issues in cyber world

8/2/2019 Issues in Cyber World

1/31

Attacks, Services andmechanisms


2/31

Security Attack Any action that compromisesthe security of informationowned by an organization

Security mechanism

Security Service

A mechanism that isdesigned to detect, prevent

or recover from a securityattack.

A service that enhances the

security of informationtransfers in an organisation.


3/31

Security AttacksNormal Flow Interruption

Interception Modification

Fabrication


4/31

Active & Passive

Passive threats Release of message contents

Traffic analysis

Active threats Masquerade

Replay

Modification of message contents Denial of service


5/31

Security Services

Confidentiality Authentication Integrity

Nonrepudiation

Access control Availability


6/31

Confidentiality

Is the protection of messages

from passive attacks

Release of message contents

Traffic analysis


7/31

Authentication

Confirms that the sender and

the receiver are authentic

Also that there is notinterference from third parties


8/31

Integrity

Makes sure that there is no

stream modification anddenial of service


9/31

Nonrepudiation

This prevents either the

sender or receiver fromdenying a transmittedmessage.


10/31

Access controlAvailatbility


11/31

A model from network security

Trusted third party (e.g. arbiter, distributor of secret informaiton)

Principal Principal

Information channel

Security relatedtransformation

Security relatedtransformation

MessageMessage

SecretInformation

SecretInformation

Opponent


12/31

What exactly are information assets ? People Assets The professionals who are a part of the Org.

Data Assets Databases, Intellectual property, Procedures etc.

Paper Documents Contracts, Business documents etc.

Software Assets Application systems, Development tools etc.

Physical Assets Computers, Servers, Routers etc.

Services Telecommunications, Power systems, ACs etc.


13/31

Your people are your greatest asset.

But sometimes they are also, unfortunately your

greatest vulnerability.

You are only strong as your weakest link .!


14/31

Some dangerous statements commonly made

Nothing has happened to me till date ..( it may be happening now )

Just wait for a week there is something new coming up in security.

( the wait never ends )

Is it really worth spending so much money just for information security ? .

( we normally realize that too late )

Our security systems are up-to-date. We just rebuild our whole system lastmonth

( sir, do you know what happened today morning ? )


15/31

Do you seriously have answer to these questions ?

? Are you prepared for an external attack with inside knowledge

? What will happen if a hacker attacks your network

? Is your data & network secured internally

? Are your employees aware of the value of information

? Are they taking care of information like any other physical asset

? Do you have a physical & logical security in place

? Are you aware of Disaster recovery planning

? Do you have a business continuity plan in place

Well frankly in most cases NO !


16/31

The fundamental reason is lack of awareness.

Let us identify the threats

You let web content, e-mail and files into your networks without

being questioned - You are inviting trouble

Use of unauthorized CDs and other storage devices - they couldmake your system vulnerable

Lack of a defined security policy, password policy or poor password

can cause a compromise in the security

Access of ex-employees could prove the most dangerous

Natural disasters


17/31

What is information security management ?

Security is the reduction of risk.

We can never eliminate risk, but effective security can reduce the risk to

a business and its information resources

Any effective security system will have three stages

PREVENTIONDETECTION

REACTION


18/31

Let us now look at the most dangerous of them all

The insider

Always remember that the Principal threats to information assets

(Company) are from the inside.

Most of the system managers believed that the threat was always

from outside and therefore all security systems were preventive.

Now they have started realizing that people back home are

more dangerous.


19/31

SOME FACTS

The U.S. Chamber of Commerce reported that 75 % of all employees

steal from their employers, causing one third of all corporate bankruptcies.

The FBI found that insider information theft accounts for 40% of all

computer related losses.

They have also reported that insider information theft losses haveincreased on average by 49 % annually for the past 5 years.


20/31

DANGEROUS INSIDERS ?

Insiders have the means to access the information we protect so vigilantlyfrom attackers from the outside.

Insiders have the means to invisibly copy your information andcommunicate it to others

One in every three business-closures is the direct result of employee theft

Hackers have never put a company out of business (though they cause

damage ), but insiders have shut businesses down.


21/31

THE IMPACT

PERSONAL INFORMATION WARFARE

PUBLIC INFORMATION WARFARE

CORPORATE INFORMATION WARFARE

GOVERNMENT INFORMATION WARFARE


22/31

Current Solutions

The best of technology

Firewalls, IDSs, Anti-Viruses, Encryption, Content

Filters

Automatic lock out

2 Way Authentication

The best of processes

ISO 27001 Earlier BS7799

Safe Harbor Act


23/31

Are we safe ?

Look at the instances of frauds in-spite of the

controls

Instances of frauds in the finance/banking sector

Many of them are not publicized, but they exist

Common thread:

Internal employee sells information for money

Internal employee sends source code to unauthorizedpersonal account


24/31

3 biggest threats.

Human Fraud

Human Incompetence

Human Error


25/31

Emotions/Behavior

Oppression toAuthority

Obedience toAuthority/ Fear

Reluctance toChange

CharacterWeakness

Desire to

Help

LowInvolvement

External Pressure

Curiosity

Self Preservation

Desire for

Recognition


26/31

Threats.

Attacker calls random employees in an organization The following conversation takes Place

I am calling from the CFOs room

I am your ERP consultant.

We are implementing a new system to process yoursalaries starting from next month onwards

We need your user name and password to integrate

your salary processing to your user account 5 out of 5 targets provided user name and

passwords


27/31

Threats.

External Security Consultant places 6 CD-ROMs inspecific locations Rest Room, Conference Room

CD-ROM is titled 2006 Financials and Lay Offs

Within a few hours each of these CD-ROMs aregrabbed by employees

Employees run the CDs Each CD has a hidden

script which records IP address of host machine


28/31

All behavior is learned through the

consequences that follow. If the person likes

the consequence, the behavior will berepeated; if the person does not like the

consequence, the behavior is less likely to be

repeated


29/31

Information TechnologyAct 2000

Passed in May 2000 by both houses of

parliament, the IT ACT 2000 aims at

providing a legal framework under which

legal sanctity is accorded to all electronic

records and other activities carried out byelectronic means.


30/31

Objectives Grant legal recognition for transactions carried out by

electronic means.

Legal recognition to digital signature

Facilitate electronic filing of documents

Electronic storage of data Legal sanction to fund transfer

Legal recognition to books of accounts by bankers in electronic

forms To amend the Indian Penal code, the Indian Evidence act,

1872, the bankers book evidence act 1891 and the RBI Act

1934.


31/31

Scope Use of asymmetric digital signatures

Authentication of records using digital signatures

Electronic governance

Attribution, receipt and despatch of electronic records.

Certifying authorities and regulations

Digital signature certification

Cyber regulations

Offences and implications

Network service providers liabilities and exceptions