
ISCL (EIT 505)

Question Bank


UNIT 1

Short Questions

1) What are the four important functions that information security performs in an organization?

Information security performs four important functions for an organization:

• Protects the organization's ability to function
• Enables the safe operation of applications implemented on the organization's IT systems
• Protects the data the organization collects and uses
• Safeguards the technology assets in use at the organization

2) What are threats?

A threat is an object, person, or other entity that represents a constant danger to an asset. Management must be informed of the various kinds of threats facing the organization. By examining each threat category in turn, management effectively protects its information through policy, education and training, and technology controls.

3) What are the different acts of human error or failure?

Acts done without malicious intent. They are caused by:

• Inexperience
• Improper training
• Incorrect assumptions
• Other circumstances

4) How can human error be prevented?

Much human error or failure can be prevented with training and ongoing awareness activities, but also with controls, ranging from simple procedures, such as asking users to type a critical command twice, to more complex procedures, such as verification of the command by a second party (e.g. key recovery actions in PKI systems).

5) Define hoaxes

Hoaxes: a more devious approach to attacking computer systems is the transmission of a virus hoax with a real virus attached.

6) What is Distributed Denial-of-Service (DDoS)?

DDoS is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.

7) What is a back door?

Back doors: using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource.

8) Define dictionary attack

The dictionary password attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses.
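How the dictionary attack described above proceeds against a set of stolen password hashes, as an added example that is not part of the question bank: the attacker picks the target accounts and hashes each dictionary word with that account's salt, so a salted store forces a fresh pass over the wordlist per account, while an unsalted store can be attacked with one precomputed table. The hashing scheme (salted SHA-256), the wordlist, the account names and the passwords are constructed assumptions for the demonstration.

```python
"""Dictionary attack against a constructed store of salted password hashes.
Added example for this question bank, not code from the original page.
Assumptions: the target stores salted SHA-256 digests; the wordlist and the
accounts below are constructed for the demo."""
import hashlib
import string

# Constructed stand-in for a real "dictionary" of commonly used passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "dragon", "monkey"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256; the hashing scheme is an assumption for the example."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_constructed_store() -> dict:
    """Constructed 'stolen' credential store: account -> (salt, digest).
    Salts are fixed here so the run is reproducible; real salts are random."""
    accounts = [("alice", "letmein"), ("bob", "welcome1"), ("carol", "Xk9#qL2v")]
    store = {}
    for i, (account, password) in enumerate(accounts):
        salt = bytes([i + 1]) * 8
        store[account] = (salt, hash_password(password, salt))
    return store


def dictionary_attack(store: dict, wordlist: list, targets: list) -> tuple:
    """Narrow the field to chosen accounts and let the wordlist guide the guesses.
    Returns (recovered {account: password}, number of hash computations made)."""
    recovered, guesses = {}, 0
    for account in targets:
        salt, digest = store[account]
        for candidate in wordlist:
            guesses += 1
            if hash_password(candidate, salt) == digest:
                recovered[account] = candidate
                break  # this account is done; move on to the next target
    return recovered, guesses


def unsalted_lookup_table(wordlist: list) -> dict:
    """Without a salt, one table of hash(word) serves every account at once,
    which is why per-account salts force the attacker to rehash the dictionary
    for each target (as dictionary_attack above has to)."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def brute_force_keyspace(length: int,
                         alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> int:
    """Guesses an exhaustive brute-force attack must be prepared to make, for comparison."""
    return len(alphabet) ** length


if __name__ == "__main__":
    store = build_constructed_store()
    found, guesses = dictionary_attack(store, WORDLIST, ["alice", "bob", "carol"])
    print(f"recovered {found} after {guesses} guesses")
    print(f"exhaustive 8-character search space: {brute_force_keyspace(8):,} guesses")
```

The two weak accounts fall after 16 hash computations in total, while the account with a password outside the dictionary survives the whole wordlist; an exhaustive 8-character search over the printable alphabet would need 94^8 guesses. That gap is what "narrows the field" means, and it is also why a dictionary attack is defeated by choosing passwords that are not in any dictionary rather than by salting alone.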

9) What is a deliberate act of espionage or trespass?

• A broad category of activities that breach confidentiality:
  o Unauthorized accessing of information
  o Competitive intelligence vs. espionage
  o Shoulder surfing can occur any place a person is accessing confidential information
• Controls implemented to mark the boundaries of an organization's virtual territory give notice to trespassers that they are encroaching on the organization's cyberspace
• Hackers use skill, guile, or fraud to steal the property of someone else

10) Who are hackers? What are the two hacker levels?

The classic perpetrator of deliberate acts of espionage or trespass is the hacker. Hackers are "people who use and create computer software [to] gain access to information illegally". There are generally two skill levels among hackers:

• Expert hacker
• Unskilled hacker (script kiddie)

10) What is information extortion?

Information extortion is an attacker or formerly trusted insider stealing information from a computer system and demanding compensation for its return or non-use. Extortion is found in credit card number theft (for example, a Russian hacker named Maxus, who hacked an online vendor and stole several hundred thousand credit card numbers).

11) What is cyberterrorism?

Cyberterrorism is a most sinister form of hacking, involving cyberterrorists hacking systems to conduct terrorist activities through network or internet pathways. An example was the defacement of NATO web pages during the war in Kosovo.

12. What is vulnerability identification?

• We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organization
• Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
• Examine how each of the threats that are possible or likely could be perpetrated, and list the organization's assets and their vulnerabilities
• The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions

13. What is risk assessment?

• We can determine the relative risk for each of the vulnerabilities through a process called risk assessment
• Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process

14. Mention the risk identification estimate factors

• Likelihood
• Value of information assets
• Percent of risk mitigated
• Uncertainty

15. Give an example of risk determination.

For the purpose of relative risk assessment:

risk = likelihood of vulnerability occurrence × value (or impact) - percentage of risk already controlled + an element of uncertainty

Long Answers

1. How are information assets classified?

• Examples of these kinds of classifications are:
  o confidential data
  o internal data
  o public data
• Informal organizations may have to organize themselves to create a usable data classification model
• The other side of the data classification scheme is the personnel security clearance structure

What are asset identification and valuation?

This iterative process begins with the identification of assets, including all of the elements of an organization's system: people, procedures, data and information, software, hardware, and networking elements.

What is asset information for people?

• Position name/number/ID
• Supervisor
• Security clearance level
• Special skills

2. What is risk management?

Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to assure the

• Confidentiality
• Integrity
• Availability

of all the components in the organization's information systems.


What are the roles to be played by the communities of interest to manage the risks an organization encounters?

It is the responsibility of each community of interest to manage risks; each community has a role to play:

• Information Security
• Management and Users
• Information Technology

What is the process of risk identification?

• A risk management strategy calls on us to "know ourselves" by identifying, classifying, and prioritizing the organization's information assets
• These assets are the targets of various threats and threat agents, and our goal is to protect them from these threats

What are hardware, software, and network asset identification?

When deciding which information assets to track, consider including these asset attributes:

• Name
• IP address
• MAC address
• Element type
• Serial number
• Manufacturer name
• Manufacturer's model number or part number
• Software version, update revision, or FCO number
• Physical location
• Logical location
• Controlling entity

What are the deliberate acts of theft?

• Illegal taking of another's property: physical, electronic, or intellectual
• The value of information suffers when it is copied and taken away without the owner's knowledge
• Physical theft can be controlled: a wide variety of measures are used, from locked doors to guards or alarm systems
• Electronic theft is a more complex problem to manage and control: organizations may not even know it has occurred

4. What are deliberate software attacks?

When an individual or group designs software to attack systems, they create malicious code/software called malware.

• Designed to damage, destroy, or deny service to the target systems
• Includes:
  o macro virus
  o boot virus
  o worms
  o Trojan horses
  o logic bombs
  o back door or trap door
  o denial-of-service attacks
  o polymorphic threats
  o hoaxes

What is asset information for procedures?

• Description
• Intended purpose
• What elements it is tied to
• Where it is stored for reference
• Where it is stored for update purposes

What is asset information for data?

• Classification
• Owner/creator/manager
• Size of data structure
• Data structure used: sequential, relational
• Online or offline
• Where located
• Backup procedures employed

5. What are deliberate acts of sabotage and vandalism?

• An individual or group who want to deliberately sabotage the operations of a computer system or business, or perform acts of vandalism to either destroy an asset or damage the image of the organization
• These threats can range from petty vandalism to organized sabotage
• Organizations rely on image, so Web defacing can lead to dropping consumer confidence and sales
• Rising threat of hacktivist or cyber-activist operations; the most extreme version is cyberterrorism

What is an attack?

An attack is the deliberate act that exploits a vulnerability. It is accomplished by a threat agent to damage or steal an organization's information or physical asset.

• An exploit is a technique to compromise a system
• A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective
• An attack is then the use of an exploit to achieve the compromise of a controlled system


Very Long

1. (a) Define data classification and management.

• A variety of classification schemes are used by corporate and military organizations
• Information owners are responsible for classifying the information assets for which they are responsible
• Information owners must review information classifications periodically
• The military uses a five-level classification scheme, but most organizations do not need the detailed level of classification used by the military or federal agencies

(b) What are security clearances?

• The other side of the data classification scheme is the personnel security clearance structure
• Each user of data in the organization is assigned a single level of authorization indicating the level of classification
• Before an individual is allowed access to a specific set of data, he or she must meet the need-to-know requirement
• This extra level of protection ensures that the confidentiality of information is properly maintained

(c) Explain the process of threat identification.

• Each of the threats identified so far has the potential to attack any of the assets protected
• This will quickly become more complex and overwhelm the ability to plan
• To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process

2. Define the process of information asset valuation.

• Create a weighting for each category based on the answers to the previous questions
• Which factor is the most important to the organization?
• Once each question has been weighted, calculating the importance of each asset is straightforward
• List the assets in order of importance using a weighted factor analysis worksheet

List some of the questions to assist in developing the criteria to be used for asset valuation.

• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the most profitability?
• Which information asset would be the most expensive to replace?
• Which information asset would be the most expensive to protect?


• Which information asset would be the most embarrassing or cause the greatest liability if revealed?
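The weighted factor analysis worksheet from question 2 above, carried through to the relative risk formula given in Unit 1 short question 15 (risk = likelihood × value - percentage already controlled + uncertainty), as an added example that is not part of the question bank. The six criteria are the valuation questions listed above; the weights, the three assets and their scores, and the likelihood, control and uncertainty figures are constructed assumptions, as is the reading that the last two terms are fractions of likelihood × value.

```python
"""Weighted factor analysis worksheet and relative risk rating.
Added example for this question bank, not code from the original page.
The criteria come from the valuation questions above; the weights, asset
scores, likelihoods and control percentages are constructed assumptions."""

# Criteria weights must total 100; these particular weights are an assumption.
CRITERIA_WEIGHTS = {
    "critical_to_success": 30,
    "revenue": 25,
    "profitability": 15,
    "cost_to_replace": 10,
    "cost_to_protect": 5,
    "liability_if_revealed": 15,
}

# Constructed assets, each scored 0.0 (lowest) to 1.0 (highest) per criterion.
ASSETS = {
    "customer database": {
        "critical_to_success": 1.0, "revenue": 0.8, "profitability": 0.8,
        "cost_to_replace": 0.6, "cost_to_protect": 0.5, "liability_if_revealed": 1.0,
    },
    "public web server": {
        "critical_to_success": 0.8, "revenue": 1.0, "profitability": 0.6,
        "cost_to_replace": 0.4, "cost_to_protect": 0.4, "liability_if_revealed": 0.3,
    },
    "HR file server": {
        "critical_to_success": 0.4, "revenue": 0.1, "profitability": 0.1,
        "cost_to_replace": 0.3, "cost_to_protect": 0.2, "liability_if_revealed": 0.9,
    },
}

# Constructed vulnerability rows: (asset, vulnerability, likelihood,
# share of risk already controlled, uncertainty), all fractions in [0, 1].
VULNERABILITIES = [
    ("customer database", "unpatched DBMS", 0.5, 0.5, 0.1),
    ("public web server", "exposed to denial of service", 0.8, 0.25, 0.2),
    ("HR file server", "weak share permissions", 0.3, 0.0, 0.1),
]


def weighted_score(scores: dict, weights: dict = CRITERIA_WEIGHTS) -> float:
    """Value of one asset on a 0-100 scale: sum of weight x score per criterion."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must total 100")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset not scored on: {sorted(missing)}")
    if any(not 0.0 <= s <= 1.0 for s in scores.values()):
        raise ValueError("criterion scores must lie in [0, 1]")
    return sum(weights[c] * scores[c] for c in weights)


def rank_assets(assets: dict = ASSETS) -> list:
    """The worksheet's output: (asset, value) in order of importance, highest first."""
    return sorted(((name, weighted_score(s)) for name, s in assets.items()),
                  key=lambda row: row[1], reverse=True)


def risk_rating(likelihood: float, value: float, controlled: float, uncertainty: float) -> float:
    """risk = likelihood x value - (share already controlled) + (uncertainty).
    Assumption: the last two terms are fractions of likelihood x value, so a
    vulnerability that is 50% controlled loses half of its base rating."""
    for name, frac in (("likelihood", likelihood), ("controlled", controlled),
                       ("uncertainty", uncertainty)):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1]")
    base = likelihood * value
    return base - base * controlled + base * uncertainty


def rank_vulnerabilities(vulns: list = VULNERABILITIES, assets: dict = ASSETS) -> list:
    """Ranked vulnerability risk worksheet: (asset, vulnerability, rating), highest first."""
    rows = []
    for asset, vuln, likelihood, controlled, uncertainty in vulns:
        value = weighted_score(assets[asset])
        rows.append((asset, vuln, risk_rating(likelihood, value, controlled, uncertainty)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, value in rank_assets():
        print(f"{name:20s} value {value:5.1f}")
    for asset, vuln, rating in rank_vulnerabilities():
        print(f"{asset:20s} {vuln:30s} risk {rating:6.2f}")
```

With these figures the customer database is the most valuable asset (85.5), yet the web server's denial-of-service exposure tops the vulnerability ranking (about 52.1 against 25.7), because its likelihood is higher and less of the risk is already controlled. That is the point of keeping the two worksheets separate: asset value alone does not decide where to spend first.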

 3. What are the forces of Nature affecting information security?

Forces of nature, force majeure, or acts of God are dangerous because they are unexpected and can occur with very little warning

Can disrupt not only the lives of individuals, but also the storage, transmission, and use of information

Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect infestation

Since it is not possible to avoid many of these threats, management must implement controls to limit damage and also prepare contingency plans for continued operations

 What are technical hardware failures or errors?

Technical hardware failures or errors occur when a manufacturer distributes to users equipment containing flaws

These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability

Some errors are terminal, in that they result in the unrecoverable loss of the equipment

Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily repeated

 What are technical software failures or errors?

This category of threats comes from purchasing software with unrevealed faults

Large quantities of computer code are written, debugged, published, and sold only to determine that not all bugs were resolved

Sometimes, unique combinations of certain software and hardware reveal new bugs

Sometimes, these items aren’t errors, but are purposeful shortcuts left by programmers for honest or dishonest reasons

 

Additional Questions

4. Define virus

A virus: each infected machine infects certain common executable or script files on all computers to which it can write, with virus code that can cause further infection.

What are the various forms of attacks?

• IP scan and attack
• Web browsing
• Virus
• Unprotected shares
• Mass mail
• SNMP
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial of service
• Distributed DoS

What is denial-of-service (DoS)?

• The attacker sends a large number of connection or information requests to a target
• So many requests are made that the target system cannot handle them successfully along with other, legitimate requests for service
• May result in a system crash, or merely an inability to perform ordinary functions

Define spoofing

Spoofing is a technique used to gain unauthorized access whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.

Define man-in-the-middle

In a man-in-the-middle attack, an attacker sniffs packets from the network, modifies them, and inserts them back into the network.

5. Explain the various types of e-commerce model. What are the limitations of e-commerce?

A company can carry out e-commerce projects based on five different models:

Business-to-Business (B2B) is one of the major forms of e-commerce. Here the seller and the buyer participate as business entities, and business is carried out the same way a manufacturer supplies goods to a wholesaler.

Business-to-Consumer (B2C): in this case transactions take place between consumers and business houses, so individuals are also involved in the online business transactions.

Consumer-to-Consumer (C2C) applies when the business transaction is carried out between two individuals. For this type of e-commerce, the individuals require a platform or an intermediary for business transactions.

Consumer-to-Business (C2B)

Peer-to-Peer (P2P) is another model of e-commerce. This model is technologically more sound than the other e-commerce models. During this type of transaction, people can share computer resources. A common server is not required; instead a common platform can be used for the transactions.

Limitations of e-commerce

1. Security: the security risks in e-commerce can be
• client/server risk
• data transfer and transaction risk
• virus risk

2. High start-up cost: the various components of cost involved with e-commerce are
• connection: connection cost to the internet
• hardware/software: this includes the cost of sophisticated computers, modems, routers, etc.
• maintenance: this includes the cost involved in training employees and maintaining web pages

3. Legal issues: these issues arise when customer data falls into the hands of strangers.

4. Lack of skilled personnel: there is difficulty in finding skilled web developers and knowledgeable professionals to manage and maintain customers online.

5. Loss of contact with customers: sometimes customers feel that they have not received sufficient personal attention.

6. Uncertainty and lack of information: most companies have never used any electronic means of communication with their customers, as the internet is an unknown mode for them.

7. Some business processes may never be available to e-commerce: some items, such as foods, and high-cost items, such as jewellery, may be impossible to make available on the internet.

With technological advancements, business transactions can be done through mobile devices. The latest model for e-commerce is m-commerce. E-commerce sites can be specially optimized and programmed so that they can be viewed and used through mobiles. Here two mobile users can contact each other to carry out business transactions.

UNIT II


Short Questions

1. What is a policy?

A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.

2. What are the three types of security policies?

Management defines three types of security policy:

• General or security program policy
• Issue-specific security policies
• Systems-specific security policies

3. What is a security program policy?

A security program policy (SPP) is also known as

• a general security policy
• IT security policy
• information security policy

4. What is an information security blueprint?

The security blueprint is the basis for the design, selection, and implementation of security policies, education and training programs, and technology controls.

5. What is defense in depth?

One of the foundations of security architectures is the requirement to implement security in layers. Defense in depth requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls.

6. What is the security perimeter?

The point at which an organization's security protection ends, and the outside world begins, is referred to as the security perimeter.

7. What are the different risk control strategies?

• Avoidance
• Transference
• Mitigation
• Acceptance

8. Incident response plan

The actions an organization can, and perhaps should, take while an incident is in progress are documented in what is known as the incident response plan (IRP). The IRP provides answers to questions such as:

a. What should the administrator do first?
b. Whom should they contact?
c. What should they document?


9. Define disaster recovery plan

The most common mitigation procedure is the disaster recovery plan (DRP). The DRP includes the entire spectrum of activities used to recover from the incident and strategies to limit losses before and after the disaster. A DRP usually includes all preparations for the recovery process and strategies to limit losses during the disaster.

10. Define business continuity plan

The BCP is the most strategic and long-term of the three plans. It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building, or operations center. The BCP includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DRP to restore operations.

Long Questions

1. What is the goal of documenting the results of the risk assessment?

• The goal of this process has been to identify the information assets of the organization that have specific vulnerabilities and create a list of them, ranked so as to focus on those most needing protection first
• In preparing this list we have collected and preserved factual information about the assets, the threats they face, and the vulnerabilities they experience

Mention the strategies to control the vulnerable risks.

Four basic strategies are used to control the risks that result from vulnerabilities:

• Apply safeguards (avoidance)
• Transfer the risk (transference)
• Reduce the impact (mitigation)
• Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)

2. Define the ISO 17799/BS 7799 standards and their drawbacks

• One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799

• This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security

3. Mention the drawbacks of ISO 17799/BS 7799

Several countries have not adopted 17799, claiming there are fundamental problems:

• The global information security community has not defined any justification for a code of practice as identified in ISO/IEC 17799
• 17799 lacks "the necessary measurement precision of a technical standard"
• There is no reason to believe that 17799 is more useful than any other approach currently available
• 17799 is not as complete as other frameworks available
• 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls

4. What are the objectives of ISO 17799?

An organizational security policy is needed to provide management direction and support. Objectives:

• Organizational Security Policy
• Organizational Security Infrastructure
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Management
• System Access Control
• System Development and Maintenance
• Business Continuity Planning
• Compliance

 Very Long Questions

1. Define issue-specific security policy (ISSP)

The ISSP:

• addresses specific areas of technology
• requires frequent updates
• contains an issue statement on the organization's position on an issue

5. What are ACL policies?

ACLs allow configuration to restrict access from anyone and anywhere. ACLs regulate:

• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system from
• How authorized users can access the system

2. What alternative security models are available other than ISO 17799/BS 7799?

Another approach available is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov), including:

• NIST SP 800-12: The Computer Security Handbook
• NIST SP 800-14: Generally Accepted Principles and Practices for Securing IT Systems
• NIST SP 800-18: The Guide for Developing Security Plans for IT Systems

List the management controls of NIST SP 800-26

• Risk Management
• Review of Security Controls
• Life Cycle Maintenance
• Authorization of Processing (Certification and Accreditation)
• System Security Plan

Mention the operational controls of NIST SP 800-26

• Personnel Security
• Physical Security
• Production, Input/Output Controls
• Contingency Planning
• Hardware and Systems Software
• Data Integrity
• Documentation
• Security Awareness, Training, and Education
• Incident Response Capability

13. What are the technical controls of NIST SP 800-26?

• Identification and Authentication
• Logical Access Controls
• Audit Trails

3. What is the sphere of protection?

• The "sphere of protection" overlays each of the levels of the "sphere of use" with a layer of security, protecting that layer from direct or indirect use through the next layer
• The people must become a layer of security, a human firewall that protects the information from unauthorized access and use
• Information security is therefore designed and implemented in three layers:
  o policies
  o people (education, training, and awareness programs)
  o technology

What are the key technological components used for security implementation?

• A firewall is a device that selectively discriminates against information flowing into or out of the organization
• The DMZ (demilitarized zone) is a no-man's land between the inside and outside networks, where some organizations place Web servers
• In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement intrusion detection systems (IDS)

What is systems-specific policy (SysSP)?

SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems. Systems-specific policies fall into two groups:

• Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system


4. What is the importance of the blueprint?

The blueprint should specify the tasks to be accomplished and the order in which they are to be realized. It should serve as a scalable, upgradable, and comprehensive plan for the information security needs of the coming years.

What is residual risk?

• For each threat and its associated vulnerabilities that have any residual risk, create a preliminary list of control ideas
• Residual risk is the risk that remains to the information asset even after the existing control has been applied

What is access control?

One particular application of controls is in the area of access controls.

• Access controls are those controls that specifically address admission of a user into a trusted area of the organization
• There are a number of approaches to controlling access
• Access controls can be discretionary, mandatory, or nondiscretionary

What are the different types of access controls?

• Discretionary Access Controls (DAC)
• Mandatory Access Controls (MAC)
• Nondiscretionary Controls
• Role-Based Controls
• Task-Based Controls
• Lattice-Based Controls
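The access control types listed above, together with the data classification and security clearance scheme from Very Long question 1 (a single clearance level plus the need-to-know requirement), worked as one small example that is not part of the question bank. One access-control matrix is read two ways, as an ACL per object and as a capability table per subject (the SysSP material above), and a lattice-based mandatory check is layered on top: a subject's clearance must dominate the object's label, meaning the level is at least as high and every need-to-know category is held. The subjects, objects, category names and grants are constructed assumptions; the three levels are the question bank's own public/internal/confidential scheme.

```python
"""One access-control matrix seen as ACLs and capability tables, plus a
lattice-based mandatory check (classification level + need-to-know categories).
Added example for this question bank, not code from the original page.
Subjects, objects, category names and grants below are constructed."""
from dataclasses import dataclass

# The question bank's three-level scheme; the numbers give the lattice order.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    """Classification level plus need-to-know categories (category names assumed)."""
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


# Constructed DAC matrix: (subject, object) -> rights the owner has granted.
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
    ("carol", "payroll.xlsx"): {"read"},
    ("alice", "handbook.pdf"): {"read"},
    ("dave", "handbook.pdf"): {"read"},
}

# Constructed MAC labels: one clearance per subject, one classification per object.
CLEARANCE = {
    "alice": Label("confidential", frozenset({"payroll"})),
    "bob": Label("confidential", frozenset({"sales"})),
    "carol": Label("internal", frozenset({"payroll"})),
    "dave": Label("public", frozenset()),
}
CLASSIFICATION = {
    "payroll.xlsx": Label("confidential", frozenset({"payroll"})),
    "handbook.pdf": Label("public", frozenset()),
}


def acl_for(obj: str, matrix: dict = MATRIX) -> dict:
    """Column of the matrix: which subjects hold which rights on one object."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj}


def capabilities_for(subject: str, matrix: dict = MATRIX) -> dict:
    """Row of the matrix: which objects one subject may touch, and how."""
    return {o: set(r) for (s, o), r in matrix.items() if s == subject}


def dac_allows(subject: str, obj: str, right: str, matrix: dict = MATRIX) -> bool:
    """Discretionary check: the owner must have granted this right explicitly."""
    return right in matrix.get((subject, obj), set())


def mac_allows(subject: str, obj: str, right: str,
               clearance: dict = CLEARANCE, classification: dict = CLASSIFICATION) -> bool:
    """Mandatory check the owner cannot override. Reads require the clearance to
    dominate the object's label (no read up, need-to-know enforced); writes
    require the object's label to dominate the clearance (no write down)."""
    if subject not in clearance or obj not in classification:
        return False  # unlabeled subject or object: deny by default
    subj, objl = clearance[subject], classification[obj]
    if right == "read":
        return subj.dominates(objl)
    if right == "write":
        return objl.dominates(subj)
    return False


def authorize(subject: str, obj: str, right: str) -> bool:
    """Access is granted only when both the mandatory lattice rule and the
    discretionary ACL entry allow it; either one alone is not enough."""
    return mac_allows(subject, obj, right) and dac_allows(subject, obj, right)


if __name__ == "__main__":
    print("ACL for payroll.xlsx:", acl_for("payroll.xlsx"))
    print("alice's capabilities:", capabilities_for("alice"))
    for who in ("alice", "bob", "carol", "dave"):
        print(f"{who} read payroll.xlsx -> {authorize(who, 'payroll.xlsx', 'read')}")
```

Bob shows why the clearance level alone is not the whole check: he is cleared to "confidential" and the owner has granted him read, yet he lacks the payroll need-to-know category, so the lattice check denies him. Carol has the category but is cleared only to "internal", and is denied on level. Both have ACL entries, which is exactly the situation the "extra level of protection" in the clearance question describes.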

 

5. What do you understand by authentication service security? Explain security techniques for mobile devices.

ANSWER: There are two components of security in mobile computing: security in devices and security in networks. Secure network access involves mutual authentication between the device and the base station or web service. Whenever a user wants to access the network in a secured manner, the device needs to be authenticated by the base station or web server. This ensures that only authenticated devices can be connected to the network to obtain the requested services. Authentication deals with the problem of determining whether a user should be allowed access to a particular system or resource. Authentication service security is important because of the typical attacks (DoS, traffic analysis, eavesdropping, man-in-the-middle attacks, and session hijacking) on mobile devices through wireless networks. Security measures in this scenario come from the Wireless Application Protocol (WAP), use of virtual private networks (VPNs), Media Access Control (MAC) address filtering, and developments in the 802.xx standards.

Security techniques for mobile devices. Here are a few basic tips on how to secure your mobile phone:

1. Keep your system updated


An updated mobile operating system gives you the latest features while protecting your information. Get rid of security holes or vulnerabilities by maintaining updated software on both your PC and your smartphone.

2. Install a security application: as your mobile device functions more like a mini computer, it becomes a more attractive target for hackers or thieves. A reliable security app safeguards your data, protects against threats, and locates your lost or stolen phone.

3. Watch where you click and land: the mobile threats you are most likely to face are scams and phishing attacks that attempt to steal credit card information. Social engineering methods are used to lure you into clicking on malicious links. Always check that a website starts with "https" before you enter sensitive information, and remember that "https" only means the connection is encrypted; a phishing site can use it too, so check the domain name as well.

4. Avoid shopping or banking on a public network: keep in mind that the public Wi-Fi your phone is connected to might not be secure. Limit your activity to browsing and avoid committing any transaction that involves your account information.

5. Get applications from a trusted source: part of the fun in having a smartphone is having an app for everything. There are plenty of applications out there, and some are offered through independent, unmonitored channels. Stick to the official app stores when you can. If you are downloading an app from a third party, do a little research to make sure the app is reputable.

6. Make it a habit to check each app's data access on your phone: some applications may have access to your data or personal information. Be wary of access that is outside the scope or purpose of the application. A game does not need access to SMS (read, write, and send), calling, phonebook entries, and system files. If a game wants all that access, get a little suspicious. If you have any doubt about an application, do not install it.

Q6. Explain the different physical entry controls. What are the different disasters and controls?

ANSWER: Administrative controls rely on the willing compliance of managers and employees. Physical controls rely on the proper application of physical barriers and deterrents to control behavior. It is through the use of physical controls that an organization controls physical access to facilities and systems. They also assist in maintaining the operating environments necessary to continue information processing and delivery activities. Physical security controls are meant to detect and delay the passage of an intruder as he or she moves inward toward sensitive areas around or within a facility. Physical controls provide an environment in which to safely process information as well as barriers to unauthorized access to systems. These controls include:

1. Alternate power sources
2. Flood management
3. Data backup
4. Fences
5. Human guards
6. Locks
7. Fire suppression systems
8. Biometrics
9. Location

In physical security, disasters and controls are of the following types:

1. Fire: A fire affects information systems through heat, smoke, or suppression agent damage. This threat category can be minor, major or catastrophic. Controls: install smoke detectors near equipment; keep fire extinguishers near equipment and train employees in their proper use; conduct regular fire evacuation exercises.

2. Earthquake: A violent ground motion resulting from stresses in the earth's surface. Controls: keep computer systems away from glass and elevated surfaces; in high-risk areas secure the computers with anti-vibration devices.

3. Liquid leakage: A liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers. Controls: keep liquid-proof covers near the equipment and install water detectors on the structural floor near the computer systems.

4. Lightning: An electric charge in the air can cause either direct lightning strikes to the facility or surges due to strikes on electrical power transmission lines, transformers and substations. Controls: install surge suppressors, store backups on grounded storage media, install and test Uninterruptible Power Supply (UPS) units and diesel generators.

Q7. What are fingerprints? What are the major issues related to document security? Discuss them in brief.

ANSWER: Fingerprints were used in ancient China as a form of signature, and they have served a similar purpose at other times in history. A fingerprint in its narrow sense is an impression left by the friction ridges of a human finger. In a wider use of the term, fingerprints are the traces of an impression from the friction ridges of any part of a human or other primate hand.

Fingerprints are routinely used for identification, particularly in criminal cases.

TYPES OF FINGERPRINTS:

1. Exemplar: Exemplar prints, or known prints, is the name given to fingerprints deliberately collected from a subject, whether for purposes of enrollment in a system or when under arrest for a suspected criminal offense.

2. Latent: The term latent print means any chance or accidental impression left by friction ridge skin on a surface, regardless of whether it is visible or invisible at the time of deposition.

3. Patent: Patent prints are chance friction ridge impressions which are obvious to the human eye and which have been caused by the transfer of foreign material from a finger onto a surface.

4. Plastic: A plastic print is a friction ridge impression left in a material that retains the shape of the ridge detail.

5. Electronic recording: There has been a newspaper report of a man selling stolen watches who sent images of them from a mobile phone; those images included parts of his hands in enough detail for police to identify fingerprint patterns.

(b) What are the major issues related to document security?

A significantly more effective solution for protecting an electronic document is to assign security parameters that are an integral part of the document itself. The following criteria define persistent document security:

1. Confidentiality: Who should have access to the document?
2. Authorization: What permissions does the user have for working with the document?
3. Accountability: What has the recipient done with the document?
4. Integrity: How do you know if the document has been altered?
5. Authenticity: How do you know where the document came from?
6. Non-repudiation: Can the signatory deny signing the document?

1. Confidentiality (encryption): Encryption is the process of transforming information (plaintext) into an incomprehensible form (ciphertext). Encryption is an effective technique for managing document access. Decryption is the reverse process that transforms ciphertext back to the original plaintext. Cryptography refers to the two processes of encryption and decryption, and its implementation is referred to as a cryptosystem.

2. Authorization: In addition to managing who can open a document, organizations gain additional protection through authorization. Authorization specifies what a user can do with a document and is achieved via permissions and dynamic document control.

3. Accountability: Document auditing allows organizations to maintain accountability with regard to the use of protected documents, because they can know precisely:
• How a recipient has used a document
• How often each type of usage occurred
• When that usage occurred
Accountability is achieved when an author can track each recipient's use of a document for each permission assigned.

4. Integrity: Digital signatures enable recipients to verify the integrity of an electronic document that is used in one-way or round-trip workflows.

5. Authenticity: Digital signatures provide document authenticity by verifying a signer's digital identity. For example, a digitally signed quarterly financial statement allows recipients to verify the identity of the sender and assures them that the financial information has not been altered since it was sent.

6. Non-repudiation: Non-repudiation is a document security service that prevents the signer of the document from denying that they signed the document. Support for this service is often driven by authentication and time-stamping capabilities.

Q9. What are the design issues in biometric systems? What is the difference between authentication and identification?

ANSWER: Design issues in a biometric system:
• Target design/selection of systems for:
  - Acceptable overall performance for a given application
  - Acceptable impact from a socio-legal perspective
• Examine the architecture of a biometric system, its subsystems, and their interaction
• Develop an understanding of design choices and tradeoffs in existing systems
• Build a framework to understand and quantify performance

Difference between user authentication and identification:

1. Authentication / Verification ("Am I who I claim I am?"): It involves confirming or denying a person's claimed identity. A one-to-one comparison of a captured biometric with a stored template verifies that the individual is who he claims to be. It can be done in conjunction with a smart card, username or ID number.

2. Identification ("Who am I?"): The system has to recognize a person from a list of N users in the template database. Identification is a more challenging problem: a one-to-many comparison of the captured biometric against a biometric database in an attempt to identify an unknown individual.

Identification and authentication are commonly used as a two-step process, but they are distinct activities. Identification is the claiming of an identity. This only needs to occur once per authentication or access process. Any one of the three common authentication factors can be employed for identification. Once identification has been performed, the authentication process must take place. Authentication is the act of verifying or proving the claimed identity. The issue is both checking that such an identity actually exists within the known accounts of the secured environment and also ensuring that the human claiming the identity is the correct, valid, and authorized human to use that specific identity.
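The one-to-one and one-to-many comparisons above, as an added Go example (not code from the question bank). It models each enrolled template as a short binary feature code, as an iris code is, and matches by the fraction of differing bits against a threshold; the template database, the 16-bit codes, the 25% threshold and the sample captures are all constructed for the demonstration and are far smaller than a real system's.

```go
package main

import (
	"errors"
	"fmt"
)

// templates is the enrollment database: identity -> stored feature code (constructed).
var templates = map[string]string{
	"alice": "1100101011010011",
	"bob":   "0011110001101100",
	"carol": "1010101010101010",
}

// MatchThreshold is the largest fraction of differing bits still accepted as the same person.
const MatchThreshold = 0.25

// hammingFraction returns the fraction of positions at which two equal-length codes differ.
func hammingFraction(a, b string) (float64, error) {
	if len(a) == 0 || len(a) != len(b) {
		return 0, errors.New("codes must be non-empty and of equal length")
	}
	diff := 0
	for i := range a {
		if a[i] != b[i] {
			diff++
		}
	}
	return float64(diff) / float64(len(a)), nil
}

// Verify is the 1:1 case ("Am I who I claim I am?"): the claimant first identifies
// (username, ID number, smart card) and the capture is compared with that template only.
func Verify(claimedID, capture string) bool {
	tmpl, ok := templates[claimedID]
	if !ok {
		return false // unknown identity: fail closed rather than search
	}
	d, err := hammingFraction(capture, tmpl)
	return err == nil && d <= MatchThreshold
}

// Identify is the 1:N case ("Who am I?"): the capture is compared against every
// template and the closest one under the threshold wins; no match yields ("", false).
func Identify(capture string) (string, bool) {
	best, bestDist := "", 2.0
	for id, tmpl := range templates {
		d, err := hammingFraction(capture, tmpl)
		if err != nil {
			continue
		}
		if d < bestDist {
			best, bestDist = id, d
		}
	}
	if bestDist <= MatchThreshold {
		return best, true
	}
	return "", false
}

func main() {
	// Constructed capture: alice's code with two bits flipped by sensor noise.
	noisyAlice := "0100101011010010"
	fmt.Println("verify alice:", Verify("alice", noisyAlice))
	fmt.Println("verify as bob:", Verify("bob", noisyAlice))
	id, ok := Identify(noisyAlice)
	fmt.Println("identify:", id, ok)
	id, ok = Identify("0000000000000000") // someone never enrolled
	fmt.Printf("identify stranger: %q %v\n", id, ok)
}
```

The design tradeoff the answer mentions shows up directly in MatchThreshold: raising it lowers false rejections but raises false acceptances, and in the 1:N case the chance of a false acceptance grows with the number of templates searched, which is why identification is the harder problem.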

Page 22: Web viewManagement must be informed of the various kinds of threats facing the ... • The other side of the data classification scheme is the personnel security clearance

UNIT III

Short Questions

1. Mention the functions of a first generation firewall.

It examines every incoming packet header and selectively filters packets based on address, packet type, port request, and other factors.

2. What is Cryptography?

Cryptography, which comes from the Greek words kryptos, meaning "hidden", and graphein, meaning "to write", is a process of making and using codes to secure the transmission of information.

3. What is Cryptanalysis?

Cryptanalysis is the process of obtaining the original message (called the plaintext) from an encrypted message (called the ciphertext) without knowing the algorithms and keys used to perform the encryption.

4. Define Encryption.

Encryption is the process of converting an original message into a form that is unreadable to unauthorized individuals, that is, to anyone without the tools to convert the encrypted message back to its original format.

5. Define Decryption.

Decryption is the process of converting the ciphertext into a message that conveys readily understood meaning.

6. What is the drawback of a packet-filtering router?

The drawbacks of a packet-filtering router include a lack of auditing and strong authentication.

7. What are Screened-Host Firewall Systems?

A screened-host firewall system allows the router to pre-screen packets to minimize the network traffic and load on the internal proxy.

8. What is the use of an Application proxy?

An application proxy examines an application layer protocol, such as HTTP, and performs the proxy services.

4. What are the restrictions of a first generation firewall?

The restrictions most commonly implemented are based on:
• IP source and destination address
• Direction (inbound or outbound)
• TCP or UDP source and destination port requests


5. What is the advantage of Second Generation firewalls?

The primary disadvantage of application-level firewalls is that they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed.

6. Define stateful inspection firewall.

It keeps track of each network connection established between internal and external systems using a state table, which tracks the state and context of each packet in the conversation by recording which station sent what packet and when.

7. What is the disadvantage of third generation firewalls?

The primary disadvantage is the additional processing requirement of managing and verifying packets against the state table, which can possibly expose the system to a DoS attack. These firewalls can track connectionless packet traffic such as UDP and remote procedure call (RPC) traffic.

8. What is the function of a Fifth Generation firewall?

The final form of firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT. It evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack.

9. What is the use of NAT?

A technology known as network address translation (NAT) is commonly implemented to map from real, valid, external IP addresses to ranges of internal IP addresses that are non-routable.

10. What are SOCKS Servers?

The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation.

9. How are firewalls categorized by processing mode?

The five processing modes are:
• Packet filtering
• Application gateways
• Circuit gateways
• MAC layer firewalls
• Hybrids

10. Define NIDS.

A network-based IDS (NIDS) resides on a computer or an appliance connected to a segment of an organization's network and monitors traffic on that network segment, looking for indications of ongoing or successful attacks.

11. What is HIDS?

A host-based IDS (HIDS) works differently from a network-based IDS. A host-based IDS resides on a particular computer or server, known as the host, and monitors activity only on that system. HIDSs are also known as System Integrity Verifiers, as they benchmark and monitor the status of key system files and detect when an intruder creates, modifies or deletes monitored files.

12. What is the use of HIDS?

A HIDS is also capable of monitoring system configuration databases, such as the Windows registry, in addition to stored configuration files like .ini, .cfg, and .dat files.

13. What is Application-based IDS?

A refinement of the host-based IDS is the application-based IDS (AppIDS). The application-based IDS examines an application for abnormal incidents. It looks for anomalous occurrences such as users exceeding their authorization, invalid file executions, etc.

14. What is Signature-based IDS?

A signature-based IDS (also called a knowledge-based IDS) examines data traffic in search of patterns that match known signatures, that is, preconfigured, predetermined attack patterns.
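The System Integrity Verifier role of a HIDS in questions 11 and 12, as an added Go example that is not code from the question bank: it benchmarks a directory of configuration files by hashing each one, takes a second snapshot later and reports every created, modified or deleted file. The scratch directory, the file names and contents, and the simulated tampering are constructed for the demonstration; a real HIDS would keep the baseline on protected storage and watch system paths.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot maps each monitored file (path relative to the root) to the SHA-256 of its contents.
type Snapshot map[string]string

// TakeSnapshot walks root and hashes every regular file: the HIDS "benchmark" of key files.
func TakeSnapshot(root string) (Snapshot, error) {
	snap := Snapshot{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path)
		sum := sha256.Sum256(data)
		snap[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return snap, err
}

// Change is one integrity finding; Kind is "created", "modified" or "deleted".
type Change struct{ Kind, Path string }

// Compare reports what differs between the baseline and a later snapshot, sorted by path.
func Compare(baseline, current Snapshot) []Change {
	var out []Change
	for p, h := range current {
		if old, ok := baseline[p]; !ok {
			out = append(out, Change{"created", p})
		} else if old != h {
			out = append(out, Change{"modified", p})
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			out = append(out, Change{"deleted", p})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Demo builds a scratch directory of constructed config files, baselines it,
// simulates an intruder's edits and returns the findings.
func Demo() ([]Change, error) {
	dir, err := os.MkdirTemp("", "hids-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	write := func(name, body string) error {
		return os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644)
	}
	if err := write("app.cfg", "debug=false\n"); err != nil {
		return nil, err
	}
	if err := write("users.dat", "alice:1000\n"); err != nil {
		return nil, err
	}
	baseline, err := TakeSnapshot(dir)
	if err != nil {
		return nil, err
	}
	// Simulated tampering: one file edited, one added, one removed.
	_ = write("app.cfg", "debug=true\n")
	_ = write("extra.ini", "autostart=1\n")
	_ = os.Remove(filepath.Join(dir, "users.dat"))
	current, err := TakeSnapshot(dir)
	if err != nil {
		return nil, err
	}
	return Compare(baseline, current), nil
}

func main() {
	changes, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range changes {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```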

15. What are dual-homed host firewalls?

The bastion host contains two NICs (network interface cards). One NIC is connected to the external network, and one is connected to the internal network. With two NICs all traffic must physically go through the firewall to move between the internal and external networks.

Long Questions

1. What are Screened-Subnet Firewalls?
• Consists of two or more internal bastion hosts, behind a packet-filtering router, with each host protecting the trusted network
• The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them
• The second general model involves the connection from the outside or untrusted network

2. What are the factors to be considered while selecting the right firewall?
o What type of firewall technology offers the right balance of protection features and cost for the needs of the organization?
o What features are included in the base price? What features are available at extra cost? Are all cost factors known?
o How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well?
o Can the candidate firewall adapt to the growing network in the target organization?

3. What are the recommended practices in designing firewalls?
• All traffic from the trusted network is allowed out
• The firewall device is always inaccessible directly from the public network
• Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall, but ensure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely
• All Internet Control Message Protocol (ICMP) data should be denied


• Block telnet (terminal emulation) access to all internal servers from the public networks
• When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture

4. What are intrusion detection systems (IDS)?
• IDSs work like burglar alarms
• IDSs require complex configurations to provide the level of detection and response desired
• An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets
• IDSs use one of two detection methods, signature-based or statistical anomaly-based

5. What are the different types of IDSs?
• Network-based IDS
• Host-based IDS
• Application-based IDS
• Signature-based IDS
• Statistical anomaly-based IDS
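The first-generation restrictions (address, direction, port) and the recommended firewall practices above, as an added Go example that is not code from the question bank. It evaluates an ordered rule list with a default deny, then layers the state table of a stateful inspection firewall on top so that replies to connections opened from inside are admitted although no static rule allows them. The address plan (10.0.0.0/8 as the trusted network, 192.0.2.0/24 as the DMZ, 192.0.2.25 as the SMTP gateway) and the sample packets are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the header information a packet-filtering firewall sees.
type Packet struct {
	Inbound          bool   // true when arriving from the untrusted (public) side
	Proto            string // "tcp", "udp" or "icmp"
	Src, Dst         net.IP
	SrcPort, DstPort int
}

// Rule is one entry of a first-generation (stateless) filter. Every set field
// is a match condition; a nil or zero field matches anything.
type Rule struct {
	Name    string
	Inbound *bool
	Proto   string
	Src     *net.IPNet
	Dst     *net.IPNet
	DstPort int
	Allow   bool
}

func cidr(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n }
func boolp(b bool) *bool       { return &b }

// Assumed address plan (documentation ranges, not from the question bank).
var (
	trusted = cidr("10.0.0.0/8")    // internal, trusted network
	dmz     = cidr("192.0.2.0/24")  // DMZ holding the web proxy
	smtpGW  = cidr("192.0.2.25/32") // the well-configured SMTP gateway
)

// Rules encode the recommended practices: first match wins, default deny.
var Rules = []Rule{
	{Name: "deny all ICMP", Proto: "icmp"},
	{Name: "block telnet from public", Inbound: boolp(true), Proto: "tcp", DstPort: 23},
	{Name: "SMTP only to the gateway", Inbound: boolp(true), Proto: "tcp", Dst: smtpGW, DstPort: 25, Allow: true},
	{Name: "HTTP only to DMZ proxy", Inbound: boolp(true), Proto: "tcp", Dst: dmz, DstPort: 80, Allow: true},
	{Name: "trusted network may go out", Inbound: boolp(false), Src: trusted, Allow: true},
}

func (r Rule) matches(p Packet) bool {
	if r.Inbound != nil && *r.Inbound != p.Inbound {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Filter is the stateless decision: whether the packet passes and which rule decided.
func Filter(p Packet) (bool, string) {
	for _, r := range Rules {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default deny"
}

// flow identifies a connection as seen from the inside host.
type flow struct {
	proto, inside, outside  string
	insidePort, outsidePort int
}

// StatefulFirewall adds a state table: replies to a connection the inside opened
// are admitted. The table is unbounded here; a real one ages entries out.
type StatefulFirewall struct{ state map[flow]bool }

func NewStatefulFirewall() *StatefulFirewall {
	return &StatefulFirewall{state: map[flow]bool{}}
}

// Decide consults the state table first, then the static rules.
func (f *StatefulFirewall) Decide(p Packet) (bool, string) {
	if p.Inbound && f.state[flow{p.Proto, p.Dst.String(), p.Src.String(), p.DstPort, p.SrcPort}] {
		return true, "established connection"
	}
	ok, why := Filter(p)
	if ok && !p.Inbound {
		f.state[flow{p.Proto, p.Src.String(), p.Dst.String(), p.SrcPort, p.DstPort}] = true
	}
	return ok, why
}

func main() {
	fw := NewStatefulFirewall()
	out := Packet{false, "tcp", net.ParseIP("10.0.0.5"), net.ParseIP("203.0.113.7"), 40000, 443}
	reply := Packet{true, "tcp", net.ParseIP("203.0.113.7"), net.ParseIP("10.0.0.5"), 443, 40000}
	telnet := Packet{true, "tcp", net.ParseIP("203.0.113.7"), net.ParseIP("10.0.0.9"), 5555, 23}
	for _, p := range []Packet{out, reply, telnet} {
		ok, why := fw.Decide(p)
		fmt.Printf("%s %s:%d -> %s:%d allowed=%v (%s)\n", p.Proto, p.Src, p.SrcPort, p.Dst, p.DstPort, ok, why)
	}
}
```

The reply packet is the point of the exercise: the stateless Filter rejects it under the default deny, while Decide admits it from the state table, which is the extra processing (and DoS exposure) the third-generation questions describe.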

Additional Questions

6. What is LFM?

Log File Monitor (LFM) is an approach to IDS that is similar to NIDS. Using LFM, the system reviews the log files generated by servers, network devices, and even other IDSs. These systems look for patterns and signatures in the log files that may indicate an attack or intrusion is in process or has already succeeded.
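The log file monitor above, combined with the two detection methods named in question 4 (signature-based and statistical anomaly-based), as an added Go example that is not code from the question bank. It runs known-pattern signatures over each log line, and separately learns a per-source failed-login baseline (mean plus three standard deviations) from a quiet window and flags sources that exceed it in the window under review. The log line format, the addresses and the two signatures are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
)

// signature is one knowledge-based rule: a name and the pattern it looks for.
type signature struct {
	Name string
	Re   *regexp.Regexp
}

// Signatures live in a slice so hits are checked in a fixed order (constructed rules).
var Signatures = []signature{
	{"ssh-invalid-user", regexp.MustCompile(`Failed password for invalid user`)},
	{"http-path-traversal", regexp.MustCompile(`"GET \S*\.\./`)},
}

// failedLogin captures the source address of any failed SSH login line.
var failedLogin = regexp.MustCompile(`Failed password for .* from (\d+\.\d+\.\d+\.\d+)`)

// SignatureHits counts, per signature name, how many lines matched it.
func SignatureHits(lines []string) map[string]int {
	hits := map[string]int{}
	for _, l := range lines {
		for _, s := range Signatures {
			if s.Re.MatchString(l) {
				hits[s.Name]++
			}
		}
	}
	return hits
}

// FailuresPerSource counts failed logins per source address in a log window.
func FailuresPerSource(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if m := failedLogin.FindStringSubmatch(l); m != nil {
			counts[m[1]]++
		}
	}
	return counts
}

// Baseline learns mean + 3 sigma of failures per source from a window of normal
// traffic: the statistical profile an anomaly-based IDS compares against.
func Baseline(normal []string) float64 {
	counts := FailuresPerSource(normal)
	if len(counts) == 0 {
		return 0
	}
	n := float64(len(counts))
	var sum, sq float64
	for _, c := range counts {
		sum += float64(c)
	}
	mean := sum / n
	for _, c := range counts {
		sq += (float64(c) - mean) * (float64(c) - mean)
	}
	return mean + 3*math.Sqrt(sq/n)
}

// AnomalousSources returns, sorted, the sources whose failure count exceeds the threshold.
func AnomalousSources(lines []string, threshold float64) []string {
	var out []string
	for src, c := range FailuresPerSource(lines) {
		if float64(c) > threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

// sshFailures fabricates n failed-login lines from one source (constructed sample data).
func sshFailures(src string, n int) []string {
	var lines []string
	for i := 0; i < n; i++ {
		lines = append(lines, fmt.Sprintf("Jan 10 12:%02d:00 host sshd[%d]: Failed password for alice from %s port %d ssh2",
			i, 100+i, src, 5000+i))
	}
	return lines
}

// NormalWindow is a quiet hour: a few mistyped passwords per internal source (constructed).
func NormalWindow() []string {
	var w []string
	for src, n := range map[string]int{"10.0.0.4": 1, "10.0.0.5": 2, "10.0.0.6": 1, "10.0.0.7": 2} {
		w = append(w, sshFailures(src, n)...)
	}
	return w
}

// DetectionWindow is the hour under review: one external source hammering the server (constructed).
func DetectionWindow() []string {
	w := sshFailures("10.0.0.4", 2)
	w = append(w, sshFailures("198.51.100.7", 20)...)
	return append(w,
		`Jan 10 12:30:00 host sshd[300]: Failed password for invalid user admin from 198.51.100.7 port 6000 ssh2`,
		`Jan 10 12:31:00 host httpd: 198.51.100.7 "GET /images/../../app.cfg HTTP/1.1" 404`)
}

func main() {
	threshold := Baseline(NormalWindow())
	fmt.Printf("baseline: %.1f failures per source\n", threshold)
	fmt.Println("signature hits:", SignatureHits(DetectionWindow()))
	fmt.Println("anomalous sources:", AnomalousSources(DetectionWindow(), threshold))
}
```

The two methods complement each other: the signature rules catch the single "invalid user" and traversal lines that a counter would miss, while the baseline catches the volume of ordinary-looking failures that no signature describes.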

Very Long Questions

1. (a) What are Honey Pots?

Honey pots are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves. These systems are created for the sole purpose of deceiving potential attackers. In industry they are known as decoys, lures, and fly-traps.

(b) What are Padded Cell Systems?

A padded cell is a honey pot that has been protected so that it cannot be easily compromised. In other words, a padded cell is a hardened honey pot.


(c) What are the advantages and disadvantages of using the honey pot or padded cell approach?

Advantages:
o Attackers can be diverted to targets that they cannot damage.
o Administrators have time to decide how to respond to an attacker.
o Attackers' actions can be easily and extensively monitored.
o Honey pots may be effective at catching insiders who are snooping around a network.

Disadvantages:
o The legal implications of using such devices are not well defined.
o Honey pots and padded cells have not yet been shown to be generally useful security technologies.
o An expert attacker, once diverted into a decoy system, may become angry and launch a hostile attack against an organization's systems.
o Admins and security managers will need a high level of expertise to use these systems.

2. (a) What are footprinting and fingerprinting?

One of the preparatory parts of the attack protocol is the collection of publicly available information about a potential target, a process known as footprinting. Footprinting is the organized research of the Internet addresses owned or controlled by the target organization. The next phase of the attack protocol is a second intelligence or data-gathering process called fingerprinting. This is a systematic survey of all of the target organization's Internet addresses (which are collected during the footprinting phase); the survey is conducted to ascertain the network services offered by the hosts in that range. Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network for the anticipated attack.

(b) What are Vulnerability Scanners?

Vulnerability scanners are capable of scanning networks for very detailed information. As a class, they identify exposed usernames and groups, show open network shares, expose configuration problems, and find other vulnerabilities in servers.

(c) What are firewalls?

A firewall is any device that prevents a specific type of information from moving between the untrusted network outside and the trusted network inside. The firewall may be:
• a separate computer system
• a service running on an existing router or server
• a separate network containing a number of supporting devices

(d) Explain the different generations of firewalls.

• First Generation: packet filtering firewalls
• Second Generation: application-level firewalls or proxy servers
• Third Generation: stateful inspection firewalls
• Fourth Generation: dynamic packet filtering firewalls
• Fifth Generation: kernel proxy

3. (a) What is Public Key Infrastructure (PKI)?

Public Key Infrastructure (PKI) is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption. PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs), and can:
o Issue digital certificates
o Issue crypto keys
o Provide tools to use crypto to secure information
o Provide verification and return of certificates

(b) What are the PKI benefits?

PKI protects information assets in several ways:
• Authentication
• Integrity
• Privacy
• Authorization
• Nonrepudiation
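The CA functions listed in 3(a), issuing certificates and verifying them, as an added Go example that is not code from the question bank. A self-signed root CA issues a certificate binding a subject's public key to a name, and a relying party verifies the presented certificate against the root it trusts; the same check rejects a certificate for the wrong name and one issued by a CA it does not trust. The CA names, the host name mail.example.com and the 24-hour validity period are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a certificate authority's certificate and its signing key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewSubjectKey generates the key pair a subject presents to the CA for certification.
func NewSubjectKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root: the trust anchor the PKI distributes to relying parties.
func NewCA(name string) (*CA, error) {
	key, err := NewSubjectKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed short demo lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueCertificate binds a subject's public key to its DNS name under the CA's signature.
func (ca *CA) IssueCertificate(subject string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		DNSNames:     []string{subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the relying party's check: chain the presented certificate to the
// trusted root and confirm it is valid for the expected name and current time.
func Verify(cert, root *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	ca, err := NewCA("Corp Root CA") // assumed organisation name
	if err != nil {
		panic(err)
	}
	key, _ := NewSubjectKey()
	leaf, err := ca.IssueCertificate("mail.example.com", &key.PublicKey, 2)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued by:", leaf.Issuer.CommonName)
	fmt.Println("valid for mail.example.com:", Verify(leaf, ca.Cert, "mail.example.com") == nil)
	fmt.Println("valid for other.example.com:", Verify(leaf, ca.Cert, "other.example.com") == nil)
	rogue, _ := NewCA("Rogue CA")
	bad, _ := rogue.IssueCertificate("mail.example.com", &key.PublicKey, 3)
	fmt.Println("rogue-issued certificate accepted:", Verify(bad, ca.Cert, "mail.example.com") == nil)
}
```

Revocation ("return of certificates" in the answer) is outside this block: a real relying party would also consult a CRL or OCSP responder before trusting a chain that otherwise verifies.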

4. (a) How are e-mail systems secured?

Encryption cryptosystems have been adapted to inject some degree of security into e-mail:
o S/MIME builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication
o Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering Task Force (IETF) as a standard to function with the public key cryptosystems
o PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures
o Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses the IDEA cipher along with RSA for key exchange

(b) What is a Secure Facility?

A secure facility is a physical location that has been engineered with controls designed to minimize the risk of attacks from physical threats.

A secure facility can use the natural terrain, traffic flow and urban development, and can complement these features with protection mechanisms such as fences, gates, walls, guards, and alarms.

(c) What are the controls used in a Secure Facility? What are the functions of the Chief Information Security Officer?

Controls used in a secure facility:
• Walls, fencing, and gates
• Guards
• Dogs, ID cards, and badges
• Locks and keys
• Mantraps
• Electronic monitoring
• Alarms and alarm systems
• Computer rooms
• Walls and doors

The CISO performs the following functions:
• Manages the overall InfoSec program
• Drafts or approves information security policies
• Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
• Develops InfoSec budgets based on funding
• Sets priorities for InfoSec projects and technology
• Makes decisions in recruiting, hiring, and firing of security staff
• Acts as the spokesperson for the security team


Unit IV

Short Questions

1. What is the duration of a registered trademark?

The initial registration of a trademark shall be for a period of ten years but may be renewed from time to time for an unlimited period by payment of the renewal fees.

2. What are Intellectual Property Rights (IPR)?

IPR is a general term covering patents, copyright, trademark, industrial designs, geographical indications, protection of layout design of integrated circuits and protection of undisclosed information (trade secrets).

3. What are the conditions to be satisfied by an invention to be patentable?

An invention must satisfy the following three conditions:

(i) Novelty
(ii) Inventiveness (non-obviousness)
(iii) Usefulness

4. What is considered as the date of patent?

The date of patent is the date of filing the application for patent (whether provisional or complete). The term of the patent is counted from this date.

5. What is the term of a patent in the Indian system?

The term of the patent is 20 years from the date of filing for all types of inventions.

6. Is there any relationship between the Paris Convention and the TRIPS Agreement?

It has been made mandatory for the member countries of the TRIPS Agreement to comply with the Article 1 to 12 and Article 19 of the Paris Convention.

7. What are the essential patent documents to be generated and submitted by a potential patentee?

There are two types of patent documents usually known as patent specification, namely

(i) Provisional Specification and (ii) Complete Specification

8. Who coordinates the activities of PCT ?


All activities related to PCT are coordinated by the World Intellectual Property Organization (WIPO) situated in Geneva.

9. Will an international application designating India be treated as an application for grant of patent under the 1970 Act?

Yes, an international application designating India shall be treated as an application for patent under the Act.

10. How is computer defined for the purpose of copyright?

Computer includes any electronic or similar device having information processing capabilities.

11. What is the definition of a computer program?

Computer program means a set of instructions expressed in words, codes, schemes or any other form, including a machine readable medium, capable of causing a computer to perform a particular task or achieve a particular result.

12. Is it necessary to deposit accompanying documents of the computer program for which copyright is being sought?

Documentation which normally accompanies the program is regarded as separate work and for this reason if the same has to be registered, it must be separately registered and not combined with the computer program in single application.

13. If an employee in a company develops a program, would this employee own the copyright?

No. In the case of a program made in the course of author's employment under a contract of service or apprenticeship, the employer shall, in the absence of any agreement to the contrary, be the first owner of the copyright.

14. What notice needs to be put on computer program copies to seek copyright protection?

When a work is published by authority of the copyright owner, a notice of copyright may be placed on publicly distributed copies. As per the Berne Convention for protection of literary and artistic works, to which India is a signatory, use of copyright notice is optional. It is, however, a good idea to incorporate a copyright notice.

15. What is meant by an article under the Designs Act, 2000?

Article means any article of manufacture and any substance, artificial, or partly artificial and partly natural; and includes any part of an article capable of being made and sold separately.


16. How does one keep a patent in force for the full patent term?

A patent has to be maintained by paying the maintenance fee every year. If the maintenance fee is not paid, the patent will cease to remain in force and the invention becomes open to the public. Anyone can then utilize the invention without the danger of infringing the patent.

17. What does copyright cover?

(i) Literary, dramatic and musical work. Computer programs/software are covered within the definition of literary work.
(ii) Artistic work.
(iii) Cinematographic films, which include sound track and video films.
(iv) Record: any disc, tape, perforated roll or other device.

Long Questions :

1. Who are responsible for administration of IPRs in the country?

Patents, designs, trademarks and geographical indications are administered by the Controller General of Patents, Designs and Trademarks, which is under the control of the Department of Industrial Policy and Promotion, Ministry of Commerce and Industry. Copyright is under the charge of the Ministry of Human Resource Development. The Act on Layout Design of Integrated Circuits will be implemented by the Ministry of Communication and Information Technology.

2. What is the cost of filing a patent application in India?

The Government fee for filing a patent application (complete/provisional) in India is Rs.750/- for individuals and Rs.3,000/- for legal entities. An applicant is now required to make a request for examining the patent application within 48 months of filing of the application. In case of applications filed before May 20, 2003 examination request has to be made within the 48 months of filing of the application or within 12 months from May 20, 2003 whichever is shorter. An individual has to pay Rs.1,000/- as examination fee and Rs.3,000/- for legal entities. A sealing fee of Rs.1,500/- for individuals and Rs.5,000/- for legal entities has to be paid at the time of grant (sealing) of patent.

3. Does grant of a patent in one country affect its grant or refusal in another country?

Each country is free to grant or refuse a patent on the basis of scrutiny by its patent office. This means that granting a patent in one country of the Union does not force other countries to grant the patent for the same invention. Also, the refusal of the patent in one country does not mean that it will be terminated in all the countries.

4. What is industrial property?

Industrial property includes:


(a) Patents (b) Utility models (c) Industrial designs (d) Trademarks, service marks and trade names (e) Indication of source or appellations of origin (this is same as the geographical indications adopted in TRIPS);

5. What is patent cooperation treaty (PCT)?

The Patent Cooperation Treaty (PCT) is a multilateral treaty which entered into force in 1978. Through the PCT, an inventor of a member country (a Contracting State of the PCT) can simultaneously obtain priority for his/her invention in all or any of the member countries, without having to file a separate application in the countries of interest, by designating them in the PCT application. India joined the PCT on December 7, 1998.

6. What are "Well-known Trademarks" and "Associated Trademarks"?

Well-known trademark in relation to any goods or services, means a mark which has become so to the substantial segment of the public which uses such goods or receives such services that the use of such mark in relation to other goods or services would be likely to be taken as indicating a connection in the course of trade or rendering of services between those goods or services and a person using the mark in relation to the first-mentioned goods or services.

Associated Trademarks means trademarks deemed to be, or required to be, registered as associated trademarks under this Act.

7. What is the meaning of "Service" in the Trademark Act 1999?

Service means service of any description which is made available to potential users and includes the provision of services in connection with business of any industrial or commercial matters such as banking, communication, education, financing, insurance, chit funds, real estate, transport, storage, material treatment, processing, supply of electrical or other energy, boarding, lodging, entertainment, amusement, construction, repair, conveying of news or information and advertising.

8. What is the term of a copyright?

a. If published within the life time of the author of a literary work the term is for the life time of the author plus 60 years.

b. For cinematography films, records, photographs, posthumous publications, anonymous' publication, works of government and international agencies the term is 60 years from the beginning of the calendar year following the year in which the work was published.

c. For broadcasts, the term is 25 years from the beginning of the calendar year following the year in which the broadcast was made.

9. If an independent third party develops a program for a company, who owns the copyright?


Works created by third parties on commission do not automatically vest the copyright in the commissioning party. If the third party is an independent contractor, the commissioning party must obtain the copyright through a written deed of assignment. It is a common misconception that the copyright automatically belongs to the commissioning party. Only where the developer is an employee creating the work under a contract of service do the rights belong to the employer.

10. What is the rule for the transfer of copyright?

The owner of the copyright in an existing work, or the prospective owner of the copyright in a future work, may assign the copyright to any person, either wholly or partially, in the following manner:

i. for the entire world or for a specific country or territory; or

ii. for the full term of the copyright or part thereof; or

iii. relating to all the rights comprising the copyright or only part of such rights.

11. In some of the programs, the screens could be the most commercially significant aspect. Is it necessary to register the program screen separately from the underlying code?

Generally, all copyrightable expressions embodied in a computer program, including screen displays, are protectable. However, unlike a computer program, which is a literary work, screen displays are artistic works and cannot therefore be registered in the same application as that covering the computer program. A separate application giving a graphic representation of all copyrightable elements of the screen display is necessary.

12. What are the major provisions in the amended Copyright Act, 1999 with regards to computer programs?

The major provisions are :

(i) the doing of any act necessary to obtain information essential for the inter-operability of an independently created computer program with other programs, by a lawful possessor of a computer program, provided that such information is not otherwise readily available;

(ii) the observation, study or test of the functioning of the computer program in order to determine the ideas and principles which underlie any element of the program, while performing such acts as are necessary for the functions for which the computer program was supplied;

(iii) the making of copies or adaptations of the computer program from a personally and legally obtained copy for non-commercial personal use.

13. What does the term 'Design' mean according to the Designs Act, 2000 ?

"Design" means only the features of shape, configuration, pattern, ornament or composition of lines or colours applied to any article, whether in two-dimensional or three-dimensional or in both forms, by any industrial process or means, whether manual, mechanical or chemical, separate or combined, which in the finished article appeal to and are judged solely by the eye; but does not include any mode or principle of construction or anything which is in substance a mere mechanical device.

14. What are the designs not registrable under the Act?

A design which

(a) is not new or original; or

(b) has been disclosed to the public anywhere in India or in any other country by publication in tangible form or by use or in any other way prior to the filing date or, where applicable, the priority date of the application for registration; or

(c) is not significantly distinguishable from known designs or combinations of known designs; or

(d) comprises or contains scandalous or obscene matter,

shall not be registered.

15. What is the object of registration of designs?

The object of the Designs Act is to protect new or original designs created to be applied, or applicable, to a particular article to be manufactured by an industrial process or means. The purchase of articles for use is sometimes influenced not only by their practical efficiency but also by their appearance. The important purpose of design registration is to ensure that the artisan, creator or originator of a design having an aesthetic look is not deprived of his bona fide reward by others applying it to their goods.

Very Long Questions

1. What are the legislations covering IPRs in India?

Patents: The Patents Act, 1970, amended in 1999 and 2002. The Act as amended in 2002 came into force on May 20, 2003.

Designs: The Designs Act, 2000, superseding the earlier Designs Act, 1911.

Trade Marks: The Trade Marks Act, 1999, superseding the earlier Trade and Merchandise Marks Act, 1958. The Act came into force on September 15, 2003.

Copyright: The Copyright Act, 1957, as amended in 1983, 1984, 1992, 1994 and 1999, and the Copyright Rules, 1958.

Layout Design of Integrated Circuits: The Semiconductor Integrated Circuits Layout-Design Act, 2000 (enforcement pending).

Protection of Undisclosed Information: No exclusive legislation exists; the matter is generally covered under the Indian Contract Act, 1872.

Geographical Indications: The Geographical Indications of Goods (Registration and Protection) Act, 1999.

2. What is a patent?

A patent is an exclusive right granted by a country to the owner of an invention to make, use, manufacture and market the invention, provided the invention satisfies certain conditions stipulated in the law. Exclusivity of right implies that no one else can make, use, manufacture or market the invention without the consent of the patent holder. This right is available only for a limited period of time. However, the use or exploitation of a patent may be affected by other laws of the country which has awarded the patent.

These laws may relate to health, safety, food, security etc. Further, existing patents in a similar area may also come in the way. A patent is, in law, a property right and hence can be gifted, inherited, assigned, sold or licensed. As the right is conferred by the State, it can be revoked by the State under very special circumstances even if the patent has been sold, licensed, manufactured or marketed in the meantime. The patent right is territorial in nature, and inventors or their assignees have to file separate patent applications in the countries of their interest, along with the necessary fees, to obtain patents in those countries.

3. What is the cost of filing a PCT application?

The schedule of fees for filing directly with the International Bureau is given below:

1. (a) Basic fee, for a patent application of up to 30 sheets: 650 Swiss francs
   (b) Basic fee, for a patent application of more than 30 sheets: 650 Swiss francs plus 15 Swiss francs for each sheet in excess of 30 sheets

2. (a) Designation fee, if fewer than 5 countries are designated: 140 Swiss francs per designation
   (b) Designation fee, if more than 5 countries are designated: 700 Swiss francs (flat)

3. Handling fee: 233 Swiss francs

4. Search fees are additionally payable.

5. All fees payable are reduced by 75% for applications filed by an applicant who resides in a PCT Contracting State where the per capita national income is below 3000 US dollars. If there are several applicants, each must satisfy the criterion. No such concession is available in the national phase or regional phase; the respective fees in these phases have to be paid in full by the applicant.

4. What is the cost of filing copyright application in India?

Some important fees are given below :-

S. No   Action                                                                                     Official fee

1       For an application for registration of copyright in a
        (a) literary, dramatic, musical or artistic work                                           Rs. 50 per work
        (b) literary or artistic work which is used or is capable of being used
            in relation to any goods                                                               Rs. 400 per work

2       For an application for registration of copyright in a cinematograph film                   Rs. 600 per work

3       For an application for registration of copyright in a sound recording                      Rs. 400 per work


5. How is "Trademark" defined?

Trademark means a mark capable of being represented graphically and which is capable of distinguishing the goods or services of one person from those of others, and may include the shape of goods, their packaging and combinations of colours; and

(i) in relation to Chapter XII (other than section 107), a registered trade mark or a mark used in relation to goods or services for the purpose of indicating or so as to indicate a connection in the course of trade between the goods or services, as the case may be, and some person having the right as proprietor to use the mark; and

(ii) in relation to other provisions of this Act, a mark used or proposed to be used in relation to goods or services for the purpose of indicating or so to indicate a connection in the course of trade between the goods or services, as the case may be, and some person having the right, either as proprietor or by way of permitted user, to use the mark whether with or without any indication of the identity of that person, and includes a certification trade mark or collective mark.

Some additional questions

6. What are the rights of a copyright holder (which when violated lead to infringement)?

(a) In the case of a literary, dramatic or musical work, not being a computer program:

(i) to reproduce the work in any material form, including the storing of it in any medium by electronic means;
(ii) to issue copies of the work to the public, not being copies already in circulation;
(iii) to perform the work in public, or communicate it to the public;
(iv) to make any cinematograph film or sound recording in respect of the work;
(v) to make any translation of the work;
(vi) to make any adaptation of the work;
(vii) to do, in relation to a translation or an adaptation of the work, any of the acts specified in relation to the work in sub-clauses (i) to (vi);

(b) in the case of a computer program:

(i) to do any of the acts specified in clause (a);
(ii) to sell or give on hire, or offer for sale or hire, any copy of the computer program, regardless of whether such copy has been sold or given on hire on earlier occasions;

(c) in the case of an artistic work:

i. to reproduce the work in any material form, including depiction in three dimensions of a two-dimensional work or in two dimensions of a three-dimensional work;
ii. to communicate the work to the public;
iii. to issue copies of the work to the public, not being copies already in circulation;
iv. to include the work in any cinematograph film;
v. to make any adaptation of the work;
vi. to do, in relation to an adaptation of the work, any of the acts specified in relation to the work in sub-clauses (i) to (iv);

(d) in the case of a cinematograph film:

i. to make a copy of the film, including a photograph of any image forming part thereof;
ii. to sell or give on hire, or offer for sale or hire, any copy of the film, regardless of whether such copy has been sold or given on hire on earlier occasions;
iii. to communicate the film to the public;

(e) in the case of a sound recording:

i. to make any other sound recording embodying it;
ii. to sell or give on hire, or offer for sale or hire, any copy of the sound recording, regardless of whether such copy has been sold or given on hire on earlier occasions;
iii. to communicate the sound recording to the public;

Explanation: For the purpose of this section, a copy which has been sold once shall be deemed to be a copy already in circulation.

7. Explain some of the major cyberlaws in India. What are the advantages of cyber laws?

ANSWER: Cyber Law is the law governing cyber space. Cyber space is a very wide term and includes computers, networks, software, data storage devices (such as hard disks, USB disks etc), the Internet, websites, emails and even electronic devices such as cell phones, ATM machines etc.

Cyber law or Internet law is a term that encapsulates the legal issues related to use of the Internet. It is less a distinct field of law than intellectual property or contract law, as it is a domain covering many areas of law and regulation. Some leading topics include internet access and usage, privacy, freedom of expression, and jurisdiction. Law encompasses the rules of conduct:

1. that have been approved by the government, and
2. which are in force over a certain territory, and
3. which must be obeyed by all persons on that territory.

Some major Cyber laws in India :

1. The primary source of cyber law in India is the Information Technology Act, 2000 (IT Act), which came into force on 17 October 2000. The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate filing of electronic records with the Government. The IT Act also penalizes various cyber crimes and provides strict punishments (imprisonment terms up to 10 years and compensation up to Rs 1 crore).

2. An Executive Order dated 12 September 2002 contained instructions relating to provisions of the Act with regard to protected systems and applications for the issue of a Digital Signature Certificate.

3. Minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002, which was passed on 19 September 2002.

4. The IT Act was amended by the Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002. This introduced the concepts of electronic cheques and truncated cheques.

5. The Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004 provided the necessary legal framework for filing of documents with the Government as well as issue of licences by the Government. They also provide for payment and receipt of fees in relation to Government bodies.

6. The Indian Penal Code (as amended by the IT Act) penalizes several cyber crimes. These include forgery of electronic records, cyber frauds, destroying electronic evidence etc.

7. The Information Technology (Security Procedure) Rules, 2004 came into force on 29 October 2004. They prescribe provisions relating to secure digital signatures and secure electronic records.

Advantages of cyber laws: Information technology now touches all aspects of life across the world and has brought about the transition from a paper-based to a paperless world. With the increasing use of the Internet, the number of criminals operating in the field of information technology is also increasing. Cyber criminals are able to write software themselves and manipulate existing software for their own benefit, and such crimes are comparatively easy to commit.


In order to maintain harmony and co-existence of people in cyberspace, there is a need for a legal regime known as cyber law. The coming of the Internet raised complex legal issues, which led to the development of cyber laws and to different approaches for controlling, regulating and facilitating electronic communication and commerce. The Internet requires an enabling and supportive legal infrastructure in tune with the times. E-commerce, the biggest future of the Internet, is possible only if the required legal infrastructure is in place to complement its growth. Since cyber law touches almost all transactions and activities concerning the Internet, the World Wide Web and cyberspace, it is extremely important. With the advent of computers as a basic tool of communication, information processing, information storage, control of physical devices etc., a whole new cyber society has come into existence. This cyber society operates in a virtual world created by technology, and it is "cyberspace engineering" that drives this world. Maintaining harmony and co-existence of people in this cyberspace requires a legal regime, which is what we recognise as "cyber laws".

Cyber Laws are the basic laws of a Society and hence have implications on every aspect of the Cyber Society such as Governance, Business, Crimes, Entertainment, Information Delivery, Education etc.

10. What do you understand by Computer Ethics? Discuss IPR.

ANSWER: Computer ethics is a branch of practical philosophy which deals with how computing professionals should make decisions regarding professional and social conduct. The ethical decisions related to computer technology and usage are shaped by three primary influences:

1. The individual's own personal code.

2. Any informal code of ethical conduct that exists in the workplace.

3. Exposure to formal codes of ethics.

The term "computer ethics" was first coined by Walter Maner in the mid-1970s, but only since the 1990s has it started being integrated into professional development programs in academic settings.


The importance of computer ethics increased through the 1990s. With the growth of the Internet, privacy issues as well as concerns regarding computing technologies such as spyware and web browser cookies have called into question ethical behaviour in technology. The core issues of computer ethics include, but are not limited to: professional responsibility, intellectual property rights, privacy, censorship, and the impact of technology on society.

* Professional responsibility relates to the decisions the computer professional makes regarding customer–professional and professional–professional relationships.
* The issue of intellectual property rights relates to respecting established copyright rights as defined by law.
* Issues of privacy relate to the usage of information collected about individuals and stored in databases.
* The final issue, the impact of technology on society, is perhaps the controlling issue in computer ethics. It relates to the consequences of the introduction of technology for society as a whole, as well as the place computers have in society.

IPR: Intellectual property rights are the rights given to persons over the creations of their minds. They usually give the creator an exclusive right over the use of his/her creation for a certain period of time. Intellectual property is the product of the human intellect, including creative concepts, inventions, industrial models, trademarks, songs, literature, symbols, names, brands, etc. In this respect intellectual property rights do not differ from other property rights: they allow the rights owner to benefit fully from his product, which was initially an idea that developed and crystallized. They also give him the right to prevent others from using, dealing in or tampering with his product without his prior permission. He can legally sue them, force them to stop and obtain compensation for any damages.

Types of IPR: Common types of intellectual property rights include patents, copyright, industrial design rights, trademarks, trade dress, and in some jurisdictions trade secrets. There are also more specialized varieties of sui generis exclusive rights, such as circuit design rights.

1.PATENT: Patent grants an inventor exclusive right to make, use, sell, and import an invention for a limited period of time, in exchange for the public disclosure of the invention. An invention is a solution to a specific technological problem, which may be a product or a process.

2. COPYRIGHT: A copyright gives the creator of an original work exclusive rights to it, usually for a limited time. Copyright may apply to a wide range of creative, intellectual, or artistic forms, or "works". Copyright does not cover ideas and information themselves, only the form or manner in which they are expressed.

3.INDUSTRIAL DESIGN RIGHTS: An industrial design right protects the visual design of objects that are not purely utilitarian. An industrial design consists of the creation of a shape, configuration or composition of pattern or colour, or combination of pattern and colour in three dimensional form containing aesthetic value. An industrial design can be a two- or three-dimensional pattern used to produce a product, industrial commodity or handicraft.

4. TRADEMARK: A trademark is a recognizable sign, design or expression which identifies products or services of a particular source from those of others.

5. TRADEDRESS: Trade dress is a legal term of art that generally refers to characteristics of the visual appearance of a product or its packaging (or even the design of a building) that signify the source of the product to consumers.

6. TRADE SECRETS: A trade secret is a formula, practice, process, design, instrument, pattern, or compilation of information which is not generally known or reasonably ascertainable, by which a business can obtain an economic advantage over competitors or customers.

7. RELATED RIGHTS: Related rights or neighbouring rights are rights that in certain respects resemble copyright. The purpose of related rights is to protect the legal interests of certain persons and legal entities who contribute to making works available to the public, that is, those who add substantial creative, technical or organizational skill in the process of bringing a work to the public. Related rights have been granted to three categories of beneficiaries: performers, producers and broadcasters.

Benefits of IPR are to:

encourage innovation
share knowledge
protect the creator
allow the work to be developed
allow commercial return
allow the work to be used in the public sphere