Enabling Trust in a Networked Environment
B J Srinath, Sr. Director, Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology, Government of India
Tel: 011-24363138, Web: http://www.cert-in.org.in, E-mail: srinath@mit.gov.in
Indian Cyber Space
Trust & Confidence in e-Transactions
(Diagram: e-Transactions rest on three pillars: Enabling Legal Framework, Communication Infrastructure, and TRUST & CONFIDENCE)
A safe and secure e-Transaction depends not only on an excellent Legal Framework and Communication Infrastructure, but also, very importantly, on TRUST & CONFIDENCE.
Enabling Trust in a networked environment
What is trust?
“It is the extent to which one party is willing to depend on somebody or something in a given situation with a feeling of relative assurance even though negative consequences are possible”
Who are the stakeholders?
Government, Businesses and People
“In a networked environment cyber security has a big impact on the kind of trust that we wish to have, because we are about to deal with an unfamiliar entity in an unfamiliar medium”
Today’s business environment
Cyber Security – Why is it an issue?
Because, although the threats in cyber space remain by and large the same as in the physical world (e.g. fraud, theft and terrorism), they differ due to 3 important developments:
• automation has made attacks more profitable
• action at a distance is now possible
• attack technique propagation is now more rapid and easier
Today’s business environment
Cyber Security – Why is it an issue?
In addition to the 3 important developments, there are 3 more trends that make an enterprise transparent and vulnerable:
• Internet enabled connectivity
• Wireless networking
• Mobile computing
“Good recipe for trouble – E-Commerce + M-Commerce + Critical sector plus well known brand-name”
Cyber Security Trends – The next wave
Mischievous activities in cyber space have expanded from novice geeks to organized criminal gangs that are going hi-tech.
Recent studies reveal three major findings:
• Growing threat to national security – web espionage becomes increasingly advanced, moving from curiosity to well-funded and well-organized operations aimed at not only financial, but also political or technical gain
• Increasing threat to online services – affecting individuals and industry because of the growing sophistication of attack techniques
• Emergence of a sophisticated market for software flaws – that can be used to carry out espionage and attacks on Govt. and critical information infrastructure. Findings indicate a blurred line between legal and illegal sales of software vulnerabilities
Today’s Enterprise – Struggle for balance
An improperly managed and vulnerable IT infrastructure can upset the balance.
Today, enterprises using IT need to balance four requirements simultaneously:
• Sensible investments and reasonable ROI
• Compliance with legal requirements
• Facilitate business with secure access to information and IT resources
• Keep intruders at bay
Enabling Factors for Trust
• Social factors – To generate and establish trust in terms of reputation, responsibility, familiarity, transparency and human intervention
• Organisational factors – To enable trust in terms of rules, policies/procedures, discipline of compliance and demonstration
• Legal factors – To enable trust in terms of legal compliance, judicial systems and law enforcement mechanisms
Enabling Factors for Trust
• Technology factors – To enable trust and enforce compliance in terms of tools, technologies, standards/protocols for data security and privacy protection and fraud prevention
• Assurance factors – To radiate trust through third party guarantee in terms of approvals, certifications and accreditations
Assuring features of a Trusted transaction
• Identification and authentication
• Integrity and confidentiality of communication
• Non-repudiation
• Transparent transaction
• Traceability and accountability
“The enabling factors coupled with the assuring features can help in creating an environment of trust & confidence and make it possible to trust an unfamiliar entity on the net for commercial transactions”
Environment of Trust & Confidence
Creating an environment of Trust & Confidence requires actions by different stakeholders such as:
• Government
• Network Service Providers (ISPs)
• Corporate entities
• Small users and home users
Enabling Trust – Actions at Country level
• Cyber security strategies and policy directives on data security and privacy protection – compliance, liabilities and enforcement (e.g. Information Technology Act 2000)
• Standards and guidelines for compliance (e.g. ISO 27001, ISO 20001 and CERT-In guidelines)
• Conformity assessment infrastructure (enabling and endorsement actions concerning security products – ISO 15408, security processes – ISO 27001, and security manpower – CISA, CISSP, ISMS-LA, DISA etc.)
• Cyber security incident early warning and response (national cyber alert system, crisis management and emergency response)
• Information sharing and cooperation (MoUs with vendors and overseas CERTs and security forums)
• Pro-active actions to deal with and contain malicious activities on the net by way of net traffic monitoring, routing and gateway controls
• Lawful interceptions and law enforcement
• Nation-wide security education and awareness campaign and focused training programs
• Security research and development focusing on tools, technology, products and services
Cyber Security – Strategic objectives
Enabling ‘Trust & Confidence’ in the networked environment by:
• Proactive policies and actions (legal, technical etc.)
• Effective collaboration (Govt, Industry, Public)
Ensuring safety and security of Indian Cyber Space by:
• Preventing cyber attacks against the country’s critical information infrastructures
• Reducing national vulnerability to cyber attacks
• Minimizing damage and recovery time from cyber attacks
National Cyber Security Strategy
• Security legal framework and law enforcement
• Security early warning and response (CERT-In)
• Security compliance and assurance
• Security education, awareness and training
• Security technology R&D
• Security information sharing and cooperation
Enabling legal provisions
The recent amendments to the Indian IT Act 2000 cover the following legal provisions for tackling cyber security related crimes and violations:
• Data Protection
  - Corporate bodies to implement best practices to protect data
  - Heavy compensation to affected user (Section 43 A)
• Breach of Confidentiality & Privacy
  - Intermediary and service providers not to disclose personal information of subscriber/user acquired by them while providing services
  - Penalties in the form of imprisonment and fine (Section 72 A)
• Pornography including child pornography (Section 67A and B)
• Computer related offences
  - Expansion of list of offences (Section 66 expanded)
  - Identity theft (Section 66C)
  - Phishing (Section 66D)
  - Spoofing and SPAM (Section 66A)
  - E-Commerce frauds (Section 66 C and D)
  - Violation of privacy (Section 66 E)
• Cyber Terrorism (Section 66F)
• Monitoring of malicious traffic (Section 69)
• Empowering of CERT-In to call for information (Section 70A)
Today’s challenge – Struggle for balance
Balance between adequate security and acceptable privacy
• Effective security demands surveillance, monitoring, reporting and accountability. In a secure environment anonymity is unacceptable. However, this means reduced privacy.
• On the other hand, privacy when prioritized results in increased anonymity and reduced accountability. The challenge is to strike the right balance between adequate security and acceptable privacy.
• Duties and rights of key organisations in multi-party infrastructures and services (Telecom, ISP, ASP etc.) and adherence to business values and technology policy need to be prescribed and promoted.
Security Assurance Ladder
Security assurance emphasis depends on the kind of environment:
• Low risk: ‘Awareness’ – know your security concerns and follow best practices
• Medium risk: ‘Awareness & Action’ – proactive strategies leave you better prepared to handle security threats and incidents
• High risk: ‘Awareness, Action and Assurance’ – since security failures could be disastrous and may lead to unaffordable consequences, assurance (the basis of trust & confidence) that the security controls work when needed most is essential
Enabling Trust – Actions at Network level (ISP)
• Compliance with security best practices (e.g. ISO 27001), service quality (ISO 20001) and service level agreements (SLAs), and demonstration of that compliance
• Pro-active actions to deal with and contain malicious activities, ensuring quality of service and protecting average end users by way of net traffic monitoring, routing and gateway controls
• Keeping pace with changes in security technology and processes to remain current (configuration, patch and vulnerability management)
• Conform to legal obligations and cooperate with law enforcement activities, including prompt action on alerts/advisories issued by CERT-In
• Use of secure products and services and skilled manpower
• Crisis management and emergency response
Enabling Trust – Actions at Corporate level
• Compliance with security best practices (e.g. ISO 27001), and demonstration of that compliance
• Pro-active actions to deal with and contain malicious activities, and protecting average end users by way of net traffic monitoring, routing and gateway controls
• Keeping pace with changes in security technology and processes to remain current (configuration, patch and vulnerability management)
• Conform to legal obligations and cooperate with law enforcement activities, including prompt action on alerts/advisories issued by CERT-In
• Use of secure products and services and skilled manpower
• Crisis management and emergency response
• Periodic training and upgradation of skills for personnel engaged in security related activities
• Promote acceptable user behaviour in the interest of safe computing, both within and outside the organisation
Enabling Trust – Actions at Small users/Home users level
• Maintain a level of awareness necessary for self-protection
• Use legal software and update it at regular intervals
• Beware of security pitfalls while on the net and adhere to security advisories as necessary
• Maintain reasonable and trustworthy access control to prevent abuse of computer resources
Environment of Trust & Confidence
Actions for creating an environment of Trust & Confidence require answers to questions such as:
• What needs to be done?
• How do we do it?
• How do we reach all?
• Are we doing it right?
• Are we safe? What if something goes wrong?
Cyber Trust – Final Message
“Failure is not when we fall down, but when we fail to get up”
“We want you Safe”
Thank you