An Inconvenient Reality
The unaccounted consequences of non-genuine software usage
ADVISORY
Table of Contents
Foreword
Executive Summary
Key Drivers
Potential Implications
Malware Attacks
Network Effect
Reputation Risks
Appendix: Methodology
Foreword
Explosive growth of the Internet in the last two decades has made it one of the most used channels for acquiring software quickly. At the same time, higher profit margins and minimal risks associated with counterfeiting/cracking of genuine software, have given opportunity to anti-social and anti-national elements to make non-genuine software available on the Internet as well as in the physical media. This combined with limited awareness of the implications of using such software in our user population, exposes our Information, Communication and Technology (ICT) infrastructure to various information security challenges.

The objective of this white paper is to sensitize readers, end users, government establishments and enterprises, to the various security implications associated with usage of non-genuine software. With this intention the paper considers the results of our research, real-life cases and hypothetical scenarios to highlight the potential information security consequences of non-genuine software usage.

The research performed during the development of this paper observed that usage of non-genuine software can now be considered a significant vector in weakening the security posture at micro and macro economic levels. The information and test cases assembled in this paper demonstrate that using non-genuine software not only increases threat of data loss and intrusions to personal systems, but also to critical ICT infrastructure of the society, thereby threatening national security. There cannot be a better time for citizens, governments and corporations to come together in the endeavor to mitigate the risks arising from the usage of these potentially dangerous systems.

Akhilesh Tuteja
Executive Director
KPMG in India

© 2009 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
Executive Summary
It remains a well established fact that use of unlicensed or pirated software results in both immense financial implications due to infringement of the copyright laws as well as tarnishing of the company’s market reputation. Studies also indicate that deployment of such software often leads to organization-wide security risks, such as loss of data privacy, system failures and downtime, and reduced operational performance. Additionally, a 2009 study carried out by KPMG indicates that non-genuine software can potentially disrupt the smooth functioning of an organization’s operations by adversely affecting the system security infrastructure.

This paper seeks to establish the significant direct and indirect information security implications for government and corporate organizations as well as individuals when deploying non-genuine software. The paper elaborates the key drivers motivating the deployment of non-genuine software, the security implications thereof, and the suggested measures and considerations which government and corporate organizations can adopt for increasing awareness among users regarding security implications of deploying non-genuine software, thereby reducing its usage.

• 60 percent websites providing cracks, keygens, warez or counterfeits have potential threat vectors
• 39 percent organizations surveyed reported security incident of non-genuine software detection in their IT environment
• 35 percent organizations cited ‘ready availability’ as the reason for employees to use non-genuine software
• Correlation coefficient between software piracy rates and malware attacks is a strong 0.74
• Companies using non genuine software are 43 percent more likely to have critical system failures*
* Source: Impact of unlicensed software on mid-market companies - Harrison Group

Drivers
Factors such as easy availability, lower costs of acquisition, and convenience of acquiring non-genuine software as well as the attraction of deploying seemingly effective yet free software, continue to drive end users and organizations towards wide range deployment of non-genuine software.

Implications
Recent reports indicate a strong direct correlation between usage of non-genuine software and security threats such as malware and botnets.
As part of the research conducted for this white paper, we reviewed 50 websites offering non-genuine software and/or enabling tools and techniques for acquiring such software, which revealed that more than 60 percent of these websites include a varying degree of threat vectors that can potentially impact information systems security.
The security implications of deploying non-genuine software are multi-dimensional, including threats that directly affect the end-user and organization’s security as well as indirect threats leading to increased cost of protection and remediation. Directly impacting security threats include loss of data confidentiality and integrity, as well as reduced operational performance arising from:
• Phishing Attacks
• Malware and Botnets
• Ransomware
Indirect security threats of deploying non-genuine software include the organization or user unknowingly becoming part of a larger nexus of anti-social elements funding and operating illegal pirated software businesses, thus contributing to the network of organized crime.
Given today’s networked environment, where most computing devices are connected through the Internet, such threats arising from infected non-genuine software have far reaching implications for an entire network. A system having non-genuine software can adversely impact the overall security of a network. A large number of hackers develop potentially dangerous software disguised as software with rich functionalities to lure unsuspecting users. These users can then become part of Botnets and be controlled remotely for executing large scale attacks.
Measures
The paper discusses the security programs adopted by select corporations across industry sectors for discouraging use of non-genuine software and also provides recommendations for mitigating such risks.
Some of the measures that the government and industry may consider include:
• Creating awareness among end users in homes, academic institutions, public and private enterprises against the usage of non-genuine software; this includes a program specially targeted towards the student community
• Working towards effective implementation of the legal and regulatory framework to discourage deployment of infected non-genuine software
• Facilitating faster and more focused punitive action for non-compliance, including establishment of special courts
• Institutionalization of an internal program within the government and private organizations to manage and control deployment of software assets; such programs should include periodic reviews / audits of software inventory and management processes around it
• Implementing controls to prevent and detect usage of non-genuine software, especially on critical Information, Communication and Telecom (ICT) infrastructure
• Spreading the good word
The consumer base for software in India has over the last decade witnessed an unprecedented expansion on account of a surge in PC and Internet penetration across the country. Low production costs, ease of manufacturing and high profit margins have fuelled the non-genuine software market in the country. As per the Fifth Annual Business Software Alliance (BSA) and IDC Global Software Piracy Study released in May 2008, India had a piracy rate of 69 percent in 2007.
The Internet serves to be one of the leading channels for acquiring non-genuine software. Several websites and peer to peer networks offer installable non-genuine software, product keys, key generators and crack tools. There are other equally popular channels like physical media (CDs and DVDs) that are easily available as well. As can be observed in Figure 1, irrespective of the medium used to obtain non-genuine software, the risks of getting infected with malicious software are fairly significant.
[Figure 1: Possibility of infection (%) by medium: Websites, Physical Media, Key Generators]
Information security is generally associated with terms like viruses and cyber crime. However, key information security concerns stem from various sources including:
• Discontent employees: Insider threats initiated by disgruntled employees, contractors and consultants
• Internet: Cyber crime / attacks such as botnets, exploiting browser vulnerabilities
• Mismanagement: Data breaches / loss due to mismanagement
• Terrorist attacks
• Neglected endpoints and LAN security
• Exploited vulnerabilities due to improper patch management
• Social engineering that can be assisted by social networking websites
• Malware like spyware, viruses and trojans which are usually downloaded from the Internet by unsuspecting users
The information security chain is as strong as its weakest link and end users are usually found to be this weakest link. As a user clicks on a malicious link on the Internet and downloads unauthorized software or email attachments, he/she may become a victim of social engineering attacks and sometimes knowingly or unknowingly install counterfeit / illegal or pirated software on his/her machine.
With the rapid rise of the Internet and personal / mobile computing across all walks of life, the exposure of end users to these security threats has increased manifold and thus neither governments nor businesses are immune to these threats.
Our analysis suggests that users in countries with higher software piracy rates tend to be more susceptible to malware attacks (see Figure 2). The correlation coefficient between these two is a strong 0.74.
[Figure 2: chart, y-axis: Percent; x-axis: Country (JPN, AUS, GER, FIN, IND, ALB, MOR, BAH)]
In the context of individuals and businesses, increased vulnerability to malware, damage to reputation, reduced operational efficiencies and increased total cost of ownership are some of the downfalls of deploying non-genuine software. From a broader macro-economic perspective, the use of non-genuine software has the potential to adversely affect employment, tax revenues, industry growth as well as national security.
[Figure 3: Human Development Index (Rank) and Software Piracy Rate (%) by country: USA, LUX, NZ, JPN, SWZ, IND, ZIM, BAN, AZB, MOL, ARM. Chart callout: Revenue losses in India due to software piracy were estimated to be USD 2 billion in 2007.]
As Figure 3 demonstrates, developing nations such as India still remain relatively ill equipped in dealing with software piracy. Non-genuine software exposes its users, whether they are individuals or organizations, to a plethora of information security risks. This is evident in the high correlation between non-genuine software usage and malware infections [1].
Any such security threats viz. viruses, worms, spyware and Trojans, exploit vulnerabilities in the operating system and/or the software / application installed on it. While cyber criminals are continuously on the lookout for these vulnerabilities, software developers are busy developing patches or hotfixes for plugging these vulnerabilities. It is a never ending war and the users need to continuously download these patches and hotfixes to be relatively safe in the cyber world. However, users of non-genuine software suffer a big disadvantage and are constantly vulnerable to these attacks due to the lack of patches and hotfixes being made available to them.
Every time such a user is surfing on the Internet or downloading files through emails or Peer to Peer (P2P) applications, he/she is susceptible to a plethora of security threats. In addition to this, users who continue to download more non-genuine software from the Internet face a double edged sword and are not only vulnerable to any new threats but are continuously exposed to more of these threats every time they visit a website providing non-genuine software or assisting in cracking (installation without license) genuine software.
[1] Correlation coefficient of 0.74 observed in Figure 2
Our study [2] of 50 websites providing various enablers for using non-genuine software viz. cracks, keygens, serials, warez, etc. reveals that there is a significantly high probability of a user browsing the Internet in search of non-genuine software to be exposed to security threats as indicated in Figure 4.
[Figure 4: Percent of websites by threat vector: Potential Malware, Auto Redirection / Pop up, Unsolicited Content]
[2] KPMG study of 50 websites offering non-genuine software and/or enablers to obtain such software. Refer Annexure for methodology.
A synopsis of the potential security implications of deploying non-genuine software is outlined below.
• Involvement of Anti-Social Elements – End users of non-genuine software contribute to a chain which may potentially finance anti-social activities
• Information Disclosure and Data Theft – Users of non-genuine software could be losing valuable personal and financial data
• Malware Attacks – Hidden security and cost implications of non-genuine software usage
• Extortion using Ransomware – Fraudsters using non-genuine software to extract money from end users
• Unsecured Business Environments – Usage of non-genuine software lowers security posture of business environments and can lead to higher critical system failures, operational downtimes and increase in the total cost of ownership in the long run
• Network Effect – Security implications of non-genuine versions of a software that is made available to masses can acquire exponential proportions due to presence of a large number of people on the networks where it is made available
• Academic Institutions and Students – Significant risks to academic institutions and students themselves due to usage of non-genuine software by students
• Increased security exposure for Government – Government sector susceptible to cyber warfare and espionage due to usage of non-genuine software
• Reputation Risks – Usage of non-genuine software can often have large financial and legal risks that may impact reputation
Information security has graduated from being a boardroom issue to an issue of national importance. The following pages attempt to demonstrate, through real life cases and hypothetical scenarios, how academic institutions, government sector organizations and unsecured business environments can become potential victims of security consequences due to the widespread use of non-genuine software.
The way forward, for end users, government and private organizations, to mitigate security risks due to usage of non-genuine software has also been discussed.
[Figure: Percent by potential threat: Exports email addresses, Exports system data, Key stroke logger, Exports user data, Allows remote access]
Consider this…
Apple recently launched its iWork 09 Suite. Post the product launch, non-genuine copies were readily available on file-sharing sites. Several of the non-genuine copies, however, contained Trojan software that was bundled along with the installer package. On installation, the Trojan software connects to a remote server over the Internet and grants a remote controller access on the machine to enable malicious actions. More than 20,000 people have already reportedly downloaded the rogue installer, which was bundled with the non-genuine version of the iWork 09 Suite.
[5] Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009
Statistics from a recent study by Scansafe [6], as illustrated below in Figure 6, indicate that data theft Trojans as a percentage of Malware have increased significantly in 2008 (from 6 percent in 2007 to 14 percent in 2008).
[Figure 6: chart, y-axis: Percent; x-axis: months Jan to Dec]
[6] Scansafe Annual Global Report 2008
[7] Impact of the use of unlicensed software in mid market companies, White Paper by Harrison Group, 2008
Malware Attacks
Rank  Software
1     McAfee VirusScan
2     Symantec Norton Anti-Virus
3     McAfee Internet Security Suite
4     Intuit TurboTax
5     Adobe Photoshop
6     Adobe Acrobat
7     Intuit Quicken Home and Business
8     Symantec Norton pcAnywhere
9     Symantec Norton Ghost
10    Adobe Creative Suite
Table 2 Top 10 pirated software on the Internet
* Source: www.siia.net/piracy/yir_2007.pdf
There are several websites which claim to provide access to non-genuine software through product keys, cracks and key generators. KPMG’s study indicates that employees deploy non-genuine software for multiple reasons, such as easy availability of latest software versions and others as illustrated in Figure 7.
[Figure 7: Number of organizations by reason for use: Cheaper, Readily available, Latest version, Others are using it]
Consider this…
A user finds a torrent [8] on a peer-to-peer file sharing network that contains copies of Adobe software and files that appear to be key generators for the software. Unknown to the user, Malware are packaged with the torrent disguised as key generators or other executables. When the user downloads the torrent and runs such executables, the malware infects the system and typically infects system files and morphs into other seemingly useful files.
The list below highlights some of the typical actions taken by such malware while infecting a machine:
• Creates system tray popups, messages, errors and security warnings
• Makes outbound communication to other computers, phones, IM chat rooms and other services using IRC protocols
• Reads email address and phone book details
• Changes Internet Explorer (IE) options including home page, security tab, color, font, advanced menu
• Modifies the Windows Host File which could be used to stop users from visiting specific websites by redirecting them to alternative addresses without their knowledge
• Deletes other programs
• Infects other program files to include a copy of the infection
• Hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Polymorphs and changes its structure
• Adds a Registry Key (RUN) to auto start programs on system startup
• Includes file creation code which is used to test for interception by security products
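A defender-side check for one behaviour in the list above, the modified Windows hosts file. This is an added example, not part of the original paper; the function name `audit_hosts`, the hostnames and the addresses in the sample are constructed for illustration.

```python
import ipaddress

# Names a stock hosts file may legitimately pin to a loopback address.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: reserved .example names and a documentation address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # update site pinned to loopback
0.0.0.0         www.av-vendor.example
203.0.113.45    www.bank.example login.bank.example
"""


def audit_hosts(text):
    """Return (line_no, hostname, address, verdict) for every override.

    verdict is one of:
      'blocked'    - name pinned to a loopback or unspecified address, so
                     the site silently stops loading
      'redirected' - name pinned to any other address, so the user reaches
                     a different server than DNS would return
      'malformed'  - first field is not an IP address
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = entry.split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, entry, fields[0], "malformed"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host in BENIGN_NAMES and addr.is_loopback:
                continue  # the expected localhost entries
            verdict = "blocked" if sinkhole else "redirected"
            findings.append((line_no, host, str(addr), verdict))
    return findings


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for line_no, host, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} [{verdict}]")
```

Deliberate ad-blocking host lists also produce 'blocked' findings, so compare the output against the organization's known-good baseline before treating an entry as an infection.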
[8] Torrents are files downloaded using BitTorrent's Peer-To-Peer file sharing protocol
The installed malware could be anything from a data stealing Trojan to a virus / worm or even a remotely controlled “bot”. Symantec’s recent report [9] on Internet security threats lists India as the most affected country in the APJ region, in terms of distribution of viruses and worms (see Figure 8).
[Figure 8: Top Countries]
[9] Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009
Consider this...
If a user wishes to obtain a copy of the Adobe Acrobat reader software, and uses the keyword ‘Adobe reader’ in a Google search, Google returns results with several links offering a free download of Adobe Acrobat reader software along with a sponsored link leading to a malicious / spoofed website. Clicking on the malicious link redirects the user to a spoofed ‘CNET Download.com’ site which offers a free download of a copy of Adobe reader. When a user downloads and runs it, a full, operating copy of Adobe Acrobat reader is installed, but with a twist.
After installing the program, users are interrupted with message boxes at one minute intervals. The Malware itself offers a fake remedy in the form of a pointer to a fake site which is presented as a “Remove all threats” button. After a period of time as the user tries to access files on the ‘System’ drive of the infected system, the ransomware starts displaying a message that the files are encrypted. The message clearly indicates that the victim needs to download a decryptor for decrypting data on the ‘System’ drive of the infected system. Accepting the message redirects the user browser to a Malware website which hosts the decryptor and which is available for download at a price.
A recent case of such ransomware was that of ‘FileFix Pro’, a phony utility which encrypts the user’s documents and demands that the user purchase a decryptor for USD 50 for decrypting the same.
Fake anti-virus and security software is a popular target for propagators of ransomware. It is estimated that fraudsters make as much as USD 5 million through planting fake anti-virus software alone [10].
[10] Computerworld Security – October 31, 2008
Consider this…
As per the study ‘Impact of Unlicensed Software on Mid-Market Companies’ by the Harrison Group, companies using non-genuine software are 43 percent more likely to have critical system failures (some of them lasting 24 hours or more). Apart from maintenance costs, downtime of IT systems could also translate into lost revenues, productivity and other invisible costs.
Additionally, the use of non-genuine software makes it difficult for companies to install security patches and updates, thus leaving them exposed to malware attacks. The cost of recovering from such attacks / incidents could in some cases exceed USD 1,000, thus negating the value the organization was hoping to gain through counterfeit copies of software. Thus, the cost savings of using non-genuine software are eradicated by a single security breach [11].
[Figure: Likelihood (%) by type of failure: Minor System Failure 9, Significant System Failure 24, Critical System Failure 43]
[11] http://www.microsoft.com/protect/promotions/us/wga_idc_us.mspx
Reinforcing this is a study by Microsoft illustrated in Figure 12, which indicates that over a period of time, the total cost of ownership of pirated software is very high owing to maintenance costs and opportunity losses due to system failures and virus attacks.
For the purpose of this study, Microsoft bought and tested CDs and DVDs from various roadside vendors and carried out a survey of businesses divided between using genuine and non-genuine software.
[Figure 12: Total cost of ownership (INR Lakh) by duration: 2 years, 2-3 years, 3-4 years, 4-5 years, 5-6 years, 6-7 years]
Network Effect
Consider this…
It is estimated that there are around 30 million Chinese handsets in the country which lack an International Mobile Equipment Identity (IMEI) number [13]. The IMEI is a 16-17 digit number which helps in uniquely identifying a handset and its location on the network. Currently the Cellular Operators Association of India (COAI) and the Intelligence Bureau (IB) are mulling over the security implications of a software which when uploaded to these devices would provide these devices with a unique IMEI number. As a preliminary countermeasure, the Department of Telecommunications (DoT) has meanwhile instructed all service providers to disconnect these handsets from their networks.
The ramifications of an unlicensed malicious version of such a software, if created, are enormous. Even if downloaded by a small percentage of the 30 million Chinese handset users, it could lead to large scale tampering of IMEI numbers. Given the increasing role of cell phone transcripts in monitoring and investigating anti-social activities, usage of a non-genuine version of this software could lead to failure of the very objective of mitigating the risk due to presence of cell phones without IMEI numbers on the cellular networks in India.
Additionally, a malicious version of the software could also increase the risk of usage of the phone by a malicious third party as a launch pad from which worms and Trojans might launch attacks on the network.
[12] http://www.gartner.com/it/page.jsp?id=509906
[13] Times of India, dated 04 April 2009
As observed in Figure 13, the threat of malware in mobile devices is rapidly increasing year on year.
[Figure 13: Malware discovered by year, 2004 to 2008]
Unlike a computer virus that can be observed and dissected on a machine that is disconnected from any network, wireless malware can spread—in some cases, even make transoceanic leaps—the moment the infected phone is powered up. It could send unwarranted MMS (Multimedia Messaging Service) and SMS (Short Message Service) messages to all contacts on the infected phone which has malicious files on it. Further, call logs of the device carrying all personal and professional contacts and data on the phone could also be sent to a commercial Internet server for viewing by a third party.
Academic Institutions –
Usage of non-genuine software by students
Rajiv Dalal
Managing Director
Motion Picture Dist. Association
of India (MPDA)
[14] “Higher Education Unlicensed Software Experience – Students and Academics Survey”, Ipsos Public Affairs – May 2005
[15] “Higher Education Unlicensed Software Experience – Students and Academics Survey”, Ipsos Public Affairs – May 2005
[16] A Study of Malware in Peer to Peer networks – Andrew Kalafut, Abhinav Acharya and Minaxi Gupta
[17] A Study of Malware in Peer to Peer networks – Andrew Kalafut, Abhinav Acharya and Minaxi Gupta
Columns: Malware Function; Definition; Typical examples; Percentage of Limewire files infected

Malware Function: Downloader
Definition: A computer program that is designed to download files onto a PC usually without the user’s knowledge or consent. A downloader may also be programmed to perform automatic downloads in order to update itself.
Typical examples: Win32.Zlobdx, Win32.Banload.n
Percentage of Limewire files infected: 45.16 percent

Malware Function: Worm
Definition: A virus which creates copies of itself on other drives, systems or networks and performs other malicious actions which may cause systems to shut down.
Typical examples: Worm.Alcan.D, Worm.VB.-16, Worm.P2P.Poom.A
Percentage of Limewire files infected: 40.32 percent

Malware Function: Backdoor
Definition: A Remote Control Software which allows a third-party (the attacker) to gain access and control of a victim’s computer. Backdoors, considered to be Trojans, can bypass security mechanisms. Backdoors are a security risk because they can gain personal information or use a victim’s computer to attack a server.
Typical examples: NetBus, BackOrifice
Percentage of Limewire files infected: 25.81 percent

Malware Function: Adware
Definition: A software program that can display advertising banners while the program is running. Adware may track a user’s personal information and transfer the collected data to third parties, without the user’s knowledge or consent.
Typical examples: Adware.ABX.Toolbar, Adware.ActiveSearch, Adware.Adbars, Adware.AdBlaster
Percentage of Limewire files infected: 4.84 percent

Malware Function: Dialer
Definition: Dialer is a computer program used to redirect user’s telephone connection to the more expensive line with higher charges for a content provided with or without a user’s consent.
Typical examples: Adware.Adhelper, Dialer.Antispy, Dialer.Asdplug, Dialer.AxFreeAccess
Percentage of Limewire files infected: 4.84 percent

Malware Function: Keylogger
Definition: A malware that cuts off the data exchange between the user entering it and the intended recipient application. It records any information that the user types at any time using his/her keyboard and can send it to a third party. Keylogger creates the log file which can be sent to a specified receiver. Trojan and Pup keyloggers are functionally identical.
Typical examples: Keylogger.Cone.Trojan, Keylogger.Mose, Keylogger.Stawink
Percentage of Limewire files infected: 3.23 percent

Table 3
The table suggests that files and unlicensed software obtained by students through P2P networks pose significant information security risks to educational institutions.
The risks could also often be regulatory non-compliance. A case in point is where the Software and Information Industry Association (SIIA) [18] was involved in an investigation of a university in the mid-west region (USA) where the students were creating Warez [19] sites / content on college servers.
[18] What is Piracy - The Piracy problem (SIIA)
[19] "Warez" refers to copyrighted works traded in violation of copyright laws
Typically government departments / organizations are the ones who are involved in large turnkey IT outsourcing contracts where the scoping of the deployment of genuine software is seen to remain unclear amongst outsourcing organization, service provider and software vendor. It has been seen that this increases security exposure during large deployments or projects in government enterprises.
Consider this...
A government department decides to upgrade their existing IT infrastructure / network and invests in substantial new IT hardware. Whilst original operating systems are purchased for key servers, unlicensed software is installed on a few end user systems. Unknown to the users, the unlicensed software consists of a backdoor, which allows the host to be remotely controlled by a command-and-control server. Subsequently, sensitive files are accessed and relayed to the controllers through encrypted schemes that provide cover and stealth from existing intrusion prevention mechanisms.
[20] Such as the study conducted by ‘Springboard Research’, a Singapore based firm in 2006
High Commission of India, Cyprus            H   CY   1
High Commission of India, United Kingdom    H   GB   1
[21] Tracking GhostNet – Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009
Increasing adoption of Internet enabled technology solutions combined with the high software piracy rates in India could be a contributing factor in making the government sector more susceptible to attacks such as the botnet attacks described above. As seen in Figure 14, several botnet attacks can be traced to countries such as China, Brazil, South Korea and Poland where there is a medium-high software piracy rate.
[Figure 14: In the list of ‘Top 6’ countries (in terms of botnet attacks), China, Brazil, South Korea and Poland have medium-high software piracy rates. Axes: Units by Country (USA, China, Brazil, South Korea, Poland, Japan).]
Reputation Risks
Consider this...
In March 2009, BSA reported having settled claims of USD 350,909 from four California-based companies for having unlicensed copies of software installed on their computers. The companies paid damages in the range of USD 70,000 to USD 110,000 for having unlicensed copies of software such as Adobe, Symantec and Microsoft software installed on their computers. As part of the individual settlements, the companies have agreed to delete all unlicensed copies of software installed on their computers, acquire any licenses necessary to become compliant, and commit to implementing stronger software license management practices.
22 Indian Copyright Act & http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=6250
23 http://www.itpro.co.uk/index.php/609881/pirated-software-costs-firms-16-million
The intent of this whitepaper has been to highlight the far reaching impacts of using non-genuine software on the security of individuals, businesses, governments and nations. In the discussions above, we have attempted to bring to the forefront the evident as well as the concealed implications that non-genuine software usage has on its stakeholders.
The surge in Internet penetration, which provides easier access to non-genuine content available online, coupled with nascent compliance infrastructure, low end user awareness levels and weak legal enforcement, poses a formidable challenge in combating non-genuine software usage.
The Indian government has taken cognizance of the various information security threats and has set up CERT-IN (Computer Emergency Response Team - India) with the charter to become the nation's most trusted referral agency of the Indian community for responding to computer security incidents as and when they occur; the key objective being to reduce the risks of computer security incidents[24].
In addition to the services provided by CERT-IN, the Government of India’s Central Vigilance Commission (CVC) has issued guidelines to control the menace of counterfeit IT products including operating systems[25]. India’s new IT Act that was recently passed by the parliament also changes the country’s approach to user generated content and piracy of copyright content on the web and mobile.
Many businesses today have created special roles in the ranks of Chief Security Officers (CSO) / Chief Information Security Officers (CISO) to limit the hazards of information security threats. Appropriate mindshare on issues like weak security controls, inadequate security organizations, non-genuine software usage, low levels of security awareness and management commitment towards the information security program helps provide reasonable assurance that these threats are minimized and managed well.
24 Source: http://www.cert-in.org.in/mission.htm
25 Source: http://www.cvc.nic.in/007crd008.pdf
Organizations are taking initiatives for conducting security awareness sessions to make the employees aware of the numerous threats and enable them to take proactive measures to safeguard themselves and their organizations from becoming victims of the various information security threats. In a survey conducted by KPMG[26], a majority of CIOs/CISOs stated that their organization had an employee awareness program on security implications of using non-genuine software and that they were well aware of industry initiatives and government regulations around it (Figure 15).
[Figure 15: two Yes/No pie charts; the values shown are 26% and 74% for the first, 22% and 78% for the second.]
26 KPMG survey of CIO/CISOs, ‘An Inconvenient Reality, KPMG in India, June 2009’
Our survey indicates that the percentage of organizations stating that a significant number of their employees are aware of the security implications of using non-genuine software is high. Further, the number of organizations where security incidents are being reported for identification/detection of non-genuine software is also fairly high (Figure 16).
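[Figure 16: two pie charts. The first uses the categories 0-25%, 25-50%, 50-75% and More than 75%; slice values shown: 9%, 13%, 52%, 26%. The second is a Yes/No chart; values shown: 39%, 61%.]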
The above analysis indicates that while some of the corporate consumers are aware of the risks of using non-genuine software and are taking initiatives to discourage it, there still exists a large section of user groups – small office and home users – that are ignorant of the potential consequences.
• Create a formal list containing program name, copies available, serial numbers, version numbers and future upgrade requirements
• Run awareness training programs for employees and communicate the organization’s commitment to genuine software
• Obtain undertaking from all third parties to ensure they only supply and use genuine software
• Ensure controls are enforced to prevent and detect installation of non-genuine software
• Ensure compliance by periodic audits
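The formal list and the detection control named above can be checked against each other mechanically. The following is an added example, not part of the original paper: it reconciles a constructed endpoint inventory against a constructed license register, and every program name, host name and serial number in it is made up for illustration.

```python
from collections import defaultdict

# Constructed license register, using the fields the list above names:
# program name, copies available, serial numbers, version numbers.
REGISTER = {
    "OfficeSuite": {"copies": 2, "serials": {"OS-1111", "OS-2222"}, "versions": {"12.0"}},
    "PhotoEdit":   {"copies": 1, "serials": {"PE-9001"}, "versions": {"4.1", "4.2"}},
}

# Constructed endpoint inventory: (host, program, version, serial) per installation.
INSTALLED = [
    ("pc-01", "OfficeSuite", "12.0", "OS-1111"),
    ("pc-02", "OfficeSuite", "12.0", "OS-2222"),
    ("pc-03", "OfficeSuite", "12.0", "OS-1111"),    # third copy, reused serial
    ("pc-03", "PhotoEdit",   "4.2",  "XXXX-0000"),  # serial not in the register
    ("pc-04", "DiskTool",    "1.0",  "DT-1"),       # program not in the register
]

def audit(register, installed):
    """Return a sorted list of (host, program, finding) tuples."""
    findings = []
    per_program = defaultdict(list)
    for host, program, version, serial in installed:
        entry = register.get(program)
        if entry is None:
            findings.append((host, program, "not in license register"))
            continue
        per_program[program].append(host)
        if serial not in entry["serials"]:
            findings.append((host, program, "unknown serial number"))
        if version not in entry["versions"]:
            findings.append((host, program, "unlicensed version"))
    for program, hosts in per_program.items():
        excess = len(hosts) - register[program]["copies"]
        if excess > 0:
            # Flag the product once; which host holds the excess copy
            # is for the auditor to decide.
            findings.append(("*", program, f"{excess} install(s) over licensed copies"))
    return sorted(findings)

if __name__ == "__main__":
    for host, program, finding in audit(REGISTER, INSTALLED):
        print(f"{host:6} {program:12} {finding}")
```

Run on a schedule against a real inventory export, the same reconciliation doubles as the periodic audit the last item asks for.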
As end users continue to perceive a cost advantage in using non-genuine software, there is an imminent need for the industry, academic institutions and the government to play an active role in creating awareness on the risks of software piracy. Public education campaigns and awareness directives should be used as a medium to help users make informed choices with respect to purchase of software. Educational institutions should implement effective software asset management policies to regulate the use of non-genuine software in their facilities.
• Buy software from genuine sources
• Check online for authenticity of the serial numbers on the supplier's genuine online website
• Validate for genuine identification marks on the installation media/packaging
• Assess the genuine identification marks on the websites, prior to downloading, to distinguish between genuine and fake websites providing downloads
• Preserve all original licenses and documents
• Adhere to policies on usage of genuine software in the workplace
The existing legal and regulatory frameworks also need to be strengthened and rigorously enforced to dissuade individuals and corporations from being a part of the non-genuine software chain. Existing government initiatives such as the appointment of the Copyright Enforcement Advisory Council (CEAC) and creation of piracy targeting cells in State Police Headquarters should be expanded and strengthened both in scope and operations.
• Development and rollout of a program for sensitizing students and parents alike on the security impacts of using non-genuine software
• Facilitate faster and more focused punitive action for non-compliance; set up of special courts dealing specifically with Intellectual Property issues may be considered
• Obtain undertaking from all third parties to ensure they only supply and use genuine software
• Ensure controls are enforced to prevent and detect installation of non-genuine software
• Ensure compliance by periodic audits
Only a concerted effort from the industry, the government and the consumers can possibly ensure minimization of information security risks arising from usage of non-genuine software.
Appendix: Methodology
The methodology deployed in the development of this whitepaper was primarily a combination of limited primary research, assorted discussions with government and corporate representatives and secondary research.
We performed a study of 50 select websites providing counterfeit software and/or various enablers to non-genuine software (such as cracks, key generators, serials and warez), with the objective of identifying threat vectors like potential malware, auto-redirections/pop-ups, and unsolicited content. The approach adopted was to visit the homepage and the page for one sample download.
In addition, we performed a survey of a group of Chief Information Officers / Chief Information Security Officers (CIO/CISO) of organizations to understand their views on programs for, and awareness of, security implications of using non-genuine software. This survey was performed using a survey questionnaire focusing on identification of:
• Existence of employee awareness program on security implications of using non-genuine software
• Proportion of employees aware about security implications of using non-genuine software
• Any security incident reported on usage of non-genuine software
• Reasons for an average employee to use non-genuine software
• Awareness about measures taken by government/industry to combat usage of non-genuine software
The secondary research information sources include:
• Business Software Alliance (BSA) – 2007 Global Software Piracy Study
• Scansafe Annual Global Report 2008
• Harrison Group Whitepaper on Impact of the use of unlicensed software in mid-market companies (2008)
• Tracking GhostNet – Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, 2009
• IDC whitepaper on Risks of Pirated Software
• Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009
in.kpmg.com
KPMG in India
KPMG Contacts
Bangalore
Solitaire
139/26, 3rd Floor,
Inner Ring Road, Koramangala,
Bangalore 560 071
Tel: +91 80 3980 6000
Fax: +91 80 3980 6999
Chennai
No.10 Mahatma Gandhi Road
Nungambakkam
Chennai 600 034
Tel: +91 44 3914 5000
Fax: +91 44 3914 5999
Hyderabad
8-2-618/2
Reliance Humsafar, 4th Floor
Road No.11, Banjara Hills
Hyderabad - 500 034
Tel: +91 40 6630 5000
Fax: +91 40 6630 5299
Kolkata
Park Plaza, Block F, 6th Floor
71 Park Street
Kolkata 700 016
Tel: +91 33 4403 4000
Fax: +91 33 4403 4199
Pune
703, Godrej Castlemaine
Bund Garden
Pune 411 001
Tel: +91 20 3058 5764/65
Fax: +91 20 3058 5775
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2009 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.