<?xml version="1.0" encoding="UTF-8"?><root available-locales="en_US," default-locale="en_US"><static-content language-id="en_US"><![CDATA[<p><em>The one thing that people want to protect today is the data that they have. It could be on a mobile device, a laptop, a tablet or on the company's server. However, protecting it has become all the more difficult. That's where Verizon Business comes in. It brings out an annual Data Breach Investigation Report (DBIR) in conjunction with experts including the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police. The DBIR report spans 855 data breaches across 174 million stolen records. <strong>A. Bryan Sartin</strong>, Director, Investigative Response, Verizon Business, was in India to attend the Nasscom Security Summit. Sartin spoke to BW's <strong>Anup Jayaram</strong> on the issues in securing data and where India is today.</em><br><br>Excerpts:<br><br><strong>Can you tell us what Verizon Business does on security? How is that important for India now?</strong><br>I head a specialty team in Verizon called the RISK team. That stands for Research, Investigations, Solutions and Knowledge. We have two very specific areas of focus in Verizon. One is investigations—digital forensics, computers and response, electronic discovery, IT investigations when security is undermined, when security becomes a problem for Verizon customers or for anyone in the world, public or private sector. We are the world's leading non-military IT investigation team. So we are called to perform investigations and coordinate with law enforcement.<br><br>Our second objective is all about intelligence. We see what happens when security becomes a problem and we go case by case picking up artifacts of intelligence, converting that into knowledge, particularly security knowledge.
We hope to drive that back into the ground, make our people smarter and drive that back to customers.<br><br>That's one of the reasons I am here. India is a very hot market investigations-wise. There's a tremendous amount of demand for response to electronic crimes, cyber crimes. So we have investigations going on here in India right now. I am not here for supervisory capacity but also speaking to customers. There are a few of them. There is a lot of action here both on the civil and the criminal side. Our electronic discovery business, which is litigation support for civil matters, has always been a big area. Starting last year, data breach investigations in India have picked up a lot for us.<br><br><strong>Any particular reason for that?</strong><br>I think so, yes. At an overarching level, we are seeing some trends. There is a general trend in electronic crimes, away from financially motivated crimes towards "hacktivism" and especially cyber espionage and cyber warfare. Cyber espionage in particular is a crime that targets intellectual property. India is heavy in intellectual property. As India grows, intellectual property here will also grow. I would say, based on the demand we see in India now, this is one of the top two or three sources of electronic crime.<br><br><strong>What's the kind of electronic crime that you have seen?</strong><br>The worst in terms of uninteresting and least sophistication are financial crimes. Historically, 90 per cent of all the crime we saw was financially motivated. Those were attacks against banks and insurers, big retailers and targeting consumer records. Ten years ago, we used to see very sophisticated attacks in that arena. But, they have not become more sophisticated. They have in fact become less sophisticated over time. We still see more financial crimes than others. Criminals are picking small targets like hotels, pharmacies, restaurants. That's the boring side.
We see the same old stuff over and over again.<br><br>On the other end of the spectrum, hacktivism has been an amazing adversary over the last year with groups like Anonymous. That's a totally different kind of adversary. Instead of being entities closely affiliated to crime, these are anyone not already affiliated to a group. All of us might be Anonymous and not know about it. The nature of these crimes is revenge. They are retaliatory crimes. They are politically motivated and they are to damage the reputation of the victim. And there are thousands of ways to do that. Hacking and stealing data is just one of those. And because of that helping customers understand the nature of the threat, how to detect it, how to prevent it. That's a big focus for us. You can deface someone's website. You can get into their e-mail system and find embarrassing things and post them online. We have always seen proprietary kind of data posted online. That's clearly an indication that your security is not so effective.<br><br><strong>What's the strangest case that you have seen?</strong><br>In a real twist, we had a major hacktivism case in the US this past year where credit card information was stolen and the perpetrators took credit cards and made donations to charities in the victims' names. And pretty sizeable donations in some cases. One of the interesting twists that came out of that was that many of the victims, when they found out what was done with their money, were very reluctant to retract the donation even though it was made illegally. That's a funny twist. Isn't it!!<br><br><strong>Recently Yahoo had some IDs hacked into…</strong><br>That's right. The information that you read online made it sound like a SQL injection attack. I am very surprised that it happened. You must have seen in our DBIR, that SQL injection was big three or four years ago. At one point it accounted for 80 per cent of stolen records. It was discovered as a threat in 1998.
So, it's been there for over 10 years. It is one of the easiest attacks to detect when it is happening against your systems and networks. It is one of the easiest vulnerabilities to diagnose. You can even do it with a few keystrokes. So to see an entity like that suffer a SQL injection attack in this day and age is a little bit shocking. What didn't shock me is how weak password security is. Apparently, so many of those passwords were posted online. Massive quantities of passwords were common to many websites. And as I understand there were many people who used the same password there and on Google mail. Talk about weak password security.<br><br>That facilitates account takeover. Password security is something most enterprises across the globe have figured out very well. But it needs a lot more. In around 70 per cent of all data breaches, the initial point of entry is remote access. The top five actions that lead to a threat to data, whether you talk about small victims, large victims, you talk about cyber warfare situations, weak password security factors into a lot of those.<br><br><strong>How do you analyse the data breaches that you detect?</strong><br>We build attribution tables from every data breach that we investigate. It is the science behind tracking and collecting artifacts and intelligence from each case. In about two-thirds of the cases, we can say specifically who is behind the breach even down to the individual's name. We know their aliases; we know the outlets through which they buy stolen data. Often, we know data breaches they have been affiliated to in the past. Using attribution tables helps us tie up tools, methods and techniques, down to names of adversaries, and build tables linking individuals to crimes. We do that to set the stage for prosecution.
But the more we exchange that kind of intelligence with enforcement agencies and governments around the globe, the better we will get.<br><br><strong>Are people finally prosecuted for such crimes?</strong><br>In fact, very, very often. It is far more often than most people think. Internationally there is a perception, especially in India, that these kinds of crimes never lead to arrests, especially when the perpetrator is outside of India. If the attack comes from China, the US or Mexico, people don't think it leads to something. But they do. That's part of the problem. The public is so interested in the victims, who is getting hacked? And they are interested in whether their data was stolen. People seem to be less interested in criminals being brought to justice for some reason. That's unfortunate.<br><br>That reminds me of the fact that these days something that is factored into hacktivism is personal information. It is not PII (personal identifiable information); it is as much about that data that people make available willingly online on platforms like Facebook, MySpace and LinkedIn profiles.<br><br><strong>What problems arise from such data posted online?</strong></p>
<table style="width: 200px;" align="left" border="0" cellpadding="8" cellspacing="8">
<tbody>
<tr>
<td><img src="/businessworld/system/files/images/A-Bryan-Sartin-2_BB_200x268.jpg" height="268" width="200"></td>
</tr>
<tr>
<td><strong>Sartin: The RISK Man (BW Pic by Bivash Banerjee)<br></strong></td>
</tr>
</tbody>
</table>
<p>Let me give you an example of what I was referring to. There was a big data breach, intellectual property that was stolen. This made headlines all around the globe. In the investigation we found exactly how it started. The criminal sent eight emails, eight different messages. They included a PDF attachment and there was malware implanted in the header. If someone opened it, it would execute on their system. Only one of the eight victims fell to it and she had some interesting hobbies. One of them was knitting. She had one of these knitting blogs where she would spend an hour a day in her office reading blogs.<br><br>She was a technical person by the way, a member of the security department of that company. She was a trainer. She went around to different company offices teaching people things like don't tape your password on the keyboard. She receives an email from her favourite knitting blog and it had an attachment which appeared to be a platinum membership subscription. She had never received an email from the knitting blog. And all of a sudden when she sees that, all the security training goes right out of the window. She opens the attachment and there was no text inside the attachment. It's blank.<br><br>Being the technical person she was, she forwarded the mail to the webmaster of the favourite knitting blog and said this is obviously corrupted in transit. So could you please resend it? It spread from there.<br><br><strong>How big a threat are data breaches to the world?</strong><br>They haven't been so big a threat historically. If you look at the number of crimes targeting consumer behaviour, debit cards historically were a big target. In most countries there is this concept of zero liability for the loss, so long as the card holder reports the fraud. The victims really have been banks and the merchants rather than the individuals.<br><br>Cyber warfare targets are very, very different.
Instead of being the retailer, the restaurant or the healthcare company, it is the power plants, the water districts, the manufacturing companies, it's the critical infrastructure inside a given country. Most countries around the world, India included, are looking at better ways to secure the nation's assets. They have to prioritize and protect themselves from possibly the most threatening situations, which are things that affect large swathes of voters. Ultimately, water districts and things that take the power grid offline are worst case scenarios. The migration from cyber crimes to cyber warfare and cyber espionage affects the individual consumer more than it has done historically.<br><br><strong>Do you see IT security becoming a bigger threat as we go along?</strong><br>It's getting bigger as we go along. You look at mobility – machine to machine type, the diversified supply chain management and things like that. Mobile workforce and work from home employees. The need for security is becoming more acute, the awareness of that need is becoming more acute. In the last 10 years things have really changed. Security is not something in a box that once you do you have it. It's not about a technology but about a process.<br><br>There was a mindset shift change about 5-6 years ago. Up until then, people thought good security was about protecting everything in the network. Nowadays, people are realising, security is more about data, more than about networks and tangible things. You are responsible for the data as a security professional, whether it is within the confines of your network or outside. With mobile forces being what they are, with tablet computers and smart phones, we are poking more holes in and out of that perimeter. So security needs to change.<br><br><strong>What about when senior officials lose their laptops?</strong><br>When people leave BlackBerrys in taxicabs and laptops at train stations, there are easy ways to control this.
Disk encryption on the laptop is not difficult. Once the content is encrypted you can't use it. If I tell IT and security that I have lost my device, they can instantly wipe it remotely. There are little smart steps that people can take to mitigate the risk.<br><br>There is the other issue of convenience these days with tablets connecting to the company's network. You see CIOs pointing out that end users simply want it to do their job. They need to access their email anywhere in the world with their smart phones. But, they also know that they do not have a good means of securing those devices. So it's convenience versus good security, and right now it is convenience that is ahead.<br><br>In India I see some very positive and compelling developments. It is very common in the US. India and the US are very much in the same place. There is a concern over the need for cyber intelligence. You see our data risk report. Take for example that crimes don't happen in minutes. They happen over weeks, months and years. On average it is seven months from point of entry to the time that the victim finds out. In 90 per cent of the times, the victim does not find out on their own but from a third party. Those are shocking statistics. They actually get worse every year, not better. You get a feeling that people are fighting modern era crimes with tools that are from the early 90s. The path forward is cyber intelligence and the sharing of intelligence.<br><br></p>