Monday, January 13, 2014

basics of cyber security

Cyber crime consists of criminal activities carried out over the internet. It differs from computer crime, which is narrower and may take place in a physical space with or without a network, for example document theft or infecting a digital device with a virus or other malware. Cyber crime takes place in a virtual space, through a digital environment that is not bounded by geography.
Cyber risks/threats
These can be categorized into three major divisions:

* Cyber crime- Individuals working alone, or in organised groups, intent on extracting money or data or causing disruption. This can take many forms, including the acquisition of credit/debit card data or intellectual property and impairing the operation of a website or service.

* Cyber war- A nation state conducting sabotage and espionage against another nation to cause disruption or to extract data. This could involve the use of Advanced Persistent Threats (APTs).

* Cyber terror- An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyber space.

Introduction to cyber criminals
The cost of committing cyber crime is surprisingly low, and the world of cyber crime never stops innovating. Every month Microsoft publishes security updates for vulnerabilities in its products, an ever-growing list of known weaknesses that attackers study as closely as defenders do, since every unpatched system remains exposed to them. Cyber criminals can now even buy off-the-shelf hacking software, complete with support services. Cyber crime is increasingly simple to commit, which makes it more difficult to police.
There are a number of attack vectors that are available to cyber criminals:

* Phishing: An attempt to deceive users into revealing their information (passwords, card numbers, personal details) by masquerading as a legitimate entity, for example through spoofed emails or websites.

* Pharming: An attack that redirects a website's traffic to a different, fake website, where the individual's information is then compromised. Unlike phishing it does not need a convincing message: the redirection is done by poisoning DNS resolution or the victim's local hosts file, so even a correctly typed address leads to the attacker's site.

* Drive-by: Opportunistic attacks in which merely visiting a compromised or malicious web page is enough to infect the visitor, because the page exploits specific weaknesses in the browser or its plug-ins without any further action by the user.

* MITM: Man-in-the-middle attack, where the attacker sits between two communicating parties, impersonates each endpoint to the other, and is thus able to read and manipulate traffic that both victims believe is private.

* Social engineering: Exploiting the weakness of the individual, by making them click malicious links, or by physically gaining access to a computer through deception. Phishing is an example of social engineering; pharming is not, strictly speaking, since it works by tampering with name resolution rather than by deceiving the user.

* Advanced Persistent Threat (APT): The description applied to the coordinated cyber activities of sophisticated criminals and state-level entities. APTs target large corporations and foreign governments, with the objective of stealing information or compromising information systems.

* Trolling:

* Hacking

* Child Pornography

* Cyber Stalking: Repeated acts of harassment or threatening behaviour by the cyber criminal towards the victim using internet services.

* Denial of service attacks

* Virus Dissemination
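As an added example (not code from the original post), here is a small Python checker for the phishing and pharming indicators described in the list above. It parses the links in an HTML e-mail and flags links to a raw IP address, link text that names a trusted domain while the href goes elsewhere, and look-alike domains a couple of character edits away from a trusted one; it also scans a hosts file for entries that pin a trusted domain to an attacker-chosen address, the local form of pharming. The trusted-domain list, the sample message and the sample hosts file are constructed for this example.

```python
"""Added example: flag phishing indicators in an HTML e-mail and pharming
indicators in a hosts file. Not code from the original post.

The trusted-domain watchlist, SAMPLE_MAIL and SAMPLE_HOSTS are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the user legitimately deals with (constructed watchlist).
TRUSTED_DOMAINS = {"examplebank.com", "example.org"}

# Constructed phishing message: look-alike domain, raw-IP link, one clean link.
SAMPLE_MAIL = """<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://examp1ebank.com/login">www.examplebank.com</a>
or <a href="http://203.0.113.7/secure">our secure portal</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>"""

# Constructed hosts file with an attacker-added override of the bank's name.
SAMPLE_HOSTS = """127.0.0.1   localhost
# line added by malware (constructed)
198.51.100.9  www.examplebank.com examplebank.com
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alikes (examp1ebank vs examplebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(html_body: str) -> list:
    """Return (reason, href) findings for the links in an HTML e-mail body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        # 1. A raw IP address instead of a hostname.
        try:
            ipaddress.ip_address(host)
            findings.append(("raw IP address in link", href))
            continue
        except ValueError:
            pass
        dom = registrable_domain(host)
        # 2. The visible text names a trusted domain but the href goes elsewhere.
        for shown in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower()):
            if registrable_domain(shown) in TRUSTED_DOMAINS and dom not in TRUSTED_DOMAINS:
                findings.append(("link text/href mismatch", href))
        # 3. A look-alike of a trusted domain (at most two character edits away).
        for trusted in TRUSTED_DOMAINS:
            if dom != trusted and edit_distance(dom, trusted) <= 2:
                findings.append((f"look-alike of {trusted}", href))
    return findings


def pharming_indicators(hosts_text: str) -> list:
    """Return (reason, line) findings for hosts-file lines pinning a trusted domain."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if registrable_domain(name) in TRUSTED_DOMAINS:
                findings.append((f"{name} pinned to {addr}", line))
    return findings


if __name__ == "__main__":
    for reason, where in phishing_indicators(SAMPLE_MAIL) + pharming_indicators(SAMPLE_HOSTS):
        print(f"{reason}: {where}")
```

On the constructed message the checker reports three findings (the mismatched text/href and the look-alike domain on the first link, and the raw IP on the second) and two hosts-file overrides; the genuine help link produces none. The edit-distance threshold is deliberately small so that unrelated domains of similar length are not flagged.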


Prevention:
Emerging Trends in CS

Recommendations

* Social media and mobile communications will increasingly become ubiquitous and integral to routine interaction. It is therefore important that intelligence agencies monitor them and that people's representatives are present in the domain, so that timely counter-measures can be initiated against security threats and propaganda.

* The most effective way of countering false propaganda is to have an effective strategic communications policy, accompanied by transparency in functioning. The absence of both was evident in the recent past in Assam and while dealing with rumours and propaganda in cyber space.

* The Maoists will endeavour to change the operational status quo by improving their arsenal. This will also assist them in employing coercive tactics to sway public opinion in their favour. It is critical to ensure minimum collateral damage during operations, as well as to counter Maoist propaganda effectively, in order to regain the psychological space from the Maoists.

* The present state of peace in J&K is extremely fragile, and the increasing rate of infiltration poses a serious threat to it. Given the effectiveness of the fencing on the LoC, alternate areas across the IB and the coastal belt are likely to be exploited. Even as surveillance is put in place, the most important defence against such threats is co-opting the local people in community policing.
Cyber security will continue to emerge as a potential challenge in future. The endeavour to create a comprehensive organisational structure remains a critical requirement. However, it is equally important to run cyber education programmes through the virtual world as well as through educational institutions and public awareness groups, to enable greater understanding of the implications of the threat. This could result in participative counter-measures between the government and the people using the networks.
Cyber Warfare

* Since the discovery of the Stuxnet malware in 2010, no fewer than five other cyber weapons have appeared over the past two years. Stuxnet was directed against the Iranian nuclear programme. After a lull of a year, the Duqu worm was discovered in September 2011, followed in quick succession by the Mahdi, Gauss and Flame malware. Flame, Duqu and Gauss shared digital DNA with Stuxnet, and their primary purpose seemed to be espionage, with targets ranging from banking to governmental to energy networks. Flame's capabilities ranged from recording Skype conversations and downloading information from smart phones to more mundane activities such as recording audio, screenshots, keystrokes and network traffic. The Mahdi Trojan seemed to have spread via phishing emails, and its purpose was also apparently espionage. Infections were reported from Iran, Israel, Afghanistan, the United Arab Emirates, Saudi Arabia, Syria, Lebanon and Egypt.

* In April 2012 there were reports of a new virus, Wiper, that was much more destructive and wiped the data on every computer it infected. This virus largely affected networks in Iran. Four months later the Shamoon virus is reported to have wiped the data from 30,000 computers of the Saudi Arabian state oil company, Aramco, followed a week later by a similar episode on the networks of the second-largest LNG company in the world, RasGas of Qatar.

* In what has become the norm for such cyber attacks, despite intense investigations by anti-virus companies, the origins of the malware have remained largely in the realm of speculation and inference. While responsibility for Stuxnet (and by inference its cousins Duqu, Flame and Gauss) was laid at the door of the Obama Administration, through leaks seen as serving electoral purposes, the Shamoon virus is speculated to be a reverse-engineered version of Wiper unleashed by hackers loyal to the Iranian regime. Tit-for-tat attacks look set to become the norm as the countries of the region gird up their cyber loins.

* Similarly, existing defences appear to be no match for these malware attacks. The countries of West Asia are among the most pro-active when it comes to controlling cyberspace, with Iran going to the extent of decoupling from the Internet and building its own national intranet. The energy infrastructure companies that were attacked are among the biggest in the field and would no doubt have had many layered defences against such attacks, to no avail. In their defence, the critical infrastructure itself was not affected: the attacks wiped office networks rather than the control systems that run production. It must also be mentioned that the behaviour of some of the malware has been akin to sleeper cells, programmed to awaken on command and carry out instructions sent from command-and-control servers. As in the case of the modularly designed Flame malware, they can be used for multiple purposes, based on requirement.

* From India's perspective, there is much cause for concern in these developments. With a substantial part of its oil imports coming from the region, attacks on the global energy infrastructure centred in West Asia could have enormous repercussions for India. Unlike physical attacks, which have been held at bay through international pressure, the anonymity of cyber attacks and the absence of norms and conventions make it difficult for the international community to restrain such acts. The sudden loss of petroleum supplies can be cushioned through a strategic petroleum reserve, but efforts to build such a reserve, under way since 2004, are yet to come to fruition. Since gas has become a crucial energy component, the feasibility of establishing a Strategic Gas Reserve could also be considered.

* Of more immediate concern are the vulnerabilities in Indian critical infrastructure which could leave it open to similar attacks. While prediction and prevention strategies are all to the good, even greater emphasis needs to be placed on effective recovery strategies. All of this calls for greater coordination between the motley government, public and private enterprises that together run the country's critical infrastructure.

* Cyber attacks can have devastating results in terms of loss of livelihood, destruction of the economy and anarchy in society. Loss of life alone can no longer be the barometer of devastation. It is as important to have contingency plans ready to deal with all eventualities as it is for countries to come together to nip this scourge in the bud and to call out the rogue actors.
Cyber Laws in India
Cyber crime is not defined in the Information Technology Act 2000, in the IT (Amendment) Act 2008 or in any other legislation in India. In fact, it hardly could be. In simple terms, any offence or crime in which a computer is used is a cyber crime: the computer or the data itself is the target or object of the offence, or a tool in committing some other offence. All such acts come under the broad definition of cyber crime.

The Genesis (origin) of IT legislation in India:

Mid-90s: saw an impetus to globalisation and computerisation, with more and more nations computerising their governance and e-commerce seeing enormous growth. Until then most international trade and transactions were documented on paper transmitted by post or by telex. With the increase in the use of ICT in international trade, the United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Commerce in 1996, recommending that all UN member states give electronic records the same legal treatment as paper communications and records.

Beginning of 2000: Against this backdrop the Government of India enacted the IT Act 2000.


Aim
* to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication
* to facilitate electronic filing of documents with Government agencies, and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934

Policy
The Act essentially deals with the following issues:
* Legal recognition of electronic documents
* Legal recognition of digital signatures
* Offences and contraventions
* Justice dispensation systems for cyber crimes

How the Act is structured
The Act defines/provides the following:-
* Procedures for certifying authorities (for digital certificates under the IT Act 2000, since replaced by electronic signatures in the ITAA 2008) are spelt out.
* The civil offence of data theft, and the process of adjudication and appellate procedures.
* Some of the well-known cyber crimes, and the punishments therefor.
* The concept of due diligence, the role of intermediaries and some miscellaneous provisions.
* The words computer/computer system, defined so broadly that even high-end programmable gadgets like a washing machine, or the switches and routers used in a network, can all be brought under the definition. (:P)

Applicability: extends to the whole of India and, except as otherwise provided, applies also to any offence or contravention thereunder committed outside India by any person.

Weakness
* Awareness: There is no serious provision in the Act for creating awareness or putting such initiatives in place.
* Jurisdiction: This is a major issue which is not satisfactorily addressed in the ITA or ITAA. If someone's mail is hacked, the accused is a resident of a city in one state and the victim comes to know of it in a different city, which police station does the victim go to?
* Evidence: Part of the evidence problem is the crime scene. We cannot mark off a place, a computer or a network, nor seize the hard disk immediately and keep it under lock and key as an exhibit taken from the crime scene.
* Non-coverage of many crimes: While not only many Western countries but also some smaller nations in the East have several pieces of legislation, India has only one, the ITA and ITAA. Hence it is quite natural that many issues on cyber crime, and many crimes per se, are left uncovered. Cyber squatting with the evil intention of extorting money, spam mail, ISPs' liability in copyright infringement and data privacy issues have not been given adequate coverage.

Further Actions Needed


IT (Amendment) Act 2008
The IT Act, 2000 was subject to serious debates and discussions, elaborate reviews and critical analysis, with some calling it draconian and some lenient. Major committees and expert panels were set up to remove the lacunae in the IT ACT. Also, it was compared to similar acts of different nations.

Aim
* to remove the lacunae identified in the IT Act 2000 and bring it in line with comparable legislation in other nations (the notable features are listed below)

Policy
Some of the notable features of the ITAA are as follows:
* Focusing on data privacy
* Focusing on information security
* Defining cyber café
* Making digital signature technology-neutral
* Defining reasonable security practices to be followed by corporates
* Redefining the role of intermediaries
* Recognising the role of the Indian Computer Emergency Response Team
* Inclusion of some additional cyber crimes like child pornography and cyber terrorism
* Authorising an Inspector to investigate cyber offences (as against a DSP earlier)

Weakness

Further Actions Needed


Relevance of Prevention of Money Laundering Act:
Its main objective is to provide for confiscation of property derived from, or involved in, money laundering. Money laundering is the process of taking money from illegal sources, placing it in a legal channel, layering it through transactions that obscure its origin, and integrating it into the legal financial system, such as banking, so that it can be used openly. Since banking as an industry has a major and significant role to play in the laundering process, it is now a serious responsibility on the part of banks to ensure that banking channels are not used for criminal activity.
Much more than a responsibility, it is now a compliance issue as well.
The obligations of banks include maintaining records (KYC) of all transactions of the nature and value specified in the rules, furnishing information on those transactions within the prescribed time whenever warranted, and verifying and maintaining records of the identity of all customers.

Legislations in other nations

1. USA: The Health Insurance Portability and Accountability Act, popularly known as HIPAA, regulates health- and insurance-related records, their upkeep and maintenance, and the privacy and confidentiality issues involved in such records. Other laws: Cable Communications Policy Act, Children's Internet Protection Act, Children's Online Privacy Protection Act etc.

2. UK: Data Protection Act and the Privacy and Electronic Communications Regulations etc

National Cyber Security Policy 2013
(*CS = Cyber Security)

Aim
* To create a secure cyberspace ecosystem and strengthen the regulatory framework.
* To safeguard the privacy of citizen.
* To monitor and protect information and strengthen defenses from cyber attacks.
* To protect information infrastructure in cyberspace, reduce vulnerabilities, build capabilities to prevent and respond to cyber threats and minimize damage from cyber incidents through a combination of institutional structures, people, process, technology and cooperation

Policy
* Stakeholders:
* A national and sectoral 24x7 mechanism has been envisaged to deal with cyber threats through the National Critical Information Infrastructure Protection Centre (NCIIPC).
* The Indian Computer Emergency Response Team (CERT-In) has been designated as the nodal agency for coordination of crisis management efforts. CERT-In will also coordinate the actions and operations of sectoral CERTs.
* CISO: The policy aims at encouraging all organisations (public or private) to designate a person to serve as Chief Information Security Officer (CISO), responsible for CS initiatives. Organisations need to develop information security policies and implement them as per international best practices. Provisions for fiscal schemes and incentives have been incorporated in the policy to encourage entities to install trustworthy ICT products and continuously upgrade their information infrastructure with respect to CS.
* The policy calls for effective PPP and collaborative engagements through technical and operational cooperation.
* R&D:
* Another strategy which has been emphasized is the promotion of research and development in CS of trustworthy systems and their testing.
* collaboration with industry and academia
* Setting up of Centre of Excellence in areas of strategic importance etc.
* Developing of human resource through:
* Education and training programmes, establishing CS training infrastructure through PPP and to establish institutional mechanisms for capacity building for law enforcement agencies.
* Creating a workforce of 500,000 professionals trained in CS in the next 5 years through skill development and training.
* to promote and launch a comprehensive national awareness programme on CS through workshops, seminars and certifications to develop awareness of the challenges of CS amongst citizens.
* A mechanism is proposed to be evolved for obtaining strategic information regarding threats to information and communication technology (ICT) infrastructure, creating scenarios of response, resolution and crisis management through effective predictive, prevention, response and recovery action.

Weakness The following has not been addressed :
* security risks emanating due to use of new technologies e.g. Cloud Computing
* risks arising due to increased use of social networking sites by criminals and anti-national elements

Further Actions Needed
* Incorporation of cyber crime tracking, cyber forensic capacity building and creation of a platform for sharing and analysis of information between public and private sectors on continuous basis.
* Creating a workforce of 500,000 professionals needs further deliberations as to whether this workforce will be trained to simply monitor the cyberspace or trained to acquire offensive as well as defensive cyber security skill sets.
* Building of testing infrastructure and facilities of global standards for evaluation and not just Security Applications.



Jasleen Kaur