Has the Sony Experience Changed the Security Perception? How should the Indian Government respond?

It appears that the hacking of Sony Pictures, in which corporate data has been destroyed and compromised, has exposed a new dimension of Cyber warfare. According to the FBI, the hack was attributed to the North Korean Government and the motive was the prevention of the release of a Hollywood movie involving the theme of assassination of a North Korean leader. Of course, North Korea has denied the charge.

The issue highlights the potential for damage to corporate business assets arising out of such state sponsored high impact attacks. Such attacks can occur on other corporates in future, either as a targeted attack or as a part of Cyber terrorism.

Indian corporates face the specific risk of Pakistan sponsored attackers intending to damage the Indian economic infrastructure.

It is time therefore for Indian Companies to initiate appropriate security measures so that they can ensure business continuity if such debilitating attacks are targeted at them.

Apart from hardening of the security on an ongoing basis, most companies need to revisit their Disaster Recovery Programs (DRP). Many companies need to establish a DRP where there is none, and upgrade it if they have only a basic facility.

As a result of this new threat perception and the necessary mitigation measures, the cost of maintaining the IT infrastructure would increase significantly.

The Government of India therefore needs to think about what its responsibility is in providing a security blanket to Indian Corporates against such attacks coming from enemy states. It appears that this is a National Defense Responsibility rather than an information security responsibility of an individual company.

There are two immediate actions that the Government may contemplate.

1. The first requirement is to provide some kind of defense cover to Indian corporates by offering financial support that directly promotes higher cyber security investments by corporates. This could be in the form of setting up National Secured Data Centers in different parts of the country, where companies can be provided DR hosting facilities at a reasonable cost.

2. The second is to recognize that such attacks on private citizens of one country by another state actor are “Terrorism” and should be handled as such by the international community. India should join an international consortium with the US to develop a “Global Cyber Security Force of Democratic Nations” that can attack and bring down the rogue states who mount cyber wars on the citizens of other countries. This should be discussed during the visit of Mr Obama to India next month.

The Sony attack is a defining moment in global cyber security, and we cannot afford to ignore the event, as the next such attack could come upon one of our own global players.

Naavi

Related Articles:

5 ways how Sony Hack will Change how America will do business
Hollywood Reporter
Security Week
US Cert Advisory


Is there a Mehdi in my company?


Mehdi Massor Biswas, the Bangalore-based employee of an ITC group company, was arrested by the Police for having maintained the Twitter account Shami Witness, in which he was promoting ISIS ideology.

While the Police will continue their investigation and punish the guilty, the HR manager at ITC would be wondering how he/she could have failed to find out that a radical jihadist was working with them. Some may argue that Mehdi was very clever and carried a “Dual Personality”, exhibiting only his quiet professional face in the organization and doing what he did during his free time. Some may even say that the organization has no responsibility for what an employee does during his spare time.

But let us not forget that ITC employed a jihadist and paid him a salary of about Rs 5.3 lakhs per annum. In a way this was funding a terrorist. However unpalatable it may look, there is no way the organization can say it has not indirectly supported a global terror movement.

If so, can the Company officials be held liable under “Vicarious Liability”? This depends on whether the company officials had knowledge of Mehdi’s character as a Jihadi sympathizer and failed to take any action since nothing happened during office time using office infrastructure. If so, they would be liable for not taking such steps as would be necessary to prevent the crime. This responsibility would also fall on Mr Mehdi’s co-workers, who might have had more information than the HR Manager himself.

Had the Company practiced “Due Diligence” or “Reasonable Security Practices” to identify vulnerabilities in its human resources and applied risk mitigation measures, perhaps the crime would have been detected earlier.

Now that the incident is behind us, not only ITC but also other companies need to review their HR and Security policies to check if they have a Mehdi in their company: a person who is a radicalized “terror sympathizer” and who carries the risk of committing a terrorist campaign or even a terror attack, either within the company or in India or elsewhere.

If there is any such person in their company, they need to take action to remove him from any sensitive positions and, if necessary, from the organization itself. If in doubt, he needs to be kept under watch for action at a later time. Probably there is also a need to share such information with the intelligence authorities.

How do we identify persons who could be causing trouble? Well, this is a million dollar question. The normal “Background Verification”, where a report about the person’s previous employment etc. is verified, is inadequate since the people providing reports are not always truthful. They tend to suppress any adverse report, either because they are unsure of their assessment or because they are sympathetic to the employee even though he might have been chucked out of their organization.

We therefore need other means to identify the behavioural traits of a person during the time the person is working for the organization. The first step in this direction is to implement a “Whistle Blower Policy”, because there is a high likelihood of the Mehdi type of person unwittingly exposing himself to his co-workers. A well managed whistle blower policy would help identify such a person at the earliest.

Additionally, one needs to adopt sophisticated psychological measures to spot persons with a deviant tendency. This could be done through behavioural analytics applied in a non-intrusive manner to map the behavioural tendencies of employees. Maybe the well known behavioural theories used in criminal psychology can be applied to identify persons who have a deviant tendency.

In the coming days, this domain of Behaviour Science will be a new skill requirement for HR Managers and Security managers.

Related Article: ITC Confirms..

Naavi


ISIS Propaganda from a Bengaluru Executive?

It is a shocking revelation that one of the most prominent Twitter handles carrying on ISIS propaganda happens to be that of a young professional working in Bengaluru in an MNC firm.

Report

The Twitter handle was titled Shami Witness and the person is identified by his pseudonym Mehdi.

The incident highlights how terrorism has spread its wings to young professionals with a good educational background. It is unfortunate that the Police in Bengaluru had no inkling of the goings on.

It also highlights the failure of the employee behaviour monitoring system in the organization in which the person was employed, and HR professionals need to think of new ways of identifying such deviant minds working in the system.

Naavi

P.S: Another question which the Governments of India and Karnataka need to answer is this: just as they banned Uber and other app based taxi services, will they ban the ad company in which the person was employed, and also other ad companies!


Government Fails to understand the Uber business model


The incident in Delhi, involving an Uber taxi driver (a known criminal convicted earlier) committing rape of a girl who was using the taxi service to get a drop back to her house at around midnight after attending a party and pub, has exposed the inability of the Government of India to understand the business model of app based taxi services.

When officials who do not understand business try to regulate a business that they do not understand, we cannot but see bizarre knee jerk reactions all round. So far the Government is talking of banning the taxi services without realizing that companies such as Uber, Ola or Taxi for Sure do not run a taxi service as we traditionally understand it. They provide certain technology services to the drivers (who may also be the owners) of vehicles which are available for ad hoc hiring. They are “Communication Management Companies” or a “Digital Call Center service” trying to bring together the commuters and the vehicle owners to meet mutual requirements. Everything else is “Perception”.

In a way, the problem being faced by the app based taxi services in India is similar to the problems faced by the Bitcoin community some time back, when RBI came down heavily on the system, taking it as a challenge to the currency system.

In the case of Bitcoins, the system was promoted and perceived as a “Currency” replacing the Rupee or Dollar, whereas it was a “commodity” acceptable for exchange of goods and services in a “Limited Voluntary user forum”. The mistake was that of both the community which promoted it as a currency and the regulators who considered it as a currency.

Now, as regards Uber, Taxi for Sure and Ola, they are not “Fleet Operators” who own vehicles under a permit and run them with the help of drivers employed either on a salary basis or on a contract basis. In the “app based taxi service”, if anybody has to be registered as a “Commercial Taxi”, it is the individual driver who operates the taxi and not the Ubers or Olas. It is incorrect to even call them “Taxi operators”. They must be called “Aggregators” acting on behalf of the drivers. In fact it is more appropriate to consider the Ubers and Olas as the agents of the taxi drivers and not the other way round.

It would therefore not be possible for the transport department to register them as taxi operators without a change of law. If this path of changing the law to consider Ubers and Olas as taxi operators is attempted by any of the State Governments, it could lead to more legal complications than what they are trying to solve. As per the current laws, perhaps a single vehicle owner can register himself as a “Commercial Taxi Operator”, and this law is sufficient to address the needs of the drivers who are affiliated to the Ubers or Olas.

The Ubers and Olas would still be liable as an “Intermediary”, with some vicarious liabilities arising out of representing themselves as “Principals owning the taxis” instead of “Agents for Booking”. Their liability will be more like that of the “Cyber Cafes”.

If the Government tries to define the Ubers and Olas as “Fleet Operators”, then it also needs to consider the impact of such an interpretation on private bus booking agents, train or air ticket booking agents, tour operators etc. If the Government says that Ubers and Olas cannot run their business without owning the vehicles themselves, then similar rules would have to be made for all other cab operators and auto rickshaw operators also, so that only the owners may run the business. This will be impractical and cannot be implemented. In that case the app based service providers can consider that they are being discriminated against and that their fundamental right to run a business of their choice is being unfairly curtailed. If challenged, the Supreme Court may have to declare such laws unconstitutional.

If the role of Ubers and Olas as a technology intermediary is recognized, their technology strengths can be harnessed by the Government to ensure that consumers get good service, and at the same time technology can be used in various ways to improve the security of passengers.

Naavi


Uber failed in ITA 2008 Compliance


Before we proceed, let me make one point clear. Banning of Uber and other “App Based Taxi Services” is completely unacceptable. It is an immature reaction to the incident and should be reversed immediately.

We need to learn from the incident and make a root cause analysis to identify what improvements can be brought into the system. If we have any hope of building “Smart Cities”, we need to be capable of managing “Smart Taxi Services”. If a similar approach had been adopted to Banking, where there have been hundreds of frauds, we would have closed internet and mobile banking long back.

The app based taxi services such as Uber, Ola or Taxi For Sure are extremely convenient to the public. It is also a great way of providing employment, where individuals can throw their resources into a pool and earn a living. In Bengaluru, Ola is extending the service to Autos, and it can be a great boon to the public if properly handled. The benefits of the service are too overwhelming to be denied to the public just because of the misdeed of one driver.

We need to find out how the service can be improved and made more secure without banning the service. In this context we can explore whether ITA 2008 compliance would have assisted the app based companies to improve the security of their service.

Under ITA 2008, the services of the app based taxi operators would be recognized as those of an “Intermediary”. They receive messages from members and transmit them to the service providers. In the process they add value to the service by various means. Such a service could also be provided by a telephone call center. The app is a digital tool that does the work better.

The “App Center”, which could be a “Web Site” that operates in the background, needs to be compliant with Section 79 of ITA 2008. According to ITA 2008, the App Center (or its owner, which is the company such as Uber) needs to exercise “Due Diligence” and “Reasonable Security Practice”, failing which it would be liable for any contravention of ITA 2008.

The offence in question however falls under IPC, committed with the use of electronic documents to lure the customer. However, when the driver switched off the app to facilitate the crime, he caused “Disruption” of service, which is a contravention under Section 43 of ITA 2008 as well as an offence under Section 66 of ITA 2008. It will also attract Section 85 of ITA 2008, according to which the individuals who are in charge of the business of the company may be held personally liable for the civil and criminal liabilities arising out of the incident.

If the app company needs to defend itself against the liabilities arising out of the contravention, it needs to show observance of “Due Diligence” and “Reasonable Security Practice”.

A proper interpretation of the provisions of ITA 2008 indicates that there should be a “Privacy Policy” and an appropriate disclosure policy when the intermediary collects and uses sensitive personal information from the public for providing the service. The enrolled drivers would be “Business Associates” of the company, and the company (Intermediary) needs to have appropriate policies, procedures and controls in place to ensure that information passed on to them is used only for the purpose for which it was provided, namely to provide the taxi service and nothing else.

Such security measures would include anticipating the failure of the network when the service provider loses connectivity with the driver, either because he can switch it off or because the network may not be available, together with the counter measures that are considered reasonable to address the consequences. This is a “Threat” and a “Vulnerability” that leads to a “Risk” that needs to be mitigated.

Such reasonable counter measures could be “Alerting the Passenger” and his/her emergency contacts that “The taxi in which the passenger is travelling is temporarily out of contact and its last known location was ….” and also alerting the nearest police control room. In the instant case, it would have woken up the passenger and enabled her to protect herself better.

The Police may say that they do not have the resources to respond to such alerts since there would be too many false alarms. But if the first alert from the app is corroborated by a subsequent alert from, say, the passenger using a security app of their own, then the police can swing into action through the patrol vehicles to check. Also, the passenger can confirm when the booking is made whether he/she has accompanying passengers or is travelling alone, which can tag the alert as “Non Critical” or “Critical”.
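The loss-of-contact alerting described in the last few paragraphs can be written down as a small monitor. The following Python is an added illustration for this post, not code from Uber, Ola or any other operator; the two-minute heartbeat timeout, the ride and alert field names, the constructed timeline and the placeholder emergency contact are all assumptions. It shows the three rules the post argues for: an alert to the passenger, emergency contacts and police control room with the last known location once the driver app goes silent, a Critical / Non Critical tag taken from the travelling-alone answer given at booking, and patrol dispatch only after the passenger's own alert corroborates the app's alert.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed threshold: how long a missing driver-app heartbeat is tolerated before
# the ride is treated as "out of contact" (not a figure from the post).
HEARTBEAT_TIMEOUT = timedelta(minutes=2)


@dataclass
class Ride:
    ride_id: str
    travelling_alone: bool          # confirmed by the passenger at booking time
    emergency_contacts: list
    last_seen: datetime = None      # time of the last driver-app heartbeat
    last_location: tuple = None     # (lat, lon) reported with that heartbeat
    out_of_contact: bool = False
    passenger_sos: bool = False     # independent alert from the passenger's own app
    alerts: list = field(default_factory=list)


class RideMonitor:
    """Tracks driver-app heartbeats and raises tiered alerts on loss of contact."""

    def __init__(self, timeout=HEARTBEAT_TIMEOUT):
        self.timeout = timeout
        self.rides = {}

    def start_ride(self, ride_id, travelling_alone, emergency_contacts, at, location):
        ride = Ride(ride_id, travelling_alone, list(emergency_contacts), at, location)
        self.rides[ride_id] = ride
        return ride

    def heartbeat(self, ride_id, at, location):
        """Driver app checked in: record position and clear any out-of-contact state."""
        ride = self.rides[ride_id]
        ride.last_seen, ride.last_location = at, location
        if ride.out_of_contact:
            ride.out_of_contact = False
            ride.alerts.append({"kind": "contact_restored", "at": at, "location": location})

    def passenger_alert(self, ride_id, at):
        """Second, independent signal: the passenger raised an alarm from her own app."""
        ride = self.rides[ride_id]
        ride.passenger_sos = True
        ride.alerts.append({"kind": "passenger_sos", "at": at})

    def check(self, ride_id, now):
        """Run periodically; returns the alerts newly raised by this call."""
        ride = self.rides[ride_id]
        new = []
        if not ride.out_of_contact and now - ride.last_seen > self.timeout:
            ride.out_of_contact = True
            severity = "Critical" if ride.travelling_alone else "Non Critical"
            alert = {
                "kind": "out_of_contact",
                "severity": severity,
                "at": now,
                "last_seen": ride.last_seen,
                "last_location": ride.last_location,
                "notify": ["passenger", *ride.emergency_contacts, "police_control_room"],
                "message": ("The taxi in which the passenger is travelling is temporarily "
                            f"out of contact and its last known location was {ride.last_location}"),
            }
            ride.alerts.append(alert)
            new.append(alert)
        # Patrol dispatch only when the app's alert is corroborated by the passenger's own alert,
        # so a dropped mobile signal on its own does not send a patrol vehicle.
        already_dispatched = any(a["kind"] == "dispatch_patrol" for a in ride.alerts)
        if ride.out_of_contact and ride.passenger_sos and not already_dispatched:
            alert = {"kind": "dispatch_patrol", "at": now, "last_location": ride.last_location}
            ride.alerts.append(alert)
            new.append(alert)
        return new


def run_scenario(travelling_alone=True):
    """Constructed timeline: heartbeats stop, then the passenger sends her own alert."""
    t0 = datetime(2014, 12, 6, 0, 0)
    mon = RideMonitor()
    mon.start_ride("R1", travelling_alone, ["+91-XXXXXXXXXX"], t0, (28.61, 77.21))  # placeholder contact
    mon.heartbeat("R1", t0 + timedelta(minutes=1), (28.62, 77.22))
    first = mon.check("R1", t0 + timedelta(minutes=2))    # one minute silent: within timeout
    second = mon.check("R1", t0 + timedelta(minutes=4))   # three minutes silent: out-of-contact alert
    third = mon.check("R1", t0 + timedelta(minutes=5))    # still silent, no SOS: nothing new
    mon.passenger_alert("R1", t0 + timedelta(minutes=6))
    fourth = mon.check("R1", t0 + timedelta(minutes=6))   # corroborated: dispatch patrol
    return first, second, third, fourth


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The monitor is deliberately state-based rather than event-based: `check()` is meant to be called on a timer for every active ride, so a driver who switches the app off is caught even though the app sends nothing at all. The `contact_restored` entry matters for the police side of the post's argument, because an alert that is quickly cancelled is exactly the false alarm that a patrol should not be sent for.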

The background verification of the drivers would however be an essential part of the security, and can be used to tag the drivers as “Verified” or otherwise.

The beauty of technology is that if we are innovative, we can up the security several notches and make the life of the citizens that much more secure.

We hope that our administrators understand the power of technology and use it properly rather than banning the use of technology for managing the taxi services. In the coming days the app based transport services will be an integral part of “smart city life” and it would be unwise to interrupt this technology development.

I also urge the app taxi operators to immediately form a forum of their own and develop a “Standard Security Procedure” to be an “industry practice”. They can then seek approval of such information security practice under Section 43A of ITA 2008 as a “Reasonable Security Practice”.

This would protect their business from knee jerk and arbitrary regulations from different Governments and harassment from corrupt politicians and police.

Naavi


Cost of Data Breach in India


Business Managers always have difficulty in appreciating the need for investment in Information Security. Money is always a scarce resource in any organization and there are always competing demands. Managers often prefer a marketing investment over an IS investment, since the benefits of a marketing activity are more visible and often immediate.

An investment in IS is however meant to prevent an adverse incident, and if it is successful, then we may often not recognize the benefit. Nobody may recognize that there was indeed a threat and that it was prevented because of the IS investment. Even at the initial decision making stage, it is difficult for the business manager to appreciate why he should invest in IS when there has been no adverse impact on the organization in the past.

In the light of this dilemma, it is interesting that the Ponemon Institute has released an eye opening 2014 survey report quantifying the cost of data breach in India. Though the impact of a security threat may differ from one organization to another, there are certain observations in the report of which every manager needs to take note.

For example:

1. The survey points out that the cost of data breach in India increased by 31% in the last year, from Rs 2271/- to Rs 3098/-. This is the cost for one lost or stolen data record. In actual practice, whenever there is a data breach incident in an organization, data is lost in large numbers. The average total organizational cost according to the study is therefore reported to have increased by 32%, from Rs 6 crores to Rs 8.3 crores.

If therefore there is a probability of one breach in an organization, then the cost would be around Rs 7 crores. It should also be remembered that the cost of loss in the Financial Sector, such as Banks, is nearly twice the above average.

Hence one breach is all that it takes to close down a business. That single killer breach can occur at any time, because there are a number of threats lurking in the environment and a number of unattended vulnerabilities in the organization. It can also occur because a company has a lakh employees and any one of them can cause the breach for various reasons, including negligence, lack of awareness and malicious intention.

Every company therefore has to check if it has the ability to survive even one breach incident if it occurs in its organization. If not, then it should not argue over the investment required in mitigating the risk, even if the risk mitigation may not guarantee 100% elimination of the risk.

2. The survey observes that customers abandon organizations at a higher rate following a data breach. It is natural that customers abandon organizations if a security breach in that organization puts the customer’s own business at risk of loss. On average, customer turnover after a data breach increased by 11%. Marketing personnel who compete for investment with the IS department should consider that they need to get that much more new business to protect their revenue if they try to snatch investment from the IS departments. In financial terms, the average cost of lost business increased from Rs 1.53 crores to Rs 2.01 crores during the year.

3. The study also goes on to state that the cost of data breach can come down by around 9% merely by the appointment of a CISO. It can come down further by around 12% with a good incident response plan, and by another 20% with a strong security posture and Business Continuity program. In other words, the study predicts that around 40% of the cost of data breach can be brought down by simple IS measures, and therein lies an indication of the ROI on IS investments.

These figures must be sufficient for any business manager to understand that cutting investment in information security does not reflect prudence.

Refer here for more details

Related Article.

Naavi
