nandakumar_banglore
Published in: Technology, Business

Notes for slides:
  • 22 December 2010 The new risk reality is a statement that illustrates the increased complexity of society. Picture 1 (Prestige sinking): extreme environmental focus. Compliance, or lack of compliance? A symbol of a shipping accident. Picture 2 (Enron, USA): expectations on ethical standards in business; demonstrates the consequences of poor ethics. A symbol of corporate failure. Picture 3 (microphones): requirements on transparency from the media and non-governmental organisations (NGOs) are on the rise. Picture 4 (air pollution): climate change is a consequence of human activity and pollution. Changes in weather patterns and more frequent natural catastrophes are risks business must take into account.
  • Different definitions exist for risk; let's not go too deep into that now. But the scales for probability and consequence/impact need to be agreed.
  • These are the core activities in regular risk management. Often this already exists and relevant risks may be found there; in addition, findings from the BC Risk Assessment should be included in this risk picture.
  • Widely used and, until the rise of BS 7799-1, probably the most recognized of the security frameworks, COBIT (Control OBjectives for Information and related Technology) is directed at information security. However, it should be noted that COBIT was created by a specific group and intended for a specific purpose. COBIT was created by ISACA (which used to be known as the Information Systems Audit and Control Association). Auditability is key to COBIT, and the accounting and management background definitely shows in the choice of items in the COBIT list. Much of the activity suggested relates to measurement, performance, and reporting. Thus, in a sense, most of COBIT concentrates on what can be counted and demonstrated, sometimes disregarding what might actually be effective.
  • The United States' Federal Information Systems Management Act mandates certain standards of information security and controls for US federal agencies. The legislation states that standards must be applied, but the standards are different for different agencies and applications. Detailed instructions can be found in directives for the military (Defense Information Technology Systems Certification and Accreditation Process, or DITSCAP), the intelligence community (Director of Central Intelligence Directive 6/3, or DCID 6/3), and more generally the National Information Assurance Certification and Accreditation Process (NIACAP). The National Institute of Standards and Technology also has outlines.
  • It really isn't fair to compare the Computer Security Resource Center (CSRC) of the United States' National Institute of Standards and Technology with the security frameworks we have been discussing. The centre (which, even though it is only one office of the institute, is generally known simply as NIST in the security community) provides a wealth of security information and resources, which are freely available at the website at http://csrc.nist.gov. The publications section is particularly useful, with a constantly updated stream of guidelines and aids, particularly the 800 series documents.
  • As should be clear to everyone in both fields, the financial securities industry has very little to do with computer or information security, despite a heavy reliance on the technology. However, recent concerns in that community have concentrated on the area of internal controls, which have application in reviewing controls and safeguards, particularly in regard to insider attacks. This reference is shorthand for the second report from the Basel Committee on Banking Supervision, Risk Management Principles for Electronic Banking. The Basel II Accord also looks at operational risk, which is more in line with the risk management that infosec people know and love. COSO is shorthand for the Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework; COSO outlines a three-dimensional framework for examining controls. The United States' Sarbanes-Oxley law (frequently referred to as Sarbox or SOX) emphasizes that corporate management is responsible for the reliability of financial reports about publicly traded companies. Section 404 (and also 302, in a marvelous confusion with Web result codes) notes that the integrity of information systems supporting these financial reports must also be managed.

    1. 1. Cyber Crimes and IT Risk Management – Nandakumar Shamanna
    2. 3. What makes it different from terrestrial crime
      • They are easy to learn how to commit
      • They are often not clearly illegal
      • When done, they leave little or no trace
      • They require few resources relative to the potential damage caused
      • They can be committed in a jurisdiction without being physically present in it
    3. 4. Cyber crimes, to name a few:
      • Cyber Terrorism
      • Cyber Squatting
      • Web Jacking
      • Internet Time Thefts
      • Email Bombing
      • Cyber Stalking
      • Salami Attacks
      • Hacking
      • Viruses/Worms/Trojans
      • Data Diddling
      • Cyber Blackmailing
      • Cyber Luring
      • Intellectual Property crimes
      • False Websites
      • Phishing
      • Auction Frauds
      • E-mail Spoofing
      • Pornography
      • Data Interference/Forgery/Interception
      • Credit Card Fraud
      • Network Sabotage
      • DOS
      • Identity Fraud/Theft
      • Source code stealing
    4. 5. Cyber Crimes – Exploding Problem
      List of Top 20 Countries with the highest rate of Cybercrime (source: BusinessWeek/Symantec). Each country lists 6 contributing factors (share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin rank) to substantiate its cybercrime ranking.
      Rank 11: India
        • Share of malicious computer activity: 3%
        • Malicious code rank: 3
        • Spam zombies rank: 11
        • Phishing web site hosts rank: 22
        • Bot rank: 20
        • Attack origin rank: 19
    5. 6. Extent of the Problem – Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007
    6. 7. Extent of the Problem – 2009 FBI-IC3 Internet Crime Report, Friday, April 2nd, 2010
    7. 8. Extent of the Problem – Ponemon Institute Research Report, Publication Date: July 2010
    8. 9. Why Is Cyber Attack Possible?
      • Software Has Bugs / Networks Not Designed For Security: Engineering practices and technology used by system providers do not produce systems that are immune to attack
      • Implementation Is Poor: Network and system operators do not have the people and practices to defend against attacks and minimize damage
      • Law And Policy Lag Behind Dependence: Policy and law in cyber-space are immature and lag the pace of change
    9. 10. Information Technology – Risk Management
    10. 11. New risk reality
      • Today we are operating in an increasingly global, complex and demanding risk environment with “zero tolerance” for failure
      • Increased demands for transparency and business sustainability
      • Stricter regulatory requirements
      • Increasing IT vulnerability
    11. 12. Definition of risk
      Risk is an event that occurs with a certain frequency/probability and that has consequences towards one or more goals/objectives.
      Risk Level = Frequency/Probability combined with Consequence
      (Diagram labels: Threat – Exploit – Vulnerability – Damage – Asset; Probability x Consequence = Risk)
    12. 13. Approach – Work process and method
      • Initiation & focusing
      • Uncertainty identification
      • Risk analysis
      • Actions planning
      • Documentation
      • Communication
      • Implementation & follow-up
      The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner.
    13. 14. Actions planning – handling strategy
      • Alter the risk
        • Preventive measures reduce the probability of the event
        • Corrective measures reduce the consequence of the event
          • Plan for that event to happen
            • Avoid escalation
            • Recovery plan
      • Transfer the risk
        • Disclaim responsibility; write a contract, take out insurance etc.
      • Avoid the risk
        • Eliminate by stopping the activity
      • Accept the risk
        • Continue as before; the activity remains unchanged
      (Matrix quadrants: Risk Avoidance, Risk Reduction, Risk Transfer, Risk Acceptance)
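The slides above give the definition (risk level = probability combined with consequence), the note that the probability and consequence scales must be agreed, and the four handling strategies. The following Python register is an added example, not code from the deck or from DNV, that puts those pieces together: it assumes agreed 1..5 ordinal scales, combines them by product, bands the result, maps the band to a handling strategy (the quadrant assignment is an assumption, since the slide does not say which quadrant is which), and applies preventive measures to probability and corrective measures to consequence to compute the residual risk. The sample risks and measures are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Literal

# Agreed scales. The deck says the probability and consequence scales must be
# agreed; the 1..5 ordinal scales below are an assumption for this example.
PROBABILITY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

Strategy = Literal["avoid", "reduce", "transfer", "accept"]
MeasureKind = Literal["preventive", "corrective"]


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    consequence: int
    measures: tuple = ()  # names of measures already applied

    def __post_init__(self):
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"probability {self.probability} is not on the agreed scale")
        if self.consequence not in CONSEQUENCE_SCALE:
            raise ValueError(f"consequence {self.consequence} is not on the agreed scale")

    @property
    def level(self) -> int:
        """Risk level = probability combined with consequence (combined here by product)."""
        return self.probability * self.consequence


def band(level: int) -> str:
    # Band thresholds are an assumption; a real register uses the agreed matrix.
    if level >= 15:
        return "high"
    if level >= 5:
        return "medium"
    return "low"


def strategy(risk: Risk) -> Strategy:
    """Assumed mapping of the slide's four strategies onto the risk matrix:
    high -> avoid (stop the activity); medium -> transfer when consequence dominates
    (contract/insurance), otherwise reduce (preventive measures); low -> accept."""
    b = band(risk.level)
    if b == "high":
        return "avoid"
    if b == "medium":
        return "transfer" if risk.consequence > risk.probability else "reduce"
    return "accept"


@dataclass(frozen=True)
class Measure:
    name: str
    kind: MeasureKind
    effect: int  # how many steps down the relevant scale the measure buys


def apply_measure(risk: Risk, measure: Measure) -> Risk:
    """Preventive measures reduce probability; corrective measures reduce consequence."""
    applied = risk.measures + (measure.name,)
    if measure.kind == "preventive":
        return replace(risk, probability=max(1, risk.probability - measure.effect), measures=applied)
    return replace(risk, consequence=max(1, risk.consequence - measure.effect), measures=applied)


def residual_after_treatment(risk: Risk, measures: list[Measure]) -> Risk:
    for m in measures:
        risk = apply_measure(risk, m)
    return risk


def build_register() -> list[Risk]:
    # Constructed sample risks for illustration, not taken from the deck.
    return [
        Risk("Phishing leads to credential theft", probability=4, consequence=3),
        Risk("Data centre fire", probability=1, consequence=5),
        Risk("Unsupported legacy OS exposed to the internet", probability=5, consequence=5),
        Risk("Laptop theft (disk encrypted)", probability=3, consequence=1),
    ]


def prioritised(register: list[Risk]) -> list[Risk]:
    """Highest risk level first, so actions planning starts at the top."""
    return sorted(register, key=lambda r: r.level, reverse=True)


if __name__ == "__main__":
    for r in prioritised(build_register()):
        print(f"{r.level:2d} {band(r.level):6s} {strategy(r):8s} {r.name}")
    phishing = build_register()[0]
    treated = residual_after_treatment(phishing, [
        Measure("MFA on all remote logins", "preventive", effect=2),
        Measure("Credential-reset playbook", "corrective", effect=1),
    ])
    print(f"residual: level {treated.level} -> {strategy(treated)} via {treated.measures}")
```

Running the block prints the register in priority order and then the residual risk for the phishing entry: the preventive measure moves probability from 4 to 2, the corrective measure moves consequence from 3 to 2, and the residual level of 4 falls into the band where the assumed mapping says the risk can be accepted. The validation in `Risk.__post_init__` is what enforces the "agreed scales" point from the notes: a value off the scale is rejected rather than silently combined.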
    14. 15. Implement Security Systems to combat Cyber Crimes
    15. 16. The solutions – Technology
      • Firewalls, Intrusion Prevention System
      • Public Key Infrastructure
      • High Grade Encryption Technologies
      • Optical Fiber Links
      • Vulnerability/Risk Assessment
      • Cyber Forensics
      • Honey Pots
      • VPN
      • Biometrics, Access Control
      • Backups (System Redundancy)
      • Incident Response Actions
    16. 17. The solutions – Processes
      • Reduction in operational flexibility (Segregation of Duties)
      • Effective organization procedures and policies
      • Security/System auditing
      • Training for employees
      • Government-to-Government coordination
      • Recognizing the shortage of skilled cyber security workers
      • Creation of a Cyber Army
      • Cooperation & information sharing
      • Investment in information assurance systems
      • Increased R&D funding
      • Development of cyber ethics
      • Mutual cooperation with law enforcement
    17. 18. Security Models and Frameworks
    18. 19. ISO 27000 Series – Published standards
      • ISO/IEC 27000 — Information security management systems — Overview and vocabulary
      • ISO/IEC 27001 — Information security management systems — Requirements
      • ISO/IEC 27002 — Code of practice for information security management
      • ISO/IEC 27003 — Information security management system implementation guidance
      • ISO/IEC 27004 — Information security management — Measurement
      • ISO/IEC 27005 — Information security risk management
      • ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
      • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
      • ISO/IEC 27033-1 — Network security overview and concepts
      • ISO 27799 — Information security management in health using ISO/IEC 27002 [standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27]
    19. 20. ISO 27000 Series – In preparation
      • ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
      • ISO/IEC 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
      • ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
      • ISO/IEC 27014 — Information security governance framework
      • ISO/IEC 27015 — Information security management guidelines for the finance and insurance sectors
      • ISO/IEC 27031 — Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
      • ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
      • ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
      • ISO/IEC 27034 — Guideline for application security
      • ISO/IEC 27035 — Security incident management
      • ISO/IEC 27036 — Guidelines for security of outsourcing
      • ISO/IEC 27037 — Guidelines for identification, collection and/or acquisition and preservation of digital evidence
    20. 21. COBIT
      • ISACA (Information Systems Audit and Control Association)
        • Four phases/domains:
          • Planning and Organization
          • Acquisition and Implementation
          • Delivery and Support
          • Monitoring
      Common Criteria (CC)
      • Common Criteria for Information Technology Security Evaluation
        • ISO 15408
          • not a security framework
          • not even an evaluation standard
        • Framework for specification of evaluation
          • Protection Profile (PP)
          • Evaluation Assurance Level (EAL 1-7)
      FISMA
      • Federal Information Systems Management Act – US
        • National Information Assurance Certification and Accreditation Process (NIACAP)
        • National Institute of Standards and Technology outline
        • Defense Information Technology Systems Certification and Accreditation Process (DITSCAP)
        • Director of Central Intelligence Directive 6/3
    21. 22. ITIL
      • Information Technology Infrastructure Library
        • Management guidelines
          • Incident response
          • Problem management
          • Change management
          • Release management
          • Configuration management
          • Service desk management
          • Service level management
          • Availability
          • Capacity management
          • Service continuity
          • IT financials
          • IT workforce/HR management
      Information Security Forum (ISF)
      • Standard of Good Practice for Information Security
        • 5 "aspects"
          • Security Management
          • Critical Business Applications
          • Computer Installations
          • Networks
          • Systems Development
        • broken out into 30 "areas" and 135 "sections"
    22. 23. NIST
      • Library of freely available resources
        • http://csrc.nist.gov
          • Information Security Handbook: A Guide for Managers (800-100)
          • Recommended Security Controls for Federal Info Systems (800-53)
          • Guide to Information Technology Security Services (800-35)
          • Risk Management Guide for Information Technology Systems (800-30)
          • Engineering Principles for Information Technology Security (800-27)
          • Guide for Developing Security Plans for Federal Info Systems (800-18)
          • Generally Accepted Principles and Practices for Securing Information Technology Systems (800-14)
          • An Introduction to Computer Security: The NIST Handbook (800-12)
          • Security Self-Assessment Guide for Information Technology Systems (800-26)
      PCI
      • Payment Card Industry Data Security Standards
        • 6 Control Objectives
        • 12 Requirements
    23. 24. Securities and Financial
      • Basel II
        • bank solvency
        • “operational risk”
      • COSO
        • Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework
        • internal controls
      • SOX
      RFC 2196
      • RFC 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet.
      Statement on Auditing Standards No. 70: Service Organizations
      • SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor’s report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.
    24. 25. The CALDER-MOIR IT Governance Framework
      There are many IT-related management frameworks, standards and methodologies in use today. None of them, on their own, is a complete IT governance framework, but they all have a useful role to play in assisting organizations to manage and govern their IT operations more effectively. The CALDER-MOIR IT Governance Framework is designed to help you get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best practice guidance contained in the international standard for IT governance, ISO/IEC 38500.
    25. 26. Governance & Cyber Crime – Cost Comparison – Ponemon Institute Research Report, Publication Date: July 2010
    26. 27. Cyber Crimes and Law
      • Electronic Signature Laws
        • U.S. – Electronic Signatures in Global and National Commerce Act
        • U.S. – Uniform Electronic Transactions Act – adopted by 46 states
        • U.S. – Digital Signature And Electronic Authentication Law
        • U.S. – Government Paperwork Elimination Act (GPEA)
        • U.S. – The Uniform Commercial Code (UCC)
        • UK – s.7 Electronic Communications Act 2000
        • European Union – Electronic Signature Directive (1999/93/EC)
        • Mexico – E-Commerce Act [2000]
        • Costa Rica – Digital Signature Law 8454 (2005)
        • Australia – Electronic Transactions Act 1999 (Cth) (also note that there is State and Territory mirror legislation)
      • Information Technology Law
        • Computer Misuse Act 1990
        • Florida Electronic Security Act
        • Illinois Electronic Commerce Security Act
        • Texas Penal Code – Computer Crimes Statute
        • Maine Criminal Code – Computer Crimes
        • Singapore Electronic Transactions Act
        • Malaysia Computer Crimes Act
        • Malaysia Digital Signature Act
        • UNCITRAL Model Law on Electronic Commerce
        • Information Technology Act 2000 of India
    27. 28. Cybercrime provisions under the IT Act, 2000 – Offences & relevant sections under the IT Act
      • Tampering with computer source documents – Sec. 65
      • Hacking with computer systems, data alteration – Sec. 66
      • Publishing obscene information – Sec. 67
      • Unauthorized access to a protected system – Sec. 70
      • Breach of confidentiality and privacy – Sec. 72
      • Publishing false digital signature certificates – Sec. 73
    28. 29. Implications
      • Failure to comply with the above may result in damages payable for which there is no specified upper limit, besides possible imprisonment of up to 7 years.
      • It is also necessary for companies to understand that even if any of their employees contravene the provisions of the Act, including committing personal offences such as searching for child pornography using the corporate network, there could be vicarious liabilities on the organization and its Directors and Executives.
      • Prevention of these liabilities requires a Cyber Law Compliance Programme with special focus on the IT Act 2008. Even if the organization is ISO 27001 certified, it is recommended that the organization review its security and examine IT Act 2008 compliance.
    29. 30. Conclusion
      • The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space. However, it is quite possible to check it. The only possible steps to counter cyber crimes are:
        • to make people aware of their rights and duties (to report crime as a collective duty towards society)
        • to make the application of the laws more stringent to check crime
        • to implement good systems and governance models to reduce the possibilities of cyber crimes
        • to bring about increased awareness amongst the law keepers of the state on cyber crimes
    30. 31. Safeguarding life, property and the environment www.dnv.com