Posts Tagged ‘Cyber’

Cyber crime is now a booming industry

January 23rd, 2012

A report, titled “Global Risks for 2012”, shows cyber attacks on governments and businesses are considered to be one of the top five risks in the world. Be it cybercrime, cyber-espionage or cyberwarfare – they are on a steady rise. The reason: the highly lucrative payout hackers get from stealing data. “There are high profit margins and low-detection rate by law enforcement agencies. Further, half of the data thefts (on both individual PCs and enterprise PCs) are executed from remote or stolen server locations, which only makes prosecution difficult,” points out an ethical hacker employed with a large Indian IT outsourcing company.

E-mails, personal data and financial data are the most sought after “goods” in the black market, says Pankaj Jain, director, ESET India. “The e-fraud business that has been traditionally flourishing in India is credit card cloning. The cloning itself is mostly performed by Nigerians living in India, though the card data they get are usually from Russian and former Soviet Union hackers on underground forums,” he says.

The fast-maturing cyber crime economy

Even as enterprises and individuals struggle with internet threats, the underground cybercrime economy has moved on to organised entrepreneurship. An ethical hacker from New Delhi, who regularly accesses the digital black market where cybercriminals advertise and trade stolen information and services, shared how the advertisements are done. “Search, compare, and if you find a better offer we will return your money…,” reads an ad selling user data in black market journals. With the economic crisis looming large, such claims and ads are on the rise.

“Today, the main concern for the data sellers is to generate trust among their clients,” the ethical hacker tells Business Standard. He added that data sellers have started offering free “trial” access to stolen bank or credit card details as well as money-back guarantees and free exchanges. “Since there is a great deal of competition in the cyber black market, the rule of supply and demand ensures that prices are competitive, with operators even offering bulk discounts to high-volume buyers,” says a security consultant at a leading pharmaceutical R&D unit in Bangalore.

Preying on enterprise data

The booming Indian economy, coupled with the growing buying power of individuals, is attractive to hackers. “Many industries like BPO, software, automobiles, pharmaceuticals among others are doing business across the globe from India. This certainly brings India on the wish list of hackers for data breaches and monetary gains,” says Amit Nath, country manager (India & Saarc), Trend Micro.

Hackers mostly use a chance or a targeted approach. “Chance approach is used when volume matters, i.e., for stealing credit card, bank account and email account information. Such attacks usually consist of sending malware, trojans through mass emails, social network scams and infected links,” says Jain of ESET.

Targeted approach is used when the criminal has a certain intent or victim in mind and the attack is tailored to make use of certain security flaws in the system. These attacks are usually used to target organisations, government or celebrities. A compromised PC could be used by a hacker in his network for attacking other computers, and also for studying the web browsing pattern or interaction of the user on the internet.

Today, teams of ethical hackers or security consultants work with most leading corporates and R&D outfits, tinkering with corporate IT networks to ensure the data exchanged between employees is not mishandled or, worse, stolen by rival companies.

Threats are not always limited to financial fraud alone, says Atul Khatavkar, VP (IT Governance Risk Compliance), AGC Networks. He says, “There could be cases of intellectual property theft, too. For example, the vice-president of an e-learning firm – sacked from the company later – was accused of stealing the source code of the company’s future product. He subsequently used the product for his new venture, and the e-learning firm had to book nearly Rs 47 crore in losses due to the theft.” Government and defence data, too, is always in demand, especially by hackers in China and Pakistan, lists ESET.

Not wishing to be left behind, many enterprises are leveraging on social media tools. In a report, ISACA advises that enterprises must consider the risks of employee access to social media sites while on the corporate network.

Source:http://www.afaqs.com/news/story.html?sid=32833_Cyber+crime+is+now+a+booming+industry


Indian Banks Lost Rs 12.6 crores to Cyber Fraud in 2010

August 19th, 2011

Indian banks lost a whopping Rs 12.6 crore to digital fraudulent practices in 2010. And the financial services enterprises also faced a similar security quagmire. They could not escape the onslaught of cyber frauds. Plagued by spiraling security breaches, the financial services organizations incurred significant financial losses with the average loss being Rs 6.86 crore. The cyber scams cost the financial sector dearly. Other than financial losses, they also suffered losses in terms of downtime, lost man hours and even ended up losing customers.

The rising volumes of digital attacks have set the alarm bells ringing. And the banking system is waking up to the harsh reality that their IT security levels aren’t robust enough to combat the sophisticated cyber criminals.

In an attempt to clamp down on the increasing digital frauds, the industry regulators (RBI and IRDA) are putting in place stringent regulations and governance mandates. In May 2011, RBI issued comprehensive guidelines which covered various areas such as IT governance, information security (including electronic banking channels like internet banking, ATMs, cards), IT operations, IT services outsourcing, information system audit, cyber frauds, business continuity planning, customer education and legal issues.

These regulatory mandates have given the financial institutions a nudge in the right direction. Compliance and governance mandates have emerged as the primary drivers for the adoption of IT security. “Over the last year, RBI has mandated two factor authentication at banks for all delivery channels. The RBI guidelines and impending Basel III compliance are compelling financial institutions to rethink the way information is secured and managed. We have seen that in the past 12 months, a large percentage of banks invested in identity management. The investment in technologies to address such regulations is likely to continue. Technology investments during the next financial year will be made towards stronger governance, business continuity planning, securing mobile and wireless transactions, data loss prevention and network security,” informed Ajay Goel, Managing Director, India and SAARC, Symantec.

After monitoring the threat spectrum in the vertical, the security software firm identified phishing as the highest attack threat vector in this industry. “Since November 2010, all phishing attacks on Indian brands have targeted the banking sector,” cautioned Anand Naik, Director, Technology Sales, India and SAARC, Symantec.

He concurred that mobility, communication and the internet have opened up new frontiers for the financial sector. They can now introduce new and alternate channels to achieve increased levels of customer service and experience. According to reports by the Internet and Mobile Association of India, the Indian e-commerce market is to grow at 70 percent by the end of 2011. However, more often than not it is an unsecured leap to mobility and e-commerce. “Our reports identified that there was a 43 percent increase in mobile vulnerabilities in 2010,” he highlights.

The cyber threats can be obviated by rethinking the security priorities. “Financial Services organizations need to develop and enforce IT policies and automate their compliance processes. By prioritizing risks and defining policies that span across all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen,” recommended Goel.

Source:http://www.cio.in/news/indian-banks-lost-rs-126-crores-cyber-fraud-2010-162712011


Ethical hacking for cyber security

August 15th, 2011

Investment in Business Process Outsourcing (BPO) and Information Technology services are estimated to grow by 16.6 per cent during 2011, to reach Rs 43,600 crore in 2012. Expenditure on software is projected to scale by 19.5 per cent during the period, to reach Rs 18,800 crore. The rate of cyber crimes is also bound to grow exponentially in the coming years.

As most sophisticated cyber criminals prefer targeting banks and government organisations, there is an urgent need to revamp the security system for Internet activities and to put in place effective internal controls. As the hackers’ prime objective is to find secure IDs for accessing networks for cyber burglary, authentication procedures should be made secure and foolproof from hacking.

The rapidly-increasing use of mobile-banking technologies augments risks and increases vulnerability. When a large number of customers prefer using wireless technology, iPhones, iPads, and Android-enabled smart phones for financial services, the cyber criminal may use the opportunity to phish with an application, and gain access to their secure credentials.

Ethical hackers are in greater demand to counter cyber crimes which are growing at an alarming speed.

Experts specialised in different aspects of cyber policing, ranging from the relatively inexperienced greenhorns to seasoned cyber security greybeards need to visualise the big picture, anticipate potential attacks to the organisation and mitigate risks from cyber hacking.

An ethical hacker is not a cyber criminal though he knows well the art and science of hacking. He exercises his hacking expertise prudently for ethical concerns and deploys the cyber tools effectively to counter hacking and to identify the loopholes in order to safeguard the system from lethal cyber criminals.

CYBER SECURITY

Ethical hacking must be encouraged for detection and prevention of automated application attacks, because hackers are becoming adept at automating attacks by intensifying computerised attacks at smaller, vulnerable and largely homogenous targets.

For this, IT security professionals should monitor and analyse attack data, extract relevant information, share information for enlarging the knowledge base for identifying attacks and select appropriate mitigation tools.

They must ensure that controls are in place at all times to deter automated attacks. Securing data confidentiality, and availability in the cyber realm is becoming an increasingly challenging objective for the government and private sectors. Organisations must engage competent, well-trained, skilled, information security professionals to continuously monitor and manage cyber threats and secure sensitive organisational information assets.

Source:http://www.thehindubusinessline.com/features/mentor/article2356616.ece


IT firms resolve to thwart cyber attacks

July 6th, 2011

Cyber attackers are creating mayhem in the digital world, forcing a wide range of companies, young and old, to re-think their digital security best practices. Not surprisingly, the $60-billion-plus IT services industry in India, known for being a pioneer in establishing quality standards that have impressed its global clients, is not taking chances.

While most of these companies have their own security best practices, efforts are underway to standardise them, spearheaded by the Data Security Council of India (DSCI), a Nasscom organisation that looks after data protection in India. In a pioneering move, DSCI is planning to launch a certification process for the Indian IT services providers.

Cyber attacks in the recent past—whether targeting consumer electronics giant Sony, or the systems of International Monetary Fund (IMF)—are even more insidious because they don’t reveal any common pattern or motive.
The only thing that is certain is that companies that fall prey to such attacks are subject to a high degree of reputational risk, not to mention the financial losses incurred due to data leakage.

“It starts with the basic premise of making quick money to more complex things like competitive warfare and espionage. In my opinion there is no simple trend or pattern,” says Sudhir Kumar Reddy, CIO of MindTree. “The perpetrators of these attacks could be disgruntled employees on the inside to professional hackers on the outside,” he adds.

The reason why experts feel that Indian IT services industry is a ripe target for possible attackers is that they are sitting on tonnes of data generated both domestically and by their global clients. Any kind of assault to their systems could have a disastrous impact on the export-driven industry and tarnish its image considerably. This is especially so since competing emerging markets are trying to position themselves as safer and viable destinations for IT outsourcing. “Of course, it could affect the reputation of the industry. In terms of data, the attackers could pull out financial data, competition data and HR data which will have a serious impact on their business,” said Siddharth Vishwanath, associate director (consulting) PwC.

According to security experts, the risk is more in a case where the IT/BPO company is handling a client’s data. For example, the global banking clients of most of the IT/ITeS services providers in India share their corporate banking information, including the names and details of their customers, with their service providers. Take the example of a large bank which outsources its works to most Indian IT services providers. “We need to protect not only the corporate banking information of the client, but the privacy of millions of their customers as well,” said an industry source on condition of anonymity. Some Indian IT companies, however, feel that they may not be a plum target of cyber attackers. “Most Indian IT companies may not be attractive targets as they do not offer information a hacker can profit from …These are neither transactional sites nor have information of relevance to warrant such attacks,” said MindTree’s Reddy.

On their own, Indian IT companies are not leaving any stone unturned. Most of the companies have employed security tools like anti-virus, firewalls and intrusion detection system. The data leak prevention software installed at these companies ensures that nobody is able to download the confidential financial data of the clients which could contain things like account information and credit card information. “At HCL Technologies’ business services division, there is a strong emphasis on Information Security,” says Sundaresan Ramamoorthy, VP and chief risk officer, HCL Technologies.

“We have a comprehensive multi-domain, multi-layered, multi-level information security policy which is divided into 11 domains with 39 control objectives and 133 controls which are audited at regular intervals,” he adds.

At present, most of the IT companies in India follow ISO 27001, which so far is the only global standard that takes care of the security elements. However, according to DSCI, ISO 27001 may not be enough to ensure that the companies that have adopted it are not prone to cyber attacks. The security certification that DSCI is planning to offer under the DSCI Security Frameworks (DSF) will rate Indian IT companies based on 16 areas.

This includes the security policies, processes, people induction, people maturity, buying of the equipment, third-party software testing and application security. The certification will also cover threat and vulnerability management, network access and data layer, among others, according to DSCI. “Some of these elements are not part of the ISO 27001. We believe that DSF has a better approach to security than the ISO standard,” says DSCI CEO Kamlesh Bajaj.

DSCI is already doing a pilot with about 15-20 IT/ITeS companies of various sizes on its own and with the help of consulting firms like KPMG, Deloitte, PwC and E&Y. The rating process is expected to start in the next 6-8 months.

Why online attacks can be a piece of cake?
According to industry experts, most of the applications in the Internet world are developed in a hurry and deployed immediately without testing for potential security problems. This happens because of the go-to-market pressure, as companies always want to be the first mover.

“Before you deploy any application, it must be developed very securely and tested thoroughly. So if this one precaution is taken, I think a large number of attacks can be averted,” said Kamlesh Bajaj, CEO of DSCI. For example, if someone is developing an internet payment gateway, the developer needs to ensure that every part of that data is sent in an encrypted format.

Source:http://www.business-standard.com/taketwo/news/it-firms-resolve-to-thwart-cyber-attacks-/441720/


‘Any cyber attack will affect major fin mkts’

June 25th, 2010

The Internet is increasingly seen as the Wild Wild West (www) and a virtual world of lawlessness in the US. Under Obama’s new Cyber Security policy, India will be an active partner in combating cyber terrorism, says cyber security expert Clifford Gregory, also senior VP (security solutions), IonIdea, an Indian outsourcing firm. He spent over a quarter century in the US Military developing cyber security programmes for the Senate and White House, apart from working for the FBI, Metropolitan Police, US Secret Service, and other Federal and security agencies.

Could you give us a figure of what each malware attack costs a company?
Each malware attack costs a company $70K, while lost or stolen hardware costs amount to $300K. Spear phishing (specific target) costs $500K, damage by disgruntled employees costs a neat one million each, resulting in a $5 million tag when you destroy a brand. These cost figures are averages. If your company is dependent on data regarding customers, the loss could be multiplied.

What are the gaps that you notice in your assessment of Indian companies?
In my earlier stint with a major bank, we had done an assessment of the global operations of 1,600 large Indian companies including BPOs. We noticed three major weaknesses. One is access control, specifically knowing the person logged onto the system with access to customer data was the person who was authorised to do so, and we felt that companies should adopt either multi-factor authentication or direct observation via CCTV to provide this level of assurance. Two was in the area of information transit. Some vendors made great efforts to protect data within their networks, but simply did not consider what might happen while the information was in transit. The third gap was in data leakage: private or non-public personal information that is sent via email or other means, especially as part of a call center process or part of the software development testing process.

In terms of Obama’s focus on cyber security, do you see an increased number of opportunities for Indian companies which provide security solutions?

India is one of the US’s greatest allies in combating cyber terrorism, and the opportunity could only get bigger. President Obama sees the threat and I am certain he understands that while an attack may be directed against Wall Street, the effect would be felt in every major financial market in the world.

I read a report that China has a single point of entry to the internet from outside their country as a defensive measure against cyberwar and this might be true one day for other nations too.

Source:http://timesofindia.indiatimes.com/biz/india-business/Any-cyber-attack-will-affect-major-fin-mkts/articleshow/6088117.cms


Absence of cyber crime law, threat to ICT investment

June 14th, 2010

The National Information Technology Development Agency (NITDA) has attributed low investments in Information Technology (IT) to the absence of a cyber crime law in Nigeria. The Director General of NITDA, Cleopas Aganye, who made the observation in Abuja at the e-Nigeria 2010 summit press briefing, bemoaned that many foreign investors were afraid of investing in ICT in Nigeria because of the lack of a legal framework upon which they can operate.

Aganye said that, in spite of his efforts to convince some of the foreign investors in ICT to invest in Nigeria, the bottom line in their fear to venture into the sector in the Nigerian economy has been that there is no legal framework to work with.

According to him, the outsourcing initiative which was initiated by the past administration made him travel to California to see if he could bring some of the Nigerians in Diaspora down, “but we have a problem that made most of them complain that they were afraid of fraudsters. They if they were duped who will pay for them, who will be their guarantors and many a times if these things are in law court it is not easy to get justice.

“We need to have proper framework for this thing; another problem is cyber security. We don’t have a law to crack down cyber criminals, if you commit any ICT crime it is not enforceable in the Nigerian court because we don’t have the legal backing yet.

“This is a big problem in the country. In fact I was looking at the rate of cyber crime offences and I discovered that Nigeria’s rate is very high, our country is rated the 6th worst in the world.”

According to him, the cyber crimes include, among others, scams which generate unnecessary or unwanted mail. “So we have the problem of network security,” he said, recalling that in 2008 NITDA sponsored a cyber crime security workshop for all stakeholders, which has gone very far and will be very useful in cyber-security law.

These, he noted, are some of the problems that have militated against the outsourcing security problems which include power, also as a major factor.

As part of efforts to make Nigeria a hub of ICT, he said he went to Singapore to woo G-Link, an ICT factory which expressed interest in investing in Nigeria, as well as other investors who were willing to come to make Nigeria.
“But because of those problems highlighted all these people don’t want to come. Since 2004 we sent a bill to the National Assembly; unfortunately the law was not passed until the last NASS tenure wound up. But it has now been re-presented through a sponsored bill and all we are advocating for is for the bill to be passed into law.”

Acknowledging the achievements of the agency, he said the agency in 2006 sponsored an open programme in capacity building and most of the people that benefitted from the training got jobs.

“We have also achieved internet penetration in the country. If we look at the internet you will realize that we have moved forward. Initially, we were at 161 rating in 2006 but now we are at 100. Part of it also is that we have enhanced IT awareness.”

The DG said the agency trained 6000 unemployed youths, 1000 each from each of the geopolitical zones; this is in addition to making available IT equipment for them.

The agency had before now advertised the institutionalizing of two software development centres with the provision of IT infrastructure in 18 higher institutions to include internet access, computer infrastructure and other components that entail e-learning.

Source:http://www.independentngonline.com/DailyIndependent/Article.aspx?id=13335


Cyber crime threatening India

March 17th, 2010

Cyber crime is the latest threat to India’s security with those inimical to its interests hiring experts to spy on companies and vital networks, says famous ethical hacker Sunny Vaghela.

“There has been an increase of 200 percent in cyber crime cases in India in the last three years and that is an alarming trend,” said Ahmedabad-based Vaghela, director of TechDefence Pvt. Ltd, a reputed cyber crime security consultant.

“The new tactics are more towards data theft like espionage on some other companies, working for some foreign intelligence agencies sitting in India, SMS and mobile call forging,” Vaghela told IANS.

Vaghela was in Guwahati for a demonstration on cyber crime security measures at the Indian Institute of Technology (IIT) here.

At the age of 18, Vaghela found loopholes like “Session Hijacking” & “Cross Site Scripting” in popular social networking website orkut.com.

Today, at 23, he has solved more than 16 cases in association with the Ahmedabad police’s crime branch, tracing out the origin of a terror e-mail relating to the Ahmedabad serial explosions, and helped Mumbai Police get information on Jamat-ud-Dawah post-26/11.

“Take the Ahmedabad serial explosions and the threat mail where a Yahoo engineer was involved. Big names and people are today indulging in cyber crimes with people from abroad outsourcing Indians spying on Indian networks,” Vaghela said.

“Cyber crime today is not restricted to just hacking and goes much beyond to data theft, to social network and credit card fraud, SMS and mobile hacking as well.”

Vaghela said the biggest worry is that officials of Indian investigating agencies are not competent enough to deal with techno crimes.

“Investigating agencies are still lagging behind in terms of technologies or techniques to actually tackle cyber crimes. Not even two percent of the officials know what is Voice over Internet Protocol (VoIP), its use or how to take precautions,” Vaghela said.

He said the hacking of mobile numbers for making calls and sending SMS is another area of concern.

“Anyone can use or misuse a mobile number to send SMS or make a call. This technology was misused in the 26/11 bombings. But all the servers and the infrastructure required to commit this cyber crime is not available in India,” he said.

“The Indian IT law is not defined to tackle such crimes using mobile phones and that is dangerous.”

Vaghela said social networking sites are not at all safe and hackers exploit and misuse vital information from such sites for indulging in crime.

“Social networking sites are not at all safe. People are revealing lots and hackers use and misuse such information from such sites,” he said.

Source:http://www.thaindian.com/newsportal/sci-tech/cyber-crime-threatening-india_100335552.html
