Cyber Law, Cyber Security, Privacy, Data Protection Blog - FREE TO SHARE
Wednesday, December 24, 2014
Thursday, December 11, 2014
Cyber Security: Build a Culture of Prevention in Your Organisation
Prashant Mali,
Cyber Security Policy & Law Expert - India
“You cannot
buy the revolution. You cannot make the revolution. You can only be the
revolution. It is in your spirit, or it is nowhere.”
― Ursula K. Le Guin, The Dispossessed
Today every organisation needs a “cyber security revolution”, that is, it needs
to build a culture of cyber security within the organisation. A strong cyber
security culture is both a mindset and a mode of operation. One that is
integrated into day-to-day thinking and decision-making makes for a very hard
target. Conversely, an absent security culture breeds uncertainty and
ultimately leads to security incidents that you likely cannot afford to take on.
The same reasoning makes cyber insurance, which carries the residual risk that
controls cannot remove, part of the organisation's culture.
What is an organisation's cyber security culture?
An organisation's cyber security culture is the set of styles, approaches and
values that it adopts towards cyber security.
The lack of robust security protocols and standards for data exchange between
enterprise systems, devices and personal/home devices puts organisations at
increased risk and exposure. By employing a comprehensive threat intelligence
strategy, however, organisations can defend against adversaries more
effectively, proactively and sustainably. Policies, procedures and training can
further prevent attacks and make users mindful before clicking links, executing
files or sharing account information. As one formulation puts it: “When
building cyber security capabilities, a Chief Security Officer must be able to
identify data in an organizational environment, know the systems, devices and
networks on which they are located, and build a security profile around them
that addresses potential vulnerabilities.”
A strong cyber defence strategy should address how to prepare for and monitor
attacks, respond to them and ultimately recover from breaches. At a minimum,
the security architecture should be able to stall adversarial efforts, thwart
attacks at each phase and facilitate a rapid response. Several cyber security
frameworks, such as ISO/IEC 27001, COBIT and the NIST Cybersecurity Framework,
can serve as guidelines for developing that architecture. By overlaying them
with counter-measures to the tactics, techniques and procedures (TTPs) that a
threat adversary may employ, CISOs can develop a robust defensive
infrastructure.
Many of these defensive strategies fall broadly into three classes:
1. Mitigate threats before they enter the network by having the basic controls
in place, such as ensuring that operating systems and the anti-malware, web
filtering and antivirus software on servers and endpoints are updated and
patched to reduce the risk of vulnerabilities and infections. At the primary
level, preventive measures are implemented through layers of firewall
technology that stop known attacks. At the secondary level, the potential
damage of a breach is limited through automated alerts and notifications that
quickly activate the appropriate response measures under the security
protocols. By training employees and building a culture of cyber security from
top management to workers on the ground, many breaches can be prevented
upstream through user awareness of potentially malicious links, e-mails,
websites, advertisements and files. As Kevin Mitnick notes in his book The Art
of Deception: Controlling the Human Element of Security, technological methods
of protecting information may be effective in their respective ways; however,
many losses are caused not by a lack of technology or faulty technology but by
the users of technology and faulty human behaviour. It stands to reason, then,
that people are not only part of the problem but can and should be part of the
solution.
2. Discover threats that have entered or tried to enter systems. No
organisation can prevent every cyber attack, so it is important to build a
response system that alerts your security staff, rapidly identifies a breach
and its scope, and notifies the other enforcement points so that the breach
can be contained without extensive collateral damage. Depending on the
adversary, an organisation may be better served by quietly disrupting and
throttling an attack than by a knee-jerk reaction that tips off the adversary
and invites further attacks.
3. Respond to threats that have breached the network. In addition to sandbox
appliances, which detonate suspicious files in isolation to detect novel
threats, some organisations should deploy internal network firewalls so that an
attack can be contained and mitigated once the perimeter has already been
breached. Depending on the extent to which data is stored on internal or
external servers, organisations may also need to coordinate their breach
response with other entities, such as hosting and cloud providers.
The risk of cyber attacks is no longer limited to the IT desk; it is a key
business issue that must be addressed by the Board. No organisation can be
completely immune from cyber attacks and adversaries, but each can take
appropriate measures to erect defences and integrate cyber security into the
business environment and culture. Management buy-in, establishing policies and
updating them regularly, identifying and communicating the security awareness
goals and message clearly and often, and performing assessments are crucial to
a successful cyber security awareness programme. By implementing these
changes, organisations can reach higher levels of security awareness maturity
and benefit from a stronger cyber security culture.
Tuesday, December 2, 2014
Definitions for Cyber World
Cyberspace
Cyberspace is the total landscape of technology-mediated
communication. This includes not only the internet and the World Wide
Web but also mobile and fixed phone networks, satellite and cable
television, radio, the Global Positioning System (GPS), air traffic control
systems, military rocket guidance systems, sensor networks, etc. As more
devices become interlinked through the processes of digital convergence,
cyberspace is rapidly covering more of our physical world and channels of
communication and expression. Importantly, cyberspace also includes the
people that use these devices and networks.
The Internet
A subset of cyberspace, the internet is a system of
interconnected computer networks. The internet is comprised of both
hardware and software that facilitate data transfer across a network of
networks, ranging from local to global in scale, and encompassing private,
public, corporate, government and academic networks. Functioning
primarily as a global data exchange system, it carries a wide range of
resources such as email, instant messaging, file transfer, virtual worlds,
peer-to-peer file sharing, and the World Wide Web (WWW).
The Web
The World Wide Web (or, simply, the web) is a more recent development than the
internet, with its origins in the European academic community of the late
1980s. The web is one of the many services reliant on the internet. It
consists of an assemblage of files (audio, video, text and multimedia), each
assigned an address, which are connected to one another through hyperlinks
(more commonly, links). The contents of the web are (usually) accessed via the
internet using software known as browsers.
User-generated Content
User-generated content (also user-created content) is an umbrella term
referring to a wide range of online materials that are created by internet
users themselves. User-generated content has blurred the distinction between
the ‘producers’ and ‘consumers’ of information. It is thought to be behind the
massive expansion of the internet in recent years, which now encompasses a
wide variety of blogs, discussion and review sites, social networking sites,
and video and photo sharing sites.
Radicalisation
Most of the definitions currently in circulation describe radicalisation as
the process (or processes) whereby individuals or groups come to approve of
and (ultimately) participate in the use of violence for political aims. Some
authors refer to ‘violent radicalisation’ in order to emphasise the violent
outcome and distinguish the process from non-violent forms of ‘radical’
thinking.
Extremism
Extremism can be used to refer to political ideologies
that oppose a society’s core values and principles. In the context of liberal
democracies this could be applied to any ideology that advocates racial
or religious supremacy and/or opposes the core principles of democracy
and universal human rights. The term can also be used to describe the
methods through which political actors attempt to realise their aims, that is,
by using means that ‘show disregard for the life, liberty, and human rights
of others’.
Saturday, November 29, 2014
Monday, November 17, 2014
Cyber Pornography in India – Sprouting of a Hydra’s head
By Adv.
Prashant Mali, Cyber Law & Cyber Security Expert, Author, Speaker
Email : prashant.mali@cyberlawconsulting.com | Mobile : +919821763157
The etymology of pornography can be traced to the Greek pornē (prostitute)
and graphein (to write or describe), and so it originally meant the
description of the life, manners, etc. of prostitutes and their patrons. The
first known use of the word to describe something similar to pornography as
understood today was in the eighteenth century, when the city of Pompeii was
excavated. The city was full of erotic art, frescoes, symbols, inscriptions
and artefacts that its excavators regarded as ‘pornographic’. One of the
commonly accepted modern definitions of “pornography” is sexually explicit
material that is primarily designed to produce sexual arousal in viewers. In
India, pornography is seen as an aggravated form of obscenity.
In India, amateur pornography production, with or without the consent of the
women involved, is higher than the consumption of industry-produced porn.
Effective control of pornography over the Internet needs an amalgamation of
education, law, technology and governance. The law alone is toothless if it
cannot be enforced.
Now, if it is rightly said that two-thirds of India's population is below 35
years of age, that also signifies a sexually active population in the timid
culture of India, where anything related to sex is itself taboo. Watching
cyber pornography is the outlet through which these sexually repressed minds
exercise their right to privacy and feed their hunger for information.
If digression is synonymous with excursion, then yes, the age group under
discussion has every right to make such an excursion. ‘Distortion’ is itself
the wrong word in this context if you take cyber pornography to be an act
committed by real humans. If ‘distress’ is synonymous with pain and suffering,
then it describes only the petitioner's feelings, because the audience of
cyber pornography never feels distress unless physically incapacitated. Seeing
cyber pornography as manoranjan (entertainment) is itself a half-cooked
thought. I feel cyber pornography is viewed for pleasure (prasannata, khushi,
anand). To argue further, in Freudian psychology the pleasure principle is the
instinctual seeking of pleasure and avoidance of pain in order to satisfy
biological and psychological needs; specifically, it is the driving force
guiding the id. Epicurus in the ancient world and Jeremy Bentham in the modern
laid stress upon the role of pleasure in directing human life, the latter
stating: "Nature has placed mankind under the governance of two sovereign
masters, pain and pleasure." Cyber pornography has grown so much because it is
associated with pleasure, not with manoranjan (entertainment) as claimed by
the petitioner.
As for manobhanjan (destruction of the mind), some gurus have said that
destroying the mind is another path to samadhi, so this theory and idea
becomes debatable.
The statistics used in the petition under discussion are based on newspaper
reports, never credible evidence in any court of law; they state that 70% of
online traffic is connected to pornography. A 2010 analysis published by
ExtremeTech suggests the opposite: only about 30% of internet traffic relates
to pornography. India now has over 20 crore Internet users in a population of
around 121 crore, and labelling 14 crore people as cyber pornography watchers
is more than ambitious.
The concerns raised by the petitioner with regard to child pornography are
justified, but around 120 countries, including India, already have strong laws
against child pornography because they have ratified the Optional Protocol to
the Convention on the Rights of the Child on the sale of children, child
prostitution and child pornography. Section 67B of the IT Act, 2000 deals with
child pornography: not only publishing, transmitting or browsing it, but even
seeking such material through a search engine, is a cognizable and
non-bailable offence. So when it comes to child pornography India already has
the law; the question is one of equal enforcement throughout the country and
of effective pre-emptive measures. The Indian ISP association, together with
the police, should hold a monthly review meeting to block known websites that
spread child pornography and some types of extreme porn. I sympathise with the
Government's view that not all porn sites can be banned because of
technological limitations, but I strongly suggest a concerted effort by the
stakeholders to show some action that acts as a deterrent to the child porn
industry operating or exhibiting within the cyber boundaries of India. Action
speaks louder than a thousand words, and that is what is missing when it comes
to blocking a few known websites, even if websites sprout like the Hydra's
heads.
With almost no sex education across the country, limited pornography also
serves as a tool of sexual education for information seekers. If pornography
is a threat to women, then I feel they should be protected by better
implementation of legal reforms and stronger rights against invasion of their
privacy, including the exploitation of a woman's body by taking images or
video without her consent. Sexually explicit material has been around in
India in the form of temple statues, the Kamasutra, etc., but that was what
we would call soft porn (not to be confused with violent porn). Even print
porn has only been around in India for the last two decades or so and is
strictly censored, again to soft-porn levels. What India is being exposed to
right now, all of a sudden, is violent porn from the West.
Law as it stands:
Pornography and obscenity are very sensitive issues all over the world, yet
there is no settled definition of either word under any law. Whether a given
pornographic ‘work’ may be termed obscene is determined, in the United States,
by applying what is known as the Miller test (the three-prong obscenity test),
developed by the US Supreme Court in the landmark case of Miller v. California
(1973). This test poses three questions about the work under scrutiny:
§ Whether the average person, applying ‘contemporary community standards’,
would find that the work, taken as a whole, appeals to the prurient interest
§ Whether the work depicts or describes, in a patently offensive way, sexual
conduct specifically defined by applicable state law
§ Whether the work, taken as a whole, lacks serious literary, artistic,
political, or scientific value
Section 292 of the Indian Penal Code (IPC) defines obscenity as that which is
‘lascivious or appeals to the prurient interest or tends to deprave or corrupt
persons’. In the recent Supreme Court judgment on obscenity in Aveek Sarkar &
Anr v. State of West Bengal & Ors (2014), it was held that a nude picture of a
woman is not obscene per se. That judgment discarded the Hicklin test, which
Indian courts had used until then to interpret obscenity, in favour of the
community standards test.
Besides shunning the temptation to share salacious videos, the mobile user
should be wary of misusing his mobile to invade somebody's privacy. Section
66E, one of the amendments made to the IT Act, 2000, introduced punishment of
up to three years' imprisonment, a fine of up to two lakh rupees, or both, for
whoever "intentionally or knowingly captures, publishes or transmits the image
of a private area of any person without his or her consent, under
circumstances violating the privacy of that person".
Under S.354C of the Indian Penal Code on voyeurism, the offence includes
capturing the image of a woman engaged in a private act, without her consent,
with a hidden camera or device. If the woman consents to the capture of the
images but not to their dissemination, disseminating them is still an offence
under the same section. The punishment is one to three years' imprisonment on
a first conviction and three to seven years on a subsequent conviction.
Forcibly showing pornography to a woman is also sexual harassment under S.354A
of the Indian Penal Code.
Summing up, Sections 66E, 67, 67A and 67B of the IT Act, 2000 address
pornography and child pornography, the latter along the lines of the
Protection of Children from Sexual Offences (POCSO) Act, 2012.
Cyber Pornography and Right to Privacy
Canadians have the right to be anonymous on the internet, and police must
obtain a warrant to uncover their identities, Canada's top court ruled in
R. v. Spencer, 2014 SCC 43. The landmark decision of the Supreme Court of
Canada bars internet service providers from voluntarily disclosing the names,
addresses and phone numbers of their customers to law enforcement officials in
response to a simple request.
In India, our Constitution does not contain a specific provision on privacy,
but the right to privacy has been spelt out by our Supreme Court from Art.
19(1)(a), dealing with freedom of speech and expression, Art. 19(1)(d), dealing
with the right to freedom of movement, and Art. 21, which deals with the right
to life and liberty. In Govind v. State of MP (1975), Mathew J. developed the
law of privacy. The learned Judge held that a privacy claim deserves to be
denied only when an important countervailing interest is shown to be superior,
or where a compelling state interest is shown. If the court finds that a
claimed right is entitled to protection as a fundamental privacy right, a law
infringing it must satisfy the compelling state interest test; the question
then is whether the state interest is of such paramount importance as would
justify an infringement of the right. In Naz Foundation v. Government of NCT
of Delhi (2009), the Delhi High Court took the right of privacy to a new
level. The Court held that privacy recognises a right to a sphere of private
intimacy and autonomy which allows us to establish and nurture human
relationships without interference from the outside community. The way in
which one gives expression to one's sexuality is at the core of this area of
private intimacy. If, in expressing one's sexuality, one acts consensually and
without harming the other, invasion of that precinct is a breach of privacy.
(The Supreme Court set that judgment aside in Suresh Kumar Koushal v. Naz
Foundation (2013).) Since the making and viewing of pornography are a medium
of expression of one's sexuality, it follows that they fall within the ambit
of the right to privacy, provided the material is made and viewed privately by
consenting adults and thereby causes no harm to others.
Conclusion
The line demarcating the ‘decent’ from the ‘obscene’ is still vague, and the
distinction is ambiguous because it rests on individual interpretation. The
concept of ‘violent pornography’ (which includes rape, fetish, kinky and
sadomasochistic material) needs to be adequately defined in existing law, so
that new sections competent to deal with it can be inserted or the existing
provisions modified to tackle the problem effectively. Restricting ‘violent
pornography’ by using “intelligent filters” at ISP level, linked to globally
available databases or to self-created, updatable databases, can prove an
efficacious remedy that arrests it in some proportion, because completely
eradicating cyber pornography would be like plucking out the Hydra's sprouted
heads, which are known to regenerate.
Tuesday, July 22, 2014
How Phishing is Done via Malicious Code
For hackers, phishing out your personal data is as easy as sitting in a canoe on a still pond, casting the bait and waiting for the fish to bite.
Far too many people never learn about phishing scams, a favourite and extremely prevalent scam among cybercriminals.
One type of phishing scam lures the user onto a malicious website. ZeuS (Zbot) is an example: planted on a website, it is downloaded to your device when you visit (a drive-by download), steals your online banking credentials and forwards them to a remote server, where the thief collects them. Very clever.
But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail, and then taking that gullibility one step further by clicking the link to the malicious site.
10 Phishing Alerts
- An unfamiliar e-mail or sender. If it were earth-shaking news, you would probably be notified in person or by a voice phone call.
- An e-mail that requests personal information, particularly financial. If the message carries the name and logo of your bank, phone the bank (using the number on your card or statement, not one given in the e-mail) and ask about the message.
- An e-mail requesting credit card information, a password, username, etc.
- A subject line of an urgent nature, particularly if it ends with an exclamation point.
Additional Tips
- Keep the computer browser up-to-date.
- If a form inside an e-mail requests personal information, delete the e-mail.
- The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
- Check out special toolbars that can be installed in a web browser to help guard the user from malicious sites; this toolbar provides fast alerts when it detects a fraudulent site.
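The indicators in the two lists above can be checked mechanically. The following is an added example written for this page, not code from the original post: a small Python scorer that parses a raw e-mail with the standard library and flags an unfamiliar sender, an urgent subject, requests for credentials, a form embedded in the body, and a link whose visible text names a different domain from its real destination. The KNOWN_SENDERS allow-list, the domain names and the two sample messages are constructed for the example.

```python
"""Phishing-indicator scorer (added example, not code from the original post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: addresses this mailbox has corresponded with before.
KNOWN_SENDERS = {"alice@examplebank.com", "bob@colleague.example"}

CREDENTIAL_RE = re.compile(
    r"\b(password|username|credit card|card number|cvv|pin|account number|ssn)\b", re.I)
URGENT_RE = re.compile(r"\b(urgent|immediately|suspended|verify now|within 24 hours)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs and notes whether a <form> is present."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.has_form = False
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url_or_host):
    """Reduce 'http://www.sub.example.com/x' to 'example.com' (naive: last two labels)."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_message(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    if sender not in KNOWN_SENDERS:
        findings.append("unfamiliar sender: " + sender)

    subject = msg.get("Subject", "")
    if subject.rstrip().endswith("!") or URGENT_RE.search(subject):
        findings.append("urgent subject: " + subject)

    # Gather text from every text part; keep HTML parts aside for link analysis.
    html_parts, body_text = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            body_text.append(text)
            if ctype == "text/html":
                html_parts.append(text)

    asked = sorted({m.group(1).lower() for m in CREDENTIAL_RE.finditer(" ".join(body_text))})
    if asked:
        findings.append("requests credentials: " + ", ".join(asked))

    for html in html_parts:
        parser = _LinkExtractor()
        parser.feed(html)
        if parser.has_form:
            findings.append("form embedded in e-mail body")
        for href, text in parser.links:
            # Compare only when the anchor text itself looks like a URL or host name.
            if href and "." in text and " " not in text:
                shown, real = registrable_domain(text), registrable_domain(href)
                if shown and real and shown != real:
                    findings.append(f"link text shows {shown} but points to {real}")
    return findings


def is_suspicious(raw, threshold=2):
    """Two or more independent indicators is a reasonable 'do not click' line."""
    return len(score_message(raw)) >= threshold


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "ExampleBank Security" <alerts@examp1ebank-verify.example>
To: victim@example.org
Subject: Your account will be suspended!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, we detected unusual activity. Confirm your username and
password within 24 hours.</p>
<form action="http://examp1ebank-verify.example/login" method="post">
<input name="user"><input name="pass" type="password"></form>
<p><a href="http://examp1ebank-verify.example/login">www.examplebank.com/secure</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Alice <alice@examplebank.com>
To: victim@example.org
Subject: Minutes from Tuesday
Content-Type: text/plain; charset=utf-8

Hi, attached are the minutes from Tuesday. See you Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, "suspicious" if is_suspicious(raw) else "ok")
        for finding in score_message(raw):
            print("  -", finding)
```

A mail-gateway rule would feed these findings into a score rather than treat any single one as proof, since legitimate mail also uses exclamation points and external links; the look-alike domain check (examplebank.com shown, examp1ebank-verify.example targeted) is the one that most reliably separates the two samples.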
Wednesday, May 21, 2014
How the NSA Allegedly Hacks into Your Network
According to the NSA documents reported by Der Spiegel in December 2013, the United States' National Security Agency succeeded years ago in penetrating the digital firewalls of a leading network-equipment vendor. An NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry, including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.
The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA's department for Tailored Access Operations (TAO). In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.
Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station" a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.
The ANT division doesn't just manufacture surveillance hardware; it also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in the BIOS, the firmware on a computer's motherboard that is the first thing to load when the computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to function normally, so the infection remains invisible to antivirus and other security programs that run inside the operating system. And even if the hard drive of an infected computer is completely erased and a new operating system installed, the ANT malware continues to function and ensures that new spyware can again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe it gives them permanent access. The practical consequence for defenders is that reimaging a disk is not a remedy for a suspected firmware implant; detection requires comparing the firmware image read from the flash chip with a vendor-known-good image, or relying on a measured boot chain (for example, TPM-backed measurements) that records what actually ran.
Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.
Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many of these digital attack weapons are "remotely installable", in other words over the Internet. Others require a direct attack on an end-user device, an "interdiction" as it is known in NSA jargon, in order to install malware or bugging equipment.