Breach
Page 3
While this information may not be sufficient to enable them to zoom in on the culprit, it could at least be the lead that would help them prove the journalist was innocent. It could show that he was not physically present in the country the dumpsites were being accessed from. Doshi kept tapping away on his computer to unearth as much as possible.
It wasn’t that long a trail. He and Hidayatullah followed the digital breadcrumbs of the IP addresses until the trail went cold in Israel. After that they kept hitting a dead end and couldn’t figure out anything more.
What Hidayatullah and Doshi could establish was the innocence of the journalist. Nothing in what their group of coders had unearthed pointed to his involvement. A few phone calls later, the journalist—shaken by his ordeal—was let off. Their job was done.
But many questions remained unanswered.
Who was behind the attack? Who had paid the hackers to attack the system? That remains a mystery to this day. The breach after all happened in one of the biggest Indian corporate houses and initial investigations had suggested involvement of international actors, possibly even state actors. Nothing could be confirmed, and further investigation into the Israeli IP wasn’t going to be possible unless India’s national intelligence agencies were involved.
Hidayatullah and Doshi claim to know little about what happened afterwards in the case of the businessman and the journalist, which was taken up by what they call ‘higher authorities’.
‘From what I understand, around that time there were similar attacks on around forty other Indian businesses in the same sector. All these companies were being spied on in a similar manner,’ says Hidayatullah. He adds that all the attacks are believed to have originated in one neighbouring country.
That potentially points to a coordinated and systematic siphoning of data, likely by the same perpetrator. The nature of the information that was lost from the businessman’s computer was never revealed.
* * *
What Hidayatullah and Doshi could divulge was that such attacks aren’t rare and often go undetected. In a country like India, where awareness of safe practices for the use of the Internet is still low, targeted phishing-led attacks, according to them, have resulted in multiple breaches.
Security researchers classify such attacks under an umbrella term—Advanced Persistent Threats, popularly known by the acronym APT. Symantec, a security research firm, defines an advanced persistent threat as an attack that ‘uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term.’8
With the increase in APT attacks since the turn of the decade, spear phishing has become one of the go-to tools for those who have specific targets to break into. Security firm TrendMicro studied APT-related emails between February and September 2012, and found that ‘ . . . APT attacks—certainly those against government agencies and large corporations—were almost entirely dependent upon spear phishing emails.’9
The success of APT attacks is not necessarily only dependent on cutting-edge programming that enables criminals to design a malware that would compromise a digital asset, but also on the gathering of information that would lead to the breach. It is as much about the level of granular information that is gathered about targets to find out their weaknesses that can be used to make sure the targets take the bait.
This allows hackers to mould their attacks to suit the target, often by using social engineering techniques. The security industry publication CSO says social engineering is ‘. . . essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques.’10
The more the information that can be gathered about a target and who they are in touch with, the easier it becomes to, for example, spoof an email from those people that the target wouldn’t think twice about clicking on. That sort of customizing of an attack obviously results in an incrementally high probability of breaching the target’s defences.
In most cases, that would mean a considerable amount of time spent planning, preparing and collecting information to execute successful APT attacks. Who are the entities in touch with the target? What time do they work? What are their digital habits? Which devices do they own? How do they use them? How do they move about? No detail is unimportant.
In certain cases, even a physical reconnaissance of the target is done to get that edge. That may sound like something straight out of a spy thriller, but for those who want to get their target at whatever cost, technology has provided enough avenues.
Information gathering is, after all, relatively easy in these days of hyper-connectivity. A search on Google can reveal much about each one of us, with the likelihood of more information if you work in big companies.
The voluntary sharing of details encouraged in social networks makes it easy to know more about people. There is, after all, so much that people broadcast to the world on social media. Facebook and other social media platforms are virtually autobiographies that billions of us have been writing for the last many years.
Much of this explains why these days many in top management are advised by their security teams to stay away from social media. The fear that over-sharing might compromise their digital perimeter security is a very real one.
Not that any such precaution would have mattered when it came to the attacker zeroing in on the journalist as a potential route to bait the businessman. It would have taken only a few minutes on Google Search. The journalist would have popped up as someone who possibly had an inside line to the businessman, going by the number of stories he had written on the company and the number of times he had quoted the businessman. For anyone who was looking to figure out from the outside who the businessman could be in touch with, it would definitely appear that the journalist had considerable access to him.
Once the information layer forms, it is then simply a matter of using it to identify potential weaknesses that can be exploited through an attack. The weakness in this businessman’s behaviour that the infiltrator exploited was his familiarity with the journalist and, deriving from that, the human tendency to lower our guard around those we know.
The attackers chose one of the easiest ways to do this, by spoofing the email id of the journalist in a bid to phish the businessman. Again, spoofing an email id—sending emails from a forged address—is easy enough and can be done even by those without a tech bent of mind. There are several techniques—from techie ones to not-so-techie ones—that are listed online for anyone to learn. There are even YouTube tutorials available for getting yourself acquainted with this sort of thing.
Email filters have become better over the years at ignoring unwanted mail from servers known to be rogue, but there are still many emails that get through. There are many little tricks for spoofing addresses, including those that may sound silly but are often effective. One of the simplest techniques is to replace an ‘m’ with ‘nn’ or an ‘I’ with an ‘l’. The theory being that at first glance many people won’t notice the difference. And when tiny font sizes are used for email addresses, most people don’t feel the need to reconfirm if each and every mail they receive is indeed from whom they seem to be from. Not exactly high-tech, but often highly effective.
The target, in most cases, would fall for the bait only once. This is where the coding skills of the hacker come to the fore. How well is the malware disguised? How can it go about its business installing itself and siphoning off data without triggering any of the alarms wired to go off at the indication of suspicious behaviour, which are built into the security apparatus of companies? Sadly enough, newer kinds of malware, once inside networks, are often difficult to detect. Security researchers almost universally lament that far too often, in cases of breach, malware remains undetected for months on end.
The perpetrator of the hacking crime on the businessman was sitting outside India and could have been a state or non-state actor. It is natural in a globalized world that the race
for competitive advantage—the businessman’s company was involved in several international deals—would see cross-border business espionage.
There are many who believe that India could do a lot more to protect its economic interests. Raghu Raman, former CEO of the National Intelligence Grid or NATGRID, a government initiative to integrate intelligence sharing by connecting the databases of core security agencies, believes that India is especially vulnerable to external snooping and there is little that can be done about it because of our dependence on external technology.
Next to nothing in the tech ecosystem is made in India or owned by the country—whether it is the chip that powers phones, the software that runs computers, or the pipes that carry the country’s data. So there is very little that can be done to really protect Indian interests in this context. Indian data that goes through pipes around other countries, according to Raman, can be mined. Even the software that searches for malware is not Indian. The only way out for India, he says, is to become technologically innovative rather than remain a consumer of tech.
That idea of a national security utopia, where much of the tech we use is created by us, may sound great, but is not a very practical one. Real, large-scale innovations will take time. Data security has to be put at the centre of conversations to bring about a change in the country. Also policies have to evolve to mitigate obvious vulnerabilities.
Hardly anyone talks openly about technological breaches in India. For a country that is the fastest growing in a connected world, the top echelons—right from those in the government to those in the boardroom and the executive suites—remain remarkably silent when it comes to such breaches and, by extension, when it comes to data security in general.
As a result, the lack of thought leadership when it comes to security is pervasive in India’s boardrooms, say many security researchers and observers, and is one of the factors that makes the country and its businesses vulnerable to cyberattacks of all kinds from anywhere in the world.
There may be enough and more instances of breaches, but because these are brushed under the carpet, the evolution of a comprehensive, national strategy becomes difficult. The bigger Indian conglomerates and the strategically important companies do engage with the country’s intelligence community, but that is not percolating to organizations down the Fortune India 500 list and further down to the thousands of small and medium enterprises.
Leadership sets the direction in any entity, and the prevailing casual attitude that underpins most Indian companies percolates down the chain to the lowest-ranking employees when it comes to data security, perpetuating a culture of blissful ignorance of data security, whether corporate or personal. Most people don’t really care because most people don’t really know.
Informing employees about data security is crucial. Throwing a cybersecurity blanket around the top management or loading anti-virus software on to employee computers isn’t enough to safeguard business secrets. Security is a culture. The knowledge of how to be technologically secure varies widely within any group of people. Many in India don’t even know that their system and all the data on it can be compromised through what they perceive as normal actions, such as clicking a link on the Internet.
Knowledge of breaches will not solve the problem of breaches but can help create a more aware populace in a digital India. The idea of security, whether physical or digital, is to increase the time and the effort it takes an attacker to break in. The apathy of many when it comes to imbibing basic security practices makes it easier for the system to be compromised. There is no such thing as 100 per cent security, but companies, and the government too, can increase their odds of not being digitally hacked by being open to their people and investing in educating them about safer tech practices.
Data security, which is generally perceived as something that is under the chief technology officer (CTO) in an organization, needs to be viewed as something of an existential risk and far more critical. Therefore it needs to be a separate function under the direct purview of the chief executive. This is not always the case. Hence for last several years, digital security has been under the purview of CTO. The role of a separate chief information security officer needs to be carved out by far more companies. CTOs have enough on their plate and information security cannot remain merely one of the things that they look at. Things have been changing in the bigger conglomerates and companies as well as in highly regulated industries, but there is still a long way to go.
Multiple instances of compromised data from around the world and what it meant for the leaders of those targeted organizations have certainly had an impact on the behaviour of chief executives of the bigger organizations in India. In 2016, Yahoo! penalized11 their then chief executive officer Marissa Mayer for being negligent of the breaches that resulted in more than a billion Yahoo! account holders’ information being leaked on to the Internet. Or take the example of how Sony Pictures’ co-chairman, Amy Pascal, had to step down after the company was breached.12 In 2014, the departure of the chief executive of the global retail behemoth Target, Gregg Steinhafel, was hastened by the breaches of its security.13 These are just a few examples of the events that made top management from around the world sit up and take notice.
In the boardrooms of many a big organization, it has now been realized how vulnerable their companies are and have hired for positions that manage security and report directly to the chief executive officer. Many of the biggest conglomerates in India have, for instance, hired experts to boost their muscle in defending their perimeters, both physical and digital.
There are companies who have hired former officials from the intelligence services and regularly conduct audits and reviews of their security apparatus. Take, for instance, Raghu Raman joining Reliance Industries as group president, risk, security and new ventures. That designation is interesting, as it captures the interlinkage between security and risk.
When it comes to small and medium enterprises, it is still rare to find companies investing seriously in digital security. As Sivarama Krishnan, leader, cybersecurity, at PwC India says in a report titled Turnaround and Transformation in Cyber Security—India Update,
The larger organizations are often much ahead of the curve in deploying cyber defence strategies. The mid-market and smaller organizations are often seen to be struggling, more so because of the mindset: ‘If I am small, I am not interesting for the cybercriminal.’ In the absence of appropriate security controls, organizations have delayed incident detection and response and may sometimes even fail to detect incidents, only to be noticed later by external parties.14
To think they won’t be attacked is foolishness. If anything, the lower levels of security could mean that smaller companies could potentially be lower-hanging fruit for those looking to steal data. In fact, these breaches may be far more common than they appear.
PwC India’s report says that, ‘almost 38% respondents claim to have suffered a loss of “hard” intellectual property (IP), which includes strategic business plans, deal-related information and sensitive financial information’.15
Indian boardrooms need to discuss data security in far greater detail than they are used to if they are to arrest this slide. The fight between those who strive to steal and those sweating to protect will go on, and the first thing to do is arm yourself with knowledge of the ways in which things can go wrong.
Why? Because they will go wrong. In the modern era, those determined to break their way in will persist. The attacker may fail once, twice or more times. But all that is required for a successful breach is one moment of weakness when one accidentally clicks a rogue link.
Theft of data in the digital era is about keeping at it—fail in one attack, and you come back and attack another day, another way. The nature of the Internet gives hackers as many bites at the cherry as they desire.
Breaches can happen any time and to anyone.
CHAPTER 2
FOOD FOR THOUGHT
How Zomato Dealt with
Their Biggest Crisis
The mercury starts soaring well into the forties in the middle of May in Gurgaon. The chimneys on top of the glass and steel buildings that dominate the skyline spew thick plumes of smoke into the air all day. That’s the result of the generators guzzling gallons of diesel, trying to keep up with the energy consumption as the air-conditioning in these buildings works on full blast.
One Horizon Centre on Golf Course Road is one of the relatively newer buildings in Gurgaon. The building has an LEED—short for Leadership in Energy and Environmental Design certification and claims to meet energy demand through natural gas rather than by using the dirtier diesel.1 The literature about the building claims it is designed in such a way that it consumes 14 per cent less energy than other regular buildings. That would possibly be among the reasons why some of the choicest names among multinational corporations—Apple, Coca Cola, Tata-Singapore Airlines, GlaxoSmithKline and American Express—moved into this building.
Zomato, one of the few new-generation Indian enterprises that has gone multinational, is at home on the twenty-first floor of One Horizon Centre. The view outside the window is rather impressive by Gurgaon standards, with the office overlooking the Arnold Palmer-designed DLF Golf and Country Club, next to a cluster of buildings under construction on the edge of the greens across the road. The interiors of the office are standard for a new-age start-up, letting in plenty of natural light and characterized by a general airiness. There is a relaxed vibe in the office. Every few minutes, a rake of coaches of the second phase of the rapid metro, the big local public transportation project that recently threw its doors open to the public, can be seen snaking its way up and down the tracks.
Gunjan Patidar was perched comfortably on the beige couch near the entrance to the office along with a couple of his colleagues. It was 18 May, one of those business-as-usual days at Zomato. That is how the day had progressed, until the young chief technocrat of Zomato saw the email that had popped up on security@zomato.com.