How safe Is India's IT network?

Prabir Vohra, Senior Vice President, Technology, ICICI Bank, was going through log reports for the bank’s website a few months ago when he noticed something peculiar. It seemed that there had been a deliberate attempt by ‘web terrorists’ to launch a Distributed Denial of Service (DDoS) attack on the bank’s website.

“The first we got to know of this attack (on the bank’s site) was when we read the logs”  - Prabir Vohra, Senior VP, Technology, ICICI Bank

ICICI isn’t just India’s largest private bank, but also one of its most wired. The bank estimates that only 13-14 per cent of its transactions actually take place ‘physically’, with the others happening over the internet and ATM networks. For example, some 400,000 transactions (as against merely checking account status) are said to take place on the bank’s portal every day. “It was a great vote of confidence in the systems that we have in place that the first we got to know of this attack was when we read the logs, but it also highlighted the clear and present danger that exists,” says Vohra.

ICICI Bank is hardly the only one vulnerable to cyber-attacks. As the internet economy in India takes off, just about every company is a potential target. Those will include not just the so-called old economy companies, which are moving more and more of their business (including supply chain management) online, but also internet companies.

That’s pushing up the quantum of online transactions. There are no reliable figures available yet, but industry executives estimate that online transactions in India have topped the Rs 100-crore-a-day mark.

How to protect your network

It starts with creating a security plan for your network. Assess: Analyse your current state of security. Check the network for common system misconfiguration and missing security updates. Identify assets that need to be protected such as hardware, software, data etc. Calculate exposure for each asset and services against each threat.

Use this formula: Probability x Impact = Exposure to generate an ordered list of security priorities.

Plan: Don’t rush into implementation. The objective is not to eliminate all risk at all cost, but to minimise the risks. There are three main trade-offs: functionality versus security required; ease of use versus security; cost of security versus risk of loss. Create a detailed plan that includes, among other things, procedures for preventing, detecting and responding to security incidents.

Execute: Communicate with the staff and provide regular training. Test measures for technical adequacy and obtain participant feedback.

Monitor: Research new threats, and include new risks as you become aware of them. Subscribe to security bulletins and train users. Modify the plan when changes occur in personnel, organisation, hardware or software. Conduct ongoing maintenance such as virus updates, new user training, and backups.

Source: CERT-In; for more information, log on to: www.secureyourpc.in run by CERT-In.

The Indian Railways’ booking site, IRCTC, alone logs 37,000 transactions a day (for July 2007). Given an average ticket size of Rs 800 (August 2007), it means train passengers will spend almost Rs 1,000 crore online this year. Besides 40 per cent of airline ticketing are done online. All told, Indians are expected to spend over Rs 30,000 crore online in FY 2007-08.

World Wide Trap Those who are inclined to believe that the damage a network attack can cause is limited, need only consider what happened in Estonia. Perhaps the most wired nation in northern Europe, Estonia ground to a halt in late April and early May this year when sustained attacks on the websites and networks in the small Baltic nation paralysed its websites. Even though Estonia blamed Russia, the massive DDoS attack (see The DDoS Attack: How it Works) came from computers all over, including some from India.

It’s not just DDoS attacks that companies should be scared of. Cyber-rogues don’t just like bringing a network down, but they also like stealing stuff—credit card details, for instance.

Unlike countries in Europe and the US, where guidelines force companies to reveal the scale of such attacks, India has no such rules. That’s why the only attacks that media and general public get to hear about are ‘defacement’ attacks, where (not the best) hackers break into a webpage and change its content to prove a (usually political) point.

But Indian dotcoms have been attacked. Three years ago, a dota halt in late April and early May this year when sustained attacks on the websites and networks in the small Baltic nation paralysed its websites. Even though Estonia blamed Russia, the massive DDoS attack (see The DDoS Attack: How it Works) came from computers all over, including some from India.

It’s not just DDoS attacks that companies should be scared of. Cyber-rogues don’t just like bringing a network down, but they also like stealing stuff—credit card details, for instance. Unlike countries in Europe and the US, where guidelines force companies to reveal the scale of such attacks, India has no such rules. That’s why the only attacks that media and general public get to hear about are ‘defacement’ attacks, where (not the best) hackers break into a webpage and change its content to prove a (usually political) point.

But Indian dotcoms have been attacked. Three years ago, a dotcom CEO was horrified to learn that a server had been broken into, and even though it stored no user data and was instead being used to send spam. The security policy was subsequently dramatically altered.

“We have a full-time security team that now monitors logs and access on a real-time basis,” says the CEO, who requested that he not be named. Rajat Mohanty of Paladion, a managed security solutions company, talks about ‘a large’ e-commerce portal in India that was hacked into “a couple of years ago.” But in this case, the hackers did something completely different. “They loaded the home-page with ‘trojans’, which stealthily loaded themselves onto the computer of the visitors,” says Mohanty.

What is scary, according to Mohanty, is when e-commerce sites are set up, they get so involved in setting up the site navigation and product offering that security often takes a back seat.

The Ddos attack: How it works

Denial of service happens when a website server receives multiple requests in a very short span of time, overwhelming its capability to deliver and thus crashing it. When done with a malicious intent—unlike, say, times when news websites get overloaded due to breaking news events—it can be classified as an attack. Until recently, such attacks came from ‘select’ computers with known Internet Protocol (IP) addresses and ‘smart’ web servers block traffic from those IP addresses. However, hackers have managed to start ‘Distributed Denial of Service’ (DDOS) attacks, which use requests from thousands of infected computers to mount an attack. As the attacks are coming from several thousand computers all the time, the web servers cannot shut down traffic and the website collapses under the load. Hackers often use such attacks to extort websites, threatening them with attack unless they pay ‘insurance’ money, a rather intricate form of internet extortion! Trojans, which are so-called because of the way they function (an allusion to the ‘Trojan Horse’ in Homeric epics), can be a type of programme that installs on your computer and stays under the radar (as a ‘bot’) until it receives ‘an order’ from a ‘command and control’ (C&C) server. The other way ‘bots’ are created is when users are tricked into installing a piece of software on their computer. According to one security expert, there are at least “50,000 plus ‘bots’ and 5 C&C systems in India.” And the latest bit of software to get everyone worried is a worm called ‘Storm’, which uses peer-to-peer replication. It is estimated to have infected between 1-10 million PCs across the world.

 And even though some e-commerce websites now work either through the issuing banks or the credit card (MasterCard, Visa) networks to process payments, at least one large travel site confirmed to BT that it stored credit card records, “to process some of the offers we run.” The company claims that the records ‘were secure’, but a security expert points out that comparing the level of security at a small dotcom and a financial service provider is like comparing, “a sardine to a shark.”

The risk, according to Vishal Dhupar, MD, Symantec India, an IT security solutions provider, is greatest not for large enterprises, but for smaller companies.

“Large companies have the technical knowhow and resources to spend on security solutions, with smaller companies the risk is that their security measures are often reactive rather than proactive.” He also cites a Confederation of Indian Industry (CII) report from 2005 which points out that 38 per cent of companies (in the sample) did not have a security policy.

But there is no doubt that Indian companies are spending more on security. “In 2001, IT security took up maybe 4 per cent of a company’s IT budget, today, I would estimate that number at 15-20 per cent,” says Mohanty.

However, more money spent, does not always mean better security. Conflicting security systems could possibly leave holes in the boundary walls of a company’s IT system (See How to Protect Your Network).

Yet, at the government level, Indian network managers sound fairly confident. “I would believe given the amount of information that resides in India today, our networks are fairly secure.

That is not to say that we should get complacent, and as the amount of information we put online increases, we will need to increase network security,” says Gulshan Rai, Director, Computer Emergency Response Team-India (CERT-In). Estonia learnt that the hard way. India needn’t.