
Cyber Terrorism

PCQ Bureau

Cyber terrorism, in plain English, can be defined as the use of IT to carry out unlawful activities. This form of terrorism is a deadly cocktail of technology and terrorists, used for disruptive activities. Let us start the story with some facts about the use of technology by terrorists. On July 26th 2008, 21 blasts were carried out in Ahmedabad. Terrorists misused insecure WiFi networks for their communications for this act. In the recent Mumbai attacks, terrorists used Google Maps for planning. Also, investigations have revealed that the 9/11 attackers were trained on Microsoft Flight Simulator. These examples give us a clear picture that, like guns, IT can also have a devastating effect if used by criminals. The reasons terrorists use IT are not difficult to find. Technology and information are easily available and widely used, and most people in the modern world depend on technology, which makes them vulnerable to cyber attacks. The costs associated with such terrorism are very low, and one can cripple modern cities by carrying out attacks from a machine located anywhere in the world. Another important reason for the proliferation of cyber terrorism is its covertness; criminals can carry out terrorist activities without revealing their identity.


Countering Cyber Terrorism



To counter the threat from cyber terrorists efficiently, there is a need for close collaboration between the private and the public sectors. Besides such collaboration, there is a need to be more proactive in approach. But being proactive also means more interference in privacy. There are technologies available that telecom operators can use to monitor each call routed by them. Even 24 x 7 monitoring is possible through massive implementation of video surveillance in attack-prone areas or big cities. But both these approaches would lead to interference in the private lives of the public. As such an approach is being used by other countries, the government and other stakeholders involved should try to find the thin line between privacy and a proactive approach. There are different technologies and approaches that can be effective against cyber terrorism.

Physical security



When it comes to information security, the trend is that enterprises, government bodies and law enforcement agencies concentrate far more on virtually securing their sensitive digital information than on physically securing their data centers and computer assets. What is overlooked most of the time is the fact that physically breaching the weak security of a data center is far easier for an attacker with little or no technical know-how. So it is extremely important to set up multiple layers of physical security around your data center to counter any act of cyber terrorism.

Cyber Crime Facts
  • 54,000 serious computer attacks reported on hackerwatch.org.
  • 60% of businesses don't know how much computer attacks cost them.
  • 5% who know, estimate it at $5 million per hour.
  • 1% of business continuity plans address cyber attacks.
  • 3% of business continuity plans address computer viruses.
  • A few minutes is what it takes for an unprotected computer to get compromised.
  • 1.9 million IP addresses have been linked to Online Child Exploitation ($20 billion industry).
  • 29th May 2009: U.S. President Barack Obama said that his government was not prepared against disruption caused by hacker attacks.
  • A small Baltic country, Estonia, came to a standstill after a wave of cyber attacks.
  • March 2009: An IP address originating from China intruded into Indian cyber territory. The hacker attacked the ministry of external affairs website.

(Based on excerpts from a presentation given by B G Gupta, director, SCI Software India.)


Recruit well-trained security personnel



The first layer of security of a data center is a batch of efficient security personnel deployed at strategic locations. Care must be taken to recruit well-trained security personnel from a reputed security agency. Though the current private security guard pool in India is vast, it is still ill-trained to combat specific security challenges. So rather than relying completely on outsourced security staff, organizations should take charge of the security of their data centers themselves and guide these personnel on the specific security needs of the data center.

“With huge repositories of public and private data, including sensitive data, residing on the servers and on the 'cloud', it is extremely important that our critical information infrastructure is secure from anti-national elements. There is an urgent need to develop capacity within various stakeholders like enterprises, governments, law enforcement agencies, including judiciary, and citizens to understand cyber threats and the responses needed to mitigate such threats.”

Shyamal Ghosh, Chairman, Data Security Council of India

“Government should encourage Ethical Hackers Association to counter cyber terrorism. I strongly advocate ethical hacking under government jurisdiction, or through bodies like NIXI.”

Saugaato Ray, Director and CEO, Satmac Infosys

In the unexplored and ill-trained pool of private security guards, who receive little in terms of salary and respect, lies a great opportunity for the private security industry of India. The industry can take up the onus of providing specialized training to security guards, keeping in mind the different needs of different industries. All this would translate into a reliable pool of private security guards that commands respect for its expertise in combating any kind of threat to homeland security.

IT Act and Cyber Terrorism

Strengthening of laws is also important to deter criminals from using IT with malicious intent. Here is a peek into the country's IT Act. Cyber terrorism is defined in Section 66F. By law, cyber terrorism is committed by whosoever threatens the unity, integrity, security or sovereignty of India and/or strikes terror in people by denying access to computer resources and/or accessing computer resources without authority and/or introducing any computer contaminant, which results in death and/or destruction of property. In addition, whosoever penetrates restricted computer resources or information affecting sovereignty, integrity, friendly relations with foreign states, public order, decency, contempt of court or defamation, or works to the advantage of a foreign state or group of persons, is punishable with imprisonment up to life.

Access control systems



The entry point of the data center should have the most stringent access control systems in place to prevent any unauthorized intrusion. There are generally three types of user authentication mechanisms that access control systems employ:

  • a unique individual password, like a PIN
  • a tangible document that belongs to the user, like an ATM card or an ID card
  • biometric authentication based on measurable, unique, physical characteristics of an individual, like fingerprint, voice recognition, face recognition, hand geometry, vascular patterns, retina scan etc.


The access control systems can be based on any one of these three authentication factors, providing single-factor authentication. But for tighter security, multi-factor authentication has to be deployed: a combination of two or three of these mechanisms.

Though biometric authentication technologies are expensive to deploy and implement, they are considered to be strong access control mechanisms. This is because the aforementioned biometric information of each individual is unique, remains almost unchanged throughout his/her life, is non-transferable and is extremely difficult to forge. But even biometric authentication, on its own, is not completely foolproof due to issues like wrongful duplication of user fingerprints. So the best way to secure your data center would be to deploy a two-factor or three-factor authentication based access control system, with biometric authentication as one of the factors.
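
The combination rule described above can be made concrete as an entry-decision check. This is an added example, not part of the original article: it counts distinct factor types rather than credentials and insists that one of them is biometric. The function, class and mechanism names and the sample attempts are all hypothetical, and denying on any failed check is a design choice of this example.

```python
# Added illustration: the factor categories mirror the article's three
# mechanism types; all names and sample data here are hypothetical.
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, BIOMETRIC = "knowledge", "possession", "biometric"

# Which category each credential mechanism belongs to (constructed mapping).
MECHANISM_CATEGORY = {
    "pin": KNOWLEDGE, "password": KNOWLEDGE,
    "id_card": POSSESSION, "atm_card": POSSESSION,
    "fingerprint": BIOMETRIC, "retina_scan": BIOMETRIC,
}

@dataclass(frozen=True)
class Presented:
    mechanism: str   # e.g. "pin", "id_card", "fingerprint"
    verified: bool   # result reported by the reader/verifier

def decide(presented, required_factors=2, require_biometric=True):
    """Return (granted, reason) for one entry attempt at the data center door."""
    categories = set()
    for cred in presented:
        category = MECHANISM_CATEGORY.get(cred.mechanism)
        if category is None:
            return False, f"unknown mechanism: {cred.mechanism}"
        if not cred.verified:
            # Any failed check denies entry; a failure must not be masked
            # by other credentials that happened to verify.
            return False, f"failed verification: {cred.mechanism}"
        categories.add(category)
    if len(categories) < required_factors:
        # Two credentials of the same type (PIN + password) are one factor.
        return False, f"only {len(categories)} distinct factor(s) presented"
    if require_biometric and BIOMETRIC not in categories:
        return False, "biometric factor missing"
    return True, "granted: " + "+".join(sorted(categories))

# Constructed sample attempts.
ATTEMPTS = {
    "pin+password": [Presented("pin", True), Presented("password", True)],
    "card+pin": [Presented("id_card", True), Presented("pin", True)],
    "card+fingerprint": [Presented("id_card", True), Presented("fingerprint", True)],
    "card+bad fingerprint": [Presented("id_card", True), Presented("fingerprint", False)],
}

if __name__ == "__main__":
    for name, creds in ATTEMPTS.items():
        print(name, "->", decide(creds))
```
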

Intelligent IP surveillance



Intelligent IP surveillance can be achieved either by deploying intelligent IP cameras that have built-in video analytics software or by integrating video analytics software with your existing network of standard IP cameras across your data center. Such embedded intelligence can detect suspicious movements, unauthorized entries, missing objects, camera tampering etc. and can automatically send out audio alarms, visual alerts and SMSes to the concerned security personnel, initiating immediate action.


Information Security



Security of data in your data center is critical not only for your business but also for the overall security of individuals. If data regarding customers of an organization is available to criminals, this data can be used for identity theft for camouflage. If the compromised information is financial in nature, this could fund terrorists. One needs multiple approaches to secure information: at the data level one can have email security, encrypted communication, port blocking etc., and at the network level one can have firewalls, UTMs and IDS systems. Besides these approaches, one also needs anti-virus and anti-spam software. All these approaches would give the right results only if there is a proper security policy in place and adherence to that policy is made compulsory.

(The article contains excerpts from the presentation given by Pradeep Gupta, CMD, CyberMedia.)

Sandeep Koul and Amrita Premrajan
