Role of CERT-In & Cyber Security Initiatives
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
New Delhi
Ajay Lakra
INDIA Internet Infrastructure

[Diagram: India's Internet infrastructure. Figures recoverable from the slide:]
• 462 mil. Internet users; penetration 19 %; global share 8 %
• 1001 mil. mobile phones
• 18+ mil. high-speed Internet connections; fixed broadband penetration 1 %
• Targeted broadband connections: 131.49 mil.
• Overall tele-density: 81.82
• 155 major ISPs
• 355+ IDCs
• Mail servers: approx. 1800
• DNS servers: estimated 860
• 16 mil. domains in all (1.5 mil. ".in")
• Services: VOIP, IPTV
• Key network operators: NIC, ERNET, BSNL, Reliance, TATA Communications, STPI, MTNL, Bharti
• User segments: Govt., Academia, Enterprise, Home, IT / ITES / BPO
Role of CERT-In
• Established in January 2004 by the Department of Electronics and Information Technology, Govt. of India
• Role of CERT-In
  – Computer Security Incident Response (Reactive)
  – Computer Security Incident Prevention (Proactive)
  – Security Quality Management Services
• Information Exchange
  – With sectoral CERTs (CSIRTs), CIOs of Critical Infrastructure organisations, ISPs, Vendors
• International Collaboration
  – Member of FIRST
  – Member of APCERT
  – Research Partner: APWG
  – Functional relationships with CERTs (US-CERT, CERT/CC, JPCERT etc.)
Role of CERT-In in Cyber Crime Prevention
Section 70B, Information Technology Act 2000 designates CERT-In as the national nodal agency to perform the following functions in the area of cyber security:
• Collection, analysis and dissemination of information on cyber incidents
• Forecast and alerts of cyber security incidents
• Emergency measures for handling cyber security incidents
• Coordination of cyber incident response activities
• Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
• Such other functions relating to cyber security as may be prescribed
Incident Handling Life Cycle

[Diagram: incident handling life cycle, reconstructed from the slide labels.]
• Reporting and Detection – inputs: incident reports, vulnerability reports, information requests, received by letter or phone/fax; other sources: events/logs, alerts from CERTs, network monitoring, technology watch
• Triage – information gathering, obtaining contact information, incident documentation
• Analysis and Response – technical analysis; coordinate information and response; resolution/escalation

CERT-In Work Process

[Diagram: CERT-In work process.] Stages: Detection → Analysis → Dissemination & Support → Recovery. Parties involved: Department of Information Technology, ISP hotlines, media, home users, private sector, major ISPs, foreign partners.
Activities of CERT-In

Activity                                2004     2005     2006     2007     2008     2009     2010     2011     2012     2013     2014     2015     2016
Incidents handled                         23      254      552     1237     2260     7981    10134    28127    36924    41319    44679    49455    50362
Security Alerts / Incident Notes          20       30       48       44       49       29       43       48       10       12       13       16       12
Advisories                                23       25       50       66       76       61       73       81       56       92       69       70       98
Vulnerability Notes                       74      120      138      163      197      157      275      188      122      223      290      316      325
Trainings                                  7        6        7        6       18       19       26       26       26       25       21       24       19
Indian Website Defacements tracked      1529     4705     5211     5863     5475     6023    14348    17306    23014    24216    25037    26244    31664
Bot Infected systems tracked               -        -        -    25915   146891  2159804  6893814  6277936  6494717  7457024  7728408  9163288 10020947
Security Drills                            -        -        1        2        2        3        4        4        6        3        3        3        2
Trend of Security Incidents in India

Channels of Attack
• Trusted websites – infected
• Emails
• FTP/downloads (untrusted sources)
• Mobile Apps & Social media
• Pen drives

[Chart: yearly counts, 2005-2016, of Website Defacements, Phishing Incidents Handled and Virus/Malicious Code incidents; the defacement series matches the "Indian Website Defacements tracked" row of the activities table above.]
Security Incidents                          2011    2012    2013    2014    2015    2016
Phishing                                     674     887     955    1122     534     757
Network Scanning / Probing                  1748    2866    3239    3317    3673     416
Virus / Malicious Code                      2765    3149    4160    4307    9830   13371
Website Defacements                        17306   23014   24216   25037   26244   31664
Website Intrusion & Malware Propagation     4394    4591    4265    7286     961    1483
Others                                      1240    2417    4484    3610    8213    2671
Total                                      28127   36924   41319   44679   49455   50362

Malicious Spam Incidents                    2011    2012    2013    2014    2015    2016
Incidents                                   2480    8250   54677   85659   61628   57262
Incidents related to Govt. Websites (2016)

Type of Incident                                               No.
Website Defacements (.nic.in + .gov.in)                        165
Website Intrusion and Malware Propagation (.nic.in + .gov.in)   34
Other CERT-In Activities
• Security Assurance framework and Audit Services – Empanelment of Security Auditors:
  – to carry out information security audits, including vulnerability assessment and penetration testing of the networked infrastructure of government and critical sector organizations
  – CERT-In has also carried out episodic security audits of key organizations to enhance their security posture
• Forensic Lab – CERT-In is equipped with a cyber forensic and mobile device forensic analysis facility to extract and analyse data from the digital devices involved in cyber crime
• Network Traffic Scanning for early warning – a facility to gather useful network information from different IT networks across the country for meaningful analysis to detect and predict possible cyber attacks
Other Activities
• Cyber Swachhta Kendra (Botnet Cleaning Centre)
  – launched on 21 February 2017
  – for detection of compromised systems in India and to notify, enable cleaning and securing systems of end users to prevent further malware infections
• National Cyber Coordination Centre (NCCC)
  – to generate macroscopic views of the cyber security breaches and cyber security threats in the country
Current cyber threat scenario
• Complex nature of cyber space
• Proliferation of ICT systems – technology has reached everywhere
  – New IT platforms and processes such as mobile platforms and IoT have raised the need for new security requirements
• Cyberspace is growing exponentially and has emerged as a key global asset – dependency on technology is unquestionable
• Evolving cyber threat scenario in India – increased attacks on critical infrastructure and key government systems
  – Targeted attacks, sophisticated malware, hacktivism
Dynamic Threat Landscape
• More market share = more lucrative target
• Security will always be a mission-critical concern
• New IT platforms and processes such as mobile platforms and cloud computing have raised the need for new security requirements
• Targeted attacks, sophisticated malware and hacktivism have forced a rethinking of current security practices and processes
• Changes in threats will drive changes in infrastructure protection technology as well
• Exponential growth in Android-based malware and the formation of botnets
  – Zitmo, Geinimi, GingerMaster to name a few
Cybercrime economy
• Sale of Vulnerabilities and exploits online
• Crimeware tool kits
• Stolen data
– Credit card numbers, PINs
– Email ids, passwords
– FTP credentials
• Sale of Botnets
– DDoS as a Service
• Hacking as a Service
The Expanding Cyber Threat: Motive & Challenges
• Political
• Ideological
• Criminal
Increase in Sophistication (APT)
Hackers spend 200+ days inside systems before discovery.
It is getting harder for organizations to spot when they have been breached: less than a third (31%) of organizations discovered an internal breach themselves.
Cyber Attack Trends observed globally
• A new zero-day vulnerability discovered each week
• Last year the number of new malware variants discovered was 430 million
• Half a billion personal records stolen or lost
• Vulnerabilities found in three quarters of websites
• Spear-phishing campaigns targeting employees increased 55 percent
• Ransomware increased 35 percent
• 100 million fake technical support scams blocked
Source: Symantec
Managing Information Security

[Diagram: People, Processes and Technology triangle.]
• People – skills, roles, and responsibilities
• Processes – consistent and repeatable
• Technology – products, tools, and automation
People are often the weakest link.
Countermeasures - Technology and Defense in Depth

[Diagram: defense-in-depth layers, outermost to innermost, with the controls the slide lists for each layer.]
• Policies, Procedures & Awareness – user education
• Physical Security – guards, locks, tracking devices
• Perimeter – firewalls, VPN, IDS/IPS
• Internal Network – network segments, IPSec, NIDS
• Host – OS hardening, authentication, patch management, HIDS, HIPS
• Application – application hardening, antivirus
• Data – ACL, encryption
Countermeasures - People
• Awareness! Awareness! Awareness!
• Education and user training
• Awareness and training are one of the fundamental vehicles to help address information security threats
  – No one is going to take precautions if they are not aware of the potential negative consequences of their actions or inactions
  – No one is able to protect themselves from attacks if they are not aware of how to do it
  – Ignorance is no longer bliss – social engineering attacks remain one of the most successful attacks on the Internet
• Anti-virus must be installed, and patches and signatures must be up to date
• Use genuine operating systems and software
  – Pirated software includes malicious code
• Operating system and application security patches must be up to date
• Hardware and software memory protection (Data Execution Prevention, buffer overflow protection) must be implemented
Countermeasures - People (continued)
• Install and enable:
  – Personal firewall
  – Anti-spyware
  – Anti-phishing controls and HIPS
• Download applications from trusted sources
• Do not follow unsolicited web links or attachments in email messages
• Exercise caution while visiting links to web pages
• Do not visit untrusted websites
• Disable the autoplay feature as a safe practice
• Consider disk encryption
  – The success of any encryption scheme depends on the strength of the key/passphrase and how it is kept/shared
• Practice limited account privilege
  – Admin privilege is not required for most day-to-day work
Countermeasures - Process
• Policies: general statements produced by senior management that dictate what role security plays within the organization
• Standards: mandatory activities, actions or rules
• Baselines: a point in time that is used as a comparison for future changes
• Guidelines: recommended actions and operational guides for users when a specific standard does not apply
• Procedures: detailed step-by-step tasks that should be performed to achieve a certain goal
IoT Devices
Advantages
• Promise of efficiency and innovation to the enterprise
Disadvantages
• Profoundly expands the threat surface for your organization
IoT Botnets
• launch DDoS attacks
• send spam
• other malicious activities
Evolution
• 2014: A large IoT botnet would have 75,000 compromised devices.
• 2016: The now-infamous Mirai botnet was originally leveraging 500,000 devices.
MIRAI Botnet
Timeline
September 20, 2016: Investigative journalist Brian Krebs targeted
October 1, 2016: Mirai source code released on GitHub
October 21, 2016: Dyn.com attacked
November 1: Liberia’s Internet connection disrupted
November 30: Deutsche Telekom customers taken offline
How Mirai Works
Two main components:
• the virus itself
• the command and control center (CnC)
The virus contains:
• the attack vectors – Mirai has ten vectors that it can launch
• a scanner process that actively seeks other devices to compromise
The CnC is a separate image that controls the compromised devices (bots), sending them instructions to launch one of the attacks against one or more victims.
Why are IoT devices being targeted?
• Commonly used and default passwords
• Processing power limitations
• Designed to be plugged in and forgotten about (no security updates)
How many passwords is Mirai configured to try?
• Mirai uses a list of at least 62 username and password combinations
Can a Mirai infection be removed?
• Devices that become infected with Mirai can be cleaned by restarting them.
What can I do to protect my devices and prevent them from becoming infected?
• Research the capabilities and security features of an IoT device before purchase
• Perform an audit of IoT devices used on your network
• Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
• Use a strong encryption method when setting up Wi-Fi network access (WPA)
• Disable features and services that are not required
• Disable Telnet login and use SSH where possible
• Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
• Modify the default privacy and security settings of IoT devices according to your requirements and security policy
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Regularly check the manufacturer's website for firmware updates
• Ensure that a hardware outage does not leave the device in an insecure state
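A defender-side illustration of the scanner behaviour described under "How Mirai Works" and of the "audit IoT devices on your network" step in the checklist above, added here as an example (not CERT-In's code or part of the original slides): it parses constructed firewall log lines and flags any internal host that fans out to many distinct destinations on the telnet ports, which is what an infected device looks like from the network side. The log format, addresses and threshold are assumptions; the telnet port numbers 23 and 2323 are well-known Mirai targets and are not taken from the slides.

```python
"""Flag Mirai-style telnet scanning from firewall log lines (added example, not
CERT-In code). An infected device's scanner probes many other hosts on the
telnet ports 23 and 2323 (well-known Mirai targets, not from the slides), so one
source fans out to an unusual number of distinct destinations on those ports."""
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Constructed sample log (assumed format and addresses): 10.0.0.42 probes twelve
# different hosts on 23/2323, while 10.0.0.7 mostly makes HTTPS connections.
SAMPLE_LOG = (
    [f"src=10.0.0.42 dst=203.0.113.{i} dport={23 if i % 2 else 2323}"
     for i in range(1, 13)]
    + [f"src=10.0.0.7 dst=198.51.100.{i} dport=443" for i in range(1, 9)]
    + ["src=10.0.0.7 dst=198.51.100.20 dport=23",  # one legitimate telnet session
       "src=10.0.0.42 dst=203.0.113.1 dport=23",  # repeat target, not double counted
       "Jan 10 12:00:01 fw kernel: link state change"]  # unrelated line, ignored
)

def parse(lines):
    """Yield (src, dst, dport) for every line that matches the assumed format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def telnet_fanout(lines):
    """Map each source address to its number of distinct telnet destinations."""
    targets = defaultdict(set)
    for src, dst, dport in parse(lines):
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def suspected_scanners(lines, threshold=5):
    """Return [(src, count)] for sources at or above the threshold, highest first."""
    fanout = telnet_fanout(lines)
    hits = [(src, n) for src, n in fanout.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    # Mirai runs from memory, so a reboot clears it, but the device is reinfected
    # quickly unless the default credentials are changed and Telnet is disabled.
    for host, n in suspected_scanners(SAMPLE_LOG):
        print(f"{host}: {n} distinct telnet targets; isolate and reboot, then change "
              "the default credentials and disable Telnet before reconnecting")
```

The threshold is deliberately low for the sample; on a real network it should be tuned against the normal number of telnet destinations seen per host, which for most devices is zero.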
What is the Deep web?
• All information that cannot be indexed using general web search engines
• Also known as the deep internet, deepnet, or the hidden web
• Cannot be accessed using search engines
Content Found On The Invisible Web
• Webpages with no links pointing to them, called disconnected pages
• Password-protected webpages
• Webpages generated from databases
• Dynamically generated webpages
• Real-time content
• Webpages that require a registration form to access
• Webpages with non-HTML text, or any coding that a spider program cannot understand
Darknet or Darkweb
• Within the Darknet both the web surfers and website publishers are entirely anonymous
• Anonymity is achieved using TOR
• A number of marketplaces: Agora Marketplace, Abraxas, Silk Road 1, 2, 3
What is TOR
• Acronym for The Onion Router
• Free software for enabling anonymous communication
• Originally developed on behalf of the U.S. intelligence community
• Today it is used by criminal enterprises, hacktivists, and law enforcement agencies (LEA)
• Users can remain anonymous
• Activities can remain untraceable
• Resources can remain hidden
Top Darknet Markets
• Dream Market
• Alpha Bay
• Russian Anonymous Marketplace (RAMP)
• Outlaw
• East India Company
Silk Road
• In March 2013, the site had 10,000 products for sale by vendors, 70% of which were drugs
• Not on sale: child pornography, stolen credit cards, assassinations, and weapons of any type
• Buyers were able to leave reviews of sellers' products on the site, and in an associated forum where crowdsourcing provided information about the best sellers and worst scammers
• Most products were delivered through the mail, with the site's sellers' guide instructing sellers how to vacuum-seal their products to escape detection
• The FBI has claimed that the real IP address of the Silk Road server was found via data leaked directly from the site's CAPTCHA, but security researchers believe that the PHP login page was manipulated to output its $_SERVER variable and real IP following a site maintenance reconfiguration
Challenges
• We have learned so much during the past 20 years or so.
• Even with powerful search engines such as Google and Bing, what we have access to is only a small fraction at the surface of the gigantic data ocean.
• The Deep Web is getting deeper and certain parts of it are getting darker by the day.
• How to balance the protection of civil liberty for law-abiding citizens with the concerns for national security remains a daunting challenge for policymakers in the age of big data and the Deep Web.
Thank you
Incident Response HelpDesk
Phone: 1800 11 4949
FAX: 1800 11 6969
e-mail: [email protected]
http://www.cert-in.org.in