In emerging economies like India where the government is undertaking large scale digital initiatives and schemes, security has become a major concern. Cyber experts believe that the damage done by WannaCry ransomware is an issue of under-reported magnitude.
The use of pirated and outdated software is rampant among Indian users as well mid-size and small IT organizations. Fearing licensing issues, a huge number of these incidents will not be reporting the losses, concludes expert opinion on the latest cyber attack.
According to the Centreâ€™s instruction to CERT-IN (Computer Emergency Response Team), â€œall the information of reported ransomwareâ€ have been collected into a report. Many of the cases across the country were isolated but the wave of attacks certainly shows that the impact to India is certainly a caution alarm.
The report states these places as worst hit by WannaCry:
1. 10% of Vadodaraâ€™s total computers in the District Administration Collectorate Office.
2.Â Computers in Panchayat offices of Wayanad and Pathanamthitta districts in Kerala.
3.Â 120 computers connected with Gujarat State Wide Area Network in Gujarat.
4.Â 18 systems of Andhra Pradesh Police Department.
5.Â Systems in the Tirumala Tirupati Devasthanams (TTD) Shrine in Andhra Pradesh.
6.Â Computers of the Personnel Department of the Southern Railwaysâ€™ Palakkad Division.
7.Â Computers in several locations of the Police Department of Maharashtra.
8.Â Many attacks happened in computers across Kerala and Tamil Nadu.
How much information security is enough security ?
InfoconÂ is an initiative by Prime Infoserv, Kolkata and Wordsmith has been a collaborator in the initiative. Any contemporary CXO who is not concerned with the theme and confusion called Information Security is either non-existent or soon will face bankruptcy judge.
Billions are lost by private and public institutions worldwide through loopholes in securing information. Information is literally money. If you are a financial institution and if your customer database is compromised, then the fall-out can be seriously embarrassing to catastrophic.
The Problem of Mr. K, a CIO of the castle called KolkataÂ
Mr. K is a Â CIO of a large healthcare company in Kolkata. His 60% life was spent without internet and when his career is at the matured peak, he finds that he needs to reckon with information security. His CEO has instructed him to â€œdo somethingâ€. What he should do ?
In case of an enterprise, any â€œdoingâ€ needs management time, money and attention (follow-up). More important, no vendor appears to be able to answer the question :Â â€œHow much information security is good security ? â€œHow much I should spend, considering the solutions are correct ?â€Â
Mr. K, found to his great confusion that he is not able to get these â€œfiguresâ€.
In a autumn morning in Kolkata, post-Durga Puja last year, Â I and Sushobhan, CEO of Prime met Mr. K in his East Calcutta office, overlooking the wetlands of Calcutta that appear to be merging with the Sunderbans. Â Mr. K narrated his predicament, especially the most important one â€“ â€œHow much money and resource he should ask for approval ? â€ from his top management to implement the solution selected. The problem with the solution was its very nature : the solution is directly connected to the threat â€“ real, perceived, imagined or enmeshed in the business interest of the information security vendor.
The Mathematical Model
In other words, we need an analytic framework backed up by the cold, austere and objective mathematical perspective other than paranoia, vendor interest, disaster porn, technical jargon, hardware and software vendor with their exotic offerings lined up in the form of priests of some esoteric cult.
There is a mathematical model called Gordon-Leob model that does exactly that. It uses mathematical tools like probability, confidence interval, distribution to produce a mathematically verifiable statement
After the coffee, I and Sushobhan told Mr. K thatÂ he should spend no more than 37% of the amount X, where X is calculated by
X = Cost * Maximum probable vulnerability * Impact Constant * Quantified Risk
Mr. K was delighted. He is now at least dealing with arithmetic, not anxiety-metric.
In due course, we did find out X for his organization by using a 4 step method which is basically a combination of police work + detective work. In the first step, we did a vulnerability analysis and logged all known risks, in the 2nd step, we had assigned some metric to those risks in consultation with the company. In the 3rd step, we calculated the probabilities of such events, in the final step, we tabulated the impact and then estimated X.
Since then, we have been working in this area with clients in India, Bangladesh, UK and everywhere we found one common aspect : lack of awareness. Then the idea ofÂ InfoconÂ was born.
Infocon 2016Â is happening on 18th November â€“ a platform for sharing our confusion, triumph, fear, best practices and combining our torches in a same direction to create a path in the literal jungle of information which not only has exotic fruits, flowers and scenes but ferocious enemies.
May 12, 2017 is one of the most dreadful days of the year for cyber experts and its stakeholders. About 150 countries across the globe suffered a cyber-attack, affecting 200,000 computers.
It was the infamous â€œWannaCryâ€ ransomware in which hackers locked people out of their computers, demanding a ransom of $300 in bitcoins. Medical care became inaccessible and factories were shut down for more than 2 days to minimize loss of confidential and further damage.
Here goes a brief on one of the most dangerous ransomware attacks in the Cyber-verse:
What is â€œWannaCryâ€?
â€œWannaCryâ€ appears to have utilized a flaw in Microsoftâ€™s software, discovered by the National Security Agency, which was quickly leaked by hackers. The malicious code that relied on the victims opening a zip file emailed to them, spread rapidly across networks locking away files one by one. From then on, the programme used Microsoftâ€™s flaw to thrive.
Microsoft had released a security update which addressed the vulnerability in the sixteen year old Windows XP operating system, in March 2017. This update was exploited by the hackers to trigger the massive ransomware attack.
Who got affected?
Several computer networks worldwide were affected, including Telefonica as well as other major organizations in Spain. The British National Health Service (NHS), too, was forced to cancel scheduled patients.
FedEx, Deutsche Bahn, the Russian InteriorÂ Ministry and Russian telecom MegaFon were barred from normal operating services. According to Quartz the three bitcoin wallets used in the attack received just under 300 payments totalling a sum of 48.8635565 bitcoins, which is the equivalent of about $101,000.
What is a ransomware attack?
The term â€˜ransomwareâ€™ appeared in 2005 in the US with the first notable biggest threats to security. While cyber experts maintain it to be 2005, the history of ransomware goes back to 1989.
According to Beckerâ€™s Hospital Review, the earliest ransomware attack occurred in 1989, targeting the healthcare industry. Tracing the same, the healthcare industry still remains a top target for such attacks even after twenty eight years.
Ransomware is a cyber-attack wherein hackers gain control over a computer system and block access to it until the demanded ransom is paid. Hackers get control of systems by downloading a type of malicious software onto a device within the network. This is usually done by getting a victim to click on download link by mistake. The link is normally attached with an email, which once opened, encrypts the hard drive. Once the software gets into the victimâ€™s computer, it enables the hackers to launch an attack that locks all files it can find within that network.
The recent â€˜WannaCryâ€™, also known as Wanna Decryptor is a ransomware programme that locks all the available data in the system leaving the user with only instructions on what to do next and the Wanna Decryptor programme itself.
When the software is opened, it tells the users that the files on their computer have been encrypted. It then gives them a few days to pay up, warning that their files will otherwise be deleted. It generally gives them instructions to pay in Bitcoin, providing the Bitcoin address for it to be sent to.
What is the way out?
Larger organizations should ideally follow the guidelines provided by concerned institutions:
- Apply the latest Microsoft security patches for this particular flaw.
- Ensure all outgoing and incoming emails are scanned for malicious attachments.
- Ensure anti-virus programmes are up to date and conducting regular scans.
- Backup all key data and information.
- Organize education programmes on malware so employees can identify scams, malicious links or emails that may contain hazardous viruses.
- Run â€œpenetration testsâ€ against your networkâ€™s security at least once a year.
Many experts even suggested restoring all files from a backup. If that isnâ€™t possible, there are tools that can decrypt and recover some information.
As the world moves from ‘globalization’ to â€˜glocalizationâ€™, the era of digitization seems to make its entry into global markets too. Weâ€™ve stepped into the age of â€˜digital disruptionâ€™ where every new technology succeeds over its predecessor, proving the former a failure.
Increasing digital market environments are becoming a goal for every contemporary business organization. Digital interventions of social, analytics, mobile, big data and cloud technologies are laying the foundation for transformation. When these are integrated into cognitive computing, robotics, internet of things, 3 D printing, they form multiple disruptive scenarios like P2P, remote healthcare, digital banks, etc.
From the industry perspective, digital disruption is blurring lines between practices and learning from one industry being implemented in the other. Proliferation of smart devices and surge of AI, is the new battleground that is taking many sectors by storm.
AI has become the new hiring manager as job losses are projected to be the next big story. A recent World Bank research shows that AI threatens 69% and 77% of jobs in India and China respectively. A report by US-based research firm HfS Research states that about 7 lakh low-skilled workers in IT and BPO industry in India are likely to lose their jobs 2022, due to automation and AI.
Further, AI is set to affect 60%-70% of the current jobs. They will either get marginalized or totally eliminated.
A number of AI-based startups like Skillate, Belong, Stockroom, etc. scan through resumes and contain automatically updating algorithms for CVs. All of these are slowly taking over jobs portals like monster.com, Indeed, etc.
AI is shaking up the recruitment industry. Companies like Airbnb, WeWork, are starting pay-per-use models in both products and services. This has consistently given rise to freelancers who enroll for project-based work in growing gigs economy. Projections show that 43% of the US workforce will be freelancers by 2020.
In the time interactivity, where AI ensures upgrade on the go, jobseekers often complained of websites becoming useless for their resumes. Many even complained of no update on feedback on their interviews.
With AI, the most prime concern is of privacy. It is naÃ¯ve to believe that AI-based platforms only track data in the public domain. A lot of times, a candidateâ€™s political bias might potentially affect the employerâ€™s decision-making. Or in the digitally-dominated world, potentially employable candidates who donâ€™t use a lot of computers, may miss out on opportunities.
It is largely expected by cyber specialists that gradually, a personâ€™s digital footprints will significance in the future.