
Arun Jaitley National Institute of Financial Management

Master of Business Administration (Financial Management) 2022-24

Presentation On

Paper No. 204: Management of Information System


“Issues & challenges in National Information Infrastructure.”
Presented by:
Group:-8
1. Ms. Meeta Rani Bishwal
2. Shri Lipoksungkum Imsong
3. Shri Virekhru Domeh
4. CA Mayur Chandan
Information/Critical Information Infrastructure

 Information Infrastructure is the totality of inter-connected computers and networks, and the information flowing through them.
 Certain parts of this Information Infrastructure could be dedicated to the management/control etc. of infrastructure providers, e.g. power generation and gas/oil pipelines, or could support our economy or national fabric, e.g. banking and telecom.
 The contribution of the services supported by these infrastructures and, more importantly, the impact of any sudden failure or outage on our national well-being or national security mark them as being Critical.
 Information infrastructure supporting the operations of Critical Infrastructure (CI) is Critical Information Infrastructure (CII).
What is National Information Infrastructure (NII)?
 National Information Infrastructure (NII) includes more than just
the physical facilities used to transmit, store, process and display
voice, data and images. It encompasses: -
 A wide range of equipment.
 Building foundations for living in the Information.
 The information itself.
 Applications and software.
 The network standards and transmission codes.
 Its components: hardware, software, supporting physical and human resources, and data, information and knowledge.
Legal/Institutional Framework to protect NII
 To protect major critical national information infrastructure
the Information Technology Act, 2000 defines Critical Information
Infrastructure (CII) as “those computer resource, the destruction of
which, shall have debilitating impact on national security, economy,
public health or safety”.

 The Government of India has notified the ‘National Critical Information Infrastructure Protection Centre’ (NCIIPC) as the nodal agency to address the threat to Critical National Information Infrastructure.
Major critical national information infrastructure (CNII)

 National Critical Information Infrastructure Protection Centre (NCIIPC) has identified the following as ‘Critical Sectors’: –
Features of National Critical Information Infrastructure

Intricate interdependence between various national critical information infrastructure.
Backbone of countless critical operations in a country’s infrastructure.
An information technology failure at a power grid can lead to prolonged outages crippling other sectors like healthcare, banking services.
Instances of cyberattacks by national/state actors targeting critical infrastructure.
A string of high-profile cyberattacks in recent months has exposed vulnerabilities in the critical infrastructure of even advanced nations.
Issues and Challenges

 Vulnerabilities: -
 Directly or indirectly related to the development and utilization of new technologies.
 Vulnerabilities are the flaws, loopholes or backdoors used by attackers to manipulate or take control of the system.
 There are multiple segments/services inherent in the architecture of any Critical Information Infrastructure, such as SCADA, VPN services, e-mail, web services and network services, which are under continuous threat from variously motivated malicious hackers/attackers.
 In the case of CII, the attackers are more than likely to have strong state support from any number of adversaries.
Issues and Challenges

 Action Needed: -
 Development of mechanisms to facilitate Identification of CII.
 Protection of CII through a risk management approach.
 Compliance with NCIIPC policies, guidelines, advisories/alerts etc. by CIIs.
 Develop capabilities for a real-time warning system.
 Lead and coordinate national programs and policies.
 Establish national and international linkages.
 Promote Indigenous Research and Development (R&D).
Issues and Challenges

 Action Needed: -
 Develop mechanisms to facilitate sharing of information on Information Security breaches, incidents, cyber-attacks, espionage etc.
 Facilitate thematic workshops and Information Security Awareness and Training Programme through PPP.
 Facilitate capacity building towards creation of highly skilled manpower.
 Establish Sectoral CERTs to deal with critical sector specific issues.
Issues and Challenges

 Families of controls for the protection of CNII: -

A. Planning Controls: - required to be assessed at the conceptualisation and design stage.

B. Implementation Controls: - required for translating the design/conceptualisation planning so as to ensure adequate and accurate translation of the security designs into actual system security configurations.

C. Operational Controls: - ensure that security postures are maintained in the operational environment.
Issues and Challenges

 Families of controls for the protection of CNII: -

D. Disaster Recovery/Business Continuity Planning (BCP) Controls: - essential to ensure minimum downtime, as well as to ensure that the restoration process factors in, and overcomes, the initial vulnerabilities.

E. Reporting and Accountability Controls: - ensure that adequate accountability and oversight is exercised by senior management, as well as reporting to concerned Government agencies where required. This family of controls also includes compliance controls.
Issues and Challenges
 Planning Controls: -
 PC1: Identification of CII
 PC2: Vertical and Horizontal Interdependencies
 PC3: Information Security Department
 PC4: Information Security Policy
 PC5: Integration Control
 PC6: VTR Assessment and Mitigation Controls
 PC7: Security Architecture Controls including configuration Management and Mitigation Controls
 PC8: Redundancy Controls
 PC9: Legacy System Integration
 PC10: Supply Chain Management – NDAs, Extensions and Applicability
 PC11: Security Certifications
Issues and Challenges
 Implementation Controls: -
 IC1: Asset and Inventory Control
 IC2: Access Control Policies
 IC3: Identification and Authentication Control
 IC4: Perimeter Protection
 IC5: Physical and Environmental Security
 IC6: Testing and Evaluation of Hardware and Software
Issues and Challenges
 Operational Controls: -
 OC1: Data storage: Hashing and Encryption
 OC2: Incident Management - Response
 OC3: Training, Awareness and Skill up-gradation
 OC4: Data Loss Prevention
 OC5: Penetration Testing
 OC6: Asset and Inventory Management
 OC7: Network Device Protection
 OC8: Cloud Protection
 OC9: Critical Information Disposal and Transfer
 OC10: Intranet Security
Issues and Challenges
 APT protection Disaster Recovery/ Business Continuity Planning
(BCP) Controls: -
 DR1: Contingency Planning – Graceful degradation
 DR2: Data Back-up and Recovery Plan, Disaster Recovery Site
 DR3: Secure and Resilient Architecture Deployment

Recent incident of vulnerability of CNII: -
 The flight booking site Cleartrip suffered a massive data breach involving the information of an unknown number of victims. A security anomaly gave hackers unauthorised access to a part of Cleartrip’s internal systems.
 United Kingdom's National Health Service (NHS) emergency services were affected by a significant outage triggered by a cyberattack.
 Google blocks domains of hack-for-hire groups: hack-for-hire gangs targeting in Russia, India and the United Arab Emirates. The group has been targeting healthcare, government and telecom organisations with attempts to phish credentials of Amazon Web Services (AWS), Gmail and government services accounts.
Quarterly Vulnerability Analysis Report: -
 During the third quarter of 2022, a total of 5259 vulnerabilities were observed.
 Of these, the majority of vulnerabilities had scores ranging from 4-7.
 19 percent of total vulnerabilities reported were of Critical severity.
 Google, Microsoft, Jenkins, Apple and Linux were the top five vendors, accounting for 25% of total reported vulnerabilities.
Quarterly Vulnerability Analysis Report: -
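| Severity | CVSSv3 Score | Jun’22 | Jul’22 | Aug’22 | Total Vulnerabilities | Severity Total |
|----------|--------------|--------|--------|--------|-----------------------|----------------|
| Low      | 0-1          | 0      | 0      | 0      | 0                     | 128            |
| Low      | 1-2          | 0      | 0      | 0      | 0                     |                |
| Low      | 2-3          | 9      | 11     | 10     | 30                    |                |
| Low      | 3-4          | 16     | 34     | 48     | 98                    |                |
| Medium   | 4-5          | 177    | 159    | 104    | 440                   | 2086           |
| Medium   | 5-6          | 275    | 231    | 266    | 772                   |                |
| Medium   | 6-7          | 278    | 294    | 302    | 874                   |                |
| High     | 7-8          | 536    | 480    | 478    | 1494                  | 2058           |
| High     | 8-9          | 155    | 238    | 171    | 564                   |                |
| Critical | 9-10         | 320    | 287    | 380    | 987                   | 987            |
| Total    |              | 1766   | 1734   | 1759   | 5259                  |                |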


Quarterly Vulnerability Analysis Report: -

[Figures: severity-wise share of vulnerabilities; severity-wise number of vulnerabilities]


Quarterly Vulnerability Analysis Report: -
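| S. No. | Vendor        | Jun’22 | Jul’22 | Aug’22 | Total |
|--------|---------------|--------|--------|--------|-------|
| 1.     | Google        | 118    | 199    | 212    | 529   |
| 2.     | Microsoft     | 119    | 153    | 160    | 432   |
| 3.     | Jenkins       | 86     | 42     | 3      | 131   |
| 4.     | Apple         | 40     | 40     | 28     | 108   |
| 5.     | Linux         | 35     | 35     | 29     | 99    |
| 6.     | H3C           | 17     | 14     | 67     | 98    |
| 7.     | Adobe         | 36     | 34     | 27     | 97    |
| 8.     | Oracle        | 6      | 86     | 0      | 92    |
| 9.     | Fedoraproject | 36     | 39     | 15     | 90    |
| 10.    | IBM           | 24     | 36     | 24     | 84    |
| 11.    | Cisco         | 11     | 55     | 11     | 77    |
| 12.    | Mediatek      | 18     | 27     | 25     | 70    |
| 13.    | Siemens       | 26     | 36     | 6      | 68    |
| 14.    | Intel         | 6      | 1      | 46     | 53    |
| 15.    | Tenda         | 2      | 13     | 37     | 52    |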
Quarterly Vulnerability Analysis Report: -
[Figure: count of vulnerabilities for top 15 vendors]
