Crisis Management Plan

Transcription

1 Crisis Management Plan for countering Cyber Attacks and Cyber Terrorism Department of Information Technology Ministry of Communications and Information Technology Government of India

2 Cyber Security Agenda Influencing Factors Cyber Security Agenda

3 In security matters, there is nothing like absolute security We are only trying to build comfort levels, because security costs money and lack of it costs much more Comfort level is a manifestation of efforts as well as a realization of their effectiveness & limitations

4 Cyber threats and concerns International level National level Organisational level Individual level Cyber crime & cyber terrorism Deliberate and anonymous use of ICTs for attacks on critical Infrastructure Unhindered growth of botnets Absence of international mechanism to facilitate information sharing & counter action Risk of attack misperception due to uncertainty of positive attack attribution Cyber crime & terrorism Attacks on Critical Infrastructure Web defacements Website intrusion and malware propagation Malicious Code & spread of botnets Scanning and probing for Cyber espionage Denial of Service & Distributed Denial of Service attacks Supply chain integrity Technical & legal inability for positive attack attribution Website intrusion/ defacement Domain stalking Malicious Code Scanning and probing Denial of Service & Distributed Denial of Service Targeted attacks Phishing Data theft Insider threats Financial frauds Social Engineering hacking & misuse Identity theft & phishing Financial scams Abuse through s Abuse through Social Networking sites Laptop theft

5 Security of Cyber Space - Stakeholders NIB NSCS NCMC MHA MOD DIT DOT NIIPC NDMA NIC STQC CCA CERT-In Sectoral CERTS of key critical sectors TSP/ISPs Incident response teams of critical sector organisations (CSIRTs) General user community

6 Actions for Cyber Security Perspectives for effective security of cyber space Strategic Legal Protection Crisis response and resolution Compliance Education & Awareness Enforcement perspective Collaboration Data Security and Privacy Level Actions Impact Government level Critical Sector level ISP/TSP level Professional level Technical level Individual level International level Security Strategy, ICT policies & laws, CMP, Assurance framework CMP, Security Policy, Drills, TVM Threat monitoring, Rapid response, preventive & quarantine Security skills and competence Honey pots, sensors, intrusion detectors, traffic scanning, etc. Awareness campaign, trainings, security messaging UNGGE, CSCAP, Trusted Computing, ITU Enabler for security, compliance & assurance, adequacy of investment Posture improvement, enhancing capability to detect & resist attacks Prevention of occurrence & reoccurrence of attacks Adequacy of skills & competence for cyber security Actionable security intelligence for proactive & preventive actions Enhanced user awareness, responsible behavior & actions Security ecosystem through a set of cooperative & collaborative actions

7 Crisis Management & Emergency Response - Role of CERT Level Actions Impact CERT- Agency for incident response Incident prevention Alert, advice, MoU, & collaboration Timely alert for preventive & proactive actions Collection, analysis & dissemination of information Forecast and alerts of incidents Incident prediction Response & recovery assistance Honey pots, sensors, filters, etc Helpdesk, incident tracking mechanism Tailored advice for specific actions by critical sector Incident reporting, assistance, knowledge repository Emergency measures for incident handling Coordination of response activities Guidelines, advisories, vulnerability notes, research/white papers & practices Crisis mgmt & emergency response Policy & assurance framework Investigation, analysis & forensic CMP implementation & drill Policy, best practices, audits & assessments Forensic support, pattern analysis, LEA support Improved readiness of critical sectors Improved security posture, assurance over minimal security baseline Investigation support, speedier trial of criminal cases Training & awareness Training of security professionals Better preparedness, adequacy & sufficiency of competence

8 Cyber Security Force multiplier effect Test bed security posture Verification Of critical sectors against latest threats Test bed for cyber security drills & empanelment support Conformity assessment framework ISO ISMS Process /system certification Technical security compliance verification Empanelment of IT Security auditing organizations ISO IT Product security Testing Security manpower training And qualification 4 Training and Skill Development (PPP model) Cyber Forensic LEA Short Term courses Creation of skills? Awareness (PPP Model) 6 Security cooperation with industry(nasscom 3 and other such agencies Skill development & Mass education Security portals & E-forums Security survey & Research Security cooperation & partnership With industry Reporting & analysis Of incidents Awareness How do we reach all? Are we doing right? Enabling Trust through Cyber security Assurance 1 Cyber Laws IT Act compliance and enforcement 2 Security compliance support and research & development 5 CERT-IN : Enabling protection & Resistance to cyber attacks thro Security incident prediction, IT Act 43A compliance Requirement on data security & privacy protection Compliance guidelines & standards 70B, 70, 70A Annual compliance & reporting Core and thrust areas Development of tools ISMS implementation and compliance Assessment tool development & deployment What need to be done? How do we implement ISMS? MoU with vendors & other CERTs Crisis management & emergency response Info sharing & international Co-operation Tech security guidelines, alerts, advices Mitigation Cyber incidents Auditing Security training, security tools portal Are we safe? What if something goes wrong?

9 Crisis Management & Emergency Response Crisis Security Crisis A situation wherein security characters of information are compromised as a result of a failure of an IT system or network of IT systems, due to technical reasons, intentional acts or negligence, leading to consequences that may threaten lives, economy and national security. Cyber security crisis may be triggered by attacks on Individual IT systems Simultaneously on multiple IT systems IT networks in a single or multiple organisations, states or entire nation from within or outside the country

10 Crisis Management & Emergency Response Crisis management & Emergency response is a set of actions aimed at rapid response & remedial measures and recovery & restoration of normalcy in the event of a build-up or emergence of a crisis. These actions include: Containment of crisis Communication to all concerned and Coordination of efforts that can facilitate Adequate & swift response in a timely manner Business continuity to maintain availability of minimum essential services/activities in accordance with international best practices and industry accepted standards Detailed analysis of the crisis event, initiation of appropriate disaster recovery measures and return to normalcy at the earliest Learning from the crisis

11 Crisis Management & Emergency Response Strategic issues in effective Crisis management & emergency response: Implementation of appropriate measures to reduce the likelihood of occurrence or recurrence of incidents and/or reduce the potential effects of those incidents Taking due account of the resilience and mitigation measures Providing continuity for critical services during and following an incident The effectiveness of above actions depends on a range of factors such as: The maximum tolerable period of disruption of a critical activity The costs of implementing a strategy and Consequences of inaction (business impact analysis aided by risk assessment)

12 Crisis Management & Emergency Response Crisis management and emergency response involves actions at two levels: Actions within an organisation the point of action where the crisis has occurred (as part of due diligence and fulfillment of its business objectives, legal and commercial obligations) Actions beyond an organisation the point of coordination between multiple agencies & stakeholders (in view of public safety, economic order and national security) Actions within an organisation are of three types: Putting in place systems and procedures in the form of a crisis management plan in accordance with accepted international best practices Ensuring complete alignment with the National Crisis Management Plan prepared by CERT-In/DIT for countering cyber attacks and cyber terrorism Implementing the crisis management plan, verifying workability through tests & mock drills and demonstrating compliance

13 National Crisis Management Plan - Purpose To ensure that interruption or manipulations of critical functions/services in critical sector organisations are brief, infrequent and manageable and cause least possible damage To enable respective administrative Ministries/Departments to draw-up their own contingency plans in line with Crisis Management Plan for countering cyber attacks and cyber terrorism, equip themselves suitably for implementation, implement, supervise implementation and ensure compliance among all the organisational units (both public & private) within their domain. To assist oranisations to put in place mechanisms to effectively deal with cyber security crisis and be able to pin point responsibilities and accountabilities right down to individual level

14 National Crisis Management Plan - Mandate Ministries/Departments of Central Govt., State Govts. and Union Territories to draw-up their own sectoral Crisis Management Plans in line with the Crisis Management Plan for Countering Cyber attacks and Cyber Terrorism Equip themselves suitably for implementation, implement, supervise implementation and ensure compliance among all the organizational units (both public & private) within their domain Implement the sectoral Crisis Management Plan DIT to conduct mock drills with Ministries/organisations DIT to seek necessary compliance information on implementation of the sectoral Crisis Management Plan from all the organizational units of the Ministries/Departments of Central Government, State Governments and Union Territories on a regular basis and apprise the NCMC of progress

15 Structure of Crisis Management Plan The structure of Crisis Management Plan for countering Cyber Terrorism has five sections dealing with the following: Concept of Crisis Management Plan Nature of cyber crisis Incident prevention measures Crisis recognition mitigation and management Incident closure and information sharing In addition, the document contains guidelines on: Implementing Information Security Management System (ISMS) Incident Response Activities in first hour and first 24 hours Crisis Management and Security of Critical Infrastructure

16 Cyber Attacks - Levels of concern Threat Level Level 1 Guarded Scope: Individual Organisation Condition Large scale attacks on the IT infrastructure of an organisation Level 2 Elevated Scope: Multiple Organisations Simultaneous large scale attacks onto IT infrastructure of multiple organisations Level 3 Heightened Scope: State/Multiple States Level 4 Serious Scope: Entire Nation Cyber attacks on infrastructure of critical sector and Government across a state or multiple states Cyber attacks on infrastructure of critical sector and Government across the nation.

17 How can we work together for effective Crisis Management

18 CERT-In Work Process Detection Analysis Dissemination & Support Department of Information Technology ISP Hot Liners Major ISPs Foreign partners Private Sectors Home Users Analysis Detect Dissemination Press & TV / Radio Recovery

19 Crisis Management & Emergency Response Effective Crisis management & emergency response in an organisation depends on: Proactive security incident preventive actions in the form of implementation of Information Security management System (ISMS) as per ISO standard Proactive monitoring of network assets and traffic for any visible signs of changes from normal situation Being in continuous touch with CERT-In/NTRO/IDS(DIARA) to receive actionable cyber security alerts and advice

20 Crisis Management & Emergency Response Organisations can make effective use of CERT-In supportive initiatives such as: Empanelment of IT security auditors to verify effective implementation of technical, managerial and operational security controls Remote security profiling services to know their security posture and enhance their ability to resist cyber attacks Participating in the Cyber Security drills Proactive and timely security alerts and advices to remain fully updated with regard to possible virus/worm infections, latest security patch status and workarounds for zero-day exploits

21 Cyber Security Drills Expected Actions Secure Monitor Detect Defend Report Mitigate Recover

22 Security Assurance Ladder Security assurance emphasis depends on the kind of environment Low risk : Awareness know your security concerns and follow best practices Medium risk: Awareness & Action Proactive strategies leave you better prepared to handle security threats and incidents High risk: Awareness, Action and Assurance Since security failures could be disastrous and may lead to unaffordable consequences, assurance (basis of trust & confidence) that the security controls work when needed most is essential.

23 Crisis Management & Emergency Response Organisations can help CERT-In in securing the cyber space by: Duly reporting security incidents and sharing all relevant information that can support real-time incident analysis & rapid response Collaborating with CERT-In to keep a watch on cyber space to look for malicious traffic, virus/worm infections and visible signs of build-up or emergence DDoS attacks Regularly participating in CERT-In trainings/workshops on contemporary topics/issues to remain updated on technology and security best practices

24 Sectoral CMP Points for action Identify a member of senior management as a Point of Contact to coordinate security policy compliance efforts across the sector and interact regularly with CERT-In Establish a Sectoral Crisis Management Committee, on the lines of National Crisis Management Committee, with Secretary (in case of Central Ministries/Depts) or Chief Secretary (in case of Sates/UTs) as its Chairman and a 24x7 control room to monitor crisis situations Prepare a list of organisational units that fall under the purview of sectoral CMP and provide them with a list of action points for compliance Direct the organisational units to identify and designate a member of senior management as Chief Information Security Officer (CISO) Prepare a list of CISOs complete with up-to-date contact details Prepare a sectoral CMP on the lines of CMP of CERT-In, outlining roles, responsibilities of sectoral stakeholders, CMP coordination process Direct the organisational units to develop and implement their own CMP on the lines of CMP of CERT-In, including security best practices as per ISO and report compliance on a periodic basis

25 Organisation level CMP Points for action Identify a member of senior management as a Chief Information Security Officer (CISO) to coordinate security policy compliance efforts across the organisation and interact regularly with CERT-In and sectoral Point of Contact Establish a Crisis Management Group, on the lines of Sectoral Crisis Management Committee, with head of organisation as its Chairman Prepare a list of contact persons complete with up-to-date contact details Prepare an Organisational level CMP on the lines of CMP of CERT-In, outlining roles, responsibilities of organisational stakeholders, CMP coordination process Implement the CMP, including security best practices and specific action points as outlined below: Prepare a Security plan and implement Security control measures as per ISO and other guidelines/standards as appropriate Carry out periodic IT security risk assessments and determine acceptable level of risks, consistent with business impact assessment and criticality of business functions

26 Organisation level CMP Points for action Develop and implement a business continuity strategy and contingency plan for IT systems Develop and implement ICT disaster recovery and security incident management processes Periodically test and evaluate the adequacy and effectiveness of technical security control measures, especially after each significant change to the IT applications/systems/networks and it can include: Penetration testing (both announced and unannounced) Vulnerability assessment Application security testing Web security testing Carry out audit of information infrastructure on an annual basis and when there is a major upgradadtion/change in IT infrastructure, by an independent IT security auditing organisation (Ref. to list of CERT-In empanelled IT security auditors on CERT-In web site at Report to CERT-In cyber security incidents as and when they occur and status of cyber security periodically and take part in cyber security mock drills

27

28 Cyber Security - Final Message Failure is not when we fall down, but when we fail to get up

29 We want you Safe Thank you