cover story
12 egov / www.egovonline.net / February 2012
Anand Agarwal
In an age when technology changes at a rate faster than ever before, new means of communication, collaboration and data storage have brought an unprecedented rise in productivity and lowered costs beyond imagination. On the flip side, however, modern threats to the security of IT systems, applications and data have evolved as rapidly as their legitimate cousins, giving rise to a global security industry worth billions of dollars. All the research and vigilance, however, can one day turn to naught, and eternal vigilance has become the price one must pay for securing cyber assets – tangible and intangible.
The Emerging IT Security Scenario: An Overview
In the 1950s, a blind American kid, Joe Engressia, discovered that a certain whistling tune could stop recorded phone messages. Soon, others had discovered tones and pitches that enabled them to make free phone calls. In the 1980s, hackers like Kevin Mitnick gained world-wide prominence. At the time of his arrest in 1995, Mitnick was on the US’ most wanted list and had to spend a year of his sentence in solitary confinement because the judge was told he could whistle the nuclear launch codes into a phone, prompting the judge to order that Mitnick would not be allowed to even touch a phone or modem! The only way of doing this was by putting him in solitary, and he thus spent an entire year alone in a cell.
The world has moved a long distance from the days of Engressia and Mitnick. As computerised information systems become almost ubiquitous and assume control of critical services and infrastructure, threats to security are much more serious than ever before. Similarly, financial data is almost exclusively maintained in electronic form, and any unauthorised access to such applications and data could wreak havoc. In an increasingly integrated world, the consequences of any such mishap might not remain confined to a single economy.
Emerging Threats to Security
Security of infrastructure, data and applications is an increasingly complex, 24X7 job. One has to practically keep running to stay in the same place. One slip-up is all it takes for valuable, confidential business data to be compromised – leaving in its wake not only financial loss, but also loss of trust – something far more difficult to recoup than money. In an increasingly interconnected world, news travels fast, and bad news travels faster. Security for IT is no longer an option, it is a core part of any solution implementation.

“Social engineering attacks on employees to obtain confidential information will be the biggest threat in 2012”
Lucius Lobo, Vice President and Global Head, Security Services, Tech Mahindra
Talking of the biggest emerging threats to IT security in the current scenario, Lucius Lobo, Vice President and Global Head, Security Services, Tech Mahindra, says social engineering attacks on employees to obtain confidential information will be the biggest threat in 2012. Lobo fears employees could become victims of such attacks through malware or by phishing. RSA’s Country Manager for India and the SAARC Region, Kartik Shahani, says new forms of exploits such as Man in the Browser (MITB) attacks would become more frequent. MITB attacks are designed to infect a web browser with malware that can result in modified web pages and transactions that are largely transparent to both the user and the host application. Such attacks can lead to illegal money transfers, identity theft, or the compromise of valuable enterprise information. Shahani also says that security-related information, and not financial data, is now the major object of desire for hackers. Echoing Lobo, eScan CEO and MD Govind Rammurthy also picks social engineering as the standout threat. Shahani identifies a class of threats known as Advanced Persistent Threats (APTs), which combine social engineering techniques with other technical means to gain illegitimate access to systems and information.
Much of today’s malware could give professionally-written ‘good’ software a run for its money in design and sophistication. Take Stuxnet (see box) for example. A malware of such sophistication was never seen before. Stuxnet comes up in a conversation with Dr Gulshan Rai, Director General of CERT-In (Indian Computer Emergency Response Team) – India’s central authority for responding to security incidents in the cyber domain. Agreeing that Stuxnet was probably the outcome of a dedicated project, Rai says it showed the kind of dangerous weapons that can be fashioned through IT, and emphasises the need to incorporate such concerns into upcoming infrastructure. ESET India Director Pankaj Jain also brings up Stuxnet and social engineering.

Stuxnet – First Cyberweapon?
Stuxnet – a sophisticated worm that specifically targets Siemens-built systems – is believed to have been unleashed upon key Iranian nuclear installations in 2009-10.
Stuxnet targets the Simatic WinCC Step7 software developed by Siemens. The software is deployed in industrial control systems and is used to program controllers that drive components such as motors, valves and switches in a large number of industrial assemblies. It infects Windows systems and spreads via USB sticks, allowing it to infect ‘air-gapped’ systems – systems that are not connected to a public network such as the Internet. Stuxnet had four ‘zero-day exploits’ – exploits for vulnerabilities that were unknown and unpatched when the worm was released – in its repertoire, showing the technical sophistication that must have gone into creating the worm. Security researchers studying the exploit later discovered that computers in Iran formed the majority of compromised systems – a rarity in a world where the US is at the top of any list of malware infections. Iran later acknowledged that computers at its Bushehr plants had been infected. Iran’s largest plant at Natanz was also facing severe problems at around the same time.
There is no conclusive way to establish whether Stuxnet was developed to target Iranian nuclear installations and unleashed upon them by another country, but the coincidences involved are too stark to be ignored. For now, the only thing that can be said with certainty is that Stuxnet takes us into a frightening new era where things such as water, gas and electric supply, things that we take for granted, might one day become weapons that can be turned upon us.
New-age Technologies Bring New-age Threats
With the huge savings, ease of access, consistency of data and information and other such attributes that it offers, the Cloud is fast becoming a favourite of the private sector as well as governments. A number of governments in India are now talking of moving to private clouds, and some pioneer states have already started the preliminary work in this direction. Similarly, the increasing ubiquity of mobiles – smart and dumb – has seen a boom in m-commerce and governments are now looking at m-Governance as the next step in e-Governance. This is not without threats, however. Both the Cloud and mobile platforms face a number of security issues that stand in the way of full-scale adoption.

The convenience and collaborative potential offered by the Cloud and mobile devices is a mixed blessing. While on the one hand it has opened up hitherto unimagined vistas and expanded business potential (for enterprises as well as governments), it has also ushered in a highly complex security environment where the conventional defences offered by security software and intrusion detection systems are proving to be virtually futile. RSA’s Shahani says that in this new era, conventional notions of security would have to change and become more agile and intelligence-based. Response times have to be brought down and vulnerability windows have to be shrunk. Security should be automatic and incident response needs to shift to real-time reporting and mitigation.

“There’s still considerable confusion about how best to handle information security in the cloud”
Kartik Shahani, Country Manager for India and the SAARC Region, RSA

Saying that existing and legacy government systems need to be upgraded on a priority basis in order to stand against modern threats, Tech Mahindra’s Lobo emphasises the need for a cultural change to enhance cyber security awareness among its employees, a point that CERT-In’s Rai concedes, saying that while the policy and legal framework relating to security has been considerably tightened, training and full adoption will take some time. Rai also points out the continuous efforts being made in this direction through regular security workshops and security drills being conducted by CERT-In, in partnership with industry groups, security agencies and the law and order machinery etc.

Talking of issues related to security of Cloud-based data and applications, as well as mobile platforms, Amit Nath, Country Manager, Trend Micro, says the anywhere, anytime access made possible by such technologies is a security nightmare.

Constant Threat to Indian Websites
The Indian Computer Emergency Response Team (CERT-In), the country’s designated national agency in areas related to cyber security, reported a total of 1277 security incidents and over 15,000 instances of Indian websites being defaced in the January-November 2011 period. CERT-In defines a security incident as “any real or suspected adverse event in relation to the security of computer systems or networks”.
[Figure: Security Incidents by type (Jan-Nov 2011)]

Ensuring Security
From the government side, the IT Act 2000 and its 2008 amendment form the bedrock of IT-related policies in India. Section 43A of the IT Act, introduced by the 2008 amendment, is primarily concerned with enhancing provisions related to data security and data protection. However, this is mainly related to data security by corporations and fixes liabilities in cases of compromise of data. Dr Kamlesh Bajaj, CEO, DSCI (Data Security Council of India) – a specialised body set up by NASSCOM – outlines the steps his organisation has taken to promote data safety and security. DSCI has developed a set of best practices and frameworks in data security & privacy and is actively involved in promoting their implementation in the industry and government. In addition, it also conducts regular conferences and seminars etc., conducts trainings in cyber forensics and cyber crime investigations for law enforcement agencies, provides policy inputs to the Government and is also engaged in international collaborations. The DSCI Cyber Labs programme for training law enforcement officers would soon be upgraded to a national programme supported by the Ministry of Home Affairs, Bajaj informs.

CERT-In is also actively engaged in helping improve the security stance of Indian websites, Rai discloses. CERT-In brings out regular bulletins and white papers on security threats, conducts trainings and workshops, security drills and audits to evaluate the preparedness of websites. In addition, it also helps compromised sites to get back on their feet, all the while maintaining secrecy regarding its identity.

Shahani ticks off a set of key steps needed to ensure data safety. Key among these are: stricter initial registration and validation processes; enhanced fraud monitoring; monitoring of the full network with cyber-forensic tools; strong authentication and access controls; and encryption of data being transmitted etc. Bajaj emphasises the role of a security-oriented mindset, ongoing education & awareness on information security and privacy among individuals – employees, intermediaries and end-users.

Evolving Security Solutions
Kutty Nair, Chairman & Managing Director of Mielesecurity, says that modern antivirus consistently fails at protecting against anything other than consumer level or mass threats, and Lobo acknowledges the threat posed by malware. He advises a deep defence approach, modelled on the ISO27001 standards. Nath says future attacks could be targeted at virtual machines and cloud computing services, but conventional attacks would be common, as these are still more effective. He advises a holistic, multilayered, high-quality solution implementation by enterprises and government as a first line of defence.

“A holistic, multilayered, high-quality solution should be used by enterprises and government as a first line of defence”
Amit Nath, Country Manager, Trend Micro

Asked about the changing character of security solutions in light of the dynamic nature of threats, he says that the security industry is facing a complicated horizon – escalation in targeted attacks, increasing use of unsecured mobile devices at the workplace (or for work) and cloud implementations where data can be accessed anytime, anywhere.

With the proliferation of mobile devices or consumerisation of IT, coupled with virtualization or cloud adoption, Nath says the security needs to move closer to the application and data where it resides, i.e. the host becomes self-defending, be it mobile devices, virtual servers, or cloud servers. The strategy should be to ensure a higher degree of host defence by applying stronger & effective context-aware security to protect the applications and data on the hosts.

Both Lobo and Nath point to the increasing threat of malware on mobile devices. It is feared that roughly 300 million devices could be infected by mobile malware. Experts say that whereas mobile viruses may be effectively mitigated by antivirus products, mobile malware that gains access through downloads of malicious apps will be a difficult risk to manage.

“The number of threats for smartphones and tablets is growing rapidly, for all the platforms”
Pankaj Jain, Director, ESET India

Experts eGov spoke to are also optimistic about the positive impact that the impending adoption of IPv6 would have on security, but with caveats. As opposed to IPv4, IPv6 has been developed with security in mind, and as Nair points out, IPv6 eliminates some traditional network level attack vectors and provides mechanisms for maintaining transport confidentiality and integrity. Lobo sees the increased address space as a positive, saying the consequent reduction in sharing of IP addresses would make it easier to track down cyber criminals and cyber crime vectors like Botnets.

Jain points out that the IT infrastructure will have to ensure the IPv6 compatibility of firewalls, intrusion-prevention devices, and other security appliances to successfully deploy IPv6 while avoiding possible security issues, and says it will take at least 5 years to fully implement IPv6. Nair says that IPv6 might not essentially change things for the better as the major security issues have simply moved ‘up-the-stack’ to the application level in the new implementation.
Cyberterrorism – How Big is the Threat?
Numerous movies have portrayed insanely smart, crooked programmers who get access to a nation’s vital defence systems to either launch nuclear weapons, or demand massive ransoms in return; or, worm their way into the financial system to either transfer billions to themselves or unleash a financial Armageddon. Just how real are such scenarios? What is cyberterrorism in the first place?
As with terrorism, cyberterrorism is a term that has defied a universal definition. However, in a testimony before the US House Armed Services Committee in May 2000, computer science professor Dorothy Denning identified some characteristic features of cyberterrorism:
• Cyberterrorism is the convergence of cyberspace and terrorism.
• It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
• A cyberterrorist attack would result in violence against persons or property, or at least cause enough harm to generate fear.
• Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt non-essential services or that are mainly a costly nuisance would not.
So how real is cyberterrorism? Rammurthy says cyberterror is a big threat. He says Supervisory Control and Data Acquisition (SCADA) systems are favourite targets for cyber criminals as they have control over the critical infrastructures like government, large enterprises, etc. Echoing concerns about SCADA systems, Tech Mahindra’s Lobo says that although there have been no major incidents to date, inadequate security in SCADA systems can be targeted to cripple critical national infrastructure such as power, water, and nuclear facilities. There are plenty of opportunities to do so should these systems be connected or accessible via the Internet. SCADA systems the world over were not built for security and the cost for replacement or security refit is huge.
Noting that governments worldwide are prioritizing cyber security as both a national security and economic security issue, and have invested heavily in beefing up defences, RSA’s Shahani cites the growth in cyber crime, the rampant theft of IP and other sensitive information from corporations, and the penetration of defence systems and critical infrastructure by cyber attackers to emphasise the growing threats to cyber security. Shahani also says that the US Federal Government is ramping up its cyber security workforce plans and forecasts spending $13.3 billion on cyber security initiatives by 2015.

Jain chooses to focus more on the broader domain of cyber crimes. Saying user data is fast becoming the most valuable asset, he says increasing access to the Internet and gadgets such as laptops, smartphones and tablets means more and more people are carrying data on-the-go, and with the lack of proper security awareness among users, this data becomes a tempting target for cyber criminals. Data can be stolen through bots and the compromised system could be made part of a Botnet, or zombie network, consisting of thousands or even millions of compromised computers controlled from the botnet’s command and control centre. Botnets are used to steal bank data and emails, and to perform such cyber attacks as spam, DDoS, phishing, click fraud, and the distribution of adware and malicious programs.
“DSCI has developed DSCI Security Framework (DSF) for data security and DSCI Privacy Framework (DPF) for data privacy”
Dr Kamlesh Bajaj, CEO, Data Security Council of India
Anonymous – Templars or Rogues?
As its name suggests, Anonymous is an underground group with a very small core made up of expert hackers. Anonymous has made quite a splash for itself in the virtual world, targeting leading sites such as PayPal, MasterCard, Visa and Amazon, Bank of America, the United States Department of Defense, the United Nations, and Lockheed Martin etc. Anonymous has also brought down sites in support of the Iranian protests and also the Arab Spring uprisings. Its most recent victims include CBS and Universal Music, in response to their backing of the (stillborn) controversial anti-piracy legislations SOPA and PIPA. Anonymous have also (repeatedly) hacked into the Sony PlayStation Network, and recently put out a warning to Sony, telling it that its support for SOPA would invite another attack, and asked it to be “prepared to be extinguished”. Sony and Nintendo withdrew support to SOPA following threats by Anonymous.
Anonymous have written a software – Low Orbit Ion Cannon (LOIC) – that launches a coordinated Distributed Denial of Service (DDoS) attack on target websites, overwhelming the servers with hundreds of thousands of data packets and crashing them. Anonymous had also targeted one of the world’s largest websites – Facebook, running on over 60,000 servers – for a takedown on January 28. This was the most audacious attack ever announced by the group but they were not successful in bringing Facebook down.
The Anonymous signature line: We are Anonymous, We are Legion, We do not forgive, We do not forget, They should have expected us
“The threats are growing daily, as evidenced by numerous breaches that have been uncovered. We should not be ostriches and pretend the problem does not exist”
Kutty Nair, Chairman & Managing Director, Mielesecurity
Jain also says India is the world’s leading source of spam. In 2011 India continued to be at the top of the ranking, as about 15-17% of the world’s spam traffic originated from India. Most of the spam is generated from compromised systems. In 2010 more than 700,000 IP addresses globally were infected with the Rustock botnet and the majority of them were in India. This particular botnet was believed to send out as many as 40 billion spam emails per day. Distributed Denial of Service (DDoS) attacks through compromised ‘zombie’ systems are also of concern to experts we spoke to. DDoS has been widely deployed by hacker groups such as Anonymous (see box) to target large websites.
Industry Outlook
The future for security industry looks bright, given the rapidly evolving overall security scenario. It is, at the same time, also very challenging to keep up with the increasingly complex threats and explosion of platforms that we are witnessing. Jain sees spending on security by enterprise and SMB increasing at a good pace and sees major business potential from educational and government organisations.
The Indian security industry has been growing at a much more rapid clip than global average rates of 10-12 percent CAGR. Estimating the industry size at $ 150 billion, Jain says Indian industry is growing at about 20-25 percent CAGR.
Shahani prefers to focus on the technological trends when talking of industry outlook, and says the evolving computing paradigm presents vast opportunities for cyber criminals, hacktivist groups and nation states to exploit. We are facing a new reality – one of persistent, advanced and intelligent threat. In the wake of this phenomenon, CEOs and corporate boards are taking a keen, increased interest in security. In his view, shaken by the wave of attacks in 2011, corporations would endeavour to make 2012 a year of action towards ensuring better security of their information assets.
Rammurthy concurs with the rosy predictions for revenue, quoting Gartner estimates of the security software market in India touching US$ 209 million in 2011, with growth forecast to US$ 320 million in 2014.
Privacy Issues
The debate over privacy has been getting increasingly heated in India of late. Particularly since the IT Rules (under the 2008 Amendment) were notified in April 2011, privacy advocates are up in arms. However, the government has been citing national security concerns, and the need for maintaining public order, as the two main motives driving its actions. Privacy and web-censorship related issues got a fresh lease of life when last month, representatives of social media giants such as Google, Facebook and Twitter etc. were summoned by the government and asked to devise mechanisms for screening of potentially objectionable content.
21 companies are currently embroiled in a case alleging they have violated Indian laws related to what kind of information can be published in the public domain, and have also been accused of endangering national security under various sections of the Indian Penal Code. The outcome of this case will be keenly watched across the globe.
Defending the government’s stance, CERT-In DG Gulshan Rai says the government is one of the stakeholders in this entire debate, and is committed to protecting privacy and freedom of expression. In his view, there is a delicate balance among three concerns – privacy, national security and the right to information, and the government is trying to find an equilibrium. Rai also says that the provisions on data safety and security incorporated in the IT Act are ahead of similar provisions elsewhere, and that the recently unveiled Data Protection Policy of the EU borrows several ideas from the Indian Act.

WikiLeaks – Information Warrior or Sensationalist?
WikiLeaks, a non-profit that says its goal is to bring important news and information to the public, had been in the business of leaking confidential government and corporate information for a while. November 2011 was different, however. In this month, WikiLeaks commenced sequential release of over 2,50,000 secret US diplomatic cables that had been stolen by Bradley Manning – a US military analyst now under incarceration.
Following the massive leak, WikiLeaks came under sustained fire from a number of governments. It has also sparked a yet-inconclusive debate on the correctness of its actions and the impact these would have on international relations. WikiLeaks has also triggered a massive review of information security protocols in a number of countries and it is unlikely that another Manning could leak classified information as easily as by copying it onto a Lady Gaga CD.
November 2007: WikiLeaks publishes the Standard Operating Procedures for Camp Delta. This document laid down the processes for the infamous Guantanamo Bay detention camp of the US Navy, revealing systemic abuse of prisoners’ rights at the Guantanamo Bay detention centre of the US.
August 2009: Censoring of a WikiLeaks story on fraud in Iceland’s largest bank leads to drafting of the world’s most liberal freedom of speech law – the Iceland Modern Media Initiative and institution of a new ‘Nobel Prize’ for free speech by the Iceland Parliament.
April 2010: WikiLeaks sets up a website ‘collateral murder’ showing video footage of American soldiers apparently launching airstrikes on unarmed men in Iraq in July 2007.
July 2010: WikiLeaks releases more than 90,000 documents relating to the Afghanistan war, showing documented instances of human rights abuse, civilian deaths and friendly fire among Western forces in Afghanistan.
October 2010: In the biggest ever leak of military documents in world history, WikiLeaks releases about 400,000 documents from the Pentagon showing widespread human rights violations, active Iranian support to Iraqi insurgents and abuse of US laws by private US defence contractors operating in Iraq.
Pankaj Jain is of the view that the Indian law enforcement agencies are at the very initial stage of developing policies and practices in cyber privacy surveillance, and seconds Rai’s opinion regarding the need for a balance between the need for security and privacy.
Saying that individuals need to raise their awareness on data privacy and on their rights available under Indian laws, Rahul Jain, Senior Consultant with the DSCI, advocates constant vigilance when providing personal data to third parties. He points out that quite often, we freely disclose personal details without even knowing the purpose for which they are collected or ascertaining whether the other party is collecting more information than is required. He also stresses the need for keeping oneself aware of the latest developments related to cyber crime and following basic security practices such as checking authenticity of sites, not saving & sharing passwords, not installing suspicious software & applications, etc.
The increase in surveillance and monitoring by security agencies vs. privacy is an ongoing debate. To an extent, monitoring and surveillance do impact privacy; however, an appropriate balance between both is the only way out.
Reflecting the general consensus, Lobo also admits that the issue of privacy and free speech vs. national security is a complicated one with few easy answers. Like others, he also advocates clarity in laws and procedures that allow government to snoop upon private information, and to censor speech on the web.