A PRESENTATION BY
R. M. JOHRI
PRINCIPAL DIRECTOR
(INFORMATION SYSTEMS)
OFFICE OF CAG OF INDIA
Quotable Quotes
The only system which is truly secure is one which is switched off
and unplugged, locked in a titanium safe, buried in a concrete
bunker, and is surrounded by nerve gas and very highly paid
armed guards. Even then, I wouldn’t stake my life on it.
(By Professor Gene Spafford)
“In security matters,
there is nothing like absolute security”
“We are only trying to build comfort levels, because security costs
money and lack of it costs much more”
“Comfort level is a manifestation of efforts as well as a realization of
their effectiveness & limitations”
Cyber world – Current Scenario
[Figure: sophistication of hacker tools versus technical knowledge required, plotted over time (1980, 1990, 2006). Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers.]
Security trends and challenges beyond 2008 (01 Dec 2007)
Global Cyber security Trends – The next wave
The Internet has become a weapon for political, military and economic espionage.
The software used to carry out these attacks indicates that it was clearly designed & tested with much
greater resources than individual hackers usually have.
Most Govt. agencies and companies around the world use common computing technologies & systems that
are frequently penetrated by criminal hackers and malware.
Traditional protective measures are not enough to protect against attacks such as those on Estonia, as the
complexity and coordination in using the botnets were totally new. National networks with less
sophisticated monitoring and defense capabilities could face serious problems for national security.
There are signs that intelligence agencies around the world are constantly
probing others’ networks and developing new ways to gather intelligence.
Threats to Online services
There is a new level of complexity in malware not seen before. These threats are more resilient, are
modified over and over again and contain highly sophisticated functionality such as encryption
(e.g. Nuwar, also known as ‘Zhelatin’ and the ‘Storm’ worm, with a new variant appearing almost
daily).
As a trend we will see an increase in threats that hijack PCs with bots. Another challenging trend is
the arrival of self-modifying threats.
Given the exponential growth in social networking sites, social engineering may
shortly become the easiest & quickest way to commit ID theft.
Hi-Tech crime: A thriving economy
The market is growing for zero-day threats & tools for cyber crime.
With so many PCs now infected (around 5% of all global machines are zombies), competition to supply
botnets has become intense. The cost of renting a platform for spamming is now around $ 3 - 7 Cents per
zombie per week.
A budget of as little as $ 25 to $ 1500 USD can buy you a trojan that is built to steal credit card data and mail
it to you. Malware is being custom written to target specific companies and agencies.
Computer skills are no longer necessary to execute cyber crime. On the flip side, malware writers today
need not commit crimes themselves. People can subscribe to tools that keep them updated with the
latest vulnerabilities and even test themselves against security solutions (e.g. MPACK or Pinch include a
support service).
The black market for stolen data (e.g. credit cards, e-mails, Skype accounts etc.) is now well established
and the cost of obtaining credit cards is upwards of $ 5 USD.
Another black market that is causing alarm to governments is that of zero-day exploits. In Jan 2006 a Microsoft
WMF (Windows Metafile) exploit was sold for $ 4000 USD.
Competition is so intense among cyber criminals that ‘customer service’ has now become a specific selling point.
Future Trends
The main reasons why India is a main target of cyber crime are:
Rapidly growing online user base (121 million internet users, 65
million active internet users, up 28% from 51 million in 2010).
Other issues:
Back Up and Recovery – There should be a policy in existence
to ensure that regular back-ups of the critical data are taken and
kept on-site and off-site to ensure their availability whenever
required.
Outsourcing – Risks related to integrity, availability and
confidentiality of data need to be addressed.
Change Management controls – Only authorised and
approved changes are made and proper documentation exists for
each area of the system to support future modifications.
System Security Issues
Data Migration Issues
Survival
Charles Darwin
Q & A
Thank You