The second Global Cyber Security Index (GCI), released by the International Telecommunication Union (ITU), the UN telecommunications agency, places India at 23rd position in its ranking of countries by commitment to cyber security. The rank is among 165 other nations across the world who have committed to cyber security.
The report reveals that only about half of all countries already have a cyber security strategy or are in the process of developing one. It urges countries to engage in cyber security education initiatives and job creation in the sector.
Singapore tops the index with a 0.925 score.
Other countries in the top 10 are United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada.
The report says that 38 per cent of these countries have a published cyber security strategy while 12 per cent of governments are in the process of developing one.
The threat is serious: according to the ITU, about one per cent of all emails sent in 2016 were malicious attacks, the highest rate in recent years.
The findings show that there is “space for further improvement in cooperation” at all levels. The report further urges governments to adopt national policies that take cyber security into account and to encourage private citizens to make smart decisions online.
The Indian government has taken a few steps to bring the attacks under control. Under PM Narendra Modi’s tenure, the central government established the office of Chief Information Officer of the Cyber Security Cell under the PM’s office. Dr Gulshan Rai is the first to hold the post.
CERT-In, the national computer emergency response team, is set up under the Ministry of Electronics and Information Technology for dealing with a range of cyber-attacks.
Apart from this, the Government of India has four Sectoral Computer Emergency Response Teams to address Cyber Security Threats in Power Systems: Transmission, Thermal, Hydro and Distribution.
All four utilities have been asked to identify a nodal senior executive as Chief Information Security Officer (CISO) to lead the process of strengthening organizational systems with respect to cyber security and to implement an information security management system as recommended by rules under the Information Technology (IT) Act 2008.
Organizations face many threats to their information systems and data. Understanding all the basic elements to cyber security is the first step to meeting those threats.
Cyber security is the practice of ensuring the integrity, confidentiality and availability (ICA) of information. It represents the ability to defend against and recover from accidents like hard drive failures or power outages, and from attacks by adversaries. The latter includes everyone from script kiddies to hackers and criminal groups capable of executing advanced persistent threats (APTs), and they pose serious threats to the enterprise. Business continuity and disaster recovery planning are every bit as critical to cyber security as application and network security.
Security should be top of mind across the enterprise, and come with a mandate from senior management. The fragility of the information world we now live in also demands strong cyber security controls. Management should see that all systems are built to certain security standards and that employees are properly trained. All code, for example, has bugs, and some of those bugs are security flaws. Developers are only human, after all.
The human is always the weakest element in any cyber security program. Training developers to code securely, training operations staff to prioritize a strong security posture, training end users to spot phishing emails and social engineering attacks — cyber security begins with awareness.
All companies will experience some kind of cyber attack, even if strong controls are in place. An attacker will always exploit the weakest link, and many attacks are easily preventable by performing basic security tasks, sometimes referred to as “cyber hygiene.” A surgeon would never enter an operating room without washing their hands first. Likewise, an enterprise has a duty to perform the basic elements of cyber security care such as maintaining strong authentication practices and not storing sensitive data where it is openly accessible.
A good cyber security strategy needs to go beyond these basics, though. Sophisticated hackers can circumvent most defenses, and the attack surface — the number of ways or “vectors” an attacker can gain entry to a system — is expanding for most companies. For example, the information and the physical world are merging, and criminals and nation-state spies now threaten the ICA of cyber-physical systems such as cars, power plants, medical devices, even your IoT fridge. Similarly, the trends toward cloud computing, bring your own device (BYOD) policies in the workplace, and the burgeoning internet of things (IoT) create new challenges. Defending these systems has never been more important.
Further complicating cyber security is the regulatory climate around consumer privacy. Compliance with stringent regulatory frameworks like the European Union’s General Data Protection Regulation (GDPR) also demands new kinds of roles to ensure that organizations meet the privacy and security mandates of the GDPR and other regulations.
As a result, growing demand for cyber security professionals has hiring managers struggling to fill positions with qualified candidates. That struggle requires organizations to have a sharp focus on areas of greatest risk.
Types of cyber security
The scope of cyber security is broad. The core areas are described below, and any good cyber security strategy should take them all into account.
Critical infrastructure includes the cyber-physical systems that society relies on, including the electricity grid, water purification, traffic lights and hospitals. Plugging a power plant into the internet, for example, makes it vulnerable to cyber attacks. The solution for organizations responsible for critical infrastructure is to perform due diligence to understand the vulnerabilities and protect against them. Everyone else should evaluate how an attack on critical infrastructure they depend on might affect them and then develop a contingency plan.
Network security guards against unauthorized intrusion as well as malicious insiders. Ensuring network security often requires trade-offs. For example, access controls such as extra logins might be necessary, but slow down productivity.
Tools used to monitor network security generate a lot of data — so much that valid alerts are often missed. To help better manage network security monitoring, security teams are increasingly using machine learning to flag abnormal traffic and alert to threats in real time.
The enterprise’s move into the cloud creates new security challenges. For example, 2017 has seen almost weekly data breaches from poorly configured cloud instances. Cloud providers are creating new security tools to help enterprise users better secure their data, but the bottom line remains: Moving to the cloud is not a panacea for performing due diligence when it comes to cyber security.
Application security (AppSec), especially web application security, has become the weakest technical point of attack, but few organizations adequately mitigate all the OWASP Top Ten web vulnerabilities. AppSec begins with secure coding practices, and should be augmented by fuzzing and penetration testing.
Rapid application development and deployment to the cloud has seen the advent of DevOps as a new discipline. DevOps teams typically prioritize business needs over security, a focus that will likely change given the proliferation of threats.
Internet of things (IoT) security
IoT refers to a wide variety of critical and non-critical cyber-physical systems, like appliances, sensors, printers and security cameras. IoT devices frequently ship in an insecure state and offer little to no security patching, posing threats not only to their users but also to others on the internet, as these devices often find themselves part of a botnet. This poses unique security challenges for both home users and society.
Types of cyber security threats
Common cyber threats fall under three general categories:
Attacks on confidentiality: Stealing, or rather copying, a target’s personal information is how many cyber attacks begin, including garden-variety criminal attacks like credit card fraud, identity theft, or stealing bitcoin wallets. Nation-state spies make confidentiality attacks a major portion of their work, seeking to acquire confidential information for political, military, or economic gain.
Attacks on integrity: Also known by its common name, sabotage, integrity attacks seek to corrupt, damage, or destroy information or systems, and the people who rely on them. Integrity attacks can be subtle — a typo here, a bit fiddled there — or a slash and burn campaign of sabotage against a target. Perpetrators can range from script kiddies to nation-state attackers.
Attacks on availability: Preventing a target from accessing their data is most frequently seen today in the form of ransomware and denial-of-service attacks. Ransomware encrypts a target’s data and demands a ransom to decrypt it. A denial-of-service attack, typically in the form of a distributed denial-of-service (DDoS) attack, floods a network resource with requests, making it unavailable.
The following describes the means by which these attacks are carried out.
Attackers aren’t going to hack a computer if they can hack a human instead. Socially engineered malware, often used to deliver ransomware, is the No. 1 method of attack (not a buffer overflow, misconfiguration, or advanced exploit). An end-user is tricked into running a Trojan horse program, often from a website they trust and visit often. Ongoing user education is the best countermeasure against this attack.
Sometimes the best way to steal someone’s password is to trick them into revealing it. This accounts for the spectacular success of phishing. Even smart users, well-trained in security, can fall for a phishing attack. That’s why the best defense is two-factor authentication (2FA) — a stolen password is worthless to an attacker without a second factor, such as a hardware security token or a soft-token authenticator app on the user’s phone.
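To make the second-factor argument concrete, here is an added example (written for this page, not code from the original article): a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation plus a login check that requires both a password and a time-based code. The user record, the salt, the seed `12345678901234567890` (the RFC test-vector secret) and the timestamps are constructed for the demonstration; a real deployment would store the seed encrypted and the salt per user.

```python
# Added example, not from the original article: why a phished password alone does not
# satisfy a two-factor login. HOTP/TOTP per RFC 4226 / RFC 6238 (HMAC-SHA1, 6 digits).
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, at_time // step, digits)


PBKDF2_ROUNDS = 100_000


def _make_user(password: str, seed: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the shared TOTP seed."""
    salt = b"constructed-demo-salt"  # assumption: per-user random salt in real systems
    return {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "salt": salt,
        "totp_seed": seed,
    }


# Constructed user store; the seed is the RFC 4226/6238 test-vector secret.
USERS = {"alice": _make_user("correct horse battery staple", b"12345678901234567890")}


def verify_login(username: str, password: str, code: str,
                 now: Optional[int] = None, window: int = 1, step: int = 30) -> bool:
    """Both factors must pass; `window` tolerates +/- that many time steps of clock drift.
    Comparisons use hmac.compare_digest so neither factor leaks timing information."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    now = int(time.time()) if now is None else now
    code_ok = False
    for drift in range(-window, window + 1):
        expected = totp(user["totp_seed"], now + drift * step, step)
        # |= rather than early return: every slot is checked, no short-circuit on the OTP
        code_ok |= hmac.compare_digest(expected, code)
    # A correct phished password with a wrong/missing code still fails here.
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: counter 1
    print("code at t=59:", totp(b"12345678901234567890", t))
    print("password + code:", verify_login("alice", "correct horse battery staple", totp(b"12345678901234567890", t), now=t))
    print("password only  :", verify_login("alice", "correct horse battery staple", "000000", now=t))
```

The drift window should stay small (one step each way is typical), and production code should additionally reject a code that has already been accepted within the same time step so a captured OTP cannot be replayed.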
It’s hard to blame your enterprise if an attacker deploys a zero-day exploit against you, but failure to patch looks a lot like failure to perform due diligence. If months and years pass after disclosure of a vulnerability, and your enterprise has not applied that security patch, you open yourself to accusations of negligence. Patch, patch, patch.
Social media threats
Catfishing isn’t just for the dating scene. Believable sock puppet accounts can worm their way through your LinkedIn network. If someone who knows 100 of your professional contacts strikes up a conversation about your work, are you going to think it strange? Loose lips sink ships. Expect social media espionage, of both the industrial and nation-state variety.
Advanced persistent threats
Speaking of nation-state adversaries, your enterprise has them. Don’t be surprised if multiple APTs are playing hide-and-go-seek on your corporate network. If you’re doing anything remotely interesting to someone, anywhere, you need to consider your security posture against sophisticated APTs. Nowhere is this more true than in the technology space, an industry rich with valuable intellectual property many criminals and nations will not scruple to steal.
Executing a strong cyber security strategy requires you have the right people in place. The demand for professional cyber security folk has never been higher, from the C-suite down to the security engineers working on the front lines. Security leaders have elbowed their way into the C-suite and boardrooms, as protecting company data becomes mission critical for organizations. A chief security officer (CSO) or chief information security officer (CISO) is now a core management position that any serious organization must have.
Roles have also grown more specialized. The days of the generalist security analyst are fading fast. Today a penetration tester might focus on application security, or network security, or phishing users to test security awareness. Incident response may see you on call 24/7. The following roles are the foundation of any security team.
The CISO is a C-level management executive who oversees the operations of an organization’s IT security department and related staff. The CISO directs and manages strategy, operations, and the budget to protect an organization’s information assets.
The security analyst, also referred to as cyber security analyst, data security analyst, information systems security analyst, or IT security analyst, typically has these responsibilities:
- Plan, implement and upgrade security measures and controls
- Protect digital files and information systems against unauthorized access, modification or destruction
- Maintain data and monitor security access
- Conduct internal and external security audits
- Manage network, intrusion detection and prevention systems
- Analyze security breaches to determine their root cause
- Define, implement and maintain corporate security policies
- Coordinate security plans with outside vendors
A good information security architect straddles the business and technical worlds. While the details vary by industry, the role is that of a senior-level employee responsible for planning, analyzing, designing, configuring, testing, implementing, maintaining, and supporting an organization’s computer and network security infrastructure. This requires knowing the business and having a comprehensive awareness of its technology and information needs.
The security engineer is on the front line of protecting a company’s assets from threats. The job requires strong technical, organizational and communication skills. IT security engineer is a relatively new job title. Its focus is on quality control within the IT infrastructure. This includes designing, building, and defending scalable, secure, and robust systems; working on operational data center systems and networks; helping the organization understand advanced cyber threats; and helping to create strategies to protect those networks.
The biggest story of 2016 is undoubtedly the alarming rise of cyber crime. A look at global IT industries explains that we’re facing a lack of efficient professionals. According to the Cyber Security Ventures ‘Cyber Security Jobs Report’, there were 1 million cyber security job openings in 2016. The number is expected to grow to 1.5 million by 2019.
Against this backdrop, India’s cyber security industry is no exception. A quick glance at some of the most notable security breaches in the country shows:
1) Cyber criminals breached the country’s largest government site – the Indian Railways Catering and Tourism Corporation (IRCTC) website, stealing around 10 million records from the server of the e-ticketing portal.
2) A cyber criminal by the name ‘Faisal’ allegedly breached the website of Canara Bank, defacing it by inserting a malicious page and blocking some of its payment services.
3) Fraudsters broke into the email account of Binny Bansal, CEO of Flipkart, sending two emails to the Chief Financial Officer (CFO) demanding a sum of $80,000.
A further look at similar incidents shows that the majority of these attacks happened in the e-commerce and banking sectors. The reason is the high value of personally identifiable information (PII) in these industries.
According to ‘M-Trends 2016, Asia-Pacific Edition’ by Mandiant Consulting, Indian organizations are more susceptible to data breaches. Experts blame poor investment in high-end security solutions. This should serve as a caution to organizations both large and small.
In the wake of this, the Indian government has started to invest money in recruiting cyber security experts. Partnerships with top international security firms have also been registered. The recent Memorandum of Understanding (MoU) between the national cyber security agencies of India and the U.K. is a step in that direction. The exchange of technical information on cyber attacks, security incidents and solutions will benefit both countries in fighting cyber crime together.
Civilization has always been concerned with protection, whether in primitive times or in the sophisticated present age. Whether it is human life, property or business, our thoughts revolve around safeguarding it.
With the advancement of technology, we are becoming more engaged with the internet, and as a result data security is becoming more critical worldwide. Information security is a well-known consideration globally. We regularly face attacks, fraud, security breaches, confidentiality issues, information misuse, piracy, sniffing and leakage of data across the domain.
During my last visit to Bangladesh (14th to 18th March, 2016), the Bangladesh Bank fraudulent activities came to my notice. Bangladesh got into the news for all the wrong reasons. The situation forced the banks to take corrective actions in line with cyber security. We thought of spreading awareness on the domain in Bangladesh through our initiative “Infocon”.
Following the Bangladesh Bank attack, mandates came to all banks to cover information security and cyber security risks and threats in order to secure public money and confidential/critical information.
Cyber security governance and risk assessment are to be enforced across all employees of the organization. There should be preparation for assessment of technological difficulties and for emergency management procedures. This may be achieved through third-party assessment and security skill development for all employees.
Information security should be continuously monitored through security operations centres on a 24×7 basis.
PCI DSS compliance is to be adopted, with two-factor authentication systems for chip-and-PIN based cards. Logs should be collected, retained and correlated for all critical assets so that proactive measures can be taken.
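The log correlation called for above is what a SIEM rule does; the following is an added example (written for this page, not code from the original post) of one such rule: it parses collected authentication events and raises an alert when a source address produces several failed logins for an account and then a successful one within a short window, the classic pattern of a password-guessing attempt that eventually worked. The log format, host names, user names and addresses are constructed for the demonstration.

```python
# Added example, not from the original post: a minimal SIEM-style correlation rule
# over constructed authentication log lines (key=value format is an assumption).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: four failures then a success from 203.0.113.7 within 15 s,
# and a single failure followed 40 minutes later by a success from 198.51.100.5.
SAMPLE_LOG = """\
2016-04-16T09:00:01 host=core-bank-01 event=auth_fail user=admin src=203.0.113.7
2016-04-16T09:00:04 host=core-bank-01 event=auth_fail user=admin src=203.0.113.7
2016-04-16T09:00:09 host=core-bank-01 event=auth_fail user=admin src=203.0.113.7
2016-04-16T09:00:12 host=core-bank-01 event=auth_fail user=admin src=203.0.113.7
2016-04-16T09:00:15 host=core-bank-01 event=auth_ok   user=admin src=203.0.113.7
2016-04-16T09:05:00 host=swift-gw-02  event=auth_fail user=ops   src=198.51.100.5
2016-04-16T09:45:00 host=swift-gw-02  event=auth_ok   user=ops   src=198.51.100.5
this line is garbage and must be skipped, not crash the collector
"""

LINE_RE = re.compile(
    r"^(\S+)\s+host=(\S+)\s+event=(\S+)\s+user=(\S+)\s+src=(\S+)$"
)


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, event, user, src = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event": event,
            "user": user,
            "src": src,
        })
    return events


def correlate(events: list, min_failures: int = 3,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when >= min_failures auth_fail events for (src, user) precede an auth_ok
    within `window`. Events are processed in time order regardless of input order."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["user"])
        if e["event"] == "auth_fail":
            failures[key].append(e["ts"])
        elif e["event"] == "auth_ok":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "rule": "brute-force-then-success",
                    "src": e["src"],
                    "user": e["user"],
                    "host": e["host"],
                    "failures": len(recent),
                    "at": e["ts"].isoformat(),
                })
            failures[key].clear()  # a success resets the counter for that pair
    return alerts


def run_sample() -> list:
    """Convenience wrapper so the constructed sample can be checked by name."""
    return correlate(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Threshold and window are the knobs a SOC tunes: too low and helpdesk-level typos page the analyst, too high and a slow, patient guessing campaign slips under the rule. Correlating across all critical assets, as the text recommends, is what lets the same rule catch the source that spreads its attempts over several hosts.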
Besides these, there is a need for the ISO 27001:2013, ISO 20000:2011 and ISO 9001:2015 standards, and for a risk assessment framework based on the de facto industry standards: NIST controls, FISMA law/compliance and the COBIT framework.
People are looking at protecting against malware, ransomware, APTs, etc.
In effect, various providers and OEMs have positioned their products and solutions to potential clients in the financial sector. But different products and solutions in the same domain have created a lot of confusion and dilemma in the customer’s mind before reaching a conclusion. Before narrating the “Infocom Bangladesh 2016” event, I will try to explain some of the burning topics in security which are critical not only for Bangladesh, but across the globe.
Nowadays threats are multifold. Every day we are discovering new lines of threats. Ransomware is one of the latest in the bucket. Ransomware is turning out to be one of the most virulent and potentially heart-breaking malware infections to become a victim of. If you are unfortunate enough to accidentally download this type of malicious code — whether through phishing attacks or illegitimate downloads and compromised websites — the malware locks your screen, encrypts your files and attempts to extort a fee before giving you the cryptographic key required to get your files back. There are many strains of ransomware including CryptoWall, CryptoLocker, CoinVault and Bitcryptor. This malware is nasty enough, however the prediction is that new generations will increase in sophistication — including stealth tactics, the silent encryption of data — on both systems and backups — and potentially the use of kernel components to encrypt files on the fly.
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing and the financial industry. An APT attacker often uses spear phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.
The next step is to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.
PCI DSS stands for Payment Card Industry Data Security Standard.
PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
There are three ongoing steps for adhering to the PCI DSS:
- Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.
- Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
PCI Data Security Standard – High Level Overview
| Goal | Requirement |
|---|---|
| Build and Maintain a Secure Network and Systems | Install and maintain a firewall configuration to protect cardholder data |
| | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Protect stored cardholder data |
| | Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program (VAPT) | Protect all systems against malware and regularly update anti-virus software or programs |
| | Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Restrict access to cardholder data by business need to know |
| | Identify and authenticate access to system components |
| | Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Track and monitor all access to network resources and cardholder data |
| | Regularly test security systems and processes |
| Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel |
Sometimes, in order to comply with PCI DSS, some components are essential to implement as part of remediation:
- Web Application Firewall (WAF),
- Web Content Filtering,
- Endpoint Security,
- HIPS (Host Based Intrusion Prevention),
- Security Information and Event Management (SIEM),
- Vulnerability Assessment and Penetration Testing Tools (VAPT),
- Data Leakage Protection (DLP),
- File Integrity Monitoring,
- End point Encryption,
- Privilege User monitoring,
- Identity Management (IDM) etc.
ISMS stands for Information Security Management System, and the latest standard is ISO 27001:2013. It is essential to protect company data, not only to protect the future of your systems, but also to protect the customer information that has been entrusted to you. This requires a holistic approach covering price, IT security, physical security and staff policy and procedures. ISO 27001 is the formal standard against which organizations seek independent certification of their Information Security Management Systems.
ISO 27001 helps to protect against:
- Customer Information leakage
- Virus & hacker attacks
- Incompatible software conflicts
- Failure to back up systems
- Loss or theft of unencrypted backups
- Internal security breaches
- Loss of information resulting from staff turnover
- System downtime
ISMS ideal coverage should include:
- ISMS Scope Definitions
- ISO 27001 “Gap” Analysis Assessments
- Performing an assessment of your existing ISMS
- Information Security Policy and Procedure Development
- Information Security Risk Assessments
- ISMS Manual Development
- ISO 27001 ISMS Implementation Support
- Security Improvement Plans
- Incident Management Plans
- ISMS & Internal Audits
- Management Reviews
- Pre-certification Audits and support
- Post Certification Audits Corrective Action Support
- ISMS Trainings for Management & Employee
- Integration of ISMS with COBIT, COSO, ITIL/ISO 20000, etc.
Vulnerability assessments and penetration testing (pen tests for short) are processes for identifying threats and vulnerabilities in the IT landscape using tools that can benefit any information security program; both are integral components of a vulnerability management process.
A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
Vulnerability assessments follow these general steps:
- Catalog assets and resources in a system
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.
Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. Also, there are two primary types of pen tests: “white box”, which uses vulnerability assessment and other pre-disclosed information, and “black box”, which is performed with very little knowledge of the target systems and it is left to the tester to perform their own reconnaissance.
Penetration testing follows these general steps:
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
With the increasing use of social media, mobile apps, cloud, big data and IoT (more precisely SMAC: Social, Mobility, Analytics and Cloud), we are approaching a danger zone. You may have heard of the Jeep Cherokee incident, in which hackers could take control of a connected car, with potentially fatal consequences.
Prime Infoserv LLP, being a domain expert in the category, wanted to spread awareness of information security, and “Infocon Bangladesh 2016” was born. The idea was to empower enterprises with the knowledge to perform proper due diligence and to understand what is actually needed to address their concerns.
The event took place on 16-04-2016 (Saturday) with an audience from major banks. Speakers took sessions on various aspects of cyber security and risk. The knowledge sharing was OEM-agnostic in order to spread awareness, so that attendees could make decisions free of OEM or system integrator influence. The sessions were fully interactive, with Q&A, discussion of areas of concern and, of course, encouragement in the form of surprise gifts.
The event kicked off with lunch, followed by discussions on the burning topics mentioned above.
The attendees were awarded a Trend Micro-endorsed certificate.
More details of the event can be found at the links below:
Infocon is not just an event but a process to build an ecosystem around the topic. We intend to create forums where domain experts and attendees can exchange thoughts even after the events. There will be follow-up awareness sessions. There are serious plans to publish a book covering pain points and resolutions to spread awareness.
This retrospection will bring back our smiles, giving us peace and fulfilment through wisdom.
We will have a follow-up event in Bangladesh. Upcoming events are being planned in Kolkata, Bhutan, London, Africa and Mauritius.
Stay tuned for our upcoming initiatives under the brand “Infocon”.