Malicious hackers break into IT systems and get access to critical data. But with ethical hackers’ intervention, these become impregnable
By Deepa Gupta
Even as technology has spiraled, it has come with many security hazards. So, while most of us are constantly connected via emails, chats, apps and social networking sites, little do we realize that the prying eyes of unknown predators are constantly on us, trying to peek into our world. And this hacking, be it for pleasure, harassment or illegal gains, has dangerous connotations for everyone.
In fact, the incidence of cyber crimes has gone up tremendously. According to National Crime Records Bureau data, it reported a jump of 122.5 percent from 2012 to 2013 and cost the government a whopping Rs. 24,630 crore in 2013 alone. With such crimes emerging as a risk to national security, it is time to gird up this sector.
Dearth of professionals
But for that, one needs security professionals and ethical hackers, of which there is a dearth in the country. Due to this, proper assistance is not rendered to the police when it needs to crack down on cyber criminals. To combat the problem, a consortium of information security professionals was created about a year back with the support of the government. Called Indian Infosec Consortium (IIC), a non-profit organization, it has experts who protect cyber space from potential hackers. Only those with precise technical know-how and a thorough knowledge of the legal aspects are taken on board.
Rohit Srivastava, director, IIC, says: “Tremendous internet penetration, social media awareness and various types of cyber harassment, be it sexual or derogatory posts, have greatly increased such crimes in India. And these perpetrators think they can get away with them due to the anonymous nature of the internet.”
And this is where the ethical hacker steps in. Aided by the police, he tracks down cyber criminals. Tarun Wig, information security consultant of Delhi-based Innefu Labs, says: “Law enforcement agencies usually seek our help in cases involving identity theft or corporate fraud. We have to identify a suspect online, track his locations, identify his mode of communication, find out how the hacking took place and determine future methods to block such attacks.”
Right man, right job
It is also important to ensure that the right professional is available to the right people at the right time, says Tamaghna Basu, a Kolkata-based security researcher. “Security has many sub-domains and there are specialized professionals in each of them. But many a time, the police gets hold of the most popular person to help them without knowing for sure if he will be able to crack the case effectively,” says Basu.
It takes a painstakingly long time to crack a case. But as professionals are poorly paid or not paid at all by the police, they do not waste much time and energy in solving a case, says Srivastava. “The last case where I helped the police was in 2006,” he reveals.
Rahul Sasi, a security researcher from Bangalore, who helped the government track down hackers that had plundered data from various departments last year, agrees that there is a paucity of security professionals. Worse, there is no certificate course to learning ethical hacking, he says. “What is needed is practical, hands-on-experience. Only if you know how to build a door, will you know how to break it. Only those with strong programming and engineering skills can be experts in this field. No wonder, the country has only a handful of qualified people in this regard.”
Also, there is a thin line dividing ethical hackers and unethical ones. The former can switch to the role of the latter in no time and for no reason. And that makes it even more difficult to secure the system. IIC membership, therefore, is based on reference. “When you refer people, your own name is at stake. And the peer pressure keeps things on track,” says Srivastava.
New policy
Meanwhile, recently at the International Hacker’s Conference in New Delhi, Dr Nirmaljeet Singh Kalsi, joint secretary, Police II and chief information security officer at the home ministry, spoke about the National Information Security Policy which he had drafted. It was given to IIC for review and got a feedback of 300-plus points, after which, the policy was given final shape.
Today, ethical hacking is a top-paying job if one is working with corporates. “We recently investigated a case of corporate fraud where the mail ID of the accountant of that company had been compromised. Invoices with fraudulent bank accounts in China were sent to customers of the organization, and they ended up depositing the money in these accounts. Monetary loss and loss of reputation were considerable. We were able to identify IP addresses used to carry out the attack and the methodology and also recommended measures to stop further attacks,” explains Wig.
Law enforcement agencies too are waking up to the need for cyber security and training their personnel. They are now able to handle petty cases involving fake passwords, fake profiles and photo morphing on social networking sites, source code theft, intellectual property theft, etc. Srivastava has been assisting military outfits, law enforcement personnel, media agencies and corporates. He has also helped police departments in Mauritius and Malaysia.
No violation
But ethical hackers need legal protection. Pavan Duggal, legal advisor, IIC, says: “The law does not recognize the concept of ethical hacking, but acknowledges ethical hackers as intermediaries. Under law, they can exercise due diligence while discharging their obligations. Ethical hackers who access a client’s computer system with his knowledge do not violate law.” But if they commit unauthorized activities that diminish the value of electronic information of the company, they could face three years imprisonment and Rs. 3 lakh-Rs. 5 lakh fine. They may also have to pay compensation up to Rs. 5 crore for contravention.
The Indian Information Technology Act, 2000, deals with data and information in the electronic form, and defines the offence of hacking under Section 66. Hacking, at that time, was a non-bailable offence, punishable with three years imprisonment and Rs. 2 lakh fine, says Duggal. But the Act was amended to become Information Technology (Amend-ment) Act, 2008, and Section 66 underwent an overhaul. From being a provision that only dealt with hacking, it now looks into other computer-related offences too.
After all no one wants to get caught in a web.
Pavan Duggal
Legal Advisor, IIC
“The law does not recognize the concept of ethical
hacking, but acknowledges ethical hackers as intermediaries. Ethical
hackers accessing a client’s computer system with
his knowledge do not
violate law.”
Rahul Sasi
Security researcher from Bangalore
“What is needed is practical, hands-on-experience. Only if you know how to build a door, will you know how to break it. Only those with strong programming and engineering skills are experts. India has few qualified people in this area.”
Tamaghna Basu
Kolkata-based security researcher
“Security has many sub-domains and there are specialized professionals in each of them. But often, the police gets hold of the most popular person to help them without knowing if he will be able to crack the case effectively.”
Rohit Srivastava
Director, Indian Infosec Consortium
“Internet penetration, social media awareness and various types of cyber harassment have greatly increased cyber crimes in India. And the perpetrators think they can get away with them due to the anonymous nature of
the internet.”