egov-feb-2012-[12-19]-the emerging it security scenario - an overview

cover story

12 egov / www.egovonline.net / February 2012

Anand Agarwal

cover story

In an age when technology changes at a rate faster than ever before, new means of communication, collaboration and data storage have brought in unprecedented rise in productivity and lowered costs beyond imagination. On the flip side, however, modern threats to security of IT systems, applications and data have also evolved as rapidly as their legitimate cousins, giving rise to a global security industry worth billions of dollars. All the research and vigilance, however, can one day turn to naught, and eternal vigilance has become the price one must pay for securing cyber assets –tangible and intangible

the Emerging IT security scenario:

an Overview

cover story

13 February 2012 / www.egovonline.net / egov

n the 1950s, a blind American kid Joe Engressia discovered that a certain whistling tune could stop recorded phone messages. Soon, others had discovered tones and pitches that

enabled them to make free phone calls. In the 1980s, hackers like Kevin Mitnik gained world-wide prominence. At the time of his arrest in 1995, Mitnick was on the US’ most wanted list and had to spend a year of his sentence in solitary confinement because the judge was told he could whistle the nuclear launch codes into a phone, prompting the judge to order that Mitnik would not be allowed to even touch a phone or modem! The only way of doing this was by putting him in solitary, and he thus spent an entire year alone in a cell.

The world has moved a long distance from the days of Engressia and Mitnick. As computerised information systems become almost ubiquitous and assume control of critical services and infrastructure, threats to security are much more serious than ever before. Similarly, financial data is almost exclu-sively maintained in electronic form, and any unauthorised access to such applications and data could wreak havoc. In an increasingly integrated world, the consequences of any such mishap might not remain confined to a single economy.

Emerging Threats to SecuritySecurity of infrastructure, data and applica-tions is an increasingly complex, 24X7 job. One has to practically keep running to stay in the same place. One slip-up is all it takes

“Social engineering attacks on employees to obtain confi-dential information will be the

biggest threat in 2012”

LucIuS LObOVice President and Global Head, Security Services, Tech Mahindra

for valuable, confidential business data to be compromised – leaving in its wake not only financial loss, but also loss of trust – something far more difficult to recoup than money. In an increasingly interconnected world, news trav-els fast, and bad news travels faster. Security for IT is no longer an option, it is a core part of any solution implementation.

Talking of the biggest emerging threats to IT security in the current scenario, Lucius Lobo, Vice President and Global Head, Security Services, Tech Mahindra, says social engineering attacks on employees to obtain confidential information will be the biggest threat in 2012. Lobo fears employees could become victims of such attacks through mal-ware or by phishing. RSA’s Country Manager for India and the SAARC Region, Kartik Sha-hani says new forms of exploits such as Man in the Browser (MITB) attacks would become more frequent. MITB attacks are designed to infect a web browser with malware that can result in modified web pages and transactions that are largely transparent to both the user and the host application. Such attacks can lead to illegal money transfers, identity theft, or the compromise of valuable enterprise information. Shahani also says that security-related information, and not financial data is now the major object of desire for hackers. Echoing Lobo, eScan CEO and MD Govind Rammurthy also picks social engineering as the standout threat. Shahani identifies a class of threats known as Advanced Persis-tent Threats (APTs), which combine social engineering techniques with other technical means to gain illegitimate access to systems and information.

Many of today’s malware could give pro-

I

Stuxnet – firSt Cyberweapon? Stuxnet – a sophisticated worm that specifically

targets Siemens-built systems – is believed to

have been unleashed upon key iranian nuclear

installations in 2009-10.

Stuxnet targets the Simatic winCC Step7

software developed by Siemens. the software

is deployed in industrial control systems and

is used to program controllers that drive com-

ponents such as motors, valves and switches

in a large number of industrial assemblies. it

infects windows systems and spreads via uSb

sticks, allowing it to infect ‘air-gapped’ systems

– systems that are not connected to a public

network such as the internet. Stuxnet had four

‘zero-day exploits’ – vulnerabilities that were

unknown and unpatched when the worm was

released – in its repertoire, showing the techni-

cal sophistication that must have gone into

creating the worm. Security researchers study-

ing the exploit later discovered that computers

in iran formed the majority of compromised

systems – a rarity in a world where the uS is

on the top of any malware infections. iran later

acknowledged that computers at its bushehr

plants had been infected. iran’s largest plant

at natanz was also facing severe problems at

around the same time.

there is no conclusive way to establish

whether Stuxnet was developed to target ira-

nian nuclear installations and unleashed upon

them by another country, but the coincidences

involved are too stark to be ignored. for now,

the only thing that can be said with certainty

is that Stuxnet takes us into a frightening new

era where things such as water, gas and electric

supply, things that we take for granted, might

one day become weapons that can be turned

upon us.

fessionally-written ‘good’ software a run for its money in design and sophistication. Take Stuxnet (see box) for example. A malware of such sophistication was never seen before. Stuxnet comes up in a conversation with Dr Gulshan Rai, Director General of CERT-In (Indian Computer Emergency Response Team) – India’s central authority for respond-ing to security incidents in the cyber domain. Agreeing that Stuxnet was probably the out-come of a dedicated project, Rai says it showed the kind of dangerous weapons that can be fashioned through IT, and emphasises upon the need to incorporate such concerns into upcoming infrastructure. ESET India Director Pankaj Jain also brings up Stuxnet and social engineering.

cover story


systems need to be upgraded on a priority basis in order to stand against modern threats, Tech Mahindra’s Lobo emphasises upon the need for a cultural change to enhance cyber security awareness among its employees, a point that CERT-In’s Rai concedes, saying that while the policy and legal framework relating to security has been considerably tightened, training and full adoption will take some time. Rai also points out the continuous efforts being made in this direction through regular security workshops and security drills being conducted by CERT-In, in partnership with industry groups, security agencies and the law and order machinery etc.

Talking of issues related to security of Cloud-based data and applications, as well as mobile platforms, Amit Nath, Country Man-ager, Trend Micro says the anywhere, anytime access made possible by such technologies is a security nightmare.

Ensuring Security From the government side, the IT Act 2000 and its 2008 amendment form the bedrock of IT-related policies in India. Section 43A of the IT Act, introduced by the 2008 amendment, is primarily concerned with enhancing provi-sions related to data security and data protec-

New-age Technologies bring New-age ThreatsWith the huge savings, ease of access, con-sistency of data and information and other such attributes that it offers, the Cloud is fast becoming a favourite of the private sector as well as governments. A number of govern-ments in India are now talking of moving to private clouds, and some pioneer states have already started the preliminary work in this direction. Similarly, the increasing ubiquity of mobiles – smart and dumb – have seen a boom in m-commerce and governments are now looking at m-Governance as the next step in e-Governance. This is not without threats, however. Both the Cloud and mobile platforms face a number of security issues that stand in the way of full-scale adoption.

The convenience and collaborative potential offered by the Cloud and mobile devices is a mixed blessing. While on the one hand it has opened up hitherto unimagined vistas and expanded business potential (for enterprises as well as governments), it has also ushered in a highly complex security environment where the conventional defences offered by security software and intrusion detection systems is proving to be virtually futile. RSA’s Shahani says that in this new era, conventional notions

of security would have to change and become more agile and intelligence-based. Response times have to be brought down and vulnerabil-ity windows have to be shrunk. Security should be automatic and incident response needs to shift to real-time reporting and mitigation.

Saying that existing and legacy government

ConStant threat to indian webSiteS

the indian Computer emergency response team (Cert-in), the country’s designated

national agency in areas related to cyber security reported a total of 1277 security

incidents and over 15,000 instances of indian websites being defaced in the January-

november 2011 period. Cert-in defines a security incident as “any real or suspected

adverse event in relation to the security of computer systems or networks”.

“There’s still considerable confusion about how best to handle information security

in the cloud”

KArTIK ShAhANICountry Manager for India and the

SAARC Region, RSA

Security Incidents by type (Jan-Nov 2011)

cover story


tion. However, this is mainly related to data security by corporations and fixes liabilities in cases of compromise of data. Dr Kamlesh Bajaj, CEO, DSCI (Data Security Council of India) – a specialised body set up by NASS-COM – outlines the steps his organisation has taken to promote data safety and security. DSCI has developed a set of best practices and frameworks in data security & privacy and is actively involved in promoting their imple-mentation in the industry and government. In addition, it also conducts regular confer-ences and seminars etc., conducts trainings in cyber forensics and cyber crime investiga-tions for law enforcement agencies; provides policy inputs to the Government and is also engaged in international collaborations. The DSCI Cyber Labs programme for training law enforcement officers would soon be upgraded to a national programme supported by Minis-try of Home Affairs, Bajaj informs.

CERT-In is also actively engaged in helping improve the security stance of Indian websites, Rai discloses. CERT-In brings out regular bul-letins and white papers on security threats, conducts trainings and workshops, security drills and audits to evaluate the preparedness of websites. In addition, it also helps compro-mised sites to get back on feet, all the while maintaining secrecy regarding its identity.

Shahani ticks off a set of key steps needed to ensure data safety. Key among these are:

defending, be it mobile devices, virtual serv-ers, or cloud servers. The strategy should be to ensure a higher degree of host defence by applying stronger & effective context aware security to protect the applications and data on the hosts.

Both Lobo and Nath point to increasing threat of malware on mobile devices. It is feared that roughly 300 million devices could be infected by mobile malware. Experts say that whereas mobile viruses may be effectively mitigated by antivirus products, mobile mal-ware that gains access through downloads of malicious apps will be a difficult risk to manage.

Experts eGov spoke to are also optimistic about the positive impact that the impending adoption to IPV6 would have on security, but with caveats. As opposed to IPv4, IPv6 has been developed with security in mind, and as Nair points out, IPv6 eliminates some tradi-tional network level attack vectors and pro-vides mechanisms for maintaining transport confidentiality and integrity. Lobo sees the increased address space as a positive, saying the consequent reduction in sharing of IP addresses would make it easier to track down cyber criminals and cyber crime vectors like Botnets.

Jain points out that the IT infrastructure will have to ensure the IPv6 compatibility of fire-walls, intrusion-prevention devices, and other security appliances to successfully deploy IPv6 avoiding possible security issues, and says it is at least 5 years to fully implement IPv6. Nair says that IPv6 might not essentially change things for the better as the major security issues have simply moved ‘up-the-stack’ to the application level in the new implementation.

“The number of threats for smartphones and tablets is growing rapidly, for all the

platforms”

PANKAj jAINDirector, ESET India

a stricter initial registration and validation processes; enhanced fraud monitoring; moni-toring of the full network with cyber-forensic tools; strong authentication and access controls and encryption of data being transmitted etc. Bajaj emphasises the role of a security-oriented mindset, ongoing education & awareness on information security and privacy among individuals – employees, intermediaries and end-users.

Evolving Security SolutionsKutty Nair, Chairman & Managing Director of Mielesecurity, says that modern antivirus consistently fails at protecting against anything other than consumer level or mass threats, and Lobo acknowledges the threat posed by malware. He advises a deep defence approach, modelled on the ISO27001 standards. Nath says future attacks could be targeted at virtual machines and cloud computing services, but conventional attacks would be common, as these are still more effective. He advises a holis-tic, multilayered, high-quality solution imple-mentation by enterprises and government as a first line of defence.

Asked about the changing character of secu-rity solutions in light of the dynamic nature of threats, he says that the security industry is facing a complicated horizon – escalation in targeted attacks, increasing use of unsecured mobile devices at the workplace (or for work) and cloud implementations where data can be accessed anytime, anywhere.

With the proliferation of mobile devices or consumerisation of IT, coupled by virtualiza-tion or cloud adoption, Nath says the security needs to move closer to the application and data where it resides i.e. the host becomes self

“A holistic, multilayered, high-quality solution should be used by enterprises and government as a first line

of defence”

AmIT NAThCountry Manager, Trend Micro

cover story


cyberterrorism – how big is the Threat?Numerous movies have portrayed insanely smart, crooked programmers who get access to a nation’s vital defence systems to either launch nuclear weapons, or demand massive ransoms in return; or, worm their way into the financial system to either transfer billions to themselves or unleash a financial Armageddon. Just how real are such scenarios? What is cyberterrorism in the first place?

As with terrorism, cyberterrorism is a term that has defied a universal definition. However, in a testimony before the US House Armed Services Committee in May 2000, computer science professor Dorothy Denning identified some characteristic features of cyberterrorism:• Cyberterrorism is the convergence of

cyberspace and terrorism• It refers to unlawful attacks and threats of

attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.

• A cyberterrorist attack would result in violence against persons or property, or at least cause enough harm to generate fear.

• Serious attacks against critical infrastruc-

tures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt non-

essential services or that are mainly a costly nuisance would not.

So how real is cyberterrorism? Rammurthy says cyberterror is a big threat.

He says Supervisory Control and Data Acqui-sition (SCADA) systems are favourite targets for cyber criminals as they have control over the critical infrastructures like government, large enterprises, etc. Echoing concerns about SCADA systems, Tech Mahindra’s Lobo says that although there have been no major inci-dents to date, inadequate security in SCADA systems can be targeted to cripple critical national infrastructure such as power, water, and nuclear facilities. There are plenty of opportunities to do so should these systems be connected or accessible via the Internet. SCADA systems the world over were not built for security and the cost for replacement or security refit is huge.

Noting that governments worldwide are prioritizing cyber security as both a national security and economic security issue, and have invested heavily in beefing up defences, RSA’s Shahani cites the growth in cyber crime, the rampant theft of IP and other sensitive

information from corporations, and the penetration of defence systems and

critical infrastructure by cyber attackers to emphasise upon the growing threats to cyber security. Shahani also says that the US Fed-eral Government is ramping up its cyber security workforce plans and forecasts spending $13.3 billion on

cyber security initiatives by 2015.Jain chooses to focus more on the

broader domain of cyber crimes. Saying user data is fast becoming the

most valuable asset, he says increasing access to the Internet and gadgets such as

laptops, smartphones and tablets means more and more people are carrying data on-the-go, and with the lack of proper security awareness among users, this data becomes a tempting target for cyber criminals. Data can be stolen through bots and the compromised system could be made part of a Botnet, or zombie network, consisting of thousands or even mil-lions of compromised computers controlled from the botnet’s command and control centre. Botnets are used to steal bank data, emails, and perform such cyber attacks as spam, DDOS, phishing, click fraud, adware and malicious programs’ distribution.

“DSCI has developed DSCI Security Framework (DSF) for data security and DSCI

Privacy Framework (DPF) for data privacy”

Dr KAmLESh bAjAjCEO, Data Security Council of India

AnOnyMOuS— TEMPlARS OR ROGuES?as its name suggests, anony-

mous is an underground

group with a very small core

made up of expert hackers.

anonymous has made quite

a splash for itself in the

virtual world, targeting lead-

ing sites such as paypal, Mas-

tercard, Visa and amazon,

bank of america, the united

States department of

defense, the united nations,

and Lockheed Martin etc.

anonymous has also brought

down sites in support of the

iranian protests and also the

arab Spring uprisings. its

most recent victims include

CbS and universal Music, in

response to their backing of

the (stillborn) controversial

anti-piracy legislations Sopa

and pipa. anonymous have

also (repeatedly) hacked

into the Sony playstation

network, and recently put

out a warning to Sony, telling

its support for Sopa would

invite another attack, and

asked it to be “prepared to

be extinguished”. Sony and

nintendo withdrew support

to Sopa following threats by

anonymous.

anonymous

have written a

software – Low

orbit ion Cannon

(LoiC) – that launches

a coordinated distributed

denial of Service (ddoS)

attack on target websites,

overwhelming the servers

with hundreds of thousands

of data packets and crashing

them. anonymous had also

targeted one of the world’s

largest websites – facebook,

running on over 60,000

servers – for a takedown on

January 28. this was the

most audacious attack ever

announced by the group but

they were not successful in

bringing facebook down.

The Anonymous

signature line:

We are Anonymous,

We are Legion, We do

not forgive, We do not

forget, They should have

expected us

cover story


rAjPurOhIT ADpage- - 17

cover story


“The threats are growing daily, as evidenced by numer-ous breaches that have been

uncovered. We should not be ostriches and pretend the

problem does not exist”

KuTTy NAIrChairman & Managing Director, Mielesecurity

Jain also says India is the world’s leading source of spam - In 2011 India continued to be on the top of the rank as about 15-17% of world’s spam traffic originated from India. Most of the spam is generated from compro-mised systems - In 2010 more than 700,000 IP addresses globally were infected with Rustock botnet and the majority of them were in India. This particular botnet was believed to send out as many as 40 billion spam emails per day. Distributed Denial of Service (DDoS) attacks through compromised ‘zombie’ systems are also of concern to experts we spoke to. DDoS has been widely deployed by hacker groups such as Anonymous (see box) to target large websites.

Industry OutlookThe future for security industry looks bright, given the rapidly evolving overall security sce-nario. It is, at the same time, also very challenging to keep up with the increasingly complex threats and explosion of platforms that we are witness-ing. Jain sees spending on security by enterprise and SMB increasing at a good pace and sees major business potential from educational and government organisations.

The Indian security industry has been grow-ing at a much rapid clip than global average rates of 10-12 percent CAGR. Estimating the industry size at $ 150 billion, Jain says Indian industry is growing at about 20-25 percent CAGR.

Shahani prefers to focus on the technological trends when talking of industry outlook, and says the evolving computing paradigm pres-ents vast opportunities for cyber criminals, hacktivist groups and nation states to exploit. We are facing a new reality – one of persistent, advanced and intelligent threat. In the wake of this phenomenon, CEOs and corporate boards are taking a keen, increased interest in security. In his view, shaken by the wave of attacks in 2011, corporations would endeavour to make 2012 an year of action towards ensuring better security of their information assets.

Rammurthy concurs with the rosy predic-tions for revenue, quoting Gartner estimates of the security software market in India touching US$ 209 million in 2011 and is forecasted to grow to US$ 320 million in 2014.

Privacy IssuesThe debate over privacy has been getting increasingly heated in India of late. Particularly since the IT Rules (under the 2008 Amend-ment), were notified in April 2011 privacy advo-

cates are up in arms. However, the government has been citing national security concerns, and the need for maintaining public order as the two main motives driving its actions. Privacy and web-censorship related issues got a fresh lease of life when last month, representatives of social media giants such as Google, Facebook and Twitter etc were summoned by the gov-ernment and asked to devise mechanisms for screening of potentially objectionable content.

21 companies are currently embroiled in a case alleging they have violated Indian laws related to what kind of information can be published in the public domain, and have also been blamed with endangering national security under vari-ous sections of the Indian Penal Code. The out-come of this case will be keenly watched across the globe.

Defending the government’s stance, CERT-In DG Gulshan Rai says the government is

wikiLeakS – inforMation warrior or SenSationaLiSt?wikiLeaks, a non-profit

that says its goal is to bring

important news and informa-

tion to the public, had been

in the business of leaking

confidential government

and corporate information

for a while. november 2011

was different, however. in this

month, wikiLeaks commenced

sequential release of over

2,50,000 secret uS diplomatic

cables that had been stolen

by bradley Manning – a uS

military analyst now under

incarceration.

following the massive leak,

wikiLeaks came under

sustained fire from a number

of governments. it has also

sparked a yet-inconclusive

debate on the correct-

ness of its actions and the

impact these would have

on international relations.

wikiLeaks has also triggered a

massive review of information

security protocols in a number

of countries and it is unlikely

that another Manning could

leak classified information as

easily as by copying it onto a

Lady Gaga Cd.

November 2007: WikiLeaks publishes the Standard Operating

Procedures for Camp Delta. This document laid down the

processes for the infamous Guantanamo Bay detention camp

of the U S Navy, revealing systemic abuse of prisoners’ rights at

the Guantanamo Bay detention centre of the US.

August 2009: Censoring of a WikiLeaks story on fraud in

Iceland’s largest bank leads to drafting of the world’s most

liberal freedom of speech law – the Iceland Modern Media

Initiative and institution of a new ‘Nobel Prize’ for free speech

by the Iceland Parliament.

April 2010: WikiLeaks sets up a website ‘collateral murder’

showing video footage of American soldiers apparently

launching airstrikes on unarmed men in Iraq in July 2007

july 2010: WikiLeaks releases more than 90,000 documents

relating to the Afghanistan war, showing documented instances

of human rights abuse, civilian deaths and friendly fire among

Western forces in Afghanistan.

October 2010: In the biggest ever leak of military documents

in world history, WikiLeaks releases about 400,000 documents

from the Pentagon showing widespread human rights

violations, active Iranian support to Iraqi insurgents and abuse

of US laws by private US defence contractors operating in Iraq.

cover story


WrITE bAcKyour views and feedback matter to us. Tell us what you think of the stories in the magazine or what more you would like us to cover. Write back to us at [email protected]

one of the stakeholders in this entire debate, and is committed to protecting privacy and freedom of expression. In his view, there is a delicate balance among three concerns – privacy, national security and the right to information, and the government is trying to find an equilibrium. Rai also says that the provisions on data safety and security incor-porated in the IT Act are ahead of similar provisions elsewhere, and that the recently unveiled Data Protection Policy of the EU borrows several ideas from the Indian Act.

Pankaj Jain is of the view that the Indian law enforcement agencies are at the very ini-tial stage of developing policies and practices in cyber privacy surveillance, and seconds Rai’s opinion regarding the need for a balance between the need for security and privacy.

Saying that individuals need to raise their awareness on data privacy and on their rights available under Indian laws, Rahul Jain, Senior Consultant with the DSCI, advocates constant vigilance when providing personal data to third parties. He points out that quite often, we freely disclose personal details with-out even knowing the purpose for which it is collected and ascertaining if the other party is collecting information more than what is required. He also stresses upon the need for keeping oneself aware of the latest develop-ments related to cyber crime and following basic security practices such as checking authenticity of sites, not saving & sharing passwords, installing suspicious software & applications, etc.

The increase in surveillance and moni-toring by security agencies vs. privacy is an ongoing debate. To an extent, monitoring and surveillance does impact privacy, however, appropriate balance between both is the only way out.

Reflecting the general consensus, Lobo also admits that the issue of privacy and free speech vs. national security is a complicated one with few easy answers. As others, he also advocates clarity in laws and procedures that allow gov-ernment to snoop upon private information, and to censor speech on the web.

Please fill this form in CaPital letters

First Name............................................... Last Name .................................................................

Designation/Profession ...................................... Organisation ....................................................

Mailing address ...........................................................................................................................

City ......................................................... Postal code ................................................................

State ....................................................... Country .....................................................................

Telephone ............................................... Fax .............................................................................

Email ...................................................... Website ......................................................................

I/We would like to subscribe for 1 2 3 Years

I am enclosing a cheque/DD No. ................................................ Drawn on ................................

..................................................... (Specify Bank) Dated ...........................................................

in favour of Elets Technomedia Pvt. Ltd., payable at New Delhi.

For `/US $ ........................................................................................................................... only

www.egovonline.net | www.digitallearning.in | www.ehealthonline.org | www.elets.in

SubScribe now

Subscription Terms & Conditions: Payments for mailed subscriptions are only accepted via cheque or demand draft • Cash payments may be made in person • Please add `50 for outstation cheque • Allow four weeks for processing of your subscription • International subscription is inclusive of postal charges.

I would like to subscribe: egov digitalLEARNING eHEALTH

you CAN SubSCRIbE oNLINE ALSo

3Packed magazineS

Power

SubScription order card Duration Issues Subscription Newsstand Subscription Savings (year) uSD Price INR Price INR

1 12 100 900 900 --

2 24 150 1800 1500 `300

3 36 250 2700 2000 `700

*Please make cheque/dd in favour of Elets Technomedia Pvt. Ltd., payable at New Delhi

ASIA’S FIrST mONThLy mAGAZINE ON e-GOVErNANcE

ASIA’S FIrST mONThLy mAGAZINE ON IcT IN EDucATION

ThE ENTErPrISE OF hEALThcArE

egov-feb-2012-[12-19]-the emerging it security scenario - an overview

Documents

security services

security scenario

financial data

data storage

biggest emerging threats

confidential business

global head

confidential information