
1 06 Sep 2006 Cyber security
Cyber Security for Protection of Critical Information Infrastructure
B J Srinath, Director & Scientist ‘F’, CERT-In
Department of Information Technology, Ministry of Communications and Information Technology, Government of India
Tel: 011-24363138, E-mail: srinath@mit.gov.in

2 India: Economy & Demographics
• A large and growing working population
• Increasing urbanisation and rising expenditure capacity
• 4th largest Economy in the world with sustained GDP growth of over 8%
• Fast growing Forex reserves - US$ 160 billion (2006); Fairly stable currency ~ Rs 45 per US $
• Growth rate of exports of 32% in dollar terms
• Accelerated consumer demand in 2005 - 1 million Cars, 12 million TVs, 38 million mobiles, 3.5 million credit cards, 1 million new houses… Over 150 Million middle class population
• 20 – 30 million people joining India’s middle class every year
• Telephones: 140 million
• Broadband Connection: 0.8 million
• Internet users: 40 million
Source: NASSCOM & MAIT

3 Indian IT Industry – Year 2005: An Overview
♦ Industry Turnover: US $ 38+ Billion
♦ Hardware: US $ 7 Billion
♦ Hardware Exports: US $ 1.8 Billion
♦ Software & Services: US $ 24 Billion
♦ Software Exports: US $ 17 Billion
♦ ITES & BPO: US $ 7 Billion
♦ ITES & BPO: US $ 6 Billion
IT Industry

♦ PC Shipment: 6 Million Units p.a
♦ PC Penetration: 20 per 1000
♦ Mobile Penetration: 100 per 1000
♦ TV Penetration: 140 per 1000
ICT Industry

♦ Broadband: 8 per 1000
♦ Internet Penetration: 40 per 1000
ACCESS

4 The Four Tigers of IT growth
2004: Worldwide 160 Million; India Volume 4 Million; India Share 2.5%; India Growth 32%
2007: Worldwide 234 Million; India Volume 9 Million; India Share 4%; India Growth 30%

2004: Worldwide 650 Million; India Volume 58 Million; India Share 4%; India Growth 58%
2007: Worldwide 1040 Million; India Volume 90 Million; India Share 9%; India Growth 24%

2004: Worldwide 136 Million; India Volume 1 Million; India Share 0.4%
2007: Worldwide 261 Million; India Volume 10 Million; India Share 4%

2004: Worldwide 51 Million; India Volume 1 Million; India Share 2%
2007: Worldwide 80 Million; India Volume 5 Million; India Share 6%

5 ISPs in India
Total 150 ISPs
Major ISPs: NICNET, ERNET, BSNL, MTNL, VSNL, Bharti, Reliance, Tata, STPI

6 Information Security Survey - Highlights

7 Security – importance & strategy

8 Security – importance & strategy

9 Security breaches

10 Security breaches

11 Security breaches

12 Security breaches

13 Security breaches

14 CERT-In: Established in January, 2004
Mandate
‘Ensure security of cyber space in the country’ by ‘Enhancing the security of communications and Information infrastructure’ through ‘Proactive action and effective collaboration aimed at security incident prevention & response and security assurance’

15 CERT-In Constituency
Indian Cyber Community
Emphasis on: Critical Information Infrastructure Organizations
– Defence
– Finance
– Energy
– Transportation
– Telecom (Dept. of Telecom)
CERT-In – Mother CERT
Sectoral CERTs being established
– NTRO
– Army/Navy/Air Force CERTs
– IDRBT
– Power Sector-CERT
– Civil Aviation-CERT
– Railways-CERT
– Telecom-CERT

16 Activities of CERT-In
Activities | 2003 | 2004 | 2005 | 2006 (till August)
E-mail messages received | - | 625 | 1822 | 1185
Incidents handled | - | 23 | 254 | 386
Security Alerts/Incident Notes | 4 | 20 | 30 | 29
Advisories | 17 | 23 | 25 | 26
Vulnerability Notes | 16 | 74 | 120 | 84
Security Guidelines | 9 | 4 | 2 | -
White papers | - | 3 | 6 | 1
Trainings | 1 | 7 | 6 | 4
Indian Website Defacement | 1687 | 1529 | 4705 | 2706
Open Proxy Servers | - | 236 | 1156 | 1555

17 Information Sharing: Stakeholders
ISPs, Key Networks
CERTs
CSIRTs
Vendors
Media
Law Enforcement Agencies
Home Users
CERT-In
– Government Sector
– Critical Information Infrastructure
– Corporate Sector
International CERTs

18 Web Defacements: Sector wise
Phishing: 40%
Virus/Malicious Code: 38%
Network Scanning/Probing: 16%
System Misuse: 2%
Email Spoofing: 2%
Others: 2%
[Chart titles: Type of hackers; Incidents handled]

19 Nature of Cyber Security Breaches
• Web defacements of Information based websites
• Spread of malicious codes
• SPAM – Open Proxy Servers
• Phishing – Largely gets to foreign Banks and Financial Institutions
• Denial of Service attacks (DoS)

20 Challenges and Concerns
• Outreach
• Security Investment
• Information sharing and exchange
• Cyber Forensics and Quality of Evidence
• Global Cooperation

21 Action at Government Level
• National Information Security Policy
• Legal Framework to address Data and Privacy concerns
• Critical Information Infrastructure Protection Plan
• Cyber Security Assurance Framework
• Cyber Security Research & Development

22 Legal Framework
Information Technology Act 2000 (IT Act, 2000)
– Legal recognition to Electronic Transaction/Record
– Acceptance of Contracts expressed by electronic means
– Framework for Digital Signatures
– Computer crimes

23 Legal Framework
Amendments proposed in the IT Act 2000 to include:
• Technology-neutral concept of e-Signature
• Delivery of e-Governance services through Public-Private Partnership
• Data Security and Privacy
• Identity Theft and Phishing
• Video Voyeurism

24 Critical Infrastructure Protection
Government has initiated measures to protect Critical Information Infrastructure in public and private sector. The focus is on:
• Identification of core sectors and points of contact
• Implementation of Best Practices comprising:
  – Disaster Recovery & Business Continuity Planning
  – Compliance with laws and regulations
  – Managing risk
  – Auditing, reporting and monitoring
  – Education and awareness training (Capacity Building)

25 “National Information Security Assurance Program (NISAP)” for Government and Critical Infrastructure Organizations

26 Security Assurance Framework – Concept
It has four elements:
• Mandatory compliance requirement – in the form of a legal/regulatory framework
• Mandatory compliance efforts – to ISMS standards like ISO/IEC 27001/BS 7799 etc
• Mandatory compliance verification – of security technical, managerial as well as operational controls including ISMS assessments, penetration testing, vulnerability assessment, application security testing etc
• Mandatory compliance reporting – to CERT-In as a notified entity on a periodic basis

27 Security Assurance Framework - Concept
It has two distinct actions:
• Enabling actions: Directives/Standards/Guidelines/Empanelment & rating/Training & awareness
• Endorsing actions: Assessments, Testing & Certification covering Product, Process & People – includes specific services such as
  – ISMS certification as per ISO 27001/BS 7799 etc
  – Common Criteria security product test/evaluation as per ISO 15408
  – IT Security auditing (Pen. Test/VA etc)
  – IT Security auditor training and skill evaluation

28 Areas of Cooperation
• Coordination in early warning, threat & vulnerability analysis and incident tracking
• Assistance in Cyber space monitoring
• Cyber security drills/exercises to test the vulnerability & preparedness of critical sectors
• Joint R&D projects on cyber security
• Exchange of expertise

29 Thank you

