Walking the High Wire

These are exciting times. A major shift is underway in the
way the corporate world communicates. The barriers of time and place are being
removed, giving way to open communications and the free flow of information and
ideas, centering on the Internet. E-mail ids have, for quite some time now,
become a necessary part of the business card–even if it has to be from the
Hotmail genre of free mail providers.

“The shift is remarkable,” says Sandhya Verma, VP
operations at Velocient Technologies, “but it has its own set of
dangers.” Sanjay Dhawan, director, information risk management services,
KPMG, agrees. “With the increasing use of IT for business processes and
operations,” he says, “it is critical for organizations to recognize
information as a business asset and implement controls to secure it.”

Indeed. Last December, 300,000 credit-card numbers were
snatched from online music retailer, CD Universe. In March the same year, the
Melissa virus caused an estimated $80 million damage, when it swept around the
world, paralyzing e-mail systems. That same month, hackers-for-hire pleaded
guilty to breaking into phone giants AT&T, GTE and Sprint, among others, for
calling card numbers that eventually made their way to organized crime gangs in
Italy. According to the FBI, the phone companies were hit for an estimated $2
million.

And let’s not forget the recent and global Love Bug attack.
With the ability to forward messages to everyone in a victim’s e-mail address
book, the Love Bug, with a mere 20 lines of code, was responsible for an estimated
$10 billion damage to businesses, governments, and organizations in just two
days. Like many modern “Internet” viruses, it relied more on human
psychology than on software ingenuity to replicate and proliferate.

An attack of a different variety–but similar in its
notoriety–was launched in February. The distributed denial of service (DDoS)
attack that caused shutdowns at major Web sites such as Amazon.com, eBay and
Yahoo was also simple in concept and apparently simple to execute. In a DDoS
attack, hackers flood network routers with an overwhelming amount of traffic to
targeted Web sites. Like armies of attacking computers, the blitzkrieg overcomes
its targets with a wave of information requests to a site, denying service to
anyone else trying to access it. The February attacks effectively shut down
several major sites for two to six hours, resulting in lost sales and ad
revenues, and damage to public image as well.

While it seems that most of these attacks were aimed at
organizations abroad and that India Inc has somehow been spared, Dhawan says
that the situation is not much better here. “Though it appears that
security breaches in India are very low, it’s not because we have some very
effective security controls,” he says. “In fact, it is more because
most of these breaches are going undetected, or are not being reported at
all.” This is a dangerous situation, and experts are unanimous: ignorance
is never bliss. The ostrich is not a good corporate model.

A networked India Inc

The information security survey of Indian enterprises
conducted by KPMG in 1999 reveals that nearly 80% of all Indian organizations
operate in a networked file server environment. More than 60% of the respondent
organizations were using PCs for their information processing. Only 4% of
organizations relied on mainframe environments, while 6% used third party
facilities for processing data.

Significantly more than 90% of the organizations use private
internal networks, with limited use of public networks like the Internet.
However, 92% of organizations reported the use of external networks connecting
organizations to their customers and suppliers.

Warfare in the new economy

In the preface of their book Defending Digital Assets,
Randall K Nichols, Daniel J Ryan and Julie J C H Ryan
say that three information trends are evident worldwide. First: a
huge amount of valuable information is being created, stored, processed and
communicated using computers and computer-based systems and networks. Second:
computers are increasingly interconnected, creating new pathways to valuable
information assets. Third: threats to information assets are becoming more
widespread and sophisticated.

Accordingly, these three trends have influenced significant
development in three diverse computer security areas–info-crimes and digital
espionage (DE), information security (INFOSEC) and information warfare (IW).

“While more Indian organizations than ever are embracing
technology in order to become more competitive, they are forgetting one major
rule of the game–don’t leave your flanks open,” says Hanif Sohrab,
business development manager, network security, HCL Comnet. The Internet and
e-business completely open up relationships inside and outside a company, while
at the same time blurring the lines between public and private networks.

Also, to enable seamless business-to-business relationships,
companies are building extranets, which allow partners, customers and suppliers
to access select back-office systems via the Internet. “Obviously, when you’re
opening up your internal systems to outsiders, the need to control and
authenticate that access is critical and hence the need to focus on INFOSEC,”
Sohrab adds.

From computer viruses and denial of service to outright
hacking into corporate or government networks to steal confidential information,
the attacks may be in any form, but the effects are the same–and they can be
crippling. Lost sales. Lost productivity. Lost customers. Lost opportunities.
All right through to the bottom line, bringing e-security to the top of senior
executives’ agendas. However, according to many industry experts, this is
merely the tip of the DE and IW iceberg.

The missing link is…IT

Experts believe that the first phase of Internet-led
business initiatives was more about speed–who got out there first being more
important than what they got out there and how well it performed. Today,
however, companies worldwide are realizing that their e-businesses must be
secure to be successful. Instead of just a race to get connected, smart
companies are now focusing on privacy, reliability, and performance issues, with
e-security playing a prominent role in any e-business
strategy.

Not in India. At least that is what the KPMG survey suggests.
According to it, 77% of the Indian organizations do not have a formal security
policy document in place. What this means is that either the top brass is not
aware of the threats of this widely wired world or they underestimate the value
of the organization’s information assets and hence the need to protect them.

Dhawan says that the Indian corporate sector has not attached
adequate importance to information-related security risks and threats. “It’s
therefore not surprising that most Indian organizations don’t have a clearly
identified or dedicated person for information risk management. While MNCs,
particularly those in the financial sector, are aware of security requirements,
there too it is not common to find professionally qualified information security
experts.” Everybody would agree that a false sense of security is worse
than a true sense of insecurity. Knowing where your enterprise is still insecure
provides you with the framework for moving ahead. It’s critical to know where
you have left gaps and what mechanisms need replacing.

The survey also reveals that the need for recognizing IT as a
key strategic resource and asset has still not gained momentum in the country.
IT continues to be looked upon as a support function. The lack of appreciation
for information security as a critical business need is also highlighted by the
absence of a designated information security and risk management function at 68%
of the respondent organizations. Also, 52% of the organizations indicated that
the information risk management function is the responsibility of the IT department.
Most others–25%–felt that the finance department should take care of it,
while only 11% assigned the role to a separate division.

Experts, however, believe that scripting and implementing the
security policy is not the job of the IT department alone. While the IT people
in organizations can act as technological drivers of the policy, they can in no
way classify information for each of the departments. Asset classification
allows an organization to keep track of its information assets, including the
data owned, its retention period, its sensitivity and the likely impact on the
operations of the organization if it were lost or compromised. Hence the only
people who can classify it are those working in the particular section. This
also means that the heads of all departments, including HR and IT, need to sit
together and work out who should know what and how much. Unfortunately, 38% of
KPMG survey respondents said they do not have any data classification procedure.

Error and the human element

A big missing link in the security chain of any enterprise is
the human factor. Says Verma, “While most of the organizations focus on
threats from external factors, internal factors are as big a danger, if not
worse.” Rangan Devarajan, GM, e-management and e-security services at HP’s
Software Operation, agrees, “The human factor is by far the biggest
security challenge. An employee writing the password on the keyboard for all to
see can quickly compromise a million-dollar strong security
infrastructure.”

Naturally, the HR department also comes into the picture. Yet
most HR heads of leading companies in India were amazed when this author asked
them to speak on the enterprise security issue or security policy. “Speak
to the IT manager,” was the pet response. Experts, on the other hand, say
that HR departments should be the prime driver of the security policy because it’s
the people who commit mistakes and not the machines.

Kevin Mitnick, the infamous–and convicted–computer hacker, is
reported to have said that he was able to break into three US federal agency
systems by simply calling various employees and asking for passwords–“social
engineering”, versus elaborate crypto or password cracking. “Why take
the trouble of cracking passwords when you can simply get it by asking a
careless and ever-too-ready-to-help employee unaware of the risks from their
actions,” says Dhawan. His team of “white hackers” has been able
to get the most sensitive passwords by just calling people over the telephone.

Security training and awareness for all employees and system
administrators are a fundamental component of e-security. Says Verma,
“Continually evaluating employees’ understanding and compliance of policy
is critical to the success of e-security. Remember that a security solution is
only as strong as its weakest link, and the employees are these links, because
systems if properly implemented cannot err in themselves.”

Another issue involving man and machine arises from
the increasingly popular concept of the anytime, anywhere office. While the
virtual office is already in vogue in developed e-economies, it is only
slowly gaining acceptance with Indian enterprises, at least amongst the top
brass. “The big issue before the industry in India and worldwide is how to
provide a secure infrastructure to these mobile people carrying and accessing
vital information from remote areas. Making sure their connections are secure as
they dial in, access network systems, and download and upload files has become
critical. Indeed, remote security is more critical than ever because thousands
of hackers are always lurking, ever watchful for ways to sneak into network
pathways,” Sohrab says. According to experts, rather than attacking a
fortified server behind a firewall, an intruder can easily gain access to a
remote user’s system, then wait until the user of that desktop logs into the
server. Without end-to-end, distributed security, the remote desktop becomes the
weak link and a hacker’s delight.

The only solution, according to Sohrab, is awareness of the
threats amongst the enterprises and users. If you are aware of threats, you are
cautious and the thieves have less chance of succeeding.

Can we trust you?

Trust is yet another key factor and stems from the company’s
security policy. It is ironic but true that e-business–with all the innovative
technologies and new business models–still depends on one of the most
important factors of the old economy, trust. In fact, the very open nature of
the wired economy demands a much higher level of trust between enterprises, their
customers and partners for the e-business to survive and flourish.

While cases of customers’ personal information–credit
card data, surfing patterns, buying habits and income–being stolen or sold have
not been reported in India so far, the West has been witness to such vandal
attacks in plenty. And as Indian consumers start using the Net more for day-to-day
activities, experts believe such incidents will start getting reported.
Sohrab puts on corporations the onus to make customers confident that their
confidential data will remain confidential. He says, “We also need to
address the issue of authenticity and integrity of information and that of
non-repudiation as well.”

Dhawan agrees. “Not only is fraud a concern, but the
potential for disputed contract is enormous. After all, what proof does the
company or individual have that an authorized company representative has agreed
to terms and conditions they may later deny.” Hence, the issue of PKI and
digital signatures needs to be addressed, and that can be initiated only
through government initiative. Industry analysts are unanimous on the issue.
According to most of them, the Indian government needs to take up a prominent
and active role to ensure that adequate infrastructure is available, and that
too soon.

However, there are others with different opinions. According
to Verma, the government definitely needs to resolve this issue, though the
country still has some time to go. “The Indian economy needs time to
mature, and a mature economy can better adapt to these changing needs of the
e-world.” She’s not alone in her belief. Other experts say that being a
late starter in the e-business and the Internet-led economy has tremendous
advantages for India Inc. “We can definitely learn from what the West has
been facing all these years and avoid repeating them,” says Verma. “In
fact, that’s the reason why we want the laws and regulations in place before
actually opening our economy to the wired world.”

SHUBHENDU PARTH
in New Delhi
