Monday 9 May 2011

Cyber Security

Cyber security is a branch of computer technology known as information security as applied to computers and networks. Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks. These guides provide general outlines as well as specific techniques for implementing cyber security. For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.

Cyber security standards have been created recently because sensitive information is now frequently stored on computers that are attached to the Internet. Also, many tasks that were once done by hand are now carried out by computer; therefore there is a need for Information Assurance (IA) and security. Cyber security is important in order to guard against identity theft. Businesses also have a need for cyber security because they need to protect their trade secrets, proprietary information, and personally identifiable information (PII) of their customers or employees. The government also has the need to secure its information. This is particularly critical since some acts of terrorism are organized and facilitated by using the Internet. One of the most widely used security standards today is ISO/IEC 27002, which started in 1995. This standard consists of two basic parts: BS 7799 part 1 and BS 7799 part 2, both of which were created by the British Standards Institute (BSI). Recently this standard has become ISO 27001.

The National Institute of Standards and Technology (NIST) has released several special publications addressing cyber security. Three of these special papers are very relevant to cyber security: the 800-12 titled “Computer Security Handbook;” 800-14 titled “Generally Accepted Principles and Practices for Securing Information Technology;” and the 800-26 titled “Security Self-Assessment Guide for Information Technology Systems”. The International Society of Automation (ISA) developed cyber security standards for industrial automation control systems (IACS) that are broadly applicable across manufacturing industries. The series of ISA industrial cyber security standards are known as ISA-99 and are being expanded to address new areas of concern.

General security
  • Choosing and Protecting Passwords
  • Understanding Anti-Virus Software
  • Understanding Firewalls
  • Coordinating Virus and Spyware Defense
  • Debunking Some Common Myths
  • Good Security Habits
  • Safeguarding Your Data
  • Real-World Warnings Keep You Safe Online
  • Keeping Children Safe Online

Attacks and threats
  • Dealing with Cyberbullies
  • Understanding Hidden Threats: Corrupted Software Files
  • Understanding Hidden Threats: Rootkits and Botnets
  • Preventing and Responding to Identity Theft
  • Recovering from Viruses, Worms, and Trojan Horses
  • Recognizing and Avoiding Spyware
  • Avoiding Social Engineering and Phishing Attacks
  • Understanding Denial-of-Service Attacks
  • Identifying Hoaxes and Urban Legends
  • Avoiding the Pitfalls of Online Trading

Email and communication
  • Understanding Your Computer: Email Clients
  • Using Caution with Email Attachments
  • Reducing Spam
  • Benefits and Risks of Free Email Services
  • Benefits of Blind Carbon Copy (BCC)
  • Understanding Digital Signatures
  • Using Instant Messaging and Chat Rooms Safely
  • Staying Safe on Social Network Sites

Mobile devices
  • Protecting Portable Devices: Physical Security
  • Protecting Portable Devices: Data Security
  • Using Caution with USB Drives
  • Securing Wireless Networks
  • Cyber security for Electronic Devices
  • Defending Cell Phones and PDAs Against Attack

Privacy
  • How Anonymous Are You?
  • Protecting Your Privacy
  • Understanding Encryption
  • Effectively Erasing Files
  • Supplementing Passwords

Safe browsing
  • Understanding Your Computer: Web Browsers
  • Evaluating Your Web Browser's Security Settings
  • Shopping Safely Online
  • Browsing Safely: Understanding Active Content and Cookies
  • Understanding Web Site Certificates
  • Understanding Internationalized Domain Names
  • Understanding Bluetooth Technology
  • Avoiding Copyright Infringement

Software and applications
  • Understanding Patches
  • Understanding Voice over Internet Protocol (VoIP)
  • Risks of File-Sharing Technology
  • Reviewing End-User License Agreements
  • Understanding Your Computer: Operating Systems

Cyberspace is a playground for information seekers: Enlightening articles and digital encyclopedias can be accessed from anyone's desktop. The Internet enables highly productive workflows for electronic document collaborators. Postal service and other forms of physical document delivery have been eliminated in some businesses as electronic mail has replaced paper correspondence, and Web sites enable information distribution without significant digital "shipping" charges. Unfortunately, the immediate benefits of using the Internet to communicate and share information often postpone consideration of the long-range consequences of doing business electronically--until a crisis occurs.
Interaction with Web sites increasingly demands personal information. Ordering products online requires personal shipping addresses and credit card information. Sharing data often requires trusting business partners across open network architectures and relying on unknown data security infrastructures to complete transactions. When data and documents are transferred across poorly controlled networks and repositories of personal data are accumulated in hidden databases, the potential for corrupted information or compromised personal privacy increases. The integrity of business transaction records may be questionable, and individuals may become victims of identity theft or fraud.
Cyber security involves protecting the information and systems we rely on every day, whether at home, work or school.
There are three core principles of cyber security: Confidentiality, Integrity, and Availability. Confidentiality: Information that is sensitive or confidential must remain so and is shared only with appropriate users. Integrity: Information must retain its integrity and not be altered from its original state. Availability: Information and systems must be available to those who need it. Different types of data and systems require different levels of appropriate security.

For example, your confidential medical records should be released only to those people or organizations (i.e. doctor, hospital, insurance, government agency, you) authorized to see it (confidentiality); the records should be well protected so that no one can change the information without authorization (integrity); and the records should be available and accessible to authorized users (availability).

Why Is Cyber Security Important?
The increasing volume and sophistication of cyber security threats, including targeted phishing scams, data theft, and other online vulnerabilities, demand that we remain vigilant about securing our systems and information.
The average unprotected computer (i.e. does not have proper security controls in place) connected to the Internet can be compromised in moments. Thousands of infected web pages are being discovered every day. Hundreds of millions of records have been involved in data breaches. New attack methods are launched continuously.
These are just a few examples of the threats facing us, and they highlight the importance of cyber security as a necessary approach to protecting data and systems.
Threats
There are many threats, some more serious than others. Some examples of how your computer and systems could be affected by a cyber security incident, whether because of improper cyber security controls, manmade or natural disasters, or malicious users wreaking havoc, include the following:
Denial-of-service:
Refers to an attack that successfully prevents or impairs the authorized functionality of networks, systems or applications by exhausting resources. What impact could a denial-of-service have if it shut down a government agency's website, thereby preventing citizens from accessing information or completing transactions? What financial impact might a denial-of-service have on a business? What would the impact be on critical services such as emergency medical systems, police communications or air traffic control? Can some of these be unavailable for a week, a day, or even an hour?
Malware, worms, and Trojan horses: These spread by email, instant messaging, malicious websites, and infected non-malicious websites. Some websites will automatically download the malware without the user's knowledge or intervention. This is known as a "drive-by download." Other methods will require the users to click on a link or button.
Botnets and zombies: A botnet, short for robot network, is an aggregation of compromised computers that are connected to a central "controller." The compromised computers are often referred to as "zombies." These threats will continue to proliferate as the attack techniques evolve and become available to a broader audience, with less technical knowledge required to launch successful attacks. Botnets designed to steal data are improving their encryption capabilities and thus becoming more difficult to detect.


"Scareware" - fake security software warnings: This type of scam can be particularly profitable for cyber criminals, as many users believe the pop-up warnings telling them their system is infected and are lured into downloading and paying for the special software to "protect" their system.
Social Network Attacks:
Social networks can be major sources of attacks because of the volume of users and the amount of personal information that is posted. Users' inherent trust in their online friends is what makes these networks a prime target. For example, users may be prompted to follow a link on someone's page, which could bring users to a malicious website.

What Can You Do?
It's important that we each understand the risks as well as the actions we can take to help protect our information and systems.
  • Properly configure and patch operating systems, browsers, and other software programs.
  • Use and regularly update firewalls, anti-virus, and anti-spyware programs.
  • Use strong passwords (combination of upper and lower case letters, numbers and special characters) and do not share passwords.
  • Be cautious about all communications; think before you click. Use common sense when communicating with users you DO and DO NOT know.
  • Do not open email or related attachments from untrusted sources.
  • Allow access to systems and data to only those who need it, and protect those access credentials.
  • Follow your organization's cyber security policies, and report violations and issues when they occur.
Many aspects of our lives rely on the Internet and computers, including communications (email, cell phones, texting), transportation (traffic control signals, car engine systems, airplane navigation), government (birth/death records, social security, licensing, tax records), finance (bank accounts, loans, electronic paychecks), medicine (equipment, medical records), and education (virtual classrooms, online report cards, research).

Consider how much of your personal information is stored either on your own computer or on someone else’s system. How are that data and the systems on which that data resides (or is transmitted) kept secure?





Advantages of Cyber Laws:
The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber crimes. We need such laws so that people can perform purchase transactions over the Net through credit cards without fear of misuse. The Act offers the much-needed legal framework so that information is not denied legal effect, validity or enforceability, solely on the ground that it is in the form of electronic records. In view of the growth in transactions and communications carried out through electronic records, the Act seeks to empower government departments to accept filing, creating and retention of official documents in the digital format. The Act has also proposed a legal framework for the authentication and origin of electronic records / communications through digital signature.
  • From the perspective of e-commerce in India, the IT Act 2000 and its provisions contain many positive aspects. Firstly, the implications of these provisions for the e-businesses would be that email would now be a valid and legal form of communication in our country that can be duly produced and approved in a court of law.
  • Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.
  • Digital signatures have been given legal validity and sanction in the Act.
  • The Act throws open the doors for the entry of corporate companies in the business of being Certifying Authorities for issuing Digital Signatures Certificates.
  • The Act now allows Government to issue notification on the web thus heralding e-governance.
  • The Act enables the companies to file any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in electronic form by means of such electronic form as may be prescribed by the appropriate Government.
  • The IT Act also addresses the important issues of security, which are so critical to the success of electronic transactions. The Act has given a legal definition to the concept of secure digital signatures that would be required to have been passed through a system of a security procedure, as stipulated by the Government at a later date.

    Why Cyber Security is Crucial for Government?
    In 2007, the UK government admitted that its revenue and customs department lost the details of 25 million individuals (nearly 40% of the population). The incident caused a public outrage and the British prime minister was forced to apologise to the nation.

    Cut to 2010: India is not only a booming economy, but the government agencies are a repository of information that many would like to get their hands on! Whether it is land records, tax records or health records, information housed within government institutions is growing manifold. On the other hand, initiatives like filing tax returns online show that information is getting increasingly digitized, leading to the government increasing its spend on IT infrastructure. For instance, the government plans to spend a whopping Rs 10,000 crore, or 3% of its annual plan budget, on governance projects in 2010-11.
    Last week, the government rolled out its most ambitious governance programme, Aadhaar, and the Unique Identification Authority of India (UIDAI) has set a target of issuing around 100 million 12-digit unique numbers by the end of this fiscal and 600 million by 2014. UIDAI representatives will collect demographic and biometric information to establish uniqueness of individuals. The information collected and stored in a centralized database will be mammoth and most precious.
    No wonder, most government enterprises have started functioning like some of the largest businesses in terms of their IT. Hence the threats they face are increasingly similar and as targeted and sophisticated. Most people would agree today, the best way to compromise a nation's defenses is by accessing their most valued asset: information. Evidently, new age cyber criminals are targeting key areas of weakness that are putting large IT environments at risk. For instance, Chinese and Pakistani online espionage agents continue their attempts to hack into Indian computer systems; hostile intelligence agencies are also trying to steal defense secrets through the use of computer storage media (CSM) devices like pen drives, removable hard disks and CDs.
    Pavan Duggal, advocate, Supreme Court of India, says that governmental systems and websites are far more vulnerable to cyber war attacks than general private enterprise sites. "From the hacker's perspective, attacking the governmental websites tends to give more of a symbolic victory as it helps to spread the message that the government itself is not capable of protecting its own websites and hence cast doubts on the inherent capacity of the government to protect the IT infrastructure of the country. Hackers are also keen to hit the private sector websites, especially those which are doing the maximum ecommerce or governance related activities so as to inherently put a spoke in the wheel for the promotion of ecommerce or governance related activities," he says.



    According to a DSCI-KPMG survey on the state of data security and privacy in India, 63% of IT/ITeS companies, 57% of financial services companies and 46% of PSUs indicated that information security is top priority. Also, according to the recently conducted Symantec study on the State of Enterprise Security 2010, cyber attacks were still a larger concern for Indian enterprises in 2009 than terrorism. In fact, 42% of the enterprises surveyed rank cyber risk as their top concern, more than natural disasters, terrorism and traditional crime combined.

    Shantanu Ghosh, vice-president, India product operations, Symantec India, reveals that the most recent attacks on government enterprises were the phishing attacks on the income tax department and six PSUs, including the Reserve Bank of India, that were first reported by Symantec earlier this year. Also, at the beginning of this year, the National Security Adviser had revealed that his office and other government departments were targeted late last year. In that case, an email PDF attachment with an embedded Trojan was used to allow hackers to access and tamper with data.

    Globally speaking, an Irish newspaper reported in 2008 that the government had lost the personal data of social welfare recipients. The incident left the department of social and family affairs contacting the 3,80,000 recipients after it emerged their personal details were stored on a laptop computer which was stolen. About 1,00,000 of the records contained bank account details.

    More recently, it was reported that the United Kingdom’s ministry of defense had lost more than 340 laptops worth more than 600,000 pounds in the last two years. Even USBs, hard drives and mobile phones were lost from the department. What was appalling in this case was that only one in five of these devices was encrypted. The report also indicated how it was not just the ministry of defense but also other departments like tourism and department for works and pensions that suffered similar losses.

    Whether these losses were intentional or not, the fact remains that unlike other enterprises, the breach of data in government organizations can have direct repercussions on the lives of citizens as opposed to affecting bottom lines alone. This drives home the point that cyber security needs to be heightened in government enterprises.
    So what is the need of the hour? Ghosh says that cyber attacks can be divided into two broad categories. These categories are attacks against infrastructure and attacks against information. Often these attacks will happen in a combined fashion. It is highly probable that even when the infrastructure is the final target of the attacker there will be a degree of information compromise as part of launching the attack.


    “In classified settings, you are severely restricted in the sources and kinds of technologies you use,” he writes. “You won't have admin permissions on the machine you're working on. Forget installing Chrome with the latest extensions, you'll be lucky to get Version 2 of Firefox! Or you might not have access to the Internet at all!”

    A like-minded blogger identified as Nosegay wrote that “the government leads in cyber-boring.” Not only is the technology outdated, but management has no clue and information is seen as something to be hoarded rather than shared.

    The House of Representatives yesterday passed the “Grid Reliability and Infrastructure Defense Act” which is intended to bolster the national electric grid against terrorist attacks, cyber threats, electromagnetic pulse weapons and solar storms. The Act authorizes the Federal Energy Regulatory Commission to issue emergency orders to protect critical electric infrastructure, and to take other measures to address current and potential vulnerabilities. “The electric grid’s vulnerability to cyber and to other attacks is one of the single greatest threats to our national security,” said Rep. Ed Markey (D-MA), who introduced the bill.

    The floor debate on the bill was a somewhat jarring mix of prudent anticipation and extravagant doomsday warnings. “Some of us read the book ‘The Road’ [a post-apocalyptic tale by Cormac McCarthy],” said Rep. Fred Upton (R-MI). “Lots of different scenarios are out there. We need to be prepared. This bill moves us down that road.”

    “Scientists tell us that the likelihood of a severe naturally occurring geomagnetic event capable of crippling our electric grid is 100 percent,” said Rep. Bennie Thompson (D-Miss.). “It will happen; it is just a question of when.” “If you believe intelligence sources, our grid is already compromised,” advised Rep. Yvette Clarke (D-NY).

    The Journal of National Security Law & Policy has just published a special issue dedicated to cyber security, with fifteen papers on various aspects of the issue. From various perspectives, they address what is known about the nature of the threat, current vulnerabilities, the role of the federal government, and policy options that are under consideration.

    Cyber space is also a gateway to many of our critical assets, both financial and infrastructural. It is also a major communication channel. Cyber wars are launched to destabilize the country and to secure advantages during a conventional war.

    Cyber space security is, therefore, a part of the national security. If we are weak in cyber security, we cannot be strong in physical security. Cyber security has many dimensions. One of the dimensions is having the required technical expertise. Another dimension is to have an effective legal regime. A third dimension is to have an effective security infrastructure that can use the technology and the law towards achieving the objective of securing the information assets of the country.

    While discussing the role of laws in cyber space, there are two main objectives. Firstly, the laws should be drafted in such a manner that they:
    • do not provide loopholes for criminals to escape
    • do not make it difficult for police to investigate and provide power with discretion to judiciary to impose appropriate punishments
    Additionally, framing of a good law also requires promotion of ‘security culture’ in the community
    • By providing appropriate guidance to the society
    • By providing solutions for security
    • By making compliance mandatory
    The Indian scenario on cyber laws is that we have the Information Technology Act 2000 (ITA 2000) which provides:
    • three years imprisonment (+ two lakh rupees fine) for “diminishing the value of information or utility”
    • 10 years for attempting to access a protected system
    • one crore rupees compensation for any loss arising out of unauthorized access
    • Makes intermediaries and companies responsible for practicing “Due Diligence”
    ITA 2000 may not be as stringent as in some other countries where cyber terrorism may be punishable with life imprisonment but may be considered reasonable. In fact, the current version of ITA 2000 must be considered more than reasonable when we consider what may be in store when it is amended with ITAA 2006:
    • Punishment for most of the offences to be reduced to two years
    • Preconditions imposed for some sections
    • Dishonesty, fraud and malicious intention for Sec 66
    • Conspiracy and abetment for Sec 79



    Also, a Personal Data Protection Act is on the anvil, both through some of the amendments proposed in ITAA 2006 through Sec 43 A and Sec 72 A as well as the proposed new law called Personal Data Protection Act 2006, with the following features:
    • 43 A providing compensation of five crore rupees
    • 72A providing imprisonment of two years and five lakh rupees fine for negligent or intentional disclosure of private information
    • PDPA 2006 providing three years imprisonment, five lakh rupees fine and compensation for the victim
    However, what is also required is promotion of a compliance culture in our society like what HIPAA tries to achieve.
    Such a compliance culture needs to be promoted through:
    • Security education
    • Security accountability
    • Security practices
    • Security audit and certification

      In addition, we may need appropriate security standards to be developed for different types of industries.
      • Like LIPS1008 developed by Cyber Law College for legal information protection in LPOs in India
      • IFIPS-Standards for financial services, small banks, stock broking firms, Insurance
      We also require new approaches to cyber security such as development of an effective Cyber Crime Insurance system as a financial incentive for initiating best security practices. We also require Law Compliance software/Services to facilitate compliance. As a final but important step, we need an integrated National Cyber Security Infrastructure that can be an umbrella organization coordinating cyber security efforts against:
      • Cyber wars against Indian cyber assets
      • Cyber terrorist attacks
      • Cyber crimes
      • Data security breaches

      Some of the challenges we need to foresee in this effort are managing
      • Coordination of police in different states
      • Cooperation of ISPs in India and abroad
      • Cooperation between private sector and police
      • Cooperation from all IT users