Cybersecurity and Privacy Lecture Notes PDF

Summary

This lecture introduces Cybersecurity and Privacy, discussing its importance for managers. Examples of phishing attacks and social engineering are presented. The lecture emphasizes the need for awareness of cyber threats in today's digital environment.

Full Transcript

Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 01
Lecture: 01

Good morning and welcome to this course - Cybersecurity and Privacy. I want to
welcome you and I thank you for signing in for the course Cybersecurity and Privacy.
Today is the day of introduction and therefore we will be breaking the ice and also get to
know what the course would contain, in terms of contents of what I would deliver from
this course and what I expect you to do as part of this course or the coursework. These
are the two main things that we will discuss but I will also try to motivate you about the
topic. So that is very important when we start- Is this topic important? Is cybersecurity an
important topic? And should it really bother or should it really be a matter of concern for
practising managers, irrespective of what you manage? Should managers be concerned
about cybersecurity? And if so, why? That is something that we would try to address in
the first session so that you have a clarity of why one should credit a course or why one
should actually spend so much time going through a six credit course to do, to understand
cybersecurity and privacy. So the title is Cybersecurity and Privacy.

I just want to know what is your understanding about cybersecurity? So you can just talk
about, what do you mean when you hear this term cybersecurity? There are two terms-
cybersecurity and privacy. So it is an "and" there. So feel free to talk about it. As to what
is your understanding? So, cybersecurity is more about vulnerability management of the
computers and the network system, so that the data whatever is there that gets protected
and you know unauthorized use of the data without the knowledge of the owner.

Okay good. So you have three keywords. One is data, other is about vulnerability, third
is about unauthorized access. So these are certain key terms that is associated with
cybersecurity.Anything else? Any other thoughts on cybersecurity? Okay, what do you
think about privacy? That is the second term.

See, the title is actually consisting of two key terms- cybersecurity and privacy. Okay
good. So we talked about two things one is privacy,is about me and my data which I choose
to disclose, I choose not to disclose and other is the security layer which exists at some
level, some system level. Alright, so there are two things cyber security and privacy and
the interface or the intersection between the two is also important. So, how is cybersecurity
and privacy related? So that is another aspect of the course.
 Okay, let me actually give you some more background information as we go, to get a
motivation to understand- Is cybersecurity and privacy a current topic? Is it an important
topic? And is it relevant to managers? So, here is an email I received some time back from
the director of IIT Madras and when you receive an email in your official emailbox and
it is from the top boss,you pay attention to it. So his name is written and it is a request and
there is content of course to meet him and of course it ends well, best regards, name and
designation, right. So what should I do to this email? And I know Professor Ramamurthy
,he does contact people when he wants to give some specific roles or administrative roles
particularly ,he did have this habit of calling up people or writing personal emails and
doing like this. So this is an instance of that kind. So what should be my response? I
should check the email id.

Why should I do that? Because you know ,we do not check the sender id when you get
an email from your colleague or from your area head or department head.We just have a
lot of communications going on. No. How, why should I doubt this mail? Sir, there is no
need to be suspicious according to me because it does not demand anything like sensitive
information from you, just asking you to drop an email. But I must tell you, I did check
who sent this mail.

I got suspicious. Can you imagine, what is the source of suspicion? This is? Well, that
is okay. It is an internal mail, so this is fine. The signature part is fine, the address,
everything is fine. Okay, it looks informal.

The pattern is different from the other way of getting the same. Okay, yeah, I agree with
you there is a slight change in the pattern, this is written like a very personal mail, you
know, there can be some personal element when people write you professionally. But
more than so but it is very personal. Can I have a quick, that is also fine,moment please.
So this does not sound professional ,as you sensed, I also sense you know I do not expect
him to say-" Can I have a quick moment with you?", right.

So I became suspicious at that particular content. This cannot be from the director, okay
or this may not be from the director because this is not the choice of words when you
typically write to a colleague or in a professional setting. So and then, of course, as you
suggested I decide who is sending this email, of course that is the first check all of us can
do when we have a doubt,okay. And I found this email coming from a Gmail, not from
the IITM domain and therefore this is obviously suspicious and we call this kind of mails
as phishing mails. We typically call it phishing mails, but it is not just a phishing mail.

Phishing mail, all of us get every day, in fact a lot of junk mail comes asking for our bank
details or other kinds of personal information. We know that this is obviously phishing
mail but here it takes time to resolve this because it is a colleague or it is a director and his
address is given at the end. And the sender also knows that, well, I am a faculty member
of IIT Madras and Professor Bhaskar Ramamurthy is the director, of course, the former
director. So someone knows, who is who, in an organization okay. Somebody has actually
collected background information, okay.

We call it typically social engineering okay. So, this is social engineering based phishing
mails, where the chance of one responding to this is much higher, okay. So not just a
phishing mail someone from Africa writing ,I have a lot of funds to transfer why do not
you share your bank account details. We obviously know, I do not have, I do not know
anyone out there but this is from a non-circle based on social engineering and this is
called spear phishing ,okay. Spear phishing is very specific ,based on social engineering
where people or the hacker or the hands behind this, have done background study, okay.

So then subsequently of course, Professor Ramamurthy sent a follow-up mail to all the
colleagues because he knew that this phishing mail was circulating in the institute ,okay.
So, this is sometime back and this is very recent, okay. So ,couple of weeks back, the head
of our department wrote, again a similar mail- "Can you do something for me?" right.
And here,again you see, the professor, you know, the proper title of the faculty member,
the name and the signature, you say it is full signature. So, you usually tend to reply
immediately, okay.

So, what I essentially want to say here is that, we face this kind of problems or this kind
of threats in the world of internet, in the world of so called, cyber world often and it is all
part of our experience or it has become part of our day to day experience. What I am trying
to do is to sample, to sample some instances which I came across either individually or
from newspapers and to give you a sense of what is going on in the environment in the
current times, okay. This is a text message I received,you know, in fact two weeks back
and the text message asked me to do a verification of my PAN card, okay and it gives a
link to the SBI site and I am sure all of you have,most of us have our account in the State
Bank of India,okay. And of course, since this is request from a bank, you tend to respond
to it ,right and it led me to this site, you know SBI and this login page looks exactly the
same, okay, the bank logo and whatever fields you generally fill in, in the same font, in
the same format is given and then you have to enter the captcha code and looks like I
should be entering this data and signing in, to do whatever formality is required to keep
my account on. But is there a problem here, I think by now all of us or most of us are
familiar, so when you get a message to sign in somewhere, you go and the first thing that
you look is what is the what is the website, is it giving the right address or it is giving a
fake address In this case, we know that this is not SBI website from where we sign in, it
is online SBI, but it is something else.
 So, as soon as ,even when I sign into a bank account on a regular basis, I of course check
the address because sometimes a wrong address may pop in and we may be signing in and
the signing in data including your username, password may be going elsewhere. So, yeah,
let me continue this so, I just show you some things I faced as an individual, okay as an
individual or of course this phishing mail is something that went to everyone so as a group
or as an organization, we do come across instances of cyber security or cyber security
related issues and these are clips from leading newspapers of India where it recently
reported increasing number of cyber attacks, okay. And the last piece is about ransomware
attacks, have you heard of ransomware attacks? okay but denial of service attack is
different from ransomware, we will be we will be discussing a case on denial of service
but ransomware is a, is another kind of a security threat where the one who attacks, so the
hacker, takes control of your machine and encrypts, in fact encrypts your machine and ask
you for money to release it. It is like when you lock your house and go away and when
you come back you find that your house is, there is another layer of a lock on your house
and you cannot enter the house because somebody else has locked and the hacker is quite
fair, well, I will give you the key to enter but give me some money, okay ,and let us not
make let us not make it complicated, just give me some money, the key is with me- take
the money, take the key, unlock and go in, okay. So it is ransom, you know the word
ransom is, about you know, it is about paying to release someone ,okay ,so ransom
redemption etc related words, so you have to pay a ransom to release your machine from
someone else's control,okay, ransomware infact ransomware is one of the most frequent
attacks, in terms of threat intelligence in today's world,ransomware has become very
common and this is something about which the world,as a whole is concerned about, okay.

Here is a report ,again from newspapers, as I said, this is another sample which happened
predominantly in the western world, where the POS machines, you know, the POS
machines are typically in a retail store, when you buy something and when you check out
,there is a POS point of sale machine, where you actually do the checkout process and
make the payment and then take your items and come out, but if suppose in a very busy
day on a retail store if the POS machine stops working, okay, then you know the kind of
chaos and also you know the operations just stop there because companies which are
automated, they would not have a manual process to continue business, okay. So your
shops just close down and this did happen in 2021 when retail stores which used the POS
software built by Kaseya,okay, Kaseya is an IT company which provided POS solutions
and several retail stores in the west stopped because there was a ransomware attack, you
see, what is the ransomware attack- the hacker just want 70 million dollars to restore the
machine and the most of the times, the hacker is very is a good thief, you know you call it
good thieves, you pay the money and it is done, you know, the machine is released but if
you do not pay the money it is, it is very very difficult, okay, to become operational and
generally in my reading, I found that companies just pay the money and restart the business
okay. The only exception I came across is in Chennai, okay, so Chennai corporation’s
PC’s were attacked by hackers and it was a ransomware attack, okay and Chennai
corporation refused to pay the money, okay, because they found that the machines were
very outdated ,okay, so they were running on windows 8 and it is very easy to take control
of machines which are not updated with the operating systems and they said ,okay, let it
be locked forever so they did not pay but for critical business operations when ransomware
attack happened ,okay, so it is huge loss, okay, so per hour loss will be very huge as
compared to the ransom that the hacker is asking for ,okay. So and that has become a
serious nuisance in today's world and here is more report so I am not exactly following a
chronological order in actually presenting to you the different cyber attacks that happened
in the recent times but this is November-December 2022, you must have read this in
newspapers about All India Institute of Medical Sciences. So, five servers were hacked by
the cyber criminals and they took control and you know the biggest concern when a
hospital's data center gets, comes under attack, okay, this is a different type of data, this is
healthcare data,okay, and someone takes control or someone gets access, you know, you
said unauthorized access, okay, somebody gets unauthorized access to my personal health
data, okay, in India we may not be so concerned about health data but health data when it
goes into the wrong hands has huge implications ,can you imagine why,so much so that in
the US, there is a act called HIPAA, okay ,so that relates to healthcare it is a regulation for
healthcare data alone, why is the world so concerned about healthcare data protection, can
you can you just imagine and give me some quick answers, once you have a health
condition.

So health care data is super sensitive because the the person whose health data is leaked
the the person actually faces huge embarrassment ,okay and it the person also can face
losses in an organization or it may have higher consequence and that is why the top hospital
of the country when their servers were attacked or came under cyber threat, it became a
huge concern, huge national concern. So we see cyber attack happening in all spheres,
you know, all domains, it is not just, we just saw Kirloskar, you know ,it is a manufacturing
company, we saw AIIMS healthcare, these are all very recent news, so you just open the
newspaper, everyday newspaper this is what I see , there is some piece of information or
some, something that is covered about cyber security, almost everyday, okay. So we all
talk about digital world,digitization, digital India and so on, so you see a very bright side
of how digital technologies are actually enabling the growth of the economy or enabling
the country to actually progress, be in the line of progress, we also see alongside a dark
side,there is a bright side- very bright side of digital and there is also a dark side or the
dark world that develops alongside and that is the concern of cyber security okay, so the
world consist of good people and bad people, okay. So there are bad people in the world
,who understands the weaknesses or as you use the word vulnerabilities and can exploit
those vulnerabilities very, very well and damage, cause damage and losses the impact of
such actions can be very high ,okay, to the extent that the recent, I think this is E&Y report,
which is summarized in the newspaper, which shows 91 percent of the organizations
reported at least one instance of cyber incidence in an year, at least one incident. So think
about that 91 percent of organizations do actually face at least one incident an year, okay
and it goes on to report how cyber security is becoming a top priority for CEOs or leaders
of the organizations.

So this is, the this piece is of grave concern to me, okay, so you know the changes that is
happening in transportation.
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 01
Lecture: 02

The matter of concern is this, suppose you are riding a digital car and you are going at
high speed, and you know that the even the speed is controlled by computer. And today,
you have internet connected cars , you know, how does the car get updates? It is through
the Internet. So, Tesla says when you wake up in the morning and when you enter the
car, the car may be updated, as compared to what it was in the previous day. So, the car
becomes newer and newer every day- good, great, very exciting that is what the digital
world is. But suppose, somebody gets access to your car, who is a bad guy or who you
may term as hacker and if a hacker takes control of your car, when you are running at a
high speed, just imagine, not just one car but the whole traffic. And these are potential
scenarios for the future in transportation and that is where actually this report shows the
International Centre for Automative Technology, which actually test cars before they are
released.

Now, the test of cyber security has become much more stringent. So and that is what this
particular report says, every car is tested for cyber security and that is because of the
potential damage of very, very serious nature which can cause damage to not just the car
but damage to human life. So digital world can actually enable human life, it can also
destroy human life today. It is not just about a computer attack where you lost some data
from a computer but beyond that, it can actually bring systems to a halt and also damage
people.

Look at that, so this is September 16, 2019- this became a talk of the town, I remember
when I was having my evening walk, faculty members particularly working in cyber
security or in computer science were stopping and talking about this particular attack that
happened on Ramco refinery in Saudi Arabia and this happened at 4 am in the morning
and the company was going public and suddenly the news breaks that the refinery got
shut down on this particular day, it got shut down not because it was short of raw materials,
not because the workers did not report, not because there was a power failure, not because
there was anything that is commonly understood as the course of shutdown, but it was a
cyber attack. It was a cyber attack, there was a cyber attack and a refinery was halted on
one fine morning, okay, and you see the tool used by the hackers, they used drones, okay,
they use drones, okay they use drones to shut down a refinery, you understand the
seriousness of this condition okay, of course nothing can stop IIT Madras, okay, so even
if power goes off or even if every digital support system goes off , I can still continue to
teach but you know that by and large several segments of the industry and government,
are overly dependent on computers to function, okay, for day to day operations, the
operational dependency of organizations especially with ERP systems, okay. You know,
Citibank, long ago said we are a branchless bank ,okay, what that means is we do not have
we do not need branch, you know, it runs on computers, it runs on network computers
and ERP systems okay and if therefore the software stops functioning or the computer
network stops functioning, the bank stops functioning, okay, even if people are present
they cannot do anything, okay. So the criticality of information systems to run several
organizations is very very high in the modern world, not just computer systems but the
need to have internet to run organizations, to have connectivity to run organizations has
become very high and very critical today and that is what you see in the Saudi oil refinery
and today we have a development known as smart connected devices, smart connected
devices. IOT is a example- Internet of Things,okay and you know in Internet of Things,
there are devices other than, you know, the personal computers or the laptops which you
use, of course they are computers but IOTs are like computers with processing units which
can actually connect to the internet and transmit data ,okay.

So for example, a sensor in a refinery, a temperature sensor, okay, in a refinery which is
nothing but a device which may not have any display but it is a sensor, it may be cable
connected or it may be cable less but it is actually sensing and transmitting data about
temperature okay and since it is internet connected, today experts say any device that is
connected to internet is not safe ,that is the basic principle, any device, any system that is
internet connected is not safe, okay. So if an IOT is connected to internet and it is sensing
a very important parameter for process control and if it comes under the control or if it is
hacked or some unauthorized access happens, you can imagine what happens, okay, if
temperature is, say 500 degree centigrade and the hacker makes it say 5 degree centigrade,
you know the controls that comes into picture you know ,it actually can totally damage
the system, okay, in terms of because of the wrong signal. So, IOTs can do a lot of good
- Manufacturing 4.0,okay,it is based on, you know,this high end devices or smart
connected devices, okay, and you see a lot of hype in literature or trade magazines that
4.0, you know we are going to the new generation of digital technologies and
manufacturing with digital technologies but that is a bright side, okay, this can do a lot of
good things.

When I used to work in manufacturing, 10 years in process control and we did not have
much of digital technologies, it was mostly analog technologies and of course computers
were used in control but if there is a sensor ,the sensor is connected by wire to a controller
okay, so there is a signal that actually, standard signal that transmit between the sensor
and the controller, okay and therefore there is no way somebody can access that and
manipulate that etc. But the same sensor when it becomes digital and digital plus internet
connected, okay, so the potential for unauthorized access becomes high because it is
internet connected and when the whole world relies on digital technologies connected to
internet, instances like this actually becomes eye openers. So, it brings in the severity of
the potential dark world that can actually make all this extremely vulnerable, you know,
the world is vulnerable and look at this, of course there was politics in this after the attack
happened and the US said Iraq Iran is behind the Saudi attacks and then you see what
happened to Iran a few months later. A US drone strike on Baghdad airport which killed
Qasem Soleimani who was actually a dear citizen or the commander and highly respected
name for people of Iran, okay so that is a country to which he belonged, of course a
different country can look at the same person from a different perspective but to that
country he was a great hero and he was killed and who killed him? That’s the important
question, it is not a soldier who killed him ,okay, it is not a gunshot but what killed him
was a drone, it was a drone that was used by the United States to kill a military leader.
So drones have come, drones have come into the picture of the cyber world and that is the
important point I want to bring to your notice, when as we start this course on cyber
security, okay, cyber security used to be called as information security or there are two
courses or two topics information security and cyber security, okay.

So cyber security is a more recent term that is used to describe security of computer
systems in the modern world but generally people believed what is most important in
computer systems is the data, because in information systems you must have learned,
what is the purpose of information systems? Basically information, they are information
systems, okay ,they create data, they store data,they transmit data, they process data, okay
and they present data, okay, data to information, to knowledge and so on, okay ,in addition
to process automation. So that is what computer systems do or that is what information
systems do but you see the scope widening in recent times from security to information
versus security to infrastructure, security to people , what has become more insecure is not
just machines, not just data but also people, the potential to cause damage to people has
become real, it is not imaginary, it is not like a scientific fiction , okay, it is not more a
fiction, this is as actually happened and here is more from my collection of questions of
course, you must have heard about Air India's data breach few years ago and how it
actually caused huge embarassment to the company and here is another technology
company, which some of you may be members of and which is very much in the news,
the Twitter, okay A technology company coming under cyber attack, okay and you do not
expect that to happen right, they we generally expect them to be much smarter than the
hackers but the Twitter handles of celebrities like Bill Gates or the contestant for American
elections was hacked by hackers and that was a huge embarrassment to Twitter at some
point in time and they had to explain ,why it happened and what actions they are taking,
they had to come in public and give an explanation ,okay, and this is something that you
can imagine when you are a reputed organization or you are working for a technology
organization, okay ,suppose you are working for TCS ,the Indian company, okay, you
know that TCS website was hacked some years ago and that was a joke because every
newspaper reported it in as a highlight, okay or as a headline, because it is a fun reporting
it, okay, an IT company's website hacked, okay and that is all they know about technology
, you can actually make fun of them okay and TCS had to explain that, well, we do not
maintain our own website, it is outsourced, okay. Alright, so here is the summary, so I
am not going to teach cyber incidents and why it happened and get into politics or get
into popular media much but the purpose was to give you an overview of cyber security
in the current world, okay and the first thing I want to summarize is cyber security is a
current and serious problem ,okay, it is happening okay, more digital would invite more
cyber security problems, okay, when digital computers were less or computerization as
we called it was less, we did not have much news about cyber attack in the newspapers.
If you read newspapers of the 60s or the 50s, nobody talks about cyber attack, nobody
about talks about information security, you know, probably there was no course like that,
okay but with more adoption of technology , we have the growing concern about protecting
this technology, okay, against the evil ,okay, against the dark world, okay and popular
media suggest to us this and the second reason as i said, is the pervasiveness of digital
technologies and all of us today use digital technology on a daily basis, what is the
frequency of you looking at your phone? how many times you look at your phone? you
need frequent updates right, you keeps running in you, I am actually missing my phone ,
I have kept it from me because I want to focus on you but the phone is there this is
something that you want to take you know, so some scholars say frequent information is
a need for people. So when you are getting it you know ,you use it does not mean it is
addiction, does not necessarily mean it is negative.

Although elders may scold you that you are closer to the phone than to us or to me etc
but that is norm of the day ,okay and I do not see it changing okay, I do not see the world
walking back or turning the clock back to the 50s or 60s, we are going to go forward ,
okay, but what that essentially means is that we have to manage, we have to learn to
manage the cyber threats with which we live, okay The cars can run into accidents. So,
solution one -stop using cars, right and solution two- increase safety -focus on safety so I
think route two is sensible,right , we cannot stop using digital technologies we cannot
throw away our phones and today live, okay or we cannot stop using the internet, okay,
some people do, okay, there I, I know people, IT professionals are, not IT professionals,
IT faculty who do not use instant messaging like whatsapp they just do not want to use,
okay. So, you can keep away, there there are people who do not use televisions at home ,
there are people who do not have any social media account, so that is one way of protecting
yourself, of course, to protect yourself you lose something, right, to gain something ,you
lose something so it depends on what you want to gain but generally we see people are
not willing to lose the privileges of the digital world, okay, the the better life that it gives
us or it promises us, okay. Autonomous cars may be great future of transportation when
, when transportation becomes much more efficient , okay and also it becomes
personalized all that is huge potential for future , but we should also be aware that it all
comes at a cost and safety is something that should not be compromised. So, essentially
it only tells us that attention- attention due attention should be paid to the the threats or
the cyber security at different levels.

The second point I highlight there is , cyber security affects different units okay, it affects
individuals, okay, you can recall some of the instances I reported which is an individual
level attack, you may not, it is not because you are an employee that you are getting
attacked, it is not an organizational infrastructure assets that is being attacked but it's
attack is on you, okay, your bank account or your individual data. So individuals,
organizations,society and government are all vulnerable, okay, these are all different units
,so all these units have cyber challenges or cyber security challenges ,okay so the the
landscape is wide , it affects different domains, it affects different types of organizations,
we talked about healthcare versus manufacturing, All these have different implications So
it is not restricted to certain domain alone, it is it is quite open to different domains, okay
and government should also be concerned about cyber security in two ways number one,
government systems can be attacked, government data can be leaked, okay, government
possesses a lot of data, you agree with it, with Aadhaar which will be one of our case
studies , as we proceed in the course, okay, it is a load of personal data that government
collects and stores and once it goes out to the wrong hands, okay, it is people's data or
people's privacy, that is compromised, okay, so there is a cost to it. So government should
be concerned about cyber security and also government's role is to ensure the safety of
citizens, the welfare of citizens, essentially the welfare from that point of view its
government's role also to formulate policies and regulations, regulate the cyber world in
such a way, that it actually, the the country is safe and the country progress and the
country does tap into the digital technologies without compromising security, okay, so
that is a big order, okay and that is the challenge every government is facing,okay. No
government wants to discontinue digital technologies, particularly India, you know so the
government is tech savvy ,which is good ,okay, but at the same time there are huge
challenges that are related to privacy and data protection, okay, privacy issues and data
protection issues which is a close cousin of cyber security, okay, so both are interrelated
,okay , it is getting national attention, okay and when we explore the regulation across
the globe on data protection, we will see , of course the developed countries and also a
developing country like India, okay,what is happening in data protection world in India,
okay and of course this is related to technology, this is related to privacy and it is also
related to politics and I must preempt potential biases that you may see in me when I
discuss politics ,okay, so because each of us can have an opinion in politics, okay , but I
would try to remain as government political party neutral as much as possible but different
governments face different challenges,okay and they change their taunts when they move
from opposition to ruling party but privacy is an important issue of the day, okay. And
the fourth point as a background and motivation for the course I want to stress is the role
of technology in cyber security.

I would articulate that technology has a triple role, okay, technology plays three roles in
cyber security, technology can be source of threat ,okay, so somebody talked about denial
of service attack okay,denial of service attack is actually an attack on a network or a
computer using another computer It is a script that runs on one computer to sort of stall
another computer, so it is a technology that is used for cyber attack, okay, so technology
itself is a source of threat. That is one role of technology, okay and there are scripts
available in public , if you want to actually try out denial of service attack, okay. Second,
it is also an asset to be protected, it can be a source of threat, it is also the asset that
organizations need to protect, okay. When your data center, your databases, okay or your
important devices like your computer - in ransomware your computer is the asset that
actually gets attacked.That is the asset that you need to protect, okay, so technology is a
threat, technology is an asset and technology can also be used as a defense weapon, okay,
so how do you defend your technology? So protection mechanisms which we will discuss
in one of the sessions, predominantly uses technology it deploys technology, the firewall
technology for example, is a technology to defend or protect your assets okay and
therefore my my articulation that technology is triple , okay, it is not, it is not just one it
can be a source of threat, it can be a weapon and it is also the asset that needs protection
So when we use the term technology in cyber security, keep in mind what are you referring
to okay, and that clear understanding is important.

Generally we may think that, well cyber security technologies mean technologies that you
use to protect your assets, no not necessary, okay ,not necessarily you need to understand
the nuances.
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 01
Lecture: 03

Okay, let me actually ask this question openly. What do you mean by security? Leave
cyber security. So the course deals with security. Protection from threats, protect whatever
is important to you. Okay, Is there anything general? When do you feel secure? The
general meaning of the word secure. Okay, okay, let us talk about general physical
security.

Let us also include not just information security, but physical security. Feeling safe,
feeling safe. What is that feeling? So the point is security is a psychological sense as well
in the general sense. Information security has also a emotional dimension but as you
pointed out, it is a quality or state.

In a general sense, security is a state, a state of being safe or state of feeling secure. Well,
everything is fine. There are no miscreants, there are no people who are trying to, you
know, attack or intrude and cause damage to your property, your assets, your information
or yourself, you are safe. So these are the constant concerns we have for our survival. So
when we change the unit from individual, so I asked you a personal question, in fact but
when you go or change the unit from individual to organizations, organizations also have
assets to protect.

For us as individuals, we are the asset, my body or my life is the most important asset
and then my information or what I carry in my mind, you know, that is the next asset that
I have as a individual, but it is a whole. And for organizations, they have plenty of assets,
physical assets and informational assets and that used to be the scope of cyber security or
information security in the past. And that is why I said when cyber security is referred to,
the general understanding was it is about securing information. It is about securing
computers. It is about securing computer networks.

And that is the scope, nothing beyond that. But today, the scope is also about securing
what is added to. So yeah, we are coming to the definition of cyber security versus
information security. In information security, as I said, you protect information as an asset,
data and information. For example, your databases, like in AIMS servers, you know,
people got access to AIMS database servers, that should not happen.

It is a breach of data. So and therefore, it is related to information security. So can you
imagine what would be the added dimension in cyber security? Information security is a
part of cyber security. But when you refer to cyber, there is a little more or in fact, there
is much more. There are different aspects of security when it comes to the organizations.

When you discuss organizational security, there is physical security of various
infrastructure elements of an organization, then there is personal security, operations,
communications, network, information and so on. So that is security in general. For
example, before you enter the institute, IIT Madras, there is a gate. There is a gate and
what is the purpose of the gate? And there are security personnel deployed there. So, the
institute has invested in creating a gate, we call it a security gate.

And we have security people deployed there , 24 by 7, essentially to ensure security of
all that is mentioned here. It is about the assets of the organization. But how are they
ensuring the security or what is the role of that security? So, that is where the discussion
of how security is ensured or what does a cyber security do? So, one word is definitely,
you use the word verifying, you said authorized access, etc. So, we will discuss that more
systematically, what does cyber security do? But essentially, a security system ensures
that people who enter the campus are authorized to enter the campus. Those who have
the right to enter, only enter and others do not enter.

Or conversely, those who have the right to enter should be able to enter. They should
not be denied entry. And those who do not have the right to enter, should be denied entry.
So, you can also see false positives and false negatives can happen there,in security system.
But their role is to ensure that.

But if that has to be done, then they need to know who is who, Who is trying to access,
whether they have the authority or not. So that is a verification. We will get into the details
of how cyber security is ensured. But there are some confusing terms here like cyber
security versus information security That is one. Otherwise , of course, let us look at, you
know, the words,you know, we should be very clear about the basic terms that are used,
the dictionary meanings in fact.

So, there are two words cyber and security. What do you think- which is correct? There
are three ways in which you can write cyber security, cyber security with a space in
between, cyber security with a hyphen in between, or cyber and security together, which
is correct? Hm? All are correct. Okay, good. Okay. So you probably you say all are
correct, because you may be reading so, in in different articles of papers.
 Is that so? Okay, let me see how I wrote this in the title. I gave a space in between, cyber
and security are two words. Is that okay? Okay. A is more common in reading.

A is more common. Okay. Well, you are right. All the three are correct. But only one,
only one condition. If you use one convention, like you write cyber and security
separately, follow that consistently.

In the same paper, you should not use different forms. If you choose cyber security as
two words, which is the norm in in Europe, typically in Europe, they use the two words
differently. And then follow the European convention. The last one is the US convention,
cyber security is written as one word. And if you follow that, then you follow that
consistently, it can be written as one word.

So therefore, if when you read journals or articles, which originate from the US, you will
always see it is a one word. But if it is European, you will see these are two words. So
you can follow any, so there and in India, we reach a compromise, the compromise is B,
you put a hyphen, because you do not want to displease anyone. So, that is also fine, in
some literature people do so. But adding a hyphen, instead of that you can add a space or
whatever you you think you like you can, there is no problem, but follow one consistently.

Now the word cyber security - cyber. So and the word cyber, we need to understand that
correctly. Cyber is a word that became associated with computers or the networked
computers, or predominantly the internet and the world of internet, I would say from 90s
onwards, the cyber world, we use that word cyber. It is a prefix to many words. Today
we have cyberspace, cyber coolie, cyber world, cyber cyber.

So this cyber, well, I do not know who did this, because the word comes from cybernetics.
Cybernetics is a Greek word. And cybernetics actually means somebody who is steering
a ship or a vehicle, the steerman, someone who is in control of that. So cybernetics means
control. So that is one word, you know, in Greek it is one word.

So somebody pulled cyber out and used it to represent the internet. So internet connected
world or internet connected systems is generally referred to as cyber systems or the cyber
world. Just keep that in mind. It is a new, it is a new terminology. And cyber security in
that sense, since it connects to the computer systems or networked world, it denotes the
security of the networked world, the computer networked world.

So, that is the connotation in terms of word meaning - cyber security, cyber denoting the
internet world. And cyber in terms of netics, it is cyber security means security of the
world of internet. And that is where actually we differentiate cyber security from
information security and for your information, International Telecommunication Union,
which is a global body for telecommunications, digital technologies, old body. They have
in 2008 given a definition to cyber security, which I have reproduced here.

It is not from a textbook. But it is a kilometer long. So, they are trying to include every
aspect of the sphere of computing, every element and every aspect of sphere of computing,
which includes tools, policies, security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best practices, assurance, technologies, all that
is related. So therefore, you know, many of them are correlated. So the definitional clarity
is, is an issue, but cyber security is all inclusive, the security of everything that is under
the cyber world. And therefore, cyber security would also involve users or human beings.

Do you think that is a concern? It is not just the information, but you as a user or you as
a user, having an account in a social network like the Facebook. One thing is, your profile
should be safe and no unauthorized access should happen. Well, that is an information
security concern. But there are other concerns about security, which is your own security
in the cyber world. You know, there are cyber attacks on individuals.

There are movies today, right? People have been bullied or the so called cyber crimes.
Our TA is Binod, so Binod's research is related to cyber crimes. So there are criminals in
the cyber world, who can actually cause physical damage to you through these channels.
The security of individuals from cyber crimes is a concern or it is a part of cyber security.
It may not be information security it is a bigger scope.

So, in definition, I would say, cyber security is information security plus individuals. For
example, if there is a drone attack, well, the drone has surveyed your premises and there
is of course, leak of information, they have done intelligence, but it is going to attack me,
it can kill me. So, my safety through technology, through the use of technology or
information technology is also under the purview or under the scope of cyber security.
So cyber security covers everything, users and systems. Information security is more
about the systems and their security.

Now, since it is an emerging phenomenon, we will borrow a lot of concepts from
information security because the concepts have been developed well in the literature of
information security. And I am going to introduce the course outline to you now. And
you will see that your textbook is titled information security, okay, information security
So,it is predominantly the textbook deals with information security and other aspects of
cyber security will be covered through extra reading materials, which I am going to give
you. So, we will be covering both the aspects of information security and security in the
cyber world. And as I outlined, the cyber security seeks to ensure three aspects or security
can be understood in three elements, confidentiality, integrity and availability or it is
generally known as CIA, CIA triangle.

There are three dimensions of security - information security. And I will be dwelling on
these three concepts in the next class. We will try to parse out and get into the details of
what is confidentiality, what is integrity and what is availability. And these pertain to
information, confidentiality of information, confidentiality, sorry, integrity of information
and availability of information. That is the purpose of information security management.

Yeah, so the protection of information and its critical elements, including the systems
and hardware that use, store and transmit that information. This is a definition of
information security. Information security definition as given by Whitman and Mattord.
And this you have the 2018 book, which is your textbook by Whitman and Mattord , one
of the leading textbooks in the field of information security management. I must caution
you about the expectations from the course, as I take you through the course outline.

Information security can be taught as a technology course, from the computer science
perspective. Information security can also be understood from a managerial perspective,
management and governance perspective, where technology is one aspect. Technology
does exist. And we need to understand the role of technology in cyber security
management.

But it is not a study of technology. Cyber security is much more than cyber security
technologies. So, this course as outlined in this textbook 2018 covers the management
and governance aspects of cyber security management or what managers should know
about security of information assets and security of other assets like including people in
an organization will be the predominant focus of this course. So for example,
cryptography. A CS course may dwell on cryptography for several sessions because that
is an underlying technology to ensure confidentiality. When information is transmitted
from point A to point B, node A to node B, the node A sends that information to node B,
to be read by someone.

And the purpose of cyber security is to ensure that only person who to whom it is
addressed, to whom it is intended, should read that information and nobody else. And
that is confidentiality. And the role of cryptography is basically to ensure that nobody else
reads it, even if somebody accesses it. You cannot sometimes prevent access. You know,
I am talking to you and all of you understand.

I hope most of you. Is my English okay? I guess in India, my English is okay. Well, we
have some different pronunciations in different states but by and large I am, okay. Why
do you understand me? Same medium of communication or same language. We see
language X is based on a shared understanding of the words and the structure of words is
the grammar. So, you and I understand most of the words I use in a similar sense.

And you also know, when the words are connected what they mean. So, we have a
shared understanding. and therefore the communication happens. But if I use a language,
say I use Greek, which nobody understands in this class, I may be teaching the same thing.

You are here, you have access. You are very much listening to me. But do you get what
I am saying? You do not understand the thing. Maybe from the body language you get
something but in the world of computer transmission there is no face expression. It is
only the text or it is only the information. You do not get anything out of it because it is
another language.

You call it deep encryption. Because it is encrypted even if you gain access, you cannot
understand. So, it is a very important technology from the technological perspective. But
when we look at, I am just giving an example. When we look at encryption, we try to
understand what are the different types of encryption and how they are used? But we will
take the application perspective. What does encryption do, than how encryption
algorithms work? That is the technology domain.

So, we look more from the applications of technologies in cyber security management.
And I will have a case study in the next class, which would actually help you understand
clearly. Is cyber security a technology problem or is cyber security an administrative
problem? But if I raise that question now, what would be your quick thoughts? It is both.
It is more an administrative problem. What makes you think so? Because it is a technology
that is attacked most of the times and it is the technology that is used to attack.

So, therefore the focus should be on technology. Technology as a tool and administration
as the framework or administration as something overarching which deploys techies. So,
that is actually a view which techies may not appreciate because they say , they say today,
we are moving towards zero trust systems. Zero trust means no trust in human beings,
trust none. I have some articles on that. So, you have to develop and deploy technology
such that you do not have to be dependent on anyone's credibility.

So which is actually an approach where humans are less important or the technology
takes you know, gets a higher importance in managing cyber security. That is a good
debate and we will see as we go. So these are actually opinions that you have in your
mind about what cyber security is whether the management is more important or
technology is more important. But some of you argue, both are important. So let us
examine certain important cases of data breach that happened in the recent past and that
will be an important ingredient of this course.

We analyze cases to understand what went wrong and what action was taken
subsequently. And then you will understand cyber security as a more complex problem
and data breach of big organizations has not only technology issues but huge
administrative issues. And you will also see that has regulatory implications. Government
wakes up, when they actually see instances of data breach. So, it is not just technology
problem, well, it exists at some stage.

It is an administrative problem at the organizational level. And it is also a regulatory
issue, in when data protection is not regulated. There is no one to question you. So, why
should some company invest so much in cyber security or in data protection. So, the law
of the land also becomes important. And you must be aware our country is today debating
a personal data protection, as a law, as a bill.

Of course, there is politics in it but you can see the criticality of the issue today within
the digital world. And have you heard of GDPR? Very good. So, you can see that it has
gone beyond administration to policy and regulation at national levels. So therefore seeing
cyber security as a narrow firewalls in putting up intrusion detection systems or firewalls
or whatever protection mechanisms at the technology level, well, it is a important element.
But there also need to be administrative and government systems and standards.

Standards to manage cyber security and also policies and regulation to govern at a
country level these issues. So that is what cyber security and privacy today are. So, in this
course let me actually take you through the contents of the course. Maybe what I will do
today our time is almost up. In the next five minutes, I will just give you a very brief
overview about the course.

And maybe the course expectations as to what you are supposed to do in the course. I
will explain to you maybe a little more, in the next class. So, the philosophy of the course
is what is outlined here. And I have posted the course outline and the course extra reading
materials in Moodle already.

So, you can gain access to it. So, there are mandatory reading materials which are related
to the course. And there are also supplementary readings, which are research papers or
articles and even videos that actually would help you develop understanding about cyber
security, which is posted or referred to in the course outline. So, let me end with the course
learning objectives. Course learning objectives are fourfold.
 There are four objectives from this course. Number one , to recognize cyber security
from technological and administrative perspectives. So you must see that it is both. It is
not just one. And in this course, I am not going to sort of ignore technology.

And just make it a management talk. But we would definitely look at technology as
threat and technology as asset and technology for protection. So all the three aspects of
technology would be covered in the course. As I said, it has a threefold role in cyber
security. And I must also say that I am not the expert in cyber security technology
especially from the protection mechanism point of view.

So, that requires a lot of technical knowledge and experience. People are do exist in the
domain who are experienced in cyber security technologies. So, as part of this course, I
will be bringing in someone who can talk about cyber technologies from experience and
involvement much more. And that is a part of the course, a part of the pedagogy. So, you
will have a guest talk from industry and all your doubts, you should actually ask him not
me. In the sense, this is more like a sort of interaction with a cyber security practitioner.

That is the understanding. And so, how is this CL01 the course learning objective
covered in the course. I will just take you to the session plan. You can see, I am covering
foundations of cyber security, information security and related concepts with the help of
your textbook and also research articles, principles of information security management,
confidentiality, integrity, availability, etc. What do these concepts really mean? That will
be covered in the next session. So, this is about cyber security fundamental concepts and
you will have a case study of Target corporation.

One of the defining instances of cyber security breach was in 2016 alongside the same
time I think it was 2014 when Sony Corporation faced another huge data breach. These
two together actually shook up the world not just these companies, not just industry but
government as well. Because cyber security has become much bigger or in terms of size
and impact. So, that is why I have selected a representative case of the Target corporation
and we will analyze that case.

Security management, governance, risk and compliance. So GRC generally there are
frameworks. There is an ISO standard, there is GRC framework, which can be
implemented by organizations for overall management of cyber security. So, instead of
looking at it bits and pieces, buying some updates on a new technology, how do you
actually implement cyber security as a practice, as a management framework in an
organization and becomes compliant with certain standards. So what are those standards?
That will be one discussion in the course. And then, let me actually put it in your mind
right away from a cyber security management perspective.

Management is about planning, management is about managing resources at a
fundamental level. So there are two types of planning. One is called contingency planning.
Contingency planning is to manage contingencies where the basic premise is despite all
the steps that you have taken to protect your systems, things can go wrong.

Contingencies can come. Planning is done by human brains, who cannot predict the
future completely. You can have some prediction but predictions can go wrong. Then
what do you do? That is contingency. So, contingency planning is one dimension of cyber
security management.

The other dimension is the risk management. In risk management, there is no assumption
that something has gone wrong. But the assumption is something can, what are the things
that can go wrong? And how do you actually protect your systems against that? So, one
is about proactive or you know sort of preventive. Risk management planning is about
preventive. You prevent your systems from all potential disasters that can happen.

Contingency is about reactive. Suppose something go wrong, how do you do the
firefighting? How do you fight the fire, that is broken up? And then things restore the
systems to normal operation. So fundamentally I would say cyber security management
deals with these two aspects, contingencies and risk management. So, these are the two
important aspects we will be covering from a management perspective in this course. And
then there is cyber security policy which is a reference top, reference document for
understanding priority for cyber security and resources for cyber security, etc. So, as I
said, we will, I will take you through the foundations, fundamental concepts and also, we
also look at the technologies for cyber security.

So as I said, there will be a guest lecture, security technology, cryptography and security
I have dedicated one session to outline. So, I will be doing that from a confidentiality
point of view. And there is also something known as passive defense versus active defense
today. A lot of technologies are actually deployed for passive defense,to protect.

So, you also have heard offense is the best defense. Can you offend the hackers? Can
you attack them, instead of they attacking you? That is just a thought, but active defense,
you go beyond being, you know, building walls, you go beyond that, you tried shooting.
So that is the, so but what are the legal sides? I know you must be very aware. It is not a,
it is not a trivial thing. And then you can see the course slowly moves from topics related
to cyber security to privacy, Information privacy, and its landscape and one of the
important things this course does is to familiarize you with the landscape of regulation,
privacy regulation in different parts of the globe.

So that is, and including India, North America, Europe and India. And so, there are
several cases that I will use to illustrate this and help you understand the concepts clearly.
So that is what the course is. So I will thank you very much. Have a good day. Thank
you, sir.
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 02
Lecture: 04

Hello and welcome to the second session of cybersecurity and privacy course. So, in
the last class we had a brief introduction about cybersecurity and privacy, actually we
were trying to understand what the title means. So, it is like laying the foundation for
foundation and today is the foundation for cybersecurity. So, we will dwell on certain
fundamental aspects of cybersecurity, predominantly cybersecurity and privacy as a
topic, we will do after a few sessions on cybersecurity gets over and you will get to
appreciate what is, what are the connections between data privacy and cybersecurity
through, of course, through several sessions that follow. So, essentially cybersecurity as
an administrative issue, is what this course is focusing on. So, in administration you
need to administrate, you need to manage several resources.

So,you have to as managers , you manage human resources, you manage technological
resources you manage tangible and intangible resources of a organization. So
essentially, we do not look at cyber security as a technological issue alone but we also
look at it as a broad or much bigger issue concerning governance and management of
organizations. So what are the frameworks that are available what are the standards that
are available for cyber security management in practice is a part of this course as I
outlined in the previous session. And we would also be looking at technology in a three
dimensional perspective, as I explained in the last class, as technology as a source of
threat, technology as an asset to be protected and technology also as a tool or as a
firewall for protecting your cyber assets.

So there are three aspects to technology in this course. And the cyber security
challenges are emerging, we have seen that in the last class. So, I am going to bring
certain diagrams that actually help you understand the concept of cyber security or
information security in a holistic way, understanding what are the different dimensions
of it. So one such diagram is this and of course the title is information security, As I
explained to you in the last class, cyber security and information security are closely
related. Information security is a part of cyber security and it is a most important part of
cyber security I would say and therefore you can understand it from multiple
dimensions.

You can see, there are three major dimensions - information security as the main
concept or the main central concept, the main concept and then you can see there are
three concentric circles, which constitute three dimensions or three constituents of
information security which are network security,computer and data security and
management of information security. And in the intersection, you see the intersection, a
shaded intersection which actually emerges from the management perspective in terms
of color, you can see that but which is central, you know, which is common to all the
three. So, in other words, you can see that policy guides, policy is the reference for
security related practice, security related decisions, for example, how much should an
organization invest in cyber security? We are going to discuss a case today where there
is an organization which is invested as much as Pentagon, invests in security. So huge
focus on cybersecurity, that may not be the case with all organizations. So the policies
would differ from organization to organization, depending on the criticality of the cyber
assets and other considerations, that organization choose, chooses.

So, they make choices on cybersecurity investments. So the policy is the intersection
and policy guides decisions as I said, then you see network security and computer and
data security. Other way to think about it is, well, this is about in data and information.
So in data and information, there are three aspects, one is data storage, other is data
transmission and the third is data processing. So these are the computing elements- data
storage devices, data transmission and data processing.

So, security pertains to these three aspects of computing. You can see computer and
data security involves data, databases and computer means processing. So the
applications that process the data. So that is one aspect, storage and processing and the
third aspect is data transmission. You can see network security when data or information
is transmitted from node A to node B, there is a chance of data breach or you know
unauthorized access to the data and therefore that is another aspect or another aspect of
computer security or information security.

So data storage, data transmission and data processing - three aspects of computing
needs protection and should be secured and that is what is represented in this diagram.
And, well, in order to do that, you need management practices and management policies. There should be human resources, there should be technology for protecting these
assets and there should be decisions on ,how much to protect and how much to leave,
how much to leave - that is also a decision management actually, may not over invest in
security, we will see that. So all these are pertaining to the administrative dimension of
cyber security. So you can see cyber security is not one - cyber security involves all the
three and there is a need for understanding and also practicing it, as an integrated effort
to protect cyber assets.
 Now, this is a very important aspect of cyber security as a course, any course in cyber
security you do, be it a technology course, be it a management course, you will have
these three concepts which will be a common fundamental set of three concepts -
Confidentiality, Integrity and Availability. So, this is often called the CIA triangle, CIA
triangle. So, what is CIA triangle means one way to understand it is, CIA is the purpose
of cyber security,what does cyber security do? Cyber security ensures that
confidentiality, integrity and availability of information is secured. So it is like the
purpose, what is cyber security’s aim to achieve, it aims to achieve confidentiality,
integrity and availability of information,information in the cyber world. Well, that is the
most dominant or most important concept, the concept, set of concepts that pertain to
cyber security.

Of course,the cyber world goes beyond information today , so those aspects we will
slowly integrate into the lessons that are coming up but at a fundamental level, if you
look at the purpose of information security,it is to ensure these three aspects which are
important for computing for it which are important for secured storage processing and
transmission of information. So there may be other aspects, other concepts also related
to cyber security, for example accountability. So those are related concepts, we will
discuss them one by one. So let us try to understand what each of these concepts are,in
some more detail as we go. So I will get into each of these concepts in the coming slides
but let us have a holistic understanding of cyber security or information security, I am
using it, these two terms synonymously now.

So, here is an NSTI SSC security model, also known as McCumber cube or John
McCumber is the person, who proposed this cube which makes understanding about
cyber security holistic, very holistic and if you look at it closely and if you are in the
practice of cyber security, this cube ensures that you do not miss anything. do not miss
anything, you do not miss any aspect of cyber security. There are three dimensions that
McCumber cube actually represents in a cubical form, the first dimension is the
computing dimension which we discussed, storage processing transmission these are the
three roles of computer systems and that is where your information and data reside. So
those are the assets and those are the devices which actually are involved in the storage
processing and transmission of data. The second dimension is the objective or the
purpose of cyber security which is availability integrity and, sorry, confidentiality,
integrity and availability.

So when computer systems store, process and transmit data,they should be secure,
what does security means - security means confidentiality, integrity and availability. So
these three dimensions of computing should be protected with respect to confidentiality
integrity and availability. Now how do you do that? How do you actually protect?
There are three methods to ensure cyber security, they are number one, policy, number
two, education and number three, technology. These are methods to ensure cyber
security in terms of confidentiality, integrity and availability for data and information
storage, processing and transmission. So it is very intuitive, the important lesson here
is, suppose you look at one cell of this cube, it does not miss,it looks at all the three
dimensions for example, there is an application so that is for data processing, look at the
center dimension.

So this is for this particular cell, you will look at it from three dimensions. So for
example, this is for data processing and integrity of data processing has to be ensured
and this integrity has to be ensured with respect to policy, education and technology. So
this, the number of cells of course, you can, you know say, so three into three into three,
so each cell is holistic and when as my practicing managers, you can actually ask these
questions, you know, are all these cells considered in cyber security? Due attention has
been paid to all the three dimensions across all the cells. So that is the, that is another
fundamental concept or a fundamental framework to understand cyber security - the
McCumber cube. Now, let me also take you through the CIA triangle which we
discussed, which I propose as the three objectives or the purpose of cyber security.

The first concept is confidentiality. What is confidentiality? Confidential information.
So I have heard in administrative circles, if you want to make something public and
make a gossip out of something, put some document is so called, you know you want to
actually leak it out, put it into an envelope, close this and put a heading - confidential
and give it to a clerk, that will be the talk of the town the next day. So the moment you
say confidential, you become curious. So people are curious to listen to conversations or
tap data which is not theirs.

There is a human tendency, sometimes it is out of many reasons. So I can't tell you all
the reasons why people want to access others information. There can be malice, there
can be evil intentions, there can be fun, there can be, it could be by mistake also. So
there could be human errors but it can happen due to several reasons. The purpose of
cyber security is to ensure that if person A sends an information to person B and person
A wants this to be read only by person B and not by any C, system has to ensure that,
this transmission of data from A to B is confidential, that is it is read, only by B and not
by C.

And three scholars, of course, they are not scholars, they are also entrepreneurs, you
must have heard about this name Rivest, Shamir and Adleman, they actually, we will
refer to them later on in encryption techniques, when we discuss in a later class. So they
published a paper in 1978 in IBM systems journal where they actually represented
confidentiality using the diagram that is given here. Alice is sending a confidential letter
or a message to Bob and then there is the evil Eve, actually wanting to intersect or
wanting to know what is going on. So that is where, the aspect of confidentiality comes.
A data which is confidential should be read by only the intended recipient not by
anybody else and that is what confidentiality is.

And you can think of the application of this concept in so many situations or so many
contexts in business and in society. For example, who accesses your private
information, who has access to your credits or your academic performance. So, the
institute can give access to those who can access it and those who should not access it,
as those who are not supposed to access it, should not do it. So the data has to be
protected against unauthorized access unauthorized access. And see for example, best
example is our Aadhaar database.

Aadhaar database is biometric and it is your personal identity. And it is the
responsibility of the country to ensure that this is not accessed by people or anyone. It is
my data. So, that is where the privacy aspect comes in. And when I shared it with
someone, it should be used by that entity or the data processor only with those for whom
I have given permission, I have given consent to share the data.

There is always a consent between the data collector or the data processor and the data
subject. And therefore that contract should be maintained and that is what
confidentiality is. Confidentiality is the responsibility of the data collector to ensure that
data is shared only with the intended recipients and not with unintended recipients. So
how do we actually ensure this? So, in order to ensure confidentiality, there is need for
information classification. For example, in an organization there is personal data and
there is data about your salaries for example, in a company when you work, And the HR
department has to ensure that your salary data is known, can be accessed by maybe
certain superiors but not by your peers or your subordinates.

There is a policy. So the policy has to be implemented in the database access.
Essentially you are ensuring confidentiality as to who can access and who cannot access.
So therefore information need to be classified. We will discuss information classification
later, as to what is confidential and what is not confidential or what is top secret as in
the US military. And then documents have to be secured in terms of storage and the
security policies has to be applied and people need to be trained and so on.

That is the confidentiality aspect of information. So you will see in systems that ensure
confidentiality, when an information passes from Alice to Bob, the jealous Eve may be
able to access that data. You may be able to intersect and even if you intersect you
cannot actually make out what it is. Caesar cipher, you know, Caesar used to
communicate with his commanders through someone. But if someone on the way reads
that you do not understand anything.

So that is encryption. We will come to that. The second aspect of cyber security is
integrity. What do you mean by integrity when you hear this word what comes to your
mind? Completeness. Yeah, integrity means purity, completeness.

Okay. No compromise on the quality. Yeah it talks about quality. It talks about
completeness. It talks about purity. Is that the word you use? Okay.

Alright. Okay. So we refer to people, you know, the so and so person does not have
integrity and so and so person high integrity. So integration, integrity means whole, the
full. So if part is missing, somebody is really good in doing job but somebody gets into
malpractices. So we say, integrity is questionable. Some aspect is fine but some aspect
is missing.

Integrity is that. There is an information that is transmitted from A to B. That is the
whole information. At A, it is the whole information but when it reaches B, part of it is
missing. For example, you are giving your CV. You are sharing your CV with
placement and you have your complete CV.

But somebody is jealous about your CV and removes your work experience. Then, I
hope it does not happen, but then information is passed. CV is passed but integrity is the
problem. Part of the data is stolen or missing or somebody actually changes your work
experience. Say, you said, 10 years and somebody makes it 2 years.

You alter the data. So you also manipulate it. All that is about the integrity of the data.
So when data passes from A to B, the data should reach B intact. We call it intact,
without any damage, without any manipulation, without any change and it should be as
it is.

That is the integrity aspect of data. And in practical scenarios, for example if you share
your data in with your employer and employer does not give you access to your
personal data or your professional or your bio data. And suppose you did a certificate
program or you updated your, you want to update your CV. But as an employee, they
do not give you access to your data. Then again, it is a matter of integrity.

You are not able to update your data. And today, by regulation it is required that when
a data, a subject shares the data with a data controller or a data collector, the subject
should have access to that data wherever it is stored. I should be able to make changes to
that data. It is my data and I should have access to it. It is one of the privacy rights.

It is also about the integrity of the data. The data is incomplete. And suppose, it can
also happen when somebody entered that data into a database, your date of birth is
entered wrong. And date of birth matters in employment. Suppose you are born in year
2000, suppose it is entered as 2010, there is a big problem out there. Even one year
change can actually affect your promotions and so many things.

So it affects you and you are the affected party, others may not mind. So it is
somebody else's problem but user must have access. So it is a problem of data integrity,
essentially. So it reflects in so many aspects in organizations, in government and in so
many other settings. So integrity is therefore a very fundamental aspect of information
security.

Confidentiality and then integrity. Who has access to your data and protecting your
data without damage. That is the second aspect. And the third dimension of cyber
security is availability. Well, availability is the other side of confidentiality.

Data should not be available to unintended audience. But data should be available,
when it is required by the intended party. When you are in need of information, it
should be accessible and available. So it is the other side. It should not be accessed by
someone who does not have access rights but it should be accessible and always
accessible as per contract, based on the contract. And therefore availability is very
critical in certain business context.

Availability of databases. Suppose you are trying to book a ticket, an airline ticket or
train ticket in IRCTC. And you try to log in, you log in and you are about to reserve but
the database is not available, it is down. And maybe you want to browse and see your
past reservations some information you want but the database is not accessible. You
have signed in and therefore you have the privilege to access your data.

It’s your data, you are not accessing somebody else's. You are within confidentiality
but the system should allow you to access your information when you are in need of it.
And this is the time for you to make a reservation and the data is not available. It is a
problem of availability. So, in order for computing systems to ensure availability, they
need to make provisions for that. Cyber security management requires to ensure data is
available to those who are intended recipients of the data.

And availability is related to reliability. If systems are reliable, they will be available.
So therefore, reliability engineering, especially in computer systems, ensures the
availability of data or databases or access to computing resources using a method known
as redundancy. Redundancy is the word. So,how much of redundancy, if one system is
down, the processing or access should not stop, should be available from other systems.

So availability by redundancy. So I am just giving a clue as to how technologically you
will ensure availability and availability is also a function of how much. There is a
99.9999 so the number of nines after the decimal point. So, that is a sort of contract also
when it comes to B2B in terms of IT contracts, in terms of availability. So when critical
systems run on IT, availability is critical and therefore by contract, by service level
agreements, there will be contractual arrangement between parties to ensure availability
of systems.

And therefore if a client is asking for more availability, you can imagine the service
provider has to invest more in redundancy. And therefore, the cost will be higher. So
therefore, you can always ask for 100 percent availability but 100 percent comes at a,
sometimes an infinite cost. So, these are concepts that are related to cyber security -
confidentiality, integrity and availability and these three terms, even if you forget
everything else, should be by heart to you, as students of cyber security. Even if you
have woken up in the middle of the night, what is cyber security doing? confidentiality,
integrity and availability.

So there should be straight recall of these three concepts. Let me illustrate it with an
example. So there is an image of course, what does it take you to, this image, biometric,
the yeah, the retinal. So somebody is taking a biometric scan of the eye. It can be
different aspects of the eye, we will see that later.
 Course Name: Cyber Security and Privacy
Professor Name: Prof Saji K Mathew
Department Name: Department of Management Studies
Institute Name: Indian Institute Of Technology Madras, Chennai
Week: 02
Lecture: 05

So, there should be straight recall of these three concepts. Let me illustrate it with an
example. So, there is an image of course, what does it take you to, this image?
Biometric the, yeah, the retinal. So somebody is taking a biometric scan of the eye. It
can be different aspects of the eye, we will see that later. But you all have an Aadhaar
card.

So you all went for Aadhaar identification, that was the stage of identification. So, the
first concept related to cyber security is confidentiality. And in order to ensure
confidentiality, one of the first steps is identification. I gave the example of the security
gate.

Security gate, if people come to the security gate to enter our institute, the security
actually decides whether someone can enter or not. But how do we, how will they
decide whether you can enter or not? You cannot simply look at the face of people and
decide. You cannot just look at if somebody is smiling or somebody is well dressed or
not well dressed, you know, these are not ways. There has to be some credible
mechanism by which people can be identified. Without identity, you cannot ensure
confidentiality.

Who is who? Whether somebody is given the right to access or not, is based on
identification. So you can see that in all data collection efforts, be it by government or
by organizations, the first step is to create identity. As soon as you join IIT Madras in
your initial enrollment process, there is an identity creation process. You provide your
data and you provide supporting documents and based on that, the administration
actually agrees or they have those processes to identify you. And based on the
supporting documents you have given, you are given finally an identity card.

So how will you enter IIT Madras if somebody stops you at the gate? Here is my
identity. And that identity card identifies each of you as a student,as a student of IIT
Madras. But if somebody stops me, I also have an identity card and I show that identity
card and I am identified in a different role. I am not identified as a student, I am
identified as a faculty. You have your ID card in front of you.

So a student of IIT Madras. Well, a student can enter. Of course, the dates are also
important, not an old card. So they check that and that they let you in. But if there is no
identity card, they cannot actually make a decision, it becomes very difficult.

So the first step in confidentiality is identification. Identification is the process of
creating credible identity for individuals who can access computing resources. You can
imagine the effort done by the government in creating an Aadhaar ID for you. The most
difficult stage is the identification process. Because government had to use vendors,
existing vendors and the government verified their credibilities and outsourced this job
to vendors to create identities or to collect identity information and finally assign an
identification number, which is called Aadhaar number to every individual.

That was the identification process. Identification process, creating an employee ID or
a role number or an Aadhaar number, an account number, all these are actually part of
identification process. So the first step in security is identification. Who is who? And
the second step in confidentiality or in cyber security in general, it pertains
predominantly, to confidentiality. So that is why I am saying it is linked to
confidentiality.

So, after identification comes authentication. Or in other words, only if you have valid
identities, authentication will work. Now, suppose you go for your passport or suppose
you go for getting a SIM card for your mobile services, you want to have a new SIM
card, you go to Airtel. So there is any service provider not Airtel, it could be Jio,
anyone. So they have a need by government regulations to identify you as to who you
are.

So there is an identification process. So there in Airtel, you cannot produce your IIT ID
card. That is not a valid ID. A valid ID is to prove that you are a citizen of India. And
you have a unique ID, identification ID or number provided by the government of India.

That is the sort of identification they require to give you a telecom service. And
therefore, you may go and claim in a telecommunication service provider's office that I
am Saji, please give me a SIM card. And so and so are my credentials. Well, you claim
to be Saji, you claim to be a citizen of India, we want to verify that. We want to
authenticate, who you claim to be.

We want to verify. So authentication is nothing but verification. So you come to the
IIT gate and say I am a student of IIT Madras. Well, give evidence. So your ID card
serve us a source of your authentication.

It is already created, identification is done, you have the ID card. For authentication,
you produce your ID card. In a passport office or in telecom service and related
services, they ask you to place your fingerprints. There is a fingerprint reading device
where they ask you to place your fingers. What are they doing? They are doing
authentication.

Because in my Aadhaar ID, I have shared my biometric data. Biometric data is stored
in the Aadhaar database. And when I claim that I am X, let us check whether you are X.
X's credentials is what actually is already stored. So as X, I am giving my credentials.

If the credentials of my biometric matches with the credentials which are stored against
X in the Aadhaar database, your authentication is done. You are, you claim to be X and
you are actually X, we verified. Authentication is nothing but the verification of
ensuring a person is who he or she claims to be. That authentication is the entry, the
gateway or the entry into a computing system or an organization. Once authentication is
done, you are allowed, you are inside.

You get the point, you showed your ID card, you are in. But you have to create the ID
card, that is identification. Authentication is, well, verification. Whenever there is a
need to access resources, you need to show that identity and then there is an
authentication process. You try to access your Gmail or your Yahoo mail or your IIT
mail.

What do you do basically? There are two fields there. One is, you write your user ID.
What is that? Saji@iitm.

ac.in. That is my email ID. Well, fine. That is what I claim to be myself. But it could
be you tomorrow, want to see my emails, what is going on, between someone or
somebody, you know, you have something in the email which you want to see. You can
claim to be me. So therefore, there is authentication.

Well, you claim to be Saji, fine. So, tell me your password. So, password is, you can
say another, biometric is one, you can say, password is one of the long standing
methods of authentication. You basically disclose something which only I am supposed
to know. This is something I know, you know, biometric is something I have, password
is something I know and only I am supposed to know.

That is the secrecy of password. When I enter my password, the system will cross
check whether the password is correct and then you are authenticated. Essentially,
password is also a method for authentication, whether you are me or you are somebody
else. And if of course, my password has leaked, of course, you can become me. So that
is, that is a weakness and therefore, you have multi factor authentication today, We will
discuss that later. So, authentication based on the criticality of services that you are
actually signing into, is a very, very important step in cybersecurity - identification, then
authentication.

And the third important word is authorization. All these three are together key concepts,
for particularly, for confidentiality - identification, authentication and then comes
authorization. Authorization is about defining the level of access, what you can access
and what you cannot access. Suppose you enter IIT campus as a student, as a student,
you have certain privileges. For example, you are allotted a hostel room, you can
straight away go to your hostel room and enter the hostel room, you are allowed, but you
cannot enter a faculty room, that is not allowed.

So, therefore, there are certain privileges, when it comes to databases, or say Moodle,
look at Moodle, which we use for our course management. There is a student login, there
is a faculty login. So the authority, level of authority to access information is limited for
different roles. And that is known as authorization. So a system based on your, after
your authentication, provides access to resources based on your access rights.

And if authorization is to be done effectively, then the access rights have also need to
be defined properly. So who is who, what are the different roles and what are their rights
to access etc, need to be predefined. So in summary, you can imagine two aspects of
cybersecurity or management or information security management. One is to classify
information, information need to be classified and people also need to be classified.
And then there has to be a mapping between people and information.

So, that actually decides the level of authority. So we will understand these concepts a
little more in the upcoming sessions as to how to do an information classification, what
are some of the standard practices available, say in industry, in military, and so on. And
also how people are classified, in terms of their roles. We will get into those details
later, but at a fundamental level, these are three key concepts. Do you have any
questions here? Otherwise I move on to explain a couple of items more and maybe you
will be able to relate to these concepts in the case that we are going to discuss.

What went wrong? When we look at certain instances, you can see where was the
problem, was it with identification, authentication, authorization, or was it with
accountability? So accountability is related to incidents. For example, suppose there is
an incident in the campus, someone entered the campus who is not supposed to enter the
campus and created a problem or someone entered the ladies hostel in the night, who is
not a student, who is not a faculty, who is not a staff, then that person had no authority
at all. There is a problem of authentication. The person who is not supposed to enter,
entered or got access to systems. Now, what action to take? There comes the problem of
accountability.

If something goes wrong, who is to be held responsible? Who was, for example, in our
general security scenario, who was the person in the security, in the security post? Was
that person sleeping? Or how did that person get in? So therefore, who is responsible for
cyber security breaches or incidents need to be ascertained for taking actions, simply for
taking actions in the case of incidents. That is known as accountability. That is where
any data breach, who accessed and how that person got access, should get assigned to
someone, some role. Again, we will illustrate that using case studies, as to how this
accountability can be fixed. If nobody takes responsibility, then it will happen again.

And you do not know. And what was the vulnerability? And that is something which a
administration should take action upon. And therefore, sign in and log data, which are
to be maintained strictly in organization is based on the principle of accountability.
Keeping logs and keeping complete history of who signed in and who signed out into
systems need to be maintained, for the purpose of accountability. What we do now in
the next 15 to 20 minutes, we will actually discuss the case that was shared with you
reading R3, which pertains to a major incident in the world of cyber security.

Okay. I would say this is major, because this particular incident had implications for
industry and government, because government is also responsible for welfare of people.
And when major incidents happen, that affects large number of people, it could be due
to absence of or not having proper regulations, proper laws and law enforcement in the
country. So therefore, government also comes into picture and this is one such incident,
which was discussed world over. So, we will look at this case of Target corporation.
And we will ask three questions, which are given here.

One is to start with, identify technological and managerial vulnerabilities that led to
data breach at Target. This was reading R4 earlier, that is why the slide is showing it,
but it is actually R3, Okay. Yeah, so, first question, so who wants to answer the
question? So, I would leave it to you, you can, somebody can actually give introduction
to the case, just summarize the case as a whole without, you know, giving any solutions
or without doing a why why analysis or why this happened, but what happened is
something that we can start with. And then we can look at why.
 So anyone can actually answer. So what is this case about, what happened actually?
We can see that Target has to, for maintaining their payment systems on the day of, we
can say, the period of Thanksgiving 2013. The problem occurred when Target
outsourced or we can say, gave the responsibility to a third party, like a Faisal
Mechanical Services, which are supposed to control their climate services but due to
some, it made hackers, it gave access to the payment systems, which leaked the
customers information, payment information, such as credit card information and various
information to the hackers, which they commoditized. So what do you know about
Target corporation? Where is this company based and what do they do? Target? It