
INFORMATION, COMMUNICATION AND ENTERTAINMENT

An Inconvenient Reality
The unaccounted consequences of non-genuine software usage

ADVISORY
Table of Contents
Foreword 1
Executive Summary 3
Key Drivers 7
Potential Implications 11
Involvement of Anti-Social Elements 15
Information Disclosure and Data Theft 17
Malware Attacks 21
Extortion Using Ransomware 25
Unsecured Business Environment 29
Network Effect 31
Academic Institutions – Usage of non-genuine software by students 35
Increased Security Exposure for Government 39
Reputation Risks 43
Seeing the larger picture 45
Appendix: Methodology 51
Foreword

Explosive growth of the Internet in the last two decades has made it one of the most used channels for acquiring software quickly. At the same time, higher profit margins and minimal risks associated with counterfeiting/cracking of genuine software have given anti-social and anti-national elements the opportunity to make non-genuine software available on the Internet as well as on physical media. This, combined with limited awareness of the implications of using such software in our user population, exposes our Information, Communication and Technology (ICT) infrastructure to various information security challenges.

The objective of this white paper is to sensitize readers, end users, government establishments and enterprises to the various security implications associated with the usage of non-genuine software. With this intention the paper considers the results of our research, real-life cases and hypothetical scenarios to highlight the potential information security consequences of non-genuine software usage.

The research performed during the development of this paper observed that usage of non-genuine software can now be considered a significant vector in weakening the security posture at micro- and macro-economic levels. The information and test cases assembled in this paper demonstrate that using non-genuine software not only increases the threat of data loss and intrusions to personal systems, but also to the critical ICT infrastructure of society, thereby threatening national security. There cannot be a better time for citizens, governments and corporations to come together in the endeavor to mitigate the risks arising from the usage of these potentially dangerous systems.

Akhilesh Tuteja
Executive Director
KPMG in India

© 2009 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

Executive Summary

It remains a well established fact that the use of unlicensed or pirated software results in both immense financial implications, due to infringement of copyright laws, as well as tarnishing of the company's market reputation. Studies also indicate that deployment of such software often leads to organization-wide security risks, such as loss of data privacy, system failures and downtime, and reduced operational performance. Additionally, a 2009 study carried out by KPMG indicates that non-genuine software can potentially disrupt the smooth functioning of an organization's operations by adversely affecting the system security infrastructure.

This paper seeks to establish the significant direct and indirect information security implications for government and corporate organizations as well as individuals when deploying non-genuine software. The paper elaborates the key drivers motivating the deployment of non-genuine software, the security implications thereof, and the suggested measures and considerations which government and corporate organizations can adopt for increasing awareness among users regarding the security implications of deploying non-genuine software, thereby reducing its usage.

Highlights of the research:

• 60 percent of websites providing cracks, keygens, warez or counterfeits have potential threat vectors
• 39 percent of organizations surveyed reported a security incident involving detection of non-genuine software in their IT environment
• 35 percent of organizations cited 'ready availability' as the reason for employees to use non-genuine software
• The correlation coefficient between software piracy rates and malware attacks is a strong 0.74
• Companies using non-genuine software are 43 percent more likely to have critical system failures*

*Source: Impact of unlicensed software on mid-market companies - Harrison Group

Drivers
Factors such as easy availability, lower costs of acquisition and convenience of acquiring non-genuine software, as well as the attraction of deploying seemingly effective yet free software, continue to drive end users and organizations towards wide-ranging deployment of non-genuine software.

Implications
Recent reports indicate a strong direct correlation between usage of non-genuine software and security threats such as malware and botnets.

As part of the research conducted for this white paper, we reviewed 50 websites offering non-genuine software and/or enabling tools and techniques for acquiring such software, which revealed that more than 60 percent of these websites include a varying degree of threat vectors that can potentially impact information systems security.


The security implications of deploying non-genuine software are multi-dimensional, including threats that directly affect the end user's and the organization's security as well as indirect threats leading to increased cost of protection and remediation. Directly impacting security threats include loss of data confidentiality and integrity, as well as reduced operational performance, arising from:

• Phishing attacks

• Malware and botnets

• Ransomware

Indirect security threats of deploying non-genuine software include the organization or user unknowingly becoming part of a larger nexus of anti-social elements funding and operating illegal pirated software businesses, thus contributing to the network of organized crime.

Given today's networked environment, where most computing devices are connected through the Internet, such threats arising from infected non-genuine software have far-reaching implications for an entire network. A single system running non-genuine software can adversely impact the overall security of a network. A large number of hackers develop potentially dangerous software disguised as software with rich functionality to lure unsuspecting users. The machines of these users can then become part of botnets and be controlled remotely for executing large-scale attacks.

Measures
The paper discusses the security programs adopted by select corporations across industry sectors for discouraging the use of non-genuine software and also provides recommendations for mitigating such risks.
Some of the measures that the government and industry may consider include:
• Creating awareness among end users in homes, academic institutions, public and private enterprises against the usage of non-genuine software; this includes a program specially targeted towards the student community

• Working towards effective implementation of the legal and regulatory framework to discourage deployment of infected non-genuine software

• Facilitating faster and more focused punitive action for non-compliance, including the establishment of special courts

• Institutionalization of an internal program within government and private organizations to manage and control the deployment of software assets; such programs should include periodic reviews/audits of the software inventory and the management processes around it

• Implementing controls to prevent and detect usage of non-genuine software, especially on critical Information and Communication Technology (ICT) infrastructure

• Spreading the good word

At the outset … Key Drivers

The consumer base for software in India has over the last decade witnessed an unprecedented expansion on account of a surge in PC and Internet penetration across the country. Low production costs, ease of manufacturing and high profit margins have fuelled the non-genuine software market in the country. As per the Fifth Annual Business Software Alliance (BSA) and IDC Global Software Piracy Study released in May 2008, India had a piracy rate of 69 percent in 2007.

The Internet is one of the leading channels for acquiring non-genuine software. Several websites and peer-to-peer networks offer installable non-genuine software, product keys, key generators and crack tools. Other equally popular channels, such as physical media (CDs and DVDs), are easily available as well. As can be observed in Figure 1, irrespective of the medium used to obtain non-genuine software, the risk of getting infected with malicious software is fairly significant.

[Figure 1: Possibility of infection (%) through the channel used for acquiring non-genuine software. Bars for Websites, Physical Media and Key Generators, each between 25 and 33.33 percent.]
*Source: IDC Study - The Risks of Obtaining and Using Pirated Software - 2006, and Microsoft® Internal Study: Dangers of Counterfeit Software

Information security is generally associated with terms like viruses and cyber crime. However, key information security concerns stem from various sources, including:

• Discontented employees: insider threats initiated by disgruntled employees, contractors and consultants

• Internet: cyber crime/attacks such as botnets and the exploitation of browser vulnerabilities

• Mismanagement: data breaches/loss due to mismanagement

• Terrorist attacks

• Neglected endpoint and LAN security

• Exploited vulnerabilities due to improper patch management

• Social engineering, which can be assisted by social networking websites

• Malware like spyware, viruses and trojans, which are usually downloaded from the Internet by unsuspecting users

The information security chain is only as strong as its weakest link, and end users are usually found to be this weakest link. As a user clicks on a malicious link on the Internet and downloads unauthorized software or email attachments, he/she may become a victim of social engineering attacks and sometimes knowingly or unknowingly install counterfeit/illegal or pirated software on his/her machine. With the rapid rise of the Internet and personal/mobile computing across all walks of life, the exposure of end users to these security threats has increased manifold, and thus neither governments nor businesses are immune to these threats.

Our analysis suggests that users in countries with higher software piracy rates tend to be more susceptible to malware attacks (see Figure 2). The correlation coefficient between these two is a strong 0.74. As with any comparison across a handful of countries, the correlation indicates an association rather than proving a causal link; other country-level factors, such as patch deployment and Internet penetration, may also contribute to the infection rates.

[Figure 2: Malware infection rates are higher in countries with higher software piracy. Grouped bars per country (JPN, AUS, GER, FIN, IND, ALB, MOR, BAH) showing Malware Infection Rate (CCM) and Software Piracy Rate (percent). Piracy rates range from 23 to 78 percent (India: 69 percent); infection rates range from 1.8 to 29.2 CCM.]

*CCM: Computers Cleaned per Mille, the number of computers cleaned per thousand executions of the Malicious Software Removal Tool
**Malware infection rates as published in the Microsoft Security Intelligence Report 2008
***Piracy rates as published in the Business Software Alliance (BSA) 2007 Global Software Piracy Study

At the outset … Potential Implications

In the context of individuals and businesses, increased vulnerability to malware, damage to reputation, reduced operational efficiency and increased total cost of ownership are some of the downsides of deploying non-genuine software. From a broader macro-economic perspective, the use of non-genuine software has the potential to adversely affect employment, tax revenues and industry growth as well as national security.

Revenue losses in India due to software piracy were estimated to be USD 2 billion in 2007.

[Figure 3: Software piracy trends higher in developing nations. Grouped bars per country (USA, LUX, NZ, JPN, SWZ, IND, ZIM, BAN, AZB, MOL, ARM) showing Human Development Index rank and Software Piracy Rate (%). Piracy rates run from 20 to 25 percent for the five highest-ranked countries to 91 to 93 percent for the five lowest-ranked, with India at 69 percent.]

Source: BSA 2007 Global Software Piracy Study / United Nations HDI Rankings

As Figure 3 demonstrates, developing nations such as India still remain relatively ill-equipped in dealing with software piracy. Non-genuine software exposes its users, whether they are individuals or organizations, to a plethora of information security risks. This is evident in the high correlation between non-genuine software usage and malware infections1.

Any such security threats, viz. viruses, worms, spyware and Trojans, exploit vulnerabilities in the operating system and/or the software/applications installed on it. While cyber criminals are continuously on the lookout for these vulnerabilities, software developers are busy developing patches or hotfixes for plugging them. It is a never-ending war, and users need to continuously download these patches and hotfixes to be relatively safe in the cyber world. However, users of non-genuine software suffer a big disadvantage and are constantly vulnerable to these attacks, since patches and hotfixes are frequently not made available to them: non-genuine installations are often unable to obtain vendor updates at all.

Every time such a user is surfing the Internet or downloading files through email or peer-to-peer (P2P) applications, he/she is susceptible to a plethora of security threats. In addition to this, users who continue to download more non-genuine software from the Internet face a double-edged sword: they are not only vulnerable to any new threats but are continuously exposed to more of these threats every time they visit a website providing non-genuine software or assisting in cracking (bypassing the license enforcement of) genuine software.

1 Correlation coefficient of 0.74 observed in Figure 2

Our study2 of 50 websites providing various enablers for using non-genuine software, viz. cracks, keygens, serials, warez, etc., reveals that there is a significantly high probability of a user browsing the Internet in search of non-genuine software being exposed to security threats, as indicated in Figure 4.

[Figure 4: Threat vectors on websites providing non-genuine software. Percent of the 50 sites exhibiting each vector: Potential Malware 30; Auto Redirection / Pop up 32; Unsolicited Content 16.]

Source: An Inconvenient Reality, KPMG in India, June 2009

2 KPMG study of 50 websites offering non-genuine software and/or enablers to obtain such software. Refer to the Appendix (Methodology).

A synopsis of the potential security implications of deploying non-genuine software is outlined below.

• Involvement of Anti-Social Elements – End users of non-genuine software contribute to a chain which may potentially finance anti-social activities

• Information Disclosure and Data Theft – Users of non-genuine software could be losing valuable personal and financial data

• Malware Attacks – Hidden security and cost implications of non-genuine software usage

• Extortion using Ransomware – Fraudsters using non-genuine software to extract money from end users

• Unsecured Business Environments – Usage of non-genuine software lowers the security posture of business environments and can lead to more critical system failures, operational downtime and an increase in the total cost of ownership in the long run

• Network Effect – Security implications of non-genuine versions of software made available to the masses can acquire exponential proportions due to the presence of a large number of people on the networks where it is made available

• Academic Institutions and Students – Significant risks to academic institutions and to students themselves due to the usage of non-genuine software by students

• Increased Security Exposure for Government – The government sector is susceptible to cyber warfare and espionage due to the usage of non-genuine software

• Reputation Risks – Usage of non-genuine software can often carry large financial and legal risks that may impact reputation

Information security has graduated from being a boardroom issue to an issue of national importance. The following pages attempt to demonstrate, through real-life cases and hypothetical scenarios, how academic institutions, government sector organizations and unsecured business environments can become potential victims of security consequences due to the widespread use of non-genuine software.

The way forward for end users, government and private organizations to mitigate security risks due to the usage of non-genuine software has also been discussed.

The story so far…

Involvement of Anti-Social Elements

Setting the context

Organized crime groups are often associated with illegitimate financial transactions such as money laundering. Production of non-genuine software is emerging as another means of generating revenue for anti-social elements. Since the operating costs amount to only a fraction of sales revenue, the remaining revenue often ends up in a larger resource base being used to fund counterfeit products, prostitution, weapons trading, and possibly even terrorism.

Why is software piracy such a lucrative business for organized crime groups?

Table 1
High Markups: As much as 1000 percent, owing to the marginal cost of production
High Demand: High demand, as consumers perceive a cost advantage
Low Entry Costs: Organized crime groups use their existing infrastructure as distribution cells
Minimal Risk Level: Documented evidence on the involvement of organized crime groups is sparse, and even when implicated, the penalties levied (INR 50,000 – 2,00,000) are marginal for these large and well-resourced organizations
Victimless Crimes: Users of non-genuine software are usually aware of the product they are buying and are thus considered to be complicit in the crime

Consider this…
In 2000, Ali Khalil Mehri, a Lebanese businessman, was arrested by Paraguayan authorities for allegedly selling millions of dollars worth of pirated and counterfeit software and funneling the proceeds to terrorist organizations3. Documents seized during the raid indicate that the sales of counterfeit goods were used for fundraising by terrorist organizations in the Middle East.

In India, there have been well documented cases of organized crime groups being involved in the trade of counterfeit goods to fund their activities. The raids in 20054 on large-scale shipments of counterfeit goods belonging to criminal organizations operating in India, by the US and Pakistani authorities, highlight the role played by counterfeit goods in financing the murky world of organized crime and terrorism.

Would you like to be part of a chain that potentially finances anti-social / anti-national activities, or would you much rather spend that little extra and contribute to the security of our society and country?

"In the modern world, information controls every aspect of governance and every sector of the economy. The security of ICT (Information, Communication and Technology) infrastructure, resources and data therefore assumes high importance, priority and urgency, which may even be higher than that of physical security. We have a policy of periodic review of our security policy for ICT infrastructure, resources and data to mitigate risks from various threats. This is a big challenge keeping in view the size, spread and capacity of the organization. Our security policy prohibits employees from using any non-genuine software owing to its high security risks. However, the software vendors should also support our cause by making the software available at affordable prices, at Purchasing Power Parity (PPP), i.e. on the basis of the average earnings of a common man. This would, on the one hand, encourage the use of genuine software; on the other hand, this would definitely help in discouraging the use of non-genuine software in the country."
Nirmaljeet Singh Kalsi
Joint Secretary
Ministry of Home Affairs
Government of India

3 Middle East Intelligence Bulletin: Hezbollah's Global Finance Network: The Triple Frontier, by Blanca Madani
4 "Film Piracy, Organized Crime and Terrorism" - RAND Safety and Justice Program and the Global Risk and Security Center

Information Disclosure and Data Theft

Setting the context

With rampant instances of malware in non-genuine software, data theft and disclosure of confidential information are ever-present potential security threats. A recent report from Symantec5 shows that 82 percent of threats to confidential information in the Asia Pacific Japan (APJ) region were classified as threats that export user data (see Figure 5).

[Figure 5: Threats to confidential information in the Asia Pacific Japan region, as a percentage of such threats. Exports user data: 82 percent; the remaining categories (Exports email addresses, Exports system data, Keystroke logger, Allows remote access) range from 60 to 80 percent.]

Consider this…
Apple recently launched its iWork '09 suite. Following the product launch, non-genuine copies were readily available on file-sharing sites. Several of the non-genuine copies, however, contained Trojan software bundled with the installer package. On installation, the Trojan connects to a remote server over the Internet and grants a remote controller access to the machine to enable malicious actions. More than 20,000 people have reportedly downloaded the rogue installer bundled with the non-genuine version of iWork '09.

5 Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009

Statistics from a recent study by ScanSafe6, as illustrated below in Figure 6, indicate that data theft Trojans as a percentage of malware increased significantly in 2008 (from 6 percent in 2007 to 14 percent in 2008).

[Figure 6: 2008 Block Volume – Data Theft Trojans. Monthly volume (Jan to Dec) and yearly volume, in percent.]

Other studies indicate that companies using non-genuine software are 73 percent more likely to lose confidential data and 28 percent more likely to lose a customer's personal information7. As a result, the risks of losing confidential data by using non-genuine software are significant for companies as well as for individuals.

When you use non-genuine software you could actually be losing valuable personal and financial data to malicious users; this could have far wider ramifications in terms of reputational, legal, financial or even business continuity risks for individuals and organizations alike.

6 ScanSafe Annual Global Report 2008
7 Impact of the use of unlicensed software in mid-market companies, White Paper by Harrison Group, 2008

Malware Attacks

Setting the context

One of the common methods of accessing/obtaining non-genuine software is through the Internet. A look at the top 10 pirated software titles on the Internet, as per the '2007 Anti-Piracy Year in Review' report released by the Software and Information Industry Association, shows that several popular software products have their non-genuine versions easily available on the Internet for a fraction of their original cost. It is worth noting that three of the top four titles are security products: a user who installs a cracked anti-virus product has no assurance that its detection engine or update mechanism is still intact.

Table 2: Top 10 pirated software on the Internet
Rank  Software
1     McAfee VirusScan
2     Symantec Norton Anti-Virus
3     McAfee Internet Security Suite
4     Intuit TurboTax
5     Adobe Photoshop
6     Adobe Acrobat
7     Intuit Quicken Home and Business
8     Symantec Norton pcAnywhere
9     Symantec Norton Ghost
10    Adobe Creative Suite
*Source: www.siia.net/piracy/yir_2007.pdf

There are several websites which claim to provide access to non-genuine software through product keys, cracks and key generators. KPMG's study indicates that employees deploy non-genuine software for multiple reasons, such as easy availability of the latest software versions, as illustrated in Figure 7.

[Figure 7: Reasons for employees to use non-genuine software (number of organizations citing each reason): Readily available 8; Cheaper 5; Latest version 5; Others are using it 5.]

*Source: KPMG study

Consider this…
A user finds a torrent8 on a peer-to-peer file sharing network that contains copies of Adobe software and files that appear to be key generators for the software. Unknown to the user, malware is packaged with the torrent, disguised as key generators or other executables. When the user downloads the torrent's content and runs such executables, the malware infects the system, typically infecting system files and morphing into other seemingly useful files.

The list below highlights some of the typical actions taken by such malware while infecting a machine:

• Creates system tray pop-ups, messages, errors and security warnings

• Makes outbound connections to other computers, phones, IM chat rooms and other services, often using the IRC protocol (a common botnet command-and-control channel)

• Reads email addresses and phone book details

• Changes Internet Explorer (IE) options including home page, security tab, color, font and advanced menu

• Modifies the Windows hosts file, which can be used to stop users from visiting specific websites by redirecting them to alternative addresses without their knowledge

• Deletes other programs

• Infects other program files to include a copy of the infection

• Hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents

• Is polymorphic: changes its structure between infections to evade signature-based detection

• Adds a Run registry key entry to autostart the program on system startup

• Includes file-creation code which is used to test for interception by security products

8 A torrent is a small metadata file used to locate and download content over the BitTorrent peer-to-peer file sharing protocol
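Two of the indicators listed above, a hosts-file hijack and a Run-key autostart entry, can be checked mechanically. The following is an added example, not code from the paper or from any vendor's product: it parses a hosts file and a Windows registry export (.reg) in text form, reports watched domains that have been pinned to loopback (blocked) or sent to some other address (redirected), and flags autostart entries whose command points into a temporary or download directory. The sample hosts content, the sample registry export, the watched-domain list and the function names are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Mapping a domain to one of these addresses blocks it rather than redirecting it.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# An autostart command living in one of these user-writable locations is unusual
# for legitimately installed software; a dropped "keygen" commonly ends up here.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\downloads\\", "%temp%")

# Matches a .reg section header for a ...\CurrentVersion\Run or RunOnce key.
RUN_KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.*\\CurrentVersion\\Run(Once)?)\]$", re.IGNORECASE)
# Matches a string value line:  "Name"="value"
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_hosts_hijacks(hosts_text: str, watched_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (domain, address, kind) for every watched domain that has a hosts
    entry.  kind is 'blocked' for loopback/unspecified targets, else 'redirected'.
    Comments (#...) and blank lines are ignored; a line may list several names."""
    watched = {d.lower() for d in watched_domains}
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in watched:
                kind = "blocked" if address in LOCAL_ADDRESSES else "redirected"
                hits.append((name.lower(), address, kind))
    return hits


def find_run_entries(reg_text: str) -> Dict[str, str]:
    """Parse a .reg export and return {value_name: command} for every string
    value under a Run or RunOnce key.  .reg files escape '\\' and '"' with a
    backslash; that escaping is undone so the command reads as Windows shows it."""
    entries = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = RUN_KEY_RE.match(line) is not None
            continue
        if not in_run_key:
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            entries[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries


def suspicious_run_entries(reg_text: str) -> Dict[str, str]:
    """Subset of Run entries whose command points into a temp/download directory."""
    return {
        name: cmd
        for name, cmd in find_run_entries(reg_text).items()
        if any(marker in cmd.lower() for marker in SUSPICIOUS_PATH_MARKERS)
    }


# Constructed sample inputs (not captured from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# a malware-written block: security vendor sites pinned to loopback,
# a bank sent to an attacker-controlled address
127.0.0.1       update.example-av.com example-av.com
10.0.0.5        www.example-bank.com   # looks legitimate to the browser
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\keygen.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
"""

WATCHED = ["update.example-av.com", "example-av.com", "www.example-bank.com"]

if __name__ == "__main__":
    for domain, addr, kind in find_hosts_hijacks(SAMPLE_HOSTS, WATCHED):
        print(f"hosts entry: {domain} -> {addr} ({kind})")
    for name, cmd in suspicious_run_entries(SAMPLE_REG).items():
        print(f"suspicious autostart: {name} = {cmd}")
```

On a real machine the hosts file is at %SystemRoot%\System32\drivers\etc\hosts and the Run keys can be exported with reg.exe; the point of treating a loopback mapping of a watched domain as a hit is that blocking an anti-virus update site is exactly how the malware described above keeps itself alive. The value name "svchost" in the sample is the kind of legitimate-looking name such entries borrow.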

The installed malware could be anything from a data-stealing Trojan to a virus/worm or even a remotely controlled "bot". Symantec's recent report9 on Internet security threats lists India as the most affected country in the APJ region in terms of the distribution of viruses and worms (see Figure 8).

Figure 8: Internet security threats in the APJ region (top countries)
Rank  Viruses    Worms   Backdoors  Trojans
1     India      India   China      China
2     China      China   India      India
3     Indonesia  Japan   Japan      Japan

9 Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009

Extortion Using Ransomware

Setting the context

Several websites claim to offer genuine software and utilities at throwaway prices. Fraudsters have found another innovative way of squeezing money out of the unsuspecting end user.

Consider this...
If a user wishes to obtain a copy of the Adobe Acrobat Reader software and uses the keyword 'Adobe reader' in a Google search, Google returns results with several links offering a free download of Adobe Acrobat Reader, along with a sponsored link leading to a malicious/spoofed website. Clicking on the malicious link redirects the user to a spoofed 'CNET Download.com' site which offers a free download of a copy of Adobe Reader. When a user downloads and runs it, a full, working copy of Adobe Acrobat Reader is installed, but with a twist.

[Figure 9: Ransomware message: an example]

*Source: www.phirelabs.com and www.zdnet.com

After installing the program, users are interrupted with message boxes at one-minute intervals. The malware itself offers a fake remedy in the form of a pointer to a fake site, presented as a "Remove all threats" button. After a period of time, as the user tries to access files on the 'System' drive of the infected system, the ransomware starts displaying a message that the files are encrypted.

[Figure 10: An example message from ransomware asking for ransom]

The message clearly indicates that the victim needs to download a decryptor for decrypting the data on the 'System' drive of the infected system. Accepting the message redirects the user's browser to a malware website which hosts the decryptor, available for download at a price.

A recent case of such ransomware was that of 'FileFix Pro', a phony utility which encrypts the user's documents and demands that the user purchase a decryptor for USD 50 to decrypt them.

Fake anti-virus and security software is a popular vehicle for propagators of ransomware. It is estimated that fraudsters make as much as USD 5 million through planting fake anti-virus software alone10.

Have you ever considered the possible security implications of downloading software online from an untrusted source? What could be the underlying motive for making popular software available through alternative sources that are not trusted? A question worth giving a hard thought to.

10 Computerworld Security – October 31, 2008

Unsecured Business Environments

Setting the context

It is a common misconception that the use of non-genuine software leads to cost reduction. Recent studies show that companies (including Small Office/Home Office (SOHO) organizations) who use non-genuine software can incur significant operational downtime and maintenance costs, thus making the use of non-genuine software an expensive proposition in the long run.

Consider this…
As per the study 'Impact of Unlicensed Software on Mid-Market Companies' by the Harrison Group, companies using non-genuine software are 43 percent more likely to have critical system failures (some of them lasting 24 hours or more).

Apart from maintenance costs, downtime of IT systems could also translate into lost revenues, lost productivity and other invisible costs.

Additionally, the use of non-genuine software makes it difficult for companies to install security patches and updates, thus leaving them exposed to malware attacks. The cost of recovering from such attacks/incidents could in some cases exceed USD 1,000, thus negating the value the organization was hoping to gain through counterfeit copies of software. In other words, the cost savings of using non-genuine software are eradicated by a single security breach11.

Figure 11: Likelihood of system failure for companies using non-genuine software
Type of failure                     Likelihood (%)
Minor System Failure                 9
Significant System Failure          24
Loss of Sensitive Data (Personal)   28
Critical System Failure             43
Loss of Sensitive Data (Business)   73
*Sample size: Original XP users – 144, Pirated XP users – 160
*Source: Microsoft Analysis of Risks and Issues Associated with the Usage of Pirated Software

11 http://www.microsoft.com/protect/promotions/us/wga_idc_us.mspx

ReinforcingthisisastudybyMicrosoftillustratedinFigure12,whichindicates
thatoveraperiodoftime,thetotalcostofownershipofpiratedsoftwareisvery
highowingtomaintenancecostsandopportunitylossesduetosystemfailures
andvirusattacks.

Forthepurposeofthisstudy,MicrosoftboughtandtestedCDsandDVDsfrom
variousroadsidevendorsandcarriedoutasurveyofbusinessesdividedbetween
usinggenuineandnon-genuinesoftware.

Figure 12: Increased Total Cost of Ownership. Total cost of ownership (INR lakh) plotted against duration of use (2 years, 2-3 years, 3-4 years, 4-5 years, 5-6 years, 6-7 years). As read from the chart, the plotted values rise from 0.35 and 0.38 for the shortest durations, through 0.79 and 0.83, to 1.11 and 1.48 for the longest.
*Source: Microsoft – IDC Business Survey

Organizations may perceive that usage of non-genuine software reduces costs. However, critical system failures, operational downtimes and loss of critical data may in fact increase the total cost of ownership in the long run.


Network Effect

Setting the context


Today, India is being recognized as the fastest growing mobile phone market in the world. According to Gartner12, Indian cellular service revenues were USD 8.95 billion in 2006 and are projected to grow at a compound annual growth rate (CAGR) of 18.4 percent to reach USD 25.617 billion by 2011.

Consider this…
It is estimated that there are around 30 million Chinese handsets in the country which lack an International Mobile Equipment Identity (IMEI) number13. The IMEI is a 15-digit number (14 digits plus a check digit) which uniquely identifies a handset and allows its activity and location on the network to be traced. Currently the Cellular Operators Association of India (COAI) and the Intelligence Bureau (IB) are mulling over the security implications of a software which, when uploaded to these devices, would provide them with a unique IMEI number. As a preliminary countermeasure, the Department of Telecommunications (DoT) has meanwhile instructed all service providers to disconnect these handsets from their networks.

The ramifications of an unlicensed malicious version of such a software, if created, are enormous. Even if downloaded by a small percentage of the 30 million Chinese handset users, it could lead to large-scale tampering of IMEI numbers (for instance, by assigning the same number to many handsets, or numbers already in use elsewhere). Given the increasing role of cell phone call records in monitoring and investigating anti-social activities, usage of a non-genuine version of this software could defeat the very objective of mitigating the risk posed by cell phones without IMEI numbers on the cellular networks in India.

Additionally, a malicious version of the software could also increase the risk of the phone being used by a malicious third party as a launch pad from which worms and Trojans might attack the network.
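Because an IMEI has a fixed structure (15 digits, the last being a Luhn check digit over the first 14), an operator or equipment registry can cheaply reject handsets whose reported IMEI is malformed, a known placeholder, or already attached to another subscription. The following is an added example, not code from the KPMG paper, that performs those checks over a constructed set of subscriber registrations; the all-zero placeholder value and all subscriber/IMEI data are assumptions made for illustration.

```python
"""Added example (not from the KPMG paper): structural checks on IMEIs.

An IMEI is 15 decimal digits: an 8-digit Type Allocation Code, a 6-digit
serial number and a Luhn check digit computed over the first 14 digits.
A registry that rejects IMEIs failing this check, placeholder values, or
one IMEI appearing on several subscriptions catches the crudest forms of
the tampering the text is concerned with. All sample data is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumption for illustration: handsets shipped without an IMEI often report all zeros.
PLACEHOLDER_IMEIS = {"000000000000000"}


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of digits (14 of them for an IMEI).

    Walking the payload from the right, every digit at an even offset (0, 2, ...)
    is doubled and, if the result exceeds 9, reduced by 9; the check digit is
    whatever brings the sum to a multiple of 10.
    """
    total = 0
    for offset, ch in enumerate(reversed(payload)):
        d = int(ch)
        if offset % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def validate_imei(imei: str) -> tuple[bool, str]:
    """Return (is_valid, reason). Spaces and dashes in the input are ignored."""
    digits = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"\d{15}", digits):
        return False, "not 15 digits"
    if digits in PLACEHOLDER_IMEIS:
        return False, "placeholder value"
    if luhn_check_digit(digits[:14]) != int(digits[14]):
        return False, "bad check digit"
    return True, "ok"


def audit_registrations(registrations) -> dict:
    """Audit (subscriber_id, imei) pairs.

    Returns {"invalid": {imei: reason}, "duplicates": {imei: [subscriber_ids]}}.
    A structurally valid IMEI attached to more than one subscription suggests
    cloning, or mass assignment of the same number by a tampering tool.
    """
    invalid: dict[str, str] = {}
    seen: dict[str, list[str]] = defaultdict(list)
    for subscriber, imei in registrations:
        ok, reason = validate_imei(imei)
        if not ok:
            invalid[imei] = reason
            continue
        seen[re.sub(r"[\s-]", "", imei)].append(subscriber)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return {"invalid": invalid, "duplicates": duplicates}


# Constructed sample registrations (subscriber id, IMEI as reported to the network).
SAMPLE_REGISTRATIONS = [
    ("sub-001", "490154203237518"),   # valid: check digit 8
    ("sub-002", "357000001234565"),   # valid: check digit 5
    ("sub-003", "357000001234565"),   # same IMEI on a second subscription
    ("sub-004", "000000000000000"),   # handset with no real IMEI
    ("sub-005", "490154203237510"),   # last digit altered: fails Luhn
    ("sub-006", "12345"),             # truncated
]

if __name__ == "__main__":
    report = audit_registrations(SAMPLE_REGISTRATIONS)
    for imei, reason in report["invalid"].items():
        print(f"invalid  {imei}: {reason}")
    for imei, subs in report["duplicates"].items():
        print(f"cloned?  {imei}: {', '.join(subs)}")
```

The check digit only proves the number is well-formed, not that it was legitimately allocated; the duplicate check is what catches a tool that stamps one valid-looking IMEI onto many handsets.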

12 http://www.gartner.com/it/page.jsp?id=509906
13 Times of India, dated 04 April 2009


As observed in Figure 13, the threat of malware in mobile devices is rapidly increasing year on year.

Figure 13: Growth of Mobile Malware (number of malware samples discovered per year, as read from the chart)
• 2004: 44
• 2005: 177
• 2006: 305 (average)
• 2007: 366 (average)
• 2008: 402 (average)
*Source: http://www.cellphonehits.com

Unlike a computer virus that can be observed and dissected on a machine that is disconnected from any network, wireless malware can spread (in some cases, even make transoceanic leaps) the moment the infected phone is powered up. It could send unwarranted MMS (Multimedia Messaging Service) and SMS (Short Message Service) messages carrying malicious files to all contacts on the infected phone. Further, the call logs of the device, carrying all personal and professional contacts, and the data on the phone could also be sent to a commercial Internet server for viewing by a third party.

The security implications of any non-genuine software for mobile phones must be carefully understood. It is imperative to create stringent safeguards to ensure that malicious non-genuine versions of any such software are not made available.


Academic Institutions –
Usage of non-genuine software by students

Setting the context


According to a study commissioned by Ipsos14 a few years ago, 61 percent of the students surveyed never or rarely paid for commercial software programs. In addition, just under two-thirds of the college and university students surveyed do not consider swapping or downloading digital copyrighted files (software, music and movies) without paying for them as unethical. Among students who say they would always download music or movies without paying for them, 27 percent said they regularly download and share software through a peer-to-peer (P2P) network15. Empirical studies also suggest that students tend to retain their attitudes towards usage of non-genuine software as they graduate to higher studies.

Consider this…
Students widely use P2P sharing networks such as Limewire, Morpheus and KaZaA to share files. These networks are also a popular source for sharing software, key generators and crack tools. However, unknown to the user, these files can contain malicious software in the form of Trojans and worms which pose significant security risks. As per a study conducted by IDC, 59 percent of the key generators and crack tools downloaded from P2P networks contained malicious or unwanted software. Another recent study16 showed that 68 percent of all downloadable responses in Limewire contained archives and executables containing malware. Some of the typical malware encountered on P2P networks like Limewire17 are listed in Table 3.

"When a user illegally downloads a movie, song, game, or software – his / her computer is likely to have been incorporated into the P2P network, possibly without the user's knowledge. It also means that the user's computer has very possibly been exposed to harmful viruses, worms and Trojan horses, as well as annoying pop-up advertisements. There is a real danger as well that private information on the computer has been accessible to others on the network – providing opportunities for identity thieves to obtain personal and financial information from network users who in most cases have no idea that their data is vulnerable."
Rajiv Dalal, Managing Director, Motion Picture Dist. Association of India (MPDA)

14 "Higher Education Unlicensed Software Experience – Students and Academics Survey", Ipsos Public Affairs, May 2005
15 "Higher Education Unlicensed Software Experience – Students and Academics Survey", Ipsos Public Affairs, May 2005
16 "A Study of Malware in Peer to Peer Networks", Andrew Kalafut, Abhinav Acharya and Minaxi Gupta
17 "A Study of Malware in Peer to Peer Networks", Andrew Kalafut, Abhinav Acharya and Minaxi Gupta


Table 3: Malware typically encountered in files shared on Limewire. The percentage is the share of infected files in the cited study that carried each type of malware; the figures total more than 100 percent, so a single file can evidently carry more than one type.

Downloader (45.16 percent of infected files)
Definition: A program designed to download files onto a PC, usually without the user's knowledge or consent. A downloader may also be programmed to perform automatic downloads in order to update itself.
Typical examples: Win32.Zlobdx, Win32.Banload.n

Worm (40.32 percent)
Definition: A virus which creates copies of itself on other drives, systems or networks and performs other malicious actions which may cause systems to shut down.
Typical examples: Worm.Alcan.D, Worm.VB.-16, Worm.P2P.Poom.A

Backdoor (25.81 percent)
Definition: Remote control software which allows a third party (the attacker) to gain access to and control of a victim's computer. Backdoors, considered to be Trojans, can bypass security mechanisms. They are a security risk because they can harvest personal information or use a victim's computer to attack a server.
Typical examples: NetBus, BackOrifice

Adware (4.84 percent)
Definition: A program that displays advertising banners while it is running. Adware may track a user's personal information and transfer the collected data to third parties without the user's knowledge or consent.
Typical examples: Adware.ABX.Toolbar, Adware.ActiveSearch, Adware.Adbars, Adware.AdBlaster

Dialer (4.84 percent)
Definition: A program that redirects the user's telephone connection to a more expensive line, with higher charges for the content provided, with or without the user's consent.
Typical examples: Adware.Adhelper, Dialer.Antispy, Dialer.Asdplug, Dialer.AxFreeAccess

Keylogger (3.23 percent)
Definition: Malware that intercepts the data exchange between the user entering it and the intended recipient application. It records anything the user types on the keyboard and can send it to a third party; the log file it creates can be sent to a specified receiver. Trojan and PUP keyloggers are functionally identical.
Typical examples: Keylogger.Cone.Trojan, Keylogger.Mose, Keylogger.Stawink

The table suggests that files and unlicensed software obtained by students through P2P networks pose significant information security risks to educational institutions.


The risks can also take the form of regulatory non-compliance. A case in point is where the Software and Information Industry Association (SIIA)18 was involved in an investigation of a university in the mid-west region (USA) where students were creating Warez19 sites/content on college servers.

Whilst some educational institutions in India have documented policies in place to discourage usage of non-genuine software, the extent of their effectiveness in serving as a deterrent to students is debatable. Effective student awareness programs, counseling and appropriate disciplinary actions would go a long way in curbing the rampant usage of non-genuine software by the student community.

18 What is Piracy – The Piracy Problem (SIIA)
19 "Warez" refers to copyrighted works traded in violation of copyright laws


Increased Security Exposure for Government

Setting the context


Studies20 show that IT spend by the Indian public sector is one of the fastest growing amongst Asian countries. Within the public sector, a significant percentage of IT spend is by defense, internal security agencies (such as intelligence and immigration) and public safety agencies.

Typically, government departments/organizations are involved in large turnkey IT outsourcing contracts, in which responsibility for ensuring that only genuine software is deployed often remains unclear between the outsourcing organization, the service provider and the software vendor. This has been seen to increase security exposure during large deployments or projects in government enterprises.

Consider this...
A government department decides to upgrade its existing IT infrastructure/network and invests in substantial new IT hardware. Whilst original operating systems are purchased for key servers, unlicensed software is installed on a few end-user systems. Unknown to the users, the unlicensed software contains a backdoor which allows the host to be remotely controlled from a command-and-control server. Subsequently, sensitive files are accessed and relayed to the controllers over encrypted channels that conceal the traffic from existing intrusion prevention mechanisms. Encryption hides the content of such traffic, not its timing or volume, so the regular check-ins and unusual outbound transfers of a controlled host remain visible at the network level.
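The scenario's last step, exfiltration over an encrypted channel, is exactly where signature-based prevention fails. A backdoor still has to check in with its controller, however, and implants typically do so on a timer. The following is an added example, not code from the KPMG paper, that flags such beaconing in outbound connection logs using only connection metadata (who talked to whom, when, and how much was sent); the log format, addresses, timings and detection thresholds are all constructed for illustration.

```python
"""Added example (not from the KPMG paper): finding command-and-control beacons
in outbound connection logs by timing regularity, without decrypting anything.

Log line format (constructed for this example):
    <UTC time> <source ip> <destination ip> <destination port> <bytes sent>
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.5.23 talks to 203.0.113.10 roughly every five minutes
# (one call carries a large upload); 10.0.5.40 shows ordinary browsing.
SAMPLE_LOG = """\
2009-03-17T09:00:05Z 10.0.5.23 203.0.113.10 443 3120
2009-03-17T09:01:10Z 10.0.5.40 198.51.100.7 443 1540
2009-03-17T09:01:12Z 10.0.5.40 198.51.100.7 443 880
2009-03-17T09:02:00Z 10.0.5.40 198.51.100.9 80 412
2009-03-17T09:05:03Z 10.0.5.23 203.0.113.10 443 2980
2009-03-17T09:10:07Z 10.0.5.23 203.0.113.10 443 3304
2009-03-17T09:12:00Z 10.0.5.23 198.51.100.7 443 2210
2009-03-17T09:15:04Z 10.0.5.23 203.0.113.10 443 3090
2009-03-17T09:17:40Z 10.0.5.40 198.51.100.7 443 960
2009-03-17T09:20:06Z 10.0.5.23 203.0.113.10 443 2875
2009-03-17T09:25:05Z 10.0.5.23 203.0.113.10 443 3210
2009-03-17T09:30:02Z 10.0.5.23 203.0.113.10 443 3002
2009-03-17T09:30:33Z 10.0.5.40 198.51.100.9 80 377
2009-03-17T09:35:08Z 10.0.5.23 203.0.113.10 443 41088
2009-03-17T09:40:05Z 10.0.5.23 203.0.113.10 443 3150
2009-03-17T09:44:01Z 10.0.5.40 198.51.100.7 443 1204
2009-03-17T09:45:04Z 10.0.5.23 203.0.113.10 443 3011
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, int, int]]:
    """Parse log lines into (time, src, dst, dport, bytes_out); blank and # lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), int(nbytes)))
    return records


def find_beacons(records, min_connections: int = 6, max_cv: float = 0.15) -> list[dict]:
    """Flag (src, dst, port) flows whose connection intervals are unusually regular.

    Regularity is the coefficient of variation (std dev / mean) of the gaps
    between successive connections: human-driven traffic is bursty and scores
    high, an implant checking in on a timer scores low. The thresholds are
    tuning assumptions for this example, not values from the text.
    """
    flows: dict[tuple[str, str, int], list[tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, dport, nbytes in records:
        flows[(src, dst, dport)].append((ts, nbytes))

    findings = []
    for (src, dst, dport), events in flows.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(later[0] - earlier[0]).total_seconds() for earlier, later in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(events),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 4),
                "bytes_out": sum(n for _, n in events),  # total upload: exfiltration shows up here
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}  n={hit['connections']}  "
              f"every ~{hit['mean_interval_s']}s (cv {hit['cv']})  {hit['bytes_out']} bytes out")
```

On the sample, only the 10.0.5.23 to 203.0.113.10 flow is reported: ten connections about 300 seconds apart with a coefficient of variation near 0.01, and a single 41 KB upload standing out among 3 KB check-ins. Real implants add jitter to their sleep interval, so in practice the threshold is tuned against a baseline of the department's own traffic and combined with the byte-volume signal rather than used alone.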

20 Such as the study conducted by 'Springboard Research', a Singapore-based firm, in 2006


A recent investigation conducted by Information Warfare Monitor21 shows that the above scenario is not far-fetched. The investigation revealed the existence of a global malware-based cyber espionage network (termed GhostNet) which compromised at least 1,295 computers in 103 countries, including 53 IP addresses in India. A large percentage of the targets were located in government institutions such as embassies and ministries of foreign affairs, including several Indian embassies, as illustrated in Table 4.

Table 4: Government of India institutions affected by GhostNet

Organization                                 Confidence   Location   Infections
National Informatics Center, India           L            IN         12
Software Technology Parks of India           L            IN         2
Office of the Dalai Lama, India              H            IN         2
Tibetan Government in Exile, India           H            IN, US     4
Embassy of India, Belgium                    L            BE         1
Embassy of India, Serbia                     L            CS         1
Embassy of India, Germany                    H            DE         1
Embassy of India, Italy                      H            IT         1
Embassy of India, Kuwait                     H            KW         1
Embassy of India, USA                        H            US         7
Embassy of India, Zimbabwe                   H            ZA         1
High Commission of India, Cyprus             H            CY         1
High Commission of India, United Kingdom     H            GB         1

Confidence: H = high, L = low, as assigned in the source report.
*Source: Tracking GhostNet – Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009

"Government departments cannot use, or condone the use of, unauthorized software. The consequence of usage of non-genuine software in our department could be serious from a security perspective. The risk of compromise of our databases not only impacts the reputation of the department and the ministry, but also is a kind of ransomware that could be used by malicious elements of the society to track financial positions of citizens and hold them for ransom."
Neeraj Kumar, Joint Director of Income Tax, Directorate of Income-Tax (Systems)

21 Tracking GhostNet – Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009


Increasing adoption of Internet-enabled technology solutions, combined with the high software piracy rates in India, could be a contributing factor in making the government sector more susceptible to attacks such as the botnet attacks described above. As seen in Figure 14, several botnet attacks can be traced to countries such as China, Brazil, South Korea and Poland where there is a medium to high software piracy rate.

Figure 14: Correlation between software piracy and botnet attacks. In the list of 'Top 6' countries (in terms of botnet attacks), China, Brazil, South Korea and Poland have medium-high software piracy rates. Values as read from the chart:

Country        Botnet attacks (USD million, as labelled)   Software piracy rate (%)
USA            20.6                                        20
China          7.7                                         82
Brazil         0.166                                       59
South Korea    0.162                                       43
Poland         0.153                                       57
Japan          0.142                                       23

*Source: Business Software Alliance (BSA) – 2007 Global Software Piracy Study; www.securityfocus.com

The figure should be read with care: the USA, with the lowest piracy rate of the six, shows by far the largest botnet figure, so the chart establishes that high-piracy countries appear in the top six rather than a statistical correlation between the two measures.

As countries jostle for supremacy over the strategic cyber domain, the threat of cyber espionage is an existing reality. Installation of non-genuine / unlicensed software on any IT systems in government offices may result in irretrievable losses of strategic information to hostile third parties.


Reputation Risks

Setting the context


The government can criminally prosecute an organization for copyright infringement and, if convicted, fines can range from INR 50,000 to 2,00,000, and a minimum jail sentence of 7 days, going up to 3 years, can be levied as well22. According to the BSA23, in 2008 non-genuine software cost businesses in the UK as much as £16 million in legal fines. Last year, the BSA took 294 legal actions on behalf of its members in the UK, and more than 3,000 legal actions were conducted across Europe and Africa.

Consider this...
In March 2009, the BSA reported having settled claims totalling USD 350,909 with four California-based companies for having unlicensed copies of software installed on their computers. The companies paid damages in the range of USD 70,000 to USD 110,000 for unlicensed copies of Adobe, Symantec and Microsoft software. As part of the individual settlements, the companies agreed to delete all unlicensed copies of software installed on their computers, acquire any licenses necessary to become compliant, and commit to implementing stronger software license management practices.

Wouldn't you rather be involved with improving business efficiencies and productivity instead of wasting time and resources in settling legal suits and re-establishing reputation?

22 Indian Copyright Act & http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=6250
23 http://www.itpro.co.uk/index.php/609881/pirated-software-costs-firms-16-million


The way forward


Seeing the larger picture …

The intent of this whitepaper has been to highlight the far-reaching impacts of using non-genuine software on the security of individuals, businesses, governments and nations. In the discussions above, we have attempted to bring to the forefront the evident as well as the concealed implications that non-genuine software usage has on its stakeholders.

The surge in Internet penetration, which provides easier access to non-genuine content available online, coupled with nascent compliance infrastructure, low end-user awareness levels and weak legal enforcement, poses a formidable challenge in combating non-genuine software usage.

The Indian government has taken cognizance of the various information security threats and has set up CERT-In (Computer Emergency Response Team - India) with the charter to become the nation's most trusted referral agency of the Indian community for responding to computer security incidents as and when they occur, the key objective being to reduce the risks of computer security incidents24.

In addition to the services provided by CERT-In, the Government of India's Central Vigilance Commission (CVC) has issued guidelines to control the menace of counterfeit IT products, including operating systems25. India's new IT Act, recently passed by parliament, also changes the country's approach to user-generated content and piracy of copyrighted content on the web and mobile.

Many businesses today have created special roles in the ranks of Chief Security Officers (CSO) / Chief Information Security Officers (CISO) to limit the hazards of information security threats. Appropriate mindshare on issues like weak security controls, inadequate security organizations, non-genuine software usage and low levels of security awareness, together with management commitment towards the information security program, helps provide reasonable assurance that these threats are minimized and managed well.

24 Source: http://www.cert-in.org.in/mission.htm
25 Source: http://www.cvc.nic.in/007crd008.pdf


Organizations are taking initiatives to conduct security awareness sessions to make employees aware of the numerous threats and enable them to take proactive measures to safeguard themselves and their organizations from becoming victims of the various information security threats. In a survey conducted by KPMG26, the majority of CIOs/CISOs stated that their organization had an employee awareness program on the security implications of using non-genuine software and that they were well aware of industry initiatives and government regulations around it (Figure 15).

Figure 15 (two pie charts, values as read from the charts)
• Employee awareness program on security implications of non-genuine software: Yes 74%, No 26%
• Aware of measures taken by industry / government to combat usage of non-genuine software: Yes 78%, No 22%
*Source: KPMG study

26 KPMG survey of CIO/CISOs, 'An Inconvenient Reality', KPMG in India, June 2009


Our survey indicates that the percentage of organizations stating that a significant number of their employees are aware of the security implications of using non-genuine software is high. Further, the number of organizations where security incidents are being reported on identification/detection of non-genuine software is also fairly high (Figure 16).

Figure 16 (two pie charts, values as read from the charts)
• Percentage of employees aware of security implications of using non-genuine software, by band (0-25%, 25-50%, 50-75%, more than 75%): slices of 9%, 13%, 52% and 26% (band assignment not recoverable from the extracted chart)
• Any security incident reported on identification of non-genuine software in organizations: Yes 61%, No 39%
*Source: KPMG study


The above analysis indicates that while some corporate consumers are aware of the risks of using non-genuine software and are taking initiatives to discourage it, there still exists a large section of user groups, small office and home users, that are ignorant of the potential consequences.

Organizations should institute a program for discouraging use of non-genuine software

• Create a formal register containing program name, copies available, serial numbers, version numbers and future upgrade requirements
• Run awareness training programs for employees and communicate the organization's commitment to genuine software
• Obtain undertakings from all third parties to ensure they only supply and use genuine software
• Ensure controls are enforced to prevent and detect installation of non-genuine software
• Ensure compliance by periodic audits
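The first, fourth and fifth points above come down to one recurring reconciliation: what is installed against what was bought. The following is an added example, not code from the KPMG paper, showing that reconciliation over a constructed software inventory and licence register; the product names, serial numbers and host names are invented, and the three finding types are this example's own classification.

```python
"""Added example (not from the KPMG paper): reconciling an installed-software
inventory against the organization's licence register.

The register lists, per product and version, how many copies are licensed and
which serial numbers were issued. Each installation is then checked for three
things: is the product licensed at all, is its serial one the organization
actually holds (a key-generator serial is not), and are more copies installed
than were bought. All products, serials and hosts below are constructed.
"""
from __future__ import annotations

from collections import Counter

# Constructed licence register: (product, version) -> entitlement.
LICENSE_REGISTER = {
    ("OfficeSuite Pro", "2007"): {"copies": 3, "serials": {"OSP-1111", "OSP-2222", "OSP-3333"}},
    ("DesignTool", "CS3"):       {"copies": 1, "serials": {"DT-9000"}},
}

# Constructed inventory, as a desktop-management agent might report it.
INVENTORY = [
    {"host": "host01", "product": "OfficeSuite Pro", "version": "2007", "serial": "OSP-1111"},
    {"host": "host02", "product": "OfficeSuite Pro", "version": "2007", "serial": "OSP-1111"},
    {"host": "host03", "product": "OfficeSuite Pro", "version": "2007", "serial": "OSP-2222"},
    {"host": "host04", "product": "OfficeSuite Pro", "version": "2007", "serial": "OSP-ABCD"},
    {"host": "host02", "product": "DesignTool", "version": "CS3", "serial": "DT-9000"},
    {"host": "host05", "product": "DesignTool", "version": "CS3", "serial": "DT-9000"},
    {"host": "host05", "product": "VideoEditor", "version": "4.0", "serial": "VE-0001"},
]


def reconcile(inventory, register) -> list[dict]:
    """Return one finding per problem. Each finding has a 'kind' of
    'unlicensed_product', 'unknown_serial' or 'over_deployed'."""
    findings = []
    installs: Counter = Counter()
    for item in inventory:
        key = (item["product"], item["version"])
        entitlement = register.get(key)
        if entitlement is None:
            # Nothing in the register covers this product/version at all.
            findings.append({"kind": "unlicensed_product", "host": item["host"], "product": key})
            continue
        installs[key] += 1
        if item["serial"] not in entitlement["serials"]:
            # Licensed product, but a serial the organization never bought.
            findings.append({"kind": "unknown_serial", "host": item["host"],
                             "product": key, "serial": item["serial"]})
    for key, n in installs.items():
        allowed = register[key]["copies"]
        if n > allowed:
            findings.append({"kind": "over_deployed", "product": key,
                             "installed": n, "licensed": allowed})
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by kind; useful for trending between periodic audits."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, LICENSE_REGISTER):
        print(finding)
    print(summarize(reconcile(INVENTORY, LICENSE_REGISTER)))
```

On the constructed data this reports one product with no licence at all, one serial that does not appear in the register, and two products installed on more machines than were paid for. The unknown-serial finding is the one most worth chasing: a serial that no one purchased is the fingerprint of a key generator, and by the evidence in Table 3 the installer that came with it is a likely malware carrier.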

As end users continue to perceive a cost advantage in using non-genuine software, there is an imminent need for the industry, academic institutions and the government to play an active role in creating awareness of the risks of software piracy. Public education campaigns and awareness directives should be used as a medium to help users make informed choices with respect to the purchase of software. Educational institutions should implement effective software asset management policies to regulate the use of non-genuine software in their facilities.

Users need to be more aware

• Buy software from genuine sources
• Check the authenticity of serial numbers online on the supplier's genuine website
• Validate the genuine identification marks on the installation media / packaging
• Assess the genuine identification marks on websites prior to downloading, to distinguish between genuine and fake websites providing downloads
• Preserve all original licenses and documents
• Adhere to policies on usage of genuine software in the workplace


The existing legal and regulatory frameworks also need to be strengthened and rigorously enforced to dissuade individuals and corporations from being a part of the non-genuine software chain. Existing government initiatives such as the appointment of the Copyright Enforcement Advisory Council (CEAC) and the creation of piracy-targeting cells in State Police Headquarters should be expanded and strengthened both in scope and operations.

Considerations for the Government

• Development and roll-out of a program for sensitizing students and parents alike on the security impacts of using non-genuine software
• Facilitate faster and more focused punitive action for non-compliance; setting up special courts dealing specifically with Intellectual Property issues may be considered
• Obtain undertakings from all third parties to ensure they only supply and use genuine software
• Ensure controls are enforced to prevent and detect installation of non-genuine software
• Ensure compliance by periodic audits

Only a concerted effort from the industry, the government and the consumers can ensure that information security risks arising from usage of non-genuine software are minimized.


Appendix: Methodology

The methodology deployed in the development of this whitepaper was primarily a combination of limited primary research, assorted discussions with government and corporate representatives, and secondary research.

We performed a study of 50 select websites providing counterfeit software and/or various enablers of non-genuine software (such as cracks, key generators, serials and warez), with the objective of identifying threat vectors like potential malware, auto-redirections/pop-ups and unsolicited content. The approach adopted was to visit the home page and the page for one sample download.

In addition, we performed a survey of a group of Chief Information Officers / Chief Information Security Officers (CIO/CISO) of organizations to understand their views on programs for, and awareness of, the security implications of using non-genuine software. This survey was performed using a questionnaire focusing on identification of:

• Existence of an employee awareness program on the security implications of using non-genuine software
• Proportion of employees aware of the security implications of using non-genuine software
• Any security incident reported on usage of non-genuine software
• Reasons for an average employee to use non-genuine software
• Awareness about measures taken by government/industry to combat usage of non-genuine software

The secondary research information sources include:

• Business Software Alliance (BSA) – 2007 Global Software Piracy Study
• ScanSafe Annual Global Report 2008
• Harrison Group whitepaper on the impact of the use of unlicensed software in mid-market companies (2008)
• Tracking GhostNet – Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, 2009
• IDC whitepaper on Risks of Pirated Software
• Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, published April 2009

in.kpmg.com

KPMG Contacts

Pradip Kanakia, Head of Markets
Tel: +91 (80) 3980 6100
e-Mail: pkanakia@kpmg.com

Akhilesh Tuteja, Executive Director
Tel: +91 (124) 3074800
e-Mail: atuteja@kpmg.com

KPMG in India

Mumbai
KPMG House, Kamala Mills Compound
448, Senapati Bapat Marg,
Lower Parel,
Mumbai 400 013
Tel: +91 22 3989 6000
Fax: +91 22 3983 6000

Delhi
DLF Building No. 10,
8th Floor, Tower B,
DLF Cyber City, Phase 2, Gurgaon 122 002
Tel: +91 124 307 4000
Fax: +91 124 254 9101

Bangalore
Solitaire
139/26, 3rd Floor,
Inner Ring Road, Koramangala,
Bangalore 560 071
Tel: +91 80 3980 6000
Fax: +91 80 3980 6999

Chennai
No.10 Mahatma Gandhi Road
Nungambakkam
Chennai 600 034
Tel: +91 44 3914 5000
Fax: +91 44 3914 5999

Hyderabad
8-2-618/2
Reliance Humsafar, 4th Floor
Road No.11, Banjara Hills
Hyderabad - 500 034
Tel: +91 40 6630 5000
Fax: +91 40 6630 5299

Kolkata
Park Plaza, Block F, 6th Floor
71 Park Street
Kolkata 700 016
Tel: +91 33 4403 4000
Fax: +91 33 4403 4199

Pune
703, Godrej Castlemaine
Bund Garden
Pune 411 001
Tel: +91 20 3058 5764/65
Fax: +91 20 3058 5775

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2009 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
