Unit 2 — Networking Basics & Security Infrastructure

Topic 2.1

Network Design and Configuration

Network Design is the process of planning the layout, topology, components, and protocols of a computer network so that it meets the organization's needs for speed, security, scalability, and reliability. Good network design is the foundation of all network security — you cannot secure a badly designed network.

📌 Last Night Tip

Know the OSI model (7 layers), 3–4 network topologies, and the three network zones (LAN/MAN/WAN). Understand what a DMZ is — it appears in exam questions directly.

The OSI Model — 7 Layers of Network Communication

The OSI (Open Systems Interconnection) Model is a conceptual framework that describes how data travels from one computer to another across a network. Every layer has a specific job. Understanding OSI is critical because attacks happen at specific layers, and defences are designed per layer.

Fig 2.1 — OSI Model: 7 Layers with Security Relevance

7
Application
User-facing apps and protocols communicate here
HTTP, SMTP, DNS, FTP
6
Presentation
Data format, encryption & compression
SSL/TLS, JPEG, ASCII
5
Session
Opens, manages, and closes connections
NetBIOS, RPC, PPTP
4
Transport
Reliable delivery, flow control, ports
TCP, UDP
3
Network
Logical addressing & routing between networks
IP, ICMP, Routers
2
Data Link
Physical addressing, error detection
MAC, Ethernet, Switches
1
Physical
Raw bits transmitted over cables/wireless
Cables, Hubs, Wi-Fi

Simple Way to Remember OSI Layers (Top → Bottom)

"All People Seem To Need Data Processing"
Application · Presentation · Session · Transport · Network · Data Link · Physical

Network Topologies

A topology is the arrangement of devices in a network — how they are physically or logically connected. The choice of topology affects performance, cost, security, and fault tolerance.

Fig 2.2 — Common Network Topologies

Network Types by Scale

Type	Full Name	Coverage	Example	Speed
PAN	Personal Area Network	1–10 metres	Bluetooth earphones, smartwatch	~3 Mbps
LAN	Local Area Network	Building / campus	Office network, college Wi-Fi	100Mbps – 10Gbps
MAN	Metropolitan Area Network	City-wide	City cable TV network, ISP in Pune	10–100 Mbps
WAN	Wide Area Network	Country / global	The Internet, bank's national network	Variable
VPN	Virtual Private Network	Any distance	Employees working from home securely	Depends on ISP

Key Network Configuration Concepts

IP Addressing and Subnetting

Every device on a network needs a unique IP (Internet Protocol) address. IPv4 addresses are 32-bit numbers (e.g., 192.168.1.1). Subnetting divides a large network into smaller sub-networks, improving performance and security by limiting broadcast traffic and isolating segments.

Example

A hospital divides its network into subnets: 192.168.10.0/24 for clinical systems, 192.168.20.0/24 for administration, and 192.168.30.0/24 for guest Wi-Fi. Each subnet is isolated — a breach in guest Wi-Fi cannot directly reach clinical systems.

VLAN (Virtual Local Area Network)

A VLAN allows you to logically segment a physical network into separate virtual networks. Devices on different VLANs cannot communicate directly — even if they are connected to the same physical switch. This is a key security tool for network segmentation.

DMZ (Demilitarized Zone)

A DMZ is a separate, isolated network segment that sits between the internet (untrusted) and the internal corporate network (trusted). Public-facing servers (web server, email server) are placed in the DMZ. If a web server is compromised, the attacker only reaches the DMZ — not the internal network.

Fig 2.3 — Network Architecture with DMZ (Most Secure Design)

Network Protocols Important for Security

Protocol	What It Does	Security Relevance
HTTPS	Encrypted HTTP web communication	Protects login credentials, financial data in transit
TLS/SSL	Encrypts data between client and server	Foundation of all secure web communication
SSH	Secure remote login to servers	Replaces insecure Telnet; all admin access should use SSH
SFTP	Secure file transfer	Replaces insecure FTP; encrypts files in transit
DNS	Converts domain names to IP addresses	DNS spoofing can redirect users to fake sites
DHCP	Automatically assigns IP addresses	Rogue DHCP server attack can redirect all traffic
VPN	Encrypted tunnel over public internet	Secure remote access for employees

References

Tanenbaum, A. & Wetherall, D. — Computer Networks, 5th Ed., Pearson
Forouzan, B.A. — Data Communications and Networking, McGraw-Hill
NIST SP 800-41 Rev.1 — Firewall Guidelines: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
Cisco Networking Academy: https://www.netacad.com

Topic 2.2

Essential Components of Data Transfer Governance in Cyber Space

Data Transfer Governance is the set of rules, policies, controls, and technologies that ensure data moves between systems, organizations, and countries in a way that is secure, authorized, legally compliant, and verifiable. It answers: Who can send what data, to whom, how, and with what protections?

Why Data Transfer Governance Matters

Every day, organizations transfer massive amounts of data — customer records, financial transactions, health reports, intellectual property. Without governance:

Sensitive data can be intercepted during transmission (confidentiality breach)
Data can be modified in transit without detection (integrity breach)
Unauthorized parties can receive data they should never see (privacy violation)
Organizations can face fines for violating data protection laws (legal/compliance risk)

Essential Components of Data Transfer Governance

1. Data Classification

Before transferring data, you must know what kind of data it is. Organizations classify data into levels and apply different transfer rules to each level.

Classification Level	Examples	Transfer Rule
Public	Press releases, marketing brochures	Can be transferred freely
Internal	Employee handbook, internal memos	Transfer within organization only
Confidential	Customer database, financial reports	Encrypted transfer, authorized recipients only
Restricted / Top Secret	Medical records, defense data, trade secrets	Highest controls — strict authorization, audit trail required

2. Encryption in Transit

All sensitive data must be encrypted before it travels across any network. Encryption makes the data unreadable to anyone who intercepts it — only the intended recipient with the correct key can decode it.

TLS 1.3 — Standard for encrypting web traffic (HTTPS). All banking, government, and healthcare websites must use TLS 1.3.
SFTP / FTPS — Encrypted file transfer protocols replacing insecure FTP
VPN (IPSec / SSL) — Creates an encrypted tunnel for all data between two endpoints
S/MIME or PGP — Email encryption standards for sensitive communications
AES-256 — The encryption algorithm standard for data at rest (stored data)

3. Access Authorization and Authentication

Only verified, authorized users or systems should be allowed to send or receive sensitive data. This requires:

Digital Certificates (PKI): Cryptographically verify the identity of the sender and receiver before any data transfer begins
API Keys / OAuth Tokens: For system-to-system data transfers, each system must authenticate using a secure token
Role-Based Access Control (RBAC): Only users whose job requires accessing specific data can receive it in transfers

4. Data Integrity Verification

After data is transferred, the receiver must be able to confirm that the data arrived exactly as sent — not modified or corrupted in transit.

Hashing (SHA-256): A unique fingerprint is calculated before sending. The receiver calculates it again after receiving. If both hashes match — data is intact. If they differ — data was tampered with or corrupted.
Digital Signatures: The sender signs the data with their private key. The receiver verifies with the sender's public key — confirming both identity and integrity.
Checksums and CRC: Simpler integrity checks used in network protocols

Fig 2.4 — Secure Data Transfer: End-to-End Process

5. Data Loss Prevention (DLP)

DLP tools monitor all outgoing data transfers — email, USB uploads, cloud storage, web forms — and automatically block any transfer that violates data policies. For example, a DLP system can detect if someone is emailing a file containing 1,000 credit card numbers and block it before it leaves.

6. Audit Logs and Traceability

Every data transfer must be logged with: who sent it, what was sent, to whom, when, from which device, and using which protocol. These logs serve as:

Evidence in security incident investigations
Compliance proof for regulators (GDPR audit requirements)
Detection of unusual patterns (an employee suddenly transferring 50GB at midnight)

7. Legal and Jurisdictional Compliance

Data cannot always be transferred freely across international borders. Laws restrict cross-border data flows:

GDPR (EU): EU personal data can only be transferred to countries with adequate data protection laws. Transferring EU data to a non-compliant country without safeguards is illegal.
India's DPDP Act 2023: The government can restrict transfer of certain categories of personal data to foreign countries.
RBI Guidelines: Indian banking and payment data must be stored and processed within India (data localization).

8. Data Retention and Disposal Policy

Data that is no longer needed must be securely deleted — not just regular "delete" which can be recovered, but cryptographic erasure or physical destruction for storage media. Data must not be kept longer than legally required (to limit breach exposure) and must be kept at least as long as legally required (for audit purposes).

References

GDPR Articles 44–49 — Cross-Border Data Transfer Rules: https://gdpr-info.eu/chapter-5
DPDP Act 2023, Government of India: https://www.meity.gov.in/data-protection-framework
NIST SP 800-111 — Storage Encryption: https://csrc.nist.gov/publications/detail/sp/800-111/final
RBI Data Localization Circular: https://www.rbi.org.in/Scripts/BS_CircularIndexDisplay.aspx?Id=11244

Topic 2.3

Security Infrastructure

Security Infrastructure refers to the entire collection of hardware, software, policies, and processes that work together to protect an organization's information systems. Think of it as the complete security system of a building — not just the lock on the front door, but every camera, guard, alarm, and emergency exit working together.

Core Components of Security Infrastructure

1. Firewall

A firewall is the first line of defense at the network boundary. It inspects incoming and outgoing network traffic and blocks anything that violates defined rules.

Packet Filtering Firewall: Checks packet header data (source IP, destination IP, port, protocol). Fast but basic — cannot inspect packet content.
Stateful Inspection Firewall: Tracks the state of network connections. Knows whether an incoming packet belongs to an already-established connection or is suspicious.
Next-Generation Firewall (NGFW): Combines traditional firewall features with application awareness, user identity tracking, SSL inspection, and IPS. Palo Alto, Fortinet, and Check Point are popular NGFW vendors.
Web Application Firewall (WAF): Specifically protects web applications from attacks like SQL injection, XSS, and CSRF by inspecting HTTP/HTTPS traffic.

2. Intrusion Detection and Prevention Systems (IDS/IPS)

These systems watch network traffic for signs of attacks and either alert security teams (IDS) or automatically block the attack (IPS).

IDS — Intrusion Detection System

Passive — watches and reports only
Detects known attack patterns (signatures) or anomalies
Sends alerts to security team
Does NOT block traffic
Like a smoke detector — it alarms but doesn't spray water

IPS — Intrusion Prevention System

Active — detects AND blocks attacks
Sits inline with network traffic
Can drop malicious packets in real time
Risk of false positives blocking legitimate traffic
Like a sprinkler system — detects and acts automatically

3. SIEM (Security Information and Event Management)

A SIEM is like a central command center for security. It collects logs and security events from every system across the organization (firewalls, servers, applications, endpoints) and correlates them to detect attack patterns that no single system would notice alone.

Example of SIEM Correlation

A firewall log shows a port scan at 2am. An application log shows 50 failed login attempts at 2:05am. An admin log shows a new user account created at 2:10am. Individually, each looks suspicious. SIEM connects all three and alerts: "Active attack in progress — possible unauthorized access."

Popular SIEM tools: Splunk, IBM QRadar, Microsoft Sentinel, ArcSight.

4. Antivirus and Endpoint Detection & Response (EDR)

Traditional antivirus software detects known malware using signature databases. Modern EDR tools go further — they monitor endpoint behavior in real time, detect novel threats (zero-days) that have no known signature, and allow remote investigation and containment of compromised devices.

5. Identity and Access Management (IAM)

IAM systems manage who can access which resources. Key components:

Single Sign-On (SSO): One login gives access to all authorized systems
Multi-Factor Authentication (MFA): Requires two or more verification methods
Privileged Access Management (PAM): Extra controls for administrator accounts — the most powerful and dangerous accounts
Directory Services (LDAP / Active Directory): Central database of all users, groups, and permissions

6. VPN (Virtual Private Network)

A VPN creates an encrypted tunnel between a user's device and the corporate network over the public internet. Essential for remote workers — without a VPN, their traffic travels unencrypted over potentially hostile public networks.

7. PKI (Public Key Infrastructure)

PKI is the system that manages digital certificates — used to verify identities online. When you see the padlock icon in your browser, PKI is behind it. It uses a pair of keys: a public key (shared openly) and a private key (kept secret by the owner).

8. Honeypots

Deliberately vulnerable fake systems designed to attract attackers. When an attacker interacts with a honeypot, security teams learn about their tools, techniques, and entry methods — without any real systems being harmed.

Fig 2.5 — Security Infrastructure: Layered Defence Model

Zero Trust Architecture (Modern Approach)

Traditional security assumed: "everything inside the network is trusted." Zero Trust flips this: "Trust no one — verify everything, every time."

Zero Trust principles:

Verify identity for every user, every access request — no exceptions, even for internal users
Apply least privilege — give minimum access needed for each task
Assume breach — act as if attackers are already inside; monitor continuously
Micro-segmentation — divide the network into tiny zones so a breach in one area cannot spread

References

NIST SP 800-207 — Zero Trust Architecture: https://csrc.nist.gov/publications/detail/sp/800-207/final
NIST SP 800-94 — IDS/IPS Guide: https://csrc.nist.gov/publications/detail/sp/800-94/final
NIST SP 800-113 — VPN Guide: https://csrc.nist.gov/publications/detail/sp/800-113/final
Stallings, W. — Network Security Essentials, Pearson

Topic 2.4

Contingency Planning — Incident Response, Disaster Recovery & BCP

Contingency Planning is the process of preparing an organization to handle unexpected, disruptive events — cyberattacks, natural disasters, power failures, pandemics — so that critical operations can continue or be restored as quickly as possible. The three key pillars are: Incident Response (IR), Disaster Recovery (DR), and Business Continuity Planning (BCP).

📌 Exam Tip

Know the difference between IR, DR, and BCP — they are often confused. IR = reacting to a security incident. DR = restoring IT systems after a disaster. BCP = keeping the whole business running during and after a disaster.

The Three Pillars Explained

Pillar	Focus	Timeline	Key Question
Incident Response (IR)	Respond to a specific security incident	Hours to days	"How do we handle this attack right now?"
Disaster Recovery (DR)	Restore IT systems after a major disruption	Days to weeks	"How do we get our systems back online?"
Business Continuity Plan (BCP)	Keep the entire business functioning during any crisis	Ongoing during crisis	"How do we keep operating no matter what happens?"

Part A — Incident Response (IR)

An Incident Response Plan (IRP) is a documented, pre-planned procedure for detecting, responding to, containing, and recovering from cybersecurity incidents. Having a plan before an attack happens means you respond systematically rather than in panic.

NIST defines 4 phases of Incident Response (NIST SP 800-61):

1 Preparation Form IR team, define roles, set up tools, write playbooks, train staff before incidents occur

2 Detection & Analysis Identify that an incident has occurred, classify severity, and understand what happened and how

3 Containment, Eradication & Recovery Stop the attack spreading, remove malware, restore clean systems from backup

4 Post-Incident Activity Document lessons learned, update policies, improve defences, report to regulators if required

Key Incident Response Roles

Incident Response Manager: Leads the entire response; makes decisions under pressure
Security Analyst: Investigates the attack technically; traces what happened
Forensic Investigator: Collects and preserves digital evidence
Communications Officer: Manages internal and external communication during the incident
Legal/Compliance Team: Advises on legal obligations (notification requirements, law enforcement)

Incident Classification Levels

Level	Severity	Example	Response Time
Level 1	Low	Single spam email, one failed login	Within 24 hours
Level 2	Medium	Malware on one workstation, policy violation	Within 4–8 hours
Level 3	High	Ransomware spreading, server compromised	Within 1–2 hours
Level 4	Critical	Data breach, full network compromise, CEO fraud	Immediate — all hands

Part B — Disaster Recovery (DR)

Disaster Recovery focuses specifically on restoring IT infrastructure and data after a major disruption — whether from a cyberattack, natural disaster (flood, earthquake), fire, or major hardware failure.

Key DR Metrics

RPO (Recovery Point Objective): How much data can we afford to lose? If RPO = 4 hours, we back up every 4 hours. If a disaster strikes, we lose at most 4 hours of data.
RTO (Recovery Time Objective): How quickly must systems be back online? If RTO = 2 hours, all critical systems must be restored within 2 hours of a disaster.

Example — Hospital DR Plan

A hospital's RTO for its patient management system is 30 minutes (any longer and patient safety is at risk). Its RPO is 1 hour (it backs up patient data every hour). The hospital maintains a hot standby server that can take over in under 30 minutes.

Types of Recovery Sites

Site Type	Description	Recovery Time	Cost
Hot Site	Fully operational duplicate — hardware, software, data all ready. Switch over immediately.	Minutes to hours	Very High
Warm Site	Has hardware and connectivity but needs data restoration and software configuration	Hours to a day	Medium
Cold Site	Just the physical space and power — no equipment. Must buy and install everything.	Days to weeks	Low
Cloud DR	Data and systems replicated to cloud (AWS, Azure). Spin up on-demand when needed.	Minutes to hours	Pay-as-you-go

Part C — Business Continuity Plan (BCP)

A BCP is broader than DR. While DR focuses on IT recovery, BCP covers the entire organization — every department, every process, every resource needed to keep the business operating during and after any type of crisis.

BCP Development Process

1 Scope & Planning Define what functions are critical and what risks to plan for

2 Business Impact Analysis (BIA) Identify which processes, if disrupted, cause the most damage; calculate financial and operational impact

3 Identify Alternatives For each critical process, design a workaround if primary systems fail

4 Write the BCP Document procedures, responsibilities, communication plans, and recovery steps

5 Test and Train Conduct tabletop exercises and full drills; update based on lessons

6 Maintain and Update Review BCP annually and after every major change or incident

Business Impact Analysis (BIA)

BIA is the most critical step in BCP development. It identifies:

Which business functions are mission-critical (cannot stop without severe consequences)
The maximum tolerable downtime (MTD) for each function
The financial, reputational, legal, and safety impact of disruption
Dependencies — which processes depend on which systems, people, and vendors

🌍 Real-World Application

COVID-19 Pandemic (2020): Organizations with strong BCPs quickly shifted to remote work, maintained customer service, and sustained revenue. Those without BCPs struggled for months — losing customers, missing obligations, and scrambling to improvise. The pandemic was the largest real-world BCP test in history.

References

NIST SP 800-61 Rev.2 — Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
NIST SP 800-34 Rev.1 — Contingency Planning Guide: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
ISO 22301 — Business Continuity Management Systems: https://www.iso.org/iso-22301-business-continuity.html
Whitman & Mattord — Management of Information Security, Cengage

Topic 2.5

Cyber Security Policy — EISP, ISSP and SysSP

A Security Policy is a formal, written document that states the organization's rules, expectations, and responsibilities regarding the protection of its information assets. Without a policy, security is just individual effort with no accountability. Policies are the bridge between management decisions and actual technical controls.

📌 Exam Tip — Very Important

EISP, ISSP, and SysSP are a hierarchy: EISP is at the TOP (entire organization), ISSP is in the MIDDLE (specific technology topics), SysSP is at the BOTTOM (specific technical systems). This distinction always comes in exam questions.

The Three Levels of Security Policy

EISP
Enterprise Information Security Policy

Highest level policy in the organization
Set by senior management / Board of Directors
Covers the entire organization — all departments, all employees
Defines overall security vision, goals, and responsibilities
Does NOT go into technical detail
All other policies must align with EISP
Reviewed annually minimum

ISSP
Issue-Specific Security Policy

Mid-level policy for a specific topic or technology
Separate ISSP for each issue: email, internet use, ERP, remote access, BYOD
Addresses a specific area in detail
Includes: authorized use, prohibited actions, responsibilities, violations & penalties
Applies to users of that specific technology
Updated when the technology or threat changes

SysSP
System-Specific Security Policy

Lowest level — most technical and specific
Written for a particular system (firewall, web server, database)
Two types: Managerial guidance (what the system should achieve) and Technical specifications (exact configuration rules)
Written by IT security staff, not management
Example: Firewall rule: "Block all inbound traffic on port 23 (Telnet)"
Reviewed whenever the system changes

EISP — Enterprise Information Security Policy

The EISP is the organization's security constitution. It does not tell employees which passwords to use — it tells them that protecting information is everyone's responsibility and defines what happens if they fail to do so.

Components of a Good EISP

Statement of Purpose: Why does this policy exist? What is it trying to protect?
Information Security Goals: Alignment with CIA Triad; specific organizational security objectives
Scope: Who does this apply to? (All employees, contractors, vendors, visitors)
Roles and Responsibilities: CISO, department heads, all employees — who is accountable for what
Risk Management Framework: How the organization identifies and manages security risks
Compliance Requirements: Which laws and regulations must be followed (IT Act, GDPR, HIPAA)
Enforcement and Penalties: Consequences for policy violations — from warnings to termination to legal action
Policy Review Schedule: When and how this policy will be reviewed and updated

ISSP — Issue-Specific Security Policy

Each ISSP document tackles one specific technology or security issue in detail. Common ISSPs include:

Email Use Policy — What can and cannot be sent via corporate email
Internet & Social Media Policy — Acceptable use of internet and social platforms on company devices
Remote Access / VPN Policy — Rules for accessing corporate systems from outside the office
BYOD Policy (Bring Your Own Device) — Security requirements for personal devices used for work
Cloud Storage Policy — What data can be uploaded to cloud services
ERP Security Policy — Access controls, authorized use, and monitoring of ERP systems

Standard Structure of an ISSP Document

Statement of Purpose — Why this ISSP exists
Authorized Access and Usage — Who may use this technology, for what purposes
Prohibited Actions — Clear list of what is NOT allowed
Systems Management — Who manages and maintains this technology securely
Violations and Penalties — What happens when the policy is broken
Policy Review — When and how this specific ISSP will be updated

Example — Email Use ISSP

Authorized: Sending work-related communications, sharing non-confidential documents
Prohibited: Sending personal emails from corporate account, forwarding internal emails to personal accounts, opening attachments from unknown senders
Penalty for violation: First offence — written warning. Second offence — suspension. Third offence — termination and possible legal action under IT Act S.66C.

SysSP — System-Specific Security Policy

SysSP documents are the most technical. They contain the exact configuration rules for a specific system. Two types:

Type 1 — Managerial Guidance SysSP

Written guidance for how a system should be configured and managed — in plain language for IT managers. Example: "The web server must use TLS 1.3 or higher. TLS 1.0 and 1.1 must be disabled. HTTP-only access must be redirected to HTTPS."

Type 2 — Technical Specification SysSP (Access Control Lists)

The actual technical rules programmed into the system. Example — Firewall ACL rules:

ALLOW   TCP  192.168.1.0/24  ANY   PORT 443  (HTTPS inbound from internal)
ALLOW   TCP  ANY  192.168.10.5  PORT 25   (SMTP from mail server only)
DENY    TCP  ANY  ANY   PORT 23   (Block all Telnet - unencrypted)
DENY    TCP  ANY  ANY   PORT 21   (Block all FTP - use SFTP instead)
DENY    ALL  ANY  ANY   (Default deny - block everything else)

Policy Hierarchy Summary

Fig 2.6 — Security Policy Hierarchy: EISP → ISSP → SysSP

References

Whitman, M. & Mattord, H. — Principles of Information Security, 6th Ed., Cengage
Whitman, M. & Mattord, H. — Management of Information Security, 6th Ed., Cengage
SANS Security Policy Templates: https://www.sans.org/information-security-policy
ISO/IEC 27001:2022 — Annex A Controls: https://www.iso.org/isoiec-27001-information-security.html
NIST SP 800-12 Rev.1 — An Introduction to Information Security: https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final

Topic 2.6

Case Studies of Cyber Security Policy

Real-world case studies show us what happens when cyber security policies are absent, weak, or well-designed. These cases are selected to illustrate the direct impact of EISP, ISSP, SysSP, contingency planning, and data governance — the topics of Unit 2.

📌 Exam Tip

Case studies are asked as 7-mark scenario-based questions. Always structure your answer: What happened → Root cause (which policy failed) → What should have been in place → Legal consequence. These 4 points = full marks.

Case Study 1 — Target Corporation Data Breach

USA · 2013 · Retail Sector · 40 Million Cards Stolen

What Happened

In November–December 2013, during the US holiday shopping season, hackers stole credit and debit card data of 40 million customers and personal information of 70 million more from Target Corporation — one of the largest retail chains in America.

How the Attack Happened

Attackers gained access through a third-party HVAC (air conditioning) vendor called Fazio Mechanical Services
Fazio had network access to Target's systems to monitor energy usage — but there was no vendor security policy requiring Fazio to meet Target's security standards
Attackers stole Fazio's credentials through a phishing email containing malware (Citadel Trojan)
Using Fazio's credentials, they accessed Target's network and eventually reached Point-of-Sale (POS) systems at checkout counters
They installed a RAM-scraping malware called BlackPOS on 1,800 POS terminals that captured card data as it was being processed
Target's own security monitoring tool (FireEye) actually detected the attack and sent alerts — but no one acted on the alerts

Which Policies Failed?

EISP failure: No enterprise-wide policy requiring vendor security compliance before granting network access
ISSP failure: No vendor access management policy defining how third-party vendor access must be restricted and monitored
SysSP failure: POS terminals were not network-segmented from vendor access zones. Firewall rules should have prevented lateral movement from the HVAC network to POS systems
Incident Response failure: Automated alerts were ignored — no functional IRP required action on alerts

What Should Have Been in Place?

Vendor risk management policy (ISSP) requiring third-party security audits before granting access
Network segmentation (SysSP) keeping vendor access completely isolated from customer payment systems
An Incident Response Plan requiring investigation of all security alerts within a defined timeframe
PCI-DSS compliance properly enforced — PCI-DSS specifically requires segmentation of cardholder data environments

Legal & Financial Consequence Target paid $18.5 million in settlement to 47 US states. CEO and CIO both resigned. Total cost including settlements, legal fees, and security upgrades exceeded $200 million. This case became the defining example of supply chain security failure.

Case Study 2 — Sony Pictures Hack & Incident Response Failure

USA · 2014 · Entertainment Sector · Nation-State Attack

What Happened

In November 2014, hackers (attributed to North Korea, calling themselves the "Guardians of Peace") launched a destructive attack on Sony Pictures Entertainment. They stole 100+ terabytes of data and deployed malware that permanently wiped hard drives on Sony's entire corporate network — making 70% of Sony's computers completely inoperable.

What Was Exposed

Unreleased films (including "The Interview" — the movie that triggered the attack)
Personal data (SSNs, salaries, emails) of all 6,000 Sony employees
Embarrassing private emails between executives that were published publicly
Four unreleased movies were leaked online
Medical records of employees and their families

Policy Failures

No functioning BCP: After the attack, employees could not use computers for weeks — no business continuity procedures existed for such a scenario. Employees were told to use pen and paper.
No Disaster Recovery plan: Systems could not be restored because there were no clean, current backups. Many systems were permanently lost.
Poor password management (ISSP failure): Sony stored thousands of administrator passwords in a folder literally named "Passwords" on their network — with no encryption.
Weak EISP: Security was chronically underfunded; the CISO had reportedly warned management for years about inadequate security investment.

What Should Have Been Done?

A BCP that included procedures for operating without computer access (manual fallback procedures)
Regular, tested, offline backups — critical for recovery from destructive malware
A password management policy prohibiting cleartext storage of credentials
Network segmentation to prevent one breach spreading to the entire corporate network

Consequence Sony Pictures suffered an estimated $100 million in damages. The incident is considered one of the most destructive corporate cyberattacks in history and defined how the industry thinks about destructive (not just data-stealing) cyberattacks.

Case Study 3 — AIIMS Delhi Ransomware Attack (Indian Context)

India · November 2022 · Healthcare Sector · Ransomware Attack

What Happened

The All India Institute of Medical Sciences (AIIMS), New Delhi — India's premier government hospital — suffered a major ransomware attack on November 23, 2022. The attack encrypted the hospital's servers, making all digital patient records inaccessible. AIIMS serves thousands of patients daily, including senior government officials and VIPs.

Impact of the Attack

All hospital services — OPD registrations, lab reports, billing, blood bank — reverted to manual pen-and-paper processes
Approximately 1.3 crore (13 million) patient records were reportedly compromised
Emergency, outpatient, inpatient, and lab services were disrupted for over 2 weeks
Attackers reportedly demanded a ransom of approximately ₹200 crore in cryptocurrency
Five AIIMS servers were affected; data on at least 40 million patient records was at risk

Policy and Infrastructure Failures

No functional BCP: While AIIMS could switch to manual processes (which they did), there was no pre-tested manual fallback procedure — causing chaos and delays in critical care
Network segmentation failure (SysSP): Hospital administrative networks and clinical systems were not adequately separated — once one server was compromised, the attack spread laterally
No offline backups: The encrypted servers could not be quickly restored because backup systems were not current or were also network-connected (and thus also encrypted)
Insufficient EISP for critical infrastructure: As a government hospital handling VIP patient data, AIIMS should have followed India's CERT-IN guidelines for critical infrastructure protection — which require mandatory incident reporting within 6 hours
No ISSP for medical device security: Many hospital IoT medical devices (scanners, monitors) were on the same network without separate security controls

Response and Lessons

CERT-IN (India's cybersecurity agency), NIA, Delhi Police, Intelligence Bureau, and CBI all participated in the investigation
China-linked hackers were suspected based on forensic evidence
The attack accelerated India's push for a comprehensive National Cybersecurity Strategy for healthcare
Post-attack, AIIMS implemented network segmentation, air-gapped backups, and mandatory CERT-IN compliance

Indian Law — Legal Applicability Under IT Act 2000, Section 66F (Cyber Terrorism) and Section 43 (Damage to computer systems), the perpetrators if identified face imprisonment up to life and full compensation liability. AIIMS was also required to report under CERT-IN's 2022 mandatory reporting directive. This case directly led to stricter cybersecurity mandates for government healthcare institutions in India.

Case Study 4 — Microsoft's Zero Trust Policy Implementation (Positive Example)

USA · 2017–Present · Technology Sector · Policy Success Story

Background

After the devastating NotPetya ransomware attack (2017) — which caused $10 billion in global damage and partially affected Microsoft's operations — Microsoft undertook one of the most comprehensive cybersecurity policy transformations in corporate history.

What Microsoft Did — Policy Overhaul

EISP rewrite: Adopted Zero Trust as the enterprise-wide security philosophy — "Assume breach, verify explicitly, use least privilege access"
ISSP for every technology domain: Separate detailed policies for cloud access, device management, identity verification, data classification, and vendor access — all aligned with the new EISP
Mandatory MFA (SysSP): Multi-factor authentication required for all 200,000+ employees globally, for every system access — no exceptions
Micro-segmentation: The corporate network was divided into thousands of small segments so that a breach in any one segment cannot spread to others
Vendor security requirements (ISSP): Every vendor with Microsoft network access must comply with Microsoft's security standards and be audited annually

Outcome — Why This is a Positive Case Study

Microsoft successfully blocked the massive SolarWinds supply chain attack from spreading to its internal systems in 2020, while less prepared organizations were severely compromised
After the Lapsus$ hacking group briefly compromised one Microsoft employee account in 2022, the breach was contained within hours due to micro-segmentation and quick IR — no customer data was exposed
Microsoft publishes its security learnings as public case studies to help the global community

Key Lesson — Policy as Prevention Microsoft's case proves that comprehensive, well-enforced security policies prevent disasters — not just respond to them. The cost of implementing proper policies is a fraction of the cost of a breach. Microsoft now generates significant revenue from its own security products (Azure Sentinel, Microsoft Defender) built on these learnings.

Fig 2.7 — Case Study Comparison: Policy Failures vs Estimated Cost

Summary: Lessons Learned from All Case Studies

Case	Primary Policy Gap	Core Lesson
Target (2013)	Vendor security ISSP absent; SysSP network segmentation missing	Third-party access must be governed by strict policy — not trust
Sony Pictures (2014)	No BCP, no DR, no password management ISSP	Password policies and disaster recovery are non-negotiable basics
AIIMS (2022)	No offline backups, network segmentation missing, no healthcare-specific ISSP	Critical infrastructure requires specialized policy and mandatory CERT-IN compliance
Microsoft (2017–present)	N/A — positive example	Comprehensive, consistently enforced policies + Zero Trust = effective breach containment

Unit 2 — Final Takeaway

Network security is not just about technology — it is about governance, policy, and planning. The strongest firewall in the world cannot protect an organization that has no incident response plan, no vendor security policy, and no disaster recovery strategy. Policy is the foundation; technology is the implementation.

Official References

Target Breach Investigation Report — US Senate Commerce Committee, 2014
FBI Sony Pictures Investigation Statement, 2014: https://www.fbi.gov/news/press-releases/update-on-sony-investigation
CERT-IN AIIMS Advisory, 2022: https://www.cert-in.org.in
Microsoft Digital Defense Report 2023: https://aka.ms/mddr
IT Act 2000, Section 66F — Cyber Terrorism: https://www.meity.gov.in/content/information-technology-act
NIST SP 800-34 Rev.1 — Contingency Planning: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final

Topics in This Unit

Network Design and Configuration

The OSI Model — 7 Layers of Network Communication

Network Topologies

Network Types by Scale

Key Network Configuration Concepts

IP Addressing and Subnetting

VLAN (Virtual Local Area Network)

DMZ (Demilitarized Zone)

Network Protocols Important for Security

Essential Components of Data Transfer Governance in Cyber Space

Why Data Transfer Governance Matters

Essential Components of Data Transfer Governance

1. Data Classification

2. Encryption in Transit

3. Access Authorization and Authentication

4. Data Integrity Verification

5. Data Loss Prevention (DLP)

6. Audit Logs and Traceability

7. Legal and Jurisdictional Compliance

8. Data Retention and Disposal Policy

Security Infrastructure

Core Components of Security Infrastructure

1. Firewall

2. Intrusion Detection and Prevention Systems (IDS/IPS)

IDS — Intrusion Detection System

IPS — Intrusion Prevention System

3. SIEM (Security Information and Event Management)

4. Antivirus and Endpoint Detection & Response (EDR)

5. Identity and Access Management (IAM)

6. VPN (Virtual Private Network)

7. PKI (Public Key Infrastructure)

8. Honeypots

Zero Trust Architecture (Modern Approach)

Contingency Planning — Incident Response, Disaster Recovery & BCP

The Three Pillars Explained

Part A — Incident Response (IR)

Key Incident Response Roles

Incident Classification Levels

Part B — Disaster Recovery (DR)

Key DR Metrics

Types of Recovery Sites

Part C — Business Continuity Plan (BCP)

BCP Development Process

Business Impact Analysis (BIA)

Cyber Security Policy — EISP, ISSP and SysSP

The Three Levels of Security Policy

EISPEnterprise Information Security Policy

ISSPIssue-Specific Security Policy

SysSPSystem-Specific Security Policy

EISP — Enterprise Information Security Policy

Components of a Good EISP

ISSP — Issue-Specific Security Policy

Standard Structure of an ISSP Document

SysSP — System-Specific Security Policy

Type 1 — Managerial Guidance SysSP

Type 2 — Technical Specification SysSP (Access Control Lists)

Policy Hierarchy Summary

Case Studies of Cyber Security Policy

Case Study 1 — Target Corporation Data Breach

What Happened

How the Attack Happened

Which Policies Failed?

What Should Have Been in Place?

Case Study 2 — Sony Pictures Hack & Incident Response Failure

What Happened

What Was Exposed

Policy Failures

What Should Have Been Done?

Case Study 3 — AIIMS Delhi Ransomware Attack (Indian Context)

What Happened

Impact of the Attack

Policy and Infrastructure Failures

Response and Lessons

Case Study 4 — Microsoft's Zero Trust Policy Implementation (Positive Example)

Background

What Microsoft Did — Policy Overhaul

Outcome — Why This is a Positive Case Study

Summary: Lessons Learned from All Case Studies

EISP
Enterprise Information Security Policy

ISSP
Issue-Specific Security Policy

SysSP
System-Specific Security Policy