Naavi.org

In a shameful security lapse by the Jail authorities, 8 dreaded convicted SIMI terrorists have reportedly escaped from a Bhopal prison considered one of the secure jails, after overpowering and killing just one guard. The guard was strangulated in a hand combat and not through any sophisticated weapons, indicating the primitive security that the jail had.

See the report here

There is no doubt that the escape was made possible by corruption in the system and hopefully the corrupt persons will be brought to book.

In the meantime, it is important for the serious professionals in the Law Enforcement System to completely revamp the security systems in our jails and make it impossible for such escapes to happen.

There was a time when private sector used to hire retired Policemen for their security thinking that they are good in preventing thefts and burglaries in the industrial premises. Later when the industry realized that the most precious asset they have is in the form of “Information” and not in the form of physical assets, they started hiring “Electronic Security Experts” to manage security and today they have risen to the ranks of “CISO”s in the industry and occupy a coveted post.

Even in the Information Security scenario, physical security is an important component and therefore there are either specialized physical security manpower assisting the CISO or the CISOs themselves are experts in physical security also. Since most of the Physical security gadgets today are in fact “Electronic Devices”, there is a lot of “information Security Expertise” required even to manage the “Physical Security”.

Now that private sector has developed an expertise in preventing unauthorized persons gaining entry into a secure physical premises, it is time to use this expertise in reverse to prevent unauthorized exit of people from the so called “Jails” .

We therefore look forward to the LEA immediately reinforcing the security of Jails by appointing an expert corporate CISO and install the various physical security gadgets that can prevent unauthorized escape of inmates of a jail.

First and the most important security measure that needs to be taken for high security prisoners such as terrorists is to monitor them on a 24×7 basis through a GPS collar or an implant device which cannot be easily removed without raising an alarm at multiple centers with multiple security levels. These devices should be monitored at all times even when the prisoners are sleeping and intelligence should be built in to identify any unusual patterns of movements of the prisoners.

Raising the perimeter wall, implanting electronic surveillance systems like “Mines on the Walls” to monitor any attempted scaling of the walls as well as CCTV cameras are normal security measures which should anyway be in place.

The security should be built with the “Defense in Depth” concept with multiple layers separated by mantraps, turnstiles and other similar devices which make it impossible for anybody to force their way out without raising alarm.

I wish the Jail authorities go through the available systems for prison security  (Check here) worldwide and incorporate them in our country too. (Also check this Report)

There is no doubt that the best secured prisons will also be broken some day. But it requires that much more expertise to break the Techno-Physical security systems and such attempts have to come from outside hackers which the SOC of the prison can try to tackle.

Probably this should also create lot more job opportunities for IS persons who want to serve the nation. Man of them may take up such assignments out of their love for the nation if  Mr Modi makes a call.

In the meantime, I urge some corporate security teams to offer their services to secure the local prisons on a voluntary basis under Corproate Social Responsibilities….. Let’s see if there is a political will.

Naavi

A few months back, Corporation Bank suddenly changed its account numbering system and issued new account numbers to all its customers.  While doing so, it was expected that the Bank would prepare it’s systems to manage the transition by accepting old account numbers for a certain period of time so that if any remittances are received with the old account numbers, the amount would be automatically credited to the new accounts.

This could have been easily done with the maintenance of a mapping database which mapped the new numbers to the old numbers and initiating a process of checking of the data base whenever an error is logged. It could have been a manual intervention at this stage also if required.

Unfortunately, the system engineers did not plan the transition properly and hence NEFT remittances received in the new account number were rejected by the system. The old numbers are still getting accepted indicating that some systems have not yet been updated.

The branch does not seem to have a clue on this error and are unable to provide a solution. They seem to think that there could be problems in interbank remittances but not in corporation bank to corporation bank remittances.

I would like to draw the attention of the Bank to this problem which besides being a customer service issue could also be looked at as a “Denial of Service Issue”. If remittances are not received, businesses may not be able to conduct their regular business transactions and the ripple effect of this would be on many of the Bank’s customers as well as the business associates of the customers.

It is possible that the problem may be at the Switch maintained by NPCI or IDRBT where there may be a cache of account particulars which is rejecting the transactions due to the mismatch between the new account number and the names associated with the old account numbers.

I hope that the IT personnel of the Bank will be alert to this note and set things right at the earliest.

Naavi

Yesterday (29th October 2016), there was an ODI cricket match between India and New Zealand in which we saw the Indian cricketers sporting new tea shirts carrying the names of their mothers on their back. So Dhoni wore a jersy which read “Devaki” and Kohli wore a jersy showing “Saroj”. Other players also wore jersies showing their respective names of their mothers except one in which there was a “printing error” as we understand.

Women rights activists might have hailed the initiative of Star TV as a new found empowerment of women and importance given to the mothers. Apparently it was so. But for those who are aware of “Cyber Risks”, the first thing that struck was that what we were seeing was “mother’s maiden name” which is a typical parameter used for recovery of forgotten passwords in many of the websites. The dates of birth of all these cricketers are already known and that forms another critical parameter of recovery of forgotten passwords.

With two of the forgotten password recovery keys now being available to the millions of viewers, the social media accounts and may be some e-mail and bank accounts of our favourite crickets might have been placed at a risk of compromise.

So far security architects thought that there was some confidentiality in “Mother’s Maiden Name” and used it as a security parameter. This has been destroyed by the Star TV campaign perhaps without realizing the damage they have done to the system.

Now all companies who are using the “Mother’s Maiden Name” as a security parameter should drop it and use some thing else such as “What is your Pet’s Name”?, “What is your Favourite Actor?” etc. This is therefore a Y2K moment for all such companies to spend money to erase the “Mother’s Maiden Name” from the list of security questions.

I am not sure how much cost is there to the community in such a massive exercise ..all caused by some hair brained marketing person and/or the Advertising agency who/which thought of this campaign.

If there is any specific incident following this where a financial loss occurs to any of these cricketers, they should hold Star TV responsible for the loss and claim damages. At the same time, “Due Diligence” and “Reasonable” security practices would require recognition of this cyber risk by the security community and a change of processes wherever it is required to eliminate this “Known Risk”.

Naavi

Naavi has been expressing a thought that India should work at being the Global Hub for ODR and hence the services of odrglobal.in needs to be promoted vigorously.

Today IE reports the following quote from Mr Modi.

“Seeking that India emerge as a global hub for arbitration, the PM pointed out that businesses seek assurances that commercial disputes would be resolved efficiently. Hence, a robust legal framework backed by a vibrant arbitration culture is essential, he said. This alternative dispute resolution should simultaneously facilitate arbitration, mediation and conciliation, Modi said. “This will provide additional comfort to investors and businesses. More importantly, it will also ease the case load on Indian courts. An enabling alternative dispute resolution ecosystem is a national priority for India. We need to promote India globally as an arbitration hub,” he said.

CJI Mr T.S. Thakur concurred with the view and said the “ever increasing avalanche of cases” to push this alternative method of resolving commercial disputes.They were addressing a global conference on ‘National Initiative Towards Strengthening Arbitration and Enforcement in India’.

Refer Article here

Hope they also see value in the existence of a ready to use service in www.odrgloal.in and encourage its adoption in some organizations under their control.

Naavi

RBI in continuation of its fire fighting efforts after the “Mega Data Breach” in the Indian banking system has suggested that the “CISO” (Chief Information Security Officer) in a Bank which is already a senior position is to be upgraded from an “Operational Level” to a “Strategic Level”. (Refer article in IE).

The Gopalakrishna Committee which in 2011 gave a comprehensive recommendations on the E Banking security (Refer here for more information) which included the Administrative structure for Information Security Management. It included a Board Level Committee followed by an Executive Level Committee and a mandatory position of CISO etc.

Any sensible information security structure places the role of CISO as a top level officer who needs to be consulted on new product releases and other strategic initiatives besides managing the day to day security issues.

Again in June this year, RBI gave further mandatory instructions in the form of Cyber Security Framework.

Now RBI for the umpteenth time has reiterated the importance to be given to the CISO in the organization. Banks need to now look at whether the CISO should be at the Chief Officer level or at AGM/DGM level or at GM level.

Also it is important to note that the roles of the Chief Compliance officer and Chief Security Officer in an organization overlaps with the role of the CISO. For a proper functioning of the system it is necessary to identify that there is an apex level “Chief Security Officer” who oversees the work of the Information Security officer, the Physical Security Officer and the Compliance officer.

Ideally, such a person in the Bank should ideally be at the Executive Director’s level. At present there are a few Banks who may have multiple “Executive Directors”. Probably there should be one exclusively designated as “Executive Director-Security”.

We hope some Bank takes the lead in creating the CISO at the Executive Director’s level who naturally will be supported by several Deputy CISO s at lower levels.

Naavi

Related Article:

RBI points out many shortcomings of Banks

Banks should not get away

People Distrust on Plastic money Grows

If you find a pen drive in the Car Park or elsewhere, What are you likely to do? …particularly If you find it with your company sticker?

In a recent survey, in the University of Illinois, 48%  of the respondents said that they would not only pick it up, but connect it to the computer to find out to whom it belongs or what it contains. The first drive used in the survey was tried within 6 minutes when a malware in the drive generated a signal to the researchers. A majority (68%) of the persons who picked up the drive took no precautions with the drives. 16% scanned the drive for anti-virus. It is interesting to note that 8% decided to try it on the office computer and not on their personal computer so that the risk could be offloaded into the office computer. Another 8% trusted their system and tried it despite knowing the risk.

In another experiment conducted by CompTIC in four US cities Chicago, Cleveland, San Fransisco ad Washington DC. 20% of the drives were picked up and plugged in the drives to their computers and opened various files, clicking unfamiliar weblinks etc..all considered risky from the point of view of malware infection possibilities.

It is clear that therefore a “Dropped USB Drive” is a good system for hackers to get into the otherwise secured corporate systems. When malwares such as “Stuxnet” can be configured to target specific companies, specific devices, run in stealth, defeat the anti-virus systems etc, it is therefore no surprise that we are at a risk that needs to be contained with proper education of our employees.

Today, if we find an unattended bag in an airport lounge or a box even in a public place, we donot touch them. We call the Police and the Bomb Disposal squad since we know the risk. Similarly,if some stranger asks us to carry a gift packet during travel or offerf biscuits while travelling in a train, we shun them because we know the risks.

Similarly we need to learn that if we find a Pen Drive either on the street or more so in the Company vicinity, there is every possibility that a stuxnet type malware which could be also a ransomware be hiding inside and may get into any system in stealth the moment it is connected. Only an expert who runs it in a sandboxed environment can try to find out what it contains.

Let’s therefore inform all our employees today about this “Dropped Pen Drive Attack”

Naavi