Cyber Crimes and IT Risk Management

Nandakumar Shamanna
© Det Norske Veritas AS. All rights reserved.   2
What makes it different from terrestrial crime

- They are easy to learn how to commit
- They are often not clearly illegal
- They can be committed in a jurisdiction without being physically present in it
- When done, they leave little or no trace
- They require few resources relative to the potential damage caused

To name a few
- Cyber Terrorism
- Cyber Squatting
- Web Jacking
- Internet Time Thefts
- Email Bombing
- Cyber Stalking
- Salami Attacks
- Hacking
- Viruses/Worms/Trojans
- Data Diddling
- Cyber Blackmailing
- Cyber Luring
- Intellectual Property crimes
- False Websites
- Phishing
- Auction Frauds
- e-mail Spoofing
- Pornography
- Data Interference/Forgery/Interception
- Credit Card Fraud
- Network Sabotage
- DoS (Denial of Service)
- Identity Fraud/Theft
- Source code stealing

Cyber terrorism: the deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.

Cyber espionage: the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of a classified nature), from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage, using illegal exploitation methods on the Internet, networks or individual computers.

The Impact……
- Armies may cease to march
- Stock markets may crash
- Businesses may be bankrupted
- Individuals may lose their social identity
- Threats come not from novice teenagers but from purposeful military, political, and criminal organizations

- "This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir"
- signed by
- Mujahideen-ul-dawat

Challenges to India's National Security

- India's reliance on technology is increasing, as reflected in the fact that India is shifting gears by entering into facets of e-governance
- India has already brought sectors like defense, income tax and passports under the realm of e-governance
- The travel sector is also heavily reliant on it
- Most Indian banks have gone on to full-scale computerization, which has also brought in e-commerce and e-banking
- The stock markets have not remained immune either
- Sectors like police and judiciary are to follow

Cyber Crimes – Exploding Problem

List of Top 20 Countries with the highest rate of Cybercrime (source: BusinessWeek/Symantec). Each country is ranked on six contributing factors: share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin rank.

India (No. 11 on the list):
- Share of malicious computer activity: 3%
- Malicious code rank: 3
- Spam zombies rank: 11
- Phishing web site hosts rank: 22
- Bot rank: 20
- Attack origin rank: 19

Extent of the Problem

[Chart. Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007]

Extent of the Problem

[Chart. Source: 2009 FBI-IC3 Internet Crime Report, Friday, April 2nd, 2010]

Extent of the Problem

[Chart. Source: Ponemon Institute Research Report, Publication Date: July 2010]

Why Is Cyber Attack Possible?
- Software has bugs / networks were not designed for security: engineering practices and technology used by system providers do not produce systems that are immune to attack
- Implementation is poor: network and system operators do not have the people and practices to defend against attacks and minimize damage
- Law and policy lag behind dependence: policy and law in cyber-space are immature and lag the pace of change

Attack Sophistication vs. Intruder Technical Knowledge

[Chart: two curves, "Intruders" (intruder knowledge) and "Tools" (attack sophistication), plotted from Low to High against a 1980-2000 timeline. Techniques marked along the timeline, approximately in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, network mgmt. diagnostics, denial of service, www attacks, “stealth”/advanced scanning techniques, distributed attack tools, cross site scripting, staged, auto coordinated.]

Information Technology – Risk Management

New risk reality
- Today we are operating in an increasingly global, complex and demanding risk environment with “zero tolerance” for failure
- Even as demands for transparency increase, businesses and the State face continuing challenges from increasing IT vulnerability
- There must be a balance between transparency and security
- Stricter regulatory requirements

Definition of risk

Risk is an event that occurs with a certain frequency/probability and that has consequences for one or more goals/objectives.

Risk Level = Frequency/Probability combined with Consequence

    THREAT --exploits--> VULNERABILITY        DAMAGE to ASSET
                 |                                   |
            PROBABILITY          x             CONSEQUENCE     =   RISK

A threat exploiting a vulnerability determines the probability side; the damage done to an asset determines the consequence side.

Approach - Work process and method

The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner.

Process steps, with Communication and Documentation running across all of them:
  1. Initiation & focusing
  2. Uncertainty identification
  3. Risk analysis
  4. Actions planning
  5. Implementation & follow-up

Actions planning – handling strategy

Four strategies (Risk Reduction, Risk Transfer, Risk Avoidance, Risk Acceptance):

Alter the risk (Risk Reduction)
  - Preventive measures reduce the probability of the event
  - Corrective measures reduce the consequence of the event
      - Plan for the event happening
          - Avoid escalation
          - Recovery plan

Transfer the risk (Risk Transfer)
  - Disclaim responsibility; write a contract, take out insurance etc.

Avoid the risk (Risk Avoidance)
  - Eliminate by stopping the activity

Accept the risk (Risk Acceptance)
  - Continue as before; the activity remains unchanged

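A worked version of the risk definition above (Risk = Probability x Consequence) together with the four handling strategies, as an added Python example that is not part of the deck; the 1-5 scales, the high/medium/low thresholds, the risk appetite and the register entries are constructed assumptions.

```python
"""Risk register on the deck's model (constructed example, not from the deck).

Risk Level = Probability x Consequence: a THREAT exploiting a VULNERABILITY
drives the probability, DAMAGE to an ASSET drives the consequence.  Residual
risk follows the four handling strategies: alter, transfer, avoid, accept.
"""
import math
from dataclasses import dataclass, replace
from enum import Enum


class Treatment(Enum):
    ALTER = "alter"        # preventive and/or corrective measures (risk reduction)
    TRANSFER = "transfer"  # contract clause, insurance (risk transfer)
    AVOID = "avoid"        # stop the activity (risk avoidance)
    ACCEPT = "accept"      # continue as before (risk acceptance)


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str          # who or what exploits the vulnerability
    vulnerability: str
    asset: str           # what suffers the damage
    probability: int     # assumed scale 1 (rare) .. 5 (almost certain); 0 once avoided
    consequence: int     # assumed scale 1 (negligible damage) .. 5 (severe damage)

    def level(self) -> int:
        # The slide's formula: PROBABILITY x CONSEQUENCE = RISK
        return self.probability * self.consequence


def classify(level: int) -> str:
    """Bands on the 0..25 product scale (thresholds are an assumption)."""
    if level >= 15:
        return "high"
    if level >= 8:
        return "medium"
    return "low"


def treat(risk: Risk, treatment: Treatment, *, preventive: int = 0,
          corrective: int = 0, retained_share: float = 1.0) -> Risk:
    """Return the residual risk after applying one handling strategy.

    ALTER    - preventive measures lower probability by `preventive` steps,
               corrective measures lower consequence by `corrective` steps.
    TRANSFER - insurance/contract leaves only `retained_share` of the
               consequence with us; the probability of the event is unchanged.
    AVOID    - the activity stops, so the event can no longer occur.
    ACCEPT   - nothing changes.
    """
    if treatment is Treatment.ALTER:
        return replace(risk,
                       probability=max(1, risk.probability - preventive),
                       consequence=max(1, risk.consequence - corrective))
    if treatment is Treatment.TRANSFER:
        if not 0.0 < retained_share <= 1.0:
            raise ValueError("retained_share must be in (0, 1]")
        retained = max(1, math.ceil(risk.consequence * retained_share))
        return replace(risk, consequence=retained)
    if treatment is Treatment.AVOID:
        return replace(risk, probability=0)
    return risk


def within_appetite(risk: Risk, appetite: int) -> bool:
    """Follow-up check: is the residual level at or below the accepted maximum?"""
    return risk.level() <= appetite


# Constructed register entries for a small e-banking operation.
REGISTER = [
    Risk("Phishing of customers", "fraudster", "users trust spoofed e-mail",
         "customer accounts", probability=5, consequence=4),
    Risk("Data centre fire", "fire", "single site, no redundancy",
         "core banking system", probability=1, consequence=5),
    Risk("Insider data theft", "employee", "no segregation of duties",
         "customer records", probability=3, consequence=4),
]


def treatment_plan(appetite: int = 8) -> list:
    """Treat each entry; return (name, inherent, strategy, residual, ok) rows."""
    plan = [
        (REGISTER[0], Treatment.ALTER, dict(preventive=2, corrective=1)),  # awareness + fraud monitoring
        (REGISTER[1], Treatment.TRANSFER, dict(retained_share=0.4)),       # insurance with retained excess
        (REGISTER[2], Treatment.ALTER, dict(preventive=1)),                # segregation of duties
    ]
    rows = []
    for risk, how, kwargs in plan:
        residual = treat(risk, how, **kwargs)
        rows.append((risk.name, risk.level(), how.value, residual.level(),
                     within_appetite(residual, appetite)))
    return rows


if __name__ == "__main__":
    for name, before, how, after, ok in treatment_plan():
        print(f"{name:24} {before:>2} ({classify(before):6}) --{how:8}--> "
              f"{after:>2} ({classify(after):6}) {'ok' if ok else 'FOLLOW UP'}")
```

Rows flagged FOLLOW UP are the ones where a single strategy leaves the residual level above the appetite, which is the trigger for the implementation and follow-up step of the process.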
Implement Security Systems to combat Cyber Crimes

The solutions - Technology
- Firewalls, Intrusion Prevention Systems
- Public Key Infrastructure
- High-grade encryption technologies
- Optical fibre links
- Vulnerability/risk assessment
- Cyber forensics
- Honeypots
- VPN
- Biometrics, access control
- Backups (system redundancy)
- Incident response actions

The solutions - Processes
- Reduced operational flexibility (segregation of duties)
- Effective organizational procedures and policies
- Security/system auditing
- Training for employees
- Government-to-government coordination
- Recognizing the shortage of skilled cyber security workers
- Creation of a cyber army
- Cooperation and information sharing
- Investment in information assurance systems
- Increased R&D funding
- Development of cyber ethics
- Mutual cooperation with law enforcement

Security Models and Frameworks

ISO 27000 Series - Published standards
- ISO/IEC 27000 - Information security management systems - Overview and vocabulary
- ISO/IEC 27001 - Information security management systems - Requirements
- ISO/IEC 27002 - Code of practice for information security management
- ISO/IEC 27003 - Information security management system implementation guidance
- ISO/IEC 27004 - Information security management - Measurement
- ISO/IEC 27005 - Information security risk management
- ISO/IEC 27006 - Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27033-1 - Network security overview and concepts
- ISO 27799 - Information security management in health using ISO/IEC 27002 [standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27]

ISO 27000 Series - In preparation
- ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
- ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
- ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
- ISO/IEC 27014 - Information security governance framework
- ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
- ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
- ISO/IEC 27032 - Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
- ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
- ISO/IEC 27034 - Guideline for application security
- ISO/IEC 27035 - Security incident management
- ISO/IEC 27036 - Guidelines for security of outsourcing
- ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence

Other IT Security Management Models

- Common Criteria (CC)
  Common Criteria for Information Technology Security Evaluation
    - ISO 15408
    - Framework for specification of evaluation
- FISMA
  Federal Information Systems Management Act – US
- Information Security Forum (ISF)
  Standard of Good Practice for Information Security
- ITIL
  Information Technology Infrastructure Library
- NIST
  Library of freely available resources
    - http://csrc.nist.gov
  Security Self-Assessment Guide for Information Technology Systems (SP 800-26)

Other IT Security Management Models

- PCI
  Payment Card Industry Data Security Standard
    - 6 control objectives
    - 12 requirements
- Securities and Financial
    - Basel II
    - COSO
    - SOX
- RFC 2196
  RFC 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet.
- Statement on Auditing Standards No. 70: Service Organizations
  SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor’s report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.

IT Governance Models
- COBIT
  ISACA (Information Systems Audit and Control Association)

The CALDER-MOIR IT Governance Framework

There are many IT-related management frameworks, standards and methodologies in use today.

None of them, on their own, is a complete IT governance framework, but they all have a useful role to play in helping organizations manage and govern their IT operations more effectively.

The CALDER-MOIR IT Governance Framework is designed to help get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best-practice guidance contained in the international standard for IT governance, ISO/IEC 38500.

Governance & Cyber Crime - Cost Comparison

[Chart. Source: Ponemon Institute Research Report, Publication Date: July 2010]

Cyber Crimes and Law

Electronic Signature Laws
- U.S. - Electronic Signatures in Global and National Commerce Act
- U.S. - Uniform Electronic Transactions Act - adopted by 46 states
- U.S. - Digital Signature And Electronic Authentication Law
- U.S. - Government Paperwork Elimination Act (GPEA)
- U.S. - The Uniform Commercial Code (UCC)
- UK - s.7 Electronic Communications Act 2000
- European Union - Electronic Signature Directive (1999/93/EC)
- Mexico - E-Commerce Act [2000]
- Costa Rica - Digital Signature Law 8454 (2005)
- Australia - Electronic Transactions Act 1999 (Cth) (also note that there is State and Territory mirror legislation)
- India - Information Technology Act 2000

Information Technology Laws
- Computer Misuse Act 1990
- Florida Electronic Security Act
- Illinois Electronic Commerce Security Act
- Texas Penal Code - Computer Crimes Statute
- Maine Criminal Code - Computer Crimes
- Singapore Electronic Transactions Act
- Malaysia Computer Crimes Act
- Malaysia Digital Signature Act
- UNCITRAL Model Law on Electronic Commerce
- India - Information Technology Act 2000

Cyber Security Initiatives by Government of India

Cybercrime provisions under the IT Act, 2000 - offences and relevant sections:
- Sec. 65 - Tampering with computer source documents
- Sec. 66 - Hacking with computer systems, data alteration
- Sec. 67 - Publishing obscene information
- Sec. 70 - Unauthorized access to a protected system
- Sec. 72 - Breach of confidentiality and privacy
- Sec. 73 - Publishing false digital signature certificates

Cyber Security Initiatives by Government of India
- National Informatics Centre (NIC)
- Indian Computer Emergency Response Team (CERT-In)
- National Information Security Assurance Programme (NISAP)
- Indo-US Cyber Security Forum (IUSCSF)

Conclusion
- The majority of online threats are cyber crime
- Cyber terror is still emerging
    - Evolving threat
    - Integrating critical missions with the general Internet
    - Increasing damage and speed of attacks
    - Continued vulnerability of off-the-shelf software

Conclusion

The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space; however, it is quite possible to check it. Hence, the possible steps to counter cyber crimes are to:
- make people aware of their rights and duties (reporting crime is a collective duty towards society)
- make the application of the laws more stringent to check crime
- implement good IT security systems and governance models to reduce the possibilities of cyber crime
- bring about increased awareness of cyber crimes amongst the law keepers of the State

Conclusion

- To counter cyber threats, India should immediately establish a national center on information systems security
- It should tap the expertise of universities and private software and internet companies
- In addition to the government and defense sectors, it should cater to the banking sector, stock exchanges, telecom and internet networks, power and water supplies, and transportation

Safeguarding life, property and the environment

www.dnv.com

S nandakumar

  • 1.
    Cyber Crimes andIT Risk Management Nandakumar Shamanna
  • 2.
    © Det NorskeVeritas AS. All rights reserved. 2
  • 3.
    © Det NorskeVeritas AS. All rights reserved. 3
  • 4.
    © Det NorskeVeritas AS. All rights reserved. 4
  • 5.
    What makes itdifferent form terrestrial Crime They are easy to learn how to commit They are often not clearly illegal They can be committed in a jurisdiction without being physically present in it When done leaves no or less trace They require few resources relative to the potential damage caused © Det Norske Veritas AS. All rights reserved. 5
  • 6.
    to name afew  Cyber Terrorism  False Websites  Cyber Squatting  Phishing  Web Jacking  Auction Frauds  Internet Time Thefts  e-mail Spoofing  Email Bombing  Cyber Terrorism  Cyber Stalking  Pornography  Salami Attacks  Data Interference/Forgery/Interception  Hacking  Credit Card Fraud  Viruses/Worms/Trojans  Network Sabotage  Data Diddling  DOS  Cyber Blackmailing  Identity Fraud/Theft  Cyber Luring  Source code stealing  Intellectual Property crimes © Det Norske Veritas AS. All rights reserved. 6
  • 7.
     Cyber terrorism:The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.  Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature), from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using illegal exploitation methods on the Internet, networks or individual computers. © Det Norske Veritas AS. All rights reserved. 7
  • 8.
    The Impact…… Armies may cease to march  Stock Markets may crash  Businesses may be bankrupted  Individuals may lose their social identity  Threats not from novice teenagers : - but purposeful military, political, and criminal organizations © Det Norske Veritas AS. All rights reserved. 8
  • 9.
    - "This sitehas been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir" - signed by - Mujahideen-ul-dawat © Det Norske Veritas AS. All rights reserved. 9
  • 10.
    Challenges to India'sNational Security India's reliance on technology is increasing as reflected from the fact that India is shifting gears by entering into facets of e-governance India has already brought sectors like defense, income tax, passport under the realm of e -governance The travel sector is also heavily reliant on this Most of the Indian banks have gone on full-scale computerization. This has also brought in concepts of e-commerce and e-banking The stock markets have also not remained immune Sectors like police and judiciary are to follow © Det Norske Veritas AS. All rights reserved. 10
  • 11.
    Cyber Crimes –Exploding Problem 11. India Share of malicious computer activity: 3% Malicious code rank: 3 Spam zombies rank: 11 Phishing web site hosts rank: 22 Bot rank: 20 Attack origin rank: 19 List of Top 20 Countries with the highest rate of Cybercrime (source: BusinessWeek/Symantec) Each country lists 6 contributing factors, share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin, to substantiate its cybercrime ranking. © Det Norske Veritas AS. All rights reserved. 11
  • 12.
    Extent of theProblem Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007 © Det Norske Veritas AS. All rights reserved. 12
  • 13.
    Extent of theProblem 2009 FBI-IC3 Internet Crime Report Friday, April 2nd, 2010 © Det Norske Veritas AS. All rights reserved. 13
  • 14.
    Extent of theProblem Ponemon Institute Research Report Publication Date: July 2010 © Det Norske Veritas AS. All rights reserved. 14
  • 15.
    Why Is CyberAttack Possible?  Software Has Bugs/Networks Not Designed For Security: Engineering practices and technology used by system providers do not produce systems that are immune to attack  Implementation Is Poor: Network and System operators do not have the people and practices to defend against attacks and minimize damage  Law And Policy Lag Behind Dependence: Policy and law in cyber-space are immature and lag the pace of change © Det Norske Veritas AS. All rights reserved. 15
  • 16.
    Attack Sophistication vs.Intruder Technical Knowledge Auto Coordinated Cross site scripting Tools “stealth” / advanced High scanning techniques packet spoofing denial of service Staged sniffers distributed attack tools Intruder sweepers www attacks Knowledge automated probes/scans GUI back doors disabling audits network mgmt. diagnostics hijacking burglaries sessions Attack exploiting known vulnerabilities Sophistication password cracking self-replicating code password guessing Intruders Low 1980 1985 1990 1995 2000 © Det Norske Veritas AS. All rights reserved. 16
  • 17.
  • 18.
    New risk reality  Today we are operating in an increasingly more global, complex and demanding risk environment with “zero tolerance” for failure  Even as there is Increased demands for transparency the Challenges of businesses or the State remain due to Increasing IT vulnerability  There must be a balance between Transparency and Security  Stricter regulatory requirements © Det Norske Veritas AS. All rights reserved. 18
  • 19.
    Definition of risk Risk is an event that occurs with a certain frequency/ probability and that has consequences towards one or more goals/objectives Risk Level = Frequency/ Probability combined with Consequence THREAT EXPLOIT VULNERABILITY PROBABILITY x CONSEQUENCE = RISK DAMAGE ASSET © Det Norske Veritas AS. All rights reserved. 19
  • 20.
    Approach - Workprocess and method The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner Communication Initiation Uncertainty Risk Actions Implementation & focusing Identification Analysis Planning & follow-up Documentation © Det Norske Veritas AS. All rights reserved. 20
  • 21.
    2 Actions planning – handling strategy  Alter the risk - Preventive measures reduce the probability of the event - Corrective measures reduce the consequence of the event - Plan for that event happen - Avoid escalation - Recovery plan Risk Reduction Risk Transfer  Transfer the risk - Disclaim responsibility; write a contract, take out insurance etc.  Avoid the risk - Eliminate by stopping the activity  Accept the risk - Continue as before; the activity remains unchanged Risk Avoidance Risk Acceptance © Det Norske Veritas AS. All rights reserved. 21
  • 22.
    Implement Security Systems tocombat Cyber Crimes
  • 23.
    the solutions…. -Technology  Firewalls, Intrusion Prevention System  Public Key Infrastructure  High Grade Encryption Technologies  Optical Fiber Links  Vulnerability/Risk Assessment  Cyber Forensics  Honey Pots  VPN  Biometrics, Access Control  Backups (System Redundancy)  Incident Response Actions © Det Norske Veritas AS. All rights reserved. 23
  • 24.
    the solutions…. -Processes  Reduction in the Operation flexibility (Segregation of Duties)  Effective Organization Procedures and Policies  Security/System Auditing  Training to the employees  Government-to-Government coordination  Recognizing Shortage of skilled cyber security workers  Creation of Cyber Army  Cooperation & Information Sharing  Investment in information assurance systems  Increased R&D funding  Development of cyber ethics  Mutual cooperation with law enforcement © Det Norske Veritas AS. All rights reserved. 24
  • 25.
  • 26.
    ISO 27000 Series- Published standards  ISO/IEC 27000 — Information security management systems — Overview and vocabulary  ISO/IEC 27001 — Information security management systems — Requirements  ISO/IEC 27002 — Code of practice for information security management  ISO/IEC 27003 — Information security management system implementation guidance  ISO/IEC 27004 — Information security management — Measurement  ISO/IEC 27005 — Information security risk management  ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems  ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002  ISO/IEC 27033-1 - Network security overview and concepts  ISO 27799 - Information security management in health using ISO/IEC 27002 [standard produced by the Health Infomatics group within ISO, independently of ISO/IEC JTC1/SC27] © Det Norske Veritas AS. All rights reserved. 26
  • 27.
    ISO 27000 Series- In preparation  ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)  ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)  ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001  ISO/IEC 27014 - Information security governance framework  ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors  ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)  ISO/IEC 27032 - Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)  ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)  ISO/IEC 27034 - Guideline for application security  ISO/IEC 27035 - Security incident management  ISO/IEC 27036 - Guidelines for security of outsourcing  ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence © Det Norske Veritas AS. All rights reserved. 27
  • 28.
Other IT Security Management Models
- Common Criteria (CC): Common Criteria for Information Technology Security Evaluation - ISO 15408 - Framework for specification of evaluation
- FISMA: Federal Information Security Management Act - US
- Information Security Forum (ISF): Standard of Good Practice for Information Security
- ITIL: Information Technology Infrastructure Library
- NIST: library of freely available resources - http://csrc.nist.gov ; Security Self-Assessment Guide for Information Technology Systems (SP 800-26)
  • 29.
Other IT Security Management Models
- PCI: Payment Card Industry Data Security Standards - 6 Control Objectives - 12 Requirements
- Securities and Financial: Basel II, COSO, SOX
- RFC 2196: RFC 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet.
- Statement on Auditing Standards No. 70: Service Organizations. SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.
  • 30.
IT Governance Models
- COBIT: ISACA (Information Systems Audit and Control Association)
  • 31.
The CALDER-MOIR IT Governance Framework
There are many IT-related management frameworks, standards and methodologies in use today. None of them, on their own, is a complete IT governance framework, but they all have a useful role to play in helping organizations manage and govern their IT operations more effectively. The CALDER-MOIR IT Governance Framework is designed to help get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best-practice guidance contained in the international standard for IT governance, ISO/IEC 38500.
  • 32.
Governance & Cyber Crime - Cost Comparison
Source: Ponemon Institute Research Report, Publication Date: July 2010
  • 33.
Cyber Crimes and Law
Electronic Signature Laws
- U.S. - Electronic Signatures in Global and National Commerce Act
- U.S. - Uniform Electronic Transactions Act - adopted by 46 states
- U.S. - Digital Signature And Electronic Authentication Law
- U.S. - Government Paperwork Elimination Act (GPEA)
- U.S. - The Uniform Commercial Code (UCC)
- UK - s.7 Electronic Communications Act 2000
- European Union - Electronic Signature Directive (1999/93/EC)
- Mexico - E-Commerce Act [2000]
- Costa Rica - Digital Signature Law 8454 (2005)
- Australia - Electronic Transactions Act 1999 (Cth) (also note that there is State and Territory mirror legislation)
- Information Technology Act 2000 of India
Information Technology Laws
- Computer Misuse Act 1990
- Florida Electronic Security Act
- Illinois Electronic Commerce Security Act
- Texas Penal Code - Computer Crimes Statute
- Maine Criminal Code - Computer Crimes
- Singapore Electronic Transactions Act
- Malaysia Computer Crimes Act
- Malaysia Digital Signature Act
- UNCITRAL Model Law on Electronic Commerce
- Information Technology Act 2000 of India
  • 34.
Cyber Security Initiatives by Government of India
Cybercrime provisions under IT Act, 2000 - Offences & Relevant Sections under IT Act
- Tampering with computer source documents: Sec. 65
- Hacking with computer systems, data alteration: Sec. 66
- Publishing obscene information: Sec. 67
- Unauthorized access to protected system: Sec. 70
- Breach of confidentiality and privacy: Sec. 72
- Publishing false digital signature certificates: Sec. 73
  • 35.
Cyber Security Initiatives by Government of India
- National Informatics Centre (NIC)
- Indian Computer Emergency Response Team (CERT-In)
- National Information Security Assurance Programme (NISAP)
- Indo-US Cyber Security Forum (IUSCSF)
  • 36.
Conclusion
- The majority of on-line threat is cyber crime
- Cyber terror is still emerging
  - Evolving threat
  - Integrating critical missions with the general Internet
  - Increasing damage/speed of attacks
  - Continued vulnerability of off-the-shelf software
  • 37.
Conclusion
The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space. However, it is quite possible to check it. Hence, the possible steps to counter cyber crimes are to:
- make people aware of their rights and duties (to report crime as a collective duty towards society)
- make the application of the laws more stringent to check crime
- implement good IT security systems and governance models to reduce the possibilities of cyber crimes
- bring about increased awareness amongst the law keepers of the State on cyber crimes
  • 38.
Conclusion
- To counter cyber threats, India should immediately establish a National center on information systems security
- It should tap the expertise of universities and private software and internet companies
- In addition to the government and defense sectors, it should cater to the banking sector, stock exchanges, telecom and internet networks, power and water supplies, and transportation.
  • 39.
Safeguarding life, property and the environment
www.dnv.com