support the accreditation process that establishes
the extent to which a particular design and implementation meets a set of specified
security requirements.
Organizations pursue accreditation or certification to gain a competitive advantage or
to provide assurance to their customers.
Accreditation and certification are not permanent. Just as standards of due diligence
and due care require an ongoing maintenance effort, most accreditation and
certification processes require reaccreditation or recertification every few years
(typically every three to five years).
Two documents provide guidance for the certification and accreditation of federal
information systems:
1. SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to
Federal Information Systems: A Security Life Cycle Approach.
2. NSTISS Instruction-1000: National Information Assurance Certification and
Accreditation Process (NIACAP).
1. SP 800-37, Rev. 1 Provides guidance for the certification and accreditation of
federal information systems
Information processed by the federal government is grouped into one of three
categories:
1. National security information (NSI): National security information is processed
on national security systems (NSSs). NSSs are managed and operated by the
Committee for National Systems Security (CNSS)
2. Non-NSI: Non-NSSs are managed and operated by the National Institute of
Standards and Technology (NIST).
3. Intelligence community (IC): It is a separate category and is handled according
to guidance from the office of the Director of National Intelligence (DNI).
2. NSTISS Instruction-1000: National Information Assurance Certification and
Accreditation Process (NIACAP)
The NIACAP is composed of four phases
Phase 1 – definition
Phase 2 – verification
Phase 3 – validation
Phase 4 – post accreditation
Overview of the NIACAP process
ISO 27001/27002 Systems Certification and Accreditation
• Entities outside the United States apply these standards.
• Standards were originally created to provide a foundation for British
certification of information security management systems (ISMS).
• Organizations wishing to demonstrate their systems have met this
international standard must follow the certification process.
Information Security Maintenance
Introduction
After successfully implementing and testing a new and improved information security
profile, an organization may not feel more confident about the level of protection it is
providing for its information assets, because of the dynamic nature of the
organization’s environment.
• Threats that were originally assessed in the early stages of the project’s
SecSDLC have probably changed, and new priorities have emerged.
• New types of attacks, such as new viruses, worms, and denial-of-service
attacks, along with new variants of existing attacks, have also probably
emerged.
• In addition, a host of other variables outside and inside the organization have
most likely changed.
Some of the changes that may affect an organization’s information security
environment are
• The acquisition of new assets and the divestiture of old assets
• The emergence of vulnerabilities associated with new or existing assets
• Shifting business priorities
• The formation of new partnerships
• The dissolution of old partnerships
• The departure of personnel who are trained, educated, and aware of policies,
procedures, and technologies
• The hiring of personnel
Security management models
To manage and operate the ongoing security program, the information security
community must adopt a management maintenance model.
Management models are frameworks that structure the tasks of managing a
particular set of activities or business functions.
NIST SP 800-100 Information Security Handbook: A Guide for Managers provides
managerial guidance for the establishment and implementation of an information
security program.
Thirteen areas of information security management are presented in SP 800-100
1. Information Security Governance
2. System Development Life Cycle
3. Awareness and Training
4. Capital Planning and Investment Control
5. Interconnecting Systems
6. Performance Measures
7. Security Planning
8. Information Technology Contingency Planning
9. Risk Management
10. Certification, Accreditation, and Security Assessments
11. Security Services and Products Acquisition
12. Incident Response
13. Configuration (or Change) Management
Security Maintenance model
A maintenance model is designed to complement the chosen management model and to
focus organizational effort on maintaining systems.
The recommended maintenance model is based on five subject areas or domains:
• External monitoring
• Internal monitoring
• Planning and risk assessment
• Vulnerability assessment and remediation
• Readiness and review
External Monitoring
The objective of external monitoring within the maintenance model is to provide the
early awareness of new and emerging threats, threat agents, vulnerabilities, and
attacks that the organization needs to mount an effective and timely defense.
External monitoring collects intelligence from various data sources and gives it to
decision makers within the organization.
After the above task, the CISO must evaluate and take appropriate actions in a timely
fashion.
Monitoring, Escalation, and Incident Response: The basic function of the external
monitoring process is to monitor activity, report results, and escalate warnings.
The monitoring process has three primary deliverables:
• Specific warning bulletins issued when developing threats and specific attacks
pose a measurable risk to the organization. The bulletins should assign a
meaningful risk-level to the threat to help decision makers in the organization
formulate the appropriate response.
• Periodic summaries of external information. The summaries present either
statistical results (for example, the number of new or revised CERT advisories
per month) or itemized lists of significant new vulnerabilities.
• Detailed intelligence on the highest risk warnings. This information prepares
the way for the detection and remediation of vulnerabilities in the later steps of
vulnerability assessment. This intelligence can include identifying which
vendor updates apply to which vulnerabilities as well as which types of defenses
have been found to work against the specific vulnerabilities reported.
Internal Monitoring
The primary goal of the internal monitoring is to maintain an informed awareness of
the state of all of the organization’s networks, information systems, and information
security defenses. This awareness must be communicated and documented,
especially for components that are exposed to the external network.
Internal monitoring is accomplished by:
• Building and maintaining an inventory of network devices and channels, IT
infrastructure and applications, and information security infrastructure
elements.
• Leading the IT governance process within the organization to integrate the
inevitable changes found in all networks, IT, and information security
programs.
• Monitoring IT activity in real-time using IDPSs to detect and initiate responses
to specific actions or trends of events that introduce risk to the organization’s
information assets.
• Monitoring the internal state of the organization’s networks and systems.
• Network characterization and inventory
– Organizations should have a carefully planned and fully populated inventory of
network devices, communication channels, and computing devices.
– Once characteristics are identified, they must be carefully organized and stored
using a mechanism (manual or automated) that allows timely retrieval and rapid
integration of disparate facts.
• Making intrusion detection and prevention systems work
– The most important value of the raw intelligence provided by the IDS is providing
indicators of current or imminent vulnerabilities.
– Log files from IDS engines can be mined for information.
– Another IDS monitoring element is traffic analysis.
– Analyzing attack signatures for unsuccessful system attacks can identify
weaknesses in various security efforts.
• Detecting differences
– Difference analysis: a procedure that compares the current state of a network
segment against a known previous state of the same segment.
– Differences between the current state and the baseline state that are unexpected
could be a sign of trouble and need investigation.
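Difference analysis as described above can be run directly against the inventory snapshots that internal monitoring maintains. The following is an added example, not part of the original notes: the one-line-per-host snapshot format (`ip mac ports`), the addresses and the change-control entry are all constructed for illustration, and changes already approved through change control are filtered out so that only unexpected differences remain.

```python
import ipaddress

# Constructed snapshots of one network segment: "ip mac open-ports" per host.
BASELINE = """\
# baseline taken after the last approved change window
10.0.5.10 00:16:3e:aa:00:10 22,443
10.0.5.11 00:16:3e:aa:00:11 22
10.0.5.20 00:16:3e:aa:00:20 25,587
"""

CURRENT = """\
10.0.5.10 00:16:3e:aa:00:10 22,443,3389
10.0.5.11 00:16:3e:bb:00:11 22
10.0.5.30 00:16:3e:aa:00:30 80
"""

# Constructed change-control record: the mail relay was decommissioned on purpose.
APPROVED = {("missing_host", "10.0.5.20", "00:16:3e:aa:00:20")}


def parse_snapshot(text):
    """Parse snapshot text into {ip: {"mac": str, "ports": set[int]}}.
    '#' starts a comment; '-' in the ports column means no open ports."""
    hosts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'ip mac ports'")
        ip, mac, ports = parts
        ipaddress.ip_address(ip)          # raises ValueError if malformed
        hosts[ip] = {
            "mac": mac.lower(),
            "ports": set() if ports == "-" else {int(p) for p in ports.split(",")},
        }
    return hosts


def diff_segment(baseline, current, approved=frozenset()):
    """Return the sorted list of unexpected (kind, ip, detail) differences
    between two parsed snapshots, skipping anything listed in `approved`."""
    findings = []
    for ip in current.keys() - baseline.keys():
        findings.append(("new_host", ip, current[ip]["mac"]))
    for ip in baseline.keys() - current.keys():
        findings.append(("missing_host", ip, baseline[ip]["mac"]))
    for ip in baseline.keys() & current.keys():
        old, new = baseline[ip], current[ip]
        if old["mac"] != new["mac"]:
            # Same address, different hardware: replaced or impersonated device.
            findings.append(("mac_changed", ip, f"{old['mac']}->{new['mac']}"))
        for port in new["ports"] - old["ports"]:
            findings.append(("port_opened", ip, str(port)))
        for port in old["ports"] - new["ports"]:
            findings.append(("port_closed", ip, str(port)))
    return sorted(f for f in findings if f not in approved)


if __name__ == "__main__":
    unexpected = diff_segment(parse_snapshot(BASELINE),
                              parse_snapshot(CURRENT), APPROVED)
    for kind, ip, detail in unexpected:
        print(f"INVESTIGATE {kind:<12} {ip:<10} {detail}")
```
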
Planning and Risk Management
The primary objective is to keep a lookout over the entire information security
program. This is accomplished by identifying and planning ongoing information
security activities that further reduce risk.
Primary objectives:
• Establishing a formal information security program review
• Instituting formal project identification, selection, planning, and management
processes
• Coordinating with IT project teams to introduce risk assessment and review for all
IT projects
• Integrating a mindset of risk assessment across the organization
Information security program planning and review:
• Periodic review of the ongoing information security program, coupled with planning
for enhancements and extensions, is recommended.
• The review should examine the IT needs of the future organization and the impact
those needs have on information security.
• A recommended approach takes advantage of the fact that most organizations have
annual capital budget planning cycles and manage security projects as part of that
process.
Large projects should be broken into smaller projects for several reasons:
• Smaller projects tend to have more manageable impacts on networks and users
• Larger projects tend to complicate the change control process in the implementation
phase
• Shorter planning, development, and implementation schedules reduce uncertainty
• Most large projects can easily be broken down into smaller projects, giving more
opportunities to change direction and gain flexibility
Security risk assessments:
• A key component for driving security program change is the information security
operational risk assessment (RA).
• The RA identifies and documents the risk that a project, process, or action
introduces to the organization and offers suggestions for controls.
• The information security group coordinates the preparation of many types of RA
documents.
Vulnerability assessment and remediation
Primary goal: identification of specific, documented vulnerabilities and their timely
remediation
Accomplished by:
• Using vulnerability assessment procedures
• Documenting background information and providing tested remediation
procedures for vulnerabilities
• Tracking vulnerabilities from when they are identified
• Communicating vulnerability information to owners of vulnerable systems
• Reporting on the status of vulnerabilities
• Ensuring the proper level of management is involved.
Vulnerability assessment is the process of identifying and documenting specific and
provable flaws in the organization’s information asset environment.
The five vulnerability assessment processes that follow can serve many organizations
as they attempt to balance the intrusiveness of vulnerability assessment with the need
for a stable and productive production environment:
1. Penetration testing
2. Internet vulnerability assessment
3. Platform security validation
4. Wireless vulnerability assessment
5. Modem vulnerability assessment
Documenting vulnerabilities
Remediating vulnerabilities
• Acceptance or transference of risk
• Threat removal
• Vulnerability repair
Readiness and review
The primary goal is to keep the information security program functioning as designed
and continuously improving.
Accomplished by:
• Policy review
• Program review
• Rehearsals
Short case studies in Cryptography and Security:
Secure Multi party calculation
Virtual Elections
Single Sign On
Secure Inter Branch Payment transactions
Cross site scripting vulnerability