
Cyber Security

WHAT IS CYBERSECURITY?
Cyber Security is the protection of the confidentiality, integrity and availability of
information in cyberspace.

Cyber Space is defined as the complex environment resulting from the interaction of
people, software and services on the Internet by means of technology devices and
networks connected to it, which does not exist in any physical form.

The word cyber comes from the word cybernetics, relating to electronic communication
networks and virtual reality. We at MFL do all our daily transactions over the internet,
and hence every staff member needs to be aware of the threats that exist in
cyberspace.

WHY IS THERE A SUDDEN FOCUS ON CYBER SECURITY IN INDIA?

In the last couple of years, the Internet has spread to every corner of the country.
Access to the internet has become easy and cheap, as have mobile devices. Nowadays,
companies also rely on the internet for day-to-day use. As a result, the risk has
increased and therefore the possibility of attack has increased.

HOW DID CYBER THREATS START TO EMERGE AS A PROBLEM?

Cyber threats started becoming a problem with the use of:

Mobile Applications (Mobile Apps)

Presence of MNCs addressing local needs (Global & Local = Glocal)

Extensive use of E-mail

MAJOR TYPES OF CYBER ATTACKS


Nowadays, a cyber-attack can happen in multiple ways, of which the 2 most popular
are:

1) Your computer is hacked, your files are locked and you are not able to access
them. They can be unlocked only if you pay a ransom to the attacker. This is called a
Ransomware attack.

2) Your data is breached or stolen from your computer without your knowledge. This
is called a Data Breach.

RANSOMWARE

In 2017 most of the attacks were happening as Ransomware. In a Ransomware attack,
once the malicious program (virus) enters a computer it locks the computer terminal,
and then the person who locked it (the hacker) asks for a ransom. Only once the ransom
is paid is the system released. Some of the types of Ransomware are:

Bad Rabbit

WannaCry

Petya


Reasons why Ransomware attacks happen:

Use of pirated versions of the Operating System (OS like Windows 7/8/10) at
Government offices, small offices and home offices. So, use only a licensed version of
the OS.

Security patches/updates of the OS and anti-virus are not being applied. Ensure that
the desktop/laptop/mobile on which you are working is up to date with security
features and updates.

DATA BREACH
This happens when data stored on your laptop or desktop is stolen and you are not
aware of the theft. In case of a data breach there are strict penalties under the IT Act of
India. The IT Act also covers sensitive personal data or information, known as SPDI,
and its security.

Daily Material Dated : 21-11-2018


WHAT IS DEFACEMENT OF A WEBSITE?

One of the common attacks is the defacement of websites. Website defacement is an
attack on a website that changes the visual appearance of the site or a webpage.

Around 17588 Indian registered domain (.in) websites were defaced and another 9081
dotcom (.com) websites were attacked and defaced during Jan-Dec 2017.

PHISHING WEBSITES FOR STEALING INFORMATION


Real Website: http://www.muthootmicrofin.com/

Fake Website: http://www.muthootmicrofiin.com/

For example, the web address of one of our group companies is
http://www.muthootmicrofin.com/. But hackers can create another page like it with a
different web address, http://www.muthootmicrofiin.com/. If we observe closely, there is
an additional “i” in Microfin. These are called phishing websites. We must also check
whether the address starts with http or https; HTTPS is a secured link. Nearly 1.4
million phishing websites are created every month.

WHAT ARE SOME OF THE POPULAR CYBER ATTACKS ENCOUNTERED ON A DAY-TO-DAY BASIS?

Phishing

Pharming

Vishing

Smishing

PHISHING

Phishing is a criminal activity that attempts to fraudulently obtain sensitive information,
like Aadhaar number, driving licence, credit card info or bank account info, often by
tempting you into giving up sensitive personal data or information.

The typical mail will say “Please respond within 24 hours”. Phishing is one of the most
popular cyber attacks. There are basically 4 types of phishing:

a) Mass market email:
is the most common type of phishing, where a large number of people are sent a
common mail in the hope that at least a few of them will fall prey to it.

b) Spear Phishing:
is a customized attack on a specific employee and company. Instead of trying to get
the banking credentials of 1000 consumers, the attacker may find it more profitable to
target a handful of businesses. So, a targeted phishing attack is called spear phishing.

c) Whaling:
A phishing attack specifically targeting a company’s executives (CEO, CFO, CHRO,
COO etc.) is called whaling. The victim is considered high-value, and thus the
information stolen from him/her will be more valuable than what a regular employee
could offer. The account credentials of these top executives open more doors than
those of an entry-level employee. The goal is to steal data, employee information and
cash.

d) Business Email Communication (BEC):
resembles official mails asking to remit a certain amount to an account number, citing
urgency (like closure of a deal or customer urgency etc.). For eg: a Branch Manager
may get a mail from the CEO asking to remit Rs. XXXX through NEFT to some account,
which would be unusual. In such cases the BM should act smartly and cross-verify the
origin of the mail. If the BM does not check whether the CEO actually sent the mail, the
entire amount will go out of the organization. Therefore, every mail asking for
remittance of money out of the organization must be looked at with caution by all
staff.

Daily Material Dated : 22-11-2018


EXAMPLES OF PHISHING IN INDIA
Below is an example of a phishing mail received, claiming to be from the Tax
department and that there is a miscalculation. The mail states that the person must pay
Rs. 19,570 to the Tax department.

If we observe closely, the mail has come from donotreply@incometaxindiaefilling.gov.in.
While the ID looks genuine, it is not. Even if the tax department had sent a mail (which
they never will, as they send only the Income Tax assessment (ITA)), they would not
have kept a third party in cc (nmds@bestfitsolution.in), and the mail ID is wrong, as it
reads @incometaxindiaefilling and not efiling. The person who receives the mail will
not notice the small spelling mistake and may compromise sensitive personal data by
clicking on “complete my return now and pay the amount”.
HOW TO IDENTIFY A PHISHING MAIL?

Every mail comes with a message header. In Outlook there is an option called “Message
Options”. When we click on it, a window opens where we can see the internet headers.

Return-Path:
If it is a genuine mail, the return path will lead back to the sender, i.e. to a mail ID of the
department or office it came from, and not to any Gmail or Yahoo ID. In the above case,
if the mail was genuinely from the Income Tax department, the return path would have
been to Income Tax and not to a Gmail or Yahoo account. In the picture it can be seen
that the Return-Path is minhdyj1@gmail.com, which means it is a phishing mail.

X-Apparently-To: nmds@bestfitsolutions.in means the response will be sent to the
above mentioned mail ID and not to the Income Tax Filing department.

Received-SPF: is mentioned as “Soft fail” in the above case, along with a note that the
transitioning domain of gmail.com does not designate 176.10.37.212 as a permitted
sender.

To see the above in Rediff: in the mail itself there is an option “Show full headers”, and
we can see the entire history along with the return path.

To see the above in Gmail: at the top right corner of the mail body, near the time, there
is a down arrow. Click on it and the drop-down will show the option “Show original”.
When we click on it we will be able to see the details of the mail.
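As an added example (not part of the original training material), the following Python script applies the checks described in this section and in the phishing websites section above: a web address whose host is one letter away from a genuine domain or that is not HTTPS, and mail headers whose Return-Path goes to a webmail account, whose Received-SPF result is a soft fail, or whose sender domain is a mis-spelling of the genuine one. The list of known domains (with incometaxindiaefiling.gov.in assumed to be the genuine tax e-filing domain) and the sample header block are constructed for illustration; only the Python standard library is used.

```python
"""Phishing checks for a web address (look-alike host, plain http) and for raw
mail headers (webmail Return-Path, SPF soft fail, mis-spelt sender domain)."""
import email
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed list of genuine domains (in practice maintained by the IT team).
KNOWN_DOMAINS = ["muthootmicrofin.com", "incometaxindiaefiling.gov.in"]
# Public webmail domains an official department would not use as Return-Path.
WEBMAIL = {"gmail.com", "yahoo.com", "yahoo.co.in", "rediffmail.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the known domain this one imitates (1 or 2 edits away), else None."""
    domain = domain.lower().removeprefix("www.")
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None

def check_url(url):
    """Findings for a web address, e.g. the extra "i" in muthootmicrofiin.com."""
    parts = urlsplit(url)
    findings = []
    target = lookalike_of(parts.hostname or "")
    if target:
        findings.append(f"host {parts.hostname} imitates {target}")
    if parts.scheme != "https":
        findings.append("not HTTPS")
    return findings

def check_headers(raw_headers):
    """Findings for a raw header block: the Return-Path and SPF checks above."""
    msg = email.message_from_string(raw_headers)
    # Domain part of the address in a header field ("" if the field is absent).
    domain = lambda field: parseaddr(msg.get(field, ""))[1].rpartition("@")[2].lower()
    from_dom, rp_dom = domain("From"), domain("Return-Path")
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path {rp_dom} differs from From {from_dom}")
    if rp_dom in WEBMAIL:
        findings.append(f"Return-Path is a webmail account ({rp_dom})")
    spf_result = msg.get("Received-SPF", "").split(" ", 1)[0].lower()
    if spf_result in {"softfail", "fail", "none", "permerror"}:
        findings.append(f"SPF result is {spf_result}")
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom} imitates {target}")
    return findings

# Constructed header block modelled on the Income Tax mail described above.
SAMPLE_HEADERS = """\
Return-Path: <minhdyj1@gmail.com>
Received-SPF: softfail (transitioning domain of gmail.com does not designate 176.10.37.212 as permitted sender)
From: Income Tax <donotreply@incometaxindiaefilling.gov.in>
"""
```

Calling check_url("http://www.muthootmicrofiin.com/") reports the look-alike host and the missing HTTPS, and check_headers(SAMPLE_HEADERS) reports all four signals the text walks through.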

Daily Material Dated : 23-11-2018


HOW TO PROTECT OURSELVES FROM PHISHING MAIL?

Never click on email links

Check the headers before replying to the mail

Report all such spam mails to the designated support desk by email or phone, as per
the policy of the organization

VISHING
The telephonic version of phishing is called vishing; that is, data obtained through a
telephone conversation is called vishing. Eg: if we get a call stating, “I am calling from
Axis Bank or ICICI Bank, your credit card is blocked, please share your credit card
details to update in our system” or “your ATM card is blocked, please give your card
details.” Never share any financial data or personal details like card number, bank
account number, IFSC code or even the OTP with anyone, including our own relatives.
SMISHING
SMS phishing is called smishing. The hacker uses cell phone text messages to lure
people. Often the text message will contain a link or a phone number and will ask for
your immediate attention. The phone number often leads to an automated voice
response system.

For eg: “Reebok or Adidas 10th anniversary sale”, “Free coupons from this link”, “one
lottery for 5 lakh, please click here”. We fall into the trap and compromise our personal
data. In many cases, the smishing message comes from a “5000” number.

PHARMING
Pharming is another scam where a fraudster installs malicious code (.exe files) on a
personal computer or server. This code then redirects any clicks you make on a website
to another, fraudulent website without your consent or knowledge. We have to be very
careful while entering financial information on a website.

Fraudsters normally use a combination of the techniques mentioned above to get hold
of our information, communication device or computer. For eg: a hacker will get hold of
customer financial data from financial institutions by multiple means. These financial
details will then be used on e-commerce websites to make a purchase. Once they reach
the payment gateway, they immediately ring up the customer and tell him/her that the
system is showing a purchase with the card, which is happening because of some
problem, and therefore ask him/her to confirm the card number, name on the card, CVV
and customer ID, and to share the OTP.

The customer would believe this, as he/she would by now have received an SMS with
the OTP. They share it and lose money. This type of attack is called a social
engineering attack, wherein the customer is taken into confidence and asked to share
their personal/financial details.

Daily Material Dated : 24-11-2018


In addition to cyber-attacks, there are many cyber-crimes:

Cyber Bullying
is faced by youngsters. It usually happens when children get access to a phone and the
internet. Cyber bullying comes from their friends, enemies, school colleagues or
classmates. It becomes a mental agony for the children. So, we should mentor them,
counsel them and make them understand before it becomes a malice.

Cyber Stalking
happens when people are stalked by others online, usually with the purpose of bringing
harm or loss.

Cyber Espionage
happens when competition is fierce and a competing company tries to take out
information pertaining to our products and services and tries to kill the competition.

Cyber Warfare
An attack on the communication and IT infrastructure of a country by another country
is called cyber warfare.
There are mainly 2 types of browsing that usually happen on the web:

SURFACE WEB
is when we are browsing common websites. Hardly 20% of the traffic flows through the
surface web. One can browse the surface web anonymously with the use of specific
browsers or plug and play devices.

DEEP WEB
The remaining traffic flows through the deep web or dark web. These are websites
where people try to keep their identity anonymous but end up becoming part of a cyber
attack. A few such websites for anonymous browsing are Ghostery, Privacy Badger,
TorProject and DuckDuckGo.

CYBER SECURITY ECOSYSTEM

The Ministry of Electronics and Information Technology (a department under the Govt of
India) is the highest authority and decision-making body in the Cyber Security
Ecosystem. The only act pertaining to cyber security is the Information Technology Act
2000 (IT Act 2000), which was drastically amended in 2008, and certain modifications
keep happening to it in between.

Therefore, we do have a cyber law in the form of the IT Act 2000. But we don’t have a
law named “cyber law 2000” or “cyber law act 2010”.
There are 2 additional organizations/institutions constituted as per the IT Act:

CERT-In

NCIIPC (National Critical Information Infrastructure Protection Centre)

In addition to the above institutions, there are a few other entities that act as
regulatory bodies. These agencies have participated and given inputs in formulating
rules and regulations for cyber security.

For eg:

RBI – Regulates NBFCs & Banks

PFRDA – Regulates organisations dealing with pension funds/NPS

SEBI regulations

NSE, BSE & SEBI – Regulate exchanges

Police – Reporting of cyber crimes

IRDAI (Insurance Regulatory and Development Authority of India) – Regulates
insurance brokers and insurance companies

The institutions mentioned below work at a global level for Cyber Security.

National Institute of Standards & Technology (NIST) – Recommended cyber security
framework

Bank for International Settlements

Anti-Phishing Working Group (APWG)

International Organisation of Securities Commissions (OICV-IOSCO) – Has made
recommendations on cyber security, mostly for financial services

Forum of Incident Response and Security Teams (FIRST)

Asia Pacific Computer Emergency Response Team (APCERT)

Daily Material Dated : 26-11-2018


Some Important Sections

1. Section 70B of IT Act

talks about the Indian Computer Emergency Response Team, or CERT-In or I-CERT,
which serves as the national agency for incident response. This section states that the
central govt shall, by notification in the Official Gazette, appoint an agency of the govt
to be called the Indian Computer Emergency Response Team. This section also states
the roles of CERT-In. CERT-In shall serve as the national agency for performing the
following functions in the area of cyber security:

Collection, analysis and dissemination of information on cyber incidents

Forecasts and alerts of cyber security incidents

Emergency measures for handling cyber security incidents

Coordination of cyber incident response activities

Issue of guidelines, advisories, vulnerability notes and white papers (govt reports)
relating to information security practices, procedures, prevention, response and
reporting of cyber incidents

Such other functions relating to cyber security as may be prescribed


2. Section 69 of IT Act

talks about the power or authority to monitor and collect internet traffic data or
information through any computer resource for cyber security. So, as per 69B, if you
are browsing the internet in India, the govt has the authority to monitor and collect the
internet traffic data.

IMPORTANT ROLES OF CERT-In:

On its website, CERT-In has a Cyber Swachhta Kendra, or Botnet Cleaning and Malware
Analysis Centre (an Indian initiative), through which it provides security products free
of cost, like USB Pratirodh and M-Kavach. These products can be downloaded and used
from the Security Tools option on the website.

Another role of CERT-In is to create awareness. On its website there is enough material
to understand what phishing is, how to cross-check links and the browser, mis-spelt
URLs etc.

We need to report all cyber security incidents to CERT-In, which is mandated as per
section 70B of the IT Act, which has to be read along with rule XII-1A. Suppose our
organization suffers a “WannaCry” attack and we forget to report it to our seniors/IT
department, and that designated department also fails to report it; then it is
considered an offence under the IT Act, and there is a penalty of 1 lakh rupees or
imprisonment which can extend up to 1 year. Reporting a cyber security incident is very
important and we cannot hide such cyber-attack incidents.

Our organization comes under “Corporate/Body Corporates”, and as per the definition in
the IT Act we need to report around 8 different types of incidents:

Probing of critical networks

Unauthorized access to IT systems/data

Defacement of websites

Malicious code attacks

Attacks on servers and network devices

Identity theft, spoofing and phishing attacks

Attacks on critical infrastructure and wireless networks

Attacks on applications such as e-Governance, e-Commerce etc.

WHOM TO REPORT, WHAT TO REPORT & HOW TO REPORT AN INCIDENT?

Whom to report – Section 12(1), Incident reporting, response and information
dissemination:

CERT-In works 24 hours on all days, including government and public holidays, to
facilitate reporting of cyber security incidents.

What to report: Reporting of incidents

Any individual, organization or corporate entity affected by a cyber security incident
may report the incident to CERT-In.

The types of cyber security incidents identified in the above mentioned 8 points shall
be mandatorily reported to CERT-In as early as possible, to leave scope for action.

Service providers, intermediaries, data centres and body corporates shall report the
cyber security incident to CERT-In within a reasonable time of occurrence or of noticing
the incident, to leave scope for timely action.

The details regarding methods and formats for reporting cyber security incidents,
vulnerability reporting and remediation, incident response procedures and
dissemination of information on cyber security shall be published on the website of
CERT-In.

Where to report:

On the CERT-In website (http://www.cert-in.org.in/) there is a heading “Reporting” on
the left side, below which there are 2 options, “Incident reporting” and “Vulnerability
reporting”. When we click on it there are a few guidelines and a PDF document with the
Security Incident Reporting format or details on vulnerability reporting. We can fill
these in and mail the report to info@CERT-In.org.in.

Reporting for individuals or home users is optional, but for corporates it is mandatory.
This means that if you are using a home computer/laptop and a cyber attack happens,
you may or may not report it to CERT-In. However, if you are using an office computer,
then as an employee you are required to report the incident to the IT Security team,
who in turn will report it to CERT-In.

Daily Material Dated : 27-11-2018


3. Chapter IX, Section 43

defines damage to a computer, computer system etc. and compensation. However, how
much the compensation is, is not defined in this section (amended vide ITAA-2008). It
states that if any person, without permission of the owner or any other person who is
in charge of a computer, computer system or computer network, tries to commit
damage, then he/she is punishable. Damage to a computer system, network or
computer resource in this context is when a person:

Accesses without approval

Downloads, copies or extracts data, including information stored in a removable
storage medium

Introduces or causes to be introduced any computer virus

Disrupts or causes disruption

Denies or causes the denial of access to any person authorized to access

Provides any assistance to any person to facilitate access in breach of the provisions
of this Act

Charges the services availed of by a person to the account of another person by
tampering with or manipulating

Destroys, deletes or alters any information residing in a computer resource, or
diminishes its value or utility, or affects it injuriously by any means

Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or
alter, any computer source code used for a computer resource with an intention to
cause damage

He shall be liable to pay damages by way of compensation to the person so affected.

4. Section 43A

Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such body corporate shall
be liable to pay damages by way of compensation to the person so affected.

Compensation under this section can go up to any amount. Therefore, it is important to
understand that we handle sensitive data in our work daily, and we should ensure
reasonable security practices for such data.

5. Chapter XI – Offences

For each offence under the IT Act there can be imprisonment or fines, and certain
offences are classified as non-cognizable or cognizable, i.e. for certain offences you
can be arrested even without an arrest warrant. Offences can also be categorized into
bailable and non-bailable offences.

Whenever the imprisonment period is more than 3 years you can be arrested without an
arrest warrant and the offence is non-bailable. For imprisonment of less than or equal
to 3 years, it is bailable and an arrest warrant is needed.

Daily Material Dated : 28-11-2018
