Institutional Structure & Institutional Response Mechanism in an Organization to Handle Cyber Security Related Incidents

I CM Iqbal Kaur
R

What is cyberspace?

A definition of cyberspace: a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

Life in a Networked World

Rapid Development in Information Technology

Speed of microprocessor chips doubles every 12-18 months.
Storage density doubles every 12 months.
Bandwidth is doubling every 12 months.
Price keeps dropping, making technology affordable & pervasive.

The New Net monitors & controls critical infrastructure.

The Internet in India in 2020

There are 730 million internet users; 75% of new users are from rural areas and 75% of new users consume data in vernacular languages.
83% CAGR in mobile video content growth.
175 million have started shopping online.
70% are performing e-commerce transactions via mobile phones.

Cyber Security Challenges

VULNERABILITY: Cyberspace has inherent vulnerabilities that cannot be removed.

ASSIGNING ATTRIBUTION: Internet technology makes it relatively easy to misdirect attribution to other parties.

DEFENCE: Computer Network Defense techniques, tactics and practices largely protect individual systems and networks rather than critical operations (missions).

Indian Cyber Situation

Chart: Phishing and social engineering 41.1%; Malware 22.2%; Ransomware 20%; Spear phishing 11.1%; Denial of service 5.6%; Out-of-date software.

India ranks 3rd in terms of the highest number of internet users in the world after USA and China; the number has grown 6-fold between 2012-2017 with a compound annual growth rate of 44%.
India secures a spot amongst the top 10 spam-sending countries in the world alongside USA.
India was ranked among the top five countries to be affected by cybercrime, according to a 22 October report by online security firm "Symantec Corp".

Ransomware Statistics: Vulnerable to Risks 2017

75% of Indian CXOs admit they lack confidence in their companies' cybersecurity processes.
1 in 131 emails contain malware.
26% share of respondents whose security operations centres collaborate and share data with others in the industry.

How does any institute prevent cyber crimes?

Every institute has its specific incident handling rules depending on the type of organisation. For example: an organisation tending to its customers in real time may have its focus on its servers rather than on data, and an organisation which stores confidential data, like a bank, may have more focus on data security.

What is an incident?

An incident is an adverse event or threat of an adverse event in a computer system (the event may be a misuse, hoax, intrusion or even a compromise of confidentiality).

Incident Handling

Incident handling consists of the set of rules/actions which are executed to protect, and restore the normal operating condition of, the system and the information when an adverse event occurs.

Stages of Incident Handling

Preparation and Detection
Containment and Eradication
Recovery and Follow-up

Preparation | Stage 1

1. Identify & prioritise assets: We need to prioritise the assets of the company. For example: what would cause its business to go under or suffer heavy losses if it were stolen or damaged?

2. Identify potential risks: This includes a little bit of research depending on the organisation; for example, a bank may have risks like phishing calls that reveal confidential details from its clients.

3. Establish procedures: After identifying the risks, a set of actions should be decided to prevent as much as you can. For example: for things like phishing calls you can make your clients aware so that they do not respond to such calls. Moreover, even if a breach happens, this set of actions should be performed by the employees to bring the system back to its original state.

Preparation | Stage 1

4. Set up a response team: You’ll need to designate a team that helps coordinate the actions of your company after the discovery of a data breach. The goal for this team is to help coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.

5. Sell the plan: Your incident response team won’t be very effective if you don’t have the proper backing and resources to execute the plan. This is true from enterprise organizations to smaller, one-off businesses. That’s why you need to make sure that those who control your company’s purse strings are aware of the need for and benefits of having an incident response plan.

6. Employee training: Just having an incident response plan won’t help you in a data breach. Your employees need to be aware of the plan and be properly trained on what they’re expected to do should you get breached. Test the response plan through tabletop exercises. These exercises familiarize your employees with their particular roles in a data breach by testing your response plan through a potential hacking scenario.

STAGE 2: IDENTIFICATION

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.

Questions to address

When did the event happen?
How was it discovered?
Who discovered it?
Have any other areas been impacted?
What is the scope of the compromise?
Does it affect operations?
Has the source (point of entry) of the event been discovered?

STAGE 3: CONTAINMENT

When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run, since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost forever.

This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords.

STAGE 4: ERADICATION

Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.

Whether you do this yourself or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remains in your systems, you may still be losing valuable data, and your liability could increase.

Questions to address

Have artifacts/malware from the attacker been securely removed?
Has the system been hardened, patched, and updates applied?
Can the system be re-imaged?

STAGE 5: RECOVERY

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.

Questions to address

When can systems be returned to production?
Have systems been patched, hardened and tested?
Can the system be restored from a trusted back-up?
How long will the affected systems be monitored, and what will you look for when monitoring?
What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc.)
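The recovery questions above name file integrity monitoring as one tool for spotting a repeat compromise. The following is an added example, not code from the original deck: a minimal Python file integrity check that hashes a directory tree into a baseline taken from the freshly restored system and then reports every file that was added, removed or modified since. The directory layout, file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to digest and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added, removed or modified."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a restored tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"rebuilt binary")
        (root / "config.ini").write_text("mfa=required\n")
        # Baseline from the trusted, freshly restored system. Store it off the
        # monitored host so a later intrusion cannot quietly rewrite it.
        baseline = build_baseline(root)
        (root / "bin" / "app").write_bytes(b"altered binary")  # modified
        (root / "bin" / "extra").write_bytes(b"unexpected")    # added
        (root / "config.ini").unlink()                         # removed
        return compare(baseline, build_baseline(root))
```

Run compare() on a schedule against the stored baseline; any non-empty result is a change that someone on the response team should be able to account for.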


STAGE 6: FOLLOW-UP

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.

Questions to address

What changes need to be made to the security?
How should employees be trained differently?
What weakness did the breach exploit?
How will you ensure a similar breach doesn’t happen again?


No one wants to go through a data breach, but it’s essential to plan for one. Prepare for it, know what to do when it happens, and learn all that you can afterwards.