by Nirmal John
One of the factors that allows them this free hand is the reality that companies don’t want to report breaches to the police and would rather handle them on their own. If they report to the police, the collection of evidence has to be done in accordance with the rules that dictate what is admissible in court and what is not.
A young twenty-something security researcher in Mumbai, who wanted his name withheld, says many of the smaller companies also worry about the costs—both material and reputational—associated with the legal method of cyber-forensics. The researchers are then asked to resort to forensic practices that go against the spirit of the law, but according to the security researcher, companies prefer it this way because they want to go public only if they have a watertight case, lest there should be damage to their reputation if they go to the courts with anything less.
‘If you have a 500 GB hard disk drive that needs to be examined, for doing it the way it is acceptable as evidence you need a 1TB hard disk drive. To do just one image of a hard disk will end up costing Rs 10,000 to Rs 15,000. You have to use a commercial tool to extract forensic evidence that will stand in a court of law. This involves an expenditure of Rs 40,000 to Rs 50,000.’
He adds that usually dozens of hard drives are needed for these investigations, and most medium-size companies don’t want to bother with the expenditure because they don’t intend to pursue the case in a court of law. This results in companies wanting him to do what he calls ‘unofficial forensics’.
He explains, ‘Companies call and say, this is an employee’s laptop. We are asked to extract as much evidence as possible using free open source tools and give it to the company. If the evidence is worthy of admission in a court of law, they ask me to work with the cops and follow the official method of extracting evidence. By now we know what it is we are looking for and they can present a watertight case. The unofficial service would cost only a fourth of the official service.’
These practices will reveal themselves to be more and more of an issue in the days to come. Cybercrime is on the rise, and if the law has to prove effective against this menace then investigation techniques will have to follow the standards of evidence collection mandated by the courts, however rigorous they may be.
Legislation has been pending for a long while to bring some governmental regulation to the private detective agency business. If the legislation, first mooted in 2007, passes all formalities, a central board will be constituted to issue licences and to specify what the private agencies can and cannot investigate. The Private Detective Agencies (Regulation) Bill 2007, as it is formally called, must address this issue.
* * *
One of the most prominent topics of conversation in almost all technology circles these days is the quick march of artificial intelligence and its impact on our lives. Security is no different. Research into AI has been going on for a while, but recent advances have made it possible to say that artificial intelligence platforms will be used extensively and will be a huge business opportunity in cybersecurity in the years to come.
Of course, the most audacious of all concepts is the science fiction-esque idea of predicting crimes before they happen. That may well happen many decades in the future, once humanity figures out the ethical implications of such a move. But there are AI-based ideas that are relevant right now.
IBM is one of the companies making noise about its Watson platform and its uses in security. The basic premise is that the volume of data that comes from networks is far too much for humans to recognize patterns that are out of the ordinary or are threatening, whereas AI platforms like Watson can detect anomalies and help security professionals deal with them in near real time.
There is a threat that many see popping up with AI in security. When it comes to the intersection of technology and security, the problem with AI-based cyber-defence is that hackers too can use the immense power of AI to launch attacks, in effect resulting in a white hat AI vs black hat AI scenario. Then there is the possibility of AI itself being hacked into.
Writing for Harvard Business Review,6 Roman V. Yampolskiy, associate professor in the department of computer engineering and computer science at Speed School of Engineering, University of Louisville, says:
. . . intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible. According to Bostrom’s orthogonality thesis, an AI system can potentially have any combination of intelligence and goals. Such goals can be introduced either through the initial design or through hacking, or introduced later, in case of an off-the-shelf software—‘just add your own goals.’ Consequently, depending on whose bidding the system is doing (governments, corporations, sociopaths, dictators, military industrial complexes, terrorists, etc.), it may attempt to inflict damage that’s unprecedented in the history of humankind—or that’s perhaps inspired by previous events.
There’s little doubt that the future of security will be led by artificial intelligence, but it may not be the silver bullet that companies peddling it make it out to be. As with other facets of life where AI will have immense impact, it is time that various stakeholders do some serious thinking on the ideal way to engage with AI in security.
With or without AI, adopting the best practices in cybersecurity will sooner rather than later become a competitive advantage. KPMG’s 2017 Global CEO Outlook7 report found, rather surprisingly, that 71 per cent of CEOs saw:
. . . their investment in cyber as an opportunity to find new revenue streams and innovate, rather than as an overhead cost. For example, some businesses have created value by investing in technology that sends an alert to the customer if there is an unusual login, such as in a different country. This means that the customer knows if someone is pretending to be them, which gives these businesses a good opportunity to delight their customers.
It is also important to remember that even if you have the best equipment, people, software, precautions and protocols, no system is truly secure. It is not unlike real life, where we lock our houses and latch our windows. We may have the most expensive lock with the most complex of mechanisms, but does it guarantee 100 per cent security? There is no such thing.
The horizon of technology is one that can never be reached. Security of any kind is inherently a reactive construct and follows the principle of securing by making it increasingly difficult to break in. But, as we know from real life, thieves do continue to exist and often find increasingly innovative ways to do what they do.
Securing data in the digital age is a cat-and-mouse game. Your biggest weapon to keep your data secure may not be hidden away just in code. It is knowledge of the various possibilities, and the steps you take based on that knowledge that will go a long way in keeping you and your company’s data safe.
Are you prepared?
Epilogue
We may not talk about it much, but theft of data is not new to India. In fact, India was a central player in, and a huge beneficiary of, one of the world’s earliest recorded instances of business espionage. In the mid-1800s, Robert Fortune, a British botanist, at the behest of the British East India Company, disguised himself and infiltrated the heart of China to steal the secret of growing Camellia sinensis. You may, of course, have heard about this plant by its more popular name, tea.
It was a time when opium and tea were among the most valuable commodities in the world, with India being the source of opium, while China had a near monopoly on tea. Fortune was paid £500 every year by the company for his troubles. Inflation adjusted, that works out to £47,000 in 2016 money. That may not sound like much, but at that point in time, dominion over trade of spices and ore was instrumental in the creation of empires. It is a fascinating story, and American writer Sarah Rose’s For All the Tea in China1 is a page turner where the author recounts Fortune’s journey to China to steal the secrets of growing the tea plant.
Think about it. There is a little bit of data theft at the bottom of every glass of tea that India drinks.
A century and a half later, we are living in a time when conversations on securing data have started in earnest in India, catalysed by the extensive media coverage of digital India, the ransomware attacks as well as questions around the integrity of the Aadhaar database.
A connected populace is a great idea, but without a far larger emphasis on digital literacy and cybersecurity, the hundreds of millions of people will be like sitting ducks for any number of cyberattacks. The year 2017 was when cyberattacks finally became front page fodder for Indian news media. It is little surprise that this coincided with the country becoming the second largest smartphone market. The lure of India for cybercriminals has never been as high, and with the government embarking on its massive digital transformation project, it will become even more of a low hanging fruit for malicious actors in the days to come. Businesses as well as individuals will have to double down to raise overall levels of preparedness.
Here are a few basic things that must be kept in mind to create a more secure workspace.
Build Awareness
A secure workspace starts with an aware individual. Human error is generally regarded as the No. 1 cause of breaches. Take passwords for example. In the battle between the inconvenience of remembering a complicated but safer password and the ease of recalling a simple one, far too many opt for the latter. This has been a source of headache for security professionals in many companies and has resulted in a rather shocking statistic. According to the 2017 Verizon Data Breach Investigation Report, 63 per cent ‘of confirmed data breaches involve using weak, default or stolen passwords’. Many employees also instal programmes on their work computers that can compromise security. One of the most incisive decisions that can be made by any business hoping to reduce the odds of being breached would be to ensure that employees are aware of exactly how to handle technology securely.
Invest in Technology
The Federal Communications Commission of the United States says, ‘The latest security software, web browser and operating system are the best defenses against viruses, malware and other online threats.’ In a country like India, where the menace of pirated software is still high, particularly among small- and medium-sized companies, this assumes even more importance. Companies must make sure that they use original software and instal the latest versions as and when updates are released to counter threats. Failure to do so was a major reason for the spread of ransomware like WannaCry and Petya earlier this year. Along with these, it is also crucial to run firewalls, which keep an eye on traffic from the outside, and other programmes which help maintain cybersecurity hygiene.
Define Security Perimeter
One of the basic tenets of cybersecurity is to have well-defined walls around different kinds of data which are put in different buckets, with access permitted only to those who must have access to that data. Not every employee needs to have access to every part of a company’s data and limiting access can go a long way in reducing risks. There is also a need to make it difficult for nefarious elements to access data even if they have breached the outer walls. This mandates thinking beyond passwords. Businesses should think about implementation of multi-factor authentication.
Back-up Everything
Among the simplest of things you could do to protect yourself against malware like ransomware, which ‘kidnaps’ your data, is to save a copy of everything. This way you are not at the mercy of nefarious elements. This could prove invaluable in the days to come as many security experts expect ransomware attacks to spike up in 2018.
Plan Ahead
All the best practices start with the time and effort that go into defining and documenting cybersecurity policies. These policies must detail the security practices for the business and also encompass an incident response plan which details how to react in case things do go awry. Knowing how to react saves valuable time. Business continuity planning is another important facet. When natural disasters happen, there are many business continuity plans that are put in place. This needs to be a standard operating procedure for breaches as well.
The demand for security is only going to go up as technology seeps further into our lives. The Internet of Things (IoT) and its philosophy of connecting everything is going to increase complexities and challenges. In a few years, we will be taking for granted living in a world of connected cars and homes. This future would be underpinned by rivers of data flowing from every device we own, and often from devices we don’t. How we take to protecting the integrity of this flow will determine if we can limit the dangers that lurk.
The security of all of that data will continue to depend on a combination of human and technological factors. The human factor is dependent on adopting simple, commonsensical practices, including not taking the bait offered by black hats in the form of malicious links and making sure that software is kept updated. The technological factors would include establishing well-defined security protocols and ensuring periodic audits are undertaken.
Companies need to invest in advancements in technology along with adding to their teams. With the sheer volume of data at stake, detection of and reaction to breaches will be dictated by machines. Artificial intelligence is going to redefine the arsenal we have to play with. As mentioned earlier, AI is going to be used by malicious actors as well. But the widespread adoption of AI-led security will likely enhance the pace at which threats will be detected and countered.
In terms of creating businesses that cater to the demand around better solutions for cybersecurity, India has the opportunity to not just try and leapfrog existing ideas and technologies, but also to help define the way of the future. Questions may be asked about the real world skills of a vast majority of coders India churns out every year,2 but there is no doubt that there are plenty of coders who are absolute masters of their domain in the country. Indian entrepreneurs must move fast and capitalize on that advantage.