In emerging economies like India, where the government is undertaking large-scale digital initiatives and schemes, security has become a major concern. Cyber experts believe that the damage done by the WannaCry ransomware in India is significantly under-reported.
The use of pirated and outdated software is rampant among Indian users as well as mid-size and small IT organizations. Fearing licensing issues, a large number of the affected organizations will never report their losses, concludes expert opinion on the latest cyber attack.
On the Centre's instruction, CERT-In (the Indian Computer Emergency Response Team) has collected "all the information of reported ransomware" into a report. Many of the cases across the country were isolated, but the wave of attacks shows that the impact on India is certainly a warning signal.
The report states these places as worst hit by WannaCry:
1. 10% of the computers in the District Administration Collectorate Office, Vadodara.
2. Computers in Panchayat offices of Wayanad and Pathanamthitta districts in Kerala.
3. 120 computers connected with Gujarat State Wide Area Network in Gujarat.
4. 18 systems of Andhra Pradesh Police Department.
5. Systems in the Tirumala Tirupati Devasthanams (TTD) Shrine in Andhra Pradesh.
6. Computers of the Personnel Department of the Southern Railways’ Palakkad Division.
7. Computers in several locations of the Police Department of Maharashtra.
8. Many attacks happened in computers across Kerala and Tamil Nadu.
With global market trends shifting towards complete digitization, the nature of corporate asset value has also been changing. For most companies, value now lies largely in intellectual property (IP) or other intangibles. As with AI, digital disruption in the finance sector brings with it the risk that comes with digitizing corporate assets.
According to recent research, corporations across the world lose billions of dollars every year through altered or destroyed financial and consumer data, trading algorithms and the like. Add regulatory and legal exposure, and the risk only multiplies.
Cyber systems are becoming even less secure with the explosion of networked connections to almost every physical asset, from phone cameras to refrigerators, known widely as the "Internet of Things". At the same time, attackers keep refining their tricks, and attacks are launched against commercial entities for political as well as economic purposes.
Surprisingly, cyber attacks are cheap and easily accessible, and law enforcement is weak: fewer than 2% of cybercriminals are prosecuted. The imbalance is worsened because many corporate entities treat cybersecurity as a low priority.
Cloud computing is cost-efficient, but it complicates security. Corporate organizations therefore urgently need to keep their enterprises running without putting their security at risk.
To cope with the above, many associations publish guidelines for their members and clients to follow.
The National Association of Corporate Directors’ Cyber Security Handbook has identified five core principles for corporate boards to enhance their cyber-risk management:
1. Understand that cybersecurity is an enterprise-wide risk management issue. Thinking of cybersecurity as an IT issue to be addressed simply with technical solutions is an inherently flawed strategy. The single biggest vulnerability in cyber systems is people, particularly insiders. Cybersecurity costs are managed most efficiently when integrated into core business decisions such as product launches, M&A and marketing strategies. Moreover, in an integrated world, organizations must take into account the risk created by their vendors, suppliers and customers, since their weaknesses can be exploited to the detriment of the home system.
2. Directors need to understand the legal implications of cyber-risk. The legal situation with respect to cybersecurity is unsettled and quickly evolving. There is no single standard that applies, especially for organizations that do business in multiple jurisdictions. It is critical that organizations systematically track the evolving laws and regulations in their markets.
3. Boards need adequate access to cybersecurity expertise. Although cybersecurity issues are becoming as central to business decisions as legal and financial considerations, most boards lack the expertise needed to evaluate cyber-risk. Many boards are now recruiting cyber professionals for board seats to assist in analysing and judging staff reports. At a minimum, boards should regularly make adequate time for cybersecurity at board meetings as part of the audit or similar committee reports.
4. Directors need to set an expectation that management has an enterprise-wide cyber-risk management framework in place. At a base level, each organization ought to have an enterprise-wide cyber-risk team led by a senior official with cross-departmental authority that meets regularly, has a separate budget, creates an organization-wide plan and exercises it.
5. Based on the plan, management needs a method to assess the damage of a cyber-event. They need to identify which risks can be avoided, mitigated, accepted or transferred through insurance. This means they need to identify which data, and how much of it, the organization is willing to lose or have compromised. Risk mitigation budgets then need to be allocated appropriately between defending against basic and advanced risks.
Any organization that wants to establish a sustainably secure cyber-risk management system should follow these principles.
How much information security is enough security?
Infocon is an initiative by Prime Infoserv, Kolkata, and Wordsmith has been a collaborator in the initiative. Any contemporary CXO who is not concerned with the theme, and confusion, called Information Security is either non-existent or will soon be facing a bankruptcy judge.
Billions are lost by private and public institutions worldwide through loopholes in securing information. Information is literally money. If you are a financial institution and your customer database is compromised, the fallout can range from seriously embarrassing to catastrophic.
The Problem of Mr. K, a CIO of the castle called Kolkata
Mr. K is the CIO of a large healthcare company in Kolkata. He spent 60% of his life without the internet, and now that his career is at its mature peak he finds that he must reckon with information security. His CEO has instructed him to "do something". What should he do?
In an enterprise, any "doing" needs management time, money and attention (follow-up). More importantly, no vendor appears to be able to answer the questions: "How much information security is good security?" and "How much should I spend, assuming the solutions are correct?"
Mr. K found, to his great confusion, that he was not able to get these "figures".
On an autumn morning in Kolkata, post-Durga Puja last year, Sushobhan (CEO of Prime) and I met Mr. K in his East Calcutta office, overlooking the wetlands of Calcutta that appear to merge with the Sunderbans. Mr. K narrated his predicament, above all the question "How much money and resource should I ask my top management to approve?" for implementing the selected solution. The problem with the solution lay in its very nature: the solution is directly connected to the threat, whether real, perceived, imagined or enmeshed in the business interest of the information security vendor.
The Mathematical Model
In other words, we need an analytic framework backed by a cold, austere and objective mathematical perspective, rather than paranoia, vendor interest, disaster porn, technical jargon, and hardware and software vendors with their exotic offerings lined up like the priests of some esoteric cult.
There is a mathematical model, the Gordon-Loeb model, that does exactly that. It works with probabilities (the likelihood that a threat succeeds), loss estimates and distributions to produce a mathematically verifiable statement. Its headline result is that an organization should never spend more than about 37% (precisely 1/e) of the expected loss from a breach on preventing it.
After the coffee, Sushobhan and I told Mr. K that he should spend no more than 37% of the amount X, where X is calculated by
X = Cost * Maximum probable vulnerability * Impact Constant * Quantified Risk
Mr. K was delighted. He was now at least dealing with arithmetic, not anxiety-metrics.
In due course we did find X for his organization, using a four-step method that is basically a combination of police work and detective work. In the first step we did a vulnerability analysis and logged all known risks; in the second we assigned a metric to each of those risks in consultation with the company; in the third we calculated the probabilities of those events; in the final step we tabulated the impact and then estimated X.
Since then we have worked in this area with clients in India, Bangladesh and the UK, and everywhere we found one common aspect: lack of awareness. That is how the idea of Infocon was born.
Infocon 2016 is happening on 18th November: a platform for sharing our confusion, triumphs, fears and best practices, and for pointing our torches in the same direction to cut a path through the literal jungle of information, which has not only exotic fruits, flowers and scenes but also ferocious enemies.
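As an added worked example (not part of the original article, and not Prime's own spreadsheet), the four-step estimate and the 37% rule in Python. The three-entry risk register is constructed for illustration, with made-up probabilities and impacts. It uses the standard form of the Gordon-Loeb model, in which X is the annual expected loss and the bound is X/e, the 37% figure quoted above; the breach-probability function with its alpha and beta parameters is the model's "class I" form, and those parameter values are also assumptions.

```python
"""Gordon-Loeb style sizing of an information-security budget.

Added illustration, not code from the original article. The risk register
is constructed; probabilities and impacts are invented for the example.
"""
import math

# Steps 1 and 2: risks logged in the vulnerability analysis, with a metric
# agreed with the company. probability = chance of the event in one year,
# impact = loss (in currency units) if it happens. Constructed data.
RISK_REGISTER = [
    {"risk": "ransomware on file servers",       "probability": 0.30, "impact": 4_000_000},
    {"risk": "patient-record database breach",   "probability": 0.10, "impact": 25_000_000},
    {"risk": "phished finance credentials",      "probability": 0.20, "impact": 1_500_000},
]


def expected_loss(register):
    """Steps 3 and 4: tabulate probability * impact and sum it to get X."""
    return sum(r["probability"] * r["impact"] for r in register)


def gordon_loeb_cap(x):
    """Gordon-Loeb upper bound on the optimal spend: X / e, about 36.8% of X."""
    return x / math.e


def breach_probability(z, v, alpha, beta=1.0):
    """Class I breach function from Gordon & Loeb (2002):
    S(z, v) = v / (alpha*z + 1)**beta, where z is the spend, v the breach
    probability with zero spend, and alpha/beta how productive the spend is."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, alpha, beta=1.0):
    """Expected net benefit of investing z: loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta=1.0):
    """Closed-form maximiser of enbis() for the class I function.
    Setting d/dz to zero: alpha*beta*v*loss / (alpha*z + 1)**(beta+1) = 1
      =>  z* = ((alpha*beta*v*loss)**(1/(beta+1)) - 1) / alpha, floored at 0."""
    z = ((alpha * beta * v * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, z)


def within_gordon_loeb_bound(proposed_spend, x):
    """The check Mr. K needed: a vendor quote above X/e cannot be optimal."""
    return proposed_spend <= gordon_loeb_cap(x)


if __name__ == "__main__":
    x = expected_loss(RISK_REGISTER)
    print(f"annual expected loss X : {x:,.0f}")
    print(f"Gordon-Loeb cap (X / e) : {gordon_loeb_cap(x):,.0f}")
    # Aggregate view: v = 0.5 and loss = 8,000,000 give the same X = v * loss.
    # alpha = 1e-6 is an assumed productivity of spend (constructed value).
    z_star = optimal_investment(v=0.5, loss=8_000_000, alpha=1e-6)
    print(f"optimal spend z*        : {z_star:,.0f}  (net benefit "
          f"{enbis(z_star, 0.5, 8_000_000, 1e-6):,.0f})")
    print("quote of 2,000,000 within bound?", within_gordon_loeb_bound(2_000_000, x))
```

The cap is the number Mr. K can take to management; the closed-form z* shows that with a realistic breach function the optimum usually sits well below the cap, so the 37% figure is a ceiling, not a target.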
Civilization has always been interested in protection, whether in primitive times or in the sophisticated present. Human life, property or business: our thoughts revolve around safeguarding them.
With the advancement of technology we are becoming more engaged with the internet, and as a result data security is becoming more critical worldwide. Information security is a well-known consideration globally. We regularly face attacks, frauds, security breaches, confidentiality issues, information misuse, piracy, sniffing and leakage of data across every domain.
During my last visit to Bangladesh (14th to 18th March 2016), the Bangladesh Bank fraud came to my notice. Bangladesh got into the news for all the wrong reasons. The situation forced the banks to take corrective action on cyber security. We thought of spreading awareness in Bangladesh through our initiative "Infocon".
In the wake of the Bangladesh Bank attack, mandates went out to all banks to cover information security and cyber security risks and threats, in order to secure public money and confidential or critical information.
Cyber security governance and risk assessment are to be enforced across all employees of the organization. There should be preparation for the assessment of technological weaknesses and for emergency management procedures. This may be achieved through third-party assessment and security skill development for all employees.
Information security should be continuously monitored through Security Operations Centres on a 24×7 basis.
PCI DSS compliance is to be adopted, with two-factor authentication for chip-and-PIN based cards. Logs should be collected, retained and correlated for all critical assets so that proactive measures can be taken.
Besides these, there is a need for the ISO 27001:2013, ISO 20000:2011 and ISO 9001:2015 standards, and for a risk assessment framework based on the de facto industry standard NIST controls, FISMA law/compliance and the COBIT framework.
People are looking at protecting against malware, ransomware, APTs, etc.
As a result, various providers and OEMs positioned their products and solutions to potential clients in the financial sector. But competing products in the same domain created a lot of confusion and dilemma in customers' minds before they could reach a conclusion. Before narrating the "Infocon Bangladesh 2016" event, I will try to explain some of the burning topics in security, which are critical not only for Bangladesh but across the globe.
Nowadays threats are manifold, and every day we discover new lines of threat. Ransomware is one of the latest in the bucket, and is turning out to be one of the most virulent and potentially heart-breaking malware infections to fall victim to. If you are unfortunate enough to download this type of malicious code, whether through a phishing attack, an illegitimate download or a compromised website, the malware locks your screen, encrypts your files and attempts to extort a fee before handing over the cryptographic key required to get your files back. There are many strains of ransomware, including CryptoWall, CryptoLocker, CoinVault and Bitcryptor. This malware is nasty enough already, but the prediction is that new generations will grow in sophistication, including stealth tactics, the silent encryption of data on both systems and backups, and potentially the use of kernel components to encrypt files on the fly. Because newer strains reach for any backup the infected host can write to, the practical defence is an offline or otherwise write-protected backup, verified by actually restoring from it.
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing and the financial industry. An APT attacker often uses spear phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.
The next step is to gather valid user credentials (especially administrative ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a "ghost infrastructure" for distributing malware that remains hidden in plain sight.
PCI DSS stands for Payment Card Industry Data Security Standard.
PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
There are three ongoing steps for adhering to the PCI DSS:
- Assess: identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analysing them for vulnerabilities that could expose cardholder data.
- Remediate: fixing vulnerabilities and not storing cardholder data unless you need it.
- Report: compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and the card brands you do business with.
PCI Data Security Standard – High Level Overview

Build and Maintain a Secure Network and Systems:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data:
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program (VAPT):
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures:
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks:
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy:
- Maintain a policy that addresses information security for all personnel
Sometimes, in order to comply with PCI DSS, some components are essential to implement as part of remediation:
- Web Application Firewall (WAF),
- Web Content Filtering,
- Endpoint Security,
- HIPS (Host-Based Intrusion Prevention),
- Security Information and Event Management (SIEM),
- Vulnerability Assessment and Penetration Testing tools (VAPT),
- Data Leakage Protection (DLP),
- File Integrity Monitoring,
- Endpoint Encryption,
- Privileged User Monitoring,
- Identity Management (IDM), etc.
ISMS stands for Information Security Management System, and the latest standard is ISO 27001:2013. It is essential to protect company data, not only to protect the future of your systems but also to protect the customer information that has been entrusted to you. This requires a holistic approach covering people, IT security, physical security, and staff policies and procedures. ISO 27001 is the formal standard against which organizations seek independent certification of their Information Security Management Systems.
ISO 27001 helps to protect against
- Customer information leakage
- Virus and hacker attacks
- Incompatible software conflicts
- Failure to back up systems
- Loss or theft of unencrypted backups
- Internal security breaches
- Loss of information resulting from staff turnover
- System downtime

ISMS: ideal coverage should include:
- ISMS Scope Definitions
- ISO 27001 "Gap" Analysis Assessments
- Performing an assessment of your existing ISMS
- Information Security Policy and Procedure Development
- Information Security Risk Assessments
- ISMS Manual Development
- ISO 27001 ISMS Implementation Support
- Security Improvement Plans
- Incident Management Plans
- ISMS & Internal Audits
- Management Reviews
- Pre-certification Audits and support
- Post Certification Audits Corrective Action Support
- ISMS Training for Management and Employees
- Integration of ISMS with COBIT, COSO, ITIL/ISO 20000 etc
Vulnerability assessments and penetration testing (pen tests for short) are processes for identifying threats and vulnerabilities in the IT landscape using valuable tools; they can benefit any information security program, and both are integral components of a risk management process.
A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required either to eliminate those weaknesses or to reduce them to an acceptable level of risk.
Vulnerability Assessments Follow These General Steps
- Catalog assets and resources in a system
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
A penetration test simulates the actions of an external and/or internal attacker who aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.
Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. There are two primary types of pen test: "white box", which uses the vulnerability assessment and other pre-disclosed information, and "black box", which is performed with very little knowledge of the target systems, leaving the tester to perform their own reconnaissance.
Penetration Testing Follows These General Steps
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
With the increasing use of social and mobile apps, cloud, big data and IoT (more precisely SMAC: Social, Mobility, Analytics and Cloud), we are approaching a danger zone. You may have heard of the Jeep Cherokee incident, in which researchers showed that hackers could take remote control of a connected car, with potentially fatal consequences.
Prime Infoserv LLP, being a domain expert in the field, wanted to spread awareness of information security, and "Infocon Bangladesh 2016" was born. The idea was to empower enterprises with the wisdom and knowledge to do proper diligence and to understand what they actually need in order to address their concerns.
The event took place on 16-04-2016 (Saturday) with an audience from the major banks. Speakers took sessions on various aspects of cyber security and risk. The knowledge sharing was OEM-agnostic in order to spread awareness, so that people can make decisions without OEM or system integrator influence. The sessions were fully interactive, with Q&A, discussion of areas of concern and, of course, encouragement with surprise gifts.
The event kicked off with lunch, followed by discussions on the burning topics mentioned above.
The attendees were awarded a Trend Micro endorsed certificate.
More details of the event can be found at the links below:
Infocon is not just an event, but a process for building an ecosystem around the topic. We intend to create forums where domain experts and attendees can exchange thoughts even after the events. There will be follow-up awareness sessions, and serious thought is being given to publishing a book covering pain points and resolutions to spread awareness.
This retrospection will bring our smile back, with the peace and fulfilment that come with wisdom.
We will have a follow-up event in Bangladesh. Upcoming events are being planned in Kolkata, Bhutan, London, Africa and Mauritius.
Stay tuned for our upcoming initiatives under the brand "Infocon".