Department of CSE
Chandigarh University

EXPERIMENT 1
Problem: Installation Process of Windows and Linux.

Objective: The objective of this experiment is to learn about the installation of different operating systems like Windows, Linux and MacOS.

Windows Operating System:
Windows is a group of graphical operating system families developed, marketed, and sold by Microsoft. It consists of several families of operating systems, each of which caters to a certain sector of the computing industry, with the OS typically associated with the IBM PC compatible architecture. Microsoft introduced an operating environment named Windows on November 20, 1985, as a graphical operating system shell for MS-DOS in response to the growing interest in graphical user interfaces (GUIs). Microsoft Windows came to dominate the world's personal computer (PC) market with over 90% market share, overtaking Mac OS, which had been introduced in 1984.

Installation Process of Windows Operating System
1. Enter your computer's BIOS. Turn off the computer that you want to install Windows on, then turn it back on. When the BIOS screen appears or you are prompted to do so, press Del, Esc, F2, F10, or F9 (depending on your computer’s motherboard) to enter the system BIOS. The key to enter the BIOS is usually shown on the screen.
2. Find your BIOS's boot options menu. The boot options menu of your BIOS may vary in location or name from the illustration, but you may eventually find it if you search around.
   o If you can't find the boot options menu, search the name of your BIOS (most likely located in the BIOS menu) online for help.
3. Select the CD-ROM drive as the first boot device of your computer.
   a. Although this method may vary among computers, the boot options menu is typically a menu of movable device names where you should set your CD-ROM drive as the first boot device. It can also be a list of devices that you can set the order of their boot on. Consult a manual or the internet for help if you're stuck.
15BCS1361
Ishav Saxena
4. Save the changes of the settings. Press the button indicated on the screen or select the save option from the BIOS menu to save your configuration.
5. Shut off your computer. Either turn off the computer by choosing the shut-down option in your current operating system, or hold the power button until the computer powers off.
6. Power on the PC and then insert the Windows 7 disc into your CD/DVD drive.
7. Start your computer from the disc. After you have placed the disc into the disc drive, start your computer. When the computer starts, press a key if you are asked whether you would like to boot from the disc by pressing any key. After you choose to start from the disc, Windows Setup will begin loading.
   a. If you are not asked to boot from the disc, you may have done something wrong. Retry the previous steps to solve the problem.
8. Choose your Windows Setup options. Once Windows Setup loads, you'll be presented with a window. Select your preferred language, keyboard type, and time/currency format, then click Next.
9. Click the Install Now button.
10. Accept the License Terms. Read over the Microsoft Software License Terms, check I accept the license terms, and click Next.
11. Select the Custom installation.
12. Decide on which hard drive and partition you want to install Windows on. A hard drive is a physical part of your computer that stores data, and partitions "divide" hard drives into separate parts.
   a. If the hard drive has data on it, delete the data off of it, or format it.
      i. Select the hard drive from the list of hard drives.
      ii. Click Drive options (advanced).
      iii. Click Format from Drive options.
   b. If your computer doesn't have any partitions yet, create one to install Windows on it.
      i. Select the hard drive from the list of hard drives.
      ii. Click Drive options (advanced).
      iii. Select New from Drive options.
      iv. Select the size, and click OK.
13. Install Windows on your preferred hard drive and partition. Once you've decided on where to install Windows, select it and click Next. Windows will begin installing.

Linux Operating System:
Linux is a Unix-like computer operating system assembled under the model of free and open-source software development and distribution. The defining component of Linux is the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. The Free Software Foundation uses the name GNU/Linux to describe the operating system, which has led to some controversy. Linux was originally developed for personal computers based on the Intel x86 architecture, but has since been ported to more platforms than any other operating system. Because of the dominance of the Linux kernel-based Android OS on smartphones, Linux has the largest installed base of all general-purpose operating systems. Linux is also the leading operating system on servers and other big iron systems such as mainframe computers, and is used on 99.6% of the TOP500 supercomputers.

Installation Process of Linux Operating System
1. Download the Ubuntu ISO file. You can get the ISO file from the Ubuntu website. An ISO file is a CD image file that will need to be burned before you can use it. There are two options available from the Ubuntu website (you can also buy official Ubuntu CDs, which come in packs of 10):
   o 16.04 LTS has continuous updates and provides technical support. It is scheduled to be supported until April 2021. This option will give you the most compatibility with your existing hardware.
   o Ubuntu builds (not yet released) 16.10, 17.04, and 17.10 will come with limited support. They will have the newest features, though they may not work with all hardware. These releases are geared more towards experienced Linux users.
   o If you have a Windows 8 or 10 PC or a PC with UEFI firmware, download the 64-bit version of Ubuntu. Most older machines should download the 32-bit version.
2. Burn the ISO file. Open up your burning program of choice. There are free and paid programs available that can burn an ISO to a CD or DVD.
   o Windows 7, 8, 10, and Mac OS X can all burn ISO files to a disc without having to download a separate program.
3. Boot from the disc. Once you have finished burning the disc, restart your computer and choose to boot from the disc. You may have to change your boot preferences by hitting the Setup key while your computer is restarting. This is typically F12, F2, or Del.
4. Try Ubuntu before installing. Once you boot from the disc, you will be given the option to try Ubuntu without installing it. The operating system will run from the disc, and you will have a chance to explore the layout of the operating system.
   o Open the Examples folder to see how Ubuntu handles files and explore the operating system. Once you are done exploring, open the Install file on the desktop.
5. Install Ubuntu. Your computer will need at least 4.5 GB of free space. You will want more than this if you want to install programs and create files. If you are installing on a laptop, make sure that it is connected to a power source, as installing can drain the battery faster than normal.
   o Check the “Download updates automatically” box, as well as the “Install this third-party software” box. The third-party software will allow you to play MP3 files as well as watch Flash video (such as YouTube).
6. Set up the wireless connection. If your computer is not connected to the internet via Ethernet, you can configure your wireless connection in the next step.
   o If you didn’t have an internet connection in the previous step, hit the Back button after setting up the wireless connection so that you can enable automatic updates.
7. Choose what to do with your existing operating system. If you have Windows installed on your system, you will be given a couple options on how you’d like to install Ubuntu. You can either install it alongside your previous Windows installation, or you can replace your Windows installation with Ubuntu.
   o If you install it alongside your old version of Windows, you will be given the option to choose your operating system each time you reboot your computer. Your Windows files and programs will remain untouched.
   o If you replace your installation of Windows with Ubuntu, all of your Windows files, documents, and programs will be deleted.
8. Set your partition size. If you are installing Ubuntu alongside Windows, you can use the slider to adjust how much space you would like to designate for Ubuntu. Remember that Ubuntu will take up about 4.5 GB when it is installed, so be sure to leave some extra space for programs and files. Once you are satisfied with your settings, click Install Now.
9. Choose your location. If you are connected to the internet, this should be done automatically. Verify that the timezone displayed is correct, and then click the Continue button.
10. Set your keyboard layout. You can choose from a list of options, or click the Detect Keyboard Layout button to have Ubuntu automatically pick the correct option.
11. Enter your login information. Enter your name, the name of the computer (which will be displayed on the network), choose a username, and come up with a password. You can choose to have Ubuntu automatically log you in, or require your username and password when it starts.
12. Wait for the installation process to complete. Once you choose your login info, the installation will begin. During setup, various tips for using Ubuntu will be displayed on the screen. Once it is finished, you will be prompted to restart the computer and Ubuntu will load.
EXPERIMENT 2
Problem: Knowledge about the CA server, using certificates and SSL in Windows.

Goals:
1) Learn about default Certificate Authorities (CAs) for your browser.
2) Install and configure in-house CA server.
3) Learn how to configure a Web server to use the SSL and SSL certificates.
4) Experiment with SSL for authentication via certificates.

Tools:
1) Windows XP Pro
2) Windows Server
3) Ethereal for analyzing captured session

Certification Authorities:
A certificate authority (CA) is a trusted third-party organization or company that issues digital certificates used to create digital signatures and encryption keys. The role of the CA in this process is to guarantee the identity of the party granted the certificate. Usually, this means that the CA has an arrangement with a financial institution that provides information to validate the grantee's identity.

To install digital certificates for secure messaging, you must select a CA from whom to obtain the certificates. There are many CAs to choose from, and most of them do business on the World Wide Web. Some of the best known are:
· Verisign, Inc.
· Entrust Technologies.
· Baltimore Technologies.
· Thawte.

There are also numerous lesser known CAs, which might be appropriate if they are well known in a particular geographical region or industry. One of the systems participating in a secure integration might even serve as CA for the other participants. Each CA provides a unique set of security services and has its own way of handling digital certificates.
Before you implement secure messaging with PeopleSoft Integration Broker, investigate the available CAs, select one or more from whom you will obtain digital certificates, and familiarize yourself with their policies and procedures.

Certificate Authorities, or CAs, issue Digital Certificates. Digital Certificates are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authentic online identity (authentic because the CA has verified the identity). CAs play a critical role in how the Internet operates and how transparent, trusted transactions can take place online. CAs issue millions of Digital Certificates each year, and these certificates are used to protect information, encrypt billions of transactions, and enable secure communication.

An SSL Certificate is a popular type of Digital Certificate that binds the ownership details of a web server (and website) to cryptographic keys. These keys are used in the SSL/TLS protocol to activate a secure session between a browser and the web server hosting the SSL Certificate. In order for a browser to trust an SSL Certificate, and establish an SSL/TLS session without security warnings, the SSL Certificate must contain the domain name of the website using it, be issued by a trusted CA, and not have expired.

What goes into running a CA?
As a trust anchor for the Internet, CAs have significant responsibility. As such, running a CA within the auditable requirements is a complex task. A CA’s infrastructure consists of considerable operational elements, hardware, software, policy frameworks and practice statements, auditing, security infrastructure and personnel. Collectively the elements are referred to as a trusted PKI (Public Key Infrastructure). Certificates come in many different formats to support not just SSL, but also authenticate people and devices, and add legitimacy to code and documents.
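The three conditions a browser applies before trusting an SSL Certificate (matching domain name, trusted issuing CA, not expired), written out as checks over a certificate in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(). This is an added example, not part of the original lab manual; the certificates, CA names and fixed clock are constructed, and the issuer check is reduced to a name lookup where a real browser verifies the signature chain.

```python
import ssl

# Constructed stand-in for the browser's root store. A real browser verifies
# the signature chain up to a stored root; matching the issuer name is a
# simplification made for this example.
TRUSTED_ISSUERS = {"Example Trust Root CA"}

# Constructed "current time" so the results do not depend on the clock.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")


def issuer_common_name(cert):
    """Return the issuer's commonName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def host_matches(pattern, hostname):
    """Compare one certificate DNS name with the host the user asked for.

    '*' counts only as the whole left-most label and stands for exactly one
    label: *.example.test covers www.example.test, but not example.test and
    not a.b.example.test.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def trust_failures(cert, hostname, now=SAMPLE_NOW, trusted=TRUSTED_ISSUERS):
    """Return the list of failed checks; an empty list means no warning."""
    failures = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, hostname) for n in names):
        failures.append("name-mismatch")
    if issuer_common_name(cert) not in trusted:
        failures.append("untrusted-issuer")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not-yet-valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    return failures


def make_cert(names, issuer="Example Trust Root CA",
              not_before="Jan 01 00:00:00 2024 GMT",
              not_after="Jan 01 00:00:00 2025 GMT"):
    """Build a constructed certificate in the getpeercert() layout."""
    return {
        "subject": ((("commonName", names[0]),),),
        "issuer": ((("organizationName", "Example Trust"),),
                   (("commonName", issuer),)),
        "notBefore": not_before,
        "notAfter": not_after,
        "subjectAltName": tuple(("DNS", n) for n in names),
    }


if __name__ == "__main__":
    cases = [
        ("valid", make_cert(["www.example.test"]), "www.example.test"),
        ("wrong host", make_cert(["www.example.test"]), "mail.example.test"),
        ("in-house CA not in store",
         make_cert(["www.example.test"], issuer="In-House Lab CA"),
         "www.example.test"),
        ("expired",
         make_cert(["www.example.test"],
                   not_before="Jan 01 00:00:00 2023 GMT",
                   not_after="Jan 01 00:00:00 2024 GMT"),
         "www.example.test"),
        # The lookalike domain from this page's phishing discussion: a
        # domain-only certificate passes all three checks, so the lock shows.
        ("lookalike", make_cert(["paypall.com"]), "paypall.com"),
    ]
    for label, cert, host in cases:
        print(f"{label:26} {host:20} {trust_failures(cert, host) or 'trusted'}")
```

The in-house CA case is the one Goal 2 of this experiment runs into: certificates from a CA you set up yourself fail the issuer check until that CA's certificate is added to the client's trust store.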
The Problem with SSL Certificates
Years ago, certificate authorities used to verify a website’s identity before issuing a certificate. The certificate authority would check that the business requesting the certificate was registered, call the phone number, and verify that the business was a legitimate operation that matched the website.
Eventually, certificate authorities began offering “domain-only” certificates. These were cheaper, as it was less work for the certificate authority to quickly check that the requester owned a specific domain (website). Phishers eventually began taking advantage of this. A phisher could register the domain paypall.com and purchase a domain-only certificate. When a user connected to paypall.com, the user’s browser would display the standard lock icon, providing a false sense of security. Browsers didn’t display the difference between a domain-only certificate and a certificate that involved more extensive verification of the website’s identity.

Public trust in certificate authorities to verify websites has fallen – this is just one example of certificate authorities failing to do their due diligence. In 2011, the Electronic Frontier .

How to install an SSL certificate on a Linux server using Plesk.
Plesk is a web hosting platform that has a very simple configuration. This simple configuration helps all web hosting providers to manage a lot of virtual hosts easily and on a single server. Ever since its conception, Plesk has been coming up as a preferred choice for all the web hosting companies.
1. First, log into the control panel of Plesk.
2. Then, select Domain.
3. Choose the domain to be updated.
4. In the next step, click on the ‘Add New Certificate’ icon.
5. Save the certificate name in the ‘Certificate Name’ box. One would have the certificate and key files saved on the local computer. These certificate and key files are provided by the certificate authority and are important for the installation.
6. The next step is to find these files. Open them in Notepad or a similar text editor from which one can copy the text.
7. Copy the entire text of the files.
8. Paste them in the correct boxes. Reading through the content and the box name in Plesk will give one an idea where to paste it.
9. Next, click on the ‘Send Text’ button.
10. Go to the ‘Hosting Section’. It is on the domain screen.
11. Click ‘Set-up’ from this section. A drop-down list will follow.
12. The next step is to click on the ‘new certificate’ from the drop-down list.
13. Click ‘Ok’ to finish.

How to install an SSL certificate on Linux servers that do not have Plesk.
1. The first and foremost step is to upload the certificate and important key files. One can upload the files to the server using S/FTP.
2. Log in to the server. It is important to log in via SSH. Logging in via SSH will help the user to become the root user.
3. Give the root password.
4. One can see /etc/httpd/conf/ssl.crt in the following step. Move the certificate file here.
5. Next, move the key file also to /etc/httpd/conf/ssl.crt. It is important to ensure the security of the files that have been moved. One can keep the files secure by restricting permission. Using ‘chmod 0400’ will help users to securely restrict permission to the key.
6. Next, go to /etc/httpd/conf.d/ssl.conf. Here the user will find the Virtual Host Configuration set up for the domain.
7. Edit the Virtual Host Configuration.
8. Restart Apache.
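A check for steps 4 to 7 of the non-Plesk procedure above: it reads the certificate and key paths out of an ssl.conf and confirms that both files exist and that the key carries mode 0400. This is an added example, not code from the original manual; the file names example.crt and example.key and the sample configuration are assumptions, and the demo runs against a temporary staged directory rather than the real /etc.

```python
import os
import stat
import tempfile

# Constructed ssl.conf fragment. The file names example.crt / example.key are
# assumptions; the directory is the one named in the steps above.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    ServerName www.example.test
    SSLEngine on
    # SSLCertificateFile /old/location/server.crt
    SSLCertificateFile /etc/httpd/conf/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.crt/example.key
</VirtualHost>
"""

DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile")


def tls_paths(conf_text):
    """Map each certificate/key directive in an ssl.conf to its path.

    Comment lines are skipped, directive names are matched without regard to
    case (as Apache does), and the last occurrence wins.
    """
    wanted = {d.lower(): d for d in DIRECTIVES}
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in wanted:
            found[wanted[parts[0].lower()]] = parts[1].strip().strip('"')
    return found


def audit(conf_text, root="/"):
    """Return findings for the files the virtual host points at.

    root lets the check run against a staged copy of the filesystem.
    """
    findings = []
    paths = tls_paths(conf_text)
    for directive in DIRECTIVES:
        path = paths.get(directive)
        if path is None:
            findings.append(f"{directive}: not set")
            continue
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(real):
            findings.append(f"{directive}: {path} does not exist")
        elif directive == "SSLCertificateKeyFile":
            mode = stat.S_IMODE(os.stat(real).st_mode)
            if mode != 0o400:
                findings.append(
                    f"{directive}: {path} has mode {mode:04o}, expected 0400")
    return findings


def demo():
    """Stage the layout, then audit it before and after chmod 0400."""
    with tempfile.TemporaryDirectory() as root:
        cert_dir = os.path.join(root, "etc/httpd/conf/ssl.crt")
        os.makedirs(cert_dir)
        for name in ("example.crt", "example.key"):
            path = os.path.join(cert_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
            os.chmod(path, 0o644)  # world-readable, as an upload may leave it
        before = audit(SAMPLE_CONF, root)
        os.chmod(os.path.join(cert_dir, "example.key"), 0o400)
        after = audit(SAMPLE_CONF, root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod:", before)
    print("after chmod: ", after)
```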
EXPERIMENT 3
Problem: Familiarization with the VI editor.

Linux offers various types of editors like ex, sed, ed, vi, etc. to create and edit your files (data files, text files, etc.). The famous one is the vi editor created by Bill Joy at the University of California at Berkeley.

Starting Vi Editor:-
This editor can be invoked by typing vi filename at the prompt. If you specify a filename as an argument to vi, then vi will edit the specified file, if it exists.
A status line at the bottom of the screen (25th line) shows the filename, current line & character position in the edited file.

VI Modes:-
The editor works in 3 modes as follows:
a) Insert Mode:
   (1) The text should be entered in this mode and any key pressed is treated as text.
   (2) We can enter this mode from command mode by pressing any of the keys i or I.
b) Command Mode:
   (1) It is the default mode when we start up vi Editor.
   (2) All the commands in vi Editor should be used in this mode.
   (3) We can enter into this mode from insert mode by pressing the [Esc] key and from Ex mode by pressing Enter.
c) Ex Mode:
   (1) The ex mode commands can be entered at the last line of the screen in this mode.
   (2) We can enter into this mode directly from input mode or vice-versa.

The following are some commands that are used:

Insert Command:
(1) i :- Insert before cursor.
(2) I :- Insert at the end of current line.
(3) a :- Append after cursor.
(4) A :- Append at the end of the current line.
(5) o :- Insert a blank line below the current line.
(6) O :- Insert a blank line above the current line.
Delete Command:
(1) x :- Delete the character at current position.
(2) (n)x :- (n is any no.) Delete specified no. of characters from current position.
(3) X :- Delete the character before the cursor.
(4) (n)X :- Delete the no. of characters before the cursor.
(5) dw :- Delete from cursor position to the end of the current word. It stops at any punctuation that appears within the word.
(6) dW :- Same as ‘dw’ but ignores the punctuation character.
(7) db :- Deletes from cursor position to beginning of the current word. It stops at any punctuation that appears within the word.
(8) dB :- Same as ‘db’ but ignores punctuations.
(9) dd :- Deletes the current line.
Replace Commands:
(1) r :- Replace single character at the cursor position.
(2) R :- Replace characters until escape key is pressed from current cursor position.
(3) s :- Replace single character at cursor position with no. of characters.
(4) S :- Replace the entire line.
Cursor Movement Commands:
(1) h :- Moves cursor to the left.
(2) l :- Moves cursor to the right.
(3) k :- Moves cursor up.
(4) j :- Moves cursor down.
(5) w :- Forward to the first letter of the next word but stops at any punctuation that appears with the word.
(6) b :- Backward to the first letter of the previous word but stops at any punctuation that appears with the word.
(7) e :- Moves forward to the end of the current word but stops at any punctuation that appears with the word.
(8) W :- Same as w but ignores punctuations.
(9) E :- Same as e but ignores punctuations.
(10) B :- Same as b but ignores punctuations.
(11) [Enter] :- Forward to the beginning of the next line.
Redo Command:
. (period) :- Repeats the most recent editing operation performed.

Undo Command:
u :- Undoes the most recent editing operation performed.

Ex Mode Commands:
Some of the Ex mode commands are given below. These commands should be used in Ex mode prefixed by a colon ( : ).
(1) :w :- Saves without quitting.
(2) :w filename :- Saves the content into the file specified in the filename.
(3) :m,nw filename :- Saves the lines m to n into the specified file name.
(4) :.w filename :- Saves the current line into the specified file.
(5) :$w filename :- Saves the last line of text into the specified file.
(6) :wq :- Saves file and quits from vi editor.
(7) :q! :- Quit without saving.
EXPERIMENT 4
Problem: Familiarization with the Windows Client Configuration.

Materials and Setup
You will need the following:
• Windows 7
• Windows 2008 Server

Lab Steps at a Glance
Step 1: Start the Windows 2008 Server and Windows 7 PCs. Log on only to the Windows 7 machine.
Step 2: View the network card configuration using the ipconfig command.
Step 3: Change the IP address of the Windows 7 machine.
Step 4: Verify the new IP address. Use the ipconfig command to verify that the IP address has changed.
Step 5: Change the IP address of the Windows 7 machine back to the original address.
Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC.
Step 7: View and modify the ARP table.
Step 8: Log off from the Windows 7 PC.

Lab Steps

Step 1: Start the Windows 2008 Server and Windows 7 PCs. Log on only to the Windows 7 machine.
To log on to the Windows 7 PC, follow these steps:
1. At the Login screen, click the Admin icon.
2. In the password text box, type the password adminpass and press ENTER.

Step 2: View the network card configuration using the ipconfig command.
On the Windows 7 PC, you will view the network card configuration using ipconfig. This utility allows administrators to view and modify network card settings.
1. To open the command prompt, click Start; in the Search Programs And Files box, type cmd and then press ENTER.
2. At the command prompt, type ipconfig /? and press ENTER.
   a. Observe the options available for ipconfig. You may have to scroll up to see all of the information.
   b. Which options do you think would be most useful for an administrator?
   c. Which option would you use to obtain an IP configuration from a Dynamic Host Configuration Protocol (DHCP) server?
3. Type ipconfig and press ENTER.
   a. What is your IP address?
   b. What is your subnet mask?
4. Type ipconfig /all and press ENTER.
   a. Observe the new information.
   b. What is the MAC address (physical address) of your computer?
   c. What is your DNS server address?
5. Type exit and press ENTER.

Step 3: Change the IP address of the Windows 7 machine.
You will access the Local Area Connection Properties dialog box and change the host portion of the IP address.
1. Click Start | Control Panel | Network and Internet | Network and Sharing Center.
2. Click Change adapter settings.
3. Right-click Local Area Connection and select Properties.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
5. In the IP Address text box, you will see the IP address 192.168.100.101. Change the last octet (101) to 110.
6. Click OK.
7. In the Local Area Connection Properties window, click Close.
8. Click Close to close the Network Connections window.

Step 4: Verify the new IP address. Use the ipconfig command to verify that the IP address has changed.
1. To open the command prompt, click Start; in the Search Programs And Files box, type cmd and then press ENTER.
2. Type ipconfig and press ENTER.
3. Observe that your IP address has changed.
4. Type exit and press ENTER.

Step 5: Change the IP address of the Windows 7 machine back to the original address.
1. Click Start | Control Panel | Network and Internet | Network and Sharing Center.
2. Click Change Adapter Settings.
3. Right-click Local Area Connection and select Properties.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
5. In the IP Address text box, you will see the IP address 192.168.100.110. Change the last octet (110) to 101.
6. Click OK.
7. In the Local Area Connection Properties window, click Close.
8. Click Close to close the Network Connections window.

Step 6: Ping the Windows 2008 Server machine from the Windows 7 PC.
1. On the Windows 7 PC, click Start; in the Search Programs And Files box, type cmd and then press ENTER.
2. To view the ping help file, type ping /? at the command line and then press ENTER.
3. To ping the IP address of the Windows 2008 Server computer, type ping 192.168.100.102 at the command line and press ENTER.
   a. Observe the information displayed.
   b. What is the time value observed for all four replies?
   c. What is the TTL observed?
   d. What does this number refer to?
   e. How can you be sure that this response is actually coming from the correct computer?

Step 7: View and modify the ARP table.
At the Windows 7 machine, you are now going to view the ARP cache, using the arp utility.
1. Close the current Command Prompt window.
2. Select Start | All Programs | Accessories and then right-click Command Prompt.
3. Click Run as administrator.
4. In the User Account Control dialog box, click Yes.
5. At the command line, type arp /? and press ENTER.
   a. Observe the options for this command.
   b. Which command displays the current ARP entries?
6. At the command line, type arp -a and press ENTER.
7. Observe the entry. Notice that the MAC address for the Windows 2008 Server machine is listed.
8. At the command line, type arp -d and press ENTER. (The -d option deletes the ARP cache.)
9. Observe the entries. (Do not worry if no entries are listed; you are simply deleting what is in the ARP cache.)
10. At the command line, type arp -a and press ENTER.
11. Observe that the ARP cache now has no entries.
12. At the command line, type ping 192.168.100.102 and press ENTER.
13. At the command line, type arp -a and press ENTER.
   a. Observe any entry. Notice that the MAC address is once again listed.
   b. How does using the ping utility cause the machine’s MAC address to be populated in the ARP cache?
   c. How can you be sure that this is actually the correct MAC address for the computer?

Step 8: Log off from the Windows 7 PC.
At the Windows 7 PC, follow these steps:
1. Choose Start | Shutdown arrow | Log off.
2. In the Log Off Windows dialog box, click Log Off.
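One way to approach the Step 7 question of whether the listed MAC address is the right one: compare the arp -a output with a binding recorded on the server itself using ipconfig /all. This is an added example, not part of the original lab; the MAC addresses, the 192.168.100.150 host and the function names are constructed, and the parser assumes the English-language output layout.

```python
import re

# Constructed `arp -a` output in the layout Windows prints. The lab's IP
# addresses are reused; every MAC address here is made up for the example.
ARP_CLEAN = """\

Interface: 192.168.100.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.102       00-0c-29-3e-5a-10     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_SUSPECT = """\

Interface: 192.168.100.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.102       00-0c-29-aa-bb-cc     dynamic
  192.168.100.150       00-0c-29-aa-bb-cc     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
"""

# Reference binding, recorded by running `ipconfig /all` on the server itself
# and copying its Physical Address (value constructed here).
KNOWN = {"192.168.100.102": "00-0C-29-3E-5A-10"}

IFACE = re.compile(r"^Interface:\s+(\S+)")
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)\s*$"
)


def parse_arp(text):
    """Turn `arp -a` output into a list of entry dicts (MACs lower-cased)."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": m.group(2).lower(), "type": m.group(3)})
    return entries


def check_bindings(entries, known):
    """Report learned (dynamic) entries that disagree with the record.

    mismatch   - the IP maps to a MAC other than the recorded one
    shared-mac - one MAC answers for several IPs; this can be legitimate
                 (proxy ARP, multi-homed host) but deserves a look
    """
    findings, by_mac = [], {}
    for e in entries:
        if e["type"] != "dynamic":   # static rows: broadcast and multicast
            continue
        expected = known.get(e["ip"])
        if expected and expected.lower() != e["mac"]:
            findings.append(("mismatch", e["ip"], e["mac"]))
        by_mac.setdefault(e["mac"], []).append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for label, text in (("clean", ARP_CLEAN), ("suspect", ARP_SUSPECT)):
        print(label, check_bindings(parse_arp(text), KNOWN))
```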
EXPERIMENT 5:
Problem: To research the Various System Vulnerabilities for the target machine (Internet access CVE database of vulnerabilities)

Goals:
1) Identifying vulnerabilities for the target machine.
2) Finding utilities to test these vulnerabilities.

Tools:
1) Google to find CVE (at Mitre Corp.)
2) CVE database
3) Packet Storm Website

Background
The concept of vulnerability has held a central place in research ethics guidance since its introduction in the United States Belmont Report in 1979. It signals mindfulness for researchers and research ethics boards to the possibility that some participants may be at higher risk of harm or wrong. Despite its important intended purpose and widespread use, there is considerable disagreement in the scholarly literature about the meaning and delineation of vulnerability, stemming from a perceived lack of guidance within research ethics standards. The aim of this study was to assess the concept of vulnerability as it is employed in major national and international research ethics policies and guidelines.

All policies in our sample reference vulnerability and/or vulnerable subjects, but only three out of eleven explicitly define these terms (Table 1). Of these, the Council for International Organizations of Medical Sciences (CIOMS) and the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS2) guidelines define vulnerability itself, while the International Conference on Harmonization, Good Clinical Practice (ICH GCP) instead provides a definition of vulnerable subjects. These definitions share similar structures, all defining vulnerability or vulnerable subjects and identifying paradigmatic sources (or causes) of vulnerability. The ICH GCP definition focuses on issues of consent, where a lack of voluntariness in a subject’s decision to participate establishes their vulnerability.

The CIOMS and TCPS2 guidelines employ broader language, both stating that vulnerability arises from a subject’s lack of ability to protect their own interests. Both identify sources of vulnerability located within the subject (e.g. a lack of decision-making capacity) and in their environment (e.g.
a lack of access to medical care). Only the definition provided by the TCPS2 makes explicit reference to another central ethical concept – that of autonomy. This reference suggests an important link between vulnerability and autonomy, Table 1 Content regarding definitions of vulnerability and detailing the use of qualifying language Policy/Guideline
Explicit definition of vulnerability or vulnerable subjects
Use of qualifying languages
Declaration of
–
• Some groups and
Intl
Intl
Helsinki
individuals are “particularly vulnerable”
CIOMS
“‘Vulnerability’ refers to a
• Persons with serious,
substantial incapacity to protect
potentially disabling
one’s own interests owing to such
or life-threatening
impediments as lack of capability
diseases are “highly
to give informed consent, lack of
vulnerable”
alternative means of obtaining medical care or other expensive
15BCS1361
necessities, or being a junior or
• Selection of the
subordinate member of a
“least vulnerable”
hierarchical group”
subjects required for
Ishav Saxena
Department of CSE
Chandigarh University
research.
UNESCO
–
Declaration
• Certain individuals and groups are of “special vulnerability”
US,
ICH GCP
Glossary defines vulnerable
EU,
subjects as individuals whose
JP,
willingness to volunteer in a
AUS,
clinical trial may be unduly
CA
influenced by the expectation,
–
whether justified or not, of benefits associated with participation, or of a retaliatory response from senior members of a hierarchy in case of refusal to participate”
National
15BCS1361
Ishav Saxena
Department of CSE
National Statement AUS
Chandigarh University –
• Where “potential participants [in dependent or unequal relationships] are especially vulnerable” special measures may be required. • Neonates in intensive care have a “unique developmental vulnerability” • People with a cognitive impairment, intellectual disability, or mental illness have “distinctive vulnerabilities as research participants” and are “more-than-usually vulnerable to various forms of discomfort or stress”
15BCS1361
Ishav Saxena
Department of CSE
CA
TCPS2
Chandigarh University “Vulnerability – A diminished
• Participants,
ability to fully safeguard one’s
researchers, and
own interests in the context of a
research ethics board
specific research project. This
members may be
may be caused by limited
rendered “more
decision-making capacity or
vulnerable” during
limited access to social goods,
publicly declared
such as rights, opportunities and
emergencies
power. Individuals or groups
• “The least
may experience vulnerability to
organisationally
different degrees and at different
developed
times, depending on their
communities are the
circumstances. See also
most vulnerable to
‘Autonomy’”
exploitation” • Participants may be “in highly vulnerable circumstances” because of social or legal stigmatisation.
UK
Research Governance Framework
–
–
US
Belmont Report
–
• “Also, inducements that would ordinarily be acceptable may become undue influences if the subject is especially vulnerable”
Ethical justifications for the concept of vulnerability
Many guidelines and policies (CIOMS, UNESCO Declaration, Declaration of Helsinki, Australian National Statement, TCPS2, Belmont Report) provide explicit ethical argumentation relating to vulnerability and/or vulnerable subjects. There is significant overlap across the sample between the principles from which obligations or considerations relating to vulnerability arise. In all cases where guiding ethical principles are provided by a policy or guideline, vulnerability-related concerns are discussed in the application of each principle.
Identifying vulnerable groups and individuals
All guidelines and policies in the sample provide means through which vulnerability can be identified. The majority identify subject groups who are likely to be vulnerable. Vulnerable groups identified in our sample are captured in Table 4, along with the corresponding explanations of why a subject group is considered vulnerable or what they are vulnerable to, when these details are available. Notably, while the EU Clinical Trials Directive and Clinical Trials Regulation, as well as the United Kingdom Research Governance Framework, all identify vulnerable subject groups, none of these policies provide any supporting explanation. Further, only four policies (CIOMS, Australian National Statement, TCPS2, and the Common Rule) provide any explanations of what certain identified groups are vulnerable to.
Implications of vulnerability in research
All policies in our sample identify practical implications of vulnerability in research, i.e. responses to vulnerability in the design and review of research and to vulnerable participants themselves. A wide range of implications were identified, some directed explicitly towards REBs and/or investigators but the majority formulated more broadly with no specific group targeted. Further, these implications span the research process, from considerations important in the design of research to actions that must be taken when vulnerable persons are participating in research.
Table 6 Implications of vulnerability, grouped by theme
Restrictions for research with vulnerable groups or individuals
Policy/Guideline
When research is carried out with vulnerable participants it should be responsive to the needs, conditions, or priorities of the vulnerable group involved
Declaration of Helsinki; CIOMS
Vulnerable subjects should be involved in research only when it cannot be carried out with less vulnerable subjects
CIOMS
Special justification is required for involving vulnerable groups in research and appropriateness ought to be demonstrated
CIOMS; Belmont Report
Children should not be included in early-phase research until therapeutic effects have been shown in adults
CIOMS
Opportunities to participate in and influence research affecting their welfare should not be withheld from vulnerable groups
TCPS2
Members of vulnerable groups are entitled to access the benefits of research
CIOMS
Children must be involved in studies of medicinal products likely to be of value to them
EU Clinical Trials Directive
People with a cognitive impairment, intellectual disability, or mental illness are entitled to participate in research, which need not be limited to their particular impairment, disability, or illness
Australian National Statement
Research with communities vulnerable to exploitation should strive to enhance capacity for participation
TCPS2
Patients receiving high-risk clinical care should not be inappropriately included in or excluded from research
TCPS2
Risk to vulnerable subjects is justified when it arises from interventions that will provide a direct health benefit, or when it will benefit the subject’s population group
CIOMS
Special protections and obligations
Individuals and groups of special vulnerability should be protected
UNESCO Declaration
Special ethical obligations exist towards vulnerable subjects
TCPS2
Vulnerable subjects should receive special/specific protections
Declaration of Helsinki
Groups or individuals in vulnerable circumstances may need or desire special measures to ensure their safety in a specific research project
TCPS2
Vulnerable subjects should be afforded security against harm or abuse
CIOMS
Special (or additional) protections for the rights and welfare of vulnerable subjects should be applied
CIOMS; Common Rule
Attention and consideration
Special attention should be paid to trials involving vulnerable subjects
ICH GCP
Special attention or regard should be paid to vulnerable communities, groups, or persons
UNESCO Declaration; TCPS2
Researchers and REBs should recognise and address changes in participants’ circumstances that may impact their vulnerability
TCPS2
Research ethics board composition
REBs reviewing research with vulnerable subjects should include members with expertise on these populations
Common Rule; EU Clinical Trials Regulation
Community members on REBs ought to reflect participants’ perspectives, which is particularly important when participants are vulnerable and/or risks are high
TCPS2
Assessing harms, risks and benefits
For those gauging the severity of harm in research, the vulnerability of a population will be relevant
Australian National Statement
The existence of vulnerable circumstances may require greater effort to minimise risks/maximise benefits to participants
TCPS2
Care must be taken to ensure the risks and burdens of proposed research with persons with a cognitive impairment, intellectual disability, or mental illness are justified by potential benefits
Australian National Statement
Recruitment practices
The vulnerability of persons in unequal, dependent relationships must be taken into account when considering recruiting these persons
National Statement
Process of informed consent
Consent may need to be re-confirmed in research where participants are vulnerable
National Statement
The method of consent in qualitative research depends, in part, on the vulnerability of the research participant; the method must be tailored for their protection
National Statement; TCPS2
When requirements of free, informed, ongoing consent cannot be met, vulnerable participants ought to be involved in decision-making, i.e. obtaining assent, asking about their feelings regarding participation
TCPS2
Clinician-researchers must take care not to overplay the benefits of research participation to vulnerable patients, who may be misled to enter research with false hope
TCPS2
Inducements that may not be excessive or inappropriate for other participants may be undue influences if the subject is especially vulnerable
Belmont Report
Care should be taken in the informed consent process to ensure that women vulnerable to coercion have adequate time and a proper environment in which to take decisions
CIOMS
Care should be taken in the informed consent process for adults with mental health problems or learning difficulties to ensure that information is provided in the appropriate format and that the roles and responsibilities of those involved are clearly explained and understood
UK Research Governance Framework
Additional consent from a parent or guardian may be required for young people who are vulnerable through immaturity in ways that warrant this
National Statement
Researchers should invite participants in dependent or unequal relationships to discuss their participation with someone who can support them in making their decision; especially vulnerable participants in these circumstances should be offered participant advocates
National Statement
Debriefing
REBs must assess the risks and benefits of debriefing participants and whether the debriefing plan is appropriate for participants, especially when they are vulnerable
TCPS2
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by the Mitre Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE's system[2] as well as in the US National Vulnerability Database.
MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers had a status of "candidate" ("CAN-") and could then be promoted to entries ("CVE-"); however, this practice was ended some time ago and all identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee that it will become an official CVE entry (e.g. a CVE may be improperly assigned to an issue which is not a security vulnerability, or which duplicates an existing entry).
CVEs are assigned by a CVE Numbering Authority (CNA);[3] there are three primary types of CVE number assignments:
1. The Mitre Corporation functions as Editor and Primary CNA
2. Various CNAs assign CVE numbers for their own products (e.g. Microsoft, Oracle, HP, Red Hat, etc.)
3. A third-party coordinator such as CERT Coordination Center may assign CVE numbers for products not covered by other CNAs
When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases for some time (days, weeks, months or potentially years) due to issues that are embargoed (the CVE number has been assigned but the issue has not been made public), or in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence can refer to the CVE number. Information on getting CVE identifiers for issues with open source projects is available from Red Hat.[4]
CVEs are for software that has been publicly released; this can include betas and other prerelease versions if they are widely used. Commercial software is included in the "publicly released" category; however, custom-built software that is not distributed would generally not be given a CVE. Additionally, services (e.g. a Web-based email provider) are not assigned CVEs for vulnerabilities found in the service (e.g. an XSS vulnerability) unless the issue exists in an underlying software product that is publicly distributed.
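The point about correspondence referring to one CVE number can be made concrete with a small tracker. This is an added example, not part of the original lab file: it pulls CVE IDs out of free text, folds the retired "CAN-" prefix into "CVE-", and indexes which messages mention each ID. The ID syntax (four-digit year, sequence of four or more digits) and the 1999 start year are facts about CVE that the text above does not state; the function names and sample messages are constructed for illustration.

```python
import re

# CVE ID syntax: prefix, four-digit year, sequence number of four or more digits.
# "CAN" is the retired candidate prefix; it names the same identifier as "CVE".
CVE_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the CVE list started in 1999


def extract_cve_ids(text):
    """Return canonical 'CVE-YYYY-NNNN' IDs from text, first-seen order, no duplicates."""
    found = []
    for _prefix, year, seq in CVE_RE.findall(text):
        if int(year) < FIRST_CVE_YEAR:
            continue  # has the right shape but predates the CVE list
        cve_id = f"CVE-{year}-{seq}"
        if cve_id not in found:
            found.append(cve_id)
    return found


def index_correspondence(messages):
    """Map each CVE ID to the indexes of the messages that mention it."""
    index = {}
    for i, body in enumerate(messages):
        for cve_id in extract_cve_ids(body):
            index.setdefault(cve_id, []).append(i)
    return index


# Constructed sample messages; the IDs are placeholders, not real CVE entries.
MESSAGES = [
    "Vendor ack received, tracking as CAN-2099-0001 until publication.",
    "Patch for cve-2099-0001 is ready; CVE-2099-123456 is a separate issue.",
    "Build 1998-0420 failed; ticket CVE-1998-0001 is a typo, ignore.",
    "Advisory draft: CVE-2099-0001, CVE-2099-0001 (duplicate mention).",
]

if __name__ == "__main__":
    for cve_id, refs in index_correspondence(MESSAGES).items():
        print(cve_id, "mentioned in messages", refs)
```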