Cyber Security Strategies
  • Date: 2025-02-05


To design and implement a secure cyberspace, some stringent strategies have been put in place. This chapter explains the major strategies employed to ensure cybersecurity, which include the following −

    Creating a Secure Cyber Ecosystem

    Creating an Assurance Framework

    Encouraging Open Standards

    Strengthening the Regulatory Framework

    Creating Mechanisms for IT Security

    Securing E-governance Services

    Protecting Critical Information Infrastructure

Strategy 1 − Creating a Secure Cyber Ecosystem

The cyber ecosystem involves a wide range of varied entities like devices (communication technologies and computers), individuals, governments, private organizations, etc., which interact with each other for numerous reasons.

This strategy explores the idea of having a strong and robust cyber-ecosystem where the cyber-devices can work with each other in the future to prevent cyber-attacks, reduce their effectiveness, or find solutions to recover from a cyber-attack.

Such a cyber-ecosystem would have the ability built into its cyber devices to permit secured ways of action to be organized within and among groups of devices. This cyber-ecosystem can be supervised by present monitoring techniques where software products are used to detect and report security weaknesses.

A strong cyber-ecosystem has three symbiotic structures − Automation, Interoperability, and Authentication.

    Automation − It eases the implementation of advanced security measures, enhances the swiftness, and optimizes the decision-making processes.

    Interoperability − It toughens the collaborative actions, improves awareness, and accelerates the learning procedure. There are three types of interoperability −

      Semantic (i.e., shared lexicon based on common understanding)

      Technical

      Policy − Important in assimilating different contributors into an inclusive cyber-defense structure.

    Authentication − It improves the identification and verification technologies that work in order to provide −

      Security

      Affordability

      Ease of use and administration

      Scalability

      Interoperability

Comparison of Attacks

The following table shows the Comparison of Attack Categories against Desired Cyber Ecosystem Capabilities −

Case Study

The following diagram was prepared by Guilbert Gates for The New York Times, which shows how an Iranian plant was hacked through the internet.

Explanation − A program was designed to automatically run the Iranian nuclear plant. Unfortunately, a worker who was unaware of the threats introduced the program into the controller. The program collected all the data related to the plant and sent the information to the intelligence agencies who then developed and inserted a worm into the plant. Using the worm, the plant was controlled by miscreants which led to the generation of more worms and as a result, the plant failed completely.

Types of Attacks

The following table describes the attack categories −

Attack Category − Description of Attack

Attrition − Methods used to damage networks and systems. It includes the following −

    distributed denial of service attacks

    impair or deny access to a service or application

    resource depletion attacks

Malware − Any malicious software used to interrupt normal computer operation and harm information assets without the owner’s consent. Any execution from a removable device can enhance the threat of a malware.

Hacking − An attempt to intentionally exploit weaknesses to get unethical access, usually conducted remotely. It may include −

    data-leakage attacks

    injection attacks and abuse of functionality

    spoofing

    time-state attacks

    buffer and data structure attacks

    resource manipulation

    stolen credentials usage

    backdoors

    dictionary attacks on passwords

    exploitation of authentication

Social Tactics − Using social tactics such as deception and manipulation to acquire access to data, systems or controls. It includes −

    pre-texting (forged surveys)

    inciting phishing

    retrieving of information through conversation

Improper Usage (Insider Threat) − Misuse of rights to data and controls by an individual in an organization that would violate the organization’s policies. It includes −

    installation of unauthorized software

    removal of sensitive data

Physical Action/Loss or Theft of Equipment − Human-driven attacks such as −

    stolen identity tokens and credit cards

    fiddling with or replacing card readers and point of sale terminals

    interfering with sensors

    theft of a computing device used by the organization, such as a laptop

Multiple Component − Single attack techniques that contain several advanced attack techniques and components.

Other − Attacks such as −

    supply chain attacks

    network investigation

Strategy 2 − Creating an Assurance Framework

The objective of this strategy is to design an outline in compliance with the global security standards through traditional products, processes, people, and technology.

To cater to the national security requirements, a national framework known as the Cybersecurity Assurance Framework was developed. It accommodates critical infrastructure organizations and the governments through "Enabling and Endorsing" actions.

Enabling actions are performed by government entities that are autonomous bodies free from commercial interests. The publication of "National Security Policy Compliance Requirements" and IT security guidelines and documents to enable IT security implementation and compliance are done by these authorities.

Endorsing actions are involved in profitable services after meeting the obligatory qualification standards and they include the following −

    ISO 27001/BS 7799 ISMS certification, IS system audits etc., which are essentially the compliance certifications.

    Common Criteria standard ISO 15408 and Crypto module verification standards, which are the IT Security product evaluation and certification.

    Services to assist consumers in implementation of IT security such as IT security manpower training.

Trusted Company Certification

Indian IT/ITES/BPOs need to comply with the international standards and best practices on security and privacy with the development of the outsourcing market. ISO 9000, CMM, Six Sigma, Total Quality Management, ISO 27001 etc., are some of the certifications.

Existing models such as SEI CMM levels are exclusively meant for software development processes and do not address security issues. Therefore, several efforts are made to create a model based on the self-certification concept and on the lines of the Software Capability Maturity Model (SW-CMM) of CMU, USA.

The structure that has been produced through such association between industry and government comprises the following −

    standards

    guidelines

    practices

These parameters help the owners and operators of critical infrastructure to manage cybersecurity-related risks.

Strategy 3 − Encouraging Open Standards

Standards play a significant role in defining how we approach information security related issues across geographical regions and societies. Open standards are encouraged to −

    Enhance the efficiency of key processes,

    Enable systems incorporations,

    Provide a medium for users to measure new products or services,

    Organize the approach to arrange new technologies or business models,

    Interpret complex environments, and

    Endorse economic growth.

Standards such as ISO 27001[3] encourage the implementation of a standard organization structure, where customers can understand processes, and reduce the costs of auditing.

Strategy 4 − Strengthening the Regulatory Framework

The objective of this strategy is to create a secure cyberspace ecosystem and strengthen the regulatory framework. A 24X7 mechanism has been envisioned to deal with cyber threats through National Critical Information Infrastructure Protection Centre (NCIIPC). The Computer Emergency Response Team (CERT-In) has been designated to act as a nodal agency for crisis management.

Some highlights of this strategy are as follows −

    Promotion of research and development in cybersecurity.

    Developing human resource through education and training programs.

    Encouraging all organizations, whether public or private, to designate a person to serve as Chief Information Security Officer (CISO) who will be responsible for cybersecurity initiatives.

    Indian Armed Forces are in the process of establishing a cyber-command as a part of strengthening the cybersecurity of defense network and installations.

    Effective implementation of public-private partnership is in pipeline that will go a long way in creating solutions to the ever-changing threat landscape.

Strategy 5 − Creating Mechanisms for IT Security

Some basic mechanisms that are in place for ensuring IT security are − link-oriented security measures, end-to-end security measures, association-oriented measures, and data encryption. These methods differ in their internal application features and also in the attributes of the security they provide. Let us discuss them in brief.

Link-Oriented Measures

It delivers security while transferring data between two nodes, irrespective of the eventual source and destination of the data.

End-to-End Measures

It is a medium for transporting Protocol Data Units (PDUs) in a protected manner from source to destination in such a way that disruption of any of their communication links does not violate security.
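
The difference between the link-oriented and end-to-end measures described above, as an added example that is not part of the original page: integrity protection with HMAC-SHA256 stands in for the security measure, and the keys, the relay node and the sample PDU payload are constructed for illustration.

```python
import hashlib
import hmac

# Constructed keys for the demo: one per link, plus one shared only by the endpoints.
K_SRC_RELAY = b"link key: source <-> relay"
K_RELAY_DST = b"link key: relay <-> destination"
K_END_TO_END = b"end-to-end key: source <-> destination"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def valid(key: bytes, data: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, data), t)

def relay(pdu: bytes, link_tag: bytes, compromised: bool):
    """Intermediate node: checks the inbound link tag, re-tags for the next link."""
    if not valid(K_SRC_RELAY, pdu, link_tag):
        raise ValueError("inbound link tag rejected")
    if compromised:  # the node holds both link keys, so it can alter and re-tag
        pdu = pdu.replace(b"amount=10", b"amount=9000")
    return pdu, tag(K_RELAY_DST, pdu)

def send_link_only(payload: bytes, compromised: bool):
    """Link-oriented only. Returns (accepted_by_destination, delivered_payload)."""
    pdu, t = relay(payload, tag(K_SRC_RELAY, payload), compromised)
    return valid(K_RELAY_DST, pdu, t), pdu

def send_end_to_end(payload: bytes, compromised: bool):
    """Link tags plus an end-to-end tag inside the PDU. Returns (link_ok, e2e_ok)."""
    pdu = payload + tag(K_END_TO_END, payload)
    pdu, t = relay(pdu, tag(K_SRC_RELAY, pdu), compromised)
    link_ok = valid(K_RELAY_DST, pdu, t)
    body, e2e_tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
    return link_ok, valid(K_END_TO_END, body, e2e_tag)

MESSAGE = b"transfer to=alice amount=10"  # constructed sample PDU payload

if __name__ == "__main__":
    print(send_link_only(MESSAGE, compromised=True))    # altered PDU is accepted
    print(send_end_to_end(MESSAGE, compromised=False))  # both checks pass
    print(send_end_to_end(MESSAGE, compromised=True))   # end-to-end check fails
```

With link-oriented protection alone, the destination accepts the altered PDU because every hop verified correctly; the end-to-end tag is the only check the intermediate node cannot recompute.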

Association-Oriented Measures

Association-oriented measures are a modified set of end-to-end measures that protect every association individually.

Data Encryption

It defines some general features of conventional ciphers and the recently developed class of public-key ciphers. It encodes information in a way that only the authorized personnel can decrypt it.

Strategy 6 − Securing E-Governance Services

Electronic governance (e-governance) is the most treasured instrument with the government to provide public services in an accountable manner. Unfortunately, in the current scenario, there is no devoted legal structure for e-governance in India.

Similarly, there is no law for obligatory e-delivery of public services in India. And nothing is more hazardous and troublesome than executing e-governance projects without sufficient cybersecurity. Hence, securing the e-governance services has become a crucial task, especially when the nation is making daily transactions through cards.

Fortunately, the Reserve Bank of India has implemented security and risk mitigation measures for card transactions in India enforceable from 1st October, 2013. It has put the responsibility of ensuring secured card transactions upon banks rather than on customers.

"E-government" or electronic government refers to the use of Information and Communication Technologies (ICTs) by government bodies for the following −

    Efficient delivery of public services

    Refining internal efficiency

    Easy information exchange among citizens, organizations, and government bodies

    Re-structuring of administrative processes.

Strategy 7 − Protecting Critical Information Infrastructure

Critical information infrastructure is the backbone of a country’s national and economic security. It includes power plants, highways, bridges, chemical plants, networks, as well as the buildings where millions of people work every day. These can be secured with stringent collaboration plans and disciplined implementations.

Safeguarding critical infrastructure against developing cyber-threats needs a structured approach. It is required that the government aggressively collaborates with public and private sectors on a regular basis to prevent, respond to, and coordinate mitigation efforts against attempted disruptions and adverse impacts to the nation’s critical infrastructure.

It is in demand that the government works with business owners and operators to reinforce their services and groups by sharing cyber and other threat information.

A common platform should be shared with the users to submit comments and ideas, which can be worked together to build a tougher foundation for securing and protecting critical infrastructures.

The government of USA has passed an executive order "Improving Critical Infrastructure Cybersecurity" in 2013 that prioritizes the management of cybersecurity risk involved in the delivery of critical infrastructure services. This Framework provides a common classification and mechanism for organizations to −

    Define their existing cybersecurity bearing,

    Define their objectives for cybersecurity,

    Categorize and prioritize chances for development within the framework of a constant process, and

    Communicate with all the investors about cybersecurity.
