– Indian Perspective Cyber Security
Transcription
– Indian Perspective Cyber Security
Cyber Security – Indian Perspective A PRESENTATION BY R. M. JOHRI PRINCIPAL DIRECTOR (INFORMATION SYSTEMS) OFFICE OF CAG OF INDIA Quotable Quotes The only system which is truly secure is one which is switched off and unplugged, locked in a titanium safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it. (By Professor Gene Spafford) In security matters, there is nothing like absolute security” “We are only trying to build comfort levels, because security costs money and lack of it costs much more” “Comfort level is a manifestation of efforts as well as a realization of their effectiveness & limitations’ Cyber world – Current Scenario Advances in information and communications technologies have revolutionised government scientific , educational and commercial infrastructures. The IT infrastructure has become integral part of the critical infrastructure which supports national capabilities such as power grids, emergency communication systems, financial systems , defence systems and air traffic control networks. The operational stability and security of critical information infrastructure is vital for economic security of the country. It also enables large scale processes through out the economy by facilitating complex interactions among individuals, organisations and systems across global networks for trade and economic requirements. Technology trends Increasing complexity of IT systems and networks will mount security challenges for both providers and consumers. The evolving nature of the telecommunications infrastructure, as the traditional phone systems and IT networks converge into a more unified architecture. The expanding wireless connectivity to individual computers and networks making it increasingly difficult to determine the physical and logical boundaries of networks. The increasing interconnectivity and accessibility (and consequently risk) to computer based systems that are critical to country’s economy. Information Security – General trends Packet Forging/ Spoofing High Stealth Diagnostics Sniffers Sweepers Back Doors Exploiting Known Vulnerabilities Hijacking Sessions Disabling Audits Sophistication of Hacker Tools Password Cracking Self Replicating Code Password Guessing Technical Knowledge Required Low 1980 Security trends and challenges beyond 2008 1990 2006 01 Dec 2007 Global Cyber security Trends – The next wave Recent studies reveal three major findings: Growing threat to national security - web espionage becomes increasingly advanced, moving from curiosity to well-funded and well-organized operations aimed at not only financial, but also political or technical gain Increasing threat to online services – affecting individuals and industry because of growth of sophistication of attack techniques Emergence of a sophisticated market for software flaws – that can be used to carry out espionage and attacks on Govt. and Critical information infrastructure. Findings indicate a blurred line between legal and illegal sales of software vulnerabilities Mischievous activities in cyber space have expanded from novice geeks to organized criminal gangs that are going Hi-tech Threats to National security Internet has become an weapon for political, military and economic espionage Organized cyber attacks have been witnessed Pentagon, US in Estonia in April 2007 Computer systems of German Chancellery and three Ministries E-mail accounts at National Informatics Centre, India Highly classified Govt. computer networks in New Zealand & Australia The software used to carry out these attacks indicate that they were clearly designed & tested with much greater resources than usual individual hackers. Most Govt. agencies and companies around the world use common computing technologies & systems that are frequently penetrated by criminal hackers and malware. Traditional protective measures are not enough to protect against attacks such as those on Estonia, as the complexity and coordination in using the botnets was totally new. National networks with less sophistication in monitoring and defense capabilities could face serious problems to National security. There are signs that intelligence agencies around the world are constantly probing others’ networks and developing new ways to gather intelligence Threats to Online services Online services are becoming prime targets for cyber criminals Cyber criminals continue to refine their means of deceit as well as their victims In summary, the global threats affecting users are: New & sophisticated forms of attacks. Attacks targeting new technologies, such as VoIP (vishing – phishing via VoIP & phreaking – hacking tel networks to make free long distance calls) and peer-to-peer services. Attacks targeting online social networks. Attacks targeting online services, particularly online banking services. There is a new level of complexity in malware not seen before. These are more resilient, are modified over and over again and contain highly sophisticated functionality such as encryption (Ex. Nuwar also known as ‘Zhelatin’ and ‘Storm’ worm’ – with a new variant appearing almost daily) As a trend we will see an increase in threats that hijack PCs with bots. Another challenging trend is the arrival of self-modifying threats Given the exponential growth in social networking sites, social engineering may shortly become the easiest & quickest way to commit ID theft Hi-Tech crime: A thriving economy The market is growing for zero-day threats & tools for cyber crime With so many PCs now infected (around 5 % of all global machines are zombies), competition to supply botnets has become intense. The cost of renting a platform for spamming is now around $ 3 - 7 Cents per zombie per week. A budget as little as $ 25 to $ 1500 USD can buy you a trojan that is built to steal credit card data and mail it you. Malware is being custom written to target specific companies and agencies. Computer skills are no longer necessary to execute cyber crime. On the flip side malware writers today need not commit crimes themselves. People can subscribe to the tools that can keep them updated with latest vulnerabilities and even test themselves against security solutions (Ex. MPACK pr Pinch include support service). The black market for stolen data (Ex. Credit cards, e-mails, skype accounts etc) is now well established and the cost of obtaining credit cards is upwards of $ 5 USD. Another black market that is causing alarm to Govts is that of Zero-day exploits. In Jan 2006 a Microsoft WMF (windows meta file) exploit was sold for $ 4000 USD. Competition is so intense among cyber criminals that ‘customer service’ has now become a specific selling point Future Trends Trends suggest an increase in safe havens for cyber criminals and hence the need for International cooperation arrangements. It is an inevitable that some countries will become safe havens for cyber criminals and international pressure to crack down won’t work well. It is believed that in next few years Govts are likely to get aggressive and pursue action against the specific individuals/groups/companies, regardless of location. It is also likely that Govts will start putting pressure on intermediary bodies that have the skills and resources, such as banks, ISPs and software vendors to protect the public from malware, hacking and social engineering. Future Trends We may see industry sector codes of practice demanding improved security measures, backed probably by assurance and insurance schemes. Greater connectivity, more embedded systems and less obvious perimeters. Compliance regulations will drive upgrades and changes and also increase system complexity and legal wrangles – increase in civil suits for security breaches. Massive data storing patterns that ensure data never goes away – a boon to law enforcement agencies . As of now, cyber criminals seem to have no real threat of prosecution. Our job is to create a climate of fear of effective prosecution, as in other types of crime. Cyber Crime - categories Cyber Crime is a generic term that refers to all criminal activities done using the medium of communication devices, computers, mobile phones, tablets etc. It can be categorised in three ways: The computer as a target – attacking the computers of others. The computer as a weapon- Using a computer to commit “traditional crime” that we see in the physical world. The computer as an accessory- Using a computer as a “fancy filing cabinet” to store illegal or stolen information. Cyber crime – Most common forms Hacking – Unauthorised attempts to bypass the security mechanism of an information system or network. Data theft ( using flash/pen drives, digital cameras). Virus or worms, Malware or Trojan horses. Identity Theft E- mail spoofing Botnets and Zombies Scareware Cyber Incidents - Indian experience Cyber crime in India resulted in 29.9 million people being victim of cybercrime involving direct financial losses to the tune of $4 billion and $3.6 billion in terms of time spent in resolving the crime. 4 out of 5 online adults( 80%) being victim of cyber crime 17% of adults online experiencing on their mobile phones ( source: Norton Cybercrime Report) Cyber Crime – Why India The main reasons for India as a main target of cyber crime are: Rapidly growing online user base ( 121 million internet users, 65 million active internet users, up 28% from 51 million in 2010). 50 million users shop online on ecommerce and online shopping sites. 46+ million social network users. 400 million mobile users had subscribed to data packages (source IAMAI 2011). Cyber security - Principles Confidentiality: Information which is sensitive or confidential must remain so and be shared only with appropriate users. For example, our confidential medical records should be released only to those people or organizations (i.e. doctor, hospital, insurance, government agency, you) authorized to see it. Integrity: Information must retain its integrity and not be altered from its original state. The records should be well protected so that no one can change the information without authorization. Availability: Information and systems must be available to those who need it. The records should be available and accessible to authorized users. Cyber security- Indian Response Government of India had set up an Inter Departmental Information Security Task Force (ISTF) with National security council as the nodal agency. The task force studied and deliberated on the issues such as : National Information security Threat perceptions. Critical minimum Infrastructure to be protected. Ways and means of ensuring Information security including identification of relevant technologies. Legal procedures required to ensure Information security. Awareness , Training and Research in Information Security. Cyber security- Indian Response Contd. On the recommendations of ISTF the following initiatives have been taken : Indian Computer Emergency Response Team ( CERT-In) has been established to respond to the cyber security incidents and take steps to prevent recurrence of the same. PKI infrastructure has been set up to support implementation of Information Technology Act and promote use of Digital signatures. Government has been supporting R&D activities through premier Academic and Public Sector Institutions in the country. Cyber security- Indian Response Contd. To pursue the strategic objectives the following major initiatives have been identified. Security Policy, Compliance and Assurance. Security Incident – Early warning and response. Security Training – skills/competence development & user end awareness. Security R&D for securing the Infrastructure, meeting the domain specific needs and enabling technologies. Security – Promotion & Publicity. Cyber security- Indian Response Contd. Information Security Policy Assurance Framework for the protection of Government Cyberspace and critical infrastructure has been developed . The Government has mandated Implementation of Security Policy in accordance with the Information Security Standard ISO 27001. Currently 246 organisations have obtained certification against the ISO 27001 as against the total number of 2814 certificates issued worlwide . Security auditors have been empanelled for auditing , including vulnerability assessment & penetration testing of computer systems and networks of the Government, critical infrastructure organisations and those in other sectors of the economy. Cyber security- Indian Response Contd. Security Policy, Compliance and Assurance Critical Information Infrastructure Protection ( Critical sectors include Defence, Finance, Energy, Transportation and Telecommunications) . Emphasis has to be put on improved software development, system engineering practices and the adoption of strengthened security models and best practices). Cyber Security Assurance Framework ( Assessment and certification of compliance to IT security best practices, standards and guidelines- ISO 27001 /BS7799 ISMS certification etc, IT security product evaluation and certification as per “Common criteria standard ISO 15408 and Crypto module verification standards ” IT security manpower training and other services to assist user in IT security implementation and compliance. Trusted Company certification ( ISO 9000, CMM, six sigma, TQM, ISO 27001 etc) . Efforts are on to create a model that is based on self certification and on the lines of Software capability maturity model (SWCMM) of CMU, USA. Cyber security- Indian Response Contd. Security Incident – Early Warning and response Rapid Identification , information exchange and remediation can mitigate the damage caused by malicious cyberspace activity. The essential actions under National Cyber Alert System. Identification of focal points in the critical infrastructure. Establish a public – private architecture for responding to nationallevel cyber incidents. Tactical and strategic analysis of cyber attacks and vulnerability assessments. Expand the Cyber warning and Information Network to support the role of Government in coordinating crisis management for cyberspace security. Improve national response capabilities ( CERT –In and sectoral CERTs), Exercise cyber security continuity plans and drills. International cooperation and Information sharing. Cyber security- Indian Response Contd. Security training – Security Digital Evidence & Forensics Promote a comprehensive national awareness program. Foster adequate training to meet the specific needs of Law Enforcement , Judiciary and other users. Training and education programs to support the Nation’s cyber security needs. Increase the efficiency of existing cyber security training programs and devise domain specific training programs ( ex: Law Enforcement , Judiciary , E – Governance etc). Promote private- sector coordination for well coordinated, widely recognised professional cyber security certifications. Cyber security- Indian Response Contd. Security Research and Development Creation of knowledge and expertise to face new and emerging security challenges to produce cost- effective, tailor made indigenous security solutions and even compete for export market in information security products and services. Private sector is expected to play key role for meeting the Research and Development needs leading to commercially viable products. It may also undertake collaborative R&D with leading research organisations. Cyber security- Indian Response Contd. Promotion and Publicity Information security awareness promotion is an ongoing process. The main purpose is to achieve the broadest penetration to enhance awareness and alert larger cyber community in cases of significant threats. The promotion and publicity campaign could include seminars, exhibitions, contests, radio and TV programs, videos on specific topics, Web casts, Pod casts , Leaflets and posters, suggestion and award schemes. Cyber security- Auditor’s perspective An auditor’s concern on the Cyber Security may arise at any of the following three stages : Design Stage: At this stage auditor’s involvement would ensure that requisite Embedded Audit Modules (EAM) or Integrated Test facility (ITF) etc. have been duly designed to ensure proper interrogation of the data. Development Stage : At this stage it would lead to an assurance that necessary audit trail/ audit module to furnish information required by auditor at different stages of processing are being built into the system under development. Analysing stage : At this stage it will ensure that the system so developed is capable of providing requisite information in a timely manner and to the authorised persons to support and assist in decision making process. Cyber security- Auditor’s perspective Contd. Other issues: Back Up and Recovery – There should be a policy in existence to ensure that regular back up of the critical data are taken and kept on-site and off-site to ensure its availability whenever required. Outsourcing - Risks related to integrity, availability and confidentiality of data need to be addressed Change Management controls – Only authorised and approved changes are made and proper documentation exists for each area of the system to support future modifications. System Security Issues Data Migration Issues Survival “It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change. Charles Darwin Q &A Thank You