Software for meeting India’s Cyber- and IP-related challenges
By P. Chacko Joseph | March 3rd, 2009 | Category: Opinion, Security
Ten years ago, “cyber warfare” was an unfamiliar term in India. If it was recognized at all, it was as something abstract that happened to the United States’ Pentagon servers, where kids could break in and access data. It certainly had nothing to do with India. Then, when the Indian Computer Emergency Response Team (CERT-In, the apex authority in India for cyber safety) reported “5200 Indian websites defaced,” Indian netizens woke up. Indian banks started issuing phishing alerts for numerous phishing scams. (In 2007 alone, 392 cases were reported to CERT-In by various Indian and worldwide agencies, an average of 32 phishing cases a month.) GSM users started getting viruses on their handsets. The Pakistani terrorist network started using Russian servers to e-mail threats, posing as Indian terrorist groups. All of a sudden, cyber warfare became an all-too-real phenomenon.
Cyber and communications crimes attained maturity as a result of two incidents. The first was the hacking of a wireless network by the so-called Deccan Mujaheedin terrorists (desperate Pakistani terrorists use such generic names to project the group as an Indian outfit), which resulted in an e-mail threat that implicated a foreigner. The second incident was the use of a satellite phone and a Russian server by the Pakistani terrorists of Lashkar-e-Taiba (Jamaat-ud-Dawa) during the attack on Mumbai, which resulted in the deaths of more than 180 Indians and foreign citizens alike, women and children among them.
Technology used by hackers and other violators — past and future
Cybercriminals count DNS servers, the phonebooks of the Internet, among their technology of choice to amplify their assaults and disrupt online business. Social engineering, the use of nontechnical means to gain access to otherwise inaccessible information, has also become a big threat in recent years. One growing form of social engineering is the use of e-mail to get into networks. The hackers can then send e-mails with embedded code designed to gather information from their targets’ networks. The message may have a line in it that says something like “Click here for more information,” which will actually establish a link to a data collection site set up by the hacker. A bigger issue is Microsoft Word attachments that execute Trojan horses when opened. The attachment may include a virus or a worm, but it could also execute a keystroke logger or some other program for opening up a back door into a target’s network.
Many of today’s hackers and other violators also use blogs to store and distribute malicious code. Different hackers use blogs in different ways. Some may create a blog on a legitimate service, post viral or keylogging code on the page, and entice users to visit the page, where they are infected, using spam or spim. Others may use the blog only as storage for malware that previously planted Trojan horses access to update themselves or to install a keylogger onto the infected PC.
Threat environment
Cyber warfare goes far beyond the malicious hacking by teenagers seen years ago. This phenomenon occurs in a parallel, virtual world, and is essentially the “New Cold War”: it is organized, it is coordinated and it is well-funded. Cyber attackers are motivated politically, financially or maliciously.
In recent press coverage, it was reported that Indian ministries, government departments and other Web sites have been attacked by Chinese and Pakistani hackers. Attacks for financial gain are increasing, with scams that phish for personal financial data and then resell the stolen information.
According to India’s CERT-In, in 2006 a total of 5,211 Indian Web sites were defaced, averaging about 14 Web sites per day. Of all hacking incidents in October 2006, about 61 percent related to phishing, 27 percent to unauthorized scanning and 8 percent to viruses/worms under the malicious code category. India, like the western countries, has witnessed a massive rise in phishing attacks, with 180 percent more incidents in 2006 than in 2005, and the trend carrying through into 2007.
In August 2008, Silicon India News reported that an unknown Indian hacker was being charged with the greatest cyber-heist in history for allegedly helping a criminal gang steal identities of an estimated 8 million people in a hacking raid that could ultimately net billions in illegal funds.
What is the future of cyber threats?
The use of Trojans continues to dominate cyber warfare. And the use of bots and armies of botnets to unleash DDoS attacks and bring down networks will continue to be a critical part of cyber warfare as well.
According to the most recent Symantec Global Internet Security Threat Report, viruses accounted for 15 percent of potential infections by malicious code, worms accounted for 22 percent, back doors for 13 percent and Trojans for 71 percent. The Symantec report also cited the United States, China and Germany as the top three countries with the most malicious activity for the period July 1, 2007 through December 31, 2007. (India was not ranked in the top 10.)
Economic cost of such threats
In 2006, IBM conducted a global survey (excerpts from The Hindu) of more than 3,000 CIOs or other individuals qualified to answer questions about their company’s IT practices. It included 150 respondents from India. The survey showed that Indian businesses perceived cyber crime (44 percent) as a greater threat than physical crime (31 percent) to their business. Indian businesses felt that loss of revenue (75 percent versus 72 percent of global businesses) ranks as the highest key cost associated with cyber crime. Loss of market capitalisation (72 percent versus 47 percent of global businesses) ranks as their second-highest cost. Other costs for Indian businesses include damage to their brand/reputation (65 percent), loss of current customers (64 percent), loss of employee productivity (60 percent), loss of prospective customers (57 percent), and the cost of restoring service (53 percent), the report stated.
To get a general idea of the economic impact of this malicious behaviour, as per information from a 2007 report by Computer Economics, “Malware cost damages declined worldwide, but still exceed $13 billion. In 2006, direct damages fell to $13.3 billion, from $14.2 billion in 2005, and $17.5 billion in 2004.” However, the report states that this may be due to an underappreciation of the seriousness of bots. Additionally, although most organizations track the frequency of malware attacks, most do not formally track the economic impact of these events.
Are we prepared?
The 2006 IBM survey showed overconfidence among Indian businesses about containing the growing cyber crime threat. Sixty-nine percent of Indian businesses believed they were adequately safeguarded against organised cybercrime (compared with 59 percent of global businesses). When asked which two initiatives were the most important to undertake over the next year, Indian IT executives said:
a) Upgrading firewall (62 percent vs. 28 percent of global businesses)
b) Implementing vulnerability/patch management systems on the network (31 percent vs. 19 percent of global businesses)
Historically, and still today, Indian IT companies and operators have deployed siloed applications incrementally to address specific needs, each installed to solve one particular problem. This practice has led to a dispersion of information across many products that do not interact with each other, and to a large operational investment to manage and maintain this complex infrastructure.
Operators most often use deep packet inspection (DPI) for traffic management, and a wide range of solutions for traffic security, including firewalls, intrusion detection systems (IDSs), security event managers (SEMs) and network behavior anomaly detection (NBAD).

Each of these solutions brings something novel and important from an operational perspective, either as a useful tool to better manage the traffic itself or as a fundamental security shield against an ever-growing number of threats. Although each of these products is needed to carry out a specific type of analysis and function, a system that leverages the strengths of each can dramatically improve operational efficiencies. A system that can correlate and analyze all the information captured and processed, interpret and cluster associated alerts, and manage the overall infrastructure as a whole (monitor, diagnose, act on the data collected from a large pool of such solutions) from a single console is even more powerful.
To be brief, security without traffic intelligence won’t work, stovepipe solutions won’t work, and a “box” alone won’t work.
Narus: Defending India’s telecoms against cyber attacks
Narus is the only vendor to offer a real-time traffic intelligence system to adequately protect carrier-class networks. Narus shields some of the world’s largest carrier networks, and as such it sees 35 percent of the world’s Internet traffic. As a company, Narus is focused on helping its customers protect and manage their IP networks on a worldwide basis.
Currently, Narus projects that by the end of 2009, two-thirds of the IP-based service providers in India will use the NarusInsight real-time traffic intelligence software to protect and manage their large and complex IP networks. This software detects potential attacks and other network abnormalities in real time and directs actions that can prevent security breaches, unwanted traffic and network outages. Narus also provides carriers with software that enables them to meet India’s Department of Telecommunications Lawful Interception and Monitoring System regulations.
Going forward, Narus expects to play an even greater role in the management and security of networks belonging to India’s telecoms due to:
1) The growing number of carriers operating in India
2) The addition of new voice and data services these carriers are providing customers, such as voice-over-IP, cable and wireless
3) The greater sophistication of security threats, which include hackers who are becoming more adept at disabling entire networks. One example was evident in the 2007 Estonia attacks, which threatened an entire country’s commerce. A more recent example is Russia’s purported attack on Georgia’s IP networks.
While Narus is based in Silicon Valley, it has had a presence in Bangalore since 2004 and recently opened an office in New Delhi. Narus’ India teams do important research and development of new products, customer support, consulting, and sales. To that end, Avinash Agrawal was recently appointed to lead Narus’ India operation as managing director. Moreover, Narus’ worldwide engineering organization is managed by an Indian executive, Yogi Mistry, who is based in Silicon Valley.
Satyam Infoway (SIFY) is the first company in India to adopt NarusInsight. NarusInsight helps Sify to protect and manage its network traffic, capturing and analyzing network events on Sify’s backbone. It also helps Sify to evolve traffic intelligence solutions to include gray VoIP and network security.
Sify also uses Narus to meet government mandates for real-time intercept and precision targeting. (Thanks to Narus’ certification by the Telecommunications Engineering Centre, Department of Telecommunications, all Indian service providers may now leverage Narus technology to meet this mandate.)
NarusInsight
NarusInsight is Narus’ flagship product, and is the most scalable traffic intelligence system for capturing, analyzing and correlating IP traffic in real time.

NarusInsight provides a total network view across the world’s largest IP networks. This includes:
* Deep traffic inspection and full correlation of Layer 2 and Layer 7 information across all links and elements
* Industry-leading packet processing performance that supports network speeds up to OC-192/10G off the wire and uses a distributed architecture to scale so it can process multi-petabytes of data
* Carrier-class scalability and reliability with over 2.7 petabytes of IP traffic processed at a single customer, driving 100 billion packet records per day (greater than 7 terabytes) to upstream security applications
* Full traffic correlation across every link and element on the network
* Entropy-based security algorithms for unprecedented early detection of sophisticated anomalies such as low-volume and polymorphic worms, and next-generation traffic analysis with advanced algorithms for real-time security, intercept, traffic classification and mitigation.
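Entropy-based anomaly detection, as the list above describes it, keys on the shape of the traffic distribution rather than on raw volume. The following is an added illustration using constructed flow records; it is not Narus code (NarusInsight is proprietary and none of its logic appears on this page). A host that quietly probes a handful of new addresses barely changes the flow count but sharply raises the entropy of the destination-IP field, which is what the detector flags.

```python
import math
from collections import Counter, defaultdict

# Constructed sample flow records (not real traffic): (window, src_ip, dst_ip, dst_port).
# Windows 0-2: three clients each talk to three servers. Window 3: the same
# background traffic plus one host probing six new addresses on port 445.
CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
SERVERS = [("192.0.2.10", 80), ("192.0.2.20", 443), ("192.0.2.30", 53)]
FLOWS = [(w, c, d, p) for w in range(4) for c in CLIENTS for d, p in SERVERS]
FLOWS += [(3, "10.0.0.9", f"192.0.2.{100 + i}", 445) for i in range(6)]

FIELDS = ["src_ip", "dst_ip", "dst_port"]

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())

def window_entropies(flows):
    """Per window, the entropy of the source IP, destination IP and port fields."""
    by_window = defaultdict(list)
    for window, src, dst, port in flows:
        by_window[window].append((src, dst, port))
    return {
        window: {f: shannon_entropy(r[i] for r in recs) for i, f in enumerate(FIELDS)}
        for window, recs in sorted(by_window.items())
    }

def detect_anomalies(flows, baseline_windows, threshold_bits=1.0):
    """Flag (window, field, delta) where the field's entropy departs from the
    baseline mean by more than `threshold_bits`. A fixed threshold is an
    assumed simplification of the adaptive baselines a production system uses."""
    ent = window_entropies(flows)
    baseline = {f: sum(ent[w][f] for w in baseline_windows) / len(baseline_windows)
                for f in FIELDS}
    flagged = []
    for window, scores in ent.items():
        if window in baseline_windows:
            continue
        for f in FIELDS:
            delta = scores[f] - baseline[f]
            if abs(delta) > threshold_bits:
                flagged.append((window, f, round(delta, 2)))
    return flagged

if __name__ == "__main__":
    for window, scores in window_entropies(FLOWS).items():
        print(window, {k: round(v, 2) for k, v in scores.items()})
    print("anomalies:", detect_anomalies(FLOWS, baseline_windows=[0, 1, 2]))
```

In the scan window the source-IP and port entropies move by only about a third of a bit, while the destination-IP entropy jumps by more than a bit, so a per-field threshold separates the probing host from the background traffic without any flow-count rule.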
One of the key benefits of NarusInsight is that its programmable analytics engine provides flexibility to customers to develop their own solutions and proven integration models with third-party applications such as Cisco, IBM, Oracle, NetWitness, Frontix, Omniture and other customer applications.
Spend on network security appliance and software market
According to Gartner, worldwide security software revenue will increase from nearly $8.3 billion in 2006 to more than $13.5 billion in 2011. According to IDC, the Asia/Pacific (excluding Japan) market will grow from US$4.7 billion in 2007 to US$9.1 billion in 2012. RNCOS, an industry research firm, brought out a study, “Global IT Security Market Forecast to 2012.” The study states that the Indian IT security industry is moving strongly and is expected to continue scoring solid growth in the near future as security war chests widen further. The IT and BPO industries are currently the two biggest consumers of security solutions in India, boosting growth in the country’s IT security industry. The SMB segment is projected to account for around 44-48% of total IT spending in the country. The Indian IT security market in 2006-2007 totalled nearly Rs. 210 Crore (US$ 46.8 Million), and by the end of 2010 it is forecast to surge to Rs. 1,958 Crore (US$ 464.4 Million) on account of increasing demand from the business sector and continuous development of IT infrastructure. The growth momentum is likely to remain inclined towards the service side, where most solution providers will target managed services.

Cyber security through software and hardware is just one part of the security chain. As Mr. Praveen Dalal, Managing Partner of Perry4Law, says, the human element is the weakest link in the security chain. The big question is how you will make the human resource cyber security compliant. India has neither a strong cyber law nor cyber security nor cyber forensics capabilities. Perry4Law has recently introduced some landmark initiatives that would go a long way in providing effective cyber law, good cyber security and well-built cyber forensics capabilities. Kindly go through http://computerforensicsinindia.blogspot.com/ and http://legalenablementofictinindia.blogspot.com/ for the same. It would be a good idea to merge software systems with the techno-legal policies and strategies of India.