Naavi.org

On 4th January 2017, CERT IN had issued an order regarding reporting of incidents to CERT IN.

The order has now been re-issued along with detailed instructions on other security measures which will be applicable to all service providers, intermediaries, data centers, body corporate and Government organizations. These directions will be effective from 60 days from the date of issue of this notification (28th April 2022). Refer here

Some of the requirements are as follows.

1. Shall connect to the Network Time Protocol (NTP) server of NIC or NPL or with NTP servers traceable to these NTP servers for synchronization of clocks.
2. Mandatorily report cyber incidents within 6 hours and follow the instructions provided if any.
3. Shall provide a point of contact.
4. Enable logs of all their ICT systems and maintain them for a rolling period of 180 days and shall be maintained within the Indian jurisdiction.
5. Shall maintain information of subscribers and customers hiring services for a period of 5 years, including IP s allotted to members, E Mail address, time stamp at the time of on boarding.
6. Virtual asset service providers shall maintain KYC of its users as per RBI/SEBI norms.
7. Accurate transaction records shall be maintained.

The type of incidents that need to be reported has also been expanded to include the following.

i. Targeted scanning/probing of critical networks/systems
ii. Compromise of critical systems/information
iii. Unauthorised access of IT systems/data
iv. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
v. Malicious code attacks such as spreading of virus/worm/ Trojan/Bots/ Spyware/ Ransomware/ Cryptominers

vi. Attack on servers such as Database, Mail and DNS and network devices such as Routers
vii. Identity Theft, spoofing and phishing attacks
viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
ix. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
x. Attacks on Application such as E-Governance, E-Commerce etc.
xi. Data Breach
xii. Data Leak
xiii. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
xiv. Attacks or incident affecting Digital Payment systems
xv. Attacks through Malicious mobile Apps
xvi. Fake mobile Apps
xvii. Unauthorised access to social media accounts
xviii. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
xix. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
xx. Attacks or malicious/ suspicious activities affecting systems/ servers/ software/ applications related to Artificial Intelligence and Machine Learning

The incidents can be reported to CERT-In via email (incident@cert-in.org.in), Phone (1800-11-4949) and Fax (1800-11-6969).

Given the  reluctance of the companies to resist any security measures of the Government of India, we can expect a media campaign to oppose the directions.

However, it is good to know that CERT-IN has woken up from its slumber and has considered issuing this order. We have to wait and see how seriously the order would be implemented.

From the compliance point of view the CISOs need to take immediate action as the CERT IN also has quasi judicial powers and  can take action including initiating prosecution for criminal punishments if the order is ignored.

It may be noted that the data breaches of Non personal data and personal data are to be reported to CERT IN and also to the Data Protection Authority to be set up under DPA 2021. Hopefully CERT IN will focus on post incident action in respect of security while Data Protection Authority will focus on punitive action on Data Fiduciaries related to  personal data. Timely waking up of CERT In is therefore significant. The silence of CERT In for several years had rendered the office as a mere advisory issuing back office. This perception has to change and probably this notification signals to such a welcome change.

Naavi

Copy of PIB press release

It is well recognized that behind many of the successful ransomware attacks in an organization, there is a simple security failure of an employee clicking an e-mail attachment containing a malicious code. Prevention of E Mail based attacks is therefore one of the important security measures to be taken by any enterprise. Statistics indicate that more than 70% of malicious email attachments are delivered through attachments in PDF and Ms Office Documents.

The anti virus software normally works on the principle of scanning a document to identify a known virus signature. This could work for known viruses but cannot protect against zero day attacks. Also non updation of anti virus also could defeat the security and allow intrusion of the malicious code.

The Sandbox method where the files are allowed to be processed in a controlled environment until they are cleared for security may delay the delivery of the incoming files for further processing.

Considering the unacceptable level of risk that arises in a ransomware attack, there is a need to fortify the security of emails to ensure that malicious codes in incoming data is identified at source and stopped at the gateway.

The CDR (Code Disarming and Reconstruction) technology (also referred to as Threat Extraction or data sanitization) is a technology where a file is deconstructed into separate components such as image, text etc using the vendor specified specifications for the document type. They are then reconstructed leaving out any malicious (non conforming) content so that the file is cleaned of any unwanted components that may be the potential source of a malicious code. In the process, any executable content in the document also gets removed. The safe content after removal of the undesirable content is forwarded to the user and the original file is held in safe storage to be accessed only if required and confirmed that it is benign say after a sandbox inspection.

It is expected that the CDR technology could introduce certain delays in releasing the file for operation based on the signature based identification since it works on “Zero Trust” and inspects every file by deconstruction and reconstruction. But considering the risks associated with ransomware in large corporations, enterprises should be tolerant of some delays in the interest of security.

While the CDR technology is expected to provide 99.9% reliability for removal of malware, there could be some operational issues to be contended with when the usability of the incoming file could be curtailed. The “Policy Setting” therefore becomes important to ensure that the system is useful.

In the market there appears to be many solutions available on CDR technology. While there could be solutions like Checkpoint-Harmony that integrates CDR technology to the legacy malware security systems, specialized CDR based malware security providers such as Odix, Glasswall Solutions, Fortinet OPSWAT, Sasa software etc are also trying to capture the markets.

Some of the service providers may provide “CDR as a Service” and cost effective solutions for SMEs. Odi-x from Israel is reported to be one of the solutions that SMBs may be able to afford particularly if they are working on the Microsoft environment.

It would be good if in future CDR technology becomes affordable to even individuals.

Naavi

P.S: Comments and additional information and user experiences are invited

While we in India is still procrastinating on the introduction of a law for protecting information privacy, the world seems to be moving ahead into legislating for “Mental Privacy”.

The “Information Privacy” as defined by the Puttaswamy judgement refers to the right of a person to exercise his choice about how his personal information may be collected, used or disclosed by a third party.

Puttaswamy judgement recognizes that “Privacy” is a state of mind and much more than “Right to Spatial Privacy”. But technology developments are opening up new challenges on defining the boundaries of “Privacy”.

While I am not discussing the boundaries from the perspective of how much privacy intrusion should be allowed to Government or Law Enforcement or even Commercial interests, it is time to look at the more basic level of how technology may be threatening the very basics of “Freedom of Thought”.

Firstly, let us look at medical implants which sit inside our body, and watch how our heart is beating or blood sugar is changing etc. Is this “Privacy Invasion”? …of the exempted category where there is a need to protect life, and there is an explicit consent?

If the implant device owning company like it does in the case of all IoT devices, retain an ability to collect data, store it, analyze it and make money out of such analysis, is there a concern about potential misuse of personal data, possible crimes which may extend to causing death of the individual etc.?

When sports medics analysed the bowling action of Muttiah Muralidharan, were they intruding on his privacy and to gather evidence which could be incriminating against Mr Muralidharan himself?

…are issues that we are already aware of.

The wearable devices like the smart watches and the Alexa kind of “Always listening” devices also pose substantial privacy risks in the normal sense though “Explicit Consents” could be used to manage them.

In the next level, we are getting into the era of Meta Verse with Virtual presence where the potential for privacy invasion causing mental disturbance is extremely high.

Over and above these developments, the questions now coming up are the “Neuro Intrusions” where probes collect brain wave emissions and collect the subject’s thoughts. Probably in the coming days, the same probes may be capable of sending in messages to alter the brain perceptions and make people hallucinate more realistically than ever before.

Does our present legal system address  “Brain Hacking”? is a question we need to ask ourselves.

ITA 2000 attributes an action of a computer to its owner. This has effectively extended the Act to the field of Artificial Intelligence. The definition of “unauthorized access” is however limited to “Computer Devices”.

A Computer is defined in ITA 2000 as

” any electronic, magnetic, optical or other high-speed  data processing device or system which performs logical, arithmetic, and  memory functions by manipulations of electronic, magnetic or optical  impulses, and includes all input, output, processing, storage, computer  software, or communication facilities which are connected or related to the  computer in a computer system or computer network;”

While the legislative intent has to be limited to treating the devices that we today recognize as Computers, Mobiles and other binary processing devices , this definition is difficult to be extended to the “System” of “Human Brain” though the neuro system also  consists of data storage, data transmission, data sensors, data input and output periherals etc. similar to the computer system we know of.

In India, our Supreme Court can assume any kind of power whether written in the constitution or not and this argument has been used in the Puttaswamy judgement by one of the judges (Justice Chelameswar). Hence the Supreme Court has the power to read down the section 2(i) to interpret that the definition of a computer system includes the human brain since it also receives and emits electro magnetic impulses.

Every end point of a nerve is like a pixel in a computing device and has an experience which is communicated by the neurons. The software inside the human brain interprets the experience as “Sight” if it comes from the eye or “Sound” if it comes from the ears and “Touch” if it comes from the skin, “Smell” if it comes from the nose and “Taste” if it comes from the tongue and so on. There are APIs inside our body with specific instructions on how to interpret different sensory perceptions.

We may therefore consider that there is a need to discuss whether the interpretation of “Computer” has to be limited to the “Devices” or should be extended to human brain also. If so, our current law, either the ITA 2000 or the upcoming DPA 2021 can be used also to interpret Mental Privacy as the west is trying to interpret.

We may need more discussions on this subject and we shall continue our discussions in due course.

Naavi

Related Article in vidhilegalpolicy.in

We have moved from Security by Design to Privacy By Design. Now it is time to upgrade to Compliance by Design.

Non Compliance of Data Protection law could lead to a penalty of 4% of Global Turnover.

Mitigation of the 4% Penalty Risk Is the objective of CBD or Compliance by Design strategy.

CBD means compliance to Data Protection law. In India,…. the JPC approved Data Protection Act 2021.

While complacency born out of the Resistance to change stops us from taking compliance steps with the hope that Government will never get the courage to pass the law, Courts have already started interpreting parts of the new proposed bill as “Due Diligence” under Information Technology Act 2000.

If Courts can uphold Right to Forget before the DPA 2021 is passed, nothing prevents a Court from imposing penalties for non compliance of DPA 2021 as part of ITA 2000.

Let us not wait for some body to teach us with a penalty. Let us develop our own Code of Practice… to be compliant before we are forced to.

FDPPI< the dada of data protection in India has organized a one day seminar on “Compliance View of DPA 2021” at Chennai on April 23rd, 2021, in association with Madras Management Association and in partnership with ISACA, IACC and CySi.

Contact any of these organizations to participate in the program and enrich yourself with the Law, Technology, opportunities and means of compliance embedded in DPA 2021.

Naavi