Cyber Security Awareness
With the increase in cyber threats, it is extremely important that all of us are aware of Cyber Security measures and build a culture of security by preventing data breaches and phishing attacks. BASL vide its circular 20220519-2 and other Regulators have also guided intermediaries from time to time to spread awareness about Cyber Security measures.
Therefore, in our endeavor to educate you and comply with the regulatory guidelines, we have prepared an informative presentation, which is available here for your reference.
What is Cyber Security?
Cybersecurity, also known as Information Technology security, is the protection of internet-connected systems such as laptops, tablets, mobile devices and Wi-Fi routers, along with other hardware, software, and data, from Cyber Crime or Cyberattacks. Cyber Security ensures the safety and integrity of internet-connected systems by preventing unauthorised access, damage, and disruption.
Types of Cyber Crime
Hacking
Hacking is illegally breaking into computers and networks by compromising devices like computers, smartphones, and tablets.
Phishing
Phishing is when an attacker sends a fake message to trick someone into revealing sensitive information like usernames, passwords, OTPs and credit card details. This often happens through email, phone calls, SMS or WhatsApp, where the message looks like it’s from a trusted source but actually directs the person to a fraudulent website via a link.
Denial of Service
A denial-of-service (DoS) attack is a cyber-attack that disrupts access to a machine or network resource, making it unavailable to its intended users. This is achieved by overwhelming a network or a machine with excessive requests, so that the system uses up its CPU, memory or network bandwidth and is unable to handle legitimate requests.
When a DoS is triggered from multiple computers on the internet at the same time, the result is a Distributed Denial of Service (DDoS) attack, which floods a website or an online service with requests, amplifying the disruption.
Spam Email
Spam email, also called junk email, consists of unsolicited messages sent to the user. It can be dangerous because it can carry viruses, spyware, and phishing attacks. Spammers collect email addresses from various sources and sometimes sell email addresses to other spammers.
Malware (Trojan, Virus, Worms, etc.)
Malware, including viruses, worms, and trojans, is malicious software designed to disrupt computers, servers, or networks. Hackers use malware to steal private information, gain unauthorised access, or block access to data. Viruses replicate by infecting other programs, while worms spread by copying themselves repeatedly, consuming all available memory.
Spyware, Adware
Spyware and adware are types of malicious software. Spyware secretly collects personal information, while adware shows unwanted ads. Both are designed to disrupt computers and steal information.
Ransomware
Ransomware is a dangerous type of malware that locks you out of your device and demands a ransom to be paid for regaining access. It can be very damaging, with notable examples such as WannaCry, Petya, Cerber and Locky. To avoid ransomware, it’s important to be cautious and prepared.
Social Engineering
Social engineering is when someone tricks people into giving away sensitive information or access by manipulating them through deception or persuasion. It often involves pretending to be someone trustworthy to gain personal details or access to systems.
How Do We Protect Information?
- People: Training, education, awareness, repetition
- Process: Governance, oversight, policy, reporting
- Technology: Firewalls, anti-malware, strong passwords, logging/monitoring
Data Privacy
If you use an email account, your password is a method of data security. In contrast, how your email service provider manages and uses your data is related to data privacy.
Data Privacy & Precautions
Know what is considered personal information
Personal information is any information that can be used independently or with other information to identify an individual. This umbrella encompasses:
- Name, address, and date of birth
- Passport or driver’s licence number, or any other identity card
- IP address, if it can be traced to an individual
- DNA, fingerprints, and voiceprints
Beware of vishing, phishing and smishing attempts
- Don’t use public Wi-Fi
- Report any email scams you encounter
- Take steps to secure your online data
Email Best Practices
Avoid using free web-based email for business purposes, as they are less professional and more vulnerable to hacking or spoofing. Be cautious about sharing details about your job duties or positions on your website or social media (like LinkedIn or Facebook), especially if you have transactional or purchasing authority.
Carefully consider what information is included in your Out of Office email responders. Always check and verify the sender’s email address before responding or taking any action.
Password Use
Passwords are essential for verifying user identity and granting access to information and services. All users should:
- Keep their passwords confidential.
- Change passwords if there’s any suspicion of a system or password breach.
- Create strong passwords that are at least 8 characters long, easy to remember, and not based on easily guessable personal information like names, phone numbers, or birthdates.
- Avoid passwords with consecutive identical characters or those consisting only of numbers or letters.
- Ensure passwords include at least one number, one special character, and one uppercase letter. Regularly update passwords and avoid reusing or cycling old ones.
- Avoid including passwords in automated login processes, such as macros or function keys.
- Never share individual user passwords.
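The rules in the list above, expressed as a checker. This is an added example, not part of the original presentation; the function name `check_password`, the `personal_info` parameter and the 4-character minimum for matching personal details are assumptions, and the sample names, dates and passwords are constructed.

```python
import re

def check_password(password, personal_info=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Same character twice in a row, e.g. "ss" or "11".
    if re.search(r"(.)\1", password):
        problems.append("consecutive identical characters")
    # Requiring a number, an uppercase letter and a special character also
    # rules out passwords made only of numbers or only of letters.
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Personal details (names, phone numbers, birthdates): split each item into
    # alphanumeric tokens and look for any token of 4+ characters (assumed
    # threshold) inside the password, ignoring case.
    lowered = password.lower()
    candidates = set()
    for item in personal_info:
        candidates.update(t for t in re.split(r"[^a-z0-9]+", item.lower()) if len(t) >= 4)
        digits = re.sub(r"\D", "", item)  # e.g. a phone number without spaces
        if len(digits) >= 4:
            candidates.add(digits)
    if any(c in lowered for c in candidates):
        problems.append("based on personal information")
    return problems

if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    me = ["Asha Rao", "1987-04-15", "+91 98765 43210"]
    for pw in ["Tr4in#Ticket", "password", "12345678", "Asha@1987x", "Pay#98765x"]:
        print(pw, "->", check_password(pw, me) or "OK")
```

A check like this only enforces the written rules; it does not detect passwords that have already appeared in a breach, which is why the list also calls for changing a password on any suspicion of compromise.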
General Precautions for Financial Transactions
- Be cautious of suspicious pop-ups that appear while browsing the internet.
- Always verify that the payment gateway is secure (look for “https://” and a padlock symbol) before completing online transactions.
- Keep your PIN, passwords, credit/debit card numbers, and CVV private; do not share this sensitive financial information with banks, friends, or family.
- Avoid saving card details on websites, devices, or public computers.
- Enable two-factor authentication where available.
- Do not open or respond to emails from unknown sources, as they may contain phishing links or malicious attachments.
- Avoid sharing copies of your cheque book or KYC documents with strangers.
- Report financial fraud to the RBI ombudsman online or through the National Cybercrime Reporting Portal (www.cybercrime.gov.in).
- If your card is lost or stolen, block the card and also freeze the linked bank account.
Mobile Application Security
Mobile application security involves protecting mobile apps from digital threats like malware, hacking, and other forms of criminal manipulation. If a mobile app is compromised, it poses a high risk of digital fraud, including:
- Theft of financial login credentials
- Theft and resale of credit card details
- Unauthorized access to business networks
- Using the device to spread malware to other devices
- Unauthorized access to TXT or SMS messages for private information
Steps to Mitigate Threats
- Monitor for rogue apps proactively
- Download apps only from trusted sources
- Avoid saving passwords on your device
- Invest in mobile app security services
- Enhance overall data security
Virus Monitoring & Detection
Signature-Based Protection
This detection method relies on databases of known threats. It can identify threats that match entries in the database but may not detect new or unknown threats outside its scope.
Behavioral Detection
This approach continuously monitors the behavior of installed programs, looking for unusual or suspicious activity.
Cloud-Based Detection
This method stores threat definitions, such as malware files or dangerous IPs and URLs, in the cloud rather than on the device. It saves space and allows for remote updates to your antivirus software. When new threats are identified, updates can be pushed to all connected devices, offering real-time protection.
Measures for Cyber Attack
- Verify links before clicking on them.
- Avoid sharing confidential information or accepting unsolicited friend requests on social media.
- Use footprinting techniques to identify and remove sensitive information from social media platforms.
- Conduct regular vulnerability assessments.
- Invest in a patch management system to handle software and system updates, ensuring your system remains secure and current.
- Maintain regular data backups to prevent significant downtime, data loss, and financial impact.
- Control access to your systems.
- Protect your network with a firewall to defend against brute force attacks.