Introduction - Part 01 - Prof. Saji K Mathew

00:16

Good morning and welcome to this course - Cybersecurity and Privacy.

00:23

I want to welcome you and I thank you for signing in for the course Cybersecurity and

00:31

Privacy.

00:33

Today is the day of introduction and therefore we will be breaking the ice and also get to

00:41

know what the course would contain, in terms of contents of what I would deliver from this

00:49

course and what I expect you to do as part of this course or the coursework.

00:56

These are the two main things that we will discuss but I will also try to motivate you

01:03

about the topic.

01:06

So that is very important when we start- Is this topic important?

01:14

Is cybersecurity an important topic?

01:17

And should it really bother or should it really be a matter of concern for practising managers,

01:27

irrespective of what you manage?

01:30

Should managers be concerned about cybersecurity?

01:32

And if so, why?

01:36

That is something that we would try to address in the first session so that you have a clarity

01:41

of why one should credit a course or why one should actually spend so much time going through

01:54

a six credit course to do, to understand cybersecurity and privacy.

02:01

So the title is Cybersecurity and Privacy.

02:06

I just want to know what is your understanding about cybersecurity?

02:13

So you can just talk about, what do you mean when you hear this term cybersecurity?

02:18

There are two terms- cybersecurity and privacy.

02:22

So it is an "and" there.

02:24

So feel free to talk about it.

02:29

As to what is your understanding?

02:31

So, cybersecurity is more about vulnerability management of the computers and the network

02:36

system, so that the data whatever is there that gets protected and you know unauthorized

02:39

use of the data without the knowledge of the owner.

02:47

Okay good.

02:48

So you have three keywords.

02:49

One is data, other is about vulnerability, third is about unauthorized access.

02:57

So these are certain key terms that is associated with cybersecurity .Anything else?

03:04

Any other thoughts on cybersecurity?

03:07

Okay, what do you think about privacy?

03:14

That is the second term.

03:15

See, the title is actually consisting of two key terms- cybersecurity and privacy.

03:19

Okay good.

03:21

So we talked about two things one is privacy,is about me and my data which I choose to disclose,

03:30

I choose not to disclose and other is the security layer which exists at some level,

03:41

some system level.

03:42

Alright, so there are two things cyber security and privacy and the interface or the intersection

03:50

between the two is also important.

03:52

So, how is cybersecurity and privacy related?

03:57

So that is another aspect of the course.

04:01

Okay, let me actually give you some more background information as we go, to get a motivation

04:10

to understand- Is cybersecurity and privacy a current topic?

04:15

Is it an important topic?

04:17

And is it relevant to managers?

04:22

So, here is an email I received some time back from the director of IIT Madras and when

04:33

you receive an email in your official emailbox and it is from the top boss,you pay attention

04:41

to it.

04:42

So his name is written and it is a request and there is content of course to meet him

04:51

and of course it ends well, best regards, name and designation, right.

05:03

So what should I do to this email?

05:10

And I know Professor Ramamurthy ,he does contact people when he wants to give some specific

05:16

roles or administrative roles particularly ,he did have this habit of calling up people

05:23

or writing personal emails and doing like this.

05:27

So this is an instance of that kind.

05:30

So what should be my response?

05:41

I should check the email id.

05:44

Why should I do that?

05:46

Because you know ,we do not check the sender id when you get an email from your colleague

05:51

or from your area head or department head .We just have a lot of communications going

05:59

on.

06:01

No.

06:04

How, why should I doubt this mail?

06:07

Sir, there is no need to be suspicious according to me because it does not demand anything

06:22

like sensitive information from you, just asking you to drop an email.

06:28

But I must tell you, I did check who sent this mail.

06:34

I got suspicious.

06:38

Can you imagine, what is the source of suspicion?

06:46

This is?

06:50

Well, that is okay.

06:57

It is an internal mail, so this is fine.

07:01

The signature part is fine, the address, everything is fine.

07:08

Okay, it looks informal.

07:12

The pattern is different from the other way of getting the same.

07:17

Okay, yeah, I agree with you there is a slight change in the pattern, this is written like

07:24

a very personal mail, you know, there can be some personal element when people write

07:32

you professionally.

07:34

But more than so but it is very personal.

07:37

Can I have a quick, that is also fine,moment please.

07:44

So this does not sound professional ,as you sensed, I also sense you know I do not expect

07:51

him to say-" Can I have a quick moment with you?", right.

07:55

So I became suspicious at that particular content.

07:59

This cannot be from the director, okay or this may not be from the director because

08:04

this is not the choice of words when you typically write to a colleague or in a professional

08:12

setting.

08:13

So and then, of course, as you suggested I decide who is sending this email, of course

08:19

that is the first check all of us can do when we have a doubt,okay.

08:26

And I found this email coming from a Gmail, not from the IITM domain and therefore this

08:37

is obviously suspicious and we call this kind of mails as phishing mails.

08:44

We typically call it phishing mails, but it is not just a phishing mail.

08:49

Phishing mail, all of us get every day, in fact a lot of junk mail comes asking for our

08:57

bank details or other kinds of personal information.

09:01

We know that this is obviously phishing mail but here it takes time to resolve this because

09:07

it is a colleague or it is a director and his address is given at the end.

09:14

And the sender also knows that, well, I am a faculty member of IIT Madras and Professor

09:21

Bhaskar Ramamurthy is the director, of course, the former director.

09:27

So someone knows, who is who, in an organization okay.

09:32

Somebody has actually collected background information, okay.

09:35

We call it typically social engineering okay.

09:38

So, this is social engineering based phishing mails, where the chance of one responding

09:46

to this is much higher, okay.

09:48

So not just a phishing mail someone from Africa writing ,I have a lot of funds to transfer

09:53

why do not you share your bank account details.

09:57

We obviously know, I do not have, I do not know anyone out there but this is from a non-circle

10:03

based on social engineering and this is called spear phishing ,okay.

10:08

Spear phishing is very specific ,based on social engineering where people or the hacker

10:15

or the hands behind this, have done background study, okay.

10:22

So then subsequently of course, Professor Ramamurthy sent a follow-up mail to all the

10:28

colleagues because he knew that this phishing mail was circulating in the institute ,okay.

10:36

So, this is sometime back and this is very recent, okay.

10:39

So ,couple of weeks back, the head of our department wrote, again a similar mail- "Can

10:46

you do something for me?"

10:48

right.

10:49

And here,again you see, the professor, you know, the proper title of the faculty member,

10:55

the name and the signature, you say it is full signature.

11:00

So, you usually tend to reply immediately, okay.

11:04

So, what I essentially want to say here is that, we face this kind of problems or this

11:14

kind of threats in the world of internet, in the world of so called, cyber world often

11:24

and it is all part of our experience or it has become part of our day to day experience.

11:31

What I am trying to do is to sample, to sample some instances which I came across either

11:40

individually or from newspapers and to give you a sense of what is going on in the environment

11:45

in the current times, okay.

11:47

This is a text message I received,you know, in fact two weeks back and the text message

11:58

asked me to do a verification of my PAN card, okay and it gives a link to the SBI site and

12:06

I am sure all of you have,most of us have our account in the State Bank of India,okay.

12:12

And of course, since this is request from a bank, you tend to respond to it ,right and

12:20

it led me to this site, you know SBI and this login page looks exactly the same, okay, the

12:27

bank logo and whatever fields you generally fill in, in the same font, in the same format

12:35

is given and then you have to enter the captcha code and looks like I should be entering this

12:40

data and signing in, to do whatever formality is required to keep my account on.

12:47

But is there a problem here, I think by now all of us or most of us are familiar, so when

12:53

you get a message to sign in somewhere, you go and the first thing that you look is what

12:58

is the what is the website, is it giving the right address or it is giving a fake address

13:08

In this case, we know that this is not SBI website from where we sign in, it is online

13:18

SBI, but it is something else.

13:19

So, as soon as ,even when I sign into a bank account on a regular basis, I of course check

13:27

the address because sometimes a wrong address may pop in and we may be signing in and the

13:33

signing in data including your username, password may be going elsewhere.

13:38

So, yeah, let me continue this so, I just show you some things I faced as an individual,

13:47

okay as an individual or of course this phishing mail is something that went to everyone so

13:55

as a group or as an organization, we do come across instances of cyber security or cyber

14:04

security related issues and these are clips from leading newspapers of India where it

14:12

recently reported increasing number of cyber attacks, okay.

14:17

And the last piece is about ransomware attacks, have you heard of ransomware attacks?

14:24

okay but denial of service attack is different from ransomware, we will be we will be discussing

14:29

a case on denial of service but ransomware is a, is another kind of a security threat

14:39

where the one who attacks, so the hacker, takes control of your machine and encrypts,

14:51

in fact encrypts your machine and ask you for money to release it.

14:56

It is like when you lock your house and go away and when you come back you find that

15:03

your house is, there is another layer of a lock on your house and you cannot enter the

15:10

house because somebody else has locked and the hacker is quite fair, well, I will give

15:17

you the key to enter but give me some money, okay ,and let us not make let us not make

15:23

it complicated, just give me some money, the key is with me- take the money, take the key,

15:27

unlock and go in, okay.

15:29

So it is ransom, you know the word ransom is, about you know, it is about paying to

15:34

release someone ,okay ,so ransom redemption etc related words, so you have to pay a ransom

15:44

to release your machine from someone else's control,okay, ransomware infact ransomware

15:52

is one of the most frequent attacks, in terms of threat intelligence in today's world,ransomware

16:01

has become very common and this is something about which the world,as a whole is concerned

16:08

about, okay.

16:12

Here is a report ,again from newspapers, as I said, this is another sample which happened

16:20

predominantly in the western world, where the POS machines, you know, the POS machines

16:28

are typically in a retail store, when you buy something and when you check out ,there

16:32

is a POS point of sale machine, where you actually do the checkout process and make

16:38

the payment and then take your items and come out, but if suppose in a very busy day on

16:47

a retail store if the POS machine stops working, okay, then you know the kind of chaos and

16:54

also you know the operations just stop there because companies which are automated, they

17:01

would not have a manual process to continue business, okay.

17:04

So your shops just close down and this did happen in 2021 when retail stores which used

17:14

the POS software built by Kaseya,okay, Kaseya is an IT company which provided POS solutions

17:24

and several retail stores in the west stopped because there was a ransomware attack, you

17:31

see, what is the ransomware attack- the hacker just want 70 million dollars to restore the

17:41

machine and the most of the times, the hacker is very is a good thief, you know you call

17:48

it good thieves, you pay the money and it is done, you know, the machine is released

17:53

but if you do not pay the money it is, it is very very difficult, okay, to become operational

18:01

and generally in my reading, I found that companies just pay the money and restart the

18:08

business okay.

18:09

The only exception I came across is in Chennai, okay, so Chennai corporation’s PC’s were

18:17

attacked by hackers and it was a ransomware attack, okay and Chennai corporation refused

18:23

to pay the money, okay, because they found that the machines were very outdated ,okay,

18:28

so they were running on windows 8 and it is very easy to take control of machines which

18:34

are not updated with the operating systems and they said ,okay, let it be locked forever

18:40

so they did not pay but for critical business operations when ransomware attack happened

18:49

,okay, so it is huge loss, okay, so per hour loss will be very huge as compared to the

18:56

ransom that the hacker is asking for ,okay.

18:58

So and that has become a serious nuisance in today's world and here is more report so

19:06

I am not exactly following a chronological order in actually presenting to you the different

19:12

cyber attacks that happened in the recent times but this is November-December 2022,

19:20

you must have read this in newspapers about All India Institute of Medical Sciences.

19:25

So, five servers were hacked by the cyber criminals and they took control and you know

19:34

the biggest concern when a hospital's data center gets, comes under attack, okay, this

19:44

is a different type of data, this is healthcare data,okay, and someone takes control or someone

19:54

gets access, you know, you said unauthorized access, okay, somebody gets unauthorized access

20:00

to my personal health data, okay, in India we may not be so concerned about health data

20:08

but health data when it goes into the wrong hands has huge implications ,can you imagine

20:18

why,so much so that in the US, there is a act called HIPAA, okay ,so that relates to

20:28

healthcare it is a regulation for healthcare data alone, why is the world so concerned

20:33

about healthcare data protection, can you can you just imagine and give me some quick

20:41

answers, once you have a health condition.

20:43

So health care data is super sensitive because the the person whose health data is leaked

20:59

the the person actually faces huge embarrassment ,okay and it the person also can face losses

21:07

in an organization or it may have higher consequence and that is why the top hospital of the country

21:16

when their servers were attacked or came under cyber threat, it became a huge concern, huge

21:24

national concern.

21:26

So we see cyber attack happening in all spheres, you know, all domains, it is not just, we

21:33

just saw Kirloskar, you know ,it is a manufacturing company, we saw AIIMS healthcare, these are

21:38

all very recent news, so you just open the newspaper, everyday newspaper this is what

21:44

I see , there is some piece of information or some, something that is covered about cyber

21:50

security, almost everyday, okay.

21:52

So we all talk about digital world,digitization, digital India and so on, so you see a very

21:58

bright side of how digital technologies are actually enabling the growth of the economy

22:03

or enabling the country to actually progress, be in the line of progress, we also see alongside

22:09

a dark side,there is a bright side- very bright side of digital and there is also a dark side

22:17

or the dark world that develops alongside and that is the concern of cyber security

22:23

okay, so the world consist of good people and bad people, okay.

22:27

So there are bad people in the world ,who understands the weaknesses or as you use the

22:36

word vulnerabilities and can exploit those vulnerabilities very, very well and damage,

22:44

cause damage and losses the impact of such actions can be very high ,okay, to the extent

22:53

that the recent, I think this is E&Y report, which is summarized in the newspaper, which

23:00

shows 91 percent of the organizations reported at least one instance of cyber incidence in

23:08

an year, at least one incident.

23:11

So think about that 91 percent of organizations do actually face at least one incident an

23:18

year, okay and it goes on to report how cyber security is becoming a top priority for CEOs

23:25

or leaders of the organizations.

23:31

So this is, the this piece is of grave concern to me, okay, so you know the changes that

23:38

is happening in transportation.