Thursday, April 28, 2016

Securing Sensitive Files and Documents from Leakages



It comes as no surprise to me that organizations’ most sensitive and critical documents are still stored in unstructured files and documents that are commonly subject to data loss and leakage. The focus of IT security professionals in most modern organizations has been on securing networks and databases, while neglecting the most important aspect: the information that resides in files and documents. Given the proliferation of smartphones and other devices connected to the internet, securing the information stored in such files is becoming of pivotal importance, and any lapse can be detrimental to an organization’s information security policy.

Lately, many organizations, knowingly or unknowingly, have allowed their employees to be more productive by embracing apps, software and storage devices without giving a thought to the security of critical documents. Some common scenarios that I have come across recently are:

  • Sending official documents and files through personal email accounts such as Gmail, Hotmail and Yahoo without encrypting or password-protecting them.
  • Transferring confidential data in plain text on USB drives, memory cards and external hard disks.
  • Uploading sensitive data to public storage services such as Dropbox, OneDrive and Google so that it can be accessed from other internet-connected devices.
  • Sharing folders on public networks with access permission set to “everyone”.
  • Sending confidential files and letters using communication apps such as WhatsApp, Viber, Tango and Skype.
  • System administrators failing to keep track of the number of file sharing applications in use on systems in the workplace.
  • Installing unverified software as protection against malware, spyware, Trojans and viruses.

In any organization, controlling everyday sensitive files and documents is becoming more complex and difficult than securing databases. The primary reasons are, firstly, that employers fail to deliver a safe working environment in which productivity is not compromised and, secondly, employees’ fatalistic attitude towards data security. The recent rise in hacks and leaks of sensitive data, such as the Panama Papers and, before that, the Snowden leaks, which are still making news almost three years after the revelations, is a reminder that organizations urgently need to invest in information security control mechanisms. Organizations that want to stay in business and flourish in the information economy need to give critical consideration to:

  • Controlling and limiting access to all important documents on any connected device, and ensuring files are encrypted.
  • Adopting measures that prevent documents from being forwarded or shared maliciously.
  • Removing access to documents once it is no longer required.
  • Controlling the handling of files and folders by limiting access on a need-to-know basis.
  • Encrypting everything on any storage device.

Thursday, April 21, 2016

Parliamentarians fail to understand the Cyber Crime Phenomenon



The securitization of cyberspace is the transformation of the domain into a matter of national security, and perhaps one of the most important forces shaping today’s global communications. Using the war on terrorism and the National Action Plan as a pretext, the ruling party in Pakistan has passed the Prevention of Electronic Crimes Bill 2015 in the National Assembly in the presence of a handful of parliamentarians. If the bill is also passed in the Senate, it will be detrimental to the growth and development of the internet in the country. Given the important role the internet is set to play in Pakistan’s economic development, it is horrific to see the manner in which this despotic bill was passed. The Nazis destroyed the independence of the press by passing a series of draconian laws, and it seems parliamentarians are imitating exactly the same approach with the freedom of the internet by passing this bill.

As cyberspace infiltrates all aspects of our society, economics and politics, it was hoped that the government would be more responsible in drafting the bill, as it not only affects millions of internet users in the country but also puts at risk the digital rights of the next generation of technology users, with inadequate protections for privacy and basic human rights. The bill has been engineered under the pretext of protecting national security, but it seems designed to benefit the aristocracy much more than the general populace.

The bill, on which I have spoken and written a lot before, is still extremely vague in its definitions despite the Minister’s claims, and it fails to understand the cybercrime phenomenon, which requires a multi-stakeholder approach to tackle complex technical and legal issues that transcend our national territorial jurisdiction. Furthermore, most sections of the bill aim to criminalize innovation and development, a critical part of the success of the very internet we know today. Pakistan needs talent that can engineer the next Google or Facebook, or create encryption and security applications to protect our national assets and become less dependent on foreign technologies, but this bill aims to criminalize all these efforts.

The globalization of the internet is shifting economic development in two important directions. First, given the aging population and near-saturated market penetration in the advanced economies, most of the expansion of the internet-related market will take place in developing countries like Pakistan, India and Bangladesh. Secondly, the spread of the internet is expected to increase the share of developing countries in the internet economy, presenting a historic opportunity for the young and the poor in Pakistan to improve their economic condition; but the bill, instead of aiming to promote the use of these technologies, is more inclined towards discouraging their use.

Overregulation of the internet through the Cybercrime bill might deprive users of the major benefits the information economy brings. To fully reap the benefits of a modern, rapidly changing economy, Pakistan needs to better prepare its citizens for the demands of a changing information economy, and it needs to adjust its laws and social protection systems to ease the transition from a labour market to an information one.

It appears that parliamentarians have failed to understand the nature of the cybercrime phenomenon and seem determined to address it through the narrow lens of national security, without considering its impact on innovation and long-term economic development.

Wednesday, April 20, 2016

Short Measures and Broadband in Pakistan

The oldest known source for the expression "baker's dozen" dates to the 13th century in one of the earliest English statutes, instituted during the reign of Henry III (1216–1272), called the Assize of Bread and Ale. Bakers who were found to have shortchanged customers could be subject to severe punishment. To guard against the punishment of losing a hand to an axe, a baker would give 13 for the price of 12, to be certain of not being known as a cheat. Specifically, the practice of baking 13 items for an intended dozen was insurance against "short measure", on the basis that one of the 13 could be lost, eaten, burnt, or ruined in some way, leaving the baker with the original legal dozen.

A few centuries on from the origin of the baker's dozen, we have trading standards bodies funded and operated by the government, and of course regulators too. Their terms of reference extend far wider than preventing the short-changing of customers, and also cover misrepresentation in advertising and supply.

But when we look at today's ridiculous practice of sellers including the magic words 'up to' in the fine print, they appear to be able to get away with just about anything.

Take broadband service. If two of us purchase a broadband service of 'up to' 8Mbps at Rs 6999 per month, and I get 3.1Mbps and you get 2.2Mbps, should we be content, and should regulatory officers let it slip through?

I rather think not!

Think of what this would mean when applied to other products:

Would you accept an unopened pack of Cornflakes sold by weight at 350g that only contains 290g? A new jar of apple jam marked up at 450g but has only 220g? A box of a dozen eggs with three missing? A liter of petrol that is only 330ml? Or a pair of trousers with legs which are supposed to be 85cm, yet turned out to be only 46cm? Actually those trousers are a pair of shorts!

It appears that, as long as 'up to' is in the small print, a dozen eggs is really 'up to a dozen eggs'. That seems reasonable; why didn't I get it the first time around?

In short: the words 'up to' ought not to be a licence for short-changing in the supply or trading of anything. Or should they be, Mr. Regulator?

Head in hands, anyone else on the same block?