UNIT-II

UNIT –II Syllabus

Introduction to Computer Security, Internet, E-

commerce and E-governance with reference to
Free Market Economy
Definition, Threats to security, Government requirements,
Information Protection and Access Controls, Computer
security efforts, Standards, Computer Security mandates
and legislation, Privacy considerations, International
security activity, Conceptual Framework of E-commerce:
governance, the role of Electronic Signatures in E-
commerce with Reference to Free Market Economy in
India.
Introduction to Computer Security:
computer security the protection of computer systems and
information from harm, theft, and unauthorized use. Computer
hardware is typically protected by the same means used to protect
other valuable or sensitive equipment.
The security precautions related to computer information and access
address
Four major threats:
(1)theft of data: such as that of military secrets from government
computers.
(2)Vandalism: including the destruction of data by a computer virus.
(3)Fraud: such as employees at a bank channeling funds into their
own accounts.
(4)Invasion of privacy: such as the illegal accessing of protected
personal financial or medical data from a large database.
The laws make it a crime to reveal personal information gathered during business.
Health Insurance Portability and Accountability Act(HIPAA) in US
Family Educational Rights and Privacy Act (FERPA)
General Data Protection Regulation (GDPR) in the EU:
California Consumer Privacy Act (CCPA):
Data Protection Act (DPA) in the UK:

The organizations which provide assistance w.r.to attacks over internet:

Defence Advanced Research Projects Agency (DARPA)
Computer Emergency Response Team (CERT)
 US-CERT, and CERT-IN
Interpol
Europol's European Cybercrime Centre (EC3):
Federal Bureau of Investigation (FBI) – Cyber Division:
National Cyber Security Centre (NCSC) – UK:
International Telecommunication Union (ITU):

Information Sharing and Analysis Canters (ISACs) help in developing the best
practices for protecting critical infrastructures and minimizing vulnerabilities.
Continues
…
Computer crime is an act performed by a knowledgeable computer
user, sometimes called a "hacker," that illegally browses or steals a
company's or individual's private information. Sometimes, this
person or group of individuals may be malicious and destroy or
otherwise corrupt the computer or data files.
Examples:
•Child pornography - Making, distributing, storing, or viewing
child pornography.
•Click fraud - Fraudulent clicks on Internet advertisements.
•Copyright violation - Stealing or using another
person's Copyrighted material without permission.
•Cracking- Breaking or deciphering codes designed to protect data.

Continues
…
 Confidentiality, Integrity, Availability
(CIA)
Computer and Network security is build on 3-pillars, C-I-A.
Confidentiality - preventing the disclosure of data to unauthorized
parties.
Also keep the identity of authorized parties involved in sharing and
holding data private and anonymous.
Often confidentiality is compromised by cracking poorly encrypted
data, Man-in-the-middle (MITM) attacks, disclosing sensitive data.
Standard measures to establish confidentiality include:
1.Data encryption
2.Two-factor authentication
3.Biometric verification
4.Security tokens

Continues
…
Integrity Availability
Availability is making sure
Integrity refers to protecting that authorized parties are
information from being able to access the
modified by unauthorized information when needed.
parties.
Standard measures to
guarantee availability
Standard measures to include:
guarantee integrity include:
1.Backing up data to external
1. Cryptographic checksums drives
2. Using file permissions 2.Implementing firewalls
3. Data backups 3.Having backup power
supplies
Continues
4.Data redundancy …
7
Identification, Authentication, Authorization and
Accountability
These are other terms but part of CIA model
Identification describes a method of ensuring that a user is the
entity it claims to be. Identification can be provided with the use
of a username or account number.
Authentication Prove you are XYZ, using multifactor
authentication like password, biometric, passport, ID etc.
Authorization What are you allowed to access?
Accountability (also referred as Auditing)
Trace an action to a User’s Identity
Prove Who/what a given action was perform by (non-
repudiation)
Threats to Security:
There are three key words that come up in discussions of computer
security issues: vulnerabilities, threats and countermeasures.
A vulnerability is a point where a system is susceptible to attack.
A threat is a possible danger to the system.
The danger might be a person (a system cracker or a spy), a thing (a
faulty piece of equipment), or an event (a fire or a flood) that might
exploit a vulnerability of the system.
Vulnerabilities:
A vulnerability is a point where a system is susceptible to attack.
Every computer and network is vulnerable to attack.
Security policies and products may reduce the likelihood that an attack
will actually be able to penetrate your system’s defenses
The following sections demonstrate the typical points of vulnerability
in a computer system.
Physical vulnerabilities:
Your buildings and equipment rooms are vulnerable. Intruders can
break into your server room just as they can break into your home.
They can sabotage and vandalize your network equipment and they
can steal backup media and printouts or obtain information that will
allow them to more easily hack their way in at a later time.
Natural vulnerabilities:
Computers are very vulnerable to natural disasters and to
environmental threats.
Disasters such as fire, flood, earthquakes, lightning, and power loss
can wreck your computer and destroy your data. Dust, humidity,
and uneven temperature conditions can also do damage.
Hardware and software vulnerabilities:
Certain kinds of hardware failures can compromise the security of an entire
computer system. If protection features fail, they wreak havoc with your
system, and they open security holes. It is also possible to open some
“locked” systems by introducing extra hardware, or to use external
devices to make a copy of the contents of disks or memory.
Software failures of any kind may cause your system to fail, open your
system to penetration, or simply make the system so unreliable that
it can’t be trusted to work properly and efficiently.
Media vulnerabilities:
Backup media: such as disk packs, tape reels, cartridges, and printouts
can be stolen or can be damaged by such mundane(universal)
perils(risks) as dust and stray magnetic and electromagnetic fields.
Most hard-drive erase operations involve rewriting.
Emanation vulnerabilities:
All electronic equipment emits(release) electrical and electromagnetic
radiation. Electronic eavesdroppers can intercept the signals
emanating from computers, networks and wireless systems, and
decipher them.
Communications vulnerabilities:
The computer is attached to a network or if it can be accessed by a
dial-in modem or over the Internet, you greatly increase the risk
that someone will penetrate your system.
Human vulnerabilities:
The people who administer and use your computer system represent
the greatest vulnerability of all. If your administrator is poorly
trained, or decides to take to a life of crime, your network is in
grave peril.
Exploiting vulnerabilities:
There’s a lot of variation in how easy it is to exploit different types of
vulnerabilities. For example, tapping a wireless network can require
nothing more than special software installed on a laptop.
Threats:
Threats are three main categories: natural, unintentional, and
intentional.
Natural and physical threats:
These threats imperil every physical plant and piece of equipment:
fires, floods, power failures, and other disasters.
Can’t prevent such disasters but can be detected quickly using fire
alarms, sensors etc.
Unintentional threats:
Ignorance creates dangers: for example, a user or a system
administrator who hasn’t been trained properly, who hasn’t read the
documentation, and who doesn’t understand the importance of
following proper security procedures.
A user might inadvertently delete a file, or a system administrator
might change the protection on the password file or on critical
system software, locking out programs and applications that need to
access that data.
Intentional threats:
These villains come in two varieties: outsiders and insiders. Some
types of attacks are feasible only for certain types of attackers. For
example, a casual “browser” isn’t likely to intercept and decipher
electromagnetic emanations, or to perform a determined
cryptographic analysis.
Countermeasures:
There are many different types of countermeasures—methods of
protecting computers and information.
Computer security: The term “computer security” was used in a
broad sense to cover the protection of computers and everything
associated with them.
Communications security: Communications security is the
protection of information while it’s being transmitted by telephone,
cabling, microwave, satellite, or any other means.
Physical security: Physical security is the protection of physical
computer equipment from damage by natural disasters and
intruders.
Government requirements:
The computer vendors who want to sell lot of work stations to govt.,
they are forced to build security into those products.
- Most govt. agencies specify security requirements along with the
operational requirements.
- The seller need to use encryption to protect stored and transmitted
data.
- Information protection : govt. agencies need to protect sensitive
info. From theft, modification, data breaches and need to ensure
integrity of the information.
Information Protection and Access Controls:
Access control is a security technique that regulates(control) who or
what can view or use resources in a computing environment. It is a
fundamental concept in security that minimizes risk to the business
or organization.
There are two types of access control: physical and logical. Physical
access control limits access to campuses, buildings, rooms and
physical IT assets. Logical access control limits connections to
computer networks, system files and data.
Physical access control :
can be limited by access card readers, auditing and reports to track
employee access to restricted business locations and proprietary
areas, such as data centers. Some of these systems incorporate
access control panels to restrict entry to rooms and buildings, as
well as alarms and lockdown capabilities, to prevent unauthorized
access or operations.
Logical access control :
systems perform identification authentication and authorization of users and
entities by evaluating required login credentials that can include passwords,
personal identification numbers, biometric scans, security tokens or
other authentication factors. Multifactor authentication (MFA), which
requires two or more authentication factors, is often an important part of a
layered defense to protect access control systems.
Access control methods:
They’re also followed by government investigations and controls. For
example:
• In 1793, the first commercial semaphore system (use of
mechanized flags) was established between two locations near
Paris. Semaphore signaling came to be used throughout France,
Italy, Germany, and Russia. Thousands were employed manning
the stations, which operated at a speed of about 15 characters per
minute. Code books were used so that whole sentences could be
represented by a few characters. Semaphores weren’t very
successful in England because of fog and smoke but in the United
States systems of this kind are the reason so many communities
have geographic names such as Signal Hill, Beacon Rock, Signal
Butte, and Semaphore Pointe.
• With Samuel F.B. Morse’s introduction of the telegraph came
concerns for protecting the confidentiality of transmitted messages.
In 1845, just a year after the invention, a commercial encryption
code was developed to keep the transmitted messages secret.
• Within five years of the introduction of the telephone in 1881 a
patent application was filed for a voice scrambler.
• In the 1920s the use of telephone wiretaps by both government and
criminal forces resulted in a public outcry Congressional hearings
and ultimately legislation prohibiting most wiretapping. In the
1930s Title VI of the Communications Act of 1934 prohibited
unauthorized interception and publication of communications by
wire or radio, while giving the President certain powers to deal with
communication matters in the event of war or other national
emergency.
• In the 1940s, concerns about controlling the proliferation of
information about atomic energy led to the Atomic Energy Act of
1946. This act created a Restricted Data category of information
requiring special protection and penalties for dissemination. Similar
controls have been imposed on new advances in other scientific
fields.
Computer security efforts: The earliest computer-related
security activities began in the 1950s, with the development of the
first TEMPEST (the process of protecting sensitive equipment from
emanating electromagnetic radiation (EMR) that may carry
classified information) security standard the consideration of
security issues in some of the earliest computer system designs and
the establishment of the first government security organization the
U.S. Communications Security (COMSEC) Board.
- standards that strive(fighting nature) to prevent outright data theft.
- 1960s – Department of Defence, National Institute of standards and
technology or NIST, national security agency first initiated public
awareness of security.
- 1967, DoD studied threats to computer systems and information
- Later Defence Advanced Research Projects Agency (DARPA)
worked on identifying vulnerabilities and threats and introduced
methods to safeguard systems and controlled access to defence
computer systems, networks and information.
1970, Security controls for computer systems –a document
is published, which is landmark in the history of computer
security.
Tiger Teams :
In 1970s, first time emerged on computer scene.
These teams where govt. and industry sponsored teams of
crackers.
They attempt to break down systems, security patches,
flaws.
- Sponsored by DoD
- Penetration testing
Standards for secure Systems: National Bureau of standards
(NBS) , also known as the National Institute of standards and
Technology (NIST), responsible for the development of all kinds of
standards.
-NBS sponsored conference on computer security in collaboration
with ACM. (Association for Computing Machinery)
-Required attention in three areas w.r.to:
-Policy : What security rules should be enforced for sensitive info?
-Mechanisms : What h/w and s/w mechanisms are needed to enforce
the policy?
-Assurance : What need to be done for mechanisms to support the
policy even when the system is subjected to threats?
National Computer Security Center (NCSC):
The Center was founded with the following goals:
• Encourage the widespread availability of trusted computer systems
•Evaluate the technical protection capabilities of industry- and
government-developed systems
• Provide technical support of government and industry groups
engaged in computer security research and development
•Develop technical criteria for the evaluation of computer
systems
•Evaluate commercial systems
•Conduct and sponsor research in computer and network security
technology
•Develop and provide access to verification and analysis tools
used to develop and test secure computer systems
•Conduct training in areas of computer security
•Disseminate computer security information to other branches of
the federal government and to industry
Computer Security mandates and legislation:
Throughout history, new advances in the availability, processing, and
transmission of information have inevitably been followed by new
security methods, federal laws, and procedural controls. These are
typically aimed at protecting information that’s considered to be
essential to national security or other national interests.
Laws typical aim is to protect information.
-protection of classified or sensitive information
Legislation mandating computer security practices by federal agencies
and con-tractors. The idea of this legislation is that organizations that
process classified or sensitive unclassified government information
must be careful to protect that information from unauthorized access.
-computer crime
Legislation defining computer crime as an offense and extending other
regulations to cover thefts and other abuses carried out by computers
and other new techniques. In addition to federal policies, virtually all
U.S. states have enacted their own legislation prohibiting computer
crime and abuse.
Privacy: Legislation protecting the privacy of information maintained
about individuals (e.g., health and financial records). Another
consideration for computer privacy is the practice of merging records
from multiple, seemingly began databases into profiles that may
reveal devastating amounts of information about an individual.
Acts:
•The Balancing Act
•Computer Fraud and Abuse Act
•Computer Security Act
Privacy considerations:
The ability to collect and manage information doesn't necessarily
confer(interact) the right to save, analyze, and publicize that
information, but several recent attacks suggest that this is
occurring.
In one high profile case, an airline was approached and asked to
turn over the records of millions of passengers who had
purchased tickets for trips on the airline.
Apparently the purpose was to combine the flight plans of
customers with other data available commercially, such as
reports from credit bureaus, and determine which fliers may fit
the profile of a terrorist.
This is feasible only if you can rapidly combine information
from several different databases, and that, in the view of
many, represents a massive invasion of privacy.
International security activity:
International security also called global security is a term which
refers to the measures taken by states and international
organizations such as the United Nations, European Union, and
others to ensure mutual survival and safety.
These measures include military action and diplomatic agreements
such as treaties and conventions.
International and national security are invariably linked.
International security is national security or state security in the global
arena.
Conceptual Framework of E-commerce:
The term e-commerce framework is related to software frameworks
for e-commerce applications. They offer an environment for
building e-commerce applications quickly. E-Commerce
frameworks are flexible enough to adapt them to your specific
requirements.
As result, they are suitable for building virtually all kinds of online
shops and e-commerce related (web) applications.
 allow replacing all parts of the framework code
 forbid changes in the framework code itself
 contain bootstrap code to start the application
 be extensible by user-written code
E-Commerce frameworks should
 define the general program flow
 consist of reusable components
 be organized in functional domains
Examples of e-commerce frameworks are
 Aimeos (Laravel, Symfony, TYPO3, SlimPHP, Flow)
 Spryker (Symfony only)
 Sylius (Symfony only)
They provide an overall structure for e-commerce related applications.
Furthermore, they implement the general program flow e.g. how
the checkout process works. Contrary to monolithic shop systems,
existing program flow can not only be extended but completely
changed according to your needs.
 Conceptual Framework of E-commerce: governance
Governance within the conceptual framework of e-commerce refers to the set of
principles, policies, regulations, and mechanisms that guide and regulate the
activities and interactions within the e-commerce ecosystem. It encompasses
both internal governance within e-commerce platforms and external governance
by regulatory bodies, industry associations, and other stakeholders. Here are
some key aspects of governance in e-commerce:
1. Legal and Regulatory Frameworks
2. Platform Policies and Guidelines
3. Data Governance and Privacy
4. Cybersecurity and Fraud Prevention:
5. Trust and Reputation Management
6. Ethical Considerations
Overall, governance in e-commerce plays a crucial role in fostering trust,
ensuring legality, protecting consumer rights, and promoting the sustainable
growth of the digital economy. It requires collaboration among governments,
businesses, civil society organizations, and technology experts to address
emerging challenges and maintain a healthy and transparent e-commerce
ecosystem.
• The role of Electronic Signatures in E-commerce with
Reference to Free Market Economy in India
• Electronic signatures play a crucial role in e-commerce
within the framework of a free market economy like India.
Here's how:
1. Legal Validity: In India, the Information Technology Act,
2000, recognizes electronic signatures as legally valid. This
means that contracts and agreements signed electronically
hold the same legal weight as traditional pen-and-paper
signatures. This legal recognition boosts confidence in e-
commerce transactions, facilitating smoother business
operations.
2. Efficiency and Convenience: Electronic signatures
streamline the e-commerce process by eliminating the need
for physical paperwork. Businesses and consumers can sign
contracts and documents digitally, saving time and
resources. This efficiency is particularly beneficial in a free
market economy where agility and flexibility are valued.
3. Security: Electronic signatures often come with
advanced security features such as encryption and
authentication mechanisms, making them more
secure than traditional signatures. This security is
vital in e-commerce transactions where sensitive
information is exchanged between parties. It helps in
safeguarding against fraud and unauthorized access.

4. Global Reach: In a free market economy,

businesses often engage in cross-border
transactions. Electronic signatures facilitate such
transactions by transcending geographical
boundaries. They enable businesses in India to
engage with international partners and customers
seamlessly, contributing to the growth of e-
commerce in the global market.
5. Cost Savings: Adopting electronic signatures reduces costs associated with
printing, mailing, and storing physical documents. This cost-effectiveness is
advantageous for businesses operating in a competitive free market
environment, allowing them to allocate resources more efficiently and invest in
innovation and expansion.
6. Customer Experience: In e-commerce, providing a seamless and convenient
customer experience is crucial for success. Electronic signatures enable
businesses to offer a hassle-free signing process, enhancing customer
satisfaction and loyalty. This positive experience can drive repeat business and
word-of-mouth referrals, contributing to overall growth in the e-commerce
sector.

In summary, electronic signatures play a pivotal role in facilitating e-commerce

transactions within the context of a free market economy like India. They offer
legal validity, efficiency, security, global reach, cost savings, and improved
customer experience, thereby contributing to the growth and success of
businesses operating in the digital marketplace.