India Cyber Security Indian Perspective
Uploaded by manikandan-swaminathan
Transcript of India Cyber Security Indian Perspective
-
8/12/2019 India Cyber Security Indian Perspective
1/29
A presentation by
R. M. Johri
Principal Director (Information Systems)
Office of CAG of India
Cyber Security - Indian Perspective
-
Quotable Quotes
The only system which is truly secure is one which is switched off and unplugged, locked in a titanium safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.
(By Professor Gene Spafford)
In security matters, there is nothing like absolute security.
We are only trying to build comfort levels, because security costs money and lack of it costs much more.
Comfort level is a manifestation of efforts as well as a realization of their effectiveness & limitations.
-
Cyberworld - Current Scenario
Advances in information and communications technologies have revolutionised government, scientific, educational and commercial infrastructures.
The IT infrastructure has become an integral part of the critical infrastructure which supports national capabilities such as power grids, emergency communication systems, financial systems, defence systems and air traffic control networks. The operational stability and security of critical information infrastructure is vital for the economic security of the country.
It also enables large-scale processes throughout the economy by facilitating complex interactions among individuals, organisations and systems across global networks for trade and economic requirements.
-
Technology trends
Increasing complexity of IT systems and networks will mount security challenges for both providers and consumers.
The evolving nature of the telecommunications infrastructure, as the traditional phone systems and IT networks converge into a more unified architecture.
The expanding wireless connectivity to individual computers and networks, making it increasingly difficult to determine the physical and logical boundaries of networks.
The increasing interconnectivity and accessibility (and consequently risk) to computer based systems that are critical to the country's economy.
-
Information Security - General trends
01 Dec 2007, Security trends and challenges beyond 2008
[Figure: chart of the sophistication of hacker tools against the technical knowledge required (High to Low), with time markers 1980, 1990 and 2006. Labels on the chart: Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Forging/Spoofing, Stealth Diagnostics.]
-
Global Cybersecurity Trends - The next wave
Mischievous activities in cyber space have expanded from novice geeks to organized criminal gangs that are going hi-tech.
Recent studies reveal three major findings:
Growing threat to national security - web espionage becomes increasingly advanced, moving from curiosity to well-funded and well-organized operations aimed at not only financial, but also political or technical gain.
Increasing threat to online services - affecting individuals and industry because of growth of sophistication of attack techniques.
Emergence of a sophisticated market for software flaws that can be used to carry out espionage and attacks on Govt. and critical information infrastructure. Findings indicate a blurred line between legal and illegal sales of software vulnerabilities.
-
Threats to National security
There are signs that intelligence agencies around the world are constantly probing others' networks and developing new ways to gather intelligence.
Internet has become a weapon for political, military and economic espionage.
Organized cyber attacks have been witnessed:
Pentagon, US
In Estonia in April 2007
Computer systems of German Chancellery and three Ministries
E-mail accounts at National Informatics Centre, India
Highly classified Govt. computer networks in New Zealand & Australia
The software used to carry out these attacks indicates that they were clearly designed & tested with much greater resources than usual individual hackers.
Most Govt. agencies and companies around the world use common computing technologies & systems that are frequently penetrated by criminal hackers and malware.
Traditional protective measures are not enough to protect against attacks such as those on Estonia, as the complexity and coordination in using the botnets was totally new. National networks with less sophistication in monitoring and defense capabilities could face serious problems to National security.
-
Threats to Online services
Given the exponential growth in social networking sites, social engineering may shortly become the easiest & quickest way to commit ID theft.
Online services are becoming prime targets for cyber criminals.
Cyber criminals continue to refine their means of deceit as well as their victims. In summary, the global threats affecting users are:
New & sophisticated forms of attacks.
Attacks targeting new technologies, such as VoIP (vishing - phishing via VoIP & phreaking - hacking tel networks to make free long distance calls) and peer-to-peer services.
Attacks targeting online social networks.
Attacks targeting online services, particularly online banking services.
There is a new level of complexity in malware not seen before. These are more resilient, are modified over and over again and contain highly sophisticated functionality such as encryption (Ex. Nuwar also known as Zhelatin and Stormworm with a new variant appearing almost daily).
As a trend we will see an increase in threats that hijack PCs with bots. Another challenging trend is the arrival of self-modifying threats.
-
Hi-Tech crime: A thriving economy
The market is growing for zero-day threats & tools for cyber crime
With so many PCs now infected (around 5 % of all global machines are zombies), competition to supply botnets has become intense. The cost of renting a platform for spamming is now around $ 3 - 7 Cents per zombie per week.
A budget of as little as $ 25 to $ 1500 USD can buy you a trojan that is built to steal credit card data and mail it to you. Malware is being custom written to target specific companies and agencies.
Computer skills are no longer necessary to execute cyber crime. On the flip side, malware writers today need not commit crimes themselves. People can subscribe to the tools that can keep them updated with latest vulnerabilities and even test themselves against security solutions (Ex. MPACK or Pinch include support service).
The black market for stolen data (Ex. credit cards, e-mails, Skype accounts etc.) is now well established and the cost of obtaining credit cards is upwards of $ 5 USD.
Another black market that is causing alarm to Govts is that of zero-day exploits. In Jan 2006 a Microsoft WMF (Windows Meta File) exploit was sold for $ 4000 USD.
Competition is so intense among cyber criminals that "customer service" has now become a specific selling point.
-
Future Trends
Trends suggest an increase in safe havens for cyber criminals and hence the need for international cooperation arrangements.
It is inevitable that some countries will become safe havens for cyber criminals and international pressure to crack down won't work well.
It is believed that in the next few years Govts are likely to get aggressive and pursue action against the specific individuals/groups/companies, regardless of location.
It is also likely that Govts will start putting pressure on intermediary bodies that have the skills and resources, such as banks, ISPs and software vendors, to protect the public from malware, hacking and social engineering.
-
Future Trends
We may see industry sector codes of practice demanding improved security measures, backed probably by assurance and insurance schemes.
Greater connectivity, more embedded systems and less obvious perimeters.
Compliance regulations will drive upgrades and changes and also increase system complexity and legal wrangles - increase in civil suits for security breaches.
Massive data storing patterns that ensure data never goes away - a boon to law enforcement agencies.
As of now, cyber criminals seem to have no real threat of prosecution. Our job is to create a climate of fear of effective prosecution, as in other types of crime.
-
Cyber Crime - categories
Cyber Crime is a generic term that refers to all criminal activities done using the medium of communication devices, computers, mobile phones, tablets etc. It can be categorised in three ways:
The computer as a target - attacking the computers of others.
The computer as a weapon - using a computer to commit "traditional crime" that we see in the physical world.
The computer as an accessory - using a computer as a "fancy filing cabinet" to store illegal or stolen information.
-
Cyber crime - Most common forms
Hacking - Unauthorised attempts to bypass the security mechanism of an information system or network.
Data theft (using flash/pen drives, digital cameras).
Virus or worms, Malware or Trojan horses.
Identity Theft
E-mail spoofing
Botnets and Zombies
Scareware
-
Cyber Incidents - Indian experience
Cyber crime in India resulted in 29.9 million people being victims of cybercrime, involving direct financial losses to the tune of $4 billion and $3.6 billion in terms of time spent in resolving the crime.
4 out of 5 online adults (80%) being victims of cyber crime.
17% of adults online experiencing cyber crime on their mobile phones.
(Source: Norton Cybercrime Report)
-
Cyber Crime - Why India
The main reasons for India as a main target of cyber crime are:
Rapidly growing online user base (121 million internet users, 65 million active internet users, up 28% from 51 million in 2010).
50 million users shop online on ecommerce and online shopping sites.
46+ million social network users.
400 million mobile users had subscribed to data packages (source: IAMAI 2011).
-
Cyber security - Principles
Confidentiality: Information which is sensitive or confidential must remain so and be shared only with appropriate users. For example, our confidential medical records should be released only to those people or organizations (i.e. doctor, hospital, insurance, government agency, you) authorized to see it.
Integrity: Information must retain its integrity and not be altered from its original state. The records should be well protected so that no one can change the information without authorization.
Availability: Information and systems must be available to those who need it. The records should be available and accessible to authorized users.
-
Cyber security - Indian Response
Government of India had set up an Inter Departmental Information Security Task Force (ISTF) with National Security Council as the nodal agency. The task force studied and deliberated on issues such as:
National information security threat perceptions.
Critical minimum infrastructure to be protected.
Ways and means of ensuring information security, including identification of relevant technologies.
Legal procedures required to ensure information security.
Awareness, training and research in information security.
-
Cyber security - Indian Response
Contd.
On the recommendations of ISTF the following initiatives have been taken:
Indian Computer Emergency Response Team (CERT-In) has been established to respond to cyber security incidents and take steps to prevent recurrence of the same.
PKI infrastructure has been set up to support implementation of the Information Technology Act and promote use of digital signatures.
Government has been supporting R&D activities through premier academic and public sector institutions in the country.
-
Cyber security - Indian Response
Contd.
To pursue the strategic objectives the following major initiatives have been identified:
Security Policy, Compliance and Assurance.
Security Incident - Early warning and response.
Security Training - skills/competence development & user end awareness.
Security R&D for securing the infrastructure, meeting the domain specific needs and enabling technologies.
Security - Promotion & Publicity.
-
Cyber security - Indian Response
Contd.
Information Security Policy Assurance Framework for the protection of Government cyberspace and critical infrastructure has been developed.
The Government has mandated implementation of Security Policy in accordance with the Information Security Standard ISO 27001.
Currently 246 organisations have obtained certification against the ISO 27001 as against the total number of 2814 certificates issued worldwide.
Security auditors have been empanelled for auditing, including vulnerability assessment & penetration testing of computer systems and networks of the Government, critical infrastructure organisations and those in other sectors of the economy.
-
Cyber security - Indian Response
Contd.
Security Policy, Compliance and Assurance
Critical Information Infrastructure Protection (critical sectors include Defence, Finance, Energy, Transportation and Telecommunications). Emphasis has to be put on improved software development, system engineering practices and the adoption of strengthened security models and best practices.
Cyber Security Assurance Framework (assessment and certification of compliance to IT security best practices, standards and guidelines - ISO 27001/BS7799 ISMS certification etc., IT security product evaluation and certification as per Common Criteria standard ISO 15408, and crypto module verification standards).
IT security manpower training and other services to assist users in IT security implementation and compliance.
Trusted Company certification (ISO 9000, CMM, six sigma, TQM, ISO 27001 etc.). Efforts are on to create a model that is based on self certification and on the lines of the Software Capability Maturity Model (SW-CMM) of CMU, USA.
-
Cyber security - Indian Response
Contd.
Security Incident - Early Warning and response
Rapid identification, information exchange and remediation can mitigate the damage caused by malicious cyberspace activity.
The essential actions under National Cyber Alert System:
Identification of focal points in the critical infrastructure.
Establish a public private architecture for responding to national-level cyber incidents.
Tactical and strategic analysis of cyber attacks and vulnerability assessments.
Expand the Cyber Warning and Information Network to support the role of Government in coordinating crisis management for cyberspace security.
Improve national response capabilities (CERT-In and sectoral CERTs), exercise cyber security continuity plans and drills.
International cooperation and information sharing.
-
Cyber security - Indian Response
Contd.
Security training Security Digital Evidence & Forensics
Promote a comprehensive national awareness program.
Foster adequate training to meet the specific needs of Law Enforcement, Judiciary and other users.
Training and education programs to support the Nation's cybersecurity needs.
Increase the efficiency of existing cyber security training programs and devise domain specific training programs (ex: Law Enforcement, Judiciary, E-Governance etc.).
Promote private-sector coordination for well coordinated, widely recognised professional cyber security certifications.
-
Cyber security - Indian Response
Contd.
Security Research and Development
Creation of knowledge and expertise to face new and emerging security challenges, to produce cost-effective, tailor made indigenous security solutions and even compete for export market in information security products and services.
Private sector is expected to play a key role in meeting the Research and Development needs leading to commercially viable products. It may also undertake collaborative R&D with leading research organisations.
-
Cyber security - Indian Response
Contd.
Promotion and Publicity
Information security awareness promotion is an ongoing process. The main purpose is to achieve the broadest penetration to enhance awareness and alert the larger cyber community in cases of significant threats.
The promotion and publicity campaign could include seminars, exhibitions, contests, radio and TV programs, videos on specific topics, web casts, pod casts, leaflets and posters, suggestion and award schemes.
-
Cyber security - Auditor's perspective
An auditor's concern on Cyber Security may arise at any of the following three stages:
Design Stage: At this stage the auditor's involvement would ensure that requisite Embedded Audit Modules (EAM) or Integrated Test Facility (ITF) etc. have been duly designed to ensure proper interrogation of the data.
Development Stage: At this stage it would lead to an assurance that the necessary audit trail/audit module to furnish information required by the auditor at different stages of processing is being built into the system under development.
Analysing Stage: At this stage it will ensure that the system so developed is capable of providing requisite information in a timely manner and to the authorised persons to support and assist in the decision making process.
-
Cyber security - Auditor's perspective
Contd.
Other issues:
Back Up and Recovery - There should be a policy in existence to ensure that regular back ups of the critical data are taken and kept on-site and off-site to ensure its availability whenever required.
Outsourcing - Risks related to integrity, availability and confidentiality of data need to be addressed.
Change Management controls - Only authorised and approved changes are made and proper documentation exists for each area of the system to support future modifications.
System Security Issues
Data Migration Issues
-
Survival
It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.
Charles Darwin
Q & A
-
Thank You