The Information Technology (Amendment) Act, 2008 an act to amend the IT Act 2000 received the assent of the President on 5^th February 2009. Several legal & security experts are in the process of analyzing the contents and possible impacts of the amendments. The objective of this note is to try and study the possible implications and impacts on Indian companies. This note is not intended to be a comprehensive analysis of the amendments, but only certain key points which could impact Indian Companies.

1. Data Protection

The IT Act 2000 did not have any specific reference to Data Protection, the closet being a provision to treat data vandalism as an offence. The Government introduced a separate bill called “Personal Data Protection Act 2006” which his pending in the Parliament and is likely to lapse. The ITA 2008 has introduced two sections which address Data Protection aspects to an extent, which gives rise to certain key considerations for the sector.

The sections under consideration are:

• Section 43A: Compensation for failure to protect data
• Section 72A: Punishment for disclosure of information in breach of lawful contract

• Section 43A states

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected. 

By way of explanation: “Body corporate means Indian companies”

“Reasonable security practices mean a mutual contract between the customer and service provider OR as per the specified law. In absence of both then as specified by the Central Government”

Hence it would be important for Indian companies to seriously look at SLA’s and agreements which have been signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.

A major modification is that this clause doesn’t mention the compensation limit of Rs. 1 Crore which was there as part of section 43 of the ITA 2000. This implies that there is no upper limit for damages that can be claimed. This essentially is “unlimited liability” for Indian companies, which could cause serious business implications.

Section 72A:

Under this section disclosure without consent exposes a person including an "intermediary" to three years improsonment of fine upto Rs. Five lacs or both. 
This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence it could apply to any information which is obtained in order to deliver services. Hence in some ways broadens the definition of information.

2. Information Preservation
Across the amendments there are several references to “service providers” or “intermediaries”, which in some form would apply to all Indian companies.

e.g. Section 67C: Preservation and Retention of information by intermediaries.

Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe”. Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with an imprisonment for a term which may extend to 3 years and shall also be liable to fine.

The notifications on time for preservation etc. are not yet released. However since this is a “cognizable” offence any police inspector can start investigations against the CEO of a company.

Apart from the two aspects discussed in this note, there are other areas which could also be considerations for E.g.

Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.

Sec 69B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security.etc.

In summary, IT Risk management and response needs to be looked at by all companies for various reasons including customer assurance, compliance, customer regulations, protection of information assets etc. The ITA 2008 amendments provide us with few additional factors for considerations which could have significant impact on business. Information technology regulations and laws would only get more stringent and defined; hence it’s imperative for organizations to be aware and prepared.

Today’s recession is pushing the business to move to cloud which can convert the CapEx cost to OpEx cost. Here is a glimpse of latest security news from Google Docs.

“We’ve identified and fixed a bug where a very small percentage of users shared some of their documents inadvertently.”

“We’re sorry for the trouble this has caused. We understand our users’ concerns (in fact, we were affected by this bug ourselves) and we’re treating this very seriously.”

This is a serious threat to privacy and trust. Think about a business confidential document shared with a competitor? Who will take ownership of the losses incurred?  The issue indicates how dangerous cloud can be. 

Security is the biggest factor that prevents organizations from adopting cloud, but this did not stop the companies from building products that are less secured. Google’s issue is very simple fundamental design issue. To understand it lets see the three fundamental security design patterns.

•   Single Access Point

• Authentication and Authorization Point

• User-Role-Privilege

The Single Access Point pattern was implemented but the second and third patterns have been buggy that allowed people to view all the documents. As always security is an afterthought. The lack of security awareness  and not following Secure SDLC will cause havoc in cloud computing business.

The only solution would be to bring in security standards, audits and publically present this information. It's really raining out there in cloud just an umbrella cannot help.

Few weeks ago, as part of the DSCI Bangalore Chapter (http://www.dsci.in) one of the Business Leader presented his security concerns of his organizations. When asked what is the one problem that security professionals need to address, he said, the information about people behavioral aspects in terms of security. How does one gather and share the information ? How does one do background checks on the people. He felt and I agree that people are the weakest link and if there is a way to figure out the behavioral patterns than that would help control security incidence.

 
Cut to last week I attended Emtech 2009 (http://www.emtechindia.in/) a premier technology conference in India. Lot of interesting technologies from Biofuel to stem cell to Nano. One of the interesting and relevant technology demos that I saw was implementation of Analytics, data mining and predictive algorithms to publicly available data on internet say terrorists. For example it is now well known fact that many organizations act as front of terrorist organizations and they are well masqueraded in terms hierarchies of valid and invalid organizations. Individuals working in these organizations may be connected to banned organization. The data is then organized by links and layers and one can do a search on any organization to see if they are connected by any remote link to terrorist organization. 

So what do you think is it time for security analytics in personnel space ? or there would privacy issues in this ?

Most organizations today have allowed employees to download software from websites, and has become a routine with most. Generally it’s the admin or the user who downloads the software’s and installs them, failing to verify the authenticity of the website, from which it is being downloaded; even the experienced administrators fail to do so.

As you all know it’s easy to create a binary for open source software’s as the code is readily available. But there are also ways to alter a binary file without the code. A binary file could be altered to perform various other tasks. In windows a good win32 programmer can easily hijack the code. In theory the data and other sensitive information can be easily stolen. Even your antivirus can not detect this kind of attack.

Take example of a sample attack for win32 program:

Open any win32 application with a debugger. These debuggers have sophisticated ways to identify the system calls. It’s a no brainer for a windows programmer to identify the system calls and add break point to trace the exact location. Using this tool, we can exactly decide where we need to hijack to accomplish a certain task.

Once decided the place to hack, we need to decide where to place the hack code inside the binary. As per windows PE format the binary is organized as sections whose size is the multiple of file alignment value. So there is a high chance that we can always find some free space inside the segments to place our hack code. Use the Portable Executable (PE) identification tools to see the segments.

Open the EXE in hex editor, a powerful one like Hiew and change the API call that we identified to jump to a free location where we would write our new functionality. At the end, the function jumps back to the original location to continue the execution of the program. You can also call an external file to accomplish more work.

Either open source or binaries are susceptible to the same attacks. It’s always advised to download software from a trusted site and also make it a practice to download and verify the checksums of the software from an official website.

Build security in your organization: From process to application…

Recently I came across two intresting information in one of the online security forums (InfoSec).

One is a statistics on registered Cyber Crime cases in India (http://ncrb.nic.in/CII2007/cii-2007/CHAP18.pdf)

Very intresting data collection and seems to follow the genral IT trends in india.

Cyber crime is classified under IPC and IT Act. IPC related cyber crimes are the generic crime which uses electronic medium as an aide (forged electronic documents) whereas IT Act is specifically related to Hacking and other very computer specific crimes.

Some highlights : Most of the defendents are in the age group 18-30, with most cases in Karnataka, Kerala, Andhra and Maharashtra with metros leading. Obscene media distribution tops the list followed by hacking. IT savvy states are also leading the hacking incidences.

That brings me to the issue of IT Act amendement that was passed on Dec 23 2008.

http://economictimes.indiatimes.com/articleshow/msid-3875931,prtpage-1.cms

http://prsindia.org/docs/bills/1168510210/1168510210_The_Information_Technology__Amendment__Bill__2006.pdf

There have been grumblings about how the bill was passed without any discussion. But keeping that aside, amendments do seem to be reflecting the cyber crime trends.

Specific amendements are added to deal with obscene content, privacy and data handling. Digital signatures are being made more legal and givernamnet is given more power for interception and analyses.

While bill is a welcome move, the overall issue in my opinion is still of Awareness and Enforcement of cyber laws.

On that note, wishing you a Very Happy New Year !!

Are the customers ready to trust a service provider to store their private data?

Individual home users have very less information that has to be secured but what about the advertisement based on the users data. Where is the user’s privacy? Should the user buy privacy?

            As a corporate do we wish to store the company specific information in a server where we have no control? What about the NDA's? What if my data is sold/stolen without my knowledge?

Is it really worth the ROI?

Individual users have very less sensitive data and there seems no big benefit of accessing information where ever the users goes other than the mail box.

            But as a corporate yes there is a huge benefit in terms of the principal equipment cost, support and maintenance charges for software as a utility rather than an investment in capital assets. Think about the amount of laptops that are lost every year and the security risk involved with the stolen laptops or any other thick clients. The boon of accessing information from anywhere without any additional cost and infrastructure is very attractive for a global business.

Being security experts we wish to organize all the data in one place and secure that place tightly rather than securing each and every thick client.

Some ways to overcome these problems

·         Ensure more transparency between the cloud service providers and cloud consumer.

·         Have better SLA’s and clear security policies, privacy policies and Data ownership policies.

·         The provider should have both physical and logical security infrastructures.

·         Trusted third party’s to overlook the cloud service providers activity and compliance.

I am in Hyderabad attending the DSCI (Data Security Council of India) conference (http://www.nasscom.in/Nasscom/Templates/CustomEvents.aspx?id=54143). Aujas also did one day training on Application Security which was well received.

· Perimeter security (Sea Route),

· Intrusions detection (Terrorists stayed inside without detection),

· Deep packet inspection, Incident Response (Delayed response),

· Management commitment (Lack of political will),

· Employee Awareness (Suspicious activity was not informed to anyone),

· Background checks, Business Intelligence and Correlation (Co-operation among intelligence agencies) and finally

· The RISK Management (National Security policy)

have all become more significant than ever before. Moreover Digital world is more advanced as it is easier to attack and hence security mechanisms have evolved with attacks. So far digital world mimicked the real world, but given the evolution, is it time for real world to mimic the digital world?

I have online accounts with many financial institutions and I do most of my transactions online. Being a security conscious user, I take all precautions for using strong and different passwords along with managing my passwords in a secure way. But frankly, all these are too much complicated. The fear of mis-managing the passwords and possibility of your bank account being pilfered remains.

Password based authentication is past its use-by-date. With the current advances in technology and skills, password authentication is like providing passbook to the person who mentions the account number (an unsophisticated but a real life example in non urban banking in India till couple of years back). I am not going into the details of how a password can be cracked or known by others. The main problem is that once password is known, the intruder's job is done and he has uninterrupted access.

Two-factor authentication alleviates this adding one more factor for authentication. Along with password (which you know), you need to provide information based on what you have. One of my bank has given me security token which generates an unique number every time I press a key. I need to enter this number along with password for authentication. So even if my password is compromised, an intruder cannot login as he does not have this token and cannot specify the unique number. Of-course there are various other ways to provide the second factor in authentication based on what you have (software based token, phone, cell phone). Again the advantages are same.

Note that two-factor authentication is not solution for ‘Man-In-Middle’ or Trojan attacks. Both of these attacks will not need your the input passwords or unique numbers. These attacks which take place with the help of phishing are more active threats to be worried about. But that is a topic for another post.  

In summary, by using two-factor authentication, we are just strengthening the already existing security mechanism against a known threat and not really dealing with any new threats. So in that way two-factor authentication has become a first step in any security implementation.

One suggestion I always get from visitors to my house is to add additional security measures. Instances of all sorts of potential attacks and burglary are quoted. Some suggestions are good, but some down-right impractical (apart from the fact that it is not easy to do major alterations in the house). My standard response is, the current security is enough to protect  the assets in the house. At any instant, I approximately know how much I am going to lose (in monetary terms) in case of a burglary.

Of course the psychological effects or physical harm cannot be that easily quantified. My 5 year son is still shocked that someone tried to break into our neighbour's house, couple of months earlier. So security mechanisms at my house is sort a trade-off considering the loss of tangibles and intangibles, and how much I am willing to spend.

Business security is much more complex, but very much similar to personal security example quoted above. It should protect the organization, its ability to perform their mission and not just its IT assets.  It should also consider the factors like confidence loss and bad publicity, perception of market, investors and all stakeholders. Finally is should also take into consideration the amount of money spent on security versus the value of assets that is being protected.

Any Risk Assessment activity starts with understanding and collecting system related information. The paper <link given below> from NIST elaborates on this activity. It classifies and gives details of the IT system related information which can be collected. It also enumerates some techniques to collect such information.

http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/info/reference/nist/draft-special-publications/sp-800-30-rev-a-draft.pdf

Another related activity is business impact analysis. It analyzes the impact associated with the compromise of information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets.  Identifying, classifying and associating a cost to the information helps to concentrate on realistic threats among the innumerable threat perceptions. It would also help in deciding quantity of investment and any other tradeoffs which would be made with respect to security. 

             We automatically do risk assessment and impact analysis when it comes to our personal security, to ensure a comfort level.  Organizations need to do the same but in a more systematic way. Only then, they will be sure on how much to spend on security and where to focus. It would also be a good beginning for measuring the Security Return on Investment (RoI).