  1. Cyber Crimes and IT Risk Management (Nandakumar Shamanna)
  2. © Det Norske Veritas AS. All rights reserved. (Slides 2 to 4 carry no text.)
  5. What makes it different from terrestrial crime
     - They are easy to learn how to commit
     - They are often not clearly illegal
     - They can be committed in a jurisdiction without being physically present in it
     - When done, they leave little or no trace
     - They require few resources relative to the potential damage caused
  6. To name a few
     - Cyber Terrorism
     - False Websites
     - Cyber Squatting
     - Phishing
     - Web Jacking
     - Auction Frauds
     - Internet Time Thefts
     - E-mail Spoofing
     - E-mail Bombing
     - Cyber Stalking
     - Pornography
     - Salami Attacks
     - Data Interference/Forgery/Interception
     - Hacking
     - Credit Card Fraud
     - Viruses/Worms/Trojans
     - Network Sabotage
     - Data Diddling
     - DoS
     - Cyber Blackmailing
     - Identity Fraud/Theft
     - Cyber Luring
     - Source Code Stealing
     - Intellectual Property Crimes
  7. - Cyber terrorism: the deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.
     - Cyber espionage: the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of a classified nature) from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage, using illegal exploitation methods on the Internet, networks or individual computers.
  8. The Impact
     - Armies may cease to march
     - Stock markets may crash
     - Businesses may be bankrupted
     - Individuals may lose their social identity
     - Threats come not from novice teenagers but from purposeful military, political and criminal organizations
  9. "This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" (signed: Mujahideen-ul-dawat)
  10. Challenges to India's National Security
      - India's reliance on technology is increasing, as reflected in the fact that India is shifting gears by entering into facets of e-governance
      - India has already brought sectors like defense, income tax and passports under the realm of e-governance
      - The travel sector is also heavily reliant on this
      - Most Indian banks have gone on to full-scale computerization, which has also brought in e-commerce and e-banking
      - The stock markets have not remained immune either
      - Sectors like police and judiciary are to follow
  11. Cyber Crimes – Exploding Problem
      India (source: BusinessWeek/Symantec list of the top 20 countries with the highest rate of cybercrime):
      - Share of malicious computer activity: 3%
      - Malicious code rank: 3
      - Spam zombies rank: 11
      - Phishing web site hosts rank: 22
      - Bot rank: 20
      - Attack origin rank: 19
      Each country is ranked on six contributing factors (share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin) to substantiate its cybercrime ranking.
  12. Extent of the Problem. Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007
  13. Extent of the Problem. Source: 2009 FBI-IC3 Internet Crime Report, Friday, April 2nd, 2010
  14. Extent of the Problem. Source: Ponemon Institute Research Report, Publication Date: July 2010
  15. Why Is Cyber Attack Possible?
      - Software has bugs / networks are not designed for security: engineering practices and technology used by system providers do not produce systems that are immune to attack
      - Implementation is poor: network and system operators do not have the people and practices to defend against attacks and minimize damage
      - Law and policy lag behind dependence: policy and law in cyberspace are immature and lag the pace of change
  16. Attack Sophistication vs. Intruder Technical Knowledge (chart; only its labels survive)
      - Axes: Attack Sophistication (Low to High) against time (1980, 1985, 1990, 1995, 2000); curve labels: Intruders, Intruder Knowledge, Tools
      - Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, burglaries, hijacking sessions, network mgmt. diagnostics, sweepers, sniffers, GUI, packet spoofing, automated probes/scans, www attacks, denial of service, "stealth"/advanced scanning techniques, staged attack tools, distributed attack tools, cross site scripting, auto coordinated
  17. Information Technology – Risk Management
  18. New risk reality
      - Today we are operating in an increasingly global, complex and demanding risk environment with "zero tolerance" for failure
      - Even as demands for transparency increase, businesses and the State remain challenged by increasing IT vulnerability
      - There must be a balance between transparency and security
      - Stricter regulatory requirements
  19. Definition of risk
      Risk is an event that occurs with a certain frequency/probability and that has consequences for one or more goals/objectives.
      Risk Level = Frequency/Probability combined with Consequence
      Diagram: a THREAT exploits a VULNERABILITY (giving the PROBABILITY) and does DAMAGE to an ASSET (giving the CONSEQUENCE); PROBABILITY x CONSEQUENCE = RISK
  20. Approach - Work process and method
      The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner.
      Process steps (diagram): Initiation & focusing; Uncertainty Identification; Risk Analysis; Actions Planning; Implementation & follow-up; accompanied throughout by Communication and Documentation.
  21. Actions planning – handling strategy
      - Risk Reduction: alter the risk. Preventive measures reduce the probability of the event; corrective measures reduce the consequence of the event; plan for the event happening; avoid escalation; recovery plan
      - Risk Transfer: transfer the risk. Disclaim responsibility; write a contract, take out insurance etc.
      - Risk Avoidance: avoid the risk. Eliminate it by stopping the activity
      - Risk Acceptance: accept the risk. Continue as before; the activity remains unchanged
  22. Implement Security Systems to combat Cyber Crimes
  23. The solutions - Technology
      - Firewalls, Intrusion Prevention Systems
      - Public Key Infrastructure
      - High-grade encryption technologies
      - Optical fiber links
      - Vulnerability/risk assessment
      - Cyber forensics
      - Honey pots
      - VPN
      - Biometrics, access control
      - Backups (system redundancy)
      - Incident response actions
  24. The solutions - Processes
      - Reduction in operational flexibility (segregation of duties)
      - Effective organizational procedures and policies
      - Security/system auditing
      - Training for employees
      - Government-to-government coordination
      - Recognizing the shortage of skilled cyber security workers
      - Creation of a cyber army
      - Cooperation and information sharing
      - Investment in information assurance systems
      - Increased R&D funding
      - Development of cyber ethics
      - Mutual cooperation with law enforcement
  25. Security Models and Frameworks
  26. ISO 27000 Series - Published standards
      - ISO/IEC 27000 - Information security management systems - Overview and vocabulary
      - ISO/IEC 27001 - Information security management systems - Requirements
      - ISO/IEC 27002 - Code of practice for information security management
      - ISO/IEC 27003 - Information security management system implementation guidance
      - ISO/IEC 27004 - Information security management - Measurement
      - ISO/IEC 27005 - Information security risk management
      - ISO/IEC 27006 - Requirements for bodies providing audit and certification of information security management systems
      - ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
      - ISO/IEC 27033-1 - Network security overview and concepts
      - ISO 27799 - Information security management in health using ISO/IEC 27002 (standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27)
  27. ISO 27000 Series - In preparation
      - ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
      - ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
      - ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
      - ISO/IEC 27014 - Information security governance framework
      - ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
      - ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
      - ISO/IEC 27032 - Guideline for cybersecurity (essentially, being a good neighbor on the Internet)
      - ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
      - ISO/IEC 27034 - Guideline for application security
      - ISO/IEC 27035 - Security incident management
      - ISO/IEC 27036 - Guidelines for security of outsourcing
      - ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence
  28. Other IT Security Management Models
      - Common Criteria (CC): Common Criteria for Information Technology Security Evaluation - ISO 15408 - framework for specification of evaluation
      - FISMA: Federal Information Systems Management Act (US)
      - Information Security Forum (ISF): Standard of Good Practice for Information Security
      - ITIL: Information Technology Infrastructure Library
      - NIST: library of freely available resources, e.g. Security Self-Assessment Guide for Information Technology Systems (800-26)
  29. Other IT Security Management Models
      - PCI: Payment Card Industry Data Security Standard - 6 control objectives, 12 requirements
      - Securities and financial: Basel II, COSO, SOX
      - RFC 2196: a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet
      - Statement on Auditing Standards No. 70: Service Organizations. SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.
  30. IT Governance Models
      - COBIT: ISACA (Information Systems Audit and Control Association)
  31. The CALDER-MOIR IT Governance Framework
      There are many IT-related management frameworks, standards and methodologies in use today. None of them, on their own, is a complete IT governance framework, but they all have a useful role to play in helping organizations manage and govern their IT operations more effectively. The CALDER-MOIR IT Governance Framework is designed to help get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best practice guidance contained in the international standard for IT governance, ISO/IEC 38500.
  32. Governance & Cyber Crime - Cost Comparison. Source: Ponemon Institute Research Report, Publication Date: July 2010
  33. Cyber Crimes and Law
      Electronic Signature Laws:
      - U.S. - Electronic Signatures in Global and National Commerce Act
      - U.S. - Uniform Electronic Transactions Act (adopted by 46 states)
      - U.S. - Digital Signature And Electronic Authentication Law
      - U.S. - Government Paperwork Elimination Act (GPEA)
      - U.S. - The Uniform Commercial Code (UCC)
      - UK - s.7 Electronic Communications Act 2000
      - European Union - Electronic Signature Directive (1999/93/EC)
      - Mexico - E-Commerce Act [2000]
      - Costa Rica - Digital Signature Law 8454 (2005)
      - Australia - Electronic Transactions Act 1999 (Cth) (also note that there is State and Territory mirror legislation)
      - India - Information Technology Act 2000
      Information Technology Laws:
      - Computer Misuse Act 1990
      - Florida Electronic Security Act
      - Illinois Electronic Commerce Security Act
      - Texas Penal Code - Computer Crimes Statute
      - Maine Criminal Code - Computer Crimes
      - Singapore Electronic Transactions Act
      - Malaysia Computer Crimes Act
      - Malaysia Digital Signature Act
      - UNCITRAL Model Law on Electronic Commerce
      - Information Technology Act 2000 of India
  34. Cyber Security Initiatives by Government of India - cybercrime provisions under the IT Act, 2000
      Offences and relevant sections under the IT Act:
      - Tampering with computer source documents: Sec. 65
      - Hacking with computer systems, data alteration: Sec. 66
      - Publishing obscene information: Sec. 67
      - Unauthorized access to a protected system: Sec. 70
      - Breach of confidentiality and privacy: Sec. 72
      - Publishing false digital signature certificates: Sec. 73
  35. Cyber Security Initiatives by Government of India
      - National Informatics Centre (NIC)
      - Indian Computer Emergency Response Team (CERT-In)
      - National Information Security Assurance Programme (NISAP)
      - Indo-US Cyber Security Forum (IUSCSF)
  36. Conclusion
      - The majority of on-line threat is cyber crime
      - Cyber terror is still emerging: an evolving threat; integration of critical missions with the general Internet; increasing damage and speed of attacks; continued vulnerability of off-the-shelf software
  37. Conclusion
      The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyberspace; however, it is quite possible to check it. Hence the possible steps to counter cyber crimes are to:
      - make people aware of their rights and duties (reporting crime is a collective duty towards society)
      - make the application of the laws more stringent to check crime
      - implement good IT security systems and governance models to reduce the possibilities of cyber crime
      - bring about increased awareness of cyber crimes amongst the law keepers of the State
  38. Conclusion
      - To counter cyber threats, India should immediately establish a National Centre on Information Systems Security
      - It should tap the expertise of universities and private software and Internet companies
      - In addition to the government and defense sectors, it should cater to the banking sector, stock exchanges, telecom and Internet networks, power and water supplies, and transportation
  39. Safeguarding life, property and the environment