Month: November 2023

Garima Goswamy, Co-Founder & CEO, DridhG Security International Pvt. Ltd. Cyber Attacks As technology has become an integral part of everyone’s life, threats have moved from the physical space to the virtual space. Within a week in August 2023, the websites of two educational institutes in NOIDA were hacked. We are all aware that in November 2022, Delhi’s All India Institute of Medical Sciences (AIIMS) faced a ransomware attack. Such an attack denies a user or an organization to access its files. In this attack, outpatient and research data were wiped out from AIIMS’ primary and back up servers. The database of the Unique Identification Authority of India (UIDAI) too suffered from intrusion from hacking groups in June and July 2021. Forget singular institutes, the city of Mumbai faced a blackout in October 2020 for 10 to 12 hours. It impacted business continuity, halted local transport, and even was responsible to shut down the stock market. It, too, is believed to be a possible result of a cyber-attack. One thing all these attacks have in common is that these were apparently orchestrated by foreign national cyber criminals, who might be sponsored by India’s neighbouring nation states including China, Pakistan, Bangladesh, to name a few. Associated Geopolitical Tussle Between India & Its Neighbours Just as terrorists from other nations, who may or may not have the backing of their countries, there is an army of cyber terrorists whose mission is to attack India. The ban of several Chinese apps by India’s Ministry of Electronics and Information Technology since the India-Chinese face-off along the Line of Actual Control in 2020 is not a coincidence. India’s Foreign Secretary Vinay Mohan Kwatra did state that the reason to ban some Chinese applications pertaining to betting and loans was to stop the spread of misinformation, the spread of disinformation and fake information. Many might not be privy to the speculation that in April 2022, Chinese attackers strategically targeted as many as seven Indian centers in Ladakh which help in electrical dispatch and grid control near India-China border. There are reports which suggest that the cyber-attack at AIIMS was also orchestrated by the Chinese government aimed to gather data of Very Important Persons (VIPs) of India and Indian celebrities. Similarly, Chinese hackers may be behind the Unique Identification Authority of India (UIDAI) 3 attack, for as per a report, the breaches were doctored through a malware named Winnti, deployed by Chinese Advanced Persistent Threat (APT) groups, known to be state sponsored. Recorded Future, a US based cyber security company, claims that the Mumbai 2020 blackout was the work of multiple malwares deployed by another Chinese group RedEcho. While the Chinese government denies their role in these attacks, there are some foreign national groups of cyber criminals who are very vocal about their involvement of hacking India’s websites as they are motivated by political hate towards our nation. Upon hacking a school website on 10 August 2023, they identified themselves as ‘Muslim Hackers from Bangladesh’ who believe they are freedom fighters as their message read “When liberty is at risk, expect us.” These might be rogue elements from Bangladesh and supposedly became increasingly active since an incident when a Bhartiya Janata Party leader Nupur Sharma had allegedly made some derogatory remarks against the Prophet Muhammad. These are different from cyber criminals who engage in ransomware attacks which strategically attack another nation’s critical infrastructure. Hacktivists are mainly motivated by religion and politics and want to publicize themselves and deface websites to show the loopholes in the targeted country’s cyber security. “Just as terrorists from other nations, who may or may not have the backing of their countries, there is an army of cyber terrorists whose mission is to attack India. The ban of several Chinese apps by India’s Ministry of Electronics and Information Technology since the IndiaChinese face-off along the Line of Actual Control in 2020 is not a coincidence. India’s Foreign Secretary Vinay Mohan Kwatra did state that the reason to ban some Chinese applications pertaining to betting and loans was to stop the spread of misinformation, the spread of disinformation and fake information” Game Changer – Geopolitical Cyberwar A prominent hacktivist group which has carried out several Distributed Denial of service (DDoS) attacks since June 2022 is called ‘Mysterious Team Bangladesh.’ Here hackers flood a website with so much of traffic that legitimate users cannot access it. As per a report published by Group IB, MTB is associated with 750 DDoS attacks and as many as 70 cases of website defacement mainly targeting India’s government, financial and transportation sectors. They also target Israel and other countries. While this particular group might not be state sponsored, an increase in activity by state sponsored hackers is related to the Russia-Ukraine conflict where at least 19 state sponsored groups from Ukraine, Russia, China, Belarus, North Korea and Iran carried out attacks in relation to the conflict. This probably influenced state sponsored groups from other countries not directly involved with the Russia-Ukraine conflict to conduct cyber espionage in their neighbouring countries. In fact, it is noteworthy that now ‘camps’ exist! There is a collaboration between India and Nepal Hacktivists on one side and Pakistan, Bangladesh, Malaysia and Indonesia on the other side. Unlike international ransomware groups which may have targets on occasional events, hacktivists work on a daily basis to weaken their adversaries. Let’s have a look at what are these online hackers from these two camps doing? Defacing websites: Indian Cyber Force defaced the website of Pakistan’s Regional Forensic Science Laboratory Swat. Distributed Denial of Service (DDoS) Attacks: Indonesian GANOSEC targeted Indian sites: kerala.gov.in; incometax.gov.in, and rajpolice. gov.in Data leaks: MTB managed to release internal login information of All India Council of Technical Education (AICTE). Indian Cyber Force and Black Dragon Sec leaked several passport and other government identification information of Pakistani nationals. What should be done? To be aware of such daily attacks is pertinent for government and organizations, so that they can prioritize investing in adequate…

John Davies, Managing Director of TDSi The idea of ‘Frictionless Access Control’ is not a new one, but in the wake of the COVID pandemic we are all more aware of the need for security systems that operate and rapidly adapt to changing needs, without causing users unnecessary inconvenience. The key issue, and indeed balancing act, with this approach is always ensuring security continues to actually be ‘secure,’ whilst also making life easier for the authorised people that rely on it as part of their daily routine So, have we reached true Frictionless Access Control yet? We need to start by understanding what the concept actually means. What is Frictionless Access Control? Frictionless Access Control refers to a set of technologies and systems designed to provide secure access to physical spaces (such as buildings, offices, or restricted areas) with minimal or no inconvenience to authorised individuals. The goal is to streamline and simplify the process of gaining access while maintaining a high level of security. What Powers Frictionless Access Control? The obvious answer is technology advancements. Over the last decade or so there have been significant advancements in access control technologies, including biometrics (such as fingerprint and facial recognition), contactless card systems (like RFID or NFC), and smartphone-based access control credentials (such as Apple Wallet, Google Wallet, and the introduction of Ultra-Wide Band – UWB – for highly effective short-range communications). These technologies aim to reduce the friction associated with traditional access methods like keys or PINs. Implementation is of course another key factor. The effectiveness of Frictionless Access Control depends on how well it is implemented, be that the close integration of hardware and software, user training, and security protocols, all of which play a crucial role in achieving seamless and secure access control. Sector driven demands are also an important element in driving Frictionless Access Control. For example, the Proptech (property technology) sector uses technology to optimise the way people buy, sell, research, market, and manage a property. This includes looking for ways to deliver a better user experience by improving how people interact with the built environment, so effortless access control technology is very well placed to help with this. Making it Work As we have already discussed, security versus convenience is the crucial question here. There is often a trade-off between security and convenience and achieving higher levels of security may require additional authentication steps or slower access processes, which can introduce some friction. Striking the right balance between security and convenience is essential. This of course depends on the type of security deployment and the value/ vulnerability of the people and property it protects. For example, Frictionless Access Control may work well in certain situations such as corporate environments, where users are familiar with the technology and the access points are well-maintained. However, it may face challenges in more complex or high-security settings such as financial institutions, military installations, or sites with vulnerable people (such as schools and colleges). Potential Stumbling Blocks Careful consideration needs to be paid to how using a frictionless approach could compromise security. For example, biometric technologies used in Frictionless Access Control can raise concerns about privacy and data security (there are many ethical debates over the collection and storage of such personal data). Ensuring that user data is protected and used responsibly is critical and will always need to take precedence over user convenience. Cost is another key consideration. Implementing Frictionless Access Control systems can be expensive, particularly if it involves the deployment of advanced high security biometric or contactless technologies. Organisations need to weigh the cost against the benefits and available budget. The convenience of employees will not always be the prime concern. Is Frictionless Access Control Achievable? The short answer is yes, absolutely. In fact, although it was accelerated by the desire for ‘non-touch’ solutions thanks to COVID, Frictionless Access Control was already a reality well before the pandemic and is quickly transforming the way we, as users, interact with our Access Control Systems. The rapid development and integration of advanced technologies such as Facial Recognition and Smart or Mobile credentials, with traditional access methods, are evolving into seamless, touchless experiences. Although these advanced technologies are often more secure than the traditional card or fob-based credentials, true frictionless access is only as good as the speed and accuracy with which the technology can function – which in the past has often been a limiting factor to its mass adoption. Any organisation considering whether Frictionless Access Control is right for it needs to carefully assess its needs, risks, and resources when considering the adoption of these systems and must ensure that they are deployed and managed with a focus on both security and user experience. *Views expressed in the article are solely of the Author  

Dominic K. P., Managing Director, Blue & Gray With booming infrastructures in India, is no stranger to the devastating impacts of fire-related incidents. As urbanization progresses, the risk factors associated with fires in commercial and residential buildings increase. Insurance companies play a pivotal role, not only in providing financial coverage against such tragedies but also in actively promoting the adoption of robust fire systems. Here’s a closer look at their influential role. Mandatory Fire Insurance for Commercial Establishments Many Indian cities have made it mandatory for commercial establishments to have fire insurance. Insurance companies, recognizing the immense risks involved, stipulate that these businesses must have standard fire safety measures in place before they can be insured. This indirectly forces businesses to adopt fire systems and comply with safety norms. Implementing an effective functional Fire Protection system and Passive Fire Protection in a building can significantly contribute to obtaining better insurance premiums. Insurance companies must assess the risks associated with a property when determining premiums. The Role of a Passive Fire Protection in Reducing The Risk A well-designed Passive Fire System plays a crucial role in reducing risks and containing fires within a building. Passive fire protection systems should be an integral part of the building to reduce the risk and containment of fires within a building. Insurance companies must recognize the value of such systems in preserving life and property, and they may reward property owners with better premiums for investing in and maintaining a robust passive fire protection infrastructure. Regular inspections, maintenance, and documentation of these systems are essential to demonstrate an ongoing commitment to safety and risk mitigation. Premium Reduction as an Incentive Insurance companies should offer premium discounts to entities that go above and beyond the minimum fire safety requirements. This not only encourages businesses to invest in advanced fire protection systems but also promotes a culture of safety and preparedness. Regular Audits and Inspections To ensure compliance, insurance companies often conduct routine audits and inspections of the insured properties. These inspections verify the functionality and maintenance of fire safety equipment. Non-compliance or neglect can lead to a cancellation of the policy. Collaborations with Certified Contractors Insurance companies should collaborate with fire protection contractors, offering packages that include both fire protection installers and passive fire applicators. Such collaborations make it financially attractive for businesses and occupants to invest in quality fire safety equipment. Knowledge Dissemination & Training A robust fire system is only as effective as the people operating it. Recognizing this, many insurance companies in India should host workshops, training sessions, and awareness campaigns on fire safety. By educating the insured about the importance and proper use of fire systems, they not only reduce risks but also ensure that in the event of a fire, damage is minimized. Claims and Feedback Loop After any fire-related incident, insurance companies should engage a third-party Fire Risk auditor or Fire experts or Retired Fire Officers to conduct thorough investigations to determine the cause and assess the effectiveness of the installed fire systems. This feedback loop is vital. It helps in understanding any new risks and refining the requirements for future policies. Conclusion As India continues to grow and urbanize, the challenges posed by firerelated risks will only escalate. Insurance companies, by intertwining the need for safety with financial incentives, play a crucial role in ensuring that buildings are well-equipped to combat these threats. Their proactive approach not only safeguards assets and lives but also reinforces the importance of a culture of preparedness and a Fire-Safe India. *Views expressed in the article are solely of the Author