The Zero-Day Market: Some Insights

Zero-day vulnerabilities are software flaws that cyber criminals exploit before the software developer learns of them and fixes them through a patch or upgrade. Since such vulnerabilities are not yet known to security companies such as anti-virus or anti-malware vendors, exploits for them are at their most effective and hardest to detect.

Honest citizens would find it disgusting to know that there is a thriving market for exploits in which the “Zero Day” tag carries a premium. As long as this market thrives, control of cyber crime remains difficult. Unfortunately, even some law enforcement agencies appear to be buying these tools for surveillance purposes, thereby legitimizing these criminal operations. This is similar to the physical arms trade, where some countries thrive by supplying arms to terrorist organizations and rogue nations.

Recently one of these underground operators, an Italian company called “Hacking Team” which was a supplier of “exploits”, was exposed. This was a typical inter-gang war type of operation: another hacker broke into Hacking Team's systems and placed voluminous data in the public domain. This not only revealed the customer list of this company, which called itself a “Security Company”, but also how the company marketed its capability to supply zero-day exploits, how it priced these services, the kind of warranties it provided to its customers, etc.

A case study on the information now available in the public domain is available here.

One of the interesting aspects is the observation that zero-day exploits were priced at around $45,000 per month, and that Hacking Team even provided free replacement of exploits which were patched quickly by the software vendor, as part of its “warranty”. It is also to be noted that the Italian Government was aware of the company's operations and did not consider them either immoral or illegal. It is also depressing to note that many law enforcement agencies have been customers of this “Cyber Arms Supplier”.

It has been reported that the US is considering a new law that may classify information security products as “Cyber War Tools”. If this happens, the activities of Hacking Team and similar outfits will actually become outlawed.

It is time we as a society think about how we react to such developments in the interest of the citizens. India, being a major victim of terrorism and an economy dependent on IT, needs to take up this issue with the UNO to formulate a strategy for dealing with “Cyber Arm Dealers”. Perhaps there should be an international treaty sponsored by the UNO which prevents Governmental patronage of such hacking outfits, who would otherwise find their illegal activities rewarded in monetary terms. The public, on the other hand, will be the victims of the experimentation involved in the development of these Cyber War tools sponsored by state actors. Environmentalists who fight against nuclear testing need to turn their attention to the damage done to the E-Ecosystem by the testing and development of hacking tools by such organizations and their supporting state actors.

Naavi

Posted in Cyber Law | Leave a comment

Do You Have a Question on Cyber Law?

Spreading the knowledge of Cyber Law has been a mission for Naavi. In continuation of this effort, Naavi has launched an Android App which can be used to send questions on Cyber Law to Naavi.

The App titled “Cyber Law Guru” is available on Google App Store.

This app is meant to answer general questions on Cyber Law as an educative exercise and is not meant for legal consultancy. If you have any questions which you want to ask Naavi outside the App, please send an e-mail.

Naavi

Should the IS Community Be Bearish on Cyber Insurance?

Information Security professionals think that all the talk of Cyber Insurance is nonsense, since the risks are so huge that any company that insures cyber risks is doomed to fail. Is this negative thinking justified? Let's explore.

Cyber Insurance is a concept where an insured person or organization looks to recover a loss suffered on account of an adverse cyber event. For an individual, the adverse cyber event could be a financial fraud in which he loses money from his bank account. For an organization, it could be a denial of service attack that causes business loss, or a hacking/data theft that reduces business competitiveness. In the case of “Intermediaries” who process third party data, the adverse event could also be a theft or compromise of customer data leading to liabilities payable to customers.

While an individual would be happy if somebody could provide insurance cover against losses on account of banking frauds, he does not know whether such policies are available and, if available, what they cost. Some Banks are persuading their credit card customers to take such fraud insurance, but the costs are unreasonably high and the policies are meant to cover liabilities that the Banks are expected to bear legally. Why should a customer bear the cost if the Bank makes a payment against a forgery? So the individual does not know how he should approach Cyber Insurance. But he does expect the Government and the regulators who are keen on Digital India to do something to ensure that the financial risks of common day-to-day activities do not increase. Hence there is a need to push the Government for a Cyber Fraud Prevention Policy. Insurance companies are also not very keen on the retail market, since the administrative cost may make the business uneconomical for them to manage.

At the same time, providing Cyber Insurance to corporates is considered a lucrative business for the Cyber Insurance companies, and this market is in a take-off stage. There is, however, a lack of statistical data on risks, and hence the Cyber Insurance companies try to cap their liabilities by imposing several restrictions on claims.

In fact, Information Security professionals generally dismiss the talk of Cyber Insurance, since they think that the threats are so great that anybody thinking of providing insurance to this sector is foolish. The more they know about the threats, vulnerabilities and risks, the less confidence they have in the feasibility of the Cyber Insurance proposition.

But what the IS professionals are not aware of is that the insurance industry has seen risks of many types and has devised its own ingenious ways of providing insurance cover in an environment of uncertainty while still managing the risks.

For example, one way in which the Cyber Insurance companies manage their risks is to put a cap on their liability per claim or per incident, with sub-limits of various types. Accordingly, for DDoS liability, the Cyber Insurance policy may place a limit on the loss per hour of disruption and cap the total loss at, say, one day of disruption (this may vary from industry to industry). Similarly, in a data loss situation there can be a limit on loss per unit of data lost, and a limit on total data loss in a single event and across multiple events during the policy period.

As a result, even if a data loss incident is estimated to cause a loss of Rs 5 crores and the company has a policy of, say, Rs 25 lakhs, the actual loss reimbursed for a given data loss or DDoS disruption incident may be only, say, Rs 5 lakhs. Thus the Rs 25 lakhs of risk that the insurer has underwritten is spread over five incidents in a year, and if not the first, then the subsequent losses can be attributed to the insured not having taken adequate security measures despite an earlier warning, which may be a ground for rejecting a claim. As a result, despite underwriting a policy of Rs 25 lakhs, and despite the insured suffering a loss of more than Rs 25 lakhs, the insurance company may not really lose Rs 25 lakhs.

Some may jump to the conclusion that this is not fair. But what the insured needs to understand is that, just as an IS professional manages his technology risks, the Cyber Insurance professional manages his financial risks and has to have his shields. In the process, it becomes necessary for the IS professional to ensure that “similar” security breach incidents do not occur repeatedly in his company, that each security breach does not result in a runaway loss, and that the company returns to its normal business within a short time. Essentially, having insurance does not allow the IS professional to be complacent. He has to be more responsible.

The Information Security professional therefore has to appreciate that Cyber Insurers are ingenious enough to take on only such risks as they can bear. In fact, it is the best of the Information Security professionals who will be assisting the Cyber Insurance companies in formulating policy conditions, conducting pre-insurance evaluations and assessing claims. The best forensic professionals are engaged by the industry to find the root cause of an incident and whether there is any ground to attribute the loss to the negligence of the company. So the Cyber Insurers are fully aware of the risks they are underwriting and have taken the necessary steps to meet their liabilities even when a zero-day attack creates havoc in the insured company.

It is clear, therefore, that Information Security professionals need to shed their bearish outlook on the Cyber Insurance industry and appreciate that this is an industry set to grow rapidly in the coming years. In fact, Information Security professionals should be excited about the new career opportunities that the Cyber Insurance industry is opening up, both among the prospective users of Cyber Insurance products and within the Cyber Insurance industry itself.

Naavi

Cyber Security Subsidy for SMEs in UK

After the attack on Sony in the US, Naavi.org had pointed out that there is a need for Government subsidies to SMEs towards the maintenance of cyber security. Now, in a move which supports this view, the UK Government has come up with an innovative scheme to improve cyber security investment in SMEs through a system of cyber security vouchers that cover expenses such as hiring experts.

Read the article here

The launch of the voucher scheme is part of a package of initiatives designed to increase the resilience of UK businesses to cyber-attacks. The new £1 million UK cyber security innovation vouchers scheme will offer micro, small and medium sized businesses up to £5,000 for specialist advice to boost their cyber security and protect new business ideas and intellectual property.

There is a lesson in this for India's Digital India managers. We also need a similar scheme to augment cyber security in the system.

The scheme needs to be innovatively designed and effectively supervised so as to ensure that the funds are used productively.

This could be part of the overall Cyber Security policy of the Government, and needs to be explored further.

Naavi

Why Do We Need a Cyber Fraud Prevention Policy?

The Ministry of Information Technology already has a National Cyber Security Policy, adopted in 2013 under the Kapil Sibal ministry and continued by the new Government. The Cyber Security Task Force of NASSCOM-DSCI has tried to take a deeper look at the policy issues involved in the Digital India initiative, which may require some changes to the strategic elements of the policy.

The National Cyber Security Policy 2013 states the following as its vision:

“To build a secure and resilient cyberspace for citizens, businesses and Government”

The Mission statement proceeds to state as under:

“To Protect Information and Information Infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation”

It may be observed that while the vision statement includes the “security of citizens” as one of the objectives, the mission statement focuses only on “Protection of Information and Information Infrastructure”. Protection of “Citizens” is not found in the mission statement. This is the typical approach to information security which we often call the “Technical Approach”, which fails to recognize that behind every piece of information there are “people”. This approach also fails to recognize that when there is a breach of information security, these information owners get hurt, and hence an information security policy should treat the protection of the people behind the information as the main objective of any security initiative.

To draw a parallel, if there is a terrorist attack on a building containing people, the security objective of “secure the building from collapsing” will be good enough to prevent the people from direct exposure to gunfire, but will not be sufficient to prevent a biological warfare attack in which a lethal gas is aimed at the air vents. The security focus cannot therefore be the building, but the people behind the walls of the building.

Similarly, the vision and mission statements of a National Cyber Security Policy should consider the protection of Citizens as the core focus, and cannot stop at protecting the infrastructure, which is only a step in that direction.

This is the prime reason why the National Cyber Security Policy as it exists is inadequate to protect the Citizens (who will also be Netizens in this context), and why we need a separate policy for the protection of Citizens and Netizens. (Naavi.org has once called them “Cinezens”.)

Since we already have a National Cyber Security Policy in place, in order to ensure the protection of Citizens and Netizens without needing to scrap this policy, we suggest building additional sub-policies within the cyber security policy to protect the people from the vagaries of Cyber Space.

The role of this policy within the overall context is indicated below.

[Figure: cyber_fraud_policy2 – role of the Cyber Fraud Prevention Policy within the overall National Cyber Security Policy]

The protection of people from the adverse impact of developments in Cyber Space has two distinct facets. One is the “Financial Impact” and the other is the “Non-Financial Impact”. The non-financial impact consists of reputational harm that is difficult to convert into monetary terms. All other adverse aspects of Cyber Crime/Terrorism/Warfare that have a financial impact can be brought under one category.

We need a policy exclusively addressing the protection of Citizens from such financial losses. We can have a single policy to address all incidents of financial loss suffered by Citizens, irrespective of whether the loss is caused by an act of Cyber Crime, Cyber Terrorism or Cyber Warfare. This aggregation is required since the end victim cannot distinguish whether a crime was committed by an individual for himself, on behalf of a terror outfit, or for a state actor.

It is this sub-policy which we shall call the “Cyber Fraud Prevention Policy”, and we urge the Government to formulate it as a part of the Digital India project.

The undersigned has created a local circle on www.localcircles.com, titled “Save Digital India from Cyber Frauds”, to take this discussion further. If you have a view on this subject and wish to contribute to the formulation of a draft policy which can be forwarded to the Government, I request you to join the local circle.

Naavi

Save Digital India From Cyber Frauds

We are all Netizens who depend on the Internet for our day-to-day communications as well as transactions. It has been several days since we last visited a Bank physically, and we are happy to transact through the Internet and mobiles. Come to think of it, all our financial assets, whether Bank savings or shares, are in the form of digital assets and are controlled through mobile apps.

Ask any Cyber Security expert and he will vouch that apps are inherently unsafe, and so are computers. Targeted phishing, sophisticated trojans created by state actors, spyware created by hacker networks which even the FBI is willing to buy, and a well developed underworld where our credit card and ATM card details are available for a price all threaten every rupee that we hold in the Banks.

Recently, the Economic Times carried an article titled “Cyber frauds increased after growth in mobile banking, NEFT and RTGS: Study”. The article referred to a study conducted by ASSOCHAM and stated that mobile banking is being used by 2.2 crore account holders out of the 58 crore total bank account holders in India. Mobile banking transactions themselves jumped from Rs 1819 crores in 2011/12 to over Rs 10000 crores in 2014/15. The study also stated that mobile frauds jumped from Rs 10 crores in 2011/12 to around Rs 70 crores in 2014/15. This indicates that while usage grew by 5 times, frauds grew faster, by 7 times. In other words, frauds are growing at a rate 40% faster than usage.

If we consider that fraud data is under-reported, it is clear that frauds grow at rates faster than usage. An extrapolation of the ASSOCHAM study indicates that if, in the next decade, the entire banking population starts using mobile banking, frauds would grow to around Rs 2100 crores. Our own estimate is that even this is an underestimation.

These frauds only take into account individual cyber crimes. If we consider the possibility of cyber terrorism and cyber warfare, cyber risks can create an economic wipe-out of our country if we do not realize the risks and take effective counter-action.

Does the Government of India, which is set to usher in a “Digital India” for our benefit, know about the risks? We should say that they do know the risks. After all, Mr Modi has made a statement that India should focus on Cyber Security to the extent that we should lead the world in this domain. This was a statement I made more than 10 years back, and we can rejoice that at least now a Prime Minister of India has realized the importance of Cyber Security.

But is it sufficient if we are only thinking of how to build a business in Cyber Security, as Israel has done?

The Digital India initiative is set to increase the dependence of Netizens on the Internet for every aspect of our lives. Along with this dependency, what is increasing is the Cyber Fraud Risk. Today there are hundreds of frauds happening in mobile banking and Internet banking. Most of them are, however, not reported, and the RBI is content to claim that the losses are not too disconcerting. As the Digital India initiative progresses further, we will have more frauds that will start eroding the wealth of the Indian public. Then one day an attack by a Pakistani terrorist group or the Chinese cyber army will close down all Banks through a cyber attack, and Indians will face a situation like the people of Greece, when all ATMs are empty and no money can be withdrawn. Probably our money will also be siphoned off to fund the terrorists to create more physical damage to our property and people.

In such a scenario, we need to initiate suitable policies at the Government level to tackle the problem of financial frauds through cyber crime, cyber terrorism and cyber warfare.

The DOT has a policy on Cyber Security but it does not focus on the “Security of Financial Assets of Netizens”. Recently the DOT came up with a policy on Net Neutrality but not on Netizen safety.

The RBI has so far failed in its statutory responsibility to secure the Indian banking scenario. Mr Raghuram Rajan appears to be completely oblivious to the needs of secured banking and cannot look beyond monetary policy and inflation control.

We the Netizens therefore need to organize ourselves to bring enough pressure on the Government to focus on Cyber Fraud Control. Naavi.org has been working in this direction for a long, long time and will continue to do so. As another step in this direction, we have created a local circle titled “Save Digital India From Cyber Frauds” and invite all like-minded persons to join the forum and express their views, so that our combined voice reaches the otherwise hard-of-hearing administrators.

The link to the local circle is available here.

A request for joining can also be sent to the undersigned so that an invitation can be sent.

Join the forum and help in the development of a draft Cyber Fraud Protection Policy for Netizens in India, which shall be the key deliverable that this special interest group will aim at.

Naavi
