A new report by Threat Stack and ESG (Environmental, Social Governance) raises major security concerns about the increasing public cloud environments and containers. The report reveals a notable gap in security and compliance readiness across the rapidly growing cloud-container environs.
The report discloses some significant facts as:
- 60 percent of organizations regard security and compliance a hindrance to winning new business associates.
- 57 percent of those surveyed complained of significant delays in the sales cycle blaming troubles created to meet customer security requirements.
- 31 percent of those surveyed said they were unable to cope with the growing cloud and container environments. As a result, 62 percent said they’re aiming for greater visibility into their public cloud workloads.
- 40 percent of the respondents conveyed that in the next 12 months, they will have hybrid environments, which is an increase from the current 12 percent. Meanwhile, 45 percent of organizations plan on starting to test or deploy containerized environs, which is above the current 42 percent of those who already do.
- 94 percent of respondents believe containers give negative security implications for their organizations.
As the market democratizes, companies are adopting more complex technical solutions that were earlier reserved for only software giants.
This, experts believe, has led to the creation of an opening for external as well internal threats as security teams catch up on the cloud, containers, etc.
Sam Bisbee, Threat Stack CSO feels, “Containers originally focused on resource isolation, offering system building blocks to address specific operational needs that could be coupled with security solutions – they were not supposed to be a replacement for VMs, which is how most teams treat them”.
In emerging economies like India where the government is undertaking large scale digital initiatives and schemes, security has become a major concern. Cyber experts believe that the damage done by WannaCry ransomware is an issue of under-reported magnitude.
The use of pirated and outdated software is rampant among Indian users as well mid-size and small IT organizations. Fearing licensing issues, a huge number of these incidents will not be reporting the losses, concludes expert opinion on the latest cyber attack.
According to the Centre’s instruction to CERT-IN (Computer Emergency Response Team), “all the information of reported ransomware” have been collected into a report. Many of the cases across the country were isolated but the wave of attacks certainly shows that the impact to India is certainly a caution alarm.
The report states these places as worst hit by WannaCry:
1. 10% of Vadodara’s total computers in the District Administration Collectorate Office.
2. Computers in Panchayat offices of Wayanad and Pathanamthitta districts in Kerala.
3. 120 computers connected with Gujarat State Wide Area Network in Gujarat.
4. 18 systems of Andhra Pradesh Police Department.
5. Systems in the Tirumala Tirupati Devasthanams (TTD) Shrine in Andhra Pradesh.
6. Computers of the Personnel Department of the Southern Railways’ Palakkad Division.
7. Computers in several locations of the Police Department of Maharashtra.
8. Many attacks happened in computers across Kerala and Tamil Nadu.
May 12, 2017 is one of the most dreadful days of the year for cyber experts and its stakeholders. About 150 countries across the globe suffered a cyber-attack, affecting 200,000 computers.
It was the infamous “WannaCry” ransomware in which hackers locked people out of their computers, demanding a ransom of $300 in bitcoins. Medical care became inaccessible and factories were shut down for more than 2 days to minimize loss of confidential and further damage.
Here goes a brief on one of the most dangerous ransomware attacks in the Cyber-verse:
What is “WannaCry”?
“WannaCry” appears to have utilized a flaw in Microsoft’s software, discovered by the National Security Agency, which was quickly leaked by hackers. The malicious code that relied on the victims opening a zip file emailed to them, spread rapidly across networks locking away files one by one. From then on, the programme used Microsoft’s flaw to thrive.
Microsoft had released a security update which addressed the vulnerability in the sixteen year old Windows XP operating system, in March 2017. This update was exploited by the hackers to trigger the massive ransomware attack.
Who got affected?
Several computer networks worldwide were affected, including Telefonica as well as other major organizations in Spain. The British National Health Service (NHS), too, was forced to cancel scheduled patients.
FedEx, Deutsche Bahn, the Russian Interior Ministry and Russian telecom MegaFon were barred from normal operating services. According to Quartz the three bitcoin wallets used in the attack received just under 300 payments totalling a sum of 48.8635565 bitcoins, which is the equivalent of about $101,000.
What is a ransomware attack?
The term ‘ransomware’ appeared in 2005 in the US with the first notable biggest threats to security. While cyber experts maintain it to be 2005, the history of ransomware goes back to 1989.
According to Becker’s Hospital Review, the earliest ransomware attack occurred in 1989, targeting the healthcare industry. Tracing the same, the healthcare industry still remains a top target for such attacks even after twenty eight years.
Ransomware is a cyber-attack wherein hackers gain control over a computer system and block access to it until the demanded ransom is paid. Hackers get control of systems by downloading a type of malicious software onto a device within the network. This is usually done by getting a victim to click on download link by mistake. The link is normally attached with an email, which once opened, encrypts the hard drive. Once the software gets into the victim’s computer, it enables the hackers to launch an attack that locks all files it can find within that network.
The recent ‘WannaCry’, also known as Wanna Decryptor is a ransomware programme that locks all the available data in the system leaving the user with only instructions on what to do next and the Wanna Decryptor programme itself.
When the software is opened, it tells the users that the files on their computer have been encrypted. It then gives them a few days to pay up, warning that their files will otherwise be deleted. It generally gives them instructions to pay in Bitcoin, providing the Bitcoin address for it to be sent to.
What is the way out?
Larger organizations should ideally follow the guidelines provided by concerned institutions:
- Apply the latest Microsoft security patches for this particular flaw.
- Ensure all outgoing and incoming emails are scanned for malicious attachments.
- Ensure anti-virus programmes are up to date and conducting regular scans.
- Backup all key data and information.
- Organize education programmes on malware so employees can identify scams, malicious links or emails that may contain hazardous viruses.
- Run “penetration tests” against your network’s security at least once a year.
Many experts even suggested restoring all files from a backup. If that isn’t possible, there are tools that can decrypt and recover some information.
Google Cloud Summit is one of Google’s most definitive events on cloud-driven latest technologies, held on September 26th in Bengaluru and on September 28th in Mumbai.
The event marked motley of tech giants from across the globe, each having a significant announcement to make for the future of India’s e-commerce.
Rajan Anandan (Vice President, South East Asia and India, Google), Rick Harshman (Managing Director, Asia Pacific, Google Cloud) and Mohit Pande (Country Manager – India, Google Cloud) inaugurated the plenary session divided into three categories of discussions – Imagine, Learn and Build.
Each of the plenary discussion involved a close coordination between the global market of Internet of Things and India. Google India took this opportunity to highlight some important facts and figures concerning online businesses. Some vital ones are :
(i) According to Google, about 650 million Indians will have access to the Internet, mostly through smartphones, by 2020.
(ii) At least seven consumer-focused Google products have more than 100 million users each, in India. This number is growing fast.
(iii) By 2018, over 40 million Indians will shop online.
(iv) At present, 6.5 million Indians get online in over 100+ railways stations in the country through Google’s collaboration with RailTel.
(v) Google generates one new server in the cloud every 3 seconds.
(vi) Google Cloud Region is coming to Mumbai by the end of the year 2017. A Cloud Region in Mumbai will look after local data processing and online heavy-lifting, which is currently being taken care of by Google Cloud Regions located in Taiwan, Singapore, Tokyo and Sydney.
(vii) Google detects about 10 million spam messages every minute on the Internet.
(viii) On a monthly basis, Google performs scans and security checks on over 400 million Android devices.
With the advent of digital economy, more curious customers are adapting to the change in market environment. A latest report on the international market of Internet of Things (IoT) suggested last week that the global market spend is expected to grow from $625.2 billion in 2015 to $1.29 trillion in 2020 — with a compound annual growth rate (CAGR) of 15.6 per cent.
The spurt in growth is said to be due to the transformation of CIOs, IT and business enterprises into their digital footprints. IoT will play a major role in causing technological disruption and expansion of such multinational firms.
According to International Data Corporation (IDC), in partnership with US-based IoT service provider Aeris, the installed base of IoT endpoints will grow from 12.1 billion at the end of 2015 to more than 30 billion by 2020.
The report said that IoT will soon be in the first priorities in the minds of customers as their realization of its value grows and their needs to improve customer experience is delivered by IoT.
There is broad consensus among organizations that IoT leads the way when it comes to enriching customer lifetime value, smoothening customer onboarding or even making it easier for businesses to deliver sophisticated customer experiences.
“IoT is the next wave of growth in telecom sector. IoT is an enabling technology that bears the potential to take India to a whole new level of development and our vision is to play a significant part in this endeavor.” BSNL Chairman and Managing Director Anupam Shrivastava said at India Mobile Congress in September.
This comes with the state-run telecom firm Bharat Sanchar Nigam Limited (BSNL) announcing an agreement with IoT solutions provider Aeris to jointly tap the Internet of Things market in India.
The agreement guarantees that both the companies will offer packaged IoT solutions and services to enterprises, small and medium businesses and public sector undertakings, among other segments in India.
Further, BSNL will provide bandwith for IoT products that will be provided by Aeris Communications in India.
“Our tie-up with BSNL is a multi-dimensional one and I am confident that this relationship will transform the contours of the IoT landscape in the country. Our partnership will ensure faster permeation of IoT across India and help businesses and PSUs gain remarkable advantages,” Aeris Communications India President Rishi Bhatnagar said.
With global market trends shifting towards complete digitization, the nature of corporate asset value has also been changing. Maximum companies now consist of either intellectual property (IP) or other intangibles. As with AI, digital disruption in finance sector brings with it the corresponding risk of digitizing corporate assets.
According to latest research, corporations across the world are losing billions of dollars every year from the loss of altered or destroyed financial consumer data, traded algorithms, etc. Adding regulatory and legal exposure, the risk only multiplies.
Cyber systems are becoming even more insecure with the explosion of networked connection of almost every physical asset from phone cameras to refrigerators, known widely as “Internet of Things”. On the other hand, hackers are improvising their tricks. Attacks are being launched against commercial entities for political or economic purposes.
Surprisingly, cyber attacks are cheaper and easily accessible, with even weaker law enforcements. Less than 2% of cybercriminals are prosecuted. The imbalance is worsened because corporate entities undermine cybersecurity.
Cloud computing is cost-efficient but the matter of security gets complicated. Hence, corporate organizations are urgently faced with the need of maintaining their enterprises without risking their security.
To cope with the above, many associations set guidelines for their clients to follow.
The National Association of Corporate Directors’ Cyber Security Handbook has identified five core principles for corporate boards to enhance their cyber-risk management:
1.Understand that cybersecurity is an enterprise-wide risk management issue. Thinking of cybersecurity as an IT issue to be addressed simply with technical solutions is an inherently flawed strategy. The single biggest vulnerability in cybersystems is people – insiders. Cybersecurity costs are managed most efficiently when integrated into core business decisions such as product launches, M&A and marketing strategies. Moreover, in an integrated world, organizations must take into account the risk created by their vendors, suppliers and customers as their weaknesses can be exploited to the detriment of the home system.
2.Directors need to understand the legal implications of cyber-risk. The legal situation with respect to cybersecurity is unsettled and quickly evolving. There is no one standard that applies, especially for organizations that do business in multiple jurisdictions. It is critical that organizations systematically track the evolving laws and regulations in their markets.
3.Boards need adequate access to cybersecurity expertise. Although cybersecurity issues are becoming as central to business decisions as legal and financial considerations, most boards lack the needed expertise to evaluate cyber-risk. Many boards are now recruiting cyber professionals for board seats to assist in analysing and judging staff reports. At a minimum, boards should regularly make adequate time for cybersecurity at board meetings as part of the audit or similar committee reports.
4.Directors need to set an expectation that management have an enterprise-wide cyber-risk management framework in place. At a base level, each organization ought to have an enterprise-wide cyber-risk team led by a senior official with cross-departmental authority that meets regularly, has a separate budget, creates an organization-wide plan and exercises it.
5.Based on the plan, management needs to have a method to assess the damage of a cyber-event. They need to identify which risks can be avoided, mitigated, accepted or transferred through insurance. This means they need to identify which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets need to then be allocated appropriately between defending against basic and advanced risks.
Any organization must follow these principles to establish a sustainably secure cyber-risk management system.
As the world moves from ‘globalization’ to ‘glocalization’, the era of digitization seems to make its entry into global markets too. We’ve stepped into the age of ‘digital disruption’ where every new technology succeeds over its predecessor, proving the former a failure.
Increasing digital market environments are becoming a goal for every contemporary business organization. Digital interventions of social, analytics, mobile, big data and cloud technologies are laying the foundation for transformation. When these are integrated into cognitive computing, robotics, internet of things, 3 D printing, they form multiple disruptive scenarios like P2P, remote healthcare, digital banks, etc.
From the industry perspective, digital disruption is blurring lines between practices and learning from one industry being implemented in the other. Proliferation of smart devices and surge of AI, is the new battleground that is taking many sectors by storm.
AI has become the new hiring manager as job losses are projected to be the next big story. A recent World Bank research shows that AI threatens 69% and 77% of jobs in India and China respectively. A report by US-based research firm HfS Research states that about 7 lakh low-skilled workers in IT and BPO industry in India are likely to lose their jobs 2022, due to automation and AI.
Further, AI is set to affect 60%-70% of the current jobs. They will either get marginalized or totally eliminated.
A number of AI-based startups like Skillate, Belong, Stockroom, etc. scan through resumes and contain automatically updating algorithms for CVs. All of these are slowly taking over jobs portals like monster.com, Indeed, etc.
AI is shaking up the recruitment industry. Companies like Airbnb, WeWork, are starting pay-per-use models in both products and services. This has consistently given rise to freelancers who enroll for project-based work in growing gigs economy. Projections show that 43% of the US workforce will be freelancers by 2020.
In the time interactivity, where AI ensures upgrade on the go, jobseekers often complained of websites becoming useless for their resumes. Many even complained of no update on feedback on their interviews.
With AI, the most prime concern is of privacy. It is naïve to believe that AI-based platforms only track data in the public domain. A lot of times, a candidate’s political bias might potentially affect the employer’s decision-making. Or in the digitally-dominated world, potentially employable candidates who don’t use a lot of computers, may miss out on opportunities.
It is largely expected by cyber specialists that gradually, a person’s digital footprints will significance in the future.
To curb the rising cyber fraud in digital transactions, a high level meeting has proposed the imposition of a token ‘security fee’ on digital payments in India.
The meeting, focused on measures to make digital transactions safer, was held on 13 September. Chaired by Home Minister Rajnath Singh, it was attended by officers from the MeITY, Home Ministry, Department of Financial Services, Department of Telecom, Reserve Bank of India and Intelligence Bureau. All major stakeholders were present to discuss and propose ways for the same.
Prasanto K. Roy, Nasscom Internet Council Head, expressed that every digital transaction could be aimed at starting a fund for creating better infrastructure to secure digital transactions.
“A special fund could help develop security infrastructure, hire experts and secure online transactions, though a cess on digital transactions isn’t the best way of doing it,” he told ThePrint. He further said that there was a need for the Ministry of Finance and the Ministry of Electronics and Information Technology (MeitY) to make digital transactions cheaper and secure.
An official from the Ministry said on condition of anonymity, “It was also discussed that an Act needs to be in place for regularizing digital payments, which will be looked after by the Finance Ministry, and to how fix the responsibilities of agencies”.
The action came after the official figures were disclosed that indicate that cases related to e-wallets and e-payments (that were reported to banks) jumped from 13,083 cases in 2014-15 to 16,468 cases in 2015-16.
Mostly, online frauds occur when people share their passwords, 3 D secure pins, ATM pins, etc. Hence there is a need to educate people about it. “A standard procedure for all e-wallets needs to be in place as right now anyone can make a wallet just by downloading the app. The KYC norms need to be strengthened for safer transactions,” the official from the Home Ministry said.
Further, the Ministry recommended undertaking a digital transaction education campaign and creation of dedicated cyber-forensics lab. Also, training for police personnel and forensic officers needs to be in place so that they can tackle cyber fraud cases.
“As of now we do not have the manpower or expertise to deal with cyber fraud cases, which is going to be challenging…we need to be prepared,” the Home Ministry official said.
The Intelligence Bureau proposed the Indian Government ensure the introduction of necessary software that is able to detect attempts at cyber fraud. Accordingly, the software would be incorporated by payment gateways so that customers can be alerted about suspicious activity.
“There needs to be a machinery to detect out-of-bound transactions and the pattern of violations in cyber fraud cases. The machinery should be able to figure if the transaction is fraudulent by looking at its pattern and send alerts,” Nasscom’s Roy said to The Print.
The second Global Cyber Security Index (GCI), released by the UN telecommunications agency, International Telecommunications Union (UTC) places India at 23rd position in the list of information secured countries. The rank is among 165 other nations across the world who have committed to cyber security.
The report reveals that only about half of all countries already have a cyber security strategy or are in the process of developing one. It urges countries to engage in cyber security education initiatives and job creation in the sector.
Singapore tops the index with a 0.925 score.
Other countries in the top 10 are United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada.
The report says that 38 per cent of these countries have a published cyber security strategy while 12 per cent of governments are in the process of developing one.
The threat is dangerously worrying because in 2016, according to ITU, about one per cent of all emails sent were malicious attacks. The rate is the highest in recent years.
The findings show that there is “space for further improvement in cooperation” at all levels. It further advocates for encouraging governments to consider national policies that take into account cyber security and encourage private citizens to make smart decisions online.
The Indian government has taken a few steps to bring the attacks under control. Under PM Narendra Modi’s tenure, the Central govt established the office of Chief Information Ofiicer of Cyber Security Cell under PM’s office. Dr Gulshan Rai is the first to hold the post.
CERT-In, an emergency response team is set up under the Ministry of Electronics and Information Technology for dealing with a range of cyber-attacks.
Apart from this, the Government of India has four Sectoral Computer Emergency Response Teams to address Cyber Security Threats in Power Systems: Transmission, Thermal, Hydro and Distribution.
All the four utilities have been asked to identify a nodal senior executive as its Chief Information Security Officer (CISO) to lead the process of strengthening organizational systems with respect to cyber security and implement an information security management systems as recommended by rules under the Information Technology (IT) Act 2008.
With increasing number of people in India going online every year, the risk of cybercrime hovers above. The rise of smaller organizations and their less or no protection of data also leads to maximum cases of security breach.
In the first six months of 2017, India saw one incident of cybercrime per 10 minutes. These include ransomware attacks to minor phishing rackets. The Indian Computer Emergency Response Team reported 27,482 cases between January and June.
Phishing, scanning, probing, viruses, defacements, site intrusions and denial-of-service were the most reported incidents. Ransomware attacks are gaining pace in India.
1.71L crimes have been reported in the last 3.5 years.
The RBI has also issued warnings about bitcoins, the preferred mode of payment for attackers.
Here is a list of the most remembered security breaches in India last year:
- Mirai botnet malware: A botnet malware named Mirai took over the Internet targeting home router users and other IoT based devices. The malware affected 2.5 million IoT devices; it’s not clear how many systems were affected in India. CERT—In had also issued an advisory regarding the attack back in October 2016.
- WannaCry: Ransomware WannaCry swept the world in May. CERT-In immediately put out an advisory notice. Few instances of the ransomware were reported to have hit banks in India, and some businesses in Tamil Nadu and Gujarat as well during the first wave of the attack. Railwaire users were also most affected by the ransomware.
- Petya: India was also on the top 10 list of countries to be hit by Petya ransomware attacks, with the country faring worst among other Asia Pacific (APAC) countries, cyber security firm Symantec said in a blog postlast month. Globally, India took the 7th spot with less than 20 organisations being affected as per the Symantec’s analysis.
- Data breaches: Zomato said in May that it was affected by a data breach which led to details of 7.7 million users being stolen. The leaked information, listed for sale on a Darknet market. The company was, however, able to contact the hacker and take down the data. Reliance Jio was also affected by a data breach this month; a website called magicapk.com went up last month, allowing anyone to search for personal details of Jio customers. However, this also was taken down after the site went viral.