Presenting security trends from RSA Conference 2017, which underline the need to rethink ways to protect the digital economy of organization and nations
No one forgets a breach.
In October 2016, in what was touted as the 'biggest ever breach of financial data in India', as many as 3.2 million debit cards were compromised. Of the breached cards, at least 2.6 million were on the Visa and MasterCard platforms while 600,000 were on the RuPay platform. State Bank of India (SBI), India's largest bank, with over 13,000 branches, was worst hit. The bank blocked and re-issued around six lakh (600,000) debit cards to customers.
The report of the breach also indicated that a malware-related security breach had taken place in a non-SBI ATM network. On 7 February 2017, Hitachi Payment Services confirmed that the malware had originated in the ATM network.
In a press statement, the company said: “We confirm that our security systems had a breach during mid-2016. As soon as the breach was discovered, we followed due process and immediately informed the Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), banks and card schemes to ensure the safety of their customers’ sensitive data.”
That due process is also laid down in an order released by the Ministry of Electronics and Information Technology and CERT-In on January 4, 2017, which stated: “Service providers, intermediaries and body corporate shall report the cyber security incidents to CERT-In within a reasonable time of occurrence or noticing the incident to have scope for timely action. The type of security incidents shall be mandatorily reported to CERT-In as early as possible to leave scope for action.”
Even before this infamous breach, the Reserve Bank of India (RBI) had in June 2016 issued a directive mandating that banks report any cyber security incident within two to six hours. RBI had also warned lenders that any delay in reporting and flagging loan frauds could result in banks and bankers being charged with abetting a criminal offence.
In October 2016, following the directive, Axis Bank was one of the few banks that filed a preliminary report about a breach with the RBI. But despite the mandatory requirement, RBI said in a 2016 statement that “banks have been ‘hesitant’ to share incidents of cyber attacks.”
Other countries have started taking concrete steps towards cyber security.
In the United States, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches involving personally identifiable information. In August 2016, European authorities approved the EU General Data Protection Regulation, which mandates that companies operating in Europe report cyber breaches to national authorities within 72 hours.
According to the 2016 Cost of Data Breach Study, sponsored by IBM and independently conducted by Ponemon Institute LLC, the total cost of data breaches has increased 29% since 2013, while the average cost of a data breach was USD 4 million.
In the 2017 Union Budget, finance minister Arun Jaitley announced plans by the Indian government to enhance India's digital footprint. The government's mission is to achieve a target of 2,500 crore digital transactions in 2017-18 through UPI, USSD, Aadhar Pay, IMPS and debit cards.
The regulations imposed by the RBI and the government mandate incident reporting by organizations and government bodies, and they may well bring more transparency into the system. But will they be enough to curb the rising number of incidents, such as cyber warfare, intellectual property crimes, ransomware and IoT-related attacks? Will they be enough to safeguard the government's 'Digital India' vision?
Cloud security shakeup
Cloud officially went mainstream in India a few years ago. According to research firm Gartner, the public cloud services market in India is projected to grow 38% in 2017. The highest growth will continue to be driven by infrastructure as a service (IaaS), projected to grow at 49.2%, followed by software as a service (SaaS) at 33% and platform as a service (PaaS) at 32.1%.
Gartner says that the growth of SaaS and PaaS indicates that the migration of applications and workloads from on-premises data centres to the cloud, as well as the development of cloud-ready and cloud-native applications, is fuelling growth in the cloud space.
Clearly, the industry mindset has shifted from a server-based to a service-based approach, which is transforming the way organizations and governments think about, design and deliver computing technology and applications. And yet, security remains the biggest concern for CISOs and their organizations. This may be because data breaches are becoming ever bigger and more common; case in point, the SBI breach or the more recent disclosure by Yahoo!. At RSAC 2017, the Cloud Security Alliance (CSA) listed 12 critical issues in cloud security that it says will serve as an up-to-date guide to help cloud users and providers make informed decisions about risk mitigation within a cloud strategy:
1. Data Breaches: The risk of a data breach is not unique to cloud computing, but it consistently ranks as a top concern for cloud customers
2. Weak Identity, Credential and Access Management: Organizations planning to federate identity with a cloud provider need to understand the security around the cloud provider’s identity solution, including processes, infrastructure, segmentation between customers, and how it is implemented by the cloud provider
3. Insecure APIs: From authentication and access control to encryption and activity monitoring, API interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy
4. System and Application Vulnerabilities: With the advent of multitenancy in cloud computing, systems from various organizations are placed in close proximity to each other and given access to shared memory and resources, creating a new attack surface
5. Account Hijacking: Organizations should look to prohibit the sharing of account credentials among users and services, and leverage strong two-factor authentication techniques where possible
6. Malicious Insiders: The “insider threat” does not always involve malicious actors. Insiders might not necessarily be malicious but are “just trying to get their job done”
7. Advanced Persistent Threats (APTs): Combating complex APTs may require more advanced security controls, process management, incident response plans and IT staff training, all of which can lead to increased security budgets
8. Data Loss: Cloud consumers should review the contracted data loss provisions, ask about the redundancy of a provider’s solution, and understand which entity is responsible for data loss
9. Insufficient Due Diligence: An organization that rushes to adopt cloud technologies and choose CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks
10. Abuse and Nefarious Use of Cloud Services: Malicious use of cloud service resources can reduce the capacity available to legitimate customers hosted by cloud service providers
11. Denial of Service: DoS attacks take advantage of vulnerabilities in web servers, databases or other cloud resources
12. Shared Technology Vulnerabilities: A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud
You may not remember the ransomware-like virus written in 1986 by two Pakistani brothers, which infected IBM PCs running unlicensed copies of medical software they had created. Once it had infected a machine, the virus displayed a copyright notice with the brothers' names and contact details, from whom a cure could be obtained.
Except that it wasn't ransomware at all, but an attempt to protect their software from piracy.
Twenty years later, the corporate world came face to face with ransomware at a time when it was already being confronted by insider threats, DDoS and phishing attacks, malware and SQL injection. Slowly, the reach of ransomware spread across markets and countries.
Cyberspace was no longer safe, and the need to protect it from the unknown adversary became extremely important. Suddenly the insider was no longer the most dangerous or unpredictable threat.
According to a SANS Institute global survey, ransomware and phishing attacks are causing the financial industry the most harm. Of those able to quantify their losses, the largest group (32%) reported losses between USD 100,001 and USD 500,000.
In India, the National Crime Records Bureau (NCRB) registered a total of 11,592 cybercrime cases in 2015, a 20% rise in reported incidents from 2014 to 2015. Similar data for 2016 is still being collected. The RBI has also registered a total of 8,689 cases of fraud involving credit cards, ATM/debit cards and internet banking during the year 2017 (up to December 2016).
Interestingly, the number of reported incidents in India has increased over the last few years, but so has the number of cyber security incidents observed.
In India, a total of 50,362 cyber security incidents were observed during 2016, compared with 49,455 in 2015. The types of incidents, the Minister of State for Electronics and IT, P P Chaudhary, said in a written reply to the Lok Sabha, included phishing, scanning/probing, website intrusions and defacements, virus/malicious code and denial of service attacks.
India, at 16.9%, was among the five countries most at risk of exposure to cyber attacks, a group that also included China and Pakistan. India also ranked fourth globally among the countries most affected by ransomware.
A diagnostic centre in Delhi was recently the victim of a ransomware attack in which cyber criminals gained unauthorised access to its servers and encrypted the data.
The diagnostic centre then received anonymous emails from the attackers demanding a ransom of USD 1,300 in bitcoins.
As the data indicates, these attacks are no longer rare, and they are no longer restricted to financial institutions.
The insecurity in IoT
The Internet of Things created a lot of buzz at RSAC 2017 as a new threat vector. The Dyn DDoS attack last year, in which the Mirai botnet leveraged insecure IoT devices to cause widespread internet outages, showed why: its impact ranged from the services of websites such as Twitter and Reddit to Liberia, an African country with a population of just 4.5 million.
A global survey of IT and cybersecurity professionals conducted by the Information Systems Audit and Control Association (ISACA) indicates that the growth of connected devices is outpacing organizations' ability to manage the devices and safeguard their data and systems. According to the survey, 73% of respondents don’t think current industry security standards sufficiently address the Internet of Things and believe that updates and/or new standards are needed. Privacy is also an issue: 84% believe that IoT device makers don’t make consumers sufficiently aware of the type of information the devices can collect.
ISACA recommends ways for organizations to make sure they safely embrace IoT devices in the workplace:
- Ensure all workplace devices owned by the organization are updated regularly with security upgrades
- Require all devices to connect wirelessly through the workplace guest network rather than the internal network
- Provide cyber security training for all employees so that they can demonstrate awareness of cyber security best practices and the different types of cyberattacks
Best Practices for Manufacturers of IoT Devices
Additionally, ISACA suggests best practices for manufacturers of IoT devices:
- All developers who build software must hold appropriate performance-based cyber security certification, to ensure safe coding practices are being followed
- Insist all social media sharing be opt-in
- Encrypt all sensitive information, especially when connecting to Bluetooth-enabled devices
- Build IoT devices that can be automatically updated with new security upgrades
According to NASSCOM, the apex IT industry body, industrial applications of the Internet of Things (IoT), primarily in verticals such as manufacturing, automotive, and transportation and logistics, are expected to drive IoT revenues in India by 2020.
At RSAC 2017, Michael Assante, Technical Director for the US National team and Director of Critical Infrastructure & ICS at the SANS Institute, highlighted the attacks in 2015 and 2016 that caused power outages in Ukraine. “These attacks were successful in hijacking automation systems to cause outages, followed by a series of well-sequenced and damaging payloads unleashed on workstations, servers, and embedded devices. The attacks left their targets with little confidence in relying on their remaining automation, forcing them to operate in a degraded manual state,” said Assante.
According to the SANS 2016 State of ICS Security Survey, the stakes are nothing less than existential in the context of the Industrial IoT, whether we consider reputations, finances or human lives. A little under 37% of organizations have a security strategy that addresses the convergence of enterprise IT and operations. For the rest, SANS recommends steps for starting to treat IIoT insecurity as a real threat:
- Policies defining how the organization will manage through this ongoing evolution of the threat landscape, established by senior leaders and backed with their full support, are required to fulfil organizational responsibilities to stakeholders at all levels
- Prompt and sustained action is needed to protect lives and livelihoods alike
- Organizations built on the dependency and reliability of their control systems must recognize the rising level of risk and focus resources on addressing the serious threats to their continued operations
The role of the CISO
According to PwC's Global Information Security Survey 2017, today’s CISO or CSO should be a senior business manager who has expertise not only in cybersecurity but also risk management, corporate governance and overall business objectives.
He/she should have access to key executives to provide insight into business risks and should be able to competently articulate risk-based cybersecurity issues to the C-suite and Board. "Put simply, the cybersecurity leader should have the ability to effect change on par with C-level executives," the report said.
The findings also show that in larger organizations, the information security function is more often organized under the CIO. PwC recommends that CISOs and CSOs be independent of CIOs to allow for internal checks and balances, as well as the ability to escalate security issues to corporate leadership and the Board. PwC also notes that a CISO or CSO may be empowered with all the necessary skills and authority but will still be unable to do the job without an adequate budget.
Speakers at the RSA Conference 2017 also urged that CISOs report to the CEO and the board instead of the CIO. John Pescatore, Director at SANS Institute and former Gartner fellow, said, “CISOs must communicate with or report to their boards and CEOs on the 'state of security' of the organization on a regular basis and must get their support to change to increase security and introduce training programs.” “All these things also help them convince CEOs and boards to back a CISO's security strategies to drive change,” said Pescatore.