Wednesday, August 5, 2015

Information Security Issues in India

This paper was prepared as a part of the course work for the Information Security Management course taught by Prof. Ashok Pattar at SICSR

The three core properties of information security are confidentiality, integrity and availability (the CIA triad). A breach of any one of them can be devastating for an information system.

Two illustrative scenarios. First, person XYZ uses the identity of a dead person to obtain an Aadhaar number, links a RuPay card to that Aadhaar account and becomes eligible for the government's direct cash transfer schemes meant for people below the poverty line. Such ghost identities can siphon off lakhs of rupees without the government noticing, because the payment system trusts whatever identity record it is given. Second, an individual PQR receives a call from someone claiming to represent his or her bank, is asked for credit card details, and willingly divulges them over the phone. The caller has also harvested PQR's date of birth and address from social network profiles such as Facebook, which makes the pretext convincing. This is vishing (voice phishing), a social engineering attack that bypasses technical controls entirely.

There have been real-world cases such as WikiLeaks, which in 2010 published a large cache of classified US military and diplomatic documents passed to it by an insider, US Army intelligence analyst Chelsea (then Bradley) Manning; Julian Assange founded and ran WikiLeaks but was never in the US Army. In India, Petroleum Ministry documents, including results of oil and gas surveys, were leaked by ministry staff to corporate intermediaries in the espionage case that surfaced in 2015 under the present Modi government. The Stuxnet worm, widely attributed to the US and Israel though never officially acknowledged, sabotaged the centrifuges enriching uranium at Iran's Natanz facility. Sony Pictures Entertainment was breached in 2014 in an attack attributed to North Korea and linked to the studio's comedy The Interview about Kim Jong-un; unreleased films, internal e-mails and employee data were dumped online. The 2014 breach of JPMorgan Chase exposed contact details of about 76 million households, although the bank said no card numbers or credentials were taken. The US retailer Target lost about 40 million payment card records in 2013 after attackers entered through the stolen credentials of an HVAC contractor and planted malware on point-of-sale terminals; this had nothing to do with Heartbleed, an unrelated OpenSSL flaw disclosed in 2014 by researchers at Google and Codenomicon. These cases show both how vulnerable existing systems are and how severe the impact can be when the security of an information system is breached.

The goal of this paper is to study the information security landscape in India. For this purpose the information security aspects of Indian information systems are analysed at three levels: government, corporate and individual, and in terms of the three properties of confidentiality, integrity and availability. Risks are identified and possible mitigation measures suggested.

Confidentiality requires that only authorised individuals have access to the information. The most common authorisation mechanism is still the password, whether for a user account, a computer or an encrypted hard drive holding sensitive data. Passwords must be strong: not the user's name, birth date or address, nor a combination of these, and long enough that guessing is impractical. Passwords are susceptible to brute-force and dictionary attacks, and a short or predictable one will be cracked by a modern GPU rig in minutes. Forcing daily or frequent rotation does little against this and tends to produce weaker, patterned passwords; the practical defences are length, screening against lists of breached passwords, rate-limiting and lockout on the login endpoint, and a second factor. Systems that store passwords must never keep them in plaintext but store a salted, deliberately slow hash (PBKDF2, bcrypt, scrypt or Argon2). Hashing does not prevent the password database from being stolen; it means the thief must still guess each password individually, and the slow hash and per-user salt make that guessing expensive.

Confidentiality of stored data and of communications requires encryption, but the building blocks should not be confused. Symmetric ciphers such as AES encrypt the bulk data; public-key algorithms such as RSA or elliptic-curve Diffie-Hellman (ECDH) are used to agree or wrap the symmetric key; and hash functions such as SHA-256 provide no confidentiality at all, they provide integrity, typically inside an HMAC or a digital signature. RSA rests on integer factorisation and is unrelated to elliptic-curve cryptography. If data is encrypted end to end with a sound protocol such as TLS, an eavesdropper on the link learns only metadata; the link itself can nonetheless be hardened. Secret frequency allocations and frequency-hopped spread-spectrum radio resist jamming and casual interception, but against a determined adversary they are security through obscurity, and fibre can be tapped, so encryption remains the primary control. The defence forces use radio bands not allocated to civilians. The DRDO network is not connected to the commercial internet at any of its nodes. Such an air gap removes the remote attack surface but does not make the network immune to hackers: Stuxnet reached Iran's isolated enrichment network on removable media carried in by people, and removable media, contractors and insiders cross air gaps routinely. [This article from ExtremeTech highlights the cyber war going on between the American and Chinese hackers: ]

Availability requires that information is accessible to authorised people when they need it, and in a usable form. Strong authentication such as biometrics (fingerprints, iris scans) is attractive because a biometric cannot be forgotten or easily shared, but it can be copied: fingerprints are lifted from surfaces and spoofed, and unlike a password a biometric cannot be changed once it leaks. Biometrics are therefore unsuitable as an encryption key directly; a scan is also noisy and never yields exactly the same bits twice. The workable design is to use the biometric to unlock a key held in a secure element or TPM, and to let that key decrypt the data. Availability also means resilience: redundant servers and links, capacity against denial-of-service attacks, and tested backups. Company networks connected to the internet should sit behind a firewall that denies inbound connections by default and permits only the services that must be reachable, and intrusion detection should be set up so that unauthorised access attempts, from outside or inside, are noticed and investigated promptly rather than discovered after the fact.
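As an added example of the kind of detection logic an intrusion detection setup runs (not code from the original paper), a small Python rule over sshd authentication log lines: it counts failed logins per source address in a sliding window and raises a higher-severity alert when a success follows a burst of failures from the same address. The log excerpt is constructed for the illustration, and the threshold, window and host names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog format (not a real capture). One host is
# hammered from 203.0.113.7 and then a login succeeds from the same address.
SAMPLE_LOG = """\
Aug  5 09:01:10 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Aug  5 09:01:12 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Aug  5 09:01:15 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 50211 ssh2
Aug  5 09:01:18 srv1 sshd[2105]: Failed password for root from 203.0.113.7 port 50212 ssh2
Aug  5 09:01:21 srv1 sshd[2107]: Failed password for rahul from 203.0.113.7 port 50213 ssh2
Aug  5 09:01:25 srv1 sshd[2109]: Accepted password for rahul from 203.0.113.7 port 50214 ssh2
Aug  5 09:30:02 srv1 sshd[2200]: Failed password for priya from 198.51.100.23 port 40001 ssh2
Aug  5 09:30:40 srv1 sshd[2202]: Accepted publickey for priya from 198.51.100.23 port 40002 ssh2
Aug  5 11:00:00 srv1 sshd[2300]: Failed password for root from 192.0.2.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2015):
    """Return a dict for an sshd auth line we care about, or None for anything
    else. Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window rule: `threshold` failures from one IP inside `window`
    raises a bruteforce alert; a later success from that IP while those
    failures are still inside the window is the higher-severity alert,
    because it means the guessing probably worked."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    alerts = []
    for e in events:
        ip = e["ip"]
        failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            failures[ip].append(e["ts"])
            if len(failures[ip]) == threshold:  # fire once per burst, not on every extra failure
                alerts.append({"type": "bruteforce", "ip": ip, "at": e["ts"], "failures": threshold})
        elif len(failures[ip]) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 198.51.100.23 followed by a key-based login is the normal case and produces nothing; the rule is tuned to the burst, not to individual failures, which is what keeps the alert volume reviewable.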

Integrity requires that data is not altered, lost or corrupted, whether by accident or by an attacker, and that any change can be detected. RAID levels 3, 4 and 5 keep a parity block across the disks so that the array survives the loss of one disk, and robust recovery algorithms such as ARIES (write-ahead logging) bring a database back to a consistent state after a crash. These protect availability more than integrity: RAID faithfully replicates an accidental deletion, a ransomware encryption or a corrupted write, and parity alone cannot say which disk holds a silently flipped bit. Detecting corruption needs checksums or digital signatures over the data, and surviving deletion or ransomware needs backups that are kept separate from the live system and restored periodically as a test.
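As an added example (not code from the original paper) of why parity and checksums are complementary, the following Python builds a single-parity stripe as RAID 3/4/5 do, rebuilds a lost block from the survivors, and then shows that after a silent one-bit corruption the parity check only reports "something is wrong" while a per-block SHA-256 manifest pinpoints the bad block so parity can repair it. The three 9-byte data blocks are a constructed toy record.

```python
import hashlib
from functools import reduce

# Constructed sample: one stripe of three 9-byte data blocks, standing in for
# the chunks of a file spread across three disks.
BLOCKS = [b"survey-A:", b"depth=3.2", b"km;gas=Y "]


def xor_bytes(blocks):
    """Column-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def add_parity(data_blocks):
    """RAID 3/4/5-style stripe: the data blocks plus one parity block that is
    the XOR of all of them. Any single block can be rebuilt from the rest."""
    if len({len(b) for b in data_blocks}) != 1:
        raise ValueError("all blocks in a stripe must have the same length")
    return list(data_blocks) + [xor_bytes(data_blocks)]


def rebuild_block(stripe, missing):
    """Reconstruct one lost block (data or parity) from the surviving blocks."""
    return xor_bytes([b for i, b in enumerate(stripe) if i != missing])


def parity_consistent(stripe):
    """True if data XOR parity is all zeros. A single flipped bit anywhere
    breaks this, but parity alone cannot say which block is wrong."""
    return not any(xor_bytes(stripe))


def manifest(data_blocks):
    """Per-block SHA-256 checksums, recorded while the data is known to be good."""
    return [hashlib.sha256(b).hexdigest() for b in data_blocks]


def corrupted_blocks(data_blocks, expected):
    """Indices of blocks whose current checksum no longer matches the manifest."""
    return [i for i, (b, h) in enumerate(zip(data_blocks, expected))
            if hashlib.sha256(b).hexdigest() != h]


def repair(stripe, expected):
    """Integrity plus availability: the checksum locates the bad data block and
    parity rebuilds it. Two bad blocks exceed what single parity can recover."""
    bad = corrupted_blocks(stripe[:-1], expected)
    if len(bad) != 1:
        raise ValueError(f"cannot repair: {len(bad)} corrupted block(s), single parity covers one")
    fixed = list(stripe)
    fixed[bad[0]] = rebuild_block(stripe, bad[0])
    return fixed


def flip_bit(block, byte_index, bit):
    """Simulate silent corruption of one bit in a block."""
    return block[:byte_index] + bytes([block[byte_index] ^ (1 << bit)]) + block[byte_index + 1:]


if __name__ == "__main__":
    stripe = add_parity(BLOCKS)
    good = manifest(BLOCKS)
    damaged = list(stripe)
    damaged[1] = flip_bit(damaged[1], 0, 0)
    print("parity consistent after corruption:", parity_consistent(damaged))  # False
    print("checksum points at block:", corrupted_blocks(damaged[:-1], good))  # [1]
    print("repaired:", repair(damaged, good)[:-1] == BLOCKS)                   # True
```

Note what the checksum cannot do on its own: it detects the corrupted block but holds no redundant data to restore it, which is exactly what parity supplies. Neither helps if the manifest was taken after the corruption, which is why checksums belong in the write path (as ZFS and Btrfs do) rather than being computed later.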

The techniques discussed so far are implementation-level steps. From a governance standpoint, a framework such as ISO/IEC 27001:2013 should be followed so that systems and processes for managing information security are in place. It provides a framework for managing information security risk that takes legal and regulatory requirements into account; it requires the organisation to identify risks to its information and to put controls in place to manage or reduce them; it requires procedures for the prompt detection of, and response to, security breaches; and it is built around continual improvement, so the effectiveness of the information security management system (ISMS) must be reviewed regularly and new and emerging risks addressed.

From a legal standpoint, the Information Technology Act 2000, substantially amended in 2008, is the landmark legislation that brought India's rules and policy framework for IT businesses in line with other countries. Section 66A, inserted by the 2008 amendment, did not grant freedom of expression; it criminalised sending "grossly offensive" or "menacing" messages online, and the Supreme Court struck it down as unconstitutional in Shreya Singhal v. Union of India in March 2015 for exactly that reason. The IT Act gave legal recognition to digital signatures (extended to electronic signatures in 2008), which allow online verification of documents such as patent filings, and government contracts can now be signed digitally. Extensive e-Governance systems have been set up over the last five or six years, and the Right to Information Act 2005 gives citizens the right to request government records, although it does not place all government documents online.

The government runs several citizen databases, notably Aadhaar, PAN and ration cards (RuPay is the NPCI's domestic card payment network rather than a government database), and conducts a census once every ten years. There is scope for linking these so that a citizen's records can be managed from a single point, which would improve efficiency. Security does not follow automatically from consolidation, and it can get worse: a single central store of everything about every citizen is a single point of failure and the most valuable target in the country, so it needs strict segmentation, least-privilege access, complete audit logging and independent oversight. Private contractors entrusted with collecting Aadhaar enrolment data should be required to hand over everything they collect to the government within a stipulated time and to retain none of it. A central database of biometrics such as fingerprints and iris scans would help identify suspects in criminal investigations, and biometric identification could replace card-based identification such as Aadhaar, RuPay and passports for many purposes. This would cut duplicate enrolments and impersonation sharply, but not to zero: fingerprints can be lifted and spoofed, matching has a false-accept rate, and a biometric cannot be reissued if the template database leaks, so templates must be protected in storage and biometrics combined with a second factor for high-value transactions.

Power transmission utilities are also being connected to the internet and are becoming increasingly exposed to attack, including by terrorist groups. Connecting transmission systems to a network allows remote monitoring and rapid load balancing through supervisory control and data acquisition (SCADA) systems. With the growing share of solar and wind power, whose output varies with sunlight and wind speed, load balancing on the grid has become more important, so these control networks must be segmented from corporate and public networks and remote access to them tightly controlled.

The US Department of Defense uses its own satellite links to control the drones that attack Al Qaeda and Taliban targets in Afghanistan, a closed network much like the DRDO's, which is not connected to the internet at any node. In a doomsday scenario such a military drone network could be hacked by a terrorist group and the drones turned on the government itself. Isolation alone does not avert such risks; the people inside the network must also be trustworthy, and they are both the strongest asset and the weakest link of any such secret network. Thorough vetting and multiple levels of authorisation should be built into systems critical to national security. A risk-aware culture should be built in which all stakeholders know the risks and the steps to mitigate them in an emergency. Information security awareness is needed at all levels of governance, since an incident can affect anyone in the country and the weakest link in the human chain remains its biggest vulnerability.

To conclude, effective security measures are needed at government, corporate and individual levels to ensure that the confidentiality, integrity and availability of information are maintained. Information Security Management Systems and governance frameworks need to be setup to ensure humans do not become a vulnerability in the information systems. Information Technology holds a great promise and thus becomes a prime target for terrorists and other hackers. We need to be vigilant of these risks and make sure information systems run in a secure manner.
