Download - Cyber Security-SAI India.doc
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 1/24
1
Cyber Security - Indian Scenario
Computers play an important part of our lives—in airports, banks, railway
stations and every well-equipped modern office, as they have brought about a
tremendous revolution and are likely to play an even greater role in our life inthe days to come. Some of the areas in which computers are being used
include issue of birth/death records, land records, licensing, taation,
communication ! email, cell phone, teting, vehicle registration and issue of
driving licenses, air navigation, banking etc."
#n one side the development of Computers and increasing use of $nternet
has sped up the pace of activities and facilitated integration of various
operations by wiping out physical and geographical barriers, on the other side
it has increased our dependence on these machines. This increased
dependence has also increased the risk perception of systems whichdeliver these services as any disruption may result in things going hay
wire. Hence there is an increased need to protect computer systems.
Cyber Security has become the order of the day. This paper discussed
the various facets of cyber crime and tries to address the issue by
suggesting a way forward.
Cyber Crime:
Cyber Crime is a generic term that refers to all criminal activities done using
the medium of communication devices, computers, mobile phones, tabletsetc., the internet, cyber space and the worldwide web.
Cyber crime can be categoried in three ways:
The computer as a target ! attacking the computers of others
%spreading viruses is an eample". The computer as a weapon ! using a computer to commit &traditional
crime' that we see in the physical world %such as fraud or illegal
gambling".
The computer as an accessory ! using a computer as a &fancy filing
cabinet' to store illegal or stolen information.
Types of Cyber Crimes
Hacking: (eans unauthori)ed attempts to bypass the security
mechanism of an information system or network. $n simple words
*acking is the unauthori)ed access to a computer system. +hese
attempts intend to result in denial of service. enial of Service refers to
an attack that successfully prevents or impairs the authori)ed
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 2/24
2
functionality of networks, systems or applications by ehausting
resources. !ata Theft: it is a growing problem, primarily perpetrated by office
workers with access to technology such as desktop computers and
hand-held devices, capable of storing digital information such as flashdrives, iods and even digital cameras.
"irus or worms# $alware or Tro%an horses: +hese are softwares
written to disrupt the normal functioning of the computers. $n most
cases viruses can do any amount of damage, the creator intends them
to do cause damage in terms of data corruption, data loss etc. +hese
spread by email, instant messaging, malicious websites, and infected
non-malicious websites. Some websites will automatically download
the malware without the users knowledge or intervention. +his is
known as a drive-by download. #ther methods will require the usersto click on a link or button.
Identity theft: $t is the term used to refer to fraud that involves stealing
money or getting other benefits by pretending to be someone else.
&-$ail Spoofing: is a technique used by hackers to fraudulently send
email message in which sender address and other parts of the email
header are altered to appear as though the email originated from a
source other than its actual source.
'otnets and ombies: 0 botnet, short for robot network, is an
aggregation of compromised computers that are connected to a central
controller. +he compromised computers are often referred to as
)ombies. +hese threats will continue to proliferate as the attack
techniques evolve and become available to a broader audience, with
less technical knowledge required to launch successful attacks.
(Scareware) ! fake security software warnings- +his type of scam can
be particularly profitable for cyber criminals, as many users believe the
pop-up warnings telling them their system is infected and are lured intodownloading and paying for the special software to protect their
system.
Cybercrimes * +lobal Scanario
+he ma1ority of cybercrimes are centered on forgery, fraud and
phishing,. $ndia is the third-most targeted country for phishing attacks
1 +he act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in anattempt to scam the user into surrendering private information that will be used for identity theft. +he e-
mail directs the user to visit a 2eb site where they are asked to update personal information, such aspasswords and credit card, social security, and bank account numbers, that the legitimate organi)ationalready has. +he 2eb site, however, is bogus and set up only to steal the user ��s information.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 3/24
3
after the 3S and the 34. Social networks as well as ecommerce sites
are ma1or targets. $nstances include5 6.7 million bot-infected systems in
89:9, :;,<;= website defacements in 89:9, 6,=>9. %ot" in and ;,:>9 .
%ot"com domains were defaced during 89::, :>,999 sites hacked in
89:: and $ndia is the number , country in the world for generating spam
8
.
Cyber crime and real impacts
?stimated @: +rillion of intellectual property stolen each year %Aartner
B (c0fee, an 8997" Deported cyber attacks on 3.S. government computer networks
climbed ;9E in 899=
Sensitive records of ;>,999 Federal 0viation 0dministration
%F00" workers breached %Feb 97"
esign secrets of all 3.S. nuclear weapons %(ichelle Gan Cleave"
stolen
Cybercrimes * India Scenario
The cyber crimes in India resulted in . million people being victim
of cybercrime involving direct financial losses to the tune of /0
billion# /1.2 billion in terms of time spent in resolving the crime# ; out of
every > online adults %345" being victim of cybercrime and ,65 of
adults online eperiencing cybercrime on their mobile phones.
7Source: Norton Cybercrime Report 2011)
8hy India9 :
In the recent past Indian has been the main target of Cyber Crimes
due to the reasons of rapidly growing online user base %,, million
internet users, 2 million active internet users, up 8=E from >: million in
89:9, 4 million users shop online on ecommerce and online shopping
sites, 02; million social network users and 102 million mobile users had
subscribed to data packages" %Source: IAMAI; Juxt; wearesocia 2011)
Cyber Security 'reach instances in India
0bout >;; government sites were hacked including those of the
defence wings, ministries and diplomatic missions. 0 recent survey by
(c0fee, the internet security giant, named $ndia among the nations
least able to defend themselves against cyber attacks. #thers on the
list include Hra)il, Domania and (eico.
2 Spam is the use of electronic messaging systems to send unsolicited bulk messages,especially advertising, indiscriminately.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 4/24
4
4ey websites hacked into include that of the rime (inisterIs #ffice,
the Jational Security 0dviserIs office, the defence ministry, air cargo
customs %(umbai", ministry of railways, Jational $nstitute of Social
efence, Hharat Sanchar Jigam Ktd, +elecom Degulatory 0uthority of
$ndia and the Central Hureau of $nvestigation. (ost of these attacksoriginated from China and akistan.
Cyber Security and its ob%ective
Cyber Security is the body of technologies, processes and practices
designed to protect networks, computers, programs and data from
attack, damage or unauthori)ed access. $n a computing contet, the
term security implies cyber security. 0S per Section 8%b" of the $nformation +echnology %amendment" 0ct
899= ! Cyber Security means protecting information, equipment,computer devices, computer resource, communication device and
information stored therein from unauthorised access, use, disclosure,
disruption, modification or destruction.
$t is the collection of security concepts, policies, guidelines, risk
management approaches, security safeguards, tools, actions, training,
best practices, assurance and technologies that can be used to protect
the cyber environment and organi)ation and userIs assets.
#rgani)ation and userIs assets include connected computing devices,telecommunications systems, infrastructure, applications, services,
personnel, and the totality of transmitted and/or stored information in
the cyber environment.
$t strives to ensure the attainment and maintenance of the security
properties of the organi)ation and userIs assets against relevant
security risks in the cyber environment.
<rinciples of Cyber Security
Confidentiality, $ntegrity, and 0vailability are three core principles of Cyber
Security.
Confidentiality: $nformation which is sensitive or confidential must remain
so and be shared only with appropriate users. For eample, our
confidential medical records should be released only to those people or
organi)ations %i.e. doctor, hospital, insurance, government agency, you"
authori)ed to see it.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 5/24
5
Integrity: $nformation must retain its integrity and not be altered from its
original state. The records should be well protected so that no one can
change the information without authorization.
=vailability5 $nformation and systems must be available to those who
need it. The records should be available and accessible to authorized
users.
8H> IS C>'&? S&C@?IT> I$<A?T=BT9
L The rising volume and sophistication of cyber security threats !
including targeting phishing scams, data theft, and other online
vulnerabilities!demand that we remain vigilant about securing our
systems and information.
L The average unprotected computer %i.e. does not have proper
security controls in place" connected to the $nternet can be
compromised in moments.
L Thousands of infected web pages are being discovered every day.
L Hundreds of millions of records have been involved in data
breaches.
L Bew attack methods are launched continuously.
L +hese are 1ust a few eamples of the threats facing us, and theyhighlight the importance of information security as a necessary
approach to protecting data and systems.
Impact of 8eak or Bo Cyber Security:
0 weak or absence of Cyber Security may lead to the following5
!enial-of-service:
+his refers to an attack that successfully prevents or impairs theauthori)ed functionality of networks, systems or applications by
ehausting resources. $t may result in 5
L Shut down a government agencyIs website, thereby preventing citi)ens
from accessing information or completing transactionsM
L Financial loss
L isruption of critical services such as emergency medical systems,
police communications or air traffic controlM
oss of critical data
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 6/24
6
=ccess to critical information having security implications
=dverse impact on the credibility of the system
ikely format of cyber crimes in India
Continued website hacks and defacements
ata and information theft
$ncreasing phishing attacks on ecommerce and financial websites
Cybercriminals targeting social and professional networks
+hreats directed at the mobile platform5 smartphones and tablets
8ay Dorward
Security <olicy# Compliance and =ssurance * egal Dramework
$+ 0ct 8999
$+ 0mendment Hill 8996 ! ata rotection B Computer Crime
Hest ractice ! $S# 8N99:
Security 0ssurance Framework-$+/$+?S/H# Companies
India and its Bational Cyber Security <olicy
+he cyber security policy is an evolving task, which need to be regularly
updated/refined in line with technological trends and security challenges
posed by such technology directions. +his policy caters for the whole
spectrum of $C+ users and providers including small and home users, mediumand large enterprises and Aovernment B non-Aovernment entities. $t provides
an over view of what it takes to effectively protect information, information
systems B networks and also to provide an insight into the AovernmentIs
approach and strategy for protection of cyber space in the country. $t also
outlines some pointers to enable collaborative working of all key players in
public B private to safeguard countryIs information and information systems.
+his policy, therefore, aims to create a cyber security framework, which will
address all the related issues over a long period. +he framework will lead to
specific actions and programmes to enhance the security posture of countryIs
cyber space.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 7/24
7
Securing cyber space * Eey policy considerations
+he key considerations for securing the cyber space include5• +he security of cyber space is not an optional issue but an imperative
need in view of its impact on national security, public safety and
economic well-being.• +he issue of cyber security needs to move beyond traditional
technological measures such as anti-virus and firewalls. $t needs to be
dynamic in nature and have necessary depth to detect, stop and
prevent attacks.
• Cyber security intelligence forms an integral component of security of
cyber space in order to be able to anticipate attacks, adopt suitable
counter measures and attribute the attacks for possible counter action.
• ?ffective correlation of information from multiple sources and real-time
monitoring of assets that need protection and at the same timeensuring that adequate epertise and process are in place to deal with
crisis situations.
• +here is a need to focus on having a suitable security posture and
adopt counter measures on the basis of hierarchy of priority and
understanding of the inter dependencies, rather than attempting to
defend against all intrusions and attacks.
• Security is all about what people, process and technology and as such
there is a clear need for focusing on people and processes while
attempting to use the best available technological solutions, which
otherwise could prove ineffective.
• 3se of adequately trained and qualified manpower along with suitable
incentives for effective results in a highly speciali)ed field of cyber
security.
• Security needs to be built-in from the conceptual design stage itself
when it comes to developing and deploying critical information
infrastructure, as opposed to having security as an afterthought.
<riorities for actionConsidering the transnational character of information technology B the cyber
space, the technical B legal challenges in ensuring security of information,information systems B networks as well as related impact on socio-economic
life in the country, the priorities for action for creating a secure cyber eco-
system include series of enabling processes, direct actions and cooperative B
collaborative efforts within the country and beyond, covering5
• Creation of necessary situational awareness regarding threats to ICT
infrastructure for determination and implementation of suitable
response
• Creation of a conducive legal environment in support of safe and
secure cyber space, adequate trust & confidence in electronic transactions, enhancement of law enforcement capabilities that can
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 8/24
8
enable responsible action by stakeholders and effective prosecution
• rotection of IT networks & gateways and critical communication &
information infrastructure
• utting in place !" # $ mechanism for cyber security emergency
response & resolution and crisis management through effective predictive, preventive, protective, response and recovery actions
• olicy, promotion and enabling actions for compliance to international
security best practices and conformity assessment %product, process,
technology & people and incentives for compliance.
• Indigenous development of suitable security techniques & technology
through frontier technology research, solution oriented research, proof
of concept, pilot development etc. and deployment of secure IT
products'processes
• Creation of a culture of cyber security for responsible user behavior &actions
• (ffective cyber crime prevention & prosecution actions• roactive preventive & reactive mitigation actions to reach out &
neutralize the sources of trouble and support for creation of global
security eco system, including public)private partnership
arrangements, information sharing, bilateral & multi)lateral agreements
with overseas C(*Ts, security agencies and security vendors etc.
• rotection of data while in process, handling, storage & transit and
protection of sensitive personal information to create a necessary
environment of trust.
egal Dramework in India to counter Cyber Crimes
Security legal framework and law enforcement
:. 0 sound legal framework and effective law enforcement procedures
are essential in deterring cyber-crime. $n this direction, recent
amendments to the $ndian $+ 0C+ 8999 provide for an ecellent means
to enable adequate trust and confidence in the online environment and
enhance law enforcement capability to deal effectively with cyber
crime. Hesides this, for greater international cooperation, there is a
need to harmoni)e national laws and enforcement procedures.
riorities for action include5
• ynamic legal framework that is in tune with the technological changes
and international developments in the area of information security %?.
?lectronic signatures, national encryption policy etc"
• edicated cyber-crime units with skilled and competent manpower• edicated state-of-the-art facilities for law enforcement for cyber crime
prevention and prosecution
• edicated state-of-the-art training facilities for law enforcement and 1udiciary to assist them in keeping track with developments
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 9/24
9
• $nternational cooperation agreements facilitating sharing of information
and crime prosecution
8. Combating Hi-Tech CrimeFCyber Crime: +he *i-+ech Crime/Cyber
Crime covers any crime committed against or using $+ systems
including hacking, web site defacements, identity theft, stealingpersonal information,. Criminals have sought to eploit the $nternet as it
offers a rapid and productive means of communicating as well as a
good chance of anonymity. 0lthough the threats in cyber space are
similar to those in the physical space %be it theft, fraud or terrorism", $+
has changed the way in which these activities are perpetrated. +he *i-
+ech/Cyber Crime strategy aims to focus on issues such as e-crime
reporting, crime reduction and prevention, legislation, response, role of
business-industry-public and international cooperation.
Information Technology 7=mendmentG =ct 443 - Chapter I
6>. +ampering with Computer Source ocuments
66. Computer Delated #ffences
660. unishment for sending offensive messages through
communication service, etc. %+his was involved in the recent arrests in
respect of comments made in Facebook."
66H. unishment for dishonestly receiving stolen computer resource or communication device
66C.unishment for identity theft
66. unishment for cheating by personation by using computer
resource
66?. unishment for violation of privacy
66F. unishment for cyber terrorism
6N. unishment for publishing or transmitting obscene material in
electronic form
6N0. unishment for publishing or transmitting of material containing
seually eplicit act, etc. in electronic form
6NH. unishment for publishing or transmitting of material depicting
children in seually eplicit act, etc. in electronic form
'&ST <?=CTIC&S:
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 10/24
10
Security best practices - compliance and assurance
7iG Critical Information Infrastructure <rotection+he primary focus of these efforts is to secure the information resources
belonging to Aovernment as well as those in the critical sectors. +he critical
sectors include efence, Finance, ?nergy, +ransportation and+elecommunications.
!a) Impementation o" security best practices in #o$t% an& Critica sectors$n order to reduce the risk of cyber attacks and improve upon the security
posture of critical information infrastructure, Aovernment and critical sector
organi)ations are required to implement security best practices in Aovt. and
Critical sectors. +his would involve the following5
:" $dentify a member of senior management, as Chief $nformation Security
#fficer %C$S#" responsible for coordinating security policy compliance efforts.
8" repare information security plan and implement the security controlmeasures as per international security best practices standards and other
guidelines.
<" Carry out periodic $+ security risk assessments and determine acceptable
level of risks, consistent with criticality of business/functional requirements.
;" eriodically test and evaluate the adequacy and effectiveness of technicalsecurity control measures implemented for $+ systems and networks usingtest and evaluation techniques like enetration +esting, Gulnerability 0ssessment, 0pplication Security +esting and 2eb Security +esting>" Carry out 0udit of $nformation infrastructure on an annual basis and when
there is ma1or up gradation/change in the $nformation +echnology
$nfrastructure, by an independent $+ Security 0uditing organi)ation
6" Deport to C?D+-$n % Computer ?mergency Desponse +eam" cyber
security incidents, as and when they occur and the status of cyber
security, periodically
!b) #o$ernment networ's 0 part of departmental budget should be earmarked for $+ and information
security needs. Hesides this, all ministries/departments and other agencies of
the government should ensure that they take necessary precautions and
steps to promote the culture of information security amongst their employeesand attached agencies. Jecessary change in office procedure should be
undertaken to bring in vogue, reliable and robust paperless offices where
required.
!c) #o$ernment secure intranet +here is a need for priority action to create a countrywide secure intranet for
connecting strategic installations with C?D+-$n as the nodal center for
emergency response and coordination. +his intranet will facilitate faster and
efficient information sharing between strategic installations and C?D+-$n as
well as supporting crisis management and disaster recovery during national $+security emergencies.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 11/24
11
7iiG Information security =ssurance Dramework$n order to ensure implementation security best practices in critical sector
organi)ations and periodic verification of compliance, there is a need to
create, establish and operate a O$nformation security 0ssurance FrameworkI,
including creation of national conformity assessment infrastructure.$nformation security 0ssurance Framework is aimed at assisting Jational level
efforts in protecting critical information infrastructure. $t supports Aovernment,
Critical $nfrastructure #rgani)ations and other key $+ users of nationIs
economy through series of &?nabling and ?ndorsing' actions.
!a) (nabin actions are essentially romotional /0dvisory/ Degulatory in
nature and involve publication of &Jational Security olicy Compliance
requirements' and cyber security guidelines and supporting documents to
facilitate cyber security implementation and compliance.
!b) (n&orsin actions are part of national conformity assessment
infrastructure. +hese are essentially commercial in nature and may involve
more than one service provider offering commercial services after having
fulfilled requisite qualification criteria and demonstrated ability prior to
empanelment. +hese include5
• =ssessment and certification of compliance to international $+
security best practices, standards and guidelines %?. $S(S
certification, +rusted company certification for +ata security and
privacy protection, $S system audits, enetration testing/Gulnerability
assessment etc"
overnment and critical infrastructure organizations can make use of
C(*T)In evaluated and empanelled third party agencies for their
organisation'site specific IT security assessment services %including
I-- assessment, risk assessment, network security profiling,
penetration testing, vulnerability assessment, application security
testing etc under specific contract and pre)determined rules of
engagement. Contact details of the agencies empanelled by C(*T)In
are available at /http0''www.cert)in.org.in1
• IT Security product evaluation and certification as per accepted
international standardsThese actions provide an assurance that the process of specification,
implementation and evaluation of a IT security product has been
conducted in a rigorous and acceptable manner.
• IT security manpower training# ualification and other related
services to assist user in $+ security implementation and compliance.
!c) *ata security an& pri$acy protection "or +,rust an& Con"i&ence-$n order to stay competitive in the global market place, business entities have
to continually generate adequate levels of trust B confidence in their services
in terms of privacy and data protection through the use of internationallyaccepted best practices and ability to demonstrate where necessary.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 12/24
12
!&) .uaity an& protection o" eectronic recor&s#rgani)ations need to ensure that important data/records are protected from
loss, destruction and falsification, in accordance with statutory, regulatory,
contractual, and business requirements. 2here a follow-up action against a
person or organi)ation involves legal action %either civil or criminal", electronicevidence needs to be properly collected, retained, and presented to conform
to the rules for evidence laid down in the relevant 1urisdiction%s". $t is a good
practice to have audit logs recording user activities, eceptions, and
information security events and retained for an agreed period to assist in
future investigations.
7iiiG &-governance 0ll e-governance initiatives in the country should be based on best information
security practices. Aovernment should encourage wider usage of ublic 4ey
$nfrastructure %4$" in its own departments. +here is a need to empanel
$nformation Security professionals/ organi)ations to assist ?-Aovernance
initiatives and monitor quality of their performance/service through appropriate
quality standards.
7ivG Secure software development and applicationSoftware development process, whether in-house or outsourced, needs to be
supervised and monitored using a system development life cycle methodology
that includes information security considerations and selection of appropriate
security controls and countermeasures.
Security Incident-&arly 8arning J ?esponse
C?D+ in Jational Cyber 0lert System
$nformation ?change with $nternational C?D+s
Security threat and vulnerability managementDegardless of the nature of the threat, facility owners have a responsibility to
limit or manage risks from these threats to the etent possible. +his is more
so, if the facility is a part of nationIs critical information infrastructure. 0s such
focus of these efforts would be5
2 To prevent cyber attacks on critical ICT infrastructure! *educe vulnerability of critical ICT infrastructure to cyber attacks.3 (nhancing the capability of critical ICT infrastructure to resist cyber
attacks" inimize damage and recovery in a reasonable time frame time
The key actions to reduce security threats and related vulnerabilitiesare:
:" $dentification and classification of critical information infrastructurefacilities and assets.
8" Doadmaps for organi)ation-wise security policy implementation in line
with international security best practices standards and other relatedguidelines.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 13/24
13
<" rocess for national level security threat B vulnerability assessments to
understand the potential consequences.
;" 3se of secure products/services, protocols B communications,
trusted networks and digital control systems.
>" ?mergency preparedness and crisis management %(irror Centers,*ot/warm/cold sites, communication, redundancy, and disaster
recovery plans, test B evaluation of plans etc
6" eriodic as well as random verification of the level of emergency
preparedness of critical information infrastructure facilities in resisting
cyber attacks and minimi)e damage B recovery time in case cyber
attacks do occur.
N" evelopment of comprehensive repair and maintenance policy so as
to minimi)e false alarms and increase cyber resource availability to
all users efficiently.
Security threat early warning and response
aG Bational cyber alert system
0 central nodal agency %C?D+-$n, $+" to perform analysis, issue
warnings, and coordinate response efforts would be established at
Jational level. +he Jational Cyber 0lert System will involve critical
infrastructure organi)ations, public and private institutions to perform
analysis, conduct watch and warning activities, enable information
echange, and facilitate restoration efforts. +he functions of Jational Cyber
0lert System include5• $dentification of focal points in the critical infrastructure• ?stablishment of a public-private architecture for responding to
national-level cyber incidents
• +actical and strategic analysis of cyber attacks and vulnerabilityassessments
• ?panding the Cyber 2arning and $nformation Jetwork to
support the role of Aovernment in coordinating crisis
management for cyberspace securityP
• Cyber security drills and eercises in $+ dependent business
continuity plans of critical sectors to assess the level of
emergency preparedness of critical information infrastructure
facilities in resisting cyber attacks and minimi)e damage B
recovery time in case cyber attacks do occur.
bG Sectoral C&?Ts
$n order to effectively deal with targeted cyber attacks on sensitive and
strategic sectors, it is essential to operationalise sectoral C?D+s in all
identified critical sectors such as finance, defence, energy, transportation,
telecommunication etc. +hese C?D+s would be responsible for allcoordination and communication actions within their respective sectors and
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 14/24
14
should be in regular touch with C?D+-$n for any incidence resolution support
as well as dealing with cyber crisis requiring broader action.
cG ocal incident response teams
?ach critical sector organisation should have an identified team of personnel
who will be part of the respective local $ncident Desponse +eam. +his team
would5
• $dentify the correctness of the severity level of any incident• Contain, ?radicate and Decover• Seek necessary resources and support from the corresponding Kevel $$
$ncident Desolution +eam
• rovide regular updates to higher management regarding progress of
the incident handling process
• ?scalate to an epert team/sectoral C?D+ or C?D+-$n, if unable to
resolve within the prescribed time frame/reasonable time frame.<artnership and collaborative effortsAovernment leadership cataly)es activities of strategic importance to the
Jation. $n cyber security, such leadership can energi)e a broad collaboration
with private-sector partners and stakeholders to generate fundamental
technological advances in the security of the JationIs $+ infrastructure.
Security information sharing and cooperation+he cyber threat sources and attacks span across countries. 0s such, as
there is a need for enhanced global cooperation among security agencies,
C?D+s and Kaw ?nforcement agencies of various countries to effectively
mitigate cyber threats and be able to respond to information security incidents
in a timely manner.
+he priorities for international cooperation are5• $nformation security and $nformation 0ssurance +echnology to prevent,
protect against, detecting, responding, and recovering from cyber attacks
in critical information infrastructure that may have large-scale
consequences.
• Collaboration in training personnel for implementing and monitoring
secure government intranets and cyber space
• oint DB pro1ects in frontline and futuristic technologies• Coordination in early warning, threat B vulnerability analysis and
incident tracking• $nformation security drills/eercises to test the vulnerability B
preparedness of critical sectors
Security crisis management plan for countering cyber attacks and cyber terrorism+he Crisis (anagement lan for Countering Cyber 0ttacks and Cyber
+errorism outlines a framework for dealing with cyber related incidents for a
coordinated, multi disciplinary and broad based approach for rapid
identification, information echange, swift response and remedial actions to
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 15/24
15
mitigate and recover from malicious cyber related incidents impacting critical
national processes. +he Crisis (anagement lan for Countering Cyber
0ttacks and Cyber +errorism describes the following aspects5
• +he Critical Sectors, Jature of cyber crisis and possible targets and
impact of particular type of crisis on these targets.• Focused cyber attacks affecting the organisations in critical sector such
as efence, ?nergy, Finance, Space, +elecommunications, +ransport,
ublic ?ssential Services and 3tilities, Kaw ?nforcement and Security
would lead to national crisis.
• ifferent types of cyber crisis described include Karge-scale
defacement and semantic attacks on websites, (alicious code attacks,
Karge scale S0( attacks, Spoofing, hishing attacks, Social
?ngineering, enial of Service %oS" and istributed oS attacks,
attacks on JS, 0pplications, infrastructure and Douters, Compound
attacks and *igh ?nergy DF attacks.
• $ncident prevention and precautionary measures to be taken at
organisational level which include implementation of $nformation
Security Hest ractices based on $S# 8N99: standard, Husiness
Continuity lan, isaster Decovery, Security of $nformation and
Jetwork, Security +raining and 0wareness, $ncident (anagement,
Sharing of information pertaining to incidents and conducting mock
drills to test the preparedness of Critical $nfrastructure organisations to
withstand cyber attacks.
&nabling technologies * !eployment and ?J!
,. !eployment of technical measures
(any different types of threats eist in the cyber world, but these threats will
fall into three basic categories - un-authori)ed access, impersonation and
denial of service. +hese threats may usually result in eavesdropping and
information theft, disabling access to network resources %#S attacks", un-
authori)ed access to system and network resources and data
manipulation.+he selection and effective implementation of cyber security
technologies require adequate consideration of a number of key factors,including5
• $mplementing technologies through a layered, defense-in-depthstrategyP
• Considering orgnisationsI unique information technology infrastructure
needs when selecting technologiesP
• 3tili)ing results of independent testing when assessing thetechnologiesI capabilitiesP
• +raining staff on the secure implementation and utili)ation of thesetechnologiesP and
• ?nsuring that the technologies are securely configured.+he organi)ations in Aovt. and critical sector may consider protecting their
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 16/24
16
networks, systems and data through deployment of access control
technologies %for perimeter protection, authentication and authori)ation",
system integrity measures, cryptography mechanisms and configuration
management and assurance.
Security research and development: $ndigenous DB is an essential component of national information
security measures due to various reasons- a ma1or one being eport
restrictions on sophisticated products by advanced countries. Second ma1or
reason for undertaking DB is to build confidence that an imported $+
security product itself does not turn out to be a veiled security threat. #ther
benefits include creation of knowledge and epertise to face new and
emerging security challenges, to produce cost-effective, tailor-made
indigenous security solutions and even compete for eport market in
information security products and services. Success in technologicalinnovation is significantly facilitated by a sound SB+ environment.
Desources like skilled manpower and infrastructure created through pre-
competitive public funded pro1ects provide much needed inputs to
entrepreneurs to be globally competitive through further DB. rivate
sector is epected to play a key role in meeting needs of short term DB
leading to commercially viable products. Hesides in-house DB, this sector
may find it attractive to undertake collaborative DB with leading research
organi)ations.
8. $ssues for focused action in DB are information security functional
Dequirements, securing the $nfrastructure, domain-Specific Security
Jeeds and enabling +echnologies for DB.
<. +he +hrust areas of DB include5
• Cryptography and cryptanalysis research and related aspects
• Jetwork Security ! including wireless B Dadio %2iFi. 2i(a, <A,ADS"
• System Security including Hiometrics
• Security architecture
•
(onitoring and Surveillance• Gulnerability Demediation B 0ssurance
• Cyber Forensics
• (alware 0nalysis +ools
• Scalable trust worth systems and networks
• $dentity (anagement
Capacity 'uilding
Skill B Competence development
+raining of Kaw ?nforcement agencies and 1udicial officials inthe collection and analysis of digital evidence
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 17/24
17
+raining in the area of implementing information security in
collaboration with speciali)ed organi)ations in 3S.
aG. Security education and awareness
, (any cyber vulnerabilities eist because of lack of informationsecurity awareness on the part of computer users, system/network
administrators, technology developers, auditors, Chief $nformation #fficers
%C$#s", Chief ?ecutive #fficers %C?#s", and Corporates. 0 lack of trained
personnel and the absence of widely accepted, multi-level certification
programs for information security professionals complicate the task of
addressing cyber vulnerabilities. +his policy identifies following ma1or
actions and initiatives for user awareness, education, and training5
• romoting a comprehensive national awareness program• Fostering adequate training and education programs to support the
JationIs information security needs %? School, college and post
graduate programs on $+ security"
• $ncrease in the efficiency of eisting information security training
programs and devise domain specific training programs %e5 Kaw
?nforcement, udiciary, ?-Aovernance etc"
• romoting private-sector support for well-coordinated, widely
recogni)ed professional information security certifications.
$nformation security awareness promotion is an ongoing process.
+he main purpose is to achieve the broadest penetration to enhance
awareness and alert larger cyber community in cases of significant
security threats. +he promotion and publicity campaign could include
• Seminars, ehibitions, contests etc• Dadio and +G programmes• Gideos on specific topics• 2eb casts, od casts• Keaflets and osters• Suggestion and 0ward Schemes
1 Safe use of $+ for children and small B home users
#wing to the vulnerability of children and small B home users on the $nternet
for criminal eploitation, special campaigns are required to promote
acceptable and safe use information technology. +his combines the
knowledge of the needs of protection while understanding the power of
information technology. $n addition, campaigns may also be directed to raise
the awareness among the parents about the means of helping children to go
online safely.
bG. Security skills training and certification$nformation security requires many skilled professionals to deal with variety of
domain specific actions. $n order to train security professionals with
appropriate skill sets, it is necessary to identify and create a pool of master trainers and training organi)ations to cater to specific set of training
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 18/24
18
requirements such as security audits, (anagement and information
assurance, +echnical operations etc. +hese trainers and training organi)ations
would then train and certify professionals for deployment in critical sectors.
+he following are some of the professional cyber security roles that can be
targeted for training and certification5• Chief information security officer %C$S#"• System operations and maintenance personnel• Jetwork security specialists• igital forensics and incident response analysis• $mplementation of information security and auditing• Gulnerability analyst• $nformation security systems and software development• 0cquisition of technology• +echno-legal• Kaw enforcement
cG Security training infrastructure+he requirement of security professionals is very huge and is only bound to
increase with more and more of $C+ usage. +owards this effect, it is an
imperative need to set up adequate training infrastructure to cater to the
needs of all types of users, particularly law enforcement agencies, 1udicial
officers, owners/operators of e-Aovernment services etc. +his effort may also
involve large number of private organi)ations to have an effective outreach.
?esponsible actions by user community?ssentially, actions for securing information and information systems are
required to be done at different levels within the country. Hesides the actionsby Aovernment, other stakeholders such as network services providers %$S",
large corporates and small users/home users are also required to be play
their part to enhance the security of cyber space within the country.
aG. =ctions by Betwork service providers• Compliance to international security best practices, service quality and
service level agreements %SK0s" and demonstration.
• ro-active actions to deal with and contain malicious activities,
ensuring quantity of services and protecting average end users by way
of net traffic monitoring, routing and gateway controls.
• 4eeping pace with changes in security technology and processes to
remain current %configuration, patch and vulnerability management"
• Conform to legal obligations and cooperate with law enforcement
activities including prompt actions on alert/advisories issued by C?D+-
in
• 3se of secure product and services and skilled manpower• Crisis management and emergency response.
bG. =ctions by arge Corporates• Compliance to international security best practices and demonstration•
ro-active actions to deal with and contain malicious activities, andprotecting average end users by say of net traffic monitoring, routing
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 19/24
19
and gateway controls
• 4eeping pace with changes in security technology and processes to
remain current %configuration, patch and vulnerability management"
• Conform to legal obligations and cooperate with law enforcement
activities including prompt actions on alert/advisories issued by C?D+-$n
• 3se of secure product and services and skilled manpower• Crisis management and emergency response.• eriodic training and up gradation of skills for personnel engaged in
security related activities
• romote acceptable usersI behavior in the interest of safe computing
both within and outside.
cG. =ctions by smallFmedium users and home users• (aintain a level of awareness necessary for self-protection• 3se legal software and update at regular intervals.• Heware of security pitfalls while on the net and adhere to security
advisories as necessary• (aintain reasonable and trust-worthy access control to prevent abuse of
computer resources.
Cyber Security and =uditors perspective 0n auditors concern on the issue of Cyber Security may arise as any of
the following three stages5
System esign Stage evelopment State
0naly)ing performance after systems implementation
=uditors perspective * !esign Stage
0uditorIs involvement at this stage will ensure that requisite Controls %general,
input, processing and output controls" have been inbuilt into the system to
ensure that system performance would be enhanced and the system
developed takes care of 0uditorIs requirements as well. 0t this stage the
0uditorIs involvement would also ensure that requisite ?mbedded 0udit(odules %?0(" or $ntegrated +est Facility %$+F" etc. have been duly designed
in the system design to ensure proper interrogation of the data.
=uditors perspective * !evelopment Stage
0t this stage, auditorIs involvement would lead to an assurance that
necessary audit trail/ audit module to furnish information required by the
auditor from time to time in smooth performance of audit function by him, are
being designed into the developed system so as to avoid its modification at a
later stage at etra avoidable costs.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 20/24
20
=uditors perspective * =nalying Stage
+his will ensure that the system so developed and implemented is capable of
providing requisite information in a timely manner and to the authori)ed
persons to support and assist in decision making process, besides ensuring
Confidentiality %C", $ntegrity %$" and 0vailability %0" of the information.
'ack @p and ?ecovery
Cyber Security also encompasses the issues relating to regular back ups of
the system data and isaster Decovery management. +here should be a
policy in eistence to ensure that regular back-up of the critical data are taken
and kept on-site and off-site locations to ensure its availability whenever
required.
!isaster ?ecovery 7!?G Centre ?very organisation should have a D centre. +he functionality and
operational drill should be carried out periodically to ensure its
operability during the times when required.
?very organisation should also have an archiving policy for such
record, data, information etc that are to be preserved permanently
because of their enduring value.
Aut-Sourcing Issues:
Jow a days most of the organi)ations resort to the practice of out-sourcingtheir routine activities and also system development, implementation and
maintenance issues to the eternal agencies in order to concentrate more the
their core activities. uring the process of outsourcing, there are elements of
risk involved in relation to access of outside agencies to organi)ationIs
resources and critical information etc. 0uditors are very much concern on this
issue and their involvement or active association may reduce or stop the
instances of data theft or other unwanted instances.
Change $anagement Controls
0uditorIs involvement would also ensure that proper change management
controls have been built into the system so as to ensure that only authorised
and approved changes are being made in the system and proper
documentation eists for each area of the system to support future
modifications.
System Security Issues:
0uditor would ensure that due care has been taken to design all required
security %general, input, processing and output" issues to prevent the systemfrom probable security breach instances.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 21/24
21
!ata $igration Issues:
Aenerally in case of organisations switching over from one platform to another
platform i.e. change of application system the data pertaining to the previous
database system is either not migrated fully into the new system or if it is
done, the same is found to be full of migration errors. 0uditorIs also see that
this problem is not carried over in the new application.
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 22/24
22
=nneKure I
Stakeholder agencies
, Bational Information 'oard 7BI'G
Jational $nformation Hoard is an ape agency with representatives from
relevant epartments and agencies that form part of the critical minimum
information infrastructure in the country. J$H is entrusted with the
responsibility of enunciating the national policy on information security and
coordination on all aspects of information security governance in the country.
J$H is headed by the Jational Security 0dvisor.
Bational Crisis $anagement Committee 7BC$CG
+he Jational Crisis (anagement Committee %JC(C" is an ape body of Aovernment of $ndia for dealing with ma1or crisis incidents that have serious
or national ramifications. $t will also deal with national crisis arising out of
focused cyber attacks. JC(C is headed by the Cabinet Secretary and
comprises of Secretary level officials of Aovt. of $ndia. 2hen a situation is
being handled by the JC(C it will give directions to the Crisis (anagement
Aroup of the Central 0dministrative (inistry/epartment as deemed
necessary. (http://www.ndmindia.nic.in)
1 Bational Security Council Secretariat 7BSCSG
Jational Security Council Secretariat %JSCS" is the ape agency looking into
the political, economic, energy and strategic security concerns of $ndia and
acts as the secretariat to the J$H.
0 $inistry of Home =ffairs 7$H=G
(inistry of *ome 0ffairs issues security guidelines from time to time to secure
physical infrastructure. +he respective Central 0dministrative
(inistries/epartments and critical sector organi)ations are required to
implement these guidelines for beefing up/strengthening the security
measures of their infrastructure. (*0 sensiti)es the administrativedepartments and organi)ations about vulnerabilities and also assists the
respective administrative (inistry/epartments. (www.mha.nic.in/)
$inistry of !efence
(inistry of efence is the nodal agency for cyber security incident response
with respect to efence sector. (o, $S %$0D0", formed under the aegis of
*eadquarters, $ntegrated efence Staff, is the nodal tri-Services agency at
the national level to effectively deal with all aspects of $nformation 0ssurance
and operations. $t has also formed the efence C?D+ where primary function
is to coordinate the activities of services/(o C?D+s. $t works in close
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 23/24
23
association with C?D+-$n to ensure perpetual availability of efence
networks. (mod .nic.in/)
2 !epartment of Information Technology 7!ITG
epartment of $nformation +echnology %$+" is under the (inistry of
Communications and $nformation +echnology, Aovernment of $ndia. $+
strives to make $ndia a global leading player in $nformation +echnology and at
the same time take the benefits of $nformation +echnology to every walk of life
for developing an empowered and inclusive society. $t is mandated with the
task of dealing with all issues related to promotion B policies in electronics B
$+. (http://deity.gov.in/)
6 !epartment of Telecommunications 7!oTG
epartment of +elecommunications %o+" under the (inistry of
Communications and $nformation +echnology, Aovernment of $ndia, is
responsible to coordinate with all $Ss and service providers with respect to
cyber security incidents and response actions as deemed necessary by
C?D+-$n and other government agencies. o+ will provide guidelines
regarding roles and responsibilities of rivate Service roviders and ensure
that these Service roviders are able to track the critical optical fiber networks
for uninterrupted availability and have arrangements of alternate routing in
case of physical attacks on these networks. ( www.dot.gov.in/)
3 Bational Cyber ?esponse Centre - Indian Computer &mergency
?esponse Team 7C&?T-InGC?D+-$n monitors $ndian cyberspace and coordinates alerts and warning of
imminent attacks and detection of malicious attacks among public and private
cyber users and organi)ations in the country. $t maintains 8;N operations
centre and has working relations/collaborations and contacts with C?D+s, all
over the worldP and Sectoral C?D+s, public, private, academia, $nternet
Service roviders and vendors of $nformation +echnology products in the
country. $t would work with Aovernment, ublic B rivate Sectors and 3sers in
the country and monitors cyber incidents on continuing basis through out the
etent of incident to analyse and disseminate information and guidelines asnecessary. +he primary constituency of C?D+-$n would be organi)ations
under public and private sector domain. ( www.cert -in.org.in/)
Bational Information Infrastructure <rotection Centre 7BII<CG
J$$C is a designated agency to protect the critical information infrastructure
in the country. $t gathers intelligence and keeps a watch on emerging and
imminent cyber threats in strategic sectors including Jational efence. +hey
would prepare threat assessment reports and facilitate sharing of such
information and analysis among members of the $ntelligence, efence and
Kaw enforcement agencies with a view to protecting these agenciesI ability tocollect, analy)e and disseminate intelligence. J$$C would interact with other
7/24/2019 Cyber Security-SAI India.doc
http://slidepdf.com/reader/full/cyber-security-sai-indiadoc 24/24
24
incident response organi)ations including C?D+-$n, enabling such
organi)ations to leverage the $ntelligence agenciesI analytical capabilities for
providing advanced information of potential threats.
,4G Bational !isaster $anagement of =uthority 7B!$=G
+he Jational isaster (anagement 0uthority %J(0" is the 0pe Hody for
isaster (anagement in $ndia and is responsible for creation of an enabling
environment for institutional mechanisms at the State and istrict levels.
J(0 envisions the development of an ethos of revention, (itigation and
reparedness and is striving to promote a Jational resolve to mitigate the
damage and destruction caused by natural and man-made disasters, through
sustained and collective efforts of all Aovernment agencies, Jon-
Aovernmental #rgani)ations and eopleIs participation. %ndma.gov.in/ )
,, Standardisation# Testing and Luality Certification 7STLCG !irectorateS+QC is a part of epartment of $nformation +echnology and is an
internationally recogni)ed 0ssurance Service providing organi)ation. S+QC
has established nation-wide infrastructure and developed competentance to
provide quality assurance and conformity assessment services in $+ Sector
including $nformation Security and Software +esting/Certification. $t has also
established a test/evaluation facility for comprehensive testing of $+ security
products as per $S# :>;9= common criteria security testing standards.
%www.stc.gov.inF"
, Sectoral C&?Ts
Sectoral C?D+s in various sectors such as efence, Finance %$DH+",
Dailways, etroleum and Jatural Aas, etc, would interact and work closely
with C?D+-$n for mitigation of crisis affecting their constituency. Sectoral
C?D+s and C?D+-$n would also echange information on latest threats and
measures to be taken to prevent the crisis.