Who’s WATCHING You?

April 10, 2009 by graphics  
Filed under April 2009, CSO

Everyone needs online privacy. The level of privacy, however, is purely a personal choice. Many people are not concerned about privacy, arguing that they have nothing to hide; however, most of these people are generally not aware of the consequences that can haunt them at any point in their lives. Once you leave a digital footprint somewhere in some byte of data, there will always be a risk that it can be accessed or infiltrated by an unauthorized third party. To reiterate Douglas Adams’ lines from the Hitchhiker’s Guide to the Galaxy, “It’s always out there.”

Privacy is mainly invaded by three categories of actors:
• By identity thieves, or your personal or business competition
• By businesses and services that you use and depend on
• By governments and intelligence agencies

By identity thieves or your personal and business competitors:
The most widespread abuse of individuals’ privacy is conducted by identity thieves for money or for personal satisfaction. Their motives can vary from financial gain to simply satisfying a personal ego. What they want is the passwords of your key online accounts, which they use to gain access to your personal as well as financial information. Generally, identity thieves don’t use your data directly but rather sell it in bulk to interested buyers through online forums and groups.

The most common practice for privacy invasion is through spamming, where the attacker gets hold of lots of email addresses and sends them bulk emails with an attachment. He’ll use an attractive subject that promises something interesting, like a ring-tone or secret pictures, or perhaps fake a “reply” to a random, believable subject, which will make some readers open the attachment.

The attachment usually contains a Trojan horse or spyware which will record your keystrokes and send them back to the attacker. For instance, if you typed www.citibank.com followed by 2 words, the attacker would know that you typed a username and password. He can then use your information or sell it to buyers who can abuse it. In this case, the hacker is usually just a middle man who has the requisite expertise to get your information, but might not actually use it himself.

The hackers may also send you an email that looks like an official message from a financial institution that you deal with, asking you to click a link which would take you to an official-looking website. This is usually simply a fake front of a site, presented as a page for verifying your information.

Because the average user doesn’t pay attention to the changing URL in the address bar of the browser, there are always a few unsuspecting victims that fall prey to this technique of Phishing.

A personal rival who may have access to your PC for a short duration may install a similar Trojan to log your keystrokes and later look into your family pictures that are present in your mailbox or access your chat logs.

As a business, you might have competitors who are looking to steal your trade secrets and use them to their advantage. They may use the email techniques explained above, or they may get this done by buying out someone inside your organization. They could place someone as innocent as a sweeper or someone low in the food chain, who might be given the task of plugging in a USB thumb drive with an autorun script that copies all the documents onto the stick, or even a USB key logger that sits between the keyboard and the PC, wirelessly transmitting all the information.

As technology becomes more advanced, for every creative way to secure your information there is always someone working to develop innovative ways to break the system.

Business and services you use and rely on
Although this may not cause you as much damage as identity theft, your privacy may still be invaded without your consent in several cases.
Take Google as an example. When you Google something, it remembers the queries you searched for earlier and tracks you through several different ways.

The first way is that it stores a cookie in your browser and tracks anything that is searched for on your computer. Google tracks your computer via that cookie and profiles your personality based on your search habits. For instance if you are travelling with your laptop and you search for various things on your way, Google will know that you like Red Lobster, that you searched for local prayer times, and you also looked for addresses on their maps.

The company will track all this information based on the geo location of the IP address that you connected from.

One of the uses of this information is that Google follows your search habits, correlates them with your location and shows you contextual marketing ads when you use Google search or visit any site that runs Google AdSense. Secondly, if you have a Gmail account, it will link all the computers that you have ever checked your email from and also correlate them with other people who used those computers. Google may also scan the contents of your email and update your profile for marketing and for any future purpose that even Google might not be aware of at this time. The information is there and once it’s out there, it stays there.

Not only this, Google would have already profiled all your friends and colleagues with whom you might have shared your computer even once for checking your email account. The service also knows all your direct friends, family and people you do business with, based on your email transactions, and also knows the exact nature and content of those emails.

Now some people argue that there are hundreds of millions of users who use Gmail and Google will not have time to read everyone’s emails, especially those of the innocent ones like the good IT Manager running a clean shop in his organization. But what if one of the guys whom you communicated with does something nasty and the authorities decide to manually scan the detailed history of all the persons he ever communicated with? The digital footprint that you create only gets stronger with the passage of time.

The other example of privacy invasion is from the companies you do business with. For instance, the companies that provide your credit card, mobile phone or discount shopping, and online companies from which you purchased something, may sell your information to marketing companies that may start calling you for things like insurance or loans. Telemarketing departments of companies, especially those in the financial sector, are known to do this.

By the Governments or intelligence agencies
This also does not bother most people, but privacy advocacy groups in the West strongly highlight this issue. Wiretapping without warrants has been exposed several times in the US, where Internet, telephone and mobile communications have been known to be recorded and analyzed. In the UK, ISPs are required by law to log every single email sent and received by their subscribers for a year. They are also working on an ‘Interception Modernization Program’ where details of every SMS or email sent, phone call made and website visited are going to be profiled into a single database for every UK resident. So now, not only will your communication be logged, it will also be stored to reflect the habits and behavior of every individual. Remember how in the Hollywood movies, the satellite imagery focuses down to the single individual as an RFID tag? Well, all of this is already happening here!
There have been stories where Microsoft and the NSA (National Security Agency) have put a code in every OS copy to facilitate Government spying.

Read this document and you’ll get a better idea:
http://www.heise.de/tp/r4/artikel/5/5263/1.html
It has also been revealed in the past that the spy agencies have used the surveillance for business advantages to steal deals worth billions of dollars from foreigners, converting actions in their favor.

This BBC report sheds some light on the subject matter at: http://news.bbc.co.uk/2/hi/europe/820758.stm

Although most people are not too concerned by these actions, there does need to be a clear line drawn for the individual’s ‘space’, after which authorities should not be allowed to invade your privacy in the name of national interest.

Staying Private:

There are an endless number of ways through which others can invade your privacy. I will give a few examples of counter techniques that you can use in attempts to safeguard your privacy. Having said that, please understand that these techniques are being shared purely as examples. There are no guarantees that they are actually effective in keeping you off the grid.

In order to avoid becoming a victim of identity theft, you should resist the temptation to open every email attachment or download cool software that may enhance the functionality of your Windows, especially of your browser and chat clients. If you can afford to or are tech-savvy enough, then you should avoid Windows completely and switch to Mac or Linux. If you use a Windows platform, then make sure that your routine Windows account does not have Administrator privileges and that the latest suite of Internet security software is installed on your machine. The same goes for the IT and IS managers running the smaller organizations.

You should also learn to distinguish between the original and the phishing sites. For instance, https://www.paypal.com is the real site and http://paypal.database-confirmation.com/index.htm is a phishing site. The front-end interfaces, however, look identical and trick users into giving up their bank account and credit card information.
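The check a reader is being asked to do by eye can be written down precisely. The following is an added example, not part of the original article: it decides whether a link really belongs to a site you deal with by looking at the end of the host name rather than at where the brand name appears. It goes beyond the two URLs above to cover related tricks (text before an `@`, a trusted name used as a prefix, a missing `https`); the `TRUSTED_DOMAINS` list and the `example.net` hosts in the comments are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites you actually deal with, taken from your own bookmarks
# or records, never from the e-mail that contains the link.
TRUSTED_DOMAINS = frozenset({"paypal.com"})


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'reject'."""
    try:
        parts = urlsplit(url.strip())
        # .hostname is lower-cased and has any port and userinfo removed
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("reject", "URL does not parse")
    if not host:
        return ("reject", "no host name (missing scheme or empty authority)")

    # In https://www.paypal.com@example.net/ the browser connects to
    # example.net; everything before '@' is login data, not the site.
    if parts.username is not None:
        return ("reject", f"text before '@' is not the site; real host is {host}")

    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("reject", f"punycode label in {host} may imitate another name")

    # Ownership is decided by the END of the host name: the host must be the
    # trusted domain itself or a subdomain of it.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            if parts.scheme != "https":
                return ("warn", f"{host} is under {domain} but the link is not HTTPS")
            return ("ok", f"{host} is under {domain}")

    # The brand appearing somewhere else in the name is the phishing pattern
    # from the article: paypal.database-confirmation.com belongs to whoever
    # registered database-confirmation.com.
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host:
            return ("reject", f"'{brand}' appears in {host}, which is not under {domain}")
    return ("reject", f"{host} is not a site you deal with")


if __name__ == "__main__":
    samples = [
        "https://www.paypal.com",                             # from the article
        "http://paypal.database-confirmation.com/index.htm",  # from the article
        "https://www.paypal.com@example.net/login",           # constructed
        "https://paypal.com.example.net/",                    # constructed
        "http://www.paypal.com/",                             # constructed
    ]
    for sample in samples:
        print(sample, "->", classify_link(sample))
```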

In business, you should hire people only after their background checks have been verified. You should also get your systems audited and have some standard security policies made for your organization through an independent security consultant.

Evading and avoiding Google is not easy. There are several search engines available online, but the Google search results are usually most relevant.

If you have several computers in an office sharing an Internet connection, you can get a local proxy server installed, which could be configured with security policies to hide the fingerprints of your local machines. You can use dual browsers on your machine, one for general searching and the other for private searching. Browsers like Safari offer a private mode, which prevents any trace of your web visits from being stored on your computer, and also doesn’t allow any cookie to be stored from any site on your machine.

For emails, try to avoid public email accounts altogether. You should host an internal email server inside your office for emails between your colleagues. You may also restart your DSL modem daily to renew your public IP address.

Many businesses in the UK have policies in place to block access to public email servers from their offices. This practice is part of the policy at many multinational companies that operate in Pakistan.

Evading government surveillance is even harder. In case you suspect that your ISP is logging everything illegally, you may choose to host a server in a data center in Switzerland, for example, where laws offer the best privacy for personal data. You can then run an IPSEC tunnel with high grade encryption between your local office and Switzerland, and use the tunnel for emails, web and even voice traffic. VPN clients are also available for all modern phones that can be used for emails and browsing on the move.

Although IPSEC encryption is very strong and safe, some countries like the UK are making it mandatory for businesses and individuals to hand over their IPSEC secret keys to the police or face imprisonment. According to a news article, UK law enforcement has the legal authority for this through Part 3 of the Regulation of Investigatory Powers Act (RIPA). The Act was introduced in 2000, but the government held back from bringing Part 3 into effect. In 2006, more than five years after the original act was passed, the Home Office was exercising its muscle to enforce Part 3 of RIPA.

Cyber Crimes in Pakistan: An Invasion of Privacy?
While a great deal has been published about the Cyber Crimes Act in Pakistan, the premise of the law seems to be faulty. If you compare the local Cyber Crimes law to those in effect in other countries, the language seems to be more vague, giving law enforcement even more risky authority than is advisable.

While the Cyber Crimes laws were devised and put into effect at the time of Daniel Pearl’s kidnapping, the language has since then expanded to encapsulate most activity online and categorize it as illegal.
While there is no question about the critical importance of the law itself, the unquestionable authority it gives to trigger-happy, untrained law enforcement agents or a judiciary who may not understand how IPs are spoofed or firewalls are circumvented puts the average user at risk.

Privacy is an ethical, legal and birth right of every individual on the planet. Who decides when it is okay to log your SMS or telephone conversations is something that has been up for heated debate in all corners of civil society.

The integrity of your business is at stake if clients who use your services can be exposed to unauthorized third parties perusing their personal information. That is a business risk. Laws are meant to facilitate and enable trade, not destroy it.

As more and more of our lives get integrated into the Cloud, it is more realistic that our every move is being tracked in real time. But practicing a few safeguards and measures will help to keep you and your information, well, safe. Privacy is your right. Know it. Fight for it.


Of Mice and Women

February 2, 2009 by graphics  
Filed under CSO, Editorial

There is so much discussion when it comes to gender equality and empowerment, you tend to stop reading the theory and start being practical. A team can be managed and it will barely survive. Lead a team with strong vision and clear purpose, and everyone will be a winner.

I am fortunate to have Samina Rizwan, Managing Director of Oracle Pakistan, on the cover and as part of this issue of CEO. She manages her team with dedication and poise that inspires you into being successful. Oracle has played a critical role in representing Pakistan in the international markets and I am proud to have had the opportunity to interact with the dynamic team.

A ‘Trail’ of 25 IT Security Heads

January 14, 2009 by graphics  
Filed under CSO

We would have assumed that getting information from an IT Security Manager would have been like pulling teeth but the information gathering once we figured out what to ask. If you look at the 100 CIO survey we did in the December 2008 issue, you will be more familiar with the size and budgets that IT departments have available to them, so for this group, we got down to the core issues with the 25 respondents. Click here to download CSO Issue 1 - Survey - January 2009

Can you Manage Disaster Proactively?

January 9, 2009 by graphics  
Filed under Articles, CSO, January 2009

By CSO Pakistan

Business continuity, Disaster Recovery, Redundancy and Uptime – these are no longer terms restricted to a server room in an IT company. They’ve come out from the technical infrastructure and begun making an impact on real life, practical processes.

The question of whether or not you can manage disaster is perhaps an incomplete one considering humans have been given the will and desire to survive through the most challenging circumstances. So the fact that the survival is already happening, is somewhat irrelevant. What people are becoming more aware of is the fact that they are unable to prepare themselves to cope with disaster. In order to maintain the continuity of business, it is essential to be able to have the necessary backup or secondary switch that you can turn on, and keep going.

A few months ago, we covered LMKR and how they had managed the aftermath of the Marriott Bombing, something that people appreciated around the world. Other IT companies were also able to follow their DR plans and mitigate the aftereffects of the tragic incident, but here’s the point: IT companies know about all of this because the largest chunk of their business is dependent on their intellectual property. In a world where technology helps manage business, you really don’t have an excuse to get caught unprepared.

Whether it is a natural disaster or an attack of sorts, have you thought to ask your office building what their DM plan is? How about the school where your children may go? In the event of chaos, what plan of action will be followed? The same list of questions applies to hotels, restaurants, city district planning agencies; this is an endless list. In a lot of cases where disaster planning for physical damage is done, people still fail to plan how they are going to rehabilitate themselves back into the system. It’s the same sustainability (or lack thereof) challenge all over again. If you conduct a Business Impact Analysis in your organization, it will help you to figure out what your various operations are and, since most apps are linked to one another, how long you can afford to have one app or area down before it begins impacting the core business function.

You’d like to think that the BIA is something that is done through technology, but it’s not. The majority of the BIA planning is done by an analyst who can communicate with each of the departments and areas and actually assess the importance of every step of the organizational and virtual hierarchy.

Before selecting a Disaster Recovery strategy, the Disaster Recovery planner should refer to the company’s business continuity plan which should specify the key metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for various business processes. The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes.

While it is important to have Disaster RPOs and RTOs in place, here’s something to think about: what if the critical data you are currently using becomes corrupt? Worse yet, what if someone accidentally deletes some portion? Well, the IT manager will head over to the most recent backup data, and simply recover. But because, when there is no crisis as such, the data backup is usually done on a 24-hour, daily basis, think about the situation you are creating for the organization: the daily RTO and RPO are 24-24 (24 hours each), whilst, let’s say, you define the disaster RTO and RPO to be 4-4. In the event of an unplanned incident which is not necessarily a disaster, you can’t get to the data until 24 hours later, which means that unless you ‘declare’ the organization to be in a state of disaster, you will have lost 24 hours’ worth of data! So it is imperative that your regular metrics match your disaster or in-crisis metrics.
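The mapping described in the last two paragraphs can be checked mechanically. The following is an added example, not part of the original article: it pushes each business process's RPO and RTO down to the systems that process depends on, keeps the strictest target when a system is shared, and reports every system whose routine backup interval or restore time misses that target. The process names, system names and figures are constructed for illustration, using the article's 24-24 and 4-4 values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Objective:
    rpo_hours: float  # most data, in hours of work, the process may lose
    rto_hours: float  # longest the process may stay down


@dataclass(frozen=True)
class Routine:
    backup_interval_hours: float  # gap between routine backups = worst-case data loss
    restore_hours: float          # time needed to bring the system back from backup


def strictest_targets(processes, depends_on):
    """Push each process's RPO/RTO down to the systems it depends on.

    A system shared by several processes inherits the tightest RPO and the
    tightest RTO among them.
    """
    targets = {}
    for process, objective in processes.items():
        for system in depends_on[process]:
            current = targets.get(system)
            if current is None:
                targets[system] = objective
            else:
                targets[system] = Objective(
                    min(current.rpo_hours, objective.rpo_hours),
                    min(current.rto_hours, objective.rto_hours),
                )
    return targets


def find_gaps(processes, depends_on, routines):
    """Return (system, metric, routine_hours, required_hours) for every shortfall."""
    gaps = []
    for system, target in sorted(strictest_targets(processes, depends_on).items()):
        routine = routines.get(system)
        if routine is None:
            # A system nobody backs up cannot meet any objective.
            gaps.append((system, "no backup routine", None, None))
            continue
        if routine.backup_interval_hours > target.rpo_hours:
            gaps.append((system, "RPO", routine.backup_interval_hours, target.rpo_hours))
        if routine.restore_hours > target.rto_hours:
            gaps.append((system, "RTO", routine.restore_hours, target.rto_hours))
    return gaps


# Constructed sample data: one process with the 4-4 objective, one with 24-24,
# both sharing a database that is only backed up daily.
PROCESSES = {
    "online orders": Objective(rpo_hours=4, rto_hours=4),
    "monthly reporting": Objective(rpo_hours=24, rto_hours=24),
}
DEPENDS_ON = {
    "online orders": ["orders-db", "web-frontend"],
    "monthly reporting": ["orders-db", "report-server"],
}
ROUTINES = {
    "orders-db": Routine(backup_interval_hours=24, restore_hours=24),
    "web-frontend": Routine(backup_interval_hours=1, restore_hours=2),
    "report-server": Routine(backup_interval_hours=24, restore_hours=12),
}

if __name__ == "__main__":
    for system, metric, actual, required in find_gaps(PROCESSES, DEPENDS_ON, ROUTINES):
        print(f"{system}: {metric} routine={actual}h required={required}h")
```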

You can always rebuild brick and mortar; however, once your virtual operations are compromised, there is nothing you can do to bring them back.

Initiating the Process for Business Continuity
Business Continuity is the umbrella which sits on top of Disaster Recovery. Recovering lost data or assets is simply a part of business continuance.

Depending on how your organization is set up and structured, you or your clients need to have real-time access to specific bits of data so that business can be continued.
If you run a company where your major interaction with your customers is through a website interface, then it would serve you well to mirror that website in a secondary location, so that customers trying to resolve the DNS of one server can be redirected to another. You can cluster the application so that you are able to make that switch. Clustering will also help you to reroute your data through an alternate node should an unplanned incident happen on the node outside your organizational premises. This is something which helps you to become more fault tolerant even if the solution you are running isn’t a high availability solution. So if PTCL gets a cable fault, at least you can still be running your operation.

It is also important to have role-based recovery in place, rather than specify one single individual who will be responsible for a specific task at the time when the crisis is hot. Different people react differently in a time of crisis and you don’t want to have to put someone in a place he or she can’t handle. Rather, make a position or job description responsible for managing the recovery.

Here are some of the standard backup measures which you may want to keep in mind:

• Backups made to tape or high capacity, highly available media and sent off-site at regular intervals (preferably daily)

• Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk

• Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced). This generally makes use of Storage Area Network (SAN) technology

• High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data

In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using their own remote facilities. While a lot of companies, especially banks and financial sector organizations, are actively setting up their own DR sites, Pakistan does have a Tier 4 Data Center and Disaster Recovery site running, which is managed by CubeXS Weatherly (cubexsweatherly.com).

In addition to preparing for the need to recover systems, organizations must also implement precautionary measures with an objective of preventing a disaster situation in the first place. These may include some of the following:

• Uninterruptible Power Supply (UPS) and/or Backup Generator to keep systems going in the event of a power failure

• Appropriate fire prevention and anti-virus tools in place

Developing the DM and BCP:
Naseer Akhtar, President and CEO of Infotech

At what point in a company’s business or operational lifecycle, should the Disaster Management or Business Continuity Plan be developed?
Any business, regardless of its type and size of operation, needs a DM and BCP in order to continue and sustain the business operations. Starting from a corner grocery shop, up to a national or a multi-national bank, everyone needs to find alternate service delivery channels to their customers in case of a disaster. The best time to put DM and BCP in place is whenever the realization occurs to continue serving customers.

With such a tumultuous political and economic environment, how can a company know what strategy will work best for the company?
Political and economic environment should not impact the decision of a company to develop and implement such strategic initiatives.

What are the different categories into which a BCP can be prioritized?
The best approach to strategize, plan and implement BCP is to conduct Business Impact Analysis of each business unit, in order to prioritize various critical functions and processes. You categorize different processes and make redundant, for example, the ones that are mission critical, and work your way down from there. You manage the strategy so that in the event of an incident, your business can continue, albeit from a different location.

How frequently should a DM or BC strategy be revised?
As and when a need occurs, but should be done on an annual basis. And it is a critical component of the policy.

Companies working through all the crises in the world are forced to be reactive as opposed to proactive. Is it possible to make up for lost time?
It’s never too late! Each company must cater for and budget as soon as the importance is realized, and/or a situation occurs. This is an evolutionary process but the management must believe in the critical importance of a BCP in place. Until they don’t, the implementation and execution will never work.

What’s the biggest challenge a DM/BCP consultant faces?
Most companies tend to carry out the planning and implementation exercise internally. Ideally it should be outsourced to an outsider to conduct Business Impact Analysis and suggest a suitable strategy and approach on BCP.

Naseer may be contacted at naseer@infotech.com.pk


Creating and Implementing the Framework

January 5, 2009 by graphics  
Filed under Articles, CSO, January 2009

There are risks in every business and with the level of competition and data making the world go round, security has become high priority for organizations everywhere. You need to have someone who knows what the organizational objectives are, and create policies and processes so that the work remains secure and uninterrupted. Because there are so many processes ongoing in a large-scale enterprise, you need a framework which will align business and IT Security strategies.

Where’s the Priority for Security?

January 5, 2009 by graphics  
Filed under Articles, CSO, January 2009

Through the CIO Pakistan group on LinkedIn, we asked our members to answer the following question: How has your security priority changed in the past one year? Keeping in mind that all kinds of security go through an evolutionary process, the demand for security features to better manage corporate data across an enterprise is also changing. With so much insecurity hanging over everyone, it was interesting to find out just how proactive a company’s IS strategy is.

For example, Mohammad Nawaz, Manager, Business Services at Creative Chaos, says the need for a better Information Security solution has become absolutely important for all organizations. “Most companies start by logging all activity over their networks, and try to cap unnecessary access to the internet, or more precisely websites or locations that could potentially be a source of threat to the network.” Though Nawaz didn’t comment on his own company’s evolving strategy, he did continue to say that, “Organizations focus on the overall protection of their infrastructure and their investments within the office space, hence the need for surveillance and asset security solutions, such as IP cameras, locking solutions and personnel entry gadgets are becoming very common, and increasingly used by most companies.”

Chris Kinsville-Heyne, founder of C3i Strategic Solutions based out of Dubai, says that their priority remains the same. “It tends to be our Intellectual Property that we need to be secure about. As C3i Strategic Solutions provides tailored training programs to many blue-chip organizations, much of the information supplied to us by corporations is highly confidential in nature. Ensuring this information remains secure is an absolute priority for us, and rightly so. We have a responsibility placed on us and our clients trust us with sensitive material.”

Though it’s all about securing your intellectual property, one of the biggest known weaknesses in the system is still the human interaction. You can patch network security with firewalls and proxy servers, clean all the viruses you want, but when it comes down to it, while you’re securing the machines, it’s the people that still break through the security measures.

“Security,” according to Khurram Jafri, “is not some activity, event or onetime action. It is a continuous process and revolves around technology, people & processes and the strategy may vary from organization to organization. As far as my employer is concerned, we have sound policies and procedures in place for risk management.” Khurram is the Assistant Director, Quality & Risk Management at Ernst & Young in Pakistan. “EY’s global network is secure being under constant process of evaluation.”

Khurram explains that in the current security situation, everybody needs to have proper security measures in place, whether it’s information security or physical security. But with a shift towards IP communications in the marketplace, a lot of companies are able to offer products that are smart devices. Rabia Azfar, Regional Manager Service Delivery and Support at Wateen, explains, “As a company, we are mainly focusing on technology-driven surveillance, but I think it is a moral responsibility of each individual to be vigilant about their own surroundings. It is also a need of time to avoid spreading unauthentic information as casual gossip to avoid any chance of a possible breach.” Zeeshan Ahmad, Manager Operations at Aglix, says, “Initially we were looking for surveillance and information security management system, but down the road, severe situation in the region compelled us to develop remote surveillance systems. Now Information Security is our prime concern.”

With the availability of infrastructure that makes it possible for you to monitor your industry or operations remotely, it makes sense to take that leap. PTCL’s DDX network, which is already in place throughout Pakistan, or radio links can be set up to manage the connectivity and the WAN or MAN on which the solution runs.


Security Predictions: What Happens Next? by CSO (US) staff

January 3, 2009 by graphics  
Filed under CSO

Security is often described as a ‘reactive’ profession.

Fair enough; incident response is always going to be a critical part of the job. But it’s likewise critical to build a department, an industry, a profession that has its eye on the horizon.

So here’s help. CSO interviewed more than 20 experts across a wide variety of subjects (some squarely in the security wheelhouse, others rather outside that box) and asked a specific variation on the question “What happens next?” You’ll find some ‘2009 security predictions’ here, but also a much broader look at how the worlds of business and government will shape up in the long view.
We kick off this series with three well-known voices (see below) and will add to this index page as we roll out additional prognostications and predictions throughout November and December. When we’re done, we’ll close the loop with a look at common themes from the series.
The better you understand the trends of today and next year, the better you’ll be able to prepare.

The Weakest Link by CSO Pakistan

January 3, 2009 by graphics  
Filed under Articles, CSO, January 2009, OpEd

Technology, at the end of the day, is only as secure as the person using it. You can have all the content filters and packet sniffing software in place across your network, but if there is someone viewing something he shouldn’t be, there is little you can do. Another example: install all the anti-virus software applications you can get your hands on and spend day and night keeping them updated. Put an outgoing quota on your email server so that nobody can send attachments or receive .exe or zipped files. But if someone sends a link to a site which will inadvertently install a small server on your machine, there is nothing you can do to stop it.

You can have the most secure system in the world at your disposal, but if you have a disgruntled person in your IT department, it is as vulnerable as a sponge. Footprints, access codes, loopholes and exceptions can all be masked into any system, and altering the log so that the knowledge of that backdoor is only known to the person creating it is all a reality.

You access all your web accounts and even plug into your enterprise network using your cellphone. Like most people, you have your passwords saved. God forbid your cellphone gets into the wrong hands and you will have trouble recalling which accounts you accessed and which passwords you need reset.

Do you see a trend here? You should, because we’re certainly not outlining the script from a movie. No matter what you deploy to secure your network and system, until you do something to secure and mobilize the human factor in any organization, you are going to always be vulnerable. And no, it doesn’t matter whether your organization is small or large. As long as you have people, you are going to have ways to get into the system.

Social Engineering
Social Engineering is something that gives true character and personality to a “smooth talker”. Someone who will use his or her social skills to get you to reveal critical packets of information which can be used to break down your business, is an increased risk in the corporate environment. Ever been in a situation where you divulged some confidential information to a friend or a confidante? Shown off a credit card that has your photo ID on it just so they can ‘wow’ at your smile? A casual conversation where you revealed some classified information to impress someone? In today’s age of increased corporate competitiveness, there are more chances that it will be used to get into a network, gain access through a firewall and exploit an organization.

People! The biggest risk, in this case, is also the biggest asset in any organization. You obviously can’t function without people in place. But security is not about code or software. It’s about seeing the people and noticing a change in their behavior. If there is a modification, debug and defuse it before the problem causes irreparable and irreversible damage to the repute of the organization.

You do need to have policies in place and enforce them, and while these policies are there to protect the business, they are also implemented keeping in mind the behavior of the company’s team members.

So next time you think about how secure your office or network is, take a moment to look at the office environment around you. The organization, network or security solution is only as strong as its weakest link.


Usernames and Passwords: by Saquib Baqai

January 3, 2009 by graphics  
Filed under CSO

Giving False Hope of Security
“Hold on let me transfer funds online” may have sounded like a distant concept a few years ago, but today it’s happening everywhere. We have moved from the conventional paper-trail life to a digital life, with so many advancements arriving so quickly. And everything happens at lightning speed - just like the transaction.

Information Security is a vast field, so what we’ll do in this article is address the most common mistakes committed in our everyday cyber lives, whether intentionally or unintentionally, that make an impact on our privacy.

Cyber Crime: The 2009 Mega Threat by Larry Ponemon

January 3, 2009 by graphics  
Filed under CSO

The 2009 Security Mega Trends Survey was conducted by Ponemon Institute and sponsored by Lumension to better understand if certain publicized IT risks to personal and confidential data are, or should be, more or less of a concern for companies. We asked 577 IT security practitioners to consider how 10 Security Mega Trends affect companies today and to predict their impact during the next 12 to 24 months. The opinions of these experts, we believe, will be helpful to companies that are struggling to understand how they should allocate resources to the protection of data during these difficult economic times.

We selected the following mega trends for this study based on input from a panel of experts in IT security. They are: cloud computing, virtualization, mobility and mobile devices, cyber crime, outsourcing to third parties, data breaches and the risk of identity theft, peer-to-peer file sharing and Web 2.0.