Good morning and welcome to this course Cybersecurity and Privacy. I want to welcome you and I thank you for signing in for the course. Cybersecurity and Privacy.
Today is the day of introduction and therefore, we will be breaking the ice and also get to know what the course would contain in terms of contents of what I would deliver from this course and what I expect you. to do as part of this course or the coursework. These are the two main things that we will discuss, but I will also try to motivate you about the topic.
So, that is very important when we start. Is this topic important? Is cyber security an important topic?
and should it really bother or it should it really be a matter of concern for practicing managers. Irrespective of what you manage, should managers be concerned about cyber security and if so why? That is something that we would try to address in the first session so that you have a clarity of why? one should credit a course or one should actually spend so much time going through a 6 credit course to do to understand cyber security and privacy, ok.
Yeah, so the title is cyber security and privacy. I just want to know what is your understanding about cyber security. So, you can just talk about what do you mean when you hear this term cyber security.
There are two terms cyber security and privacy. So, it is an ant there. So, feel free to talk about it as to what is your understanding. Cyber security is more about you know vulnerability management of the computers and the network system so that the data whatever is there that gets protected and we know unauthorized use of the data without the knowledge of the owners. Ok good, so you have three key words, one is data, other is about vulnerability, third is about unauthorized access.
So, these are certain key terms that is associated with cyber security, anything else, any other thoughts on cyber security. What do you think about privacy? That is the second term, see the title is actually consisting of two key terms, cyber security and privacy.
Good, so you talked about two things, one is privacy is about me and my privacy is about data which I choose to disclose, I choose not to disclose and other is the security layer which exist at some level, some system level, alright. So there are two things cyber security and privacy and the interface or the intersection between the two is also important, ok. So how cyber security and privacy.
So, that is another aspect of the course. Let me actually give you some more background information as we go to get a motivation to understand is cyber security and privacy a current topic, is it an important topic and is it relevant to managers. So, here is an email I received sometime back from the director of IIT Madras. And when you receive an email in your official email box and it is from the top boss, you pay attention to it, right.
So, his name is written and it is a request and there is content of course, to meet him and of course, Of course, it ends well, best regards name and designation, right. So what should I do to this email? And I know Professor Ramamurthy, he does contact people when he wants to give some specific roles or administrative roles particularly here.
He did have this habit of calling up people or writing personal emails and doing like this. So, this is an instance of that kind. So what should be my response?
I should check the email id? Why should I do that? Because you know we do not check the sender ID when you get an email from your colleague or from your area head or department head, we just have a lot of communications going on. Can we have this email spoofing?
No, how, why should I doubt this mail? Sir, there is no need to be suspicious according to me because it does not demand anything like sensitive information from you. It is just asking you to drop an email. Yeah, but I must tell you I did check who sent this mail. I got suspicious.
Can you imagine what is the source of suspicion? This is? Sir, I need to update the address of the contact. Well, that is ok.
That is ok. Yeah, yeah. It is an internal mail, so this is fine.
The signature part is fine, the address, everything is fine. Could it be informed? It looks informal. The pattern is different from the other way that you see.
Ok, yeah, yeah, I agree with you. There is a slight change in the pattern. This is written like a very personal mail.
There can be some personal element when people write to you professionally, but more than so, but it is very personal. Can I have a quick? That is also fine, moment please. So this does not sound professional as you sensed, I also sensed, I do not expect him to say can I have a quick moment with you.
So I became suspicious at that particular content. This cannot be from the director or this may not be from the director because this is not the choice of words when you typically write to. a colleague or a in a professional setting.
So and then of course, as you suggested I decide who is sending this email of course, that is the first check all of us can do when we have a doubt. And I found this email coming from a Gmail not from the IITM domain and therefore, this is obviously suspicious and we call this kind of mails as fishing mails, we typically call it fishing mails. But it is not just a fishing mail, fishing mail all of us get every day, in fact a lot of junk mail comes asking for our bank. bank details or other kinds of personal information.
We know that this is obviously phishing mail, but here it takes time to resolve this because it is a colleague or it is a director and his address is given at the end. And the sender also knows that well I am a faculty member of IIT Madras and Professor So, someone knows who is who in an organization, somebody has actually collected background information, we call it typically social engineering. So, this is social engineering based phishing mails where the chance of one responding to this is much higher.
So, not just a phishing mail someone from After you are writing, I have a lot of funds to transfer, why do not you share your bank account details, we obviously know, I do not have, I do not know anyone out there. But this is from a non-circle based on social engineering and this is, this is called spearfishing, okay, spearfishing is very specific based on social engineering where people or the hacker or the hands behind this have done. background study, ok. So, then subsequently of course, Professor Ramamurthy sent a follow-up mail to all the colleagues because he knew that this phishing mail was circulating in the institute, ok.
So, this is sometime back and this is very recent, ok. So, couple of weeks back the head of our department wrote again a similar mail, can you do something for me, right? And here again you see the professor you know the proper title of the faculty member, the name and the signature you say it is full signature. So you usually tend to reply immediately ok.
So what I essentially want to say here is that we face this kind of problems or this kind of threats in. The world of internet in the world of so called cyber world often and it is all part of our experience or it has become part of our day to day experience. What I am trying to do is to sample, to sample some instances which I came across either individually or from newspapers and to give you a sense of what is going on in the environment in the current times ok. This is. a text message I received you know in fact two weeks back and the text message asked me to do a verification of my PAN card ok and it gives a link to the SBI side and I am sure all of you have most of us have our account in the State Bank of India ok and of course census is.
Request from a bank you tend to respond to it right and it let me to this site you know SBI and this login page looks exactly the same ok. The bank logo and whatever fields you generally fill in the same font in the same format is given and then you have to enter the captcha code and looks like I should be entering this data and signing in to do whatever formalities required to keep my account on. But is there a problem here?
I think by now all of us or most of us are familiar. So when you get a message to sign in somewhere, you go and the first thing that you look is what is the website? Is it giving the right address or it is giving a fake address?
In this case, we know that this is not SBI. website from where we sign in, it is online SBI, but it is something else. So, as soon as even when I sign into a bank account on a regular basis, I of course, check the address because sometimes a wrong address may pop in and we may be signing in and the signing in data including your username, password may be going elsewhere. So, yeah let me continue this. I just show you some things I faced as an individual, as an individual or of course, this phishing mail is something that went to everyone.
So as a group or as an organization, we do come across instances of cyber security or cyber security related issues and these are clips from leading newspapers of India. where it recently reported increasing number of cyber attacks ok. And the last piece is about ransomware attacks, have you heard of ransomware? ransomware attacks.
Ah ok, but denial of service attack is different from ransomware. We will be discussing a case on denial of service, but ransomware is another kind of security threat where the one who attacks, so the hacker takes control of your machine. And encrypts, in fact encrypts your machine and ask you for money to release it.
It is like when you lock your house and go away. And when you come back you find that your house is there is another layer of a lock on your house and you cannot enter the house because somebody else is locked. And and the hacker is quite fair well I will give you the key to enter, but give me some money ok.
And let us not make let us not make it complicated just give me some money the key is with me take the money take the key unlock and go in ok. So, it is ransom you know the word ransom is. is about you know it is about paying to release someone ok. So, ransom, redemption, etcetera related words. So, you have to pay a ransom to release your machine from someone else's control ok, ransomware.
In fact, ransomware is one of the most frequent attacks in terms of threat intelligence in today's world, ransomware has become very common and this is something about which the world as a whole is concerned about. Here is a report again from newspapers, as I said this is another sample which happened predominantly in the western world where The POS machines, you know the POS machines typically in a retail store when you buy something and when you check out there is a POS, point of sale machine where you actually do the checkout process and make the payment and then take your items and come out. But if suppose in a very busy day on a retail store if the POS machine stops working, then you know the kind of KOs and also you know the operations just stop there because companies which are automated they would not have a manual process to continue business ok. So your shops just close down and this is this did happen in 2021 when retail stores which used the POS software built by Kaseya ok. Kaseya is an IT company.
which provided POS solutions and several retail stores in the west stopped because there was a ransomware attack. You see what is the ransomware attack? The hacker just want 70 million dollars to restore the machine and the most of the times the hacker is very is a good thief you know you call it good thieves.
You pay the money. And it is done, you know the machine is released. But if you do not pay the money, it is very very difficult to become operational. And generally in my reading, I found that companies just pay the money and restart the business.
The only exception I came across is in Chennai. So, Chennai corporation species were attacked by hackers. And it was a ransomware attack, ok. And Chennai Corporation refused to pay the money, ok, because they found that their machines were very outdated, ok.
So, they were running on Windows 8 and it is very easy to take control of machines which are not updated with the operating systems. And they said, ok, let it be locked forever. So, they did not pay.
But for critical business operations, when ransomware attack happened. So, it is huge loss, so per hour loss will be very huge as compared to the ransom that the hacker is asking for. So, and that has become a serious nuisance in today's world. And here is more report, so I am not exactly following a chronological order in actually presenting to you the different cyber attacks that happened in the recent times, but this is November, December. 2022, you must have read this in newspapers about.
All India Institute of Medical Sciences, 5 servers were hacked by the cyber criminals and they took control. And you know the biggest concern when a hospital's data center gets, comes under attack, ok. This is a different type of data.
This is healthcare data, ok. And someone takes. controlled or someone gets access you know you said unauthorized access ok. Somebody gets unauthorized access to my personal health data ok. In India we may not be so concerned about health data, but health data when it goes into the wrong hands has huge implications.
Can you imagine why? So much so that. In the US, there is an act called HIPAA, so that relates to healthcare, it is a regulation for healthcare data alone.
Why is the world so concerned about healthcare data protection? Can you just imagine and give me some quick answers once you have a health condition? So healthcare data is super sensitive because the The person whose health data is leaked, the person actually faces huge embarrassment, ok and the person also can face losses in an organization or it may have higher consequence and that is why the top hospital of the country when.
their servers were attacked or came under cyber threat, it became a huge concern, huge national concern. So, we see cyber attack happening in all spheres, you know, all domains. It is not just, we just saw Kirloskar, you know, it is a manufacturing company, we saw Ames Healthcare, these are all very recent news.
So, we just opened the newspaper, everyday newspaper, this is what I see. There is some piece of information or some something that is covered about cyber security almost every day ok. So, we all talk about digital world, digitization, digital India and so on.
So, you see a very bright side of how digital technologies are actually enabling the growth of the economy or enabling the country to actually progress, be in the line of progress. We also see alongside a dark side, there is a bright side, very bright side of digital and there is also a dark side or the dark world that develops alongside and that is the concern of cyber security. So, the world consists of good people and bad people. So, there are bad people in the world who understands the weaknesses or as you use the word vulnerabilities and can exploit those vulnerabilities very, very well and damage, cause damage and losses, the impact of such actions can be very high.
To the extent that the recent, I think this is E&Y report which is summarized in the newspaper which shows 91 percent of the organizations reported at least one instance of cyber incidents in an year, at least one incident. So think about that, 91 percent. of organizations do actually face at least one incident an year ok.
And it goes on to report how cyber security is becoming a top priority for CEOs or leaders of the organizations ok. So, this is the this piece is of grave concern to me ok. So, you know the changes that is happening in transportation.