Cyber Crimes and IT Risk Management
Nandakumar Shamanna
 
What makes it different from terrestrial crime
• They are easy to learn how to commit
• They are often not clearly illegal
• When done, they leave little or no trace
• They require few resources relative to the potential damage caused
• They can be committed in a jurisdiction without being physically present in it
Cyber Terrorism, Cyber Squatting, Web Jacking, Internet Time Thefts, Email Bombing, Cyber Stalking, Salami Attacks, Hacking, Viruses/Worms/Trojans, Data Diddling, Cyber Blackmailing, Cyber Luring, Intellectual Property crimes, False Websites, Phishing, Auction Frauds, e-mail Spoofing, Pornography, Data Interference/Forgery/Interception, Credit Card Fraud, Network Sabotage, DOS, Identity Fraud/Theft, Source code stealing, to name a few
Cyber Crimes – Exploding Problem
List of Top 20 Countries with the highest rate of Cybercrime (source: BusinessWeek/Symantec). Each country lists 6 contributing factors (share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin rank) to substantiate its cybercrime ranking.
11. India
• Share of malicious computer activity: 3%
• Malicious code rank: 3
• Spam zombies rank: 11
• Phishing web site hosts rank: 22
• Bot rank: 20
• Attack origin rank: 19
Extent of the Problem
• Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007
• 2009 FBI-IC3 Internet Crime Report (Friday, April 2nd, 2010)
• Ponemon Institute Research Report (Publication Date: July 2010)
Why Is Cyber Attack Possible?
• Software Has Bugs/Networks Not Designed For Security: Engineering practices and technology used by system providers do not produce systems that are immune to attack
• Implementation Is Poor: Network and System operators do not have the people and practices to defend against attacks and minimize damage
• Law And Policy Lag Behind Dependence: Policy and law in cyber-space are immature and lag the pace of change
Information Technology – Risk Management
Today we are operating in an increasingly global, complex and demanding risk environment with “zero tolerance” for failure
• Increased demands for transparency and business sustainability
• Stricter regulatory requirements
• Increasing IT vulnerability
• New risk reality
Definition of risk
Risk is an event that occurs with a certain frequency/probability and that has consequences towards one or more goals/objectives.
Risk Level = Frequency/Probability combined with Consequence
[Diagram labels: Asset, Threat, Exploit, Vulnerability, Probability x Consequence = Risk, Damage]
Approach - Work process and method
• Initiation & focusing
• Uncertainty Identification
• Risk Analysis
• Actions Planning
• Documentation
• Communication
• Implementation & follow-up
The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner.
Actions planning – handling strategy
• Alter the risk (Risk Reduction)
  - Preventive measures reduce the probability of the event
  - Corrective measures reduce the consequence of the event
  - Plan for the event happening: avoid escalation, recovery plan
• Transfer the risk (Risk Transfer): disclaim responsibility; write a contract, take out insurance etc.
• Avoid the risk (Risk Avoidance): eliminate by stopping the activity
• Accept the risk (Risk Acceptance): continue as before; the activity remains unchanged
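A small risk-register model of the risk definition and the four handling strategies above, added here as an example (it is not code from the presentation). The 1-5 scales, the rating bands and the one-point effect per measure are assumptions chosen for illustration, since the deck itself says such scales must be agreed; the register entries are constructed.

```python
# Added example, not from the presentation: score risks as
# Probability x Consequence and apply the four handling strategies.
# Scales (1-5), rating bands and "one point per measure" are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class Strategy(Enum):
    REDUCE = "Risk Reduction"    # alter the risk with preventive/corrective measures
    TRANSFER = "Risk Transfer"   # contract, insurance, disclaim responsibility
    AVOID = "Risk Avoidance"     # stop the activity
    ACCEPT = "Risk Acceptance"   # continue as before


@dataclass(frozen=True)
class Measure:
    description: str
    kind: str        # "preventive" lowers probability, "corrective" lowers consequence
    effect: int = 1  # points removed on the assumed 1-5 scale


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 = rare .. 5 = almost certain (assumed scale)
    consequence: int  # 1 = negligible .. 5 = catastrophic (assumed scale)

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("probability and consequence must be on the 1-5 scale")


def risk_level(probability: int, consequence: int) -> int:
    """Risk Level = Probability combined with Consequence (here: multiplied)."""
    return probability * consequence


def rating(level: int) -> str:
    """Map a 0-25 level onto bands; the cut-offs are assumptions."""
    if level == 0:
        return "Eliminated"
    if level <= 4:
        return "Low"
    if level <= 9:
        return "Medium"
    if level <= 15:
        return "High"
    return "Critical"


def treat(risk: Risk, strategy: Strategy, measures: Iterable[Measure] = ()) -> Tuple[int, int]:
    """Residual (probability, consequence) after applying one handling strategy.

    REDUCE applies preventive and corrective measures. TRANSFER only moves the
    consequence to a third party (contract, insurance), so preventive measures
    are rejected. AVOID stops the activity, so probability drops to 0.
    ACCEPT leaves the risk unchanged.
    """
    p, c = risk.probability, risk.consequence
    if strategy is Strategy.ACCEPT:
        return p, c
    if strategy is Strategy.AVOID:
        return 0, c
    for m in measures:
        if m.kind == "preventive":
            if strategy is Strategy.TRANSFER:
                raise ValueError("transfer does not change probability; use REDUCE")
            p = max(1, p - m.effect)  # never below the bottom of the scale
        elif m.kind == "corrective":
            c = max(1, c - m.effect)
        else:
            raise ValueError(f"unknown measure kind: {m.kind}")
    return p, c


def residual_level(risk: Risk, strategy: Strategy, measures: Iterable[Measure] = ()) -> int:
    p, c = treat(risk, strategy, measures)
    return risk_level(p, c)


# Constructed register entries (illustrative only).
PHISHING = Risk("Phishing leads to stolen credentials", probability=4, consequence=4)
PHISHING_MEASURES = (
    Measure("Mail filtering and awareness training", "preventive"),
    Measure("Incident response and recovery plan", "corrective"),
)
FIBRE_CUT = Risk("Loss of the single data-centre link", probability=2, consequence=5)

if __name__ == "__main__":
    for risk, strategy, measures in (
        (PHISHING, Strategy.REDUCE, PHISHING_MEASURES),
        (FIBRE_CUT, Strategy.TRANSFER, (Measure("Outage insurance", "corrective"),)),
        (FIBRE_CUT, Strategy.AVOID, ()),
    ):
        before = risk_level(risk.probability, risk.consequence)
        after = residual_level(risk, strategy, measures)
        print(f"{risk.name}: {before} ({rating(before)}) -> {strategy.value} "
              f"-> {after} ({rating(after)})")
```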
To combat Cyber Crimes: Implement Security Systems
The solutions - Technology
• Firewalls, Intrusion Prevention System
• Public Key Infrastructure
• High Grade Encryption Technologies
• Optical Fiber Links
• Vulnerability/Risk Assessment
• Cyber Forensics
• Honey Pots
• VPN
• Biometrics, Access Control
• Backups (System Redundancy)
• Incident Response Actions
The solutions - Processes
• Reduction in the Operation flexibility (Segregation of Duties)
• Effective Organization Procedures and Policies
• Security/System Auditing
• Training for employees
• Government-to-Government coordination
• Recognizing the shortage of skilled cyber security workers
• Creation of Cyber Army
• Cooperation & Information Sharing
• Investment in information assurance systems
• Increased R&D funding
• Development of cyber ethics
• Mutual cooperation with law enforcement
Security Models and Frameworks
ISO 27000 Series - Published standards
• ISO/IEC 27000 - Information security management systems - Overview and vocabulary
• ISO/IEC 27001 - Information security management systems - Requirements
• ISO/IEC 27002 - Code of practice for information security management
• ISO/IEC 27003 - Information security management system implementation guidance
• ISO/IEC 27004 - Information security management - Measurement
• ISO/IEC 27005 - Information security risk management
• ISO/IEC 27006 - Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27033-1 - Network security overview and concepts
• ISO 27799 - Information security management in health using ISO/IEC 27002 [standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27]
ISO 27000 Series - In preparation
• ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 - Information security governance framework
• ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
• ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
• ISO/IEC 27032 - Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
• ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
• ISO/IEC 27034 - Guideline for application security
• ISO/IEC 27035 - Security incident management
• ISO/IEC 27036 - Guidelines for security of outsourcing
• ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence
COBIT
ISACA (Information Systems Audit and Control Association)
Four phases/domains:
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring
Common Criteria (CC)
Common Criteria for Information Technology Security Evaluation, ISO 15408
• Not a security framework, not even an evaluation standard: a framework for the specification of evaluation
• Protection Profile (PP)
• Evaluation Assurance Level (EAL 1-7)
FISMA
Federal Information Systems Management Act – US
• National Information Assurance Certification and Accreditation Process (NIACAP)
• National Institute of Standards and Technology outline
• Defense Information Technology Systems Certification and Accreditation Process (DITSCAP)
• Director of Central Intelligence Directive 6/3
ITIL
Information Technology Infrastructure Library management guidelines:
• Incident response
• Problem management
• Change management
• Release management
• Configuration management
• Service desk management
• Service level management
• Availability
• Capacity management
• Service continuity
• IT financials
• IT workforce/HR management
Information Security Forum (ISF)
Standard of Good Practice for Information Security: 5 "aspects" (Security Management, Critical Business Applications, Computer Installations, Networks, Systems Development), broken out into 30 "areas" and 135 "sections"
NIST library of freely available resources (http://csrc.nist.gov)
• 800-100 Information Security Handbook: A Guide for Managers
• 800-53 Recommended Security Controls for Federal Info Systems
• 800-35 Guide to Information Technology Security Services
• 800-30 Risk Management Guide for Information Technology Systems
• 800-27 Engineering Principles for Information Technology Security
• 800-18 Guide for Developing Security Plans for Federal Info Systems
• 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
• 800-12 An Introduction to Computer Security: The NIST Handbook
• 800-26 Security Self-Assessment Guide for Information Technology Systems
PCI
Payment Card Industry Data Security Standards: 6 Control Objectives, 12 Requirements
Securities and Financial
• Basel II: bank solvency, “operational risk”
• COSO: Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework; internal controls
• SOX
• RFC 2196: a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet
• SAS 70 (Statement on Auditing Standards No. 70: Service Organizations): provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor’s report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.
The CALDER-MOIR IT Governance Framework
There are many IT-related management frameworks, standards and methodologies in use today. None of them, on their own, are complete IT governance frameworks, but they all have a useful role to play in assisting organizations manage and govern their IT operations more effectively. The CALDER-MOIR IT Governance Framework is designed to help you get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best practice guidance contained in the international standard for IT governance, ISO/IEC 38500.
Governance & Cyber Crime - Cost Comparison
Source: Ponemon Institute Research Report, Publication Date: July 2010
Cyber Crimes and Law
Electronic Signature Laws
• U.S. - Electronic Signatures in Global and National Commerce Act
• U.S. - Uniform Electronic Transactions Act - adopted by 46 states
• U.S. - Digital Signature And Electronic Authentication Law
• U.S. - Government Paperwork Elimination Act (GPEA)
• U.S. - The Uniform Commercial Code (UCC)
• UK - s.7 Electronic Communications Act 2000
• European Union - Electronic Signature Directive (1999/93/EC)
• Mexico - E-Commerce Act [2000]
• Costa Rica - Digital Signature Law 8454 (2005)
• Australia - Electronic Transactions Act 1999 (Cth) (also note that there is State and Territory mirror legislation)
Information Technology Law
• Computer Misuse Act 1990
• Florida Electronic Security Act
• Illinois Electronic Commerce Security Act
• Texas Penal Code - Computer Crimes Statute
• Maine Criminal Code - Computer Crimes
• Singapore Electronic Transactions Act
• Malaysia Computer Crimes Act
• Malaysia Digital Signature Act
• UNCITRAL Model Law on Electronic Commerce
• Information Technology Act 2000 of India
Cybercrime provisions under IT Act, 2000
Offences & Relevant Sections under IT Act:
• Tampering with Computer source documents: Sec. 65
• Hacking with Computer systems, Data alteration: Sec. 66
• Publishing obscene information: Sec. 67
• Un-authorized access to protected system: Sec. 70
• Breach of Confidentiality and Privacy: Sec. 72
• Publishing false digital signature certificates: Sec. 73
Implications
Failure to comply with the above may result in damages payable for which there is no specified upper limit, besides possible imprisonment of up to 7 years. Companies also need to understand that even if any of their employees contravene the provisions of the Act, including committing personal offences such as searching for child pornography using the corporate network, there could be vicarious liabilities on the organization and its Directors and Executives. Prevention of these liabilities requires a Cyber Law Compliance Programme with special focus on IT Act 2008. Even if the organization is ISO 27001 certified, it is recommended that it review its security and examine IT Act 2008 compliance.
Conclusion
The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space; however, it is quite possible to check it. The only possible steps to counter cyber crimes are:
• to make people aware of their rights and duties (to report crime as a collective duty towards society)
• to make the application of the laws more stringent to check crime
• to implement good systems and governance models to reduce the possibilities of cyber crimes
• to bring about increased awareness amongst the law keepers of the state on cyber crimes
Safeguarding life, property  and the environment www.dnv.com

S nandakumar


Editor's Notes

  • #12 21 December 2010 The new risk reality is a statement that illustrates the increased complexity of society. Picture 1 (Prestige sinking): extreme environmental focus. Compliance, or lack of compliance? A symbol of a shipping accident. Picture 2 (Enron USA): expectations on ethical standards in business; demonstrates the consequences of poor ethics. A symbol of corporate failure. Picture 3 (microphones): requirements on transparency from media and non-governmental organisations (NGOs) on the rise. Picture 4 (air pollution): climate change is a consequence of human activity and pollution; changes in weather patterns and more frequent natural catastrophes are risks business must take into account.
  • #13 Different definitions exist for Risk; let’s not go too deep into that now. But the scales for probability and Consequence/Impact need to be agreed.
  • #14 These are the core activities in regular Risk Management. Often this exists already and relevant risks may be found there; in addition, findings from the BC Risk Assessment should be included in this risk picture.
  • #22 Widely used and, until the rise of BS 7799-1, probably the most recognized of the security frameworks, COBIT (Control OBjectives for Information and related Technology) is directed at information security. However, it should be noted that COBIT was created by a specific group and intended for a specific purpose. COBIT was created by ISACA (which used to be known as the Information Systems Audit and Control Association). Auditability is key to COBIT, and the accounting and management background definitely shows in the choice of items in the COBIT list. Much of the activity suggested relates to measurement, performance, and reporting. Thus, in a sense, most of COBIT concentrates on what can be counted and demonstrated, sometimes disregarding what might actually be effective.
  • #23 The United States' Federal Information Systems Management Act mandates certain standards of information security and controls for US federal agencies. The legislation states that standards must be applied, but the standards are different for different agencies and applications. Detailed instructions can be found in directives for the military (Defense Information Technology Systems Certification and Accreditation Process or DITSCAP), the intelligence community (Director of Central Intelligence Directive 6/3 or DCID 6/3), and more generally the National Information Assurance Certification and Accreditation Process (NIACAP). The National Institute of Standards and Technology also has outlines.
  • #24 It really isn't fair to compare the Computer Security Resource Center (CSRC) of the United States' National Institute of Standards and Technology with the security frameworks we have been discussing. The centre (which, even though it is only one office of the institute, is generally known simply as NIST in the security community) provides a wealth of security information and resources, which are freely available at the Website at http://csrc.nist.gov. The publications section is particularly useful, with a constantly updated stream of guidelines and aids, particularly the 800 series documents.
  • #25 As should be clear to everyone in both fields, the financial securities industry has very little to do with computer or information security, despite a heavy reliance on the technology. However, recent concerns in that community have concentrated on the area of internal controls, which have application in reviewing controls and safeguards, particularly in regard to insider attacks. This reference is shorthand for the second report from the Basel Committee on Banking Supervision, Risk Management Principles for Electronic Banking. The Basel II Accord also looks at operational risk, which is more in line with the risk management that infosec people know and love. COSO is shorthand for the Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework. COSO outlines a three-dimensional framework for examining controls. The United States' Sarbanes-Oxley law (frequently referred to as Sarbox or SOX) emphasizes that corporate management is responsible for the reliability of financial reports about publicly traded companies. Section 404 (and also 302, in a marvelous confusion with Web result codes) notes that the integrity of information systems supporting these financial reports must also be managed.