Wednesday, October 27, 2010

India not protected against hacking: NAG


India, despite making progress in various sectors, has a long way to go before it can claim to be immune against hacking. Vineet Kumar, Founder & CEO, National Anti-Hacking Group spoke to BE about this.

Q) What are the major threats faced by business in India due to cyber crime?

A) Hackers and criminals are constantly becoming internet security savvy and using IT-enabled methods to attack their target organisations. Attacks these days can be as simple as defacing a company’s website or as complicated as stealing trade secrets and intellectual property. Indian businesses, as of now, have been extremely slow in their adoption of appropriate and recommended IT security measures. As a result, a large part of corporate India is extremely exposed and vulnerable to national and international threats from criminal organisations, anti-national groups, etc.

The threats faced by India Inc are: financial damage/theft, theft of proprietary process/formula/techniques, theft of sensitive information/knowledge, theft of organisational secrets, compromise of customer/user data, etc.

Q) Have we done an assessment and prioritisation of critical infrastructures that need protection from cyber crime and cyber terrorism?

A) A certain amount of effort is definitely put in place by various Indian government organisations that work very hard to protect the nation. However, there is certainly a long way to go before we can comfortably say that the nation and its IT assets are relatively protected. We hear about attackers breaking into Indian organisations/government every day and the worrying fact of the matter is: We are only hearing 1% of what is really happening.

Q) How much are we investing in developing the skills and infrastructure needed for meeting the new threats of cyber crime?

A) Much less than what is required. India Inc is always about the bottom line, and as long as “it works” right now while spending the minimum amount, that is generally good enough. The problem with this approach is that we are causing a lot of long-term harm. Our focus should be on training and development of students, employees, etc. to understand security concerns and face them head-on. The human element is known as the weakest factor in security and therefore education and development is the key to building a secure organisation.

Q) How much do companies lose on average due to cyber crime, and are the investments made to counter it in proportion to the loss?

A) Indian companies only really act after an attack has taken place. Most of the focus of the investment is on identifying the criminal and covering up the damage. Real investments to build good long-term security are rare. According to Symantec, Indian organisations lost over ₹58,00,000 in revenue on average in 2009 due to security breaches.

Additionally, 66% of organisations experienced cyber security breaches in the same year. Besides, Indian enterprises lost an average of ₹94,56,216 in organisation, customer and employee data in the same year and an average of ₹84,57,037 in productivity.

Q) How are we protected against hacking?

A) In short I would say, we are not protected.

Copyright@Business Economics October 31 2010

Cyber crime has undergone a metamorphosis




As the threat landscape is ever evolving, enterprises today are facing several new challenges in managing and securing their data. Today, for Indian enterprises information has become the new currency. Protecting this valuable asset is the key to a business’s ability to grow and thrive.

In the last couple of months, the face of the cyber criminal has undergone a complete metamorphosis. Increased instances of IP theft and loss of customer and employee information, among others, have often indicated the involvement of not only external sources but of malicious insiders as well. Evidently, these new-age cyber criminals are targeting four key areas of weakness that are putting business environments at risk, namely poorly protected infrastructure, poorly protected information, poorly enforced IT policies and poorly managed systems.

From our research, Symantec has found that most breaches have 4 stages:

1. Incursion – Where malware gets into a company

2. Discovery – Where the attackers look for the valuable assets

3. Capture – Where the attackers get a hold of these assets

4. Exfiltration – Where they move the assets out of the company

Increasingly, criminals have dedicated teams associated with each of the stages.

Furthermore, these stages are enabled by:

1. Well-meaning insiders mishandling information

2. Malicious insiders stealing confidential information

3. Hackers who target poorly protected infrastructure, poorly protected information, lack of strong IT policies and poorly managed endpoints

Apart from the sophisticated nature of today’s threat landscape, the IT environment is undergoing an evolution as well. Some of the challenges that this poses to information security include:

Explosion of Information: It is becoming an increasingly information-centric world. Consider these statistics: IDC reports estimate that digital information will surge six-fold, from 281 exabytes in 2007 to a staggering 1773 exabytes in 2012. To add to this, this information now resides at various endpoints, including the cloud, making it all the more difficult to secure.

Proliferation of unstructured data: Enterprises are struggling with large volumes of unstructured data, including documents, spreadsheets and emails. Analysts predict the growth of unstructured data to continue at over 60% per year, and in many organisations it accounts for more than 80% of all data. Protecting unstructured data against loss and misuse is vital, but given the size, organisation and age of file server data, protecting it can represent the largest data loss prevention challenge.

Growth of the mobile workforce: Today the workforce in Indian enterprises is moving out of the four walls of the premises. In fact, according to IDC, the worldwide mobile workforce will reach 1 billion by 2011, with Asia Pacific contributing the maximum number. Hence, this mobile workforce, coupled with growing heterogeneity of enterprise IT environments, increases the threat of losing sensitive data. According to Symantec’s Enterprise Security Survey 2010 – Millennial Mobile Workforce and Data Loss, 59% of Indian enterprises feel employee-owned endpoints compromise security, and 42% have lost confidential or proprietary data in the past. While access to unlimited information and the presence of collaborative tools in the business environment is enormously empowering, it can easily give rise to rogue business processes that violate regulations, resulting in loss of sensitive data.

Consumerisation of IT: The official use of consumer technology such as social networking, instant messaging and blogs has become prevalent in Indian enterprises and is bound to increase over the next few years. However, the fact is that enterprises are not adequately protected. The above-mentioned Symantec study reveals that 82% of Indian enterprises use Facebook, while 54% officially use web-based consumer email and 62% use blogs. Additionally, 46% of Indian enterprises use microblogging tools, 69% use Google Talk and 61% use Yahoo Messenger. The biggest concern was around the use of instant messaging (IM), with 57% of respondents rating IM as a major security threat. Social media is being increasingly used in business for collaboration and communication. Yet 54% of CIOs and CISOs considered social networking sites to be a serious threat to their security. Fifty percent of Indian enterprises revealed that web-based email presented a high security threat as well.

Rise of insider threat to data: While in the past threats to data were synonymous with external threats, trends like consumerisation of IT, the use of employee-owned endpoints and the consequent diversity of enterprise IT have changed this belief. According to the above-mentioned Symantec study, Indian enterprises are not adequately equipped to protect their information, leaving them vulnerable to data breaches, especially from insiders. Last year, according to a study by the Ponemon Institute, sponsored by Symantec, more than 59% of those surveyed kept corporate information after leaving their jobs.

Furthermore, according to Symantec’s Enterprise Security Survey 2010 – Millennial Mobile Workforce and Data Loss, Indian enterprises perceive malicious insiders (61%), well-meaning insiders (50%) and former employees (50%) as threats to sensitive information. This is a threat that could grow over the next couple of years.

The increase in targeted attacks: Today’s attacks are proving to be more sophisticated, well-organised and covert in nature than attacks seen in years past, thus requiring a new approach to security. The recent case of the Hydraq attacks brings to light how threats to organisations can be not only highly sophisticated but also very targeted. Hydraq is a Trojan that recently compromised sensitive information and brought down the critical infrastructure of several large corporations. According to the Symantec Internet Security Threat Report, 60% of identities exposed were compromised by hacking attacks similar to Hydraq. Another such example we observed recently is W32.Stuxnet, which uses a previously unseen technique to target sensitive information by compromising large SCADA (supervisory control and data acquisition) systems, which control large industrial and infrastructure units.

Copyright @Business Economics October 31 2010