Role of CERT-In & Cyber Security Initiatives

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
New Delhi

Ajay Lakra

(Posted 08-Apr-2022)

INDIA Internet Infrastructure (figure; recovered figures only)

• 462 mil. Internet users; penetration 19%; global share 8%
• 1001 mil. mobile phones; overall tele-density: 81.82
• 18+ mil. high-speed Internet connections; fixed broadband penetration 1%; targeted broadband connections: 131.49 mil.
• 155 major ISPs; network operators shown: NIC, ERNET, BSNL, Reliance, TATA Communications, STPI, MTNL, Bharti
• 355+ IDCs; mail servers approx. 1800; DNS servers estimated 860
• 16 mil. domains in all (1.5 mil. ".in")
• Services: VoIP, IPTV; user segments: Govt., Academia, Enterprise, Home, IT/ITES, BPO

Role of CERT-In

• Established in January 2004 by the Department of Electronics and Information Technology, Govt. of India
• Role of CERT-In
  – Computer Security Incident Response (reactive)
  – Computer Security Incident Prevention (proactive)
  – Security Quality Management Services
• Information Exchange
  – With sectoral CERTs (CSIRTs), CIOs of critical infrastructure organisations, ISPs, vendors
• International Collaboration
  – Member of FIRST
  – Member of APCERT
  – Research partner of APWG
  – Functional relationships with other CERTs (US-CERT, CERT/CC, JPCERT, etc.)

Role of CERT-In in Cyber Crime Prevention

Section 70B, Information Technology Act 2000, designates CERT-In as the national nodal agency for cyber security, to perform the following functions:

• Collection, analysis and dissemination of information on cyber incidents
• Forecasts and alerts of cyber security incidents
• Emergency measures for handling cyber security incidents
• Coordination of cyber incident response activities
• Issue of guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
• Such other functions relating to cyber security as may be prescribed

CERT-In Work Process (diagram; recovered labels)

Incident Handling Life Cycle: Reporting and Detection → Triage → Analysis and Response → Resolution/Escalation

• Inputs: incident reports, vulnerability reports and information requests arriving by email, phone/fax, letter or other channels; events/logs; alerts from other CERTs; network monitoring; technology watch
• Triage
• Information gathering: obtaining contact information, incident documentation
• Technical analysis
• Coordination of information and response: detection, analysis, dissemination & support, recovery
• Constituency and partners: Department of Information Technology, ISP hotliners, media, home users, private sector, major ISPs, foreign partners

Activities of CERT-In

| Activities                         | 2004 | 2005 | 2006 | 2007  | 2008   | 2009    | 2010    | 2011    | 2012    | 2013    | 2014    | 2015    | 2016     |
| Incidents handled                  | 23   | 254  | 552  | 1237  | 2260   | 7981    | 10134   | 28127   | 36924   | 41319   | 44679   | 49455   | 50362    |
| Security alerts / incident notes   | 20   | 30   | 48   | 44    | 49     | 29      | 43      | 48      | 10      | 12      | 13      | 16      | 12       |
| Advisories                         | 23   | 25   | 50   | 66    | 76     | 61      | 73      | 81      | 56      | 92      | 69      | 70      | 98       |
| Vulnerability notes                | 74   | 120  | 138  | 163   | 197    | 157     | 275     | 188     | 122     | 223     | 290     | 316     | 325      |
| Trainings                          | 7    | 6    | 7    | 6     | 18     | 19      | 26      | 26      | 26      | 25      | 21      | 24      | 19       |
| Indian website defacements tracked | 1529 | 4705 | 5211 | 5863  | 5475   | 6023    | 14348   | 17306   | 23014   | 24216   | 25037   | 26244   | 31664    |
| Bot-infected systems tracked       | -    | -    | -    | 25915 | 146891 | 2159804 | 6893814 | 6277936 | 6494717 | 7457024 | 7728408 | 9163288 | 10020947 |
| Security drills                    | -    | -    | 1    | 2     | 2      | 3       | 4       | 4       | 6       | 3       | 3       | 3       | 2        |

(- = not tracked that year)

Trend of Security Incidents in India

Channels of attack:
• Trusted websites – infected
• Emails
• FTP/downloads (untrusted sources)
• Mobile apps & social media
• Pen drives

Website defacements tracked (chart data, 2005–2016): 4705, 5211, 5863, 5475, 6023, 14348, 17306, 23014, 24216, 25037, 26244, 31664

Virus/malicious code incidents handled (chart data, 2004–2016): 5, 95, 19, 358, 408, 596, 2817, 2765, 3149, 4160, 4307, 9830, 13371

(Phishing incidents handled: chart; yearly values appear in the Security Incidents table)

Security Incidents (2011–2016)

| Security Incidents                      | 2011  | 2012  | 2013  | 2014  | 2015  | 2016  |
| Phishing                                | 674   | 887   | 955   | 1122  | 534   | 757   |
| Network scanning / probing              | 1748  | 2866  | 3239  | 3317  | 3673  | 416   |
| Virus / malicious code                  | 2765  | 3149  | 4160  | 4307  | 9830  | 13371 |
| Website defacements                     | 17306 | 23014 | 24216 | 25037 | 26244 | 31664 |
| Website intrusion & malware propagation | 4394  | 4591  | 4265  | 7286  | 961   | 1483  |
| Others                                  | 1240  | 2417  | 4484  | 3610  | 8213  | 2671  |
| Total                                   | 28127 | 36924 | 41319 | 44679 | 49455 | 50362 |

| Malicious spam incidents | 2011 | 2012 | 2013  | 2014  | 2015  | 2016  |
|                          | 2480 | 8250 | 54677 | 85659 | 61628 | 57262 |

Incidents related to Govt. websites (2016)

| Type of incident                                              | No. |
| Website defacements (.nic.in + .gov.in)                       | 165 |
| Website intrusion and malware propagation (.nic.in + .gov.in) | 34  |

Other CERT-In Activities

• Security assurance framework and audit services – empanelment of security auditors:
  – to carry out information security audits, including vulnerability assessment and penetration testing of the networked infrastructure of government and critical sector organisations
  – CERT-In has also carried out episodic security audits of key organisations to enhance their security posture
• Forensic lab – CERT-In is equipped with a cyber forensic and mobile device forensic analysis facility to extract and analyse data from digital devices involved in cyber crime
• Network traffic scanning for early warning – a facility to gather useful network information from different IT networks across the country for meaningful analysis to detect and predict possible cyber attacks

Other Activities

• Cyber Swachhta Kendra (Botnet Cleaning Centre)
  – launched on 21 February 2017
  – for detection of compromised systems in India, and to notify end users, enable cleaning and secure their systems to prevent further malware infections
• National Cyber Coordination Centre (NCCC)
  – to generate macroscopic views of the cyber security breaches and cyber security threats in the country
• CERT-In website
• secureyourpc.in portal

Threat Landscape

Current cyber threat scenario
• Complex nature of cyber space
• Proliferation of ICT systems – technology has reached everywhere
  – New IT platforms and processes such as mobile platforms and IoT have raised the need for new security requirements
• Cyberspace is growing exponentially and has emerged as a key global asset – dependency on technology is unquestionable
• Evolving cyber threat scenario in India
  – Increased attacks on critical infrastructure and key government systems
  – Targeted attacks, sophisticated malware, hacktivism

Dynamic Threat Landscape
• More market share = more lucrative target
• Security will always be a mission-critical concern
• New IT platforms and processes such as mobile platforms and cloud computing have raised the need for new security requirements
• Targeted attacks, sophisticated malware and hacktivism have forced a rethinking of current security practices and processes
• Changes in threats will drive changes in infrastructure protection technology as well
• Exponential growth in Android-based malware and the formation of botnets
  – Zitmo, Geinimi, GingerMaster to name a few

Cybercrime economy

• Sale of vulnerabilities and exploits online
• Crimeware tool kits
• Stolen data
  – Credit card numbers, PINs
  – Email IDs, passwords
  – FTP credentials
• Sale of botnets
  – DDoS as a Service
• Hacking as a Service

The Expanding Cyber Threat: Motive & Challenges

Motives:
• Political
• Ideological
• Criminal

Increase in sophistication (APT)
• Attackers spend 200+ days inside systems before discovery
• It is getting harder for organisations to spot when they have been breached: less than a third (31%) of organisations discovered an internal breach themselves

Cyber Attack Trends observed globally

• A new zero-day vulnerability discovered each week
• Last year the number of new malware variants discovered was 430 million
• Half a billion personal records stolen or lost
• Vulnerabilities found in three quarters of websites
• Spear-phishing campaigns targeting employees increased 55 percent
• Ransomware increased 35 percent
• 100 million fake technical support scams blocked

Source: Symantec

Managing Information Security

• People – skills, roles and responsibilities
• Processes – consistent and repeatable
• Technology – products, tools and automation

People are often the weakest link.

Countermeasures - Technology and Defense in Depth

Layer – example controls:
• Policies, procedures & awareness – user education
• Physical security – guards, locks, tracking devices
• Perimeter – firewalls, VPN, IDS/IPS
• Internal network – network segments, IPsec, NIDS
• Host – OS hardening, authentication, patch management, HIDS, HIPS
• Application – application hardening, antivirus
• Data – ACLs, encryption

Countermeasures - People

• Awareness! Awareness! Awareness!
• Education and user training
• Awareness and training are among the fundamental vehicles for addressing information security threats
  – No one will take precautions if they are not aware of the potential negative consequences of their actions or inactions
  – No one can protect themselves from attacks if they are not aware of how to do it
  – Ignorance is no longer bliss – social engineering attacks remain among the most successful attacks on the Internet
• Anti-virus must be installed, and patches and signatures must be kept up to date
• Use genuine operating systems and software – pirated software frequently includes malicious code
• Operating system and application security patches must be kept up to date
• Hardware and software memory protection (Data Execution Prevention, buffer-overflow protection) must be enabled
• Install and enable:
  – Personal firewall
  – Anti-spyware
  – Anti-phishing controls and HIPS
• Download applications only from trusted sources
• Do not follow unsolicited web links or open attachments in email messages
• Exercise caution when visiting links to web pages
• Do not visit untrusted websites
• Disable the autoplay feature as a safe practice
• Consider disk encryption
  – The success of any encryption scheme depends on the strength of the key/passphrase and on how it is stored and shared
• Practise limited account privilege
  – Admin privilege is not required for most day-to-day work

Countermeasures - Process

• Policies: general statements produced by senior management that dictate what role security plays within the organisation
• Standards: mandatory activities, actions or rules
• Baselines: a point in time that is used as a comparison for future changes
• Guidelines: recommended actions and operational guides for users when a specific standard does not apply
• Procedures: detailed step-by-step tasks that should be performed to achieve a certain goal

Threat by IoT Devices

Advantages
• Promise of efficiency and innovation to the enterprise

Disadvantages
• Profoundly expands the threat surface of your organisation

IoT Botnets

• launch DDoS attacks
• send spam
• other malicious activities

Evolution
• 2014: a large IoT botnet would have had 75,000 compromised devices
• 2016: the now-infamous Mirai botnet was originally leveraging 500,000 devices

Mirai Botnet Timeline

• September 20, 2016: investigative journalist Brian Krebs targeted
• October 1, 2016: Mirai source code released on GitHub
• October 21, 2016: Dyn.com attacked
• November 1, 2016: Liberia's Internet connection disrupted
• November 30, 2016: Deutsche Telekom customers taken offline

How Mirai Works

Two main components:
• the bot malware itself
• the command and control centre (CnC)

The bot contains:
• the attack vectors – Mirai has ten attack vectors it can launch
• a scanner process that actively seeks other devices to compromise

The CnC is a separate image that controls the compromised devices (bots), sending them instructions to launch one of the attacks against one or more victims.

Why are IoT devices being targeted?
• Commonly used and default passwords
• Processing power limitations
• Designed to be plugged in and forgotten about (no security updates)

How many passwords is Mirai configured to try?
• It uses a list of at least 62 username and password combinations

Can a Mirai infection be removed?
• Devices infected with Mirai can be cleaned by restarting them, because the bot runs only in memory. Unless the default credentials are changed (or Telnet is disabled) before the device comes back online, it will be rediscovered by the scanner and re-infected quickly.
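The scanner behaviour described above (a short list of default Telnet credentials, tried at high speed against port 23/2323) leaves a recognisable signature in logs. The following is an added example, not CERT-In tooling and not Mirai's own code: detection logic run over a few constructed honeypot log lines. It flags a source that makes a burst of Telnet logins using known Mirai default pairs, records whether any attempt succeeded, and deliberately ignores slow probing below the burst threshold. The log line format, the sample lines and the credential subset are assumptions for the example.

```python
"""Mirai-style Telnet brute-force detection over honeypot/auth log lines.

Added example (not CERT-In's tooling, not Mirai's code). The log line format
and the sample lines are constructed for this example; the credential pairs
below are a small illustrative subset of the ~62 pairs hard-coded in Mirai's
scanner.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of the default username/password pairs Mirai tries.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("root", "root"), ("user", "user"),
}

# Assumed (constructed) honeypot line format:
#   <ISO timestamp> telnet-honeypot login <failed|succeeded> src=<ip> dport=<port> user=<u> pass=<p>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) telnet-honeypot "
    r"login (?P<result>failed|succeeded) src=(?P<src>[\d.]+) "
    r"dport=(?P<dport>\d+) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_mirai_scanners(lines, window=timedelta(seconds=60),
                          min_attempts=5, min_default_hits=3):
    """Flag sources that behave like the Mirai scanner.

    A source is flagged when, within any `window`, it makes at least
    `min_attempts` Telnet logins (ports 23/2323) and at least `min_default_hits`
    of them use known Mirai default credentials. Slow, spread-out probing below
    the burst threshold is deliberately not flagged, to keep the alert specific.
    Returns {src_ip: summary}.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in (23, 2323):
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            hits = sum((e["user"], e["pw"]) in MIRAI_DEFAULT_CREDS for e in burst)
            if len(burst) >= min_attempts and hits >= min_default_hits:
                findings[src] = {
                    "attempts": len(events),
                    "default_cred_hits": sum(
                        (e["user"], e["pw"]) in MIRAI_DEFAULT_CREDS for e in events),
                    "compromised": any(e["result"] == "succeeded" for e in events),
                    "first_seen": events[0]["ts"].isoformat(),
                }
                break
    return findings


# Constructed sample log: one Mirai-like burst that ends in a successful login,
# one ordinary user mistyping a password, and one slow probe below threshold.
SAMPLE_LOG = """\
2016-10-20T10:00:01 telnet-honeypot login failed src=203.0.113.7 dport=23 user=root pass=xc3511
2016-10-20T10:00:02 telnet-honeypot login failed src=203.0.113.7 dport=23 user=root pass=vizxv
2016-10-20T10:00:02 telnet-honeypot login failed src=203.0.113.7 dport=23 user=admin pass=admin
2016-10-20T10:00:03 telnet-honeypot login failed src=203.0.113.7 dport=23 user=root pass=888888
2016-10-20T10:00:04 telnet-honeypot login succeeded src=203.0.113.7 dport=23 user=support pass=support
2016-10-20T10:05:00 telnet-honeypot login failed src=198.51.100.9 dport=23 user=alice pass=Tr0ub4dor
2016-10-20T10:20:00 telnet-honeypot login failed src=198.51.100.9 dport=23 user=alice pass=Tr0ub4dor2
2016-10-20T11:00:00 telnet-honeypot login failed src=192.0.2.44 dport=2323 user=root pass=admin
2016-10-20T11:30:00 telnet-honeypot login failed src=192.0.2.44 dport=2323 user=root pass=root
2016-10-20T12:00:00 telnet-honeypot login failed src=192.0.2.44 dport=2323 user=user pass=user
2016-10-20T12:30:00 telnet-honeypot login failed src=192.0.2.44 dport=2323 user=admin pass=admin
2016-10-20T13:00:00 telnet-honeypot login failed src=192.0.2.44 dport=2323 user=root pass=default
"""


def analyse_sample():
    """Run the detector over the constructed sample log."""
    return detect_mirai_scanners(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, summary in analyse_sample().items():
        print(src, summary)
```

Only 203.0.113.7 is reported: five logins in four seconds, all from the Mirai default list, one of them successful, which is the case that warrants notifying the device owner. The slow probe from 192.0.2.44 uses the same credentials but never forms a burst, so it is left for a lower-severity rule; the credential list is what makes the alert specific to Mirai-derived scanners rather than to every brute-forcer.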

What can I do to protect my devices and prevent them from becoming infected?

• Research the capabilities and security features of an IoT device before purchase
• Perform an audit of the IoT devices used on your network
• Change the default credentials on devices; use strong and unique passwords for device accounts and Wi-Fi networks
• Use a strong encryption method when setting up Wi-Fi network access (WPA2, not WEP or the original WPA)
• Disable features and services that are not required
• Disable Telnet login and use SSH where possible
• Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
• Modify the default privacy and security settings of IoT devices according to your requirements and security policy
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Regularly check the manufacturer's website for firmware updates
• Ensure that a hardware outage does not leave the device in an insecure state

DEEP WEB & DARK WEB

What is the Deep web?
• All information that cannot be indexed using general web search engines
• Also known as the deep internet, deepnet, or the hidden web
• Cannot be accessed using search engines

Content found on the invisible web
• Webpages with no links pointing to them ("disconnected pages")
• Password-protected webpages
• Webpages generated from databases
• Dynamically generated webpages
• Real-time content
• Webpages that require a registration form to access
• Webpages with non-HTML text, or any coding that a spider program cannot understand

Darknet or Darkweb
• Within the darknet both the web surfers and the website publishers are entirely anonymous
• Anonymity is achieved using Tor
• A number of marketplaces: Agora Marketplace, Abraxas, Silk Road 1, 2, 3

What is Tor
• Acronym for The Onion Router
• Free software for enabling anonymous communication
• Originally developed on behalf of the U.S. intelligence community
• Today it is used by criminal enterprises, hacktivists, and LEAs
• Users can remain anonymous
• Activities can remain untraceable
• Resources can remain hidden

Top darknet markets:
• Dream Market
• AlphaBay
• Russian Anonymous Marketplace (RAMP)
• Outlaw
• East India Company

Silk Road
• In March 2013, the site had 10,000 products for sale by vendors, 70% of which were drugs
• Not on sale: the site prohibited child pornography, stolen credit cards, assassinations, and weapons of any type
• Buyers were able to leave reviews of sellers' products on the site, and in an associated forum where crowdsourcing provided information about the best sellers and worst scammers
• Most products were delivered through the mail, with the site's seller's guide instructing sellers how to vacuum-seal their products to escape detection
• The FBI has claimed that the real IP address of the Silk Road server was found via data leaked directly from the site's CAPTCHA, but security researchers believe that the PHP login page was manipulated to output its $_SERVER variable and real IP following a site maintenance reconfiguration

Challenges
• We have learned so much during the past 20 years or so.
• Even with powerful search engines such as Google and Bing, what we have access to is only a small fraction at the surface of the gigantic data ocean.
• The Deep Web is getting deeper, and certain parts of it are getting darker by the day.
• How to balance the protection of civil liberties for law-abiding citizens with the concerns of national security remains a daunting challenge for policymakers in the age of big data and the Deep Web.

Thank you

Incident Response HelpDesk
Phone: 1800 11 4949
FAX: 1800 11 6969
e-mail: [email protected]
http://www.cert-in.org.in