Hacking at WIPRO
Indian Tech Major WIPRO, which proudly announces its
efforts towards "Enabling Business Transformation Excellence", found itself
embarrassed by a total failure of its internal controls that allowed one of
its employees to embezzle US $ 4 million.
According to the reports available, an employee of WIPRO
working in the finance division is reported to have embezzled US $ 4 million
by stealing a password and using it to transfer money belonging to the
Company. The fraud ran for a period of three years without being detected.
Though a sum of US $ 2 Million appears to have been
recovered, and the Company is sound enough to absorb the remaining loss, the
incident throws up several questions on the soundness of the Information
Security systems at WIPRO. There is an indication that the systems were
inadequate and that the Company was negligent in protecting its information
assets. There is also an indication that the Bank which allowed the transfer
of money was negligent in handling the authentication systems.
It is also evident that, WIPRO being a listed company bound by the
SEBI Clause 49 declaration, the CFO and CEO had provided a false certification
to the shareholders that "There was compliance of all regulatory requirements"
and that "There was adequate internal controls". The audit committee and
independent directors also need to introspect and ask whether they have been
diligent.
The Company's HR policies and the Security Incident Management
system also need to be reviewed, given that the perpetrator of such a crime
has merely been "suspended" and no police complaint is being lodged for the
commission of this cognizable offence.
It is also necessary to fix the responsibility of the
statutory auditors B S R and Company who audited the finances of the Company.
It is clear that this large amount was transferred on the
strength of electronic instructions which were (presumably) not backed by
Digital Signatures. The case reveals the extent of loss companies and banks
may sustain if they continue to ignore the need to adopt the secure means of
authentication recommended by ITA 2008.
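The contrast between the password-based authorisation described above and a digitally signed instruction, as an added illustration that is not part of Naavi's article: a constructed Go program in which the bank-side check either compares a shared password or verifies an Ed25519 signature over the order itself. The instruction layout, the payee names and the password are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// TransferInstruction is a constructed, simplified payment order; the
// layout is an assumption for this example, not any bank's real format.
type TransferInstruction struct {
	Payee  string
	Amount uint64 // smallest currency unit
	Seq    uint64 // monotonically increasing, so a captured order cannot be replayed
}

func (t TransferInstruction) bytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%d", t.Payee, t.Amount, t.Seq))
}

// PasswordOnlyAccept models the weak control: anyone holding the shared
// password can release funds, and nothing binds it to the instruction.
func PasswordOnlyAccept(expected, supplied string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(supplied)) == 1
}

// SignedAccept models the stronger control: the bank verifies a signature
// under the authorising officer's registered public key, so a stolen
// password releases nothing and any edit after signing is detected.
func SignedAccept(pub ed25519.PublicKey, t TransferInstruction, sig []byte) bool {
	return ed25519.Verify(pub, t.bytes(), sig)
}

// Demo runs one constructed scenario and returns the three outcomes.
func Demo() (stolenPasswordAccepted, alteredOrderAccepted, genuineOrderAccepted bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	genuine := TransferInstruction{Payee: "Vendor Ltd", Amount: 250000, Seq: 1}
	sig := ed25519.Sign(priv, genuine.bytes())
	stolenPasswordAccepted = PasswordOnlyAccept("s3cret", "s3cret") // insider knows the password
	altered := TransferInstruction{Payee: "Insider Acct", Amount: 250000, Seq: 1}
	alteredOrderAccepted = SignedAccept(pub, altered, sig) // payee changed after signing
	genuineOrderAccepted = SignedAccept(pub, genuine, sig)
	return
}

func main() {
	fmt.Println(Demo()) // true false true
}
```

The signed path also gives the company the evidentiary record the article asks for: a verified signature ties each order to one officer's key and to the exact payee and amount.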
It was perhaps not a coincidence that Satyam Computer
Services whose internal frauds of US $ 1.8 billion made news last year had
also been a recipient of a "Golden Peacock Award" for Excellence in Corporate
Governance a little before the fraud broke out.
These two incidents clearly indicate that the IT industry
has a faulty system of evaluation which does not factor in the risks arising
out of Cyber Crimes. The awards and certifications presently being used to
determine the excellence in operations have completely lost credibility.
Naavi.org has been advocating that "There is No Quality
without Security" and "No BCP without a Cyber Law Compliance Programme". The
IISF 309 is an Information Security Framework suggested by Naavi to strengthen
the Information Security System in a Company.
The focus of the IISF 309 is securing the Company from the
"Techno Legal Perspective", so that in the event of any loss the company can
recover the loss through appropriate legal measures. This ability to provide a
"Defensive Legal Shield" (DLS) and an "Offensive Legal Sword" (OLS) is the need
of the hour, extending the current technical approach to Information Security,
which ends with a DRP and BCP objective.
Naavi has also floated some initial thoughts on measuring
the Information Security preparedness of an organization through the IS-CMM
system based on the "Theory of IS Motivation".
This Theory of IS Motivation takes into account the fact
that "No Information Security Programme is successful unless it takes into
account the need to incorporate the Behavioural Science aspects in the
implementation mechanism".
The current incident highlights the deficiencies in the traditional approach
to Information Security currently practiced by most Companies and underscores
the need for a change in the approach.
Naavi
February 18, 2010
Related Articles:
Report in ET
Report in moneycontrol.com
Wipro Fraud by an Employee leaves IT Major Red Faced after Satyam Debacle
Post fraud, Wipro reshuffles finance dept
Comments are Welcome at
naavi@vsnl.com