Types of cyber threats:
- Phishing: deceptive e-mails and websites are used for gathering personal information.
- Malware: malicious software that causes damage to single computers, servers or computer networks. Types of malware include ransomware, spyware, viruses, worms, Trojans, etc.
- Denial of Service (DoS) attacks: these attacks shut down a machine or network in order to make it inaccessible to its users. They work by flooding the target with traffic or sending it information that results in a crash.
- Man-in-the-middle (MitM) attacks: these are eavesdropping attacks. They take place in a two-party transaction, where attackers insert themselves between the two parties. By interrupting traffic, they filter and steal data.
- Structured Query Language (SQL) Injection: SQL is a programming language used to communicate with databases. The attack takes place on servers that store critical data for websites and services. Malicious code is used to make a server divulge information that it normally would not.
- Cross-Site Scripting (XSS): it is similar to a SQL Injection attack. Malicious code is injected into a website, but the attack does not target the website itself. When a user visits the website, the code goes after the user directly.
- Social Engineering: attackers obtain sensitive information through human interaction.
- Hardware attacks: a manufacturing backdoor may be created for malware or other penetrative purposes. Backdoors may be embedded in radio-frequency identification (RFID) chips and memories.
Motives behind cyber-attacks:
- Cyber Crime
- Cyber Theft
- Cyber Espionage
- Cyber Intrusion
Cyber-attack in India:
Data: EY's Global Information Security Survey 2018-19 suggests India ranks 2nd in targeted attacks. Banking, telecom, manufacturing, healthcare, retail and government websites are some of the affected sectors.
As per the Indian Computer Emergency Response Team (CERT-In) report, the maximum number of cyber attacks on official Indian websites come from China, the US and Russia.
Some examples of recent attacks:
- StrandHogg Malware: the Indian Cyber Crime Coordination Centre has sent an alert to all states and police departments. This malware attacks the Android operating system and would allow it to listen to the microphone and access SMS, camera, photos and login credentials.
- Spyware Pegasus: the social media platform WhatsApp was used to spy on journalists and human rights activists using the spyware tool ‘Pegasus’, developed by the Israeli firm NSO Group.
- Union Bank of India: in July 2016, hackers sent a phishing email to employees. They accessed credentials and transferred funds. This cost the bank $171 million. However, it was recovered.
- WannaCry Ransomware attack: in May 2017, many computers in India were locked down by hackers demanding ransom. Even the operating system of the Andhra Pradesh Police and the State Utility of West Bengal was affected.
- Petya Ransomware attack: it happened in June 2017. It was a global ransomware attack. It affected the Danish firm AP Moller, which is a container handler at JNPT, Mumbai.
- GravityRAT (Remote Access Trojan): a malware attack detected by CERT-In in 2017, infiltrating various computers through an email attachment.
- Other malware attacks like Mirai, Reaper, Saposhi etc.
Cyber Security Framework:
The framework protects users, assets and transactions through visibility, analytics and integration. The governance structure can be as follows:
- Identification and Authorisation: privacy, minimum disclosure and anonymity support.
- Data Security: data sovereignty, data localisation, interoperability and secure communication.
- Threat management: by profiling, protection, detection and response.
- Building Resilience: risk-based decision, across data flow and people-centric security.
Laws in India:
- Information Technology Act, 2000: it defined critical information infrastructure in Section 70(1) of the Act.
- National Cyber Policy, 2013
- Data Protection Bill, on the recommendation of the Justice B N Srikrishna Committee.
- Indian Computer Emergency Response Team (CERT-In) is an office within MeitY which is the nodal agency to deal with cybersecurity threats.
- Indian Cyber Crime Coordination Centre (I4C) is apex coordination centre to deal with cyber-crimes such as financial frauds, pornographic and communal content.
- Cyber Surakshit Bharat Initiative, 2018
- Cyber Swachhta Kendra
- Information Security Education and Awareness Project
- Digital Investigation Training and Analysis Centre (DITAC)
- National Cyber Coordination Centre: it has launched the TechSagar platform in partnership with the Data Security Council of India to discover technological capability.
- National Informatics Centre
- The Global Conference on Cyberspace was conducted. Its theme was ‘Cyber4All: A Secure and Inclusive Cyberspace for Sustainable Development’. Its aim was to establish internationally agreed ‘rules of the road’ and the participation of all stakeholders.
- The Government has planned to launch its own public Domain Name Server (DNS) to provide a faster and more secure browsing experience for internet users.
- The Government is going to set up the Defence Cyber Agency to address challenges to national security, on the recommendations of the Naresh Chandra Task Force and the Chief of Staff Committee.
- MHA has issued a National Information Security Policy and Guidelines (NISPG) to secure government data and control access to it.
Cyber Security Hierarchy in India:
- UN Group of Government and Experts (UNGGE) suggested 11 norms in 2013.
- Budapest Convention on Cyber-Security, drawn up by the Council of Europe in 2001, which entered into force on 1 July 2004. India has not adopted it because of the issue of data sharing with foreign law enforcement agencies. In August 2020, the committee is to be convened to establish the new treaty.
- CERT-In has signed cooperation pacts with three nations: Malaysia, Singapore and Japan.
The cyber-security framework can be envisaged through the P-P-P Model. Security audits adhering to international standards should be applicable to all government websites. Cyber-security drills can be carried out with the help of state-CERT. Government agencies that implement IT projects shall allocate appropriate for compliance with the security requirements of the IT Act, 2000 and state cybersecurity policy. There is a need for capacity building and awareness among citizens and small businesses for cybersecurity.