January 1, 2009

Anil Chopra and Anindya Roy

By now, there’s been ample media coverage of the terror attacks in Mumbai,
and how terrorists managed to use the loopholes in our system to achieve their
objective. Never before was there such an uproar from the entire nation over
this episode, which clearly reflects that we’ve run out of patience at the lax
attitude of the govt. toward the country’s security. While we wait for the govt.
to do something about it, it’s time we also did something to combat this menace.
After all, security is everyone’s responsibility, if we don’t want any further
loss of lives, property, business, and market reputation. We received lots of
queries from many CIOs on how they should use IT to protect their
infrastructure. Considering that IT systems are the backbone of most businesses,
the CIOs obviously have a reason to worry.

So in order to understand what Indian enterprises are doing to secure their
infrastructures, we did a small survey of around 30 CIOs from leading
organizations across the country. By and large, everyone’s definitely worried. A
majority of the CIOs said that their organization was very worried about the
security of their infrastructure, and were quite serious about doing something
about it. Some of them had even gotten special budgets sanctioned for
strengthening their IT security.

The right way to deploy IT security
But before you scramble to deploy high-tech equipment like DFMDs (door frame
metal detectors), surveillance systems, etc., you need to understand the scope of
the problem and the role IT can play in combating terror. Technology can
certainly help combat terror, but its usage has to be clearly understood in
order to choose the right equipment. For instance, even if the surveillance
system detects a terrorist, or the DFMD detects heavy metallic objects being
brought into the premises, they can’t really stop them. Their objective is to
detect and monitor, and not protect. That doesn’t mean you shouldn’t deploy such
systems. You need to understand their effectiveness in combating terror. For
instance, the US has deployed video surveillance cameras at many of its
airports, which can identify baggage that remains unattended for some time.
Similarly, video monitoring technologies have been deployed to check if a
vehicle circles a high-rise building more than required, or if a person makes
multiple trips to the shopping mall within a specified period of time. All of
these technologies can certainly help in raising an alert if something goes
wrong.

Unfortunately, that’s not how technology has been used in India. For
instance, the Taj hotel in Mumbai had also deployed CCTV, but when the
terrorists attacked it, they took over the control room because it was located
within the hotel's premises itself. Since the terrorists knew the hotel inside
out before attacking, they made the control room inaccessible to the security
forces. Had the hotel used IP Surveillance, then the entire hotel could have
been monitored from outside, and many more innocent lives could have been saved.

Another incident, much milder than this but one that makes the point, involved
a close acquaintance of mine who lost her bag in a shopping mall.
The bag contained all her cards (credit, ATM, etc), as well as cash. She
immediately informed the mall’s security personnel about the incident.
Thankfully, the mall had CCTV installed at its entrance, and had recorded all
movements in that area. Upon playing back the video, they were able to spot the
thief (apparently a small boy), walking away with the bag out of the mall. This
sounded like good news, but only for a while, because they soon realized that
they couldn’t identify the thief. The cameras were just not powerful enough to
zoom close enough to recognize the thief.

What measures should our govt. take to help organizations protect their IT
infrastructure against terror attacks?

The Govt. is now asking us to be compliant with well-defined IT security norms.
Jyoti Bandopadhyay, VP-IT, Torrent Power

The govt. should standardize and enforce a uniform security framework that
should be accepted by organizations, both in the private and public sector.
Ashish Bharadwaj, UPES

Intelligence & surveillance systems with proactive controls.
BLV Rao, VP-IT Networks & Systems, Infotech Software

Information risk normally leads to business risk. Therefore, the govt.
should come forward to issue various directives to corporates as minimum
ruling to maintain certain security measures on various Internet / Intranet
based communication means (especially Internet and e-mailing) for daily
business working.

In the private sector as well, while recruiting personnel, police
verification must be kept mandatory before joining.
Sardindu Paul, GM-IT, ElectroSteel

In the IT ministry, the govt. should create a cell to handle and advise
corporates and SMBs from time to time on how to protect them from data
security threats.
Preet Kumar Singh, CIO, Glencore

Government can create some guidelines in line with SOX, making it
mandatory for organizations to adhere to IT security, and to create DR sites
for IT infrastructure. Plus, the govt. needs to focus on building
infrastructure like roads, leased lines and Internet availability. The govt.
also needs to develop the capability to intercept and process information
flow (through telecom and the Internet) to take preventive and corrective
actions for suspicious activities. The police have to help organizations do
speedy and authentic scrutiny of new recruits. At present most IT
infrastructure is concentrated in Metros. To reduce the risk, we need to
create more data centers in tier 2 and tier 3 cities.
Nitin Doshi, Head-IT, Sterlite Industries

Both of the above cases are examples where technology has been used just for
the sake of it, without serving any real purpose. Had the mall used CCTV cameras
with better optical zoom, they could have identified the thief and nabbed him
later. Had IP Surveillance been used, operation Taj would perhaps have ended
much faster. You might say that the Taj group would never have imagined in their
wildest of dreams that such an episode could ever happen to them. But then,
that’s how disaster strikes!

So, it's important to understand that IT security goes much beyond
surveillance systems. It needs to ensure that the business can spring back into
action quickly after a terrorist attack. Essentially, a terror strike is an
unpredictable disaster, so you need to ensure that your business is able to
spring back into operation as quickly as possible after it happens. For
instance, after the September 11 attack on the World Trade Center towers, many
companies that had offices in those buildings managed to get back to business
because they had an effective DR and BCP strategy.

Vi Software
Some software that can perform the functions described in this article, and
is available for purchase today:

Agent Vi: http://www.agentvi.com
(a 90-day trial is available for 3 IP cams on request through the website)

OnSSI: http://www.onssi.com/

Intelli-vision: http://www.intelli-vision.com/

Which security technologies to deploy?
Security is no longer just about protecting your data against virus and malicious
software attacks, nor is it only about protecting it against hacking attempts or
preventing disgruntled employees from stealing information. These you
need to do anyway. Today, security also means protection against infrastructure
misuse and information leakage. How do you know that the person you've recently
recruited is the person who he/she claims to be? Maybe it's a terrorist. In
today's world, it doesn't really sound that absurd. How do you know that your
network is not being misused by terrorists for communication?

The moment you add this dimension, you see security in a whole new light. For
infrastructure misuse, you need to put stringent access controls in all places,
like WiFi networks or sensitive areas like data centers. For keeping a tab on
your employees, you need to put in stringent identity management systems,
possibly backed up by police verification.

Some measures would be specific to particular verticals. The govt., for
instance, needs to secure all its websites against information theft and from
being hacked. Large building infrastructures like commercial towers, shopping
malls, railway stations, etc. would need to put in surveillance systems that can
monitor specific things like how many trips an unknown person makes, or report
suspicious unattended items lying around for too long, etc.



When we asked our respondents, 45% of them said that they planned to deploy
information leakage prevention solutions. Another 34% had plans to deploy
biometric access in their data centers and soup up their wireless LAN security.
You can see the rest of the security measures in the chart.

There are many other things that can be done besides the above to secure your
IT infrastructure, depending upon your setup. For instance, if you’re in the
power business, then you might also need to deploy video surveillance of all
installations and devices for distribution, transmission and generation.

IP Surveillance
At one time, surveillance had nothing to do with IT. Then came IP cameras,
making IP Surveillance a major part of IT security. And now things have become
much more sophisticated through the use of IT, and we have something called
Video Intelligence or Vi. With a huge market in the US and UK, this is spreading
its wings into developing countries like ours. Vi has emerged because of a
problem with legacy surveillance systems, where real-time monitoring was a
completely manual task. Imagine a scenario where one has a video control room
with two people sitting and watching the feeds from 200-odd cameras.

It is physically not possible for a human to pay 100% attention to the
video feeds throughout his working hours, and if he misses a small incident, it
can cause havoc. That's where Vi plays its role. With Vi solutions, one
can automate alerts based on a variety of events, and in case of an alert it can
push the feed to the concerned person's laptop, PC or even smartphone. Some key
features of Vi are as follows.

Tracking movement: These systems can not only highlight suspicious
activities but also track movements. So let's say someone is trying to
enter a restricted area; the motion detection feature catches him and an alert
is generated. Now the system will not only highlight the person in the
video but will also track and map his movement.

Car tailgating: With this feature, the camera automatically captures
the stream of a car trying to enter a restricted area by tailgating an
authorized car. And of course generates an alert.

Grouping of people: This is a customizable feature where one can
select an area in the video stream and set a threshold for how many people can be
there in a group at one time. If the group exceeds that number,
it raises an alarm. Systems are now so sophisticated that they can easily
differentiate between persons and their shadows, and ignore the shadows while
counting the people.

Tracking objects: This is a great feature and can be used to protect
our railway stations and other public places such as malls against
bomb scares. With this feature one can set an alert on any object that is
lying unattended and raise an alarm on such an event.

The same feature can also be used to raise an alarm if someone forgets his
belongings somewhere and someone else tries to go near them or pick them up.

Night Vision/Thermal Vision: Night vision and thermal vision are another
great feature of new-age surveillance solutions. This is not exactly a software
feature, but rather a feature of the camera. But used along with good
intelligent software, it can be very helpful. For instance, if you are trying to
set up motion detection near a railway line, it is nearly impossible for the
system to differentiate between the motion caused by the trains and the motion
caused by a human intruder.

But with a thermal vision camera, the system can measure the heat level of
different objects and can actually differentiate between a moving train and a
moving intruder.
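The unattended-object and grouping rules described above, as an added illustration in C (constructed here, not code from any Vi vendor or from the original article): per-frame detections from a tracker are fed in, and each rule returns the frame at which it would raise an alarm. The dwell time, owner distance, zone and head-count threshold are assumed parameters, and the sample detections are constructed.

```c
#include <stddef.h>

/* One tracker output per frame: a person ('P') or an object such as a bag ('O'),
 * with a track id and a ground-plane position in metres; one frame per second.
 * Constructed sample data, not output from any real Vi product. */
typedef struct { int frame, id; char kind; double x, y; } Det;

/* Person 1 carries bag 9 in, sets it down at (2,0) from frame 2 and walks off;
 * persons 2 to 4 gather near (10,10) during frames 3 to 6. */
static const Det SAMPLE[] = {
    {0,1,'P',0.0,0.0}, {0,9,'O',0.0,0.0}, {1,1,'P',1.0,0.0}, {1,9,'O',1.0,0.0},
    {2,1,'P',2.0,0.0}, {2,9,'O',2.0,0.0},
    {3,1,'P',4.0,0.0}, {3,9,'O',2.0,0.0}, {3,2,'P',10.0,10.0},
    {4,1,'P',6.0,0.0}, {4,9,'O',2.0,0.0}, {4,2,'P',10.5,10.0}, {4,3,'P',11.0,10.0},
    {5,1,'P',8.0,0.0}, {5,9,'O',2.0,0.0}, {5,2,'P',10.5,10.0}, {5,3,'P',11.0,10.0}, {5,4,'P',10.0,11.0},
    {6,1,'P',9.0,0.0}, {6,9,'O',2.0,0.0}, {6,2,'P',10.5,10.0}, {6,3,'P',11.0,10.0}, {6,4,'P',10.0,11.0},
    {7,1,'P',9.5,0.0}, {7,9,'O',2.0,0.0}, {8,1,'P',9.5,0.0}, {8,9,'O',2.0,0.0},
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

static double dist2(double ax, double ay, double bx, double by)
{ return (ax - bx) * (ax - bx) + (ay - by) * (ay - by); }
static int last_frame(const Det *d, size_t n)
{ int m = 0; for (size_t i = 0; i < n; i++) if (d[i].frame > m) m = d[i].frame; return m; }

/* Unattended-object rule: object obj_id is flagged once it has rested within
 * 0.5 m of one spot while no person was within owner_m of it for dwell
 * consecutive frames. Returns the frame the alert fires, or -1 if it never does. */
int unattended_alert(const Det *d, size_t n, int obj_id, double owner_m, int dwell) {
    double sx = 0, sy = 0;                       /* spot the object is resting at */
    int seen = 0, run = 0;
    for (int f = 0; f <= last_frame(d, n); f++) {
        const Det *obj = NULL;
        double near2 = 1e18;                     /* squared distance to nearest person */
        for (size_t i = 0; i < n; i++)
            if (d[i].frame == f && d[i].kind == 'O' && d[i].id == obj_id) obj = &d[i];
        if (!obj) { seen = 0; run = 0; continue; }   /* object gone or track lost */
        for (size_t i = 0; i < n; i++)
            if (d[i].frame == f && d[i].kind == 'P') {
                double dd = dist2(d[i].x, d[i].y, obj->x, obj->y);
                if (dd < near2) near2 = dd;
            }
        int still = seen && dist2(obj->x, obj->y, sx, sy) <= 0.25;
        if (!still) { sx = obj->x; sy = obj->y; seen = 1; }
        run = (still && near2 > owner_m * owner_m) ? run + 1 : 0;
        if (run >= dwell) return f;
    }
    return -1;
}

/* Grouping rule: count persons inside the zone [x0,x1] x [y0,y1] each frame and
 * return the first frame where the count exceeds max_people, else -1. */
int crowd_alert(const Det *d, size_t n, double x0, double y0, double x1, double y1, int max_people) {
    for (int f = 0; f <= last_frame(d, n); f++) {
        int count = 0;
        for (size_t i = 0; i < n; i++)
            if (d[i].frame == f && d[i].kind == 'P' &&
                d[i].x >= x0 && d[i].x <= x1 && d[i].y >= y0 && d[i].y <= y1) count++;
        if (count > max_people) return f;
    }
    return -1;
}
```

On the sample, the bag is flagged at frame 6 (three frames with its owner more than 3 m away) and the zone around (10,10) trips a threshold of two people at frame 5.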

Zero Day flaw in Internet Explorer
In December, Internet Explorer made a lot of news thanks to a critical zero day
flaw found in it. On 10th December 2008, Microsoft issued a security advisory
about a critical vulnerability in IE which allows remote execution of code. One
of Microsoft's blogs claims that the company came to know about this
vulnerability in the early hours of December 9th. Initially it was thought that
only the IE 7 browser was affected; however, the advisory was later updated to
say that all versions of Internet Explorer, from IE 5 to IE 8 Beta 2, are
affected. The vulnerability has been identified as the Pointer Reference Memory
Corruption Vulnerability, CVE-2008-4844, and is defined as: "A remote code
execution vulnerability exists as an invalid pointer reference in the data
binding function of Internet Explorer. When data binding is enabled (which is
the default state), it is possible under certain conditions for an object to be
released without updating the array length, leaving the potential to access the
deleted object's memory space."
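The defect pattern the advisory quotes (an object released without the array length being updated), as an added toy illustration in C that is not Internet Explorer's code and reproduces no real exploit: objects are drawn from a small constructed pool instead of the heap so the stale reference is observable deterministically, and the corrected release is shown beside the defective one.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of the defect MS08-078 describes: a table of bound objects whose
 * walkers trust a length field. Objects come from a small pool instead of
 * malloc so a stale reference is observable deterministically; with a real
 * heap the same walk is undefined behaviour. Constructed, not IE's code. */
enum { LIVE = 1, FREED = 2 };
typedef struct { int id, state; } Obj;

#define POOL_N 8
static Obj pool[POOL_N];
static int free_stack[POOL_N], free_top;   /* LIFO: last freed block is reused first */

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = POOL_N - 1; i >= 0; i--) free_stack[free_top++] = i;
}
static Obj *obj_new(int id) {
    Obj *o = &pool[free_stack[--free_top]];
    o->id = id; o->state = LIVE;
    return o;
}
static void obj_delete(Obj *o) {
    o->state = FREED;
    free_stack[free_top++] = (int)(o - pool);
}

/* The binding table: a pointer array and the length every walker trusts. */
typedef struct { Obj *slot[POOL_N]; size_t len; } Table;

/* Defective release: the object is deleted but len is left as it was, so the
 * slot keeps a dangling pointer that the next walk dereferences. */
static void release_buggy(Table *t, size_t i) { obj_delete(t->slot[i]); }

/* Corrected release: delete, compact the array and shrink len in one step. */
static void release_fixed(Table *t, size_t i) {
    obj_delete(t->slot[i]);
    memmove(&t->slot[i], &t->slot[i + 1], (t->len - i - 1) * sizeof t->slot[0]);
    t->slot[--t->len] = NULL;
}

/* Walk the table and count entries that no longer refer to the object that was
 * bound there: freed, or freed and already reused for some other object. */
static int stale_entries(const Table *t, const int *expect_ids) {
    int stale = 0;
    for (size_t i = 0; i < t->len; i++)
        if (t->slot[i]->state != LIVE || t->slot[i]->id != expect_ids[i]) stale++;
    return stale;
}

/* Scenario: bind three objects, release the middle one, allocate a fresh object
 * (it lands in the block just freed), then walk. Returns the stale-entry count:
 * 1 with the defective release, 0 with the corrected one. */
int run_scenario(int use_fixed) {
    static const int expect_buggy[] = { 101, 102, 103 }, expect_fixed[] = { 101, 103 };
    Table t = { { NULL }, 0 };
    pool_reset();
    t.slot[t.len++] = obj_new(101);
    t.slot[t.len++] = obj_new(102);
    t.slot[t.len++] = obj_new(103);
    if (use_fixed) release_fixed(&t, 1); else release_buggy(&t, 1);
    obj_new(999);   /* unrelated allocation reuses the freed block */
    return stale_entries(&t, use_fixed ? expect_fixed : expect_buggy);
}
```

With the defective release the walk finds the middle slot now pointing at object 999, which is exactly the "deleted object's memory space" the advisory warns about.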

What it implies
Those who work in the security domain or have been dealing with patches and
vulnerabilities for a while will probably wonder what the fuss is about.
However, since all versions from IE 5 onwards have this vulnerability, it is an
architectural issue. Another reason for the hype is that news travels faster
than before, so as soon as Microsoft published the advisory, it was all over the
web, news, blogs, etc. Microsoft responded quickly and published a workaround on
the 12th on its website. However, online reports suggest that somehow the
exploit code was released in the wild, and soon a few gaming and pornographic
websites started exploiting this flaw and launched attacks on users. As per
another Microsoft blog, initially a few legitimate websites were also modified
to include these exploits. Most of the enterprises that have security solutions
in place will manage to detect it if somebody drops malware on their network;
this means personal users and small businesses are at the greatest risk.
Microsoft on its blog also mentioned that 0.2% of all users had been exposed to
these websites.

Soon after, a few nice people at MilW0rm released proof of concept code, and
soon there were many attackers looking for unescaped shellcode and offering
huge sums of money for it. To put it in simple words, there was a 7-day gap
before MS released the patch, and all this while the attackers took advantage
of this zero day vulnerability.

Microsoft's solution
Microsoft released an emergency patch for this vulnerability on 17th Dec.
Usually MS security patches come out on a Tuesday, but this one was released on
a Wednesday and is believed to be the fastest response from Microsoft. The patch
can be downloaded from www.microsoft.com/technet/security/bulletin/ms08-078.mspx.
If you have automatic updates on, chances are that this patch has already been
deployed on your machines. We also tested this patch with the proof of concept
code released by MilW0rm on a Windows Vista machine with IE 7; the exploit was
fixed and the attack was unsuccessful. It's also recommended that you update
your anti-virus and scan all machines in your organization to ensure that you
are not infected by any Trojans.

With MS releasing the patch, Internet Explorer is now protected against
this exploit, but this whole saga leaves a few unanswered questions, largely
due to the claims made by some security experts. After the exploit was found, a
few security experts claimed that they had known about it months back. Which
is a bit of a surprise, because if they knew about it, why didn't they file a
public vulnerability report or inform MS about it? If they were looking to
make some money from it, they could have used channels like ZDI or
WabiSabiLabi, etc. And if they did inform MS about it, what happened? As
we said earlier, MS says it came to know about this on Dec 9 only. My only
point is, if they want to claim in the public domain that they knew about it,
they should tell the entire story, i.e. what did they do about it? Did they
inform MS about it or not? If they did, did MS take it lightly and risk
all of its users? By not properly disclosing the exploit these people are
only helping the bad guys. What do you think really happened? Come and
voice your opinion at forums.pcquest.com.

Swapnil Arora

Security & Corporate Resilience: Urgent Memo to CEOs
Ashish Sonal, CEO, Orkash Services

If at all, there exists a silver lining to the very dark clouds of Mumbai’s
26/11 events, it is that these seem to have triggered a key psychological shift
in how security is perceived. The question regarding the ‘relevance’ of security
would hopefully no longer need contrived answers in this country. For the
corporates, the challenge of achieving operational resilience in the face of
increasing complexity of security risks (both external and internal) is becoming
a defining factor. Terrorism, cyber attacks, online threats, major frauds,
likelihood of global epidemics, impact of global warming, the operational risks
arising from the current global financial crisis, are like ‘Tsunamis’ in the
waiting, their impact amplified by the interdependent business and economic
environment. Very few companies are doing a good job of taking the
responsibility to create a management-level of understanding of such security
risks. Business leaders, as decision makers who set the priorities and steer the
strategy of their companies, must acquire this understanding because many such
events are statistically unpredictable. Security is a big challenge in itself,
but what creates resilient organisations is not merely this. It requires
something that I term as building an ‘Assurance Layer’ around security risks. In
reality, all corporates commit fairly large amounts of resources and money to
security and internal controls. Yet they often fail to be resilient to even
routine threats because they miss putting this assurance layer in their systems
and processes.

What constitutes this Assurance Layer? It is accurate intelligence (and in
the absence of actionable intelligence, a capability for anticipation) and good
incident response. The first line of incident response capabilities and
intelligence creation encompass mainly tactical and operational level processes
and systems in an enterprise. There are many things that must change in how
corporates manage security risks. The Mumbai attacks are an immediate
psychological driver for this. But so should be the impending threat of cyber
attacks, the likelihood of epidemics like avian influenza, and the operational
uncertainties that went unmonitored. The best security can only be achieved
through the involvement of every employee and every business process. This is
not as difficult a proposition as it may seem. A similar management challenge
was successfully met by the corporates in the eighties and nineties.
It led them to devise ways to embed quality management as a key performance
parameter for every employee, every function and every process in their
day-to-day working, enterprise wide. Security and the concept of the Assurance
Layer are indeed very much like quality from a management perspective; these
must be part of the DNA of the functioning of a company. To make this happen, we
require change management as an agenda that is driven from the top; remember it
took someone of the stature of Jack Welch to demonstrate that (Six Sigma)
quality management can be embedded seamlessly down to the minutest level across
even as massive an enterprise as GE.

Whether it is physical security or information security, the enterprise level
systems that exist in companies focus disproportionately on building static
controls at the physical and logical/IT perimeters of an enterprise. When these
fail, or when the threat just materializes as a random event, what truly matters
is incident response in terms of speed, in real time, for containment and
recovery. This requires speedy defensive response and investigative intelligence
capabilities, particularly when the threat arises as an event that occurs
through or impacts the information technology infrastructure. Beyond the larger
aspect of integrating and aligning security risk management with the other
day-to-day business processes that run in a company, another challenge is about
the ramifications of the convergence of security risks in physical and IT
infrastructures of companies. An alliance and interconnect between the physical
security and logical/IT functions is a great value-add. For example, alerts can
be triggered based on IP enabled surveillance systems and access control logs,
even as the IT security team’s cyber forensics tools investigate in real time an
internal intrusion/anomaly indicative of an employee attempting data theft.

For the role of incident response, investigative intelligence and cyber
forensics based evidence chain creation is the key, an area where very few
companies have created capabilities that can provide real time response. The
world remains full of random variability from a management perspective. The
defining events that bring radical changes in the business environment,
generally tend to be unforeseen and massive. Business leaders must focus beyond
business efficiencies. An assurance layer comprising capabilities for
intelligence and incident response for security risks is increasingly the key
characteristic of successful companies.
