Cyber Demonstration

The incidents in Delhi over the past one week have shown how the power of the voice of the people can make even the most adamant Government sit up and take notice. Initially the Government tried to ignore the protests against the brutal rape of a young lady in Delhi. Later an attempt was made to plant hooligans among the protestors, in filmy style, to give them a bad name and to physically break their backs. Despite such authoritarian assault, the protests are still going on, and now there appears to be some movement from the Government in the form of setting up a judicial commission etc.


Posted in Cyber Law

e-authentication framework for Government projects

The Department of Electronics and Information Technology, GOI (DeitY) has released a document called “e-Pramaan: Framework for e-Authentication”. It is intended to serve as the guiding document for all Central and State Ministries, departments and government agencies for implementing an appropriate authentication model for online and mobile based delivery of their services. It is also intended to help maintain uniformity and consistency across the various authentication mechanisms in use.


Posted in Cyber Crime, Cyber Law, Information Assurance, Privacy

Government is on a holiday

The Lieutenant Governor of Delhi, who was enjoying a holiday in the US while the city was burning, has now come back to India. Many hope that there will be some accountability for what happens in Delhi now. People have criticized the insensitivity of various political persons, including the Prime Minister, who did not consider it necessary to speak on the incident until the media started commenting on the irrelevance of the PM’s role in Governance.

As a person observing the Cyber Law scenario in India since its birth, it appears to me that what we are seeing in the Delhi administration is also what we are seeing in the administration of Cyber Law related policy issues, for which the Ministry of Communications and Information Technology is accountable. This ministry is headed by Mr Kapil Sibal with Mr Milind Deora as his deputy. For nearly the last one and a half years the undersigned has been constantly reminding the ministry that the post of the “Chairperson” of the Cyber Appellate Tribunal (CAT) is lying vacant and that without the appointment the Cyber Judicial system in the country is absent. The matter has been brought to the attention of the Chief Justice of India, the President of India, the UPA Chairperson as well as Mr Rahul Gandhi through various means.

But for reasons known to the department, no action has been taken in posting a chairman for the CAT.

What is revealing is that during this time, one retired Judge of the Madras High Court, Shri S.K.Krishan, was appointed as the Judicial Member at CAT and was otherwise eligible to be designated as the Chairperson. Despite requests he was not so designated, and he worked from December 2011 to November 2012 without being able to hold any hearings before attaining superannuation.

The Government in the meantime appointed a Head of Department for CAT and another person as the Technical Member of CAT. However, on the appointment of the Chairperson there has been no information.

The only apparent reasons are that the appointment of the Chairperson is not to the liking of some vested interests, or that there is no consensus in the committee responsible for selection on the candidate selected for the post.

I wish somebody in Delhi would make an RTI application to find out why the Ministry is unable to appoint a person to the post of Chairperson of CAT.

I call upon the authorities, such as the Ministers in charge, to come up with a public statement in this regard. I wish the national media would take up this issue, which is extremely important for the victims of Cyber Crime suffering without a judicial remedy since June 2011, and wake up the Government from its slumber.

Naavi

Posted in Cyber Crime, Cyber Law

Stealing Credit Card information from POS

Stealing of credit card information when the card is used on the Internet is a known vulnerability. It has also been observed that certain criminals bought credit card information by bribing the employees of merchant establishments, or by stealing the POS swiping device itself. Some set up bogus businesses offering goods at low rates only to steal the credit card information. Now it has been reported that a virus named Dexter has been identified which resides in the point of sale equipment used by merchants and has the capability to steal credit card information.

Posted in Cyber Crime

Vulnerabilities in human space

According to NIST (National Institute of Standards and Technology), a “Vulnerability” in the Risk Analysis context is defined as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy”.

An organization undertaking a TIA (Total Information Assurance) program needs to identify the vulnerabilities in all three dimensions, namely Technology, Law and Human Resources.

In this article let’s briefly focus on some of the vulnerabilities in the human system.

“Social engineering” is one of the most successful attacks on system security and causes data breaches time and again. For a Social Engineering Attack (SEA) to succeed, the organization must have vulnerable people inside. The organization trying to mitigate human risks therefore needs to identify its weak spots and fortify them.

Human risks arise for various reasons, such as:

a) Faulty recruitment
b) Faulty training
c) Faulty personnel management

At the time of recruitment it is necessary for an organization to do an effective “background check”. Normally a “Background Check” is understood as checking the educational documents submitted or the previous employer’s confidential report. These are of course necessary but are not sufficient. What is important is a “Psychographic Analysis” of the employee and its mapping to the known organizational work conditions. To achieve this, the candidate may need to be subjected to an appropriate “Aptitude Test” through which his psychographic profile can be mapped. Some of the attributes that need to be assessed are “Propensity to deviate from procedures”, “Ability to meet stress”, “Attitude towards Authority”, “Attitude to revenge”, “Attitude to Money”, etc.

It is necessary to understand that no person is perfect, and hence it is natural to find some elements of “Undesirable traits” in every employee. Sometimes a “Trait” is a reflection of circumstances, and an employee may change significantly over time. Expertise is therefore required to make a proper assessment of the results of the tests without unfairly branding any new employee. But the observations made are to be used for designing an appropriate tracking mechanism to follow the employee’s development in the organisation over a period of time.

This should be followed up during the course of employment with appropriate training based on the TISM model (Theory of Information Security Motivation), which includes three elements of personnel management, namely Awareness, Acceptance and Inspiration, besides Availability and Mandate. Strategies such as “Whistle blowing”, “dispute resolution through an ombudsman” etc. are additional measures that an organization needs to consider.

Further, when a person leaves the organization, an analysis of the “Exit Interview” is also required to review the mistakes committed by the organization and improve. It is obvious that the “Exit Interview” has to be conducted by an authority with whom the outgoing candidate is likely to express his views freely and in good faith. It is also necessary to accept that most exits take place under stress and disappointment, and that a certain level of negative feeling about the management is normal. These views have to be interpreted properly and without causing undue damage to the existing employees.

It is clear that dealing with human risks is not a simple HR function. In fact most organizations may not have the in-house expertise, since the HR function may be overburdened with the day-to-day affairs of managing new recruitment, allocation of personnel to different projects and attrition related issues. “Evaluation” of the behavioural aspects of people has to be handled by experts in behavioural science with an adequate understanding of Cyber Sociology, Cyber Criminology and related aspects.

The subject of “Cyber Space Behavioural Analysis” is an emerging field of study and will be an important ingredient of the training of HR personnel in future.

Naavi

Posted in Cyber Crime, Cyber Law, Information Assurance

Starting an Information Assurance Program

Information Assurance (IA) is a management initiative to ensure Confidentiality, Integrity, Availability, Authentication and Non Repudiation of information in an organization. Taking into account the practical difficulties involved in achieving a satisfactory level of IA, Naavi has suggested a “Total Information Assurance” (TIA) plan under a “Modular Implementation” strategy. The essence of this Total Information Assurance for Modular Implementation approach (TIA4MI) is to set up achievable milestones that the organization can effectively address in its IA program, so that it reaches its TIA objective in measurable steps.

[Figure: IA framework pyramid (iaf_pyramid2)]

The TIA4MI approach depicted in the above diagram envisages that the focus of the organization in Level I will be to ensure “Availability” of information to meet its business needs. This will be followed by “Integrity”, “Confidentiality”, “Authentication” and “Non Repudiation”, in that order. At each target level, the focus is on the core objective of that level. However, it must be remembered that the levels below the target level are deemed to be already addressed to a satisfactory degree, while concurrent implementation of higher level objectives is considered desirable.

Once an organization resolves to start a TIA program, it needs to go through the process of “Risk Analysis” to identify the risks and the steps needed to mitigate them.

Risk analysis depends on the “Threats” and “Vulnerabilities” that exist in relation to the information assets of an organization. We must understand that “Vulnerabilities” exist within the systems and “Threats” arise from outside the systems.

“Vulnerability” represents a “Flaw” or “Weakness” in system security procedures, design, implementation or internal controls that could result in a breach of security either through a deliberate action or through an accident.

A “Threat”, on the other hand, is the potential for such vulnerabilities to be exploited. Threats may arise from external sources and are not under the control of the organization.

Many organizations that are in the process of adopting IT in their business are driven by operational requirements and often do not factor in Information Security as a part of their IT objectives. As a result they reach advanced levels of IT implementation without a proper incorporation of Information Security principles. When such organizations decide to undertake an IA program, the management suddenly realizes that it does not know where to start.

Of course they can start by inviting an external IA consultant and begin their IA program under his guidance. However, it would be advisable for the organization to at least prepare the foundation from which it can have a meaningful dialogue with an IA consultant. A lack of understanding of the issues involved may make it difficult for the IA consultant and the organization to arrive at a mutually acceptable engagement. In fact the IA consultant will not be able to make a proper estimate of the effort required for IA implementation, and hence the dialogue may become frustrating.

In order to improve the quality of the dialogue with the IA consultant, it is essential for the organization to develop its own understanding of the IA requirements of the organization.

The very first step in this direction is for the organization to understand what information it intends to protect and where that information is located. In other words it needs to “identify” the information, “classify” it into different categories such as “Personal”, “Sensitive”, “Business” etc., and “locate” it within the organization.

This Identify-Classify-Locate exercise (ICL Exercise) is the first step that an organization needs to undertake when embarking on an IA program.

It is possible that even this ICL Exercise may require an organization to call in an external consultant for assistance. This should however be treated as an “Information Assurance Preliminary Study” rather than an “IA Risk Analysis”.

Some organizations may treat the ICL exercise as part of the IA Risk Analysis and expect the consultant to undertake it. While there is nothing wrong in this approach, the problem arises when the organization does not understand the difference, which makes it difficult for it to appreciate and accept the effort estimates that must be agreed before the consultant begins his work. Without completion of the ICL exercise it is also not possible for the IA consultant to arrive at an effort estimate.

These problems are more common in SMEs that are undertaking an Information Assurance audit for the first time, and also in most E-Governance projects.

“ICL before IA” is therefore what Naavi suggests organizations adopt as a management principle as they try to move from IT implementation to Information Security consideration.
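As an added illustration (not Naavi's code, nor part of the original post), the following Python sketch runs the ICL exercise over a small constructed inventory: it identifies the kind of information held in each asset, classifies the asset into the Personal/Sensitive/Business categories named above, and records where each class lives. The paths, contents and the two detection rules (e-mail pattern, Luhn-valid card number) are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (location within the organization, text fragment).
# Paths and contents are made up; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_ASSETS = [
    ("hr-share/payroll/emp_1021.txt", "Name: A. Kumar, email: a.kumar@example.com, salary 52000"),
    ("crm-db/customers.csv", "card 4111 1111 1111 1111 exp 11/26"),
    ("intranet/sales/q3_forecast.docx", "Projected revenue for Q3: 12.4 crore"),
    ("web-cache/session_8823.log", "user=a.kumar@example.com token=abc123"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real card-number shape from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identify(text: str) -> list[str]:
    """Identify step: which kinds of information does this fragment contain?"""
    kinds = []
    if EMAIL_RE.search(text):
        kinds.append("email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.append("card_number")
            break
    return kinds


def classify(kinds: list[str]) -> str:
    """Classify step: map identified kinds to the page's categories, most sensitive first."""
    if "card_number" in kinds:
        return "Sensitive"
    if "email" in kinds:
        return "Personal"
    return "Business"


def locate(assets) -> dict[str, list[str]]:
    """Locate step: register of where each class of information is held."""
    register = defaultdict(list)
    for location, text in assets:
        register[classify(identify(text))].append(location)
    return dict(register)
```

The register returned by `locate` is the starting point for the risk analysis that follows: it tells both the organization and the consultant which locations hold Sensitive or Personal data before any effort estimate is discussed.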

Naavi

PLEASE NOTE:

This website has been in existence since 1998.

Older posts from before the site switched to WordPress are available through the link at the top and here below.

OLD POSTS

Posted in Information Assurance