Rediff.com

Myths on tackling cyber threats busted

January 06, 2010 10:53 IST

Tackling cyber frauds effectively will be the greatest challenge facing us all in the present century, says S S Kumar.

When computer network-based communications were launched, people embraced them with a gleam in their eyes, as they would open up vast opportunities for e-governance and e-commerce.

While this opportunity has been fully utilised by almost everyone (governments, state administrations, banks, insurance companies, airlines, etc.), it has come with its share of problems that emanate from cyber frauds.

Tackling cyber frauds effectively will be the greatest challenge facing us all in the present century. The very fact that the US defence has allotted a substantial amount of funds to encourage development of a foolproof, comprehensive solution against this menace is proof that no one is taking it lightly.

In India, it has already reared its ugly head, attested by the fact that the nationalised banks have lost close to Rs 7 crore (Rs 70 million), or probably more, till date, to organised cyber crime. Obviously, what has been done is just not enough. The pity is that most organisations are fumbling in their search for a total comprehensive solution.

Let us explore some of the myths ruling in India:

1. Firewall is the be-all and end-all of network security

Nothing could be more misleading than to go by this assumption and get fooled in the process.

A few years back, a detailed study was done by Aberdeen, Gartner and others, who proved that network security breaches account for no more than 10-25 per cent of all security failures.

The major chunk, 75-90 per cent, is due to application security failures: the way the application software is written and left exposed to cyber attacks.

Therefore, anyone who draws solace from having installed a firewall on his network is still susceptible to cyber attacks, because firewalls address only up to 25 per cent of the likely security failures.

It is like centrally locking your car with a remote without realising that the windows of the car have been left wide open!

2. Development of zero-vulnerability code is the answer

Like the blood pressure and diabetes measuring instruments, security experts have developed scanners that scan your existing code and highlight all those areas of your code that appear vulnerable to cyber attacks.

The developers/testers then sit down and look at means to replace those portions of the code identified as vulnerable with equivalent 100 per cent secure code. Since no two software developers or testers are equally creative, to avoid the danger of a see-saw in the quality of such fixes, some security companies offer tools, like TeamMentor, that offer ready fixes for such situations, resulting in a uniform quality of repairs.

Once the fixes have been put in place, it helps to rescan the same code, so that no other vulnerabilities escape through.

3. Encrypting your communications

Encryption, a favourite of the defence forces, is a process by which the original message is changed in such a way that even if somebody intercepts it over the computer network, he is unable to decipher it.

Indian organisations can look at this as an additional measure of security. Hitherto, it was an expensive option but now it has become extremely affordable.

4. Team up with a leader in security solutions

The other common mistake made by most is to opt for the lowest-cost solution or for a partial solution for starters. Cyber fraudsters are a community, like terrorists, who are sharpening their skills on a 24 x 7 x 365 basis.

Therefore, the solution you choose has to be complete as of today, and the company that supplies it should also have shown a proven commitment to fighting cyber fraud on an ongoing basis, with an active in-house R&D programme.

This is because a solution which may appear adequate today may fall short of expectations tomorrow, as the cyber fraudsters improve their skill set.

Unlike normal day-to-day life situations, where you can get away with 80 or 90 per cent preparation, cyber fraud is a totally different scenario, where nothing short of a 100 per cent counter-response would suffice.

So, please stop drawing false comfort just because you have installed a firewall: it protects just your network but not your application code.

It is like a front main door to your premises that has been left just 10 degrees open. It makes no difference to the cyber fraudster whether the main door is left open 10 degrees or 90 degrees because all he is looking for is an opportunity to enter your house undetected.

What you need is a main door that can be securely locked from inside and outside to afford you 100 per cent security. The same goes for one's preparation to counter cyber threats – 90 per cent preparation is as good as no preparation.

What is needed is 100 per cent comprehensive preparation. Otherwise, it could be a hit-or-miss affair, inadequate to give you enduring mental peace.

S S Kumar is chairman & MD of ASTRAL Systems, which specialises in offering consultancy, training and security solutions to leading organisations in India.

S S Kumar