An Overview to Information Security and Security Initiatives in India Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In)

Objectives Why we need security To understand Information Security To know Security Initiatives in India

Why Security? Polish Teen Faces Charges for Allegedly Manipulating Train System (January 11, 2008) Barclays Chairman Victim of Identity Theft (January 10 & 11, 2008) Stolen Laptops Hold Nashville Voter Data ( 337,000 voters) (January 3, 2008)

Security: The Need The consequences of insufficient security –Identity theft –Compromised customer confidence; loss of business –Service interruption (e.g., ) –Loss of competitive advantage –Equipment theft –Embarrassing media coverage –Substantial financial loss –Legal penalties

What’s at stake? When connecting to the Internet, three things are put at risk: –Data –Resources –Reputation

Facebook Widget Installing Spyware

Information Security – CIA Confidentiality –ensuring that information is accessible only to those authorized to have access Integrity –assurance of accuracy and reliability of information –unauthorized modification of data is prevented Availability –Information is being accessible and usable upon demand by an authorized entity Non Repudiation –Verification of the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively

Threats to Information Security Confidentiality – Unauthorised Disclosure Integrity – Unauthorised Alteration Availability –Disruption

Threats An event, the occurrence of which could have an undesirable impact on the well-being of an asset. [ISC2] International Information Systems Security Certification Consortium Any circumstances or event that has the potential to cause harm to a system or network.That means, that even the existence of a(n unknown) vulnerability implies a threat by definition. [CERT]

Vulnerability A feature or bug in a system or program which enables an attacker to bypass security measures. An aspect of a system or network that leaves it open to attack. Absence or weakness of a risk-reducing safeguard. It is a condition that has the potential to allow a threat to occur with greater frequency, greater impact or both.

Threats

Current trend of cyber threats Targeted attacks Stealing of data/modification Identity theft (Phishing) Spread of malicious code Distributed Denial of service attacks Website Defacements

Rapid Development of Cyber Threats

Confidentiality INFORMATION SECURITY Integrity Availability Authenticity Security Policy People Process Technology Regulatory Compliance Access Control Security Audit User Awareness Program Incident Response Firewall, IPS/IDS Encryption, PKI Antivirus Information Security Management

What actions need to be taken User awareness –Security portals for user awareness –Ad campaigns Enterprise security –CSIRTs Sectoral cooperation and coordination –Sectoral CERTs National coordination –CERT-In Global coordination –APCERT, ASEAN, FIRST

Need for cooperation Users Organisations CSIRTs, CERTs ISPs Domain registrars DNS operators IT vendors Law enforcement agencies

Govt. Initiatives Formation of CERT-In (January, 2003) Nodal agency for –Responding to security incidents –Prevention of incidents by means of generating user awareness –Promotion of security best pratices Coordination at –Sectoral level –National level –International level

CERT-In initiatives Directives issued to Govt. and public sector organisations to –Implement ISO security standard –Perform regular security audits –Shifting of websites onto ‘.in’ name space –Hosting of websites within country Empanelment of IT Security auditors Creation of awareness by organising training programs for CISOs, System administrators Issuance of security guidelines

CERT-In initiatives Collaboration with security vendors like Microsoft, Redhat, Cisco, Symantec, McAfee, TrendMicro etc. Security surveys and reports Created forum on Phishing and Spam in collaboration with CII & other stakeholders Issued “Securing Home Computers” and “Web Server Security” Guidelines Informative Web Portals created in collaboration with Microsoft & Redhat for general user

25 Information Sharing: Stakeholders ISPs, Key Networks CERTs CSIRTs Vendors Media Law Enforcement Agencies Home Users CERT-In --- Government Sector -Critical Information Infrastructure - Corporate Sector International CERTs

International Cooperation FIRST APCERT CERT/CC US-CERT JPCERT Korean CERT

DIT initiatives Generation of trained manpower on Information security –Master trainers in Information Security (60) –Short-term/long-term courses in Information Security Certification, Vulnerability Assessment, training programs in the area of IT –STQC

DIT initiatives R&D projects –Cryptography –Steganography –Network Behavior Analysis –Biometric Authentication –Mobile Security –Cyber Forensics

Indian Website Defaced in Year 2007

Security Incidents handled by CERT-In during 2007

Latest attack vectors Compromise of popular websites and subsequent distribution of malware visiting the website Compromise of accounts and distribution of malicious attachments to contact list users Collection of user credentials through keyloggers

Activities of CERT-In Activities messages received Incidents handled Security Alerts/ Incident Notes Advisories Vulnerability Notes Security Guidelines94211 White papers-3622 Trainings17676 Indian Website Defacement tracked Open Proxy Servers tracked Bot Infected System tracked

33 Communication channels CERT-In website –About 1460 users visiting the site per day –Significant increase of site visit during major events CERT-In Incident Response Help Desk –Toll free nos (Voice) (FAX) CERT-In mailing list –About 1100 individuals from various national and international security organizations CIOs Database ISPs Postal mail

Conclusion Let us work together for a vision. Create an society in which spam, viruses and worms, the plagues of modern information technology are eliminated.

Thank you Incident Response HelpDesk Phone: FAX: