Topics in This Unit

  • 1.1 — Evolution of Cyber Security
  • 1.2 — Cyber Security: Increasing Threat Landscape
  • 1.3 — Introduction to Cyber Security
  • 1.4 — Confidentiality, Integrity & Availability (CIA Triad)
  • 1.5 — Security Management, Frameworks & Standards
Topic 1.1

Evolution of Cyber Security

Cyber Security did not appear overnight. It has evolved over decades — growing alongside the internet, computers, and digital technology. Every time technology advanced, new threats appeared, and new security solutions had to be invented.
📌 Last Night Tip
Remember the 5 eras of evolution. Each era = new technology → new threat → new security response. That's the pattern.

Era 1 — The Pre-Internet Era (1960s–1980s)

Computers in this era were large mainframes accessible only to universities, research labs, and the military. There was almost no networking — computers were mostly standalone. Security was purely physical: lock the room, only trusted people get access.

The first known computer "worm" — not a security threat but a self-replicating program — was the Creeper program (1971), created on ARPANET (the predecessor to the internet). It moved from computer to computer and displayed "I'm the creeper, catch me if you can!" The first "antivirus" — called Reaper — was written to delete it.

🕰️ Historical Milestone
1983 — First use of the word "Virus": Fred Cohen officially described the concept of a computer virus in his academic paper — a program that can infect other programs by modifying them. This was the beginning of malware as we know it.

Era 2 — The Early Internet Era (1988–1999)

ARPANET grew into the public internet. Email, websites, and online communication became widespread. With connectivity came the first wave of real cyber threats.

The Morris Worm (1988) was the first major internet attack. Created by Robert Tappan Morris, it infected ~6,000 computers (about 10% of the entire internet at the time), caused millions of dollars in damage, and led to the creation of the first Computer Emergency Response Team (CERT).

During the 1990s, antivirus software became a commercial product, firewalls were introduced, and basic password-based authentication became standard.

Era 3 — The Dot-Com and E-Commerce Era (2000–2007)

The internet exploded. Online banking, e-commerce, and email became everyday activities. Criminals recognized the financial opportunity — cybercrime shifted from curiosity-driven hacking to profit-motivated attacks.

Era 4 — The Advanced Persistent Threat Era (2008–2015)

Attacks became more sophisticated, targeted, and organized. Nation-states started using cyberattacks as a tool of warfare. Organized criminal groups operated like businesses — with specializations, customer support (for ransomware victims), and profit-sharing.

Stuxnet (2010) — believed to have been created by the US and Israel — became the world's first known cyber weapon. It physically destroyed Iran's nuclear centrifuges by sending incorrect commands to industrial machines. This proved that cyberattacks can cause real physical destruction.

Era 5 — The Modern Era: AI, Cloud & IoT (2016–Present)

Today's threat landscape is the most complex in history. Three technology revolutions (AI, cloud, and IoT) have dramatically expanded the attack surface.

Fig 1.1 — Evolution of Cyber Security: Timeline
[Timeline figure; recoverable labels: ~1970 (1960s–1980s) physical security, mainframes only · ~1988 (1988–1999) Morris Worm, CERT created · ~2000 (2000–2007) e-commerce era, IT Act 2000 · ~2008 (2008–2015) APT / Stuxnet, nation-state attacks · ~2016 (2016–present) AI + IoT + Cloud, Ransomware-as-a-Service]
References
  • Stallings, W. — Cryptography and Network Security, Pearson
  • Morris Worm — CERT/CC: https://www.cert.org/historical/advisories/CA-1988-01.cfm
  • Stuxnet documentation — Symantec: https://www.symantec.com
  • CERT-IN History: https://www.cert-in.org.in

Topic 1.2

Cyber Security: Increasing Threat Landscape

The Threat Landscape means the full picture of all possible cyber threats at any given time. It is called "increasing" because as technology grows and more systems connect online, the number and variety of threats keep growing — faster than security can keep up.

Why is the Threat Landscape Expanding?

1. More Devices = More Targets

Every new device connected to the internet is a new potential entry point for an attacker. In 2010, there were about 12.5 billion internet-connected devices. By 2025, this number crossed 75 billion devices — including smartphones, smart TVs, industrial sensors, medical equipment, and vehicles.

🌍 Real-World Case
Mirai Botnet (2016): Hackers used 600,000 insecure IoT devices (webcams, routers, baby monitors) to launch a massive DDoS attack that took down Twitter, Netflix, Reddit, and GitHub for hours. The devices were hacked simply because their owners never changed the default password.

2. Ransomware Explosion

Ransomware attacks grew by 150% between 2020 and 2022 (IBM X-Force). Attackers now offer "Ransomware-as-a-Service" — even non-technical criminals can buy ransomware kits and launch attacks. Hospitals, schools, and governments are prime targets because they desperately need their data and will pay quickly.

🌍 Real-World Case
WannaCry Ransomware (2017): Infected 200,000+ computers across 150 countries in a single day. The UK National Health Service (NHS) had to cancel 19,000 appointments. Total estimated damage: $4–8 billion.

3. Cloud Misconfigurations

Organizations moved to cloud platforms (AWS, Azure, Google Cloud) quickly — but many misconfigured their storage. A "publicly accessible" S3 bucket in AWS can expose millions of files to anyone on the internet. According to IBM, cloud misconfiguration is responsible for 15% of all data breaches.
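To make the S3 misconfiguration above concrete, here is an added example (not from the original notes and not AWS code) that inspects a bucket policy document offline and flags statements granting access to anyone on the internet. Both policies, the bucket name and the account id are constructed; the hardened policy shows the same grant restricted to a single IAM role.

```python
import json

# Constructed sample policies used to illustrate the "publicly accessible"
# S3 bucket described above. The weak one lets the whole internet read objects.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneToRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-files/*"
    }]
})

# The corrected version grants the same action only to one application role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyAppRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-files/*"
    }]
})


def _is_wildcard_principal(principal) -> bool:
    """True when a statement's Principal is written as 'anyone' ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that grant access to the world.

    Simplification for this example: a statement is flagged when Effect is
    Allow, the Principal is a wildcard and no Condition block is present at all.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    public = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # some conditions narrow who may use it
            continue
        public.append(stmt.get("Sid", "<no Sid>"))
    return public


def is_public(policy_json: str) -> bool:
    """Convenience check used by a reviewer or a CI pipeline."""
    return bool(find_public_statements(policy_json))
```

In a real account this check complements, rather than replaces, the account-level S3 Block Public Access setting.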

4. Phishing and Social Engineering

Phishing is now highly targeted. Attackers research victims on LinkedIn, Instagram, and company websites, then send convincing personalized emails pretending to be a trusted person. 91% of all cyberattacks begin with a phishing email (KnowBe4, 2023).

5. Supply Chain Attacks

Instead of attacking a well-defended company directly, attackers compromise a small, trusted software vendor that the company uses — and deliver malware through a legitimate software update.

🌍 Real-World Case
SolarWinds Attack (2020): Hackers (believed to be Russian state-sponsored) added malicious code into a SolarWinds software update. Because SolarWinds was trusted by 18,000 organizations — including the US Treasury, Pentagon, and Microsoft — the malware reached all of them through a legitimate update.

6. AI-Powered Attacks

Attackers now use AI to: write more convincing phishing emails (using ChatGPT-like tools), create deepfake videos of CEOs authorizing fraudulent wire transfers, automatically discover software vulnerabilities, and make malware that changes its code to avoid antivirus detection.

Fig 1.2 — Cybercrime Damage Cost Worldwide (Billions USD) — Growing Threat
Fig 1.3 — Today's Threat Landscape: Attack Surface Map
[Attack surface map figure: "Your Organization" (systems, data, people) in the centre, surrounded by Ransomware (encrypts all data, demands ransom), Phishing (fake emails, steal credentials), IoT Attacks (smart devices, default passwords), DDoS (flood servers, service down), Supply Chain (vendor malware) and Insider Threat]
References
  • IBM X-Force Threat Intelligence Index 2024: https://www.ibm.com/reports/threat-intelligence
  • Verizon DBIR 2023: https://www.verizon.com/business/resources/reports/dbir
  • Cybercrime Magazine — Global Cybercrime Costs: https://cybersecurityventures.com
  • CERT-IN Annual Report 2023: https://www.cert-in.org.in

Topic 1.3

Introduction to Cyber Security

Cyber Security is the practice of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks, damage, or unauthorized access. It covers everything from individual device protection to securing entire national infrastructure.

Key Definitions

Cyber Security (NIST Definition)

"The prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation."

Simple Definition

Cyber security is like a security guard system for the digital world — it protects your data, devices, and networks from theft, damage, and unauthorized access, just like a lock and security camera protect your home.

Core Goals of Cyber Security

Cyber security aims to protect three core properties of information — Confidentiality, Integrity, and Availability — remembered as the CIA Triad (covered in detail in Topic 1.4).

Domains of Cyber Security

Cyber security is not just one thing — it covers multiple specialized areas:

Fig 1.4 — Domains of Cyber Security
  • Network Security: protecting networks from intruders and attacks
  • Application Security: securing software from bugs and vulnerabilities
  • Information Security: protecting data from unauthorized access
  • Operational Security: processes and decisions for data management
  • Cloud Security: securing cloud-stored data and services
  • Endpoint Security: securing devices like laptops and phones
  • Identity & Access: who can access what, and when
  • Disaster Recovery: restoring operations after an attack
  • Digital Forensics: investigating cybercrimes
  • User Education: training people is critical

Types of Cyber Attacks (Overview)

Attack Type         | Simple Explanation                                   | Example
--------------------|------------------------------------------------------|------------------------------------------------
Malware             | Bad software that harms your system                  | Virus, worm, ransomware
Phishing            | Fake emails/websites to steal your info              | Fake bank login page
DDoS                | Flood a website with traffic to crash it             | Taking down a bank website
Man-in-the-Middle   | Secretly reading messages between two people         | Intercepting banking app traffic on public Wi-Fi
SQL Injection       | Tricking a database through a web form               | Extracting all usernames & passwords
Social Engineering  | Tricking humans into revealing secrets               | Pretending to be IT support on the phone
Ransomware          | Locks your files, demands payment                    | WannaCry hospital attacks
Zero-Day            | Exploits an unknown software bug                     | Stuxnet exploiting a Windows flaw

Why is Cyber Security Important Today?

References
  • NIST Cybersecurity Definition: https://www.nist.gov/cyberframework
  • Cybersecurity Ventures — $10.5 trillion report: https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021
  • Stallings, W. & Brown, L. — Computer Security: Principles and Practice, Pearson

Topic 1.4

Confidentiality, Integrity, and Availability — The CIA Triad

The CIA Triad is the most fundamental model in all of cybersecurity. Every security decision, policy, and control ultimately comes back to protecting one or more of these three properties: Confidentiality, Integrity, and Availability. If any one of the three is broken, a security breach has occurred.
📌 Exam Tip
CIA Triad is the single most important concept in Unit 1. Always define all three, give an example for each, and remember how each can be violated. This appears directly in exam questions.
Fig 1.5 — The CIA Triad Model
[Triangle figure: Confidentiality (only authorized access), Integrity (data is accurate and unaltered), Availability (accessible when needed)]

1. Confidentiality

Simple Definition: Only the right people can see the right information. Unauthorized people should never be able to read sensitive data.

How to Achieve Confidentiality?

How is Confidentiality Violated?

Simple Analogy
Confidentiality is like your private diary with a lock. Only you have the key. If someone breaks the lock and reads it, confidentiality is broken.
🌍 Real-World Violation of Confidentiality
Aadhaar Data Breach (2018): A Tribune India investigation found that unauthorized operators were selling access to the entire Aadhaar database for ₹500, exposing personal details of 1.1 billion Indians — a massive confidentiality breach.

2. Integrity

Simple Definition: Data must be accurate, complete, and unchanged from its original form. No one should be able to modify data without authorization, and any modification should be detectable.

How to Achieve Integrity?

How is Integrity Violated?

Simple Analogy
Integrity is like a sealed envelope. If you receive it with the seal broken, you know someone tampered with the letter inside. A hash is the digital version of that seal.
🌍 Real-World Violation of Integrity
Bangladesh Bank Heist (2016): Hackers compromised the SWIFT banking communication system and modified transaction messages, instructing the Federal Reserve Bank of New York to transfer $81 million to fraudulent accounts in the Philippines. The integrity of the financial messages was completely compromised.
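Added example, not part of the original notes: it puts the "digital seal" from the Integrity section into code and shows why a bare hash is not enough when whoever alters a transaction message can also recompute its seal, whereas a keyed HMAC (a hash that needs a shared secret) still detects the change. The key and the messages are constructed; real payment networks use their own mechanisms.

```python
import hashlib
import hmac


def seal_with_hash(message: bytes) -> bytes:
    """Unkeyed seal: SHA-256 of the message. Anyone can recompute it."""
    return hashlib.sha256(message).digest()


def verify_hash(message: bytes, seal: bytes) -> bool:
    # compare_digest avoids timing differences when comparing seals
    return hmac.compare_digest(seal_with_hash(message), seal)


def seal_with_hmac(key: bytes, message: bytes) -> bytes:
    """Keyed seal: only a holder of the shared secret can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hmac(key: bytes, message: bytes, seal: bytes) -> bool:
    return hmac.compare_digest(seal_with_hmac(key, message), seal)


def integrity_demo() -> dict:
    """Compare both seals against two kinds of unauthorized modification."""
    key = b"constructed-shared-secret"          # constructed, known to both banks
    original = b"PAY 1000 USD TO ACCOUNT 12345"  # constructed transaction message
    tampered = b"PAY 1000 USD TO ACCOUNT 99999"  # same message, account changed

    hash_seal = seal_with_hash(original)
    hmac_seal = seal_with_hmac(key, original)
    results = {}

    # Case 1: the message is changed in transit but the seal is left alone.
    # Both seals detect it (the "broken envelope seal" in the analogy).
    results["hash_detects_changed_message"] = not verify_hash(tampered, hash_seal)
    results["hmac_detects_changed_message"] = not verify_hmac(key, tampered, hmac_seal)

    # Case 2: the message AND its seal are replaced by someone without the key.
    # The bare hash verifies fine, so integrity silently fails; the HMAC does not.
    recomputed = seal_with_hash(tampered)
    results["hash_fooled_by_recomputed_seal"] = verify_hash(tampered, recomputed)
    results["hmac_rejects_without_key"] = not verify_hmac(key, tampered, recomputed)
    return results
```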

3. Availability

Simple Definition: Authorized users must be able to access systems, networks, and data whenever they need it. If a system is unavailable when needed, it's just as damaging as a theft.

How to Achieve Availability?

How is Availability Violated?

Simple Analogy
Availability is like an ATM machine. Even if the money is safe inside, if the machine is broken or out of service, you can't withdraw your money — availability has failed.
🌍 Real-World Violation of Availability
GitHub DDoS Attack (2018): GitHub was hit with the largest DDoS attack ever recorded at that time — 1.35 terabits per second of traffic — making GitHub completely unavailable for 10 minutes. Even 10 minutes of downtime cost developers worldwide enormous productivity loss.

Summary: CIA Triad at a Glance

Property        | Question It Answers                    | Main Threat                          | Main Defence
----------------|----------------------------------------|--------------------------------------|-----------------------------------------
Confidentiality | Can only the right people see this?    | Data theft, phishing, eavesdropping  | Encryption, access control, MFA
Integrity       | Is this data accurate and unmodified?  | SQL injection, MitM, malware         | Hashing, digital signatures, audit logs
Availability    | Can users access systems when needed?  | DDoS, ransomware, hardware failure   | Redundancy, backups, DDoS protection
⚠️ Important — Beyond CIA: The Parkerian Hexad
Some textbooks mention an extended model called the Parkerian Hexad which adds three more properties to CIA: Possession/Control (who controls the data), Authenticity (verifying the source), and Utility (usefulness of the data). For your exam, the CIA Triad is the core requirement.
References
  • NIST SP 800-53 — Security and Privacy Controls: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • Stallings, W. — Cryptography and Network Security, 8th Ed., Pearson
  • Anderson, R. — Security Engineering, 3rd Ed., Wiley
  • Aadhaar Breach — TRAI Report 2018

Topic 1.5

Security Management, Frameworks and Standards

A Security Framework is like a recipe book for cybersecurity. It gives organizations a structured, step-by-step guide on what controls, policies, and procedures to implement in order to protect their information systems. Frameworks tell you what to do; tools and technology tell you how to do it.
📌 Exam Tip
Know at least 5 frameworks with their full names, what they focus on, and who uses them. This is a direct 5-mark question in the paper.

Why are Security Frameworks Needed?

Major Security Frameworks

1. NIST Cybersecurity Framework (NIST CSF)

Developed by the US National Institute of Standards and Technology. Arguably the most widely used cybersecurity framework in the world. Organized around 5 Core Functions:

Fig 1.6 — NIST Cybersecurity Framework: 5 Core Functions
  • IDENTIFY: know your assets and risks
  • PROTECT: implement safeguards
  • DETECT: find threats early
  • RESPOND: take action on incidents
  • RECOVER: restore operations

Who uses it? US federal agencies, healthcare organizations, banks, IT companies globally. NIST CSF v2.0 was released in February 2024 and adds a 6th function: GOVERN.

2. ISO/IEC 27001

An international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Organizations can get certified against ISO 27001 by an accredited certification body. This certification tells customers, partners, and regulators that the organization has a robust, verified security management system.

Example
A software company in Pune wants to work with a German client. The German client asks for ISO 27001 certification as proof that the company's data handling is secure. The Pune company undergoes a 6-month audit and gets certified.

3. COBIT (Control Objectives for Information and Related Technologies)

Developed by ISACA (Information Systems Audit and Control Association). COBIT is primarily an IT Governance framework — it helps organizations align their IT strategy with business goals while managing risk and ensuring compliance.

COBIT 2019 (current version) organizes governance into 6 principles and covers domains like: Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate.

Who uses it? Large enterprises, auditors, IT governance teams, and financial regulators.

4. PCI-DSS (Payment Card Industry Data Security Standard)

Developed by the PCI Security Standards Council, which includes Visa, MasterCard, American Express, and Discover. This standard is mandatory for any organization that processes, stores, or transmits credit/debit card information.

PCI-DSS v4.0 (2022) has 12 core requirements:

  1. Install and maintain network security controls (firewalls)
  2. Apply secure configurations to all system components
  3. Protect stored account data with encryption
  4. Protect cardholder data with strong cryptography during transmission
  5. Protect all systems against malware
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data on a need-to-know basis
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security systems and networks regularly
  12. Support information security with organizational policies

5. CIS Controls (Center for Internet Security)

A prioritized set of 18 cybersecurity best practices (CIS Controls v8, published 2021). Designed to be practical and immediately actionable. Organized into 3 Implementation Groups based on organization size and resources.

Top Controls include: Inventory of Enterprise Assets, Inventory of Software Assets, Data Protection, Secure Configuration, Account Management, and Continuous Vulnerability Management.

Why it's popular: It tells you exactly what to do in priority order — start with the most impactful security controls first.

6. HIPAA (Health Insurance Portability and Accountability Act)

A US law that sets mandatory standards for protecting patient health information (PHI). Requires healthcare organizations to implement: Technical Safeguards (encryption, access controls), Administrative Safeguards (policies, training, audits), and Physical Safeguards (secure facilities, device controls).

7. IT Act 2000 & DPDP Act 2023 (India)

India's primary legal framework for cybersecurity and data protection. The IT Act 2000 defines cybercrimes and their penalties. The Digital Personal Data Protection Act 2023 (DPDPA) establishes the rights of individuals over their personal data and the obligations of organizations that collect it.

Fig 1.7 — Security Frameworks: Focus Area vs Adoption Rate

Comprehensive Comparison Table

Framework      | Full Name                                          | Focus                         | Best For                  | Certifiable?
---------------|----------------------------------------------------|-------------------------------|---------------------------|------------------
NIST CSF       | NIST Cybersecurity Framework                       | General cybersecurity         | All sectors               | No (guideline)
ISO 27001      | ISO/IEC 27001:2022                                 | Info security management      | All organizations         | Yes ✓
COBIT          | Control Objectives for IT                          | IT governance                 | Enterprises, auditors     | Yes (via ISACA)
PCI-DSS        | Payment Card Industry DSS                          | Card payment security         | Finance, e-commerce       | Yes (mandatory)
CIS Controls   | Center for Internet Security Controls v8           | Prioritized security actions  | All sizes                 | No (guideline)
HIPAA          | Health Insurance Portability & Accountability Act  | Patient data protection       | Healthcare                | Legal compliance
IT Act / DPDPA | Digital Personal Data Protection Act 2023          | Personal data rights & duties | India-based organizations | Legal compliance

Security Management: Key Concepts

Risk Management

The process of identifying, assessing, and prioritizing risks, then deciding how to handle each risk — either by reducing it (mitigate), accepting it, avoiding it, or transferring it (insurance).

Formula: Risk = Threat × Vulnerability × Impact

Security Policy

A formal document that defines an organization's rules and expectations for protecting its information assets. Three levels:

Security Controls

Three categories of security controls — remember as PTT:

Unit 1 — Key Takeaway

Security frameworks are the backbone of any organization's cybersecurity strategy. They ensure nothing is missed. Choose your framework based on your industry (HIPAA for healthcare, PCI-DSS for payments, ISO 27001 for general certification) and implement the CIA Triad as your fundamental guiding principle for every security decision.

Official References
  • NIST CSF v2.0: https://www.nist.gov/cyberframework
  • ISO/IEC 27001:2022: https://www.iso.org/isoiec-27001-information-security.html
  • COBIT 2019: https://www.isaca.org/resources/cobit
  • PCI-DSS v4.0: https://www.pcisecuritystandards.org
  • CIS Controls v8: https://www.cisecurity.org/controls
  • DPDP Act 2023, India: https://www.meity.gov.in/data-protection-framework
  • IT Act 2000: https://www.meity.gov.in/content/information-technology-act