According to CERT-In’s Phishing Incidents Trend Report 2009, 40 percent of all brand hijack incidents reported globally originate from India. Apart from this, there are frequent reports of increasing malicious Web activity in India, of banks being exposed to fraud through security loopholes, and of a growing number of data breaches. Despite routine security awareness campaigns, workshops and dialogues with security consultants, 762 Indian websites were defaced in August 2009, as per figures from the CERT-In website.
CIOs should dwell on the question of how the hackers are getting it right rather than on where enterprises are letting their guard down. However, is the hacker always at fault here? Vijay Mukhi, Consultant, e-Corporate Governance and e-Security, puts it succinctly: “Enterprises should understand that the hacker is dead, we now have organised cyber crime”.
So how does the organised cyber crime network operate? The answer lies in the ever-evolving tactics of the individuals involved in this network. “The kind of threats that we have noticed emerge largely from vulnerabilities, which have not been plugged. They are discovered on a daily basis and the patches are issued by the vendors but they are not plugged as soon as the patches are out. These are perennial threats that keep coming in different shapes and sizes. Neglect here results in a potential threat opportunity,” says Dr Kamlesh Bajaj, CEO, DSCI.
The road ahead for enterprises that want to improve their security stance lies in becoming more dynamic. “Companies should understand that this is a technology problem. The attack vectors keep changing so they need to change accordingly,” says Mukhi.
Security Best Practices
According to Mukhi, the first best practice is to spend more on IT security. Currently, security spending is not commensurate with the evolving threat landscape. After 26/11, IT spending has actually dropped because IT deployments are not always visible: people would rather spend money on two security guards than on IT-based security. Unfortunately, the money that is spent on security goes more towards processes than towards the technology itself, so companies would rather pursue an ISO 27001 certification, which is about management and not technology.
“I still think that Indian enterprises are complacent on the IT security front,” says Mukhi.
Enterprises often do their best to stay alert on the security front; however, in the event of a breach, how can they obtain justice under the law of the country?
Importance of the IT Amendment Act, 2008
To deal with incidents of breach, the IT Act has been recently amended and is now called the IT Amendment Act 2008. According to the Act, enterprises will be held responsible for the security breaches happening within the organisation.
“The new act strengthens the regulatory regime wherein the responsibility has been fixed on the service provider,” said Pratap Reddy, Director, Cyber Security, NASSCOM. The Act has defined new crimes such as cyber terrorism, child pornography, data theft, cyber stalking and phishing, which were not covered in the IT Act of 2000. The government has prescribed that service providers must put reasonable security measures in place. This makes it easier for the investigating authorities to monitor and obtain the required information as and when needed.
“The earlier IT Act 2000 had a criminal section 66 that dealt with hacking. The good part is that in the new Act, this section has been further strengthened to make spam, phishing, cyber terrorism, and identity theft criminal offences,” says Mukhi.
Law in place, no cases being filed
The IT Act 2008 came into force on October 27, 2009, but there are still doubts on the readiness of the judicial system to actually prosecute cyber crime.
“I believe that the IT Amendment Act 2008 is good. You can never get the best. The problem is that we don’t have an ecosystem that understands information technology,” said Mukhi. Enterprises and end users are not proactively filing cases, so lawyers do not get to understand IT well enough, and the same holds true for the judiciary and the police.
CIOs are well aware that IT systems cannot be made foolproof. The only best practice that can come to the defence of CIOs is better implementation of the existing information security framework and policies. As it is rightly said, prevention is better than cure.