Introduction
Today the world is hurtling out of the industrial age and is on the threshold of a revolutionary new economy based on Information Technology, rather than conventional raw materials and physical forces. The remarkable changes in the world economy have graduated mankind from conventional warfare to ‘economic warfare’, graduating to ‘cyber warfare’. The means used are control of market forces through high technology. So accelerated and phenomenal are the changes in the world scene these days that revisions of beliefs and logic that used to take place over half a century are now needed every few years. Knowledge is now the central resource for both destructibility and productivity, and the impact of the information technology revolution has led to new sets of rules. IT has globally led to an economic boom, creating a vast multiplicity of channels through which information and misinformation flow at rapid speed. Cellular phones, PCs, copiers and fax machines, drones and UAVs, video-cams, satellites, sensors, robots and digital networks now permit the exchange of vast volumes of data, voice and graphics through multiple, decentralized channels, often out of easy reach of the country’s intelligence agencies and military censors. Thousands of computer networks are springing up at a rapid pace, crossing national barriers, shrinking the world to a global village, linking millions of individuals in continuous conversation about everything from safe sex, stocks, and shares to states’ secrets, and facilitating the formation of groups devoted to both destructibility and productivity with impunity.
Shockingly for global security, along with advancements in IT, there has been a colossal increase in low intensity conflicts, and international terrorism has spread widely from Afghanistan, Pakistan, Yemen, Iran, Lebanon, Iraq, Syria, Sudan and beyond, with various Arab terrorist outfits fighting holy wars (Jehads) in Bosnia, Chechnya, Somalia, India, Indonesia, Malaysia and beyond the borders of Turkey in the European Union and the US. In the late 20th century, these conflicts have often been marked by superpower intervention causing grave losses in men and materials, forcing the American President to strike his bases in Afghanistan, Syria and Sudan. These LASER-guided cruise missile strikes were only possible due to the availability of advanced IT.
During year 2015 there were over 2860 Islamic attacks in 53 countries, in which 27615 people were killed and 26136 injured. Large numbers of attacks and casualties go unreported.
Importance of IT Security:
Outsiders’ ability to penetrate computer networks, which are often telephone dependent, poses a grave threat not only to bankers, financial institutions, and industry but also to national and international security. Data networks are exceedingly vulnerable to the twin threats of theft of sensitive classified data by external elements and distortion or obliteration of data through injection of malicious viruses and worms into systems without the knowledge of the users. Distortions force the users into taking wrong decisions, whereas obliterations make essential data unavailable during a crisis such as war. These threats have forced users to develop computer security measures. In the US the National Computer Security Centre (NCSC) of the Defense Department has published an ‘Orange Book’ on IT security. The UK has brought out a ‘Green Book’. Similar manuals have been published by other countries as well, whereas some others have passed laws on unauthorized access to computers used exclusively by governmental institutions and military establishments. Separate laws are also on the anvil to deal with the menace of malicious software. Much of IT security would, however, depend on how well instructions on this vital aspect are implemented.
Parameters of a Good Data Security System:
The first prerequisite of a good data security system is the posting of a Data Security Officer with a sound knowledge of how various networks operate and their limitations. The old type of conventional Security Officers, who are good in physical security and not in IT security, would not meet the qualitative requirements of a good Data Security Officer. Where the security set up is headed by a generalist, he should be assisted by experts on IT security management. Based on their performance, Data Security Officers can be divided into the following categories:-
Outstanding: An officer with the capability to prevent breaches of data security. His safeguards are generally very effective.
Very Good: An officer whose preventive measures are not that effective but when a breach takes place, he immediately detects it and is able to identify and trap the culprit and can also enforce damage control measures.
Good: An officer who is alert enough to detect breach in time and enforces damage control measures but is unable to identify and catch the culprit.
Poor: One who is totally oblivious of IT security breaches till considerable damage has been done to the establishment through theft, distortions, or obliterations of sensitive data. Such an officer should either be replaced or trained forthwith.
What Needs to Be Protected?
In each organisation, the Data Security Officer, in consultation with his superiors, must first decide what data need protection. Since all data cannot and need not be protected, only sensitive data, damage to which or leakage of which would compromise national or organizational security, needs to be protected. This would call for a system of classification of sensitive data. However, the tendency to over-classify data must be curbed.
Risk Analysis:
After deciding what is to be classified, the Data Security Officer should carry out an analysis of the types of risks which could arise and against which protection has to be ensured. Risks to computer security could arise from the following factors:-
a) Human Elements:
Careless employees could cause damage inadvertently due to negligence.
Disgruntled employees could willfully cause damage on their own or at the instance of outsiders’ interests in sensitive data.
Staff having character defects could be exploited by outsiders to gain unauthorized access to sensitive data.
b) Technical Elements:
Technical snags such as cross connections during data transmission.
Risks arising from dial-in facility which exposes network to telephone tapping.
Hardware being sent for repairs to outside agencies without downloading data from hard discs.
Unauthorized exchange of floppies/pendrives/thumb drives/software.
c) External Elements:
Theft of data (espionage) with or without the connivance of the employees.
Distortion / obliteration of data through introduction of malicious software.
Risk Management
a) Human Elements: To overcome threats from the human element, frequent training classes, seminars and workshops have to be organized for the employees to make them security conscious. In addition, a list of members of staff involved in handling of hardware/software may be prepared, dividing them into 3 categories:-
Category-1, those authorized to read, input, modify or erase data. This may be confined to a limited number at senior level.
Category-2, those authorized to read, input, modify but not authorized to erase data.
Category-3, those who are authorized only to read data but not to input, modify or erase it.
All those who do not figure in any of the above categories should have no access to computers or the network. A list of authorized people and a log of users of computers/networks must be maintained, and periodic surprise checks done to ensure that no unauthorized person has access to any sensitive data. In addition, computers of receptionists, PAs, administration, and accounts staff must be delinked from the main work network to prevent accidental leakage of sensitive information. A system of identification and authentication should also be enforced, besides frequently changing the passwords and introducing separate badges or identity cards in the form of magnetic stripe cards, complex keys and ‘Smart cards’ for those authorized to handle sensitive data. Biometric devices for recognition, which use characteristic features of signatures, fingers and palm prints and voice etc., are also increasingly coming into use, but they are very expensive and their reliability is not ensured. A combination of passwords, badges, biometrics and magnetic stripe cards provides a safer means of identification.
It is sometimes noticed that even security-cleared and duly-authenticated persons could be compromised by vested interests. Therefore, it would be desirable that every input, modification, or erasure is authenticated by the person doing so.
An additional safety precaution could be that at any given time at least two persons should operate sensitive computer networks and periodic verification of character and antecedents may have to be done in respect of personnel posted in sensitive sections and efforts made to weed out disgruntled and suspect personnel at the earliest opportunity.
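The three-category scheme above, with per-person authentication of every change and a log for surprise checks, can be sketched as follows. This is an added example, not part of the original article; the staff names, keys, HMAC-based tags and the choice to apply the two-person precaution to erasure only are assumptions made for illustration.

```python
import hashlib
import hmac

# Permissions per category, as listed in the article's three-category scheme.
CATEGORY_PERMS = {
    1: {"read", "input", "modify", "erase"},
    2: {"read", "input", "modify"},
    3: {"read"},
}
WRITE_ACTIONS = {"input", "modify", "erase"}

# Constructed sample staff list: name -> (category, per-user signing key).
STAFF = {
    "asha": (1, b"key-asha"),
    "bala": (1, b"key-bala"),
    "chand": (2, b"key-chand"),
    "divya": (3, b"key-divya"),
}

AUDIT_LOG = []  # every attempt, allowed or denied, is kept for surprise checks


def sign(user, action, record):
    """Tag that binds an action on a record to the person performing it."""
    key = STAFF[user][1]
    msg = f"{user}|{action}|{record}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def request(user, action, record, tag=None, witness=None):
    """Return True if the action is permitted; log the attempt either way."""
    category = STAFF.get(user, (None, None))[0]
    # Anyone outside the three categories has no access at all (default deny).
    allowed = category is not None and action in CATEGORY_PERMS[category]
    if allowed and action in WRITE_ACTIONS:
        # Every input, modification or erasure is authenticated by its author.
        allowed = tag is not None and hmac.compare_digest(tag, sign(user, action, record))
    if allowed and action == "erase":
        # Assumed two-person rule: a second, different Category-1 officer.
        allowed = witness != user and STAFF.get(witness, (None,))[0] == 1
    AUDIT_LOG.append((user, action, record, allowed))
    return allowed


def denied_attempts():
    """Entries a Data Security Officer would review during a surprise check."""
    return [entry for entry in AUDIT_LOG if not entry[3]]
```
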
b) Technical Elements: The risks from technical elements arise from over dependence on telephones for data transmission, Local Area Networks (LAN), which are normally confined to one building, and Wide Area Networks (WAN), which spread over wide geographic areas covering many cities and countries, providing inter-connectivity amongst various computer networks by numerous modems that are linked through DOT lines, satellites and microwave towers. The recent approval of the Government of India for introduction of Global Mobile Personal Communications by Satellite (GMPCS) in the country has several security implications. This was amply brought into focus during the missile attacks by the US forces against Osama Bin Laden in Afghanistan on August 7, 1998. The US intelligence could track down Laden to the accuracy of a few meters because he was using an INMARSAT voice channel to control his terrorist groups across the globe. The following counter measures could be useful to safeguard our systems:-
Avoid dependence on telephones in case of LANs.
Avoid direct dial-in facilities in case of WANs and use dial-back modems, which call back the genuine authorized member, with port protection devices at the end of each link.
Use coding and decoding devices for sensitive data.
Introduce a system of immediate acknowledgment from the recipient of data confirming its safe receipt. If the recipient reports its non-receipt, presume that the data has fallen into wrong hands due to cross-connection and take appropriate damage control measures such as changing codes for future transmissions.
Besides the above, certain general precautions as under could also be taken:-
Surprise checks at gates to ensure that floppies or other software are not smuggled in/out.
Employees of service agency are always to be escorted.
Changing Passwords and authentication keys after servicing or when there is suspicion.
Prohibiting visitors from entering networking areas.
In addition, the following steps could also prevent introduction of malicious software:
Total ban on the use of private software brought by staff for use in official computers.
Discourage purchase of loose floppies and software and issue strict instructions for purchasing of floppies of dependable quality in bulk in sealed packets.
Maintain a list of reliable dealers to rotate source of supply.
Treating with suspicion all gifts and free samples of software and not using them till they are tested for viruses.
Testing of all new software by experts for virus and compatibility on computer specially kept reserved for this purpose before introducing them into the information system.
Direction to the staff to the effect that they should keep the computer on when they suspect presence of any virus and inform Data Security Officer/System Manager who can take counter measures.
Crisis Management
According to Murphy’s Law, “In any system where things can go wrong, they would most probably go wrong one day despite all the precautions one might take”. Therefore, crisis management plan must be kept in readiness to meet any eventuality. A good crisis management plan caters for all unforeseen contingencies and should ensure:-
Stand by arrangements, if the entire system is damaged.
Availability of a back up master copy of all data at a safe place for use if data network is accidentally or maliciously destroyed.
Provision for a drill for reconstruction of data with the help of subordinate offices who might have stored them. Such a drill should also be practiced from time to time to make it effective.
The crisis management should also cover damage to information system from acts of Nature such as fire, floods, or earthquake. To reconstruct data, in such an eventuality, various policy documents, logs for issue of stores or movement of personnel and equipment etc. inside the organization must be also made manually and used for reconstruction of data.
Some eye opening stats from McAfee, the Intel-owned IT Security Company
A study of 28 million computers in 24 countries has found that 17 percent of all PCs do not have any form of security at all on them against viruses, worms, spyware and other Internet malware- a transgression that McAfee compares to “walking around naked on the Internet.” Singapore is the most unprotected country. 21.75 percent of all PCs there do not have any security coverage, while India is the 10th with 17.32 percent PCs unprotected.
Hackers target Mahanagar Telephone Nigam Limited (MTNL)
The virtual gheraoing of official websites went up a notch on 6 June 2012 with online hackers Anonymous claiming to have taken down the (MTNL) website through a distributed denial of service attack. The group started attacking official and corporate websites to protest ‘internet censorship’, which snowballed after the Madras High Court ‘john doe’ order on copyright violation of Tamil movie ‘3’ and Telugu movie ‘Dammu’.
In addition to the net siege, Anonymous has planned peaceful street demonstrations in Mumbai, Delhi, Bangalore, Kolkata, Pune, Kochi and other cities on 9 June 2012. Their demands include removal of blocks on websites and amendments of certain provisions in the IT Act 2008.
Hacking Experts call for code
Recently a handy, bite-sized course in computer hacking during summer holidays was advertised. Advertised as ‘ethical hacking’, the course claims to teach ‘how to hack passwords and social networking accounts’ - all to protect our system better. But cyber lawyer Pawan Duggal says there is no such thing as ‘ethical hacking’ and institutes offering such courses need to be regulated.
Faridabad-based Brains Booster claims to have an IIM alumnus as faculty, offering an ‘exclusive’ summer ‘Hacking Course’. In its promotional pamphlet, the institute claims to teach ‘hacking Facebook account in less than a minute’ and even how to ‘run your virus when anyone opens your pen drive’.
Byte Code Cyber Securities in Delhi lists ‘Yahoo Hacking and Google Hacking’ and ‘Wi-Fi Hacking’ on their website as part of the sixty hour ethical hacking course. And Appin, with more than 100 centres nationwide, has a six week course in information security and ethical hacking costing upwards of Rs 6,000. There must be similar unethical training activities world over.
These institutes claim they function within the purview of law. ‘Unless one knows how to protect one’s system, how will one protect one’s system’ argues Suvam Patwari of the Brains Booster. However, with a cyber criminal and an ethical hacker requiring similar skill sets, it pays to be careful about the laws as there is a very thin line between criminal hacking and ethical hacking. Imagine a disgruntled IT expert leaving your organization and joining the rival industry indulging in hacking his former organization. That would be the worst form of espionage and sabotage under the cover of the IT laws. Just imagine how a Turkish, Pakistani or Afghanistani soldier dealing with cyber security deserting and joining LeT, al Qaida or ISIS can compromise not only their national but international security!
Hacking in India is punishable with three years’ imprisonment and a heavy fine. If a contaminant (virus) is created and released into a computer system or network, the victim can sue the hacker for damages up to Rs 15 crore per intervention. Protector or provocateur - the jury is still out on ethical hacking, and industry needs to be warned of new vistas of electronic espionage and sabotage.
Conclusion
An effort has been made to analyze the impact of modern technology on data protection and information security. By no stretch of imagination, this is a comprehensive analysis as the technology is becoming obsolete at a much faster pace. Advancements in information technology necessitate review and up gradation of our security needs from time to time so that we are able to control the events leading to security lapses and are not eventually controlled by the events.