Você está na página 1de 43

Cyber Crisis Management Plan (CCMP)

Cyber Crisis Management Plan

Document Details

Version 1.0

Year 2017-18

Number of Pages 43

Owner Punjab & Sind Bank

Page 1 of 43
Cyber Crisis Management Plan (CCMP)

Version History

Version Date Comments

This document describes the Cyber Crisis Management


1.0 January 2018
Plan for the Bank.

Page 2 of 43
Cyber Crisis Management Plan (CCMP)

CONTENT

Sr. No. Topic Page

1 Introduction 4

2 Overview 4

3 Objective/ Purpose 5

4 Applicability of the Plan 5

5 Plan Exceptions 5

6 Guidelines for formulating Cyber Crisis Management Plan 6

7 Maintenance & Review of CCMP 6

8 Cyber Crisis and Contingencies 7

9 Types of Cyber Crisis 7

10 Prevention Strategies and Plans 9

11 Crisis Recognition & Mitigation Plan 10

12 End-user Awareness and Training 12

Annexure - A (Components within the System and their mappings to


13
Controls)

Annexure - B (Threat levels and related conditions) 16

Annexure - C (Incidence Response Activities During The First Hour) 18

Annexure - D (Contact Details and Reporting Formats) 24

Annexure - E (Nature and Severity of Crisis And Steps For Mitigation) 38

Page 3 of 43
Cyber Crisis Management Plan (CCMP)

1. Introduction

1.1 Crisis is defined as a significant threat to the operations of the organization that can have negative
consequences, if not handled properly. Crisis can create financial and reputational loss by disrupting
operations.

1.2 Cyber crisis is coordinated large scale cyber events that result in or have the potential to result in a
wide spread outage or disrupt multiple infrastructures. Cyber-attack is any type of offensive maneuver
by individuals or whole organizations that targets computer information systems, infrastructures,
computer networks, and/or personal computer devices by various means of malicious acts usually
originating from an anonymous source that either steals, alters, or destroys a specified target by
hacking into a susceptible system. These can be labeled as either a cyber campaign, cyber warfare or
cyber terrorism in different context. Cyber-attacks can range from installing spyware on a PC to
attempts to destroy the infrastructure of the entire Bank.

1.3 Cyber Crisis Management is a critical organizational function. Failure can result in serious harm to
stakeholders, losses for the organization, or end its very existence. The cyber crisis management plan is
prepared in line with Business Continuity Plan.

1.4 RBI vide circular RBI/ 2015-16/ 418 DBS.CO/ CSITE/ BC.11/ 33.01.001/ 2015-16 dated 02.06.2016
mandates that Cyber Crisis Management Plan (CCMP) should be evolved and should be a part of the
overall Board approved strategy.

1.5 RBI guidelines lay down the guiding principles for formulation of an effective Cyber Crisis
Management Plan and its implementation. These guidelines mandates implementation of a CCMP. The
same shall be reviewed periodically. This document on Cyber Crisis Management Plan (CCMP) has been
formulated in compliance with the RBI guidelines.

2. Overview

This document on CCMP is designed to reduce the Bank's risk arising from an unexpected disruption of
the critical functions/ operations necessary for the business due to cyber attacks/ crisis. CCMP can be
defined as a statement of:

• Actions to be taken.
• Resources to be used.
• Procedures to be followed before, during and after a cyber crisis which renders a Business function
totally or partially unavailable.

Page 4 of 43
Cyber Crisis Management Plan (CCMP)

3. Objective/ Purpose

The objective of this Cyber Crisis Management Plan is to counter Cyber Attacks/ Cyber Terrorism by
outlining a framework for dealing with cyber related incidents for a coordinated, multi-disciplinary and
broad based approach for rapid identification, information exchange, swift response and remedial
actions to mitigate and recover from malicious cyber related incidents impacting critical business
functions and processes of the Bank.

The purpose of Cyber Crisis Management Plan (CCMP) is to enable Bank to continue operations in the
event of an interruption to the Business Functions. The plan addresses all business and systems
functions necessary to continue as a viable organization. Strong management support, extensive
planning and a commitment of resources are necessary to adequately plan for both manual and
automated interruptions.

Any serious disruption can cause critical information resources to be inoperative from few hours to
several days, depending upon the criticality of the information resources. The recovery of key business
processes, in a worst-case scenario, would probably involve the use of alternative processing facilities,
where the recovery of software and data files from offsite locations may be required. This CCMP take
into account of all events types that might impact both critical information systems processing facilities
and end-user business operational functions.

The main objective of CCMP is:-

1) To continue the service to customers and financial market participants.


2) To minimize financial loss to the bank.
3) To mitigate the negative effects that the disruptions can have on the bank‘s strategic plans,
reputation, operations, liquidity, credit quality and market position.
4) To remain in compliance with applicable laws and regulations.
5) To support systemic financial market business processes (e.g., inter-bank payment systems, key
market clearance and settlement activities).

4. Applicability of the Plan

This document applies to all activity owners, including Bank Employees, contractors, consultants,
temporary staff and other individuals even if, affiliated with Third Parties, who have access to Bank‘s
Information/ Information Processing Facilities and other resources to have CCMP‘s in place to be in
readiness to tackle serious business disruptions.

5. Plan Exceptions

Every care has been taken in formulating this CCMP. The Information Security Cell cannot possibly
foresee all possible circumstances or situations in which it might apply. It is conceivable that

Page 5 of 43
Cyber Crisis Management Plan (CCMP)

exceptional situations or emergencies may occur when practical considerations clearly override or
negate the statements made herein.

In case anyone identifies a situation in which these plan cannot apply for some reason, it is his/ her
responsibility to raise the matter with the respective GMs/ Head of Branch, Zone, or Department.
GMs/ Head of Branch, Zone, Department taking into consideration the relevant Information resources
Owners and other stakeholders, will take up with the GM-IT who will take decision on whether to
permit or deny such plan exceptions.

6. Guidelines for formulating Cyber Crisis Management Plan

Based on the broad guidelines issued by RBI, CCMP addresses the following four aspects:

i. Detection
ii. Response
iii. Recovery, and
iv. Containment

Bank need to take effective measures to prevent Cyber-Attacks and to promptly detect any cyber-
intrusions so as to respond/ recover/ contain the fall out. Bank is expected to be well prepared to face
emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among
other things, bank should take necessary preventive and corrective measures in addressing various
types of cyber threats including, but not limited to, Denial Of Service (DOS), Distributed Denial Of
Services (DDoS), Ransom-Ware/ Crypto Ware, Destructive Malware, Business Email Frauds including
Spam, Email Phishing, Spear Phishing, Whaling, Vishing Frauds, Drive-By Downloads, Browser Gateway
Fraud, Ghost Administrator Exploits, Identity Frauds, Memory Update Frauds, and Password Related
Frauds etc.

7. Maintenance & Review of CCMP

CCMP document shall be reviewed, at least, annually or as and when changes in the Bank’s
environment/ infrastructure or threat occur to keep pace with the changes within the Bank. Some of
the typical changes that may be identified and updated in the manual include:

a. The Critical assets, Nature of cyber crisis and possible targets and impact of particular type of
crisis on these targets.
b. Crisis due to focused cyber-attacks affecting the Bank.
c. Different Types of cyber crisis described include large-scale defacement and semantic attacks
on websites, Malicious code attacks, large scale SPAM attacks, Spoofing, Phishing attacks, Social
Engineering, Denial of Service (DoS) and Distributed DoS attacks, attacks on DNS, Applications,
Infrastructure and Routers, Compound attacks and High Energy RF attacks.

Page 6 of 43
Cyber Crisis Management Plan (CCMP)

d. Measures to be taken at organizational level for enhancement of security posture of


Information and Network including implementation of Information Security Best Practices
based on ISO 27001 standard, provisioning for Business Continuity Plan.
e. Incident handling and Management, Sharing of information pertaining to incidents and
participating in mock drills conducted by various external agencies such as Cert-In, NCIIPC,
CSITE, IDRBT etc. to test the preparedness of Critical Infrastructure of Bank to withstand cyber-
attacks.

8. Cyber Crisis and Contingencies

This section identifies different types of threats and crisis that affect specific targets. Impact of such
crisis on respective targets and critical business functions and services of Bank identified to determine
suitable response and mitigation actions. While preparing the CCMP the following actions are kept in
mind:

a) Identification of all critical units of Bank by concerned owner/ division.


b) Functions and services of all such units
c) Inventory of all Critical Information assets
d) Risk Assessment and risk management as per BCP of Bank
e) Business Impact Analysis as per BCP of Bank.
f) Contingency plan for IT systems

Cyber crisis has unique features that are different from a physical crisis. In some cases, the severity of
cyber crisis is high but confined to individuals or few departments within the Bank. In other cases the
severity may be low but widely spread to entire Bank.

9. Types of Cyber Crisis

There are various types of cyber security incidents that can trigger a crisis at organization level.

a) Targeted Scanning, Probing and Reconnaissance of Networks and IT Infrastructure: Publicly


available reconnaissance techniques, including web and newsgroup searches, WHOIS querying, and
Domain Name System (DNS) probing, are used to collect data about the structure of the target
network from the Internet without actually scanning the network or necessarily probing it directly.

b) Large scale defacement and semantic attacks on websites: A website defacement is when a
defacer breaks into a web server and alters the contents of the hosted website. Attackers change
the content of a web page subtly so that the alteration is not immediately apparent. As a result,
false information is disseminated.

c) Malicious Code attacks (virus/ worm/ Trojans/ Botnets): Malicious code or malware is software
designed to infiltrate or damage a computer system without the owner's informed consent.

Page 7 of 43
Cyber Crisis Management Plan (CCMP)

Malicious code is hostile, intrusive, or annoying software or program code. Commonly known
malware are virus, worms, Trojans, spyware, adware and Bots.

d) Malware Affecting Computing Devices: Malicious code and malicious applications (apps)
affecting operating systems/ platforms used for mobile devices such as Symbian, Android, iOS,
Windows Mobile, and Blackberry OS.

e) Large scale SPAM attacks: Spamming is the abuse of electronic messaging systems to
indiscriminately send unsolicited bulk messages. SPAM mails may also contain virus, worm and
other types of malicious software and are used to infect Information Technology systems.

f) Spoofing: Spoofing is an attack aimed at ‘Identity theft’. Spoofing is a situation in which one
person or program successfully masquerades as another by falsifying data and thereby gaining an
illegitimate advantage.

g) Phishing Attacks: Phishing is an attack aimed at stealing the ‘sensitive personal data that can
lead to committing online economic frauds. Phishers attempt to fraudulently acquire sensitive
information, such as usernames, passwords and credit card details etc., by masquerading as a
trustworthy entity in an electronic communication.

h) Social Engineering: Art of manipulating people into performing disclosure actions or divulging
confidential information for using the same for monetary or defacing an individual or corporate
image.

i) Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks: DoS is an
attempt to make a computer resource unavailable to its intended users. A distributed denial of
service attack (DDoS) occurs when multiple compromised computer systems flood the
communication link (called bandwidth) or resources of a targeted system.

j) Application Level Attacks: Exploitation of inherent vulnerabilities in the code of application


software such as web/ mail/ databases.

k) Infrastructure Attacks: Attacks such as DoS, DDoS, corruption of software ,Gateways of


ISPs and Data Networks, Infection of Programmable Logic Control (PLC) systems by sophisticated
malware.

l) Compound Attacks: By combining different attack methods, hackers could launch an even more
destructive attack. The Compound attacks magnify the destructiveness of a physical attack by
launching coordinated cyber-attack.

m) Router Level Attacks: Routers are the traffic controllers of the Internet to ensure the flow of
information (data packets) from source to destination. Routing disruption could lead to massive
routing errors resulting in disruption of Internet communication.

Page 8 of 43
Cyber Crisis Management Plan (CCMP)

n) Attacks on Trusted infrastructure: Trust infrastructure components such as Digital certificates


and cryptographic keys are used at various levels of cyber space ranging from products,
applications and networks.

o) High Energy Radio Frequency Attacks: Use of physical devices like Antennas to direct focused
beam which can be modulated from a distance to cause RF jamming of communication systems
including Wireless networks leading to attacks such as Denial of Service

p) Cyber Espionage and Advanced Persistent Threats: Targeted attack resulting in compromise of
computer systems through social engineering techniques and specially crafted malware.

The different types of cyber crisis/ attacks mentioned above are indicative but not exhaustive, and
may not include all types of cyber crisis/ attacks. However, the CCMP covers all types of cyber
attacks which may evolve in future also.

10. Prevention Strategies and Plans

10.1. Cyber resilience of Bank

Cyber resilience is defined as ability of organization or business process to anticipate, withstand cyber-
attacks and the capability to contain, recover rapidly and evolve to improved capabilities from any
disruptive impact of such cyber-attacks.

10.2. Protection and resilience of Bank’s infrastructure

To build cyber resiliency, Bank need to work for the following:

• Identification of key information and technology assets that support the services of the Bank by
the concerned divisional head.
• Implementation of controls to protect those assets from cyber attack.
• Implementation of controls to sustain the ability of those assets to operate under disruptive
events and recover rapidly from disruption.
• Development of processes to maintain and repeatedly carry out the protection and recovery
activities.
• Development of appropriate measures to drive these activities.
• Develop a plan for protection of Bank’s IT Infrastructure and its integration with business plan
and implement such plan. The plans shall include establishing mechanisms for secure
information flow (while in process, handling, storage & transit), guidelines and standards, crisis
management plan, proactive security posture assessment and forensically enabled information
infrastructure.
• Closely interact with 24x7 National Critical Information Infrastructure Protection Centre
(NCIIPC) by providing it the necessary and timely information.

Page 9 of 43
Cyber Crisis Management Plan (CCMP)

• To ensure identification, prioritization, assessment, remediation, and protection of Bank’s IT


infrastructure and key resources based on the plan for organization Information Infrastructure.
• To ensure compliance to global security best practices, business continuity management and
cyber crisis management plan by all entities within domain of Bank, to reduce the risk of
disruption and improve the security posture.

10.3. Cyber Resilience Components & Control Matrix

A matrix showing relation between each of the components within system and their mapping to these
controls, may be referred at Annexure - A.

11. Crisis Recognition & Mitigation Plan

11.1. Classification – Levels of Concern

The crisis arising out of cyber-attacks are categorized and prioritized from level 1 to Level 4.The levels
of concern are mentioned below:

Level 1 – Guarded
Scope: Individual user/ department /Branch

Level 2 – Elevated
Scope: Multiple Departments /Branches

Level 3 – Heightened
Scope: Complete Zone

Level 4 – Serious
Scope: Entire Bank

Refer Annexure - B for details on Levels of Concern

11.2. Reporting Mechanism

As and when a cyber-crisis situation develops, respective divisions will immediately convey to the
Information Security Cell and CISO through any quickest possible means. Further, all divisions will take
all necessary actions as given in Annexure - C of this document and Information Security Cell shall
report it to CERT-In, RBI and other agencies, as applicable time to time.

Page 10 of 43
Cyber Crisis Management Plan (CCMP)

11.3. Response System

Immediately on the occurrence of a crisis, the Contingency Plan would be put into effect. The response
action will be initiated in consultation with CISO/ CERT-In/ NCIIPC/CSITE if the situation has wider
ramifications and warrants response at the national level. During any cyber crisis, to maintain the
continuity of the Business, BCP (Business Continuity Plan) will be invoked.

11.4. Mitigation Strategy

General Guidelines on Crisis Management and security of Critical Infrastructure are outlined in
Annexure-E. The table outlines the nature of crisis/ contingency affecting the systems of individual
department, multiple departments within a Division, Various Divisions and the entire Bank leading to
crisis of different levels and authorities responsible for mitigation along with agencies that support
mitigation actions. The steps necessary to mitigate crisis will vary with respect to nature and severity of
crisis. Respective authorities responsible for mitigation of a crisis will report the incident to the
concerned authority and step-wise approach for mitigation vis-à-vis nature of crisis/ contingency as
given in the table in Annexure-D.

11.5. Closing the incident and Information Sharing

After successful mitigation and recovery from incident, the following need to be undertaken by
individual department (before closing the incident) for future reference/precaution:

• Perform a Root Cause Analysis (RCA) of the incident as well as the incident response adopted.
• Evaluate and perform assessment of the attack from the technical point of view in order to fine-
tune and optimize the eradication mechanism
• Document lessons learnt from the incident and prepare a incident report, including
infrastructure protection improvements from the post-mortem process
• Share incident report with CISO who will share it to CERT-In/ NCIIPC/CSITE and IB-CART for
future precaution and mitigation of similar attacks
• All critical departments/ Divisions shall implement infrastructure protection improvements
resulting from post-incident reviews or other protection improvement mechanisms.

11.6. Contact Information

Names, telephone numbers/ mobile numbers, e-mail IDs and addresses of Members and Alternate
Members of various stakeholders are given in the Annexure - D respectively.

11.7. Policy Review

Cyber Crisis Management Plan shall be reviewed atleast annually or whenever any major changes
required due to change in threat landscape or IT Infrastructure/ resources/ stakeholders of the Bank.

Page 11 of 43
Cyber Crisis Management Plan (CCMP)

12. End-user Awareness and Training

Bank may use following methods to create end user awareness:

• Classroom training programmes at the time of induction.

• Publication of newsletters on frauds covering various aspects of frauds and containing


important message for fraud prevention.

• Detailed ‘do’s and don’ts’ displayed on the intranet portal of the bank.

• Posters on various safety measures at the work place.

• Awareness session and quizzes through Video Conferencing/ Webinar to cover all end-user and
other stakeholders.

Page 12 of 43
Cyber Crisis Management Plan (CCMP)

Annexure - A

Components within the System and their mappings to Controls

Building cyber resilience begins with effective protection of five key components within any system
(i.e. key information and technology assets, user identity, system processes, data and hardware &
software platform along with network of connections between systems.

Achieving cyber resilience is about understanding the sensitivity and interdependency of critical assets
and selecting appropriate technical controls for protection, detection, containment and recovery from
cyber disruptive activities and assigning resilience rating for each system component by the Bank
depending on the services provided by them and their respective Service level Agreements (SLA).

User Identity Component

• Controlled access based on need-to- know.


• Enforce strong password policy.
Protect
• Multi factor authentication.
• Usages of digital certificates.

• Maintenance and analysis of complete security events and audit logs.


Detect
• Privilege escalation monitoring and alerting.

• Minimize the invalid logon counts.


• Revocation of digital certificate.
Contain
• Change access control on all devices.
• Continuous account monitoring and deactivating the dormant accounts.

• Offline recovery procedures for logging into accounts.


Recover
• Alternative indicators

System Processes Component

• Effective security patches updating Mechanism on applications etc.


• Follow best security practices during software development lifecycle.
Protect
• Secure configuration.
• Malware defenses.

• File integrity checking.


Detect
• Malware analysis.

Page 13 of 43
Cyber Crisis Management Plan (CCMP)

• Policy based restrictions on process actions.


Contain • Reconfiguration of settings.
• Usage of sandbox security mechanism.

• Assured data back-ups.


• Clustering.
Recover • Recovery time objectives for system and support.
• Manual/ Automated takeover to active alternative IT provision.
• Use of unstaffed sites as opposed to staffed sites.

Hardware and Software Platform Component

• Asset inventory (Asset classification and management).


Protect • Regular review of configuration files: OS/Middleware.
• Boot process integrity check.

• Continuous vulnerability testing and remediation.


• Tamper detection mechanism.
Detect • Platform Security Assessment (Review of system architecture/ operating
system configuration/ Security management controls/ System
configuration).

• Lockout Policies
Contain
• System isolation.

• Usage of virtual environment.


Recover • Assured back-up and replication.
• Replacing compromised missed files with clean versions.

Data Component

• Database access control: Regular review of access privileges to users of the


database.
Protect
• Role base access
• Need to Know based/ Least privilege based access

Page 14 of 43
Cyber Crisis Management Plan (CCMP)

• Monitoring access violations


Detect
• Monitoring remote access.

• Application restrictions monitoring.


• Data leakage prevention (system designed to detect potential data leakage
Contain
while in-process, handling, storage or transit).
• Access control on database.

• Assured data back-ups and physical segregation of back-up.


• Storage replication mirroring/ cloning.
Recover • Database reprocessing (going back to a known point of database activity
before the problem occurred and reprocessing work from that point
forward

Network Component

• Limitation and control of ports, protocols and services.


Protect • Wireless device control.
• Following best practices for secure configuration of network devices.

• Centralized network log analysis for wired and wireless networks.


Detect
• Network scanning and analysis.

• Isolation of trusted networks from untrusted networks.


• Denial of service offloads to ISP and cloud.
Contain • Reconfiguration of impacted network devices.
• Modify access control (all user/ root/ administrator passwords) in all
systems and network devices.

• Alternate network routing.


Recover • Alternate cloud communications.
• Usage of devices in cluster mode/load balancing mode.

Page 15 of 43
Cyber Crisis Management Plan (CCMP)

Annexure - B

Threat levels and related conditions

The table outlines the threat levels, spread of attack and related conditions that become the basis for
declaration of a crisis. The table also outlines the crisis/ contingency affecting the systems of individual
department within a division, multiple departments within a division, one division and entire bank
leading to crisis of different levels. The levels of crisis are interrelated. Each subsequent level will follow
preceding one. No level other than level 1 will come in isolation.

Threat Level Condition

Perceptible change/ variation in system performance and discovery of


critical/non critical vulnerabilities/ exploits and attacks that can affect normal
operation of network and IT systems of individual Department such as:
• Visible signs of viruses/ worms/ Bots/ malware/ Keyloggers/ Spyware
• Spam
• Identity theft (Phishing, spoofing, social engineering etc.)
Level - 1
• Web defacements
(Individual Department/
• Hacking of IT systems such as computers systems, Servers (Mail, Web,
single Branch)
Database etc) and Routers
• Application level attacks
• Denial of service attacks (DoS)
• Distributed Denial of Service (DDoS)
• Attempts for exploitation of zero-day vulnerabilities
• Detection of new and advanced malware infections

Page 16 of 43
Cyber Crisis Management Plan (CCMP)

Perceptible change/ variation in network/ system performance and abnormal


surge in network traffic affecting IT infrastructure of multiple departments
simultaneously due to:
• Large scale infection of Viruses/ Worms/ Bots/ Malware/ Key loggers /
Spyware for malicious and espionage activities.

Focused attempts of networks scanning and penetration


• DoS/ DDoS attacks
Level - 2
• Attacks on Domain Name Servers, Mail Servers, Databases, Routers
(Multiple Departments/
etc.
More than one Branch)
• Attacks on Web servers resulting in
• Defacement of websites on large scale

Attacks on Trusted infrastructure


• Attack on the IT infrastructure of a Critical Information System
• Infection of computer systems and/ or Programmable

Level - 3 Significant breakdown of working of the entire zone due to focused cyber
(One Zone) attacks on IT infrastructure related to that zone.

Level - 4 Significant breakdown of working of the entire Bank due to focused cyber
(Entire Bank) attacks on infrastructure.

Page 17 of 43
Cyber Crisis Management Plan (CCMP)

Annexure - C

Incident Response Activities During The First Hour

Introduction:

The primary objective of incident response actions during first hour is to contain the damage due to
the incident, notify appropriate authorities about the incident and ensure continuity of essential
activities and services of the Bank.

The following guidelines describe the actions to be taken within the Bank during the first hour of
incident. The guidelines also facilitate detailed incident analysis and determination of recovery and
response actions and possible escalation within and outside the Bank.

Triggers for first reaction

The reaction by the users or administrators within Bank could be triggered by observation of certain
symptoms and anomalies in the functioning of systems, networks and processes. The trigger for
response action could be infection, attack or intrusion or malfunctioning of a system or reported loss of
damage to information assets/systems etc. Further the actions could be triggered when alerts are
received from external organisations such as CERT-In, NCIIPC, IDRBT and other Incident Response
teams and security agencies.

Means of Detection

The means of detecting anomalies and abnormal conditions that require response actions are Users,
System/ Network Administrators, technical tools and external alerts from security agencies such as
CERT-In/ NCIIPC etc.

Symptoms of incidents and response actions

Table 1 outlines the general symptoms indicating occurrence of incident noticeable by all types of
users, source of detection, response actions required and persons responsible for the actions.

Table 2 outlines Indications of different types of Cyber Crisis generally noticeable by trained users,
System Administrators & tool based detection mechanisms and response actions required and
authorities responsible for the actions.

Page 18 of 43
Cyber Crisis Management Plan (CCMP)

Table 1 General symptoms of incidents noticeable by all types of users and related response actions.

Symptoms/ Alerts Source of Response Actions Who to


Detection Handle

Common Symptoms

Non-availability of computer User • Boot with alternate OS/ recovery User /


system (failure to start) media. IT Dept /
• Check the booting process for specific IT Personnel at concerned
errors. Location
• Report to IT Personnel at Concerned
Zonal Office/ Department

Frequent system crashes User • Scan system with updated Antivirus & User /
Unexplained, poor system Anti-spyware IT Dept /
performance, Presence of • Report to IT Dept/ IT Personnel at IT Personnel at concerned
new files, Presence of Concerned Division(HO) Location
unknown processes,
Changes in the file size or
dates
New suspicious user User, • Disable suspicious user account HO: IT Department
accounts Server Custodian • Do the log analysis

Failed or successful social User, • Collect all details such as email HO: Information Security
engineering attempts System Administrator content, header etc and examine. Cell

Failed log-in attempts by Technical tools/ SOC • Determine the timing, sources of HO: IT Department
unauthorized users. Supervisory review of activities (Application Team)
logs • Trace the attack sources from logs of
system/ directory server.
• Change of password

Unusual time of usage, Supervisory Review of • Correlate with physical access by users HO:IT Department
Unauthorized user accounts logs/ alerts • Correlate with logs of perimeter devices (Application Team)
to find external intrusion

Virus/worm infection User, • Disconnect system from network HO: IT Department


Security Operation • Boot with different OS and scan with Operation/ Network Team
Centre Antivirus & Anti-spyware
• Antivirus and Anti- spyware
should be updated

Suspicious Technical tools • Close the ports and services which are HO:IT Department
Probes (IPS/ IDS/ Firewall) not required. (Networking Team)/
• Sent the logs to incident response team HO: Information Security
Cell

Page 19 of 43
Cyber Crisis Management Plan (CCMP)

Abnormal surge in traffic Technical tools, • Trace the specific service/ protocol HO: IT Department
(inbound/outbound) Network Behaviour • Detect the source of (Networking Team)
Analysis, Router generation of abnormal traffic
• Correlate with alerts from
CERT-In/ NCIIPC/ CSITE etc.

Compromise of Sensitive Users/ • Block the affected cards and inform the HO: ATM Cell
Information of customers National Payment customers through SMS/ e-mail.
such as PIN, Card Number, Corporation of India
CVV etc. of Debit card (NPCI)/ Master Card
through various kind of
infections (Malware or
skimmer) within or outside
our infrastructure.

External Alerts

Alert for new CERT- In/ NCIIPC/ • Apply appropriate patches/updates HO: Information Security
vulnerability CSITE • Implement suggested workaround for Cell in consultation with
zero-day vulnerabilities CISO

Alert on propagation of CERT- In/ NCIIPC/ • Update the Antivirus signatures HO: Information Security
malicious code CSITE • Follow the countermeasures suggested Cell in consultation with
in the specific advisory CISO

Alert indicating attack CERT-In/ NCIIPC/ • Block the attack sources notified by HO: Information Security
sources CSITE/ CERT-In/ NCIIPC and other agencies. Cell in consultation with
Security agencies CISO

Note:- In case a user is unable to identify the symptoms/ alerts of any incident, he may contact HO Information
Security Cell for further assistance.

Page 20 of 43
Cyber Crisis Management Plan (CCMP)

Table 2 Indications of different types of Cyber Crises generally noticeable by trained users, System
Administrators & tool based detection mechanisms and Response actions

Symptoms/ Alerts Source of Response Actions Who to


Detection Handle

Common Symptoms

Detection of Users / • Disconnect the web server hosting defaced/ HO IT Department: Website
defacement/intrusion of Web Admin/ compromised website Manager
website External agencies • Examine the compromised system/ website
for specific unauthorized changes
• Restore the website content, Shift and run
website from a different trusted system by
making appropriate DNS changes at the new
system
• Collect relevant logs of server and
application and submit to HO: Information
Security Cell of the Bank.
• Report the incident t o HO: Information
Security Cell which along with logs report it
to CERT-In/ NCIIPC/ CSITE

Malicious Code attacks (virus/worm/ Trojans/ Botnets/ Spyware)

Unexplained poor system Users • Disconnect infected systems from network HO: Information Security
performance • Scan with updated Antivirus and Anti- Cell
HO: Information spyware
Presence of suspicious Security Cell • Apply appropriate countermeasures in
process/files on system consultation with CISO/ NCIIPC/ CERT-In /
Alerts from CSITE.
Surge in traffic on Antivirus, NIPS
ports/services used by
malware External agencies

Connections to suspicious
remote systems

Unusual ports open

SPAM attacks

Page 21 of 43
Cyber Crisis Management Plan (CCMP)

Abnormal surge in SMTP Users • Check the mail servers for open relays and HO: IT Department
traffic disable ports not required in the Mail server (Networking Team)
HO: IT Deptt • Identify possible sources of Spam from email
Bandwidth congestion Slow ( Networking Team) headers and invoke blacklists such as SBL,
response of mail servers XBL and PBL
• If attack persists report to NCIIPC/ CERT-In

Distributed Denial of Service (DDoS) Attacks

Non availability of services Users • Identify the type of attack such as flooding of HO: IT Deptt (Application
such as website, email etc particular types of packets/requests (TCP Team) /
SYN, ICMP etc) by examining logs of Router/ HO: IT Deptt (Networking
HO: Information IPS/IDS/ Firewall Team)
System crashes Security Cell
• Identify the attack sources
• Block the attack sources at Router/Packet
Bandwidth congestion Alerts from filtering device
Surge in traffic Antivirus, NIPS • Check Router configuration and implement
Egress and Ingress filtering to block spoofed
packets
External agencies • Disable the non-essential ports/services
• Report to CISO with relevant logs

Slow response or non- User • Change the Primary DNS Server HO: IT Deptt
Availability of web/ mail • Implement Source address validation ( Networking Team)
services HO: IT Deptt through ingress filtering (Implement IETF and
( Networking Team) BCP 38/RFC 2827 ) HO: Information Security
• Use Unicast Reverse Path Forwarding to Cell
mitigate problems that are caused by
malformed or forged IP source addresses
• Run separate DELEGATED and RESOLVING
name servers
• Disable Recursion on DNS server
authoritative for the zone
• Restrict zone transfers to Secondary name
servers only
• Block invalid DNS messages to an
authoritative name server at the network
edge. This includes blocking large IP packets
directed to an authoritative name server.
• Report to CISO

Phishing attacks

Page 22 of 43
Cyber Crisis Management Plan (CCMP)

Reporting of phishing Users • Report phishing incident to CISO HO: Information Security
email/website • Report phishing URL to phishing filters Cell
Anti-phishing/ fraud • Send phishing emails and details of phishing
detection services website to CISO

CERT- In/IB- Cart/


CSITE/ NCIIPC/
Other external
agencies.

Application Level attacks

Unauthorized changes to HO: IT Deptt • Disable suspected user accounts HO: IT Deptt
Data/ Suspicious user (Application Team) • Reduce the interactive features and run (Application Team)
activity/ Elevation of with minimum essential features And
Privileges HO: Information Security
Cell

Router level attacks

Unexplained packet loss/ Users • Replace the router with a securely HO: IT Deptt
Non availability of gateway/ configured standby router with Egress and (Networking Team)
Internet services HO:IT Deptt Ingress filtering
( Networking Team) • Check the logs and configuration files of
compromised router to identify attacks
Review of Router • Replace the configuration files with trusted
configurations backup
• Apply appropriate patches/ updates
• Block the attack source
• Report to CISO

Targeted Scanning, Probing and Reconnaissance of Networks and IT Infrastructure

Huge amount of IPS/IDS User • Identify the type of scans/ probes by HO: Information Security
alerts examining logs of Router/ IDS/ IPS/ Firewall Cell /
HO: Information • Identify the sources of scans HO: IT Deptt
High volume of dropped Security Cell • Block the sources of scanning (Networking Team)
packets by Firewalls • Report the incidents with relevant logs to
Logs of CISO
Surge in specific traffic relevant devices

Page 23 of 43
Cyber Crisis Management Plan (CCMP)

Annexure-D

Contact Details and Reporting Formats

1. Conditions for Escalation

Who Reports To Whom


The person who notices the incident (In branch) Branch Head

Branch Head Zonal Office or Respective Stakeholders at Head


Office

The person who notices the incident (In Zonal HO: Information Security Cell
Office)

HO: Information Security Cell CISO

The person who notices the incident (In Head In-charge of the department
Office)

In-charge of the Department CM/ AGM of HO: Information Security Cell

CM/ AGM of HO: Information Security Cell CISO and GM(IT)

GM (IT) ED (in- charge of IT)

CISO GM (RMD) or ED (in-charge of RMD)

CISO External agencies like IB-Cart, NCIIPC, Cert-In/


CSITE, RBI

2. Contact Details of CERT-In

Reporting of a Security Incident: A computer security incident is any adverse event whereby some
aspect of a computer system is threatened viz. loss of confidentiality, disruption of data or system
integrity, denial of service availability.

By reporting computer security incidents to CERT-In Bank shall receive technical assistance in resolving
these incidents. This will also help CERT-In to correlate the incidents thus reported and analyze them;
draw inference; disseminate up-to-date information and develop effective security guidelines to
prevent occurrence of the incidents in future.

Bank can report an adverse activity or unwanted behavior which they may feel as an incident to CERT-
In through following channels:
Page 24 of 43
Cyber Crisis Management Plan (CCMP)

Email : incident@cert-in.org.in
Helpdesk : +91-1800-11-4949
Fax : +91-1800-11-6969
Website : http://www.cert-in.org.in/

Reporting of a Vulnerability: A vulnerability can be defined as a feature or bug in a system or program


which enables an attacker to bypass security measures. A vulnerability discovered in a product,
operating system, or an Application Software can be reported to CERT-In. Following channels can be
used to report the vulnerability:

Email : info@cert-in.org.in
Helpdesk : +91-1800-11-4949
Fax : +91-1800-11-6969
Website : http://www.cert-in.org.in/

3. Contact Details of CSITE - RBI

Cyber Security and Information Technology Examination (CSITE) Cell


Reserve Bank of India, Department of Banking Supervision, Central Office
4th floor, B Wing, Centre-1, World Trade Centre, Cuffe Parade
Mumbai - 400 005

Email : csite@rbi.org.in

4. Contact details of NCIIPC

National Critical Information Infrastructure Protection Centre (NCIIPC)


Block III, Old JNU Campus
New Delhi - 110 067

Toll Free : 1800-11-4430


Banking Coordinator : coord.banking@nciipc.gov.in
Incident Reporting : ir@nciipc.gov.in
Vulnerability Disclosure : rvdp@nciipc.gov.in
Website : http://nciipc.gov.in/

5. Contact details of Internal Staff

Designation Contact Details


CISO (Chief Information Security Officer) Email id: ciso@psb.co.in
Landline: 011 - 25728171

Page 25 of 43
Cyber Crisis Management Plan (CCMP)

SRM/ CM: Information Security Cell Email id: psbsecurity@psb.co.in


Landline: 011 – 25861095

MGR/ SRM/ CM:


Networking Cell, IT Department Email id: operation.network@psb.co.in
Landline: 011 - 25861095, 011 - 25815512
Active Directory/ Antivirus Email id: operation.adav@psb.co.in
Landline: 011 - 25861095, 011 - 25815512

Web Master, IT Department Email: ho.it@psb.co.in


Landline: 011 – 25815512

MGR/ SRM/ CM/ AGM – ATM Cell (ATM/ Debit Email: atmcell@psb.co.in
Card, POS) Landline: 011 - 64780510, 011 - 25899872, 011 -
25782927

MGR/ SRM/ CM/ AGM – Mobile Banking Cell Email: psbmobile@psb.co.in


Landline: 011 - 64780516, 011 - 64780531

MGR/ SRM/ CM/ AGM – Internet Banking Cell Email: hoit_ibc@psb.co.in


Landline: 011-64780520/ 23

GM - IT Landline: 011 - 25782928

6. What needs to be reported to CERT-In/ NCIIPC

The following cyber security incidents should be reported to CERT-In/ NCIIPC/ CSITE in the format
prescribed in Annexure D, within one hour of occurrence of the incident or noticing the incident :

• Targeted scanning/probing of critical networks/systems


• Compromise of critical systems/information
• Unauthorized access of IT systems/data
• Defacement of website or intrusion into a website and unauthorized changes such as inserting
malicious code, links to external websites etc.
• Malicious code attacks such as spreading of virus/worm/Trojan/Botnets/Spyware
• Attacks on servers such as Database, Mail and DNS and network devices such as Routers
• Identity Theft, spoofing and phishing attacks
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Attacks on Critical infrastructure.

Page 26 of 43
Cyber Crisis Management Plan (CCMP)

The following information (as much as possible) may be given while reporting the incident:

• Time of occurrence of the incident


• Information regarding affected system/ network
• Symptoms observed
• Relevant technical information such as security systems deployed, actions taken to mitigate the
damage etc.
• For details please refer the incident reporting form.
• Verification
• HO: Information Security Cell will verify the authenticity of the report.
• Triage

HO Information Security Cell will then analyze the information provided by the reporting authority and
identify the existence of an incident. In case it is found that an incident has occurred, a tracking
number will be assigned to the incident. Accordingly, the report will be acknowledged and the
reporting authority will be informed of the assigned tracking number. HO: Information Security Cell will
designate a team as needed.

Incident Response: The designated team will assist the concerned System Administrator in following
broad aspects of incident handling:

Identification: to determine whether an incident has occurred, if so analyzing the nature of such
incident, identification and protection of evidence and reporting of the same.

Containment: to limit the scope of the incident quickly and minimize the damage.

Eradication: to remove the cause of the incident

Recovery: taking steps to restore normal operation

NCIIPC/ CERT-In will provide support to the CISO/ System Administrators in identification, containment,
eradication, and recovery during the incident handling in the form of advice.

7. Reporting Formats

A. CSITE, RBI: Cyber Security Incident reporting format is available online on the Data Collector
Portal (URL: https://datacollector.rbi.org.in) of Reserve of India (RBI).

B. IB-CART, IDRBT: Security incident reports are available online on the IB-CART Portal of IDRBT
(Institute for Development and Research in Banking Technology), Hyderabad.

C. CERT-In: Security Incident should be reported to CERT-In in the Incident Reporting form format
given below:
Page 27 of 43
Cyber Crisis Management Plan (CCMP)

Incident Reporting Form

Form to report Incidents to CERT-In

For official use only: Incident Tracking Number : CERTIn-xxxxxx

1. Contact Information for this Incident:

Name: Organization: Title:

Phone / Fax No: Mobile: Email:

Address:

2. Sector : (Please tick the appropriate choices)

Government Transportation Telecommunications InfoTech

Financial Manufacturing Academia Other ___________

Power Health Petroleum

3. Physical Location of Affected Computer/ Network and name of ISP.

4. Date and Time Incident Occurred:

Date: Time:

5. Is the affected system/network critical to the organization’s mission? (Yes / No). Details.

Page 28 of 43
Cyber Crisis Management Plan (CCMP)

6. Information of Affected System:

IP Address: Computer/ Operating System (incl. Last Patched/ Hardware

Host Name: Ver./ release No.) Updated Vendor/ Model

7. Type of Incident:

Phishing Spam Website Intrusion

Network scanning /Probing Bot/Botnet Social Engineering

Break-in/Root Compromise Email Spoofing Technical Vulnerability

Virus/Malicious Code Denial of Service(DoS) IP Spoofing

Website Defacement Distributed Denial of Service(DDoS) Other_______________

System Misuse User Account Compromise

8. Description of Incident:

9. Unusual behavior/symptoms (Tick the symptoms)

Anomalies

System crashes Suspicious probes

New user accounts/ Accounting discrepancies Suspicious browsing

Failed or successful social engineering attempts New files

Unexplained, poor system performance Changes in file lengths or dates

Unaccounted for changes in the DNS tables, Attempts to write to system

Page 29 of 43
Cyber Crisis Management Plan (CCMP)
router rules, or firewall rules Data modification or deletion

Unexplained elevation or use of privileges Denial of service

Operation of a program or sniffer device to Door knob rattling

capture network traffic; Unusual time of usage

An indicated last time of usage of a user account that Unusual usage patterns

does not correspond to the actual last time of usage Unusual log file entries

for that user Presence of new setuid or setgid files

A system alarm or similar indication from an Changes in system directories and files

intrusion detection tool Presence of cracking utilities

Altered home pages, which are usually the Activity during non-working hours or

intentional target for visibility, or other pages on holidays

the Web server Other (Please specify)

10. Has this problem been experienced earlier? If yes, details.

12. Agencies notified?

Law Enforcement Private Agency Affected Product Vendor Other_______________

11. When and How was the incident detected:

13. Additional Information: (Include any other details noticed, relevant to the Security Incident.)

Whether log being submitted Mode of submission:

OPTIONAL INFORMATION

Page 30 of 43
Cyber Crisis Management Plan (CCMP)

14. IP Address of Apparent or Suspected Source:

Source IP address: Other information available:

15. Security Infrastructure in place:

Name OS Version/Release Last Patched/Updated

Name OS Version/Release

Last Patched / Updated

Anti-Virus

Intrusion Detection/Prevention

Systems

Security Auditing Tools

Secure Remote

Access/Authorization Tools

Access Control List

Packet Filtering/Firewall

Others

16. How Many Host(s) are Affected

1 to 10 10 to 100 More than 100

Page 31 of 43
Cyber Crisis Management Plan (CCMP)

17. Actions taken to mitigate the intrusion/ attack:

No action taken Log Files examined

Restored with a good backup

System Binaries checked System(s) disconnected form

Other___________________

Network

Mail/Fax this Form to: CERT- In, Electronics Niketan, CGO Complex, New Delhi 110003 Fax:+91-11-

24368546 or email at: incident@cert-in.org.in

Page 32 of 43
Cyber Crisis Management Plan (CCMP)

D. NCIIPC: The NCIIPC Incident Report Form is given below:


Restricted/Confidenti
Type of Report Initial/Follow-up/Final Classification of Document

Section-A: General Information

1. Organisation Details

Name of CI

Address of CI

Name of CISO

Contact Details of CISO

Contact Details of Office handling the

incident

2. Date Incident Occurred Approximate Time

3. Type of Incident( Check mark)

Un-patched Vulnerable Software

Website Defacement

Exploitation

Patched Software Exploitation Unauthorised System Access

Exploitation of Weak Configuration Data Theft

Page 33 of 43
Cyber Crisis Management Plan (CCMP)

Account Compromise Malware Infection

Service Disruption Wireless Access point Exploitation

Social Engineering and Phishing

Exploitation of Weak Network Architecture

Attacks

Unintentional Information Exposure Network Penetration

Spoofing or DNS Poisoning Any other (Please describe below)

4. Brief description of the incident

5. Interface affected Public Network Internal Network Other

6. Incident Handling Steps taken

a) Immediate

Page 34 of 43
Cyber Crisis Management Plan (CCMP)
b) Long term

c) Was System backup plan


implemented successfully? If yes,
details of the Backup Plan applied

7. Whether other agencies such as CERT have also been informed? If yes, please mention here

(Use Separate Sheet for additional information)

8. CII assets affected

9. Impact of Incident on CIIs( Check mark)

Data theft Service Disruption (Downtime)

System (software/hardware)

Other (please explain)

Sabotage

10. Number of Users affected

11. Duration of Incident from (dd/mm/yyyy, hh:mm) to (dd/mm/yyyy, hh:mm)

12. Impact on dependent ICT

13. Threat Profile

Page 35 of 43
Cyber Crisis Management Plan (CCMP)

a) Attacking IP address

b) Source port of attacking machine

14. Type of attack( Check mark)

Denial of Service Unauthorised Access (internal or external)

Malware attack Website Defacement

Phishing attack Other

15. Root Cause Analysis (with following details)

a) Log analysis Report

b) Forensic Report

c) Audit Report

d) Network traffic Analysis Report

Details of Compromised Machine

a) Physical Location

b) Operating System

c) IP Address

d) MAC Address

e) DNS Entry

f) Domain/Workgroup

Page 36 of 43
Cyber Crisis Management Plan (CCMP)

g) Is the compromised machine connected to a network? Yes No

h) Is the compromised machine connected to a modem? Yes No

i) Physical Security details of the machine Yes No

j) Logical Security details of the machine Yes No

k) Was the compromised machine had to be removed from the Yes No

16. Current Status of the Incident

(Use Separate Sheet for additional information)

17. Was Crisis Management Plan Offered? Please explain the details

(Use Separate Sheet for additional information)

Page 37 of 43
Cyber Crisis Management Plan (CCMP)

Annexure - E

Nature and Severity of Crisis And Steps For Mitigation

Severity Nature of Crisis Steps for mitigation


Level of Crisis

Level 1 Steps to be taken


Response • Notify incidents to HO: Information
Security Cell and CISO.
(Impact : One
• Monitor and detect anomalous behaviour and
Branch/ One
Department) degradation of service in network and systems.
• Take all logs (system, application, security, access,
error etc.) of affected systems and data therein and
keep them separately for analysis and forensics.
• Forward a copy of all the logs of affected systems and
All attacks
network devices, suspicious files, data, traffic trends
wherever applicable to CERT-In/ NCIIPC through CISO.
• Consult incident reports or vulnerability reports for
specific advisories on the suspected behaviour as
published by CERT-In and implement those in the
affected networks and systems.
• Segregate networks (LAN/ WAN) and perimeter
security devices and systems. Check for configuration vis-
à-vis ongoing attack. Implement the appropriate
eradication process and recovery of system files and
data as prescribed against each attacks mentioned
below.
• Change all user/ root/ administrator passwords in all
systems and network devices.
• Install updated software patches on Operating System
and all other system software running on computer
servers and Personal computers in the network.
• Mitigation Steps- Specific to nature of cyber-attacks/
crisis.

Page 38 of 43
Cyber Crisis Management Plan (CCMP)

Virus/ Worm/ • Isolate affected systems/ network segments from LAN


Spyware/ Botnet and Internet
attacks • Scan all files in the suspected systems, including emails
for viruses.
• Clean the affected systems with the updated antivirus
software.
• Install updated Antivirus/ anti-spyware on all systems
(servers and Personal Computers)

DoS/ DDoS attacks • Take a copy of all the logs at the perimeter level (IDS/IPS,
firewall) and traffic trends
• Identify the type of attack such as flooding of particular
types of packets/requests
• Allocate traffic to unaffected available network paths, if
possible, to continue the services.
• Apply appropriate rate limiting strategies at the
local perimeter and if necessary consult ISP
• Implement Egress and Ingress filtering to block spoofed
packets
• Use appropriate DoS prevention tools
• Install updated software patches on all the network
devices such as Routers, Firewalls, IDS, IPS and switches.

High Energy RF- • Use a network management solution capable of alerting


based DoS Attacks on a degraded signal noise ratio or the increased noise
levels in the airwaves.
• Identify the other devices due to which RF interference
occurs and physically remove them.
• Deploy IPS/ IDS to detect rouge access points

Page 39 of 43
Cyber Crisis Management Plan (CCMP)

DNS Attack • Check for version updates at the DNS server and
install latest software patches
• Implement spoofing countermeasures
• Use Unicast Reverse Path Forwarding to mitigate
problems that are caused by malformed or forged IP
source addresses
• Adopt source IP address verification
• implement DNSSec

Attack attempts/ • Check for effectiveness of filtering rules in the routers,


scans on Servers, firewall and IPS and reconfigure if required.
Routers, Firewall etc. • Check the logs of these devices for source of attack.

Phishing attacks • Keep watch on phishing sites


• Alert customers regarding the known phishing sites
• Encourage customers to use anti-phishing enabled
browsers
• Shutdown phishing sites in coordination with concerned
ISP and CERT-In

Mail Server attacks • Deploy hot standby mail servers in physically separated
networks and places which can be made operational
when the main server is attacked
• Disable all other ports and services on mail servers
• Enforce strong password policy and encourage users to
change passwords periodically

Level 2 General
Response
• Monitor and detect anomalous behaviour and
(Impact : (One or
degradation of service in network and systems
More
Zone/Multiple • Take all logs (system, application, security, access, error
Department) etc) of affected systems and data therein and keep them
separately for analysis and forensics
• Forward a copy of all the logs of affected systems and

Page 40 of 43
Cyber Crisis Management Plan (CCMP)

network devices, suspicious files, data, traffic trends


wherever applicable to CERT-In through CISO.
• Consult incident reports or vulnerability reports for
specific advisories on the suspected behaviour as
published by CERT-In and implement those in the
All attacks affected networks and systems.
• Segregate networks (LAN/WAN) and perimeter security
devices and systems. Check for configuration vis-à-
vis ongoing attack. Implement the appropriate
eradication process and recovery of system files and data
as prescribed against each attacks mentioned below.
• Change all user/ root/ administrator passwords in all
systems and network devices
• Mitigation Steps - Specific to nature of cyber-attacks/
crisis

Virus/ Worm/ • Isolate affected systems/ network segments from


Spyware/ Botnet LAN/Internet
attacks • Scan all files in the suspected systems, including emails
for viruses
• Install Antivirus/anti-spyware updates
• Clean the affected systems with the updated antivirus
software
• Block the infection/attack vectors through IPS/Firewall

DoS/ DDoS attacks • Shift critical services to alternate channels.


• In case of IP based attacks, shift hosting of affected
services to different ISPs.
• Apply appropriate rate limiting strategies at the local
perimeter and if necessary consult ISP
• Implement Egress and Ingress filtering to block spoofed
packets
• Use appropriate DoS prevention tools
• Take a copy of all the logs at the perimeter level (IDS/IPS,
firewall) and traffic trends
• Install updated patches on the network devices

Page 41 of 43
Cyber Crisis Management Plan (CCMP)

High Energy RF- • Use a network management solution capable of alerting


based DoS Attacks on a degraded signal noise ratio or the increased noise
levels in the airwaves.
• Identify the other devices due to which RF interference
occurs and physically remove them.
• Relocate the Access Points in case of Wireless Networks

DNS Attack • Change the preferred DNS server


• Implement Source address validation through ingress
filtering (Implement IETF BCP 38/RFC 2827 )
• Use Unicast Reverse Path Forwarding to mitigate
problems that are caused by malformed or forged IP
source addresses
• Run separate DELEGATED and RESOLVING name servers
• Disable Recursion on DNS server authoritative for the
zone
• Restrict zone transfers to slave name servers and other
authorized software
• Block invalid DNS messages to an authoritative name
server at the network edge. This includes blocking large
IP packets directed to an authoritative name server.
• Check for version updates at the DNS server and install
latest patches
• Implement split DNS architecture
• Implement any cast technology on DNS server

Attacks on Servers, • Check for the effectiveness of filtering rules in the


Routers, Firewall etc. routers, firewall and IPS and reconfigure if required.
• Replace compromised systems with trusted ones.
• Check for version updates/patches and install latest
patches for routers, firewall and IPS
• Check the logs of these devices for source of attack

Mail server attacks • Activate hot standby mail servers and direct mail traffic
appropriately.

Page 42 of 43
Cyber Crisis Management Plan (CCMP)

Level 3 Response All attacks • Notify incidents to respective Zone/ Department


(Impact Level : • Implement the Contingency Plan
Entire Bank) • Deploy onsite response team on 24X7 basis
• Limit the access to systems and networks from outside in
consultation with concerned ISPs.
• Enable hot stand-by systems/ servers with alternate
Traffic paths.
• Take all logs (system, application, security, access, error
etc) of affected systems and data therein and keep them
separately for analysis and forensics
• Segregate networks (LAN/ WAN) and perimeter security
devices and systems.
• Check for configuration vis-à-vis ongoing attack.
• Implement the appropriate eradication process and
recovery of system files and data as prescribed against
each attacks in level 1 & 2.
• Carry out file integrity checks on all the systems
• Restore systems from trusted back-ups and validate the
systems and networks before connecting to Internet.
• Change all user/ root/ administrator passwords in all
systems and network devices.

Page 43 of 43