Tech to Terror Proof Your Organization
Nobody could have imagined that the latest security threat would be so malicious: terrorist attacks. But it's happened, and now organizations are scrambling to protect themselves against it. We interacted with 30 CIOs to understand what they're planning to do and provide some advice on how to secure your IT infrastructure.
Thursday, January 01, 2009
Anil Chopra and Anindya Roy
By now, there's been ample media coverage of the terror attacks in Mumbai,
and how terrorists managed to use the loopholes in our system to achieve their
objective. Never before was there such an uproar from the entire nation over
this episode, which clearly reflects that we've run out of patience at the lax
attitude of the govt. toward the country's security. While we wait for the govt.
to do something about it, it's time we also did something to combat this menace.
After all, security is everyone's responsibility, if we don't want any further
loss of lives, property, business, and market reputation. We received lots of
queries from many CIOs on how they should use IT to protect their
infrastructure. Considering that IT systems are the backbone of most businesses,
the CIOs obviously have a reason to worry.
So in order to understand what Indian enterprises are doing to secure their
infrastructures, we did a small survey of around 30 CIOs from leading
organizations across the country. By and large, everyone's definitely worried. A
majority of the CIOs said that their organization was very worried about the
security of their infrastructure, and were quite serious about doing something
about it. Some of them had even gotten special budgets sanctioned for
strengthening their IT security.
The right way to deploy IT security
But before you scramble to deploy high-tech equipment like DFMDs (door frame
metal detectors), surveillance systems, etc., you need to understand the scope of
the problem and the role IT can play in combating terror. Technology can
certainly help combat terror, but its usage has to be clearly understood in
order to choose the right equipment. For instance, even if the surveillance
system detects a terrorist, or the DFMD detects heavy metallic objects being
brought into the premises, they can't really stop them. Their objective is to
detect and monitor, and not protect. That doesn't mean you shouldn't deploy such
systems. You need to understand their effectiveness in combating terror. For
instance, the US has deployed video surveillance cameras at many of its
airports, which can identify baggage that remains unattended for some time.
Similarly, video monitoring technologies have been deployed to check if a
vehicle circles a high-rise building more than required, or if a person makes
multiple trips to the shopping mall within a specified period of time. All of
these technologies can certainly help in raising an alert if something goes
wrong.
Unfortunately, that's not how technology has been used in India. For
instance, the Taj hotel in Mumbai had also deployed CCTV, but when the
terrorists attacked it, they took over the control room because it was located
within the hotel's premises itself. Since the terrorists knew the hotel inside
out before attacking, they made the control room inaccessible to the security
forces. Had the hotel used IP Surveillance, then the entire hotel could have
been monitored from outside, and many more innocent lives could have been saved.
Another incident, much milder than this but one that puts the point
across, is that of a close acquaintance of mine who lost her bag in a shopping mall.
The bag contained all her cards (credit, ATM, etc), as well as cash. She
immediately informed the mall's security personnel about the incident.
Thankfully, the mall had CCTV installed at its entrance, and had recorded all
movements in that area. Upon playing back the video, they were able to spot the
thief (apparently a small boy), walking away with the bag out of the mall. This
sounded like good news, but only for a while, because they soon realized that
they couldn't identify the thief. The cameras were just not powerful enough to
zoom close enough to recognize the thief.
What measures should our govt. take to help organizations protect their IT infrastructure against terror attacks?
The Govt. is now asking us to be compliant
with well defined IT security norms.
Jyoti Bandopadhyay, VP-IT, Torrent Power
The govt. should
standardize and enforce a uniform security framework that should be accepted
by organizations, both in the private and public sector.
Ashish Bharadwaj, UPES
Intelligence & surveillance systems with proactive controls.
BLV Rao, VP-IT Networks & Systems, Infotech Software
Information risk normally leads to business risk. Therefore, the govt.
should come forward to issue various directives to corporates as minimum
ruling to maintain certain security measures on various Internet / Intranet
based communication means (especially Internet and e-mailing) for daily
business working.
In the private sector as well, while recruiting personnel, police
verification must be kept mandatory before joining.
Sardindu Paul, GM-IT, ElectroSteel
In the IT ministry, the govt. should create a cell to handle and advise
corporates and SMBs from time to time on how to protect them from data
security threats.
Preet Kumar Singh, CIO, Glencore
Government can create some guidelines in line with SOX, making it
mandatory for organizations to adhere to IT security, and to create DR sites
for IT infrastructure. Plus, the govt needs to focus on building
infrastructure like roads, leased lines and Internet availability. The govt.
also needs to develop the capability to intercept and process information
flow (through telecom and the Internet) to take preventive and corrective
actions for suspicious activities. The police has to help organizations do
speedy and authentic scrutiny of new recruits. At present most IT
infrastructure is concentrated in Metros. To reduce the risk, we need to
create more data centers in tier 2 and tier 3 cities.
Nitin Doshi, Head-IT, Sterlite Industries
Both of the above cases are examples where technology has been used just for
the sake of it, without serving any real purpose. Had the mall used CCTV cameras
with better optical zoom, they could have identified the thief and nabbed him
later. Had IP Surveillance been used, operation Taj would perhaps have ended
much faster. You might say that the Taj group would never have imagined in their
wildest of dreams that such an episode could ever happen to them. But then,
that's how disaster strikes!
So, it's important to understand that IT security goes much beyond
surveillance systems. Essentially, a terror strike is an
unpredictable disaster, so you need to ensure that your business is able to
spring back into operation as quickly as possible after it happens. For
instance, after the Sep 11 attack on the World Trade Center towers, many
companies that had offices in those buildings managed to get back to business
because they had an effective DR and BCP strategy.
Which security technologies to deploy?
Security is no longer only about protecting your data against viruses and malicious
software attacks, guarding it against hacking attempts, or
preventing disgruntled employees from stealing information. These you
need to do anyway. Today, security also means protection against infrastructure
misuse and information leakage. How do you know that the person you've recently
recruited is the person he/she claims to be? Maybe it's a terrorist. In
today's world, it doesn't really sound that absurd. How do you know that your
network is not being misused by terrorists for communication?
The moment you add this dimension, you see security in a whole new light. To prevent
infrastructure misuse, you need to put stringent access controls in all places,
like WiFi networks or in sensitive areas like data centers. For keeping tabs on
your employees, you need to put in stringent identity management systems,
possibly backed up by police verification.
There would be some measures that would be specific to different types of
verticals. The govt., for instance, needs to secure all its websites against
information theft, and from being hacked. Large building infrastructures like
commercial towers, shopping malls, railway stations, etc. would need to put in
surveillance systems that can monitor specific things like how many times an
unknown person is making trips, or report suspicious unattended items lying around
for too long, etc.
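The two monitoring rules mentioned in this article (repeated trips within a specified period, and items left unattended for too long) come down to simple time-window checks over detection events. The sketch below is an added example, not part of the original article: the event format, the track and item IDs, and the thresholds are all assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; the article names the rules but gives no numbers.
MAX_VISITS = 3                     # entries tolerated per track within WINDOW
WINDOW = timedelta(hours=1)
MAX_DWELL = timedelta(minutes=10)  # time an item may sit unattended

# Constructed sample events in an assumed format: (time, kind, id).
# entry = tracked person/vehicle passes the gate; item_seen = ownerless
# object still in view; item_gone = object collected or removed.
EVENTS = [
    ("2009-01-01 10:00", "entry", "track-17"),
    ("2009-01-01 10:05", "item_seen", "bag-4"),
    ("2009-01-01 10:12", "entry", "track-17"),
    ("2009-01-01 10:16", "item_seen", "bag-4"),
    ("2009-01-01 10:18", "item_gone", "bag-4"),
    ("2009-01-01 10:31", "entry", "track-17"),
    ("2009-01-01 10:40", "entry", "track-17"),
    ("2009-01-01 10:50", "item_seen", "bag-4"),
    ("2009-01-01 11:30", "entry", "track-17"),
]

def find_alerts(events):
    """Return (time, rule, id, value) alerts for time-ordered events."""
    visits = defaultdict(deque)  # id -> entry times still inside WINDOW
    first_seen = {}              # id -> time item was first seen unattended
    reported = set()             # items already alerted on (avoid repeats)
    alerts = []
    for stamp, kind, ident in events:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if kind == "entry":
            recent = visits[ident]
            recent.append(ts)
            while ts - recent[0] > WINDOW:   # drop entries older than WINDOW
                recent.popleft()
            if len(recent) > MAX_VISITS:
                alerts.append((stamp, "repeat_visits", ident, len(recent)))
        elif kind == "item_seen":
            dwell = ts - first_seen.setdefault(ident, ts)
            if dwell > MAX_DWELL and ident not in reported:
                reported.add(ident)
                minutes = dwell // timedelta(minutes=1)
                alerts.append((stamp, "unattended_item", ident, minutes))
        elif kind == "item_gone":            # item collected: reset its timer
            first_seen.pop(ident, None)
            reported.discard(ident)
    return alerts
```

On the sample data, the bag raises one alert after 11 minutes and its timer resets once it is collected, while the fourth entry by the same track inside an hour raises the repeat-visit alert; the later 11:30 entry does not, because the earlier entries have aged out of the window.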