
www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
19 November 2007  

No end to cybercrime

Crime in cyberspace is on the rise and Indians are as likely to be targeted as anybody else. Much needs to be done to secure India Inc. and end-users, writes Vinita Gupta

Remember the Love Bug worm and the recent Adnan murder case? Cybercrime in India is rapidly evolving from simple e-mail mischief, where offenders send obscene e-mails, hoaxes and fake e-mails to obtain personal information, to more serious offenses like identity theft, hacking, kidnapping, theft of information/source, e-mail bombing to crash servers, denial-of-service attacks, etc. According to analysts at the Indian Institute of Science, tax evasion, cheating on the Net, identity theft, child pornography and other cybercrimes cause a loss of $50 billion annually. Network vulnerabilities are currently increasing at a rate of over 40 percent year-on-year.

Pinning responsibility

Gartner states that while a few attacks focus purely on technology, the vast majority of cybercrimes involve a failure in human processes. In many infamous cases (TJX, CardSystems, etc.), employees’ and contractors’ complicity played a part in the commission of the crime. Assistance in a crime can be through omission (failing to exercise due care) or commission (performing an inappropriate action). Criminals depend on people making errors in judgment and being lazy. A diligent and tireless person is not an attractive target for a criminal.

Pavan Duggal, Advocate, Supreme Court of India and a noted cyber lawyer said, “In 2006, I did a survey to find out how many cybercrime reports were filed and I was shocked to discover that only 10% of the cases were reported and that one percent got registered as FIRs. The reason behind this is that the victim is either scared of police harassment or wrong media publicity.”

Duggal believes that the legal system in India is weak: 12 years after the commercial introduction of the Internet, only two convictions have been made. “There is no proper prosecution to restrict cybercrime and it will continue to rise if there are loopholes. The IT Act 2000 does not cover social networking crimes, credit cards and identity thefts, etc.” Duggal pointed out that the government should be a member of an international treaty working to prevent cybercrimes. Public-private partnership is also crucial.

It is important that security vendors find out which sites are involved in malicious activities and try to bring those sites down.

"To fight against blended threats which enter through multiple modes, there is a need for unified security solutions which have all the needed security features to curb threats"
- Digvijaysinh Chudasama

"The increased usage of Web 2.0 technologies such as IM, P2P and VoIP provides malware writers with yet another vehicle for attachments containing malicious payloads"
- Vinod Kumar

"Years ago we combined anti-virus, anti-spyware and firewall technology. This must be extended to HIPS, device control, data leakage prevention, mobile device protection, NAC and more"
- Prabhat Kumar Singh

"Security companies can only guide users to take precautions and it is the users’ responsibility to follow instructions"
- Kartik Shahani

"I did a survey to find out how many cybercrime reports were filed and was shocked to discover that only 10% of the cases were reported and that 1% got registered as FIRs"
- Pavan Duggal

Phishing and spamming on the rise

As per the ISTR released in India early this year, the numbers indicate a dynamic threat environment. Phishing and spamming are clearly two vectors of cybercrime that are in the news. India ranks fourteenth worldwide among countries hosting phishing Web sites. In terms of numbers, Mumbai ranked high as a city hosting phishing Web sites.

Spam is constantly rising as it is one of the easiest and safest ways to make money. However, it is no longer plain spam. Spammers have bonded with virus writers to create blended threats that are increasing at a rate of 25% annually. A secure e-mail gateway is quite common now in India. However, the Web gateway is often not secured, leading to a rise in malware. Malware is also the largest security concern for organizations.

Vinod Kumar, Managing Director, Satcom Infotech added, “The increased usage of Web 2.0 technologies such as IM, P2P and VoIP provides malware writers with yet another vehicle for attachments containing malicious payloads. Last year 41,536 pieces of new malware were detected by Sophos.”

The Symantec Global Intelligence Network scans more than two million decoy e-mail addresses daily for spam, phishing, and e-mail security threats.

"Cybercrime is no longer considered a fun activity or a game by the perpetrators, it is emerging as a professional activity, and a profession in itself"
- Shamshad Ahmed

Phishing e-mails seek an individual’s personal or financial information. However, today it is no longer a consumer-centric issue: it has rapidly moved into the enterprise threat domain, with phishing messages installing spyware on a user’s computer when the phishing links, which arrive in the form of spam, are clicked. The originator then has access to the enterprise network, putting the confidentiality of enterprise information and the network itself at risk.

The Web has become a significant weapon in a cyber criminal’s armory. The choice of Web site is immaterial. Gardening and cookery sites are as likely as gambling and pornography. Statistics reveal a greater threat from the latter as more users are likely to visit these sites rather than cookery sites. The new areas of threat are scareware, mobile malware and the infection of removable disk drives.

Shamshad Ahmed, Regional Director, India and SAARC, Lumension Security said, “Cyber security is witnessing many important phases and trends. Cybercrime is no longer considered a fun activity or a game by the perpetrators, it is emerging into a professional activity, and a profession in itself. Hence it’s crucial for users and organizations to take proactive measures to minimize or eliminate risks. Organizations should also focus their time and money in ensuring the basic rules of security.”

Emerging cybercrimes
  • Crimeware: A class of computer programs that automates financial crime. It represents a growing problem in network security as many malicious code threats seek to pilfer confidential information.
  • Vishing: VoIP-based phishing that targets IP telephony users. It can be an automated call or a direct call from the criminal asking for a user’s credit card details.
  • SMS-based phishing: In this, the software would be capable of sending an SMS from the user’s contact list asking for his credit card details.
  • Ransomware: The use of malicious code to hijack user files, encrypt them and then demand payment in exchange for a decryption key.
  • Pharming: Here you are redirected to a bogus Web site. For instance, two months back many users in India experienced this while using a bank’s site.

Challenges faced by security vendors

"Effective security products must now evolve to include both behavior- and signature-based protection"
- Srikiran Raghavan

Threats have become more transient: viruses attack for a couple of weeks and then are never seen again, which creates many challenges for security vendors.

The challenge for security vendors is to recognize the behavioral patterns of transient viruses as they occur, in order to curb viruses that are variants of older ones. The use of advanced technologies such as HIPS and Genotype detection goes a long way in reducing the challenge.

The security software market is going through consolidation and change, as major vendors are increasing R&D, integration and acquisition efforts. Large platform vendors are entering the market with their own offerings, even as some traditional software security specialists are stepping up their efforts. McAfee has a huge team which is present at different locations. This team’s work is to keep searching for threats and vulnerabilities and then come up with a security solution. Usually all the security vendors have such a team in place.

Patrik Runald, Senior Security Specialist, F-Secure Security Labs, Kuala Lumpur said, “We have many ways of hunting viruses by using automated systems that browse the Web and classifieds Web sites, looking for malware, by establishing partnerships with organizations around the world which send us information.”

With the rise in zero-day attacks, there is a need for real-time security solutions. Organizations can no longer rely only on signature-based technology. There is a need for powerful gateway-level security which stops threats at the entry point. “Also, to fight against blended threats which enter through multiple modes, there is a need for unified security solutions which have all the needed security features to curb threats,” said Digvijaysinh Chudasama, VP Sales, Elitecore Technologies.

Prabhat Kumar Singh, Director, Security Response Lab, Symantec India, believed that in the current threat scenario, more manageable, layered security is critical. Years ago the industry combined anti-virus, anti-spyware and firewall technology. Now the user must extend this to include HIPS, device control (thumb drives), data leakage prevention, mobile device protection, Network Access Control, and more.

Srikiran Raghavan, Regional Sales Head, RSA said, “Effective security products must now evolve to include both behavior- and signature-based protection.”

Threat types and solutions
| Security threat | Type of solution |
|---|---|
| Virus | Anti-virus |
| Trojans and worms | Firewall, anti-virus, Intrusion Detection and Prevention (IDP) |
| Spam | Anti-spam |
| Spyware/Adware | Spyware blocker |
| Unrestricted surfing and instant messaging | Firewall, content filtering |
| OS vulnerability | Firewall, content filtering, IDP |
| Remote connectivity | VPN, firewall, anti-virus, IDP |
| Rogue intruders, hackers and internal security breaches | Firewall, IDP |

Users need to be alert

The home user segment is the largest recipient of cyber attacks as they are less likely to have established security measures in place. The other sectors that are constantly under attack include the banking and financial industries, IT and ITeS segment and the telecom sector as well.

Almost all companies are dealing with this by using up-to-date security solutions and educating their users. In a corporate environment it is a bit easier as a lot of the bad stuff can be filtered at the gateway and never reaches end-users. This is much harder to do for consumers as it requires that the ISP takes this responsibility, something providers rarely do.

Banks need to constantly build awareness and educate their consumers against phishing as cyber crime involves social engineering. For example, banks need to educate their consumers to “never fill out confidential data like credit card numbers in an e-mail requesting the same.”

Tips for users
  • Use original software
  • Keep upgrading your software
  • Have at least an anti-virus and firewall in place
  • Avoid sharing personal details with strangers
  • Follow instructions especially while banking online
  • The user, if attacked, should file an FIR

Enterprises like banks and other financial institutions require solutions that provide multi-layered, end-to-end security and are capable of assessing threats, monitoring controls, shielding individual applications, and protecting desktops. In short, enterprises require protection at all layers of the organization—from the gateway to the client to the internal network.

Kartik Shahani, Regional Director, McAfee India said, “The security companies can only guide users to take precautions and now it is the users’ responsibility to follow instructions. For instance, users are informed to lock their Bluetooth when not in use as any time malware can drop into the mobile or laptop.”

Even downloading files like wallpapers and music from the Internet can lead to malware attacks, so users should guard against this by using the free solutions that security vendors provide. For instance, McAfee’s SiteAdvisor, which is free of cost, helps the user to know whether a site is malware-free or not.

Shahani and Raghavan feel that users should have licensed software on their PCs. Upgradation of software is also essential as new types of viruses keep attacking.

"The growth of corporate users and the knowledge-centric nature of the Internet has been causing concern amongst organizations over the issue of absolute security"
- Niraj Kaushik

The increasing annoyance of Web threats has alarmed organizations into implementing more comprehensive and preventive security solutions. “The growth of corporate computer users with the ubiquitous knowledge-centric nature of the Internet has been causing increased concern amongst organizations over the issue of absolute security,” said Niraj Kaushik, Country Head (India & SAARC), Trend Micro.

Deepak Maheshwari, Director Corporate Affairs, Microsoft India asserted that prevention was better than cure: “Crimes are on the rise along with security solutions. It is important that parental controls are in place so that children do not visit malicious sites as children are generally unaware of such attacks.”

The biggest difference between today’s scenario and what is to come is that the majority of crimes in the past and present have been voluntary in nature, in the sense that no crime was committed unless the victim responded by clicking on a link, replying to a hoax, etc. The future is likely to be more alarming in the sense that crimes will be committed without the knowledge and cooperation of the victim. Preventing cyber crime in the future will require stringent e-security rather than plain human prudence.

vinita.gupta@expressindia.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.