De­fend­ing The New Fron­tier

How India Inc is losing its cyber security war.

The Economic Times - Saturday Feature

Mum­bai’s top cy­ber­cop Bri­jesh Singh has his hands full these days. With in­creas­ing cy­ber­crime, in­clud­ing a ris­ing tide of cor­po­rate cy­ber in­ci­dents, there’s no respite for the Ma­ha­rash­tra Po­lice cy­ber­crime team that the suave 1996 batch IPS of­fi­cer leads. Re­cently Singh’s crack team solved a host of high-pro­file cases in­clud­ing the Re­liance Jio In­fo­comm unau­tho­rised data ac­cess case and Game of Thrones leak. “We end up get­ting at least three-four cor­po­rate cy­ber­crime cases in a week. Ear­lier the cor­po­rates wouldn’t come for­ward to dis­close cy­ber in­ci­dents, but now we see them com­ing for­ward to lodge com­plaints and work closely with the po­lice de­part­ment to help solve the cases,” said Singh, spe­cial IG-cy­ber, Ma­ha­rash­tra Po­lice.

Singh’s team, these days, is swamped with so­phis­ti­cated busi­ness email com­pro­mise cases wherein cy­ber crim­i­nals in­jected mes­sages in trail mails and changed in­voice num­bers and bank ac­counts to siphon off money.

With each pass­ing day, cy­berspace is be­com­ing a new fron­tier for cor­po­rates. Glob­ally, in the past few days, Equifax breach ex­posed per­sonal in­for­ma­tion of 145 mil­lion US cus­tomers, Ya­hoo ac­knowl­edged three bil­lion email ac­counts were breached in 2013 at­tack and ac­count­ing firm Deloitte, which in­ci­den­tally runs a large cy­ber prac­tice, was also hacked.

The in­dus­try big­wigs have started sound­ing warn­ing bells. Tech vi­sion­ary Larry El­li­son said last week, “Make no mis­take: it’s a war. We have to repri­ori­tise and re­think about how we de­fend our in­for­ma­tion.” In its Q2 2017 re­port, lead­ing IT se­cu­rity firm McAfee Labs counted 311 pub­licly dis­closed se­cu­rity in­ci­dents. The re­port also men­tioned that se­cu­rity teams nowa­days face 244 new cy­berthreats ev­ery minute.

In such a milieu, the situation is not different in India. In the past few months, two of India’s top private banks, a top telecom company, a top media company and a stock exchange have all been victims of major cyberattacks or cyberthefts, and ransomware Wannacry and Petya infected thousands of companies. “The attacks which are publicly known are only a minuscule number. We are only looking at the surface; no one knows what’s going on in the background and even the companies are not aware of threats lurking in their system,” said Altaf Halde, managing director, Kaspersky Lab (South Asia).

Given the lack of any reg­u­la­tions re­gard­ing dis­clo­sure – ex­cept in fi­nan­cial ser­vices where it is man­dated by the Re­serve Bank of In­dia – com­pa­nies hit by cy­ber­crime hide the in­ci­dents even in cases where cus­tomers have been im­pacted. So the true ex­tent of im­pact on In­dia Inc never comes out. Cy­ber ex­perts say what makes In­dian in­dus­try vul­ner­a­ble is chang­ing threat pro­file due to re­source rich na­tion states now tar­get­ing com­pa­nies.

In­creas­ingly there is ev­i­dence that crit­i­cal na­tional in­fra­struc­ture is be­ing probed by cy­ber agents from other na­tion states. A few years ago, US in­tel­li­gence agency NSA had picked up the trend of Chi­nese hack­ers tar­get­ing In­dian phar­ma­ceu­ti­cal and IT com­pa­nies and even dis­cussed spe­cific in­puts with com­pa­nies.

In a recent attack, cybercriminals suspected to be based out of China managed to break into two of India’s most prominent information technology firms. While one of the companies detected the cyberattack on its servers within hours and was able to stop any data breach, the other IT firm could spot the intrusion only a week later. “Since 2012, international countries which have economic interests in India have been silently active. There is a sectoral penetration which is real and we are not as ready as one would expect. We believe sectors like IT, pharma, chemicals, defence and energy are in their crosshairs,” said Sivarama Krishnan, partner advisory cybersecurity, PwC.

The nation state cyberthreat is becoming very real. A defence contractor was compromised recently after an employee downloaded excel sheets containing malicious code from an Indonesian institute. During investigations it was found out that Pakistani intelligence agencies were quietly pulling out data from the contractors’ systems. The North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organisations across multiple countries and some Indian banks were hit too.

In sectors where competitive intensity is high, cyber criminals now operate with both espionage and criminal intent. In the past cyber criminals focused on stealing information and threatening corporates but now they are weaponising software by installing malicious scripts and disrupting work. Two Indian conglomerates were forced to pay $5 million each in order to prevent hackers from disclosing information that outed their wrongdoings. The cyber criminals patiently accessed the IT systems for two to three years before they acted on it.

In yet another cyberattack, hackers seized control of computers at three banks and a pharmaceutical company, and then demanded a ransom in bitcoins for the decryption keys to unfreeze them. The attackers accessed the system by compromising IT administrators’ computers. In all four cases, the hackers are said to have used the Lechiffre ransomware. Cyber hackers breached Union Bank of India security systems but the money trail was traced and the movement of funds was blocked.

| Company Name | What Happened |
| --- | --- |
| Reliance Jio | Unauthorised access into a part of database |
| Star | Unreleased episodes of Game of Thrones leaked |
| Union Bank | Hackers managed to steal Union Bank’s access codes for the Society for Worldwide Interbank Financial Telecommunication (SWIFT). |
| Axis Bank | Unauthorized login by an unnamed, offshore hacker. |
| Zomato | 17 million user records from its database were hacked. |
| Renault India | Hit by Ransomware Wannacry in global attack |
| IRCTC | Data theft from website |
| Yes Bank | Malware attacked some ATMs and POS machines |
| Hitachi Payment Systems | Malware caused breach of bank data |
| Bank of Maharashtra | Central server hacked |
| Reckitt Benckiser India | Hit by global ransomware attack |

Given the nature and scale of threat, Indian companies are not investing enough in security. For example, global banks spend up to 15% of their IT spends on IT security, but in India it’s hardly 2-3% of the IT budget.

But now senior managements have started taking notice given the loss potential and also the reputational risk. “We have to think security first along with digital first. In every senior management meeting, the security issue is being brought up given the high risks involved,” said Joydeep Dutta, group chief technology officer at Central Depository Services India Limited.

Even when the large com­pa­nies beef up se­cu­rity, though, the ven­dor or dis­trib­u­tor base down the chain re­mains vul­ner­a­ble and the en­tire ecosys­tem is at risk. In the Re­liance Jio case, for in­stance, a ven­dor based in Ra­jasthan had built an in­ter­face on top of the com­pany data­base that al­lowed some peo­ple to ac­cess their de­tails from the com­pany’s data­base. A lot of Aad­haar leaks are sim­i­lar, ac­cord­ing to ex­perts. Some per­sonal data can be ac­cessed through dif­fer­ent users but the bio­met­ric data­base and other key data re­mains safe. “We are sit­ting on a time bomb. Com­pa­nies are not look­ing at the en­tire ecosys­tem,” said Kr­ish­nan.

One reason for Indian companies getting affected in cyberattacks is the rampant use of unlicensed software and, in some cases, underpaid licences, which make them sitting ducks.

Lately, there has been a spike in cases where the protectors turned into per­pe­tra­tors. In­creas­ingly, the IT main­te­nance, op­er­a­tions and sup­port ecosys­tem is be­com­ing a key area of vul­ner­a­bil­ity due to mul­ti­ple lev­els of out­sourc­ing dic­tated by cost com­pul­sions. A Delhi-based FMCG com­pany found out a dis­grun­tled ven­dor em­ployee used an ad­min pass­word to cre­ate a false trail of ev­i­dence to im­pli­cate the com­pany IT se­nior who wouldn’t hire him on com­pany rolls. Just that he used his own desk­top to log into IT man­ager’s mail and that com­bined with TV cam­era ev­i­dence was used to nail him.

In another case, per­tain­ing to a tower com­pany, an IT ad­min fig­ured out how bank­ing switch­ing sys­tem and com­pany’s ERP soft­ware recorded fi­nan­cial trans­ac­tions. He changed the bank ac­count num­ber and IFSC code us­ing ad­min lo­gin and trans­ferred Rs 4 crore in small value trans­ac­tions to his ac­count. A wor­ried sup­plier, who couldn’t rec­on­cile his ac­counts, com­plained to the CEO and fi­nally the em­ployee was caught.

Us­ing cy­ber tools for es­pi­onage is fast be­com­ing com­mon. In a fam­ily feud be­tween two broth­ers who in­her­ited a large fab­ric man­u­fac­tur­ing busi­ness and later branched out on their own, the el­der brother de­cided to tar­get the bet­ter off younger brother. Us­ing cy­ber as­sets he started dis­rupt­ing the younger brother’s busi­ness. Sud­denly sys­tems would be unavail­able, sup­pli­ers and cus­tomers wouldn’t get im­por­tant com­mu­ni­ca­tion and de­signs were be­ing lifted, till the younger one or­dered a foren­sic in­ves­ti­ga­tion.

In investigations a key trend that’s emerging is that a big part of the problem is lack of understanding of security risks among senior management and their attendant staff. A phishing exercise carried out by PwC for senior management of a large bank found out that more than 80% of secretarial staff fell for the bait compromising the system. Hackers targeted an MNC CEO by finding out details about his secretary from social media and then sent her a mail with malicious code that discussed her boss’ upcoming travel plans. The secretary opened the attachment compromising the CEO’s account.

Hack­ing com­pa­nies is now eas­ier than ever be­fore. “The cost of en­try into cy­ber­crime is very low and there are lots of on­line tools avail­able. One doesn’t even need to go out to learn hack­ing; there are YouTube videos giv­ing step-by-step tu­to­ri­als. Also, the fact that on­line world gives a per­son a cer­tain sense of anonymity, which peo­ple find em­pow­er­ing,” said Singh of Ma­ha­rash­tra Po­lice.

To com­pound the woes of the cor­po­rates, the out­dated reg­u­la­tions are not help­ing. “In the In­dian IT Act fi­nan­cial fraud is a bail­able of­fence. Crim­i­nals are not afraid be­cause the penal­ties are small. Af­ter 2008, the Act has not been amended, so the reg­u­la­tions are not keep­ing pace with the chang­ing cy­ber sce­nario,” said Mukesh Choud­hary, founder of Cy­berops In­fosec.

Indian employees are particularly susceptible with large-scale adoption of smartphones, cheap data rates and a habit of downloading all sorts of apps. Recently, cyber criminals uploaded an app at Google Play that gave people tips and tricks to find more Pokemons, and subsequently a lot of people ended up infecting their phones. With the whole Bring Your Own Device or BYOD trend catching on, IT managers have been struggling with the security aspect. In a large pharma firm, the head of research’s laptop was infected by hackers from an enemy nation and for two and a half years they gleaned all company and personal information from the personal laptop. “Mobile is the most vulnerable but gets least attention by the corporates,” said PwC’s Krishnan.

So is the cy­ber­se­cu­rity prob­lem any closer to be­ing solved? Num­bers re­veal a dis­turb­ing trend. Ac­cord­ing to the McAfee re­port, new mal­ware sam­ples leaped 67% to 52 mil­lion, new ran­somware sam­ples in­creased 54% to 10.7 mil­lion sam­ples and to­tal mo­bile mal­ware grew 61% in the past four quar­ters to 18.4 mil­lion sam­ples. Looks like Singh and his team are star­ing at a busy sea­son ahead.
