Lex Cyberia

Cybercrime: India beware, Moneycontrol News, 12 Sept 2015

There's a new world war being fought - on our computers, phones and all the fancy gadgetry that controls manufacturing plants, information highways and government systems. Companies, consumers, governments - we are all warriors in the war against cybercrime.

Last year US corporations lost $400 billion to cyber attacks! The numbers are mind-boggling, the vulnerabilities terrifying and the consequences unimaginable. So this week The Firm talks to security experts, hackers, Chief Information Officers and lawyers to find out if India Inc. is prepared to fight this new battle!

Sony, eBay, Target, Home Depot, JP Morgan, Neiman Marcus, Yahoo Mail, AT&T, UPS, Google - they are all victims of cyberattacks. And that's just in 2014. The Washington Post says that in 2013 federal agents notified 3000 US companies that their computer systems had been hacked. Information technology and security experts say everything is at risk - financial data, customer data, intellectual property. And often the attackers are insiders.

Ganesh Ramamoorthy
Research VP, Gartner

"We have seen details of credit cards being stolen; we have seen user information getting stolen. We have seen user names and passwords getting stolen; we have seen various different cases that have been happening across the globe in various different areas. These are not just consumer facing but even within the corporate within the organisations we have seen cases where because of hacker intuitions we have seen some very valuable, mission critical kind of information getting leaked out into the public or going in to the hands of the competition and so on and so forth."

Tarun Kaura
Director-Technology Sales, India, Symantec

"We saw a 300 million variants of malware written last year which basically means that around a million per day. This is a large number of malwares which theattackers are using to exploit into the network and the infrastructure of businesses."

Ruggero Contu Research Director, Security Markets Worldwide-Gartner

"The type of a tax the type of issue, probably there is a similarity to a virus of pandemic, when explores, he impacts everyone."

It's a constantly mutating virus. Sahir Hidayatullah is an ethical hacker and helps companies protect themselves. He says that from widespread phishing attacks, or emails that fool people into parting with their private data, hackers have now moved to more targeted attacks.

Sahir Hidayatullah Ethical Hacker CEO, Smokescreen

"If you think about how people used to get hacked just a few years ago they would be targeting you and me, your credit card, my healthcare information for identity theft that has completely changed. That is now bottom of the barrel stuff. The really serious stuff is where they are targeting companies directly. They are not saying okay I will take Rs 10,000 out of 500 people accounts. They are saying you know what, let us break into one bank, get access to the ATM network and let's pith out a few million dollars."

Or many million dollars. In cybercrime, data breaches are the most common form of attack. Last year hackers accessed login information for 233 million customer accounts at eBay, one of the world's biggest online selling platforms. Soon after, J P Morgan Chase, the largest American bank with a $250 million cybersecurity budget, suffered a widespread attack on its servers that affected 76 million households and 7 million small business accounts. J P Morgan says the attackers weren't able to get their hands on sensitive data like social security numbers, account numbers and passwords. But IT expert Pranesh Prakash says even basic contact information like names, addresses, phone numbers and emails can be easily exploited by a cyber criminal.

Pranesh Prakash Policy Director, Centre for Internet and Society

"You can do a lot just by having access to a person's birth date; you can do a lot by having access to a person's mother's maiden name and things like that because in a few way-this I one these kind of information are often used in financial transactions as well. They are often proved that you are you when are taking with the banking representative. For instances the birth date as long as you have knowledge of a person's PAN number and the knowledge of that person's birth date then even a income tax return that is password protected you can have access to that."

At American retailer Home Depot, 56 million customer accounts were reportedly hacked and financial data stolen. Media reports suggest it cost the company $62 million and banks another $90 million to replace the debit and credit cards. Neiman Marcus, Staples, UPS and many other companies have been victims of similar attacks. And then there's extortion. Domino's Pizza had 600,000 personal records of its users stolen. The attackers held the data for ransom by publicly threatening the company on Twitter to pay up 30,000 euros.

Tarun Kaura Director - Technology Sales, India, Symantec

"The number of days that a hacker can be in any of the premises is now longer than what we saw before. They are in the network looking into the stuff that they need - intellectual property, it could be identities, the campaign is much longer and targeted rather than just going for a random kind of data. Businesses may not even know that hackers are already prevalent into their network and they are looking into something very sensitive."

Last year, a North Korean group called Guardians of Peace hacked into Sony Pictures, one of the largest film studios in Hollywood. The attackers destroyed systems and stole large quantities of employee data, confidential communications and commercial data. They frightened Sony into cancelling the release of its film The Interview about an attempted assassination of North Korean leader Kim Jong-un. The FBI said that the North Korean Government was responsible for the attack. In May this year, the US Justice Department filed criminal charges against 5 hackers in the Chinese military, accusing them of stealing trade secrets from 6 American companies including Alcoa, US Steel and Westinghouse Electric. The cyber theft of intellectual property is now a cross-border issue for companies across the globe.

Sahir Hidayatullah Ethical Hacker CEO, Smokescreen

"A large pharma company was actually hacked and we watched first hand as Chinese malware and Chinese hackers tried to move through their network towards their lab tissue culture systems and that information was flowing back out to a Chinese dump site. This is something that we have seen time and time again."

Pranesh Prakash Policy Director, Centre for Internet and Society

"I once saw this interesting Cable from the US Diplomatic Cables that were leaked by WikiLeaks, where a German businessman was complaining how industrial espionage from France was a much greater threat to his business than things like the threat of IP violators in China."

Financial data, intellectual property, even manufacturing systems have been hacked into. In 2010 in Iran, a piece of code called Stuxnet succeeded in shutting down several centrifuges in a uranium enrichment facility. In a world where everything is connected and hackers have state support - nothing is safe.

Ganesh Ramamoorthy Research VP, Gartner

"They could be taking over the entire set of assets. If an organisation has implemented IOT in its manufacturing plant orits warehouse or in its inventory godowns and if they are all connected with internet of things anybody who is hacking in to those networks could be completely taking the ownership or the control of those systems that are enabled in them and they could be changing or altering various different things, make them work in a completely different manner, make them behave very erratically which would cause them material damage, physical damage for the organisation."

You now know the size and scale of the problem and its constantly changing nature. The question is: how are companies across the world coping, are laws strong enough, is prosecution effective? Last year 60% of all attacks on corporations took place in the US. That's probably because the US mandates that companies report data breaches. While many countries, including the EU, now have data breach reporting laws, disclosure levels are highest in the US.

Lisa Sotto is a reputed lawyer and partner at Hunton & Williams. She specializes in cybercrime matters and has advised various governments around the world on data security and breach notification laws. She says the US has a plethora of laws but they are all fighting yesterday's battle!

Lisa Sotto Partner, Hunton & Williams

"Our clients ask us all the time if we could provide the playbook, what is the road map for securing the data, what playbook should they follow for data security and unfortunately the answer is there's no magic potion, there is no playbook! So what we have in the US is really a hodgepodge of laws- we have financial security laws, we have healthcare security requirements and then as a general security requirement the Federal Trade Commission requires that we have reasonable security in place to protect data and of course the term reasonable is a bit of a moving target because what's reasonable today may be less than reasonable tomorrow and as the cybercriminals become more and more sophisticated and they figure out how to get past certain security measures that are in place."

In 2013, the payment system of Target, one of the biggest retail chains in the US, was infected with malware. Attackers stole credit card information of 70 million customers. The attack cost Target $148 million and banks lost $200 million. Target's CEO resigned, government investigations were launched and the company had to pay $10 million to settle a class action lawsuit brought by consumers. More recently, Home Depot and Ashley Madison have been sued by customers for failing to protect their data. After last year's cyber attack, Sony faced employee lawsuits for not doing enough to protect their data. Inadequate data protection can also prompt Government enforcement actions.

Lisa Sotto Partner, Hunton & Williams

"Absolutely the government does it all the time and I should say governments because in the US we are faced with enforcement actions by the FTC at the federal level, possibly the department of health and human services with respect to health data and other federal agencies where we have compromises of data. We also, in private industry are faced with Attorney General action. So the states are very active and we may be faced with multiple actions by Attorney general if we fail to protect data."

The costs, litigation and regulatory action is half the story. Reputational damage can be more crippling. Many American companies are now adding cybersecurity experts to their boards and senior management. What about India Inc.? After the break our ethical hacker, Sahir has some interesting experiences to share

Welcome back-you are watching a special edition of The Firm on cybercrime. Earlier in the show, you met Sahir Hidayatullah, an ethical hacker who helps companies devise protection strategies. Sahir has someinteresting stories to tell about hacking experiences in India.

RBI says $12.6 billion worth of cyber fraud cases were reported last year. Amit Sethi, the Chief Information Officer at Axis Bank, contends that the frequency and magnitude of attacks have gone up in the last five years, and that's led him to change his security strategy.

Amit Sethi President & CIO, Axis Bank

"Two very important things are happening, the original strategy used to be defence only. So, build a parameter firewall, build your whole strategy around a defensive mechanism. Now that has changed, it is moving more to what we call as predictive and responsive mechanism. So, we are able to predict on the basis of certain traffic patterns or on the basis of what we hear from the underground dark web about what is the likelihood of the attack. So, we are getting into predictive. When we see the traffic increase or an attack happening, have an immediate response. So, responsiveness has increased very fast. These are the two new additions which have happened over the last few years and few months over and above the defensive strategy."

It's this change in strategy that's made ethical hackers like Sahir Hidayatullah much sought after. Sahir helps Indian companies prevent and counter hack attacks. And he has some interesting stories to tell

Sahir Hidayatullah Ethical Hacker CEO, Smokescreen

"A Fortune 50 CEO of an Indian company received an email purportedly from a person who used to write articles on him, from a news publication. Once again that email had a virus attached to it and that virus when it was analysed it was capable of switching on the audio, the mike on his computer, turning on the camera, downloading excel docs, recording the keystrokes, the screen- pretty much everything the hacker could want to do if he was sitting in front of that system and you must understand thecost to the hacker is minimal for him to send this out. He could just make a list of all the top executives in India and fire that thing out and it's basically the cost of sending an email."

In another instance Sahir shared, hackers infiltrated a company's systems by sending a well crafted, spear phishing email to an executive assistant of a senior executive in a company. Once in, they accessed the system for months.

Sahir Hidayatullah Ethical Hacker CEO, Smokescreen

"They were able to move from system to system and over a period of months they gained access to what they wanted to and then siphoning it off was a simple matter. We were able to luckily in that case figure out that something was wrong because they misused the password out of office hours and for some reason this lady received some sort of an alert which said you tried to log in last night at 3 in the morning and that is how the whole incident kind of started unravelling. Once we got in, we realised we can't just shut these guys down. If we just close off her access they will realise that we have figured out that they are there and they might have five other backdoors. So, it was really important that we kept them going. So, we built an elaborate deception around what information they were getting, we drew them away from the real information but kept them busy while we could figure out and dimension the incident and finally then shut them down cleanly when we can. So, I think the operative takeaway in that is, you don't need to have the strongest parameter firewall, it is not going to help you if somebody is just going to give up their username and password."

Cybercrime has seen a 350% increase in India and yet there's rarely news of an attack on an Indian company. That's because India has no law that requires companies to report hacking attacks or data breaches.

Sahir Hidayatullah Ethical Hacker CEO, Smokescreen

"There have been a number of instances where a large number of Indian companies have been hit by targeted attacks. They've not made the news due to the lack of breach reporting laws that we have here. But, there have been serious incidents, in fact if you look at any advanced persistent threat report of the last few years, you will usually find that India is in the top 5 targets."

Karnika Seth
Advocate, Supreme Court
Founding Partner, Seth Associates
Founder, Lex Cyberia

"If you see there is no mandatory reporting which means lesser crimes are reported and the indices which are projected from surveys or research may not give the real picture because the current threats may be even far more than what they are being projected. Since there is less reporting there is less investigation, there is less tracking of offences and as a result less prosecution and convictions."

Karnika Seth is a well-known lawyer specializing in cybercrime matters. She has also advised the government on matters of cyber security. Karnika says that India is woefully under-equipped.

Karnika Seth
Advocate, Supreme Court
Founding Partner, Seth Associates
Founder, Lex Cyberia

"Well, our current IT system, the legal framework and machinery and our current infrastructure, even the manpower which handles this kind of investigation is certainly way behind what we should be now. That because I feel the awarenesss levels are really low and because of that the cyber criminals find it as a haven."

In 2000, the Indian Parliament legislated the Information Technology Act. Sec 66 of the Act makes hacking illegal. Sec 43 A provides for compensation for victims of data breach and Sec 72 A imposes criminal liability on a person who discloses confidential information.

Karnika Seth
Advocate, Supreme Court
Founding Partner, Seth Associates
Founder, Lex Cyberia

"Every customer's personal information taken should be protected to an extent which ensures reasonable security practises have been adopted by that corporation or a company. How many corporations really follow this is what is a big challenge today."

Pranesh Prakash Policy Director, Centre for Internet and Society

"43A(of the IT Act, 2000) which is the provision relating to data protection and the only provision really relating to data protection as we understand it is grossly inadequate. One example of why it is inadequate is that it doesn't really allow the capability for suo motu action by the government, meaning it in essence envisages complaints by victims for claiming this kind of compensation which very often doesn't not happen. The kind of negligence that has to be shown it is unclear and what we see is that despite it being many years since this provision was introduced, I don't know of a single case where it has actually been used. It is not as though India has been a haven for data security, it hasn't, there have been dozens of data breaches. So, why hasn't this provision been used."

Since companies rarely disclose if they've been attacked, consumers, despite the legal provisions, have little opportunity to take action and class action is a rarity here. On the other hand, catching and prosecuting hackers is no easy job either. But as the problem grows in size, so has the awareness. Now government intelligence agencies like the National Technical Research Organisation - NTRO and the Computer Emergency Response Team-CERT are also coming to the aid of Indian business.

Amit Sethi President & CIO, Axis Bank

"We have seen agencies like that step in now. They are extremely collaborative, information exchange is happening between agencies and we see them as activeparticipants in both prevention and detection of these kind of things. So, they are playing quite an important role in this."

Sahir Hidayatullah Ethical Hacker CEO, Smokescreen

"There's no point having the laws if we don't have the teeth to enforce them or the investigative capabilities to enforce them. Right now, it's difficult enough for our police to deal with the type of cyber crime that we see daily. If you're talking about them dealing with a really advanced gang that's difficult, there have been victories and there are a quite a few officers who have done a lot of work and are very knowledgeable on the subject but unfortunately they are few and far between."

But, that's not a problem unique to India. Constantly changing technology has helped hackers stay one step ahead of investigating authorities everywhere. Finding them is tough, prosecuting them even tougher.

Lisa Sotto Partner, Hunton & Williams

"Cyber criminals are really operating in a space that is above jurisdictional lines or beyond jurisdictional lines. So finding them, identifying them when they're talented enough to leave very few footprints after they've been in a system is a huge challenge. So, identifying the attackers and then bringing them to justice is really a very difficult task."

Amit Sethi President & CIO, Axis Bank

"Tracking is definitely possible, we are able to track them right down to the countries of origination or the place where the attack has originated. In terms of prosecution because it involves cross border, you need to involve government agencies, I believe that's one area of improvement where all of us need to work together, where the international community needs to have a better mechanism of prosecution for cross border. I think most of the countries are struggling with that andsoon we will see some work and some outcome."

Karnika Seth
Advocate, Supreme Court
Founding Partner, Seth Associates
Founder, Lex Cyberia

"There is no cyber crime convention, so whether cross border crimes could be easily investigated because MLAT system which we currently follow, which is the mutual legal assistance treaty system with other countries is also pretty slow. Also when at times we look at information from the other authority in the other country it could take 6 months or even one year. Why talk about other countries? Even forensic reports which we are in fact domestically procuring from government or other agencies could also take really long, so because of that the backlog of cases doesn't get decided very quickly and we are only endeavoring right now to create cyber awareness, not just in the general masses but also with law enforcement and police officers."

As is evident, we are struggling to keep up. It's not just the legal and enforcement architecture or better laws to protect customer data. Cybercrime is forcing companies everywhere to rework security and governance systems. Is that conversation happening in Indian boardrooms?

Amit Sethi President & CIO, Axis Bank

"The awareness over last few years and if you look at India Inc in general and government, it has increased tremendously and that has happened also because of the kind of attacks that we are seeing and actually the digital property is becoming the face for most of the companies and if that gets attacked it is both not only a reputation risk but it could actually risk release of sensitive data outside. So, everyone is taking it extremely seriously. Over the last two years especially I have seen that become as an important part of their strategy and board level reviews. So, the top management of the companies are also extremely involved in these things."

Ganesh Ramamoorthy Research VP, Gartner

"The boards do realise that security is an issue. Securing their assets, IT assets and information assets are critical to them. However do they have all the relevant knowledge from a technology perspective, from the perspective of what kind of impact it can have for their business continuity planning, probably disaster recovery management and so on and so forth, the awareness levels I would guess is still pretty average is what I would say at least in the Indian context."    

http://m.moneycontrol.com/news/management/cyber-crime-india-beware_3046341.html