A quote by Jane Addams, a pioneering American settlement activist, reformer and social worker, is worth remembering while we discuss security: “The good we secure for ourselves is precarious and uncertain, until it is secured for all of us and incorporated into our common life.”
Matthew Broderick made hacking look like a game in WarGames, way back in 1983. Those days are over. Hacking is now real and a billion-dollar business. The World Economic Forum’s 2016 Global Risks Report estimates that crime in cyberspace will cost the global economy $445 Bn in 2016, rising at 30% per annum over the next two years. Hewlett Packard and the U.S.-based Ponemon Institute, in their Cost of Cyber Crime study, put the average annual cost of cyber attacks to a single organization at $7.7 Mn. More recently, the 2016 heist at Bangladesh Bank, the country’s central bank, was a very sophisticated operation: fraudulent SWIFT payment orders moved about $100 Mn out of its account at the Federal Reserve Bank of New York, most of which was never recovered. WannaCry and NotPetya (the latter, despite its ransom note, not designed to make money at all) are still fresh in our memory, and both struck organizations in our country.
The share of phishing emails carrying some form of ransomware grew to 97.25% in Q3 2016, up from 92% in Q1 2016, according to PhishMe’s Q3 2016 Malware Review. Phishing email has continued to grow as the delivery vector for ransomware.
The Eurograbber scam in Europe, back in 2012, planted a banking trojan on victims’ PCs and mobile phones to intercept the SMS one-time passwords (OTPs) of tens of thousands of bank customers; a similar “Sandroid” botnet intercepted around 28,000 OTP text messages from customers of major Middle East financial institutions. Operation Emmental, documented by Trend Micro in July 2014, targeted customers of more than 30 banks in Austria, Switzerland, Sweden and Japan, and presumably millions were stolen from both consumer and commercial accounts; the attackers planted a rogue root certificate, redirected victims to fake banking sites and tricked them into installing a malicious Android app that forwarded their SMS OTPs. These attacks demonstrated that criminals are upping their game and devising new ways to defeat SMS OTPs, which were never designed to withstand malware on the very phone that receives them. The threat looms over organizations of every stripe and size, private and public, in every corner of the globe.
In September 2017, news broke that the consumer credit reporting agency Equifax had suffered a catastrophic breach that began the preceding May. Attackers gained access to the personal data of nearly 150 million American citizens, close to half of the country’s population, including full names, Social Security numbers, addresses and dates of birth; the entry point was a known, unpatched flaw in the Apache Struts framework on a public-facing web application. The swiftly unfolding scandal sent the company’s stock plummeting by about a third, wiping out billions of dollars of market value. At the time of writing, three senior Equifax executives are under federal investigation for allegedly selling stock before the breach was disclosed.
It was last November that the UIDAI asserted, “Aadhaar data is fully safe and secure and there has been no data leak or breach.” It made the same claim on 3rd January this year, the very day it took just Rs 500, paid through Paytm, and 10 minutes for an “agent” of the group running the racket to create a “gateway” for a Tribune correspondent and hand over a login ID and password. With that login, one could enter any Aadhaar number into the portal and instantly retrieve every particular the individual had submitted to the UIDAI, including name, address, postal code (PIN), photo, phone number and email.
Attackers are innovative, disruptive, unstructured and technology savvy, and they move faster than the structured development processes that governments depend on. Data theft, sometimes through hacking and sometimes by exploiting weaknesses in the last mile or anywhere in the operational supply chain, is therefore always a possibility. For anyone to claim a foolproof system is a myth, let alone the UIDAI. In a bid to address privacy concerns, the UIDAI a few days ago introduced a ‘Virtual ID’: a temporary 16-digit number that the holder can generate, and regenerate at will, from the UIDAI website and use for purposes such as SIM verification instead of sharing the actual 12-digit Aadhaar number. This gives users the option of not disclosing their Aadhaar number at the time of authentication. It is akin to the one-time password (OTP) your bank sends by SMS every time you log in or transfer money, in that it is short-lived and replaceable, but note what it is not: a Virtual ID is an alias for the identifier, not a secret credential, so it is as vulnerable to phishing as an OTP, and it does nothing for data that has already leaked from the database or through a compromised agent portal of the kind the Tribune exposed. Complete safety is a myth; one can only build multiple layers of security. The new kids on the block are technology savvy and extremely motivated.
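To make the distinction between an alias and a secret concrete, here is a toy model of a Virtual ID style scheme in Python. This is an added example, not UIDAI’s code and not a description of its actual design; it assumes one live 16-digit alias per holder, that regenerating the alias revokes the previous one, and that the authority answers relying parties with yes/no only. The names AliasDirectory, RelyingParty and walk_through, and the enrolment record, are this example’s own constructions.

```python
"""Toy model of a Virtual ID (VID) style alias scheme.

Constructed example, not UIDAI's code. Assumptions: one live 16-digit alias
per holder, regenerating the alias revokes the previous one, and the
directory answers relying parties with yes/no only (never the identifier).
"""
import secrets
from typing import Dict

DIGITS = "0123456789"


class AliasDirectory:
    """The identity authority. Holds the only alias -> permanent-ID mapping."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}   # permanent ID -> demographic record
        self._alias_to_id: Dict[str, str] = {}          # live alias -> permanent ID
        self._current_alias: Dict[str, str] = {}        # permanent ID -> its live alias

    def enrol(self, permanent_id: str, record: Dict[str, str]) -> None:
        self._records[permanent_id] = dict(record)

    def issue_alias(self, permanent_id: str) -> str:
        """Mint a fresh random 16-digit alias and revoke the holder's previous one."""
        if permanent_id not in self._records:
            raise KeyError("unknown identifier")
        self.revoke(permanent_id)
        while True:
            alias = "".join(secrets.choice(DIGITS) for _ in range(16))
            if alias not in self._alias_to_id:          # collision guard
                break
        self._alias_to_id[alias] = permanent_id
        self._current_alias[permanent_id] = alias
        return alias

    def revoke(self, permanent_id: str) -> None:
        """Kill the holder's live alias, if any; a phished copy dies with it."""
        old = self._current_alias.pop(permanent_id, None)
        if old is not None:
            del self._alias_to_id[old]

    def verify(self, alias: str, claimed: Dict[str, str]) -> bool:
        """Relying-party API: does a live alias belong to a holder whose record
        matches every claimed field? The permanent ID never leaves this method."""
        pid = self._alias_to_id.get(alias)
        if pid is None:
            return False
        record = self._records[pid]
        return all(record.get(k) == v for k, v in claimed.items())


class RelyingParty:
    """A telecom doing SIM verification. It keeps only the alias it was shown."""

    def __init__(self, directory: AliasDirectory) -> None:
        self._directory = directory
        self.customers: Dict[str, str] = {}             # phone number -> alias on file

    def verify_sim(self, phone: str, alias: str, name: str) -> bool:
        ok = self._directory.verify(alias, {"name": name})
        if ok:
            self.customers[phone] = alias
        return ok


def walk_through() -> Dict[str, bool]:
    """Holder, telecom and phisher in turn; returns the outcome of each step."""
    directory = AliasDirectory()
    permanent_id = "123412341234"                       # constructed, not a real number
    directory.enrol(permanent_id, {"name": "Asha Rao", "pin": "110001"})  # constructed record
    telecom = RelyingParty(directory)

    vid = directory.issue_alias(permanent_id)
    first_ok = telecom.verify_sim("9800000001", vid, "Asha Rao")

    # A phisher who tricks the holder out of the VID and name passes the same
    # check: the VID is an alias, not a secret.
    phished_ok = directory.verify(vid, {"name": "Asha Rao"})

    # The holder regenerates the VID; the phished copy is dead from this point.
    new_vid = directory.issue_alias(permanent_id)
    phished_after = directory.verify(vid, {"name": "Asha Rao"})
    new_ok = directory.verify(new_vid, {"name": "Asha Rao"})

    return {
        "first_verification": first_ok,
        "phished_vid_works_until_regenerated": phished_ok,
        "phished_vid_after_regeneration": phished_after,
        "new_vid_works": new_ok,
        "relying_party_never_saw_permanent_id": permanent_id not in telecom.customers.values(),
    }


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step}: {outcome}")
```

Run it and the steps print in order. Two things the paragraph above only states fall out of the code: the phished VID passes verification right up until the holder regenerates it, so the useful control is prompt regeneration rather than secrecy, and the telecom’s customers table is left holding a dead alias after regeneration, so a relying party cannot re-verify a stored VID later. The _records table inside AliasDirectory is exactly the data a compromised agent portal leaks, and no amount of aliasing at the front door protects it.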
Security policy, regulatory compliance, user awareness programs, access control, security audit, incident response, encryption, firewalls and, finally, anti-virus are all important aspects of security, and most of them are highly technical in nature. Learning, training and re-training on a regular basis therefore become cardinal.
Governments have to work overtime to make the nation safer than it was in the days preceding, especially after the global terrorist attacks. Cyber security is a cross-cutting thread through every other infrastructure and the underlying foundation for the operation of every business and government function. Unlike physical vulnerabilities, cyber security vulnerabilities and threats can change in seconds, and protective measures can become obsolete just as quickly.
We need a cyberspace security response system, a security threat and vulnerability reduction program, and a security awareness and training program. Together these would secure government cyberspace and let the country embark on an effective international cyberspace security cooperation model.
A good way to begin would be to create a registry of cyber security experts at the operational level. A cyber security program divided into four levels would create trained professionals at each level, accredited with a white, blue, green or black belt. A 240-hour training at each level, with hands-on learning on live systems, would populate the registry. The registry would also keep tabs on trained personnel, since today’s experts could easily become tomorrow’s attackers in an ever-expanding and innovative field. Personnel from the registry could then be deputed to address different classes of vulnerabilities and intrusions, simultaneously populating a database of experts, vulnerabilities and the security solutions applied.
Besides creating a pool of experts for this country, and for other countries as well, a registry of security breaches and their fixes would become available to support research into future breaches, spinning off several new job opportunities, not to speak of the immense benefits that accrue, such as predicting future attacks.
The past of cyber security was young and immature. Attackers were more innovative than defenders, who were mired in FUD (fear, uncertainty and doubt). Attacking back was illegal or classified. Today, cyber security is a scientific discipline, application and technology centric, with a full understanding that cyber security will never be “solved” but only “managed”. Further, attacking back is now treated as an integral part of cyber security, though it remains a capability of state agencies acting under law: for private organizations, hacking back is still illegal in most jurisdictions, India included. Remember, attackers hold a sizable inventory of known but unused or rarely used tricks and are highly innovative.
It is extremely important that all present security initiatives are built as business cases: the cost of poor security must be measurable and must actually be measured. Large policy changes must be supported with a robust, targeted communications plan, supporting services and documentation. Patch management practices, incentives and mass communications must be shared with the private sector, including the owners and operators of critical information infrastructure. Improving performance on cyber risk assessments and remediation must include a plan for Internet-related recovery in the event of a disaster or coordinated attack, working closely with cyber first responders from the registry across national, state, local and private sectors.
Finally, the strategy must also support research, development and educational activities to improve cyber security products and services so that they are user friendly and keep pace with risk and technology. A cyber security knowledge database and an expert system that raises alerts on possible cybercrime threats based on heuristics, statistical models and the like is imperative.
A security debate would probably not end without remembering what Benjamin Franklin, one of the founding fathers of the United States, said on liberty: “Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.”