A company is more likely to be ‘cyber-attacked’ by a former employee than by a business rival. The average cost of a data theft attack is Rs. 1.8 lakh, with the cost ranging between Rs 20,000 and Rs 1.87 crore. And the occurrence of a computer crime incident is most likely in September, least likely in August, more likely on a Monday, Friday or Saturday and least likely on a Sunday.
In 97 percent of incidents involving obscene e-mails, the victims were female employees. These are some of the interesting facts unearthed by the Computer Crime & Abuse Report (India) 2001-02 that analyzes 6266 incidents of computer crime and abuse that affected 600 organizations spanning the IT, Manufacturing, Financial services, Education, Telecom, Health care and other services sectors in India during 2001 and 2002.
The Computer Emergency Response Team of the Asian School of Cyber Laws (ASCL-CERT) has published the report.
While more incidents are attributed to former employees rather than business rivals, the fact that eight percent of the attacks were attributed to script kiddies is disturbing because in such incidents, persons with relatively low knowledge are able to penetrate organizational networks using freely available ‘hacking tools’.
Data theft accounted for 33 percent of the total reported incidents and includes theft and misappropriation of electronic information and records. The major categories of data reported misappropriated include source and object code (37 percent), credit card information belonging to the organization’s employees and customers (29 percent), business related plans (20 percent) and other confidential information (14 percent).
Of these cases of data theft, 66 percent of incidents involved an employee or former employee. The methods employed for data theft showed a wide diversity. E-mail spoofing was used in 52 percent of the incidents involving data theft. E-mail addresses of trusted employees, vendors and others were spoofed in order to misappropriate data. None of the organizations that had fallen prey to e-mail spoofing were using Public Key Infrastructure (PKI) or any other system of entity authentication for e-mail communication.
Malicious code (including Trojans, ActiveX bombs, scripting languages, exploitation of Field Code vulnerability of MS Word) was used in 21 percent of the incidents of data theft. Social engineering techniques had been used in 11 percent of the incidents. Seven percent of the incidents involved media theft wherein laptops, computers, hard disks, removable media like floppy disks, CD-ROMs, etc. were stolen.
Five percent of the data theft incidents involved the exploitation of remote dial-in vulnerabilities while another four percent involved Internet-based attacks (including primarily XSS attacks, SQL injection and cookie poisoning). Although most organizations were not forthcoming about the monetary damage caused by the data theft attacks, based on the responses of 40 percent of the victims of the data theft attacks, it is ascertained that the average cost of a data theft attack is Rs 1.8
The maximum loss disclosed was Rs 1.87 crore, while the minimum was Rs 20,000.
60 percent of the incidents of e-mail abuse related to obscene e-mails. Out of these obscene e-mails, almost all (97 percent) were sent to women employees. 25 percent of the incidents of e-mail abuse related to threatening e-mails.
Most of these were targeted at the top management of the victim organization. The remaining incidents (15 percent) related to e-mails that sought to defame employees of the victim organization.
An interesting trend in relation to e-mail abuse incidents is that a vast majority of them (71 percent) are perpetrated by employees (or former employees) of the victim organization.
Data alteration constitutes 14 percent of the incidents reported in 2001 and 17 percent of the incidents reported in 2002. This category relates to incidents wherein unauthorized alteration of vital information takes place. Incidents included alteration of hospital records, unauthorized changes made to quotations, financial accounts, bank records, etc.
Although most of the incidents of data alteration involved unauthorized access, there were many instances where persons having authorized access to the data made the unauthorized alteration.
Unauthorized access accounted for 18.5 percent of the total incidents and it includes only those cases of unauthorized access wherein no data was suspected to have been misappropriated or stolen. The methods employed for unauthorized access included the use of malicious code (38 percent), social engineering (29 percent), exploiting remote dial-in vulnerabilities (18 percent) and Internet-based attacks (15 percent).
55 percent of the unauthorized access was traced to persons / departments within the organization, whereas 30 percent was traced to rival organizations while 15 percent was untraceable.
Although the virus category reflects only five percent of the total incidents reported, it is significant because of the damage potential.
A sustained and targeted virus attack, firstly, can cause severe damage to the victim’s assets and information.
Secondly, because the victim organization would unwittingly send out copies of the computer virus, it would be liable to pay compensation in crores of rupees under the Indian law. These viruses were of various types including Stealth, Polymorphic, Companion, Armoured, and Macro viruses. Denial of service attacks on Web servers, mail servers, FTP servers and even printers account for three percent of the total incidents reported.
The most interesting fact about this category is that most of the perpetrators were untraceable. In 95 percent of the cases, the attack appeared to be generated from outside India (mainly from the US and Pakistan). The probability of IP spoofing, to mislead the victim about the location of the perpetrator, cannot be ruled out. Interestingly, over 60 percent of the victims did not report the incidents because of the fear of negative publicity. 23 percent did not know whether the police in their area were technically equipped to handle computer crime cases. Nine percent of the victims feared that if the incidents were reported and subsequently publicized in the media, then more such attacks would ensue.
Eight percent of the victims did not know that Indian laws extended to computer crime. Most of these people were under the impression that the IT Act, 2000 was still a bill and consequently, that there were no laws in India to cover computer crime and abuse.
The report has strongly recommended the use of PKI. Incidents of data thefts, unauthorized access, and unauthorized data alteration can be eliminated by proper use of PKI. This translates into the fact that 67 percent of computer crimes affecting corporates can be mitigated by proper implementation of inter- and intra-organizational PKI, the report states.
PKI is the super-system that puts in place policies, people, processes and technology to harness the power of cryptography and its applications like digital signatures. The Indian law specifically recognizes digital signatures as being the only accepted mode of authentication of electronic records. Although India is amongst the first few countries in the world to have granted legal recognition to PKI, its use remains minimal primarily because of the lack of awareness about its benefits, the report mentioned.
It was felt that a PKI based system would help in achieving the objectives of information security namely privacy, data integrity, entity authentication, entity identification, message authentication, signature, authorization, validation, access control, certification, time stamping, witnessing, receipt, confirmation, ownership, anonymity, non-repudiation and revocation. The report strongly recommended that organizations deploy PKI based systems.
The use of other cryptography-based applications like Secure Sockets Layer (SSL), etc. is also strongly recommended. It was also felt that incidents of this nature must be reported to the enforcement authorities. The number of computer crime and abuse incidents that are not reported to the law enforcement authorities is staggering.
The Indian law provides for imprisonment up to 10 years and damages in crores of rupees for various computer crimes.
Moreover, the law enforcement agencies in various parts of India are fast gearing up to tackle computer crime. This is evidenced by the formation of cyber crime investigation cells in various cities and specifically the Cyber Crime Police Station at
The police and other law enforcement agencies in various states like Karnataka, Goa, Maharashtra, Gujarat, West Bengal, Delhi, Tamil Nadu, Andhra Pradesh have taken measures in nabbing high technology criminals
Cyber News Service