Rs 199 | Pages 56 | Volume 01 | Issue 01
A Special Supplement on Cyber Security
A JOURNAL ON INTERNET SECURITY
30 JULY 2018
BY & FOR THE CIOs. BY THE CIOs.
Infoquest is a journal of Internet Security and the mouthpiece of Infosec Foundation. Infosec Foundation is a multi-disciplinary and multi-user based initiative for increasing awareness and sharing best practices.
CONTENTS
The Genesis and the Genetic of Infoquest
Cyber Security for Enterprises
Transporting Employees: Balancing Information Security and Effective Transport
Being Defensive, A Losing Strategy Today
Risk Management and Social Engineering
Cyber Attacks – a historical compilation
Security issues with “https://” even
Digital Forensic And Future
Supply-chain: A new battle ground
Vulnerabilities in Embedded Systems: Some Real Life cases
Digital Attack Maps and How to use them
GDPR Simplified: Know if You Fall under GDPR Scope
Cyber Security is an existential threat
Cryptography: The art and science behind data disguise
Encryption And Poetry
Effectiveness of ISO 27001
Importance of Baseline in Cyber Security
Threat of Cyber Attacks in Smart Cities
Drilling Down To Ransomware
Social Media – Notion Of Identity & Role of Government
Cryptomoney, Bitcoin and Security?
FOREWORD
I am extremely pleased to hear of Infosec Foundation publishing their Journal on Cyber Security called InfoQuest. It is a very important step in achieving broad-level awareness about cyber security. I wish all success to the Journal and congratulations to all of the people who have worked hard to have this published, and also to the readers of the Journal. I hope that Infoquest will continue to be published and will serve the wider eco-system of Cyber Security Awareness Building.
EDITORIAL
An editor is like a thread that joins a number of gems in a formation or in a pattern. My task has been made easy as well as difficult by the variety and number of contributions. Easy, because contributors have submitted very rich content; difficult, because of making the decision of inclusion. Continuing with my role as a thread, I present the rationale of a linear narrative of the content like this: leaving me here, you hear the founder and InfoSec Foundation Chairman’s musings on the genesis of the movement as well as the birth of Infoquest. Some issues related to the catch-22 aspect of information security – how to communicate enough so that the job gets done, but not so much as to inject known risk. A list of high-level and high-impact security breaches and cyber crimes that will make you scared, but you will also be somewhat relieved to find that the locksmiths are keeping pace with the key-breakers. To amplify anxiety, an authority explains why the “s” at the end of https:// is not the end of security concerns. To brighten up the pall of gloom and doom, a complete but evolving (like any organism) manual is presented, and if you master the manual and practise, you shall understand the truism of the adage – one man’s fear is another man’s career – understanding the immense career opportunities arising in the sector. We hear the arguments and cautions from a cybercrime legal expert. In between, two practitioners enlighten us on two approaches towards information security – standards and compliance. We now become really pro-active and think of educating our children on this issue, because their first few hours’ photo after birth was shared, if not on Facebook, then surely on Orkut.
We now get tutored on the issue of cyber / digital forensics and quietly think of how interesting our time has become – just as Uber / Ola connect roads, cars and freelance drivers with the internet and the smartphone, digital footprints lead to criminal prosecution, courtrooms and stark jail cells. Before I take your leave, a few words on the philosophical methodology of compilation, selection and inclusion. The journal’s aim is quite broad and is addressed not only to the practitioners of the field and its sub-fields but to a wider audience. Hence care was taken to make the content a mix of specialist treatment and general applicability. There are many specialists from other domains who find that information security is not some techno-speak, but that their worlds have already got mixed up with the half-hazy, half-lit world of cyber security. The communication aspect of the content is moderated and modulated so as to make the reading not only edifying but occasionally pleasurable. I thank all the contributors – those whose work got published and also those whose work we could not include in this issue – our publisher, our sponsors, our editorial team members and the most important member-group: our readers. Happy Reading and Spreading.
First among Equals of the Editorial Team, Pritam Bhattacharyya, Editor-at-Large
EDITORIAL BOARD
Sudipta Biswas, Pritam Bhattacharya, Sanjay Mohapatra, Sanjib Mohapatra, Chitresh Sehgal, Sushobhan Mukherjee
Chief Editor: Sanjay Mohapatra
Senior Editor: Chitresh Sehgal
Associate Editor: Deepak Singh
Designer: Ajay Arya
Assistant Designer: Rahul Arya
Technical Writer: Manas Ranjan
Lead Visualizer: DPR Choudhary
Social Media Manager: Ravish
Web Designer: Vijay Bakshi
Publisher: Sanjib Mohapatra
MARKETING
Marketing Manager: Kajal Sharma, kajal@accentinfomedia.com
SALES CONTACTS
Delhi: 6/102, Kaushalya Park, Hauz Khas, New Delhi-110016. Phone: 91-11-41055458. E-mail: info@accentinfomedia.com
EDITORIAL OFFICE
Delhi: 6/103, (GF) Kaushalya Park, New Delhi-110016. Phone: 91-11-41657670 / 46151993. info@accentinfomedia.com
Printed, Published and Owned by Sanjib Mohapatra. Place of Publication: 6/103, (GF) Kaushalya Park, Hauz Khas, New Delhi-110016. Phone: 91-11-46151993 / 41055458
Printed at Karan Printers, F-29/2, 1st floor, Okhla Industrial Area, Phase-2, New Delhi 110020, India. All rights reserved. No part of this publication can be reproduced without the prior written permission of the publisher. Subscription: Rs.200 (12 issues). All payments favouring: Accent Info Media Pvt. Ltd.
THE GENESIS AND THE GENETIC OF INFOQUEST
SUSHOBHAN MUKHERJEE,
CHAIRMAN OF INFOSEC FOUNDATION AND CO-FOUNDER AND CEO OF PRIME INFOSERV LLP
We are living in the era of connectivity, where smartphones, tablets, computers, the internet, social media, online banking, e-commerce, third-party payment gateways, games, online utility payments, the Internet of Things and more touch every aspect of our lives. People are becoming addicted to the comfort and convenience that technology brings. The influence of the virtual world, the missing human touch and product promotions delivered in carpet-bombing style make life miserable in a way. People do what others want them to do instead of having their own thoughts. This puppet-dance-like socio-economic situation across the globe gives rise to cheating, fraud, attacks, sniffing, leakage and siphoning of critical and confidential data. These not only cause financial loss for individuals or corporates but tend to make entire economies, nations and ecosystems toxic in some way. There is a prediction going around that a cyber war may even kick off in 2025. IoT (the Internet of Things, where not only devices but things get connected) makes it possible to connect even an implanted pacemaker and regulate it externally over Bluetooth. This has been done for the betterment of medical treatment, but imagine if this connection is compromised by an attacker and your pacemaker can be accessed and recalibrated to cause your death! Your personal data, confidential information and secret messages can become public and be used by an intruder to harm you. Hence it is better to be proactive, cautious and defensive before the misery manifests itself. This wisdom can be attained by the cultivation of unbiased knowledge. The more we converge towards a connected world, the more information floods between anything and everything, and then of course information security becomes a point of concern. People start panicking and common sense takes a back seat.
But there is a solution to every problem, and countermeasures to defend, protect and launch offensive action do exist as well. But the mechanisms, processes and knowledge sit in silos and in effect are not meaningfully available as a whole. Different, piecemeal, ad hoc and fragmented measures are projected as solutions, with the result that people become more anxious and confused and decision-making ends in dilemma. Information resides in many forms: physical documents, assets, money, intellectual property and even the inner workings of the human mind. Security measures likewise come in many forms.
A few common strategies mix physical security (security guards, CCTV surveillance, RFID-based access control, biometrics, etc.), IT security (firewall/UTM, antivirus/endpoint security, intrusion detection/prevention, data leakage protection, identity management, file integrity and so on), process and compliance (ISO, CMMI, PCI-DSS and so on) and legal aspects, among many more. But an individual, a corporate entity, a service provider or a manufacturer cannot have all of this expertise and experience in 360-degree form. Hence exchanging pain points and success stories and sharing knowledge among different stakeholders and experts will create a better ecosystem through collaboration and hand-holding. “Infosec Global” is envisioned as a platform to address the burning concerns of the community. The idea is to engage different stakeholders, including partners, customers, manufacturers, policy makers, academicians, regulators and end-users, to cross-pollinate and create unbiased and true wisdom through awareness and the sharing of best practices. With the same mission, the International Infosec Summit is being organized in Kolkata on 18th November, 2016 at the CII Suresh Neotia Centre of Excellence, the first event of its kind in India. Two similar events were earlier organized by us on this theme, one in Bangladesh and the other in the United Kingdom. Apart from the International Infosec Summit, we have conceptualized a multi-disciplinary and multi-level user-based journal on information security named “InfoQuest”. The vision is not to restrict the platform to a conference alone but to focus on continual engagement with the community through the journal. We welcome all readers, well-wishers, users and stakeholders of the community to participate and contribute to this platform to make it meaningful for the global digital society.
Infosec Foundation is a non-profit platform dedicated to cyber security, working on a collaborative framework to bring together users, manufacturers, police, government, providers, policy makers and other stakeholders.
BRIEFLY, INFOSEC’S CORE OBJECTIVES ARE:
• Building an ecosystem to create awareness, discuss best practices, report and share emerging and emergent threats, and share knowledge and expertise.
• Bringing a paradigm shift in thinking about information security – from reactive thinking to accepting these risks as the heirloom of our age.
• Educating enterprises and end-users so that they come out of the mental trap of the “H-W-S-W-S” syndrome [Hardware-Software-Solution] and consider the challenges in a broader perspective.
• Publishing, running and promoting a magazine that will promote and help a consistent and regular initiative.
• Conducting Infosec in many cities worldwide through a collaborative and resource-sharing model.
• Helping to create the attitude and capacity to face the most dangerous threats – threats that we have not heard of yet!
In November 2016 in Kolkata, we had the kick-off international mega summit “Infosec Global”, and the same was much bigger in scale last year. Infosec Global was a grand success, with participants and delegates from across industry, Govt., police, corporates, banks and other non-profit organizations. During the day there were deliberations, workshops and panel discussions with some definite takeaways, which had a long and deep impact on the ecosystem. Awards were also given away in different categories for significant contributions. “Infosec Global 2018” is being planned along the same lines but at a much larger scale and format, with larger participation from the Govt. and different stakeholders, on 18th November 2018.
HERE ARE A FEW PLANNED INITIATIVES BY INFOSEC GLOBAL UNDER THE “VISION 2015” ROADMAP:
INFOQUEST
“Infoquest”, the quarterly print magazine, is working as a great tool for building awareness and creating a knowledge hub on the subject. We already have a good readership for the magazine, and many from industry, practitioners, audit agencies and people at large eagerly await the forthcoming edition.
INFOVISION (CIO ROUND TABLE/CISO SYMPOSIUM)
The CIO Round Table is a unique concept where heads of IT of corporates, key solution providers and different stakeholders get together to discuss challenges, how to overcome them, the roadmap to automation, and mindshare and exchanges on different technological aspects. The first CIO Round Table is scheduled to happen in July, and we are already getting a huge response and curiosity from different quarters because of the format and outreach planned.
INFOCONNECT (CYBER HELPLINE)
We are opening a “First in India” dedicated Cyber Security Helpline to assist common people (citizens). NASSCOM (DSCI), CID, Kolkata Police, media and of course users have expressed their extreme need for this ‘first level of assistance’ helpline. This will enable the police and CID to concentrate on their actual work at levels 2, 3 and 4.
INFOGEN (CYBER VOLUNTEERS)
We are working towards creating a centre of excellence with a course curriculum to create the first next-generation array of a Cyber Army for proactive and reactive measures.
CYBER SECURITY FOR ENTERPRISES
CRITICAL FACTORS INFLUENCING CYBERSECURITY FOR BUSINESSES
SUDIPTA BISWAS,
VICE PRESIDENT AND CHIEF INFORMATION SECURITY OFFICER, PRIME INFOSERV LLP
AUTHOR’S BIO
A graduate engineer with 32 years of industry experience in the domain of Information Technology and Information Security. His past assignments were in companies like GEC and BHEL. He is an expert in the information system security domain, with deep exposure to governance, compliance, procedures and strategies. His knowledge covers a wide spectrum with a holistic view of people, process and technology, focusing on information security, data protection, privacy, incident management and audits. He is a certified ISO 27001 Lead Auditor, Ethical Hacker, CIISA and CISP, and an active member of DSCI, Kolkata Chapter, and NASSCOM.
Digital Transformation of Business
Digitization is playing a key role today in all business sectors, such as manufacturing, power, automobiles, oil and gas, banking, services and utilities. Cyber security is one of the pillars of digital transformation, and it is no longer just an IT issue; it is a business issue. As business models and assets move deeper into the digital sphere and companies embrace technologies such as the Internet of Things, big data, cloud and mobility, they become more susceptible to security breaches, and security becomes more than an afterthought. Technologies such as big data analytics, the Internet of Things (IoT), blockchain and mobile computing are reinventing the way companies handle everything from decision making to customer service. The automation of virtually all business processes and the increasing digital connectedness of the entire value chain create agility, but they also significantly raise cybersecurity risks and threat levels. The key to addressing those risks and threats is building security into applications, as well as into interconnected devices, right from the start. Running IT systems in the cloud supports organizational flexibility. To that end, companies are increasingly moving both data and business functions (e.g., human resources and procurement) between the cloud and on-premises legacy systems. But as companies embark on their journeys of digital transformation, they must make cybersecurity a top priority. We have to maintain confidentiality, integrity and availability of data in all these contexts: on premises, in the cloud and in hybrid environments.
Bring Your Own Device (BYOD)
As more employees bring personal cellphones and tablets to the workplace, otherwise known as “Bring Your Own Device” (BYOD), and workforces become increasingly mobile and available through the use of smartphones, tablets and laptops, the enterprise becomes increasingly vulnerable to data loss, whether through employees losing devices or through cyber attacks that come from cybercriminals, competitors stealing proprietary data, disgruntled employees and hackers. While cyber security leaders maintain rigid firewalls, anti-virus or anti-malware software, and strict policy controls over company-issued systems, many organizations struggle to reconcile data security with human resource management policies.
Human Factors
Most security professionals agree that people are the weakest link, so why do we continue to ignore this area of security? Or, at best, give it lip service through half-hearted security awareness programmes? We all know that attackers will focus on the weakest link. For example, they do not target online banking directly. Instead, they attack the bank’s customers, using phishing techniques to trick them into giving away their credentials. HR (conveniently) thinks information security is an IT issue. With companies’ poor record of investment in training, finding a slice of the training budget to address human security can be a challenge. Perhaps the security experts can save the day. But with the CISSP exam guide telling us that it is harder to prepare employees to withstand social engineering attacks than it is to set up a firewall, then maybe not. The answer starts with bringing IT, physical and human security together under a true information security management system. To be fair, this is something that ISO 27001 can deliver, if addressed properly, by building on a proper assessment of risk.
GAPS IN ORGANIZATIONAL SECURITY TYPICALLY BEING EXPLOITED BY ATTACKERS.
Identity Management
Previous generations of attacks targeted technology and exploited vulnerabilities in software, but attackers have now evolved to target human inadequacies and weaknesses. More attacks are coming from “inside”. Better-secured companies may be attacked through their less secure partners or vendors. The significant breaches of today are executed by people infiltrating the organization, and attackers do this by assuming identities or abusing insider privileges. Security teams that focus on “what” is happening, and on the layers of defence being breached, are constantly in reactive mode. Reviewing logs produced by technology (firewalls, network devices or servers) on its own is not making organizations more secure. With this approach, the team fails to prevent breaches. Instead, the addition of more data and more complexity perversely prevents achieving the end result: protecting sensitive information. There is a gap between the firewall (as the initial line of defence) and the data-centric analysis and alerts received by the security team (the organization’s last line of defence). Tracking user activity, especially connections between suspicious behaviours and privileged users, would allow organizations to close this gap. It is time to incorporate identity management into the organization’s overall security and, more specifically, its breach prevention strategy. We have to stop accepting a gap approach to security, which is usually focused on data and devices rather than people. In light of the nascent perimeter-less world, identity will increasingly be the primary factor that matters to the security team.
Identity data is pervasive, yet typically absent from the security world view. For security organizations, our corporate identity (the personal identity elements we bring to our corporate environment) and our behaviour are essential in building a picture of what is happening within, and beyond, the corporate perimeter, offering deep context to inform the security team on the appropriate response to potential threats and real attacks. The critical piece in this approach is the security organization’s ability and capacity to understand the full scope of identity: who the person really is behind any given device, and whether they are behaving abnormally. This is particularly helpful when identifying attackers that have managed to acquire privileged user credentials.
Vulnerability in the IT Systems & Applications
Vulnerabilities in IT systems and applications could allow hackers to exploit them and launch cyber-attacks. Hence it is all the more important to conduct periodic Vulnerability Assessment and Penetration Testing of the network and IT infrastructure to find loopholes and vulnerabilities in the system and mitigate them. Vulnerability Assessment and Penetration Testing (VAPT) are two types of vulnerability testing. The tests have different strengths and are often combined to achieve a more complete vulnerability analysis. In short, penetration testing and vulnerability assessment perform two different tasks, usually with different results, within the same area of focus. Vulnerability assessment tools discover which vulnerabilities are present, but they do not differentiate between flaws that can be exploited to cause damage and those that cannot. Vulnerability scanners alert companies to the pre-existing flaws in their code and where they are located. Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible and to identify which flaws pose a threat to the application. Penetration tests find exploitable flaws and measure the severity of each. A penetration test is meant to show how damaging a flaw could be in a real attack rather than to find every flaw in a system. Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in a network and application and the risks associated with those flaws.
Lack of Security Awareness
Lack of security awareness poses a major threat to businesses. Organizations are putting their reputation and competitive advantage at risk by not addressing the ‘human factor’ in cyber security. Security awareness plays a key role in preventing ransomware attacks. Case studies and proofs of concept reveal that customers who have implemented a continuous security training methodology have seen up to a 90% reduction in successful external phishing attacks and malware infections. The CyberEdge Group released its fourth annual Cyberthreat Defense Report, and it should come as no surprise that ransomware was a central topic of the study. It should also come as no surprise that the news isn’t very good. Of the 1,100 IT security professionals (spanning 15 countries and 19 industries) who participated in the study, 61% said their organization fell victim to a ransomware attack in 2016. Of these, 33% paid the ransom; 54% refused to pay but were able to recover their data anyway; and 13% refused to pay and lost their data. There is no disputing that ransomware is the scariest attack to be reckoned with. And with many ransomware attacks originating via email, end users make up a significant portion of the attack surface. Unfortunately, lack of security awareness training is putting organizations at greater risk.
HOW TO BECOME SAFE?
• Cyber security must be addressed at the senior-most levels. Cyber security should be a key part of business strategy rather than technology governance. The CISO should report cyber security issues to the Board’s risk committee rather than the technology committee. In many organizations, cyber security has been treated primarily as a technology issue. Many believe that senior corporate leaders have too little understanding of the IT security risks and business implications to discuss the trade-offs for investment, risk and user behaviour.
• Move from protecting the perimeter to protecting data. Most organizations have approached cyber security by trying to put increasingly sophisticated defences around their perimeter. The reality is that an intelligent attacker will find a vulnerability, or an employee may inadvertently create an opening (for example, by accidentally e-mailing sensitive customer information). Progressive corporations are reorienting security architectures from devices and locations to roles and data. Ultimately, plugging your laptop into the network at a corporate location may enable you to do no more than reach publicly available web sites. Accessing corporate data or applications, however, would require authentication of your identity. Security will soon become a fundamental design decision in underlying technology architectures. If customer credit card information resides in a single database, for example, a cyber-criminal would only have to breach security once to engage in fraudulent transactions. Separating credit card numbers and expiration dates vastly complicates the task. Since a malicious systems or database administrator can be much more dangerous than even the most careless end user, some IT organizations have started to limit the number of people who can access production systems and data, preventing not only application developers but also infrastructure architects and engineers from touching “live machinery”.
• Refresh cyber security strategies to address rapidly evolving business needs and threats. It is an ongoing battle. New digital assets and mechanisms for accessing them simply mean new types of attacks. Many corporations are conducting simulated cyber-attacks to identify unexpected vulnerabilities and develop organizational muscle for managing breaches. Some have built sophisticated capabilities to aggregate and analyse massive amounts of operational data (such as e-mail headers and IP traffic) to uncover emerging threats. In addition, corporations must make the cyber security measures that need to be implemented before entering new geographies a key part of the business case for major initiatives or new-product introductions.
• Implementation of an Information Security Management System (ISMS) under the ISO 27001 framework. ISO 27001:2013 is an international standard designed and formulated to help create a robust Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, process and technology, the three building blocks of an enterprise security framework, and it applies a risk management process.
TRANSPORTING EMPLOYEES BALANCING INFORMATION SECURITY AND EFFECTIVE TRANSPORT
GOPAL RATHNAM
DIRECTOR OF MTAP TECHNOLOGIES
THE PROBLEM
On the topic of data security, one important aspect that is overlooked is the protection of employee data, both in physical format and in its online version. Most leakage of employee data happens during attrition, due to improper agreements and to not having properly indoctrinated the employee at the induction stage about the importance of not discussing company-focused subjects even in casual conversations. The other leakage of employee data occurs during the provision of company-sponsored transport to employees, especially those working night shifts. Normally, companies tend to outsource employee transport to vendors who specialize in transport operations. In the course of providing transport, the transport operator becomes privy to a lot of the internal workings of the organization: shift schedules, client names, locations, employee schedules, addresses, phone numbers, designations, etc. In non-automated transportation systems, all of the above data is freely available in paper format. These papers are freely available not only to the transport vendor but also to their drivers, supervisors, etc. Just a photocopy of these would be enough material for competitors. Apart from the perceived business impact, we need to take into account the guidelines issued to companies on the issue of transportation by the local police officials, FICCI, NASSCOM, CII, etc. Some of these guidelines are meant both for employee safety and for data safety. FICCI says that the addresses and phone numbers of women employees should not be provided to the transport operator / driver. NASSCOM says that family members of employees need to be in a position to track the employee during transportation.
The Problem Statement
The question that arises is: how can this data be secured while, at the same time, being put to effective use to provide and enable an efficient transport system that brings employees to the workplace on time? This need becomes more important for organizations that work 24x7 and need to provide secure transportation to their employees. There are now start-ups that have come out with effective technology solutions to cater to the above requirements without compromising company data. While organizations are looking to use technology along with their transportation vendors, they need to look at some important aspects from a data security point of view. Being data-secure and being compliant with statutory rules regarding employee safety are both like two eyes for an organization. They have to find a via media for managing both without compromising either aspect. Some of the contrasting requirements are, for example, that women employees need to be contacted to make sure they have reached home; at the same time, the phone number should not be privy to the checking official.
Current Solutions
This kind of security requirement is nowadays achieved by voice-integrating the transport tracking software so that both the caller and called numbers are masked, and the caller is able to call by just clicking on the employee ID or name as the case may be. Similarly, the driver does not get a paper trip sheet but is instructed through an app, where he gets to know where to go, which route to take and whom to pick up, and is also able to call the employee in case of need without ever getting to know the details. Similarly, employee trip data is nowadays stored on servers that can be centrally accessed in the case of organizations with multiple office locations. In such cases, cloud storage provides a much safer environment as well as ease of accessibility, along with lower-cost backup and redundancy of data. The statutory requirements state that the company supervisor needs to be the only person who knows the day’s routes and the vehicle and employee allocation beforehand. Any changes need to happen with his knowledge, including a change of driver for a vehicle. This requires an automated routing mechanism that churns out trip sheets and gives the supervisor the ability to make manual changes as required. Through a mobile-based employee app, the employee is able to send last-minute leave requests, which enables the supervisor to revise schedules / trips accordingly. Since this is done at supervisor level, the interference or possibility of others manipulating the trips becomes remote and controllable. By automating the tracking and emergency response systems, not only is employee safety taken care of, but data is also generated for better management and improvements over a period of time. All stored data needs to be purged on a periodic basis, most companies preferring to do it a month after the billing issues are settled and payment is made and accepted. Thus any data on trips and employees is handled in a controlled environment, and data security and employee safety are taken care of by automating the routing, assigning and tracking of employees during their transport to and from the office.
BEING DEFENSIVE, A LOSING STRATEGY TODAY
The threats to power industry operations, and to the reliable supply of power that we all depend on for daily life, are no longer theoretical. A roughly 250% spike in reported industrial control system (ICS) incidents over the past four years demonstrates that regulations alone will not protect power infrastructure. Everyone who works in this industry needs to develop higher awareness and skills.

As a longtime cyber security professional, I have found it interesting to observe the progression of conversations about cyber security and the technology advances made by industry colleagues. Most dramatically, cyber security has for the first time become a mainstream topic of conversation worldwide. The practice of cyber security, the actual business of protecting personal, business or government networks and computers, has been around for more than 30 years, but events of the previous couple of years have brought a sharper focus to the growing challenges and concerns. Earlier discussions focused solely on the need for an appropriate level of cyber security to protect Internet-connected systems; today businesses are also asking whether there is a model of cyber security that can protect an organization against targeted attacks. The answer is yes, but the execution of protective measures can range from basic operational controls to a complicated technology deployment. Importantly, business leaders are beginning to understand the connection between the increasingly common attacks on consumer-facing businesses and the potentially more disruptive attacks on industrial systems and national critical infrastructure.

There are many examples of how cyber security has moved to the forefront of people's minds. Corporate giants such as JPMorgan Chase, Target and Home Depot fell victim to devastating cyber attacks within a 16-month period, but it was the attack on Sony Pictures that, one can argue, is most responsible for the heightened public awareness of and attention to cyber security. If we do not put in place the kind of security architecture that can prevent such attacks, the effects will not be confined to the entertainment world; they will affect our economy in ways that are extraordinarily significant.

It is important to remain conscious of, and take the necessary precautions against, the type of hacks that can affect the ordinary consumer's wallet. But there is another type of cyber security threat, one that targets an organization's or a nation's critical infrastructure, which cyber security and national defense professionals agree has the most potential to cause severe harm. Like an attack on a corporation, a successful intrusion into the networks of national critical infrastructure can also victimize individuals severely: utilities maintain a tremendous amount of information about their customers, arguably more than retail and other service companies. To get power, for example, a person must provide a credit score, home address, personal banking and other sensitive information. But that is where the similarities end. Unlike an attack on systems holding account information, a successful infiltration of national critical infrastructure is likely driven by motivations beyond economic ones: the incentive is far more likely to be disruption of operations, hindering public safety and productivity within the foundational systems that keep a nation in service. An attacker willing to intrude upon a nation's infrastructure, or to cause economic damage by destroying value, has decided to risk a proportional response.

The power industry, like the rest of the world, is becoming increasingly digitally connected. Historically, operational technology (OT) such as industrial control systems was standalone and had no cyber interconnectivity. In recent years, new technologies such as data-driven analytic applications and cross-platform communications have been added to industrial systems to increase productivity and achieve greater reliability, even though the legacy systems were not originally designed to integrate with them. Modern automation and control systems now connect to business networks and external systems so that operators and suppliers can remotely control, monitor and maintain every aspect of operations, improving productivity, enhancing performance and reducing costs. Communications technology is also used to tap into an extended global supply chain and to couple manufacturing and infrastructure operations more tightly to the global marketplace. While these advancements improve efficiency, they also create new attack surfaces, introduce complexity, and expose vulnerabilities for attackers to exploit.
Digital advancements in OT allow the power industry to generate, transmit and deliver electricity more efficiently. However, a destructive cyber attack on these systems would challenge the core ability to operate safely and reliably. Threats to these systems reduce predictability and heighten concern for safety. A successful attack on industrial systems may not stop at the control system: an attacker can directly affect the process and maliciously operate the controlled equipment, raising safety concerns. Intrusions into networks connected to electric-grid OT networks allow an adversary to collect information and credentials and to find paths into the systems responsible for generating and transmitting safe and reliable power. Many policy makers believe it is only a matter of time before the U.S. experiences an attack resulting in material damage. According to a Pew Research survey, experts predict a major cyber attack between now and 2025 that results in property losses, damage and theft worth tens of billions of dollars. The Sony Pictures cyber attack has prompted many to take such predictions more seriously.

TATHAGATA DATTA, CISO & HEAD (IT GOVERNANCE), SREI

AUTHOR'S BIO
Tathagata is a risk analyst with 18+ years of industry experience in IT infrastructure and cyber security, specializing in process consulting, cyber incident handling and digital forensic analysis. He has been an empanelled Information Security Lead Auditor at BSI and a Subject Matter Expert at the International Council of E-Commerce Consultants (EC-Council). He is a member of the Data Security Council of India, a core committee member of the InfoSec Foundation and one of the founder members of the Cyber Security Education Foundation. Tathagata has carried out process and technology consulting at MNCs across South East Asia, the European Union and the Middle East. As an enterprise risk analyst, he has helped critical information infrastructure (CII) operators, especially in the power and energy, transportation, insurance and BFSI sectors, identify cyber risks and mitigate them through appropriate controls.

Some Cyber Attack Histories on Critical Infrastructure

Cyber attacks on industrial and critical infrastructure have gone from potential to actual. A German federal agency reported that a steel mill's operations were affected by a cyber attack in late 2014 that caused physical damage to a furnace. Attackers reportedly gained access to the plant's network through a malicious e-mail, moved from there into the production network, and gained control over the furnace operations. Although it is still rare for a cyber attack to cause physical damage to a plant, we are beginning to witness the progression of ICS-capable attacks. South Korea reported a cyber attack against the operator of its nuclear power plants. Media reports paint the picture of an unknown adversary that used the e-mail addresses of retired employees to deliver malware, which reached systems connected to the ICS throughout the company's network. The attackers released sensitive and confidential information, including plant equipment designs and manuals, online and through social media. South Korea claims that multiple IP addresses used by the suspected hacker traced back to a north-eastern city in China.

In years past, threats to power and utility companies were the result of technical vulnerabilities and human error. Current threats are very different: they are customized, targeted, and involve campaigns to intrude upon production systems. Motivations for hacking into ICSs vary, but the ability to infiltrate, study and control operations could lead to damage affecting more than the infrastructure operator. China, for example, is very interested in U.S. business strategies, processes and practices; access to confidential information provides insight into the selection of suppliers, or into what motivates businesses to make investments. Other attacks could involve extortion, nation-state hacktivism, or leverage to be used in geopolitics.
The results of these targeted attacks will certainly cause hardship to customers, damage reputations, undermine confidence and renew concern about reliability.

Go Beyond Regulation – Become a Trained Worrier

Government has put many policies in place to protect infrastructure from cyber attacks. However, it takes years for bills to be written and legislation to pass, and attackers will not wait for government to issue regulations. Security professionals in power and utility companies should therefore consider the intent of the regulations and apply measures and monitoring processes that go beyond what regulation strictly requires. Cyber threats are becoming more targeted and consequential, and the critical-infrastructure workforce is undertrained to address them. Cyber attacks are complicated and vulnerabilities are discovered constantly, so it is vital that the engineers responsible for control systems are cross-trained with cyber security specialists in threat detection, mitigation and response. We have to remember that "being on the defensive is a losing strategy", and the industry needs to realize the importance of working across disciplines to address the challenges that accompany positive advances in OT.

It is wise to assume that an attacker will gain access to any device or network that connects to another network, and incident response preparations should be built on that assumption. In addition, system operators should develop security capabilities for all of their facilities that support or are involved in infrastructure operations, not just the systems and assets that are federally regulated. Power companies need a comprehensive security strategy to keep up with the connected world we live in, and that strategy cannot stop at physical security and cyber perimeters. When considering targeted cyber attacks, always assume the attacker will gain a difficult-to-detect foothold on any device or network that has connectivity to the Internet or an accessible wireless signal. The interconnection of systems and the introduction of new digital components create attack surfaces that must be accounted for in system designs and in cyber security strategies and plans.

Energy OT has purposeful and therefore predictable communication profiles: a controller talks to a known set of peers, over known protocols, at a known cadence. Defenders need to leverage this important difference between OT and IT systems, because on an OT network a new talker, a new service or an unexpected destination is a signal worth investigating, whereas on a general-purpose IT network it is routine. Our collective challenge is to develop security capabilities and push them deeper into our operations and production systems. If a company wants the benefits of digital technology, it also needs to ensure that its systems operate well and with integrity.
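The predictable-communication point above is what makes allowlist-style baselining practical on OT networks. The following is an added example (not code from the article or from any vendor product) of how a defender can learn a baseline from a capture window and flag deviations in later flows. It assumes flow records have already been exported from a passive sensor as (src, dst, dst_port, proto) tuples; the addresses, ports and the 10.10.0.0/16 site range are constructed for illustration. It goes slightly beyond the text by sorting deviations into four kinds (new talker, new service, new peer, external destination), which is the triage a control-room analyst needs.

```python
"""Baseline-and-deviation check for OT network flows.

Added example, not code from the original article. It assumes flow records have
already been exported from a passive sensor on the OT segment as
(src_ip, dst_ip, dst_port, proto) tuples; the records below are constructed
for illustration and the addresses are not real plant addresses.
"""
import ipaddress
from collections import Counter

# Site address ranges that may appear as a destination at all (assumed).
# Anything outside these is an "external" destination regardless of history.
OT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed baseline: a learning window in which an HMI (10.10.1.10) polls two
# PLCs over Modbus/TCP (502) and a historian (10.10.2.5) reads the HMI over
# OPC UA (4840). Real baselines come from days or weeks of captured flows.
BASELINE_FLOWS = [
    ("10.10.1.10", "10.10.1.21", 502, "tcp"),
    ("10.10.1.10", "10.10.1.22", 502, "tcp"),
    ("10.10.2.5", "10.10.1.10", 4840, "tcp"),
]

# Constructed flows from a later window, including four deviations.
NEW_FLOWS = [
    ("10.10.1.10", "10.10.1.21", 502, "tcp"),      # routine poll
    ("10.10.1.99", "10.10.1.21", 502, "tcp"),      # unknown host talking Modbus to a PLC
    ("10.10.1.10", "10.10.1.22", 44818, "tcp"),    # known pair, new service (EtherNet/IP)
    ("10.10.1.10", "203.0.113.7", 443, "tcp"),     # HMI reaching outside the plant
    ("10.10.2.5", "10.10.1.21", 502, "tcp"),       # known hosts, never-seen pairing
]


def learn_baseline(flows):
    """Learn the communication profile: every (src, dst, port, proto) seen,
    the set of hosts, and the set of (src, dst) pairs."""
    profile = set(flows)
    hosts = {h for src, dst, _, _ in flows for h in (src, dst)}
    pairs = {(src, dst) for src, dst, _, _ in flows}
    return {"profile": profile, "hosts": hosts, "pairs": pairs}


def in_site(addr):
    """True if the address lies inside one of the plant's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OT_SUBNETS)


def classify_flow(flow, baseline):
    """Return 'known' for baseline traffic, otherwise the kind of deviation."""
    src, dst, port, proto = flow
    if flow in baseline["profile"]:
        return "known"
    if not in_site(dst):
        return "external-destination"
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        return "new-talker"
    if (src, dst) in baseline["pairs"]:
        return "new-service"
    return "new-peer"


def find_deviations(flows, baseline):
    """List (flow, verdict) for every flow that is not part of the baseline."""
    results = []
    for flow in flows:
        verdict = classify_flow(flow, baseline)
        if verdict != "known":
            results.append((flow, verdict))
    return results


def summarize(deviations):
    """Count deviations by kind, for a shift-handover style summary."""
    return Counter(verdict for _, verdict in deviations)


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for flow, verdict in find_deviations(NEW_FLOWS, baseline):
        print(f"{verdict:21s} {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}")
```

Run as a script it prints the four deviations in the sample window. In practice the baseline is learned over several weeks so that rare but legitimate traffic, such as an engineering workstation pushing firmware, is captured before alerting is switched on, and a new-service hit on a PLC port is escalated rather than silently added to the profile.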
RISK MANAGEMENT AND SOCIAL ENGINEERING
"NO TECHNOLOGY CAN BEAT A SOCIAL ENGINEERING ATTACK" - FRANK ABAGNALE
SABYASACHI HAZRA,
CISSP, CISA, CISM, CRISC, PMP, CCSP, SABSA Foundation, ISO 27001 LA, CEH, CCNP, MCSE, MCSA, ITIL, CCSA, CCSE, Scrum Fundamentals
AUTHOR'S BIO
Sabyasachi has 16 years of information security experience. He is a Manager in the Deloitte & Touche Enterprise Risk Services practice. He was selected for the worldwide panel of SMEs for CISSP standard setting by (ISC)². He is also an authorized item writer for the CISA, CISM and CRISC exams for ISACA, and a regular contributor of technical whitepapers to the ISACA newsletter and other IT magazines.
Do you know who Frank Abagnale is? Remember the movie Catch Me If You Can? It is based on the life of Frank Abagnale, one of the most infamous social engineers. He started while still a teenager: Abagnale ran away from home, posed as a Pan Am pilot and scammed thousands of miles of free flights around the world by making people believe he was a real pilot. That was not all; he also pretended to be a doctor and a teacher before the FBI caught him years later. The movie is a good illustration of social engineering as the art of human hacking, and of how vulnerable we humans are. After being arrested and jailed at the age of 21 for writing more than $2 million in forged checks and running numerous social engineering schemes, he began assisting the federal government with forgery and fraud investigations and has worked with the FBI for more than 40 years. Abagnale is considered one of the foremost authorities on fraud, forgery and secure authentication.

Security risk management plays a significant role in the overall strategic alignment of an organization, and its role in regulation and compliance cannot be overruled. According to various security surveys, a great deal of data leakage and many security exploits happen through social engineering. In this whitepaper we explore how security risk management can be integrated with social engineering mitigation techniques to measure the effectiveness and execution of the security program.
GENERALLY WE DEFINE SECURITY RISK MANAGEMENT IN 4 STEPS IN THE CONTEXT OF SECURITY ENGINEERING:
• Assessing Threat and Risk
• Conducting Decision Support
• Implementing Controls
• Measuring Program Effectiveness and Reporting
ASSESSING THREAT AND RISK
This is the planning phase: a high-level threat assessment. Its purpose is to establish and document what the organization is trying to protect and whom it is protecting it from. An organization may run a call center that handles a lot of personal information, or it may be developing a new application and be concerned about intellectual property relating to the project leaking to the press or falling into the hands of competitors. What would be the impact of a successful social engineering attack? It may be the financial impact of losing data, the reputational damage that results from a social engineering attack or corporate espionage, or even a drop in share price. Regulatory requirements should also be part of the planning. The scope is defined in this phase. A social engineering test can take different forms, ranging from a phishing campaign run with dedicated software to attempts to elicit sensitive information over the telephone. Metrics (key risk indicators, KRIs) should be planned in advance. Below is an example set of KRIs for a typical phishing campaign conducted with dedicated phishing software:
■ Number of e-mails sent - the number of e-mails that will be sent in the simulated phishing campaign. It can be broken down by department, section, functional area or enterprise-wide. A specific dedicated team should draft and monitor the e-mail.
■ Number of e-mails opened - the number of e-mails opened by users. Users are often casual about opening an e-mail even after comprehensive training on social engineering.
■ Number of employees who clicked the link - the number of e-mails where the user clicked on the link.
■ Number of employees who entered information - the number of employees who entered information. This is the worst case, where information is shared because of a lack of employee education.
CONDUCTING DECISION SUPPORT
The main deciding factor of any security campaign is budget. In an ideal world you could run the test over a series of months or even years, but few social engineering tests get that kind of sign-off from management. Security programs and awareness training are ongoing activities and should be owned and driven by management. A series of decisions has to be taken: how many individuals are to be targeted, how many locations need to be tested, how many scenarios will be attempted, and so on.
IMPLEMENTING CONTROLS
Typically the controls for social engineering are training and sessions customized for the purpose. The frequency and duration should be well defined and approved by senior management. The security awareness training delivery methods are described below:
• Instructor-led live sessions - this used to be the most common method, but it does not always yield positive results. People sometimes find the sessions boring and not interactive enough, or the content is too technical for generic users. Stories of security incidents and case studies help, and the session should be interactive. The main drawback is evaluating whether users have understood the required security awareness. Availability of users can also be a problem; I always find users very reluctant to attend live sessions. If the instructor is not competent the whole training goes in vain, and sometimes the audience disconnects because the instructor loses focus.
• Videos - instead of an instructor, videos are shown on the various aspects of security awareness. An opening video message from the CEO or CISO generally helps users understand the intention of top management. But again, listening to a couple of hours of video can be boring, and it is difficult to evaluate whether users have understood the security awareness content.
• Computer-based training (CBT) - use of this delivery method is increasing day by day. The content can be unique, with a variety of formats, lengths and styles, and can be modified for the audience: awareness training for call center personnel can be different from that for a user in the accounts department. This is the recommended method, as individual progress and results can be tracked and enforced, assessment modules can test understanding of the subject, users can take the session at a convenient time, reports can be generated to show completion progress, and multi-language support is available.
• Web-based training (WBT) - the concept and procedures are generally the same as for CBT, but the course is delivered through a web browser that connects to a server for the content.
• Awareness posters and cards - posters and cards are sometimes a good way to spread security knowledge, for example "How to use passwords securely", "Social engineering" or "Best practices for using a system". They should be supplemented with security awareness training through CBT or an instructor, but they act as a complementary way of spreading security awareness.
MEASURING PROGRAM EFFECTIVENESS AND REPORTING
The deliverables for a social engineering test usually include a report with photographs, screenshots, and possibly audio or video recordings of the fieldwork. The report is generally mapped to the KRIs, such as the number of people who fell for the social engineering attempt. Specialized software is very helpful in creating customized reports. The reports should be confidential, with access restricted to designated professionals.
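To make the reporting step concrete, here is an added example (not from the whitepaper or from any of the products named below) that computes the four KRIs defined under Assessing Threat and Risk, per department and enterprise-wide, from a campaign tool's event export. The export format and the rows are constructed assumptions. It also handles a detail the text does not mention: a user who clicked the link did open the mail even if no open event was recorded (image-blocking mail clients never fire the tracking pixel), and a user who clicked twice still counts once.

```python
"""Compute phishing-campaign KRIs from a tracking-event export.

Added example, not code from the original whitepaper or any vendor product.
It assumes the campaign tool exports one row per tracking event with the
columns below; the rows are constructed sample data, not a real campaign.
"""
import csv
import io
from collections import defaultdict

# The funnel, in order. Reaching a later stage implies the earlier ones, so
# counts are derived from each employee's furthest stage, not from raw events.
STAGES = ("sent", "opened", "clicked", "submitted")
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed export. E004 has a click and a submit but no open event; E001
# clicked twice.
SAMPLE_EVENTS = """\
timestamp,employee_id,department,event
2018-07-02T09:00:00,E001,Finance,sent
2018-07-02T09:00:00,E002,Finance,sent
2018-07-02T09:00:00,E003,Finance,sent
2018-07-02T09:00:00,E004,CallCenter,sent
2018-07-02T09:00:00,E005,CallCenter,sent
2018-07-02T09:05:10,E001,Finance,opened
2018-07-02T09:06:30,E001,Finance,clicked
2018-07-02T09:07:00,E001,Finance,submitted
2018-07-02T09:08:00,E001,Finance,clicked
2018-07-02T10:15:00,E002,Finance,opened
2018-07-02T11:40:00,E004,CallCenter,clicked
2018-07-02T11:41:00,E004,CallCenter,submitted
2018-07-03T08:00:00,E005,CallCenter,opened
"""


def furthest_stage_per_employee(csv_text):
    """Map (department, employee_id) -> index of the furthest stage reached."""
    furthest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["department"], row["employee_id"])
        rank = RANK[row["event"]]
        furthest[key] = max(rank, furthest.get(key, -1))
    return furthest


def compute_kris(csv_text, enterprise_label="Enterprise"):
    """Return {scope: {stage: count, ..., open_rate, click_rate, submit_rate}}
    for every department plus an enterprise-wide roll-up. Each employee is
    counted once per stage, so repeated clicks do not inflate the numbers."""
    counts = defaultdict(lambda: {stage: 0 for stage in STAGES})
    for (dept, _emp), rank in furthest_stage_per_employee(csv_text).items():
        for scope in (dept, enterprise_label):
            for stage in STAGES[: rank + 1]:
                counts[scope][stage] += 1
    report = {}
    for scope, c in counts.items():
        sent = c["sent"] or 1  # guard against a scope with no sent rows
        report[scope] = dict(
            c,
            open_rate=round(c["opened"] / sent, 3),
            click_rate=round(c["clicked"] / sent, 3),
            submit_rate=round(c["submitted"] / sent, 3),
        )
    return report


if __name__ == "__main__":
    for scope, kri in compute_kris(SAMPLE_EVENTS).items():
        print(f"{scope:11s} sent={kri['sent']} opened={kri['opened']} "
              f"clicked={kri['clicked']} submitted={kri['submitted']} "
              f"click_rate={kri['click_rate']:.0%}")
```

The rates are all computed against e-mails sent, which is what allows departments of different sizes to be compared in the report, and the per-scope dictionary is the shape a reporting template or SIEM dashboard can consume directly.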
TOP 5 COMPUTER-BASED SECURITY AWARENESS TRAINING:
As mentioned before, the popularity of CBTs is increasing day by day. Prices are generally very competitive and the ROI is better than for the other delivery methods described above. Below is a list of top CBT solutions:
• PhishMe - PhishMe offers a large library of interactive content that incorporates games, video and a variety of learning artifacts. For more information, please visit https://cofense.com
• Wombat Security Technologies - Wombat offers innovative security education and behavior management CBT. In addition to a portfolio of CBT on traditional security awareness topics, Wombat provides an effective anti-phishing solution that also supports simulated attacks through USB devices and SMS, and extensive services in training needs analysis, content development, CBT customization and security essentials training for executives. It currently supports more than 30 languages. For more information, please visit https://www.wombatsecurity.com/
• KnowBe4 - KnowBe4 markets anti-phishing behavior management coupled with basic security awareness CBT, offered in several packages. KnowBe4 can improve employee resistance to different kinds of social engineering attacks through various forms of penetration test. It currently supports 28 languages. For more information, please visit https://www.knowbe4.com/
• MediaPro - MediaPro is a flexible Adaptive Awareness Framework platform that includes program planning tools, customizable CBT content, reinforcement materials (such as animations, games, posters and articles), phishing simulations and knowledge assessments. It currently supports 35 languages. For more information, please visit https://www.mediapro.com/
• Inspired eLearning - this tool gives customers the ability to identify and quantify high-risk areas within the organization. Inspired eLearning's new mobile app also lets users on Android and iOS devices learn offline. The CBT portfolio is augmented with newsletters, security alerts and reminders, and instructional design and customization services. Multilingual support across multiple media is available for culturally diverse employee populations; it currently supports more than 40 languages. For more information, please visit https://inspiredelearning.com/

Many product vendors also offer image tracking and analysis to detect fake websites and social media profiles that misuse corporate branding assets or impersonate executives. They strengthen anti-phishing efforts with a combination of monitoring and reporting mechanisms to detect in-the-wild phishing attacks.
A few vendors in this category are BrandProtect, LookingGlass, MarkMonitor, OpSec Security and Proofpoint. To reinforce our understanding, let's walk through the four steps with a case study:
CASE STUDY:
After a minor security breach, a large retailer plans to test the security awareness of its employees by launching a phishing campaign with dedicated software and a dedicated team. Company management wants to plan the campaign in a structured and timed way. Below are the planning parameters drafted for this phishing campaign:
Threat Assessment:
• Type of attacker - dedicated or ad hoc hackers who can obtain personal details and restricted information through phishing e-mails
• Current level of awareness - an instructor-led security awareness training has taken place

SCOPING THE TEST:
Type of test - phishing campaign for quarter 1
Information required in advance:
Time period - the campaign will be limited to 7 days of effort, of which 2 days are set aside for reporting and analysis.
Deliverables - a report containing details of the scenarios used and statistics with supporting artifacts. The report should also include a risk mitigation plan with suggested tools and techniques.
Target list - the phishing e-mail will be sent to all employees in the organization.
Team - the campaign team will consist of designated professionals from the testing vendor, HR and the security department.
Communication plan - the reports of this campaign will be considered confidential and distributed only among designated professionals of the organization.

Social engineering poses a great threat in today's dynamic information technology world. As Kevin Mitnick rightly said, all security technologies can be bypassed by social engineering. It is now time to act and deliver.

Reference: https://www.trusona.com/news/2016/6/7/frank-abagnaleno-technology-can-beat-a-social-engineering-attack
USER ID MANAGEMENT
DR. SUDIP SINHA,
DMS, MCA, MTM, CEH, CHFI, ISO 27001:2013 LA/LE, CCSK, Cloud Security Auditor (CSA STAR)
The user ID is the elementary object required to get into any application, together with a valid credential, the password. Historically, for simplicity, user IDs were created as 'root', 'admin', 'superuser', 'cisco' and so on. Then came group user IDs such as 'netadmin' and 'dbadmin', but from a security perspective these became a real concern: the audit log could not tell which person, from which IP address, had used the generic user ID to access an application at a specific time. The concept then evolved to user-specific IDs, moving away from generic ones; individual user IDs give much greater visibility in forensic analysis.

In the enterprise a new problem arose: how to handle different credentials for 50 different applications. End users had to maintain a list of passwords for various applications, all of them complex. The industry moved towards SSO (single sign-on), meaning the same user ID and password for every application. This is simpler, but if that one credential is compromised the attacker has access to all of the applications. Securely maintaining the credential is therefore one of the core responsibilities of the individual: use a complex password, change it from time to time, and so on. From the organization's perspective, a RADIUS or TACACS+ server, or LDAP, is used to connect the applications' authentication to a central directory such as Windows Active Directory or a non-Windows directory. The audit trail is very important for knowing who accessed which application at what time, so that unwanted activity can be tracked or deflected. Next-generation SIEM, SOC and NetFlow tooling gives greater visibility into user activity, which can be investigated on demand during forensic analysis.

Organizations should also put emphasis on careful role-based access management: who will have access to what, and for how long, is the key rule for access rights management. When users move to different projects or leave the organization, their access rights must be cleaned up and the users deactivated as a regular identity and access management operational task. It is also important to watch for activity from deactivated users. Historically it has been observed that attackers re-enable deactivated users and perform malicious activity through them (an insider threat), so permanent deletion of deactivated user IDs, with a defined timeline, should be part of the organization's governance process. For external access such as VPN or cloud applications, instead of a static user ID and password, two-factor (RSA token based) to multi-factor authentication has become the accepted industry standard. Beyond the regular user name and password, an OTP, a code sent through e-mail, or an approval request sent to a registered mobile application adds real value and makes the authentication mechanism stronger. There should be a minimum standard for user ID creation to avoid conflicts, and creation of a user ID and granting of access permissions should go through a multi-level approval process. With GDPR coming and data protection and privacy in focus, control and governance will help to minimize the associated insider-threat risk. Under the GDPR penalty clause an organization may have to pay a penalty of up to 4% of annual global turnover, so security enforcement for identity and access management has been given priority by the senior management of enterprise organizations. It also has to be kept in mind that failed authentication attempts may lead to a user ID being locked out. If a password is changed, all drives mapped to external shared folders must be refreshed, otherwise the stale credential will get the user ID locked out.
Some malware also locks users out at random; the security team should have visibility of this and take immediate action, as part of the incident management process, to remove the threat from the network. From the organization's perspective, policy and procedure are crucial for audit, and documentation is of the utmost importance and must be kept up to date at all times. Periodic review of users who have not logged in is an essential operations management task; depending on organizational policy, such users may be deactivated after a few months of inactivity. An inactive-user deletion policy should be framed, maintained and reviewed at an agreed interval to satisfy audit requirements. Incident management around user ID management should also be addressed from a process perspective. Since the user ID and credential are sensitive assets, end-user training and awareness is very important: it is the responsibility of the end user to report a compromised password, to keep the password secure and never to share it. From an individual's perspective, it is recommended to use different credentials for different financial applications and portals and to enable two-factor or multi-factor authentication to avoid the risk of a compromised credential. For mobile devices, an MDM (Mobile Device Management) or EMM (Enterprise Mobility Management) solution should be integrated so that if a device is stolen the user ID, along with sensitive corporate data, can be wiped remotely, preserving confidentiality, integrity and availability (CIA) as standard practice.

In conclusion, after physical security the user ID is the first level of access, and everyone has an equal responsibility to maintain and manage it securely to avoid the risk of unwanted issues.
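As an added example (not code from the article), the review below implements three of the operational checks recommended above on a constructed directory audit trail: flagging accounts re-enabled by anyone other than the IAM workflow, flagging logons by such accounts, and listing dormant accounts for deactivation. The record format, the account and actor names, the 'iam-svc' workflow identity and the 90-day dormancy threshold are all assumptions.

```python
"""Review an identity audit trail for the user-ID risks described above:
accounts re-enabled outside the IAM process, logons by such accounts, and
dormant accounts that should be deactivated.

Added example, not code from the original article. It assumes the directory's
audit log has been normalised into (timestamp, actor, action, target) records;
the records, account names and the 'iam-svc' workflow identity are constructed.
"""
from datetime import datetime, timedelta

# Constructed audit trail. 'iam-svc' is the only identity that should be
# enabling users (the multi-level approval workflow runs under it).
AUDIT_EVENTS = [
    ("2018-06-01T09:00:00", "iam-svc", "disable", "jsmith"),   # leaver processed
    ("2018-06-20T23:12:00", "dbadmin", "enable", "jsmith"),    # re-enabled out of process
    ("2018-06-20T23:15:00", "jsmith", "logon", "jsmith"),
    ("2018-03-01T08:00:00", "rkumar", "logon", "rkumar"),      # last seen months ago
    ("2018-07-28T10:00:00", "apatel", "logon", "apatel"),
    ("2018-07-01T10:00:00", "iam-svc", "enable", "newhire"),   # normal joiner
    ("2018-07-02T08:30:00", "newhire", "logon", "newhire"),
]

AUTHORISED_ENABLERS = {"iam-svc"}   # assumed: the IAM workflow's own identity
DORMANT_AFTER = timedelta(days=90)  # assumed: organisation's inactivity policy


def review_accounts(events, now, authorised=AUTHORISED_ENABLERS,
                    dormant_after=DORMANT_AFTER):
    """Walk the trail in time order and return three finding lists."""
    findings = {"unauthorised_enable": [], "suspicious_logon": [], "dormant": []}
    disabled = set()   # accounts currently disabled
    suspect = set()    # accounts enabled outside the IAM process since last disable
    last_logon = {}    # account -> datetime of most recent logon

    for ts, actor, action, target in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if action == "disable":
            disabled.add(target)
            suspect.discard(target)
        elif action == "enable":
            disabled.discard(target)
            if actor not in authorised:
                suspect.add(target)
                findings["unauthorised_enable"].append((ts, actor, target))
        elif action == "logon":
            last_logon[target] = when
            # A logon by a disabled account should be impossible; treat it, and
            # any logon by an out-of-process re-enabled account, as suspicious.
            if target in suspect or target in disabled:
                findings["suspicious_logon"].append((ts, target))

    # Dormancy is judged only for accounts that are still enabled.
    for account, seen in last_logon.items():
        if account not in disabled and now - seen > dormant_after:
            findings["dormant"].append((account, (now - seen).days))
    return findings


if __name__ == "__main__":
    report = review_accounts(AUDIT_EVENTS, now=datetime(2018, 7, 30))
    for kind, items in report.items():
        print(kind, items)
```

Run against the sample trail with a review date of 30 July 2018 it reports the out-of-process re-enable of jsmith by dbadmin, the logon that followed, and rkumar as dormant for 150 days. Sorting by timestamp matters: audit exports from several domain controllers are rarely in order, and the disable/enable state machine is only correct when events are replayed chronologically.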
CYBER ATTACKS – A HISTORICAL COMPILATION BY INFOQUEST RESEARCH TEAM
The Infoquest Research team has compiled a series of attacks reported worldwide; the list is evidence that cyber attack is a global issue and will continue to remain so.
1. Also known as Skywiper and Flamer, Flame is modular computer malware discovered in 2012 that was used to attack computer systems in Middle Eastern countries running Microsoft Windows as their operating system. Used by hackers for espionage purposes, it infected other systems over a local area network (LAN) or USB stick, including over 1,000 machines belonging to private individuals, educational institutions and government organizations. It was discovered on May 28, 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT), the CrySyS Lab and Kaspersky Lab.
2. These were a series of coordinated attacks against major government, financial and news agency websites of both the United States and South Korea, involving the activation of a botnet. A number of hijacked computers flooded the targets with traffic and overloaded their servers, a distributed denial of service (DDoS) attack. Estimates of the number of hijacked computers varied by source: 50,000 from Symantec’s Security Technology Response Group, 20,000 from the National Intelligence Service of South Korea, and more than 166,000 from Vietnamese computer security researchers who analyzed the two servers used by the invaders.
3. The Canadian government revealed to news sources that it became a victim of cyber attacks in February 2011 from foreign hackers with IP addresses in China. These hackers were able to infiltrate three departments within the Canadian government and transmit classified information back to themselves. Canada eventually cut off the internet access of the three departments in order to stop the transmission to China.
4. PayPal became a victim of cyber attack in December 2010 after it permanently restricted the account used by WikiLeaks to raise funds, citing violation of its Acceptable Use Policy as the reason. This not only resulted in multiple boycotts by individual users but also caused hackers to move in.
5. The biggest protest movement against the Church of Scientology was conducted by Anonymous, a leaderless group of internet-based hacktivists that originated on 4chan. Project Chanology originated from the church’s attempt to remove from the internet material from a highly publicized interview with Tom Cruise, a prominent member of the church, in January 2008. It started with a YouTube “Message to Scientology” on January 21, 2008 and was followed by distributed denial of service (DDoS) attacks, prank calls, black faxes and other methods, motivated by the group’s view of the internet censorship practised by Scientology.
6. An English-language imageboard website used for posting pictures and discussing Japanese manga and anime, 4chan was launched on October 1, 2003 by a bored 15-year-old student from New York City named Christopher Poole. Since users of the website can post anonymously, experts believe its users were able to pull off some of the largest collective actions in the history of the internet. One of their victims was Hal Turner, whose radio show was hit with DDoS attacks and prank calls from December 2006 to 2007. Later that year, the private Yahoo! Mail account of Sarah Palin, who was running as the Republican vice presidential candidate in the 2008 US presidential election, was hacked by a 4chan user, resulting in criticism of the use of private email accounts for government work.
7. Despite the country’s reputation as an IT and software powerhouse, India reported 13,301 cyber security breaches in 2011. However, the biggest cyber attack the country has faced occurred on July 12, 2012, when hackers penetrated the email accounts of 12,000 people, including high officials from the Defence Research and Development Organisation (DRDO), the Indo-Tibetan Border Police (ITBP), the Ministry of Home Affairs and the Ministry of External Affairs.
8. Iran was subjected to cyber attacks in June 2010 when its nuclear facility in Natanz was infected by Stuxnet, a cyber worm believed to be a combined effort of Israel and the United States, though no one claimed responsibility for it. The worm destroyed 1000 of Tehran’s nuclear centrifuges and set back the country’s atomic program by at least two years; it also spread beyond the plant and infected over 60,000 computers. The Iranian government has in turn been accused of its own cyber attacks on the United States, Israel and other countries in the Arab Gulf, including alleged involvement in the hacking of American banks in 2012.
9. A coordinated cyber attack by anti-Israel groups and individuals, #OpIsrael was a DDoS assault timed for April 7, 2012, the eve of Holocaust Remembrance Day, with the aim of erasing Israel from the internet. Websites targeted by these hacktivists included the financial and business sectors, educational institutions, non-profit organizations, newspapers and privately owned businesses in Israel.
10. Yahoo was also subjected to cyber attacks originating from China in an action called ‘Operation Aurora.’ The operation was conducted by the Elderwood Group, based in Beijing and with ties to the People’s Liberation Army, using advanced persistent threats from mid-2009 to December 2009. It was disclosed in a blog post by Google on January 12, 2010 and was aimed at a number of organizations besides Yahoo, including Rackspace, Juniper Networks and Adobe Systems, with the goal of gaining access to and modifying their source code repositories.
11. Considered the biggest cyber-attack in history, the attack on Spamhaus, a filtering service used to weed out spam emails, turned home and business broadband router owners into unsuspecting participants when their routers were abused. Thousands of Britons used Spamhaus on a daily basis to determine whether or not to accept incoming mail. On March 18, 2013, Spamhaus added Cyberbunker to its blacklist, and Cyberbunker and other hosting companies retaliated by hiring hackers to put up botnets, which also exploited home broadband routers, to shut down Spamhaus’ systems.
12. Citigroup, one of the largest financial giants in the world, provides ample incentive for hackers to organize an attack because of the vast amount of wealth and sensitive information that flows through the company daily. In 2011, the records of over 200,000 customers, from contact details to account numbers, were compromised, resulting in a $2.7 million loss for the company.
13. The trusted payment processor Heartland Payment Systems also fell into the trap set by Albert Gonzalez of Shadowcrew fame, responsible for stealing over 100 million individual card numbers and costing Heartland more than $140 million in damages incurred in 2008. Besides the damages, it also besmirched the company’s motto, “The highest standards – The Most Trusted Transactions.” This proved to be Gonzalez’s last ruse, as he was found guilty of his crimes and sentenced to 20 years in prison.
14. In 2007, Hannaford Bros, a grocery retailer, suffered a four-month-long breach in which over 4.2 million credit and debit card numbers and other sensitive data were stolen by a group of hackers who installed malware on the stores’ servers rather than on the company’s databases. This was masterminded by Albert Gonzalez, who also hacked TJX, Heartland Payment Systems, BJ’s Wholesale Club, Barnes & Noble, DSW, Boston Market and Sports Authority. Gonzalez was behind Shadowcrew.com, where stolen account numbers and counterfeit documents were auctioned off to the site’s 4,000 registered users, and which also offered tutorials and how-tos on using cryptography in the magnetic strips on credit cards – a virtual playground for thieves.
15. An ongoing series of cyber attacks that started in mid-2006, Operation Shady RAT has hit at least 72 organizations worldwide, including the International Olympic Committee, the United Nations, businesses and defense contractors. Discovered in 2011 by Dmitri Alperovitch, Vice President of Threat Research at McAfee, it was assumed that the People’s Republic of China was behind it. The operation’s name was derived from the common security industry acronym for Remote Access Tool (RAT), and the operation was behind the cyber attack on the 2008 Summer Olympics.
16. TJX, a Massachusetts-based retailing company and owner of TJ Maxx and Marshalls, was just one of the many retailers hacked by Albert Gonzalez and a group of hackers from Shadowcrew. They siphoned off 45 million credit and debit card records, which they used to fund a million-dollar shopping spree on electronic goods from Wal-Mart. The data breach resulted in $250 million in damages; Gonzalez and 10 of his crew had sought their targets by wardriving, looking for vulnerabilities in wireless networks along US Route 1 in Miami.
17. Sven Jaschan, a German college student who confessed to being the author of the Netsky and Sasser computer worms, unleashed a virus in 2004 on his 18th birthday that had resounding effects all around the world. Though the estimated damage was pegged at $500 million, experts believed it could have been more, as it disabled Delta Air Lines’ computer system and resulted in the cancellation of several transatlantic flights. Microsoft placed a $250,000 bounty on his head, and he was captured after a three-month manhunt.
18. Michael Demon Calce from West Island, Quebec was just an ordinary 15-year-old, but in cyberspace he is famous as ‘MafiaBoy.’ He gained notoriety in 2000 for hacking companies with high-level security, including computer giant Dell, Yahoo, Fifa.com, Amazon, eBay and CNN, with estimated damages of $1.2 billion, not including his attacks on 9 of the 13 root name servers. However, he received only eight months of ‘open custody,’ one year of probation, a small fine and restricted use of the internet from the Montreal Youth Court.
19. During the 2008 presidential race, suspected hackers from China or Russia attacked the computer systems used in the campaigns of both Barack Obama and John McCain, including emails and sensitive campaign data. Because of the breach, the FBI confiscated all the computers and electronic devices, while many people hoped the FBI would keep secret whatever it might have dug up from the campaign trail.
20. In 2011, 77 million PlayStation Network and Sony Online Entertainment accounts, including users’ credit and debit card information, were stolen by an unknown group of hackers. The outage from the external intrusion has an estimated damage of $1 to $2 billion; and the worst thing that can happen to dedicated gamers happened, as hackers were able to log on even while the company was trying to fix the breach, an outage that lasted 24 days.
21. The government of Estonia was subjected to cyber terrorism on April 27, 2007 by Nashi, a pro-Kremlin group from Transnistria. One of the largest attacks after Titan Rain, it employed a number of techniques such as ping floods and botnets to penetrate and take down key government websites, rendering them useless. The methods were so sophisticated that the Estonian government believed the attackers might have had aid from the Russian government. What triggered the attacks was the Estonian government’s relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era war grave marker and an important icon to the Russian people, together with the war graves.
22. One of the costliest cyber attacks in history, the 2011 data breach at Epsilon, the world’s largest provider of marketing and handling services to industry giants such as JP Morgan Chase, Best Buy and other major financial services firms, retailers and other major companies, has an estimated damage cost ranging from $225 million to $4 billion. The hackers’ targets were email addresses they could use for their criminal activities, making the implications a lot greater than estimated.
23. One of the earliest forms of major infiltration in which hackers penetrated American computer systems at will, Moonlight Maze was an accidental discovery by US officials and was believed to have been conceived by the Russians, although they denied involvement. In this cyber attack, hackers targeted military maps and schematics and other US troop configurations from the Pentagon, the Department of Energy, NASA and various universities and research labs in unremitting attacks that were discovered in March 1988 but had been going on for nearly two years.
24. In 2004, Shawn Carpenter discovered a series of coordinated ‘cyber raids’ which the FBI believed originated from government-supported cells in China. Dubbed ‘Titan Rain,’ the hackers were able to infiltrate several computer networks, including those at NASA, Lockheed Martin, Redstone Arsenal and Sandia National Laboratories. Considered one of the biggest cyber attacks in history, these acts not only made off with military intelligence and classified data but also paved the way for other hackers and espionage entities to infiltrate these systems, as the attackers left backdoors or ‘zombified’ the machines.
25. During the Cold War in 1982, the CIA found a way to disrupt the operation of a Siberian gas pipeline of Russia without using traditional explosive devices such as missiles or bombs. Instead, they caused the Siberian gas pipeline to explode using a portion of code in the computer system that controlled its operation, in what they called a “logic bomb.” The chaos that ensued was so monumental that the resulting fire was even seen from space.
BIBLIOGRAPHY
1. www.wired.com
2. The New Yorker
3. The Atlantic
4. YouTube documentaries
SECURITY ISSUES WITH “HTTPS://” EVEN – WHY?
ABIR ATARTHY,
SR.CONSULTANT, CYBER SECURITY, TCG DIGITAL SOLUTIONS PRIVATE LIMITED
Ever since Google announced that from January 2017 it planned to flag many HTTP sites as “not secure” in version 56 of its Chrome browser, the web has gone nuts for HTTPS. Google is not alone in pushing for an encrypted Internet. In 2015, the White House announced that all publicly accessible federal websites must use a secure connection by the end of this year. At https://www.whitehouse.gov/blog/2015/06/08/https-everywheregovernment it is clearly written: “Today, the White House Office of Management and Budget (OMB) issued the HTTPS-Only Standard directive, requiring that all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection…” According to a report in Wired (www.wired.com), the “Let’s Encrypt” initiative of the Internet Security Research Group (ISRG) has helped 3.8 million sites move to a secure connection. Many security professionals, including developers, derive a false sense of security from imagining that if a site is HTTPS then it must be secure. As a result, several other parameters of website security are erroneously treated as lightweight and often overlooked, and hackers and cyber criminals have a field day, since this gives them ample room to discover loopholes for exploitation, which may finally lead to serious data breaches. I would like to emphasize here that HTTPS is an important technology for securing websites and must be widely adopted. However, it is important to keep in mind that it is not a panacea for all website-related security issues, and exclusive dependence on HTTPS at the cost of ignoring other parameters may well be a recipe for disaster.
WHAT IS HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is transmitted between your browser and the website to which you are connected. The confusion is rooted in the use of the word “secure” in the protocol name itself. It must be understood that the HTTPS protocol does not cover the entire spectrum of security. It only ensures that all communication between your browser and the website is transmitted in encrypted form, so that the data travelling between your browser and the web server is safe in transit, since attackers will find it difficult to meaningfully intercept such encrypted traffic. This type of interception is known as a “Man in the Middle” (MITM) attack. However, it is important to keep in mind that MITM attacks are a relatively small area in the overall scheme of securing a website. The process of securing a website is much more complex. SQL injection, DDoS attacks, cross-site scripting, shell uploading, file inclusion, buffer overflows and brute-forcing of access controls are some of the well-known attack techniques by which vulnerabilities are exploited to compromise a site. HTTPS cannot prevent an attacker from using such techniques. Even with respect to HTTPS itself, there is the possibility of a downgrade attack, wherein an encrypted connection is abandoned in favour of a lower-quality mode such as clear text. HTTPS pages typically use one of two secure protocols to encrypt communications:
1. Secure Sockets Layer (SSL) protocol
2. Transport Layer Security (TLS) protocol
Several critical vulnerabilities such as Browser Exploit Against SSL/TLS (BEAST), the Heartbleed bug, the Logjam attack, the POODLE attack and the DROWN attack exist for the SSL and TLS protocols. Since the objective of this article is to make readers generally aware of some of the security pitfalls of HTTPS, I have not discussed any of these vulnerabilities specifically here. In the next few paragraphs, I share my thoughts on four popular beliefs regarding how HTTPS secures websites.
AUTHENTICATION:
This is one of the main reasons why HTTPS is used. With HTTPS, the true owner of a website can be authenticated, which ensures that all the data being sent is going to the right server. Last year quite a few fake SSL certificates were identified, mimicking legitimate certificates from banks, e-commerce sites, Internet Service Providers (ISPs) and social networks. Coming across such a bogus certificate could put a user at risk of a man-in-the-middle attack.
Posing as authentic certificates from Google, Facebook, GoDaddy, YouTube and iTunes, just to name a few, these unsigned certificates were quite likely to dupe any unsuspecting individual using a conventional browser. The popular site Netcraft discovered a fake Google certificate being served by a machine in Romania that claimed to have been issued by “America Online Root Certification Authority 42”, a non-existent and bogus entity masquerading as America Online. In another instance, a certificate was found impersonating the POP mail server of GoDaddy, which could enable capturing mail credentials, issuing password resets and stealing sensitive data. Certificate spoofing could become a significant threat in the near future. In such cases, an attacker could also sniff online banking transactions using a “Man-in-the-Middle” attack on the network. Several organizations continue to place their trust in certificate-based authentication and allow users to authenticate to sensitive applications that way. The time has definitely come to rethink such strategies objectively.
ENCRYPTION:
There should not be any doubt about the importance of encryption, and by providing encryption HTTPS is indeed fulfilling an important need. HTTPS encrypts traffic from the browser to the web server. However, it says nothing about how the data is stored on the server. After decryption, is the data stored in encrypted form? Are strong encryption algorithms used? From LinkedIn to Sony, millions of usernames have been leaked along with their credentials. If the top tech giants cannot protect their data, it is better not to comment on mid-level companies. Rarely do we see encryption traversing the entire information lifecycle!
HTTPS PROTECTS AGAINST PHISHING ATTACKS:
In phishing attacks, criminals set up bogus websites that mimic the originals. They trick unsuspecting and ignorant individuals into disclosing their username, password and other credentials, and thus gain illegitimate access to an online account. An HTTPS certificate assures you that you are communicating with the legitimate owner of a website. That is the way it should be! But the fact of the matter is that a website hosting a phishing page may also display the secure lock symbol of an HTTPS site, thus claiming legitimacy. The only way to verify the authenticity of the site is to click on the lock symbol and verify that the certificate comes from an acceptable source. Practically speaking, how many of us actually do that? Almost all users see the lock symbol, take it for granted that the website is trustworthy and proceed with all their transactions.
CREDIBILITY OF CERTIFICATE AUTHORITY:
A Certificate Authority (CA) is a third-party organization that acts as a central trusted body empowered to issue and validate digital certificates. There are literally hundreds of such organizations empowered to issue valid SSL certificates for any domain, despite the fact that you may already have purchased one from another CA.
This is one of the major loopholes in the CA system. Last year Google discovered that Symantec, a CA, had improperly issued a duplicate certificate for www.google.com to someone else, albeit mistakenly. In July 2014, Google found that the National Informatics Centre (NIC) of India was using unauthorized digital certificates for some of its domains. Within twenty-four hours, the Indian Controller of Certifying Authorities (India CCA) revoked all the NIC intermediate certificates, and a CRLSet was also issued to block the fraudulent certificates in Chrome. In another instance, in late 2013, Google discovered that fake digital certificates for its domains were being used by a French government agency to perform man-in-the-middle attacks. In March 2011, Comodo, a popular Certificate Authority, was hacked to issue fraudulent certificates for popular domains, including mail.google.com, addons.mozilla.org and login.yahoo.com. The above should act as an eye-opener: it is dangerous to trust CAs blindly. HTTPS adoption will grow a great deal, and it is needed, but when we talk about website security, emphasising HTTPS alone will not make your site safe. This is the point all of us technology people need to understand.
SUPPLY-CHAIN: A NEW BATTLE GROUND
UDAY MITTAL,
CONSULTANT AT DATA SECURITY COUNCIL OF INDIA (DSCI)
AUTHOR’S BIO
Uday Mittal is a security and privacy professional with rich working experience across various industries, including telecom, publishing and consulting. He holds internationally recognized certifications such as OSCP, CISSP (Associate) and DCPP, among others. He has spoken at various forums on cybersecurity awareness and has authored various articles on topics related to cyber security and software development for Open Source For You magazine.
BACKGROUND
Over the past few years, a new cyber-attack vector has surfaced. It has proven to be more potent than other attack vectors, with a wider impact. It starts by strategically seeking out the organization with the weakest security controls in the target’s supply chain and compromising it. The aim is to infect a component in the supply chain so that the malicious payload enters the target network without being detected. These attacks are termed supply-chain attacks. Supply-chain attacks leverage Advanced Persistent Threats (APTs) to determine the weakest member of the supply chain. These APTs infect the member firm’s offering, for example by injecting a rootkit into its software product, or steal credentials, such as tokens, usernames and passwords, for the target organization’s network. Both of these mechanisms provide attackers with easy access to the target organization. Depending upon the nature of the member firm’s offering, this attack vector can be used to target a single organization, as in the case of the Target breach, or multiple organizations, as demonstrated by the recent CCleaner attack. These attacks have gained popularity because they provide a wider reach for similar effort. Imagine an attacker spending ten hours to infiltrate a single organization versus an attacker spending eight hours to compromise the weakest supply-chain member and infiltrate multiple organizations. This became evident in the recent NotPetya attack, where a popular tax accounting software package was used to deliver the malicious payload. Attackers compromised the software firm’s update servers and injected the malware into an upcoming update of the software. As a result, any system that downloaded the update was infected. This attack impacted several big organizations; one of them, a large shipping corporation, reported a loss of over $200 million. Recently, security researchers from a threat intelligence firm discovered another supply-chain attack. This attack used a popular PC optimization tool as a carrier for a two-stage backdoor. The tool is used by over 75 million users worldwide, and it was reported that approximately 2.27 million users were affected by the malware-laden version of the software. Attackers had penetrated one of the software firm’s update servers and injected a backdoor capable of remotely executing code on the affected systems. Such code can also be used to download and execute further malware on the system. This attack was reported to target top technology companies. Earlier, malware authors had to rely on manual ways to spread their creations. With supply-chain attacks this has become much simpler: attackers can simply inject their malware into a piece of software and let the supply chain take care of distribution. This increase in scalability makes them capable of being leveraged for a global cyber-attack. One such scenario is depicted in Carey Nachenberg’s novel, The Florentine Deception, in which a refurbished PC unfolds a plot for a massive cyber-attack. This is no longer just a piece of fiction. As demonstrated by the recent cyber-attacks, supply-chain attacks have become a powerful weapon in the cyber criminal’s arsenal. Another factor that works in favour of supply-chain attacks is their low detectability. They are difficult to detect because they piggy-back on a trusted source, as seen in the case of the CCleaner and NotPetya attacks.
A common countermeasure recommended against these attacks is a smaller supplier base and strict vendor control. This may work where there is a direct contract between the parties. However, it becomes difficult to implement when relying on off-the-shelf software such as CCleaner, or even Microsoft Windows for that matter. Supply-chain attacks often have a devastating reputational impact on the organization whose servers were compromised. For instance, after the NotPetya attack, the servers of MeDoc were seized and the threat of criminal charges loomed large over the organization. MeDoc is a Ukraine-based software company whose software product was used as the carrier for the NotPetya malware. The popularity of supply-chain attacks affects the software industry at large. It undermines the trust relationship between software firms and their customers: customers will now feel wary of installing updates and patches even from firms that have not been affected by such attacks. Supply-chain attacks have raised an important question about accountability for cybersecurity in the supply chain. While each member is individually responsible for the security of its own network, security should also be considered a collective responsibility of all members of the supply chain. A lapse in the security of one member could affect all the others. Hence, members should ensure that other participants in the supply chain are also following stringent security controls.
CYBER SECURITY IS AN EXISTENTIAL THREAT
ORION HINDAWI,
CO-FOUNDER OF CALIFORNIA-BASED CYBERSECURITY COMPANY TANIUM
The hardest challenge for cybersecurity in 2017 won’t be social engineering or the rise of ransomware or even state-sponsored cyberattacks. It will be scalability. Just ten years ago, a typical large enterprise had around 50,000 endpoints - devices, such as computers and point-of-sale terminals, on a network. Today, people can have hundreds of data-collecting devices about their bodies and homes. Smartphones and internet of things (IoT)-enabled hardware in the workplace have taken network endpoint counts into the hundreds of thousands. By 2020, networks with tens of millions of endpoints will be the norm. A massive amount of innovation has created a booming hardware ecosystem of wristband health trackers, smart thermostats, connected pacemakers and more. To go to market, the industries that develop, manufacture and manage these devices have solved big engineering problems - form factors, low power consumption and connectivity, among others - but they haven’t yet solved security. In 2017 this will change, because it must: the innovation trajectory will grind to a halt if we don’t collectively secure the networks that manage, protect and analyse IoT devices and the valuable - and potentially dangerous - data they collect. Cybersecurity, much of which is still from the 20th century, needs to catch up with today’s ecosystem. IoT devices have a problem on two fronts: the data on the device itself, and the cloud-based software that synthesizes and manages this data. Manufacturers should be routinely building cybersecurity into their product development life-cycle. Some companies, like Apple, lead the way, but work needs to be done. How do we do this? We can no longer protect networks the way we did 30 years ago, with tools not built to match the speed of modern hackers and the scale of modern companies. Today, hackers can get in and out of a network within minutes, yet companies still depend upon sluggish “hub and spoke” architectures to monitor their IT. A central hub sends a signal individually to each endpoint (the spokes) and awaits an answer from each; collecting all the answers can take weeks, well after an attacker has vanished without a trace. Additionally, such a system can rarely exceed 150,000 endpoints. Many large companies are modernizing their IT systems, but we need to do more. We have more devices, more data, more threats, more sophisticated attacks and more attackers. We must band together as an industry to push in the opposite direction: towards lightning-quick solutions at a grand scale. It’s our only hope. And over the next decade, companies that promise results without speed and scale will disappear. Government will also play a considerable role. If you look at the drivers for catastrophic failures - war, industrial accidents, power failures – it’s governments that create buffers against them.
Breaches are hurting companies every day. Corporate espionage is now a cyber exercise. When you want to cause harm to another person, you can do that through cyber theft and doxing - publishing sensitive information online. It’s a reasonable expectation that our next war will be cyber. Because government regulates industries that can cause harm, common-sense standards - as in the payments industry and in health - are necessary. There is cause for optimism: a decade ago, no one cared about cybersecurity. We had no emotional connection to the issue. Today, cybersecurity stands as an existential threat at the highest levels of industry and government, and we have some of the world’s greatest minds focusing on how to deal with it. We’ve had major attacks, but we haven’t yet had “the big one”. With urgency, collaboration and the best tools, we’ll make real progress to ensure it never happens.
EFFECTIVENESS OF ISO 27001
AUTHOR’S BIO
Colin Brown began his working life in 1977 as an engineering apprentice in one of the UK’s major telephony manufacturing plants. He progressed through quality roles and has seen the evolution of the quality industry from its earliest origins. He joined one of the UK’s major certification bodies as a lead assessor before returning to industry as Quality Manager for a UK-based multinational. Presently he is an independent quality auditor.
COLIN BROWN,
ISO CONSULTANTS, UNITED KINGDOM
Many companies regard ISO 27001 implementation as difficult and expensive, and some specialist consultants are quite happy for this illusion to remain and their fees to roll in. My opinion differs. ALL businesses need control of their information security, and many of those who helped write ISO 27001 are world leaders in this area. So why not take advantage of their advice, get hold of a copy, and adopt the sections which will add value to your business? The standard aims to install a method of systematically managing the security of all your business information, safeguarding your business, and that of your suppliers, customers and staff, from those external bodies wishing to take advantage of it. So, if you try a few of the principles and find they work, then maybe you should look at implementing all elements of the standard, or even gaining certification against ISO 27001. Not only can this safeguard your own valuable information, but in many parts of the world certification against ISO 27001 is becoming a key requirement of customers. So gaining certification can open the gates to new customers, new markets, and even new regions of the world.
HERE ARE SOME DEEP-ROOTED BASICS:
1. Get commitment and support from senior management. ISO 27001 is not an IT department standard, but an information standard. Perhaps a description of the consequences for the whole business of an IT security failure may concentrate minds. Sadly, the vital importance of IT security is often only recognized when something goes very wrong indeed.
2. Engage the whole business with good internal communication. Occasionally, IT departments, busy fighting the inevitable and frequent “fires”, can be their own worst enemy. As per point 1, a clear portrayal of potential consequences will help the whole organization realise that ISO 27001 implementation is more than an IT department administration issue.
3. Compare existing information security management with ISO 27001 requirements. You may find, surprisingly, that you are using parts of “best practice” already, and reinventing the wheel will not be necessary. Many companies are daunted by the prospect of ISO certification, but discover that they are applying some of the principles anyway.
4. Get customer and supplier feedback on current information security. Without making them too alarmed about your current state, ask what their requirements are, in the light of your consideration of ISO 27001 implementation and certification. This may be a rich source of “pointers”.
5. Establish an implementation team to get the best results. Again, this may be a chance to break out of the IT department ghetto and “spread the word” about security. It’s also going to help with point 2 above if you have some corporate “champions” throughout the company.
6. Map out and share roles, responsibilities and timescales. As a caution to point 5, it is possible, with too many team members, to generate more heat than light. Implementation is unlikely to be perfect from day one. Adjustments will be inevitable. The key issue is to move forward, not duplicate activity, and at least have a framework and objectives to revisit. So, getting started is good. And often the hardest part.
7. Adapt the basic principles of the ISO/IEC 27001 standard to your business. You need to find out what these are first, and ideally have an ISO consultant on board who will be able to reinterpret them and make sure they are practical in your specific business.
8. Motivate staff involvement with training and incentives. Keeping it simple and accessible will be the key. Once again, you will certainly have to “sell” the changes to the wider audience. But make sure that you “sell the sizzle, not the sausage”. Practical examples of application (or non-application) are vital.
9. Share ISO/IEC 27001 knowledge and encourage staff to train as internal auditors. The best evangelists will be the earliest converts. Plus, regrettably, the average IT team is not all-knowing, and a broader corporate team will have task-based insights that only they could discover. ISO 27001 needs to move out of the IT department as soon as possible in order to be truly effective.
10. Regularly review your ISO/IEC 27001 system to make sure you are continually improving it. “Constant change is here to stay”. As per the point above, implementation of ISO 27001 is a journey, not a destination. It’s good to start, as that’s often the hardest part, but its champions need to realise that its application, and hence its effectiveness, changes as quickly as the IT industry does.
Cybercrime is one of the fastest growing areas of crime. More and more criminals are exploiting the speed, convenience and anonymity that modern technologies offer in order to commit a diverse range of criminal activities. These include attacks against computer data and systems, identity theft, the circulation and publication of sexual abuse images, the use of social media to harm the reputation of an individual, the penetration of online financial services, as well as the spreading of viruses and botnets, and various email scams such as phishing, lottery frauds, job frauds etc. In the past, cybercrime was committed by individuals or small groups of individuals. However, an emerging trend is that traditional organized crime syndicates and criminally minded technology professionals are working together and pooling their resources and expertise. In conventional crime the perpetrator or his associates generally have to be physically present to commit the offence, but in cybercrime the perpetrator need not be physically present at the crime scene or place of occurrence. The cybercriminal can use a computer resource or communication device either as a tool for committing the crime or as its target; he can remotely access the victim’s computer system and commit the offence. Users of the Internet need to be aware of the different types of cybercrime and should take some measures so that they are not vulnerable in cyberspace. Facebook, WhatsApp and Twitter are the most popular social media on the Internet, but people should secure their respective accounts by enabling the security settings available in those websites and messaging applications. Sharing of personal information may invite unsolicited harassment. Accepting a friend request from an unknown person may lead anyone, particularly women, to become a victim of sexual abuse.
If any person uses the Internet in a prudent way, he/she may not become a victim of cybercrime. Teenagers are frequent users of the Internet and are the most vulnerable on online social media; if they are not guided by their parents about the use of the Internet, they may fall prey to its dark fringe. Two basic steps are required of any person using the Internet: 1. a strong password, and 2. two-step authentication or two-step verification. It is very difficult to hack any email ID or any account/profile on online social media if a person has a strong password (a combination of alphabetic, numeric and special characters) and uses two-step verification for his email ID and any other online account.
THE FOLLOWING ARE THE DIFFERENT TYPES OF CYBER CRIME:
Phishing: The perpetrators send an inducing email with a link, or create a lookalike website, and stealthily collect passwords, phone numbers, bank account numbers and other personal information, then commit crime using that information. It has been seen that lakhs of rupees were fraudulently transferred online from a victim’s account without any knowledge of the said person.
Hacking or unauthorised access: This is the most common in the arena of cyber offences. It is seen that victims are not serious about using a strong password or two-step verification. Sometimes they share the password, or ask others to create an email ID or Facebook profile on their behalf and do not change the password afterwards. It is also seen that the mobile number, a son’s or daughter’s name, a vehicle number etc. is used as the password and is thus easy to guess.
Creation of fake/impersonating profiles: The miscreants create a fake profile in the name of the victim using his/her name and photograph, and upload false information or morphed pictures of the victim. The photographs are easily available from the original profile. Moreover, the wrongdoers send friend requests from the fake profile to the friends of the victim, who are unaware of this and accept the request without verifying the authenticity of the profile with the victim. The security settings of a Facebook profile should be properly maintained to avoid this type of offence.
Cyber obscenity: The phone number, address and photograph of the victim are uploaded on different adult websites or free classified advertisement websites with sexual content, which invites numerous unsolicited calls from different persons with indecent proposals. Personal information like phone numbers and addresses should not be shared in any public domain.
Online sexual harassment: The alleged persons morph the photograph of the victim girl and transmit it to the victim and her friends to blackmail her as well as to harm her social reputation. It is seen that the victim girl is befriended through Facebook and shares her personal photographs as well as the phone numbers of her relatives through Facebook Messenger or WhatsApp. Later the relationship turns sour and the perpetrators take revenge by transmitting the said photographs to the relatives of the victim girl.
Offence through matrimonial websites: There are various matrimonial websites, and the intending person, particularly a woman, does not verify the information and photograph in the profile of the intending groom. The victim shares her personal email ID, phone number and even address before meeting personally. Moreover, the alleged person cheats the victim of money.
Job cheating: Job seekers furnish detailed information like email ID, phone number and CV on different job-related websites. The perpetrators collect this and send inducing emails to the intending job seeker. They also ask for money in the form of registration, interview or visa charges etc. The intending job seeker falls prey to the said malicious offer. It is to be noted that a renowned company does not use a free email domain.
Defacement of websites: The miscreants, after hacking the website of a reputed institution or organisation, deface it by changing the contents of the website and inserting obscene pictures, offensive comments etc. In most cases it is seen that the affected organisation uses a shared server.
THREAT OF CYBER ATTACKS IN SMART CITIES
COL INDERJEET SINGH
AUTHOR’S BIO
An established thought leader in the industry and a distinguished speaker in various national and international forums. An information security expert with over 26 years of experience, Colonel Inderjeet Singh used to work with the Ministry of Defence before moving to the corporate sector. He is a Security Evangelist, Security Analyst and freelance writer with a wide area of interests.
Smart cities are the outcome of the integration of technologies with new and existing urban landscapes. “Smart Cities” would bridge cyber-physical technologies and infrastructure for improving the overall quality of life. In times to come, smart cities will provide businesses with efficiency and unprecedented economic opportunities. In effect, the transformation of today’s cities into smart cities will be an amalgamation of two major technologies – millions of Internet of Things (IoT) devices dispersed across a city, and a network that connects all of these nodes together and enables real-time communication. By the year 2020, there would be more than 50 Billion IoT devices that will transform the way we live and work.
CITIES ARE BECOMING SMARTER BY DEPLOYING NEWER TECHNOLOGIES, SUCH AS:
• Smart Traffic Control.
• Smart Parking Application.
• Smart Street Lights.
• Smart Surveillance Network.
• Smart Public Transportation.
• Smart Energy Management.
• Smart Water Management.
• Smart Waste Management.
VULNERABILITIES OF SMART CITIES
Every new technology also brings new risks and vulnerabilities, and so does the Internet of Things. Risks and vulnerabilities of Internet of Things (IoT) devices would impact the city administration, residents, businesses and other organizations alike. IoT-based smart devices are the enabler for effectively converting an existing city into a smart city. They are extensively utilized in traffic and surveillance cameras, meters, streetlights, traffic lights, smart pipes and sensors; they are easy to implement and at the same time even easier to hack, due to the lack of stringent security measures and insecure encryption mechanisms. This is a major point of concern, as smart cities are implementing newer technologies at a very fast pace without testing them for cyber threats and vulnerabilities. As cities become smarter, consider what could happen if one or more technology-reliant services fail to work.
• What would commuting look like with non-functioning traffic control systems, no streetlights, and no public transportation?
• How would citizens respond to an inadequate supply of electricity or water, or to dark streets and no cameras?
• What if garbage collection is interrupted during the summer and the smell of refuse stinks up the streets?
It is anybody’s guess that it would be unpleasant and would probably cause a lot of chaos in any city. When prolonged, interruptions to sanitation or other basic services go beyond unpleasant odours and inconvenience; it does not take long before these issues create major concerns. If a cyber-attack on a smart city causes an inadequate supply of electricity or water, or trips the complete electricity grid, dark streets and/or no cameras, and the hackers ask for a ransom to restore the services, then how would citizens respond? Cyber threats and vulnerabilities will be presented with an unprecedented attack surface in smart cities due to the significant increase in the number of inter-connected IoT devices. Smart IoT devices create huge potential for cyber-attacks due to numerous vulnerabilities, making smart cities more vulnerable than today’s computers and smartphones. People residing in smart cities might face a panic attack when they are made slaves of their “Cyber Masters/Criminals for Ransom.” This scenario might not be as unlikely as you think. Problems in cyber security could be triggered at any time, causing devastating effects.
CYBER ATTACKS ON SMART CITIES
Simple bugs can cause big problems and have a big impact. Whether it’s the water dam in Rye Brook or power grids, financial institutions, water systems or online networks, all these infrastructures are going to be at risk and under assault like never before, and we need to do more about it. Recently, a police department in Massachusetts paid $750 to get its files back after being hit by ransomware. In February 2016, California‘s Hollywood Presbyterian Medical Center paid a ransom of about $17,000 in Bitcoins, one of at least six major health care systems victimized so far this year. In March 2016, the city of Plainfield, New Jersey, faced a demand for about $700 in Bitcoins to unfreeze its municipal servers. In addition, there were the recent attacks of the WannaCry and Petya ransomware. Technologies used by smart cities would pose a major cyber security threat and open the door for several possible cyber-attacks. Each smart city creates a new opportunity for cyber attackers. Some of the key technologies and systems that together make up the smart city’s complex attack surface are:
• Traffic Control Systems. Traffic control systems could be easily hacked, as some of the devices used have no encryption for the communication between traffic control systems and traffic lights, traffic controllers, and so on, allowing an attacker to directly change traffic lights.
• Smart Street Lighting Systems. Wireless street lighting systems being deployed in many cities around the world use wireless communications and have the same encryption-related problems. Attacks on smart street lighting systems are not complex and can have a big impact by causing street blackouts in large areas.
• City Management Systems. Every city has hundreds of systems to manage different services and tasks. Hacking these systems would give an attacker many options to cause harm. Just as simple software bugs can create significant harm, manipulating simple information could also have a seemingly oversized security effect.
• Cloud and SaaS Solutions. City servers and cloud infrastructure are exposed to DDoS attacks. Servers and cloud infrastructure are cheaper targets for cybercriminals or cyber terrorists.
• Smart Power and Water Grid. Attacks on a smart power or water grid could be devastating, causing millions of dollars in losses and even loss of life.
• Public Transportation. Just by displaying incorrect information through manipulated public transportation information systems, it’s possible to influence people’s behaviour to cause delays, overcrowding, and so on.
• Surveillance Cameras. Traffic and surveillance cameras are the eyes of any city, and by attacking them attackers can make the city blind. DDoS attacks on these have long-term damaging effects.
• Location-based Services. Location-based services extensively use GPS, so spoofing and other attacks are possible. People get real-time location information, and if the location is wrong, people will make decisions based on incorrect information.
The nature of the impact depends on the extent to which a city relies on the services affected.
CHALLENGES IN IMPLEMENTATION OF CYBER SECURITY
Cyber war scenarios make city technologies an important and interesting target. Cyber-attacks will target city services and infrastructure. Cyber-threats are expanding in every way, from attack frequency to scale, sophistication and impact severity. Present-day viruses and malware using machine learning and artificial intelligence are also on the rise. There are a large number of challenges in ensuring cyber security while implementing smart cities, such as:
• Lack of Cyber Security Testing
• Encryption Issues of IoT Devices and Network Components
• Lack of Computer Emergency Response Teams
• Patch Management Issues
• Insecure Legacy Systems
• Lack of Cyber Attack Emergency Plans
• Susceptibility to Denial of Service
• Proliferation of “Smart” Devices or The Internet of Things
• Lack of Security Life Cycle Management.
SECURING AGAINST CYBER ATTACKS
Ensuring that smart cities are secure against cyber-attacks will require the identification and prioritization of critical infrastructure and assets, and behaviour-based security: establishing a benchmark of normal operations for all critical infrastructure and assets, and continuously ensuring that all parts of the city adhere to that benchmark. Businesses operating public or private infrastructure that want to enhance their cyber security against ransomware can start by:
• Adopting or creating a cybersecurity framework.
• Setting explicit policies covering the selection of systems, procurement of systems, management of systems, who accesses systems, and the manner in which technology is disposed of securely once it has reached the end of its service life.
• Creating a simple checklist-type cyber security review. Check for proper encryption, authentication and authorization, and make sure the systems can be easily updated.
• Applying application whitelisting to prevent unauthorized applications from running.
• Enabling a USB lockdown on all SCADA environments to stop malware from physically entering the environment.
• Proactively monitoring networks for unusual traffic, access logs, or requests that could indicate an attack in progress.
• Creating specific city CERTs that can deal with cyber security incidents, vulnerability reporting and patching, coordination, information sharing, and so on.
• Regularly running penetration tests on all city systems and networks.
The current attack surface of smart cities is unimaginably vast and open to attack. This is a real and immediate danger. The more technology a smart city uses, the more vulnerable it is to cyber-attacks; therefore the smartest cities carry the highest risks. It is only a matter of time until attacks on city services and infrastructure happen; they may be ongoing already, or could happen at any moment in the future. Action must be taken immediately to make smart cities secure and protected against cyber-attacks.
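As an added illustration, not the author's own code: the "benchmark of normal operations" step above applied to per-device message counts, flagging a monitored window in which a known device deviates from its baseline, goes silent, or an un-inventoried device appears. Device IDs, counts and the k=3 threshold are constructed assumptions.

```python
"""Benchmark of normal operations for smart-city device telemetry.

Added illustration (not from the article): build a per-device baseline of
message counts from a period of normal operation, then flag monitored
windows that deviate from it, go silent, or come from a device that was
never inventoried. Device IDs and counts are constructed.
"""
from statistics import mean, pstdev

# Constructed: messages per 10-minute window over six normal windows.
BASELINE_SAMPLES = {
    "traffic-ctl-01": [120, 118, 125, 121, 119, 123],
    "streetlight-gw-07": [60, 62, 59, 61, 60, 58],
    "water-sensor-13": [30, 31, 29, 30, 32, 30],
}


def build_baseline(samples, floor=2.0):
    """Per-device (mean, spread) from the normal-operation windows.

    'floor' stops a perfectly steady device from producing a zero spread,
    which would otherwise raise an alert on any change at all.
    """
    return {dev: (mean(xs), max(pstdev(xs), floor))
            for dev, xs in samples.items()}


def check_window(baseline, observed, k=3.0):
    """Return sorted (device, reason, count) alerts for one monitored window.

    observed: {device_id: messages_in_window}.
    - a baseline device that sent nothing is 'silent' (a streetlight gateway
      going quiet is what a blackout or a cut link looks like);
    - a device absent from the inventory is 'unknown_device';
    - a count more than k spreads from the mean is 'high' or 'low'.
    """
    alerts = []
    for dev, (mu, sigma) in baseline.items():
        count = observed.get(dev)
        if not count:
            alerts.append((dev, "silent", 0))
        elif count > mu + k * sigma:
            alerts.append((dev, "high", count))
        elif count < mu - k * sigma:
            alerts.append((dev, "low", count))
    for dev, count in observed.items():
        if dev not in baseline:
            alerts.append((dev, "unknown_device", count))
    return sorted(alerts)


if __name__ == "__main__":
    bl = build_baseline(BASELINE_SAMPLES)
    # Constructed monitored window: the lighting gateway has gone quiet and
    # an unknown camera is suddenly very chatty.
    window = {"traffic-ctl-01": 121, "streetlight-gw-07": 0,
              "water-sensor-13": 30, "cam-99": 400}
    for alert in check_window(bl, window):
        print(alert)
```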
SOCIAL MEDIA – NOTION OF IDENTITY & ROLE OF GOVERNMENT
ANUPAM AGARWAL
AUTHOR’S BIO
An Information Technology practitioner with leadership experience in IT public policy, corporate industry forums, information technology standards and program implementation. Anupam is a Chevening Fellow on cyber security. Additionally, he holds a finance degree from ICAI & ICWAI, India. He is the co-founder of India Internet Foundation, a not-for-profit organization which is working on setting up community-driven, bottom-up neutral Internet Exchange points across the country and hosts a couple of root server instances, contributing to the critical Internet infrastructure of India. He also serves as Chair of Internet Society Kolkata.
INTRODUCTION
The value of participation in social media accrues to users at the individual level by impacting the self-wellbeing of the individual, and at the societal level by means of civic engagement, thereby providing an increased thrust for larger use of social media (Pendry and Salvatore, 2015). The benefits of social media derive largely from the participative nature of the contemporary digital environment. The speed of embracing social media technologies signifies that they have moved from a platform of information sharing to a platform of communication and entertainment (Collin et al., 2011). However, there are arguments that increased usage of social media is eroding the social construct, hampering family relationships and values, and eroding privacy. It is also limiting social interaction and communication between individuals (Mcgrath, 2012). Therefore a collective use of social technologies, with reasonable privacy practices being followed, will allow for a positive impact on social interaction and the growth of digital sociology.
NOTION OF IDENTITY
The traditional notion of identity is a collection of personal characteristics or attributes. It has its bearing from social science, wherein identity is a social construct and is considered both as a thing which needs an explanation and as a thing which has a force that can explain (Fearon, 1999). In current times, a group of applications (Facebook, Twitter, Four Square, YouTube, Flickr) available on the Internet, based on the foundations of the development of technology (Web 1.0 to Web 2.0) and revolving primarily around the generation of content by the user, has gained momentum and is changing the traditional notion of identity (Kaplan & Haenlein, 2010, p. 61). Social media applications are creating a platform to exchange user-generated content, and the function of the services offered by social media platforms is directly dependent on it (Picazo-Vela, Gutiérrez-Martinez, & Luna-Reyes, 2012). Testimony to this are the messages from social media companies to their users about the percentage of their profile that is incomplete, urging them time and again to include more and more personal information on their websites. Identification of the individual with a community and with a social category has gained dominance on these platforms. However, in the current time, identity has taken on a wider construct and has started to refer to itself as a source of self-respect or dignity. This gives the feeling that personal identity in the current world is an integration of the individual’s self-respect with the social category to which the individual belongs, but the social category is not necessarily central to the personal identity. So on one hand it looks like both are inter-related, and on the other it looks like they are independent, making identity a complex issue to handle. The role of social media applications and tools in changing human behaviour is becoming prominent, but the trust people place in social media applications and tools will go through a lot of tests before it becomes grounded (Sandoval-Almazan and Ramon Gil-Garcia, 2014).
SOCIAL MEDIA & ROLE OF GOVERNMENT
The government has basic intelligence from traditional sources but struggles to turn this basic intelligence into some sort of advanced intelligence wherein meaningful information can be found and, more importantly, predicted, so as to rein in trouble much earlier in the timeframe (Ring, 2014). As social media is a platform wherein the users, or the people from the government’s viewpoint, generate the content themselves, it offers the government a chance to use the available information to convert basic threat intelligence into advanced intelligence (Sandoval-Almazan and Ramon Gil-Garcia, 2014). As social technologies were increasingly used for political and social activism, and examples such as the Arab Spring were created, wherein governments changed and the way a government used to make decisions altered its course, governments also started using this new social technology to gain intelligence. They became aware that these new technologies have the potential to provide fuel to a social movement and can be transformational in nature (Sandoval-Almazan and Ramon Gil-Garcia, 2014), and as such timely intelligence is extremely important for sustenance. It is a foregone conclusion that states will not be bothered about the pressures to constrain intelligence operations, as it relates to the existence of the states (Deeks, 2016).
SOCIAL MEDIA INTELLIGENCE
We live in times of social media and are completely surrounded by it. In social media people are reducing the differences between the self and the online world, and are providing information wherein the online persona nearly resembles the self. So when this massive transfer of self-information is happening on social media (Twitter requires 750GB of disk space every week) and society has started adapting to the new methods of communication, it is imperative that governments, law enforcement agencies and the intelligence community also start adopting the same. As long as the usage of social media intelligence is for the good of the people, allowing them fundamental rights like food security and public health, it is fine; but when it starts treading on privacy or eroding civil rights, it becomes a cause of concern. Social media intelligence has been proven to provide near real-time situational awareness, as in the Mark Duggan case in the United Kingdom which led to riots in different cities (see https://www.justiceinspectorates.gov.uk/hmic/media/a-review-ofthe-august-2011-disorders-20111220.pdf). A sudden burst of tweets from a geolocation can indicate a brewing situation and can help the authorities take appropriate action. In society there exist some groups whose functioning can jeopardize the security of the state, and it is important that the authorities have adequate information about them to maintain law and order. Social intelligence can be used here to understand the key themes emerging, the potential for organizing a mob, and other indicators which would otherwise be difficult to find out. However, there has to be appropriate legal coverage and legal validity at all times to maintain accountability of social intelligence operations. Most of the information is obtained by cross-linking the information available about an individual on one social media platform with other social media platforms. So law enforcement, under an appropriate warrant, can use the cross-linking of information to find a criminal who is on the run or in hiding. These are the apparent benefits of social media intelligence, SOCMINT (Omand, 2012), but the challenge for social media intelligence is in terms of its legality. The argument of the state will always be necessity, but legitimacy needs to be preserved at all times to ensure that adequate public transparency is maintained. It has been observed in the British national security strategy that where public acceptability of a state necessity is absent, it has damaged the state’s credibility in the long run. One of the problems of social intelligence is the vast amount of data at its disposal and the absence of any methodology developed by the social science discipline to handle sample sets from large amounts of social media data. Social media intelligence also requires huge technical capability to go through the data sets, and determination of the naturalistic setting of the data is important to find out the real context and draw conclusions; if this is not done there can be profound issues and misrepresentations. Other challenges of social media intelligence are getting the right skills, and a dissemination process reflecting the complexity of access to, and dissemination of, social media intelligence into traditional policing organizations following the highest standards of information assurance.
CONCLUSION
It’s a reality that a huge amount of personal information is being shared through social media nowadays, and this wealth of personal information would otherwise be difficult to find in an unconnected world. Such is the extent of sharing that at times it’s nearly impossible to manage it online, and it appears that managing privacy is not possible. However, this should not be construed as meaning that people are not bothered about privacy. Privacy itself will keep changing form as the technologies evolve and the user’s perception changes. The biggest challenge is that there has to be the right set of options and tools available to users to protect their privacy as they see fit in the ever-changing technological world. Also, the role of government in enacting the right set of laws to manage privacy, and the accountability of government in its use of social media intelligence, have to be established. The principles of right motive, right authority, absolute necessity and sufficient cause should be followed at all times for social media intelligence activities by government, and these should be the last resort only. The new branch of sociology called digital sociology is the way to go.
REFERENCES
Collin, P. et al. (2011) ‘Literature Review: The Benefits of Social Networking Services’, (April), p. 29.
Deeks, A.S. (2016) ‘Confronting and Adapting: Intelligence Agencies and International Law’, Virginia Law Review, 102, p. 599.
Derksen, M. (2010) ‘Social Technology’, The SAGE Handbook of the Philosophy of Social Sciences, pp. 703–720.
Fearon, J.D. (1999) ‘What Is Identity (As We Now Use the Word)?’, Department of Political Science, Stanford University, pp. 1–43.
Harman, J. (2015) ‘Disrupting the Intelligence Community’, Foreign Affairs, 94(2), pp. 99–107.
Landon-Murray, M. (2015) ‘Social Media and U.S. Intelligence Agencies: Just Trending or a Real Tool to Engage and Educate’, Journal of Strategic Security, 8(5), pp. 67–79.
Mcgrath, S. (2012) ‘The Impact of New Media Technologies on Social Interaction in the Household’, (April).
Omand, D. (2012) ‘Introducing Social Media Intelligence (SOCMINT)’, Intelligence and National Security, pp. 801–823.
Pendry, L.F. and Salvatore, J. (2015) ‘Individual and social benefits of online discussion forums’, Computers in Human Behavior, 50, pp. 211–220.
Ring, T. (2014) ‘Threat intelligence: Why people don’t share’, Computer Fraud and Security, 2014(3), pp. 5–9.
Sandoval-Almazan, R. and Ramon Gil-Garcia, J. (2014) ‘Towards cyberactivism 2.0? Understanding the use of social media and other information technologies for political activism and social movements’, Government Information Quarterly, 31(3), pp. 365–378.
Skaržauskienė, A. et al. (2013) ‘Defining Social Technologies: evaluation of social collaboration tools and technologies’, Electronic Journal of Information Systems Evaluation, 16(3), pp. 232–241.
Spinelli, C.F. (2010) ‘Social Media: No “Friend” of Personal Privacy’, Corporate Communications, Elon University.
Lyon, D. (2014) ‘Surveillance, Snowden, and Big Data: Capacities, consequences, critique’, Big Data & Society, 1(2), p. 2053951714541861.
DIGITAL FORENSIC AND FUTURE
BIVAS CHATTERJEE, CYBER LAW EXPERT
As per the Macmillan Dictionary, “forensic” relates to the use of scientific methods to solve crimes and to find out who committed them. It comes from a Latin word meaning “in open court or public”, and relates to being used in, or suitable to, a court of law. The Oxford Dictionary says it relates to or denotes the application of scientific methods and techniques to the investigation of crime, and forensic evidence relates to a court of law. As per the Cambridge Dictionary, forensic is an adjective, “related to scientific methods of solving crimes, involving examining the objects or substances that are involved in the crime”. As per Wikipedia, the word “forensic” comes from the Latin term “forensis”, meaning “of or before the forum”. In today’s world, forensic and forensic science resemble each other, and forensic science is nothing but the application of science to criminal and civil laws, especially influencing today’s criminal investigation, complying with the standard criminal investigation procedure and the admissibility of evidence, so that the court can reach the truth with admissible evidence carrying integrity, believability, admissibility, authenticity etc. Justice Stephen Breyer of the US Supreme Court said, in “Science in the Courtroom”: “In this age of science, science should expect to find a warm welcome, perhaps a permanent home, in our courtrooms… Our decisions should reflect a proper scientific and technical understanding so that the law can respond to the needs of the public.” In Daubert v. Merrell Dow Pharmaceuticals Inc., the American Supreme Court said: “…there are important differences between the quest for truth in the courtroom and the quest for truth in the laboratory. Scientific conclusions are subject to perpetual revision. Law, on the other hand, must resolve disputes finally and quickly.” This was relied on by our Hon’ble Supreme Court in A.P. Pollution Control Board vs. Prof. M.V. Nayudu. In State of Maharashtra vs. Praful B. Desai (AIR 2003 SC 2053) the Hon’ble Supreme Court observed that advancement in science and technology has also helped the process of law in the administration of justice. On analysis of the above, it is crystal clear that forensic science should go hand in hand with all the stakeholders of the scientific and legal worlds. It is playing a very crucial role in bridging the gap between the legal world and the technical world. Though debated, technology is industry-driven, but the law of the land is framed by the legislature in Parliament for the benefit of the common people or society. But it is also a fact that technology works for the benefit of society, and its application standards should be guided by laws, rules and norms. Computer forensic analysis consists of the following:
• Storage media analysis
• Software source code analysis
• Network traffic and logs analysis
As per Section 79A of the Information Technology Act, 2000 as amended, “electronic form evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines. Our discussion today is on computer forensics, or digital forensics, which has a direct relationship with electronic evidence, or digital evidence, waiting to be admitted before the court of law. As per Wikipedia, digital forensics deals with the recovery and investigation of electronic documents in digital devices.

Forensic analysis involves the following steps:
- Collection: search and seizure of digital evidence, and acquisition of data.
- Examination: applying techniques to identify and extract data.
- Analysis: analysis using the data and resources, according to standard norms.
- Reporting: presenting the report.

In forensic analysis, more experimental, more relevant and more reliable technologies are given higher priority. The digital evidence has to be legally admissible in court, and investigators have to follow proper legal procedures in recovering and analyzing data from suspected systems. Indian law, especially the Indian Evidence Act, has paved the way to solve the hurdle of admissibility of electronic evidence. As per the observation of the Hon’ble Apex Court in Anvar P.V. vs. P.K. Basheer and Others (2014) 10 SCC 473, “proof by evidence: proof only by relevant and admissible evidence. Genuineness, veracity or reliability of the evidence is seen by the court only after the stage of relevancy and admissibility. These are some of the first principles of evidence.”

In the Indian perspective, more and more people are regularly visiting the virtual world. Apart from the ever increasing number of cyber crime related cases, in other conventional cases like murder, abetment to suicide, etc., there is a huge availability of electronic evidence in various forms and structures.
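The collection step above only holds up in court if the examiner can later show that the image analysed is the one acquired and that every handling event was documented. The following Python script is an added example, not code from the article: it hashes a constructed sample image at acquisition, keeps a hash-chained custody log of each handling event, and re-verifies the image before examination. The case and item identifiers and the file name are placeholders.

```python
"""Evidence integrity and handling log for the Collection step.

Added example, not part of the original article. Hashes a (constructed)
evidence image, records every handling event in a chain-of-custody log,
and re-verifies the image before Examination. Case/item ids and file
names are placeholders chosen for this example.
"""
import hashlib
import json
import os
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the digest so large disk images fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of who did what to the evidence and when.

    Each entry carries the hash of the previous entry, so a later edit to
    any entry is detectable: the chain no longer verifies."""

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, actor, action, image_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "image_hash": image_hash,
            "note": note,
            "prev_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True if every entry still hashes to what the next entry points at."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if expected != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def acquire_and_verify(image_path, actor, case_id="CASE-PLACEHOLDER",
                       item_id="ITEM-1"):
    """Hash at acquisition, log it, then re-hash before analysis and compare.

    Returns (integrity_intact, custody_log)."""
    log = CustodyLog(case_id, item_id)
    acquisition_hash = hash_file(image_path)
    log.record(actor, "acquired", acquisition_hash,
               "bit-stream copy of seized device")
    log.record(actor, "sealed", acquisition_hash, "stored in evidence locker")
    current_hash = hash_file(image_path)
    intact = current_hash == acquisition_hash
    log.record(actor, "verified-before-examination", current_hash,
               "match" if intact else "MISMATCH - evidence altered")
    return intact, log


if __name__ == "__main__":
    # Constructed sample "image": a small file standing in for a disk image.
    with open("evidence_image.bin", "wb") as fh:
        fh.write(b"constructed sample evidence image\n" * 1000)
    ok, custody = acquire_and_verify("evidence_image.bin", "Investigator A")
    print("integrity intact:", ok, "| custody chain valid:", custody.verify_chain())
    os.remove("evidence_image.bin")
```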
In today’s world, e-evidence such as CCTV footage is used more in crime investigation than in surveillance. In digital forensics the following may be the thumb rules:
- One cannot investigate directly on the suspect device.
- One has to document the entire evidence handling process.
- Maintain the integrity of the evidence with respect to:
  - collection of evidence,
  - preservation of evidence,
  - bringing the e-evidence before the court room.
- E-evidence may be sensitive and easily subject to alteration, but that cannot be a strait-jacket presumption in favour of the accused.

In light of this rise in the use of digital media, forensic science investigation, or the use of forensic techniques in various fields, has become imminent and the need of the hour. A very good forensic expert should at least have an overview of the latest amendments to the Evidence Act and other laws, which may be summarized as follows. As per section 2(k) of the Information Technology Act, 2000 as amended, “Computer Resource” means computer, communication device, computer system, computer network, data, computer database or software.
- Section 3. Authentication of Electronic Records
- Section 3-A. Electronic Signature Authentication
- Section 4. Legal Recognition of Electronic Records. Section 4 of the Information Technology Act, 2000 sets the platform where electronic records are to be welcomed by the court of law like any other evidence, as follows: where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is
  - rendered or made available in an electronic form; and
  - accessible so as to be usable for a subsequent reference.
- Section 5. Legal Recognition of Electronic Signature.
- Section 10-A. Validity of contracts formed through electronic means.

Indian Evidence Act: the following provisions are important:

In section 3, (a) in the definition of “Evidence”, for the words “all documents produced for the inspection of the Court”, the words “all documents including electronic records produced for the inspection of the Court” shall be substituted.

22A. Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.

47A. When the Court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.

65A. Special provisions as to evidence relating to electronic record: the contents of electronic records may be proved in accordance with the provisions of section 65B.

65B. Admissibility of electronic records.
Under Section 65B(4) of the Evidence Act, if it is desired to give a statement in any proceedings pertaining to an electronic record, it is permissible provided the following conditions are satisfied:
- There must be a certificate which identifies the electronic record containing the statement;
- The certificate must describe the manner in which the electronic record was produced;
- The certificate must furnish the particulars of the device involved in the production of that record;
- The certificate must deal with the applicable conditions mentioned under Section 65B(2) of the Evidence Act; and
- The certificate must be signed by a person occupying a responsible official position in relation to the operation of the relevant device.

As per Anvar P.V. vs. P.K. Basheer and Others (2014) 10 SCC 473: secondary evidence of electronic record… producing a copy of a statement pertaining to electronic record… mandatory pre-requirement… held, such statement has to be accompanied by a certificate as specified in section 65-B(4).

88A. The Court may presume that an electronic message forwarded by the originator through an electronic mail server to the addressee to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission; but the Court shall not make any presumption as to the person by whom such message was sent.

On a combined study of the IT Act and the amended Evidence Act in terms of the definitions of electronic record and document, it is now settled law that computer images, text and sound stored, whether on a computer
file, blog, web-site or e-mails, are all documents. Now the amended definition of “evidence” includes electronic records as documentary evidence. As per various provisions of the Indian Penal Code, the word “Document” has been substituted by “Document and/or Electronic Record”. Indian law is also mature enough in dealing with crime through concealment by way of encryption, as we find two amendments, in sections 118 and 119, which are as follows:

In section 118, for the words “Voluntarily conceals by any act or illegal omission, the existence of a design”, the words “Voluntarily conceals by any act or omission or by the use of encryption or any other information hiding tool, the existence of a design” shall be substituted.

In section 119, for the words “Voluntarily conceals by any act or illegal omission, the existence of a design”, the words “Voluntarily conceals by any act or omission or by the use of encryption or any other information hiding tool, the existence of a design” shall be substituted.

Though the cloud, or cloud service, is a new technology yardstick in today’s world, in the opinion of some people the cloud is not always forensics friendly: cloud service providing companies do not always provide evidence as per the standard forensic procedures, though they are nothing but intermediaries as defined in section 2(w) of the Information Technology Act, and their liabilities are provided in section 79 of the said Act. We are all aware that cyber crimes are on the increase, and the latest data as per NCRB is given below:
LATEST NCRB DATA, 2015:
- Increase of cyber crimes in 2015 compared with the previous year: 21.6% (in West Bengal: 12.1%). Number of crimes reported in 2015: 11331 (in West Bengal: 398).
- Increase in arrests in cyber crime cases in 2015 compared with the previous year: 42.5% (in West Bengal: 35%). Number of persons arrested in crimes reported in 2015: 8044 (in West Bengal: 287).
- Total number of persons under trial: male 10295, female 239. Persons convicted: male 300, female 2. Acquitted: 519.
- Age group: the highest age group is 18 to 30.

In India it is also seen that a large section of the people are in fact using mobile phones for roaming about in the virtual world, rather than computers and other conventional devices. It is estimated that nearly 84 percent of the world’s mobiles run on Android, and it is also seen that more and more Android phones are subject to various sorts of malware attacks, which has a large implication for online banking frauds and different types of fraud. Hence Android forensics is an important work-field, not only for mobile forensics but for the entire forensic arena. Android forensics study is the need of the hour. We are all aware that mobile forensics deals with extracting, recovering and analyzing digital evidence or data as per the standard forensic procedures, keeping the original device from being tampered with. In working with mobile devices, forensics experts encounter various challenges, namely the following:
- Challenges in preventing data alteration on the mobile devices.
- Various legal issues, especially jurisdiction in the case of mobile applications used across geographical boundaries, etc.
- There is a wide range of mobile operating systems and platforms on a wide range of hardware devices, which makes the forensic analysis
more difficult.
- With increasing privacy and security controls in modern day devices, forensic analysis of mobiles is becoming very difficult.

On an overall study of the Android architecture, its security features in the form of sandboxing, the permission model, etc. are coming in the way of a better forensic analysis of the target system. There are various types of data on Android devices, namely SMS, MMS, chat messages, backups, e-mail, call logs, contacts, pictures, videos, browser history, GPS data, and data in various installed applications like Facebook, Twitter, etc., which today’s Android forensic experts have to analyze in a very efficient way. Again there are various applications, some of which come with Android, some installed by the manufacturer or wireless carrier or the user himself/herself. These applications and the data within them are to be examined by today’s forensic expert. Imaging and analyzing the Android RAM or memory and acquiring the Android SD card are also important steps in Android forensic analysis. The process of recovering deleted data from the internal Android storage and SD card has also been developed. In Android forensic analysis, user dictionary analysis provides an important source of forensic data. Gmail analysis, Google Chrome analysis, Google Maps analysis, Google Hangouts analysis, Google Keep and Plus analysis, Facebook and Facebook Messenger analysis, Skype, Viber, WhatsApp, etc. analysis, especially recovering video messages from Skype and decrypting the WhatsApp backup, are important steps in today’s Android forensic analysis. Forensic investigation using Java or Python may be of great help to the forensic investigator, for instance by importing the socket module and other libraries. Nowadays, in more and more cases of cloud computing, big data analysis, mobile app development and network forensics, Python code is being used.
Python programming is of great use in port scanning, website cloning, web server fingerprinting, wireless network scanning, accessing mail servers, etc. Using Python and the Google API, the location of IP addresses can be analyzed. As per section 79-A of the Information Technology Act, 2000 as amended, the Central Government is to notify the Examiner of Electronic Evidence: the Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority, specify, by notification in the Official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence. Section 45A of the Evidence Act says, “Opinion of Examiner of Electronic Evidence: When in a proceeding, the court has to form an opinion on any matter relating to any information transmitted or stored in any computer resource or any other electronic or digital form, the opinion of the Examiner of Electronic Evidence referred to in section 79A of the Information Technology Act, 2000 (21 of 2000), is a relevant fact. Explanation: For the purposes of this section, an Examiner of Electronic Evidence shall be an expert.” On analysis of the above two provisions we actually get a highly desired solution to the admission of electronic evidence, but it is very unfortunate that till date the authority who will be the Examiner of Electronic Evidence has not been defined. In conclusion, as technology changes every day, forensic analysis of digital evidence is becoming a very crucial and specialized field upon which the entire society depends.
VULNERABILITIES IN EMBEDDED SYSTEMS: SOME REAL LIFE CASES
ATUL PRAKASH AGARWAL,
CEO, APT SOFTWARE AVENUES PVT. LTD, CYBER LAW EXPERT
AUTHOR’S BIO
Atul is the Founder and Managing Director of Apt Software Avenues Pvt Ltd, Kolkata, a boutique software company which provides software development and product engineering services to organizations around the world, especially to technology startups. Atul has over 25 years of experience in building complex software systems in both technology and enterprise business domains. Atul earned his Bachelor of Technology (Computer Science) from IIT Kharagpur, and an MS in Computer Science from Rutgers University, USA.
In 2007, George Hotz, a seventeen-year-old, hacked the iPhone so that it could be used on networks other than AT&T’s. He was able to reprogram the baseband chip in the phone. He later went on to hack the Sony PlayStation using an active side channel attack (a power supply glitch) and was able to examine privileged code to identify the secret key used by Sony to ensure that only authorized software runs on the PlayStation.

Once somebody has access to the embedded system, the above example shows how easy it is to exploit the security vulnerabilities that usually exist. They exist because embedded systems (at least the commodity stuff) have never been designed with security in mind. However, these same commodity parts are now finding their way into real-world systems thanks to their low cost and the potential explosion of IoT applications. Most embedded systems have limited compute capability to handle complex cryptography. Also, they are generally physically accessible. They don’t have a sandbox environment for storing secure data. It is usually difficult to upgrade them in the field. Once an embedded system is compromised, it leads to a compromise of all systems of the same type. Default factory passwords built into embedded systems are very often left unchanged and surface in marketplaces on the dark web. Embedded systems are particularly vulnerable to active side channel attacks because of the lack of any rigorous security oriented testing. The supply chain involved in the creation of an embedded system may lead to
creation of vulnerabilities in any part of the chain, and there is no overall responsibility for the security of the end product. Security in embedded systems becomes more difficult because the threat or attack models may not be known in advance. On the other hand, there are many embedded systems which are actually full-fledged servers in disguise. These include copiers/printers, ATMs and POS systems. They have powerful hardware and a modern OS. These are subject to vulnerabilities through their interfaces, the network they connect to, or the user interface for interaction. Once somebody hacks into such systems, the potential for damage is very high. We will now discuss a few embedded systems around us and their associated vulnerabilities to get a feel for the kind of attacks they are subject to.
GARAGE DOOR OPENERS The evolution of garage door openers over the years highlights some of the issues in the secure design of embedded systems. In the early days of the automatic garage door opener, it is claimed that many garage doors would swing open if an aircraft flew overhead. This is because they seemed to work on some frequencies which were also emitted by the aircraft. Also, it was not unusual for your garage door remote to be able to open a neighbor’s garage door. This is because both of them just happened to be working on the same frequency. Later, the number of possible code combinations was increased, but it was still possible to drive around a town and open garage doors, because once in a while the built-in security code in one remote opener would match that of another door.
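The fixed-code problem above (two remotes happening to share a code) and the rolling-code design that later replaced it, as an added Python model that is not from the article. The 8-bit code space, the per-remote HMAC key and the 16-press acceptance window are assumptions chosen for the demonstration.

```python
"""Fixed code vs rolling code for a remote opener (added example).

Models the two designs the garage door section contrasts: a fixed code
drawn from a small code space, where remotes collide with noticeable
probability, and a rolling code where every press authenticates a fresh
counter value under a per-remote secret key, so a captured press is
useless later. Code width, key size and window are demo assumptions.
"""
import hashlib
import hmac
import secrets

FIXED_CODE_BITS = 8          # assumption: 8 DIP switches on an early remote


def fixed_code_collision_probability(n_remotes, bits=FIXED_CODE_BITS):
    """Probability that at least two of n remotes share a fixed code
    (birthday bound) when codes are drawn uniformly from 2**bits values."""
    space = 2 ** bits
    p_distinct = 1.0
    for i in range(n_remotes):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def make_frame(key, serial, counter):
    """One transmitted press: serial, counter and a truncated HMAC tag."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return (serial, counter, tag)


class RollingRemote:
    """Transmitter side: shared secret plus a monotonically increasing counter."""

    def __init__(self, serial, key):
        self.serial = serial
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        return make_frame(self.key, self.serial, self.counter)


class RollingReceiver:
    """Door side: knows each paired remote's key and last accepted counter.

    Accepts a frame only if the tag verifies under that remote's key and
    the counter is ahead of the last accepted one but within WINDOW, which
    tolerates presses made out of range without opening the replay door."""

    WINDOW = 16

    def __init__(self):
        self.paired = {}   # serial -> [key, last_accepted_counter]

    def pair(self, serial, key):
        self.paired[serial] = [key, 0]

    def accept(self, frame):
        serial, counter, tag = frame
        if serial not in self.paired:
            return False               # unknown remote
        key, last = self.paired[serial]
        expected = make_frame(key, serial, counter)[2]
        if not hmac.compare_digest(tag, expected):
            return False               # forged, or wrong key
        if not (last < counter <= last + self.WINDOW):
            return False               # replayed, or too far ahead
        self.paired[serial][1] = counter
        return True


def demo():
    """Pair one remote, press once, then replay the same frame."""
    key = secrets.token_bytes(16)
    remote = RollingRemote(serial=0x1234, key=key)
    door = RollingReceiver()
    door.pair(remote.serial, key)
    first = remote.press()
    return door.accept(first), door.accept(first)   # (True, False)


if __name__ == "__main__":
    print("two remotes share a fixed code with p =",
          fixed_code_collision_probability(2))
    print("fresh press accepted, replay accepted:", demo())
```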
ATMS ATMs are relatively secure from a cryptographic point of view. However, ATMs are publicly accessible and there is an immediate financial gain, so they are targets of attacks. In India at least, most ATMs have a security guard and hence they are not easy to hack into. Also, EMV chip based ATM cards have made things a little more difficult for fraudsters, where earlier skimming of information from magstripe based ATM cards was easily accomplished. However, Bluetooth enabled skimmers are reportedly being installed in tourist places with some inside help. The current trend is to install malware on ATMs remotely using the banks’ internal networks, and to take full control of the ATMs to dispense cash at the fraudster’s will. Many ATMs still run the WinXP OS, which Microsoft has now stopped supporting. The software which drives the ATM is often dependent on third party middleware which implements the XFS/WOSA standard (to abstract out the hardware details) and is not always secure.
IP SECURITY CAMERAS Security cameras are notorious for their own insecure nature. Part of it stems from weak or default passwords and part from zero-day
vulnerabilities in the installed software (the HTTP server, for example). The website insecam.org claims to be the world’s biggest directory of online surveillance security cameras. They were able to access numerous cameras worldwide because of poor access control restrictions. They now filter out any private cameras, but the sheer number of feeds that you can access on that site is mind boggling. It is relatively simple to use Google to find cameras with unprotected streams. Video cameras usually run an embedded operating system, and once you have privileged access, you can install any software and essentially take over a private home network. The web interface of many security cameras is based on CGI (Common Gateway Interface), which itself has many vulnerabilities. There have also been recent reports of the Nest security camera being vulnerable to active side channel attacks.
VOTING MACHINES The jury is still out on whether the Indian EVM is vulnerable to fraud or not. If officialdom is to be believed then it is an example of a very secure embedded system. The list of built-in security measures seems very impressive:
- One time programmable (OTP) microcontroller chip
- Every key press is date/time stamped
- Automated self-diagnosis
- Built-in tamper detection
- Unique serial number for identification
- No network connectivity required
- Encryption of all transmissions over the wire

In addition there are many impressive procedural controls in place which make it relatively impossible to influence the voting outcome associated with any one particular machine. However, these machines have not been subject to any public hacker community scrutiny. In many countries (Ireland, USA, Germany, Netherlands) vulnerabilities or procedural issues were detected and electronic voting machines are not allowed.
SMART METERS In India, there are many pilot projects underway pertaining to the Smart Grid and Smart Meters, but there is a good installed base of smart meters in the western world which have gone through the usual cycle of hacks and attacks. The attacks have ranged from reprogramming of the meters through accessible ports to exploiting the GSM and ZigBee protocols used by these meters for communications. Most utility companies rely on the same credentials on all the meters deployed by them, so many meters get compromised as soon as one of them is compromised. Active side channel attacks can be used to crash the software in these meters. Smart meters are expected to provide two way communication, where they “obey” commands from the utility company as well as provide information to the utility about consumption and about power injection into the grid (say by using solar energy). This utility-to-meter communication has the potential of causing significant disruption (say, a hacker requests a whole bunch of meters to disconnect from the grid). An associated issue is that of individual privacy. Meters, if hacked, can yield information about electricity consumption which can be misused by rogue elements (to detect if a home is occupied or empty).
AUTO/TAXI METERS Mechanical taxi meters in India have given way to digital meters. These are inherently insecure devices. They are supposed to be maintained and calibrated by certified, licensed mechanics. However, the passwords required to access these digital meters are common knowledge, leading to easy manipulation of the rates built into the meter. Also there are devices which send extra pulses to the eMeter and trick it into showing a higher fare.
CONNECTED CARS The car of the future is a network of computers and sensors on wheels, and hence security is a very big concern. Since the futuristic car will have many embedded sub-systems (called ECUs) built into it, it is critical that these embedded systems be designed and tested with security as a focus. Many of these sub-systems will be accessed by technicians in service shops, and it also becomes important to ensure that the equipment used by these technicians is secure and tamper proof. One aspect of car security that has evolved over the years is that of the transponder based car entry/start system, where the car key cryptographically communicates with the Motor Control Unit to gain access and start the car. These keys only work when they are in close proximity to the car. WIRED magazine reports that smart thieves figured out a way to use two special devices to amplify these signals from keys kept in a home and trick a car parked outside the home into starting. Many of the exploits exhibited so far have been of a research nature, but some exploits like tampering with the mileage counter, spoofing the tachometer or tuning chips to get more power are commonplace. There is a whole lot of work to be done around security before connected cars become mainstream everywhere.

As more and more devices get connected to the Internet, we open up a bonanza for the hackers of the world. Embedded system security is a difficult problem which needs to deal with many trade-offs. The recent announcement by Walmart to deliver groceries directly to the fridge adds another dimension to this problem (that of an unknown human entering your private space in your absence, aided by embedded technology). The tech world has to bite the bullet and deal with such issues before such connected systems become a part of our daily life. There are already new security features being introduced into popular micro-controllers, providing some hope for the times to come.
REFERENCES:
- Embedded Security in Cars: Securing Current and Future Automotive IT Applications, edited by Kerstin Lemke, Christof Paar and Marko Wolf
- Embedded Systems Security: Threats, Vulnerabilities, and Attack Taxonomy, Dorottya Papp, Zhendong Ma, Levente Buttyan
- https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/
- http://eci.nic.in/eci_main1/current/StatusPaperonEVM_09052017.pdf
- https://media.blackhat.com/us-13/US-13-Heffner-Exploiting-Network-Surveillance-Cameras-Like-A-Hollywood-Hacker-WP.pdf
- http://fortune.com/2017/09/22/walmart-delivery-grocery/
- https://www.digikey.com/en/articles/techzone/2012/sep/secure-mcus-and-smart-design-harden-embedded-systems-against-cyber-hacks
- https://media.blackhat.com/bh-us-10/whitepapers/Pollet_Cummins/BlackHat-USA-2010-Pollet-Cummings-RTS-Electricity-for-Free-wp.pdf
CRYPTOGRAPHY: THE ART AND SCIENCE BEHIND DATA DISGUISE
Mr. Samuel was an executive director with a company. He always did his work on time and with perfection. This got him into this high position. Now in this position he has to deal with the top level functions of the company. This means he is a potential target for the company’s competitors, who want to get their hands on confidential material beneficial to both parties but solely owned by Mr Samuel’s company. In this case he has to protect the confidential files present on his system to prevent any leaks or breaches. This is where information security comes into action and plays a vital role by keeping your information safe and secure from malicious attackers. Now the question is how we can put information security to use in our daily lives. What are some of the methods by which we can secure our systems? There are many methods in use, but one of the most reliable and widely used is data encryption, better known as cryptography.
SUBHASIS CHATTERJEE,
FOUNDER, CONNECT INDIA
AUTHOR’S BIO
Subhasis Chatterjee is a Web Journalist, Content Architect and Content Analyst from Kolkata, India, with an experience legacy of more than 24 years. He is an Author, Blogger, Traveller and a Keynote Speaker. He is a Social Media Influencer too. His core competency lies in the areas of Personal Branding, Digital Marketing, Social Media Propagation, Reputation Management & Entrepreneurship Skill Development.

WHAT IS CRYPTOGRAPHY?
This is one of the major methods in use to ensure data/information security. You must have seen in movies that some characters disguise themselves to avoid certain situations. Similarly, cryptography is the art and science of giving your sensitive information a proper disguise, so that even if a data breach occurs, the attacker won’t benefit, as the original data has been stored in a disguised form which he/she can’t understand. Cryptography is applied as the last level of securing the data, when the access control mechanism is compromised. From online transactions to sending confidential data over an insecure channel, you will find cryptography silently playing the role of safeguarding your data. One may ask whether encryption algorithms can be broken or not. In most cases the answer is no, as the algorithms in use are very secure and breaking them without the proper key is next to impossible because of their strong design. There are many elements inside an algorithm, such as mathematical functions, bitwise operations, etc., which all together create the algorithm.
HOW DOES CRYPTOGRAPHY WORK?
Imagine a lock and a key. How do you use it? Simply put the lock somewhere around your valuable and then lock it using a key. Similarly, in the case of data encryption the valuable is the data, the encryption algorithm is the lock, and a key is used to specify a particular magnitude of change to encrypt the data. Let’s go deeper and divide the whole process into its constituents.

Encryption algorithm: This is the central part of the whole process of encrypting data. The algorithm specifies how the data will be disguised and stored. For example, suppose there is some data which is full of text, and let there be an algorithm ‘X’. X will specify what type of change is to be brought to the individual characters inside the text. It can be a shift of characters or replacement with a random character.

Key: This is the part which decides what the exact magnitude of change in the data will be. In the example above, if ‘X’ is a shift cipher then a key ‘K’ will decide the number of places each character needs to be shifted.

Plaintext: This is the original data which is to be encrypted using the algorithm and the key.

Cipher text: This is the encrypted form, or simply the output after the plaintext goes through encryption.

The process includes the above constituents and is divided into three parts:

Encryption: This is the process where the data is disguised into a different form. Here, firstly the plaintext is taken and divided into bits, then the algorithm and the key are used to convert the data into cipher text.

Decryption: This is the process where the encrypted data is converted back to its original form, i.e. the plaintext. In this case the key is used with the same algorithm, which runs in the reverse direction and gives back the plaintext in the end.

Key generation: This is where the key is generated and then used with the algorithm to carry out encryption.
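The shift cipher ‘X’ with key ‘K’ used as the running example above, written out as the constituents just listed (key generation, encryption, decryption, plaintext, cipher text). This is an added example, not code from the article; it also shows why the answer to “can the algorithm be broken?” depends on the size of the key space: with only 26 possible keys, every one can be tried, which is what makes a real cipher’s key space of 2^128 or more essential.

```python
"""The article's shift cipher 'X' with key 'K' (added example, not from
the article). Alphabet restricted to A-Z for the demonstration; anything
else passes through unchanged."""
import secrets
import string

ALPHABET = string.ascii_uppercase
KEY_SPACE = len(ALPHABET)          # only 26 possible keys for this algorithm


def key_generation():
    """Key generation: pick K uniformly at random from the 26 possible shifts."""
    return secrets.randbelow(KEY_SPACE)


def encrypt(plaintext, key):
    """Encryption: algorithm X shifts every letter K places along the alphabet."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % KEY_SPACE])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key):
    """Decryption: the same algorithm run in reverse (shift back K places)."""
    return encrypt(ciphertext, (-key) % KEY_SPACE)


# Constructed word list used to recognise a plausible plaintext candidate.
COMMON_WORDS = {"THE", "AND", "IS", "OF", "TO", "IN", "FILES", "MEETING"}


def brute_force(ciphertext):
    """Exhaustive key search: try all 26 keys and score each candidate by the
    number of recognisable words. Returns (key, plaintext) for the best score."""
    best_key, best_score = None, -1
    for k in range(KEY_SPACE):
        candidate = decrypt(ciphertext, k)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if score > best_score:
            best_key, best_score = k, score
    return best_key, decrypt(ciphertext, best_key)


if __name__ == "__main__":
    k = key_generation()
    c = encrypt("THE CONFIDENTIAL FILES ARE IN THE SAFE", k)
    print("cipher text:", c)
    print("recovered without the key:", brute_force(c))
```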
TYPES OF CRYPTOGRAPHY
Based on the process and the number of keys used, cryptography is divided into two parts.

Symmetric key cryptography: In this type, encryption and decryption are both carried out using a single key. This is fast and uses fewer resources. On the other hand, it is not that secure when implemented across larger areas.

Asymmetric key cryptography: In this type, encryption and decryption are done with different keys. The key used for encryption is known as the public key and the key used for decryption is the private key. Their roles can be reversed as well. This is slower and uses more resources compared to symmetric key cryptography, but its best part is that it is highly secure and almost impossible to break without the key.
APPLICATIONS OF CRYPTOGRAPHY
The usage of cryptography is very wide. From phones to PCs to online transactions, data encryption plays a major role. One of the biggest examples of cryptography in today’s world is the ‘End to End encryption’ in the ‘WhatsApp’ messenger. This is a fine example of asymmetric key cryptography. End to end encryption is intended to encrypt a user’s messages and ensure that they can only be read by the recipient, and not even by ‘WhatsApp’. This makes it next to impossible for a third party to eavesdrop on the conversation. Just as in asymmetric key cryptography, there are two keys, present at both the sending and receiving end. If Alice sends a message to Bob then it will be encrypted using Alice’s public key and decrypted at Bob’s end using Bob’s private key. The same happens if the scenario is reversed. Another small example is the secure online transaction of data. Sites having a green lock at the top left corner of the address bar indicate that the site is secure and all transactions done there are secure, i.e. encrypted. From the above discussion you can imagine how powerful cryptography is. It can also be referred to as one of the pillars of information security.
IMPORTANCE OF BASELINE IN CYBER SECURITY
JAYADIP PALANA,
VETERAN SECURITY EXPERT WITH EXPERIENCE OF 15+ YEARS.
“A baseline is a line that is a base for measurement or for construction.” “A minimum or starting point used for comparisons.” (Source: Wikipedia)

Baseline, in the context of cyber security, is a kind of knowing and defining “business as usual”. It helps in understanding the usual traffic patterns, how users access resources on a network, what the peak and off-peak windows are, etc. When you know what is normal, it helps you detect deviations and the unusual. Base-lining can cover things like the processes running on a standard build, the volume of DNS queries on a working day, hits per second on the e-commerce portal during a “Flash Sale”, average internet bandwidth utilization per day, admin workstations, etc. Deviations from baselines indicate unusual activity; baselines help in detecting anomalies. A good base-lining should consider everything in an IT environment: users, network traffic, devices, DNS traffic, application access patterns, seasonal spikes and so on.

We often hear about “Next Gen Cool Tools” that are supposed to prevent or detect “advanced threats” failing to deliver effectively. One of the key reasons is that baselines are often understated or overlooked while planning such big initiatives (sometimes completely ignored). So what can possibly go wrong if you deploy all of the Top 10 “Next Gen” kind of solutions without base-lining your IT environment? When you place CCTV cameras without knowing from which side your visitors enter, they only show you the visitors’ backs (wish I could use the “better term”). You may end up pressing the panic button if you don’t know that your kid arrives late from school on Wednesdays because of weekly music classes.
I would say you are simply wasting your money on “Cool Tools” if you do the following without doing a base-lining first (not applicable if you are doing it only for compliance):
- Attempt UBA without obtaining a good understanding of IT usage patterns for different classes of users
- Introduce NBA without factoring in average, peak and seasonal burst scenarios when things are normal, and periodic high traffic towards specific applications (e.g. sales and payroll apps towards the end of the month)
- Try DLP without classifying information, inventorying sensitive data and understanding the legitimate life-cycle of sensitive documents
- Introduce “Data Analytics, ML, AI” or a “Next Gen SOC” for IDR if you haven’t identified all information sources and understood how your overall IT environment normally operates
- Go for “deception solutions” without identifying crown jewels and high-exposure assets, and knowing the unique technologies deployed in your network
When “Next Gen” stuff is implemented in a hurry to put a “tick mark” on the “must have list for enterprises”, funny things are bound to occur. Can’t wait to list down a few imaginary scenarios in my cunning ways:
- The SOC notifies you of a potential SQL injection towards a host (thanks to “NG”). Your special services agents are deployed immediately. Investigation reveals a poor DBA chap firing legitimate SQL queries from his workstation while trying to fix DB response issues.
- The Personal Assistant of a Senior Executive is asked to explain what documents she sent to her personal ID, only to learn that it was a V-Day gift voucher she bought online for her boyfriend. Her privacy was invaded because of your false DLP alert. (What about user dissonance?)
- You start questioning a user from the Marketing Department about why he accessed a file, and you find it’s required towards the end of every month. Your baseline sample of file access patterns covered “one week”. Bingo!!!
- You start investigating a surge in internet traffic only to find out there was a big IPL game today or a planned online event.

If you do not know what business as usual looks like, you will be in for “alert fatigue” and “user dissonance”. Base-lining is never easy to achieve and requires time and effort. In today’s scenario, there are many entities doing distinct interactions and activities in an enterprise network. Consumerization of IT, cloud apps, IoT, etc. add to the complexity. Various types of users need access to different resources, at different times, with different preferences and habits of using IT. If you go for static base-lining, it may not help you much, but it will definitely help the “adversaries” to eventually find out how to evade detection. So revising baselines in line with changing threats and the IT environment is important. There is no ideal way of establishing baselines, but one can start from the network and slowly expand to all other important areas such as users, devices, apps and so on.
Though most product vendors claim their solutions have (machine) learning capabilities, they can’t be left completely on their own if you really want reduced or no noise. Of course tools help to some extent, but the intervention of “intelligent humans” is needed for identifying areas for base-lining, defining sample size, timelines, thresholds, unusual activities and so on. You will need good quality and experienced resources who can establish realistic baselines. Sometimes not just IT guys; inputs from the business may be required to understand business as usual. Lastly, buying and deploying “cool tools” based on vendor claims and hype cycles does not help much. Most of your investments in “NG Tools” will be ineffective if you don’t consider normal usage scenarios while configuring them. In the long run, the law of diminishing returns will kick in. Someday, the management will ask the CISO: “What are we getting from the huge investment of last year in NG-X or NG-Y?” Know your environment well and establish baselines before anomalies become business as usual.
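The month-end file-access scenario above, worked through as an added example that is not from the article: a detector built on a static one-week baseline flags the legitimate month-end surge, a baseline that compares against the same phase of previous months does not, and a genuinely unusual mid-month surge is still caught by both. The daily counts, the 30-day “month” and the thresholds are constructed.

```python
"""Added example (not from the article): why a one-week static baseline
misfires on periodic activity. All data below is constructed."""
from statistics import mean, pstdev

PERIOD = 30  # length of the constructed "month" in days


def synth_file_access(days=90, incident_day=None, incident_count=45):
    """Daily file-access counts for one marketing user: about 4-6 a day, with a
    surge on the last three days of each month (month-end reporting). An
    optional incident_day injects a genuinely unusual mid-month surge."""
    series = []
    for day in range(days):
        count = 4 + (day * 7) % 3  # deterministic jitter in 4..6
        if day % PERIOD in (PERIOD - 3, PERIOD - 2, PERIOD - 1):
            count += 35
        series.append(count)
    if incident_day is not None:
        series[incident_day] = incident_count
    return series


def upper_limit(sample, k=3.0, min_margin=2.0):
    """Alert threshold: sample mean plus k standard deviations, with a floor so a
    flat sample still tolerates small day-to-day variation."""
    if not sample:
        raise ValueError("baseline sample is empty (not enough history)")
    return mean(sample) + max(k * pstdev(sample), min_margin)


def static_week_baseline(series, start=10):
    """A baseline captured once, during one quiet mid-month week, and never
    revised: the sampling mistake the scenario describes."""
    return series[start:start + 7]


def seasonal_baseline(series, day, period=PERIOD):
    """Same calendar phase in earlier periods (every previous month-end for a
    month-end day), so periodic business activity is part of 'normal'."""
    return [series[i] for i in range(day % period, day, period)]


def evaluate(series, day):
    """Does each baselining approach raise an alert for the given day?"""
    value = series[day]
    return {
        "static_week": value > upper_limit(static_week_baseline(series)),
        "seasonal": value > upper_limit(seasonal_baseline(series, day)),
    }


if __name__ == "__main__":
    counts = synth_file_access(incident_day=75)
    for day in (89, 75, 50):  # month-end, injected incident, ordinary day
        print(day, counts[day], evaluate(counts, day))
```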
DISCLAIMER: THESE ARE MY PERSONAL VIEWS AND IN NO WAY REPRESENT THE VIEWS OF THE ORGANIZATION I AM EMPLOYED WITH OR HAVE WORKED FOR IN THE PAST. THE POST IS BASED ON MY EXPERIENCES AND READING AND DOES NOT REPRESENT THE VIEWS OF ANY INDIVIDUALS OR ORGANIZATIONS IN PARTICULAR.
DRILLING DOWN TO RANSOMWARE
INFOSEC FOUNDATION AND PRIME INFOSERV LLP RESEARCH TEAM
WHAT IS RANSOMWARE?
Ransomware is a form of crimeware: a malicious software program that is used, either by an individual or by an organized criminal group, to extort money from an affected user. Ransomware has attracted a significant amount of media coverage over the last few years as various organizations have revealed that their operations have been affected by it. One after another, hospitals, universities, major corporations and even law enforcement offices have been hit, to name just a few.

There are two main types of ransomware: crypto-ransomware and police-themed. These differ in the way they motivate the user into paying the ransom: police-themed ransomware tries to scare the user into believing they need to pay a fine for committing a crime of some sort, while crypto-ransomware encrypts the user’s files, offering to decrypt them in exchange for a fee. There are many different families of ransomware. Each family has unique characteristics, such as how it infects the device, what kinds of files it targets, how it demands payment and so on. Knowing which specific family is involved in an incident can be critical in figuring out what to do next: how to contain any damage and remove the infection from the affected device.
TYPES OF RANSOMWARE
Crypto-ransomware: Locky, CryptoWall, TeslaCrypt, Petya, Jigsaw
Police-themed ransomware: Reveton, Browlock, Urausy
WHAT IS WANNACRY RANSOMWARE?
WannaCrypt ransomware, also known as WanaCrypt, WannaCry or Wcry, has exploded across 100+ countries, infecting hospitals, businesses, metro stations, universities, operators and more organizations. WannaCrypt spreads to vulnerable Windows endpoints by a Trojan that spreads within networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. More specifically, it exploits a bug designated CVE-2017-0145 or MS17-010 that Microsoft patched in March for modern versions of Windows. All unpatched systems remain vulnerable and therefore can be attacked. It leverages an SMB exploit for Windows machines called EternalBlue to attack and inject the malware. All versions of Windows before Windows 10 are vulnerable to this attack if not patched for MS17-010. After a system is affected, it encrypts the files and shows a pop-up with a countdown and instructions on how to pay $300 in bitcoins to decrypt and get back the original files. If the ransom is not paid in 3 days, the ransom amount increases to $600 and it threatens to wipe all of the user’s data. It also installs the DOUBLEPULSAR backdoor on the machine.
HOW WANNACRY INFECTS THE SYSTEM
WannaCry does not use any heavily sophisticated delivery methods. It first uses a password-protected zip file with a document inside. Once the document is opened, it downloads a second stage, which is an unsigned executable. This executable contains the delivery method for infection, worm replication and exploitation. The malicious software beacons out to the domain hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to check whether the website is up; if it is, it will not execute. This domain has since been sinkholed, so as long as the website is up the malware will not actually execute. This means you can either use DNS to redirect the domain to a legitimate site to ensure it stays up, or keep it as is, since it has been sinkholed and is currently up and running. The malicious software should now exit upon performing this check, as the kill switch is active.
FILE EXTENSIONS TARGETED
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd,
.sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
IMPLICATIONS OF WANNACRY
WannaCry is just the first. There will be many more, and soon. The reason many in the information security community see this as a major game changer is how far reaching this specific exploit (MS17-010) will be. Simply put, if one user opens up this type of attachment, it could literally detonate and cripple all systems in an organization that aren’t patched. We are starting to see the early stages of this type of attack with WannaCry, but it is highly expected to get much worse. Companies need to patch immediately, and most importantly, the healthcare industry needs to be substantially more proactive in patching in general, and in isolating lifesaving systems. All of this could have been prevented with solid patch management practices. The component that is most alarming in totality is the infection/worm component. On analysis of the binary, it is trivial to substitute your own payload (or ransomware variant) for execution. This means that other ransomware creators will be looking at this as a method to deploy their ransomware payloads almost immediately. Expect new variants, expect them quickly, and expect them now.
WHAT CAN YOU DO TO PREVENT INFECTION?
Microsoft has released a Windows security patch, MS17-010, for Windows machines. This needs to be applied immediately and urgently.
- Remove Windows NT4, Windows 2000 and Windows XP/2003 from production environments.
- Block ports 139, 445 and 3389 in the firewall.
- Avoid clicking on links or opening attachments in emails from people you don’t know or companies you do not do business with.
- Manually disable SMBv1 via modifications to the Windows Registry by following these steps: navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, look for the value SMB1 and modify its data: REG_DWORD: 0 = Disabled.
- Restrict inbound traffic to open SMB ports (ports 139, 445) which are publicly accessible / open to the Internet.
- Block the IPs, domains and hash values that are involved in spreading this malware. Please refer to the attachment IOCs – WANNACRY RANSOMWARE.xlsx for details.
- Keep an offline backup of critical data on desktops and servers.
- Organizations should block connections to TOR nodes and TOR traffic on the network (IOCs – WANNACRY RANSOMWARE.xlsx).
- Make sure your software is up to date.
- Have a pop-up blocker running on your web browser.
- Regularly back up your files.
- Install a good antivirus and a good anti-ransomware product for better security.
- Below is a consolidated list that we need to block on your firewall/antivirus.
DOMAINS:
- iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- Rphjmrpwmfv6v2e[dot]onion
- Gx7ekbenv2riucmf[dot]onion
- 57g7spgrzlojinas[dot]onion
- xxlvbrloxvriy2c5[dot]onion
- 76jdd2ir2embyv47[dot]onion
- cwwnhwhlz52maqm7[dot]onion
FILE NAMES:
- @Please_Read_Me@.txt
- @WanaDecryptor@.exe
- @WanaDecryptor@.exe.lnk
- Please Read Me!.txt (older variant)
- C:\WINDOWS\tasksche.exe
- C:\WINDOWS\qeriuwjhrf
- 131181494299235.bat
- 176641494574290.bat
- 217201494590800.bat
- [0-9]{15}.bat (regex)
- !WannaDecryptor!.exe.lnk
- 00000000.pky
- 00000000.eky
- 00000000.res
- C:\WINDOWS\system32\taskdl.exe
WHAT SHOULD BE DONE IF A NODE IS FOUND INFECTED?
Disconnect the infected system(s) from the production network. Perform a full anti-malware scan on the system(s) using one of the following:
- F-SECURE: http://www.f-secure.com/en/web/home_global/online-scanner
- MCAFEE: http://www.mcafee.com/uk/downloads/free-tools/stinger.aspx
- MICROSOFT: http://www.microsoft.com/security/scanner/en-us/default.aspx
- SOPHOS: http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
- TREND MICRO: http://housecall.trendmicro.com/
- You can refer to IOCs – WANNACRY RANSOMWARE.xlsx for identifying additional anti-malware tools with successful detection for further scanning and disinfection.
- Block the supplied indicators (IPs, domains and hash values) at the gateway devices.
- Try to decrypt any encrypted files using decryption tools such as Trend Micro Ransomware File Decryptor, nomoreransom.org/decryption-tools.html
- Removal script for the DoublePulsar implant (if found): github.com/countercept/doublepulsar-detection-script
- Restore data from the most recent backup made.
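Two of the indicators listed above turned into a detection check, as an added example that is not part of the research team’s write-up: the kill-switch domain lookup that an infected host performs before deciding whether to run, searched for in DNS query logs, and the file-name indicators (including the 15-digit .bat pattern) matched against a directory listing. The log line format, host names and the directory listing are constructed.

```python
"""Added example (not from the write-up): match WannaCry indicators from the
lists above against DNS query logs and file listings. The log format, host
names and the directory listing are constructed for the demo."""
import re

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# File-name indicators from the write-up; the 15-digit .bat entry is a regex.
FILE_NAME_INDICATORS = [
    "@Please_Read_Me@.txt", "@WanaDecryptor@.exe", "@WanaDecryptor@.exe.lnk",
    "Please Read Me!.txt", "tasksche.exe", "qeriuwjhrf", "!WannaDecryptor!.exe.lnk",
    "00000000.pky", "00000000.eky", "00000000.res", "taskdl.exe",
]
FILE_NAME_REGEX = re.compile(r"^[0-9]{15}\.bat$")

# Constructed resolver log format: "<date> <time> client=<host> query=<name> type=<rtype>"
DNS_LOG_LINE = re.compile(r"^(\S+ \S+) client=(\S+) query=(\S+) type=(\S+)$")


def kill_switch_lookups(log_lines):
    """Return (timestamp, host) for every query of the kill-switch domain.
    Only a host on which the malware already ran asks for this name, so each
    hit is a machine to isolate, whether or not the sinkhole answered."""
    hits = []
    for line in log_lines:
        m = DNS_LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines in any other format
        timestamp, host, name, _ = m.groups()
        if name.rstrip(".").lower().endswith(KILL_SWITCH_DOMAIN):
            hits.append((timestamp, host))
    return hits


def suspicious_files(paths):
    """Return the listed paths whose file name matches a known indicator."""
    names = {n.lower() for n in FILE_NAME_INDICATORS}
    flagged = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in names or FILE_NAME_REGEX.match(name):
            flagged.append(path)
    return flagged


SAMPLE_DNS_LOG = [  # constructed sample lines
    "2017-05-12 10:14:02 client=ws-finance-07 query=www.example.com. type=A",
    "2017-05-12 10:14:05 client=ws-finance-07 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. type=A",
    "2017-05-12 10:14:09 client=srv-file-01 query=updates.example.net. type=A",
    "2017-05-12 10:15:30 client=ws-hr-03 query=WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM type=A",
    "malformed line that the parser should ignore",
]

SAMPLE_LISTING = [  # constructed directory listing
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\@Please_Read_Me@.txt",
    r"C:\WINDOWS\tasksche.exe",
    r"C:\WINDOWS\131181494299235.bat",
    r"C:\WINDOWS\12345.bat",
    r"C:\Users\alice\Desktop\@WanaDecryptor@.exe.lnk",
]

if __name__ == "__main__":
    for ts, host in kill_switch_lookups(SAMPLE_DNS_LOG):
        print(f"{ts} isolate {host}: kill-switch lookup")
    for path in suspicious_files(SAMPLE_LISTING):
        print("indicator:", path)
```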
PROACTIVE MEASURES
- Keep your systems updated: If you are using the Windows operating system, keep your system up to date, keep Windows auto-update mode on, or simply upgrade your system to the latest Windows version, i.e. Windows 10. For other versions of Windows OS: if you are using Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft. Link: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Disable ActiveX and macros in Microsoft Office-like applications: Disable the macro function in office applications; never enable content in Microsoft Word, PowerPoint, Excel etc. Tutorials: https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12 and https://support.office.com/en-us/article/Enable-or-disable-ActiveX-controls-in-Office-documents-CEBEC41E-B63F-46AC-8961-84DBE0BBD486
- Enable and configure the firewall: Enable the firewall and, if it is already there, modify your firewall configuration to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139 and 445, and over UDP ports 137 and 138. Tutorial: https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
- Implement IDS/IPS and threat intelligence systems: Configure and implement an Intrusion Detection System and Intrusion Prevention System to safeguard against such intrusions. To cope with the latest cyber threats, threat intelligence systems can be implemented.
- Disable the SMB service: Follow the steps described by Microsoft to disable Server Message Block (SMB). Tutorial: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
- Keep anti-ransomware and antivirus software up to date: Virus definitions have already been updated to protect against the latest threat. Always keep real-time protection and the auto-update feature in active or enabled mode.
- Back up your data regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not always connected to your PC.
- Email security: Always double-check before downloading any document attached to an email. If a document opens automatically, do not enable content or macros in it. Also, keep the email security policy up to date. Never click on links inside those documents without verifying the source.
- Keep your knowledge up to date: Not a single day goes by without a report on cyber-attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac computers as well. So it is high time for users of any domain to follow the day-to-day happenings of the cyber world, which would not only help them keep their knowledge up to date, but also prevent even sophisticated cyber-attacks.

Do’s:
- Keep data backups periodically
- Remove the impacted system from the network and remove the threat
- Install anti-ransomware tools on the system
- Install, configure and maintain an endpoint security solution
- Make sure that all systems and software are up to date with relevant patches
- Educate your employees and stakeholders
- Employ content scanning and filtering on your mail servers
- Deploy and maintain a comprehensive backup solution
- Conduct periodic Vulnerability Assessment

Don’ts:
- Don’t click on attachments in email
- Don’t click on unauthorized or unknown links
- Don’t open auto-downloaded files or files with extensions such as “exe”, “vbs” and “scr”
- Don’t pay the ransom
- Don’t use cracked OS and tools
- Don’t download content from unauthorized websites
HOPE AND COURAGE
You find your system is already under attack. Or you are very afraid and almost paralyzed thinking that something may happen. If it has happened to X, it might happen to me too! Your personal reputation, your organizational reputation may be ruined. You want to protect yourself but you find another problem: whom to trust? There are so many opinions and so many experts. You have a lurking thought that many are trying to sell their merchandise in this environment, when you are most vulnerable.

Rule No. 1: Before actual war, psychological warfare weakens the opponent. As you are the target of some malevolent people who attack digital assets for various reasons, they create psychological fear and a sense of helplessness. Do not succumb. Do not psychologically yield.
Rule No. 2: The greatest survival expert is always within you: your instinct and common sense. While you seek expert opinion, do not leave behind your common sense and instinctive wisdom. Experts may know the “How” part of any question better than you, but for the “Why” part of the question related to your situation, you are the best expert.
Rule No. 3: Isolate. Ransomware is based on the fact that people have a single copy of their data and are vulnerable to losing this sole instance; criminals use this behaviour trait as an opportunity. Back up all data in an isolated environment.
Rule No. 4: Do not overestimate the enemy. Don’t be under the spell of the myth that these malicious hackers are supermen! Most of these people are mere tricksters and cheats who use a) the anonymity of the internet and b) loopholes in our behaviour to make some criminal gains. A hacker who steals data is no better in ability or intent than a pickpocket who picks up your asset in a busy bus.
The Last Rule: Seek help. But while seeking help, see Rule No. 2.
FURTHER REFERENCES:
https://sushobhanm.wordpress.com/2017/05/14/wannacry/
https://primeinfoserv.wordpress.com/2017/05/15/way-forward-on-wannacryransomware/
CRYPTOMONEY, BITCOIN AND SECURITY?
KAUSHIK BHATTACHARYA, CHIEF STRATEGY OFFICER, PRIME INFOSERV LLP
AUTHOR’S BIO: Kaushik Bhattacharya is an IT Business Strategy & Management Consultant with over 23 years of global experience in Strategy Definition, Roadmap Creation, Growth Acceleration, Policy Execution and People Management for emerging companies. He is a Thought Leader on IT Business Management and Start-up Mentoring and has experience in growing an IT business unit from a start-up as well as an off-shoot of a large IT organization. Kaushik is an Evangelist in the areas of Big Data, Analytics, Customer Experience Management and Digital Transformation, and a Speaker, Coach & Writer on Business Growth and Sales Excellence.
CRYPTOCURRENCY
The idea of a “cryptocurrency” was first described in 1998 by Wei Dai on the cypherpunks mailing list, suggesting a new form of money that uses cryptography to control its creation and transactions, rather than a central authority. The first Bitcoin specification and proof of concept was published in 2009 on a cryptography mailing list by Satoshi Nakamoto. Satoshi left the project in late 2010 without revealing much about himself. Bitcoin is the first implementation of this concept. The community has since grown exponentially, with many developers working on Bitcoin.
THE NETWORK Nobody owns the Bitcoin network much like no one owns the technology behind email. Bitcoin is controlled by all Bitcoin users around the world. While developers are improving the software, they can’t force a change in the Bitcoin protocol because all users are free to choose what software and version they use. In order to stay compatible with each other, all users need to use software complying with the same rules. Bitcoin can only work correctly with a complete consensus among all users. Therefore, all users and developers have a strong incentive to protect this consensus.
WORKABILITY
From a user perspective, Bitcoin is nothing more than a mobile app or computer program that provides a personal Bitcoin wallet and allows a user to send and receive bitcoins with it. This is how Bitcoin works for most users. Behind the scenes, the Bitcoin network is sharing a public ledger called the “block chain”. This ledger contains every transaction ever processed, allowing a user’s computer to verify the validity of each transaction. The authenticity of each transaction is protected by digital signatures corresponding to the sending addresses, allowing all users to have full control over sending bitcoins from their own Bitcoin addresses. In addition, anyone can process transactions using the computing power of specialized hardware and earn a reward in bitcoins for this service. This is often called “mining”.
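The ledger described above, as an added example that is not from the article or from the Bitcoin project: a toy block chain in which every transaction is recorded in hash-linked blocks, any node can replay the ledger to validate each transaction (no spending coins one does not have, exactly one mining reward per block), and “mining” is the search for a block hash under a difficulty target. Addresses, amounts, the reward size and the difficulty are constructed; real Bitcoin additionally signs each transaction, which this toy omits.

```python
"""Added example (not from the article): a toy public ledger with proof-of-work
mining and replay validation. Addresses, amounts and difficulty are constructed."""
import copy
import hashlib
import json

COINBASE = "COINBASE"  # pseudo-sender used for the mining reward
MINING_REWARD = 50


def block_hash(block):
    """SHA-256 over the block contents, excluding its own stored hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def mine_block(prev_hash, transactions, miner, difficulty):
    """Search for a nonce whose block hash starts with `difficulty` hex zeros;
    the miner's reward transaction is the first entry of the block."""
    reward = {"from": COINBASE, "to": miner, "amount": MINING_REWARD}
    block = {"prev_hash": prev_hash, "transactions": [reward] + list(transactions), "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * difficulty):
            block["hash"] = h
            return block
        block["nonce"] += 1


def balances(chain):
    """Replay every transaction in order; returns address -> balance."""
    ledger = {}
    for block in chain:
        for tx in block["transactions"]:
            if tx["from"] != COINBASE:
                ledger[tx["from"]] = ledger.get(tx["from"], 0) - tx["amount"]
            ledger[tx["to"]] = ledger.get(tx["to"], 0) + tx["amount"]
    return ledger


def validate_chain(chain, difficulty):
    """What each node's software checks before accepting the ledger."""
    ledger = {}
    prev_hash = "0" * 64
    for block in chain:
        if block["prev_hash"] != prev_hash:
            return False  # link to the previous block is broken
        if block["hash"] != block_hash(block) or not block["hash"].startswith("0" * difficulty):
            return False  # contents altered after mining, or no valid proof of work
        rewards = [tx for tx in block["transactions"] if tx["from"] == COINBASE]
        if len(rewards) != 1 or rewards[0]["amount"] != MINING_REWARD:
            return False  # exactly one reward of the agreed size per block
        for tx in block["transactions"]:
            if tx["amount"] <= 0:
                return False
            if tx["from"] != COINBASE:
                if ledger.get(tx["from"], 0) < tx["amount"]:
                    return False  # sender spending coins they do not have
                ledger[tx["from"]] -= tx["amount"]
            ledger[tx["to"]] = ledger.get(tx["to"], 0) + tx["amount"]
        prev_hash = block["hash"]
    return True


def build_demo_chain(difficulty=3, alice_sends=20):
    """Two blocks: alice mines the first; bob mines the second, in which alice pays bob."""
    genesis = mine_block("0" * 64, [], "alice", difficulty)
    payment = {"from": "alice", "to": "bob", "amount": alice_sends}
    second = mine_block(genesis["hash"], [payment], "bob", difficulty)
    return [genesis, second]


def tampered_copy(chain):
    """Someone rewrites an old payment in their copy; the stored hash no longer matches."""
    forged = copy.deepcopy(chain)
    forged[1]["transactions"][1]["amount"] = 1
    return forged


if __name__ == "__main__":
    chain = build_demo_chain()
    print(balances(chain), validate_chain(chain, 3))  # {'alice': 30, 'bob': 70} True
    print(validate_chain(tampered_copy(chain), 3))  # False
    print(validate_chain(build_demo_chain(alice_sends=80), 3))  # False: alice only holds 50
```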
SECURITY Satoshi’s anonymity often raised unjustified concerns, many of which are linked to misunderstanding of the open-source nature of Bitcoin. The Bitcoin protocol and software are published openly and any developer around the world can review the code or make their own modified version of the Bitcoin software. As such, the identity of Bitcoin’s inventor is probably as relevant today as the identity of the person who invented paper.
OPERATIONAL ADVANTAGE
- Fewer risks for merchants: Bitcoin transactions are secure, irreversible, and do not contain customers’ sensitive or personal information. This protects merchants from losses caused by fraud or fraudulent chargebacks, and there is no need for PCI compliance.
- Security and control: Bitcoin users are in full control of their transactions; it is impossible for merchants to force unwanted or unnoticed charges as can happen with other payment methods. Bitcoin payments can be made without personal information tied to the transaction. This offers strong protection against identity theft.
- The Bitcoin technology (the protocol and the cryptography) has a strong security track record, and the Bitcoin network is probably the biggest distributed computing project in the world. Bitcoin’s most common vulnerability is user error. Bitcoin wallet files that store the necessary private keys can be accidentally deleted, lost or stolen.
ALERT The rules of the protocol and the cryptography used for Bitcoin are still working years after its inception, which is a good indication that the concept is well designed. However, security flaws have been found and fixed over time in various software implementations. Like any other form of software, the security of Bitcoin software depends on the speed with which problems are found and fixed. Bitcoin is a growing space of innovation and there are business opportunities that also include risks. There is no guarantee that Bitcoin will continue to grow even though it has developed at a very fast rate so far. Investing time and resources on anything related to Bitcoin requires entrepreneurship. There are various ways to make money with Bitcoin such as mining, speculation or running new businesses. All of these methods are competitive and there is no guarantee of profit. Acknowledgement: bitcoin.org
DIGITAL ATTACK MAPS AND HOW TO USE THEM
BY DR. KINJAL GHOSH
The Digital Attack Map displays global Distributed Denial of Service (DDoS) activity on any given day. Attacks are displayed as dotted lines, scaled to size, and placed according to the source and destination countries of the attack traffic when known. Some features include:
- Use the histogram at the bottom of the map to explore historical data.
- Select a country to view DDoS activity to or from that country.
- Use the colour option to view attacks by class, duration, or source/destination port.
- Use the news section to find online reports of attack activity from a specified time.
- View the gallery to explore some examples of days with notable DDoS attacks.

Digital attack maps can be fun to look at, but are they useful? As usual when it comes to security, context is key, so we looked at eight of the web’s most popular digital attack maps. While the maps themselves are mostly eye candy with limited context, there are some creative ways they can be used. Entrenched security professionals view digital attack maps with a somewhat jaded eye. They call them “pew pew” maps, mimicking the child-like sound used to represent gunfire when playing with toys. In fact, one map actually uses these sounds to amusing effect. Some of the professionals said they’ll pop one of the maps up on a screen in the SOC (Security Operations Center) if they know a client is coming in, but only because of the eye candy factor. In fact, most of the professionals said they’ve used them, but other than “performance art”, there isn’t any real value in them. The common misconception with digital attack maps is that the data is live, or real-time. It isn’t. Most are just a subset of recorded attacks or a playback of sanitized packet captures. But don’t discount how useful the eye candy factor can be: one security professional said he uses them to get high schoolers interested in the security industry. The concept is smart, as the visuals and data types on display can create discussion points on attack types, methods and threat actors. Some SOC operators do the same thing for clients, using the maps to visualize attack types and try to answer customer questions. Again, the value of these digital attack maps isn’t the data they’re showing, it’s how they can be used as a conversation starter. This is something the vendors that produce the maps know well, as the maps themselves are sales tools.
NORSE Probably the most well-known digital attack map is the one produced by Norse, a security firm that’s had its share of problems over the last few years. Discussing the data shown on their map, Norse says the attacks are “based on a small subset of live flows against the Norse honeypot infrastructure…” Interestingly enough, organizations can add their logo to the map when it is displayed at the office.
KASPERSKY
Taking first prize for visuals and interactive displays is the Kaspersky “Digitalthreat Real-Time Map”, complete with global rotation and zoom. The attacks shown on the Kaspersky map are taken from on-demand and on-access scans, as well as web and email detections. But it isn’t clear just how real-time the real-time presentation is.
FORTINET Fortinet’s digital attack map looks similar to the one from Norse and appears to show a playback of recorded events. As the attacks are displayed, a rotating breakdown of various stats appears in the lower left part of the screen. Fortinet customers have the ability to have a map of their own, according to documentation.
CHECK POINT The ThreatCloud digital attack map from Checkpoint Software shows historical data that is reset each day at 12:00 a.m. PST. The map is more visual than the one from Norse, but still has the same basic construct. In addition to watching the playback, the top attackers and targets can be viewed historically, with monthly and weekly stats.
FIREEYE The FireEye digital attack map lacks the detail presented by the others, and keeps things simple. It tracks historical data and splits it into industry segments and top country of origin for attackers. The data displayed is “based on a subset of real attack data, which is optimized for better visual presentation.”
ARBOR NETWORKS The digital attack map from Arbor Networks is a hybrid map that was created in part with Google Ideas. The Digital Attack Map tracks DDoS attacks with data from Arbor’s ATLAS threat intelligence system. The raw data is sourced from more than 300 ISP customers, and 130Tbps of global traffic. The map will visualize DDoS attacks and allow filtering by size and type.
TREND MICRO Trend Micro’s Botnet Connection Dashboard is a smaller, stripped down digital attack map that tracks C&C (Command and Control) servers used by botnets (and their targets) across the globe. The age of the data shown isn’t clear, but the historical data tracks back 14 days.
AKAMAI The Akamai real-time monitor isn’t a typical digital-attack map, but we’ve included it here because it does track attacks in addition to traffic on the internet. Once loaded, it’s possible to see what regions in the world have the most traffic volume; in another tab, you can see what regions are experiencing the most attacks. Akamai says the data is presented in real-time.
GDPR SIMPLIFIED: KNOW IF YOU FALL UNDER GDPR SCOPE BY REETWIKA BANERJEE
“The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years,” as rightly claimed by the European Union (EU) GDPR Information Portal. Since April 2016 there has been a loud buzz across the entire information security fraternity around the new data privacy law published by the European Trilogue, the General Data Protection Regulation (GDPR). Almost all of us celebrated 25th May 2018 as GDPR Day. But the fun fact is that, even though it is a mandate, it is not yet applicable to all business entities. So, before getting confused by the requirements, let us first understand the key players of GDPR, the scope of this regulation, its exemptions, whom it applies to, and the conditions for appointing a DPO.

GDPR applies ONLY for the “protection of natural persons (not deceased human beings, animals, or non-living objects) with regard to the processing of personal data and on the free movement of such data”, and processing is permissible only if explicitly consented to by the data subject or owner. A parent’s or legal guardian’s unambiguous consent is obligatory for processing the personal data of minors under the age of 16 years for providing online services. Member states may permit a lower age of consent, but under no circumstances can it be under the age of 13 years, as directed by the regulation.
AUTHOR’S BIO
Reetwika Banerjee is a professional Cyber Security Expert, presently associated with a North American media giant as their Enterprise Data Privacy Consultant. She is also one of the integral members of her organization’s GDPR taskforce and a Certified GDPR Lead Implementer Professional (BS 10012). She is a novelist in her spare time, and her short story entitled “Intruder” features after this article.

Earlier, the UK had its Data Protection Act and the European Union had its own Directive 95/46/EC to protect the privacy of EU citizens’ personal data. As of today, all such older legislation has been completely repealed by GDPR, starting from 25th May 2018. However, certain former obligations could still be trailed in addition to the GDPR requirements.

KEY PLAYERS OF GDPR – THE TRILOGUE & EDPB
GDPR has been formulated and brought into force by a European legislative tripartite known as ‘The Trilogue’. It comprises the following three governing bodies:
• European Commission – A politically independent executive body of the EU which is chiefly responsible for drafting new legislative proposals and adjudicating them. It was the sole player who enlisted the GDPR articles in the Official Journal of the European Union published on 4th May 2016.
• European Council – The key policy body of the EU, formed by the heads of its member states, the President of the European Commission and delegates from foreign affairs and security policy ministries. It reviewed the GDPR draft created by the Commission within its own DAPIX committee meetings.
• European Parliament – The only law-making body of the EU, comprising the common parliament of the European Union, which also reviewed the GDPR draft within its own LIBE committee meetings and adopted it in April 2016.

Now that GDPR has been enforced, the European Data Protection Board (EDPB) has completely replaced the former Working Party responsible for harmonizing data protection policies across the EU member states. However, unlike the Parliament, the new board will not be responsible for any law-making activities. Its foremost obligation is to provide advisory counselling for GDPR compliance.
MATERIAL SCOPE OF GDPR AND ITS EXEMPTIONS
In this section we will address the material scope of GDPR and its exemptions, so that while analysing our compliance we can clearly comprehend whether we fall under the GDPR scope or not – perhaps the most confusing question of the year. Let us first check what the regulation has to say. As mentioned there, it applies ONLY to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which either form or are intended to form part of a filing system.” So, to simplify, the above definition clearly scopes out the following cases of personal data processing:
• Any activity that falls outside the governance of European Union law
• Any activity being carried out by member states in accordance with the six standard principles and rules of personal data processing
• Any activity carried out by a natural person for personal or household purposes
• Any activity carried out by competent authorities for national security and the prosecution of criminal offences
Evidently, if your activities align with any of the above four cases, you can consider yourself unrestricted by the requirements of GDPR compliance.
TERRITORIAL SCOPE OF GDPR AND EXEMPTIONS
Now that we are well versed with the material scope of GDPR, let us look at the geographical reach of the regulation. As articulated in the journal, GDPR applies to the holding, processing or controlling of personal data falling under any of the following territorial conditions:
• Carried out by a business entity established within the EU, regardless of whether the processing takes place inside or outside the Union
• For offering goods and services to EU residents, regardless of whether the business entity is established inside or outside the Union
• For continuous monitoring of the personal data of EU residents, regardless of whether the business entity is established inside or outside the Union
• An establishment outside the geography of the EU but where any of its member states’ laws apply (for example: embassies, consulates, cross-border transports in transit, legal non-EU territories, etc.)
There are no exemptions mentioned under the territorial scope of GDPR. But that eventually implies that any other condition falling outside the above four cases will be scoped out of the GDPR requirements.
NEED TO APPOINT A DPO
The Data Protection Officer (DPO) should be a top management official of executive rank who will solely be responsible for GDPR compliance, data privacy impact assessment, conformance to the applicable data privacy laws of the land, the company’s data privacy policies and the other obligatory requirements aligned to the regulation and the business goals of your organization. However, the regulation clearly states that appointing a DPO is not mandatory under any of the following circumstances:
• You are not a personal data processor or controller under the material and territorial scopes of GDPR
• You are not a public authority
• You do not carry out large-scale systematic monitoring of the personal data of EU data subjects
• You do not engage in bulk processing of sensitive or special categories of personal data of EU data subjects
If your business processes fall under any of the above requirements, only then do you need to appoint a DPO; otherwise it clearly remains a choice for the respective organization. However, as a best practice, all Indian organizations should aim to appoint a DPO and ensure GDPR compliance, so that any further amendments to the regulation can be scoped in easily. International customer confidence is bound to grow with your GDPR compliance. And foremost of all, the Indian Data Privacy Law is already knocking at the door and will be mandated soon. So, what are you waiting for? Pull up your socks and help improve the privacy posture of the customer and employee personal data under your direct supervision, control or processing.
REFERENCES
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
• EU GDPR Information Portal, https://www.eugdpr.org/
• Official EU Commission website, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules
ENCRYPTION AND POETRY
PRITAM BHATTACHARYYA, EDITOR-AT-LARGE, INFOQUEST AND FOUNDER AND CHIEF, WORDSMITH COMMUNICATION

CRYPTOGRAPHY AND PURE MATHEMATICS
Cryptography is a pillar of information security. We come across it every day as soon as we browse a secured site whose address starts with https. As a matter of fact, the more threats arise in cyberspace, the more emphasis there will be on cryptography, and the power of cryptography is directly proportional to the theoretical limits of breaking it. In passing, in all the cases of security breach, there is no evidence of a brute-force cryptographic break. The breach always happens with some human intervention in the form of carelessness, insider leaks, back-door entry, pattern observation or a mixture of all of these. This will be explained next, and it connects information security with pure mathematics.

MATHEMATICAL PLAYFULNESS
The French mathematician Fermat found a result in 1650 (at that time there was no electricity, and witches were burnt in the city centres of Europe) that established a fundamental relationship involving the product of 2 prime numbers. It was just playing with the rules of numbers, and no one had any inkling whether it would be of any “practical use”. In 1888, a German mathematician named Riemann found a function called the zeta function that pointed to a remarkable connection with the distribution of prime numbers on the number line. Just note that prime numbers do not appear in a regular fashion: as we move to larger number intervals they become less frequent and very difficult to detect. For example, recent breakthrough research by a mathematician found an interval of 70 million numbers within which at least one prime can be found, in the case of large numbers. Now consider the fact that to check for this prime among 70 million numbers, any computer will need a finite time. This finite time is the key antidote to this code being broken, and the necessity of this finite time arises as if it were in the fabric of the cosmos. What matters is the way primes are distributed as numbers become larger and larger (with 128-bit encryption, a 128-bit number in binary is this one in decimal: 340,282,366,920,938,463,463,374,607,431,768,211,456). This property of prime numbers is at the heart of all the security of the Internet. As a matter of fact, a “secured site” means that the site is using 2 very large prime numbers – one is publicly known (public key) but the other one (private key), being a very large prime, is so far away that it will take hours, if not days, to find it out using the fastest computer and the most optimized algorithm. If we use brute force (i.e. take a number, check it and go to the next number), then the time taken will be so large that the solar system will collapse with the sun going out!
Even if an algorithm and machine can do this in 10 minutes, the designer of this security code can just use a time-stamp, and the session will expire – “session timed out” – in, say, 5 seconds. This can be used for all communication. 350 years after Fermat, we suddenly discovered that his “little theorem” and prime numbers are part of our everyday lives. Like electricity.
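To make the essay’s two mathematical claims concrete, here is an added worked example in Python; it is not part of the original article and not the author’s code. It builds a textbook RSA key pair from two small primes, checks Fermat’s little theorem (the fact, through its Carmichael generalisation, that makes the private exponent undo the public one), and then runs the brute-force trial-division attack on the public modulus, counting the divisions so that the “finite time” the essay relies on becomes a number. The primes 61 and 53, the exponent 17 and the message 65 are constructed sample values.

```python
"""Textbook RSA on small primes: an added illustration, not code from the article.

Two things the essay points at are made visible here:
  1. Fermat's little theorem, a^(p-1) = 1 (mod p) for prime p with gcd(a, p) = 1,
     is the fact (through its Euler/Carmichael generalisation) that makes the
     private exponent undo the public one.
  2. Recovering the secret primes from the public modulus n = p*q by brute force
     costs about sqrt(n) trial divisions, so every extra bit in the primes roughly
     doubles the work.  The loop below counts those divisions.
No padding is used (textbook RSA), which keeps the arithmetic readable; real
systems use padded schemes such as RSA-OAEP or RSA-PSS, never raw exponentiation.
"""
from math import gcd, isqrt
from typing import Optional, Tuple


def fermat_holds(a: int, p: int) -> bool:
    """True when a^(p-1) == 1 (mod p); always true for prime p with gcd(a, p) == 1."""
    return pow(a, p - 1, p) == 1


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], int]:
    """Build a textbook RSA key pair from two distinct primes p and q.

    Public key: (n, e) with n = p*q.  Private exponent: d = e^-1 mod lcm(p-1, q-1),
    the Carmichael function lambda(n); e must be coprime to lambda(n).
    Only n and e are published; p, q and d stay secret.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    d = pow(e, -1, lam)  # modular inverse, Python 3.8+
    return (n, e), d


def rsa_encrypt(m: int, pub: Tuple[int, int]) -> int:
    """c = m^e mod n for a message m already encoded as an integer in [0, n)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    """m = c^d mod n; works because e*d == 1 (mod lambda(n))."""
    return pow(c, d, n)


def factor_by_trial_division(n: int) -> Tuple[Optional[int], Optional[int], int]:
    """Brute-force attack on the modulus: try every candidate divisor up to sqrt(n).

    Returns (p, q, divisions_tried).  For a 2048-bit modulus the loop would run
    on the order of 2^1024 times, which is the 'finite time' the essay relies on.
    """
    tried = 0
    for cand in range(2, isqrt(n) + 1):
        tried += 1
        if n % cand == 0:
            return cand, n // cand, tried
    return None, None, tried  # n is prime (or 1)


if __name__ == "__main__":
    # Constructed sample values: the classic small-prime RSA example.
    p, q, e, m = 61, 53, 17, 65
    print("Fermat check for p=61, a=2:", fermat_holds(2, 61))
    pub, d = rsa_keygen(p, q, e)
    c = rsa_encrypt(m, pub)
    print(f"n={pub[0]} e={pub[1]} d={d}  m={m} -> c={c} -> {rsa_decrypt(c, d, pub[0])}")
    print("trial division of n:", factor_by_trial_division(pub[0]))
```

With these sample values the modulus 3233 falls to trial division after 52 divisions; the point of the exercise is that the count scales with the square root of the modulus, so the same loop on a 2048-bit modulus is what turns the essay’s “finite time” into something no machine finishes.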
POETIC PLAYFULNESS
Poetry shares with higher mathematics this property of being playful, and of doing something that will be “imposed” on mankind centuries or millennia later. One such poet, Shelley, wrote a sentence in one of his essays which is very easy to denounce as “poetic rapture” or “over-speak”. He said, “Poets are the unacknowledged legislators of mankind.” If we soberly examine the impact of Fermat’s little theorem on our lives and business today, it is really so. If you run an online business, you must be compliant with the “mathematical legislation” imposed by Nature, first discovered by Fermat while just intimately playing with numbers and later applied by the designers of the RSA algorithm some 350 years later.

Mathematics uses a highly specialized language and notation. We are beneficiaries of the work done in this language, but cannot directly engage with it if we do not learn the language, and learning the language is not easy; we cannot just pick it up. Poets use words, which are used by all; the language is known, and we start using it as soon as we are two or three years old. But poets do something remarkable with these commonplace entities, using the same rules of grammar everybody uses. And the miracle happens. I am giving an example which connects our native city, Calcutta, and a Bengali poet. In 1856 the French poet Charles Baudelaire published his collection of poetry called “Les Fleurs du Mal”, and in the 1940s-50s a leading Bengali poet, Buddhadev Basu, was so attracted to it that he devoted an intense amount of time, attention and care to studying, translating, reviewing and spreading the poems of this long-dead French poet, almost to his dying day. What is happening here? A combination of words, or rather a pattern of words, becomes so potent that it is as if they enter into one’s innermost soul, as if it seizes the core of us – call it genetic code, call it consciousness, call it soul, call it “I-ness” – but the effect is remarkable.
Another striking effect is the stability of some of these codes. Some poets have been read over centuries and millennia; the pattern has remained the same, the same old text, while thousands of generations have come and gone, but a few in each generation respond to these codes in an intense way. There is no apparent encryption here – the text is all open, with no stated private or public key – but just as our genetic code maintains its stability and integrity over millions of years while using very little matter, poetry is strangely like the codes which run in our genes. I think true poetry is also encryption – encryption of our soul – and some souls have the private key, most haven’t. Hence, just as large primes do not seem to obey any law, or obey some law of their own choosing which we haven’t figured out completely but which will benefit us as we walk along the time-line, true poets appear by their own choosing, guided by some unknown law. True poetry is the encryption for our soul, our private key, and the people who can create these “keys” are those on whom “eternity casts its gigantic shadows.” The greatest poet-wordsmith of Bengal, Tagore, wrote a song – তোমায় নতুন করে পাব বলে হারাই বারে বারে (“to lose you, just to discover a new you”) – in a different context. But consider now: forgot your password? You get a new password in your registered email.
SUPPORTED BY
PRIME INFOSERV LLP SERVICE PORTFOLIO

TECHNOLOGY INTEGRATION
• Data Centre / Infrastructure Build
• Server, Storage, Networking and Security Solutions
• Voice-Data Solutions, Connectivity Links
• CCTV / IP Camera based Surveillance
• RFID / Biometric based Access Control and Attendance Management
• Hardware, Software Supply & Installation
• VOIP / Call Centre Solution
• Security Implementation & Support

MANAGED SERVICES AND CLOUD
• Servers, Databases, Middle Tier Apps, Messaging, Storage Systems
• Routers, Switches, VoIP devices, Network
• Mailing Solution
• Security Management: Firewalls, Intrusion Protection Systems, VPNs, PKI, AAA Tools
• Network Management
• Windows, Linux, Virtualization Based Solution
• Data Center Management
• Desktop Management: Desktops, Laptops, File & Print Servers
• Mobile Device Management
• Microsoft Azure and Netmagic Cloud

CONSULTING
• Vulnerability Assessment & Penetration Testing (VAPT)
• High-level & Detailed Risk Assessment
• ISO 27001:2013 - Information Security Management System (ISMS)
• ISO 9001:2015 (QMS)
• ISO 20000:2011 - IT Service Management (ITSM)
• ISO 14000, OHSAS etc.
• CMMi Level 3 and Level 5 (Capability Maturity Model Integration)

Contact : info@primeinfoserv.com | Web : www.primeinfoserv.com
Everything you need to know to stop ransomware.
67% of Indian organizations were hit by ransomware in the last year.*
91% were running up-to-date endpoint security at the time of the attack.*
Protect against Ransomware with CryptoGuard
The proven CryptoGuard capabilities in Sophos Intercept X block ransomware as soon as it starts trying to encrypt your files, returning data to its original state.
“Intercept X stopped all ransomware attacks we tested against it in seconds.” – ESG Labs
“Since deploying Intercept X we’ve had zero ransomware infections.” – Flexible Business Systems
For more details visit www.sophos.com/intercept-x | Tel: +91 79 66216838 | Email: indiamarketing@sophos.com
*The State of Endpoint Security Today survey was conducted by Vanson Bourne, an independent specialist in market research. This survey interviewed 2,700 IT decision makers in 10 countries, of which 300 respondents were from India, based in Delhi, Mumbai, Hyderabad, Bangalore, Kolkata and Chennai.