Cyber Security: - PowerPoint PPT Presentation


1

Cyber Security: Indian Perspective and Challenges
Dr. Gulshan Rai, Director, Indian Computer Emergency Response Team (CERT-In), Department of Information Technology
2
The Complexity of Today's Network

3
Growing Concern
  • Computing Technology has turned against us
  • Exponential growth in security incidents
  • Pentagon, US in 2007
  • Estonia in April 2007
  • Computer systems of the German Chancellery and three
    Ministries
  • Highly classified computer networks in New Zealand
    and Australia
  • The software used to carry out these attacks
    indicates that they were clearly designed and tested
    with much greater resources than the usual individual
    hacker has
  • Most Government agencies and companies around the
    world use common computing technologies and systems
    that are frequently penetrated by criminal
    hackers and malware
  • There are signs that intelligence agencies around
    the world are constantly probing others' networks
    and developing new ways to gather intelligence

4
Security: The Need
  • The consequences of insufficient security
  • Identity theft
  • Compromised customer confidence, loss of business
  • Service interruption (e.g., e-mail)
  • Loss of competitive advantage
  • Equipment theft
  • Embarrassing media coverage
  • Substantial financial loss
  • Legal penalties

5
Rapid Development of Cyber Threats
6
Type of Attacks on Internet
  • Web Site Defacements
  • Port Scanning
  • Malicious Code
  • VIRUS
  • BOTS
  • Keystroke-logging
  • Phishing
  • DNS Attacks
  • Denial of Service and DDoS

7
Security Incidents reported during 2007
8
Indian Websites Defaced in Year 2007
9
Phishing
[Figure: indicators distinguishing a phishing web site from the legitimate web site]
10
Major Types of Attacks Observed in India during
Last Week (28 Jan-1 Feb, 2008)
11
Scans prevalent on ports (last 24 hrs)
12
Trends in Cyber Attacks (2007)
  • Phishing
  • Around 392 phishing cases affecting financial
    institutions in India and abroad were observed in
    the year 2007
  • Increase in cases of fast-flux phishing and
    rock-phish
  • 35% of phishing web sites were observed for
    financial services sector brands
  • Bots and Malicious Code
  • Botnets are evolving, with an increased number of
    bots
  • The command and control server is regularly shifting
  • The SpamThru Trojan uses botnets for spamming and
    DDoS
  • The Storm worm spreads through spam to increase
    the botnet and launch DDoS
  • Malicious code with keystroke-logging and
    secluded communications capacity is on the rise and
    has made confidential information threats a major
    concern
  • 4% of all malicious activity detected during the
    first 6 months of 2007 originated from IP space
    registered to Fortune 100 companies
  • Malicious code distribution is largely done
    through social engineering techniques in today's
    scenario

13
Trends in Cyber Attacks
  • Fake data about domain registrants on WHOIS
    directory
  • Increased malicious activity carried out in a
    professional and commercial way
  • Trade of malicious code in popular forums such as
    IRC, web sites, etc.
  • Emergence of Phishing Toolkits
  • Automated toolkits that could exploit the systems
    of users who visit a malicious or compromised
    website
  • Increasing number of underground economy servers
    which are used by criminals and criminal
    organisations to sell stolen information,
    typically for subsequent use in identity theft.

14
Nature of Attacks in Cyber World
  • Rise of Cyber Spying
  • Curiosity probes, funded and organised operations
    for a variety of purposes
  • Web Espionage operation
  • Mapping of networks, probing for weaknesses and
    strengths
  • Attackers targeting new technologies such as:
  • Peer to peer and VOIP services
  • Social Network
  • On-line banking

15
Nature of Attacks in Cyber World
  • Sophisticated attacks
  • Attackers are refining their methods and
    consolidating assets to create global networks
    that support coordinated criminal activity
  • Emergence of a sophisticated market for software
    flaws that can be used to carry out espionage
    and attacks on Government and Critical
    Information Infrastructure. Findings indicate a
    blurred line between legal and illegal sales of
    software vulnerabilities

16
Hi-Tech Crime: A Thriving Economy
  • The market is growing for zero-day threats
    and tools for cyber crime
  • With so many PCs now infected (around 5% of all
    global machines are zombies), competition to
    supply botnets has become intense. The cost of
    renting a platform for spamming is now around
    3-7 cents per zombie per week
  • A budget of as little as US$25 to US$1500 can buy
    you a trojan that is built to steal credit card
    data and mail it to you. Malware is being custom
    written to target specific companies and agencies
  • The black market for stolen data (e.g. credit
    cards, emails, Skype accounts, etc.) is now well
    established and the cost of obtaining credit
    cards is upwards of US$5
  • Another black market that is causing alarm to
    Governments is that of zero-day exploits. In Jan
    2006 a Microsoft WMF (Windows Meta File) exploit
    was sold for US$4000
  • Competition is so intense among cyber criminals
    that customer service has now become a specific
    selling point

17
Challenges ahead
  • Managing IS Security
  • Information Security dependency on vendor inputs
  • Complex networked environment leading to lack of
  • Know Your - Employees, Systems and Procedures,
    Vendors
  • Maintaining Confidentiality and Privacy of Data
    while in storage, transmission and processing.
  • Providing DRP and BCP in a complex technology
    infrastructure supported by multiple vendors

18
Challenges ahead
  • Vendor Management
  • Multiple vendor support necessary for working of
    highly complex technology
  • Coordinating various vendors to provide a secure
    IT infrastructure for business operations
  • Alternatives for failure of a specific vendor
    services
  • Extent of replacing vendors with internal staff

19
Information Security Management
[Diagram: INFORMATION SECURITY (Confidentiality, Availability, Integrity, Authenticity) with People, Process and Technology; labels shown: Security Policy, Regulatory Compliance, User Awareness Program, Access Control, Security Audit, Incident Response, Encryption, PKI, Firewall, IPS/IDS, Antivirus]
20
Cyber Security Strategy: India
  • Key Initiatives
  • Security Policy, Compliance and Assurance: Legal
    Framework
  • IT Act, 2000
  • IT (Amendment) Bill, 2006: Data Protection and
    Computer crimes
  • Best Practice: ISO 27001
  • Security Assurance Framework
  • Security Incident: Early Warning and Response
  • CERT-In National Cyber Alert System
  • Information Exchange with international CERTs
  • Security training / Capacity building
  • Skill and Competence development
  • Collaboration with CMU USA to train personnel
  • Discussion with Cornell University
  • Domain Specific training: Cyber Forensics
  • Setting up Digital Forensics Centres

21
Security Governance
  • IT Policy and IS Security Policy
  • Standards and Procedures
  • Half yearly reviews to update IT Policy and IS
    Security Policy - Standards and Procedures
  • Security Guidelines for Critical Applications
  • IS Roles and Responsibilities across Organisation

22
Security Governance
  • Central Anti-Virus, Firewall/IDS monitoring teams
    set up
  • Policies enforced through periodic security
    compliance reviews
  • Promoting IS Awareness and Security Culture
    across the organisation

23
Suggested Organization Structure of IT
[Org chart: CIO, CISO, Application Owners]
24
What actions need to be taken
  • Exchange of Information on incidents
  • User awareness
  • Security portals for user awareness
  • Ad campaigns
  • Enterprise security
  • CSIRTs
  • Sectoral cooperation and coordination
  • Sectoral CERTs
  • National coordination
  • CERT-In
  • Global coordination
  • APCERT, ASEAN, FIRST

25
Collaborative Efforts
  • Standard procedures/manuals among countries
    mandating service providers for supply of
    information
  • Instant Information Sharing
  • Rapid Response to Security Incidents
  • Research and Development
  • Internet Health Monitoring
  • DNS Security
  • Immune and Survivable Systems

26
Need of Today
  • It's important to get in at the beginning
  • Experience teaches us that these concerns are
    hard to add after the fact
  • The Internet experience informs us
  • It is also a social system, not simply a
    technology
  • Once we give up privacy or security, we may not
    be able to regain it
  • Important to assert a leadership role while we
    can!

27
Thank you
http://www.cert-in.org.in
28
IT Governance Best Practices