In our previous article on this subject, we pointed out
that since a lack of Cyber Space Security could lead to loss of assets belonging
to the nation, the Government should take the lead in providing the Cyber
Space Security initiative.
However, this does not mean that the Government alone is
responsible for Cyber Space Security. After all, the security of a society
consisting of many soft targets cannot be ensured by the Government without
active cooperation from the public.
In ensuring security of Cyber Space, the public have two
kinds of roles.
One is that of a responsible citizen who is vigilant to the
happenings around him and brings suspicious-looking transactions to the notice
of the appropriate authorities. This will help incident monitoring and early
detection of major attacks.
As of now, there is no apex agency of the Government to which
a member of the public can report any abnormal happening in Cyber Space, and
it is the responsibility of the Government to create such an agency at the
earliest. Until then, the public can only express itself through private
enterprises such as naavi.org.
Secondly, it is necessary for every Netizen to keep his
own desktop secure. Negligent Netizens often provide the breeding ground for
Virus dissemination and Distributed Denial of Service attacks. This is where
action is called for by individual Netizens in India.
Desk Top Security has several dimensions to it. Some of them
are:
1. Anti Virus
Every Netizen needs to realize that today, a good Anti Virus
programme is as essential to computer usage as an operating system itself.
Hence, every Netizen should consider it mandatory to install a good Anti-Virus
programme and keep it updated. While this may not guarantee 100% protection
against Virus attacks, this is the minimum responsibility that the society
expects its constituents to follow.
The general observation is that, more than the individual home
computer user, it is the many small and medium-sized enterprises that have
inadequate security against viruses in the office network. This situation needs
to be attended to at the earliest.
2. Firewall
In view of the possibility of hacker attacks and denial of
service attacks using a weak system, it is necessary for every computer owner
to install some form of personal firewall that provides basic protection
against unauthorised intrusion and extraction of information from the system.
3. Access Control
Whenever a Computer resource is shared either in the office
or at home, it is necessary for the users to adopt a reasonable access security
measure that ensures that only authorized persons log in to the machine and the
activities of different users can be monitored if required with reference to
their log in IDs.
Having introduced a log-in system, say a password
authentication system, it is necessary to ensure that passwords are well
configured and often changed.
Passing on passwords to another person in an office should be
made an act punishable under the employee regulations just as a Bank Manager
cannot hand over the vault key to his subordinate except under a due process.
4. Digital Signatures
It is necessary for users to start using a digital signature
system at the earliest for authenticating outward messages as well as protecting
stored documents against manipulation.
In the Indian context however, the digital signature
infrastructure is still inadequate to meet the requirements of the individual
users and it may take a while for proper user level applications to be
available.
5. Application Security
After the passage of ITA-2000, every software application
that runs on a Computer can be considered a legally appointed "Agent" of the
Computer owner. Hence any activity of the software is attributable to the
owner and this could lead to legal liabilities also.
One of the important problems that Indian Computer users are
facing is that application vendors are yet to realize the importance of
security and sell applications that leave a lot of security loopholes.
Additionally, most of the document processing
applications and ERP applications sold by even large companies are not "Cyber
Law Compliant" and therefore present a risk to an unsuspecting user.
Selling ERP applications to companies without PKI
infrastructure for example, is a fraud on the consumer since in the event
of a legal dispute the documents generated by the system are not legally valid.
Before the advent of the Digital Signatures (i.e. before the
passage of ITA-2000), it might have been acceptable to issue documents such as
Bank account statements with the proviso "This is a computer generated document
and does not require a signature". But any Bank issuing such statements now is
violating the basic contractual requirement in Banking practice and is making a
"False" statement.
There are also many e-governance applications which
suffer from a lack of legal validity because they do not use digital signatures,
and which pose a serious threat to the growth of computerization in India.
Before it is too late, application vendors should address the
issue of making their applications "Cyber Law Compliant". Until such time, they
must provide a statutory warning that "This Version of the Application does not
support compliance of Cyber Laws in India".
Consumer activists may have to step in if applications that
are non-Cyber Law compliant are sold without alerting the consumer
to the dangers to which he is being exposed.
Thus, we may conclude that the Netizen, whether he is an
individual or a corporate citizen, has a responsibility to maintain a
certain level of desktop security within the systems that
he operates. This is like the requirement that a Car owner keep his brakes in
working condition before he ventures out onto the public roads.
Netizens should also insist that any IT application that
they purchase should be reasonably certified as to the legal compliancy aspect
just as every Car manufacturer provides a deemed guarantee that it conforms to
minimum safety standards and emission control regulations.
Compliance with such requirements should be ensured both
through the development of guidance notes by appropriate authorities and
through positive incentivisation, say in the form of "Insurance" against loss
of information assets.
naavi.org welcomes suggestions from the public in this
regard.
Naavi
October 26, 2002
Related Article:
Security When Conventional Security Fails
Cyber Space Security..Whose Responsibility is It?