Cyber space needs a fix to tame the bad guys

IT manufacturers and software developers are focused on adding functionality and ease of use. Security is only an afterthought. Therefore, they are al

It is time to look at the happenings in the cyber space. Last year, McAfee Labs detected more than 307 new threats every minute, or more than five every second, with mobile malware samples growing by 16 per cent during the third quarter of 2014 and overall malware surging by 76 percent year on year.

In 2015, it predicts “more aggressive efforts to identify application, operating system, and network vulnerabilities, and an increasing focus on the limitations of sandboxing technologies as hackers attempt to evade application”. While this highlights the happenings on one side, the other has a different story.

Cybersecurity skills are in great demand and the cybersecurity market, which is presently around $100 billion, is expected to exceed $150 billion by the end of the decade. Overall, India has to let go of its cyber complacency and its leading information technology companies should build their competencies in the cybersecurity domain to emerge as a global cybersecurity workforce.

In recent months, there have been a series of cyber attacks involving major organisations such as JPMorgan Chase, Home Depot, and Target, with Sony being the latest. While Stuxnet, a malware that crippled the Iranian centrifuges and is widely believed to be the handiwork of the US and Israel, was the first known cyberattack on a critical infrastructure, the recent Sony hack is a major instance of cyber vandalism which is threatening to draw the US and North Korea into direct confrontation in cyberspace.

This confrontation may well turn out to be the first cyber war. While a group calling itself the Guardians of Peace claimed responsibility for the cyber attack, the US Federal Bureau of Investigation has accused North Korea of carrying out the cyber attack against Sony’s computer network. The North Korean government denied the charge and warned the US of serious consequences if it launched any counter-attack.

The FBI’s accusation of the involvement of North Korea with Sony hacking is based on the similarities it found between the malware used in the Sony hacking and software used in previous cyber attacks carried out by North Korea.

From the motivational perspective also, North Korea seems to be the suspect. Sony was planning to release a movie called The Interview, which is about a mission to assassinate North Korean leader Kim Jong-un, and North Korea had protested against the release. Following the cyber attack, Sony appeared reluctant to release the movie, but the subsequent furor made it change its stance and release the movie.

President Barack Obama of the US dubbed the incident cyber vandalism and said that the US would respond “proportionately”. Coincidentally, a few days later, North Korea experienced a total Internet outage for many hours. Some interpret this outage as the US’ initial proportional response.

Vandals used hardware wiping tool
According to reports available in the public domain, the Sony hack resulted in the release of internal Sony communications and tens of thousands of emails with sensitive and confidential information that contained embarrassing comments made by studio executives and sensitive pay data. Some reports also say that the attackers issued threats to theatres that planned to display the movie.

While news reports describe the nature of the havoc caused to the studio, the US-CERT alert (TA14-353A) provides information about the primary malware used by the attackers. While not mentioning Sony by name, the US-CERT alert describes the victim as a “major entertainment company”, and says that the cyber threat actors used the SMB (Server Message Block) worm to conduct cyber exploitation activities.

The malware has the ability to propagate throughout the target network via built-in Windows shares and contains five components: a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool. It sends log data to command and control infrastructure and accepts new scan tasks. It can guess passwords for SMB connections. The malware includes a hard-drive wiping tool that can destroy data beyond the point of recovery and render the victim machines inoperable.

The Sony hack seems to be a harbinger of times to come and it alerts us to the dangers of excessive dependence on information technology based systems and services. Companies which are in the business of supplying IT products, systems, and solutions, primarily focus on building functionality and ease of use. Security is only an afterthought and, therefore, they are all susceptible to cyber attacks.

With almost all primary services such as banking, commerce, communication, electricity generation and distribution, entertainment, and transportation depending upon IT for their operations in one way or the other, any disruption caused by malicious activities makes us all vulnerable. “American businesses, financial networks, government agencies, and infrastructure systems like power grids are at continual risk”. An attack on a country’s critical industries and infrastructure is more worrisome, and if it is coordinated, then the consequences could be far more damaging to the target country.

In the information technology space, while the good guys develop a multitude of highly useful applications which have changed our lives forever, the bad guys focus on exploiting the vulnerabilities. Some do it for the heck of it, while others operate for profit or act on behalf of the sponsoring State. If we go by the number of cyber incidents reported and their attack methodologies, it seems the bad guys are way ahead of the good guys. What then is the way forward for mitigating cyber threats?

The typical approach often suggested to ensure cyber protection includes keeping the operating system and application software up-to-date, installing software patches to stop attackers from taking advantage of known problems or vulnerabilities, and deploying anti-virus software. It is difficult to believe that large organisations such as JPMorgan Chase, Home Depot, Target, and Sony would not have had those preventive measures in place.

Therefore, it is essential to focus not only on ensuring protection of all cyber solutions and systems, but also to develop and implement quick recovery strategies to achieve resilience. To quote Serhat Cicekoglu, Director of Loyola University Chicago Quinlan’s Center for Risk Management, “Prevention is very important, but perhaps the most important aspect of big data and cyber security threats is resilience management. Given that it is almost impossible to be 100% secure, then the question becomes how well and fast an organisation can recover from the loss.”

India should be prepared
Given the existing geopolitical considerations, India should be prepared to face cyber attacks. The attacks may not only be directed at enterprises, but may also target the country’s critical infrastructure industries and services. Therefore, at the national level it is necessary to not only ensure a coordinated response in case of an attack, but also build resilience to recover quickly in case of a successful attack. Prime Minister Modi captured this sentiment by saying, “The threats may be known, but the enemy may be invisible. Domination of cyberspace will become increasingly important. Control of space may become as critical as that of land, air, and sea.”

A couple of days back, the Centre announced that the Union Home Minister has approved the setting up of a five-member Expert Group to prepare a roadmap for tackling cyber crimes in the country and make comprehensive recommendations to effectively address them.

The Center for Development of Advanced Computing (Pune), Indian Institute of Science (Bangalore), Indian Institute of Technology (Kanpur), Indian Computer Emergency Response Team (CERT-In), and the International Institute of Information Technology (Bangalore) are represented in the expert group with the Joint Secretary, Ministry of Home Affairs, as the convenor.

Surprisingly, the expert group does not have any representatives from India’s premier information technology companies or their industry association. While these companies have rich experience in information technology systems and solutions that are prone to cyber attacks, the country has only a few hundred cyber security experts, according to a report attributed to the National Security Council Secretariat (NSCS). This situation needs to be corrected on a top priority basis.

If India can get its act together, these companies have an opportunity to tap into the growing cyber security market. On the one hand, cyber threats are increasing by the day and India cannot remain complacent. On the other hand, globally there is a need for cyber security experts and India can position itself to meet that demand.

(The writer is an independent industry analyst and automation consultant)