Cyber Security – Indian Perspective

A PRESENTATION BY
R. M. JOHRI
PRINCIPAL DIRECTOR
(INFORMATION SYSTEMS)
OFFICE OF CAG OF INDIA
 Quotable Quotes

 The only system which is truly secure is one which is switched off
and unplugged, locked in a titanium safe, buried in a concrete
bunker, and is surrounded by nerve gas and very highly paid
armed guards. Even then, I wouldn’t stake my life on it.
(By Professor Gene Spafford)

In security matters,
there is nothing like absolute security”
“We are only trying to build comfort levels, because security costs
money and lack of it costs much more”
“Comfort level is a manifestation of efforts as well as a realization of
their effectiveness & limitations’
 Cyber world – Current Scenario

 Advances in information and communications technologies have

revolutionised government scientific , educational and
commercial infrastructures.
 The IT infrastructure has become integral part of the critical
infrastructure which supports national capabilities such as
power grids, emergency communication systems, financial
systems , defence systems and air traffic control networks. The
operational stability and security of critical information
infrastructure is vital for economic security of the country.
 It also enables large scale processes through out the economy by
facilitating complex interactions among individuals,
organisations and systems across global networks for trade and
economic requirements.
 Technology trends

 Increasing complexity of IT systems and networks will mount

security challenges for both providers and consumers.
 The evolving nature of the telecommunications infrastructure, as
the traditional phone systems and IT networks converge into a
more unified architecture.
 The expanding wireless connectivity to individual computers and
networks making it increasingly difficult to determine the
physical and logical boundaries of networks.
 The increasing interconnectivity and accessibility (and
consequently risk) to computer based systems that are critical to
country’s economy.
 Information Security – General trends

Packet Forging/ Spoofing

High
Stealth Diagnostics

Sophistication of
Sniffers Hacker
Sweepers
Hijacking Tools
Back Doors Sessions
Exploiting Known Disabling
Vulnerabilities Audits

Password
Cracking
Self Replicating Code Technical
Knowledge
Password Guessing Required

Low
1980
Security trends and challenges beyond 2008 1990 2006 01 Dec 2007
 Global Cyber security Trends – The next wave

Recent studies reveal three major findings:

 Growing threat to national security - web espionage becomes
increasingly advanced, moving from curiosity to well-funded and
well-organized operations aimed at not only financial, but also
political or technical gain
 Increasing threat to online services – affecting individuals
and industry because of growth of sophistication of attack
techniques
 Emergence of a sophisticated market for software flaws –
that can be used to carry out espionage and attacks on Govt. and
Critical information infrastructure. Findings indicate a blurred line
between legal and illegal sales of software vulnerabilities
Mischievous activities in cyber space have expanded from novice geeks to
organized criminal gangs that are going Hi-tech
 Threats to National security

Internet has become an weapon for political, military and economic espionage

 Organized cyber attacks have been witnessed

 Pentagon, US in
 Estonia in April 2007
 Computer systems of German Chancellery and three Ministries
 E-mail accounts at National Informatics Centre, India
 Highly classified Govt. computer networks in New Zealand & Australia

 The software used to carry out these attacks indicate that they were clearly designed & tested with much
greater resources than usual individual hackers.

 Most Govt. agencies and companies around the world use common computing technologies & systems that
are frequently penetrated by criminal hackers and malware.

 Traditional protective measures are not enough to protect against attacks such as those on Estonia, as the
complexity and coordination in using the botnets was totally new. National networks with less
sophistication in monitoring and defense capabilities could face serious problems to National security.

There are signs that intelligence agencies around the world are constantly
probing others’ networks and developing new ways to gather intelligence
 Threats to Online services

Online services are becoming prime targets for cyber criminals

 Cyber criminals continue to refine their means of deceit as well as their victims In summary, the
global threats affecting users are:

 New & sophisticated forms of attacks.

 Attacks targeting new technologies, such as VoIP (vishing – phishing via VoIP & phreaking –
hacking tel networks to make free long distance calls) and peer-to-peer services.
 Attacks targeting online social networks.
 Attacks targeting online services, particularly online banking services.

 There is a new level of complexity in malware not seen before. These are more resilient, are
modified over and over again and contain highly sophisticated functionality such as encryption
(Ex. Nuwar also known as ‘Zhelatin’ and ‘Storm’ worm’ – with a new variant appearing almost
daily)

 As a trend we will see an increase in threats that hijack PCs with bots. Another challenging trend is
the arrival of self-modifying threats

Given the exponential growth in social networking sites, social engineering may
shortly become the easiest & quickest way to commit ID theft
 Hi-Tech crime: A thriving economy

The market is growing for zero-day threats & tools for cyber crime
 With so many PCs now infected (around 5 % of all global machines are zombies), competition to supply
botnets has become intense. The cost of renting a platform for spamming is now around $ 3 - 7 Cents per
zombie per week.

 A budget as little as $ 25 to $ 1500 USD can buy you a trojan that is built to steal credit card data and mail
it you. Malware is being custom written to target specific companies and agencies.

 Computer skills are no longer necessary to execute cyber crime. On the flip side malware writers today
need not commit crimes themselves. People can subscribe to the tools that can keep them updated with
latest vulnerabilities and even test themselves against security solutions (Ex. MPACK pr Pinch include
support service).

 The black market for stolen data (Ex. Credit cards, e-mails, skype accounts etc) is now well established
and the cost of obtaining credit cards is upwards of $ 5 USD.

 Another black market that is causing alarm to Govts is that of Zero-day exploits. In Jan 2006 a Microsoft
WMF (windows meta file) exploit was sold for $ 4000 USD.

 Competition is so intense among cyber criminals that ‘customer service’ has now become a specific selling point
 Future Trends

Trends suggest an increase in safe havens for cyber criminals and

hence the need for International cooperation arrangements.

 It is an inevitable that some countries will become safe havens for

cyber criminals and international pressure to crack down won’t
work well.
 It is believed that in next few years Govts are likely to get aggressive
and pursue action against the specific
individuals/groups/companies, regardless of location.
 It is also likely that Govts will start putting pressure on
intermediary bodies that have the skills and resources, such as
banks, ISPs and software vendors to protect the public from
malware, hacking and social engineering.
 Future Trends

 We may see industry sector codes of practice demanding

improved security measures, backed probably by assurance and
insurance schemes.
 Greater connectivity, more embedded systems and less obvious
perimeters.
 Compliance regulations will drive upgrades and changes and also
increase system complexity and legal wrangles – increase in civil
suits for security breaches.
 Massive data storing patterns that ensure data never goes away –
a boon to law enforcement agencies .
 As of now, cyber criminals seem to have no real threat of
prosecution. Our job is to create a climate of fear of effective
prosecution, as in other types of crime.
 Cyber Crime - categories

Cyber Crime is a generic term that refers to all criminal activities

done using the medium of communication devices, computers,
mobile phones, tablets etc. It can be categorised in three ways:
 The computer as a target – attacking the computers of
others.

 The computer as a weapon- Using a computer to commit

“traditional crime” that we see in the physical world.

 The computer as an accessory- Using a computer as a “fancy

filing cabinet” to store illegal or stolen information.
 Cyber crime – Most common forms

 Hacking – Unauthorised attempts to bypass the security

mechanism of an information system or network.
 Data theft ( using flash/pen drives, digital cameras).
 Virus or worms, Malware or Trojan horses.
 Identity Theft
 E- mail spoofing
 Botnets and Zombies
 Scareware
 Cyber Incidents - Indian experience

 Cyber crime in India resulted in 29.9 million people being victim

of cybercrime involving direct financial losses to the tune of $4
billion and $3.6 billion in terms of time spent in resolving the
crime.

 4 out of 5 online adults( 80%) being victim of cyber crime

 17% of adults online experiencing on their mobile phones

 ( source: Norton Cybercrime Report)

 Cyber Crime – Why India

The main reasons for India as a main target of cyber crime are:
 Rapidly growing online user base ( 121 million internet users, 65
million active internet users, up 28% from 51 million in 2010).

 50 million users shop online on ecommerce and online shopping

sites.

 46+ million social network users.

 400 million mobile users had subscribed to data packages

(source IAMAI 2011).
 Cyber security - Principles

 Confidentiality: Information which is sensitive or confidential

must remain so and be shared only with appropriate users. For
example, our confidential medical records should be released
only to those people or organizations (i.e. doctor, hospital,
insurance, government agency, you) authorized to see it.
 Integrity: Information must retain its integrity and not be
altered from its original state. The records should be well
protected so that no one can change the information without
authorization.
 Availability: Information and systems must be available to
those who need it. The records should be available and
accessible to authorized users.
 Cyber security- Indian Response

Government of India had set up an Inter Departmental

Information Security Task Force (ISTF) with National security
council as the nodal agency. The task force studied and deliberated
on the issues such as :
 National Information security Threat perceptions.
 Critical minimum Infrastructure to be protected.
 Ways and means of ensuring Information security including
identification of relevant technologies.
 Legal procedures required to ensure Information security.
 Awareness , Training and Research in Information Security.
 Cyber security- Indian Response
Contd.

On the recommendations of ISTF the following initiatives have

been taken :
 Indian Computer Emergency Response Team ( CERT-In) has
been established to respond to the cyber security incidents and
take steps to prevent recurrence of the same.
 PKI infrastructure has been set up to support implementation of
Information Technology Act and promote use of Digital
signatures.
 Government has been supporting R&D activities through
premier Academic and Public Sector Institutions in the country.
 Cyber security- Indian Response
Contd.

To pursue the strategic objectives the following major

initiatives have been identified.

 Security Policy, Compliance and Assurance.

 Security Incident – Early warning and response.
 Security Training – skills/competence development & user end
awareness.
 Security R&D for securing the Infrastructure, meeting the
domain specific needs and enabling technologies.
 Security – Promotion & Publicity.
 Cyber security- Indian Response
Contd.

 Information Security Policy Assurance Framework for the

protection of Government Cyberspace and critical infrastructure
has been developed .
 The Government has mandated Implementation of Security
Policy in accordance with the Information Security Standard ISO
27001.
 Currently 246 organisations have obtained certification against
the ISO 27001 as against the total number of 2814 certificates
issued worlwide .
 Security auditors have been empanelled for auditing , including
vulnerability assessment & penetration testing of computer
systems and networks of the Government, critical infrastructure
organisations and those in other sectors of the economy.
 Cyber security- Indian Response
Contd.

Security Policy, Compliance and Assurance

 Critical Information Infrastructure Protection ( Critical sectors include

Defence, Finance, Energy, Transportation and Telecommunications) .
Emphasis has to be put on improved software development, system
engineering practices and the adoption of strengthened security models
and best practices).
 Cyber Security Assurance Framework ( Assessment and certification of
compliance to IT security best practices, standards and guidelines- ISO
27001 /BS7799 ISMS certification etc, IT security product evaluation and
certification as per “Common criteria standard ISO 15408 and Crypto
module verification standards ”
 IT security manpower training and other services to assist user in IT
security implementation and compliance.
 Trusted Company certification ( ISO 9000, CMM, six sigma, TQM, ISO
27001 etc) . Efforts are on to create a model that is based on self
certification and on the lines of Software capability maturity model (SW-
CMM) of CMU, USA.
 Cyber security- Indian Response
Contd.

Security Incident – Early Warning and response

 Rapid Identification , information exchange and remediation can
mitigate the damage caused by malicious cyberspace activity.
 The essential actions under National Cyber Alert System.
 Identification of focal points in the critical infrastructure.
 Establish a public – private architecture for responding to national-
level cyber incidents.
 Tactical and strategic analysis of cyber attacks and vulnerability
assessments.
 Expand the Cyber warning and Information Network to support
the role of Government in coordinating crisis management for
cyberspace security.
 Improve national response capabilities ( CERT –In and sectoral
CERTs), Exercise cyber security continuity plans and drills.
 International cooperation and Information sharing.
 Cyber security- Indian Response
Contd.

Security training – Security Digital Evidence & Forensics

 Promote a comprehensive national awareness program.
 Foster adequate training to meet the specific needs of Law
Enforcement , Judiciary and other users.
 Training and education programs to support the Nation’s cyber
security needs.
 Increase the efficiency of existing cyber security training
programs and devise domain specific training programs ( ex:
Law Enforcement , Judiciary , E – Governance etc).
 Promote private- sector coordination for well coordinated,
widely recognised professional cyber security certifications.
 Cyber security- Indian Response
Contd.

Security Research and Development

 Creation of knowledge and expertise to face new and emerging

security challenges to produce cost- effective, tailor made
indigenous security solutions and even compete for export
market in information security products and services.
 Private sector is expected to play key role for meeting the
Research and Development needs leading to commercially viable
products. It may also undertake collaborative R&D with leading
research organisations.
 Cyber security- Indian Response
Contd.

Promotion and Publicity

 Information security awareness promotion is an ongoing

process. The main purpose is to achieve the broadest penetration
to enhance awareness and alert larger cyber community in cases
of significant threats.
 The promotion and publicity campaign could include seminars,
exhibitions, contests, radio and TV programs, videos on specific
topics, Web casts, Pod casts , Leaflets and posters, suggestion
and award schemes.
 Cyber security- Auditor’s perspective

An auditor’s concern on the Cyber Security may arise at

any of the following three stages :
 Design Stage: At this stage auditor’s involvement would ensure
that requisite Embedded Audit Modules (EAM) or Integrated
Test facility (ITF) etc. have been duly designed to ensure proper
interrogation of the data.
 Development Stage : At this stage it would lead to an
assurance that necessary audit trail/ audit module to furnish
information required by auditor at different stages of processing
are being built into the system under development.
 Analysing stage : At this stage it will ensure that the system so
developed is capable of providing requisite information in a
timely manner and to the authorised persons to support and
assist in decision making process.
 Cyber security- Auditor’s perspective
Contd.

Other issues:
 Back Up and Recovery – There should be a policy in existence
to ensure that regular back up of the critical data are taken and
kept on-site and off-site to ensure its availability whenever
required.
 Outsourcing - Risks related to integrity, availability and
confidentiality of data need to be addressed
 Change Management controls – Only authorised and
approved changes are made and proper documentation exists for
each area of the system to support future modifications.
 System Security Issues
 Data Migration Issues
 Survival

 “Itis not the strongest of the species that survive,

nor the most intelligent, but the one most
responsive to change.

Charles Darwin

 Q &A
Thank You