Thursday, September 26, 2013

Monday, September 23, 2013

People Are Not Robots - It's a Business

People, process and technology are the three critical gears of any system. Organizations spend enormous effort building a consistent environment for delivering services, solutions and products to a community. Conceiving those services can be worrying because of the endlessly repeated buzzword "Cyber Security". Cyber security is usually associated with the external hacker community, and far less attention is given to the internal employee. The reason is trust; however, responsibility always comes with power, and that power has deep roots.

People are not robots: they will try to take control of systems, or react in unexpected ways, if the security culture has not penetrated deep into the foundation.

News broke this week about IBM's latest file leak, in which a former employee with access to confidential information about IBM's play in cloud computing technology leaked hundreds of pages of documentation, shedding light on IBM's weaknesses within the cloud computing industry. Breaches like this affect the stock sentiment and, further, the company's reputation for delivering services.

The insider threat is an area of silence and is always given second preference; however, its consequences are more painful than those of external threats.
A survey on insider data privacy revealed some alarming findings:



The typical ways respondents moved data out were: copying it to a staging site on the Internet, such as iDisk or Dropbox (43% chose this channel); sending files out as webmail attachments (36%); copying information onto a USB device (29%); and taking a printout (3%).

A Data Leak Prevention (DLP) system should be enforced at the foundation of the system, leaving no member outside its perimeter. This protects data, structured and unstructured, to minimize the risk of a breach or loss of intellectual property. Strong segregation-of-duties measures should be incorporated to mitigate the risk arising from the administration side. Careful attention should be paid so that the productive working relationship between employee and organization is not restricted.
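The channels in the survey above are the ones a DLP policy has to cover first. As an added illustration (not the original post's code, and not any particular product's rule set), the Python below runs a minimal detection pass over constructed proxy and endpoint-agent log lines, flagging large uploads to Internet staging sites, webmail attachment uploads and copies to USB media. The hostnames, the two log formats and the 1 MB upload threshold are all assumptions made for the example.

```python
"""Added example: a toy DLP detection pass over constructed proxy and endpoint
log lines, covering the three exfiltration channels named in the survey
(Internet staging sites, webmail attachments, USB copies).  Hosts, log formats
and the size threshold are made up for the example."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical channel lists; a real deployment would use a maintained URL
# category feed and content classification rather than fixed hostnames.
STAGING_HOSTS = {"www.dropbox.com", "dl-web.dropbox.com", "idisk.me.com"}
WEBMAIL_HOSTS = {"mail.yahoo.com", "mail.google.com", "www.rediffmail.com"}
UPLOAD_THRESHOLD = 1_000_000  # bytes sent in a single request

# Constructed formats:
#   proxy:    <time> <user> <method> <host> <path> <bytes_out>
#   endpoint: <time> <user> USB_COPY <device> <file> <bytes>
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\S+) (\d+)$")
USB_RE = re.compile(r"^(\S+) (\S+) USB_COPY (\S+) (\S+) (\d+)$")


@dataclass
class Alert:
    time: str
    user: str
    channel: str
    detail: str


def inspect_line(line: str) -> Optional[Alert]:
    """Classify one log line; None means the line is not a policy violation."""
    m = PROXY_RE.match(line)
    if m:
        time, user, method, host, path, size = m.groups()
        if method not in ("POST", "PUT") or int(size) < UPLOAD_THRESHOLD:
            return None  # downloads and small requests are not exfiltration
        if host in STAGING_HOSTS:
            return Alert(time, user, "staging-site-upload", f"{size} bytes to {host}{path}")
        if host in WEBMAIL_HOSTS and "attach" in path.lower():
            return Alert(time, user, "webmail-attachment", f"{size} bytes to {host}{path}")
        return None
    m = USB_RE.match(line)
    if m:
        time, user, device, name, size = m.groups()
        return Alert(time, user, "usb-copy", f"{name} ({size} bytes) to {device}")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every line through the policy and keep the alerts, in log order."""
    return [a for a in map(inspect_line, lines) if a is not None]


# Constructed sample: one staging upload, one webmail attachment, one USB copy,
# plus three benign lines that must not fire.
SAMPLE_LOG = [
    "2013-09-23T10:02:11 asharma POST dl-web.dropbox.com /upload 5242880",
    "2013-09-23T10:05:40 asharma GET www.dropbox.com /home 812",
    "2013-09-23T11:17:03 rkumar POST mail.yahoo.com /ws/upload/attach 2097152",
    "2013-09-23T11:20:55 rkumar POST mail.yahoo.com /ws/compose 1400",
    "2013-09-23T14:40:19 psingh USB_COPY E: Q3_cloud_roadmap.pdf 3145728",
    "2013-09-23T15:01:00 psingh POST intranet.corp.example /share 7340032",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.time} {alert.user} {alert.channel}: {alert.detail}")
```

Running it yields exactly one alert per channel and nothing for the browsing, small-compose and internal-share lines. A real DLP inspects content (fingerprints, classification tags) rather than only destination and size, and the hostname lists would come from a maintained category feed; the point here is that every channel in the survey must map to a concrete log source and a rule, or it sits outside the perimeter.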

Tuesday, September 10, 2013

Cyber Crime History (1820) to Today's Enforcement Laws (2013)

Cyber crime has posed a serious threat to society for many decades. It is hard to believe that the first cyber crime was recorded as early as 1820. Yes, it's a shocking fact!
The abacus, which is thought to be the earliest form of computer, has been around since 3500 B.C. in India, Japan and China. Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear among Jacquard's employees that their traditional employment and livelihood were being threatened, and they committed acts of sabotage to discourage Jacquard from further use of the new technology.

Technology has since grown many fold, from standalone computers to meshed networks (personal area network (PAN), local area network (LAN), home area network (HAN), storage area network (SAN), campus area network (CAN), backbone network, metropolitan area network (MAN), wide area network (WAN), virtual private network (VPN), etc.) built on different technologies.

To maintain the confidentiality, integrity and availability of such complex systems, cyber law has to be enforced to minimize the challenges in the legal world. The disputes that arise from such challenges, whether statutory or otherwise, fall under the term "cyber law". The European Union, the USA and the United Nations Commission on International Trade Law (UNCITRAL) have already framed important laws to regulate cyberspace. In India, the Information Technology Act (ITA) is also based on the UNCITRAL model, and all cyber laws are contained in the Information Technology Act, 2000.

The table below gives a high-level view of cyber crimes and the associated IT Act provisions.

| Cyber Crime | Brief Description (Example) | Relevant Section in IT Act | Punishment |
| --- | --- | --- | --- |
| Cyber Stalking | Stealthily following or harassing a person or a group, false accusations, identity theft (tracking their chat) | 43, 65, 66 | Imprisonment up to 3 years, or fine up to 2 lakh |
| Cyber Pornography including Child Pornography | Publishing obscene material in electronic form involving children | 67, 67(2) | Imprisonment up to 10 years and fine that may extend to 10 lakh |
| Intellectual Property Crimes | Source code tampering, piracy, copyright infringement, etc. | 65 | Imprisonment up to 3 years, or fine up to 2 lakh |
| Cyber Terrorism | Protection against cyber terrorism | 69 | Imprisonment for a term that may extend to 7 years |
| Cyber Hacking | Destruction, deletion, alteration, etc. of data | 66 | Imprisonment up to 3 years, or fine up to 2 lakh |
| Phishing | Banking and financial frauds | 43, 65, 66 | Imprisonment up to 3 years, or fine up to 2 lakh |

Friday, September 6, 2013

India in the Top 10 League for Spear Phishing

We discussed the aim of phishing and the modus operandi for achieving it. Spear phishing, likewise, is an attempt directed at specific individuals or companies to steal sensitive information, rather than targeting the mass community. The probability of success in this case is much higher. India is an emerging country, expanding strongly in various verticals and specialized in providing IT consulting services across the globe. One year back, India was not in this league; now it holds a 3% share of hosted phishing sites. This is a small number, but it looks to be an alarming trend down the line. Today, the country has clearly established a footprint on the international cyber map by being among the top 10 hosts of phishing sites globally.
The most targeted Indian sites fell into various categories: information technology (14.40%), education (11.90%), product sales and services (9.80%), industrial and manufacturing (7.30%), and tourism, travel and transport (5.80%).

The attack leaves a devastating footprint when targeted at a specific customer-centric vertical. Privacy protection is a crucial element of today's growing demand for e-services. One of the most glaring attacks was the recent purchase of more than 15,000 online tickets on Kingfisher Airlines by fraudsters who somehow got hold of the credit card information of several cardholders, many of them foreign nationals. While it is not clear where the fraud originated, some estimates peg the loss to the carrier at Rs 17 crore.

In fact, major banks have been targeted and are now racing to take corrective actions such as user awareness and a monitoring mechanism to track and block the sites at the service provider end. This is not simple, since the attack can come from anywhere on the globe, each place with its own "law of the land".

Countermeasures to avoid phishing attacks:
  • Do not click on suspicious links in email messages. In case of any doubt, perform the simple steps described in my previous post (checking the sender's address and the originating IP address in the message headers) to identify whether it is a phishing mail.
  • Do not reveal sensitive information over the phone.
  • Do not enter personal information in a pop-up page or screen.
  • Ensure the website is protected with an SSL certificate by looking for the padlock, 'https' or the green address bar before entering personal or financial information.
  • Update your security software frequently; it protects you from online phishing.
  • And lastly, inform the respective organization so that it can stop the campaign from spreading further.

Wednesday, September 4, 2013

Phishing, a "Race": How Many Cross the Battle?




Government Phishing ("fishing a user"): a high-volume threat

Phishing is a term often used to describe a fraud that involves capturing users' personal information to perform unauthorized transactions or operations. Phishing can also be associated with the word "fishy", and I think that is how it originated.

In practice, it is carried out over a phone call, by email, or by hosting a website that is a replica of the genuine site. The attacker sends a mail that looks very similar to a genuine mail from the sender, with an embedded link that redirects the user to a site built to steal their information.

The phishing attack is not limited to the banking sector; it has penetrated other verticals like government and retail. A study shows around 10,000 users face phishing attacks daily in India, with 65 percent of attacks categorized under the government sector. A typical distribution of the attacks is:
  • Phishing: 51.2 %
  • Virus, Trojan, worm, logic bomb: 7.7 %
  • Policy violation: 7.4 %
  • Malicious website: 6.3 %
  • Equipment theft/loss: 6.2 %
  • Suspicious network activity: 3.3 %
  • Social Engineering: 2.4 %
  • Attempted access: 0.8 %
  • Others: 5.8 %

It is becoming a nightmare to detect phishing at a global level; however, a user's careful attention can reveal a message's integrity. Banks and regulatory bodies like the Reserve Bank of India (RBI) and the Income Tax (I.T.) Department are publicizing awareness of phishing. Phishers now send emails resembling Yahoo / Rediff mail, shopping sites or regulatory bodies like RBI / I.T. Dept., asking for confidential data.

In the case of the government vertical, consider a scenario where an attacker sends an email trying to lure a user into filling in details to get a tax refund. The sender address is spoofed so that it resembles the government's actual email address.




The attacker creates a fraudulent site that looks similar to the genuine site, except that it has no certificate attached. The user is redirected to the fraudulent site, which captures sensitive and confidential information; the unsuspecting user enters their login details.


A legitimate financial institution will never ask for your account details via e-mail. A corollary to this rule: never e-mail financial information over the Internet.
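As an added example (not the original post's code), the Python below automates the header check recommended in the spear-phishing countermeasures above (sender address and originating IP in the message headers) together with the two tells of the tax-refund scenario: a spoofed or mismatched sender and a look-alike link target with no TLS. It runs over two constructed messages; every address, relay name and IP in them is made up for the example, and the real Income Tax Department domain appears only as the impersonated sender.

```python
"""Added example: header and link checks for a suspected phishing mail, run over two
constructed messages.  Domains, addresses and IPs below are made up for the example."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

PHISH_MAIL = """\
Return-Path: <refunds@mail-itrefund.example.net>
Received: from mail-itrefund.example.net (unknown [198.51.100.23]) by mx.corp.example with ESMTP; Wed, 4 Sep 2013 09:12:01 +0530
From: "Income Tax Department" <refund@incometaxindia.gov.in>
Reply-To: claims@mail-itrefund.example.net
Subject: Your tax refund of Rs 24,560 is pending
Content-Type: text/html; charset=utf-8

<html><body><p>Dear taxpayer, click
<a href="http://incometaxindia.gov.in.refund-portal.example.net/claim?id=77812">https://incometaxindia.gov.in/refund</a>
to claim within 48 hours.</p></body></html>
"""

LEGIT_MAIL = """\
Return-Path: <noreply@incometaxindia.gov.in>
Received: from mx1.incometaxindia.gov.in (mx1.incometaxindia.gov.in [203.0.113.9]) by mx.corp.example with ESMTP; Wed, 4 Sep 2013 09:30:00 +0530
From: "Income Tax Department" <noreply@incometaxindia.gov.in>
Content-Type: text/html; charset=utf-8

<html><body><p>Log in at <a href="https://incometaxindia.gov.in/">https://incometaxindia.gov.in/</a>.</p></body></html>
"""

def domain_of(addr: Optional[str]) -> str:
    """Lowercase domain part of an RFC 5322 address, or '' if there is none."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a genuine subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw_mail: str) -> Tuple[Optional[str], List[str]]:
    """Return (originating relay IP, list of phishing indicators found)."""
    msg = email.message_from_string(raw_mail)
    findings: List[str] = []
    from_domain = domain_of(msg.get("From"))
    # 1. Reply/envelope addresses whose domain differs from the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        d = domain_of(msg.get(hdr))
        if d and d != from_domain:
            findings.append(f"{hdr} domain {d} differs from From domain {from_domain}")
    # 2. The bottom-most Received header names the relay closest to the true origin.
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", "\n".join(msg.get_all("Received", [])))
    origin_ip = ips[-1] if ips else None
    # 3. Links: plain http, host outside the sender domain, visible text vs. real target.
    part = next((p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")), None)
    body = (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace") if part else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(f"link {href} is not served over HTTPS")
        if not host_belongs_to(host, from_domain):
            note = " (look-alike: genuine domain used as a prefix)" if from_domain and host.startswith(from_domain) else ""
            findings.append(f"link host {host} is outside {from_domain}{note}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return origin_ip, findings

if __name__ == "__main__":
    for name, mail in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        ip, found = analyse(mail)
        print(f"{name}: origin {ip}; " + ("; ".join(found) or "no indicators"))
```

On the constructed phishing mail this reports five indicators (Reply-To and Return-Path outside the sender domain, a plain-http link, a host that merely starts with the genuine domain, and link text that does not match the real target) and none on the legitimate one. The Received IP is a pointer rather than proof: anything below the header your own mail server added can be forged, so it is something to compare against the sender's published SPF and MX records, not a verdict by itself.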