An Inconvenient Reality_Final
Posted on 29-May-2018
8/9/2019 An Inconvenient Reality_Final
An Inconvenient Reality
The unaccounted consequences of non-genuine software usage
ADVISORY
INFORMATION, COMMUNICATION AND ENTERTAINMENT
Table of Contents
Foreword 1
Executive Summary 3
Key Drivers 7
Potential Implications 11
Involvement of Anti-Social Elements 15
Information Disclosure and Data Theft 17
Malware Attacks 21
Extortion Using Ransomware 25
Unsecured Business Environment 29
Network Effect 31
Academic Institutions: Usage of non-genuine software by students 35
Increased Security Exposure for Government 39
Reputation Risks 43
Seeing the larger picture 45
Appendix: Methodology 51
© 2009 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
Foreword
Explosive growth of the Internet in the last two decades has made it one of the most used channels for acquiring software quickly. At the same time, higher profit margins and minimal risks associated with counterfeiting/cracking of genuine software have given opportunity to anti-social and anti-national elements to make non-genuine software available on the Internet as well as in the physical media. This, combined with limited awareness of the implications of using such software in our user population, exposes our Information, Communication and Technology (ICT) infrastructure to various information security challenges.
The objective of this white paper is to sensitize readers, end users, government establishments and enterprises to the various security implications associated with usage of non-genuine software. With this intention the paper considers the results of our research, real-life cases and hypothetical scenarios to highlight the potential information security consequences of non-genuine software usage.
The research performed during the development of this paper observed that usage of non-genuine software can now be considered a significant vector in weakening the security posture at micro and macro economic levels. The information and test cases assembled in this paper demonstrate that using non-genuine software not only increases the threat of data loss and intrusions to personal systems, but also to critical ICT infrastructure of the society, thereby threatening national security. There cannot be a better time for citizens, governments and corporations to come together in the endeavor to mitigate the risks arising from the usage of these potentially dangerous systems.
Akhilesh Tuteja
Executive Director
KPMG in India
Executive Summary
It remains a well established fact that use of unlicensed or pirated software results in both immense financial implications due to infringement of the copyright laws as well as tarnishing of the company's market reputation. Studies also indicate that deployment of such software often leads to organization-wide security risks, such as loss of data privacy, system failures and downtime, and reduced operational performance. Additionally, a 2009 study carried out by KPMG indicates that non-genuine software can potentially disrupt the smooth functioning of an organization's operations by adversely affecting the system security infrastructure.
This paper seeks to establish the significant direct and indirect information security implications for government and corporate organizations as well as individuals when deploying non-genuine software. The paper elaborates the key drivers motivating the deployment of non-genuine software, the security implications thereof, and the suggested measures and considerations which government and corporate organizations can adopt for increasing awareness among users regarding security implications of deploying non-genuine software, thereby reducing its usage.
Drivers
Factors such as easy availability, lower costs of acquisition, and convenience of acquiring non-genuine software, as well as the attraction of deploying seemingly effective yet free software, continue to drive end users and organizations towards wide-range deployment of non-genuine software.
Implications
Recent reports indicate a strong direct correlation between usage of non-genuine software and security threats such as malware and botnets.
As part of the research conducted for this white paper, we reviewed 50 websites offering non-genuine software and/or enabling tools and techniques for acquiring such software, which revealed that more than 60 percent of these websites include a varying degree of threat vectors that can potentially impact information systems security.
- 60 percent of websites providing cracks, keygens, warez or counterfeits have potential threat vectors
- 39 percent of organizations surveyed reported a security incident of non-genuine software detection in their IT environment
- 35 percent of organizations cited ready availability as the reason for employees to use non-genuine software
- Correlation coefficient between software piracy rates and malware attacks is a strong 0.74
- Companies using non-genuine software are 43 percent more likely to have critical system failures*
*Source: Impact of unlicensed software on mid-market companies - Harrison Group
The security implications of deploying non-genuine software are multi-dimensional, including threats that directly affect the end user's and organization's security as well as indirect threats leading to increased cost of protection and remediation. Directly impacting security threats include loss of data confidentiality and integrity, as well as reduced operational performance arising from:
- Phishing Attacks
- Malware and Botnets
- Ransomware
Indirect security threats of deploying non-genuine software include the organization or user unknowingly becoming part of a larger nexus of anti-social elements funding and operating illegal pirated software businesses, thus contributing to the network of organized crime.
Given today's networked environment, where most computing devices are connected through the Internet, such threats arising from infected non-genuine software have far-reaching implications for an entire network. A system having non-genuine software can adversely impact the overall security of a network. A large number of hackers develop potentially dangerous software disguised as software with rich functionalities to lure unsuspecting users. These users can then become part of botnets and be controlled remotely for executing large-scale attacks.
Measures
The paper discusses the security programs adopted by select corporations across industry sectors for discouraging use of non-genuine software and also provides recommendations for mitigating such risks.
Some of the measures that the government and industry may consider include:
- Creating awareness among end users in homes, academic institutions, public and private enterprises against the usage of non-genuine software; this includes a program specially targeted towards the student community
- Working towards effective implementation of the legal and regulatory framework to discourage deployment of infected non-genuine software
- Facilitating faster and more focused punitive action for non-compliance, including establishment of special courts
- Institutionalization of an internal program within the government and private organizations to manage and control deployment of software assets; such programs should include periodic reviews/audits of software inventory and the management processes around it
- Implementing controls to prevent and detect usage of non-genuine software, especially on critical Information, Communication and Telecom (ICT) infrastructure
Spreading the good word
Key Drivers
The consumer base for software in India has over the last decade witnessed an unprecedented expansion on account of a surge in PC and Internet penetration across the country. Low production costs, ease of manufacturing and high profit margins have fuelled the non-genuine software market in the country. As per the Fifth Annual Business Software Alliance (BSA) and IDC Global Software Piracy Study released in May 2008, India had a piracy rate of 69 percent in 2007.
The Internet serves as one of the leading channels for acquiring non-genuine software. Several websites and peer-to-peer networks offer installable non-genuine software, product keys, key generators and crack tools. There are other equally popular channels like physical media (CDs and DVDs) that are easily available as well. As can be observed in Figure 1, irrespective of the medium used to obtain non-genuine software, the risks of getting infected with malicious software are fairly significant.
Figure 1: Possibility of infection through channel used for acquiring non-genuine software (values as read from the chart bars)
Medium           Possibility of infection (%)
Websites         25
Physical Media   33.33
Key Generators   32
*Source: IDC Study - The Risks of obtaining and using pirated software - 2006 and Microsoft Internal Study: Dangers of Counterfeit Software
Information security is generally associated with terms like viruses and cyber crime. However, key information security concerns stem from various sources including:
- Discontented employees: Insider threats initiated by disgruntled employees, contractors and consultants
- Internet: Cyber crime/attacks such as botnets, exploiting browser vulnerabilities
- Mismanagement: Data breaches/loss due to mismanagement
- Terrorist attacks
- Neglected endpoints and LAN security
- Exploited vulnerabilities due to improper patch management
- Social engineering that can be assisted by social networking websites
- Malware like spyware, viruses and trojans which are usually downloaded from the Internet by unsuspecting users
The information security chain is as strong as its weakest link, and end users are usually found to be this weakest link. As a user clicks on a malicious link on the Internet and downloads unauthorized software or email attachments, he/she may become a victim of social engineering attacks and sometimes knowingly or unknowingly install counterfeit/illegal or pirated software on his/her machine.
With the rapid rise of the Internet and personal/mobile computing across all walks of life, the exposure of end users to these security threats has increased manifold, and thus neither governments nor businesses are immune to these threats.
Our analysis suggests that users in countries with higher software piracy rates tend to be more susceptible to malware attacks (see Figure 2). The correlation coefficient between these two is a strong 0.74.
Figure 2: Malware infections are more in countries with higher software piracy (values as read from the chart bars)
Country   Malware Infection Rate (CCM)   Software Piracy Rate (%)
JPN       1.8                            23
AUS       5.2                            25
GER       5.3                            27
FIN       5.7                            25
IND       6.2                            69
ALB       25.4                           78
MOR       27.8                           67
BAH       29.2                           57
*CCM: Computers Cleaned per Mil represents the number of computers cleaned per thousand executions of the Malicious Software Removal Tool
**Malware Infection Rates as published in the Microsoft Security Intelligence Report 2008
***Piracy rates as published in the Business Software Alliance (BSA) - 2007 Global Software Piracy Study
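The paper states the 0.74 coefficient but never shows it being computed. As an added worked check, not part of the original paper, the Python below recomputes Pearson's r from the eight (malware infection rate, piracy rate) pairs plotted in Figure 2 (JPN 1.8/23, AUS 5.2/25, GER 5.3/27, FIN 5.7/25, IND 6.2/69, ALB 25.4/78, MOR 27.8/67, BAH 29.2/57) and reproduces 0.74. The leave-one-out pass is an added sensitivity check: with only eight countries, a single outlier such as India (low infection rate against a 69 percent piracy rate) moves the coefficient substantially, which is the caveat to attach to "a strong 0.74".

```python
"""Recompute the piracy/malware correlation quoted for Figure 2."""
import math

# (country, malware infection rate in CCM, software piracy rate in percent),
# transcribed from the Figure 2 bar labels. Constructed from the chart; if a
# bar was misread, the result below will differ from the paper's 0.74.
FIGURE_2 = [
    ("JPN", 1.8, 23),
    ("AUS", 5.2, 25),
    ("GER", 5.3, 27),
    ("FIN", 5.7, 25),
    ("IND", 6.2, 69),
    ("ALB", 25.4, 78),
    ("MOR", 27.8, 67),
    ("BAH", 29.2, 57),
]


def pearson_r(xs, ys):
    """Pearson product-moment correlation of two equal-length numeric series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / math.sqrt(var_x * var_y)


def figure_2_correlation(rows=FIGURE_2):
    """r between malware infection rate and piracy rate over the charted countries."""
    malware = [m for _, m, _ in rows]
    piracy = [p for _, _, p in rows]
    return pearson_r(malware, piracy)


def leave_one_out(rows=FIGURE_2):
    """Sensitivity check: r with each country dropped in turn (keyed by country)."""
    return {
        country: figure_2_correlation([r for r in rows if r[0] != country])
        for country, _, _ in rows
    }


if __name__ == "__main__":
    print(f"r over all eight countries: {figure_2_correlation():.2f}")
    for country, r in leave_one_out().items():
        print(f"  without {country}: {r:.2f}")
```

Dropping India alone lifts r above 0.9, while the full set gives 0.74; a coefficient computed on eight points should be read as suggestive, not as a measured effect size.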
Potential Implications
In the context of individuals and businesses, increased vulnerability to malware, damage to reputation, reduced operational efficiencies and increased total cost of ownership are some of the drawbacks of deploying non-genuine software. From a broader macro-economic perspective, the use of non-genuine software has the potential to adversely affect employment, tax revenues, industry growth as well as national security.
As Figure 3 demonstrates, developing nations such as India still remain relatively ill-equipped in dealing with software piracy. Non-genuine software exposes its users, whether they are individuals or organizations, to a plethora of information security risks. This is evident in the high correlation between non-genuine software usage and malware infections [1].
Any such security threats, viz. viruses, worms, spyware and Trojans, exploit vulnerabilities in the operating system and/or the software/application installed on it. While cyber criminals are continuously on the lookout for these vulnerabilities, software developers are busy developing patches or hotfixes for plugging these vulnerabilities. It is a never-ending war and the users need to continuously download these patches and hotfixes to be relatively safe in the cyber world. However, users of non-genuine software suffer a big disadvantage and are constantly vulnerable to these attacks due to the lack of patches and hotfixes being made available to them.
Every time such a user is surfing on the Internet or downloading files through emails or Peer to Peer (P2P) applications, he/she is susceptible to a plethora of security threats. In addition to this, users who continue to download more non-genuine software from the Internet face a double-edged sword and are not only vulnerable to any new threats but are continuously exposed to more of these threats every time they visit a website providing non-genuine software or assisting in cracking (installation without license) genuine software.
Our study [2] of 50 websites providing various enablers for using non-genuine software, viz. cracks, keygens, serials, warez, etc., reveals that there is a significantly high probability of a user browsing the Internet in search of non-genuine software being exposed to security threats, as indicated in Figure 4.
Figure 3: Software piracy trends higher in developing nations (chart of Human Development Index rank and Software Piracy Rate (%) for USA, LUX, NZ, JPN, SWZ, IND, ZIM, BAN, AZB, MOL and ARM; the per-country values did not survive extraction)
Revenue losses in India due to software piracy were estimated to be USD 2 billion in 2007
Source: BSA - 2007 Global Software Piracy Study / United Nations HDI Rankings
[1] Correlation coefficient of 0.74 observed in Figure 2
Figure 4: Threat vectors on websites providing non-genuine software (values as read from the chart bars)
Threat vector                 Percent
Potential Malware             16
Auto Redirection / Pop up     30
Unsolicited Content           32
Source: An Inconvenient Reality, KPMG in India, June 2009
[2] KPMG study of 50 websites offering non-genuine software and/or enablers to obtain such software. Refer Annexure for methodology.
A synopsis of the potential security implications of deploying non-genuine software is outlined below.
- Involvement of Anti-Social Elements: End users of non-genuine software contribute to a chain which may potentially finance anti-social activities
- Information Disclosure and Data Theft: Users of non-genuine software could be losing valuable personal and financial data
- Malware Attacks: Hidden security and cost implications of non-genuine software usage
- Extortion using Ransomware: Fraudsters using non-genuine software to extract money from end users
- Unsecured Business Environments: Usage of non-genuine software lowers the security posture of business environments and can lead to higher critical system failures, operational downtimes and an increase in the total cost of ownership in the long run
- Network Effect: Security implications of non-genuine versions of software that is made available to the masses can acquire exponential proportions due to the presence of a large number of people on the networks where it is made available
- Academic Institutions and Students: Significant risks to academic institutions and students themselves due to usage of non-genuine software by students
- Increased security exposure for Government: Government sector susceptible to cyber warfare and espionage due to usage of non-genuine software
- Reputation Risks: Usage of non-genuine software can often have large financial and legal risks that may impact reputation
Information security has graduated from being a boardroom issue to an issue of national importance. The following pages attempt to demonstrate, through real-life cases and hypothetical scenarios, how academic institutions, government sector organizations and unsecured business environments can become potential victims of security consequences due to the widespread use of non-genuine software.
The way forward for end users, government and private organizations to mitigate security risks due to usage of non-genuine software has also been discussed.
Involvement of Anti-Social Elements
Setting the context
Organized crime groups are often associated with illegitimate financial transactions such as money laundering. Production of non-genuine software is emerging as another means of generating revenue for anti-social elements. Since the operating costs amount to only a fraction of sales revenue, the remaining revenue often ends up in a larger resource base being used to fund counterfeit products, prostitution, weapons trading, and possibly even terrorism.
Consider this
In 2000, Ali Khalil Mehri, a Lebanese businessman, was arrested by Paraguayan authorities for allegedly selling millions of dollars worth of pirated and counterfeit software and funneling the proceeds to terrorist organizations [3]. Documents seized during the raid indicate that the sales of counterfeit goods were used for fundraising by terrorist organizations in the Middle East.
In India, there have been well documented cases of organized crime groups being involved in trade of counterfeit goods to fund their activities. The raids in 2005 [4], of large-scale shipments of counterfeit goods belonging to the criminal organizations operating in India, by the US and Pakistani authorities, highlight the role played by counterfeit goods in financing the murky world of organized crime and terrorism.
"In the modern world, information controls every aspect of Governance and every sector of economy. The security of ICT (Information, Communication and Technology) infrastructure, resources and data, therefore, assumes high importance, priority and urgency which may even be higher than the physical security. We have a policy of periodic review of our security policy for ICT infrastructure, resources and data to mitigate risks from various threats. This is a big challenge keeping in view the size, spread and capacity of the organization. Our security policy prohibits employees from using any non-genuine software owing to their high security risks. However, the software vendors should also support our cause by making the software available at affordable prices, at Purchasing Power Parity (PPP), i.e. on the basis of average earnings of a common man. This would, on the one hand, encourage the use of genuine software; on the other hand this would definitely help in discouraging use of non-genuine software in the country."
Nirmaljeet Singh Kalsi
Joint Secretary, Ministry of Home Affairs, Government of India
Would you like to be part of a chain that potentially finances anti-social / anti-national activities, or would you much rather spend that little extra and contribute to the security of our society and country?
Why is software piracy such a lucrative business for organized crime groups?
Table 1
High Markups: As much as 1000 percent owing to marginal cost of production
High Demand: High demand as consumers perceive a cost advantage
Low Entry Costs: Organized crime groups use their existing infrastructure as distribution cells
Minimal Risk Level: Documented evidence on the involvement of organized crime groups is sparse and even when implicated, the penalties levied (INR 50,000 to 2,00,000) are marginal for these large and well-resourced organizations
Victimless Crimes: Users of non-genuine software are usually aware of the product they are buying and are thus considered to be complicit in the crime
[3] Middle East Intelligence Bulletin: Hezbollah's Global Finance Network: The Triple Frontier, by Blanca Madani
[4] "Film Piracy, Organized Crime and Terrorism" - RAND Safety and Justice Program and the Global Risk and Security Center
Information Disclosure and Data Theft
Setting the context
With rampant instances of malware in non-genuine software, data theft and disclosure of confidential information are often potential security threats. A recent report from Symantec [5] shows that 82 percent of threats to confidential information in the Asia Pacific Japan (APJ) region were classified as threats that export user data (see Figure 5).
Figure 5: Threats to confidential information in the Asia Pacific Japan Region (values as read from the chart bars)
Potential Threat           Percent
Exports email addresses    65
Exports system data        60
Key stroke logger          80
Exports user data          82
Allows remote access       69
Consider this
Apple recently launched its iWork 09 Suite. After the product launch, non-genuine copies were readily available on file-sharing sites. Several of the non-genuine copies, however, contained Trojan software that was bundled along with the installer package. On installation, the Trojan software connects to a remote server over the Internet and grants a remote controller access on the machine to enable malicious actions. More than 20,000 people have already reportedly downloaded the rogue installer, which was bundled with the non-genuine version of the iWork 09 Suite.
[5] Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009
Statistics from a recent study by Scansafe [6], as illustrated below in Figure 6, indicate that data theft Trojans as a percentage of malware have increased significantly in 2008 (from 6 percent in 2007 to 14 percent in 2008).
Figure 6: 2008 Block Volume Data Theft Trojans (monthly chart, Jan to Dec 2008, in percent; series: Monthly Volume and Yearly Volume; the plotted values did not survive extraction)
When you use non-genuine software you could actually be losing valuable personal and financial data to malicious users; this could have far wider ramifications in terms of reputational, legal, financial or even business continuity risks for individuals and organizations alike.
Other studies indicate that companies using non-genuine software are 73 percent more likely to lose confidential data and 28 percent more likely to lose a customer's personal information [7]. As a result, the risks of losing confidential data by using non-genuine software are significant for companies as well as for individuals.
[6] Scansafe Annual Global Report 2008
[7] Impact of the use of unlicensed software in mid-market companies, White Paper by Harrison Group, 2008
Malware Attacks
Consider this
A user finds a torrent [8] on a peer-to-peer file sharing network that contains copies of Adobe software and files that appear to be key generators for the software. Unknown to the user, malware is packaged with the torrent disguised as key generators or other executables. When the user downloads the torrent and runs such executables, the malware infects the system, typically infecting system files and morphing into other seemingly useful files.
The list below highlights some of the typical actions taken by such malware while infecting a machine:
- Creates system tray popups, messages, errors and security warnings
- Makes outbound communication to other computers, phones, IM chat rooms and other services using IRC protocols
- Reads email address and phone book details
- Changes Internet Explorer (IE) options including home page, security tab, color, font, advanced menu
- Modifies the Windows Hosts File, which could be used to stop users from visiting specific websites by redirecting them to alternative addresses without their knowledge
- Deletes other programs
- Infects other program files to include a copy of the infection
- Hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Polymorphs and changes its structure
- Adds a Registry Key (RUN) to auto start programs on system startup
- Includes file creation code which is used to test for interception by security products
[8] Torrents are files downloaded using BitTorrent's Peer-To-Peer file sharing protocol
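Of the behaviours in the list above, the hosts-file modification is the one a defender can verify directly from disk. As an added example, not code from the paper or from any tool it cites, the Python below audits the text of a hosts file and flags the two patterns that matter: a domain pinned to a non-loopback address (silent redirection to an address the attacker controls) and an update or security-vendor domain sinkholed to loopback, which cuts the machine off from exactly the patches and signatures the paper says non-genuine software users already go without. The watchlist suffixes and the sample hosts file are constructed for the illustration; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit hosts-file text for the redirection/sinkholing behaviour described above."""
import ipaddress

# Names that legitimately map to the local machine in a stock hosts file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters",
}

# Constructed watchlist (an assumption for this example, not from the paper):
# domains a defender never expects to see pinned in hosts, because redirecting
# them starves the machine of updates and signatures.
WATCHLIST_SUFFIXES = ("windowsupdate.com", "example-av-vendor.test")

# Constructed sample hosts file: two stock entries followed by the kinds of
# lines the malware action list describes.
SAMPLE_HOSTS = """\
# constructed sample: stock header comment
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # ad-blocking entry
198.51.100.23   www.example-bank.test      # pins a bank to a remote address
127.0.0.1       update.windowsupdate.com   # starves the machine of patches
192.0.2.10      www.example-av-vendor.test av-static.example.test
"""


def _matches_watchlist(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_hosts(text, watchlist=WATCHLIST_SUFFIXES):
    """Return one finding per suspicious (address, hostname) pair.

    Each finding is a dict with line, address, host, severity and reason.
    Stock loopback entries produce no finding.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr_text, *hosts = line.split()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append(dict(line=line_no, address=addr_text, host=" ".join(hosts),
                                 severity="low", reason="address field does not parse"))
            continue
        for host in hosts:
            if addr.is_loopback and host.lower() in LOCAL_NAMES:
                continue                           # normal stock entry
            if _matches_watchlist(host, watchlist):
                severity, reason = "high", "watchlisted domain pinned in hosts"
            elif addr.is_unspecified:
                severity, reason = "info", "domain sinkholed to 0.0.0.0 (ad-block style)"
            elif addr.is_loopback:
                severity, reason = "medium", "domain sinkholed to loopback"
            else:
                severity, reason = "high", "domain redirected to a non-loopback address"
            findings.append(dict(line=line_no, address=str(addr), host=host,
                                 severity=severity, reason=reason))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2} [{f['severity']:<6}] {f['address']:<15} {f['host']:<28} {f['reason']}")
```

The severity split is deliberate: a 0.0.0.0 sinkhole is the common ad-blocking idiom and only informational, a loopback sinkhole of an arbitrary domain blocks a site but does not redirect the user, and any non-loopback pin or any watchlisted domain is the case worth an incident ticket, since the paper's own scenario is redirection "without their knowledge".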
The installed malware could be anything from a data stealing Trojan to a virus/worm or even a remotely controlled bot. Symantec's recent report [9] on Internet security threats lists India as the most affected country in the APJ region, in terms of distribution of viruses and worms (see Figure 8).
Figure 8: Internet Security Threats in the APJ Region (Top Countries)
Rank   Viruses     Worms   Backdoors   Trojans
1      India       India   China       China
2      China       China   India       India
3      Indonesia   Japan   Japan       Japan
[9] Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009
Extortion Using Ransomware
Setting the context
Several websites claim to offer genuine software and utilities at throwaway prices. Fraudsters have found another innovative way of squeezing money out of the unsuspecting end user.
Consider this...
If a user wishes to obtain a copy of the Adobe Acrobat reader software, and uses the keyword "Adobe reader" in a Google search, Google returns results with several links offering a free download of Adobe Acrobat reader software along with a sponsored link leading to a malicious/spoofed website. Clicking on the malicious link redirects the user to a spoofed CNET Download.com site which offers a free download of a copy of Adobe reader. When a user downloads and runs it, a full, operating copy of Adobe Acrobat reader is installed, but with a twist.
Figure 9: Ransomware message: An example
*Source: www.phirelabs.com and www.zdnet.com
After installing the program, users are interrupted with message boxes at one minute intervals. The malware itself offers a fake remedy in the form of a pointer to a fake site which is presented as a "Remove all threats" button. After a period of time, as the user tries to access files on the System drive of the infected system, the ransomware starts displaying a message that the files are encrypted. The message clearly indicates that the victim needs to download a decryptor for decrypting data on the System drive of the infected system. Accepting the message redirects the user's browser to a malware website which hosts the decryptor and which is available for download at a price.
A recent case of such ransomware was that of FileFix Pro, a phony utility which encrypts the user's documents and demands that the user purchase a decryptor for USD 50 for decrypting the same.
Fake anti-virus and security software is a popular target for propagators of ransomware. It is estimated that fraudsters make as much as USD 5 million through planting fake anti-virus software alone [10].
Figure 10: An example message from ransomware asking for ransom
Have you ever considered the possible security implications of downloading software online from an untrusted source? What could be the underlying motive for making popular software available through alternative sources that are not trusted? A question worth giving a hard thought to.
[10] Computerworld Security, October 31, 2008
Unsecured Business Environments
Setting the context
It is a common misconception that use of non-genuine software leads to cost reduction. Recent studies show that companies (including Small Office/Home Office (SoHo) organizations) who use non-genuine software can incur significant operational downtimes and maintenance costs, thus making the use of non-genuine software an expensive proposition in the long run.
Consider this
As per the study "Impact of Unlicensed Software on Mid-Market Companies" by the Harrison Group, companies using non-genuine software are 43 percent more likely to have critical system failures (some of them lasting 24 hours or more). Apart from maintenance costs, downtime of IT systems could also translate into lost revenues, productivity and other invisible costs.
Additionally, the use of non-genuine software makes it difficult for companies to install security patches and updates, thus leaving them exposed to malware attacks. The cost of recovering from such attacks/incidents could in some cases exceed USD 1,000, thus negating the value the organization was hoping to gain through counterfeit copies of software. Thus, the cost savings of using non-genuine software are eradicated by a single security breach [11].
Figure 11: Likelihood of System Failure for companies using non-genuine software (values as read from the chart bars)
Type of failure                     Likelihood (%)
Loss of Sensitive Data (Business)   73
Critical System Failure             43
Loss of Sensitive Data (Personal)   28
Significant System Failure          24
Minor System Failure                9
*Sample Size: Original XP Users 144, Pirated XP Users 160
*Source: Microsoft Analysis of Risks and Issues Associated with the Usage of Pirated Software
[11] http://www.microsoft.com/protect/promotions/us/wga_idc_us.mspx
Reinforcing this is a study by Microsoft illustrated in Figure 12, which indicates that over a period of time, the total cost of ownership of pirated software is very high owing to maintenance costs and opportunity losses due to system failures and virus attacks.
For the purpose of this study, Microsoft bought and tested CDs and DVDs from various roadside vendors and carried out a survey of businesses divided between using genuine and non-genuine software.
Figure 12: Increased Total Cost of Ownership (values as read from the chart bars)
Duration      Total cost of ownership (INR Lakh)
2 years       0.35
2-3 years     0.38
3-4 years     0.79
4-5 years     0.83
5-6 years     1.11
6-7 years     1.48
*Source: Microsoft IDC Business Survey
Organizations may perceive that usage of non-genuine software reduces costs. However, critical system failures, operational downtimes and loss of critical data may in fact increase the total cost of ownership in the long run.
-
8/9/2019 An Inconvenient Reality_Final
34/56
Network Effect

Setting the context

Today, India is recognized as the fastest growing mobile phone market in the world. According to Gartner [12], Indian cellular service revenues were USD 8.95 billion in 2006 and are projected to grow at a compound annual growth rate (CAGR) of 18.4 percent to reach USD 25.617 billion by 2011.
Consider this

It is estimated that there are around 30 million Chinese handsets in the country that lack an International Mobile Equipment Identity (IMEI) number [13]. The IMEI is a 15-digit number (14 digits plus a Luhn check digit; the IMEISV variant is 16 digits) that uniquely identifies a handset, which is what lets an operator tie a device to its activity and location on the network. The Cellular Operators Association of India (COAI) and the Intelligence Bureau (IB) are currently weighing the security implications of software which, when loaded onto these devices, would give them a unique IMEI number. As a preliminary countermeasure, the Department of Telecommunications (DoT) has meanwhile instructed all service providers to disconnect these handsets from their networks.
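A network-side sanity check on reported IMEIs, added here as an example (it is not part of the original paper and is not the COAI/DoT software described above): an IMEI is 15 digits ending in a Luhn check digit, and a handset without a programmed IMEI typically reports all zeros or a malformed value. The sample IMEIs are constructed; the first is the well-known test value 49-015420-323751-8.

```python
"""IMEI structure check (added example; not from the KPMG paper).

An IMEI is 15 decimal digits: an 8-digit Type Allocation Code (TAC),
a 6-digit serial number and a final Luhn check digit. Handsets that
lack an IMEI commonly report all zeros or a short/garbage value; the
checks below are what a network-side filter can apply to the IMEI
string a handset reports when it attaches.
"""


def luhn_check_digit(digits: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost payload digit; every other digit is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    """True if imei is 15 digits, not all zeros, and passes the Luhn check."""
    imei = imei.strip()
    if len(imei) != 15 or not imei.isdigit():
        return False
    if imei == "0" * 15:
        return False
    return luhn_check_digit(imei[:14]) == int(imei[14])


def classify_attach(imei: str) -> str:
    """Decision a network filter would make: 'allow' or a reject reason."""
    s = imei.strip()
    if s == "" or set(s) == {"0"}:
        return "reject: missing IMEI"
    if len(s) != 15 or not s.isdigit():
        return "reject: malformed IMEI"
    if not imei_is_valid(s):
        return "reject: bad check digit"
    return "allow"


# Constructed sample attach records (the IMEI values are made up, except
# the first, which is the standard published test IMEI).
SAMPLE_ATTACHES = [
    "490154203237518",   # well-formed, valid check digit
    "000000000000000",   # no IMEI programmed
    "12345",             # truncated value
    "490154203237510",   # check digit tampered
]

if __name__ == "__main__":
    for imei in SAMPLE_ATTACHES:
        print(f"{imei:>15} -> {classify_attach(imei)}")
```

A Luhn-valid IMEI only proves the string is well formed; whether the TAC is allocated to a real manufacturer is a separate lookup against the GSMA database, and a cloned IMEI will pass this check just as the original does, which is exactly why tampering at scale is the concern in the next paragraph.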
The ramifications of an unlicensed, malicious version of such software, if one were created, are enormous. Even if downloaded by a small percentage of the 30 million users of these handsets, it could lead to large-scale tampering with IMEI numbers. Given the increasing role of cell phone records in monitoring and investigating anti-social activities, use of a non-genuine version of this software could defeat the very objective of mitigating the risk posed by cell phones without IMEI numbers on India's cellular networks.

Additionally, a malicious version of the software could increase the risk of the phone being used by a malicious third party as a launch pad from which worms and Trojans attack the network.

[12] http://www.gartner.com/it/page.jsp?id=509906
[13] Times of India, dated 04 April 2009
[Figure 13: Growth of Mobile Malware. Bar chart; y-axis: Malware discovered (count); x-axis: Year, with the bins 2004, 2005, 2006 (average), 2007 (average) and 2008 (average). Plotted values, in order: 44, 177, 305, 366 and 402. Source: http://www.cellphonehits.com]
As observed in Figure 13, the threat of malware on mobile devices is increasing rapidly year on year.

Unlike a computer virus, which can be observed and dissected on a machine disconnected from any network, wireless malware can spread, in some cases even making transoceanic leaps, the moment the infected phone is powered up. It could send unwanted MMS (Multimedia Messaging Service) and SMS (Short Message Service) messages to every contact on the infected phone. Further, the call logs, all personal and professional contacts, and other data on the phone could be sent to an Internet server for viewing by a third party.

The security implications of any non-genuine software for mobile phones must be carefully understood. It is imperative to create stringent safeguards to ensure that malicious non-genuine versions of any such software are not made available.
Academic Institutions
Usage of non-genuine software by students

Setting the context

According to a study by Ipsos [14] a few years ago, 61 percent of the students surveyed never or rarely paid for commercial software programs. In addition, just under two-thirds of the college and university students surveyed do not consider swapping or downloading copyrighted digital files (software, music and movies) without paying for them to be unethical. Among students who say they would always download music or movies without paying, 27 percent said they regularly download and share software through a peer-to-peer (P2P) network [15]. Empirical studies also suggest that students retain their attitude towards non-genuine software as they move on to higher studies.

Consider this

Students widely use P2P file-sharing networks such as LimeWire, Morpheus and KaZaA. These networks are also a popular source of software, key generators and crack tools. Unknown to the user, such files can carry malicious software in the form of Trojans and worms, which pose significant security risks. According to a study by IDC, 59 percent of the key generators and crack tools downloaded from P2P networks contained malicious or unwanted software. Another recent study [16] found that, of the downloadable responses on LimeWire that contained archives and executables, 68 percent carried malware. Typical malware encountered on P2P networks such as LimeWire [17] is listed in Table 3.

[14] Higher Education Unlicensed Software Experience: Students and Academics Survey, Ipsos Public Affairs, May 2005
[15] Ibid.
[16] A Study of Malware in Peer-to-Peer Networks, Andrew Kalafut, Abhinav Acharya and Minaxi Gupta
[17] Ibid.
"When a user illegally downloads a movie, song, game, or software his/her computer is likely to have been incorporated into the P2P network, possibly without the user's knowledge. It also means that the user's computer has very possibly been exposed to harmful viruses, worms and Trojan horses, as well as annoying pop-up advertisements. There is a real danger as well that private information on the computer has been accessible to others on the network, providing opportunities for identity thieves to obtain personal and financial information from network users who in most cases have no idea that their data is vulnerable."
Rajiv Dalal, Managing Director, Motion Picture Dist. Association of India (MPDA)
Table 3: Typical malware encountered on P2P networks such as LimeWire

Downloader
  Definition: A program designed to download files onto a PC, usually without the user's knowledge or consent. A downloader may also be programmed to download updates of itself automatically.
  Typical examples: Win32.Zlobdx, Win32.Banload.n
  Percentage of LimeWire files infected: 45.16 percent

Worm
  Definition: Self-replicating malware that copies itself to other drives, systems or networks and performs other malicious actions, which may cause systems to shut down.
  Typical examples: Worm.Alcan.D, Worm.VB.-16, Worm.P2P.Poom.A
  Percentage of LimeWire files infected: 40.32 percent

Backdoor
  Definition: Remote-control software that allows a third party (the attacker) to gain access to and control of a victim's computer. Backdoors, considered a class of Trojan, can bypass security mechanisms. They are a security risk because they can harvest personal information or use the victim's computer to attack a server.
  Typical examples: NetBus, Back Orifice
  Percentage of LimeWire files infected: 25.81 percent

Adware
  Definition: A program that displays advertising banners while it is running. Adware may track a user's personal information and transfer the collected data to third parties without the user's knowledge or consent.
  Typical examples: Adware.ABX.Toolbar, Adware.ActiveSearch, Adware.Adbars, Adware.AdBlaster
  Percentage of LimeWire files infected: 4.84 percent

Dialer
  Definition: A program that redirects the user's telephone connection to a more expensive line with higher charges for content, with or without the user's consent.
  Typical examples: Adware.Adhelper, Dialer.Antispy, Dialer.Asdplug, Dialer.AxFreeAccess
  Percentage of LimeWire files infected: 4.84 percent

Keylogger
  Definition: Malware that intercepts the data exchange between the user's keyboard and the intended recipient application. It records whatever the user types and writes it to a log file that can be sent to a specified receiver. Trojan and PUP (potentially unwanted program) keyloggers are functionally identical.
  Typical examples: Keylogger.Cone.Trojan, Keylogger.Mose, Keylogger.Stawink
  Percentage of LimeWire files infected: 3.23 percent

The table suggests that files and unlicensed software obtained by students through P2P networks pose significant information security risks to educational institutions.
While some educational institutions in India have documented policies in place to discourage the use of non-genuine software, how effective these are as a deterrent to students is debatable. Effective student awareness programs, counseling and appropriate disciplinary action would go a long way in curbing the rampant use of non-genuine software by the student community.

The risk can also take the form of regulatory non-compliance. A case in point is the Software and Information Industry Association (SIIA) [18] investigation of a university in the US Midwest where students were creating Warez [19] sites and content on college servers.

[18] What is Piracy: The Piracy Problem (SIIA)
[19] "Warez" refers to copyrighted works traded in violation of copyright laws
Increased Security Exposure for Government

Setting the context

Studies [20] show that IT spend by the Indian public sector is among the fastest growing in Asia. Within the public sector, a significant share of IT spend is by defence, internal security agencies (such as intelligence and immigration) and public safety agencies.

Government departments and organizations are typically the parties to large turnkey IT outsourcing contracts, in which responsibility for deploying genuine software is often left unclear among the outsourcing organization, the service provider and the software vendor. This has been seen to increase security exposure during large deployments or projects in government enterprises.

Consider this...

A government department decides to upgrade its existing IT infrastructure and network and invests in substantial new IT hardware. While original operating systems are purchased for key servers, unlicensed software is installed on a few end-user systems. Unknown to the users, the unlicensed software carries a backdoor that allows the host to be remotely controlled from a command-and-control server. Sensitive files are subsequently accessed and relayed to the controllers over encrypted channels that give cover and stealth from the existing intrusion prevention mechanisms.

[20] Such as the study conducted by Springboard Research, a Singapore-based firm, in 2006
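The exfiltration channel in that scenario is encrypted, so content inspection sees nothing useful; what a detection team can still see is the metadata of the backdoor's check-ins. The following is an added example (not from the paper and not tied to any particular malware): it parses constructed proxy log lines in an assumed "timestamp src dst bytes_out" format and flags host/destination pairs whose connection intervals are nearly constant, the signature of an automated beacon.

```python
"""Beacon detection over proxy/firewall logs (added example; not from
the KPMG paper). Groups connections by (source host, destination) and
flags pairs whose inter-connection intervals are nearly constant.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Assumed format:
# <ISO timestamp> <src_host> <dst_host> <bytes_out>
SAMPLE_LOG = """\
2009-03-02T09:00:00 ws-17 news.example.org 812
2009-03-02T09:00:03 ws-17 cdn.example.org 120
2009-03-02T09:00:12 ws-17 198.51.100.23 410
2009-03-02T09:03:40 ws-17 mail.example.org 2200
2009-03-02T09:05:12 ws-17 198.51.100.23 415
2009-03-02T09:09:55 ws-17 news.example.org 790
2009-03-02T09:10:12 ws-17 198.51.100.23 412
2009-03-02T09:15:12 ws-17 198.51.100.23 409
2009-03-02T09:20:13 ws-17 198.51.100.23 414
2009-03-02T09:04:10 ws-22 news.example.org 800
2009-03-02T09:11:31 ws-22 mail.example.org 2300
2009-03-02T09:31:05 ws-22 news.example.org 805
"""


def parse_log(text):
    """Yield (src, dst, timestamp) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        ts, src, dst, _bytes_out = parts
        yield src, dst, datetime.fromisoformat(ts)


def find_beacons(text, min_connections=4, max_jitter_ratio=0.1):
    """Return [(src, dst, mean_interval_s, n)] for pairs with regular timing.

    A pair is flagged when it has at least min_connections and the
    standard deviation of its inter-connection gaps is no more than
    max_jitter_ratio times the mean gap. Human browsing is bursty and
    irregular; a check-in timer is not.
    """
    seen = defaultdict(list)
    for src, dst, ts in parse_log(text):
        seen[(src, dst)].append(ts)
    flagged = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter_ratio * avg:
            flagged.append((src, dst, round(avg, 1), len(stamps)))
    return flagged


if __name__ == "__main__":
    for src, dst, interval, n in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} connections, every ~{interval}s")
```

On the constructed log this flags only ws-17 talking to 198.51.100.23 every five minutes. Real implants add jitter to their sleep timer, so in practice the jitter threshold is tuned per environment and combined with other metadata signals: a destination no other host talks to, near-identical request sizes (the bytes_out column is carried for that purpose), and connections outside working hours.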
A recent investigation by the Information Warfare Monitor [21] shows that the above scenario is not far from reality. The investigation revealed a global malware-based cyber espionage network (termed GhostNet) that had compromised at least 1,295 computers in 103 countries, including 53 IP addresses in India. A large percentage of the targets were government institutions such as embassies and ministries of foreign affairs, including several Indian embassies, as illustrated in Table 4.
"Government departments cannot use, or condone the use of, unauthorized software. The consequence of usage of non-genuine software in our department could be serious from a security perspective. The risk of compromise of our databases not only impacts the reputation of the department and the ministry, but also is a kind of ransomware that could be used by malicious elements of the society to track financial positions of citizens and hold them for ransom."
Neeraj Kumar, Joint Director of Income Tax, Directorate of Income-Tax (Systems)
Table 4: Government of India institutions affected by GhostNet

Organization                               Confidence  Location  Infections
National Informatics Center, India         L           IN        12
Software Technology Parks of India         L           IN        2
Office of the Dalai Lama, India            H           IN        2
Tibetan Government in Exile, India         H           IN, US    4
Embassy of India, Belgium                  L           BE        1
Embassy of India, Serbia                   L           CS        1
Embassy of India, Germany                  H           DE        1
Embassy of India, Italy                    H           IT        1
Embassy of India, Kuwait                   H           KW        1
Embassy of India, USA                      H           US        7
Embassy of India, Zimbabwe                 H           ZA        1
High Commission of India, Cyprus           H           CY        1
High Commission of India, United Kingdom   H           GB        1

Confidence is the IWM report's own rating of the attribution (H = high, L = low).
Source: Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009

[21] Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009
As countries jostle for supremacy over the strategic cyber domain, the threat of cyber espionage is an existing reality. Installation of non-genuine or unlicensed software on any IT system in a government office may result in irretrievable loss of strategic information to hostile third parties.
[Figure 14: Correlation between software piracy and botnet attacks. Grouped bar chart for USA, China, Brazil, South Korea, Poland and Japan with two series, Botnet Attacks (USD Million) and Software Piracy Rate (%); the per-country values did not survive extraction. Chart annotation: In the list of the top 6 countries (in terms of botnet attacks), China, Brazil, South Korea and Poland have medium-high software piracy rates. Source: Business Software Alliance (BSA) 2007 Global Software Piracy Study; www.securityfocus.com]
Increasing adoption of Internet-enabled technology solutions, combined with the high software piracy rate in India, could be a contributing factor in making the government sector more susceptible to attacks such as the botnet attacks described above. As seen in Figure 14, several botnet attacks can be traced to countries such as China, Brazil, South Korea and Poland, where software piracy rates are medium to high. Note that the figure shows a correlation between the two measures; it does not by itself establish that piracy causes botnet activity.
Reputation Risks

Setting the context

The government can criminally prosecute an organization for copyright infringement. If convicted, fines can range from INR 50,000 to INR 2,00,000, and a jail sentence of a minimum of 7 days and up to 3 years can also be imposed [22]. According to the BSA [23], in 2008 non-genuine software cost businesses in the UK as much as 16 million in legal fines. Last year the BSA took 294 legal actions on behalf of its members in the UK, and more than 3,000 legal actions were conducted across Europe and Africa.

Consider this...

In March 2009, the BSA reported that it had settled claims of USD 350,909 with four California-based companies for having unlicensed copies of software installed on their computers. The companies paid damages ranging from USD 70,000 to USD 110,000 for unlicensed copies of Adobe, Symantec and Microsoft software. As part of the individual settlements, the companies agreed to delete all unlicensed copies of software from their computers, acquire any licenses necessary to become compliant, and commit to stronger software license management practices.

Wouldn't you rather be involved in improving business efficiency and productivity instead of wasting time and resources settling legal suits and re-establishing your reputation?

[22] Indian Copyright Act; http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=6250
[23] http://www.itpro.co.uk/index.php/609881/pirated-software-costs-firms-16-million
Seeing the larger picture

The way forward

The intent of this whitepaper has been to highlight the far-reaching impact of non-genuine software on the security of individuals, businesses, governments and nations. In the discussion above, we have attempted to bring to the forefront both the evident and the concealed implications that non-genuine software usage has for its stakeholders.

The surge in Internet penetration, which gives easier access to non-genuine content available online, coupled with a nascent compliance infrastructure, low end-user awareness and weak legal enforcement, poses a formidable challenge in combating non-genuine software usage.

The Indian government has taken cognizance of the various information security threats and has set up CERT-In (the Indian Computer Emergency Response Team) with the charter to become the nation's most trusted referral agency for the Indian community in responding to computer security incidents as and when they occur, the key objective being to reduce the risk of computer security incidents [24].

In addition to the services provided by CERT-In, the Government of India's Central Vigilance Commission (CVC) has issued guidelines to control the menace of counterfeit IT products, including operating systems [25]. India's new IT Act, recently passed by parliament, also changes the country's approach to user-generated content and to piracy of copyrighted content on the web and on mobile.

Many businesses today have created the roles of Chief Security Officer (CSO) and Chief Information Security Officer (CISO) to limit the hazards of information security threats. Appropriate mindshare on issues such as weak security controls, inadequate security organizations, non-genuine software usage, low levels of security awareness and management commitment to the information security program helps provide reasonable assurance that these threats are minimized and well managed.

[24] Source: http://www.cert-in.org.in/mission.htm
[25] Source: http://www.cvc.nic.in/007crd008.pdf
Organizations are taking the initiative to conduct security awareness sessions that make employees aware of the numerous threats and enable them to take proactive measures to safeguard themselves and their organizations from becoming victims of information security threats. In a survey conducted by KPMG [26], a majority of CIOs/CISOs stated that their organization had an employee awareness program on the security implications of using non-genuine software, and that they were well aware of industry initiatives and government regulations around it (Figure 15).
[Figure 15: Results of the KPMG CIO/CISO survey. Left: Employee awareness program on security implications of non-genuine software: Yes 74%, No 26%. Right: Aware of measures taken by industry/government to combat usage of non-genuine software: Yes 78%, No 22%. Source: KPMG study.]
[26] KPMG survey of CIOs/CISOs, An Inconvenient Reality, KPMG in India, June 2009
Our survey indicates that a high percentage of organizations state that a significant number of their employees are aware of the security implications of using non-genuine software. Further, the number of organizations where security incidents have been reported on identification or detection of non-genuine software is also fairly high (Figure 16).
[Figure 16: Results of the KPMG CIO/CISO survey. Left: Percentage of employees aware of security implications of using non-genuine software, by band (values in extraction order): 0-25%: 9%, 25-50%: 13%, 50-75%: 26%, more than 75%: 52%. Right: Any security incident reported on identification of non-genuine software in organizations: Yes 39%, No 61%. Source: KPMG study.]
The above analysis indicates that while some corporate consumers are aware of the risks of using non-genuine software and are taking initiatives to discourage it, there is still a large section of users, small office and home users, that is ignorant of the potential consequences.
Organizations should institute a program for discouraging use of non-genuine software

- Create a formal register containing program name, copies available, serial numbers, version numbers and future upgrade requirements
- Run awareness training programs for employees and communicate the organization's commitment to genuine software
- Obtain undertakings from all third parties to ensure they only supply and use genuine software
- Ensure controls are enforced to prevent and detect installation of non-genuine software
- Ensure compliance through periodic audits
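The register and the periodic audit in that list can be reconciled mechanically. The following is an added example (not from the paper): it loads a constructed license register and a constructed endpoint inventory in an assumed CSV layout and reports software with no register entry, products deployed beyond their licensed copies, installations reporting a key the register does not contain (a cracked or leaked key), and single-seat keys found on more than one host. Product names, hosts and keys are placeholders.

```python
"""License reconciliation for a software asset register (added example;
not part of the KPMG paper). The register holds, per product, the
licensed copy count and the product keys actually bought; the inventory
is what an endpoint agent reports from each machine. Both are
constructed sample data in an assumed CSV layout.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Assumed register layout: product,version,copies,keys (keys joined by ';').
# Keys are made-up placeholders, assumed to be single-seat keys.
REGISTER_CSV = """\
product,version,copies,keys
OfficeSuite,2007,3,KEY-AAAA-0001;KEY-AAAA-0002;KEY-AAAA-0003
DesignTool,CS3,1,KEY-BBBB-0001
"""

# Assumed inventory layout: host,product,version,key
INVENTORY_CSV = """\
host,product,version,key
ws-01,OfficeSuite,2007,KEY-AAAA-0001
ws-02,OfficeSuite,2007,KEY-AAAA-0002
ws-03,OfficeSuite,2007,KEY-AAAA-0003
ws-04,OfficeSuite,2007,KEY-AAAA-0003
ws-05,OfficeSuite,2007,KEY-XXXX-1337
ws-02,DesignTool,CS3,KEY-BBBB-0001
ws-06,VideoEditor,9,KEY-CCCC-0009
"""


def load_register(text):
    """Map (product, version) -> {'copies': int, 'keys': set of str}."""
    reg = {}
    for row in csv.DictReader(StringIO(text)):
        reg[(row["product"], row["version"])] = {
            "copies": int(row["copies"]),
            "keys": {k for k in row["keys"].split(";") if k},
        }
    return reg


def audit(register_text, inventory_text):
    """Return a dict of findings keyed by type; each value is a sorted list."""
    reg = load_register(register_text)
    installs = list(csv.DictReader(StringIO(inventory_text)))
    unregistered, unknown_key = [], []
    per_product = Counter()          # installs seen per registered product
    key_hosts = defaultdict(set)     # (product, key) -> hosts using that key
    for row in installs:
        prod = (row["product"], row["version"])
        if prod not in reg:
            unregistered.append(row["host"])
            continue
        per_product[prod] += 1
        key_hosts[(prod, row["key"])].add(row["host"])
        if row["key"] not in reg[prod]["keys"]:
            unknown_key.append((row["host"], row["key"]))
    over_deployed = [
        (p[0], p[1], n, reg[p]["copies"])
        for p, n in per_product.items() if n > reg[p]["copies"]
    ]
    # A registered single-seat key on several hosts is a copied install.
    reused_key = [
        (p[0], key, sorted(hosts))
        for (p, key), hosts in key_hosts.items()
        if len(hosts) > 1 and key in reg[p]["keys"]
    ]
    return {
        "unregistered_software": sorted(unregistered),
        "over_deployed": sorted(over_deployed),
        "unknown_key": sorted(unknown_key),
        "reused_key": sorted(reused_key),
    }


if __name__ == "__main__":
    for kind, items in audit(REGISTER_CSV, INVENTORY_CSV).items():
        print(f"{kind}: {items}")
```

The "unknown key" finding is the one that matters most for security rather than licensing: a key that the organization never bought is the fingerprint of a cracked installer, and the host carrying it is the first candidate for the malware review the earlier sections describe. For volume-licensed products the reused-key check has to be relaxed, since one key legitimately covers many seats.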
Users need to be more aware

- Buy software from genuine sources
- Check the authenticity of serial numbers on the supplier's genuine website
- Validate the genuine identification marks on the installation media and packaging
- Assess the genuine identification marks on websites, prior to downloading, to distinguish genuine from fake download sites
- Preserve all original licenses and documents
- Adhere to policies on usage of genuine software in the workplace
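Two of those checks, that a download comes from the vendor's own site rather than a look-alike, and that the file is the build the vendor published, can be made mechanical. The following is an added example (not from the paper): the trusted domains, the installer bytes and the published SHA-256 digest are all constructed. It also shows why a substring match on the hostname is the wrong check.

```python
"""Download verification for installers (added example; not part of the
KPMG paper). URLs, digests and file contents are constructed.
"""
import hashlib
from urllib.parse import urlsplit

# Assumed: the vendor domains the organization trusts for downloads.
TRUSTED_DOWNLOAD_DOMAINS = {"vendor.example.com", "downloads.vendor.example.com"}


def host_is_trusted(url):
    """Exact hostname match against the allow-list.

    A naive check such as 'vendor.example.com' in url would accept
    'vendor.example.com.free-soft.example' and also
    'http://evil.example/?r=vendor.example.com', so the hostname is
    parsed out of the URL and compared whole.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    return host.lower().rstrip(".") in TRUSTED_DOWNLOAD_DOMAINS


def file_matches_digest(data, expected_sha256):
    """Compare the SHA-256 of the downloaded bytes to the published value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def verify_download(url, data, expected_sha256):
    """Return (ok, reason) for a downloaded installer."""
    if not url.startswith("https://"):
        return False, "not fetched over HTTPS"
    if not host_is_trusted(url):
        return False, "host is not a trusted vendor domain"
    if not file_matches_digest(data, expected_sha256):
        return False, "digest mismatch: file is not the published build"
    return True, "ok"


# Constructed installer bytes and the digest the vendor "published" for them.
GENUINE_INSTALLER = b"MZ\x90\x00genuine-installer-build-1234"
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00extra-payload"

if __name__ == "__main__":
    cases = [
        ("https://downloads.vendor.example.com/setup.exe", GENUINE_INSTALLER),
        ("https://vendor.example.com.free-soft.example/setup.exe", GENUINE_INSTALLER),
        ("https://downloads.vendor.example.com/setup.exe", TAMPERED_INSTALLER),
        ("http://downloads.vendor.example.com/setup.exe", GENUINE_INSTALLER),
    ]
    for url, data in cases:
        print(url, "->", verify_download(url, data, PUBLISHED_SHA256))
```

A digest check only proves the bytes match what the vendor published, and only if the digest itself was obtained from the vendor over a verified TLS connection rather than from the same page that served the file. Verifying the installer's code signature (Authenticode on Windows) is the stronger check and belongs on top of this one.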
As end users continue to perceive a cost advantage in using non-genuine software, there is a pressing need for industry, academic institutions and the government to play an active role in creating awareness of the risks of software piracy. Public education campaigns and awareness directives should be used to help users make informed choices when purchasing software. Educational institutions should implement effective software asset management policies to regulate the use of non-genuine software in their facilities.
The existing legal and regulatory frameworks also need to be strengthened and rigorously enforced to dissuade individuals and corporations from being part of the non-genuine software chain. Existing government initiatives, such as the appointment of the Copyright Enforcement Advisory Council (CEAC) and the creation of piracy-targeting cells in State Police Headquarters, should be expanded and strengthened in both scope and operations.

Considerations for the Government

- Develop and roll out a program for sensitizing students and parents alike to the security impact of using non-genuine software
- Facilitate faster and more focused punitive action for non-compliance; setting up special courts dealing specifically with intellectual property issues may be considered
- Obtain undertakings from all third parties to ensure they only supply and use genuine software
- Ensure controls are enforced to prevent and detect installation of non-genuine software
- Ensure compliance through periodic audits

Only a concerted effort by industry, the government and consumers can ensure that the information security risks arising from usage of non-genuine software are minimized.
Appendix: Methodology

The methodology used in developing this whitepaper was primarily a combination of limited primary research, assorted discussions with government and corporate representatives, and secondary research.

We studied 50 selected websites providing counterfeit software and/or various enablers of non-genuine software (such as cracks, key generators, serials and warez), with the objective of identifying threat vectors such as potential malware, auto-redirections/pop-ups and unsolicited content. The approach adopted was to visit the home page and the page for one sample download.

In addition, we surveyed a group of Chief Information Officers/Chief Information Security Officers (CIO/CISO) of organizations to understand their views on programs for, and awareness of, the security implications of using non-genuine software. The survey questionnaire focused on identifying:

- Existence of an employee awareness program on the security implications of using non-genuine software
- Proportion of employees aware of the security implications of using non-genuine software
- Any security incident reported on usage of non-genuine software
- Reasons for an average employee to use non-genuine software
- Awareness of measures taken by government/industry to combat usage of non-genuine software

The secondary research information sources include:

- Business Software Alliance (BSA) 2007 Global Software Piracy Study
- ScanSafe Annual Global Report 2008
- Harrison Group whitepaper on the impact of the use of unlicensed software in mid-market companies (2008)
- Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, 2009
- IDC whitepaper on the Risks of Pirated Software
- Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, published April 2009
in.kpmg.com

KPMG in India

KPMG Contacts

Pradip Kanakia
Head of Markets
Tel: +91 (80) 3980 6100
e-Mail: pkanakia@kpmg.com

Akhilesh Tuteja
Executive Director
Tel: +91 (124) 3074800
e-Mail: atuteja@kpmg.com

Mumbai
KPMG House, Kamala Mills Compound, 448, Senapati Bapat Marg, Lower Parel, Mumbai 400 013
Tel: +91 22 3989 6000, Fax: +91 22 3983 6000

Delhi
DLF Building No. 10, 8th Floor, Tower B, DLF Cyber City, Phase 2, Gurgaon 122 002
Tel: +91 124 307 4000, Fax: +91 124 254 9101

Bangalore
Solitaire, 139/26, 3rd Floor, Inner Ring Road, Koramangala, Bangalore 560 071
Tel: +91 80 3980 6000, Fax: +91 80 3980 6999

Chennai
No. 10 Mahatma Gandhi Road, Nungambakkam, Chennai 600 034
Tel: +91 44 3914 5000, Fax: +91 44 3914 5999

Hyderabad
8-2-618/2, Reliance Humsafar, 4th Floor, Road No. 11, Banjara Hills, Hyderabad 500 034
Tel: +91 40 6630 5000, Fax: +91 40 6630 5299

Kolkata
Park Plaza, Block F, 6th Floor, 71 Park Street, Kolkata 700 016
Tel: +91 33 4403 4000, Fax: +91 33 4403 4199

Pune
703, Godrej Castlemaine, Bund Garden, Pune 411 001
Tel: +91 20 3058 5764/65, Fax: +91 20 3058 5775