cyber security-sai india.doc


Upload: samsanjeet10

Post on 22-Feb-2018


Page 1: Cyber Security-SAI India.doc

7/24/2019 Cyber Security-SAI India.doc

http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 1/24


Cyber Security - Indian Scenario

Computers play an important part in our lives—in airports, banks, railway stations and every well-equipped modern office, as they have brought about a tremendous revolution and are likely to play an even greater role in our life in the days to come. Some of the areas in which computers are being used include issue of birth/death records, land records, licensing, taxation, communication – email, cell phone, texting, vehicle registration and issue of driving licenses, air navigation, banking etc.

On one side the development of computers and increasing use of the Internet has sped up the pace of activities and facilitated integration of various operations by wiping out physical and geographical barriers; on the other side it has increased our dependence on these machines. This increased dependence has also increased the risk perception of systems which deliver these services, as any disruption may result in things going haywire. Hence there is an increased need to protect computer systems. Cyber Security has become the order of the day. This paper discusses the various facets of cyber crime and tries to address the issue by suggesting a way forward.

Cyber Crime:

Cyber Crime is a generic term that refers to all criminal activities done using the medium of communication devices, computers, mobile phones, tablets etc., the internet, cyber space and the worldwide web.

Cyber crime can be categorized in three ways:

• The computer as a target – attacking the computers of others (spreading viruses is an example).
• The computer as a weapon – using a computer to commit "traditional crime" that we see in the physical world (such as fraud or illegal gambling).
• The computer as an accessory – using a computer as a "fancy filing cabinet" to store illegal or stolen information.

Types of Cyber Crimes

Hacking: Means unauthorized attempts to bypass the security mechanism of an information system or network. In simple words, hacking is the unauthorized access to a computer system. These attempts intend to result in denial of service. Denial of Service refers to an attack that successfully prevents or impairs the authorized functionality of networks, systems or applications by exhausting resources.

Data Theft: It is a growing problem, primarily perpetrated by office workers with access to technology such as desktop computers and hand-held devices capable of storing digital information, such as flash drives, iPods and even digital cameras.

Virus or worms, Malware or Trojan horses: These are software written to disrupt the normal functioning of computers. In most cases viruses can do any amount of damage the creator intends them to do, causing damage in terms of data corruption, data loss etc. These spread by email, instant messaging, malicious websites, and infected non-malicious websites. Some websites will automatically download the malware without the user's knowledge or intervention. This is known as a drive-by download. Other methods will require the user to click on a link or button.

Identity theft: It is the term used to refer to fraud that involves stealing money or getting other benefits by pretending to be someone else.

E-Mail Spoofing: A technique used by hackers to fraudulently send email messages in which the sender address and other parts of the email header are altered to appear as though the email originated from a source other than its actual source.

Botnets and Zombies: A botnet, short for robot network, is an aggregation of compromised computers that are connected to a central controller. The compromised computers are often referred to as zombies. These threats will continue to proliferate as the attack techniques evolve and become available to a broader audience, with less technical knowledge required to launch successful attacks.

"Scareware" – fake security software warnings: This type of scam can be particularly profitable for cyber criminals, as many users believe the pop-up warnings telling them their system is infected and are lured into downloading and paying for the special software to protect their system.

Cybercrimes – Global Scenario

The majority of cybercrimes are centered on forgery, fraud and phishing [1]. India is the third-most targeted country for phishing attacks after the US and the UK. Social networks as well as ecommerce sites are major targets. Instances include: 6.9 million bot-infected systems in 2010, 14,348 website defacements in 2010, 6,850 .in and 4,150 .com domains were defaced during 2011, 15,000 sites hacked in 2011 and India is the number 1 country in the world for generating spam [2].

[1] The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.

Cyber crime and real impacts

• Estimated $1 Trillion of intellectual property stolen each year (Gartner & McAfee, Jan 2009)
• Reported cyber attacks on U.S. government computer networks climbed 40% in 2008
• Sensitive records of 45,000 Federal Aviation Administration (FAA) workers breached (Feb 09)
• Design secrets of all U.S. nuclear weapons (Michelle Van Cleave) stolen

Cybercrimes – India Scenario

The cyber crimes in India resulted in 29.9 million people being victims of cybercrime, involving direct financial losses to the tune of $4 billion and $3.6 billion in terms of time spent in resolving the crime, 4 out of every 5 online adults (80%) being victims of cybercrime, and 17% of adults online experiencing cybercrime on their mobile phones. (Source: Norton Cybercrime Report 2011)

Why India?

In the recent past India has been the main target of cyber crimes due to its rapidly growing online user base (121 million internet users; 65 million active internet users, up 28% from 51 million in 2010; 50 million users shop online on ecommerce and online shopping sites; 46+ million social network users; and 346 million mobile users had subscribed to data packages). (Source: IAMAI; Juxt; wearesocial 2011)

Cyber Security Breach instances in India

About 544 government sites were hacked, including those of the defence wings, ministries and diplomatic missions. A recent survey by McAfee, the internet security giant, named India among the nations least able to defend themselves against cyber attacks. Others on the list include Brazil, Romania and Mexico.

Key websites hacked into include that of the Prime Minister's Office, the National Security Adviser's office, the defence ministry, air cargo customs (Mumbai), ministry of railways, National Institute of Social Defence, Bharat Sanchar Nigam Ltd, Telecom Regulatory Authority of India and the Central Bureau of Investigation. Most of these attacks originated from China and Pakistan.

[2] Spam is the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.

Cyber Security and its objective

Cyber Security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cyber security.

As per Section 2(b) of the Information Technology (Amendment) Act 2008 – Cyber Security means protecting information, equipment, computer devices, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.

It is the collection of security concepts, policies, guidelines, risk management approaches, security safeguards, tools, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets.

Organization and user's assets include connected computing devices, telecommunications systems, infrastructure, applications, services, personnel, and the totality of transmitted and/or stored information in the cyber environment.

It strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment.

Principles of Cyber Security

Confidentiality, Integrity, and Availability are three core principles of Cyber Security.

Confidentiality: Information which is sensitive or confidential must remain so and be shared only with appropriate users. For example, our confidential medical records should be released only to those people or organizations (i.e. doctor, hospital, insurance, government agency, you) authorized to see them.

Integrity: Information must retain its integrity and not be altered from its original state. The records should be well protected so that no one can change the information without authorization.

Availability: Information and systems must be available to those who need them. The records should be available and accessible to authorized users.

WHY IS CYBER SECURITY IMPORTANT?

• The rising volume and sophistication of cyber security threats – including targeted phishing scams, data theft, and other online vulnerabilities – demand that we remain vigilant about securing our systems and information.
• The average unprotected computer (i.e. one that does not have proper security controls in place) connected to the Internet can be compromised in moments.
• Thousands of infected web pages are being discovered every day.
• Hundreds of millions of records have been involved in data breaches.
• New attack methods are launched continuously.
• These are just a few examples of the threats facing us, and they highlight the importance of information security as a necessary approach to protecting data and systems.

Impact of Weak or No Cyber Security:

Weak or absent Cyber Security may lead to the following:

Denial-of-service:

This refers to an attack that successfully prevents or impairs the authorized functionality of networks, systems or applications by exhausting resources. It may result in:

• Shutting down a government agency's website, thereby preventing citizens from accessing information or completing transactions;
• Financial loss
• Disruption of critical services such as emergency medical systems, police communications or air traffic control;

Loss of critical data

Access to critical information having security implications

Adverse impact on the credibility of the system

Likely format of cyber crimes in India

• Continued website hacks and defacements
• Data and information theft
• Increasing phishing attacks on ecommerce and financial websites
• Cybercriminals targeting social and professional networks
• Threats directed at the mobile platform: smartphones and tablets

Way Forward

Security Policy, Compliance and Assurance – Legal Framework

• IT Act 2000
• IT Amendment Bill 2006 – Data Protection & Computer Crime
• Best Practice – ISO 27001
• Security Assurance Framework - IT/ITES/BPO Companies

India and its National Cyber Security Policy

The cyber security policy is an evolving task, which needs to be regularly updated/refined in line with technological trends and security challenges posed by such technology directions. This policy caters for the whole spectrum of ICT users and providers including small and home users, medium and large enterprises and Government & non-Government entities. It provides an overview of what it takes to effectively protect information, information systems & networks and also provides an insight into the Government's approach and strategy for protection of cyber space in the country. It also outlines some pointers to enable collaborative working of all key players in public & private to safeguard the country's information and information systems. This policy, therefore, aims to create a cyber security framework, which will address all the related issues over a long period. The framework will lead to specific actions and programmes to enhance the security posture of the country's cyber space.


Securing cyber space – Key policy considerations

The key considerations for securing the cyber space include:

• The security of cyber space is not an optional issue but an imperative need in view of its impact on national security, public safety and economic well-being.
• The issue of cyber security needs to move beyond traditional technological measures such as anti-virus and firewalls. It needs to be dynamic in nature and have necessary depth to detect, stop and prevent attacks.
• Cyber security intelligence forms an integral component of security of cyber space in order to be able to anticipate attacks, adopt suitable counter measures and attribute the attacks for possible counter action.
• Effective correlation of information from multiple sources and real-time monitoring of assets that need protection and at the same time ensuring that adequate expertise and process are in place to deal with crisis situations.
• There is a need to focus on having a suitable security posture and adopt counter measures on the basis of hierarchy of priority and understanding of the inter dependencies, rather than attempting to defend against all intrusions and attacks.
• Security is all about people, process and technology, and as such there is a clear need for focusing on people and processes while attempting to use the best available technological solutions, which otherwise could prove ineffective.
• Use of adequately trained and qualified manpower along with suitable incentives for effective results in a highly specialized field of cyber security.
• Security needs to be built-in from the conceptual design stage itself when it comes to developing and deploying critical information infrastructure, as opposed to having security as an afterthought.

Priorities for action

Considering the transnational character of information technology & the cyber space, the technical & legal challenges in ensuring security of information, information systems & networks as well as related impact on socio-economic life in the country, the priorities for action for creating a secure cyber eco-system include a series of enabling processes, direct actions and cooperative & collaborative efforts within the country and beyond, covering:

• Creation of necessary situational awareness regarding threats to ICT infrastructure for determination and implementation of suitable response
• Creation of a conducive legal environment in support of safe and secure cyber space, adequate trust & confidence in electronic transactions, enhancement of law enforcement capabilities that can enable responsible action by stakeholders and effective prosecution
• Protection of IT networks & gateways and critical communication & information infrastructure
• Putting in place 24 x 7 mechanism for cyber security emergency response & resolution and crisis management through effective predictive, preventive, protective, response and recovery actions
• Policy, promotion and enabling actions for compliance to international security best practices and conformity assessment (product, process, technology & people) and incentives for compliance.
• Indigenous development of suitable security techniques & technology through frontier technology research, solution oriented research, proof of concept, pilot development etc. and deployment of secure IT products/processes
• Creation of a culture of cyber security for responsible user behavior & actions
• Effective cyber crime prevention & prosecution actions
• Proactive preventive & reactive mitigation actions to reach out & neutralize the sources of trouble and support for creation of global security eco system, including public-private partnership arrangements, information sharing, bilateral & multi-lateral agreements with overseas CERTs, security agencies and security vendors etc.
• Protection of data while in process, handling, storage & transit and protection of sensitive personal information to create a necessary environment of trust.

Legal Framework in India to counter Cyber Crimes

Security legal framework and law enforcement

1. A sound legal framework and effective law enforcement procedures are essential in deterring cyber-crime. In this direction, recent amendments to the Indian IT Act 2000 provide for an excellent means to enable adequate trust and confidence in the online environment and enhance law enforcement capability to deal effectively with cyber crime. Besides this, for greater international cooperation, there is a need to harmonize national laws and enforcement procedures.

Priorities for action include:

• Dynamic legal framework that is in tune with the technological changes and international developments in the area of information security (e.g. Electronic signatures, national encryption policy etc.)
• Dedicated cyber-crime units with skilled and competent manpower
• Dedicated state-of-the-art facilities for law enforcement for cyber crime prevention and prosecution
• Dedicated state-of-the-art training facilities for law enforcement and judiciary to assist them in keeping track with developments
• International cooperation agreements facilitating sharing of information and crime prosecution

2. Combating Hi-Tech Crime/Cyber Crime: The Hi-Tech Crime/Cyber Crime covers any crime committed against or using IT systems including hacking, web site defacements, identity theft, stealing personal information. Criminals have sought to exploit the Internet as it offers a rapid and productive means of communicating as well as a good chance of anonymity. Although the threats in cyber space are similar to those in the physical space (be it theft, fraud or terrorism), IT has changed the way in which these activities are perpetrated. The Hi-Tech/Cyber Crime strategy aims to focus on issues such as e-crime reporting, crime reduction and prevention, legislation, response, role of business-industry-public and international cooperation.

Information Technology (Amendment) Act 2008 - Chapter XI

65. Tampering with Computer Source Documents
66. Computer Related Offences
66A. Punishment for sending offensive messages through communication service, etc. (This was involved in the recent arrests in respect of comments made in Facebook.)
66B. Punishment for dishonestly receiving stolen computer resource or communication device
66C. Punishment for identity theft
66D. Punishment for cheating by personation by using computer resource
66E. Punishment for violation of privacy
66F. Punishment for cyber terrorism
67. Punishment for publishing or transmitting obscene material in electronic form
67A. Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form
67B. Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form

BEST PRACTICES:

Security best practices - compliance and assurance

(i) Critical Information Infrastructure Protection

The primary focus of these efforts is to secure the information resources belonging to Government as well as those in the critical sectors. The critical sectors include Defence, Finance, Energy, Transportation and Telecommunications.

(a) Implementation of security best practices in Govt. and Critical sectors

In order to reduce the risk of cyber attacks and improve upon the security posture of critical information infrastructure, Government and critical sector organizations are required to implement security best practices in Govt. and Critical sectors. This would involve the following:

1) Identify a member of senior management, as Chief Information Security Officer (CISO) responsible for coordinating security policy compliance efforts.
2) Prepare information security plan and implement the security control measures as per international security best practices standards and other guidelines.
3) Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with criticality of business/functional requirements.
4) Periodically test and evaluate the adequacy and effectiveness of technical security control measures implemented for IT systems and networks using test and evaluation techniques like Penetration Testing, Vulnerability Assessment, Application Security Testing and Web Security Testing
5) Carry out Audit of Information infrastructure on an annual basis and when there is major up gradation/change in the Information Technology Infrastructure, by an independent IT Security Auditing organization
6) Report to CERT-In (Computer Emergency Response Team) cyber security incidents, as and when they occur and the status of cyber security, periodically

(b) Government networks

A part of departmental budget should be earmarked for IT and information security needs. Besides this, all ministries/departments and other agencies of the government should ensure that they take necessary precautions and steps to promote the culture of information security amongst their employees and attached agencies. Necessary change in office procedure should be undertaken to bring in vogue, reliable and robust paperless offices where required.

(c) Government secure intranet

There is a need for priority action to create a countrywide secure intranet for connecting strategic installations with CERT-In as the nodal center for emergency response and coordination. This intranet will facilitate faster and efficient information sharing between strategic installations and CERT-In as well as supporting crisis management and disaster recovery during national IT security emergencies.


(ii) Information security Assurance Framework

In order to ensure implementation of security best practices in critical sector organizations and periodic verification of compliance, there is a need to create, establish and operate an 'Information security Assurance Framework', including creation of national conformity assessment infrastructure. Information security Assurance Framework is aimed at assisting National level efforts in protecting critical information infrastructure. It supports Government, Critical Infrastructure Organizations and other key IT users of the nation's economy through a series of "Enabling and Endorsing" actions.

(a) Enabling actions are essentially Promotional/Advisory/Regulatory in nature and involve publication of "National Security Policy Compliance requirements" and cyber security guidelines and supporting documents to facilitate cyber security implementation and compliance.

(b) Endorsing actions are part of national conformity assessment infrastructure. These are essentially commercial in nature and may involve more than one service provider offering commercial services after having fulfilled requisite qualification criteria and demonstrated ability prior to empanelment. These include:

• Assessment and certification of compliance to international IT security best practices, standards and guidelines (e.g. ISMS certification, Trusted company certification for Data security and privacy protection, IS system audits, Penetration testing/Vulnerability assessment etc.)

Government and critical infrastructure organizations can make use of CERT-In evaluated and empanelled third party agencies for their organisation/site specific IT security assessment services (including ISMS assessment, risk assessment, network security profiling, penetration testing, vulnerability assessment, application security testing etc.) under specific contract and pre-determined rules of engagement. Contact details of the agencies empanelled by CERT-In are available at (http://www.cert-in.org.in)

• IT Security product evaluation and certification as per accepted international standards

These actions provide an assurance that the process of specification, implementation and evaluation of an IT security product has been conducted in a rigorous and acceptable manner.

• IT security manpower training, qualification and other related services to assist user in IT security implementation and compliance.

(c) Data security and privacy protection for 'Trust and Confidence'

In order to stay competitive in the global market place, business entities have to continually generate adequate levels of trust & confidence in their services in terms of privacy and data protection through the use of internationally accepted best practices and ability to demonstrate where necessary.

(d) Quality and protection of electronic records

Organizations need to ensure that important data/records are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements. Where a follow-up action against a person or organization involves legal action (either civil or criminal), electronic evidence needs to be properly collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). It is a good practice to have audit logs recording user activities, exceptions, and information security events and retained for an agreed period to assist in future investigations.

(iii) E-governance

All e-governance initiatives in the country should be based on best information security practices. Government should encourage wider usage of Public Key Infrastructure (PKI) in its own departments. There is a need to empanel Information Security professionals/organizations to assist E-Governance initiatives and monitor quality of their performance/service through appropriate quality standards.

(iv) Secure software development and application

Software development process, whether in-house or outsourced, needs to be supervised and monitored using a system development life cycle methodology that includes information security considerations and selection of appropriate security controls and countermeasures.

Security Incident - Early Warning & Response

• CERT-In National Cyber Alert System
• Information Exchange with International CERTs

Security threat and vulnerability management

Regardless of the nature of the threat, facility owners have a responsibility to limit or manage risks from these threats to the extent possible. This is more so, if the facility is a part of the nation's critical information infrastructure. As such focus of these efforts would be:

1. To prevent cyber attacks on critical ICT infrastructure
2. Reduce vulnerability of critical ICT infrastructure to cyber attacks.
3. Enhancing the capability of critical ICT infrastructure to resist cyber attacks
4. Minimize damage and recovery in a reasonable time frame

The key actions to reduce security threats and related vulnerabilities are:

1) Identification and classification of critical information infrastructure facilities and assets.
2) Roadmaps for organization-wise security policy implementation in line with international security best practices standards and other related guidelines.
3) Process for national level security threat & vulnerability assessments to understand the potential consequences.
4) Use of secure products/services, protocols & communications, trusted networks and digital control systems.
5) Emergency preparedness and crisis management (Mirror Centers, Hot/warm/cold sites, communication, redundancy, and disaster recovery plans, test & evaluation of plans etc.)
6) Periodic as well as random verification of the level of emergency preparedness of critical information infrastructure facilities in resisting cyber attacks and minimize damage & recovery time in case cyber attacks do occur.
7) Development of comprehensive repair and maintenance policy so as to minimize false alarms and increase cyber resource availability to all users efficiently.

Security threat early warning and response

a) National cyber alert system

A central nodal agency (CERT-In, DIT) to perform analysis, issue warnings, and coordinate response efforts would be established at National level. The National Cyber Alert System will involve critical infrastructure organizations, public and private institutions to perform analysis, conduct watch and warning activities, enable information exchange, and facilitate restoration efforts. The functions of National Cyber Alert System include:

• Identification of focal points in the critical infrastructure
• Establishment of a public-private architecture for responding to national-level cyber incidents
• Tactical and strategic analysis of cyber attacks and vulnerability assessments
• Expanding the Cyber Warning and Information Network to support the role of Government in coordinating crisis management for cyberspace security;
• Cyber security drills and exercises in IT dependent business continuity plans of critical sectors to assess the level of emergency preparedness of critical information infrastructure facilities in resisting cyber attacks and minimize damage & recovery time in case cyber attacks do occur.

b) Sectoral CERTs

In order to effectively deal with targeted cyber attacks on sensitive and strategic sectors, it is essential to operationalise sectoral CERTs in all identified critical sectors such as finance, defence, energy, transportation, telecommunication etc. These CERTs would be responsible for all coordination and communication actions within their respective sectors and should be in regular touch with CERT-In for any incidence resolution support as well as dealing with cyber crisis requiring broader action.

c) Local incident response teams

Each critical sector organisation should have an identified team of personnel who will be part of the respective local Incident Response Team. This team would:

• Identify the correctness of the severity level of any incident
• Contain, Eradicate and Recover
• Seek necessary resources and support from the corresponding Level II Incident Resolution Team
• Provide regular updates to higher management regarding progress of the incident handling process
• Escalate to an expert team/sectoral CERT or CERT-In, if unable to resolve within the prescribed time frame/reasonable time frame.

Partnership and collaborative efforts

Government leadership catalyzes activities of strategic importance to the Nation. In cyber security, such leadership can energize a broad collaboration with private-sector partners and stakeholders to generate fundamental technological advances in the security of the Nation's IT infrastructure.

Security information sharing and cooperation

The cyber threat sources and attacks span across countries. As such, there is a need for enhanced global cooperation among security agencies, CERTs and Law Enforcement agencies of various countries to effectively mitigate cyber threats and be able to respond to information security incidents in a timely manner.

The priorities for international cooperation are:

• Information security and Information Assurance Technology to prevent, protect against, detect, respond to, and recover from cyber attacks in critical information infrastructure that may have large-scale consequences.
• Collaboration in training personnel for implementing and monitoring secure government intranets and cyber space
• Joint R&D projects in frontline and futuristic technologies
• Coordination in early warning, threat & vulnerability analysis and incident tracking
• Information security drills/exercises to test the vulnerability & preparedness of critical sectors

Security crisis management plan for countering cyber attacks and cyber terrorism

The Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism outlines a framework for dealing with cyber related incidents for a coordinated, multi disciplinary and broad based approach for rapid identification, information exchange, swift response and remedial actions to mitigate and recover from malicious cyber related incidents impacting critical national processes. The Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism describes the following aspects:

• The Critical Sectors, Nature of cyber crisis and possible targets and impact of particular type of crisis on these targets.
• Focused cyber attacks affecting the organisations in critical sector such as Defence, Energy, Finance, Space, Telecommunications, Transport, Public Essential Services and Utilities, Law Enforcement and Security would lead to national crisis.
• Different types of cyber crisis described include Large-scale defacement and semantic attacks on websites, Malicious code attacks, Large scale SPAM attacks, Spoofing, Phishing attacks, Social Engineering, Denial of Service (DoS) and Distributed DoS attacks, attacks on DNS, Applications, infrastructure and Routers, Compound attacks and High Energy RF attacks.
• Incident prevention and precautionary measures to be taken at organisational level which include implementation of Information Security Best Practices based on ISO 27001 standard, Business Continuity Plan, Disaster Recovery, Security of Information and Network, Security Training and Awareness, Incident Management, Sharing of information pertaining to incidents and conducting mock drills to test the preparedness of Critical Infrastructure organisations to withstand cyber attacks.

Enabling technologies - Deployment and R&D

1. Deployment of technical measures

Many different types of threats exist in the cyber world, but these threats will fall into three basic categories - un-authorized access, impersonation and denial of service. These threats may usually result in eavesdropping and information theft, disabling access to network resources (DOS attacks), un-authorized access to system and network resources and data manipulation. The selection and effective implementation of cyber security technologies require adequate consideration of a number of key factors, including:

• Implementing technologies through a layered, defense-in-depth strategy;
• Considering organisations' unique information technology infrastructure needs when selecting technologies;
• Utilizing results of independent testing when assessing the technologies' capabilities;
• Training staff on the secure implementation and utilization of these technologies; and
• Ensuring that the technologies are securely configured.

The organizations in Govt. and critical sector may consider protecting their networks, systems and data through deployment of access control technologies (for perimeter protection, authentication and authorization), system integrity measures, cryptography mechanisms and configuration management and assurance.

Security research and development:

Indigenous R&D is an essential component of national information security measures due to various reasons - a major one being export restrictions on sophisticated products by advanced countries. Second major reason for undertaking R&D is to build confidence that an imported IT security product itself does not turn out to be a veiled security threat. Other benefits include creation of knowledge and expertise to face new and emerging security challenges, to produce cost-effective, tailor-made indigenous security solutions and even compete for export market in information security products and services. Success in technological innovation is significantly facilitated by a sound S&T environment. Resources like skilled manpower and infrastructure created through pre-competitive public funded projects provide much needed inputs to entrepreneurs to be globally competitive through further R&D. Private sector is expected to play a key role in meeting needs of short term R&D leading to commercially viable products. Besides in-house R&D, this sector may find it attractive to undertake collaborative R&D with leading research organizations.

2. Issues for focused action in R&D are information security functional Requirements, securing the Infrastructure, domain-Specific Security Needs and enabling Technologies for R&D.

3. The Thrust areas of R&D include:

• Cryptography and cryptanalysis research and related aspects
• Network Security - including wireless & Radio (WiFi, WiMax, 3G, GPRS)
• System Security including Biometrics
• Security architecture
• Monitoring and Surveillance
• Vulnerability Remediation & Assurance
• Cyber Forensics
• Malware Analysis Tools
• Scalable trustworthy systems and networks
• Identity Management

Capacity Building

Skill & Competence development

Training of Law Enforcement agencies and judicial officials in the collection and analysis of digital evidence


Training in the area of implementing information security in collaboration with specialized organizations in US.

a) Security education and awareness

1. Many cyber vulnerabilities exist because of lack of information security awareness on the part of computer users, system/network administrators, technology developers, auditors, Chief Information Officers (CIOs), Chief Executive Officers (CEOs), and Corporates. A lack of trained personnel and the absence of widely accepted, multi-level certification programs for information security professionals complicate the task of addressing cyber vulnerabilities. This policy identifies following major actions and initiatives for user awareness, education, and training:

• Promoting a comprehensive national awareness program
• Fostering adequate training and education programs to support the Nation's information security needs (Ex: School, college and post graduate programs on IT security)
• Increase in the efficiency of existing information security training programs and devise domain specific training programs (ex: Law Enforcement, Judiciary, E-Governance etc)
• Promoting private-sector support for well-coordinated, widely recognized professional information security certifications.

2. Information security awareness promotion is an ongoing process. The main purpose is to achieve the broadest penetration to enhance awareness and alert larger cyber community in cases of significant security threats. The promotion and publicity campaign could include

• Seminars, exhibitions, contests etc
• Radio and TV programmes
• Videos on specific topics
• Web casts, Pod casts
• Leaflets and Posters
• Suggestion and Award Schemes

3. Safe use of IT for children and small & home users

Owing to the vulnerability of children and small & home users on the Internet for criminal exploitation, special campaigns are required to promote acceptable and safe use of information technology. This combines the knowledge of the needs of protection while understanding the power of information technology. In addition, campaigns may also be directed to raise the awareness among the parents about the means of helping children to go online safely.

b) Security skills training and certification

Information security requires many skilled professionals to deal with variety of domain specific actions. In order to train security professionals with appropriate skill sets, it is necessary to identify and create a pool of master trainers and training organizations to cater to specific set of training requirements such as security audits, Management and information assurance, Technical operations etc. These trainers and training organizations would then train and certify professionals for deployment in critical sectors.

The following are some of the professional cyber security roles that can be targeted for training and certification:

• Chief information security officer (CISO)
• System operations and maintenance personnel
• Network security specialists
• Digital forensics and incident response analysis
• Implementation of information security and auditing
• Vulnerability analyst
• Information security systems and software development
• Acquisition of technology
• Techno-legal
• Law enforcement

c) Security training infrastructure

The requirement of security professionals is very huge and is only bound to increase with more and more of ICT usage. Towards this effect, it is an imperative need to set up adequate training infrastructure to cater to the needs of all types of users, particularly law enforcement agencies, judicial officers, owners/operators of e-Government services etc. This effort may also involve large number of private organizations to have an effective outreach.

Responsible actions by user community

Essentially, actions for securing information and information systems are required to be done at different levels within the country. Besides the actions by Government, other stakeholders such as network services providers (ISP), large corporates and small users/home users are also required to play their part to enhance the security of cyber space within the country.

a) Actions by Network service providers

• Compliance to international security best practices, service quality and service level agreements (SLAs) and demonstration.
• Pro-active actions to deal with and contain malicious activities, ensuring quantity of services and protecting average end users by way of net traffic monitoring, routing and gateway controls.
• Keeping pace with changes in security technology and processes to remain current (configuration, patch and vulnerability management)
• Conform to legal obligations and cooperate with law enforcement activities including prompt actions on alert/advisories issued by CERT-In
• Use of secure product and services and skilled manpower
• Crisis management and emergency response.

b) Actions by Large Corporates

• Compliance to international security best practices and demonstration
• Pro-active actions to deal with and contain malicious activities, and protecting average end users by way of net traffic monitoring, routing and gateway controls
• Keeping pace with changes in security technology and processes to remain current (configuration, patch and vulnerability management)
• Conform to legal obligations and cooperate with law enforcement activities including prompt actions on alert/advisories issued by CERT-In
• Use of secure product and services and skilled manpower
• Crisis management and emergency response.
• Periodic training and up gradation of skills for personnel engaged in security related activities
• Promote acceptable users' behavior in the interest of safe computing both within and outside.

c) Actions by small/medium users and home users

• Maintain a level of awareness necessary for self-protection
• Use legal software and update at regular intervals.
• Beware of security pitfalls while on the net and adhere to security advisories as necessary
• Maintain reasonable and trust-worthy access control to prevent abuse of computer resources.

Cyber Security and Auditor's perspective

An auditor's concern on the issue of Cyber Security may arise at any of the following three stages:

• System Design Stage
• Development Stage
• Analyzing performance after systems implementation

Auditor's perspective - Design Stage

Auditor's involvement at this stage will ensure that requisite Controls (general, input, processing and output controls) have been inbuilt into the system to ensure that system performance would be enhanced and the system developed takes care of Auditor's requirements as well. At this stage the Auditor's involvement would also ensure that requisite Embedded Audit Modules (EAM) or Integrated Test Facility (ITF) etc. have been duly designed in the system design to ensure proper interrogation of the data.

Auditor's perspective - Development Stage

At this stage, auditor's involvement would lead to an assurance that necessary audit trail/audit module to furnish information required by the auditor from time to time in smooth performance of audit function by him, are being designed into the developed system so as to avoid its modification at a later stage at extra avoidable costs.


Auditor's perspective - Analyzing Stage

This will ensure that the system so developed and implemented is capable of providing requisite information in a timely manner and to the authorized persons to support and assist in decision making process, besides ensuring Confidentiality (C), Integrity (I) and Availability (A) of the information.

Back Up and Recovery

Cyber Security also encompasses the issues relating to regular back ups of the system data and Disaster Recovery management. There should be a policy in existence to ensure that regular back-ups of the critical data are taken and kept at on-site and off-site locations to ensure its availability whenever required.

Disaster Recovery (DR) Centre

Every organisation should have a DR centre. The functionality and operational drill should be carried out periodically to ensure its operability during the times when required.

Every organisation should also have an archiving policy for such record, data, information etc that are to be preserved permanently because of their enduring value.

Out-Sourcing Issues:

Now a days most of the organizations resort to the practice of out-sourcing their routine activities and also system development, implementation and maintenance issues to the external agencies in order to concentrate more on their core activities. During the process of outsourcing, there are elements of risk involved in relation to access of outside agencies to organization's resources and critical information etc. Auditors are very much concerned with this issue and their involvement or active association may reduce or stop the instances of data theft or other unwanted instances.

Change Management Controls

Auditor's involvement would also ensure that proper change management controls have been built into the system so as to ensure that only authorised and approved changes are being made in the system and proper documentation exists for each area of the system to support future modifications.

System Security Issues:

Auditor would ensure that due care has been taken to design all required security (general, input, processing and output) issues to prevent the system from probable security breach instances.


Data Migration Issues:

Generally in case of organisations switching over from one platform to another platform, i.e. change of application system, the data pertaining to the previous database system is either not migrated fully into the new system or, if it is done, the same is found to be full of migration errors. Auditors also see that this problem is not carried over in the new application.


Annexure I

Stakeholder agencies

1) National Information Board (NIB)

National Information Board is an apex agency with representatives from relevant Departments and agencies that form part of the critical minimum information infrastructure in the country. NIB is entrusted with the responsibility of enunciating the national policy on information security and coordination on all aspects of information security governance in the country. NIB is headed by the National Security Advisor.

2) National Crisis Management Committee (NCMC)

The National Crisis Management Committee (NCMC) is an apex body of Government of India for dealing with major crisis incidents that have serious or national ramifications. It will also deal with national crisis arising out of focused cyber attacks. NCMC is headed by the Cabinet Secretary and comprises of Secretary level officials of Govt. of India. When a situation is being handled by the NCMC it will give directions to the Crisis Management Group of the Central Administrative Ministry/Department as deemed necessary. (http://www.ndmindia.nic.in)

3) National Security Council Secretariat (NSCS)

National Security Council Secretariat (NSCS) is the apex agency looking into the political, economic, energy and strategic security concerns of India and acts as the secretariat to the NIB.

4) Ministry of Home Affairs (MHA)

Ministry of Home Affairs issues security guidelines from time to time to secure physical infrastructure. The respective Central Administrative Ministries/Departments and critical sector organizations are required to implement these guidelines for beefing up/strengthening the security measures of their infrastructure. MHA sensitizes the administrative departments and organizations about vulnerabilities and also assists the respective administrative Ministry/Departments. (www.mha.nic.in/)

5) Ministry of Defence

Ministry of Defence is the nodal agency for cyber security incident response with respect to Defence sector. MoD, IDS (DIARA), formed under the aegis of Headquarters, Integrated Defence Staff, is the nodal tri-Services agency at the national level to effectively deal with all aspects of Information Assurance and operations. It has also formed the Defence CERT, whose primary function is to coordinate the activities of services/MoD CERTs. It works in close association with CERT-In to ensure perpetual availability of Defence networks. (mod.nic.in/)

6) Department of Information Technology (DIT)

Department of Information Technology (DIT) is under the Ministry of Communications and Information Technology, Government of India. DIT strives to make India a global leading player in Information Technology and at the same time take the benefits of Information Technology to every walk of life for developing an empowered and inclusive society. It is mandated with the task of dealing with all issues related to promotion & policies in electronics & IT. (http://deity.gov.in/)

7) Department of Telecommunications (DoT)

Department of Telecommunications (DoT) under the Ministry of Communications and Information Technology, Government of India, is responsible to coordinate with all ISPs and service providers with respect to cyber security incidents and response actions as deemed necessary by CERT-In and other government agencies. DoT will provide guidelines regarding roles and responsibilities of Private Service Providers and ensure that these Service Providers are able to track the critical optical fiber networks for uninterrupted availability and have arrangements of alternate routing in case of physical attacks on these networks. (www.dot.gov.in/)

8) National Cyber Response Centre - Indian Computer Emergency Response Team (CERT-In)

CERT-In monitors Indian cyberspace and coordinates alerts and warning of imminent attacks and detection of malicious attacks among public and private cyber users and organizations in the country. It maintains 24x7 operations centre and has working relations/collaborations and contacts with CERTs, all over the world; and Sectoral CERTs, public, private, academia, Internet Service Providers and vendors of Information Technology products in the country. It would work with Government, Public & Private Sectors and Users in the country and monitors cyber incidents on continuing basis through out the extent of incident to analyse and disseminate information and guidelines as necessary. The primary constituency of CERT-In would be organizations under public and private sector domain. (www.cert-in.org.in/)

9) National Information Infrastructure Protection Centre (NIIPC)

NIIPC is a designated agency to protect the critical information infrastructure in the country. It gathers intelligence and keeps a watch on emerging and imminent cyber threats in strategic sectors including National Defence. They would prepare threat assessment reports and facilitate sharing of such information and analysis among members of the Intelligence, Defence and Law enforcement agencies with a view to protecting these agencies' ability to collect, analyze and disseminate intelligence. NIIPC would interact with other incident response organizations including CERT-In, enabling such organizations to leverage the Intelligence agencies' analytical capabilities for providing advanced information of potential threats.

10) National Disaster Management Authority (NDMA)

The National Disaster Management Authority (NDMA) is the Apex Body for Disaster Management in India and is responsible for creation of an enabling environment for institutional mechanisms at the State and District levels. NDMA envisions the development of an ethos of Prevention, Mitigation and Preparedness and is striving to promote a National resolve to mitigate the damage and destruction caused by natural and man-made disasters, through sustained and collective efforts of all Government agencies, Non-Governmental Organizations and People's participation. (ndma.gov.in/)

11) Standardisation, Testing and Quality Certification (STQC) Directorate

STQC is a part of Department of Information Technology and is an internationally recognized Assurance Service providing organization. STQC has established nation-wide infrastructure and developed competence to provide quality assurance and conformity assessment services in IT Sector including Information Security and Software Testing/Certification. It has also established a test/evaluation facility for comprehensive testing of IT security products as per ISO 15408 common criteria security testing standards. (www.stqc.gov.in/)

12) Sectoral CERTs

Sectoral CERTs in various sectors such as Defence, Finance (IDRBT), Railways, Petroleum and Natural Gas, etc, would interact and work closely with CERT-In for mitigation of crisis affecting their constituency. Sectoral CERTs and CERT-In would also exchange information on latest threats and measures to be taken to prevent the crisis.