Cyber Security Policy


1. Security Problems

Information and communication technologies are rapidly becoming an integral part of Bangladeshi society. Through favorable government initiatives and policies, ICTs are spreading fast, reaching the farthest corners of the country to make the common citizen's life easier, more efficient and faster. Today more and more people across the country are accessing ICTs to meet the various needs of their daily life: getting government information and services online, storing information, processing data, sending and receiving messages, communications, controlling machines, typing, editing, designing, drawing, and so on. But this is only one facet of information technology; the other facets are the challenges, not only for Bangladesh but for the whole world, of cyber crime and, moreover, cyber terrorism. There can be no single exhaustive definition of cyber crime; however, any activity which basically offends human sensibilities can also be included in its ambit. Cyber terrorism, on the other hand, is the premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives. In the cyber world Bangladesh is not an isolated island. It faces attacks of the same sophistication as those faced by the USA and other developed countries. There is no reason to think that Bangladesh can survive cyber attacks while taking less sophisticated measures than the developed countries. It should also be noted that cyber security is a continuous process and not a one-time solution. As security practices and solutions continuously improve, so do the attacks. Therefore it is a continuous process and needs to be on a par with international standards. In Bangladesh, several cyber attacks have been observed within the past few years, and to prevent further proliferation proper actions need to be put in place fast.
A Policy Note on Cyber Security Guidelines for Bangladesh

Hackers and terrorists have caused substantial damage to computer systems, including loss of data, disruption of government service delivery, violation of privacy and confidentiality, intellectual property crimes, selling illegal articles, pornography etc. In Bangladesh's cyber space these are achieved through many methods such as spoofing, internet phishing, wire transfer etc. Disrupting government services through coordinated attacks on government systems causes damage to citizens and government. In recent years there have been several cases of violation of privacy and confidentiality through pornography, where many citizens were victimized and threatened by the abuser to pay extortion money to keep their sensitive information intact and avoid social damage. All of these have caused great damage to society and government and have often corrupted vulnerable young minds. With time cyber crime is becoming more and more common and also more sophisticated. Cyber terrorists prefer the cyber attack method because of its many advantages: it is cheaper than traditional methods, very difficult to trace, hides the attacker's identity and location, and faces no physical barriers. Using this method the attackers can easily target a large number of people. The types of attack Bangladesh is facing can be categorized as follows:

(1) Privacy violation: violating a citizen's or an organization's non-public information assets.
(2) Secret information appropriation and data theft: unauthorized access to and/or distribution of information assets.
(3) Intentional corruption of e-governance information systems: deliberate damage to the information systems of government organizations.
(4) Distributed denial of service: intentional overloading of an information system so that it cannot provide its intended services to its customers.
(5) Network damage and disruption: involves a combination of computer tampering, virus attacks, hacking, etc.
(6) Sexually explicit material: involves material that is unlawful and unethical by national standards.

This document will not cover defamatory material because that is a matter of a larger ongoing social debate. The intention behind a cyber terrorism attack could range from economic and social disruption to financial gain. Although cyber attacks have caused billions of dollars in damage around the world and affected the lives of millions, security experts believe the world has yet to witness the implications of a truly catastrophic cyber terrorism attack. Since Bangladesh is just entering the cyber world, so far the damage has been minimal.
Some of the effects are the disruption of government service delivery, network delays, loss of information access for citizens, costs of forensics for recovery, and loss of critical communications in times of emergency. These are the direct damages caused by cyber attacks. However, there are indirect damages as well, for example loss of confidence and credibility in government systems, tarnished relationships and public image globally, and loss of trust in the country's computer industry.

2. Causes Behind the Problems


Hacking: Hacking is committed if someone, with the intention of causing wrongful loss or damage to the public or any person (or with the knowledge that such damage or loss is likely to result), destroys, deletes or alters any information residing in a computer resource, diminishes its value or utility, or affects it injuriously by any means. This is the most common cause of cyber crime in Bangladesh.

Lack of skilled human resources: Human resources are very scarce in the security space. There are very few people who are certified security professionals and can perform a security audit of an information system against actual requirements. There are no security professionals in government bodies. IT professionals in the government are very few in number, and their numbers have to increase many times over.

Non-use of internationally accepted security standard practices: Information security describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information Security Management Systems with a set of well-defined security controls are absent in government organizations, which is making the information systems vulnerable. A formal specification of a management system for government bodies that is intended to bring information security under explicit management control is missing.

Absence of information security classifications/categorizations: A well-defined guideline and standards for information categorization/classification are absent in Bangladesh, by which information could be easily identified and its security standard then easily established. As a result the agencies or the service providers may build weak security around important systems and also may not be able to manage it properly. With the guideline and standards in place, every service provider or agency will know what type of security is required for each information system.

3. Strategies for Ensuring Cyber Security


3.1 Objective
The national strategy to secure cyberspace should focus on the following areas:
- Develop/adopt and implement information security standard practices in government agencies and in their service providers.
- Develop a security policy and map it to the country's legal system.
- Develop an information security response system.
- Minimize damage and recovery time from cyber attacks.

3.2 Developing/adopting Standards


There are international standard practices for information and cyber security management, for example SoGP (Standard of Good Practice), ISO 27001 (Information Security Practices), RFC 2196 etc. ISO 27001 has also been adopted by many governments around the world as their security management practice. Being a formal specification means that it mandates specific requirements for information and communication security. The standard practice requires that the following conditions are met:
- Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
- A coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) is designed and implemented to address risks that are deemed unacceptable.
- A change management process is adopted to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
- A special amendment is made to the standards document to accommodate the special needs of an agency/industry.

Like many other governments around the world, the Bangladesh government may take ISO 27001 as the standard for information security both at the organizational level and for cyberspace. ISO/IEC 27001 is part of the growing ISO/IEC 27000 family of standards for Information Security Management Systems (ISMS), published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is "ISO/IEC 27001:2005 - Information Technology - Security Techniques - Information Security Management Systems - Requirements", but it is commonly known as "ISO 27001". ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. There are several other standards in the 27000 family which have been introduced to government bodies for enhanced security.

Published standards:
- ISO/IEC 27000 - Information security management systems: Overview and vocabulary
- ISO/IEC 27001 - Information security management systems: Requirements
- ISO/IEC 27002 - Code of practice for information security management
- ISO/IEC 27003 - Information security management system implementation guidance
- ISO/IEC 27004 - Information security management: Measurement
- ISO/IEC 27005 - Information security risk management
- ISO/IEC 27006 - Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27033-1 - Network security overview and concepts
- ISO 27799 - Information security management in health using ISO/IEC 27002 [standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27]

Standards in preparation:
- ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
- ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
- ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
- ISO/IEC 27014 - Information security governance framework
- ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
- ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
- ISO/IEC 27032 - Guideline for cyber security (essentially, 'being a good neighbor' on the Internet)
- ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
- ISO/IEC 27034 - Guideline for application security
- ISO/IEC 27035 - Security incident management
- ISO/IEC 27036 - Guidelines for security of outsourcing
- ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence

The government may also adopt the Standard of Good Practice (SoGP) for IT security practices. The Standard of Good Practice is a detailed documentation of identified good practices in information security. First released in 1996, the Standard is published and revised every two or three years by the Information Security Forum (ISF), an international association of organizations in financial services, manufacturing, consumer products, telecommunications, government, and other areas. The Standard is available free of charge for non-commercial use from the ISF, whereas other ISF reports and tools are generally available only to member organizations. The Standard is used as the default governing document for information security behavior by many major organizations around the world, by itself or in conjunction with other standards such as ISO/IEC 27002 or COBIT. Using such systems will force users to consider and assess risks and design security systems based on those risks, making applications and services more secure. These standards cover security management at the enterprise level by securing business applications, web services, computer systems, networks, processes and systems.

3.3 Information security classification/categorization


The Bangladesh government needs to adopt a defined set of standards for information security categorization/classification. These standards will be used by all agencies to categorize all information and information systems collected or maintained by or on behalf of each agency, based on the objective of providing appropriate levels of information security according to a range of risk levels. Guidelines are also needed recommending the types of information and information systems to be included in each category and the minimum information security requirements (i.e., management, operational, and technical controls) for information and information systems in each such category. Below is a sample security classification guideline, giving for each classification a description, examples of information assets and examples of risk impacts:

Classification: Unrestricted
Description: Information that is created in the normal course of business that is unlikely to cause harm. Unrestricted information includes information deemed public by legislation or through a policy of routine disclosure and active dissemination. Unrestricted information is available to the public, employees and contractors, sub-contractors and agents working for the government.
Examples of information assets: public health information; job postings; ordinary staff meeting agendas and minutes; communications to claims clerks; research and background papers (with no copyright restrictions); policy interpretation.
Examples of risk impacts: little or no impact; minimal inconvenience if not available; if lost, changed or denied, would not result in injury to an individual or to government (that is, no legal effect).

Classification: Protected
Description: Information that is sensitive outside the government and could impact service levels or performance, or result in low levels of financial loss to individuals or agencies. Protected information would include personal information, financial information or details concerning the effective operation of the government, ministries and departments. Protected information is available to employees and authorized non-employees (contractors, sub-contractors and agents) possessing a need to know for business-related purposes.
Examples of information assets: draft requests for proposals; business information; applications; planning documents; documents containing personal information.
Examples of risk impacts: unfair competitive advantage; disruption to business if not available; low degree of risk if corrupted or modified.

Classification: Confidential
Description: Information that is sensitive within the government and could cause serious loss of privacy or competitive advantage, loss of confidence in government programs, or damage to partnerships, relationships and reputation. Confidential information includes highly sensitive personal information. Confidential information is available only to a specific function, group or role.
Examples of information assets: personal case files such as benefits, program files or personnel files; industrial trade secrets; registration information; personnel files; policy advice; third-party business information submitted in confidence.
Examples of risk impacts: loss of reputation or competitive advantage; loss of confidence in the government program; loss of personal or individual privacy; loss of trade secrets or intellectual property; financial loss; high degree of risk if corrupted or modified.

Classification: Restricted
Description: Information that is extremely sensitive and could cause extreme damage to the integrity, image or effective service delivery of the government. Extreme damage includes loss of life, risks to public safety, substantial financial loss, social hardship, and major economic impact. Restricted information is available only to named individuals or specified positions.
Examples of information assets: Cabinet documents; Cabinet deliberations and supporting documents; personal medical records; Provincial Budget prior to public release; criminal records; criminal investigations.
Examples of risk impacts: loss of public safety; significant financial loss; compromise of the legal system; compromise of Cabinet deliberations; destruction of partnerships and relationships; sabotage/terrorism; extreme risk if corrupted or modified.

Implementing information security classification will mean that ministries should consider practices related to: labeling information assets, storing information, transmitting information, disposing of unneeded information, protecting the integrity of information, allowing appropriate access and disclosure, and establishing accountability. These practices have to be standardized and codified.

3.4 Security policy


The security policy will be formulated and mapped to the country's constitution, legal system and international laws. The policy will be revised regularly.

3.5 Response
The Information Security Incident Response Plan (ISIRP) will provide guidance and documentation on computer security incident response handling and communication efforts. The ISIRP will be activated whenever a computer security incident occurs, and will guide the response to all incidents whose severity is such that they could affect an organization's ability to do business or undermine its reputation. The government needs to build a proper security response system with the following objectives:
- Provide timely and relevant information
- Help mitigate, protect and deliver solutions
- Design an information coding and categorization system for interoperability of information exchange and proper understanding of information sets

The strategy for a response system should be the following:
- Re-build and re-organize BDCERT (Bangladesh Computer Emergency Response Team)
- Publish security bulletins
- Watch, alert and mobilize, assess and stabilize, resolve, and maintain information systems
- Build a response system with the following goals:
  o Quickly gain a thorough understanding of the problem
  o Provide government bodies with timely, relevant, consistent information
  o Deliver tools, security updates and other assistance to restore normal operation
  o Design and assess the DR practices across the government organizations

3.6 Disaster Recovery


Bangladesh needs a standard disaster recovery practice for the government agencies as well as the service providers. There is also a need for a central data center which meets international standards for its build, disaster recovery practices and security.

3.7 Awareness
Cultivate awareness: Enlist all users and decision makers in support of the security standards and objectives.

Set organizational direction: Make government agencies aware of the need to establish priorities and objectives, principles, policies, standards, and performance measures internally.

Certified service providers: Promote the use of security-certified service providers to reduce the risk of security threats among government agencies. Also measure, review, monitor, supervise, and remediate to ensure coordinated and consistent security implementation across all government organizations and their service providers.

Shape capabilities: Continually work with all government organizations, focal points, system administrators, system analysts, communities of practice (i.e. industry, educational institutions), and users to explain security issues and standard practices.

3.8 Training
The government needs to provide a continuum of learning activities from basic literacy to advanced specialties, recruit and retain highly qualified professionals in needed positions, and keep workforce capabilities current in the face of constant change. The following should be done:

Educate and train: Partner with academia to train and sustain a workforce with the depth and breadth of skill and expertise to anticipate, engineer for, and defend against sophisticated cyber adversaries. Also train the government focal points of different ministries in information security audits so that they can audit their own information systems.

Structure the workforce: Define operational skills and specialties, determine organizational needs and put the right number of jobs in the right places. Put the right people in the right jobs. A professional approach to this is crucial to avoid leaving security in the hands of incompetent people.

Certified auditors: Getting some IT-friendly government officials trained in security practices and certified in ISO 27001 auditing can be a way forward for security practices within government organizations and for systems hosted outside.

3.9 Partnerships
The unique capabilities of a wide set of partners (non-government enterprises, defense, educational institutes, associations etc.) need to be leveraged to create advanced security capabilities. Partnerships with academic institutions, defense and industry can benefit the development of standard practices and awareness campaigns. Public-private engagement should also be seriously considered, as it is a key component of most countries' strategies to secure cyberspace. This is true for several reasons. Public-private partnerships can usefully confront coordination problems. They can significantly enhance information exchange and cooperation. Public-private engagement will take a variety of forms and will address awareness, training, technological improvements, vulnerability remediation, and recovery operations. The following areas can be addressed through public-private partnerships:

Intra-Government: Support and benefit from security-related programs and initiatives throughout the government agencies. Build a knowledge base of security practices, response, DR practices etc.

Academia: Help build future generations of security professionals and train existing government officials. Prepare awareness material for all information systems stakeholders.

Cyber security and IT industries: Expand technical relationships with critical service providers. Build standards and adopt best practices with the industry. Also build a partnership model for auditing.

International: Enhance global cyber security situational awareness and build partner capacity.

Government activities should also support research and technology development that will enable the private sector to better secure privately-owned portions of the nation's critical infrastructure.

3.10 Legal and policy recommendations


To improve the quality of security contracts, the government will develop standard SLAs to address security, non-disclosure agreements and disaster recovery issues. This will also help the government protect its digital assets while outsourcing. The current legal and policy framework does not cover every aspect of cyber crime and thus needs to be reworked and mapped to the relevant laws. To accommodate standard practices, develop workable SLAs and protect citizens' privacy and confidentiality, new laws need to be enacted and some old ones updated. Developing clearer definitions is also important to avoid ambiguity in the legal system. The following need to be addressed in the legal system: breach of confidentiality and privacy, contracts and SLAs, damages caused by cyber crime, specific performance of contracts, punishment for criminal breach of trust, cheating and dishonestly inducing delivery of property, consumer protection clauses and specific relief clauses.

3.11 Central Entity for Coordination


A central entity for coordination is needed to unite all security agencies and coordinate cyber security issues among them. To secure Bangladesh's cyber space, the responsibilities of the body should include:
- Developing a comprehensive national plan for securing the key resources and critical infrastructure of Bangladesh;
- Providing crisis management in response to attacks on critical information systems;
- Providing technical assistance to the private sector and other government entities with respect to emergency recovery plans for failures of critical information systems;
- Coordinating with other agencies of the government to provide specific warning information and advice about appropriate protective measures and countermeasures to the agencies;
- Performing and funding research and development, along with other agencies or the private sector, that will lead to new scientific understanding and technologies in support of cyberspace security;
- Developing/adopting and implementing standard practices for securing cyber and information space;
- Guiding and building relations with other government bodies and international agencies to share knowledge and build co-operation against cyber crime, thus making the country's cyber space more secure.

Consistent with these responsibilities, the authority should become a government center of excellence for cyber and information security and provide a focal point for government and non-government organizations including the private sector, academia, and the public.
