Special Feature
Cybersecurity: the year that was
2009 brought new tools for CIOs, and new threats to deal with.
By Aditya Kelekar
"Many a times it requires some celebrity account to be hacked before any action is initiated"
- Prashant Pereira, VP-Technology & Operations, Edelweiss Capital Ltd
In 2009, we saw cloud computing and the popularity of social
networking bring a fresh wave of excitement to IT departments. As is often the case,
along with the excitement has come a new threat: information security threats
cloaked so effectively that they are very difficult to detect.
Security vendors from across the spectrum have been urging
businesses to be mindful of the risks that cloud computing will bring. In a
recent interview, Eva Chen, CEO of Trend Micro, said that security concerns will
weigh heavily on the minds of CIOs considering the cloud computing option. The
fundamentally different model of having operating systems, applications and services
residing in third-party datacenters, potentially located thousands of miles
away, will bring radical changes in the way organizations take care of information
security and governance, she said.
The general view is that cloud computing will help decrease cost, increase operational
flexibility and bring savings in terms of time and resources spent on system
administration, procurement and deployment. The perception is that all this
will come at a price: that of having data stored with the hosting vendor and
acknowledging that the security can only be as good as that provided by the
hosting party.
Unsure of the consequences, many enterprises continue to shy away from the cloud
model. Typical of these is Repco Bank, whose General Manager (IT), Rajagopal,
said that although they haven't yet considered cloud computing, when the opportunity
comes to do so, they would take all security measures to maintain the secrecy
of customer data and to enforce information security & governance.
However, there are already moves afoot to ease the way for businesses. The European
Network and Information Security Agency (ENISA) has, in a new report titled "Cloud
Computing: Benefits, risks and recommendations for information security",
outlined a detailed check-list of criteria which anyone can use to identify
whether a cloud provider is as security-conscious as they could be. The report
said that it is a result of careful risk analysis of a number of cloud computing
scenarios, focussing on the needs of business customers. The most important
risks addressed by the check-list include lock-in, failures in mechanisms separating
customers' data and applications, and legal risks such as the failure to comply
with data protection legislation.
The report pointed out that cloud computing could also be a security enabler.
The Executive Director of ENISA, Dr Udo Helmbrecht, underlined that the scale
and flexibility of cloud computing give the providers a security edge. For
example, providers can instantly call on extra defensive resources like filtering
and re-routing. They can also roll out new security patches more efficiently
and keep more comprehensive evidence for diagnostics.
Cybercriminals getting better at dodging
"We have recorded a sharp rise in frauds through the Net banking channel"
- P F X Thomas, COO at Cleartrip
There are several ongoing investigations attempting to find
the authors of the Conficker botnet, one of the fastest spreading worms in history,
but those responsible for the worm haven't yet been brought to book. It looks
like the criminals have been doing a very good job of covering their tracks.
Many technology professionals feel that a dedicated international
effort to check cybercrime is lacking. Mahesh Chandra Srivastava, Manager
(Systems), IFFCO, said that one of the reasons that cybercrime continues unabated
is that efforts to control it are complex and not cost-effective. Srivastava
feels that cybercrime will grow dramatically in India as online financial transactions
keep increasing.
Social networking's can of worms
It's well known that because of the popularity of social networking
sites, attackers may use them to distribute malicious code. Moreover, sites
that offer applications developed by third parties are particularly susceptible.
Attackers may be able to create customized applications that appear to be innocent
while in reality infecting computers.
Prashant Pereira, Vice President - Technology & Operations
at Edelweiss Capital, pointed out that last year there were numerous cases of
exploitation on most of the social networking sites. "Scary as it may
sound, social networking sites such as Orkut, Myspace & Facebook all have
loopholes which are yet to be fixed." He noted that it is unfortunate that
most of the response to the hacking is reactive. "Many a times it requires
some celebrity account to be hacked before any action is initiated," he
added.
Social networking sites are growing at so rampant a pace, he warned, that security
professionals are finding it difficult to ensure that all the security concerns
are addressed. "This is exactly the situation that the hackers are waiting
for," he said.
Many professionals, including Pereira, note that there is going to be no
respite unless there is a concentrated effort on the part of these sites to
address the security features and adopt a more proactive approach towards
overall security and data confidentiality. "Rather than putting
a disclaimer for 3rd party applications, they should take the overall ownership
and ensure that they tie up with only those vendors who meet required security
norms," Pereira said.
Legislation and loopholes
Legislation requires enterprises to store customer data. However, with significant
storage encryption costs, enterprises defer deployments. A case in point is
a US government laptop computer containing sensitive medical information
on 2,500 patients enrolled in a National Institutes of Health study, which was stolen,
potentially exposing seven years' worth of clinical trial data, including names,
medical diagnoses and details of the patients' heart scans. The information
was not encrypted, in violation of the government's data-security policy.
Closer to home, new legislation made it mandatory for banks to impose two-factor
authentication for credit card transactions done over the Internet. However,
this may have only directed cybercrime to find some other weak link. P F X Thomas,
COO, Cleartrip, said that their findings reveal that hackers have stepped up
their activity on another front: ensnaring gullible Internet banking users.
"We have recorded a sharp rise in frauds through the Internet banking channel,"
he said.
In a recent blog post on thompson.blog.avg.com, AVG's Chief Research Officer
Roger Thompson said that when he mimicked the behavior of a curious reader trying
to search for news on the tsunami that hit Samoa, he was in for a surprise: five
of the top ten sites that the search results threw up were sites that had been
hacked. Cybercriminals are getting so good at driving traffic to obscure Web
sites loaded with malware that, as discovered by Thompson, they were able to
drive nothing-level websites higher than both The Guardian and CNN in less than
24 hours from a flat start. While five hacked sites featured in the top ten
search results, The Guardian and CNN trailed at numbers 20 and 35 respectively.
At the close of 2009, the jury is still out on who stole a march over whom, cybercriminals
or the law enforcement authorities, but it looks like cybercriminals had a field
day most of the time.
aditya.kelekar@expressindia.com