
Basics of cyber security


Cyber crime involves criminal activities taking place over the internet. It is different from
computer crimes, which are restricted in nature and may occur in a physical space with
or without a network, for example document theft or infecting a digital device with a virus or
malware. Cyber crime takes place in a virtual space, through a digital environment which is
unbridled by geographical area.
Cyber risks/Threats
Can be categorized into 3 major divisions:
Cyber crime - Individuals working alone, or in organised groups, intent on extracting
money, data or causing disruption. This can take many forms including the
acquisition of credit/debit card data, intellectual property and impairing the
operations of a web site or service.
Cyber war - A nation state conducting sabotage and espionage against another
nation to cause disruption or to extract data. This could involve the use of Advanced
Persistent Threats (APTs).
Cyber terror - An organisation, working independently of a nation state, conducting
terrorist activities through the medium of cyber space.

Introduction to cyber criminals
The cost of committing cyber crime is surprisingly low. The world of cyber crime never
stops innovating. Every month, Microsoft publishes the vulnerabilities of its systems - an
ever-growing list of known threats, bugs and viruses. Cyber criminals can now even buy
off-the-shelf hacking software, complete with support services. Cyber crime is
increasingly simple to commit, making it more difficult to police.
There are a number of attack vectors that are available to cyber criminals:
Phishing: An attempt to acquire users' information by deceiving them,
masquerading as a legitimate entity, such as through spoof emails or websites
Pharming: An attack to redirect a website's traffic to a different, fake website,
where the individual's information is then compromised
Drive-by: Opportunistic attacks against specific weaknesses within a system
MITM: Man in the middle attack where a middleman impersonates each
endpoint and is thus able to manipulate both victims.
Social engineering: Exploiting the weakness of the individual, by making them
click malicious links, or by physically gaining access to a computer through
deception. Pharming and phishing are examples of social engineering.
Advanced Persistent Threat (APT) is the description applied to the coordinated
cyber activities of sophisticated criminals and state level entities. APTs target large
corporations and foreign governments, with the objective of stealing information or
compromising information sys
Trolling:
Hacking
Child Pornography
Cyber Stalking: Cyber stalking can be defined as repeated acts of harassment or
threatening behavior by the cyber criminal towards the victim, using internet
services.
Denial of service attacks
Virus Dissemination

Prevention:
Emerging Trends in CS
Recommendations
Social media and mobile communications will increasingly become ubiquitous and
integral to routine interactivity. It is therefore important that these are monitored
by intelligence agencies, and that people's representatives are present
in the domain, to ensure timely initiation of counter-measures against
security threats and propaganda.
The most effective way of countering false propaganda is to have an effective
strategic communications policy. This should be accompanied by transparency in
functioning. The absence of both was evident during the recent past in Assam and
while dealing with rumours and propaganda in cyber space.
The Maoists will make an endeavour to change the operational status quo by
improving their arsenal. This will also assist them in employing coercive tactics to
sway public opinion in their favour. It is critical to ensure minimum collateral
damage during operations, as well as effective countering of Maoist propaganda, to
regain the psychological space from the Maoists.
The present state of peace in J&K is extremely fragile and the increasing rate of
infiltration poses a serious threat to it. Given the effectiveness of the fencing on the
LoC, alternate areas across the IB and the coastal belt are likely to be exploited.
Even as surveillance is put in place, the most important defence against such
threats is co-opting the local people in community policing.
Cyber security will continue to emerge as a potential challenge in future. The
endeavour to create a comprehensive organisational structure remains a critical
requirement. However, it is equally important to run cyber education programmes
through the virtual world as well as educational institutions and public awareness
groups to enable greater understanding of the implications of the threat. This will
enable better understanding of the threats involved and could result in
participative counter-measures between the government and people using the networks.
Cyber Warfare
Since the discovery of the Stuxnet malware in 2010, no less than five other cyber
weapons have made their appearance over the past two years. Stuxnet was
directed against the Iranian nuclear programme. After a lull of a year, the Duqu
worm was discovered in September 2011, followed in quick succession by the
Mahdi, Gauss and Flame malware. Flame, Duqu and Gauss shared similar digital
DNA with Stuxnet, and their primary purpose seemed to be espionage (spying), with
their targets ranging from banking to governmental to energy networks. Flame's
capabilities ranged from recording Skype conversations and downloading
information from smart phones to more mundane activities such as recording audio,
screenshots, keystroke and network traffic recording. The Mahdi Trojan seemed to
have spread via phishing emails even though its purpose was also apparently
espionage. Infections were reported from Iran, Israel, Afghanistan, the United Arab
Emirates, Saudi Arabia, Syria, Lebanon and Egypt.
In April 2012, there were reports of a new virus, Wiper, that was much more
malicious, and wiped off the data on all computers that it infected. This virus largely
affected networks in Iran. Four months later, the Shamoon virus is reported to
have wiped off the data from 30,000 computers of the Saudi Arabian State oil
company, Aramco, followed a week later by a similar episode on the networks of
the second largest LNG company in the world, Ras Gas of Qatar.
In what has become the norm for such cyber attacks, despite intense investigations
by anti-virus companies, the origins of the malware have remained largely in the
realm of speculation and inference. While ownership of the Stuxnet (and by
inference, its cousins Duqu, Flame and Gauss) malware was claimed by the Obama
Administration for electoral purposes, the Shamoon virus is speculated to be a
reverse-engineered version of the Wiper virus unleashed by hackers loyal to the
Iranian regime. Tit-for-tat attacks look set to become the norm as the countries
of the region gird up their cyber loins.
Similarly, existing defences appear to be no match for these malware attacks. The
countries of West Asia are among the most pro-active when it comes to controlling
cyberspace, with Iran going to the extent of decoupling from the Internet and
building its own national Intranet. The energy infrastructure companies that were
attacked are among the biggest in the field and would no doubt have had many
layered defences against such attacks, to no avail. In their defence, the critical
infrastructure itself was not affected by the attacks. It must also be mentioned that
the behaviour of some of the malware has been akin to sleeper cells, programmed
to awaken on command and carry out instructions sent from command and control
servers. As in the case of the modularly designed Flame malware, they can be used
for multiple purposes, based on requirement.
From India's perspective, there is much cause for concern in these developments.
With a substantial part of its oil imports coming from the region, attacks on the
global energy infrastructure centred in West Asia could have enormous
repercussions on India. Unlike physical attacks which have been held at bay
through international pressure, the anonymity of cyber attacks and the absence of
norms and conventions make it difficult for the international community to restrain
such acts. The sudden loss of petroleum supplies can be cushioned through a
strategic petroleum reserve, but efforts under way since 2004 to build such a reserve are
yet to bear fruit. Since gas has become a crucial energy component, the
feasibility of establishing a Strategic Gas Reserve could also be considered.
Of more immediate concern are the vulnerabilities in Indian critical infrastructure
which could render them vulnerable to similar attacks. While prediction and
prevention strategies are all to the good, even greater emphasis needs to be placed
on effective recovery strategies. All of this calls for greater coordination between
the motley government, public and private enterprises that together run the
country's critical infrastructure.
Cyber attacks can have devastating results in terms of loss of livelihood,
destruction of the economy and anarchy in society. Loss of life alone can no longer
be a barometer of devastation. It is as important to have contingency plans ready
to deal with all eventualities, as it is for countries to come together to nip this
scourge in the bud, and to call out the rogue actors.
Cyber Laws in India
Cyber crime is not defined in the Information Technology Act 2000, in the I.T.
Amendment Act 2008, or in any other legislation in India. In fact, it cannot be. To put
it in simple terms, any offence or crime in which a computer is used is a cyber crime. In a
cyber crime, computer or the data itself is the target or the object of offence or a tool in
committing some other offence. All such acts of crime will come under the broader
definition of cyber crime.

The Genesis (origin) of IT legislation in India:

Mid 90s: Saw an impetus in globalization and computerisation, with more and more
nations computerizing their governance, and e-commerce seeing enormous growth.
Until then, most international trade and transactions were done through documents
transmitted by post and by telex only. With the increase in use of ICT in
international trade, the United Nations Commission on International Trade Law
(UNCITRAL) adopted the Model Law on e-commerce in 1996, recommending that all
States in the UN accord electronic records the same treatment as
paper communications and records.

Beginning of 2000: Against this backdrop, the Government enacted the IT Act 2000.

Aim:
_ to provide legal recognition for transactions carried out by means
of electronic data interchange and other means of electronic
communication
_ to facilitate electronic filing of documents with the Government
agencies and further to amend the Indian Penal Code, the Indian
Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and
the Reserve Bank of India Act, 1934
_ to build capabilities to prevent and respond to cyber threats and
minimize damage from cyber incidents through a combination of
institutional structures, people, process, technology and
cooperation

Policy: The Act essentially deals with the following issues:
_ Legal Recognition of Electronic Documents
_ Legal Recognition of Digital Signatures
_ Offenses and Contraventions
_ Justice Dispensation Systems for cyber crimes.

How the Act is structured: The Act defines/provides the following:

_ Procedures for certifying authorities (for digital certificates as per
IT Act 2000, since replaced by electronic signatures in the
ITAA 2008) have been spelt out.
_ The civil offence of data theft and the process of adjudication and
appellate procedures.
_ Some of the well-known cyber crimes, and lays down the
punishments therefor.
_ The concept of due diligence, the role of intermediaries and some
miscellaneous provisions.
_ Defines the word computer/computer system in a holistic
manner; even high-end programmable gadgets like a washing
machine, or switches and routers used in a network, can all be
brought under the definition. (:P)

Applicability: Extends to the whole of India and, except as otherwise provided, it
also applies to any offence or contravention thereunder committed
outside India by any person.
Weakness:
Awareness: There is no serious provision in the Act for creating awareness and
putting such initiatives in place.
Jurisdiction: This is a major issue which is not satisfactorily addressed
in the ITA or ITAA. For example, if someone's mail is hacked, and the accused is a resident
of a city in some state while the person comes to know of it in a different city, which police
station does he go to?
Evidences: Part of the evidence problem is crime scene issues. We cannot mark
a place, a computer or a network, nor seize the hard disk
immediately and keep it under lock and key as an exhibit taken
from the crime scene.
Non-coverage of many crimes: While there are many legislations in
not only many Western countries but also some smaller nations in the
East, India has only one legislation -- the ITA and ITAA. Hence it is quite
natural that many issues on cyber crimes and many crimes per se are
left uncovered. Many cyber crimes, like cyber squatting with an evil
intention to extort money, spam mails, ISPs' liability in copyright
infringement and data privacy issues, have not been given adequate
coverage.
Further Actions Needed:


IT (Amendment) Act 2008
The IT Act, 2000 was subject to serious debates and discussions, elaborate reviews and
critical analysis, with some calling it draconian and some lenient. Major committees and
expert panels were set up to remove the lacunae in the IT ACT. Also, it was compared to
similar acts of different nations.
Aim:
_ to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic
communication
_ to facilitate electronic filing of documents with the Government
agencies and further to amend the Indian Penal Code, the Indian
Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the
Reserve Bank of India Act, 1934
_ to build capabilities to prevent and respond to cyber threats and
minimize damage from cyber incidents through a combination of
institutional structures, people, process, technology and cooperation

Policy: Some of the notable features of the ITAA are as follows:
_ Focussing on data privacy
_ Focussing on Information Security
_ Defining cyber café
_ Making digital signature technology neutral
_ Defining reasonable security practices to be followed by corporates
_ Redefining the role of intermediaries
_ Recognising the role of Indian Computer Emergency Response Team
_ Inclusion of some additional cyber crimes like child pornography and
cyber terrorism
_ authorizing an Inspector to investigate cyber offences (as against the
DSP earlier)
Weakness:

Further Actions Needed:


Relevance of Prevention of Money Laundering Act:
Its main objective is to provide for confiscation of property derived from, or involved in,
money laundering. Money laundering involves a process of getting the money from illegal
sources, layering it in any legal source, integrating it as part of any legal system like
banking and actually using it. Since banking as an industry has a major and
significant role to play in the act of money laundering, it is now a serious responsibility on
the part of banks to ensure that the banking channel is not used in criminal activity.
Much more than a responsibility, it is now a compliance issue as well.
Obligations of banks include maintenance of records (KYC) of all transactions of the nature
and value specified in the rules, furnish information of the transactions within the
prescribed time, whenever warranted and verify and maintain records of the identity of all
customers.

Legislations in other nations
1. USA: The Health Insurance Portability and Accountability Act, popularly known as
HIPAA, regulates all health and insurance related records, their upkeep and
maintenance and the issues of privacy and confidentiality involved in such records.
Other laws: Cable Communications Policy Act, Children's Internet Protection Act,
Children's Online Privacy Protection Act, etc.
2. UK: Data Protection Act and the Privacy and Electronic Communications
Regulations, etc.

National Cyber Security Policy 2013
(*CS = Cyber Security)
Aim:
_ To create a secure cyberspace ecosystem and strengthen the
regulatory framework.
_ To safeguard the privacy of citizens.
_ To monitor and protect information and strengthen defenses
from cyber attacks.
_ To protect information infrastructure in cyberspace, reduce
vulnerabilities, build capabilities to prevent and respond to
cyber threats and minimize damage from cyber incidents
through a combination of institutional structures, people,
process, technology and cooperation.

Policy:
Stakeholders:
I. A National and sectoral 24X7 mechanism has been envisaged to
deal with cyber threats through National Critical Information
Infrastructure Protection Centre (NCIIPC).
II. Computer Emergency Response Team (CERT-In) has been
designated to act as a nodal agency for coordination of crisis
management efforts. CERT-In will also coordinate actions and
operations of sectoral CERTs.
III. CISO: The policy aims at encouraging all organizations (public
or private) to designate a person to serve as Chief Information
Security Officer (CISO) who will be responsible for CS
initiatives. Organizations need to develop their information
security policies and implement such policies as per international
best practices. Provisions of fiscal schemes and incentives have
been incorporated in the policy to encourage entities to install
trustworthy ICT products and continuously upgrade information
infrastructure with respect to CS.
The policy calls for effective PPP and collaborative engagements
through technical and operational cooperation.
R&D:
I. Another strategy which has been emphasized is the
promotion of research and development in CS of
trustworthy systems and their testing.
II. collaboration with industry and academia
III. Setting up of Centre of Excellence in areas of strategic
importance etc.
Developing of human resource through:
I. Education and training programmes, establishing CS training
infrastructure through PPP and to establish institutional
mechanisms for capacity building for law enforcement
agencies.
II. Creating a workforce of 500,000 professionals trained in CS
in the next 5 years through skill development and training.
III. to promote and launch a comprehensive national awareness
programme on CS through workshops, seminars and
certifications to develop awareness of the challenges of CS
amongst citizens.
A mechanism is proposed to be evolved for obtaining strategic
information regarding threats to information and communication
technology (ICT) infrastructure, creating scenarios of response,
resolution and crisis management through effective predictive,
prevention, response and recovery action.

Weakness: The following have not been addressed:
_ security risks emanating from the use of new technologies, e.g.
Cloud Computing
_ risks arising from increased use of social networking sites by
criminals and anti-national elements
Further Actions Needed:
_ Incorporation of cyber crime tracking, cyber forensic capacity
building and creation of a platform for sharing and analysis of
information between public and private sectors on a continuous
basis.
_ Creating a workforce of 500,000 professionals needs further
deliberations as to whether this workforce will be trained to
simply monitor the cyberspace or trained to acquire offensive as
well as defensive cyber security skill sets.
_ Building of testing infrastructure and facilities of global
standards for evaluation and not just Security Applications.
