In the emerging scenario of digital espionage and cyber warfare, protecting critical cyber infrastructure is increasingly becoming a formidable challenge.
Entities in key sectors such as banking and finance, energy, oil, power, defence, chemical, transportation, telecommunications, use a combination of information technologies.
They depend, not only on Internet, Intranet, Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area networks (MAN), Virtual Private Network (VPN) but also wireless, radio, satellite-based network technologies, different operating systems, off the shelf and proprietary and in-house applications on leased lines, private fibre optics and wireless networks.
Technologies for IT systems and networks can be categorised based on their control objectives: firewalls and content management or filtering technologies protect a network or a node by controlling the network traffic.
TECHNOLOGIES AND STANDARDS
Authentication technologies validate the identity of the users; while biometrics identify physical characteristics of an individual such as a fingerprint or iris; smart tokens or cards contain embedded microprocessors capable of storing and processing data.
Integrity checkers, based on checksums, verify the genuineness of the network packets and stored data. Encryption technology helps in hiding the content. Digital signatures use public key cryptography for ensuring data integrity, authentication, and non-repudiation.
Cyber security standards, such as International Organisation for Standardisation's ISO 17799 and Information Technology Security and Evaluation Criteria, known also as Common Criteria Guide help in the selection of products for managing information security. Security architecture of cyber infrastructure needs to be monitored continuously by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
Security event correlation tools provide audit logs, list of incidents from operating systems, fire walls, applications and other services, depending on the configuration of the logging functions. They are configured for detecting anomalous activity on the network, taking corrective and preventive measures. While computer forensic tools for evidence preservation and collection prevent the accidental or deliberated modification of evidence, forensic tools are meant for recovery and analysis and help to recover damaged or deleted data.
Assurance to network security can be provided only by enforcing effective configuration management which alerts problems to the users and manages security faults, corrects configuration for improved performance, and sets proper security logging and accounting. Many operational techniques, such as redundant systems, are adopted to maintain the systems and get the network up and running.
Security auditors need to check the usage of various scanners to probe modems, internet pots, databases, wireless access points, Web pages and applications. They also assess if patch management tools are used for updating patches and their proper deployment.
IT SECURITY AUDITING
Responsibility for ensuring effective cyber security to critical cyber infrastructure rests with the cyber infrastructure owners. Cyber security policy should be based on business requirements and overall risk assessment. The risk management process essentially should encompass identification of IT assets to be protected, identification of threats, vulnerabilities, risk determination, prioritization and recommending countermeasures for risk mitigation to the risk acceptance level.
Cyber security audit concentrates on two vital issues; firstly, effectiveness of security architecture and integrity of the existing security configuration; and secondly identification of weaknesses where improvements are needed. Auditors take the help of attack detection and penetration testing tools and the built-in audit module in the system.
To assess the effectiveness of the security policy, planning and procedures for authentication, authorisation, credential mapping process and security management holistically, the auditor checks the audit log files, analyses incidents reported, identifies security breaches and potential weaknesses in the security architecture, for suggesting remedial actions.
(The author is a Director-General, CAG Office.)