Chapter 8: Information Securities and Cyber Security

Digital Society and Computer Ethics

Digital Society
  • Integration of information and communication technologies.
  • Impacts home, work, education, and recreation.
  • Digital innovations reshaping society, economy, industries.
  • Technologies like mobile, cloud, Big Data, IoT transforming various sectors.
  • Opportunities for growth, citizen welfare, efficiency.
  • Improves health, transportation, energy, agriculture, manufacturing, and more.
  • Enhances governance, policy-making, citizen engagement.
  • Internet’s potential for democracy, diversity, human rights.
  • Need to understand impact on consumers, users, citizens, workers.
  • Impact on private life, education, science, government, democracy, business.

Stakeholder of Digital Society

  • Society
  • Technologies
  • Content

Challenges of Digital Society

  • Privacy concerns due to increased data collection and surveillance.
  • Growing cybersecurity threats and risks of cyberattacks.
  • Unequal access to technology and the internet, creating a digital divide.
  • Rapid spread of misinformation and false information online.
  • Rise of online harassment and cyberbullying.
  • Over-reliance on digital interactions leading to social isolation.
  • Job displacement caused by automation in certain sectors.
  • Health issues arising from digital addiction and excessive screen time.
  • Ethical dilemmas posed by AI, automation, and data usage.
  • Challenges in regulating the rapidly evolving digital landscape.

 

Computer Ethics

  • Involves moral principles guiding computer use.
  • Includes intellectual property rights, privacy, societal impact.
  • Ensures ethical implementation and use of computing resources.
  • Addresses copyright, trademarks, unauthorized distribution.
  • Encompasses human behavior, workplace ethics, compliance.
  • Focuses on Internet-related issues like privacy and content publication.

Importance of Computer ethics

  • Protect personal and commercial information.
  • Control plagiarism, identity fraud, copyrighted material misuse.
  • Ensure ICT accessibility for all, including disabled and deprived.
  • Prevent dishonest business practices and promote fair competition.
  • Promote moral and social values in society.

Concept of Information Security

  • More than just preventing unauthorized access.
  • Prevents unauthorized access, use, disclosure, disruption, etc.
  • Applies to physical and electronic information.
  • Encompasses various data types, including personal details.
  • Spans research areas like Cryptography, Mobile Computing, etc.

 

Information Security vs. Cyber Security

  • Focus:
      • Information Security: Primarily concerned with safeguarding data from unauthorized access, disclosure, and modification, ensuring confidentiality, integrity, and availability.
      • Cyber Security: Focuses on protecting computer systems, networks, and digital assets from cyber threats, including attacks and breaches.
  • Scope:
      • Information Security: Encompasses physical and digital data across various forms.
      • Cyber Security: Centers on digital assets, online threats, and vulnerabilities in the cyber realm.
  • Components:
      • Information Security: Involves policies, procedures, access controls, data classification, and risk management.
      • Cyber Security: Includes firewalls, intrusion detection systems, antivirus software, encryption, and incident response.
  • Emphasis:
      • Information Security: Stresses confidentiality, integrity, and availability of information.
      • Cyber Security: Emphasizes protection from cyberattacks, data breaches, and maintaining system functionality.
  • Application:
      • Information Security: Relevant to all aspects of data handling, storage, and transmission.
      • Cyber Security: Specifically addresses online threats and digital systems.
  • Examples:
      • Information Security: Securing physical documents, complying with regulations, data disposal.
      • Cyber Security: Preventing malware infections, DDoS attacks, and unauthorized network access.
  • Interconnected:
      • Both fields are closely related and often overlap due to the digital nature of modern information management.
  • Collaboration:
      • Effective protection often requires collaboration between information security and cyber security experts.
  • Evolution:
      • Both fields evolve to adapt to new technologies and emerging threats in the digital landscape.
  • Foundation:
    • The principles of both fields contribute to a comprehensive approach to overall organizational security.

 

Information security principles

  • Basic principles/component of Information Security are CIA:

 

Confidentiality:

  • Prevents unauthorized disclosure of information.
  • Example: Password seen during login, compromise occurred.
  • Breach of confidentiality when unauthorized individuals access information.

Integrity:

  • Ensures accuracy and completeness of data.
  • Prevents unauthorized editing or tampering.
  • Example: Employee leaves, data updated across departments.
  • Only authorized personnel are allowed to edit data.

Availability:

  • Information accessible when needed.
  • Collaboration across organizational teams.
  • Example: Checking employee’s leave status.
  • Denial of service attacks can disrupt availability.

 

Information Security Policy
  • To prevent and mitigate security breaches.
  • To make security policy truly effective.
  • To change the company, new threats, conclusions drawn from previous breaches.
  • Make information security policy practice and enforceable.

 

Information security measures
  • Technical Measures
  • Organizational Measures
  • Human Measures
  • Physical Measures

 

Concept of Cybercrime

  • Crime committed using network-connected devices.
  • Perpetrators called cyber criminals or cyber crooks.
  • Growing digitization leads to increased cybercrime.
  • Attack computer networks or devices using IT skills.
  • Aims: Obtain business information, break accounts, identity theft.
  • Include revenge porn, cyber-stalking, harassment, bullying.
  • Also involve child sexual exploitation.
Types of Cybercrime:
  • Active Attack:
      • Intended to cause harm or disruption to system or network.
      • Use malicious code, viruses, worms, Trojans, and other forms of malware to carry out active attack
      • Attackers take direct and intentional action that causes harm.
  • Passive Attack:
      • Attacker intercepts and monitors data transmissions without altering or affecting the target system or data.
      • Aims to gather sensitive information, such as passwords, financial data, or confidential communications, without the victim’s knowledge.
      • Designed to be discreet and undetectable, making it challenging for the victim to realize that their data is being compromised.
  • Hacking:
      • Unauthorized access to personal information for illegal gain.
      • Include unauthorized access, data theft, service disruption, and more.
      • Hacking techniques evolve, requiring ongoing security measures to counteract attempts.
  • DDoS (Distributed Denial of service) Attacks:
      • Overwhelm target with traffic to render it inaccessible.
      • Utilize compromised devices in a botnet for traffic generation.
      • Detection involves monitoring traffic patterns and spikes.
  • Identity Theft:
      • Stealing personal information for financial fraud.
      • Unauthorized acquisition and use of someone’s personal information.
      • To assume the victim’s identity for financial gain or fraudulent activities.
  • Credit card fraud:
      • Unauthorized use of credit card information for financial gain.
      • To make fraudulent transactions using stolen card details.
      • Personal data like credit card numbers and CVVs are targeted.
  • Cyberstalking:
      • Harassment or stalking using digital communication and online platforms.
      • Involves persistent and unwanted online attention towards a victim.
      • Uses technology to intimidate, control, and cause fear in victims.
  • Cyber extortion:
      • Demanding money or something of value through online threats or attacks.
      • Impact on victims’ finances, reputation, and operational continuity.
      • Can lead to financial losses, data exposure, and damage to brand image.
  • Crypto jacking:
      • Illegitimate use of others’ computing resources to mine cryptocurrencies.
      • To generate digital currency for the attacker’s benefit.
      • Methods involve infecting devices with malware to mine cryptocurrencies.
  • Cyberbullying:
      • Insulting, harassing, or threatening via the internet.
      • Harassing, intimidating, or targeting individuals using digital communication.
      • Involves repetitive and harmful behavior through online platforms.
  • Cyber Espionage:
      • Covert and unauthorized gathering of sensitive information through digital means.
      • Aim is to obtain valuable data for political, economic, or military advantage.
      • Can lead to compromised diplomatic relations, financial losses, and weakened defense.
  • Social Engineering:
      • Cybercriminals make contact through calls, emails, or in person.
      • Pretend as legitimate entities to gain trust.
      • Aim: Obtain personal and important information.

 

Malicious Software and Spam

Malicious Software
  • Malware stands for malicious software, targeting computers and networks.
  • It encompasses harmful programs intended to delete, modify, block, or copy data without authorization.
  • Coined by Yisrael Radai in 1990, but examples of malware date back to earlier times.
  • One of the earliest instances is the Creeper virus in 1971, an experiment by Robert Thomas.

Different Types of Malware

  • Computer Virus:
    • Malicious software that self-replicates and attaches to other files.
    • Activates secretly when the host program is run.
    • Types: Memory-Resident, Program File, Boot Sector, Stealth, Macro, Email Viruses.
  • The example of computer virus include
    • Install the operating system, stay in RAM from boot to shutdown.
    • Rare due to modern OS security and Internet precautions.
    • Infects executable files (e.g., .EXE, .COM) to increase chances of execution.
    • Distributed through email messages, activated when attachments or links are interacted with.
    • Encoded as macros embedded in documents, often in applications like Word and Excel.
  • Worm:
    • Malicious software that self-replicates like viruses.
    • Automatically executes itself, unlike viruses that need a host program.
    • Spreads over networks quickly, capable of causing substantial damage rapidly.
  • Trojan Horse:
    • Non-replicating program.
    • Appears legitimate but contains malicious code.
    • Gains trust and performs harmful activities when executed.
    • Used by hackers for stealing passwords, data destruction, and more.
    • Difficult to detect due to its deceptive nature.
  • Logic Bomb:
    • Malicious code triggered by specific events or conditions.
    • Remains dormant until triggered.
    • Used for unauthorized access, data destruction, or harm.
    • Hidden within legitimate software.
    • Difficult to detect until activation.
    • Causes damage or disruption at a specific time/event.
  • Zombies:
    • Compromised computers/devices controlled by remote attackers.
    • Part of a botnet network for malicious activities.
    • Used for DDoS attacks, malware spreading, and data theft.
    • Devices include computers, smartphones, IoT devices, etc.
    • Users may not be aware of their devices being used.
    • Prevention requires security measures and updates.
  • Phishing:
    • Phishing is a cyberattack that tricks users into revealing sensitive information or performing actions.
    • Attackers use deceptive emails, websites, or messages to appear legitimate.
    • Goals include stealing passwords, financial data, or installing malware.
    • Phishing preys on human psychology and social engineering techniques.
    • Users should be cautious and verify the authenticity of requests before sharing information.
  • Spyware:
    • Secretly records user information.
    • Sends collected data to third parties.
    • Information can include accessed files, online activities, and keystrokes.
  • Adware:
    • Displays advertising banners during program execution.
    • Can function like spyware, collecting confidential information.
    • Aims to gather data from victim’s computer for various purposes.
  • Ransomware:
    • Ransom malware that blocks user access to files/programs.
    • Demands ransom payment through online methods.
    • Paid ransom allows user to regain access to their system
  • Rootkit:
    • Malicious software altering OS functionality stealthily.
    • Enables hacker to gain complete control as system administrator.
    • Designed to hide their presence on the victim’s system.
  • Botnet:
    • Compromised computer/device networks under remote control.
    • Used for various malicious activities.
    • DDoS attacks, spam distribution, data theft, etc.
    • Infected devices become “bots” or “zombies.”
    • Central control by operators for coordinated attacks.
    • Prevention requires security practices and updates.
  • Spam:
    • Unsolicited and often mass emails sent to numerous recipients.
    • Promotes products, services, scams, or fraudulent schemes.
    • Can include email, SEO, social networking, mobile, and messaging spam.
    • Aims to manipulate search results, exploit social platforms, and target mobile users.
    • Clogs inboxes, distracts from legitimate emails, and can be ignorable.
    • Spreads across various digital communication channels.
    • Adverse effects include annoyance, deception, and potential security risks.

Symptoms of Malware attack:

  • Unexpected Crashes
  • Slow System
  • Excessive Hard Drive Activity
  • Strange Windows
  • Peculiar Messages
  • Bad Program Activity
  • Random Network Activity
  • Erratic Email
  • Blacklisting IP Address
  • Unexpected Antivirus Disabling

 

Protection from Cybercrime

  • Keep your computer and software updated:
      • Regularly apply patches and software updates to prevent vulnerabilities.
  • Use a non-administrator account whenever possible:
      • limiting the privileges of the user, reducing the potential impact of security breaches or malicious activities.
  • Think twice before clicking links or downloading anything:
      • When clicking links or downloading files is essential to prevent potential exposure to malware, phishing, and other online threats.
  • Be careful about opening email attachments or images:
      • When opening email attachments or images is important to avoid potential risks of malware infection, phishing attempts, and other malicious activities.
  • Don’t trust pop-up windows that ask you to download software:
      • Being sceptical of pop-up windows that prompt you to download software is important to prevent unwittingly installing malicious or unwanted programs on your device.
  • Limit your files-sharing:
      • Limiting file sharing helps control the exposure of sensitive information and reduces the risk of unauthorized access or sharing of confidential data.
  • Use antivirus/antimalware software:
      • Utilizing antivirus and antimalware software enhances your device’s protection by identifying and mitigating potential threats, ensuring a safer online experience.
  • Secure your Network:
      • To prevent unauthorized access, data breaches, and cyberattacks by implementing strong passwords, encryption, and proper network configuration.
  • Backup your Files:
      • Regularly backing up your files ensures that important data is not lost in case of hardware failure, malware attacks, or other unforeseen events.
  • Use Multiple Strong Passwords:
      • Avoid repeating passwords on different sites.
      • Create complex passwords with letters, numbers, and symbols.
      • Consider using a password management application.
  • Keep Your Social Media Accounts Private:
      • Set privacy settings on social networking profiles.
      • Be cautious about sharing personal information online.

 

Intellectual Property Right (IPR)

  • Legal rights safeguarding intellectual creations like inventions, artistic works, and more.
  • Provides exclusive use of intangible assets for a specific period.
  • Encompasses copyrights, patents, trademarks, and trade secrets.

 

Types of Intellectual Property Right

Copyright and related rights:

  • Copyright is an IPR that safeguards literary, artistic, and technological creations, including writings, music, fine arts, computer programs, and databases.

Patents:

  • Patent is an exclusive right granted to inventors to prevent unauthorized commercial use of their invention for a limited time, in exchange for public disclosure of the invention’s details.

Trademarks:

  • Trademark is a distinguishing sign that identifies goods or services of one entity from others. It has historical roots in artisans’ marks and serves to establish brand identity.

Industrial designs:

  • Industrial design pertains to the aesthetic aspects of an article, encompassing both three-dimensional features like shape and surface, as well as two-dimensional elements like patterns and colors.

Geographical indications:

  • Geographical indications and appellations of origin are signs used on goods with a specific geographical origin, indicating qualities and characteristics linked to that place of origin, often identified by the name of the place.

Trade secrets:

  • Trade secrets are confidential and exclusive information such as procedures, systems, formulas, etc., that provide a competitive advantage to a company, contributing to its success.

 

Why should we promote and protect intellectual property?
  • Encourages innovation and creativity.
  • Drives economic growth and job creation.
  • Preserves cultural heritage and traditional knowledge.
  • Ensures fair competition and prevents unauthorized use.
  • Attracts investment and foreign direct investment.
  • Supports research and development activities.
  • Facilitates global collaboration and knowledge sharing.
  • Benefits consumers by ensuring product quality and origin.
  • Fosters cultural and artistic expression.
Intellectual property rights (IPRs)
  • Legal rights protecting intellectual creations.
  • Encompass inventions, art, products, and more.
  • Types include copyrights, patents, trademarks, trade secrets.
  • Encourage innovation, creativity, and economic growth.
  • Foster fair competition and prevent unauthorized use.
  • Attract investment and support research.
  • Preserve cultural heritage and traditional knowledge.
  • Ensure product quality and origin for consumers.
  • Facilitate global collaboration and partnerships.

 

Digital Signature

  • Electronic form of signature to authenticate sender’s identity or document signer.
  • Ensures original content integrity and prevents tampering.
  • Transportable and not easily imitated.
  • Provides non-repudiation, authentication, and message integrity.
  • The Government of Nepal adopted digital signatures officially on December 2, 2015.
  • Utilizes cryptographic measures for authenticity, non-repudiation, and integrity.

Working mechanism of digital signature

  • Two keys are generated : Private key and Public key.
  • Private key kept by signer and kept securely.
  • Public key owned by the receiver to decrypt the message.

Hash function:

  • Hash function generates a fixed-length string from data using a mathematical algorithm.
  • It works for files of any size, like emails, documents, or images.
  • The generated hash is unique to the input data.
  • Hashing is a one-way process; you can’t reverse it to find the original data.
  • Even a small change in input data produces a significantly different hash.
  • Used in data integrity verification, password storage, digital signatures, etc.

Public Key Infrastructure (PKI):

  • PKI facilitates digital signatures and more.
  • It involves a private-public key pair for each transaction.
  • Private key is kept secret and used for signing.
  • Public key is used for validating signatures.
  • Ensures secure key generation, usage, and storage.
  • Involves a trusted Certificate Authority (CA).

Certificate Authority (CA):

  • Digital signatures rely on public-private key pairs.
  • Assurance of secure key creation and usage is vital.
  • CAs are trusted third-party organizations.
  • CAs ensure key security and provide digital certificates.
  • CAs validate identities before issuing certificates.
  • Digital certificates are digitally signed by CAs.

Digital Certificate:

  • Issued by a Certificate Authority (CA).
  • Contains public key and associated identity.
  • Used to confirm the key’s ownership.
  • CA acts as a guarantor of authenticity.
  • Valid for a specified time.
  • Necessary for creating a digital signature.

 

Advantage and Disadvantages of Digital Signature:

Advantage of Digital Signature: 

  1. Enhanced security and resistance to forgery.
  2. Authenticates sender’s identity.
  3. Ensures data integrity.
  4. Provides non-repudiation.
  5. Saves costs and time.
  6. Increases efficiency in workflows.
  7. Globally accepted for legal purposes.
  8. Positive environmental impact.
  9. Simplifies audit trail creation.
  10. Integrates well with digital workflows.

Disadvantage of Digital Signature: 

  1. Dependence on technology and digital infrastructure.
  2. Complex implementation and management.
  3. Key management challenges.
  4. Variability in legal recognition.
  5. Infrastructure requirements for both parties.
  6. Initial costs for implementation.
  7. User acceptance and familiarity concerns.
  8. Potential for misuse or fraudulent activities.
  9. Complex revocation processes.
  10. Risk of sensitive data exposure during transfer.

Cyber Law in Nepal

  • Governs legal matters related to computers, internet, data, software, and networks.
  • Encompasses legal issues in cyberspace.
  • Pertains to preventing internet-related crimes.

Area of Cyber Law

  1. Electronic and Digital Signature:
  2. Computer Crime:
  3. Intellectual Property:
  4. Data Protection and Privacy:
  5. Telecommunication Laws:

Cyber law in Nepal

  • Cyber Law covers diverse issues tied to the internet and technology.
  • Encompasses intellectual property, privacy, expression, and jurisdiction.
  • Nepal’s first cyber law is the Electronic Transaction Act, 2063.
  • Responds to the increasing internet use in Nepal.
  • Addresses commercial, private sector, and criminal aspects.
  • Covers digital signatures, intellectual property, and cybercrime.
  • Consists of 12 sections and 80 clauses.
  • Focuses on computer networks and cybercrime.
  • Brings cybercriminals to court and imposes penalties like other crimes.

Provisions included in the laws:

  • Comprehensive coverage of cyber activities.
  • Key legislation for Nepal’s IT industry development.
  • Criminal and civil consequences for hacking, data theft, and more.
  • Penalties include imprisonment up to 5 years or fines.
  • Focus on severity and repetition of the crime.
  • Enhanced security for electronic banking transactions.
  • Boosts economic activities over the internet in Nepal.
  • Legal recognition for government websites and digital signatures.
  • Applies to e-banking, e-commerce, and more electronic media.
 ICT Policy in Nepal
  • ICTs are essential for sustainable development and economic growth worldwide.
  • They transform social interactions and public service delivery.
  • Nepal considers ICTs crucial for poverty reduction and development goals.
  • Efficiency is a key indicator of competitiveness, and ICTs contribute to efficiency.
  • ICTs play a role in better governance, education access, healthcare outreach, and economic growth.
  • Challenges arise from the fast-paced nature of ICT innovation and evolving policy needs.
  • Policy formulation needs to adapt to technological trends, including cybersecurity, data protection, privacy, and intellectual property rights.
  • Addressing challenges of technological convergence and regulatory governance is important.
  • As telecom connectivity expands, focus shifts to strengthening demand-side fundamentals.
  • ICTs offer a tool to bridge development gaps and improve citizens’ quality of life.

Vision

  • Goal to transform Nepal into an information and knowledge-based society and economy.

Mission

  • To create conditions for the intensified development and growth of ICT sector as a key driver for
  • Nepal’s sustainable development and poverty reduction

Major Objectives

  • Make ICT accessible and affordable to all citizens.
  • Develop and expand ICT infrastructure.
  • To promote good governance through the use of ICT.
  • Achieve sustainable and inclusive socio-economic development through the use of ICT
  • Create the opportunities of human resources development through the use of ICT.

Policy:

  • Promote a stable, fair and competitive investment climate.
  • Facilitate the development of e-Trade and E-Commerce activities.
  • Enhance competitiveness of farmers through ICT in agriculture.
  • Improve communication systems for tourism development.
  • Support e-Government planning and strategies.
  • Develop ICT services to bridge the digital divide.
  • Ensure efficient use of ICT infrastructure for resilience.
  • Enhance institutional capacity for ICT education in educational institutions.
  • Increase enrollment and output of students in key ICT-related skills.
  • Deploy ICTs in education for better outcomes and expanded access.
  • Facilitate youth and women’s participation in ICT, media, and content development.
  • Address gender-based inequalities in ICT initiatives.
  • Promote use of free and open source software in government.
  • Develop a competitive and regulated ICT industry through innovation and partnership.
  • Attract ICT-related foreign investments, especially in the IT-ITES/BPO sector.
  • Utilized ICT for social and economic development.
  • Expand broadband services through national telecommunications infrastructure.
  • Utilize regional and international telecom infrastructure for economic integration.
  • Safeguard public sector information and investments from negative ICT impacts.
  • Facilitate e-Trade and E-Commerce with a stable investment climate.