Chapter 4 - Computer Insecurity

Prevention of cyber crime and fraud management

Uploaded by

tahirmohd1602
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
63 views21 pages

Chapter 4 - Computer Insecurity

Prevention of cyber crime and fraud management

Uploaded by

tahirmohd1602
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
You are on page 1/ 21
CHAPTER 4 COMPUTER INSECURITY

Objective
Meaning and Definition of Information Security
Pillars of Information Security
Software and Hardware Security
Network Security
Internet Crimes
Causes for Internet Crimes
User Failures
Bank Failures and Initiatives
Summary
Questions
Answers
Key Terms

4.1 OBJECTIVE

In this chapter, we will take an insight into the meaning and definition of information security, the ingredients of information security, the pillars and attributes of data security, and the different layers of security like hardware, software and network. We will also briefly study the various network and Internet based frauds, the causes for such crimes and Internet offences, specially focusing on the causes for cyber crime in banks.

4.2 MEANING AND DEFINITION OF INFORMATION SECURITY

Before we go into the concept of computer security (and later insecurity), let us first try to understand the meaning of the related words like ‘data’, ‘information’, ‘security’ etc. In common parlance, the words ‘data’ and ‘information’ are used interchangeably, though security professionals often consider information as ‘processed data’; in that sense, data is what the computer stores internally in bits and bytes, or in zeros and ones. We input data, the computer processes the data internally and presents it as information for MIS and other purposes. In view of this, data is considered to be the raw format. However, it is interesting to note that the Indian Information Technology Act, 2000 (IT Act 2000) describes data as ‘a representation of information, knowledge, facts, concepts’ etc., and in the same Act it is stated that ‘information includes data, message, text,’ etc. From this it is clear that from a legal perspective the words data and information can be used interchangeably.
In other words, data and information are both resources in the computer or in a network and have to be treated accordingly, and information security necessarily encompasses data security as well.

The other concept related to information security and insecurity is the study of the stakeholders to a computerized information resource and information asset. The study of cyber crime necessarily involves the study of the information asset. Crime and security are always with regard to an information asset and its protection in terms of the following ‘W’s, i.e. What, Why, When, from Whom, Where and, of course, the main study being ‘How’. Information security necessarily involves the definition of the information asset, this being ‘what’ to protect; it then proceeds to the subsequent steps of analysing ‘why’, ‘when’, ‘from whom’ and, in greater detail, ‘how’ to protect the information asset.

Information Asset refers to the value of the information or the data, which is itself a computer resource and is protected depending upon its criticality. The asset could be just a physical asset, say a computer, a hard-disk, a pen-drive, a CD/DVD, a network equipment like a router etc., or a software asset critical for its Intellectual Property Rights (IPR) or licence value, or a program significant for its copyright value, or data/information critical for its confidentiality and other such values. In all these cases, it is the asset that is to be secured, which answers our first ‘W’ in the list.

The reason why we should protect the information asset and ensure its security is the value of the asset, be it the financial value, confidentiality value, IPR value, copyright value or any other form of criticality.

Security should be at the right time and at the right place. For instance, the security of an information asset in transit should be visible throughout the journey of the asset.
The security of stored data should be in the form of not only its storage, but also its long term preservation and its retrieval, protecting it from unauthorised access.

Security of an IT asset lies in protecting the same from threats and attacks. Though threats and attacks can be because of various factors, internal as well as external, for the current topic we shall focus on external factors. When an attack or a threat meets a vulnerability in the information asset, the resultant factor is Risk. Threats and attacks have to be mitigated and vulnerabilities should be eliminated so that security can be maximized and crimes can be averted. We will be discussing the various forms of threats to an information asset and all the crime prone areas impacting security in the later chapters.

Much more than the other factors, it is this factor ‘from whom’ which assumes much importance for a study of cyber crime and fraud management. It is this human factor that is the major contributor to cyber crime, especially in the banking and financial sector. Similarly, it is the ‘how’ factor, i.e. how to protect the information asset and how to ensure its security, which forms the most fundamental part of the study of cyber crime and fraud management.

The three main stakeholders to an information asset are:

* Owner
* Custodian
* User

The security of an IT resource lies in the way the asset is classified by the owner, handled by the custodian and operated by the user. For instance, information security depends upon the classification of the asset as given by the owner, taking into account criticality factors like confidentiality, importance, monetary value etc. The custody, upkeep and preservation of the asset depend upon the criticality factor as stated above. A user of a bank database may not always be a staff member.
The user may be a customer, an auditor, an inspector from a regulatory authority like RBI, a hardware vendor, a software system maintenance vendor or some other such special category of user. In any case, the rights of the user depend upon the Access Privileges, which are set as per the category of the user. Rights are assigned to each class of users, decided on the basis of the level, category etc. of the user.

Especially in banks, setting proper access privileges is a significant factor in cyber crime prevention. As a preventive control, access control should be in place and the IT Security Policy of the bank should have clear guidelines and operational instructions on the same. At the time of creation of the user itself, care has to be taken to ensure that all parameters have been properly filled in and that the user is given legitimate access, nothing more and nothing less. Most bank frauds, especially those involving the abuse or misuse of the system, can be attributed to improper definition of access privileges and unauthorised, excessive or illegal use of a user’s access rights. Proper access management at the time of user creation is very important; in its absence, the connivance of the system manager, administrator or whoever is in charge of setting privileges at the user creation stage will be assumed, and the system manager's role will become suspect.

4.3 PILLARS OF INFORMATION SECURITY

Information security is normally considered to be dependent upon four main aspects, known as the pillars of information security or its ingredients or constituents, namely:

* Confidentiality
* Integrity
* Availability
* Non Repudiation, Authorization, Authentication etc.

Confidentiality is the quality of secrecy associated with the data, the state of keeping an information asset secret and disclosing it to authorized persons only. It is an assurance that the information is shared only among authorized persons or entities.
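To make the point about legitimate access, nothing more and nothing less, concrete, here is an added example in Python that is not from this textbook. It assumes a hypothetical role table for a bank system, with constructed role and privilege names, and records every grant and every access decision in an in-memory audit trail so that each action can be traced back to an entity:

```python
"""Access privileges set at user creation, exactly per the user's category.

Added illustration (not from the textbook): a hypothetical role model for a
bank system in which each category of user gets the privileges of its role,
nothing more and nothing less, and every decision is written to an audit trail.
"""
from dataclasses import dataclass

# Constructed sample policy: privileges permitted for each category of user.
# Role names and privilege names are assumptions for this example.
ROLE_PRIVILEGES = {
    "teller":   frozenset({"view_account", "post_transaction"}),
    "auditor":  frozenset({"view_account", "view_audit_trail"}),
    "customer": frozenset({"view_own_account"}),
    "sysadmin": frozenset({"create_user", "view_audit_trail"}),
}

# Audit trail entries: (actor, action, asset, outcome). In memory for the example.
AUDIT_TRAIL = []


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    privileges: frozenset


def create_user(user_id, role, requested_privileges, created_by):
    """Create a user only if the requested privileges match the role exactly.

    Excess privileges are rejected (nothing more); missing ones are rejected
    too (nothing less), so a half-configured user cannot slip through.
    """
    allowed = ROLE_PRIVILEGES.get(role)
    if allowed is None:
        AUDIT_TRAIL.append((created_by, "create_user", user_id, "rejected: unknown role"))
        raise ValueError(f"unknown role {role!r}")
    requested = frozenset(requested_privileges)
    excess = sorted(requested - allowed)
    missing = sorted(allowed - requested)
    if excess or missing:
        outcome = f"rejected: excess={excess} missing={missing}"
        AUDIT_TRAIL.append((created_by, "create_user", user_id, outcome))
        raise PermissionError(outcome)
    AUDIT_TRAIL.append((created_by, "create_user", user_id, "ok"))
    return User(user_id, role, requested)


def is_permitted(user, privilege, asset):
    """Access check at use time; every decision is recorded, allowed or denied."""
    decision = privilege in user.privileges
    AUDIT_TRAIL.append((user.user_id, privilege, asset, "allowed" if decision else "denied"))
    return decision


def actions_by(user_id):
    """Trace what a given entity did: the accountability view of the trail."""
    return [entry for entry in AUDIT_TRAIL if entry[0] == user_id]


if __name__ == "__main__":
    teller = create_user("t001", "teller", {"view_account", "post_transaction"}, "admin1")
    print(is_permitted(teller, "post_transaction", "acct/1234"))   # True
    print(is_permitted(teller, "view_audit_trail", "audit/2024"))  # False
    try:
        create_user("t002", "teller", {"view_account", "post_transaction", "create_user"}, "admin1")
    except PermissionError as err:
        print("rejected:", err)
    for entry in actions_by("admin1"):
        print(entry)
```

The rejected creation is itself written to the trail under the creator's id, which is what lets an investigator later ask whether the administrator tried to grant more than the category allows, rather than having to assume connivance.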
Integrity is the state of the data remaining in the same format, not allowing any tampering other than through an authorized process of access and the resultant data manipulation. No one should be allowed to tamper with the data from the time of its creation, during its entire life cycle of transmission from one computer resource or network to another system or network, and through its entire period of preservation, enabling retrieval only through an authorized process of access. Especially in communication, i.e. when the data is in transit moving from one system to another via different classes and categories of network devices, cutting across various protocols and technologies, this quality of data integrity is of absolute significance. In fact, this proneness to being impacted by unauthorized data access in the form of data diddling, tampering, network session hijacking, spoofing, spying etc. is the cause and enabler of different kinds of cyber crimes (details of all of which we shall see in later chapters).

Availability of the data at all times, as envisaged from the system as per the requirements of the system, is an essential ingredient of security, as the non-availability of data, either at the time of need to access the data or otherwise, makes the entire system vulnerable and untrustworthy. This is one of the qualities impacted by attacks like DoS or DDoS, i.e. Denial of System or Distributed Denial of System.

Though some security professionals discuss only the CIA factor, i.e. Confidentiality, Integrity and Availability, as the three main pillars of information security, of late some more attributes are added to these. Non Repudiation, Authorisation and Authentication are also considered to be pillars of information security and its main attributes.

[Figure: Information Security]

Non repudiation is the quality or the state of the information asset that makes the
i. creator of the data own the responsibility of creating the data, i.e. the data entry,
ii. sender own the responsibility of sending it,
iii. receiver own the responsibility of receiving the same, and sometimes
iv. network provider own the responsibility of carrying the data through its channel.

Hence, non-repudiation means the quality of non-denial, a quality by which the stakeholders, i.e. all those persons, are not permitted to deny the particular act, be it the data entry, creating the data, sending the data and finally the act of receiving the data. In a cyber crime scenario, this Non Repudiation is of very vital importance, since if the person sending the data is permitted to deny having sent it, it will completely destabilize the investigation process and the entire case will fail. Or, if the person who receives the data denies having received it, it will equally spoil the investigation process. Therefore, in evidence management, especially in the areas of admissibility of evidence, strengthening of prosecution and zeroing in on the criminals, non-repudiation plays a very crucial part as an attribute of information security.

Authorisation refers to the process of confirming whether the user has the authority to issue the command to the system and determining what types of activities and access to the resources the user is permitted. It is sometimes referred to as a sub-set of authentication and an activity AFTER the process of authentication. After the process of authenticating the user, the actual process of authorization for the transaction starts, depending upon the type of user who is authenticated. This now leads us to the next attribute of information security, namely authentication.

In information security, authentication is the process of confirming that someone or something is the actual person or entity that he/she or it claims to be. That is, when a user enters the user id, the system
awaits the password or the PIN and then checks that the user id entered earlier is correct, and thus confirms that the user is the actual person who he/she claims to be.

An extension of authentication is one-factor, two-factor and three-factor authentication. In simple terms and in common parlance, it is said that:

1. What you have is one-factor authentication, i.e. physical possession of a device or a card or an object. In other words, in a Point of Sale terminal at a merchant establishment, when the debit card is swiped and the transaction gets authenticated (without any need to enter a PIN etc.), it is one-point authentication.

2. Additionally, what you know makes it two-factor authentication, or 2FA in short. In this case, in addition to having a card or a device, the user is also required to enter a number or a password for authentication. Typically, withdrawal from an ATM is a 2FA, since we first swipe (or dip) the card, depending upon whether it is a strip based card or a chip based card, AND then we enter the ATM PIN. This process of what we have, i.e. the card, and what we know, i.e. the PIN, is a 2FA implementation. Of late, it has become common practice to ensure this 2FA by a process of user name and password at the time of entering the Internet Banking website and then entering a One Time Password received on the mobile as the second factor. In most credit card and debit card transactions also, this process of 2FA is implemented when the user enters his secret PIN in the PoS device of the shop keeper.

3. Sometimes, what you are also serves as an authentication mechanism, as a third factor of authentication, i.e. a biological feature of the user. Compared to the other forms of authentication, this is considered to be extremely strong, not easily broken and non-tamperable. In this system, the finger print, retina, palm or other physical features of the user are stored in the system, and the system ensures that this particular user is the one who has done the login.
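The ‘what you know’ and ‘what you have’ factors described above, as an added Python example that is not part of the textbook. It assumes the password is stored as a salted PBKDF2 hash, and that the second factor is a one-time password generated by HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), the scheme used by common authenticator apps, rather than the SMS OTP the text mentions. The enrolment record and secrets are constructed for the example, and it goes a little beyond the text by tolerating clock drift between the user's device and the server:

```python
"""Two-factor verification: something you know plus something you have.

Added illustration (not from the textbook): factor 1 is a password checked
against a salted PBKDF2 hash; factor 2 is a one-time password from HOTP
(RFC 4226) / TOTP (RFC 6238). Enrolment records and secrets are constructed.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Factor 1, what you know: constant-time comparison of the recomputed hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected_digest)


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP: HOTP with the counter taken from the clock in 30-second steps."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Factor 2, what you have: accept the current step and +/- `window`
    neighbouring steps so that small clock drift does not lock the user out."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def enrol(password):
    """Constructed enrolment record: hashed password plus a fresh OTP seed
    (the seed is what is shared with the user's device at enrolment)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "otp_secret": secrets.token_bytes(20)}


def login(record, password, code, at_time=None):
    """Both factors are always evaluated, so a failure does not reveal which one failed."""
    first = verify_password(password, record["salt"], record["pw_hash"])
    second = verify_totp(record["otp_secret"], code, at_time)
    return first and second


if __name__ == "__main__":
    record = enrol("correct horse battery staple")
    now = time.time()
    code = totp(record["otp_secret"], now)          # what the user's device would show
    print(login(record, "correct horse battery staple", code, now))   # True
    print(login(record, "wrong password", code, now))                 # False
```

The `hotp` routine can be checked against the published RFC 4226 test vectors (seed `12345678901234567890`, counters 0, 1, 2 give 755224, 287082, 359152), which is the quickest way to confirm an OTP implementation before relying on it.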
In addition to authorization and authentication, some text books also speak about accountability, reliability etc. as attributes of information security. Accountability refers to the attribute by which a breach of the policy or the security parameter can be traced to the particular entity responsible. Accountability is always seen with, and presupposes the proper existence of, an adequate audit trail, which alone provides all the information relating to the person, the entity and the entire event landscape needed to define accountability.

Reliability, meaning dependability, is a sub set of integrity, a little more focused on the attribute of the information that it can be relied upon in times of a crisis or a disaster. Especially in a Disaster Recovery Management scenario, when the data centre is being accessed from a DR Site, this quality of reliability is of very great importance, since the data in a crisis should be fully reliable without giving any room for question.

In a physical evidence and physical record scenario, all these attributes, especially non-repudiation, can always be ensured by the person’s signature in a typed document or handwriting in the case of a handwritten document. In a network communication and a digital era, information security rests on how these pillars of security are ensured and by the use of which particular technology.

Simple Mail Transfer Protocol (SMTP) is a protocol used in email servers. Though not mainly used for security, it continues to be popular and is used mainly at the client side for sending mail as part of the mail application. Emails, per se, are not an authentic means of communication unless specific authentication technologies are deployed in them, like Sender Policy Framework, Domain Keys Identification Mail, Pretty Good Privacy, Secure Socket Layer and Transport Layer Security (TLS/SSL), Secure Hash Algorithm (SHA2 or SHA 256 or SHA 512 etc.).

A digital signature is a means of authentication of an electronic communication.
A digital signature is a digital code called a hash value, generated and authenticated by a process (what is known as public key encryption), which is attached to the electronic communication. It is a mathematical scheme to demonstrate the authenticity of a digital message or a document. An electronic signature, or e-signature, is any electronic means of authentication denoting that the person who claims to have sent the message is the one who has actually sent it, and that the person to whom it is addressed is the one who has confirmed having received it by entering his user id and password, i.e. by his electronic signature conforming to the particular technique. Electronic signature is a generic and technology neutral term, whereas a digital signature is a process conforming to the particular process of public key encryption with a private key and an asymmetric key, generating a hash value which also travels along with the document or the message.

Authenticating a document or a message is of paramount importance as a very good control measure to prevent cyber crimes. From a cyber crime investigation perspective, the authenticity of an email can always be questioned in the absence of any specific security initiatives in place, since no id proof is produced at the time of creation of an email id and anyone can create an email id in any name.

4.4 SOFTWARE AND HARDWARE SECURITY

Information Security is not a stand-alone product and not a separate, distinct entity that can be attached to a computer system or to information to make it ‘secure’. Information Security lies in the way the information is stored in the hardware, processed in the software and communicated through a network. Hence the success and strength of information security lies in the way the information is treated in the hardware, be it storage, an external drive, an internal drive, a storage device, a computer, a server etc., processed in the software by the server or the computer system or at any of the intermediary levels, and transported through the various communication devices; it is always as strong as the weakest link. Security should be part of the information in its entire journey, going along with the technologies adopted, the channels used and the access controls installed in the network.

In the context of hardware, if the hardware is absolutely secure, it will ensure prevention of cyber crimes to a considerable extent. Breaches at the hardware level, or physical breaches of security, are more possible by non-technological means than software breaches. In other words, trespassing on a physical hardware asset, bypassing a physical control or breaching a hardware security control (like physical tail gating, bypassing a security guard, disabling a CCTV camera, stealing a pen drive, stealing a hard-disk, scavenging, i.e. taking out data from a discarded device) is always easier and needs no special technological knowledge, unlike a software breach (like hacking, IP spoofing, email spoofing, DoS, Trojan attacks etc.).

Hardware security and physical security are closely related. If physical security can be implemented, it is as good as implementing hardware security. Security for the hardware boxes (servers, network equipment, devices, data centres, computers, user level systems etc.) differs according to the criticality of the location and the hardware. For instance, security for a Core Banking Data Centre will not be the same as the security for the hardware system, i.e. the computer, maintained at the security or reception helpdesk or in a parking area, though all these are hardware security and come under the same hardware policy.
Work from Home is a recent concept increasing in popularity these days, especially among software companies and generally among IT based organisations. Officers are allowed to work from home by logging into the company’s information resources, irrespective of where the hardware is kept. Especially when an officer is permitted to work with a BYOD (Bring Your Own Device) and the information resources in the organisation are accessed from the device, which is on the move either in the office, at home or at a public place like an airport etc., the security becomes more critical and has far more ramifications. It is a hardware issue plus, essentially and more significantly, a software access control issue.

Hardware at the Primary Data Centre is very critical and has huge security implications. Security should start right from the day the hardware is installed in the centre and perhaps even before it is operationalised, i.e. even before the complete OS and the database are loaded in it and it is brought ‘live’ in the environment. In a three-tiered approach to data centre management, like i) Primary Data Centre, ii) Secondary Data Centre and iii) Disaster Recovery Centre, the issue is to be looked at from the entire gamut of security for the entire architecture.

There are lots of cyber crimes associated with hardware security and physical security. Some of them are:

* Physical Access Breach: When there is a physical access control, deliberately trying to breach it or violating the control.
* Tailgating: When the door opens through a due process of access control after swiping the card, the fraudster tries to enter through the entrance before the door closes. (This kind of crime is possible in the case of software access too.)
* Masquerading: Physical access to a secure area with a common entry pass or a generic gate pass that permits entry without individual verification of entrants.
* Trespassing: Gaining access to a hardware resource through deliberately breaching the entry regulations.
* Trapdoors: Disabling an access control intentionally for a temporary period of testing to ensure smooth testing and then later deliberately failing to re-instate the control (this is possible in software access control too).
* Theft, larceny, arson, sabotage etc. of hardware assets with the intention of destroying the resource.
* Tampering with the hardware assets and peripherals.
* Personation and gaining illegal entry to the hardware resource in the guise of maintenance or other service personnel.

With so much centralization, especially in the banking industry with the onset of Core Banking Solution in almost the entire banking sector (with the exception of a few cooperative banks and small rural banks), hardware security is now mostly centralized. Not much hardware, i.e. servers, is kept at the branch location. Except for the network equipment like routers, switches etc. that enable networked transmission of data from branches to the Data Centre and vice versa, branches do not maintain much critical or costly hardware equipment. Of course, the traditional bank assets like cash, important documents, Safe Deposit Lockers etc. are maintained at the branches. With centralized loan processing, account opening etc. being followed in many banks these days, even the documents related to loan assets and account maintenance are not maintained at the branches but in a centralised repository, with access to branch personnel based on authorisation and set access rights.

It is not a matter of debate whether crimes are more because of breach of physical and hardware security, or software and logical security, or network security. In the real world scenario, it is always a combination of one or more and an exploitation of the vulnerabilities in these, viz. hardware, software and network security controls.
Just like hardware security, breach, non-observance or inadequate compliance of software security initiatives too becomes the cause of many cyber crimes, like:

* Password theft and vulnerabilities in the password system
* Inadequate Information System Security Policy or ineffective implementation
* Improper definition of user privileges and User Management
* Inadequate testing of software (application software, tools and others)
* Trapdoors (disabling a security check for a temporary period to enable faster testing and later inadvertently or deliberately not enabling it)
* Masquerading, shoulder surfing and tail gating, and gaining access to data
* Back end access of the data bypassing the front-end application software
* Data diddling, data manipulation, scavenging, dumpster diving etc.

(We will be studying in detail the controls in respect of hardware, software and network security later in Chapter No. 6.)

4.5 NETWORK SECURITY

After hardware security and software security, the next area of major concern is network security. In the banking industry in particular, with the entire banking system dependent upon network and connectivity, security is needed at every stage in the network. Network security essentially deals with the guidelines to prevent and monitor unauthorized access, misuse, modification or denial of a computer network and its resources. Network security is mainly the job of a network administrator, though he is not the only stakeholder in the area. On the question of responsibility, much of the ownership vests with the network administrator or manager. Banks mainly use network gadgets like switches, routers, hubs, VLAN equipment, firewall boxes, UTM (Unified Threat Management) servers, ATM Front-end processors etc., through which the data in a bank always passes.
Some of the most common network based crimes are:

* Crimes relating to hackers (about which we will see in detail in a later chapter)
* Man in the Middle Attacks
* Bots, Botnets and such kinds of attacks in a network
* DoS, DDoS etc.
* Session hijacking and capturing the data while in transit
* Specific software like Trojans, Zeus, Stuxnet
* Network based tools like Zombies etc.
* Worms and virus tools which spread in a network

Most of the network security appliances are available as UTMs and Next Generation Firewalls, with other features associated with them like stateful inspection, VPNs, IPS and IDS, web filtering, bandwidth management etc.

In the context of network security, a term that is gaining in importance these days is SIEM (Security Information and Event Management). Since most network based crimes are the result of network incidents and start as an event at the first stage, a comprehensive study of incident and information management is essential. Hence SIEM is an approach to security management which provides a complete view of the IT Security of the organisation.

A Message Authentication Code is a significant piece of data which is used to authenticate a message and provides integrity and authenticity assurances for the message. It is closely associated with cryptography. Encryption is the process, as part of cryptography, of encoding messages or information in such a way that only the authorized parties can read it. Cryptography is very important as part of network security, since it ensures that even in case the message is intercepted by an unauthorised trespasser, the same cannot be read or deciphered.

4.6 INTERNET CRIMES

A cyber crime committed on the Internet is called an Internet crime or Internet fraud. Internet crime can be broadly classified as follows:

* Crime against the individual, like cyber stalking
* Crime against a bank or a financial institution, like data theft etc.
* Crime targeting specific vulnerabilities in a network, like Phishing etc.
* Cyber Terrorism
* Corporate Espionage
* Hacking and other technologies associated with it
* Man in The Middle Attack
* Spreading viruses and worms against specific systems

From the above list, cyber stalking, cyber terrorism, phishing and espionage have all been discussed already in the earlier chapters. Hacking is going to be separately dealt with later in Chapter No. 5. Hence viruses, worms and the Man-in-the-Middle Attack are discussed here.

A Man-in-the-middle attack, sometimes also referred to as ‘MiTM’, is a kind of network attack in which the criminal or the attacker stealthily intercepts messages between two systems or on a network. This is of late being considered to be a very deadly attack, and most of the network spying software and most of the network attacks use some kind of MiTM technologies only. It is the technological equivalent of common eavesdropping on a telephonic conversation. Impersonation in a session, session hijacking or TCP session hijacking etc. are all considered to be other variants of MiTM attacks, in which the attacker often masquerades as a genuine authorized user. MiTM is resorted to by deploying techniques like sending a malware, exploiting an existing vulnerability in a router, capturing a routing table, spying in a network, DNS spoofing, IP address spoofing to fool or bypass an existing IPS in the form of URL filtering, and other such methodologies. After a MiTM attack, the attacker gets control over the system and then uses it as if part of a botnet, accesses the real site acting as a proxy and then intercepts the traffic between the user and the real site. Such an attack proves very deadly with serious financial impact, especially in ecommerce, internet banking transactions or other such financial remittances, when the login credentials are intercepted and read.

Among the main contributors to Internet crime are viruses, worms, spam and Trojans. Malicious software is popularly called malware (MALicious + softWARE).
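The digital signature described in 4.3 and the Message Authentication Code described in 4.5 above, as one added Python example that is not from the textbook. It shows why both matter against an interceptor who alters a message in transit, and why only one of them gives non-repudiation. The MAC is HMAC-SHA256 from the standard library; the signature is a deliberately small textbook RSA over a SHA-256 hash, with fixed keys built from two known Mersenne primes so that the example runs offline (an assumption; production systems use 2048-bit or larger keys with proper padding such as RSA-PSS, from a library such as `cryptography`). The payment message and the keys are constructed:

```python
"""Integrity and authenticity of a message: MAC versus digital signature.

Added illustration (not from the textbook). HMAC-SHA256 for the MAC;
a deliberately small textbook RSA over SHA-256 for the signature, with
fixed keys from two Mersenne primes (toy sizes, for an offline example only).
The payment instruction and keys below are constructed.
"""
import hashlib
import hmac

# ---------- Message Authentication Code: one shared secret key ----------

def make_mac(shared_key, message):
    """Tag the message with HMAC-SHA256; only holders of the key can produce it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_mac(shared_key, message, tag):
    """True only if the message is unchanged and was tagged with the same key."""
    return hmac.compare_digest(make_mac(shared_key, message), tag)


# ---------- Digital signature: private key signs, public key verifies ----------

# Toy key (assumption for the example): N = P*Q with P = 2^61-1, Q = 2^89-1.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
PUBLIC_EXPONENT = 65537
PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, (P - 1) * (Q - 1))


def message_hash(message):
    """Hash value of the message, reduced into the RSA modulus (toy simplification)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_exponent=PRIVATE_EXPONENT):
    """The signer's private key raises the hash; the signature travels with the message."""
    return pow(message_hash(message), private_exponent, N)


def verify_signature(message, signature, public_exponent=PUBLIC_EXPONENT):
    """Anyone holding the public key can check the hash recovered from the signature."""
    return pow(signature, public_exponent, N) == message_hash(message)


def demo():
    """Constructed payment instruction: both checks catch tampering in transit,
    but only the signature ties the message to one party's private key."""
    key = b"shared-secret-between-branch-and-data-centre"   # constructed
    original = b"PAY 10000.00 INR FROM 1001 TO 2002 REF 77"   # constructed
    tampered = b"PAY 90000.00 INR FROM 1001 TO 2002 REF 77"   # amount altered en route
    tag = make_mac(key, original)
    sig = sign(original)
    return {
        "mac_ok": verify_mac(key, original, tag),
        "mac_detects_tamper": not verify_mac(key, tampered, tag),
        "sig_ok": verify_signature(original, sig),
        "sig_detects_tamper": not verify_signature(tampered, sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")   # all four print True
```

The contrast worth noticing is that both checks reject the altered instruction, but the MAC key is shared by sender and receiver, so either of them could have produced the tag; only the signature, made with a key held by one party alone, gives the non-repudiation that 4.3 calls vital for an investigation.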
Any software which is written with a malicious intention or causes a malicious effect on the system resources, impacting them adversely, is called malware. Viruses, worms, spyware, adware, Trojan Horses, Bots, Zombies, Zeus, Rootkits etc. can all be brought under the broad category of malware.

Virus: The word ‘virus’, though not an acronym and carrying the normal physical meaning of virus, i.e. having an adverse impact and affecting the system, was also construed as an acronym in some schools of thought, as an abbreviated form of “Vital Information Resources Under Siege”. A computer virus is a piece of software code or a program which corrupts the information, data or other resources and makes them function in a manner other than that intended by the owner of the resource.

The earliest forms of virus were written by smart techie programmers with the intention of proving their programming and coding capability, to showcase their prowess in writing a code and putting it in a system without the knowledge of the owner. What once started as a show of one's technological supremacy later grew into a profession and unfortunately, in today's world, no one writes a virus code just for the heck of it. Today's virus programs are all written with a specific purpose, a specific target of, say, a particular system or an industry or a server or a network.

The words ‘virus’, ‘worm’ and ‘trojan’ are all sometimes used interchangeably, though there is a certain technological difference in the meanings and attributes of all these. A worm is a piece of software that travels without any human interaction or any specific action, multiplies at a tremendous speed and spreads. It automatically replicates itself in hundreds and thousands and sends itself to, say, all the addresses in the address book stored in the system. A worm does not attach itself to any mail, does not wait for any executable file to run and is generally harmless.
It only spreads itself, and in that capacity the only major impact it has on the system is that it consumes much of the system resources; in that way it is a very major irritant, inasmuch as it takes up bandwidth, occupies storage space and adversely affects the traffic. On the other hand, a virus may attach to any file, may steal the data or information and may even crash the system, depending upon what the programmer has intended.

Adware can arguably be called the virus with the least impact on a network or a computer resource. Adware is a software, which may be called a malware too, deployed most often stealthily in a computer system, popping up an advertisement. Sometimes, it is deployed or downloaded in a random manner in various computer systems to give an advertisement with some links to sites to know about the product. But here lies the catch. When the link is clicked, it may lead to some phishing site, taking information from the user like user id and password or other confidential information, or sometimes may just confirm that he is a real user. On knowing that he is a real user, the sponsor of the program will increase his database.

Another use of such adware is sending unsolicited bulk mails to a huge list of unknown recipients. Here too, there is a catch. Quite often, we find that a mail is received advertising a product or a software or giving some information that may be of least use to you. The mail will also have a link called “Unsubscribe”, with a remark that “In case you do not want to receive such mails, please click the ‘unsubscribe’ button.” Here, even without clicking the “Unsubscribe” button, simply deleting such mails would be a better option, because by clicking the ‘unsubscribe’ button we send a message to the server that this mail id is real and there is a human being responding to it, which then goes into the database of email ids. Perhaps the next mail will come from the sponsor specifically addressed to this receiver.
In the context of adware, we are not discussing the profiling of the user that is reportedly being resorted to by the search engines. Depending upon the user preferences and search pattern, the search engines have the capability to profile the user and pop up those advertisements that may be of reference and relevance to the user. Much more than a technological capability, this issue of user profiling being resorted to by the search engines is more a techno-legal issue with ramifications on data privacy, user information and other areas.

A Trojan Horse is a malware written with the specific purpose of impacting the system and with a capability to download itself stealthily into the system. It is named a Trojan after the Greek mythological story of the War of Troy, in which soldiers are said to have hidden themselves in a hollow, giant-sized wooden statue of a horse, entered the city of Troy, broken it open and captured the city to end the war. In software parlance, a Trojan is any software executable file that hides itself inside another program and comes out and executes itself at an opportune (or inopportune?) time for its malicious task, while the other, genuine program is functioning. From this point of view only, it is always feared that any unchecked and unscanned downloads (of films, video clippings, music etc.) can be dangerous and it is a must that before downloading anything from the Internet, the anti-virus is run and a thorough scan of the download is undertaken. Like virus programs, Trojan programs too come in different flavours, with different purposes, and most of the banking related bots, Internet crimes, session spying software, data stealing programs etc. all come under this category.
Spyware is a category of Trojans and malware written with the specific purpose of spying on the data in the computer without the knowledge of the owner, stealthily downloading itself like a Trojan and sending the stolen data to the host system. A botnet is a network of private computers infected with malicious software and controlled as a group. The compromised computers which have been ‘captured’, or where the program sits without the knowledge of the owner, are called the ‘bots’ in the system.

Drones: In the context of spyware, an interesting device or gadget that is being spoken about frequently and being deployed (fortunately, so far, for government and administrative purposes only) in modern days is the drone. Drone is a generic word commonly used to refer to an Unmanned Aerial Vehicle (UAV), meaning an aircraft which is automated and flies without a human pilot, i.e. with no one on board. Drones come in different payloads, right from a very cheap variety costing hardly a few thousands up to amounts in lakhs of rupees, depending upon the payload, capacity, the nature of the IC inside, the capabilities in speed, reach and distance etc. Many state police departments and many private individuals too have started deploying drones for crowd management, to monitor the crowd from a higher altitude and keep sending the images through the video camera fitted in it, on occasions like a huge gathering, a kumbh mela, or a water-logged and marooned locality for rescue operations etc.

From a cyber security perspective, the study of drones and the technology associated with UAVs is interesting, because when a drone captures an object or video-records something and keeps transmitting it to its base (sender), the object or the target person whose image is being captured does not know that a drone is capturing the images, unless he watchfully looks at it. That is where the question of spying comes in.
As a spying device, especially these days when cameras with a very powerful capability to capture the minutest detail even from a very far off distance are available, the deployment of drones can pose enormous security concerns. Regulations for developing a drone and importing the IC for a drone/UAV are yet to be formally in place in India, with the DGCA reportedly working on interim Operations Guidelines for the civil use of drones or unmanned aircraft systems. In many metro cities, the city police takes care of the regulations, though DGCA right now regulates objects (aircraft) flying above a particular height, as applicable for civil aviation in general.

A bot is sometimes known as a Zombie too, since it operates remotely and acts on the instructions of the master and spreads like a worm, or does a DoS attack, or does any other act as instructed for financial purposes, stealing data or other malicious purposes. In this context the botnet, i.e. the network of bots, is referred to as a zombie army. In practice, in most of the cases, a zombie is often a hapless and ignorant home PC user who is not aware that his PC is compromised and is sending malicious mails or transmitting data from it. This kind of unintentional and malicious transmission has been made easier these days, with the advent of high speed lines even for a domestic user.

Like Trojan, the word Zombie too has an interesting origin. Originally zombies referred to a species revived from the dead and acting upon the instruction of a master, without the knowledge of the person, i.e. the body. Hence in network parlance, the word is often used to denote a system which acts upon instructions without its knowledge of what it is doing. Zombies are often deployed to create a Denial of Service attack or, most often, collectively from a botnet, to launch a Distributed Denial of Service attack too.
Sometimes the zombies are programmed to launch the attack intermittently, called a ‘pulsing zombie’, so as not to attract the attention of the owner, who would be alerted if the entire zombie attack happened at the same moment.

One of the network controls deployed these days to check that the login or other forms of data entry are done by a human being and not a robot is the use of CAPTCHA, an acronym for “Completely Automated Public Turing test to Tell Computers and Humans Apart”. This is a type of challenge-response test used to ensure that the data entry or the response is done by a human being and not by a robot or a computer system. The user is shown a picture or some alphanumeric characters in various font sizes that only a human being can read and which are not recognizable by a computer system. This alphanumeric character set is automatically generated by the server and presented to the user on the screen, and the data in it is to be entered by the user. Some examples of CAPTCHA are:

[Figure: two distorted-text CAPTCHA images, reading ‘cyber 2015 crime’ and ‘exam’]

In the above, the words are ‘cyber 2015 crime’ and “exam”. Since the words are given in different fonts and sizes, it would be difficult for a computer to read them and quite easy for a human user to read and enter the data. Of late, some banks use an advanced form of CAPTCHA presenting a very simple arithmetical question like ‘3 + 4 =’ and the user is required to fill in the answer “7” as his response. To make it still more effective, sometimes colours, background images and stylish writing are all deployed, which may be difficult for a machine to read and easy for a human being.

In the case of Internet crimes and frauds, a major issue of complexity is the question of jurisdiction and the process of filing the first information report for the crime.
For instance, if a company with headquarters in a major metro city reports that its website is hacked and the suspected criminal is a resident of another city thousands of kilometres away, the onus of investigation and dealing with the crime will rest within the jurisdictional limits of the place where the corporate office is, and it would be practically difficult to nab the criminal from a far-off place, bring him for trial, produce the evidence and ultimately ensure dispensation of justice.

4.7 CAUSES FOR INTERNET CRIMES

Just like the causes for any crime, the causes for Internet crimes are basically the greed and the need for committing a crime, the opportunities provided by the system coupled with the justification of the criminal to commit the crime. Here, ‘opportunities’ play the major and crucial role as a cause for Internet crimes.

With the prevalent availability and usage of very high bandwidth lines even for a domestic home user who needs to download a full movie in a matter of a few minutes, and with more and more telecom providers advertising their products as adware, spreading a virus or a malware has become very easy these days.

The other cause for Internet crimes is the lackadaisical approach of the user towards the use of anti-virus and firewall kinds of software. Despite the emphasis being given to the use of anti-virus and the use of official and licensed software, common users are still inclined to use unlicensed software and not buy anti-virus software. Lack of a proper, updated anti-virus and firewall with features like IDS, IPS, web filtering etc. is a major cause for the increase in Internet crimes.
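The CAPTCHA challenge-response test described earlier (the distorted-text variety and the bank-style ‘3 + 4 =’ question) only works as a control if the server alone knows the expected answer, accepts it once, and lets it expire. The following is an added Python example written for this edition, not code from the book or from any bank; the in-memory store, the 120-second time limit and the three-attempt limit are assumptions.

```python
import hmac
import secrets
import string
import time

CHALLENGE_TTL_SECONDS = 120   # assumed value: how long a challenge stays valid
MAX_ATTEMPTS = 3              # assumed value: wrong answers tolerated per challenge


class CaptchaStore:
    """Server-side record of outstanding CAPTCHA challenges (hypothetical helper).

    Each challenge is identified by an unguessable token and remembers the
    expected answer, its expiry time and how many wrong answers remain.
    The answer never leaves the server; only the token and the puzzle
    (text to be rendered as a distorted image, or the arithmetic question)
    are sent to the browser.
    """

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable so expiry can be tested
        self._pending = {}       # token -> (answer, expires_at, attempts_left)

    def new_text_challenge(self, length=6):
        # Random alphanumeric text, as in the 'cyber 2015 crime' example.
        # Rendering it as a distorted image is left to the web layer.
        alphabet = string.ascii_lowercase + string.digits
        text = "".join(secrets.choice(alphabet) for _ in range(length))
        return self._store(text), text

    def new_arithmetic_challenge(self):
        # Bank-style puzzle such as '3 + 4 ='; the sum is computed server-side.
        a, b = secrets.randbelow(10), secrets.randbelow(10)
        return self._store(str(a + b)), f"{a} + {b} ="

    def _store(self, answer):
        token = secrets.token_urlsafe(16)
        expires_at = self._now() + CHALLENGE_TTL_SECONDS
        self._pending[token] = (answer, expires_at, MAX_ATTEMPTS)
        return token

    def verify(self, token, response):
        """Return True once for a correct, timely response to a live token."""
        entry = self._pending.get(token)
        if entry is None:
            return False                 # unknown, already used, or exhausted token
        answer, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[token]     # stale challenge: client must fetch a new one
            return False
        # Case-insensitive comparison that does not leak timing about the answer.
        ok = hmac.compare_digest(answer.strip().lower().encode("utf-8"),
                                 response.strip().lower().encode("utf-8"))
        if ok or attempts_left <= 1:
            del self._pending[token]     # single use: solved or exhausted tokens die
        else:
            self._pending[token] = (answer, expires_at, attempts_left - 1)
        return ok
```

A replayed token, a fourth guess, or a reply after the time limit is refused regardless of whether the answer is right, which is what stops a script from brute-forcing or reusing one solved puzzle.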
The other major causes for Internet crimes are:

• Massive and indiscriminate use of computers
• Perceived or ill-assumed notion of ‘anonymity’
• Indiscriminate use of massive data handling and too much centralization
• Handling of a huge volume of data in the network
• Too much information being transmitted through the network
• Inappropriate use of network resources in transmitting unnecessary, trivial data
• Information overload on the net at any point of time
• Massive use of social networking sites, often with personal, private data
• Absence of awareness among common users of what is private data and what is public

Internet addiction has now become a growing menace. Often we hear more and more reports on surveys and studies undertaken in the area of how the common man, especially youth or even children, is addicted to the Internet. The excessive use of computers and the Internet and its impact on daily life is commonly called Internet addiction disorder (IAD), and is sometimes also referred to as Problematic Internet Use. Unlike other syndromes, the cure or the medicine for this is quite simple, i.e. stay away from computers! But in today's world, however much you would try, you would never be able to do it.

Most of the above will be taken care of if proper controls are in place, either at the personal level or at the organizational level or, more often and more appropriately, at the Internet Service Provider level. Proper and adequate controls could be installed at the ISP level or at the Mail Service Provider or other such intermediary level, with content filtering, URL filtering and stateful inspection in place, which alone will go a long way in combating Internet crimes and mitigating them.

With more and more companies moving towards cloud computing without the relevant controls in place, it is a matter of concern that this is fast becoming a cause for the increase in Internet crimes.
Cloud security mainly consists of the following attributes:

• Identity management to keep the customer data separate and distinct, taking care of the privacy concerns of the customer
• Conformance to the information security attributes like Confidentiality, Integrity and Availability
• Physical security taking care of the physical assets of the customer, kept distinct
• HR issues dealing with the people who are engaged in the cloud data as their owners, custodians and users, and the process in their employment
• Application security concerns, especially focusing on the type of application that the cloud provider is giving the customer

4.8 USER FAILURES

User failures are a major cause for Internet crimes, as already seen above. User failure by itself may be deliberate or unintentional, though, in practice, more often it is unintentional only. In the context of Internet crimes, the user failure mainly contributes towards frauds resulting in a loss for the user himself or sometimes a loss at the other end in the network too. All user level controls should be in place to thwart any attack. Some of the basic user failures that result in cyber crimes are:

• Not keeping the password secret
• Adventurism, i.e. venturing into a website not knowing its implications
• Clicking a URL or a link without confirming its authenticity
• Not having an anti-virus or not updating or upgrading it
• Using unlicensed software or a pirated version
• Downloading indiscriminately all kinds of apps on the mobile (we will discuss apps in detail in the later chapters)
• Exchange of all sorts of data in a public domain
• Indiscriminate use of the network and transmission of data over the net

4.9 BANK FAILURES AND INITIATIVES

To prevent Internet crimes, if we have to discuss the initiatives taken by banks, it will come within a single point of convergence, namely the Information System Security Policy of the bank. On the policy front, there are three main issues:

a. Adequacy of the Policy
b. Implementation of the Policy (effective and sufficient)
c. Review of the Policy for its effectiveness and all regulatory compliance

If all the three are adequate and are properly in place, there should be no cause for any bank failure on the grounds of cyber crime or information insecurity. Added to this is the question of awareness on the part of all staff members about the contents of the Policy, the guidelines and work instructions forming part of it, the consequences of breach and the departmental action for non-compliance. Awareness about the ISS Policy has been stressed by the banking regulator, the Reserve Bank of India, repeatedly in all the appropriate channels, with clear recommendations even from the Gopalakrishna Working Group on Information Security, IT Governance, IS Audit, Cyber Fraud and related areas. In its report, the Group strongly recommends specific training and awareness initiatives on information security, besides going a step further by expressing the need for a forum of Chief Information Security Officers (of various banks) to interact, so that they can have knowledge transfer on security threats.

Though a stronger ISS Policy encompasses all the other policies (which are subsets like the Password Policy, Internet Access Policy, Email Policy, Access Privileges Policy etc.), special mention is to be made of the Password Policy, since this is one policy that is very close to every user and its breach affects everyone. Most of the bank frauds concerning the system, i.e. cyber crime in banks, can be attributed to either breach of the password policy or improper implementation of the policy or deliberate or unintentional leak of passwords.

Almost every year, there are survey reports and industry statistics revealing that the following continue to be the most used passwords:

• Qwerty123
• password
• PASSWORD
• 123456
• Password123

There are occasions when a password is shared with others even by senior bank officials ‘for the sake of convenience’ or ‘in the larger interest and smooth functioning of the branch’ or for such reasons as ‘the branch head had to go out on urgent official work and left his password with his junior to do the normal branch routine’. Whatever be the reason, the password is the personal property of the official using the particular user id, and the loss of a password and any consequences of its misuse will bind him/her, as the owner of the password, as responsible for the transactions. This clause invariably finds a place in the information security policy of any bank, and bank managements will do well to take this with the utmost seriousness it deserves.

The role of the Information Security Committee is to devise strategies and policies for the protection of all assets of the bank (including information, applications, infrastructure and people). The Committee will also provide guidance and direction on the security implications of the Business Continuity and Disaster Recovery Plans. Its main responsibilities include developing and facilitating the implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the bank's risk appetite. (Source: IS Governance for the Indian Banking Sector, published by IDRBT, November 2011)

4.10 SUMMARY

Information Security mainly refers to the concept of security of the information asset, protecting the asset from attacks at the appropriate place and time.
The three main attributes of information security are: confidentiality, integrity and availability. Added to these are the other qualities like Non Repudiation, Authentication, Authorisation etc. Any organisation which is conscious of these attributes as part of the Information Security Policy will be successful in drafting the policy and its effective implementation.

Information Security lies as much in hardware as in software and network too. Physical security and hardware security can be ensured by controls like proper upkeep of the asset and access control to the asset. Software security can be ensured by proper testing, proper access privileges to the information resources, not allowing any back end access to the data, adequate logs of all access to the data etc.

Network based attacks and threats are of various types like viruses, worms and malware. There are specific malware attacks targeted against a specific information resource like a particular user or a particular bank or an account, and there are general randomized attacks with no specific targets but waiting for any bait that would fall as a prey. Bots, botnets and zombies are all different kinds of attacks in a network, mostly used for a Denial of Service attack or a Distributed Denial of Service attack and other related attacks. Spyware, adware and spam are all specific kinds of malware with a greater or lesser degree of impact on computer systems. Sometimes, instead of human beings, systems are used to make an attack and to act without the knowledge of the owner of the system himself. CAPTCHA is a tool often deployed to ensure that the system login is done by a person, i.e. a human being only, and not a computer system.

Causes for most of the Internet crimes include factors like non-observance of information security guidelines, policy violations and inadequate or improper training and awareness initiatives on the use of the policy. Banks have to improve their security training initiatives.

4.11 QUESTIONS

1. The non-tamperable quality of data otherwise than through an authorised process of access is called
2. Not allowing the sender of a communication to deny having sent the same is called
3. The process of confirming that the user is the one who he/she claims to be is called
4. Allowing only the particular access to an information resource as may be required for the particular user is called
5. To confirm that the system is being accessed only by human beings and not by a robot, the technique used is called
6. The process of coding a message in such a way that it is read and understood only by the intended recipient and not by others is called
7. BYOD stands for
8. The process of getting authentication from a process other than user name and password is commonly known as
9. ____ is said to contain features like anti-virus and web filtering, URL filtering etc.
10. UTM stands for ____

4.12 ANSWERS

1. Integrity
2. Non Repudiation
3. Authentication
4. Access Privileges
5. CAPTCHA
6. Encryption
7. Bring Your Own Device
8. 2FA
9. Firewall
10. Unified Threat Management

4.13 KEY TERMS

Cryptography, Integrity, Electronic Signature, Repudiation, Authentication, 2FA, SIEM, BYOD, UTM, Firewall, Work From Home, Spyware, Adware, Zombies, CAPTCHA, Botnet, Encryption, Trojan, Drones