| Insecure Computer Networks In India! |
| By : Flynn Remedios | Previous | Next |
| Posted on : 24 Jun, 2007 | Total Views : 173 |
"E-security very poor in India"
With attacks on some of the top dot.coms in the world, security issues have once again assumed importance. To get a feel of India's Internet security status, Thinktank invited comments from software and Internet security experts and a couple of India's fastest growing dot.coms. Excerpts of their replies are reproduced below:
How do you see Internet security consciousness in India?
Shuvam Misra: Our security consciousness is very low, compared to Western countries. We have the following cultural reasons for being poor in security issues:
We have a tradition of working with the spoken word. We don't record things in writing. This is a cultural trait we have developed since the Vedic times, and it has many advantages, but it makes for poor audit trails when we attempt to trace back security violations.
We don't understand the importance of adherence to processes. We respect individual brilliance, but we are poor at harnessing a team of average people to achieve overall high quality by employing systems and processes. Our country has created brilliant mathematicians and scientists, but not brilliant zero-defect assembly lines like the Germans or the Japanese.
Adherence to processes is at the core of any security implementation. Our lack of respect for processes results in security lapses.
We don't pay for services in our country, though we pay for "boxes", e.g. hardware or software. Implementing good security processes and systems is primarily a services issue. You may have to pay good consulting houses to do a good job of analysing your requirements and implementing a security system that fits your organisation. We are unwilling to do this, because we don't think this is "value for money." At the same time, we do not have a problem spending crores on licences for MS Office, for instance, because we believe we are getting something tangible out of it.
Our culture accepts mediocrity, a trait made famous by the phrase "chalta hai", which captures this mindset. We can take imperfection in our stride.
However, this mindset makes for poor proactive planning for disasters and contingency preparedness. We are probably less active than many Western nations in opting for property insurance, planning for disaster recovery, and installing security systems. Security systems, like insurance, are a cost centre until they are needed to protect your assets. We have this attitude of "jab hoga tab dekha jaiga" towards all these issues.
Some economists (refer to Ajay Shah, ajayshah@igidr.ac.in) have pointed out that the Indian industry has a short-term focus. They have justified this focus as being natural in an environment where the cost of capital is high, thus forcing industrialists to look for short recovery periods for their investment. This makes us take to trading more easily than manufacturing, for instance.
I cannot comment on the economic theory, but it is a fact that Indian industry has a short-term perspective. And like insurance, security systems are a low priority unless you have a long term perspective.
These are the real cultural issues due to which Indian organisations have poor information security systems and processes.
Flynn Remedios: While it is true that even abroad, most websites aren't secure, the commercial ones do have some levels of security. Secondly, since most Indian sites are hosted abroad, they are at the same security levels as their counterparts. However, intranets and corporate LANs (WANs etc) abroad do have reasonably good security. Many airlines and other big multinational corporates have implemented some kind of firewalling system that serves as a basic security barrier.
However, security is not just implementing a firewall. A comprehensive internet/Intranet security blanket would also include a set of processes, systems, and practices that have to be followed. It also includes security audits, risk management and analysis, a disaster recovery plan and lots more. It requires back up servers housed at different locations that can run even if one of them gets broken into. Unfortunately in India, Indian companies have not as yet begun to allocate resources for adequate network security. It is still not priority number one.
Kumud Goel: Security on computer systems and networks even in large organisations in India is very poor.
There are people who can hack VSNL or any other major server in India. We need a fiasco before people will wake up and organisations will spend money on security. Senior managers know nothing of the dangers and don't want to spend a dime. Remember it took a Bhopal Tragedy in this country for people to wake up to safety.
K Vaitheeswaran: I think the security levels in India are quite good. This is the power of the web where you cannot have significantly different levels across countries, since the whole web is one global network. Of course, the USA is ahead in this area by a year or so.
How much is the credit card option on the Web secure in India?
Vaitheeswaran: Credit cards transactions over the web need to be secure in three different ways. Firstly, the store must offer SSL (Secure Socket layer) links to ensure encryption and decryption.
This eliminates third party misuse. Secondly, the store must ask personal details beyond what is available on the card itself - this reduces the threat of someone stealing a card and using it over the web. Thirdly, the online merchants themselves must build up credibility and loyalty with the customers, by securing their internal systems and processes.
There are no payment gateways available. Some banks are working on this and we feel in a couple of months, online authorisation and verification of credit cards will be a reality in India.
Goel: Without trying to sound as if I am crying wolf; US and foreign laws have been effective where a credit card number is enough to get people to sell goods. In India this will not work.
Shuvam: This is made out to be bigger than it really is. The following steps are taken to reduce this risk, which many of your readers probably don't know about:
AVS (Address Verification Service): This involves asking the customer to enter his credit card billing address. If this matches with the address on record with VISA/MasterCard, the transaction is permitted. This simple security check is very hard to break if you have a stolen credit card.
Most sites use SSL, which makes the data very difficult to steal while it travels over the Net.
Most major sites allow you to use Cybercash, Cyberwallet or similar schemes, where the credit card information never reaches the merchant's Web server. It travels directly from your PC to the payment gateway in encrypted format.
Abroad, a consumer can issue a stop-payment on a transaction after he receives his monthly credit card statement. There, the credit card companies strictly follow the policy of "customer is always right", and thus you can stop your monetary loss even if someone has used your card number to make purchases. The hit is taken either by the merchant or the card-issuing bank.
Some credit card companies are allowing you to set spending limits, thus reducing your exposure temporarily. This is being offered by ICICI Bank in India, I believe.
All in all, I believe it is as risky to use a credit card in a restaurant as it is to use it on the Internet, given a little care. Some of the real risks of credit card fraud are not related to the Internet.
Flynn: I would view it as a major threat. Even those sites which use digital certificates, certification authorities etc including encryption or some other means of secure transaction are not completely immune to hackers.
It is a major risk and like all risk factors needs to be addressed. This does not mean that consumers should be scared into not transacting on the Net. Instead, online commerce sites should augment their security, including getting a security risk audit and analysis done. This could help minimise the risk factors.
