
Cyber Security Strategies

To design and implement a secure cyberspace, some stringent strategies have been put in place.
This chapter explains the major strategies employed to ensure cybersecurity, which include the
following −

Creating a Secure Cyber Ecosystem

Creating an Assurance Framework

Encouraging Open Standards

Strengthening the Regulatory Framework

Creating Mechanisms for IT Security

Securing E-governance Services

Protecting Critical Information Infrastructure

Strategy 1 − Creating a Secure Cyber Ecosystem


The cyber ecosystem involves a wide range of varied entities like devices (communication
technologies and computers), individuals, governments, private organizations, etc., which interact
with each other for numerous reasons.

This strategy explores the idea of having a strong and robust cyber-ecosystem where the
cyber-devices can work with each other in the future to prevent cyber-attacks, reduce their
effectiveness, or find solutions to recover from a cyber-attack.

Such a cyber-ecosystem would have the ability built into its cyber devices to permit secured ways
of action to be organized within and among groups of devices. This cyber-ecosystem can be
supervised by present monitoring techniques where software products are used to detect and
report security weaknesses.

A strong cyber-ecosystem has three symbiotic structures − Automation, Interoperability, and
Authentication.

Automation − It eases the implementation of advanced security measures, enhances the
swiftness, and optimizes the decision-making processes.

Interoperability − It toughens the collaborative actions, improves awareness, and
accelerates the learning procedure. There are three types of interoperability −

  Semantic (i.e., shared lexicon based on common understanding)

  Technical

  Policy − Important in assimilating different contributors into an inclusive
  cyber-defense structure.

Authentication − It improves the identification and verification technologies that work in
order to provide −

  Security

  Affordability

  Ease of use and administration

  Scalability

  Interoperability

Comparison of Attacks

The following table shows the Comparison of Attack Categories against Desired Cyber
Ecosystem Capabilities −

Case Study

The following diagram was prepared by Guilbert Gates for The New York Times, which shows
how an Iranian plant was hacked through the internet.

Explanation − A program was designed to automatically run the Iranian nuclear plant.
Unfortunately, a worker who was unaware of the threats introduced the program into the
controller. The program collected all the data related to the plant and sent the information to the
intelligence agencies, who then developed and inserted a worm into the plant. Using the worm,
the plant was controlled by miscreants, which led to the generation of more worms and, as a
result, the plant failed completely.

Types of Attacks

The following table describes the attack categories −

| Attack Category | Description of Attack |
|---|---|
| Attrition | Methods used to damage networks and systems. It includes the following − distributed denial of service attacks; impair or deny access to a service or application; resource depletion attacks |
| Malware | Any malicious software used to interrupt normal computer operation and harm information assets without the owner’s consent. Any execution from a removable device can enhance the threat of a malware. |
| Hacking | An attempt to intentionally exploit weaknesses to get unethical access, usually conducted remotely. It may include − data-leakage attacks; injection attacks and abuse of functionality; spoofing; time-state attacks; buffer and data structure attacks; resource manipulation; stolen credentials usage; backdoors; dictionary attacks on passwords; exploitation of authentication |
| Social Tactics | Using social tactics such as deception and manipulation to acquire access to data, systems or controls. It includes − pre-texting (forged surveys); inciting phishing; retrieving of information through conversation |
| Improper Usage (Insider Threat) | Misuse of rights to data and controls by an individual in an organization that would violate the organization’s policies. It includes − installation of unauthorized software; removal of sensitive data |
| Physical Action/Loss or Theft of Equipment | Human-Driven attacks such as − stolen identity tokens and credit cards; fiddling with or replacing card readers and point of sale terminals; interfering with sensors; theft of a computing device used by the organization, such as a laptop |
| Multiple Component | Single attack techniques which contain several advanced attack techniques and components. |
| Other | Attacks such as − supply chain attacks; network investigation |

Strategy 2 − Creating an Assurance Framework


The objective of this strategy is to design an outline in compliance with the global security
standards through traditional products, processes, people, and technology.

To cater to the national security requirements, a national framework known as the Cybersecurity
Assurance Framework was developed. It accommodates critical infrastructure organizations and
the governments through "Enabling and Endorsing" actions.

Enabling actions are performed by government entities that are autonomous bodies free from
commercial interests. The publication of "National Security Policy Compliance Requirements"
and IT security guidelines and documents to enable IT security implementation and compliance
are done by these authorities.

Endorsing actions are involved in profitable services after meeting the obligatory qualification
standards and they include the following −

ISO 27001/BS 7799 ISMS certification, IS system audits etc., which are essentially the
compliance certifications.

'Common Criteria' standard ISO 15408 and Crypto module verification standards, which
are the IT Security product evaluation and certification.

Services to assist consumers in implementation of IT security such as IT security
manpower training.

Trusted Company Certification

Indian IT/ITES/BPOs need to comply with the international standards and best practices on
security and privacy with the development of the outsourcing market. ISO 9000, CMM, Six Sigma,
Total Quality Management, ISO 27001 etc., are some of the certifications.

Existing models such as SEI CMM levels are exclusively meant for software development
processes and do not address security issues. Therefore, several efforts are made to create a
model based on self-certification concept and on the lines of Software Capability Maturity Model
(SW-CMM) of CMU, USA.

The structure that has been produced through such association between industry and
government comprises the following −

standards

guidelines

practices

These parameters help the owners and operators of critical infrastructure to manage
cybersecurity-related risks.

Strategy 3 − Encouraging Open Standards


Standards play a significant role in defining how we approach information security related issues
across geographical regions and societies. Open standards are encouraged to −

Enhance the efficiency of key processes,

Enable systems incorporations,

Provide a medium for users to measure new products or services,

Organize the approach to arrange new technologies or business models,

Interpret complex environments, and

Endorse economic growth.


Standards such as ISO 27001[3] encourage the implementation of a standard organization
structure, where customers can understand processes, and reduce the costs of auditing.

Strategy 4 − Strengthening the Regulatory Framework


The objective of this strategy is to create a secure cyberspace ecosystem and strengthen the
regulatory framework. A 24X7 mechanism has been envisioned to deal with cyber threats
through National Critical Information Infrastructure Protection Centre (NCIIPC). The Computer
Emergency Response Team (CERT-In) has been designated to act as a nodal agency for crisis
management.

Some highlights of this strategy are as follows −

Promotion of research and development in cybersecurity.

Developing human resource through education and training programs.

Encouraging all organizations, whether public or private, to designate a person to serve
as Chief Information Security Officer (CISO) who will be responsible for cybersecurity
initiatives.

Indian Armed Forces are in the process of establishing a cyber-command as a part of
strengthening the cybersecurity of defense network and installations.

Effective implementation of public-private partnership is in the pipeline that will go a long
way in creating solutions to the ever-changing threat landscape.

Strategy 5 − Creating Mechanisms for IT Security


Some basic mechanisms that are in place for ensuring IT security are − link-oriented security
measures, end-to-end security measures, association-oriented measures, and data encryption.
These methods differ in their internal application features and also in the attributes of the
security they provide. Let us discuss them in brief.

Link-Oriented Measures

It delivers security while transferring data between two nodes, irrespective of the eventual source
and destination of the data.

End-to-End Measures

It is a medium for transporting Protocol Data Units (PDUs) in a protected manner from source to
destination in such a way that disruption of any of their communication links does not violate
security.

Association-Oriented Measures

Association-oriented measures are a modified set of end-to-end measures that protect every
association individually.
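
An added example (not part of the original document) contrasting the link-oriented and end-to-end measures described above: a PDU travels A → B → C, and HMAC-SHA256 integrity tags stand in for the protection applied at each layer. The node names, keys and sample PDU are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo keys (assumptions, not taken from the document).
LINK_AB = b"link-key-A-to-B"    # shared by sender A and relay B
LINK_BC = b"link-key-B-to-C"    # shared by relay B and receiver C
E2E_AC = b"end-to-end-key-A-C"  # shared only by A and C
TAG_LEN = hashlib.sha256().digest_size

def protect(key: bytes, data: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to data."""
    return data + hmac.new(key, data, hashlib.sha256).digest()

def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify and strip the tag; raise ValueError if it does not match."""
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return data

def relay(frame: bytes, compromised: bool) -> bytes:
    """Node B: remove the protection of link A-B, re-apply it for link B-C."""
    data = unprotect(LINK_AB, frame)
    if compromised:
        # Models a relay that alters traffic while it is unprotected inside B.
        data = data.replace(b"100", b"900", 1)
    return protect(LINK_BC, data)

def deliver(pdu: bytes, end_to_end: bool, compromised_relay: bool):
    """Send pdu A -> B -> C; return what C accepts, or None if C rejects it."""
    inner = protect(E2E_AC, pdu) if end_to_end else pdu
    frame = relay(protect(LINK_AB, inner), compromised_relay)
    received = unprotect(LINK_BC, frame)  # the last link always verifies
    if not end_to_end:
        return received
    try:
        return unprotect(E2E_AC, received)
    except ValueError:
        return None

if __name__ == "__main__":
    pdu = b"PAY 100 TO ACCT 42"  # constructed sample PDU
    print(deliver(pdu, end_to_end=False, compromised_relay=True))
    print(deliver(pdu, end_to_end=True, compromised_relay=True))
    print(deliver(pdu, end_to_end=True, compromised_relay=False))
```

With link-oriented protection alone, every hop verifies correctly and C still accepts the altered PDU; with the end-to-end tag, C rejects it because B never holds the A–C key.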

Data Encryption

It defines some general features of conventional ciphers and the recently developed class of
public-key ciphers. It encodes information in a way that only the authorized personnel can
decrypt it.

Strategy 6 − Securing E-Governance Services


Electronic governance (e-governance) is the most treasured instrument with the government to
provide public services in an accountable manner. Unfortunately, in the current scenario, there is
no devoted legal structure for e-governance in India.

Similarly, there is no law for obligatory e-delivery of public services in India. And nothing is more
hazardous and troublesome than executing e-governance projects without sufficient
cybersecurity. Hence, securing the e-governance services has become a crucial task, especially
when the nation is making daily transactions through cards.

Fortunately, the Reserve Bank of India has implemented security and risk mitigation measures for
card transactions in India enforceable from 1st October, 2013. It has put the responsibility of
ensuring secured card transactions upon banks rather than on customers.

"E-government" or electronic government refers to the use of Information and Communication
Technologies (ICTs) by government bodies for the following −

Efficient delivery of public services

Refining internal efficiency

Easy information exchange among citizens, organizations, and government bodies

Re-structuring of administrative processes.

Strategy 7 − Protecting Critical Information Infrastructure


Critical information infrastructure is the backbone of a country’s national and economic security.
It includes power plants, highways, bridges, chemical plants, networks, as well as the buildings
where millions of people work every day. These can be secured with stringent collaboration plans
and disciplined implementations.

Safeguarding critical infrastructure against developing cyber-threats needs a structured
approach. It is required that the government aggressively collaborates with public and private
sectors on a regular basis to prevent, respond to, and coordinate mitigation efforts against
attempted disruptions and adverse impacts to the nation’s critical infrastructure.

It is in demand that the government works with business owners and operators to reinforce their
services and groups by sharing cyber and other threat information.

A common platform should be shared with the users to submit comments and ideas, which can
be worked together to build a tougher foundation for securing and protecting critical
infrastructures.

The government of the USA issued an executive order, "Improving Critical Infrastructure
Cybersecurity", in 2013 that prioritizes the management of cybersecurity risk involved in the
delivery of critical infrastructure services. This Framework provides a common classification and
mechanism for organizations to −

Define their existing cybersecurity bearing,

Define their objectives for cybersecurity,

Categorize and prioritize chances for development within the framework of a constant
process, and

Communicate with all the investors about cybersecurity.
