Taller the wall, taller the ladder

Written by P P Thimmaya | Anand J | Updated: May 20 2013, 17:01pm hrs
Last year more than 700 US companies information security walls were breached. US and China have been engaging in a cyber war and a slanging match accusing each other for being behind the attacks. Not just that, the number of viruses being generated on the internet networks has exponentially exploded in the last one decade. Now its Indias turn to face the heat


* BSE Sensex

* NSE Nifty

* Top Gainers/Top Losers

* Top Value

* Top Quantity


The security breach at the two card processing firms based out of Pune and Bangalore respectively reveals the persistent attempts by the hackers and the vulnerabilities of the cyber security systems. Pune-based Electra Card Services and Bangalore-based enStage were victims of this breach who provide their services to the global financial institutions. This has put an unwarranted spotlight on the payment processing IT companies of India. The IT outsourcing industry feels that there can never be a foolproof though there are a lot of learnings from the recent ATM heist of $45 million.

Last year more than 700 US companies information security walls were breached. US and China have been engaging in a cyber war and a slanging match accusing each other for being behind the attacks. Not just that, the number of viruses being generated on the internet networks has exponentially exploded in the last one decade, according

to Pankaj Jain, director, ESET India, an anti-virus company. From just 10-20 viruses

being generated everyday in early 2000s, it has gone up to about 1,00,000 daily, he adds, revealing the enormity of the problem.

Nasscom president Som Mittal had at an event pointed out that even Pentagon had reported breaches. He said that these people are as smart, if not smarter. He added that this could have happened anywhere and does not indicate anything about the cyber security system in India.

With India handling half of all IT outsourcing in the world, it is likely that spotlight falls on the sector though quite unwarranted. Since India is one of the largest base for the payment solutions, most of the incidents will possibly have some link to India. This creates an unfortunate perception about the systems in the country that is contrary to the facts, says Nishanth Chandran, CEO & co-founder of EBS, a company which provides payment gateway solutions.

The people who are stealing the assets are getting more innovative, spending more money in stealing it, but security budgets are declining in absolute terms, said Vic Mankotia, vice-president, solution sales, Asia Pacific & Japan and head security business, CA Technologies, an enterprise software company.

According to Atul Khatavkar, VP, IT governance risk compliance, AGC Networks Ltd, a network solutions company, this phenomenon has been growing globally and is not restricted to India. Now real money is getting involved. Outsourcing is a business decision. The security team has to back and understand the business, he said.

Topping the list for cyber attackers has always been financial information as the Verizon 2013 data breach investigation

report reveals that large-scale financial cyber crime and state-affiliated espionage dominated the security landscape in 2012. Taking the top spot for all breaches in the 2013 report is financially motivated cyber crime (75%), with state-affiliated espionage campaigns claiming the number two spot (20%). Breaches in the number two spot include cyber threats aimed at stealing intellectual propertysuch as classified information, trade secrets and technical resourcesto further national and economic interests.

This actually reveals that it is not just the financial institutions or banks which are targetted by cyber attackers but also infrastructure set up like power plants or transport networks. Experts say unlike in the past, where an attack would be an isolated event, today hackers are constantly at it in what is called as advanced persistent threat (APT).

Sanjay Katkar, chief technical officer, Quick Heal, the Pune based anti-virus company in a blog post on the security breach said, A lot of core banking and financial domain software is developed by companies who are not at all following security practices or do not have any training of how hackers operate. According to him, these critical applications are further not tested for any security loop holes and all the testing that takes place on such applications is about functionality and stress testing. He feels that no tester thinks or is trained to think of tests cases with a cyber criminal in mind. As such no security testing takes place, he adds.

According to a recent survey by Juniper Networks, a networking products company, on an average the security posture of Indian organisations surveyed is only 4.7 based on a scale of 10 being very effective.

On one of the companies which is in focus, Enstage in an email response said: Since the time the incident occurred,

Enstage has retained independent security experts to analyse the intrusion and to recommend enhancements to its information security infrastructure. Enstage has implemented both these enhancements as well as additional monitoring capabilities.

According to experts, security must not be left to IT department and the top management also needs to get involved. They also add that companies need to go much beyond than implementing the certificates and compliance requirements mandated by Visa and MasterCard, as the hackers are usually smarter and the security system needs to keep pace with them.

However, cyber attacks are only going to increase in the near future and there is a need to improve upon the existing security infrastructure as well as creating more awareness of the likely threats. Once we know, how this happened, we can always prevent similar types of attacks. We cant have a system for a zero-day-attack (previously unknown vulnerability), says Khatavkar.