Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Thursday, May 19, 2016

Mobile Cyber Security In India Is Needed Under Digital India

Mobiles are believed to play a major role in the successful implementation of the Digital India project of Indian government. From mobile commerce to mobile banking, the Indian government is betting big upon mobiles and their use for public delivery of services through electronic means. Of course, this big scale use of mobiles will also give rise to cyber law and cyber security issues that Indian government must be well prepared to deal with in future.

Mobile phones have become ubiquitous these days. They are used for multiple purposes ranging from personal use to mobile banking. Cyber criminals have also realised the importance of mobile phones for committing cyber crimes and financial frauds. This is also the reason why malware writers are also writing mobile phone specific malware to steal confidential and sensitive information.

Mobile cyber security in India has become a cause of concern these days. Mobile phones are now proposed to be used for mobile banking and mobile governance in India. Naturally, we must ensure robust mobile cyber security in India. An electronic authentication policy of India can help in more active and secure mobile usages in India. Mobile governance and e-authentication in India are also closely related and with the proposed electronic delivery of services in India this is also a must have requirement.

For the time being we have no implementable electronic delivery of services policy of India though it may be in pipeline. Indian government is working in the direction of ensuring electronic delivery of services in India. In fact a legal framework titled electronic delivery of services bill 2011 (EDS Bill 2011) was also proposed by Indian government in the past. The same has still to become an applicable law in India. Once the EDS Bill 2011 becomes an applicable law, governments across the India would provide electronic services through various modes, including mobile phones. This requires putting a robust and reliable mobile security infrastructure in India.

However, using of mobile phones for commercial and personal transactions in India is also risky. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India. Similarly, we do not have a well developed e-governance infrastructure in India. As a result India is still not ready for m-governance.

We at Perry4Law Organisation (P4LO) believe that the biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India. Absence of encryption laws in India has further made the mobile security very weak in India. The ever evolving mobile malware are further increasing the woes of mobile users’ world wide. As on date the malware are defeating cyber security products and services with ease.

It is high time for India to seriously work upon mobile cyber security aspects as soon as possible. The policy decisions in this regard must be taken urgently and must be implemented as soon as possible.

Saturday, May 14, 2016

Healthcare Cyber Security Issues For Businesses And Entrepreneurs In India

Healthcare industry is facing diverse range of cyber attacks these days. The prominent among them is ransomware that encrypts the sensitive healthcare information and decrypts the same only once the ransom is paid.

So much is the nuisance these days that the National Institute of Standards and Technology (NIST) has released a guide for IT developers on integrating security measures into the development process, which could influence healthcare cyber security management.

The updated draft of the NIST publication provides IT developers with a framework for incorporating cyber security measures into the design process. The document aims to help inventors consider information security needs in all stages of the product, including how to dispose of the system while still protecting data.

Presently, healthcare cyber security market consists of protection against malware, ddos, advanced persistent threat, spyware, lost and stolen devices, etc. However, the list is just illustrative and the cyber security requirements are as vast as are the options available to the cyber criminals.

Perry4Law Organisation (P4LO) strongly recommends that the healthcare industry must work on three fronts i.e. formulation of techno legal policies, adoption of best cyber security practices and a mechanism to ensure cyber breach disclosure and coordination with the statutory and government authorities. If any of these three stages is missing, then the concerned healthcare organisation is at graver risk of cyber attacks and loss of sensitive healthcare information.

See CECSRDI for more.

Wednesday, May 11, 2016

DARPA Is Soliciting Innovative Research Proposals In The Area Of Cyber Attribution

Cyber attacks have become a global nuisance these days. Due to the global nature of Internet and cyberspace, it is very difficult to ascertain the source of such cyber attacks in many cases. Further, different countries have different laws that make it really difficult to prosecute and extradite the cyber criminal. In short, conflict of laws in cyberspace is a major hurdle before the international law enforcement of cyber law and cyber attacks. Authorship attribution for cross border cyber attacks is directly attributable to this scenario.

The US Defense Advanced Research Projects Agency (DARPA) is trying to solve this problem of authorship attribution and it has invited innovative research proposals in the area of cyber attribution. This is in addition to the recent proposal to expand the scope of Rule 41 of the Federal Rules of Criminal Procedure by the US Supreme Court that has conferred a long arm jurisdiction upon US courts.

The goal of the Enhanced Attribution program of DARPA is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns. The objective is to not only collect and validate this pertinent information, but to create the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection. Proposed research should investigate innovative approaches that enable revolutionary advances in science, devices, or systems. Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice.

Malicious actors in cyberspace currently operate with little fear of being caught due to the fact that it is extremely difficult, in some cases perhaps even impossible, to reliably and confidently attribute actions in cyberspace to individuals. The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure. Cyber campaigns spanning jurisdictions, networks, and devices are only partially observable from the point of view of a defender that operates entirely in friendly cyber territory (e.g., an organization’s enterprise network). The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection. The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures. The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options.

The Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the Government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods.

The program will develop techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with any of a number of interested parties (e.g., as part of a response option). The program seeks to develop:

(a) technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures;

(b) techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations;

(c) scalable techniques to fuse, manage, and project such ground-truth information over time, toward developing a full historical and current picture of malicious activity;

(d) algorithms for developing predictive behavioral profiles within the context of cyber campaigns; and

(e) technologies for validating and perhaps enriching this knowledge base with other sources of data, including public and commercial sources of information.

Sunday, May 1, 2016

Malware Are Big Nuisance For Business Houses And Individuals World Over

Business houses and individuals are facing sophisticated malware attacks around the world. This is true about not only big business companies but even small and medium business houses. Cyber criminals are also targeting individuals for sensitive personal and financial information. Ransomware attacks are increasing and they are targeting stakeholders ranging from big hospitals, banks and individual computer users.

Even at the organisational level, the directors and top management are lethargic towards cyber security of the organisation. For instance, the directors of Indian companies are not at all paying attention to cyber security issues. As the Indian government is not pushy at all regarding ensuring cyber security in companies and at the level of Indian cyberspace, these directors are escaping their legal liabilities even if a cyber breach occurs. There are no cyber security breach disclosure norms in India and this makes the directors and top management indifferent toward cyber security related legal obligations in India.

India has no dedicated cyber security law though it is absolutely required due to projects like Digital India and Aadhaar. Cyber criminals are targeting banking sector of India with ease and stealing big amount of money. The Reserve Bank of India (RBI) had even declared that it would open up an IT subsidiary that wold take care of cyber security issues of banks in India. However, till May 2016 there is no sign of such an IT subsidiary. Similarly, the Indian government has appointed Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India but much has to be done after this stage.

In the present cyber security environment, malware have emerged as undefeatable and uncontrollable. Cyber security product and services providers have no other option left but to innovate so that sophisticated malware can be detected at the earliest stage. Anonymity tools and use of Dynamic DNS, Fast Flux and Bullet Proof Servers has further complicated the problems for law enforcement agencies world over. Instead of strengthening the cyber security capabilities, law enforcement agencies around the world are barking the wrong tree. They are trying to kill encryption and compromise the cyber security by demanding backdoor in the security products. FBI of US has even gone to the extent of acquiring long arm jurisdiction through US Supreme Court that would allow it to target global computers. This would clearly violate civil liberties and cyber laws of various nations.

Cyber criminals have unlimited resources at their disposal these days. Many of them are even supported by state actors and this allows them to make customised malware that cannot be detected and eliminated by traditional anti virus and security products. As a result the contemporary cyber security products and services are ineffective in preventing such malware from causing damage.

World has already faced sophisticated malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc. These malware were unique as they were detected much after they infected the targeted systems. Some of these systems remained infected for many years and this facilitated targeted cyber espionage and customised infection of these systems.

The financial sector has its own share of cyber security problems and challenges. Malware targeting financial sector are also in circulation for long. These include Carbanak, Vskimmer Trojan, Malware Dump Memory Grabber, etc that cause tremendous financial loss world over. It is not just the financial loss but also loss of faith and goodwill that banks and other financial institutions have to face.

Perry4Law Organisation (P4LO) has provided the “Cyber Security Trends In India 2016” that have predicted that use of botnet and malware would increase in the year 2016. The trends has also predicted that critical infrastructure, cloud computing and e-health would also be on the receiving end. We have already witnessed an increased use of ransomware and malware for targeting hospitals and health industry. Similarly, big corporations are also frequently targeted and their data are encrypted by the cyber criminals. This data is then decrypted only after the ransom is paid by the corporation to the cyber criminal.

The year 2016 would witness an increased use of malware for various purposes like cyber terrorism, cyber warfare and cyber espionage. It is for us to develop both offensive and defensive cyber security capabilities and a robust cyber security infrastructure so that the impact of these malware can be minimised if not eliminated.

Advertisement Space- Bid Now

Advertisement Space- Bid Now