Why India is so vulnerable to Cyber Attacks?

In mid-August, news reports on the Scorpène leak — over 22,000 pages of sensitive data related to India’s Scorpène-class submarines was compromised — sent the Indian Navy and the government into a tizzy.

The dust had barely settled on the matter when news of one of the biggest breaches of financial data — information related to over three million debit cards was said to be hacked — sent millions scrambling to ATMs to change their security pin codes.

The Indian government and other organizations here have been the target of cyberattacks for a while now. Apart from the big attacks, smaller hackings like the defacement of government or institutional websites keep occurring intermittently. As recently as November 7, the websites of seven Indian missions in Europe and Africa were hacked and the data was allegedly made available online.

Earlier this year, popular music streaming service Gaana.com was hacked and the personal information of millions of users was stolen. Then there was the cyberattack on online ticketing platform RedBus.

As more and more financial transactions go online and digital financial inclusion rises, we’re left that much more vulnerable to data theft and security breaches. Spurred by the recent ban on Rs 500 and Rs 1,000 notes and the Modi government’s push toward making India a cashless economy, the number of digital financial transactions through netbanking, mobile wallets and online recharges have seen a sharp spike in the past week.

It’s for the first time in history that millions of Indian users are financially viable targets and cyber criminals are unlikely to miss this chance.

The threat of cyberattacks is right upon our doorstep. Let’s take a look at how prepared we are to face this almost certain eventuality and where the loopholes are.

Communication conundrum

The Indian Computer Emergency Response Team (CERT-in) under the Ministry of Electronics and Information Technology (MEIT) is the national nodal agency tasked with dealing with cybersecurity threats in India. One of its responsibilities is to look into cybersecurity incidents that concern Indian users and to issue guidelines, advisories, vulnerability notes, etc relating to preventing, responding and reporting of cybercrime incidents.

Although CERT-in publishes security alerts regularly, if one goes through their security alerts, their messaging doesn’t guide regular internet users when incidents happen, nor does it proactively investigate leaks or publish remedial measures. You could see that even in the case of recent events like the AXIS Bank hacking and the debit card information leak, no guidelines were issued by CERT-in. It seems like the entire system was caught unaware. But, with an increasing number of cyberattacks affecting millions occurring in India, it’s time for CERT-In to establish an easily accessible communication channel to reach out to users when required.

Government agencies too don’t bother to keep the public informed when a cybersecurity breach occurs. Point in case, the National Informatics Centre (NIC), India’s “prime builder” of e-governance applications. In June 2014, the NIC, which holds several intermediate certificate authority (CA) certificates trusted by the Indian Controller of Certifying Authorities (India CCA), was caught issuing unauthorized certificates related to Google’s domain. Google alerted the NIC and blocked the certificates. A week later, the NIC responded that its issuance process had been compromised and that it had issued only four certificates.

The NIC, which spearheads the implementation of ICT applications in social and public administration, didn’t give the public any other information about this security compromise. There may have been many other unauthorized certificates issued that could have put citizens using e-governance apps at risk of data loss. With zero communication from CERT-In and from government agencies, it becomes almost impossible for people and companies to defend against cyberattacks.

Private organizations in India are equally bad when it comes to communicating about data breaches. They are secretive and even careless about hackings or leaks. Read how an ethical hacker found a bug in Ola’s APIs and broke into their money transaction system. He informed the company about the “hack”, in response to which Ola allegedly requested him not to disclose the bug in public.

Butchering the bugs

Across the world, bug bounty programs are becoming an important way of detecting and fixing security loopholes. But most organisations in India don’t have a way to report vulnerabilities securely or any bug bounty programs in place.

To tackle bugs, organizations can also tap into resources such as the OWASP Top Ten, an awareness document on web application security flaws published by the Open Web Application Security Project (OWASP). The OWASP is a not-for-profit open community dedicated to encouraging and enabling institutions to develop, operate and maintain applications that can be trusted.

The OWASP Top Ten provides a window into the world of the most critical web application security flaws. The recent leaks from India and around the world find a place in the OWSAP Top Ten. Adopting the awareness document can be help companies change their software development culture into one that produces secure code.

Conferences and meetups are another platform for exchanging ideas and information on security threats and best practices to prevent and tackle them. Null, India’s largest open security community, organises such meetups and conferences to spread information security awareness. Though it is doing great work, Null, registered as a non-profit, is being able to reach out to a only a small set of technologists. The information security field needs more such events and sharing of information and knowledge to tackle rising cybersecurity threats.

So, why do Indian companies ignore imperative security issues exposing themselves to cyberattacks? Here are the reasons:

Speed thrills, and leaves companies open to breaches

More often than not, software and application developers wear blinkers. They have a first-to-market mindset and are completely focused on development, with a tendency to ignore security and privacy issues.

While building minimum viable products (MVP) — development of a new product with just sufficient features to satisfy early adopters — security is completely ignored. As the product gets more users, the focus shifts to scalability. After an MVP becomes a success, there is a good chance that final product is built without much re-architecture to include security and privacy aspects in the final, complete set of features.

When process is boring

Unless a product has a multi-year development cycle or an organisation follows a secure software development lifecycle, architects usually don’t perform threat modeling. A threat model is a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses.

“If organizations start with threat modeling and follow the secure software development lifecycle, a good bunch of threats can be mitigated/answered, but unfortunately that’s not the case most of the times,” said Krishna Chaitanya T, an application security consultant at a leading IT company, in a Twitter direct message interview. He tweets from @novogeek.

Without threat modeling, it’s impossible to develop, test or deploy a product that is both reliable and secure. But, most organizations, both small and big, ignore it in the interest of faster delivery of products and services.

Ignoring internal security threats

Internal security is often the most ignored aspect of IT in organizations and creates the biggest security gaps. If data flows to and from different departments without a proper logging and monitoring process, it becomes difficult to protect and later identify the point of leak in case a breach happens.

Earlier this year, three Kolkata-based employees of Wipro were arrested in a case related to data security breach of a UK telecom company. Though there is not much information on the incident in the public domain, the high-profile hacking reportedly took place in October 2015. The matter came to light during a data security review by the telecom firm, TalkTalk, which then alerted the Indian police. The incident is a clear example of how lack of processes in data flows between an organization and the vendors can lead to security breaches. This is not new to the Indian BPO sector, which has seen many more customer data leaks in the past.

Now, there are thousands of BPOs servicing Indian companies as well. Given the callousness with which how Indian companies treat customer data, BPOs seem to be the biggest threat to data security breaches, whether it be banks or telecom firms.
The rise of big data and analytics leaves even more security gaps in customer data handling. With companies trying to mine big data to gain marketing and customer insights, it’s highly likely that customer data gets shared with various vendors. If proper processes and vetting are not in place when the data leaves the concerned organization, there’s a high risk of leaks.

Personal online security hygiene of employees is also usually ignored by Indian companies. With employees increasingly bringing their own devices to work, accessing their personal e-mail and social media sites in office and the overall merging of work and personal life online, cyber threats can easily creep in through unsecured personal accounts. Companies need to promote good personal security hygiene, especially for teams working in critical areas.

Struggling with system maintenance

Maintenance is the biggest and most important work of a company’s IT department. Unlike most physical products, software products are constantly and rapidly evolving. Most IT teams, in their hurry to incorporate software upgrades and changes, overlook the all-important issue of robust testing before rolling out new codes.

There have been many instances in which even a small change in a code that got tested badly (forget security testing) has created havoc among consumers. The recent leak of customer data from Red Cross Australia shows how badly IT systems are setup in medium-sized organisations. A third-party vendor with whom the database was shared had it stored in a web accessible folder. So, the entire database dump was available on the internet.

Some data breaches are simple and straightforward and are dependent on how system passwords are maintained or how the backups are managed. There are also instances where developers have leaked sensitive customer data in logs, through comments in the code, or through external API calls and content delivery networks.

Tackling external threats

There are external threats for which organisations can’t be 100% prepared, but they should have a plan of action in place to monitor such threats and mitigate attacks as and when they happens. The latest hack is zero day exploits (that take advantage of a security vulnerability on the same day that the vulnerability becomes known), which are being used by both blackhats and institutions alike to gain an edge in upping cybersecurity. There is probably no better way of handling zero days than keeping your eyes and ears open and your software up to date.

To insulate itself from external threats, if an organisation is using products from different vendors, it’s a must to make sure all those vendors report to you about the threats. However, according to the last KMPG Data Security Privacy Survey, more than half the organisations surveyed do not mandate vendors / third parties to report new threats and vulnerabilities in their products / services. This qualifies as borderline negligence.

It’s now or never. Indian organisations must pay attention to security and develop a holistic approach to keep the bugs and hackers out of their systems. This is possible by building better cooperation between private and public institutions, building a better community of security experts, sharing knowledge of best practices. Most importantly, they need to include the end user in the process-building activity and keeping them informed in case something goes wrong.

This post first appeared on FactorDaily as Why are Indian users so vulnerable to cyberattacks?. Edited by Prakriti.