E-Commerce & Cyber Law Essentials

Cheatsheet Content

Module V: E-Commerce & Digital Payments Definition of E-Commerce Buying/selling goods/services over the internet. Also known as electronic commerce or internet commerce. Involves transactions of money, funds, and data. Business Models: Business to Business (B2B), Business to Customer (B2C), Customer to Customer (C2C), Customer to Business (C2B), Business to Administration (B2A), Customer to Administration (C2A). Main Components of E-Commerce User: Individual/organization using platforms. E-commerce Vendors: Entities providing goods/services (e.g., Flipkart). Must ensure: Suppliers and Supply Chain Management Warehouse operations Shipping and returns E-Commerce catalogue and product display Marketing and loyalty programs Technology Infrastructure: Servers, apps, data storage. Internet/Network: Essential for transactions, faster connectivity improves e-commerce. Web Portal: Interface for e-commerce transactions (desktops, mobiles, smart TVs). Payment Gateway: Mode for customer payments (Credit/Debit Card, Online Banking, Wallets, UPI). Elements of E-Commerce Security Encryption: Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for data transmission. Secure Payment Gateways: Trusted gateways for financial information. Firewalls and Security Software: Prevent unauthorized access, malware. Authentication and Authorization: Strong user authentication (e.g., 2FA). Regular Updates and Patch Management: Mitigate vulnerabilities. Data Privacy and Compliance: Adherence to regulations (GDPR, CCPA). Risk Assessment and Monitoring: Identify vulnerabilities, continuous monitoring. Customer Education: Educate on safe online practices (strong passwords, phishing awareness). Physical Security Measures: Secure servers and data centers. Backup and Disaster Recovery: Plans for data recovery after breaches/failures. Common E-Commerce Security Threats Data Breaches: Unauthorized access/theft of sensitive customer info (hacking, phishing). Phishing Attacks: Deceptive emails/messages mimicking legitimate sources. Malware and Viruses: Malicious software infecting e-commerce sites. DDoS Attacks: Overwhelming servers with traffic, causing unavailability. SQL Injection: Exploiting code vulnerabilities to access/manipulate databases. Man-in-the-Middle (MITM) Attacks: Intercepting communication between user and website. Identity Theft: Stealing user identities for fraudulent purchases/accounts. Supply Chain Attacks: Targeting weaknesses in the supply chain. Payment Frauds: Fraudulent activities during payment transactions. E-Commerce Security Best Practices SSL Encryption: Encrypt data between website and users. Strong Password Policies: Encourage strong passwords and MFA. Regular Software Updates: Patch vulnerabilities. Secure Payment Gateways: Use PCI DSS compliant gateways. Data Encryption: Encrypt sensitive data at rest and in transit. Regular Security Audits: Identify vulnerabilities. Firewalls & DDoS Protection: Monitor traffic, prevent service disruption. Train Employees: Educate staff on security best practices. Privacy Policies & Compliance: Adhere to data protection regulations. Monitor Suspicious Activity: Detect and respond to incidents. Backup Data Regularly: Ensure data recovery. Limit Data Access: Restrict access to sensitive data. Advantages of E-Commerce Reduced Overhead Costs: No physical storefront, web hosting fees. No Physical Storefront Needed: Avoid costs/obstacles of a physical store. Broader Audience Reach: Global customer base. Scalability: Easier growth without physical relocation. Track Logistics: Easier to manage fulfillment (e.g., shipping, returns). Introduction to Digital Payments Payments without cash exchange, transferring value between digital devices. Payer and payee need bank accounts, online banking, a device, and a transmission medium (payment provider/bank). Components of Digital Payment & Stakeholders Payment Gateway: Authorizes/facilitates transactions, encrypts info. Payment Processor: Manages transaction flow, verifies details, transfers funds. Mobile Wallets: Store payment info for smartphone transactions (Apple Pay, Google Pay). Digital Currencies/Cryptocurrencies: Decentralized forms for peer-to-peer transactions (Bitcoin). Near Field Communication (NFC): Enables contactless payments. QR Codes: Scannable codes for easy transactions. Stakeholders: Customers/Users: Individuals making payments. Merchants/Retailers: Businesses accepting digital payments. Financial Institutions: Banks providing infrastructure. Payment Service Providers (PSPs): Companies facilitating payments (Stripe). Regulatory Bodies/Government Agencies: Ensure security and fairness. Technology Providers: Develop software/hardware for payment systems. Security Firms: Specializing in encryption, fraud detection. Modes of Digital Payments Banking Cards: Debit/Credit/Prepaid cards (Visa, RuPay, MasterCard). Unified Payment Interface (UPI): Links bank accounts to a single app for easy transfers. e-Wallets: Store financial info for quick online transactions (PayPal, Paytm). Unstructured Supplementary Service Data (USSD): Mobile banking via shortcodes (*99#) for limited internet access. Aadhaar Enabled Payment System (AEPS): Bank-led model using Aadhaar for fund transfers. Digital Payments Related Common Frauds & Preventive Measures Phishing: Fake messages/emails tricking users into revealing personal info. Preventive: Verify URLs, don't share details via email/unsecured sites, enable 2FA. Identity Theft: Fraudster steals personal info for fraudulent activities. Preventive: Strong passwords, monitor credit report, cautious online sharing. Account Takeover: Fraudster gains access to digital payment account. Preventive: Strong/unique passwords, account alerts, biometric authentication. Card Skimming: Illegal copying of card info via skimming devices. Preventive: Check card readers, use contactless payments, monitor statements. Malware and Spyware: Malicious software stealing financial info. Preventive: Antivirus software, avoid suspicious links, keep OS updated. Unauthorized Transactions: Transactions without account holder consent. Preventive: Check statements, enable alerts, report immediately. Social Engineering Attacks: Manipulating individuals to reveal confidential info. Preventive: Caution with unsolicited calls/messages, verify identity, educate self. RBI Guidelines on Digital Payments & Customer Protection Digital Payments: Security Measures: Banks must implement 2FA, encryption. Customer Awareness: Banks educate customers on risks. Fraud Monitoring: Regular transaction monitoring for suspicious activity. Prompt Redressal: Timely investigation of customer complaints. Customer Protection in Unauthorized Transactions: Limited Liability: Customer liability limited if reported within time. Timely Reporting: Customers encouraged to report quickly. Dispute Resolution: Defined process for resolving disputes. Reversal of Transactions: Banks ensure prompt reversal of unauthorized transactions. Relevant Provisions of Payment Settlement Act, 2007 (India) Regulation of Payment Systems: RBI is regulatory authority. Designation of Payment Systems: RBI designates systems for regulation. Licensing of Payment System Operators: Provisions for licensing. Oversight and Monitoring: RBI monitors systems. Settlement Finality: Settlements are final, cannot be revoked. Establishment of Payment System Board: Board within RBI to supervise systems. Penalties and Enforcement: Provisions for non-compliance. Module II: Cybercrime and Cyber Law What are Cybercrimes? Criminal activities done through cyberspace via internet-connected devices. Also called 'computer crimes'. Objective: Gather confidential data for monetary, political, or personal motives. Classifying Cybercrimes: Broad and Narrow Sense Role of Computer Cybercrime in Narrow Sense (Computer as an object) Cybercrime in Broad Sense (Computer as a tool or context) Description The computer/information stored is the subject/target of the crime. The computer/information is a tool or contains evidence, but not the primary target. Examples Hacking, sabotage, virtual child pornography. Computer fraud, forgery, distribution of child pornography, murder using computer techniques, bank robbery, drugs trade. Cybercrime Against Individual Email spoofing: Forged email headers to hide sender's true identity. Spamming: Sending multiple unsolicited mass emails. Cyber Defamation: Defamatory content published online. Harassment & Cyber stalking: Following individual's activity over internet. Cybercrime Against Property Credit Card Fraud: Fraud by using stolen or known card numbers. Intellectual Property Crimes: Software piracy, copyright infringement, trademark violations, theft of source code. Internet Time Theft: Unauthorized use of internet hours paid by another. Cybercrime Against Organization Unauthorized Accessing of Computer: Accessing systems without permission. Changing/deleting data. Computer voyeur: Reading confidential info without altering. Denial of Service (DoS): Flooding servers with bogus requests to make them unavailable. Computer Contamination / Virus Attack: Malicious programs infecting other programs. Email Bombing: Sending large number of emails to crash servers. Salami Attack: Removing negligible amounts that accumulate to something larger (financial crimes). Logic Bomb: Event-dependent program that triggers malicious action. Trojan Horse: Unauthorized program that appears legitimate but performs malicious actions. Data Diddling: Altering raw data before or after processing. Cybercrime Against Society Forgery: Forging currency, mark sheets using computers. Cyber Terrorism: Using computer resources for terrorism. Web Jacking: Gaining control of a website and changing its content. Cybercrime Targeting Computers and Mobiles Malware Attacks: Viruses, worms, Trojans, ransomware, spyware. Phishing: Tricking users into revealing sensitive information. Identity Theft: Stealing personal info for fraud. Online Scams: Advance-fee fraud, lottery scams. DDoS Attacks: Overwhelming networks to disrupt services. Data Breaches: Infiltrating organizations to steal sensitive data. Cyberbullying: Harassment, threats via digital means. Mobile Device Theft and Hacking: Stealing/hacking devices for data. Cyber Extortion: Threatening to release info unless ransom is paid. Insider Threats: Employees misusing privileges. Cryptojacking: Using victim's device to mine cryptocurrency. Cybercrime Against Women and Children Cyberbullying: Online harassment, threats, intimidation. Online Harassment: Unsolicited offensive messages. Revenge Porn: Sharing explicit images without consent. Sexting Exploitation: Coercion/blackmail for explicit content. Online Grooming: Predators manipulating children for exploitation. Child Pornography: Illegal distribution/possession. Online Trafficking: Luring/exploiting women and children. Cyberstalking: Persistent online attention leading to fear. Financial Fraud: Scams targeting personal finances. Privacy Violations: Sharing personal info without consent. Financial Frauds Ponzi Schemes: Lure investors with high returns, paying old investors with new funds. E.g., Saradha chit fund scam. Identity Fraud: Stealing sensitive info (phishing, malware). Warning Signs: Unfamiliar transactions, strange bank charges, new credit cards in your name. Fraudulent Charities: Fake charities collecting donations. Warning Signs: Claiming you're a previous donor, only accepting cash/crypto. Credit Card Fraud: Stealing card info (phishing, Dark Web, cloning). Warning Signs: Suspicious transactions, small unfamiliar charges. Stock Market Manipulation: Price rigging, insider trading, pump-and-dump schemes. E.g., Satyam Computer Services scandal. Bank Frauds: Loan frauds, cheque frauds, forged documents, unauthorized transactions. E.g., Nirav Modi-PNB scam. Protecting Yourself Against Financial Frauds Protect personal information. Monitor financial activities. Be cautious online. Use strong passwords & 2FA. Stay informed about scams. Keep devices secure. Exercise caution with public Wi-Fi. Verify before sharing information. Social Engineering Attacks Technique to influence and persuade people to obtain information. Exploits human weakness in security. Builds trust to gain unauthorized information/access. Example: Attacker pretending to be tech support. Classification of Social Engineering Human-based Social Engineering: Person-to-person interaction. Impersonating an employee/valid user: Posing as an insider. Posing as important user: Pretending to be CEO/Manager. Using a third person: Claiming permission from authorized source. Calling technical support: Obtaining info from help desk. Shoulder surfing: Gathering info by watching over someone's shoulder. Dumpster diving: Looking for info in trash. Computer-based Social Engineering: Using computer/software/internet. Fake emails (Phishing): Sending deceptive emails for sensitive info. Email attachments: Malicious code in attachments. Pop-up windows: Luring clicks on special offers to install malware. Effects of Social Engineering Loss/altering of medical/financial data. Loss of customers, funds, trust. Collapse of the organization. Countermeasures Against Social Engineering Training/awareness for potential victims. Awareness on how attackers gain trust. Strict policies for service desk staff (not to ask for sensitive info). Educate to recognize social engineering attempts. Malware and Ransomware Attacks Malware Attacks: Malicious software causing harm to computer/network. Used to steal personal, financial, or business information. Types of Malware Adware: Displays (malicious) ads. Viruses: Infects computers, corrupts files, destroys OS. Worms: Self-replicating, spreads to other systems, exhausts resources. Trojans: Masquerades as harmless program, steals data, allows remote control. Bots: Infected computers become part of botnet for DDoS attacks. Keyloggers: Captures keystrokes (URLs, credentials, personal info). RAT (Remote Access Tools): Enables remote access/control of device. Downloaders: Download other malware. POS (Point of Sale): Compromises POS devices to steal card info. Signs of Malware Infection Slow computer performance. Browser redirects. Infection warnings. Problems shutting down/starting up. Frequent pop-up ads. How to Protect Yourself from Malware Protect devices: Keep OS/apps updated, close pop-ups, limit app installs. Be careful online: Avoid unknown links, visit trusted sites, beware of emails asking for personal info, avoid risky websites. Perform regular checks: Scan with security software, check bank accounts/credit reports. Ransomware Attack Malware encrypts data, demands ransom for decryption. Files locked/encrypted, instruction file explains payment. Often spreads via phishing attacks or RDP access. Types of Ransomware Locker ransomware: Blocks standard computer functions until payment. Crypto ransomware: Encrypts local files, decryption key required. Scareware: Fake software claims virus detection, directs payment to resolve. How to Prevent Ransomware Attacks Regular data backups (cloud, physical). Keep system updated with latest security patches. Install reputed antivirus software. Use 'nomoreransom.org' for decryption tools if infected. Zero-Day and Zero-Click Attacks Zero-day: Exploiting software vulnerabilities before developers can fix them. Hackers steal data, corrupt files, install malware. Targets: Government, enterprises, individuals with valuable data, IoT devices. Zero-click: Requires no victim action; malware installs without clicks. More dangerous than spying software that relies on clicks. Targets: Smartphones, desktops, IoT devices. How to Protect Yourself from Zero-Day Attacks Keep all software and OS updated. Use only essential applications. Use a firewall. How to Protect Yourself from Zero-Click Exploits Keep OS, firmware, apps updated. Only download apps from official stores. Delete unused apps. Use device password protection. Use strong authentication for critical networks. Use strong passwords. Modus Operandi of Cyber Criminals Method used for successful crime commission. Elements: Ensure crime success, protect identity, facilitate escape. Common Forms of Modus Operandi Sending Annoying Messages: Bulk messages (insulting, misleading, defaming). Causes misperception, leads to fights/riots. Tricks unaware people with lottery SMS, prize money emails. Multimedia messages defaming identity. Pornography, obscene messages, cyberbullying (Delhi MMS Scandal). Obscene videos captured for exploitation. Making Offensive Calls: Harassing, threatening, extortion calls. Anonymous calls for extortion. Landlines without Caller IDs pose problem for analysis. Spoofing mobile numbers for fake calls (terrorism, illegal goods). Cyber criminals from overseas are hard to trace. Reporting Cybercrimes Contact Local Law Enforcement (Police). Report to National Cybersecurity Agency (e.g., CERT-In in India, FBI IC3 in US). Report to Appropriate Online Platforms (social media, email service). Report to Anti-Fraud Organizations (APWG, AMTSO). Report to Financial Institutions for financial fraud. Report to Internet Service Providers (ISPs) for illegal content. Document the Incident (emails, screenshots, IP addresses). Use Online Reporting Portals. Consider Legal Advice. Protect Yourself (change passwords, update security). Remedial and Mitigation Measures Remedial Measures: Incident Response: Plan to identify, contain, mitigate attacks (isolate systems, restore backups). Forensic Investigation: Identify source, gather evidence. Data Recovery: Backups to restore affected systems. Mitigation Measures: Strong Security Practices: Firewalls, antivirus, intrusion detection. Regular Updates and Patching: Keep software updated. Employee Education: Cybersecurity awareness training. Multi-factor Authentication (MFA): Extra layer of security. Data Encryption: Encrypt sensitive data in transit and at rest. Regular Security Audits: Identify weaknesses. Legal Perspective of Cyber Crime All legal issues related to internet crime are dealt with through cyber laws. Cyber law provides framework for risks from computer/network usage. Encompasses laws related to: Cyber crimes, Electronic and digital signatures, Intellectual property, Data protection and privacy. Legal Perspective of Cybercrime in India Governed by Information Technology Act, 2000 (IT Act) . Purpose of ITA: Amend Indian Penal Code (IPC). Key Provisions under Indian ITA 2000 Section Title Chapter Crime Punishment Sec. 43 Penalty for damage to computer system, etc. Chapter IX: Penalties and Adjudication Damage to computer system Compensation for Rs. 1 Crore. Sec. 66 Hacking with computer system Chapter XI: Offences Hacking (intent or knowledge) Fine of Rs. 2 lakhs and imprisonment for 3 years. Sec. 67 Publishing obscene material in electronics form Chapter XI: Offences Publication of obscene material in electronic form Fine of Rs. 1 lakh, imprisonment for 5 years and double conviction on second offence. Sec. 68 Power of controller to give directions Chapter XI: Offences Not complying with directions of controller Fine up to Rs. 2 lakhs and imprisonment of 3 years. Sec. 70 Protected system Chapter XI: Offences Attempting or securing access to computer of another person without his/her knowledge Imprisonment up to 10 years. Sec. 72 Penalty for breach of confidentiality and privacy Chapter XI: Offences Attempting or securing access to computer for breaking confidentiality Fine up to Rs. 1 lakh and imprisonment up to 2 years. Sec. 73 Penalty for publishing digital signature Certificates false in certain particulars Chapter XI: Offences Publishing false digital signatures Fine of Rs. 1 lakh or imprisonment of 2 years or both. Sec. 74 Publication for fraudulent purpose Chapter XI: Offences Publication of Digital Signatures for fraudulent purpose Imprisonment for 2 years and fine of Rs. 1 lakh. Amendments and Updates IT Act amended to address emerging threats (e.g., IT (Amendment) Act, 2008 for cyber terrorism, data privacy). Cyber Crime and Offences (General) Hacking: Unauthorized access to systems. Identity Theft: Stealing personal information. Phishing and Spoofing: Deceptive emails/websites. Cyberbullying: Harassment via digital platforms. Online Fraud: Investment scams, online shopping fraud. Distributed Denial of Service (DDoS) Attacks: Overloading servers. Cyber Espionage: Unauthorized access to confidential government/corporate info. Child Exploitation and Pornography: Illegal content involving minors. Ransomware Attacks: Encrypting files, demanding payment. Cyberstalking: Persistent online harassment. Organizations Dealing with Cybercrime and Cybersecurity in India National Cyber Security Coordinator (NCSC): Coordinates cybersecurity initiatives. Computer Emergency Response Team-India (CERT-In): National nodal agency for cybersecurity incidents. National Critical Information Infrastructure Protection Centre (NCIIPC): Protects critical infrastructure. State Police Cyber Cells: Investigate and handle cybercrimes at state level. National Investigation Agency (NIA): Deals with offenses affecting sovereignty, security. Cyber Appellate Tribunal (CAT): Hears appeals against IT Act orders. Banks and Financial Institutions: (RBI, SEBI) have cybersecurity guidelines/teams. Private Cybersecurity Firms: Offer consulting, risk assessment, incident response. Module I: Introduction to Cybersecurity Defining Cyberspace Coined by William Gibson in 1984. Environment where communication occurs over computer networks. Virtual, dynamic space created by machine clones. Primary purpose: Share info, communicate globally. Users share info, interact, engage in discussions/social media. Composed of large computer networks following TCP/IP protocol. Overview of Computer and Web-technology Computer Technology: Hardware: Physical components (CPU, RAM, storage, I/O devices). Software: Operating systems (Windows, macOS), applications (Office, browsers). Networking: Computers connecting via wired/wireless (Ethernet, Wi-Fi). Security: Protecting data/systems from threats (antivirus, firewalls, encryption). Processing Power: Moore's Law predicts doubling every two years. Web Technology: World Wide Web (WWW): Global system of interconnected documents/resources. Web Browsers: Access/interact with web content (Chrome, Firefox). Web Development: Creating/maintaining websites (HTML, CSS, JavaScript). Web Servers: Store/deliver web content (Apache, Microsoft IIS). Web Security: Protecting data/privacy (SSL/TLS encryption). Web Standards: W3C establishes standards for compatibility/accessibility. Architecture of Cyberspace No single architecture; encompasses various technologies. Network Infrastructure: Global network (Internet) with routers, switches, data centers, cables. Protocols: Define data transmission (TCP/IP, HTTP, SMTP, FTP). Domain Name System (DNS): Translates domain names to IP addresses. Data Centers: House servers and storage for digital content. Cyber Security: Measures to protect data/networks (firewalls, encryption). Web and Application Servers: Host websites, applications. User Devices: Computers, smartphones, tablets, IoT devices. Cloud Computing: Scalable computing resources (AWS, Azure). Social Media and Online Communities: Platforms for connection, sharing. Internet of Things (IoT): Devices collecting/exchanging data. Regulations and Governance: Laws/regulations (ICANN, government). Communication and Web Technology Integral components of modern digital landscape. Facilitate communication and information dissemination. Internet Derived from "internetwork". Started in 1960s for government researchers to share info. Official birthday: Jan 1, 1983 (TCP/IP established). Transmission Control Protocol/Internet Protocol (TCP/IP): Suite of communication protocols. TCP: Establishes connections, ensures packet sequence. IP: Provides addressing, delivers packets. Divided into four layers. World Wide Web (WWW): Invented by Tim Berners-Lee in 1989. Collection of websites/web pages stored on servers. Contains text, images, audios, videos. Accessed via devices (computers, laptops, cell phones). WWW + Internet enables retrieval/display of media. Building blocks: HTML pages connected by hypertext/hyperlinks, accessed by HTTP. Advent of Internet Packet switching research started in 1960s. ARPANET: First interconnected computers, used for confidential data transfer. Opened to educational institutes, then commercialized by 1995. Three Phases: Innovation (1961-1974): Packet-switching, TCP/IP, client/server computing conceptualized. Institutionalization (1975-1995): DoD, NSF funded/legitimized Internet. Commercialization (1995-present): Private corporations expanded Internet backbone. Internet Infrastructure for Data Transfer and Governance Physical/virtual systems, protocols, regulations for secure/efficient data exchange. Ensures data privacy, security, compliance. Network Infrastructure: Backbone networks, last-mile connectivity, data centers. Protocols and Standards: IP, TLS, HTTP/HTTPS, DNSSEC. Data Centers and Cloud Services: Major providers (AWS, Azure) for storage/processing. Data Governance and Regulation: GDPR, CCPA, HIPAA compliance; data retention policies, access controls, encryption. Cyber Security: Firewalls, intrusion detection, security audits. Internet Governance Bodies: ICANN, multistakeholder models. Content Delivery Networks (CDNs): Optimize content delivery (Akamai, Cloudflare). Quality of Service (QoS): Ensures performance for applications. International Collaboration: Establish norms/agreements. Data Transfer Agreements: Facilitate lawful data transfer. Internet Society (ISOC) Professional membership society promoting Internet development. Governed by elected board, coordinates groups for Internet infrastructure. Regulation of Cyberspace No formal framework; lacks clear ownership/control. Anonymity is default, encourages freedom. Crimes of global repercussion (trafficking, child pornography, terrorism). Freedom in cyberspace requires responsibility. Practical Problems in Extending Traditional Laws to Cyberspace Multiple Jurisdictions: Legal uncertainty due to anonymity, no geographical boundaries. Problem of Policing: Lack of technical knowledge, non-cooperation among police. Expensive Process: Training law enforcement officers is costly. Obtaining Digital Evidence: Difficulty in acquiring digital evidence. Concept of Cyber Security Practice of protecting computer systems, networks, data from theft/damage/unauthorized access. Safeguards digital info, ensures confidentiality, integrity, availability. Confidentiality: Info accessible only to authorized users (encryption, access controls). Integrity: Data/systems are accurate/trustworthy (checksums, digital signatures). Availability: Systems/data accessible when needed (redundancy, load balancing). Authentication: Verifying identity of users/devices (passwords, biometrics, 2FA, MFA). Cyber Attacks Exploitation of computer systems/networks using malicious code. Leads to cybercrimes (info/identity theft). Classified into: Web-based attacks, System-based attacks. Web-based Attacks Occur on websites/web applications. Injection attacks: Injecting data to manipulate application/fetch info. Session Hijacking: Stealing cookies to gain access to user sessions. Phishing: Tricking users into revealing sensitive info (login credentials, credit card numbers). Denial of Service (DoS): Flooding servers to make them unavailable. System-based Attacks Compromise computers/networks. Virus: Malicious program spreading through files, self-replicating. Worm: Malware replicating to spread to uninfected computers, often via email. Trojan Horse: Malicious program appearing legitimate, runs in background. Cyber Threat Malicious act attempting to gain unauthorized access to computer network. Ranges from damaging to disrupting systems/networks/information. Cyber Threat vs. Cyber Attack Feature Cyber Threat Cyber Attack Definition Condition/circumstance causing damage. Intended action to cause damage. Nature Intentional (human negligence) or unintentional (natural disasters). Deliberate action with motive and plan. Maliciousness May or may not be malicious. Always malicious. Damage Chance Low to very high. Very high. Issues and Challenges of Cyber Security Cyber Attacks: Constant threat from hackers, cybercriminals, nation-states. Data Breaches: Theft/exposure of sensitive data leading to financial losses. Security Vulnerabilities: Exploited by attackers (software/hardware flaws). Insider Threats: Individuals misusing access within organization. Lack of Cybersecurity Awareness: Individuals/employees unaware of best practices. Resource Constraints: Limited resources/expertise for robust security. Ransomware: Encrypting data, demanding ransom. Module III: Social Media Overview and Security Introduction to Social Networks Websites/apps for users to connect, communicate, share information. People connect with friends, family, shared interests. Important use of internet, for social/business purposes. Facebook is largest; others include Instagram, X, WhatsApp, TikTok, Pinterest. Types of Social Media, Social Media Platforms Social Networking Sites: Connect users, like/share/comment/follow (Facebook, LinkedIn, Instagram, X, TikTok, Snapchat). Media Sharing Networks: Find/share photos, videos (Instagram, Snapchat, YouTube). Discussion Forums: People answer questions, share ideas/news (Quora, Reddit, Digg). Blogs and Community Platforms: Publish thoughts, reach audience (WordPress, Tumblr, Medium). Bookmarking Networks: Save/share ideas, articles, online resources (Feedly, Flipboard, Pinterest). Consumer Review Networks: Find/share/review products/services/brands (Yelp, Zomato, TripAdvisor). Social Shopping Networks: Spot trends, make purchases, follow brands (Polyvore, Etsy, Fancy). Social Media Monitoring Collecting social conversations into useful database. Identifying what's said about a brand/individual/product. Helps achieve: Sentiment analysis: Understand user feelings (negative, positive, neutral). ROI: Identify if money is paying off. Hashtags and keywords: Improve strategies, attract customers. Trends: Identify popular themes, memes, topics. Share of voice: Percentage of online conversations about your brand. Top Social Media Monitoring Tools Hootsuite, Sprout Social, Agora Pulse, Zoho Social, Brand24, Mention, Keyhole, Iconosquare, Tailwind, Sendible. Benefits of Monitoring Social Media Brand Awareness: Protect reputation, improve awareness, real-time feedback. Engage Right Audience: Build relationships, identify interests/trends. Competitor Analysis: Learn from competitors' strategies/mistakes. Market Research: Stay on track of trends, customer sentiments. Receive Better Insights: Useful feedback from audience via tags/hashtags. Hashtag Draws attention, organizes, promotes, connects content. Pound symbol "#" marks keywords/topics. Helps users find relevant content. Associated with microblogging (Twitter). Enhances communication, adds context/humor. Viral Content Content (post, video, image) becomes extremely popular, shared by many. High awareness due to shares on networks, news sites, etc. Reaches large audiences quickly. Key Indicators: Millions of views/shares, exponential sharing, sparking conversations, picked up by mainstream media, inspiring remixes. Social Media Marketing Digital marketing leveraging social networks for branding goals. Increases website traffic, engagement, brand awareness. Content types: Videos, blogs, infographics. Benefits: Increased brand awareness, boost conversions, improved SEO, lower campaign costs. Popular platforms: Facebook, Instagram, LinkedIn, YouTube, X. Social Media Marketing Platforms (Example Chart Structure) Platform People Content Strategies Cons Facebook 25-34 Boomers Photos & links, Info, Live video Local marketing, Advertising, Relationships Weak organic reach YouTube 18-25, 26-35 How-tos, Webinars, Explainers Organic, SEO, Advertising Video is resource-heavy Instagram 18-24, 25-34 Millennials Inspiration & adventure, Questions/polls Ecommerce, Organic, Influencer High ad costs X (formerly Twitter) 25-34, 35-49 Educated/wealthy News, Discussion, Humor Customer service, Ads for males Small ad audience LinkedIn 46-55 Professionals Long-form content, Core values B2B, Organic, International Ad reporting & custom audience TikTok 10-19 Female (60%) Entertainment, Humor, Challenges Influencer marketing, Series content Relationship building Snapchat 13-17, 25-34 Teens Silly, Feel-good, Trends Video ads, Location-based marketing, App marketing Relationship building Pros of Social Media Marketing Enhance brand recognition. Cost-effective solutions with great exposure. Increase website traffic, real-time feedback. Targeted engagements. Cons of Social Media Marketing Time-consuming to set up/maintain. Unpredictable (algorithm changes). Negative feedback visible publicly. Difficult to measure true ROI. Social Media Privacy Personal/sensitive info users share voluntarily or unknowingly (tracking cookies). Crucial for online presence, controlling shared info. Tips to Enhance Social Media Privacy Privacy Settings: Adjust regularly, limit who sees posts/info. Strong Passwords: Use unique passwords for each account, password manager. Two-Factor Authentication (2FA): Enable for extra security. Be Mindful of Sharing: Think before posting, avoid sensitive info (address, phone). Regularly Review Permissions: Periodically revoke third-party app access. Customize Audience: Use platform features to control post visibility. Limit Tagging and Geo-Tagging: Disable automatic tagging. Update Privacy Policies: Stay informed, adjust settings. Regularly Audit Your Profile: Remove old posts/photos. Educate Yourself: Stay updated on privacy threats/tactics. Challenges, Opportunities, and Pitfalls in Online Social Networks Challenges: Privacy Concerns: Data misuse, identity theft. Cyberbullying and Harassment: Affects mental health. Fake News and Misinformation: Rapid spread of false info. Addiction and Mental Health: Excessive use leads to issues. Filter Bubbles and Echo Chambers: Limited exposure to diverse perspectives. Online Disinformation Campaigns: Manipulate public opinion. Security Threats: Cyberattacks, phishing, scams. Opportunities: Global Connectivity: Connect worldwide, share ideas. Business and Marketing: Audience for advertising, engagement. Information Dissemination: Rapid spread of information, awareness. Community Building: Find like-minded individuals, social change. Education and Learning: Platforms for educational content. Career Networking: Professional growth, job hunting. Pitfalls: Over-reliance on Algorithms: Reinforce biases, limit perspectives. Dependence on Engagement Metrics: Prioritize clicks over quality. Lack of Regulation: Spread of harmful content, data exploitation. Monetization vs. User Well-being: Business models conflict with user health. Digital Divide: Unequal access due to socioeconomic factors. Security Issues Related to Social Media Social media poses significant security risks. Key Issues: Privacy Concerns: Unintentional disclosure of sensitive data. Data Breaches: Cyber attackers target user data, login credentials. Phishing Attacks: Malicious actors trick users into revealing info. Fake Accounts and Impersonation: Fraudulent profiles deceive individuals. Cyberbullying: Harassment, hate speech. Misinformation and Fake News: Rapid spread of false info. Addiction and Mental Health: Excessive use linked to issues. Geotagging and Location Tracking: Compromises personal safety. Third-party Apps and Permissions: Risk of data misuse/privacy breaches. Employment and Reputation: Inappropriate content negatively impacts job prospects. Mitigation: Adjust privacy settings, strong passwords, verify sources, vigilant against suspicious activity. Flagging and Reporting Inappropriate Content Crucial for maintaining safe online environment. General Guide: Identify Content: Note hate speech, harassment. Check Platform Policies: Review community guidelines. Flag or Report: Use "Report" or "Flag" option. Provide Details: Be specific about violation. Follow Platform Instructions: Platform reviews content. Monitor and Follow Up: Track report status. Avoid engaging/spreading inappropriate content. Contact authorities for immediate risk. Laws Regarding Posting of Inappropriate Content Vary by country/region due to legal systems/cultural norms. Common Principles: Hate Speech and Discrimination: Laws against content promoting violence/discrimination (race, religion, gender). Defamation and Libel: Legal action for false info harming reputation. Copyright Infringement: Using content without permission. Privacy Violations: Sharing private info without consent. Laws in India: Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: Regulations for social media intermediaries. Indian Penal Code (IPC): Sections for defamation (499), obscenity (292), religious feelings (295A). The Information Technology Act, 2000: Section 67 for publishing/transmitting obscene material. Defamation Laws: Civil and criminal laws for defamatory content. Best Practices for the Use of Social Media Define Your Goals: Determine objectives (brand awareness, lead generation). Know Your Audience: Understand preferences, behaviors. Quality Content: Share valuable, relevant, engaging content. Use Hashtags Wisely: Research relevant hashtags, use sparingly. Post Regularly: Consistent schedule, quality over quantity. Stay Up-to-Date: Informed on trends, algorithm changes. Community Building: Encourage user-generated content, discussions. Respect Privacy and Policies: Comply with guidelines, copyright laws. Security Case Studies Facebook-Cambridge Analytica Scandal (2018): Harvested data without consent. Twitter Hacks (2020): High-profile accounts compromised via social engineering. LinkedIn Data Breach (2021): Personal data scraped and sold online. TikTok's Privacy Concerns: Scrutiny over data collection practices, Chinese ownership. WhatsApp Privacy Policy Update (2021): Backlash over data sharing with Facebook. General Security Measures Two-Factor Authentication (2FA). Privacy Settings Review. Strong Passwords. Regular Updates and Patches. Awareness and Education. Module IV: Data Privacy and Protection Concept of Data Privacy The right of individuals to control how their personal information is collected, used, stored, and shared. Focuses on the individual's autonomy over their data. Key aspects: Consent, control, transparency, and fairness. Data Protection Measures taken to safeguard data from unauthorized access, corruption, or loss. Encompasses security measures, legal frameworks, and ethical practices. Aims to ensure data privacy and integrity. Data Privacy vs. Data Protection Feature Data Privacy Data Protection Focus Individual's rights over their personal data. Safeguarding data from compromise. Scope Ethical and legal use of data. Security measures, backup, recovery, integrity. Goal Control over personal information. Ensuring data security and integrity. Methods Consent, anonymization, access rights. Encryption, firewalls, access controls. Privacy Principles (e.g., OECD Guidelines, GDPR Principles) OECD Privacy Principles: Collection Limitation: Data collection should be limited and obtained lawfully and fairly, with consent. Data Quality: Personal data should be relevant, accurate, complete, and up-to-date. Purpose Specification: Purposes for data collection should be specified before collection. Use Limitation: Data should not be disclosed or used for purposes other than those specified, except with consent or by law. Security Safeguards: Personal data should be protected by reasonable security safeguards. Openness: There should be general openness about developments, practices, and policies with respect to personal data. Individual Participation: Individuals should have the right to access their data, challenge its accuracy, and have it corrected. Accountability: A data controller should be accountable for complying with these principles. GDPR Principles (General Data Protection Regulation): Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and transparently. Purpose Limitation: Data collected for specified, explicit, and legitimate purposes. Data Minimization: Only necessary data should be collected. Accuracy: Personal data must be accurate and kept up to date. Storage Limitation: Data should be stored no longer than necessary. Integrity and Confidentiality (Security): Data processed securely, protected against unauthorized or unlawful processing, accidental loss, destruction, or damage. Accountability: Controller is responsible for and must demonstrate compliance. Privacy by Design Approach to system engineering that embeds privacy into the design and operation of IT systems, networked infrastructure, and business practices. Proactive rather than reactive; privacy is built in, not bolted on. Seven Foundational Principles: Proactive not Reactive; Preventative not Remedial. Privacy as Default Setting. Privacy Embedded into Design. Full Functionality – Positive-Sum, not Zero-Sum. End-to-End Security – Full Lifecycle Protection. Visibility and Transparency. Respect for User Privacy (User-Centric). Data Protection Regulations (e.g., GDPR, CCPA, HIPAA) General Data Protection Regulation (GDPR - EU): Comprehensive data protection law effective May 25, 2018. Applies to organizations processing personal data of EU residents, regardless of location. Key rights: Right to access, rectification, erasure ("right to be forgotten"), data portability, objection. Mandates data protection officers (DPOs) for certain organizations. Significant fines for non-compliance (up to 4% of global annual revenue or €20 million). California Consumer Privacy Act (CCPA - USA): State-level privacy law effective January 1, 2020. Grants California consumers rights regarding their personal information. Key rights: Right to know what data is collected, right to delete, right to opt-out of sale. Applies to businesses meeting certain thresholds (e.g., $25M+ annual revenue, handles data of 50,000+ consumers). Health Insurance Portability and Accountability Act (HIPAA - USA): Federal law enacted in 1996. Protects sensitive patient health information (PHI) from being disclosed without the patient's consent or knowledge. Applies to covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates. Includes Privacy Rule (patient rights over PHI) and Security Rule (safeguards for electronic PHI). Indian Data Protection Law (Digital Personal Data Protection Act, 2023) Replaced earlier drafts and aims to provide a comprehensive framework for personal data protection in India. Key Principles: Consent-based processing: Personal data must be processed lawfully with explicit consent. Data Minimization: Collection limited to what is necessary for specified purpose. Purpose Limitation: Data used only for purpose for which consent was given. Data Fiduciary & Data Principal: Defines roles and responsibilities. Rights of Data Principal: Right to access, correction, erasure, grievance redressal. Obligations of Data Fiduciary: Implement reasonable security safeguards, notify data breaches. Data Protection Board of India: Adjudicatory body for enforcement. Cross-border data transfers: Restrictions apply, based on notification by the Central Government. Significant penalties: For non-compliance, up to Rs. 250 crores. Aims to balance individual privacy rights with the need for legitimate data processing. Data Localization Requirement for data generated within a country to be stored and processed within that country's borders. Often mandated by governments for national security, law enforcement access, and economic development. Pros: Easier law enforcement access, potentially better data security, local economic benefits. Cons: Increased costs for businesses, potential for fragmented internet, reduced global data flow, can hinder cloud services. Anonymization and Pseudonymization Anonymization: Process of rendering data such that the individual is no longer identifiable. Irreversible process; once anonymized, data cannot be linked back to the individual. Example: Removing direct identifiers like names, addresses, or replacing them with random values. Pseudonymization: Process of replacing identifying information with artificial identifiers (pseudonyms). Reversible, but requires additional information (a "key") to re-identify the individual. Offers a level of privacy while still allowing for data analysis. Example: Replacing a real name with a unique ID that can be linked back to the name using a separate table. Data Breach Notification Legal requirement for organizations to notify individuals and/or regulatory authorities when their personal data has been compromised. Helps affected individuals take protective measures (e.g., change passwords). Regulations (e.g., GDPR, CCPA, DPDP Act) specify timelines, content, and recipients of notifications. Failure to notify can result in significant fines and reputational damage. Intellectual Property Rights and Data Protection Intellectual Property (IP): Creations of the mind (inventions, literary/artistic works, symbols, names, images, designs). Protected by patents, copyrights, trademarks, trade secrets. Data Protection: Focuses on personal data. Intersection: Trade Secrets: Data protection measures (encryption, access control) are crucial for protecting IP in the form of trade secrets. Copyrighted Data: Databases or digital content that are copyrighted also contain personal data, necessitating both IP and data protection. Data as IP: In some cases, aggregated or anonymized data itself can be considered a valuable asset and thus a form of IP. Balancing IP enforcement with data privacy rights is a key challenge. Recent Trends and Future of Data Privacy Increased Regulation: More countries adopting comprehensive data protection laws. AI and Data Privacy: Challenges in ensuring fairness, transparency, and consent in AI systems that process vast amounts of data. Decentralized Identity: Self-sovereign identity models giving individuals more control over their digital identities. Privacy-Enhancing Technologies (PETs): Techniques like homomorphic encryption, differential privacy, and federated learning to enable data analysis without compromising privacy. Consumer Awareness: Growing demand from consumers for greater transparency and control over their data. Ethical AI: Focus on developing AI systems that respect privacy and ethical considerations. Data Monetization vs. Privacy: Ongoing tension between businesses seeking to leverage data for profit and individual privacy rights.