Recently I came across two intresting information in one of the online security forums (InfoSec).

One is a statistics on registered Cyber Crime cases in India (http://ncrb.nic.in/CII2007/cii-2007/CHAP18.pdf)

Very intresting data collection and seems to follow the genral IT trends in india.

Cyber crime is classified under IPC and IT Act. IPC related cyber crimes are the generic crime which uses electronic medium as an aide (forged electronic documents) whereas IT Act is specifically related to Hacking and other very computer specific crimes.

Some highlights : Most of the defendents are in the age group 18-30, with most cases in Karnataka, Kerala, Andhra and Maharashtra with metros leading. Obscene media distribution tops the list followed by hacking. IT savvy states are also leading the hacking incidences.

That brings me to the issue of IT Act amendement that was passed on Dec 23 2008.

http://economictimes.indiatimes.com/articleshow/msid-3875931,prtpage-1.cms

http://prsindia.org/docs/bills/1168510210/1168510210_The_Information_Technology__Amendment__Bill__2006.pdf

There have been grumblings about how the bill was passed without any discussion. But keeping that aside, amendments do seem to be reflecting the cyber crime trends.

Specific amendements are added to deal with obscene content, privacy and data handling. Digital signatures are being made more legal and givernamnet is given more power for interception and analyses.

While bill is a welcome move, the overall issue in my opinion is still of Awareness and Enforcement of cyber laws.

On that note, wishing you a Very Happy New Year !!

Are the customers ready to trust a service provider to store their private data?

Individual home users have very less information that has to be secured but what about the advertisement based on the users data. Where is the user’s privacy? Should the user buy privacy?

            As a corporate do we wish to store the company specific information in a server where we have no control? What about the NDA's? What if my data is sold/stolen without my knowledge?

Is it really worth the ROI?

Individual users have very less sensitive data and there seems no big benefit of accessing information where ever the users goes other than the mail box.

            But as a corporate yes there is a huge benefit in terms of the principal equipment cost, support and maintenance charges for software as a utility rather than an investment in capital assets. Think about the amount of laptops that are lost every year and the security risk involved with the stolen laptops or any other thick clients. The boon of accessing information from anywhere without any additional cost and infrastructure is very attractive for a global business.

Being security experts we wish to organize all the data in one place and secure that place tightly rather than securing each and every thick client.

Some ways to overcome these problems

·         Ensure more transparency between the cloud service providers and cloud consumer.

·         Have better SLA’s and clear security policies, privacy policies and Data ownership policies.

·         The provider should have both physical and logical security infrastructures.

·         Trusted third party’s to overlook the cloud service providers activity and compliance.

I am in Hyderabad attending the DSCI (Data Security Council of India) conference (http://www.nasscom.in/Nasscom/Templates/CustomEvents.aspx?id=54143). Aujas also did one day training on Application Security which was well received.

Naturally recent unfortunate events in Mumbai have formed the backdrop for lot of speeches, offline discussions and dinner conversations.

One of the recurring theme in the conference and the security industry is the people being the weakest link. It could be lack of awareness, lack of empowerment or lack of responsibility. Enterprise security cannot be complete without this aspect.

Taking it to the national level it is becoming apparent that it is high time for common people to join hands with the government for national security. Heartening is the fact that there is strong urge among security professionals to contribute in some way to the national security. This makes sense given that the patterns of digital security and national security is very similar.

In the given instance, one can easily draw analogies between digital security and national security.

· Perimeter security (Sea Route),

· Intrusions detection (Terrorists stayed inside without detection),

· Deep packet inspection, Incident Response (Delayed response),

· Management commitment (Lack of political will),

· Employee Awareness (Suspicious activity was not informed to anyone),

· Background checks, Business Intelligence and Correlation (Co-operation among intelligence agencies) and finally

· The RISK Management (National Security policy)

have all become more significant than ever before. Moreover Digital world is more advanced as it is easier to attack and hence security mechanisms have evolved with attacks. So far digital world mimicked the real world, but given the evolution, is it time for real world to mimic the digital world?

I have online accounts with many financial institutions and I do most of my transactions online. Being a security conscious user, I take all precautions for using strong and different passwords along with managing my passwords in a secure way. But frankly, all these are too much complicated. The fear of mis-managing the passwords and possibility of your bank account being pilfered remains.

Password based authentication is past its use-by-date. With the current advances in technology and skills, password authentication is like providing passbook to the person who mentions the account number (an unsophisticated but a real life example in non urban banking in India till couple of years back). I am not going into the details of how a password can be cracked or known by others. The main problem is that once password is known, the intruder's job is done and he has uninterrupted access.

Two-factor authentication alleviates this adding one more factor for authentication. Along with password (which you know), you need to provide information based on what you have. One of my bank has given me security token which generates an unique number every time I press a key. I need to enter this number along with password for authentication. So even if my password is compromised, an intruder cannot login as he does not have this token and cannot specify the unique number. Of-course there are various other ways to provide the second factor in authentication based on what you have (software based token, phone, cell phone). Again the advantages are same.

Note that two-factor authentication is not solution for ‘Man-In-Middle’ or Trojan attacks. Both of these attacks will not need your the input passwords or unique numbers. These attacks which take place with the help of phishing are more active threats to be worried about. But that is a topic for another post.  

In summary, by using two-factor authentication, we are just strengthening the already existing security mechanism against a known threat and not really dealing with any new threats. So in that way two-factor authentication has become a first step in any security implementation.

Of course the psychological effects or physical harm cannot be that easily quantified. My 5 year son is still shocked that someone tried to break into our neighbour's house, couple of months earlier. So security mechanisms at my house is sort a trade-off considering the loss of tangibles and intangibles, and how much I am willing to spend.

Business security is much more complex, but very much similar to personal security example quoted above. It should protect the organization, its ability to perform their mission and not just its IT assets.  It should also consider the factors like confidence loss and bad publicity, perception of market, investors and all stakeholders. Finally is should also take into consideration the amount of money spent on security versus the value of assets that is being protected.

Any Risk Assessment activity starts with understanding and collecting system related information. The paper <link given below> from NIST elaborates on this activity. It classifies and gives details of the IT system related information which can be collected. It also enumerates some techniques to collect such information.

http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/info/reference/nist/draft-special-publications/sp-800-30-rev-a-draft.pdf

Another related activity is business impact analysis. It analyzes the impact associated with the compromise of information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets.  Identifying, classifying and associating a cost to the information helps to concentrate on realistic threats among the innumerable threat perceptions. It would also help in deciding quantity of investment and any other tradeoffs which would be made with respect to security. 

             We automatically do risk assessment and impact analysis when it comes to our personal security, to ensure a comfort level.  Organizations need to do the same but in a more systematic way. Only then, they will be sure on how much to spend on security and where to focus. It would also be a good beginning for measuring the Security Return on Investment (RoI).

TRAI has released a recommendation for VOIP on August this year (http://www.trai.gov.in/trai/upload/Recommendations/99/recom18aug08.pdf)

This has removed the final hurdle in terms of implementing VOIP on a large scale basis and has been hailed as the step in the right direction.

While benefits are many including cost savings, ease of implementation, convergence and value added services, it also brings with it a slew of security issues.

For Service Providers:

One of the interesting aspects, telephony being of national importance, is that of Lawful Interception. The recommendation while noting the vulnerabilities of internet as a medium notes that along with string encryption service providers need to make sure interception is possible. But given the real time nature of the VOIP networks, latency introduced by security is a big concern.

This adds a significant complexity for service providers. Moreover VOIP network is prone to frauds and sophisticated controls are needed to block the man-in-the-middle attacks and call frauds, to stop the unscrupulous people from stealing the network time.

For Customers:

Given the benefits, it makes business sense for enterprises to go for VOIP solutions. However one needs to take care of the security issues with VOIP. It is easy to spoof and is open for interceptions.

Security solutions including voice based firewalls (telecom firewalls) may need to be implemented to protect the VOIP network security. Regular audit of the telecom network is also a must to address to safeguard against known and newly found vulnerabilities.

It is essential to treat VOIP network as any other network and manage the security.

Wi-Fi security has caught attention of laymen and the experts alike. After the recent frenzy in the media, it is now the turn of the regulators and compliance frameworks. PCI DSS 1.2 (https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf) has been released and is seen as an improvement rather than a replacement for PCI DSS 1.1. Of the few changes, two factors are significant, one the mandatory Application security aspect which was announced earlier and the other is the stringent measures suggested for Wi-Fi.

PCI DSS 1.2 now mandates use of 802.1x implementation for Wi-Fi networks. The current 802.11i implementation that use WEP and WPA need to be replaced. New implementations of WEP are not allowed after March 31, 2009. Current Wi-Fi implementations must discontinue use of WEP after June 30, 2010. 802.1x uses a client, service provider and an authentication server (such as RADIUS) as part of the access control and provides sophisticated access control. While the intention seems to secure the Wi-Fi network, this will in fact drive proper Identity and Access management throughout the enterprise.

Another interesting aspect is turning off SSID, is removed and is no longer a requirement. Reason given is it wouldn't help much, as SSID is available through other communication channels. Given that security is always a layered approach, I wonder what was the necessity of removing this? Convenience? Your comments are welcome!

Key factors are as below.

• Placing secure login boxes on insecure pages: A full 47 percent of banks were guilty of this. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest information. In a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim. To solve this problem, banks should use the standard "secure socket layer" (SSL) protocol on pages that ask for sensitive information, (SSL-protected pages begin with https rather than http.) Most banks use SSL technology for some of their pages, but only a minority secure all their pages this way.
• Putting contact information and security advice on insecure pages: At 55 percent, this was the flaw with the most offenders. An attacker could change an address or phone number and set up his own call center to gather private data from customers who need help. Banks tend to be less cautious with information that's easy to find elsewhere, Prakash says. But customers trust that the information on the bank's site is correct. This problem could be solved by securing these pages with the standard SSL protocol.
• Having a breach in the chain of trust: When the bank redirects customers to a site outside the bank's domain for certain transactions without warning, it has failed to maintain a context for good security decisions, Prakash says. He found this problem in 30 percent of the banks surveyed. Often the look of the site changes, as well as URL and it's hard for the user to know whether to trust this new site. The solution is to warn users they'll be moving off the bank's site to a trusted new site. Or the bank could house all of its pages on the same server. This problem often arises when banks outsource some security functions.
• Allowing inadequate user IDs and passwords: Researchers looked for sites that use social security numbers or e-mail addresses as user ids. While this information is easy for customers to remember, it's also easy to guess or find out. Researchers also looked for sites that didn't state a policy on passwords or that allowed weak passwords. Twenty-eight percent of sites surveyed had one of these flaws.
• E-mailing security-sensitive information insecurely: The e-mail data path is generally not secure, yet 31 percent of bank Web sites had this flaw. These banks offered to e-mail passwords or statements. In the case of statements, users often weren't told whether they would receive a link, the actual statement, or a notification that the statement was available.

This is to me a is a classic SDLC (Software Development Life Cycle) issue.  As anyone worth their keyboard in Software Development world know, the earlier the flaw creeps in the cycle, the fix becomes more costly and time consuming. The root cause again is, security was never part of the original software development philosophy. It was always an afterthought or an add-on and even now when there is considerable awareness, security is limited to access control and encryption rather than comprehensive security. Its high time critical software development adapt thorough secure SDLC approaches.