March 2010

I-T Dept Hacked, 14 cr Siphoned

Views: 158

As we know that governments’ have been confronted with the increasing need for providing services electronically and providing access to information to partners, suppliers, consumers, contractors, and remotely distributed employees. But hacking events like occurred in the I-T department forces us to rethink about the strategies adopted for the same. The incident throws light on the security enhancement need, which has to be in place if we have to save our systems from such attacks.

Security, In today’s business environment, it is the one word that continually poses challenges to organisations looking to protect their data assets. Everything from financial information, transactions, and intellectual property to customer and employee data—it all assumes an increased level of vulnerability as network access is broadened both within the organisation and externally.

Password-based authentication is very expensive for organisations. The fi nancial burden of resetting passwords represents a signifi cant portion of an IT help desk workload. But there is a bigger picture to look at these days in terms of what it can cost an organisation should a data breach occur. The impact can   be staggering on both fi nances and reputation.

That is what happened in the case of IT Department, where due to the password
hacking Rs. 14 Cr was stolen

As networks become increasingly exposed through a wide range of access points, the traditional user name and password method of authentication is no longer suffi cient for establishing and trusting user identity. Passwords are often so simple that they can be easily guessed, or so complex that the user needs to write them down, which is weakening security. And while changing passwords on a regular basis can somewhat minimize the risk of guessing or a brute force attack, the aforementioned vulnerabilities are still present. Yet most of the departments and companies continue to rely on passwords as their only means of user authentication.

But these events of password hacking and identity theft can be minimized; with the use of Public Key Infrastructure (PKI) based two factor authentication and encryption for data residing on the hard disks. The use of two-factor authentication provides a signifi cant increase to the level of network security by forcing a user to provide two means of identifi cation when attempting to log in. In most cases, this is a password (something you know) and a security token (for example, USB or smart card – something you have). These devices are small enough to carry and typically store cryptographic keys, digital certifi cates, and digital signatures. Since the user’s digital credentials are saved on the USB token/smart card instead of the computer’s hard drive, they are protected from compromise. Similarly with the help of encryption of data at rest inside the hard drives its confi dentiality can be maintained i.e. only the user who will be able to provide the correct authentication can have access to the data otherwise nobody can see the data in readable format. Below fi gure (Fig 1.1) shows the difference in having encryption with two factor authentication and not having the same.

As networks become increasingly exposed through a wide range of access points, the traditional user name and password method of authentication is no longer suffi cient for establishing and trusting user identity. Passwords are often so simple that they can be easily guessed, or so complex that the user needs to write them down, which is weakening security. And while changing passwords on a regular basis can somewhat minimize the risk of guessing or a brute force attack, the aforementioned vulnerabilities are still present. Yet most of the departments and companies continue to rely on passwords as their only means of user authentication.

These initiatives are very much important in the case of e-Governance projects undergoing and the projects which are been planned for the future. As these involve usage of electronic means for enhancing the reach of the services offered to the citizens and providing the same in an effective manner, there is a need of bolstering the security and confi dence, so that more and more people start using these facilities. We have already discussed how we can secure the information assets using PKI based security solutions, with the help of which integrity, confi dentiality and non-repudiation of data can be maintained. If we have to make these e-Gov initiatives successful and to kill the cases of identity frauds, public key infrastructure security should be considered as an implicit part.

Also if the security infrastructure has to be strengthened then organsation as a whole should be secured i.e. data in any form should be protected from any kind of malicious activity. For the same there should be some kind of integrated suite of Data centric security solutions in place (Fig 1.2).

So we had seen that how use of PKI based Authentication and Data Security could have solved the problem of hacking and save the organsation from such kind of attacks and how this incident shows the need for e-Governance programs to review their state of Security preparedness and including Security  as an essential component of the long lasting infrastructure.

Comments

comments

Click to comment

Leave a Reply

Your email address will not be published.

Latest News

To Top