Incident Report and Level

Crisis incident report format

Uploaded by

Mahendra Suthar
CCMP for countering Cyber Attacks and Cyber Terrorism — DOWR, RD & GR

... report security events or potential events or other security risks to the organisation. Security roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.

Audit and Assurance

- Organisations should undertake a comprehensive security audit of the entire IT infrastructure, networks and applications by independent auditing organisations to discover the gaps with respect to best security practices and take appropriate corrective actions.
- The audit of the system should be undertaken at least once a year, and also as and when any significant addition or alteration in respect of hardware, software, network resources, policies and configurations of systems and sub-systems is effected.

Security Training and Awareness

All employees of the organisation and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organisational policies and procedures, as relevant for their job function. Awareness training should commence with a formal induction process designed to introduce the organisation's security policies and expectations before access to information or services is granted. Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities, e.g.:

- Latest technologies and threats
- Implementation of Security Policy
- Physical Security Procedures
- Access Control Procedures
- Use of Licensed Software Packages
- Malicious code and botnets and their prevention
- Reporting and mitigation of incidents
- Cyber Crisis Management
- Implementation of Information Security Guidelines

The security awareness, education and training activities should be suitable and relevant to the person's role, responsibilities and skills.

5 Cyber Crisis Recognition, Mitigation and Management

5.1 Incident Recognition

Recognition of a cyber crisis depends on clearly identifying the cyber incidents. The crises arising out of cyber attacks are categorised and prioritised from Level 1 to Level 4. Table 5.1 below outlines the threat levels, spread of attack and related conditions that become the basis for declaration of a crisis. The table also outlines the crisis/contingency affecting the systems of an individual organisation, multiple organisations, states and the nation, leading to crises of different levels. The levels of crisis are interrelated: each subsequent level will follow the preceding one, and no level other than Level 1 will come in isolation.

Table 5.1: Levels of concern

Level 1 (Scope: individual organisation)
Perceptible change/variation in system performance and discovery of critical/non-critical vulnerabilities/exploits and attacks that can affect normal operation of network and IT systems of an individual organisation, such as:
- Targeted attacks and espionage activities
- Identity theft (phishing, spoofing, social engineering etc.)
- Web defacements and application level attacks
- Visible signs of malicious programs (viruses/worms/bots/malware/keyloggers/spyware etc.)
- Detection of new and advanced malware infections
- Attempts at exploitation of zero-day vulnerabilities
- Denial of Service (DoS), Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DrDoS) attacks
- Hacking of IT systems such as computer systems, servers (mail, web, database etc.) and routers
- Spam

Level 2 (Scope: multiple organisations)
Perceptible change/variation in network/system performance and abnormal surge in network traffic affecting the IT infrastructure of multiple organisations simultaneously due to:
- Targeted attacks and espionage
- Large scale infection of viruses/worms/bots/malware/keyloggers/spyware for malicious and espionage activities
- Detection of domain specific malware like "Stuxnet" targeting multiple Industrial Control Systems
- Focused attempts at network scanning and penetration
- DDoS attacks and Distributed Reflection Denial of Service (DrDoS)
- Attacks on Domain Name Servers, mail servers, databases, routers etc.
- Large scale web-application attacks like backdooring and defacement
- Attacks on trust infrastructure
- Attack on the IT infrastructure of a Critical Information System
- Infection of computer systems and/or Programmable Logic Controllers (PLCs)
- Abnormal functioning of SCADA/Industrial Control Systems

Level 3 (Scope: a state or multiple states)
Significant breakdown of supplies or services essential to the life of the citizens, including but not limited to financial, Government, transport, energy or communication, due to focused cyber-attacks on the infrastructure of the critical sector and Government across a state or multiple states.

Level 4 (Scope: the nation)
Significant/complete breakdown of supplies or services essential to the life of the citizens, including but not limited to financial, Government, national defense, transport, energy or communication, due to focused cyber-attacks on the infrastructure of the critical sector and Government across the nation.

5.2 Cyber Crisis Management — Roles and Responsibilities

The following paragraphs outline the roles and responsibilities of the various stakeholders of the Department of Water Resources, River Development & Ganga Rejuvenation in dealing with a cyber crisis. The identification of expected roles will enable the affected organisation to expeditiously report the incident to the response teams in the respective sectors. The latter may have to work together with other Incident Response Teams to mitigate the incident.

5.2.1 Crisis Management Group

The composition of the Crisis Management Group of the Department of Water Resources, River Development & Ganga Rejuvenation is indicated below. The Department will set up the Crisis Management Group as follows:

S.No. | Officer                 | Committee       | Email             | Phone No.
1.    | Secretary               | Chairman        | secy-mowr@nic.in  | 011-23716979
2.    | Joint Secretary (Admn)  | Member          | [email protected] | 011-23710343
3.    | Director/DS (eGov)      | Member          | [email protected] | 011-23708150
4.    | Officer-in-Charge (NIC) | Member          | [email protected] | 011-23710312
5.    | US (eGov)               | Member Convener | [email protected] | 011-23766944

The Service Desk provides support in network management tasks. An email at [email protected] and the toll free number 1800111555 are provided to users for taking up assistance on network support.

In the case of organisations under DOWR, RD & GR, each one will set up its own Crisis Management Group as follows:
(a) Head of the organisation - Chairman
(b) ________ - Member
(c) ________ - Member Convener

The Crisis Management Group will be mainly responsible for dealing with the crisis situation in consultation with CERT-In and the nodal ministry/department/organisation.

5.2.2 Indian Computer Emergency Response Team (CERT-In)

CERT-In monitors Indian cyberspace and coordinates alerts and warnings of imminent attacks and the detection of malicious attacks among public and private cyber users and organisations in the country. It maintains a 24x7 operations centre and has working relations/collaborations and contacts with CERTs all over the world, and with sectoral CERTs, public and private organisations, academia, Internet Service Providers and vendors of Information Technology products in the country. It would work with Central Ministries and monitor cyber incidents on a continuing basis throughout the extent of an incident, and would analyse and disseminate information and guidelines. The primary constituency of CERT-In would be all organisations other than Defence, Space, Atomic Energy, Law Enforcement and security agencies and their critical infrastructure.

5.2.3 Role of National Informatics Centre

The National Informatics Centre (NIC) will provide expert advice/guidelines in taking up the challenges of countering cyber security threats, providing Standard Operating Procedures (SOPs) from time to time to update Internet users on updates to their Operating Systems and informing each Internet user of the threats it is facing. A website, http://security.nic.in/, is already providing the latest patches and SOPs available for Operating Systems and applications. Also, it is mandatory to security audit each application and get a Security Audit Certificate from the NIC Cyber Security Division (CSD), which is valid for two years. Vulnerability assessments (VAs) are compulsorily conducted on the VMs where applications and databases are hosted. Applications are hosted on the National Cloud only after getting a certificate from NIC-CSD. The Command Control Centre (CCC) and Network team also monitor the applications & network operations for each Ministry/Department.

5.2.4 Role of Internet Service Provider

Support in services for the smooth functioning of websites, email, VPN, IMAP etc. is a very critical task; SOPs and standard procedures are already in place at NIC. An eForms portal has been launched for users to avail accounts for email, VPN service, Wi-Fi service, IMAP service etc.

5.2.5 Control Room of the Ministry/State/UT

The respective Nodal Central Ministry / State Govt. / UT will set up a Control Room which would be activated immediately after a crisis situation is reported. A senior officer from the existing hierarchy of the respective Nodal Central Ministry/State Govt./UT should be designated as in-charge of the Control Room, and would draw up a plan for its manning during crisis situations on a 24-hour basis. Hot line facilities, wherever necessary, may be set up in consultation with the Department of Telecommunications. There would be a well laid out drill for the Control Room, and the personnel expected to man it should be adequately trained in Control Room duties. Names, telephone numbers, cellular mobile phone numbers and addresses of Members and Alternate Members of the Nodal Central Ministry/State Govt./UT and various stakeholders will be kept in the Control Room.

5.2.6 Reporting of Cyber Crisis

As and when a cyber crisis situation develops, the respective organisations will immediately convey it to the respective Nodal Central Ministry/State Govt./UT through the quickest possible means. Further, all organisations will take all necessary actions as given in Appendix III of this document and also report the incident to CERT-In in the manner and format prescribed in Appendix XIII of this document.

5.2.7 Response System

Immediately on the occurrence of a cyber-crisis, the Contingency Plan would be put into effect by the respective organisations. The response action will be initiated in consultation with CERT-In if the situation has wider ramifications and warrants response at the state/national level.

5.2.8 Contact Information

Names, telephone numbers, cellular mobile phone numbers and addresses of Members and Alternate Members of the various stakeholders are given in Annexure I.

5.3 Media Management

The media form a vital link between those responding to a crisis situation and the outside world. Besides this, the media can also help in educating all concerned about crisis prevention and preparedness. It is recognised that unbiased and comprehensive media coverage can effectively aid the crisis response & resolution process and also enhance public confidence in the ability of organisations to respond to a crisis. Accordingly, media management is a crucial issue in terms of pre-incident as well as post-incident information flow. In order to make the best possible use of this vital link, it is necessary that the media are given clear information and regular updates to enable them to perceive the right picture and proportion of the crisis. In this context, it is also necessary for the organisations responding to cyber security incidents to identify a responsible person of suitable level who has access to correct & updated information and is adequately trained for proper & consistent communication, and to avoid contradiction at all times.

6 Post Incident Activity

After successful mitigation and recovery from an incident, the following need to be undertaken (before closing the incident) for future reference/precaution:
- Perform a postmortem analysis of the incident as well as of the incident response adopted at the organisation and CERT-In level.
- Evaluate and perform an assessment of the attack from the technical point of view in order to fine-tune and optimise the eradication mechanism.
- Document lessons learnt from the incident and prepare an incident report, including infrastructure protection improvements from the postmortem process.
- Share the incident report with CERT-In for future precaution and mitigation of similar attacks.
- All critical organisations to implement infrastructure protection improvements resulting from postmortem reviews or other protection improvement mechanisms.

Appendix-1 Planning, Preparation & Best Practices for Incident

Proper and advance planning ensures the response activities and facilitates the organisation and its functional department concerned in making appropriate and effective decisions in tackling a cyber security incident, and in turn minimises the possible damage caused. The plan includes strengthening of cyber security protection, making an appropriate response to the incident, recovery of the system and other follow-up activities. The major activities involved in planning and preparation are as follows:

Sr.No. | Item                                 | Details
1      | Cyber Security Incident Handling Plan | Plan for security incident handling; this document takes care of this requirement.
2      | Reporting Procedure                   | Design and prepare the reporting mechanism(s). Publish the reporting mechanism(s) to all staff.
3      | Escalation Procedure                  | Gather contact information for all personnel to be contacted/involved, both internal and external.
4      | Security Incident Response Procedure  | Prepare the security incident response procedure; this document takes care of this requirement. Publish the security incident response procedure to all personnel involved.
5      | Training and Education                | Provide training to operation and support staff on knowledge in handling security incidents. Ensure staff are familiar with the incident response process.
6      | Incident Monitoring Measure           | Monitor and measure various parameters related to incidents and ensure that these are reviewed as part of regular functional group meetings.

The following flowchart depicts the broad incident management process and related actions:

[Flowchart: broad incident management process and related actions; figure not reproduced in this extract]

a. General computer usage — Best practices

- Use an account with limited privileges on systems and avoid working with administrator privileges for day-to-day usage.
- Keep the Operating System, application software and anti-virus software updated by applying the latest service packs and patches.
- Back up important files at regular intervals.
- Do not leave the system unattended. Log out of or lock your computer when stepping away, even for a moment.
- Supervise maintenance or rectification of faults in the system by service engineers.
- Do not download unfamiliar software off the Internet.
- Remove unnecessary programs or services from the computer. Uninstall any software and services you do not need.
- Restrict remote access. If file sharing is not required in your day-to-day work, disable file and print sharing.
- Treat sensitive data very carefully.
- Remove data securely: remove files or data you no longer need to prevent unauthorised access to them. Merely deleting sensitive material is not sufficient, as it does not actually remove the data from your system.
- If your networking devices are not using IPv6, disable IPv6 on the computer.
- Always maintain a redundant power supply.
- Use the system's screen locking functionality to protect against physical access, such as a screen saver that won't deactivate without a password, or just log out of everything so that anyone who wants access has to log in again.
- Enable the chassis intrusion option in the BIOS settings to be aware of unauthorised users.
- The systems should be placed in a room which is dust free and has good ventilation to avoid overheating of the CPU.
- Do not plug the computer directly into the wall outlet, as power surges may damage the computer. Instead use a genuine surge protector to plug in the computer.
- Don't eat food or drink near the PC.
- There should be no magnets near your PC.
- Scan all files after you download them, whether from websites or from links received in e-mails.
- Download anything only from trustworthy websites. Do not click links to download anything you see on unauthorised sites. Don't click the link or file and let it start downloading automatically; download the file, save it where you want, and then run it in the application.
- Never download from links that offer free antivirus or anti-spyware software; always download from trusted sites. If you are not sure about the site you are downloading from, enter the site into your favourite search engine to see whether anyone has posted or reported that it contains unwanted technologies.

b. General Internet browsing — Best practices

- Always use an updated anti-virus, Operating System, applications and browser.
- Use a web browser with sandboxing capability (like Google Chrome, Safari, etc.). Sandboxing usually contains malware during execution.
- Download software from trusted sources only.
- Be wary of storing personal information on the Internet. Do not store any information you want to protect on any device that connects to the Internet.
- Verify those you correspond with. It is easy for people to fake identities over the Internet.
- Make a habit of clearing the history from the browser after each logout session.
- Delete the Windows "Temp" and "Temporary Internet Files" folders regularly.
- Avoid all cloud services (Dropbox, iCloud, Evernote, etc.) that are based outside India.
- Avoid using services that require location information.
- Remember that search engines track your search history and build profiles on you to serve you personalised results based on your search history.
- Be conscious of what you are clicking on/downloading. Some pop-ups have what appears to be a close button, but will actually try to install spyware when you click on it.
- Remember that things on the Internet are rarely free. "Free" screensavers, etc. generally contain malware.
- Be wary of free downloadable software. There are many sites that offer customised toolbars or other features that appeal to users, which are likely to have backdoors.
- Don't follow email links claiming to offer anti-spyware software. Like email viruses, the links may serve the opposite purpose and actually install the spyware they claim to be eliminating.
- Frequently check unusual folder locations for document (.doc, .docx, .xls, .xlsx and .def) file extensions (in search options, select advanced search options and make sure you have checked "Search system folders", "Search hidden files and folders" and "Search subfolders").
- Avoid Internet access through public Wi-Fi.
- Never exchange home and office work related contents.
- Avoid posting photos with GPS coordinates.
- Don't respond to email, instant messages (IM), texts, phone calls, etc. asking you for your password.
- Only click on links from trusted sources. Never click on a mystery link unless you have a way to independently verify that it is safe. This includes tiny URLs.
- Be extremely careful with file sharing software. File sharing opens your computer to the risk of malicious files and attackers. Also, if you share copyrighted files, you risk serious legal consequences.

c. Malware defense — Best practices

- Always set automatic updates for the Operating System, anti-virus and applications (My Computer -> Properties -> Automatic Updates -> select Automatic and a time).
- Enable hidden file & system file view to find any unusual or hidden files (My Computer -> Tools -> Folder Options -> View -> select "Show hidden files and folders" and disable "Hide protected operating system files").
- Turn off AutoPlay (Windows Vista/7: Start -> Run -> type gpedit.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> select "AutoPlay Policies" -> double click "Turn off AutoPlay" -> select Enabled -> set "Turn off AutoPlay on:" to "All drives" and click OK).
- Type dir %temp% in "Run" and delete all entries after opening any suspicious attachments.
- Type cmd in "Run" and then type netstat -na. Check for foreign Established connections and IP addresses. Check the IP address for its ownership.
- Type "msconfig" in "Run" and check for any unusual executable running automatically.
- Check the network icon (for packets received and sent)/ADSL lights for data in non-browsing mode. Check the data usage pattern on mobile. If the outgoing traffic is unusually high, then it is very likely that the system is compromised.
- Type "ipconfig /displaydns" in the command prompt and look out for any URLs which you have not accessed recently.
- Always be cautious while opening attachments, even from known sources. Try to use non-native applications for opening attachments; for example, for a Word document, use WordPad to open the attachment.
- When in doubt, it is better to format the Internet connected computer rather than doing some "patch work".

d. USB storage device (Pen Drive/External Hard Disk etc.)

- Damaged/faulty removable storage media should never be handed over to outsiders/the manufacturer for repair.
- Sensitive information should be stored on removable media only when required in the course of assigned duties.
- All media must be stored in a safe, secure environment.
- All media must be handled with care, and it must be ensured that they are not kept near magnetic material and not exposed to extreme heat or pollution.
- The computers should be enabled with the "Show hidden files and folders" option, and "Hide protected operating system files" should be disabled, to view hidden malicious files on USB storage devices.
- Make sure there are no hidden files and folders present on the media.
- The Autorun/AutoPlay feature should be disabled on all the computers.
- Avoid baiting (someone gives you a USB drive or other electronic media that is preloaded with malware in the hope you will use the device and enable them to hack your computer). Do not use any electronic storage device unless you know its origin is legitimate and safe.
- Scan all electronic media for malware before use.

e. Smart device — Best practices

A smart device is a device having any of the features like computation power, Internet access, storage capability, camera, recording, GPS, etc. Smart phones, tablets, etc. fall under this category. Most smart phones and tablets (Tabs) have computing power equal to that of a normal desktop/laptop system. These gadgets are capable of delivering many services on video, voice, GPS and other computational apps like any other computer. Therefore, all cyber security issues related to computers are also applicable to these devices. Following are some of the security concerns of smart devices:
- These are equally vulnerable to malware attacks and data leakages as ordinary Internet connected computers.
- More applications, features and services are available on smart devices for exploits than on ordinary feature phones.
- These gadgets are known to be used for bugging (audio and video), monitoring call details and contents, SMS monitoring, sending malicious SMS and emails, spoofing and other malicious activities without the knowledge of the user.
- Android and iOS platform based smart phones and tabs are known to have multiple vulnerabilities, which are being widely exploited by attackers and adversaries.
- Smart devices must not be used for sensitive telephonic conversation. Wi-Fi and Bluetooth should be kept turned off.
- A low-end basic mobile phone without camera/Internet/Wi-Fi may be carried for sensitive voice conversation and contact details.
- The Internet connection on the smart device will normally be kept off and turned on only on a need basis to access the Internet.
- No free apps should be loaded on the smart device.
- During repairs, do not leave the smart device unattended, to deny the possibility of installation of malware.
- Relevant anti-virus software should be installed on the smart device.
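The manual checks under "c. Malware defense" (netstat foreign Established connections, ipconfig /displaydns, msconfig autostarts, and the AutoPlay and hidden-file settings) can be run together as one read-only triage script. The PowerShell below is an added example, not part of the CCMP document or any NIC tool; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-DnsClientCache) and an elevated session.

```powershell
# Added example: read-only triage of the CCMP "Malware defense" checklist on a Windows host.
# Nothing here modifies the system; it only reports what the manual steps would show.

function Test-LocalAddress {
    param([string]$Address)
    # RFC 1918 ranges, loopback, link-local and unspecified addresses count as local;
    # anything else is a "foreign" endpoint worth checking for ownership.
    return $Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0$|::1$|fe80:)'
}

function Get-ForeignEstablishedConnections {
    # Equivalent of "netstat -na" filtered to Established sessions with non-local peers,
    # plus the owning process so an unexpected connection can be tied to a binary.
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-LocalAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path
            }
        }
}

function Get-RecentDnsLookups {
    # Equivalent of "ipconfig /displaydns": names resolved since the cache was last flushed.
    Get-DnsClientCache | Select-Object -ExpandProperty Entry -Unique | Sort-Object
}

function Get-AutostartEntries {
    # Equivalent of the msconfig "Startup" review: Run/RunOnce keys for machine and current user.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            # PS* properties are provider metadata, not autostart values
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
        }
    }
}

function Test-HardeningSettings {
    # "Turn off AutoPlay" on "All drives" via gpedit writes NoDriveTypeAutoRun = 0xFF (255).
    # Explorer\Advanced: Hidden = 1 shows hidden files, ShowSuperHidden = 1 shows protected OS files.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $adv    = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoRunDisabledAllDrives = ($policy.NoDriveTypeAutoRun -eq 255)
        ShowHiddenFiles          = ($adv.Hidden -eq 1)
        ShowProtectedOSFiles     = ($adv.ShowSuperHidden -eq 1)
    }
}

'== Established connections to non-local addresses (check ownership of each IP) =='
Get-ForeignEstablishedConnections | Format-Table -AutoSize
'== Cached DNS names (review for names you did not visit recently) =='
Get-RecentDnsLookups
'== Autostart entries (look for unusual executables) =='
Get-AutostartEntries | Format-Table -AutoSize
'== Hardening settings from the checklist (all three should be True) =='
Test-HardeningSettings
```

Any False in the last table points to the exact checklist step (AutoPlay policy or Folder Options view settings) that still needs to be applied on that host.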