Cyber and Network Security Framework: Knowledge Paper On
Contents

FOREWORD
MESSAGE FROM THE CEO - MAHINDRA SPECIAL SERVICES GROUP (MSSG)
MESSAGE FROM THE SECRETARY GENERAL - ASSOCHAM
CONTINUOUSLY RISING SECURITY THREATS
DEVELOPING CYBER SECURITY STANDARDS
PUBLIC-PRIVATE INFORMATION SHARING & INFORMATION SECURITY
PRIVACY & CIVIL LIBERTY PROTECTION
PROTECTION OF CRITICAL INFORMATION INFRASTRUCTURE
RECOMMENDATIONS
MAHINDRA SPECIAL SERVICES GROUP – BRIEF PROFILE
ASSOCHAM – BRIEF PROFILE
The Information Technology revolution has brought a radical change in the way businesses function across the globe. Businesses that stood on three pillars, viz. people, process and technology, are compelled to factor in a fourth pillar: security. Security can no longer be restricted to safeguarding physical assets; it must also cover intangible assets like information, reputation, brand, intellectual property etc.
The Internet has grown exponentially worldwide. India too has witnessed a significant rise in cyberspace activities and Internet usage, so much so that it has not only become one of the major IT destinations in the world but also has the third largest number of Internet users after the USA and China. Such phenomenal growth in access to information and connectivity has empowered individuals to reach the world, but on the flip side it has posed new challenges to the administrators of cyberspace.
Cyberspace has unique characteristics, viz. anonymity and difficulty of provenance, coupled with enormous potential for damage and mischief. These characteristics add to the vulnerabilities, making cyber security a major concern across the globe. Cyberspace is being exploited by criminals to carry out identity theft and financial fraud, conduct espionage, disrupt critical infrastructure, facilitate terrorist activities, steal corporate information and plant malicious software (malware) and trojans.
Cyber security continues to be an issue of intense interest to users and governments across the globe. Cyber security assurance is considered the core strategy. Collaborative efforts of vendors, customers, policy makers and law makers will make a substantial difference in addressing the global cyber security challenge. Further, it is prudent to share knowledge and understanding of what works and what doesn't, to reduce the risk of people using technology for purposes never intended.
Securing a country's critical infrastructure requires protecting not only the physical systems but also the cyber segment of the systems on which they rely. Rivals seeking to harm critical infrastructure are driven by different motivations and view cyberspace as a possible means to achieve effects of much greater impact, such as causing harm to people or widespread economic damage.
This report from the MSSG Fraud Risk Management Team gives an insight into developing cyber security standards, the information sharing and security framework, data privacy issues and critical information infrastructure security, thereby giving the reader a basic understanding of the present status and recommendations.
With the increasing use of information technology enabled services such as e-governance, online business and electronic transactions, protection of personal and sensitive data has assumed paramount importance. The economic growth of any nation, its security, whether internal or external, and its competitiveness depend on how well its cyberspace is secured and protected.
Cyberspace fundamentally is not as complex as we think it to be; what makes it complex is its nature, i.e., cyberspace is borderless, goes beyond jurisdiction, and actions in cyberspace can sometimes be anonymous. These features are being exploited by adversaries, or rather cyber criminals, for committing crime.
Cyber security threats pose one of the most serious economic and national security challenges, and the threats in cyberspace are serious from the point of view of governments as well as corporates. Nevertheless, if they are addressed effectively, cyberspace will surely go a long way in significantly contributing to economic growth, empowerment and a secure Digital India.
Warm Regards,
Dinesh Pillai
CEO
Mahindra Special Services Group
Mumbai, October 2014
[1] http://mea.gov.in/in-focus-article.htm?23632/Prime+Ministers+statement+in+6th+BRICS+Summit+on+the+Agenda++quotPolitical+Coordination+quotInternational+Governance+amp+Regional+Crisesquot
The growing use of ICT for administration and in other spheres of our daily life cannot be ignored. Further, we also cannot ignore the need to secure the ICT infrastructure used for meeting these social functions.

With the focus on creating Digital India, the threat from cyber attacks and malware is not only apparent but also very worrisome. There cannot be a single solution to counter such threats. We need a techno-legal "Harmonized Law", international cooperation, and cooperation among States and agencies to address these challenges.
A good combination of law and technology must be established and then an effort be made to
harmonize the laws of various countries keeping in mind common security standards. In this
respect ASSOCHAM lauds the efforts made by the Ministry of Communications and IT,
Government of India in releasing the National Cyber Security Policy 2013 to ensure a secure
and resilient cyber space for citizens, businesses, and the Government.
We at ASSOCHAM have been discussing and deliberating with the concerned authorities and stakeholders about the need for security compliance and a legal system for dealing effectively with internal and external cyber security threats.
ASSOCHAM has been a Member of the National Security Council, Joint Working Group (JWG)
on Public Private Partnership on Cyber Security and we deeply appreciate the efforts made by
the JWG in inviting private industries’ views and suggestions on Cyber Security related issues.
We are confident that the deliberations at the 6th Annual Summit on Cyber & Network Security, with the theme "Cyber 2.0 – Preparing For the Next Level …With Scale, Speed & Skill", will provide more insight into emerging cyber related challenges and their appropriate solutions for further securing the cyber space.
ASSOCHAM is committed to creating more awareness about the Cyber related issues and this
Background Paper jointly prepared by Mahindra SSG and ASSOCHAM is a step in that
direction and we congratulate the team for their efforts.
We convey our very best for the success of the 6th Annual Summit on Cyber & Network
Security.
D. S. Rawat
Secretary General
ASSOCHAM
New Delhi, October 2014
Stealing data or information from the computers of business organizations and government agencies is a big business for criminals, and the scope of the loss to the business organizations and government ranges from damage to reputation, loss of customer trust and financial penalties to greater competition arising from the stolen data or information.

As the quantity and value of data have increased, so too have the business models and efforts of criminals and other adversaries who have embraced cyberspace as a more convenient and profitable way of carrying out their activities anonymously.
Whether we call them interesting facts, disturbing facts or alarming facts, the reality is that these are true facts.
• 62,189 cyber security incidents were recorded in the first five months of the current calendar year.
• 9,174 Indian websites were hacked by groups spread across the world.
• These incidents include phishing, scanning, spam, malicious code and website intrusions.
• These attacks have been observed to originate from the cyberspace of a number of countries including the US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the UAE.
• The attackers compromise computer systems located in different parts of the world and use masquerading techniques and hidden servers to hide the identity of the actual system from which the attacks are launched.
• As per the cyber crime data maintained by the National Cyber Records Bureau, a total of 1,791, 2,876 and 4,356 cyber crime cases were registered under the Information Technology Act during the years 2011, 2012 and 2013 respectively, showing an increasing trend.
• Growing Internet penetration and the rising popularity of online banking have made India a favourite among cybercriminals, who target online financial transactions using malware; India ranks third after Japan and the US in the tally of countries most affected by online banking malware during the April-June quarter of 2014.

[2] http://www.business-standard.com/article/current-affairs/cyber-crimes-alone-cost-india-rs-24-630-cr-in-2013-report-114070600170_1.html
However, it is interesting to note that the Government of India has understood the importance of the public private partnership model to combat cyber threats. The Government has been associating public and private sector organizations in the projects of the Cyber Security Programme. The Data Security Council of India (DSCI), set up by NASSCOM, is implementing projects in the area of Cyber Forensics Training and Awareness creation for Law Enforcement Agencies.

INR 500 crore has been allocated to the Department of Electronics and Information Technology (DeitY) in the 12th Plan period (2012-17) for the Cyber Security Programme, including Cyber Safety, Security and Surveillance, Cyber Crime Investigations and Cyber Forensics.
Further, the Division Bench of the Allahabad High Court (Lucknow Bench) has also issued directions to ensure that Sub Rule 3(11) of the Information Technology (Intermediary Guidelines) Rules 2011 is implemented in the country in letter and spirit [3].

[3] Writ Petition No. 3672/2012
Keeping in mind the provisions laid down in this policy as guiding principles, business houses can design their strategies to combat any situation arising out of cyber crime and cyber security incidents.

The mission statement of the National Cyber Security Policy, 2013 equally holds good for business houses and corporates. It states:
Mission:
To protect information and information infrastructure in Cyberspace, build
capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize
damage from cyber incidents through a combination of institutional structures,
people, processes, technology and cooperation.
Following the strategies laid down in the National Cyber Security Policy, which was notified on 2nd July 2013, we at Mahindra SSG have tried to simplify them from the point of view of business houses and corporates.
1. Creating a secure cyber ecosystem – Cyber security threats are bound to increase with the emergence of new technologies; therefore it is important for us to be prepared and to have the best security standards and practices in place to detect cyber security threats and respond to them.
Suffice it to say that it becomes imperative for the corporates to give priority to
information security.
In such a scenario, it equally becomes important for business houses and the government to allocate sufficient budget for implementing cyber security initiatives and for meeting the emergency response arising out of cyber incidents. Such allocation of budget should not be treated and seen as an expense on the balance sheet, but rather as an important component of doing secure business.

It is also suggested that all entities (both government and corporate) periodically test and evaluate the adequacy and effectiveness of the technical and operational security control measures implemented in their information technology systems and networks.
In my view the reason for such provision is that there cannot be uniform best
practices for all sectors and domains of business as threat perceptions are different
for each industry.
3. Encouraging open standards – Until and unless we adopt the practice of following open standards, it will be difficult for corporate houses and the government to facilitate interoperability and the exchange of information or data among different products or services, which have become part and parcel of any business.

Most cyber crime and cyber security breaches occur because of ignorance of the law and regulatory framework; therefore it is important that corporate houses make it mandatory in their induction programs that their employees and vendors are made aware of the law and regulatory framework and its consequences.

Corporate houses should regularly conduct and facilitate cyber security drills and exercises. This will help them in assessing their security posture and their level of emergency preparedness in dealing with cyber security incidents.
The Research and Development program should be undertaken for addressing all
aspects of development aimed at short term, medium term and long term goals. The
Research & Development programs should also address all aspects including
development of trustworthy systems, their testing, deployment and maintenance
throughout the life cycle and include R&D on cutting edge security technologies.
The corporates should collaborate in joint Research & Development projects with
other industry groups and academia in designing and developing frontline
technologies and solution oriented research as per their business requirements.
The organizations should create awareness of the threats, vulnerabilities and legal
consequences and liabilities on breach of security among entities for managing
supply chain risks related to information technology (products, systems or services)
procurement.
With organizations facing new and dynamic risks, threats and vulnerabilities every day, a highly skilled cyber security workforce capable of responding to these challenges is needed. Organizations should establish cyber security training infrastructure by way of institutional collaboration with academia and cyber security research centres.

The Human Resource development team, along with the technical and legal teams, should design a strong cyber security policy for employees. A clear mention of the same should also be reflected in all contracts and appointment letters.
Suffice it to say that nothing is totally secure today in cyberspace, but if the above mentioned suggestions are adopted by organizations, to some extent it will help them in protecting their information while in process, handling, storage and transit. This will also help them in safeguarding the privacy of citizens' data and in reducing economic losses due to cyber crime or data theft.

Last but not the least, it is always good to be on the right side of the law, and therefore in this context it is suggested that all business organizations strictly comply with the Information Technology Act, its allied rules and regulations, and government advisories.
Also, one of the strategies mentioned in the National Cyber Security Policy, 2013 relates to developing effective Public Private Partnerships, which emphasizes the following.

Public private partnership is very important to address the issue of cyber security. The primary challenge faced by both the Government and business houses is to curb the threat arising out of cyber security incidents and cyber crime at the earliest, and this cannot be achieved in isolation by either Government or Industry alone. It requires collaboration and coordinated efforts of all the corporates and the government agencies involved in securing the country's cyber space.
The business houses should design a mechanism to regularly interact with the government
agencies either directly or through industry associations.
In the real world it is often said that "Your right to swing your arms ends just where the other man's nose begins" [4]. But I seriously doubt how well this proverb will stand the test of time in the virtual world, where privacy can easily be intruded upon without touching one's nose.
The Information Technology Act 2000 contains adequate provisions to deal with various cyber related offences as well as protection of the privacy of individuals. The following is a brief on such provisions in the Act [6]:

• Section 43 and section 66 of the Information Technology Act, 2000 provide penalties and stringent punishment for hacking of websites.
• Section 43A of the Information Technology Act, 2000 provides compensation to the affected person for failure to protect data.
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified on 11th April, 2013 under section 43A of the Information Technology Act, define sensitive personal data and reasonable security practices and procedures. The Rules require body corporate to
[4] Various permutations of this quote have been attributed to Oliver Wendell Holmes, Jr. (8 March 1841 – 6 March 1935), American jurist and Associate Justice of the Supreme Court of the United States from 1902 to 1932, but it was actually written by Zechariah Chafee, "Freedom of Speech in Wartime", 32 Harvard Law Review 932, 957 (1919). Source: http://en.wikiquote.org/wiki/Oliver_Wendell_Holmes,_Jr.
[6] Standing Committee on Information Technology (2013-14, Fifty Second Report) dealing with Cyber Crime, Cyber Security and Right to Privacy. February 2014
Further, sections 66C and 72A of the Information Technology Act, 2000 provide for punishment and penalty for identity theft and for breach of confidentiality and privacy respectively.

In a move towards safeguarding the privacy of individuals and defining invasion of privacy offences, the government has proposed to set up a Data Protection Authority (DPA) that will rule on issues around invasion of privacy and impose penalties for violations. The Authority will "investigate any data security breach and issue appropriate orders to safeguard security interests of all affected data subjects in respect of any personal data that has or is likely to have been compromised by such breach," according to a draft Right to Privacy Bill [8].
[7] Standing Committee on Information Technology (2013-14, Fifty Second Report) dealing with Cyber Crime, Cyber Security and Right to Privacy. February 2014
[8] http://articles.economictimes.indiatimes.com/2014-02-18/news/47451233_1_personal-data-privacy-bill-draft-bill
Many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT. As such, the Government is making efforts to identify the core services that need to be protected from electronic attacks and is seeking to work with the organizations responsible for these systems so that their services are secured in a way that is proportional to the threat perception.
The primary focus of these efforts is to secure the information resources belonging to
Government as well as those in the critical sectors. The critical sectors include
• Defence,
• Finance,
• Energy,
• Transportation and
• Telecommunications.
Consequently, many in the industry and critical infrastructure organizations have come to recognize that their continued ability to gain consumer confidence will depend on improved software development, systems engineering practices and the adoption of strengthened security models and best practices [9].

The Information Technology Act, 2000 did not have a provision with respect to Critical Information Infrastructure, though it had a provision with respect to Protected Systems under Section 70 of the Act [10].

However, with the passage of time, the need and importance of safeguarding Critical Information Infrastructure was envisaged, and accordingly it is stated in the Amendment Act 10 of 2009, Statement of Objects and Reasons, as follows.
[9] http://deity.gov.in/content/strategic-approach
[10] Section 70 of the Information Technology Act, 2000:
(1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
“The computer resource, the incapacitation or destruction of which, shall have debilitating
impact on national security, economy, public health or safety.”
“Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.”
On 16th January 2014, the Government of India designated the National Critical Information Infrastructure Protection Centre, Block - III, JNU Campus, New Delhi - 110067, an organization under the National Technical Research Organization, as the national nodal agency in respect of Critical Information Infrastructure Protection.

Critical Sector means sectors which are critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health or safety [11].
To better understand the importance of protecting Critical Information Infrastructure, let us take an example. Suppose the electricity supply of the City of Mumbai, considered the financial capital of India, is disrupted for one full day because someone has managed to enter the computer systems of the main power grid, has taken total control of the grid, and demands a hefty amount of money to restore the electricity. In this case, what worries us is not only the money but the chaos it will create in the city.
One of the prominent examples of a cyber attack on a critical infrastructure is the Stuxnet virus,
which ravaged Iran's Natanz nuclear facility beginning in 2008, disrupting a fifth of Iranian
facilities and setting back Iran’s nuclear plans by almost two years.
To enable organizations to assess their preparedness in dealing with cyber crises, CERT-In conducts Cyber Security drills of different complexities with various key organizations. So far, 7 drills have been conducted involving more than 110 organizations from Defence, Space, Atomic

[11] The Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Function and Duties) Rules, 2013
The Government, while drafting the detailed comprehensive guidelines for the protection of Critical Information Infrastructure, should design a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cyber security activities. It is equally true that, while processes and existing needs will differ from organization to organization, the guidelines should assist organizations in incorporating privacy and civil liberties as part of a comprehensive cyber security program.

[12] Standing Committee on Information Technology (2013-14, Fifty Second Report) dealing with Cyber Crime, Cyber Security and Right to Privacy. February 2014
A business will have good security if its corporate culture is correct. That depends on
one thing: tone at the top. There will be no grassroots effort to overwhelm corporate
neglect.
William Malik, Vice President and Research
Area Director for Information Security at Gartner
Cyber security requirements are quite dynamic and change with the threat environment. The threat landscape needs to be updated regularly to prevent emerging attacks. Collaboration among various agencies is needed to share information regarding emerging threats and vulnerabilities, which would help in the effective protection against and prevention of cyber attacks.

Some recommendations:

• Organizations should invest in Research and Development (R&D) initiatives; this is essential for enhancement of skills and expertise in areas of cyber security.
• Organizations should regularly carry out cyber security mock drills on a periodic basis for assessing the preparedness of their IT infrastructure in dealing with cyber incidents and crises arising out of such situations. A cyber security drill is a confidence building and learning exercise.
• Last but not the least, organizations should allocate sufficient budget for cyber security and consider it a business investment rather than an expense.
Mahindra Special Services Group (MSSG), a strategic business unit under the $15.9 bn Mahindra Group, is a leading Corporate Security Risk Consulting firm that helps organizations reduce risk and enhance competitive advantage. MSSG protects information assets and minimizes losses due to an enterprise's deviations from good governance.

With a core team comprising ex-forces officers and domain experts with decades of experience in corporate security, MSSG's risk mitigation advisories have enabled over 150 major corporate clients to secure their people, assets, information and reputation. The company's distinctiveness lies in its 'People-Centric' approach, endorsed by clients across scores of implementations. Headquartered in Mumbai, India, the company has a presence in major cities of India and the capability to operate out of several global locations.
One of the most defining differentiators of MSSG is its holistic approach towards Corporate Security. The corporate risk landscape in the world has gone through paradigm shifts, and MSSG partners with clients to de-risk their businesses from the new and emerging forces of risk. We help our clients to mitigate risk in the following manner:
• Assessment of risk exposure that the organization has in terms of physical, personnel and
information assets.
• Formulate and implement a de-risking strategy that hardens the organization across
Physical locations, Technology, Processes and the Personnel (including those who man
them).
• Changing the “People-Culture” and increasing their participation in the Risk Mitigation
Program.
• Providing an ‘embedded’ team that will ensure implementation and sustenance of the
security initiatives.
All the above mentioned practices have multiple service lines catering to the varied needs of organizations.

At MSSG we realize that improving security is an ongoing and structured process. This begins with creating the right environment for improvement, viz., getting the buy-in of all stakeholders, establishing return on investment and clear measurability of the success of the initiative.
Mumbai: 5th floor, Times Square, Western Express Highway, Andheri (E), Mumbai - 400 069, India. Ph: +91-22-40903232
New Delhi: 212, Rectangle One, Commercial Complex D4, Saket, New Delhi - 110017, India. Ph: +91-11-41097807
Bangalore: 109, Raheja Chambers, 1st Floor, 12, Museum Road, Bangalore - 560 001, India. Ph: +91-80-65736524
Email: [email protected]
Website: www.mahindrassg.com
• Vision
Empower Indian enterprise by inculcating knowledge that will be the catalyst of growth in the barrier-less, technology-driven global market and help them upscale, align and emerge as formidable players in their respective business segments.
• Mission
As a representative organ of Corporate India, ASSOCHAM articulates the genuine,
legitimate needs and interests of its members. Its mission is to impact the policy and
legislative environment so as to foster balanced economic, industrial and social
development. We believe education, IT, BT, Health, Corporate Social responsibility and
environment to be the critical success factors.
D. S. Rawat
Secretary General
email: [email protected]