Neena Godbole warns about Antiforensic Tools


Neena Godbole spoke to Apurva Joshi – CEO of Fraudexpress and explained the role of technology in fighting the frauds.

I hold a Master’s Degree in Science from IIT Bombay ‐ graduated from IIT Bombay in the year 1981. I also have an M.S. Engg Degree in Computer Science from Newport University, California USA and a post graduate diploma in Computer Engineering from Pune along with a post graduate Diploma in Business Management from Xavier Institute of Management, Bombay. I have been working since 1981 in various roles in the IT/software industry. For more than the last 4 years I am working with information systems security, data privacy and regulatory compliance area. I also have professional certification like CISA, CIPP/IT, ITIL and many others. Two of my 3 books are in security domain. In 2009, Wiley India published my comprehensive book on Information Systems Security. The book has been very well received in the industry and has become a reference book for those who appear for professional certifications such as the CISA, CEH, CISSP etc. In 2011, my co‐authored book on Cyber Security was published by Wiley India. The book has been blessed in form of Foreword by an eminent personality in security domain such as Dr. Kamlesh Bajaj who is the CEO of Data Security Council of India (DSCI) – an organization that has been doing foundational work in the domain, working with industries and also with Govt. of India. The cyber security book is now established as the standard reference book on many computer forensic courses in India including the one at the GTU (Gujrat Technical University). I have been a recipient of many awards, rewards and special recognition for delivery of value adding work and contribution in the industry where I worked.

So, when and how did you start in antifraud/ security and forensic functions field?
My involvement has been in an interface role and it started when I became part of business controls team in my organization. About 1.5 years back, I became instrumental in rolling out an organization wide Incident Management and Reporting system. It was not easy as I had to interface with a very large number of people, mainly our business unit heads. “Incidence reporting” can get very political when it enters organization’s score card!! Every business wants to make their best to keep their negative publicity down in case an incident has occurred in their business. Moreover, each team/dept/unit has its own definition about what an ‘incident’ is!! In such a milieu it was a herculean effort to get the incident reporting procedure rolled out.
When an organization is involved in handling the work outsources to them, there comes with it client’s trust that personal sensitive information and confidential data of client will be handled with due care. Many data incidents take place in our global business today –  incidents such as data theft, inappropriate use of confidential data to name a few. Having controls to avoid/minimize such incidents and testing of those controls is what I am involved with. Sometimes that work needs me to interface with forensic agencies. I do have industry networking with computer forensic professionals because my work makes me be in touch with them professionally.

What are your views on antifraud and forensic functions field?
Although India is considered as the country with lower rate of Internet penetration, there were more than 71 million users of Internet in India in 2009 alone! Imagine the scene today while the usage is growing at a rapid rate.
Given the 24 X 7 connectedness in today’s global business era, phenomenal growth in the use of Internet and related technologies as well growing use of mobile technologies and the fact that our young generation is so savvy in using those technologies, there is greater than never risk now. The ease of using most of the technologies, changing values and deteriorating social fabric etc. makes breeding of criminal mind easy. The inception of online banking facilities and their growing use has opened the entire financial area for possible frauds including those at the ATMs! All this makes a strong case for there being antifraud agencies and I am so glad that initiatives like FraudExpress magazine are now in place. This is indeed the need of the hour. We need an approach and effort at a war footing level to raise cyber security awareness in the country and I am glad I am doing my bit by delivering educational talks on this topic in various forums.
Through my discussions with forensic professionals and cyber cell investigation officers, it seems that computer forensic professionals are in short supply currently. There is certainly a need for greater education in this domain supported by forensic labs where people can be trained. As mentioned in my book on Cyber Security, ‘anti‐forensics’ are the adversaries for whatever forensics professional does! There will always be a ‘race’ – one trying to out‐do the other! Another interesting phenomenon I note is the ever increasing miniaturization of storage devices and feature richness of mobile devices.
Let us not forget the mushrooming number of cyber café’s in India. Our study shows that a large majority of them are not monitored. In India the ratio of laptop/PC to persons is still very low and that probably is the reason for the number of cyber cafes mushrooming – cyber café market doubles every two years and most cyber crimes are said to be traced to cyber cafes.

Which is the most memorable case that you have witnessed in your career? What was remarkable about those cases?
Obviously, for reasons of confidentiality I am not going to disclose the names but there have been two cases that I am aware of. In one source code was sent by an employee in one organization to his spouse working in another organization that was the competition organization. This happened in an organization that was said to have most stringent security controls and employee education!
In another case, confidential mails were found published on the Internet – mails disclosing the details of a large contract and many internal aspects of it. Both cases happened in an organization that had many security controls, continuous awareness sessions on cyber security etc. This happened in an organization that had a very demanding and tough client when it came to security controls. They even had a physically secluded work area. When the laptop of suspected employee was taken to forensics lab, nothing could be found attributable to the employee. It remained a puzzle. The employee left the organization. The organization suffered a loss as it lost face with its client. Incidents of this kind only go to show that there is no such thing as ‘full proof’ controls or full proof defence. Data incidents will continue to happen and we can only hope to minimize the damage, negative image, blow to brand image. Controls and measures will at least help us to soften the blow if we cannot not avoid it altogether. The fear of law and punishment has to be made deeply ingrained in people’s mind. Today that seems not to be so either due to total unawareness or due to callousness.

Tell us about your books in security domain. What inspired you to write them?

Writing has been my passion for many years. I believe in creating Knowledge Artifacts useful to professionals. I did that from my previous work domain and now I have done also in the security domain where I have been working. I take a lot of efforts in manuscript development. It is always my effort to deliver a quality product. Going by the market feedback received on my books, I can say that it has happened with my books too. The book on cyber security is written from the main objective of creating awareness for public at large. The book also works as reference book to several certification exams in the related domain. The previous book on information security was taken up based on the observation that there was no complete book on the topic. Today many universities have been able to create courses based on that book. For example, the topics addressed in my information security and cyber security books map well with C‐DAC’s Post Graduate Diploma course in Information Security and Cyber Security. My sole authored comprehensive book on information systems security (published in 2009) has been well received in the industry and also been of interest at the IIM Ahemedabad among so many other premium institutes in India. Other courses and institutes that have adopted this book are ‐ (1)
University of Mumbai, Systems Security course for Computer Engineering program and B.E. (Computer Engineering), (2) Information and Network Security (3) Anna University of Technology, Tiruchirappalli, for their course in Information Systems Security Management at their M.S course. (4) University of PUNE ‐ Master Degree in Computer Management (M.C.M.), Information Security paper etc. and many others.

In your opinion, what is the scope of antifraud and security
functions field in India?
There is a lot of scope, no doubt. Remember what I mentioned when you asked me about my views on anti‐fraud and forensic functions field. From my experience of talking with small size organizations in the manufacturing domain, it emerges that awareness is pretty low both about information security and cyber security. Manufacturing sector is just one vertical. Today the awareness in the financial domain industry is much higher probably because people can appreciate the hit to their money but may be not so much about loss to privacy!! Take for example the hospitality industry, the healthcare industry. My interactions in this domain show that here data privacy awareness is not so high and nor is information security/cyber security awareness. Frauds do not take place only by misappropriating people’s money and other financial resources. Frauds can also take place by stealing sensitive personal information and there a lot of such information accumulated in the common course of business transactions in the hospitality industry as well as in the healthcare industry. The US has stringent laws when it comes to protection of personal data and Europe is paranoid about privacy. In India, there is a need for a lot – with section 43‐A of the Information Technology Act of India (2008 amendments), I am sure a new era has dawned. In all, there is a tremendous scope of fraud investigation professionals, digital forensics/computer forensic professionals in India. Let us not forget that India is among the hottest destination for business outsourcing. With business, lots of data gets exchanged or shared and some of that data could be highly confidential, sensitive, whose loss or misuse could create tremendous damages and liabilities.

What is your estimate of the industry according to you? How many people are employed and what could be the combined revenues?
This is tough! One can only provide a very rough estimation on these aspects. To my knowledge there is no centrally maintained statistics and other information on this. For example, when I see the site for anti fraud network, I do not see any listing under India.
According to INDIAFORENSIC’s 3rd Annual report on the status of forensic accounting in India, Citi Bank is the single biggest bank in the banking sector which employs highest number of Certified Anti‐money laundering experts and the Certified Forensic Accounting Professionals. The second highest concentration of forensic professionals is in the Big four accounting firms. For example, KPMG is said to have more than 300 professionals working for their forensic team. I see that forensics related certification programs are on the rise and with that, we should see a rise in the number of professionals in the coming years. It is even tougher to comment on the revenues – I am not sure if there is an official source for that information. I strongly feel that we need a good alliance among the law enforcement agencies, legal professionals and forensic investigators. Forensic professionals alone won’t suffice.

What are the career opportunities that you see in this field?
There are tremendous opportunities today as cyber crimes are on the rise (due to the factors mentioned earlier). Also on the rise are frauds which need investigation though from a country standpoint it is shameful to mention this, post Satyam scam, the need of the forensic accountants was felt across the IT industry. It is not surprising then, that you will see hundreds of web link displaying job opportunities for fraud investigation role. In our book on cyber security, we have devoted a full chapter on explaining the number of roles and careers in cyber security and we urge people to read the book as well as that chapter. There is a caveat! When something is perceived as glamorous and is in demand, it sales like a hot cake! Everyday we see so many advertisements with institutes coming up with forensics courses. One must validate their authenticity. Most may be authentic but all would not be. So, it is up to an individual to be cautious and validate the authenticity.

How does one become forensic accountant/security professional what qualifications, background and qualities looked for?
Let me be frank here ‐ although many youngsters look for entering the forensic for the glamour and lime light attached to it, they ought to be aware of the onerous responsibility it puts on their shoulders when they become forensic professionals. Forensic investigation is like gem mining ‐ only when you dig thousands of meters deep down, may you get some worthwhile stuff. Patience, diligence and discipline are a must for those who wish to enter the field. Deep technical knowledge about computers and other computing technologies are essential but that knowledge can be gained. In my view, equally crucial is the sense of professional ethics and the art of communication and networking because a forensic professional needs to interface with a number of agencies – the police, the lawyers, the government official, apart from the impacted person
with whom a fraud/cyber crime has happened. Please refer to Chapter 12 of our book – it is about careers in cyber security and there is a wealth of useful information provided in that chapter.

What is your advice to the students aspiring to become cyber
forensic professionals?
Deep technical knowledge, logical thinking and preferably some prior experience are required for entering the field. Honesty, hard work, diligence, discipline, being detailed oriented and habit of documentation ‐ are the absolute essentials when working on a case. Integrity and ethical values when the case stands. Above all, you need a will to prevail and an attitude that you will not give up. I’d like to point attention of aspirants to the toil and hard work that that may get overlooked in the shining light of the glamour and thrill that is often attached to the field forensics!!