Kartik Shahani, country manager, RSA, the security division of EMC, talks about the security situation in India.
According to EMC, Indian companies lost Rs 328 crore due to phishing in the July-September quarter this year. There were about 375 attacks. India ranks 4th when it comes to phishing attacks. Given these findings, how is the security situation in India?
There is no pattern to a phishing attack. It is a real-time threat to everyone. In some quarters it is really high; in other quarters it reduces. But over the year this is increasing. It is a standard methodology that is being followed. And has become a practice that is perfected to an art. So it is no surprise that this is happening. This means organizations have to sit up and take cognizance of it. It is not like phishing attacks happen, specifically for the financial segment where a lot of customers are involved. And it gets into a contentious issue. It is highly regulated and people who are regulators will hold banks responsible for phishing attacks and the loss that is taking place from there. So the banking segment has got up to it. And this is not only in India. It could be any other country in the world. If you look at the US and UK, numbers are even higher. But it also shows that phishing attacks are being targeted to Indian customers now.
Why phishing attacks?
There are two reasons. Firstly, awareness. Secondly, it's easy and perfected. So when you say awareness, any country where you are aware that you can thwart a phishing attack, why would someone want to target those kinds of countries? Then why US and UK? Because now it has become such a perfected art that even if a small percentage of people fall for it, it is a fairly large game. Now awareness levels of how phishing attacks take place, how to figure out which is a phishing and non-phishing site is also something that organizations are working on. So there are many organizations today who run anti-phishing classes which ask people to look at a site, and say where do they think is a phishing and non-phishing site. This is a sign showing the building of awareness. But look at it, India is such a huge country, look at the rampant use of internet. This usage is so high that it becomes a natural reason for someone to target India.
Are you involved with any company in providing third party knowledge in anti-phishing classes?
We provide a knowledge base. There are organizations who do this work. They have a package which they go and sell to organizations which says, run this package in your system and see what is the awareness level among your employees. But we would provide them a knowledge base to work from.
Now phone applications are so popular. So in a way is this inviting the cyber criminals, are we surrendering to them through this?
We had a process of what is called cards giving, where a SIM card is duplicated and then money is removed from someone's account. So how could that happen? It is pretty simple if you look at it. You invited it because a smart guy looked at your LinkedIn profile, pulled your photograph, telephone number, and address. Then made a fraud driving licence. Then he goes to your Facebook. He sees what you are doing. And you write I am off to the US for fifteen days. You are not going to use your phone there because it is expensive. He goes and logs into your Yahoo account. He sees what your bank account is. He checks out your PIN number. He goes and cracks your account. Pulls out the money. He has already made a SIM card for himself. He wipes you clean. When you come back after fifteen days and you find you have lost all the money.
What went wrong in the year 2011? RSA was attacked by phishers. What were the lessons learned from that experience?
Following the 2011 incident two things came up. One is, you need not be the end result of an attack. You might be just an intermediary to an attack. You may just be one of the steps within it. The end intent may be someone else. The hijacker comes to your network, takes something from there and goes and attacks someone else. This is called 'spear phish' for a specific reason. The second thing is you don't even know for how long you are compromised and hence the dwell time is the average time that an adversary or a cyber criminal is in your network is roughly 450 days. So for that many days you don't even know that someone else is sitting in your network. The second learning is to try and reduce the dwell time. So the amount of information going out reduces. And then the third thing that came out was, let's make tools that can detect it fast enough so that we can take responses. This engendered a whole bunch of intelligent technologies to detect the breach faster than what it is.
What kind of cyber criminals does the future see evolving?
It's like Nostradamus. No one knows. It began with nuisance then turned into financial loss. To nation-state attacks. So who knows what next.
So in terms of deploying security solutions, how has it changed in India since 2009?
Initially there was a requirement of perimeter security which is known as the enforcement layer. You had a lot of people looking for anti-virus, firewalls, authentication. But they are all very reactive. They have got fixed signatures, fixed methodology. But they don't do anything that is intelligent. So now you have a new situation where you have an APT where a guy sits inside a network no one knows about. So technology needs to detect that. We have technologies like NetWitness and Silver Tail which will detect an anomaly. Once it throws up an anomaly then you start getting granular about finding out what it is. So if we got hacked, what did we lose? How important was it? How will it impact our business? That 'I don't know' is not acceptable to the industry any longer. Now security is an integral part of business. Business leverages security rather than have it as a measure. Investments used to be to knock off nuisance. But now it is like, if I am going to launch a new service then how secure am I. You have to ask what are the risks associated with it. And what will I lose just in case I get breached.
How much do businesses spend on security compared to the total IT spend according to your observations and findings?
The IT spend is roughly 8% of an organization's expenditure. And security is 2-3% of the IT spend. Globally this is pretty much the same. In India this is even lower.
Big Data and Mobility are much talked about issues nowadays. Are they increasing the technical surface of the attackers? What is the role of Big data in security?
In the old days unless you are specific about your phrase you won't be reaching anywhere. But now when all this data comes in and you want to look for some information it becomes predictive. It will start mining out information and start feeding you. This is where the security parameter comes into play.
Do you think Indian companies have matured enough to exchange information on security threats in order to come out with solutions?
It is a pipe dream that we have been pushing very hard for. There are people who are wanting this to be done. There is something called ISSA in the US. They have the financial segment which is called FS ISSA. RSA supports this in terms of technology. In India the sooner it comes the better it is. There are several factors that govern such steps, like accountability, ownership, and acceptability. So there remain many questions like, whether it is going to be a government or non-government body. What kind of information can it share? Can they have cross-border membership? All these factors come into play and so it is not so simple. US ISSA does allow certain countries to participate in it. So will India be one of those? We do not know that. But intent is definitely there.