Cyber Crimes and IT Risk Management Explained
- 5. What makes it different from terrestrial crime
- They are easy to learn how to commit
- They are often not clearly illegal
- They can be committed in a jurisdiction without being physically present in it
- When done, they leave little or no trace
- They require few resources relative to the potential damage caused
© Det Norske Veritas AS. All rights reserved. 5
- 6. to name a few
- Cyber Terrorism
- Cyber Squatting
- Web Jacking
- Internet Time Thefts
- Email Bombing
- Cyber Stalking
- Salami Attacks
- Hacking
- Viruses/Worms/Trojans
- Data Diddling
- Cyber Blackmailing
- Cyber Luring
- Intellectual Property crimes
- False Websites
- Phishing
- Auction Frauds
- e-mail Spoofing
- Pornography
- Data Interference/Forgery/Interception
- Credit Card Fraud
- Network Sabotage
- DOS
- Identity Fraud/Theft
- Source code stealing
- 7. Cyber terrorism: The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.
Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature), from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using illegal exploitation methods on the Internet, networks or individual computers.
- 8. The Impact……
- Armies may cease to march
- Stock Markets may crash
- Businesses may be bankrupted
- Individuals may lose their social identity
- Threats come not from novice teenagers but from purposeful military, political, and criminal organizations
- 9. - "This site has been hacked by ISI (Kashmir is ours), we want a hospital in Kashmir"
- signed by
- Mujahideen-ul-dawat
- 10. Challenges to India's National Security
- India's reliance on technology is increasing, as reflected in the fact that India is shifting gears by entering into facets of e-governance
- India has already brought sectors like defense, income tax and passports under the realm of e-governance
- The travel sector is also heavily reliant on this
- Most of the Indian banks have gone on full-scale computerization. This has also brought in concepts of e-commerce and e-banking
- The stock markets have also not remained immune
- Sectors like police and judiciary are to follow
- 11. Cyber Crimes – Exploding Problem
11. India
- Share of malicious computer activity: 3%
- Malicious code rank: 3
- Spam zombies rank: 11
- Phishing web site hosts rank: 22
- Bot rank: 20
- Attack origin rank: 19
List of Top 20 Countries with the highest rate of Cybercrime (source: BusinessWeek/Symantec)
Each country is scored on 6 contributing factors (share of malicious computer activity, malicious code rank, spam zombies rank, phishing web site hosts rank, bot rank and attack origin rank) to substantiate its cybercrime ranking.
- 12. Extent of the Problem
Source: National Crime Records Bureau, Statistics of Cyber Crimes, 2007
- 13. Extent of the Problem
2009 FBI-IC3 Internet Crime Report
Friday, April 2nd, 2010
- 14. Extent of the Problem
Ponemon Institute Research Report
Publication Date: July 2010
- 15. Why Is Cyber Attack Possible?
- Software Has Bugs / Networks Not Designed For Security: Engineering practices and technology used by system providers do not produce systems that are immune to attack
- Implementation Is Poor: Network and system operators do not have the people and practices to defend against attacks and minimize damage
- Law And Policy Lag Behind Dependence: Policy and law in cyber-space are immature and lag the pace of change
- 16. Attack Sophistication vs. Intruder Technical Knowledge
[Chart: vertical axis "Attack Sophistication" / "Intruder Knowledge" from Low to High; horizontal axis 1980, 1985, 1990, 1995, 2000; two curves labelled "Intruders" and "Tools". Plotted labels (layout lost in extraction): password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, network mgmt. diagnostics, www attacks, denial of service, distributed attack tools, "stealth" / advanced scanning techniques, cross site scripting, staged, auto coordinated.]
- 18. New risk reality
- Today we are operating in an increasingly global, complex and demanding risk environment with "zero tolerance" for failure
- Even as demands for transparency increase, the challenges for businesses and the State remain, because IT vulnerability is increasing too
- There must be a balance between transparency and security
- Stricter regulatory requirements
- 19. Definition of risk
Risk is an event that occurs with a certain frequency/probability and that has consequences towards one or more goals/objectives
Risk Level = Frequency/Probability combined with Consequence
[Diagram: a THREAT exploits a VULNERABILITY and causes DAMAGE to an ASSET; PROBABILITY x CONSEQUENCE = RISK]
- 20. Approach - Work process and method
The Risk Management Approach ensures that mapping of risk exposure, treatment of risks and follow-up are carried out in a structured manner
[Process diagram: Initiation & focusing → Uncertainty Identification → Risk Analysis → Actions Planning → Implementation & follow-up, with Communication and Documentation running across all steps]
- 21. Actions planning – handling strategy
Risk Reduction – alter the risk
- Preventive measures reduce the probability of the event
- Corrective measures reduce the consequence of the event
- Plan for the event happening
- Avoid escalation
- Recovery plan
Risk Transfer – transfer the risk
- Disclaim responsibility; write a contract, take out insurance etc.
Risk Avoidance – avoid the risk
- Eliminate by stopping the activity
Risk Acceptance – accept the risk
- Continue as before; the activity remains unchanged
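As an added example (not DNV's material, tool or method) of the risk definition on slide 19 and the four handling strategies on slide 21, the Python below keeps a small risk register: inherent risk is probability × consequence on an assumed 1..5 scale, preventive measures are assumed to lower probability one step each and corrective measures to lower consequence one step each, and each entry is routed to alter (risk reduction), transfer, avoid or accept. The register entries, the scales, the low/medium/high thresholds and the decision rules are all constructed assumptions for illustration.

```python
"""Risk register worked example (added example, not DNV's tool or method).

Follows the slide's definition, Risk = Probability x Consequence, and the four
handling strategies from the action-planning slide: alter (risk reduction),
transfer, avoid and accept. The 1..5 scales, classification thresholds,
decision rules and register entries are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    event: str                 # the event that may occur (the threat realised)
    asset: str                 # what would be damaged
    probability: int           # 1 (rare) .. 5 (almost certain), assumed scale
    consequence: int           # 1 (negligible) .. 5 (catastrophic), assumed scale
    # preventive measures reduce probability; corrective measures reduce consequence
    preventive: list = field(default_factory=list)
    corrective: list = field(default_factory=list)


def risk_level(probability: int, consequence: int) -> int:
    """Risk Level = Probability combined with Consequence (here: the product)."""
    if not (1 <= probability <= 5 and 1 <= consequence <= 5):
        raise ValueError("probability and consequence must be on the 1..5 scale")
    return probability * consequence


def classify(level: int) -> str:
    """Bucket a 1..25 level into low/medium/high (thresholds are assumed)."""
    if level >= 15:
        return "high"
    if level >= 6:
        return "medium"
    return "low"


def choose_strategy(risk: Risk, appetite: int = 5) -> str:
    """Pick one of the four handling strategies from the slide.

    Decision rules are an assumption: accept anything within appetite; avoid
    (stop the activity) when probability and consequence are both extreme;
    alter when preventive or corrective measures exist; otherwise transfer
    by contract or insurance."""
    level = risk_level(risk.probability, risk.consequence)
    if level <= appetite:
        return "accept"
    if risk.probability >= 4 and risk.consequence == 5:
        return "avoid"
    if risk.preventive or risk.corrective:
        return "alter"
    return "transfer"


def residual_level(risk: Risk) -> int:
    """Each preventive measure lowers probability one step and each corrective
    measure lowers consequence one step (simplifying assumption); floor is 1."""
    p = max(1, risk.probability - len(risk.preventive))
    c = max(1, risk.consequence - len(risk.corrective))
    return risk_level(p, c)


# Constructed sample register; none of these entries are real data.
SAMPLE_REGISTER = [
    Risk("phishing mail harvests staff credentials", "e-banking back office", 4, 3,
         preventive=["user awareness training", "mail filtering"],
         corrective=["MFA on remote access"]),
    Risk("card data stolen from a merchant partner", "customer funds", 2, 4),
    Risk("Internet-facing legacy server with no vendor patches", "core ledger", 5, 5),
    Risk("defacement of the static brochure site", "public web site", 2, 2),
]


def plan(register: list) -> list:
    """Produce register rows: inherent level, class, chosen strategy, residual."""
    rows = []
    for risk in register:
        inherent = risk_level(risk.probability, risk.consequence)
        strategy = choose_strategy(risk)
        # Stopping the activity removes the risk entirely, so residual is 0.
        residual = 0 if strategy == "avoid" else residual_level(risk)
        rows.append({"event": risk.event, "inherent": inherent,
                     "class": classify(inherent), "strategy": strategy,
                     "residual": residual})
    return rows


if __name__ == "__main__":
    for row in plan(SAMPLE_REGISTER):
        print(f"{row['event']:<55} inherent={row['inherent']:>2} ({row['class']}) "
              f"strategy={row['strategy']:<8} residual={row['residual']}")
```

Running the module prints one row per register entry; the phishing risk drops from a medium inherent level of 12 to a residual of 4 once its three measures are applied, while the unpatched legacy server (25, high) is routed to avoidance rather than treated.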
- 23. the solutions…. - Technology
Firewalls, Intrusion Prevention System
Public Key Infrastructure
High Grade Encryption Technologies
Optical Fiber Links
Vulnerability/Risk Assessment
Cyber Forensics
Honey Pots
VPN
Biometrics, Access Control
Backups (System Redundancy)
Incident Response Actions
- 24. the solutions…. - Processes
Reduction in the Operation flexibility (Segregation of Duties)
Effective Organization Procedures and Policies
Security/System Auditing
Training for employees
Government-to-Government coordination
Recognizing Shortage of skilled cyber security workers
Creation of Cyber Army
Cooperation & Information Sharing
Investment in information assurance systems
Increased R&D funding
Development of cyber ethics
Mutual cooperation with law enforcement
- 26. ISO 27000 Series - Published standards
ISO/IEC 27000 — Information security management systems — Overview and vocabulary
ISO/IEC 27001 — Information security management systems — Requirements
ISO/IEC 27002 — Code of practice for information security management
ISO/IEC 27003 — Information security management system implementation guidance
ISO/IEC 27004 — Information security management — Measurement
ISO/IEC 27005 — Information security risk management
ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27033-1 - Network security overview and concepts
ISO 27799 - Information security management in health using ISO/IEC 27002 [standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27]
- 27. ISO 27000 Series - In preparation
ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
ISO/IEC 27014 - Information security governance framework
ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
ISO/IEC 27032 - Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
ISO/IEC 27034 - Guideline for application security
ISO/IEC 27035 - Security incident management
ISO/IEC 27036 - Guidelines for security of outsourcing
ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence
- 28. Other IT Security Management Models
Common Criteria (CC)
Common Criteria for Information Technology Security Evaluation
- ISO 15408
- Framework for specification of evaluation
FISMA
Federal Information Systems Management Act – US
Information Security Forum (ISF)
Standard of Good Practice for Information Security
ITIL
Information Technology Infrastructure Library
NIST
library of freely available resources
- http://csrc.nist.gov
Security Self-Assessment Guide for Information Technology Systems 800-26
- 29. Other IT Security Management Models
PCI
Payment Card Industry Data Security Standards
- 6 Control Objectives
- 12 Requirements
Securities and Financial
- Basel II
- COSO
- SOX
RFC 2196
RFC 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet.
Statement on Auditing Standards No. 70: Service Organizations
SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.
- 30. IT Governance Models
COBIT
ISACA (Information Systems Audit and Control Association)
- 31. The CALDER-MOIR IT Governance Framework
There are many IT-related management frameworks, standards and methodologies in use today. None of them, on their own, is a complete IT governance framework, but they all have a useful role to play in helping organizations manage and govern their IT operations more effectively.
The CALDER-MOIR IT Governance Framework is designed to help get maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy the best practice guidance contained in the international standard for IT governance, ISO/IEC 38500.
- 32. Governance & Cyber Crime - Cost Comparison
Ponemon Institute Research Report
Publication Date: July 2010
- 33. Cyber Crimes and Law
Electronic Signature Laws
U.S. - Electronic Signatures in Global and National Commerce Act
U.S. - Uniform Electronic Transactions Act - adopted by 46 states
U.S. - Digital Signature And Electronic Authentication Law
U.S. - Government Paperwork Elimination Act (GPEA)
U.S. - The Uniform Commercial Code (UCC)
UK - s.7 Electronic Communications Act 2000
European Union - Electronic Signature Directive (1999/93/EC)
Mexico - E-Commerce Act [2000]
Costa Rica - Digital Signature Law 8454 (2005)
Australia - Electronic Transactions Act 1999 (Cth) (also note that there is State and Territory mirror legislation)
Information Technology Act 2000 of India
Information Technology Laws
Computer Misuse Act 1990
Florida Electronic Security Act
Illinois Electronic Commerce Security Act
Texas Penal Code - Computer Crimes Statute
Maine Criminal Code - Computer Crimes
Singapore Electronic Transactions Act
Malaysia Computer Crimes Act
Malaysia Digital Signature Act
UNCITRAL Model Law on Electronic Commerce
Information Technology Act 2000 of India
- 34. Cyber Security Initiatives by Government of India
Cybercrime provisions under IT Act, 2000
Offences & Relevant Sections under IT Act
- Sec. 65: Tampering with computer source documents
- Sec. 66: Hacking with computer systems, data alteration
- Sec. 67: Publishing obscene information
- Sec. 70: Unauthorized access to protected system
- Sec. 72: Breach of confidentiality and privacy
- Sec. 73: Publishing false digital signature certificates
- 35. Cyber Security Initiatives by Government of India
National Informatics Centre (NIC)
Indian Computer Emergency Response Team (Cert-In)
National Information Security Assurance Programme (NISAP)
Indo-US Cyber Security Forum (IUSCSF)
- 36. Conclusion
The majority of on-line threat is cyber crime
Cyber terror is still emerging
- Evolving threat
- Integrating critical missions with the general Internet
- Increasing damage/speed of attacks
- Continued vulnerability of off-the-shelf software
- 37. Conclusion
The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyber space. However, it is quite possible to check it.
Hence, the possible steps to counter cyber crimes are to:
- make people aware of their rights and duties (reporting crime as a collective duty towards society)
- make the application of the laws more stringent to check crime
- implement good IT security systems and governance models to reduce the possibilities of cyber crime
- bring about increased awareness of cyber crime amongst the law keepers of the State
- 38. Conclusion
To counter cyberthreats, India should immediately establish a National center on information systems security.
It should tap the expertise of universities and private software and internet companies.
In addition to the government and defense sectors, it should cater to the banking sector, stock exchanges, telecom and internet networks, power and water supplies, and transportation.