Walking the High Wire

DQI Bureau
New Update

These are exciting times. A major shift is underway in the

way the corporate world communicates. The barriers of time and place are being

removed, giving way to open communications and the free flow of information and

ideas, centering on the Internet. E-mail ids have, for quite some time now,

become a necessary part of the business card–even if it has to be from the

Hotmail genre of free mail providers.


"The shift is remarkable," says Sandhya Verma, VP

operations at Velocient Technologies, "but it has its own set of

dangers." Sanjay Dhawan, director, information risk management services,

KPMG, agrees. "With the increasing use of IT for business processes and

operations," he says, "it is critical for organizations to recognize

information as a business asset and implement controls to secure it."

Indeed. Last December, 300,000 credit-card numbers were

snatched from online music retailer, CD Universe. In March the same year, the

Melissa virus caused an estimated $80 million damage, when it swept around the

world, paralyzing e-mail systems. That same month, hackers-for-hire pleaded

guilty to breaking into phone giants AT&T, GTE and Sprint, among others, for

calling card numbers that eventually made their way to organized crime gangs in

Italy. According to the FBI, the phone companies were hit for an estimated $2


And let’s not forget the recent and global Love Bug attack.

With the ability to forward messages to everyone in a victim’s e-mail address

book, the Love Bug, with mere 20 lines of code, was responsible for an estimated

$10 billion damage to businesses, governments, and organizations in just two

days. Like many modern "Internet" viruses, it relied more on human

psychology than on software ingenuity to replicate and proliferate.


An attack of a different variety–but similar in its

notoriety–was launched in February. The distributed denial of service (DDoS)

attack that caused shut downs at major Web sites such as, eBay and

Yahoo was also simple in concept and apparently simple to execute. In a DDoS

attack, hackers flood network routers with an overwhelming amount of traffic to

targeted Web sites. Like armies of attacking computers, the blitzkrieg overcomes

its targets with a wave of information requests to a site, denying service to

anyone else trying to access it. The February attacks effectively shut down

several major sites for two to six hours, resulting in loss in sales and ad

revenues, and public image as well.

While it seems that most of these attacks were aimed at

organizations abroad and the India Inc has some how been spared, Dhawan says

that the situation is not much better here. "Though it appears that

security breaches in India are very low, it’s not because we have some very

effective security controls," he says. "In fact, it is more because

most of these breaches are going undetected, or are not being reported at

all." This is a dangerous situation, and experts are unanimous: ignorance

is never bliss. The ostrich is not a good corporate model.

A networked India Inc


The information security survey of Indian enterprises

conducted by KPMG in 1999 reveals that nearly 80% of all Indian organizations

operate in a networked file server environment. More than 60% of the respondent

organizations were using PCs for their information processing. Only 4%

organizations relied on mainframe environments, while 6% used third party

facilities for processing data.

Significantly more than 90% of the organizations use private

internal networks, with limited use of public networks like the Internet.

However, 92% organizations reported the use of external networks connecting

organizations to their customers and suppliers.

Warfare in the new economy


Talking about the information trend in the preface of their

book Defending Digital Assets, Randall K Nichols, Daniel J Ryan and Julie J C H

Ryan say that there are three information trends evident worldwide. First: a

huge amount of valuable information is being created, stored, processed and

communicated using computers and computer-based systems and networks. Second:

computers are increasingly interconnected, creating new pathways to valuable

information assets. Third: threats to information assets are becoming more

widespread and sophisticated.

Accordingly, these three trends have influenced significant

development in three diverse computer security areas–info-crimes and digital

espionage (DE), information security (INFOSEC) and information warfare (IW).

"While more Indian organizations than ever are embracing

technology in order to become more competitive, they are forgetting one major

rule of the game–don’t leave your flanks open," says Hanif Sohrab,

business development manager, network security, HCL Comnet. The Internet and

e-business completely open up relationships inside and outside a company, while

at the same time blurring the lines between public and private networks.


Also, to enable seamless business-to-business relationships,

companies are building extranets, which allow partners, customers and suppliers

to access select back-office systems via the Internet. "Obviously, when you’re

opening up your internal systems to outsiders, the need to control and

authenticate that access is critical and hence the need to focus on INFOSEC,"

Sohrab adds.

From computer viruses and denial of service to outright

hacking into corporate or government networks to steal confidential information,

the attacks may be in any form, but the effects are the same–and they can be

crippling. Lost sales. Lost productivity. Lost customers. Lost opportunities.

All right through to the bottom line, bringing e-security to the top of senior

executives’ agendas. However, according to many industry experts, this is

merely the tip of the DE and IW iceberg.

The missing link is…IT


Experts believe that while the first phase of Internet-led

business initiatives was more about speed–who got out there first being more

important than what they got out there and how well it performed. Today,

however, companies worldwide are realizing that their e-businesses must be

secure to be successful. Instead of just a race to get connected, smart

companies are now focusing on privacy, reliability, and performance issues, with

e-security playing a prominent role in any e-business


Not in India. At least that is what the KPMG survey suggests.

According to it, 77% of the Indian organizations do not have a formal security

policy document in place. What this means is that either the top brass is not

aware of the threats of this widely wired world or they under-estimate the value

of the organization’s information assets and hence the need to protect it.

Dhawan says that the Indian corporate sector has not attached

adequate importance to information-related security risks and threats. "It’s

therefore not surprising that most Indian organizations don’t have a clearly

identified or dedicated person for information risk management. While MNCs,

particularly those in the financial sector, are aware of security requirements,

there too it is not common to find professionally qualified information security

experts." Everybody would agree that a false sense of security is worse

than a true sense of insecurity. Knowing where your enterprise is still insecure

provides you with the framework for moving ahead. It’s critical to know where

you have left gaps and what mechanisms need replacing.


The survey also reveals that the need for recognizing IT as a

key strategic resource and asset has still not gained momentum in the country.

IT continues to be looked upon as a support function. The lack of appreciation

for information security as a critical business need is also highlighted by the

absence of a designated information security and risk management function at 68%

of the respondent organizations. Also, 52% of the organizations indicated that

information risk management function is the responsibility of the IT department.

Most others–25%–felt that the finance department should take care of it,

while only 11% assigned the role to a separate division.

Experts, however, believe that scripting and implementing the

security policy is not the job of the IT department alone. While the IT people

in organizations can act as technological drivers of the policy, they can in no

way classify information for each of the departments. Asset classification

allows an organization to keep track of its information assets, including the

data owned, its retention period, its sensitivity and the likely impact on the

operations of the organization if it were lost or compromised. Hence the only

people who can classify it are those working in the particular section. This

also means that the heads of all departments, including HR and IT need to sit

together and work out who should know what and how much. Unfortunately 38% of

KPMG survey respondents said they do not have any data classification procedure.

Error and the human element

A big missing link in the security chain of any enterprise is

the human factor. Says Verma, "While most of the organizations focus on

threats from external factors, internal factors are as big a danger, if not

worse." Rangan Devarajan, GM, e-management and e-security services at HP’s

Software Operation, agrees, "The human factor is by far the biggest

security challenge. An employee writing the password on the keyboard for all to

see can quickly compromise a million-dollar strong security


Naturally, the HR department also comes into the picture. Yet

most HR heads of leading companies in India were amazed when this author asked

them to speak on the enterprise security issue or security policy. "Speak

to the IT manager," was the pet response. Experts, on the other hand, say

that HR departments should be the prime driver of the security policy because it’s

the people who commit mistakes and not the machines.

Kevin Mitnick, the infamous-and convicted-computer hacker, is

reported to have said that he was able to break into three US federal agency

systems by simply calling various employees and asking for passwords–"social

engineering", versus elaborate crypto or password cracking. "Why take

the trouble of cracking passwords when you can simply get it by asking a

careless and ever-too-ready-to-help employee unaware of the risks from their

actions," says Dhawan. His team of "white hackers" has been able

to get the most sensitive passwords by just calling people over the telephone.

Security training and awareness for all employees and system

administrators are a fundamental component of e-security. Says Verma,

"Continually evaluating employees’ understanding and compliance of policy

is critical to the success of e-security. Remember that a security solution is

only as strong as its weakest link, and the employees are these links, because

systems if properly implemented cannot err in themselves."

Another issue involving the man and the machine arises from

the increasingly popular concept of anytime, anywhere office. While the concept

of virtual office is already in vogue in developed e-economies, the concept is

slowly gaining acceptance with Indian enterprises; at least amongst the top

brass. "The big issue before the industry in India and worldwide is how to

provide a secure infrastructure to these mobile people carrying and accessing

vital information from remote areas. Making sure their connections are secure as

they dial in, access network systems, and download and upload files has become

critical. Indeed, remote security is more critical than ever because thousands

of hackers are always lurking, ever watchful for ways to sneak into network

pathways," Sohrab says. According to experts, rather than attacking a

fortified server behind a firewall, an intruder can easily gain access to a

remote user’s system, then wait until the user of that desktop logs into the

server. Without end-to-end, distributed security, the remote desktop becomes the

weak link and a hacker’s delight.

The only solution, according to Sohrab, is awareness of the

threats amongst the enterprises and users. If you are aware of threats, you are

cautious and the thieves have lesser chance to succeed.

Can we trust you?

Trust is yet another key factor and stems from the company’s

security policy. It is ironic but true that e-business–with all the innovative

technologies and new business models–still depends on one of the most

important factors of the old economy, trust. In fact, the very open nature of

the wired economy demands a much higher level of trust between enterprises, its

customers and partners for the e-business to survive and flourish.

While cases of customer’s personal information–credit

card data, surfing pattern, buying habit and income–being stolen or sold has

not been reported in India so far, the West has been witness to such vandal

attacks in plenty. And as Indian consumers start using the Net more for day to

day activities, experts believe such incidents will start getting reported.

Sohrab puts on corporations the onus to make customers confident that their

confidential data will remain confidential. He says, "We also need to

address the issue of authenticity and integrity of information and that of

non-repudiation as well."

Dhawan agrees. "Not only is fraud a concern, but the

potential for disputed contract is enormous. After all, what proof does the

company or individual have that an authorized company representative has agreed

to terms and conditions they may later deny." Hence, the issue of PKI and

digital signature needs to be addressed, and the issue can be initiated only

through government initiative. Industry analysts are unanimous on the issue.

According to most of them, the Indian government needs to take up a prominent

and active role to ensure that adequate infrastructure is available, and that

too soon.

However, there are others with different opinions. According

to Verma, the government definitely needs to resolve this issue, though the

country still has some time to go. "The Indian economy needs time to

mature, and a mature economy can better adapt to these changing needs of the

e-world." She’s not alone in her belief. Other experts say that being a

late starter in the e-business and the Internet-led economy has tremendous

advantages for India Inc. "We can definitely learn from what the West has

been facing all these years and avoid repeating them," says Verma. "In

fact, that’s the reason why we want the laws and regulations in place before

actually opening our economy to the wired world."


in New Delhi