india cyber security indian perspective

8/12/2019 India Cyber Security Indian Perspective

1/29

A P R E S E N T A T I O N B Y

R. M. JOHRIP R I N C I P A L D I R E C T O R

( I N F O R M A T I O N S Y S T E M S )

O F F I C E O F C A G O F I N D I A

Cyber SecurityIndian Perspective


2/29

Quotable Quotes

The only system which is truly secure is one which is switched offand unplugged, locked in a titanium safe, buried in a concretebunker, and is surrounded by nerve gas and very highly paidarmed guards. Even then, Iwouldntstake my life on it.

(By Professor Gene Spafford)

In security matters,

there is nothing like absolutesecurity

We are only trying to build comfort levels,because security costs

money and lack of it costs much moreComfort level is a manifestation of efforts as well as a realization of

their effectiveness & limitations


3/29

CyberworldCurrent Scenario

Advances in information and communications technologies haverevolutionised government scientific , educational andcommercial infrastructures.

The IT infrastructure has become integral part of the criticalinfrastructure which supports national capabilities such aspower grids, emergency communication systems, financialsystems , defence systems and air traffic control networks. Theoperational stability and security of critical informationinfrastructure is vital for economic security of the country.

It also enables large scale processes through out the economy byfacilitating complex interactions among individuals,organisations and systems across global networks for trade andeconomic requirements.


4/29

Technology trends

Increasing complexity of IT systems and networks will mountsecurity challenges for both providers and consumers.

The evolving nature of the telecommunications infrastructure,as the traditional phone systems and IT networks converge into a

more unified architecture. The expanding wireless connectivity to individual computers and

networks making it increasingly difficult to determine thephysical and logical boundaries of networks.

The increasing interconnectivity and accessibility (andconsequently risk) to computer based systems that are critical tocountryseconomy.


5/29

01 Dec 2007Security trends and challenges beyond 2008

Sophistication ofHacker

Tools

19901980

Packet Forging/ Spoofing

Password Guessing

Self Replicating Code

PasswordCracking

Exploiting KnownVulnerabilities

DisablingAudits

Back DoorsHijackingSessions

Sweepers

Sniffers

Stealth Diagnostics

TechnicalKnowledgeRequired

High

Low

2006

Information SecurityGeneral trends


6/29

Mischievous activities in cyber space have expanded from novice geeks toorganized criminal gangs that are going Hi-tech

Recent studies reveal three major findings:

Growing threat to national security -web espionage becomesincreasingly advanced, moving from curiosity to well-funded andwell-organized operations aimed at not only financial, but also

political or technical gain Increasing threat to online services affecting individuals

and industry because of growth of sophistication of attacktechniques

Emergence of a sophisticated market for software flaws that can be used to carry out espionage and attacks on Govt. andCritical information infrastructure. Findings indicate a blurred linebetween legal and illegal sales of software vulnerabilities

Global Cybersecurity TrendsThe next wave


7/29

There are signs that intelligence agencies around the world are constantly

probing others networks and developing new ways to gather intelligence

Internet has become an weapon for political, military and economic espionage

Organized cyber attacks have been witnessed Pentagon, US in Estonia in April 2007 Computer systems of German Chancellery and three Ministries E-mail accounts at National Informatics Centre, India Highly classified Govt. computer networks in New Zealand & Australia

The software used to carry out these attacks indicate that they were clearly designed & tested with muchgreater resources than usual individual hackers.

Most Govt. agencies and companies around the world use common computing technologies & systems thatare frequently penetrated by criminal hackers and malware.

Traditional protective measures are not enough to protect against attacks such as those on Estonia, as thecomplexity and coordination in using the botnets was totally new. National networks with lesssophistication in monitoring and defense capabilities could face serious problems to National security.

Threats to National security


8/29

Given the exponential growth in social networking sites, social engineering may

shortly become the easiest & quickest way to commit ID theft

Online services are becoming prime targets for cyber criminals

Cyber criminals continue to refine their means of deceit as well as their victims In summary, theglobal threats affecting users are:

New & sophisticated forms of attacks. Attacks targeting new technologies, such as VoIP (vishing phishing via VoIP & phreaking

hacking tel networks to make free long distance calls) and peer-to-peer services. Attacks targeting online social networks. Attacks targeting online services, particularly online banking services.

There is a new level of complexity in malware not seen before. These are more resilient, aremodified over and over again and contain highly sophisticated functionality such as encryption(Ex. Nuwar also known as Zhelatin and Stormworm with a new variant appearing almostdaily)

As a trend we will see an increase in threats that hijack PCs with bots. Another challenging trend isthe arrival of self-modifying threats

Threats to Online services


9/29

Hi-Tech crime: A thriving economy

The market is growing for zero-day threats & tools for cyber crime

With so many PCs now infected (around 5 % of all global machines are zombies), competition to supplybotnets has become intense. The cost of renting a platform for spamming is now around $ 3 - 7 Cents perzombie per week.

A budget as little as $ 25 to $ 1500 USD can buy you a trojan that is built to steal credit card data and mail

it you. Malware is being custom written to target specific companies and agencies.

Computer skills are no longer necessary to execute cyber crime. On the flip side malware writers todayneed not commit crimes themselves. People can subscribe to the tools that can keep them updated withlatest vulnerabilities and even test themselves against security solutions (Ex. MPACK pr Pinch includesupport service).

The black market for stolen data (Ex. Credit cards, e-mails, skype accounts etc) is now well establishedand the cost of obtaining credit cards is upwards of $ 5 USD.

Another black market that is causing alarm to Govts is that of Zero-day exploits. In Jan 2006 a MicrosoftWMF (windows meta file) exploit was sold for $ 4000 USD.

Competition is so intense among cyber criminals that customerservicehas now become a specific selling point


10/29

Future Trends

Trends suggest an increase in safe havens for cyber criminals andhence the need for International cooperation arrangements.

It is an inevitable that some countries will become safe havens for

cyber criminals and international pressure to crack down wontwork well.

It is believed that in next few years Govts are likely to get aggressiveand pursue action against the specificindividuals/groups/companies, regardless of location.

It is also likely that Govts will start putting pressure onintermediary bodies that have the skills and resources, such asbanks, ISPs and software vendors to protect the public frommalware, hacking and social engineering.


11/29

Future Trends

We may see industry sector codes of practice demandingimproved security measures, backed probably by assurance andinsurance schemes.

Greater connectivity, more embedded systems and less obvious

perimeters. Compliance regulations will drive upgrades and changes and also

increase system complexity and legal wrangles increase in civilsuits for security breaches.

Massive data storing patterns that ensure data never goes away a boon to law enforcement agencies .

As of now, cyber criminals seem to have no real threat ofprosecution. Our job is to create a climate of fear of effectiveprosecution, as in other types of crime.


12/29

Cyber Crime - categories

Cyber Crime is a generic term that refers to all criminal activitiesdone using the medium of communication devices, computers,mobile phones, tablets etc. It can be categorised in three ways:

The computer as a target attacking the computers of

others.

The computer as a weapon- Using a computer to committraditionalcrimethat we see in the physical world.

The computer as an accessory- Using a computer as a fancyfiling cabinetto store illegal or stolen information.


13/29

Cyber crimeMost common forms

Hacking Unauthorised attempts to bypass the securitymechanism of an information system or network.

Data theft ( using flash/pen drives, digital cameras).

Virus or worms, Malware or Trojan horses.

Identity Theft

E- mail spoofing

Botnets and Zombies

Scareware


14/29

Cyber Incidents - Indian experience

Cyber crime in India resulted in 29.9 million people being victimof cybercrime involving direct financial losses to the tune of $4billion and $3.6 billion in terms of time spent in resolving thecrime.

4 out of 5 online adults( 80%) being victim of cyber crime

17% of adults online experiencing on their mobile phones

( source: Norton Cybercrime Report)


15/29

Cyber CrimeWhy India

The main reasons for India as a main target of cyber crime are:

Rapidly growing online user base ( 121 million internet users, 65million active internet users, up 28% from 51 million in 2010).

50 million users shop online on ecommerce and online shoppingsites.

46+ million social network users.

400 million mobile users had subscribed to data packages(source IAMAI 2011).


16/29

Cyber security - Principles

Confidentiality: Information which is sensitive or confidentialmust remain so and be shared only with appropriate users. Forexample, our confidential medical records should be releasedonly to those people or organizations (i.e. doctor, hospital,

insurance, government agency, you) authorized to see it. Integrity: Information must retain its integrity and not be

altered from its original state. The records should be wellprotected so that no one can change the information withoutauthorization.

Availability: Information and systems must be available tothose who need it. The records should be available andaccessible to authorized users.


17/29

Cyber security- Indian Response

Government of India had set up an Inter DepartmentalInformation Security Task Force (ISTF) with National securitycouncil as the nodal agency. The task force studied and deliberatedon the issues such as :

National Information security Threat perceptions. Critical minimum Infrastructure to be protected.

Ways and means of ensuring Information security includingidentification of relevant technologies.

Legal procedures required to ensure Information security. Awareness , Training and Research in Information Security.


18/29


Contd.

On the recommendations of ISTF the following initiatives havebeen taken :

Indian Computer Emergency Response Team ( CERT-In) hasbeen established to respond to the cyber security incidents and

take steps to prevent recurrence of the same.

PKI infrastructure has been set up to support implementation ofInformation Technology Act and promote use of Digitalsignatures.

Government has been supporting R&D activities throughpremier Academic and Public Sector Institutions in the country.


19/29


Contd.

To pursue the strategic objectives the following majorinitiatives have been identified.

Security Policy, Compliance and Assurance.

Security Incident Early warning and response. Security Training skills/competence development & user end

awareness.

Security R&D for securing the Infrastructure, meeting the

domain specific needs and enabling technologies. Security Promotion & Publicity.


20/29


Contd.

Information Security Policy Assurance Framework for theprotection of Government Cyberspace and critical infrastructurehas been developed .

The Government has mandated Implementation of Security

Policy in accordance with the Information Security Standard ISO27001.

Currently 246 organisations have obtained certification againstthe ISO 27001 as against the total number of 2814 certificatesissued worlwide .

Security auditors have been empanelled for auditing , includingvulnerability assessment & penetration testing of computersystems and networks of the Government, critical infrastructureorganisations and those in other sectors of the economy.


21/29


Contd.

Security Policy, Compliance and Assurance

Critical Information Infrastructure Protection ( Critical sectors includeDefence, Finance, Energy, Transportation and Telecommunications) .Emphasis has to be put on improved software development, system

engineering practices and the adoption of strengthened security modelsand best practices). Cyber Security Assurance Framework ( Assessment and certification of

compliance to IT security best practices, standards and guidelines- ISO27001 /BS7799 ISMS certification etc, IT security product evaluation andcertification as per Common criteria standard ISO 15408 and Cryptomodule verification standards

IT security manpower training and other services to assist user in ITsecurity implementation and compliance.

Trusted Company certification ( ISO 9000, CMM, six sigma, TQM, ISO27001 etc) . Efforts are on to create a model that is based on selfcertification and on the lines of Software capability maturity model (SW-CMM) of CMU, USA.


22/29


Contd.

Security Incident Early Warning and response Rapid Identification , information exchange and remediation can

mitigate the damage caused by malicious cyberspace activity. The essential actions under National Cyber Alert System. Identification of focal points in the critical infrastructure. Establish a public private architecture for responding to national-

level cyber incidents. Tactical and strategic analysis of cyber attacks and vulnerability

assessments. Expand the Cyber warning and Information Network to support

the role of Government in coordinating crisis management forcyberspace security.

Improve national response capabilities ( CERT In and sectoralCERTs), Exercise cyber security continuity plans and drills.

International cooperation and Information sharing.


23/29


Contd.

Security training Security Digital Evidence & Forensics

Promote a comprehensive national awareness program.

Foster adequate training to meet the specific needs of LawEnforcement , Judiciary and other users.

Training and education programs to support the Nationscybersecurity needs.

Increase the efficiency of existing cyber security trainingprograms and devise domain specific training programs ( ex:Law Enforcement , Judiciary , E Governance etc).

Promote private- sector coordination for well coordinated,widely recognised professional cyber security certifications.


24/29


Contd.

Security Research and Development

Creation of knowledge and expertise to face new and emergingsecurity challenges to produce cost- effective, tailor made

indigenous security solutions and even compete for exportmarket in information security products and services.

Private sector is expected to play key role for meeting theResearch and Development needs leading to commercially viableproducts. It may also undertake collaborative R&D with leading

research organisations.


25/29


Contd.

Promotion and Publicity

Information security awareness promotion is an ongoingprocess. The main purpose is to achieve the broadest penetration

to enhance awareness and alert larger cyber community in casesof significant threats.

The promotion and publicity campaign could include seminars,exhibitions, contests, radio and TV programs, videos on specifictopics, Web casts, Pod casts , Leaflets and posters, suggestionand award schemes.


26/29

Cyber security- Auditors perspective

An auditors concern on the Cyber Security may arise atany of the following three stages :

Design Stage: At this stage auditorsinvolvement would ensurethat requisite Embedded Audit Modules (EAM) or IntegratedTest facility (ITF) etc. have been duly designed to ensure proper

interrogation of the data. Development Stage : At this stage it would lead to an

assurance that necessary audit trail/ audit module to furnishinformation required by auditor at different stages of processingare being built into the system under development.

Analysing stage : At this stage it will ensure that the system sodeveloped is capable of providing requisite information in atimely manner and to the authorised persons to support andassist in decision making process.


27/29

Cyber security- Auditors perspective

Contd.

Other issues:

Back Up and Recovery There should be a policy in existenceto ensure that regular back up of the critical data are taken andkept on-site and off-site to ensure its availability whenever

required. Outsourcing - Risks related to integrity, availability and

confidentiality of data need to be addressed

Change Management controls Only authorised andapproved changes are made and proper documentation exists for

each area of the system to support future modifications.

System Security Issues

Data Migration Issues


28/29

Survival

It is not the strongest of the species that survive,nor the most intelligent, but the one mostresponsive to change.

Charles Darwin

Q &A


29/29

Thank You

india cyber security indian perspective

Documents