feature
I-T Dept Hacked, 14 cr Siphoned The Remedy As we know that governments’ have been confronted with the increasing need for providing services electronically and providing access to information to partners, suppliers, consumers, contractors, and remotely distributed employees. But hacking events like occurred in the I-T department forces us to rethink about the strategies adopted for the same. The incident throws light on the security enhancement need, which has to be in Fig: 1.1 place if we have to save our systems from such attacks. Security, In today’s business environment, it is the one word that continually poses challenges to organisations looking to protect their data assets. Everything from financial information, transactions, and intellectual property to customer and employee data—it all assumes an increased level of vulnerability as network access is broadened both within the organisation and externally. Password-based authentication is very expensive for organisations. The financial burden of resetting passwords represents a significant portion of an IT help desk workload. But there is a bigger picture to look at these days in terms of
28
www.egovonline.net
what it can cost an organisation should a data breach occur. The impact can be staggering on both finances and reputation. That is what happened in the case of IT Department, where due to the password hacking Rs. 14 Cr was stolen As networks become increasingly exposed through a wide range of access points, the traditional user name and password method of authentication is no longer sufficient for establishing and trusting user identity. Passwords are often so simple that they can be easily guessed, or so complex that the user needs to write them down, which is weakening security. And while changing passwords on a
regular basis can somewhat minimize the risk of guessing or a brute force attack, the aforementioned vulnerabilities are still present. Yet most of the departments and companies continue to rely on passwords as their only means of user authentication. But these events of password hacking and identity theft can be minimized; with the use of Public Key Infrastructure (PKI) based two factor authentication and encryption for data residing on the hard disks. The use of two-factor authentication provides a significant increase to the level of network security by forcing a user to provide two means of identification when attempting to log in. In most cases, this
Fig: 1.2
Asnetworksbecomeincreasinglyexposedthroughawiderangeof access points, the traditional user name and password method of authentication is no longer sufficient for establishing and trusting user identity. Passwords are often so simple that they can be easily guessed, or so complex that the user needs to write them down, which is weakening security. And while changing passwords on a regular basis can somewhat minimize the risk of guessing or a brute force attack, the aforementioned vulnerabilities are still present.Yet most of the departments and companies continue to rely on passwords as their only means of user authentication.
is a password (something you know) and a security token (for example, USB or smart card - something you have). These devices are small enough to carry and typically store cryptographic keys, digital certificates, and digital signatures. Since the user’s digital credentials are saved on the USB token/smart card instead of the computer’s hard drive, they are protected from compromise. Similarly with the help of encryption of data at rest inside the hard drives its confidentiality can be maintained i.e. only the user who will be
able to provide the correct authentication can have access to the data otherwise nobody can see the data in readable format. Below figure (Fig 1.1) shows the difference in having encryption with two factor authentication and not having the same. These initiatives are very much important in the case of e-Governance projects undergoing and the projects which are been planned for the future. As these involve usage of electronic means for enhancing the reach of the
services offered to the citizens and providing the same in an effective manner, there is a need of bolstering the security and confidence, so that more and more people start using these facilities. We have already discussed how we can secure the information assets using PKI based security solutions, with the help of which integrity, confidentiality and non-repudiation of data can be maintained. If we have to make these e-Gov initiatives successful and to kill the cases of identity frauds, public key infrastructure security should be considered as an implicit part. Also if the security infrastructure has to be strengthened then organsation as a whole should be secured i.e. data in any form should be protected from any kind of malicious activity. For the same there should be some kind of integrated suite of Data centric security solutions in place (Fig 1.2). So we had seen that how use of PKI based Authentication and Data Security could have solved the problem of hacking and save the organsation from such kind of attacks and how this incident shows the need for e-Governance programs to review their state of Security preparedness and including Security as an essential component of the long lasting infrastructure. \\
egov
March 2010
29