Institute for Development and Research in Banking Technology

(Est. by RBI), Castle Hills, Road No.1, Masab Tank, Hyderabad-500 057.

Study Material
for
IT & Cyber Security
 Table of Contents
Title Page No.
Introduction to Cyber Security 1
Cyber Threat Land scape in India for Banks 2
Some common Cyber-attack types and techniques 4
Challenges Of Cyber Security 6
Cyber Security Governance 7
Implementing a cyber-security framework 10
Risks of Cyber presence for Banks 12
Cyber Law and relevant issues related to banks 14
Cyber Laws in India 16
Business Continuity Management 17
IDRBT Initiatives – IBCART, CISO Forum, Cyber Drill 21
Cyber Security Trends and How to Respond 24
Cyber Security Drivers 33
IT and Cyber Security Glossary 39
Study Material
Introduction to Cyber Security
1. What is Cyber Security

The term Cyber security refers to the techniques of protecting computers, networks,
programs and data from unauthorized access or attacks that are aimed for exploitation.
Cyber security Includes Application Security, Information Security, Disaster recovery and
Network Security.

Application security encompasses measures or counter-measures that are taken

during the development life-cycle to protect applications from threats that can come
through flaws in the application design, development, deployment, upgrade or
maintenance.

Information security protects information from unauthorized access to avoid identity

theft and to protect privacy.

Disaster recovery planning is a process that includes performing risk assessment,

establishing priorities, developing recovery strategies in case of a disaster. Banks should
have a concrete plan for disaster recovery to resume normal business operations as
quickly as possible after a disaster.

Network security includes activities to protect the usability, reliability, integrity and safety
of the network. Effective network security targets a variety of threats and stops them from
entering or spreading on the network.

Cyber security is a subset of information security. It generally focuses on the measures

to protect information from malicious threat sources that affect confidentially, integrity,
and availability of information. Following are a few examples of cyber threats to CIA in a
Banking environment:

Confidentiality: Information is only being seen or used by people who are authorized to
access it.

 Employee accessing information about a fellow employees or customers for

malicious purposes.
 Losing an unencrypted pen drive with employee personal or financial
information

1) Integrity: Any changes to the information by an unauthorized user are impossible,

and changes by authorized users are tracked.

 Hacker or employee maliciously modifying, creating, or deleting customer

information.
 Employee or vendor modifying data for personal gains

1|Page
2) Availability: Information is accessible when authorized users need it.

 Ransom ware attack rendering data unusable until backups are accessed or
encryption key obtained.
 Malicious denial of service (DOS) attack degrading network performance and
affecting operations.
 Server failure at your organization or a vendor.

Elements of cyber security:

1) Network security
2) Application security
3) Endpoint security
4) Data security
5) Identity management
6) Database and infrastructure security
7) Cloud security
8) Mobile security
9) Disaster recovery/business continuity planning
10) End-user education

What is a Cyber Attack?

A cyber-attack is a deliberate exploitation of computer systems, technology-dependent

enterprises and networks. Hackers (cybercriminals) use malicious code and software to
alter computer code, logic, or data, resulting in disruptive consequences that can
compromise data and lead to cyber-crimes such as financial information and identity theft
or system infiltration.

Cyber Threat Land scape in India for Banks

Cyber security in Banks has gained paramount importance as Banks have opened up
their IT platforms to customers in the wake of digitization, competition from peers,
customer experience, reduction of transaction cost etc. Banks exchange and transmit
sensitive data across networks and to other devices in the course of businesses, and
cyber security describes the discipline dedicated to protecting that information and the
systems used to process or store it.

Securing technology systems and protecting the data and assets of customers remains
one of the highest priorities for any financial institution. The unprecedented growth in

2|Page
digital payments in India and the Government’s push towards a cashless economy has
added many new customers to digital Banking, which in turn brought renewed focus on
the need to strengthen financial cyber security. Banks have scrambled to implement
various new mobile banking technologies like Wallets, Utility Bill Payments, 24x7 money
transfers etc.

As Cyber-attacks are carried out continuously on various organizations, it is banks who

are under the focus from the increasing threat. The volume and sophistication of cyber-
attacks is ever increasing and evolving. Innovation, Sophistication, Organization of Cyber
criminals is producing ominous results for Banks. This has led to catapulting of cyber
security to the top agenda for boards of Banks.

Banks and financial institutions are extremely vulnerable to various forms of cyber-attacks
and online frauds. The Cyber space environment changed in terms of the frequency,
scale, sophistication and severity of cyber incidents. More diverse and innovative
attempts are being made to compromise government and private sector networks. The
scale and impact of Distributed Denial of Service (DDOS) activity has set new records for
volume through both traditional approaches and by exploiting newer methods such as co-
opting IOT devices.

As per the information collected by India’s Computer Emergency Response Team

(CERT-in) majority of cyber security incidents took place in India include phishing, website
intrusions and defacements, virus and denial of service attacks.

Manifold increase in credit and debit card fraud cases has been reported over the past
three years. In addition to core banking, additional services like e-banking, ATM and retail
banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected
to grow in 2018, which is alarming as over 40% of financial transactions are being
conducted on mobile devices today. Software vulnerabilities in the Banks’ mobile
applications were recently exploited and Aadhar based account frauds by some business
correspondents also surfaced.

There is rise in misuse of Bank’s SWIFT systems credentials for transfer of funds or letters
of understanding / comfort through unlawful access to the bank’s SWIFT Systems for
cross-border transactions. In fact Reserve Bank of India has advised Banks to stop
issuing LOUs and LOCs.

Email became the Weapon of Choice for cybercrime and Email posed a dangerous and
efficient threat to users. And Business Email Compromise (BEC) scams, relying on spear-
phishing emails, targeted on businesses every day are draining huge money from
Customer’s accounts.

Cyber criminals caused unprecedented levels of disruption of IT services with relatively

simple IT tools and cloud services. Governments are targeted for cyber-attacks and the
focus is shifting focus from economic espionage to politically motivated sabotage and
subversion.

3|Page
The Cloud has become a Dangerous Place and Vulnerabilities in cloud infrastructure
provide the next frontier for cyber crime

Some common Cyber-attack types and techniques

a. Viruses?
Viruses are the oldest form of cyber-attacks and the most popularized in early media.
They are lines of code embedded in malware or phishing hooks. When opened, they
disrupt a computer’s normal operating habits.
b. Malware

Malware literally means “malicious software.” Malware can be spyware, ransom ware or
adware, and it can carry a virus. Rather than embedding itself into the operating system
or hard drive like a virus, it installs itself and runs as a software. Ransom ware is malware
that closes a computer, network, or other system until a ransom has been paid and the
hacker deactivates the ransom ware

Once malware is in your computer, it can wreak all sorts of havoc, from taking control of
your machine, to monitoring your actions and keystrokes, to silently sending all sorts of
confidential data from your computer or network to the attacker's home base.

c. Ransom ware

Ransom ware is a type of malware that blocks access to a victim’s assets and demands
money to restore that access. Ransom ware typically blocks access to a victim’s files
through encryption. Once a victim is infected, the ransom ware scans the available local
and network systems for important files and encrypts the files and alerts the user about
the infection. The alert includes a ransom demand and a deadline for payment. If victims
do not pay in time, the ransom ware destroys the decryption key and the victim’s files are
rendered useless. If the payment is made in time, victims usually receive a decryption key
to unlock their files.

d. SQL Injection Attack

An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that
allow the SQL server to run malicious code. Stealing or dumping customer information
from the website, such as credit card numbers, usernames and passwords (credentials),
or other personally identifiable information, which are tempting and lucrative targets for
an attacker.

e. Cross-Site Scripting (XSS)

Similar to an SQL injection attack, this attack also involves injecting malicious code into
a website, but in this case the website itself is not being attacked. Instead, the malicious

4|Page
code the attacker has injected only runs in the user's browser when they visit the attacked
website, and it goes after the visitor directly, not the website.

f. Distributed Denial-of-Service (DDOS)

A distributed denial-of-service (DDOS) attack is an attack in which multiple compromised

computer systems attack a target, such as a server, website or other network resource,
and cause a denial of service for users of the targeted resource. The flood of incoming
messages, connection requests or malformed packets to the target system forces it to
slow down or even crash and shut down, thereby denying service to legitimate users or
systems. The motive of denial of service (DOS) is to render the target systems
unavailable.

g. Social engineering

As network defenses are becoming increasingly hardened and therefore more resistant
to cyber intrusion, social engineering provides a way to bypass security protocols that
cybercriminals may not be able to overcome via technical means. Cybercriminals use
social engineering techniques to manipulate human trust and elicit information in support
of network exploitation efforts. Social engineering is becoming more sophisticated and is
likely to be increasingly used by adversaries to disguise their illicit activities as genuine.

h. Malicious Emails

Phishing

Phishing is an attempt to trick users into sharing personal details or login credentials.
Attackers may do this by encouraging the user to respond to the email, or by asking them
to click to a fraudulent website that prompts them to share information. A link in a
malicious email is almost twice likely to point to a phishing website than to malware. Spear
phishing is simply a more targeted form of phishing. Rather than sending a single generic
email to a list of millions of email addresses, spear phishing attacks send carefully crafted
emails to smaller lists of targets

Business email compromise (BEC) also known as CEO fraud is a form of phishing
attack where a cybercriminal impersonates an executive (often the CEO), and attempts
to get an employee, customer, or vendor to transfer funds or sensitive information to the
phisher. BEC attacks are highly focused. Cyber criminals will scrape compromised email
inboxes, study recent company news, and research employees on social media sites in
order to make these email attacks look as convincing as possible.

i. Threats associated with outsourcing

Sophisticated cyber activity against Third Party Managed Service providers, vendors that
provide services to Banks has increased. As it has become more difficult for adversaries

5|Page
to directly compromise their targets, adversaries have sought secondary or tertiary
access into primary targets. The compromise of third party IT service providers can
enable cyber adversaries to target and exploit customer data and networks through a
range of direct and indirect means.

j. Insider Threats

While there are numerous threats aimed at bank systems and their customers, one of the
biggest threats, and often one of the hardest to detect, is that of malicious, careless and
compromised users. These employees, contractors and partners are already inside the
banks secure perimeter and have legitimate access to its sensitive data and IT systems

k. Advanced Persistent Threats

Advanced Persistent Threats, or APTs, are long, directed cyber-attacks that are most
often state sponsored. These types of attacks usually begin with a network probe. An
organization or individual illegally, and surreptitiously, accesses an organization’s local
area network or internal internet. This individual may have gotten in through an employee
access gateway or found a vulnerability through other means. The hacker will lurk on the
network, hiding from detection, while it maps the information stored there and implements
malicious measures. Often, results of APTs include theft

CHALLENGES OF CYBER SECURITY

The most difficult challenge in cyber security is the ever-evolving nature of security risks
themselves. Traditionally, Banks have focused most of their cyber security resources on
perimeter security to protect only their most crucial system components and defend
against known treats. Today, this approach is insufficient, as the threats advance and
change more quickly than organizations can keep up with. As a result, advisory
organizations promote more proactive and adaptive approaches to cyber security. Banks
need to incorporate guidelines in their risk assessment framework that recommend a shift
toward continuous monitoring and real-time assessments.

Cyber security is a key issue for investors, consumers, regulators and employees in the
financial services industry all the way up to boards of directors. Cybercrime will continue
to be a lucrative activity for criminals due to its ability to generate quick money with a low
risk of identification and interdiction. Each successful cybercrime attempt encourages
further cybercrime activities.

Ransom ware continues to grow as a method of extorting funds from a wide range of
victims. Credential-harvesting malware poses an increasing threat to Banks by facilitating
the theft of credentials, such as login details and account numbers observed a shift in
cybercriminals' targeting and capability, and the increased targeting of Android
smartphones.

6|Page
Social engineering is growing in sophistication and is likely to be increasingly employed
by malicious adversaries to disguise their illicit activities as genuine. As our network
defenses harden and are therefore more resistant to cyber intrusion, social engineering
provides a way to bypass security protocols that cybercriminals may not be able to
overcome via technical means. Adversaries have increased their targeting of trusted third
parties, particularly service providers. These companies are highly attractive targets as
they can enable secondary and tertiary access into a range of primary targets.

Cybercriminals continue to seek access to repositories of large amounts of personal

credentials of customers to facilitate financial crimes and identity theft. Security in Internet
of Things (IOT) devices, smartphones and tablets, is not always a top priority for the
manufacturers. Their increased integration into the ecosystem introduces significant
security risks.

It is interesting to note that malicious criminals are using rudimentary techniques and
known network vulnerabilities to compromise systems that lack baseline cyber security
measures. Adversaries of all kinds routinely scan the environment for vulnerabilities,
leveraging them to gain and sustain access to victim networks. This opportunistic
targeting is simple and cheap, and will continue as long as computers, networks and
devices fail to implement baseline security.

New technology like Cloud, Mobile, IOT call for specialized and different security controls
for risk management and integration with overall cyber security control framework. Too
many APIs, IOT, Mobile and access points will need new forms of identify management
which is risk based and context sensitive. Security monitoring will become key control
leveraging Threat Intelligence, Real time data and flow monitoring, Threat Hunting,
Behavior analytics and incident response.

Cyber Security Governance

Cyber security governance involves:

a) Information Security Strategic Planning

b) Information Security Roadmap Development
c) Information Security Resource Planning
d) Establishment of Information Security Policies, Standards, Processes
and Procedures
e) Information Security Training, Education and Awareness

Relevance and Importance of the Framework to Banks

Cyber threats are penetrating organizations from every corner. Be it from the endpoints
used by employees, tools and applications used to manage IT infrastructure or business
operations or interconnectivity between different components spread across cloud
landscapes, there are risks everywhere. A big chunk of these risk factors are related to
the people who operate, manage or even simply use any of the organizational services
or assets. This makes a well-defined cyber security framework essential in every

7|Page
organization, and most enterprises are putting out serious efforts to establish one for their
IT and business ecosystem.

This increased focus on cyber security can mainly be attributed to the technological
transformation we are going through with the emergence of cloud, analytics, mobile and
social (CAMS) as a mainstream focus. It’s also creating a pressing need for some formal
guidance and well-defined regulations, which can help organizations drive their cyber
security defense programs more effectively. The National Institute of Standards and
Technology (NIST) Cyber security Framework is one such effort to provide guidance in
the field of cyber security. This framework is a good starting point for organizations who
want to define, adopt and refine an infrastructure for their own needs while at the same
time follow industry standards and norms.

The Cyber security Framework

A cyber security framework contains a whole set of management tools, a comprehensive

risk management approach and, more importantly, a security awareness program
covering everyone in the organization from top to bottom. In other words, every
organization needs to have a complete cyber security governance framework to fully
address all of their cyber security needs. There are a few key components that play crucial
roles in shaping this security posture and are therefore crucial for long-term success.
These components are:

a) Organizational structure
b) Work culture
c) Security awareness programs;
d) Cyber security governance.

Each of these aspects works with the others to cover gaps in security. While focusing on
one specific area of need can make a difference, the most effective initiatives will use all
four of these components to protect the enterprise.

a. Organizational Structure

How the organization is structured, and how that drives security-related initiatives, plays
an important role in defining and shaping its security posture. A well-defined security and
compliance chain of management within the organizational structure is one of the key
components of this framework. It not only ensures the management is better suited to
contribute to security issues, but also shows how focused the organization is on the
cause.

8|Page
 Governance structure

b. Work Culture

What is the work culture inside the organization? This may include how teams look at
information security and how they respond to organizational changes, which are coming
at a fast pace. These are vital to the formation of the cyber security culture. Traditional
ways of working and interactions with various stakeholders within or outside the
organization need to be adjusted as per the changing landscape.

c. Security Awareness

If employees don’t know what is right and what is wrong when it comes to security, then
the chances of their falling into undesirable traps are much higher. Besides the
traditional approach of setting up security compliance-related policies, organizations
need to objectively focus on awareness and education programs. Businesses need to
have a policy to demonstrate their commitment to, and the seriousness of, making their
workforce aware of the ecosystem in which they operate.

d. Cyber security Governance

Governance plays an extremely important role in achieving the security objective of the
organization not only for current needs, but also to ensure well-drafted mitigation plans
for future challenges. To address current issues, the governance framework covers
improvements to security policies; the implementation of technical controls; audits and
assessments; and driving awareness among people to shape their attitude toward secure
behaviors. For future challenges, the governance framework must continually focus on
emerging threat factors, fast-moving changes in the technological landscape, people’s
views and behavior and — perhaps most importantly — the work culture transformations
being pushed by CAMS.

9|Page
Implementing a cyber-security framework:
a. Cyber Security Strategy

Getting cyber secure should be based on a risk assessment, and should address the
key cyber security domains: people, process, technology and compliance.

b. Risk Management

Cyber security risk assessments are the starting point for a cyber-security strategy.

c. Enterprise and Security Architecture

Deploying enterprise architecture frameworks to design Bank’s IT and security

infrastructures so that they are aligned with and support their business architecture.

d. Identifying and classifying risks:

A cyber security governance framework contains a set of management tools, a

comprehensive risk management approach and, more importantly, an organization-
wide security awareness program. This framework should weave into your
organization’s key systems and processes from end to end.

Identifying and classifying risks in a cyber-risk register will help you recognize potential
risks, determine the costs for those risks, and provide answers to what you can do to
help prevent them before they happen.

With the risk register in hand, begin by assessing the tactical plans developed by senior
management and determine a suitable budget for cyber security.

An important consideration when determining budget allocation is the return on

investment; not all assets are worthy of the same level of funding, just as some
risks are more urgent than others. The protection of your critical assets should
receive more weight in the proposed budget.

Your critical assets, may include any or all of the following:

 Hardware / Software
 Customer data like financial records, User Credentials, email addresses etc.
 Sensitive contracts with customers, suppliers, distributors, partners etc.
 Employee log-in credentials
 Business Strategies / Plans
 New products or services in development
 Lists of customers, employees or contractors

10 | P a g e
e. Security Audit, Intrusion Testing

Cyber security services include auditing for the existence and effectiveness of cyber
security controls. These audits are usually carried out against audit frameworks.

f. Regulation and Certification Controls

Regulatory compliance is a key aspect of effective cyber governance. Regulators are

paying more attention to cyber breaches, and fines are increasingly onerous.
Reputational damage from regulatory breaches can also be significant.

g. Recovery & Continuity Plans

Cyber resilience is a crucial underlying cyber security philosophy. Sooner or later any
cyber defense will be breached. Organizations need to develop cyber resilience, a
continuum of tested processes that enable it to respond appropriately to incidents of all
sizes, including those which escalate and threaten the survival of the organization itself.

h. Cyber security skills

Cyber security is an increasingly complex area. Organizations need either to employ staff
who have adequate skills and knowledge or, recognizing that there is a global shortage
of such skills, ensure that security staff acquire and maintain appropriate skills.

IT/ Cyber Risk Management

What is cyber risk?

‘Cyber risk’ means any risk of financial loss, disruption or damage to the reputation of an
organization from some sort of failure of its information technology systems.

While cyber security risks evolve and regulatory requirements continue to expand, the
approach organizations employ to manage them has not kept pace. The traditional
information security model—one that is based on controls and compliance, is perimeter-
oriented, and aims to secure the back office—does not address today’s cyber realities.

Organizations should know how their current information security programs fall short of
leading industry frameworks such as ISO 27001 and the NIST Cyber security Framework.
Truly effective cyber security will require that Organizations are able to capably and
quickly identify, mitigate, and manage cyber risks.

In addition, asset managers should identify cyber business risks by thoroughly scanning
and analyzing all known and relevant risk factors, including those that may not be likely
to occur. These risks should provide a starting point for establishing an effective cyber-
risk management framework.

11 | P a g e
Risks of Cyber presence for Banks:
A cyber-attack can be devastating because a single event can impact a business
in numerous ways like financial loss, Critical Data loss/breach, loss of productivity
or business disruption, and cost of investigation, compensation to customers,
reputational damage, and regulatory penalties.

The world is changing rapidly and cyber criminals are adapting to it faster than security
solutions are being developed. Targeted attacks by skilled and persistent cyber criminals
are now a worrying business reality. Traditional security measures such as firewalls and
antivirus software are proving inadequate in the evolving threat landscape. It’s not a
matter of ‘if’ but ‘when’ an organization will suffer a cyber-attack.

Worldwide, organizations are concerned about cybercrime, as they are worried about the
technically combating cyber incidents, business disruption, public perception and loss of
clientele. Understanding the technical implications of an attack are incredibly important.
That’s why many organizations employ incident response teams. Analysis of an attack
and restoring business operations is key to ensuring that organizations do not fall prey to
the same attack or similar attacker.

While technical issues can be resolved quickly it takes much longer to restore the
public brand perception and customer retention

The old boundaries of cyber security and cyber attacks are disappearing — from the
network perimeter, to end points, the cloud and analyzing the strategies of cybercriminal.
The attackers are exploiting endpoint vulnerabilities and inadequate security controls and
reshaping attacks to evade detection. Proactive information security can help Banks to
mitigate risks before they turn into security breaches.

Cyber risk and risk management

While assessing cyber risk of an organization the critical phase is identifying most critical
assets, identifying most valuable information, identifying the threats and risks facing that
information, and outlining the damage the organization would incur should that data be
lost or wrongfully exposed. Cyber risk assessments should also consider any regulations
that impact the way your organization collects, stores, and secures data,

The risks and opportunities which digital technologies, devices and media bring us are
manifest. Cyber risk is never a matter purely for the IT team, although they clearly play
a vital role. An organization’s risk management function need a thorough understanding
of the constantly evolving risks as well as the practical tools and techniques available to
address them.

12 | P a g e
The five key components of this framework include:

1. Protect valuable data: Organizations should identify their most valuable information
assets, where these assets are located at any given time, and who has access to them.

2. Monitor for cyber risks: Traditional security monitoring approaches typically identify
and react to cyber threats in isolation. Security tools are designed to identify specific
unusual patterns or traffic types, and then alert operational teams to anomalous activity.
Effective cyber-risk monitoring, on the other hand, focuses on building a sustainable and
resilient approach to assess intelligence inputs from various functional teams and to
correlate and dynamically adjust in real time the organization’s risk posture.

3. Understand your “cyber perimeter: Today, a financial institution’s cyber perimeter

extends to locations where data is stored, transmitted, and accessed—by internal
employees and trusted partners. Organizations should ensure they have transparency
into this expanded cyber security perimeter, because any weakness in the perimeter can
become a security vulnerability.

4. Improve cyber intelligence: Most financial institutions’ threat-analysis efforts are

scattered across several functions, physical locations, and systems. This disjointed
nature and lack of a common methodology to leverage intelligence can be a significant
barrier to robust cyber-risk intelligence. To close the gap, organizations should establish
a robust threat-analysis capability that is built on shared intelligence, data, and research
from internal and external sources.

5. Report and take action: A strong governing team with the right knowledge, expertise,
and influence will be necessary to advance cyber security. An effective team can help
ensure that monitoring systems are fluid and capable of precisely responding to cyber
threats, and can empower management to appropriately react.

What Banks are doing?

Banks are protecting their assets from cyber threats by deploying Next Generation
Firewalls, Intruder Protection systems etc. Also Banks have established Security
Operation Centers (SOC) and deployed some tools / measures like

1. SIEM (Security Information and Event Management)

2. Vulnerability assessment / Management

3. NBAD (Network behavior anomaly detection)

4. Anti - APT (Anti Advanced persistent Threat)

5. Anti - DDOS (Distributed Denial of Service)

13 | P a g e
 6. Anti-Phishing, Malware Monitoring

7. PIM (Privilege Identity Management)

8. FIM (File Integrity Management)

9. WAF (Web Application Filtering)

10. Cyber Insurance

11. Involvement of Top Management

12. Staff / customer awareness of cyber security

13. Vulnerability / Penetration Testing

14. Adopting Best Practices and Frameworks

Cyber Law and relevant issues related to banks

The computer-generated world of internet is known as cyberspace and the laws
prevailing this area are known as Cyber laws and all the users of this space come under
the ambit of these laws as it carries a kind of worldwide jurisdiction. Cyber law can also
be described as that branch of law that deals with legal issues related to use of inter-
networked information technology. In short, cyber law is the law governing computers
and the internet.

The growth of Electronic Commerce has propelled the need for vibrant and effective
regulatory mechanisms which would further strengthen the legal infrastructure, so crucial
to the success of Electronic Commerce. All these governing mechanisms and legal
structures come within the domain of Cyber law.

Cyber law is important because it touches almost all aspects of transactions and activities
and on involving the internet, World Wide Web and cyberspace. Every action and reaction
in cyberspace has some legal and cyber legal angles.

Cyber Crime is not defined in Information Technology Act 2000 nor in the National Cyber
Security Policy 2013 nor in any other regulation in India. In fact, it cannot be too. Crime
or offence has been dealt with elaborately listing various acts and the punishments for
each, under the Indian Penal Code, 1860 and quite a few other legislations too. Hence,
to define cyber-crime, one can say, it is just a combination of crime and computer. To put

14 | P a g e
it in simple terms ‘any offence or crime in which a computer is used is a cyber-crime’.
Interestingly even a petty offence like stealing or pick pocket can be brought within the
broader purview of cybercrime if the basic data or aid to such an offence is a computer
or an information stored in a computer used (or misused) by the fraudster. The I.T. Act
defines a computer, computer network, data, information and all other necessary
ingredients that form part of a cybercrime.

In a cyber-crime, computer or the data itself the target or the object of offence or a tool
in committing some other offence, providing the necessary inputs for that offence. All
such acts of crime will come under the broader definition of cyber-crime.

Cyber law encompasses laws relating to:

 Cyber crimes
 Electronic and digital signatures
 Intellectual property
 Data protection and privacy

Need for Cyber Law

In today’s techno-savvy environment, the world is becoming more and more digitally
sophisticated and so are the crimes. Internet was initially developed as a research and
information sharing tool and was in an unregulated manner. As the time passed by it
became more transactional with e-business, e-commerce, e-governance and e-
procurement etc. All legal issues related to internet crime are dealt with through cyber
laws. As the number of internet users is on the rise, the need for cyber laws and their
application has also gathered great momentum.

In today’s highly digitalized world, almost everyone is affected by cyber law. For example:

 Almost all companies extensively depend upon their computer networks and
keep their valuable data in electronic form.
 Government forms including income tax returns, company law forms etc. are
now filled in electronic form.
 Consumers are increasingly using credit/debit cards for shopping.

15 | P a g e
  Most people are using email, phones and SMS messages for communication.
 Even in “non-cybercrime” cases, important evidence is found in computers/cell
phones e.g.: in cases of murder, divorce, kidnapping, tax evasion, organized
crime, terrorist operations, counterfeit currency etc.
 Cybercrime cases such as online banking frauds, online share trading fraud,
source code theft, credit card fraud, tax evasion, virus attacks, cyber sabotage,
phishing attacks, email hijacking, denial of service, hacking, pornography etc.
are becoming common.
 Digital signatures and e-contracts are fast replacing conventional method of
transacting business.
 Almost all transactions in shares are in demat form.

Indian Computer Emergency Response Team (CERT-In) and Centre for Development of
Advanced Computing (CDAC) are involved in providing basic and advanced training of
Law Enforcement Agencies, Forensic labs and judiciary on the procedures and
methodology of collecting, analyzing and presenting digital evidence.

Indian Computer Emergency Response Team (CERT-In) issues alerts, advisories and
guidelines regarding cyber security threats and measures to be taken to prevent cyber
incidents and enhance security of Information Technology systems.

Cyber Laws in India:

In India, cyber laws are contained in the Information Technology Act, 2000 (“IT Act”) which
came into force on October 17, 2000. The main purpose of the Act is to provide legal
recognition to electronic commerce and to facilitate filing of electronic records with the
Government.

Crime based on electronic law-breaking are bound to increase and the law makers have
to go the extra mile compared to the impostors, to keep them at bay. Technology is always
a double-edged sword and can be used for both the purposes – good or bad.
Steganography, Trojan Horse, Scavenging (and even DOS or DDOS) are all technologies
and per se not crimes, but falling into the wrong hands with an illicit intent who are out to
exploit them or misuse them, they come into the array of cyber-crime and become

16 | P a g e
punishable offences. Hence, it should be the tenacious efforts of rulers and law makers
to ensure that technology grows in a healthy manner and is used for legal and ethical
business growth and not for committing crimes.

It should be the duty of the three stake holders viz. i) the rulers, regulators, law makers
and agents ii) Internet or Network Service Suppliers or banks and other intercessors and
iii) the users to take care of information security playing their respective role within the
permitted limitations and ensuring obedience with the law of the land.

Penalty for Offences under IT act.

Section 72 of the IT Act provides for a criminal penalty where a government official
discloses records and information accessed in the course of his or her duties without the
consent of the concerned person, unless permitted by other laws. The penalty
prescribed is imprisonment of up to two years, a fine of up to Rs 100,000 or both.

Section 72A of the IT Act provides for a criminal penalty where in the course of
performing a contract, a service provider discloses personal information without the data
subject’s consent or in breach of a lawful contract and with the knowledge that he or she
will cause or is likely to cause wrongful loss or gain. The punishment prescribed is
imprisonment of up to three years, a fine of up to Rs 500,000 or both.

To conclude we can say that the areas of corporation provide inter alia that both countries
agree to share and implement cyber security best practices, share cyber threat
information on a real-time basis, develop joint mechanisms to mitigate cyber threats,
promote cooperation between law enforcement agencies and improve their capacity
through joint training programs, encourage collaboration in the field of cyber security
research, and Strengthening critical Internet infrastructure in India.

Business Continuity Management

Business Continuity Planning (BCP) & Disaster Recovery Systems (DRS)

Business continuity planning (BCP) refers to the processes and procedures created to
ensure that all mission-critical operations can continue to function in the immediate
aftermath of a disaster with minimal to no downtime.

Why is business continuity planning important

Every organization is at risk from potential disasters that include:

 Natural disasters such as Cyclones, floods, earthquakes Sabotage and fire

accidents
 Power and energy disruptions

17 | P a g e
  Communications, transportation, safety and service sector failure
 Environmental disasters such as pollution and hazardous materials spills
 Cyber-attacks and hacker activity.

Creating and maintaining a BCP helps ensure that an institution has the resources and
information needed to deal with these emergencies.

Purpose of BCP:

 Plan, measure and make arrangements to ensure the continuous delivery of critical
services and products, which permits the organization to recover its facility, data
and assets.
 Identification of necessary resources to support business continuity, including
personnel, information, equipment, financial allocations, legal counsel,
infrastructure protection and accommodations.

BCP should include:

a) The business continuity planning process should include the recovery,

resumption, and maintenance of all aspects of the business, not just recovery of
the technology components;
b) Business continuity planning involves the development of an enterprise-
wide BCP and the prioritization of business objectives and critical operations that
are essential for recovery;
c) Business continuity planning includes the integration of the institution's role
in financial markets;
d) Business continuity planning should include regular updates to the BCP
based on changes in business processes, audit recommendations, and lessons
learned from testing
e) Business continuity planning represents a cyclical, process-oriented approach
that includes a business impact analysis (BIA), a risk assessment,
risk management, and risk monitoring and testing. Business Continuity Planning
Process.

Having a BCP enhances an organization's image with employees, shareholders and

customers by demonstrating a proactive attitude. Additional benefits include improvement
in overall organizational efficiency and identifying the relationship of assets and human
and financial resources to critical services and deliverables.

Creating a business continuity plan

A BCP typically includes five sections:

1. BCP Governance
2. Business Impact Analysis (BIA)
3. Plans, measures, and arrangements for business continuity

18 | P a g e
 4. Readiness procedures
5. Quality assurance techniques (exercises, maintenance and auditing

BCP best practices:

 plans must be updated and tested frequently;

 all types of threats must be considered;
 dependencies and interdependencies should be carefully analyzed;
 key personnel may be unavailable;
 telecommunications are essential;
 alternate sites for IT backup should not be situated close to the primary site;
 employee support (counselling) is important;
 copies of plans should be stored at a secure off-site location;
 sizable security perimeters may surround the scene of incidents involving
national security or law enforcement, and can impede personnel from returning to
buildings;

Bank’s board and senior management are responsible for overseeing the
business continuity planning process. Their roles include

a) Establishing policy by determining how the institution will manage and

control identified risks;
b) Allocating knowledgeable personnel and sufficient financial resources to properly
Implement the BCP;
c) Ensuring that the BCP is independently reviewed and approved at least annually;
d) Ensuring employees are trained and aware of their roles in the implementation of
The BCP;
e) Ensuring the BCP is regularly tested on an enterprise-wide basis;
f) Reviewing the BCP testing program and test results on a regular basis; and
g) Ensuring the BCP is continually updated to reflect the current
operating environment.

Disaster Recovery (DR)

A subset of business continuity planning, disaster recovery is a more technical set of

plans that are tailored to specific groups within an organization. Developed as part of the
business continuity planning process, DR refers to the backup of mission-critical data and
applications (as opposed to personnel and physical locations).

The purpose of having DR is to ensure that organization’s business has the ability to
immediately restore the data and applications that are required to keep its data center,
IT infrastructure and server running. Also it includes specific plans for the backup of
data centers, servers, IT services and technologies that could be damaged in the event
of a disaster.

Whether you opt for a managed disaster hosting service or choose to create and
implement your own in-house processes and procedures, DR requires that all critical data

19 | P a g e
be stored off site and available for immediate restoration after a disaster. Redundancy is
the key to successful DR.

BCP vs. DR

BCP relates more to essential operations, such as how physical infrastructure and
operation processes are recovered. Disaster recovery tends to refer more to the recovery
of systems and technical applications. Whether your business needs both depends on
the scope of your company. A simple way to determine the needed scope is to assess
what goes into the day to day operation of your business. What data, applications, servers
and personnel are critical to operations? Which would cause significant revenue
reductions if lost for hours or days? These are your mission-critical applications and must
be backed up.

The goal of both BCP and DR processes is to ensure that all mission-critical aspects of
your business can be immediately recovered in the aftermath of a disaster. Minimal to
zero downtime is the ideal. The goal of this article is to explain BCP and DR, spotlight the
differences between the two and help businesses determine which is most crucial for their
longevity.

Alternate facilities

If an organization's main facility or Information Technology assets, networks and

applications are lost, an alternate facility should be available. There are three types of
alternate facility:

1. Cold site is an alternate facility that is not furnished and equipped for operation.
Proper equipment and furnishings must be installed before operations can begin,
and a substantial time and effort is required to make a cold site fully operational.
Cold sites are the least expensive option.
2. Warm site is an alternate facility that is electronically prepared and almost
completely equipped and furnished for operation. It can be fully operational within
several hours. Warm sites are more expensive than cold sites.
3. Hot site is fully equipped, furnished, and often even fully staffed. Hot sites can be
activated within minutes or seconds. Hot sites are the most expensive option.

For security reasons, some organizations employ hardened alternate sites. Hardened
sites contain security features that minimize disruptions. Hardened sites may have
alternate power supplies; back-up generation capability; high levels of physical security;
and protection from electronic surveillance or intrusion.

When considering the type of alternate facility, consider all factors, including
threats and risks, maximum allowable downtime and cost.

20 | P a g e
 Typical Disaster recovery planning involves

1. Define Key Assets, Threats and Scenarios

2. Determine the Recovery Window

3. Define Recovery Solutions

4. Draft a Disaster Recovery Plan

5. Establish a Communications Plan and Assign Roles

6. DR Site Planning

7. Accessing Data and Applications

8. Document the Disaster Recovery Plan, In Detail

9. Test the Disaster Recovery Plan

10. Refine and Re-Test the Disaster Recovery Plan

IDRBT Initiatives – IBCART, CISO Forum, Cyber Drill

Institute for Development and Research in Banking Technology [IDRBT] was established
by the Reserve Bank of India in March 1996 as an Autonomous Centre for Development
and Research in Banking Technology.

(Some content about IDRBT may be added here)

Major initiatives of IDRBT in Research and training in Banking IT and IT Security

include

1) Centre of Excellence in Cyber Security

2) Executive Education ,Academic Programs/ Research and Development

3) Cyber Threat Intelligence Platform for Banks (IB-CART)

4) Cyber Security Drills for Banks

5) CISO Forum Meetings for BFSI

6) Publishing of Papers on Frame works , Best Practices and latest Banking

Technologies

21 | P a g e
1. Centre of Excellence in Cyber Security:

The Centre of Excellence in Cyber Security was established in 2013. The Centre serves
as "one stop" resource center for all Cyber Security, Digital Forensics, tools, literature,
and expertise for the banking sector.

Major activities of COE:

A. Cyber Drills for Banks

B. IBCART – Cyber Threat Intelligence Platform for Indian Banks
C. CISO Forum Meetings
D. International Programs
E. International Conferences

2. Executive Education and Development Programs conducted by IDRBT

1) Cyber Frauds, Forensics and Cyber Laws/ Banking Technologies

2) Cyber defense for banks/Cyber Security for Senior Management /Website
Security
3) Customized EDP* on Cyber Security for Top Executives of RBI
4) Customized EDP on Cyber Security for Top Executives of SEBI
5) Customized EDP on Cyber Security for Top Executives of KVB
6) Customized EDP on Cyber Security for Top Executives of Andhra Bank
7) Three Customized EDP on Cyber Security for Top Executives of UBI
8) Certificate Course in Cyber Security
9) Four Customized EDP on Cyber Security for Top Executives of OBC
10) 7 International EDPs along with UB, SUNY, USA.
11) Digital Forensics for banks
12) Vulnerability Assessment and Penetration Testing
13) Vulnerability Assessment and Penetration Testing for Cyber Defence
14) Website Security
15) Malware Analysis

Academic programs:

 IDRBT Post-Doctoral Fellowship: Encourages promising young Ph.D. Scholars

with innovative ideas to work on Institute’s focal areas of research
 Ph. D. Programme: In Computer Science, in collaboration with University of
Hyderabad (Central University); National Institute of Technology, Warangal and
National Institute of Technology, Trichy
 M. Tech. Programme: Unique two-year Programme (with specialization in
Banking Technology and Information Security) in collaboration with University of
Hyderabad since 2001
 Post Graduate Diploma in Banking Technology: One year programme designed
to provide essential learning inputs on technology implementation, integration

22 | P a g e
 and management to meet the changing technology requirements of the Banking
Sector, launched in July 2016.

3. IB-CART

Indian Banks Center for Analysis of Risks and Threats (IB-CART) operations started in
2014. IB-CART portal provides a platform for sharing and viewing incidents /threats/
vulnerabilities maintaining anonymity. Scheduled Commercial Banks and NPCI are
members of IB-CART.

Role and objectives of IB-CART in Cyber Security of Banks

A. To disseminate and foster sharing of relevant and actionable threat information

among members to ensure the continued public confidence in the banking sector.
B. To share and disseminate information associated with physical and cyber events
(incidents / threats / vulnerabilities) and resolution or solutions associated with the
bank's critical infrastructures and technologies.
C. To utilize the sectors' resources (people, process, and technology) to aid the entire
sector with situational awareness and advance warning of new physical and cyber
security events and challenges.
D. To enable infrastructure that enables anonymity and security while capturing and
disseminating information.
E. To conduct research and intelligence gathering to alert the members of evolving
or existing events
F. To support the development of content that is posted to the IB-CART database,
advise on mitigation steps or best practices to members
G. To facilitate cross sector information exchange.

4. Cyber Security Drills

IDRBT conducts Cyber drills for Banks in order to help banks build cyber security
/defense skills. It is open to all member banks and is conducted every quarter (Feb,
May, Aug, and Nov). For every drill, new applications and new attacks are tested and
latest attacks are simulated. Such reports are also discussed during CISO Forum
meetings.

Objectives of the Cyber Drills

A. Enable participating Banks to gauge their attack detection skills

B. Enhance their mitigation capabilities
C. Evaluate the security team’s response to cyber-attacks
D. Test technical competency in dealing with cyber-attacks.
E. Check the effectiveness of tools used to detect the cyber attacks.* EDP
stands for Executive Development Programme

23 | P a g e
 5. CISO Forum Meetings

CISO Forum Meetings are held every quarter at IDRBT and outside IDRBT (normally
hosted by a bank) alternately. At such meets topics of interest are shared among
members and knowledge sharing sessions by experts from industry and academia. The
results of cyber drill and IBCART updates are discussed in the CUG sessions.
Management committee takes decisions related to the Forum, scope, membership,
agenda, priority areas, issues of importance, etc.

6. Publishing of Papers on Frame works, Best Practices and latest Technologies.

IDRBT publishes various research papers on banking technologies contributed by

Domain Experts from researchers and authors of repute. These papers are also made
available on their Website.

Some latest publications on Cyber Security are:

Cyber Insurance for Banks: A Reference Guide, Nov 2017

Handbook on Security Operations Center, Sept 2017

Cyber Security Check List, July 2016

Trends and Techniques in Cyber Security

Cyber Security Trends and How to Respond

Banks will Integrate, standardize and automate real-time enterprise security, fraud and
controls. API Security, Mobile Security and Identity frauds will dominate and replace older
ATM skimming, Web and cheque frauds.

Ensuring compliance with Bank’s rules is not the equivalent of protecting the company
against cyber-attacks, unless the rules integrate a clear focus on security.

Banks are accepting the importance of making the necessary security changes and will
involve the allocation of significantly larger resources to IT (information technology)
departments and initiatives—both in terms of capital and manpower.

Cyber-threats have the power to wipe out huge chunk of business value in a matter of
moments, and banks need to address the gap in IT budgets in tackling this growing risk.
Skilled expert knowledge will be required to effectively tackle the fast-paced dynamics of
cyber security threats—and even then because of the speed of technological development,
it will be hard to keep up. The best shot will come from applying the attention and skill of the
best expertise.

24 | P a g e
An effective cyber security strategy will involve devising a combination of defense, assurance
and resilience. Although outsourcing cyber security can be of huge benefit, there needs to
be a radical change of mind-set across the banking operational infrastructure in tackling
cyber-threats comprehensively A standardized, systematic approach should be set in place
so that each attack is not treated with an ad hoc procedure but with a pre-determined action
plan that has pre-allocated roles and responsibilities in the event of cyber-attacks.

Banks and individuals need to be increasingly vigilant about cyber security, some of the
emerging and continuing trends are:

Ransom ware continues to grow as an attack method

Ransom ware is poised to be a big trend into 2018, with state-sponsored attacks adding fuel
to an already roaring fire. Crime-as-a-Service makes creating attacks easy and cost effective
for criminals. Successful ROI for these attacks means more attacks in future using even more
targeted messaging.

However the profitability of traditional ransom ware campaigns will continue to decline as
vendor defenses, user education, and industry strategies improve to counter them. Attackers
will adjust to target less traditional, more profitable ransom ware targets, including high net-
worth individuals, connected devices, and businesses.

Attacks on the IOT insecure ecosystem

While the Internet of Things can make life easier, it’s a double-edged sword for privacy. The
effectiveness of IOT on a personal level rests on the amount of access connected devices
have to your daily life and your data – but it’s becoming more common in business spaces
too, especially in verticals such as ecommerce.

However, as IOT-enabled devices become more popular, the exposure risk increases
exponentially – and this has already begun.

Using IOTs to drive DDOS attacks, zombie attacks from IOTs, and taking down corporate
IOT devices should be expected in 2018. IOT devices come from many vendors and
are frequently insecure and hard to monitor and control by companies. IOT devices, mobile
Apps, and IOT cloud service providers are all points of vulnerability.

Social Engineering Attacks

AI will be increasingly weaponised by cybercriminals to customize and target social

attacks against users

Use of AI based security to protect and detect is increasing. In 2018 expect AI to be used to
bypass your AI defenses and to create more focused phishing, customized malware and
attack methods.

25 | P a g e
Business Email Compromises (BEC)

Phishing is still a top cyber security threat. New innovative (AI based) phishing messaging
and targeting techniques make these inexpensive attacks more successful than ever.

Business Process Compromises (BPC)

Compromises of corporate business processes for financial gain using social engineering
knowledge continues to power exploits like CEO Fraud.

Hijacking Computers. Hijacking servers, web servers and computers to mine crypto
currency (Crypto-jacking), to generate advertising cash, to use as phishing sites, or as
zombies increases as a security problem.

Insecure Access Control – ID Hijacking

Passwords are insecure and poorly controlled

IOT Devices often have default password after deployment

The move of Apps to the cloud makes secure access control even more important

To mitigate these threats many Banks are moving to Multi-factor authentication like

 Phone based (Soft tokens, text)

 Biometrics
 Automatic Adaptive authentication used by Web portals such as financial, HR,
etc.

Employees\ Vendors are still your weakest link. Most security is designed to try to
prevent outside breaches. Yet, employees are a big risk for companies especially when
they are not properly trained on how to deal with cyber security threats. Rampant use of
social media is increasingly making corporate information available on the web.

Other people in partners, consultants, suppliers, customers also can be serious threats to
your security

Cloud Data Center and Cloud Application Security.

Breaches of cloud infrastructures is likely to be a big negative surprise to many companies

in 2018. As more and more of our infrastructure moves to trusted 3rd party providers who
host our systems and data in the cloud, can we expect adequate security increased
adoption of the cloud equals increased risk?

According to McAfee’s report 73 percent of the companies profiled were planning to move
to a fully software-defined data center within two years – which means the cloud will be a
prime target for attackers.

26 | P a g e
Poor configuration, poor maintenance, and a lack of understanding of where responsibilities
lie may lead to organization-wide breaches.

If your organization is moving to the cloud, ensure that you create a security policy, encrypt
your files, enhance authentication processes, and stay on top of new trends without taking
personal responsibility for our data?

BYOD and cloud will redefine the perimeter security

With the pervasiveness of BYOD, cloud and the mobile workforce it has become very clear
that there is no longer a perimeter that can be statically determined, and established
enterprise security architectures are due for an overhaul. With a dynamic perimeter that
needs to meet business requirements in terms of agility, flexibility, productivity and risk, many
companies will look towards the new Zero Trust network models as well as security from the
Application level rather than at a network level. Visibility, real-time alerting as well as SOC
team up-skilling will be paramount for the transition.”

Cyber security solution areas for the evolving cyber Threats.

Independent Risk Assessments. A complete look at your goals, security controls, and
needs can reveal the best way to utilize your budget. Over-spending on one area and ignoring
another key area can result in exploits of the “weakest link”. Companies that ignore areas
like employee training, SIEMs, advanced malware solutions or multi-factor authentication feel
secure, but are setting themselves up for some type of security breach.

Employee training is key. Having great security tools can’t negate employee risks from
being improperly trained.

Gateway security. Advanced email security, web security, and firewalls are needed to
protect against malware, phishing, and hackers. Integrated Next-Gen solutions are
recommended.

AI machine learning cyber security. AI based network and endpoint security is an

important addition to your traditional security. Just know that this security alone is not
sufficient by itself and the hackers are using AI to attack holes in your security.

Multi-factor authentication. Both human process authentication and MFA digital security
solutions are required to combat credential theft, CEO fraud and phishing attacks.

Integrated intelligence. Solutions that integrate information from endpoints, networks, real-
time security data feeds is important to correlate and analyze information looking for
indications of compromise. Solutions include APT, SIEM, Threat feeds, and AI data
collectors.

Backup and Disaster Recovery (BDR). A good backup that can instantly recover your
servers and data makes up for a lot of other sins. Onsite, offsite, data, systems, and frequent
testing are all key elements of a good BDR policy.

27 | P a g e
Cloud Security Solutions. Data center and cloud application security needs to be treated
as seriously as firewalls and endpoint security. These are potentially weak spots and can
result in lost, compromised or corrupted data, websites, or servers.

How will banks combat cybercrime in the future?

Compared to today, the secure bank of the future will use more machine-learning technology
and systems to proactively prevent potential breaches and data loss.

In other words, we will see more ‘attack as the best form of defense.’ They will also defend
the sensitive data they hold at every potential access point, regardless of whether that is a
mobile device, internal network, connected internet of things device, through a website,
through an app etc. And of vital importance, they will all then add more protection to the
databases themselves that hold the key to the information the criminals are after.

So, we will see proactive prevention, and more unique layers of defense to protect what the
banks value the most.

Information and commit crimes, creating a culture of continuous and consistent awareness
of threats is essential. Regular team meetings about cyber security is required to ensure that
employees understand how to keep data secure. Cyber-attacks come in many different forms
and are always evolving, so everyone needs to be kept up to date on what to look out for.

Internal processes need to be in place to ensure that this security culture. Firstly, Banks
need to ensure that cyber security awareness and Bank’s security procedures are well
established during the employee induction and training process. Employees need to be made
aware of the cyber risks they face in their role so they know what to look out for, but they also
need to know what measures are in place to protect them if they make a mistake so they
don’t feel under pressure to be the last line of defense.

In view of the multiplicity of cyber-attacks in nature and in volume, Banks may seek engage
external teams of cyber security experts and simultaneously develop internal cyber security
team.

Staff should be encouraged through competitions quizzes and incentives for Cyber Security
related courses. Often encouraging an employee for reputed Cyber Security certification
empowers him better than an in-house training.

Consumers access the Banking services from a wide range of devoices and yet they want
the assurance from the bank that their financial information will be protected, regardless of
how it’s accessed. The banks have reputation, brand and highly sensitive personal data to
protect, and they are taking it very seriously'

RBI - Cyber security framework, regulatory measures

RBI has also set up a Cyber Crisis Management Group to address any major incidents
reported including suggesting ways to respond.

28 | P a g e
(iii) Based on market intelligence and incidents reported by the banks, advisories, alerts
are issued to the banks for sensitizing them about the threat & to enable them to take
prompt preventive/corrective action.

(iv) CSITE Cell conducts cyber security preparedness testing among banks on the basis
of hypothetical scenarios with the help of CERT-In.

(v) CSITE Cell carries out IT Examination of banks separately from the regular financial
examination of the banks since 2015 to assess their cyber resilience

(vi) An inter-disciplinary standing committee on cyber security has been constituted to

reviews, inter alia, the threats inherent in the existing/emerging technology and
suggests appropriate policy interventions to strengthen cyber security and resilience.

(vii) In off-site monitoring, a number of periodic/ad-hoc returns are evaluated to assess

the effectiveness of cyber security preparedness of banks

(viii) KRIs have been developed to assess the cyber security posture of banks in an
objective manner

(ix) RBI has set up an IT Subsidiary, which, inter alia focuses on cyber security within
RBI as well as in regulated entities

(x) RBI co-ordinates with GOI on various fora, committees including setting up of CERT-
FIN.

(xi) Introduced CSAP (Cyber Security controls Augmentation Plan). Discussion with ED
concerned of the bank for ITE reports.

29 | P a g e
Cyber Security Framework is a guide for businesses and enterprises of good practices
for information security. Cyber security framework gives enterprises and businesses the
possibility of applying the principles and the best practices of risk management to
upgrade security and resilience of critical infrastructure. It provides organization and
structure for the different insights of our time, with the best practices already adopted
across the industry.

The Framework is an approach based on risk to manage cyber security risks and is
composed of three parts: Framework Core, Framework Implementation Tiers, and
Framework Profiles. Each part of the component of the Framework enforces the
connection between business owners and the activities of cyber security. In its
composition, the Framework Core has five concurrent functions and continuous:

Identity,

a. Identify
b. Protect
c. Detect
d. Respond
e. Recover

When placed together these functions give a strategic approach to the high level of the
life cycle of risk management for cyber security of an organization. The Framework

30 | P a g e
Implementation Tiers gives the context in which an organization understands the risk of
cyber security and the processes established to manage that risk.

1. Regulatory support and supervision

The RBI had first notified the Cyber Security Framework (‘Framework’) in Banks in June
2016. The Framework was a successor to broad guidelines on information security and
cyber frauds which had been issued in line with the recommendations of the Working
Group on Information Security, Electronic Banking, Technology Risk Management and
Cyber Frauds in 2011.

Reserve Bank of India also directed banks to implement a security policy containing
detailing their strategy to for dealing with cyber threats and including tangible “cyber-
hygiene” measures.

The Framework is aimed at gearing up Banks towards minimizing data breaches and
implementing immediate containment measures in the event of such breaches. It
emphasizes the urgent need to put in place a robust cyber security and resilience
framework and to ensure continuous cyber security preparedness among banks. The
Framework also mandates the adoption by banks of a distinct cyber security policy to
combat threats in accordance with “complexity of business and acceptable levels of risk”
within a set deadline. Further, the Framework requires the earliest setting up of Security
Operations Centers (SOC) within banks for continuous surveillance; disallowing
unauthorized access to networks and databases; protection of customer information; and
the evolution of a cyber-crisis management plan

RBI had created a cyber-cell under the department of banking supervision and conducted
a separate IT audit of banks covering each bank for separate cyber-security and IT audit.
RBI is also has done a gap analysis on the basis of the reports and asked banks to bridge
the gaps. The Indian Government has announced the formation of a sectoral Computer
Emergency Response Team for Finance (Cert-Fin).

The Government may encourage forming of larger body of stakeholders, including banks,
finch start-ups, cyber security companies, and academic institutions who can jointly fund
advanced research and even incubate cyber security solutions on a co-creation basis.
Also the threat incidents and intelligence should be shared among them to combat
Cybercrimes collectively.

The RBI has also identified the need to evolve a framework for co-ordination and
information sharing between financial institutions and public authorities in the event of
cyber-attacks. To this end, the RBI recently appointed its first information security officer
and has formalized a sectoral sharing interface called the Indian Banks- Centre for
Analysis of Risks and Threats (IB-CART).

31 | P a g e
 There is a visible apathy from Banks to publicize or report the Cyber Incidents. The
Ministry for Electronics and Information Technology has also formally urged banks to co-
operate with the CERT-In for carrying out audits and other measures to strengthen their
cyber security systems. RBI also issued an ultimatum to banks, requiring them to report

Building Security Awareness Program

1. Rotate Key Messages as Monthly Themes Throughout the Year

2. Customize a Security Awareness Website
3. Develop and Brand Campus-Specific Posters and Videos
4. Develop and Brand a Campus-Specific Security (Awareness) Newsletter
5. Develop or Outsource Training Materials
6. Build Relationships (Internal and External)
7. Communicate Policies and Procedures
8. Send Community Alerts as Needed (Use Credible Sources; Keep Messages Short and
Simple)
9. Create and Deliver Presentations
10. Tie-in Institution or IT-Specific Glossaries Where Acronyms are Defined

Acknowledgements

www.rapid7.com

www.paloaltonetworks.com

http://whatis.techtarget.com

https://economictimes.indiatimes.com

www.skyboxsecurity.com

http://www.zdnet.com

www.webopedia.com

32 | P a g e
Cyber Security Drivers
Threats and vulnerabilities

Counterfeiting

Denial of service

Eaves dropping

33 | P a g e
Buffer overflow

Malicious modification

Password based attacks

Man in the middle attacks

Phishing

Security Controls

Physical security

Data Protection

Building Security Resiliency

Identity access Management Compliance

Regulatory Compliance

End point protection

Building Trust and Safety

Security monitoring and analytics

2. Conclusion
Technology help Banks to compete with their peers in offering latest products for their
customers and also reduce the cost of transactions and improve their ROI and in turn the
bottom line. In the name of Cyber threats Banks cannot isolate from the financial eco
system of the world and stay hyper connected and need to continue offering state of the
art technologies to the customers.
The resilience of our banking infrastructure against cyber-attacks will depend on co-
ordinated action from all stakeholders. The Cyber Security Framework must be strictly
implemented in a timely manner, with regular audits to ensure comprehensive
compliance. Cyber security at banks and financial institutions needs to be prioritised as
part of the design architecture and must not remain restricted to reactive fire fighting
during crises. Cyber security solutions must be deliberately designed to enable stemming
of cyber-attacks in real time

Further, the Information Technology Act, 2000 is also needs to be reviewed to counter
the increased security risks.

34 | P a g e
Evolving security threats, both internal and external, require the use of new controls, latest
methods and sophisticated advanced security tools to protect all transaction activities and
data. Multifaceted and layered security tools and procedures strengthen any institution‘s
efforts in combating against these threats by providing multiple automated barriers at
different levels. Hence, it is important to ensure that security practices are stringent by
utilising a strong, multi-layered security strategy, including the use of best of the security
tools.

In the banking and payment system, a strong security strategy requires that all high-risk
transactions be reviewed and authorised by the customer, and that the payment system
network uses industry-standard practices to validate the legitimacy of those transactions.
A layered security policy should also take into consideration where sensitive data is
stored, human resources, and the physical assets of the organization, including laptops,
tablets, printers, scanners, mobile phones, Wi-Fi and access to all other facilities.

Mobile security is really about risk and identity management

Indian banking industry has successfully enabled mobile banking for large customer
bases. As customers are free for anywhere, anytime banking, it became necessary that
strong controls are put in place for mobile browsing as well as the apps by the security
managers and experts.

Mobile security was an essential part of a mobility strategy, and every enterprise needed
one. Today, not so much.

"Security is a response to risk. Identity is a response to a need, and unless that need is
clearly understood, and actually expressed as something that the business wants to
address, then you're screwed."

Of course, technology can't remove all of the risk associated with mobile devices. And
the loss or theft of unattended mobile devices continues to be a real problem.

Security professionals will still need to configure their systems properly, patch for
vulnerabilities, and monitor their systems for anomalous behavior.

Social Media Threats and policy.

Indiscriminate sharing of official data like circulars, internal communications over social
media is on the rise and every Bank should have a Social Media Policy describing and
discouraging acts like.

 • Misuse of confidential information

 • Misrepresenting the views of the business
 • Inappropriate non-business use
 • Disparaging remarks about the business or employees

35 | P a g e
Data Theft
Hackers can target Business, Government , Home users or System Integrators for data
theft like Client information, Bulk-data containing personal information about the public
Intellectual property Staff information National security information Social media
accounts • Email accounts • Banking logins Personal information including photos and
personal files Client network information Direct access to client networks Network
security architecture details Access to global corporate networks Customer passwords

Compared to today, the secure bank of the future will use more machine-learning
technology and systems to proactively prevent potential breaches and data loss.
While over focussing on cyber security Banks should not forget to monitor the
transactions through FRM solutions to identify fraudulent transactions.
.
Threat Prevention automatically stops vulnerability exploits with IPS capabilities, offers
in-line malware protection, and blocks outbound command-and control-traffic. When
combined with Wild fire and URL Filtering, organizations are protected at every stage of
the attack lifecycle, including both known and zero-day threats.
Distributed Denial of Service activity will remain a threat to internet-connected systems
for the foreseeable future. The means and mechanisms may change, but it will remain an
enduring threat with demonstrated utility for state, criminal and issue motivated groups.
DDOS activities can be disrupted at several points and a coalition of stakeholders may
contribute to mitigating the threat
Banks need to make third-party risk management a priority if they are to avoid similar
attacks. They must find their weaknesses and tighten policies, to prevent sub-standard
security measures and systems providing the gateway for major exposures.
Linking of all payment and financial messaging systems with core banking is essential.
This helps centralised monitoring and escalation of suspicious events to the monitoring
officials.
Limits on transactions and adding a higher layer for approval at central level.
Straight through processing helps avoiding manual errors and manipulation of data.
The measures suggested for implementation by RBI are not final. Banks need to pro-
actively create/fine-tune/modify their policies, procedures and technologies based on new
developments and emerging concerns.

Going forward, every IOT device should ship with an updated kernel/firmware and include
the ability to regularly update as new vulnerabilities are found. At the same time, anyone
who deploys an IOT device needs to take the time to change the default user/password
combination (if available) and constantly be on the lookout for suspect network activity.

36 | P a g e
Finally, developers should seriously consider making default password change a
requirement upon initial deployment of the device.
The Internet of Things is going to stay and so are the attacks on such devices. With just
a bit of care during setup and a constant watchful eye on your network, you can prevent
security breaches by way of IOT devices.
In order to accurately prioritize remediation, organizations have to keep up with the threat
landscape as it evolves. As trends in vulnerabilities, exploits and threat shift, so too must
defence strategies. From WannaCry to NotPetya to the Equifax data breach, it’s clear
that intelligence — and taking proactive measures based on that intelligence can make
the difference between an intrusion and a damaging cyber-attack or data breach.
Systematically incorporating threat intelligence in your vulnerability management and
overall security management program is key to directing efforts in the right place.
Correlating information of your vulnerabilities, assets, network topology and security
controls with intelligence of the current threat landscape will ensure resources are
focused on risks most likely to be exploited by an attacker.
With the growing number of cyber-attacks, IT security budget constraints, and the
challenge of finding people with the necessary cyber security skills, it should come as no
surprise that Banks may look for managed security services (MSSPs) to guide
implementations and help respond to attacks has been growing in recent years.
The emphasis is on training and simulation, so that everybody knows how to react in case
of an incident.
IT development and cyber security are two different fields. Cyber security is not a
technology problem. It is your business continuity problem. If technology, processes and
people work together, the system works well. If one of them misbehaves, there is a threat
to business.
Customer perceptions also keep changing, with the younger lot having a different view of
privacy. This makes it difficult for the regulator. But the RBI has taken up the challenge
and is trying to keep ahead of the curve.
Concerns arising from frauds and cyber-attacks remain elevated with the recent global
ransom ware attacks.” In an increasingly interconnected India, where everything is linked
with Aadhaar, which comes with its own set of issues, banks should be more vigilant in
protecting customers from cyber risks.
The establishment of an IT subsidiary by RBI is a welcome step not only for the BFSI
sector but also for IT security solutions providers like Quick Heal, as it will ensure better
compliance with regulations to prevent data theft and to check financial fraud.
New technologies are always targeted by cyber criminals and hence new products need
to be launched after proper testing and security should be built in to the application
development process. Regulatory or qualified third party sand boxing will help reduce the
risks.

37 | P a g e
Acknowledgements
www.rapid7.com
www.paloaltonetworks.com
http://whatis.techtarget.com
https://economictimes.indiatimes.com
www.skyboxsecurity.com
http://www.zdnet.com
https://searchsecurity.techtarget.comwww.webopedia.com
https://searchsoftwarequality.techtarget.com

38 | P a g e
Cyber Security
Glossary
Cyber Security Glossary
Access control
The process of granting or denying specific requests for or attempts to obtain and use
information and related information processing services and enter specific physical
facilities.

Active Directory
Active directory stores information about its users and can act in a similar manner to a
phonebook. This allows all of the information and computer settings about an organization
to be stored in a central, organized database.

Advanced Persistent Threat (APT)

Advanced Persistent Threats, or APTs, are long, directed cyber-attacks that are most
often state sponsored. These types of attacks usually begin with a network probe. An
organization or individual illegally, and surreptitiously, accesses an organization’s local
area network or internal internet.

Adware
Adware is software distributed to the user free of cost with advertisements embedded into
them. As such, it displays advertisements, and redirects your queries to sponsor’s
websites. Adware helps advertisers collect data for marketing purposes, without your
permissions to do so. A user can disable ad pop-ups by purchasing a registration key.

Attack surface
The set of ways in which an adversary can enter a system and potentially cause damage.
An information system's characteristics that permit an adversary to probe, attack, or
maintain presence in the information system.

Audit Trail
A record showing who has accessed an Information Technology (IT) system and what
operations the user has performed during a given period. It is a chronological record that
reconstructs and examines the sequence of activities surrounding or leading to a specific
operation, procedure, or event in a security relevant transaction from inception to final
result.

Authentication
Security measure designed to establish the validity of a transmission, message, or
originator, or a means of verifying an individual’s authorization to receive specific
categories of information.

Baseline Security
The minimum security controls required for safeguarding an IT system based on its
identified needs for confidentiality, integrity, and/or availability protection

39 | P a g e
Baseline Configuration
A set of specifications for a system, or Configuration Item (CI) within a system, that has
been formally reviewed and agreed on at a given point in time, and which can be changed
only through change control procedures. The baseline configuration is used as a basis
for future builds, releases, and/or changes.

Bot
A computer connected to the Internet that has been surreptitiously / secretly compromised
with malicious logic to perform activities under remote the command and control of a
remote administrator. A member of a larger collection of compromised computers known
as a botnet.

Business Continuity Plan (BCP)

A Business Continuity Plan is the plan for emergency response, backup operations, and
post-disaster recovery steps that will ensure the availability of critical resources and
facilitate the continuity of operations in an emergency situation.

Business Impact Analysis (BIA)

The process of analyzing an organization’s business to determine the impact of a loss or
disruption of service. A Business Impact Analysis determines what levels of impact to a
system are tolerable.

Biometrics
A measurable, physical characteristic or personal behavioral trait by a human being that
is used to recognize the identity, or verify the claimed identity, for authentication purposes.
Example: Facial images, fingerprints, handwriting samples, etc.

Botnet
A group of computers that have the same bot installed, that can communicate with and
control each other, and are usually used for malicious activities (create and send spam
email, propagate malicious software, or other cyber-attack).

Behaviour monitoring
Observing activities of users, information systems, and processes and measuring the
activities against organizational policies and rule, baselines of normal activity, thresholds,
and trends.

Blue Team
A group that defends an enterprise's information systems when mock attackers (i.e., the
Red Team) attack, typically as part of an operational exercise conducted according to
rules established and

Certification Authority (CA)

A trusted entity that issues and revokes public key certificates. Certification Authority in a
public key infrastructure (PKI) that is responsible for issuing certificates and exacting
compliance to a PKI policy.

40 | P a g e
For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and
verifies the identity of the holder of the digital certificate.
Cipher text
Cipher text is also known as encrypted or encoded information because it contains a form
of the original plaintext that is unreadable by a human or computer without the proper
cipher to decrypt it. Decryption, the inverse of encryption, is the process of turning cipher
text into readable plaintext

Certification Authority (CA)

A trusted entity in a public key infrastructure that is responsible for issuing and revoking
certificates.

Cloud Computing – A model for enabling on-demand network access to a shared pool
of configurable IT capabilities/ resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management
effort or service provider interaction. It allows users to access technology-based services
from the network cloud without knowledge of, expertise with, or control over the
technology infrastructure that supports them. This cloud model is composed of five
essential characteristics (on-demand self-service, ubiquitous network access, location
independent resource pooling, rapid elasticity, and measured service); three service
delivery models (Cloud Software as a Service [SaaS], Cloud Platform as a Service
[PaaS], and Cloud Infrastructure as a Service [IaaS]); and four models for enterprise
access (Private cloud, Community cloud, Public cloud, and Hybrid cloud).

Critical infrastructure
The systems and assets, whether physical or virtual, so vital to society that the incapacity
or destruction of such may have a debilitating impact on the security, economy, public
health or safety, environment, or any combination of these matters.

Cryptanalysis
The operations performed in defeating or circumventing cryptographic protection of
information by applying mathematical techniques and without an initial knowledge of the
key employed in providing the protection.

Cryptography
The use of mathematical techniques to provide security services, such as confidentiality,
data integrity, entity authentication, and data origin authentication. The art or science
concerning the principles, means, and methods for converting plaintext into cipher text
and for restoring encrypted cipher text to plaintext.

Cyber Warfare
An armed conflict conducted in whole or part by cyber means, or military operations
conducted to deny an opposing force the effective use of cyberspace systems and
weapons in a conflict. Cyber Warfare (CW) includes cyber-attack, cyber defense, and
cyber-enabling actions.

41 | P a g e
Cyberspace
A global domain within the information environment consisting of the interdependent
network of information systems infrastructures including the Internet, telecommunications
networks, computer systems, and embedded processors and controllers.

Cracker
The preferred term used to refer to a computer criminal who penetrates a computer to
steal information or damage the program in some way

Crawler
A web crawler is an internet bot that systematically browses the World Wide Web, typically
for the purpose of web indexing. It is also called a web spider.

Cyber terrorism
It is the disruptive use of information technology by terrorist groups to further their
ideological or political agenda. This takes the form of attacks on networks, computer
systems and telecommunication infrastructures.

Cyber warfare
Cyber warfare involves nation-states using information technology to penetrate another
nation’s networks to cause damage or disruption. In the U.S. and many other nations,
cyberwar fare has been acknowledged as the fifth domain of warfare (following land, sea,
air and space). Cyberwar fare attacks are primarily executed by hackers who are well-
trained in exploiting the intricacies of computer networks, and operate under the auspices
and support of nation-states.

Cyberespionage is the practice of using information technology to obtain secret

information without permission from its owners or holders. Cyberespionage is most often
used to gain strategic, economic, political or military advantage, and is conducted using
cracking techniques and malware.

Cyberbullying: This is very similar to bullying at school however the bullying takes place
online. It ranges from threatening email messages, slanderous information posted on the
internet, to embarrassing videos and photo’s being shared with the world.

Critical infrastructure
The systems and assets, whether physical or virtual, so vital to society that the incapacity
or destruction of such may have a debilitating impact on the security, economy, public
health or safety, environment, or any combination of these matters.

Cybersecurity
The activity or process, ability or capability, or state whereby information and
communications systems and the information contained therein are protected from and/or
defended against damage, unauthorized use or modification, or exploitation.

42 | P a g e
Cyberspace
Cyberspace refers to the virtual computer world, and more specifically, is an electronic
medium used to form a global computer network to facilitate online communication. It is
a large computer network made up of many worldwide computer networks that employ
TCP/IP protocol to aid in communication and data exchange activities

Defense-in-Depth – Information security strategy integrating people, technology, and

operations capabilities to establish variable barriers across multiple layers and
dimensions of the organization.

Degauss – Procedure that reduces the magnetic flux to virtual zero by applying a reverse
magnetizing field. Also called demagnetizing. SOURCE: CNSSI-4009

Demilitarized Zone (DMZ)

A network between an organisation’s internal network and the public network (Internet)
that hosts externally facing services such as web servers or email.

Denial of Service (DoS) – The prevention of authorized access to resources or the

delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours,
depending upon the service provided.)

Data aggregation
The process of gathering and combining data from different sources, so that the combined
data reveals new information. The new information is more sensitive than the individual
data elements themselves and the person who aggregates the data was not granted
access to the totality of the information.

Data Encryption Standard (DES)

A widely-used method of data encryption using a private (secret) key. For each given
message, the key is chosen at random from among this enormous number of keys. Like
other private key cryptographic methods, both the sender and the receiver must know
and use the same private key.

Digital Forensics
The application of science to the identification, collection, examination, and analysis of
data while preserving the integrity of the information and maintaining a strict chain of
custody for the data.

Data breach
The unauthorized movement or disclosure of sensitive information to a party, usually
outside the organization, that is not authorized to have or see the information.

Data integrity
The property that data is complete, intact, and trusted and has not been modified or
destroyed in an unauthorized or accidental manner.

43 | P a g e
Digital forensics
The processes and specialized techniques for gathering, retaining, and analyzing system-
related data (digital evidence) for investigative purposes. It is a cybersecurity work where
a person: Collects, processes, preserves, analyzes, and presents computer-related
evidence in support of network vulnerability, mitigation, and/or criminal, fraud,
counterintelligence or law enforcement investigations.

Data loss prevention DLP

A set of procedures and mechanisms to stop sensitive data from leaving a security.
Boundary. DLP is a strategy for making sure that end users do not send sensitive or
critical information outside the corporate network. The term is also used to describe
software products that help a network administrator control what data end users can
transfer.

Data mining
The process or techniques used to analyse large sets of existing information to discover
previously unrevealed patterns or correlations.

Domain Hijacking
Domain hijacking is an attack by which an attacker takes over a domain by first blocking
access to the domain's DNS server and then putting his own server up in its place.

Domain Name
A domain name locates an organization or other entity on the Internet. For example, the
domain name "www.sans.org" locates an Internet address for "sans.org" at Internet
point 199.0.0.2 and a particular host server named "www". The "org" part of the domain
name reflects the purpose of the organization or entity (in this example, "organization")
and is called the top-level domain name. The "sans" part of the domain name defines
the organization or entity and together with the top-level is called the second-level
domain name.

Domain Name System (DNS)

The domain name system (DNS) is the way that Internet domain names are located and
translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-
remember "handle" for an Internet address.

Domain: On a local network the Domain is a group of computers that is run by at least
one server (domain server) so that a set of policies (computer rules telling the computer
who is allowed to do what) is permeated (passed) throughout the whole network in a quick
and easy fashion.

Digital Certificates An electronic document that contains a set of data that uniquely
identifies an entity that includes the subject's public key and other identifying information
about the subject. The certificate is
Digitally signed by a Certification Authority (CA) to bind the key and subject identification
together.

44 | P a g e
Digital signature
A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software or digital document. The digital equivalent of a
handwritten signature or stamped seal, a digital signature offers far more inherent
security, and it is intended to solve the problem of tampering and impersonation in digital
communications.

Disaster recovery planning is a process that includes performing risk assessment,

establishing priorities, developing recovery strategies in case of a disaster. Banks should
have a concrete plan for disaster recovery to resume normal business operations as
quickly as possible after a disaster

Distributed denial of service DDOS a denial of service technique that uses numerous
systems to perform the attack simultaneously.

Encryption In cryptography, encryption is the process of encoding messages (or

information) in such a way that hackers cannot read it, but the authorised users can
access it.

Eavesdropping
Eavesdropping is simply listening to a private conversation which may reveal information
which can provide access to a facility or network.

Firewall
A firewall is a network security system designed to prevent unauthorized access to or
from a private network. Firewalls can be implemented as both hardware and software, or
a combination of both. Firewall is a gateway that limits access between networks in
accordance with local security policy.

Hacker
An unauthorized user who attempts to or gains access to an information system.
Generally, a hacker is a person who breaks into or subverts information systems for
malicious/destructive intent, or personal gain. However, there are also hackers who have
a positive or ethical usage.

Hardening
Hardening is the process of identifying and fixing vulnerabilities on a system.

Honey pot Programs that simulate one or more network services that you designate on
your computer's ports. An attacker assumes you're running vulnerable services that can
be used to break into the machine. A honey pot can be used to log access attempts to
those ports including the attacker's keystrokes. This could give you advanced warning of
a more concerted attack.

Hot Site An alternate facility that has the equipment and resources to recover the
business functions affected by the occurrence of a disaster. Hot-sites may vary in type of
facilities offered (such as data processing, communication, or any other critical business

45 | P a g e
functions needing duplication). Location and size of the hot-site will be proportional to the
equipment and resources needed.

Incident
An occurrence that actually or potentially results in adverse consequences to (adverse
effects on) (poses a threat to) an information system or the information that the system
processes, stores, or transmits and that may require a response action to mitigate the
consequences. An occurrence that constitutes a violation or imminent threat of violation
of security policies, security procedures, or acceptable use policies.

The internet of things (IoT) is a system of interrelated computing devices, mechanical

and digital machines, objects, animals or people that are provided with unique identifiers
(UIDs) and the ability to transfer data over a network without requiring human-to-human
or human-to-computer interaction.

Intrusion detection
The process and methods for analyzing information from networks and information
systems to determine if a security breach or security violation has occurred.

Intrusion Detection System (IDS) An intrusion detection system is a system that

monitors network traffic for suspicious activity and issues alerts when such activity is
discovered. While anomaly detection and reporting is the primary function, some intrusion
detection systems are capable of taking actions when malicious activity or anomalous
traffic is detected, including blocking traffic sent from suspicious IP addresses.

Intrusion Prevention System (IPS) Intrusion prevention is a preemptive approach to

network security used to identify potential threats and respond to them swiftly. Like an
intrusion detection system (IDS), an intrusion prevention system (IPS) monitors network
traffic. However, because an exploit may be carried out very quickly after the attacker
gains access, intrusion prevention systems also have the ability to take immediate action,
based on a set of rules established by the network administrator

Malware It a software that disrupts normal computer functions or sends a user’s personal
data without the users authorisation

Key logger
A program that records the keystrokes on a computer. It does this by monitoring a user's
input and keeping a log of all keys that are pressed. The log may be saved to a file or
even sent to another machine over a network or the Internet. Key logger programs are
often deemed spyware because they usually run without the user knowing it. They can
be maliciously installed by hackers to spy on what a user is typing.

Least Privilege
Least Privilege is the principle of allowing users or applications the least amount of
permissions necessary to perform their intended function.

46 | P a g e
Lightweight Directory Access Protocol (LDAP)
A software protocol for enabling anyone to locate organizations, individuals, and other
resources such as files and devices in a network, whether on the public Internet or on a
corporate Intranet.

Machine learning
A field concerned with designing and developing artificial intelligence algorithms for
automated knowledge discovery and innovation by information systems.

Macro virus
A type of malicious code that attaches itself to documents and uses the macro
programming capabilities of the document’s application to execute, replicate, and spread
or propagate itself.

Malicious applet
A small application program that is automatically downloaded and executed and that
performs an unauthorized function on an information system.

Malicious code
Program code intended to perform an unauthorized function or process that will have
adverse impact on the confidentiality, integrity, or availability of an information system.
Includes software, firmware, and scripts.

Multi-factor Authentication
The use of two or more authentication factors to validate an identity. Authentication
factors are pieces of information unique to an individual and are typically classified as:

1) Something the user has (e.g. id card, token, certificate);

2) Something the user knows (e.g. password, PIN, phrase or code);
3) Something the user is (fingerprint, retinal pattern, voice print, signature, or other
biometric identifier);
4) Somewhere the user is (GPS coordinates, inside a controlled room)

This is commonly referred to as two-factor authentication, because the general practice

is to use two of the above four items to identify and authenticate a user. Example:
requiring a: hardware token & PIN for remote access, fingerprint & password for logon,
bank card & PIN for ATM

NAT
Network Address Translation. It is used to share one or a small number of publicly
routable IP addresses among a larger number of hosts. The hosts are assigned private
IP addresses, which are then "translated" into one of the publicly routed IP addresses.
Typically home or small business networks use NAT to share a single DLS or Cable

47 | P a g e
modem IP address. However, in some cases NAT is used for servers as an additional
layer of protection.

NBAD (Network behavior anomaly detection)

NBAD is the continuous monitoring of a network for unusual events or trends. NBAD is
an integral part of network behavior analysis (NBA), which offers security in addition to
that provided by traditional anti-threat applications such as firewalls, intrusion detection
systems, NBAD solutions can also monitor the behavior of individual network subscribers.
In order for NBAD to be optimally effective, a baseline of normal network or user behavior
must be established over a period of time. Once certain parameters have been defined
as normal, any departure from one or more of them is flagged as anomalous.

Non-Repudiation
Non-repudiation is the ability for a system to prove that a specific user and only that
specific user sent a message and that it hasn't been modified. Non-Repudiation is an
assurance that the sender of information is provided with proof of delivery and the
recipient is provided with proof of the sender’s identity, so neither can later deny having
processed the information.

Off-Site Storage Facility

A secure location, remote from the primary location, at which backup hardware, software,
data files, documents, equipment, or supplies are stored.

Open Source Software (OSS)

Software that makes the underlying source code available to all users at no charge. Linux
is the example of open source software.

Passive attack
An actual assault perpetrated by an intentional threat source that attempts to learn or
make use of information from a system, but does not attempt to alter the system, its
resources, its data, or its operations.

Penetration Testing
The security-oriented probing of a computer system or network to seek out vulnerabilities
that an attacker could exploit, which could include an exploration of the security features
of the system in question, followed by an attempt to breach security and penetrate the
system or network.
Perimeter Security A network protection or defense design where security devices, such
as firewalls, are positioned to inspect and interdict network traffic from external untrusted
networks as it attempts to pass to internal protected networks.
Phishing
Tricking individuals into disclosing sensitive personal information through deceptive
computer-based means, such as through specially crafted emails. It is the use of e-mails
that appear to originate from a trusted source to trick a user into entering valid credentials
at a fake website. Typically the e-mail and the web site looks like they are part of a bank
the user is doing business with.

48 | P a g e
Privileged identity management (PIM) is the monitoring and protection of super user
accounts in an organization’s IT environments.
Oversight is necessary so that the greater access abilities of super control accounts are
not misused or abused. Unmanaged super user accounts can lead to loss or theft of
sensitive corporate information, or malware that can compromise the network. Super user
accounts, such as those for database administrators (DBAs), CIOs and CEOs, have
typically been very loosely governed. Identity management software often leaves super
user accounts totally uncontrolled while enabling advanced privileges on the corporate
network

Ping of Death
An attack that sends an improperly large ICMP echo request packet (a "ping") with the
intent of overflowing the input buffers of the destination machine and causing it to crash.

Port Scan
A port scan is a series of messages sent by someone attempting to break into a computer
to learn which computer network services, each associated with a "well-known" port
number, the computer provides. Port scanning, a favourite approach of computer cracker,
gives the assailant an idea where to probe for weaknesses. Essentially, a port scan
consists of sending a message to each port, one at a time. The kind of response received
indicates whether the port is used and can therefore be probed for weakness.

Private Key
A cryptographic key that must be kept confidential and is used to enable the operation of
an asymmetric (public key) cryptographic algorithm.

Public key
A cryptographic key that may be widely published and is used to enable the operation of
an asymmetric (public key) cryptographic algorithm. The public part of an asymmetric
key pair that is uniquely associated with an entity and that may be made public.

Public Key Infrastructure (PKI)

A PKI (public key infrastructure) enables users of a basically unsecured public network
such as the Internet to securely and privately exchange data and money through the use
of a public and a private cryptographic key pair that is obtained and shared through a
trusted authority. The public key infrastructure provides for a digital certificate that can
identify an individual or an organization and directory services that can store and, when
necessary, revoke the certificates.

Risk Assessment
The process of identifying risks to agency operations (including mission, functions, image,
or reputation), agency assets, or individuals by determining the probability of occurrence,
the resulting impact, and additional security controls that would mitigate this impact. Part
of risk management and incorporates threat and vulnerability analyses. Similar Terms:
Risk Analysis; Impact Assessment; Corporate Loss Analysis; Risk Identification;
Exposure Analysis; Exposure Assessment.

49 | P a g e
Rootkit
A set of software tools with administrator-level access privileges installed on an
information system and designed to hide the presence of the tools, maintain the access
privileges, and conceal the activities conducted by the tools.

Router A
Network device that enables the network to reroute messages it receives that are
intended for other networks. The network with the router receives the message and sends
it on its way exactly as received. In normal operations. They do not store any of the
messages that they pass through.

Recovery Point Objective (RPO)

The point in time (referring to a point prior to an incident) to which data must be
synchronously restored in order to resume processing transactions. RPO refers to the
tolerance for the loss of data measured in terms of the time between the last backup of
data and the disaster event.

Recovery Strategy
The method selected to recover the critical business functions following a disaster. In data
processing, some possible alternatives would be manual processing, use of service
bureaus, or a backup site (hot or cold-site). A recovery alternative is usually selected
following either a Risk Analysis, Business Impact Analysis, or both.

Recovery Time Objective (RTO)

The maximum period of time available for recovering time sensitive processes before
there is a significant impact on the agency. Registration Authority (RA) An organization
responsible for maintaining lists of codes under international standards.

Tabletop exercise
A discussion-based exercise where personnel meet in a classroom setting or breakout
groups and are presented with a scenario to validate the content of plans, procedures,
policies, cooperative agreements or other information for managing an incident

Sanitization The removal of data so that it is unrecoverable from a given media form to
a level commensurate with the sensitivity of the information

SIEM (Security Information and Event Management)

(SIEM) is a set of network security tools, often packaged as a complete security solution,
used by IT professionals and system administrators to manage multiple security
applications and devices, and to respond automatically to resolve security incidents.

Spam
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk
messages.

50 | P a g e
Session hijacking
Session hijacking, also known as TCP session hijacking, is a method of taking over a
Web user session by surreptitiously obtaining the session ID and masquerading as the
authorized user. Once the user's session ID has been accessed (through session
prediction), the attacker can masquerade as that user and do anything the user is
authorized to do on the network.

Steganography
Methods of hiding the existence of a message or other data. This is different than
cryptography, which hides the meaning of a message but does not hide the message
itself. An example of a stenographic method is "invisible" ink.

Sniffer
Software that observes and records network traffic.

Social Engineering
An attempt to trick someone into revealing confidential or sensitive information (e.g.,
password, user account, account number) that can be used to attack systems or
networks.

Spam
E-mail that is not requested. Also known as “unsolicited commercial e-mail” (UCE),
“unsolicited bulk e-mail” (UBE), “gray mail” and just plain “junk mail,” the term is both a
noun (the email message) and a verb (to send it).

Spoofing
Faking the sending address of a transmission in order to gain illegal entry into a secure
system Example: “IP spoofing” (or “email spoofing”) refers to sending a network packet
(or email) with header information that makes it appear to come from a source other than
its actual source.

Spyware
Software that is secretly or surreptitiously installed into an information system to gather
information on individuals or organizations without their knowledge; a type of malicious
code.

Software that is secretly or surreptitiously installed into an information system without the
knowledge of the system user or owner.

Threat Vs Vulnerability
Threat A natural, human, or environmental source with the intent or opportunity to trigger
the exploitation of a vulnerability.

Vulnerability A flaw or weakness in a process, design, implementation, control, system,

or organization that could be triggered or intentionally exploited, resulting in a security
incident or breach.

51 | P a g e
Threat actor / Threat agent
An individual, group, organization, or government that conducts or has the intent to
conduct detrimental activities.

Trojan horse
A computer program that appears to have a useful function, but also has a hidden and
potentially malicious function that evades security mechanisms, sometimes by exploiting
legitimate authorizations of a system entity that invokes the program.

Virtual Private Network (VPN)

A restricted-use, logical computer network that is constructed from the system resources
often by using encryption (located at hosts or gateways), and often by tunnelling links of
the virtual network across the real network.
A Web application firewall (WAF) is a firewall that monitors, filters or blocks data
packets as they travel to and from a Web application. A WAF can be either network-
based, host-based or cloud-based and is often deployed through a proxy and placed in
front of one or more Web applications. Running as a network appliance, server plug-in or
cloud service, the WAF inspects each packet and uses a rule base to analyse Layer 7
web application logic and filter out potentially harmful traffic.

Wired Equivalent Privacy (WEP)

A security protocol for wireless local area networks defined in the standard IEEE 802.11b.

Wireless Application Protocol

A specification for a set of communication protocols to standardize the way that wireless
devices, such as cellular telephones and radio transceivers, can be used for Internet
access, including e-mail, the World Wide Web, newsgroups, and Internet Relay Chat.

Wiretapping /sniffing
Monitoring and recording data that is flowing between two points in a communication
system.

World Wide Web ("the Web", WWW, W3)

The global, hypermedia-based collection of information and services that is available on
Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other
information retrieval mechanisms.

Worm
A computer program that can run independently, can propagate a complete working
version of itself onto other hosts on a network, and may consume computer resources
destructively.

Zombie
A computer that has been hijacked by a cracker without the owner's knowledge and used
to perform malicious tasks on the Internet

52 | P a g e
Zero Day Exploit
Zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties
responsible for patching or otherwise fixing the flaw. A zero day vulnerability is a software,
hardware or firmware flaw unknown to the manufacturer. When hackers leverage that
flaw to conduct a cyberattack, it's called a zero day exploit.

References
https://www.sans.org
https://mn.gov/
https://techterms.com
https://www.webopedia.com/
https://www.sans.org/security-resources/glossary-of-terms/
https://searchsecurity.techtarget.com/

53 | P a g e