They're after your data!
Date: Monday, March 31, 2008
On June 30, 2004, a virus attack partially brought down the operations of Infosys Technologies in Bangalore and its other centers in the country.
In June 2006, a security breach at HSBC’s offshore data-processing unit in Bangalore led to $425,000 being stolen from the accounts of a small number of the bank’s U.K. customers.
Cut to March 2008, a security breach at the Hannaford east coast supermarket chain in the U.S. led to the exposure of some 4.2 million credit card particulars.
Say you receive an email that looks like one from your bank, announcing tempting financial offers. You give your credit card particulars, address, and other confidential details to avail of the offer. But alas! By the time you realize it’s a phishing mail, you might have lost your valuable information along with your hard-earned money!
These instances show how your data is continuously under threat. Information security remains one of the foremost new-age challenges, and the variety of threats has been increasing exponentially. As technology becomes more advanced, the hacker community is also finding more sophisticated ways to attack.
The security scenario
Today, attackers are becoming more creative in their attacks. They can use annoying but relatively benign schemes, such as pop-up ads, spam, and search bar installations, to harvest money. More insidious attacks include phishing schemes, pump-and-dump stock scams, denial-of-service floods, and form-scrapers that gather bank account numbers and passwords from browsers.
Says Sanjiv Dalal, Chief Technology Officer, Firstsource, “These days even mobile phones, advanced smartphones that run full-fledged operating systems, and e-mail applications store more valuable data than before, and present themselves as tempting targets. Especially in Banking, Financial Services and Insurance (BFSI), and BPO offshore centers mobile devices may pose an internal threat.”
According to a Goldman Sachs report, a majority of emails sent over the Internet are unsolicited. Phishing is rampant and has created a new category of threat – identity theft. Says ASA Krishnan, Senior Director, Cyber security division, Department of IT, “In India, out of the total complaints received by the department, 32 percent was about phishing and three percent about spam. There are 25,940 botnets (PCs which are set to forward transmissions of spam/viruses to other computers on the Internet) operating in India.”
Miscreants are developing peer-to-peer communications and control mechanisms to avoid points of failure in their botnets. Attackers are also using fast flux techniques to rapidly shift the domain name-to-IP address mapping of critical servers, making it hard for investigators to hunt down phishing Web sites, control servers, and other parts of their infrastructure.
Studies of affected enterprise networks have shown that malware such as worms and viruses was introduced via email. The BFSI, IT, and ITES sectors are the most vulnerable to these kinds of attacks, with phishing being the biggest threat.
How do enterprises address the cyber menace?
A September 2007 Goldman Sachs report says that the top three drivers of enterprise security spend were IT policy compliance, data loss prevention, and endpoint protection. But are enterprises in India really bothered?
“Till recently, many IT enterprises, especially Small and Medium Enterprises (SMEs), were not considering security as part of their enterprise function unless there was damage to them,” says Bhaskar Bakthavatsalu, Country Manager, India and SAARC, Check Point.
The fact is that the importance of information security has still not percolated to each individual in the IT industry. “And most of the corrective measures for information security incidents are reactive in nature,” notes Allen Roy, Global Head Networking, Insurance and Business Process Solutions, Perot Systems.
Of late, globally as well as in India, organizations are required to comply with stringent regulations and compliance requirements. As a result, companies are forced to re-evaluate their investments in security solutions. “The early movers were definitely the larger enterprises, with the SMEs beginning to follow them now,” adds Bakthavatsalu.
Since organizations need to strike the right balance between clamping down and ease/flexibility of day-to-day operations, it requires proper thought and segregation of information into several zones. "I believe that industry is not reluctant but struggles with relevance, optimization and direction," opines Sudhir Kumar Reddy, CIO, MindTree.
Though larger corporations have started spending on security aspects, most of the SMEs can’t afford to adopt security solutions. But as the need for security is mounting, vendors have started rolling out low-end security solutions. “In India the IT security act is not so robust, as these days firewalls, anti-virus, encryption methodologies are not the only security measures,” reckons Bakthavatsalu.
However, in the BPO and banking sectors, information security standards are much more stringent in India. Today the value of information assets is much greater than that of physical assets. “Information security is not only about spending on technology. It’s also about managing technology and processes around us and making sure that the system is truly robust,” says Dalal.
Currently, most BFSI companies and BPOs have invested in ‘in-house’ security teams that conduct much of their own detective work. These are groups of full-time security specialists devoted to monitoring various hacker sites, scanning the horizon, collecting and analyzing intelligence, and taking preventative action. The teams also keep watch on employee activities and test internal procedures. Now insiders, not just hackers, pose a greater threat, as it’s easy for them to violate information security since they have ready access to customers, employees, products, and financial data and to the Internet. Without much effort they can email confidential customer data to a competitor.
“However, when compared to other countries, India has been the safest country in terms of security breaches. This is because most of the sensitive data is yet to be computerized in the country,” opines Dalal.
Is this the only reason? According to analysts, the Indian information security space is still in an evolving stage. They still hesitate to exhibit gut feel. Notes Satyaki Maitra, Business Manager, Emerging Products Group, NetApp India, “In India, even though security breaches happen frequently, they are not getting reported as in other countries. Indian companies do not want to divulge it.”
Awareness and security policies
Whose job is it then to create awareness about the impending peril? Are the Indian organizations prepared to face new challenges?
“In India the industry is still very much content with the current security measures and is yet to react to the latest threats posed by Web 2.0 applications. Businesses should be made aware of the threats posed by trojans, worms, advanced spam, and malware,” says Ajit Pillai, Country Manager, India & SAARC, Secure Computing.
Thus, from the BFSI perspective it is important to create awareness among customers. As far as BPOs are concerned, they should build confidence among their clients. Though most companies have their awareness programs, threats come in different ways, such as an overheard phone call, a stolen laptop, or suspicious downloads. All these pose significant security threats, and so along with implementing stringent in-house rules, the security practices should start from the heads of companies. “Stringent governmental laws are also mandatory as unless there is a law people won’t follow it,” opines Bakthavatsalu.
It’s also every employee’s responsibility, from the executive suite to the manufacturing floor, to have clear security policies and procedures. An effective security policy needs some significant forward-looking policy directives that will ensure foolproof security planning. Educating employees about the security and legal implications of their actions, and the management of mobile devices within the organization, should be incorporated in the security policy.
However, there has been slow and steady growth in the overall security market due to a worldwide increase in awareness about the need for information security. In India, particularly in the BFSI, IT and ITES, and health sectors, security concerns are growing gradually. In 2007 the security product market saw 29 percent growth. “Today, India has the highest number of ISO 27001 certified companies, next only to Japan,” says Roy. ISO 27001 is a standard that helps to establish and maintain an effective information management system, using a continual improvement approach.
One can own a beautiful palace. But what’s the use if it doesn’t have security protocols to defend it from attackers? It’s the same scenario with regard to enterprise security, with information being the prime asset. In a nutshell, implementing ‘more stringent and proactive measures’ to deal with both internal and external dangers is undoubtedly the need of the hour.
Get ready to revolt!
These are some of the hot security threats that enterprises are facing today and will continue to face over the next year. Get ready to combat!
Targeted phishing: While the majority of phishing attacks target individuals, targeted phishing attacks go one step further by targeting specific organizations with specially tailored messages that have been very effective in fooling users. While consumers are becoming aware of generalized phishing, employees of organizations are much less prepared to deal with targeted phishing.
Botnets: PCs that are set to transmit spam and viruses to other computers on the Internet. They are a major source of evil on the Internet, from spam, phishing attacks, virus propagation and denial-of-service attacks to the stealing of financial information and other illegal activities.
Event-driven, targeted email containing malware: Beware! Malware authors will send you emails with catchy headlines based on current hot events, and the attachments may contain malware. This trend is expected to continue in 2008 too.
Spyware: Spyware is computer software that is installed surreptitiously on a PC to intercept or take partial control of the user’s interaction with the computer, without the user’s consent. It has seen massive growth in the past couple of years, and this year too the spyware menace will be rampant.
Pump-and-dump stock scams: “Pump and dump” schemes, also known as “hype and dump manipulation,” involve the touting of a company’s stock through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market. These attacks also may see a rise.
Denial-of-service floods: A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or even from remaining functional, temporarily or indefinitely.
Attacks on social networking sites: Web 2.0 and social networking sites will be targeted in a big way. They will likely be the next big targets for hackers because they have exploded in popularity.
VoIP attacks: In the headlong rush to VoIP it is essential that organizations do not overlook the security implications of the technology. The bulk of VoIP calls currently being made are still not properly protected. According to analysts, VoIP attacks will increase by 50 percent in 2008.