@entitworld
@enterpriseitworld
@enterpriseitworld
R S 1 9 9 | PA G E S 3 6 | V O LU M E 0 1 | I S S U E 0 3
A Special Supplement on Cyber Security
A JOURNAL ON INTERNET SECURITY 17 FEBRUARY 2019
BY
& FOR THE CIOs. BY THE CIOs.
Infoquest is a journal of Internet Security and mouthpiece of Infosec Foundation. Infosec Foundation is a multi-disciplinary and multi-user based initiative for increasing awareness and sharing best practices
3
CONTENTS R S 1 9 9 | PA G E S 3 6 | V O LU M E 0 1 | I S S U E 0 3
FEB 2019
12
04
06
08
10
The Need for Standardization in Digital Services Delivery
Emerging Cyber Security Challenges – New Threat Landscape
14
17
18
20
22
24
30
32
The Genesis and the genetic of Infoquest
Emerging Cyber Security Challenges – New Threat Landscape
27
Threat Hunting Need of the hour!
The CISO Insomniac VS Human firewall
New Magna Carta for the Data Age
26
Cyber Security And The 80-20 Principle
Cyber Awareness
Online banking frauds in India
28
Prevent Enterprise Data Breaches Through Data Loss Prevention (DLP) Program
ISO/IEC 27018 Safeguarding Personal Information in the Cloud
How to develop Secured Applications
Cyber Bullying– Todays epidemic
Cyber Mitro
Cyber Security And The 80-20 Principle
BY
4
&
FOR THE CIOs. BY THE CIOs.
THE GENESIS AND THE GENETIC OF INFOQUEST AUTHOR’S BIO
Sushobhan Mukherjee has 20 years of experience in IT consulting, process and corporate relationship. A cyber security practitioner and design architect since his stint with all major telecom /IT operators like Tata, Airtel, Sify in India. For last eight years, he has been an entrepreneur and institution builder. He is the Co-founder and CEO of Prime Infoserv LLP, one of the leading Technology Integrator and Infosec consulting ecosystem in India working with Indian and global brands. Besides he is the chairman for Infosec Foundation, a non-profit initiative to cyber awareness across the globe. He took the message and mission of Infosec Foundation in India, Bangladesh, Africa and UK. He is committed to the cause of Information security and will continue this campaign of defense, offense and pro-active and preemptive protection with your co-operation and support.
SUSHOBHAN MUKHERJEE,
CHAIRMAN, INFOSEC FOUNDATION & CEO OF PRIME INFOSERV LLP
I
t is wonderful to see Infoquest continuing its journey since 2016. In line with the vision of Infosec Foundation, Infoquest’s focus was to generate massawareness about Information Security and to bring inter-disciplinary sharing of minds and best practices, which we not only felt to be a necessity but also a market-gap. In the era of Digital Transformation, everything is moving towards digital and India is not left behind. Of 34% of Indian population, i.e. total 460 million, there
BY
&
5
FOR THE CIOs. BY THE CIOs.
are 250million Facebook users, 200million WhatsApp users. People spend time on internet for around 8hours a day and out of this time, 2 hours is spent on social media. Hence we like or don’t, we want or not, we can’t escape this digital storm. Shopping, Health care, Banking facilities gradually coming home instead of ourselves going there and in effect entire user behaviour and experience pattern are creating a new paradigm. Since the entire disruption is linked to connectivity, more precisely Internet, cyber security has become a burning topic for all of us. As per information reported to and tracked by Indian Computer Emergency Response Team (CERT-In), a total of 22,207 Indian websites including 114 government websites were hacked during April 2017 to January 2018. A total number of 493 affected websites were used for malware propagation. Even after so many precautionary measures and spending at government level, if this is the scenario, then you can imagine the situation for private enterprise, SME and surely individual like us. Yes, none of us are secured in any corner of the world. So what should we do? Should we keep on cribbing, keep on blaming government, law enforcement, policy makers? Or leave everything on our luck. In this context, Infosec Foundation started working three years back. We thought of doing something ourselves instead of passing the buck to others. We thought of creating a platform where all the different stakeholders related to cyber security can meet, collaborate, exchange thoughts and in effect have better wisdom to take wiser decisions. The concept originated from Kolkata, the city of joy and gathered momentum in globally. As a result, we have chapters in all metros in India now and along with Enterprise IT World we are organizing this CISO Symposium to have cross border collaboration and knowledge sharing and exchange of best practices in cyber security.
The mission is driven for the common people like you and Infoquest is playing the role of a mouthpiece and a print-media way to reach readers and interested institutions on pan-India basis. Thanks to our partner Enterprise IT world, we hope that we shall continue to reach readers in pan-India basis and will venture further in the globe. From 2016 till date, we have conducted International Summits, Seminars, Workshops, Trainings in Cyber Security space to spread awareness globally. As a part of this endeavor, a Four City CISO event was concluded last year in Bangalore, Delhi, Mumbai and Kolkata along with the international Infosec Summit in Kolkata. In line with the same, we are stepping ahead to conduct Security Symposiums in Three international Cities – Dhaka-Dubai and Colombo for the confluence of Global CISO’s to brainstorm on the future and impending challenges to conclusively emerge as Cyber Security Game Changer across the Globe. We are taking many initiatives so far like awareness campaigns through mass media, training/workshops/seminars for youth and elderly people through local police stations/clubs. Our team was instrumental in interlocking with all different stakeholders (like law enforcement agencies, government, Banking & NBFC, Healthcare, Telecom, Energy & Utilities, Manufacturers, Providers, users) and had many initiatives to breach the GAP between demand and supply. We have already have five chapters in five global citties and started influencing cross pollinations of cyber knowledge and wisdom. Cyber Helpline and Cyber Friend Mobile App are on it’s way to kick-off. With the support from government and connections through academia we are all set to rise and build next generations of cyber army. Stay tuned with our regular activities, join end, engage and ride the thrilling journey towards your digital future.
BY
6
&
FOR THE CIOs. BY THE CIOs.
THE CISO INSOMNIAC VS HUMAN FIREWALL AUTHOR’S BIO
B M Zahid ul Haque is an information security & risk management practitioner and technologies expert with around 17 years of experience in country & abroad. He worked in several senior roles in different sectors. Haque is member of various national and international security expert groups and committees on cyber-security, keynote speaker at several conferences and author on Risk Management and Cyber Security. He is also an International trainer of Cyber Security and honorary proctor of Mile2 USA. Haque is the Head of Information Security (/CISO) of BRAC Bank Limited and Overall Responsible of Information Security and cyber security initiatives. He is having multiple professional designations (include CISSO, CISM, LCSM, CBE, CPEH, LCSM, CLFE, PMP, CIHE, LPM, LITGM, LA 9001, LA ISO 27001, LA 30301, LI ISO 37001, COBIT 5, CPISI, Security+ etc.), vendor certifications (e.g. OCP, MCTS, LRPA, LRSA, CCT etc.), others Certifications (e.g. ITIL, CPM, CNE, CBM, CSAD, CSE, CO2L, CPPM) and MSc in Computer Engineering. He is a member of ISACA, CTO Forum, OWASP, CROB, ISSA and Infosec foundation. He has been awarded several times include National award for Cyber Security initiative.
B M ZAHID UL HAQUE
HEAD OF INFORMATION SECURITY (CISO) BRAC BANK LIMITED
A
s the role of technology increases, business risks due to underlying and unidentified system vulnerabilities also increases. Existence of these risks within the business ecosystem when exploited could lead to severe financial, regulatory and brand impacts. This makes implementation of adequate cyber security controls mandatory. It is no longer a matter of if there will eventually be a security breach, it’s a matter of when, and how to identify, response and how much damage can be reduced.
BY
&
7
FOR THE CIOs. BY THE CIOs.
BIBLIOGRAPHY
The National Cyber Security Centre (NCSC) website (https://www.ncsc.gov.uk) Stephen Barnes, Author: two types of companies (www.dynamicbusiness.com.au)
Cybersecurity is now one of the most important topics on the agendas of management and boards. Almost every days, there are new stories about cyber incident or data breaches. So have you developed your cyber security road map? Where did you start? Cyber-attacks are relatively inexpensive to mount yet highly profitable, which means it’s likely these attacks will only increase in frequency and reach. The Board through a cyber-security strategy ensure that management is fully engaged in making the organization’s systems as resilient as economically feasible in the face of this onslaught. For organizations that recognize this, comprehensive cyber security plans are already in place. Skilled teams regularly tweak company systems to respond to the latest threats, and staffs are aware about how to identify and respond to anything from phishing emails to password laziness. Digital transformation is happening around with or without our actions. The most successful CISOs will drive this transformation from a proactive point of view instead of reacting to internal and external voices. Within your own organization, it is important to think about your level of cyber security maturity and preparedness with regard especially to major security components; like,
DATA CLASSIFICATION Organization should have a data classification policy. Though that you shall identify the data that need to be protected, Data value, categorizing and of course who should access what.
SECURITY CONTROL IMPLEMENTATION Organization may adopt multiple standard security controls/ frameworks; like Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53), ISO 27001, SANS Critical Security Controls, PCI-DSS, COBIT. Control shall be combination of people, process and technology.
REGULAR ASSESSMENT AND VERIFICATION OF SECURITY CONTROLS You can do it internally and also verify it by external party as 3rd eye. Continuous Vulnerability & threat management should be in place. Periodic Vulnerability Assessment are not enough anymore.
INCIDENT PREPAREDNESS PLANNING
AND TESTING Be prepared for any cyber incident. Document it and simulate periodically.
RISK MANAGEMENT “There are only two types of companies: Those that have been hacked and those that will be hacked. And even they are converging into one category: companies that have been hacked and will be hacked again.” Robert S. Mueller, Director FBI made this famous quote but almost by the time he made the quote it was out of date – it should be ‘There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.’ Even with robust security processes in place, organizations can suffer a breach. The organization can evaluate the overall effectiveness of its cybersecurity process and decide whether to mitigate, minimize, accept that risk or transfer that risk through a cyber-risk management policy. The National Cyber Security Centre (NCSC) have identified a range of questions which will help generate the right discussions between board members and their CISOs and increase awareness of key topics in cyber security. As a CISO should be able to answerHow do we defend our organization against phishing attacks? How does our organization control the use of privileged IT accounts? How do we ensure that our software and devices are up to date? How do we make sure our partners and suppliers protect the information we share with them? What authentication methods are used to control access to systems and data? No matter how good or strong your technology defenses are – next-gen firewalls, anti-Malware software, Privilege Access Management, Anti APT, DLP, SIEM, intrusion protection systems, or how robust your internal controls and processes are people remain the weakest link. It is analogous to driving a car – there are road rules, line markings, warning signs – or policies and procedures – and yet people still ignore them or disregard them. There is no security patch for user mistake or lack of awareness. User should be human firewall!
BY
8
&
FOR THE CIOs. BY THE CIOs.
CYBER AWARENESS
T
ANIL CHIPLUNKAR
LEAD AUDITOR ISO27001 (IRCA ACCREDITED), CERTIFIED FRAUD EXAMINER (CFE), CERTIFIED INFORMATION SECURITY MANAGER (CISM), CERTIFIED FORENSIC ACCOUNTING PROFESSIONAL (CFAP), CERTIFIED ANTI-MONEY LAUNDERING EXPERT (CAME), ASSOCIATE OF BUSINESS RESILIENCY CERTIFICATE CONSORTIUM INTERNATIONAL (ABRCCI)
he cyber space or cyber world is typically any the collaboration of all devices connected to internet. The internet provided many benefits to corporates, industries, governments, schools as well as individuals. However, it enabled malicious users to perform their activities using internet from anywhere in the cyber world and try to remain hidden. Today we all use internet services in some or the other forms including email, on-line applications, games on computers and mobiles, social media sites like Facebook, Twitter, and Instagram etc. and for many such functions. This necessitates use of internet in a secured, sensible, and safest possible way to avoid the risks posed by malicious users / applications present out there in the cyber space. Mobiles phones are also part of the cyber space as all these smart devices interact with internet all the time for running various utilities and games. The applications like google map allows the service provider to know mobile phones location including the path the person is taking to reach the destination. The games on mobile phones do ask for accessing multiple utilities like SMS, Address Book, Camera, WiFi etc. but all of the games may not really require these accesses. There is a possibility of a malware being installed by disguising as a game and can misuse these permissions. The popularity of mobile phones provided much wider attack surface that can be targeted by the malicious users. The users of computers and related tools are comparatively more aware about the cyber risks but the mobile phones being used practically by everyone including little children who do not have even a hint of the kind of cyber threats / risks. Theft or misplacing the mobile phones pose various security risks such as the information stored on these devices can be misused by the person getting hold of these devices. As stated by KnowBe4, “today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% target instead users through Social Engineering”
RISKS Following is an indicative list of various risks which are posed via internet / because of interconnection of multiple devices to the cyber space i.e. internet. l Phishing / Spamming / Vishing / Executive Targeting – Sending unsolicited emails to a large audience and try to steal information or block the email server access by overloading the server by number of emails. Similar to emails, SMS or indiscriminate voice calls can also be used for carrying out the malicious activities. Advanced techniques in phishing are used to target specific individuals and this technique is called spear phishing or executive
BY
&
9
FOR THE CIOs. BY THE CIOs.
AUTHOR’S BIO
Anil has 33+ years of experience in Information Systems and has been working in information security space for last 20+ years. Successfully managed and delivered consulting projects for implementing Information Security Management System (ISMS), Business Continuity Management System (BCMS), Governance and Compliance reviews for several clients. Was involved in formulating Security Strategies, Governance framework, Policies & Procedures; Information Security Audits and IS Risk Assessment as well as improved information security architecture covering information technology, physical and environmental security, logical access controls, security in information systems development process, etc. Performed digital fraud investigations and advisory services to various organizations from verticals like BFSI, IT/ITES, Manufacturing and Pharmaceuticals etc. for fraud risk management. Worked across Asia Pacific, Middle East Countries: India, Nepal, Sri Lanka, Hong Kong, Singapore, Japan, Korea, Taiwan, Indonesia, Malaysia, Philippines, Thailand, Saudi Arabia, Jordan, Oman, Bahrain and Australia.
targeting l Impersonation – In the cyber space, it is comparatively easy to assume somebody’s identity and project different identity by hiding the original identity of the user. This is termed as impersonation and in the cyber world, it becomes challenging to verify the exact identity of a user unless strict controls are implemented. l Social Media Scamming – As the term indicates there can be various types of scams run by the malicious users using social media. The scams can be fake promotional sales, fake lotteries, fake work-from-home schemes, fake recruitment drives etc. l Targeted Malware (Exploits insertion / Bot Harvesters) – These are the applications targeted to harm specific companies’ / government departments / devices to paralyze the operations of the target. • Credentials theft – Malicious links shared via email, SMS, WhatsApp can be used to trick the user in giving away the user’s credentials like user ID, password, PIN number etc. l Physical access (such as tailgating) – This includes following a legitimate user who has access to a restricted area with the aim of gaining unauthorized access to secured areas. l Shoulder surfing – When operating in public places or even cyber cafes, there is a possibility of someone overlooking the user’s shoulder to get information about the user’s credentials. l Dumpster diving – Is a technique used to gain information from the dustbin of the competitor as there are number of organization / departments just throw away old papers, devices without taking due care. l Social engineering – It is a technique used for exploiting the weakness in human psychology or behavior to gain illegitimate access to devices / information. There are people who are called as ‘social engineers’ and these personnel can use their skills in either way like to steal / misuse the data / information or to test the ‘possibility of exploitation’ and advise users / organizations
for suitable preventive measures. This is a very effective technique where the focus is not on technological weaknesses but more on human weaknesses. Prevention – key is “be ALERT” As discussed above, there are many risks present is the cyber space / world and they can be prevented by being alert, taking proactive care and using technical tools. l Protect devices with known / reputed anti-malware application l User strong passwords for application and avoid using same credentials across multiple applications l Do not store user credential on devices including mobile phones l Do not share the credentials with anyone without any specific need l Do not post personal information on social media sites unless necessary or the site is trusted because the information shared over internet is always available on the internet somewhere l Take utmost care while accessing internet in public place as well as while communicating information l Do not join any open forums or reply to messages asking for information / funds without properly verifying the authenticity of the forum / messages l To protect the availability of critical information, take periodic backup of this information l Do not download any applications / games unless verified to be safe (there are various tools available to check the security) and while installing do provide the access to device functions carefully The cyber security can be as strong as the weakest link and in this case the weakest link is ‘human’ (all of us) so it is of utmost important to be a responsible user and follow all the preventive techniques. This will enable a safe cyber working experience.
BE SAFE – SPREAD THE AWARENESS – PROTECT YOURSELF AND THE COMMUNITY FROM THE CYBER RISKS
BY
10
&
FOR THE CIOs. BY THE CIOs.
THE NEED FOR STANDARDIZATION IN DIGITAL SERVICES DELIVERY AUTHOR’S BIO
Dr. Sundeep Oberoi has 35 years of industry, research and entrepreneurial experience in diverse areas of Information and Communication Technology. He has a Ph.D. in Computer Science from I.I.T Bombay, an M.Tech in Computer Science from I.I.T. Delhi and a B.Tech in Chemical Engineering from I.I.T. Kanpur. Currently, Dr. Oberoi is Global Head for Delivery of the Enterprise Security and Risk Management Unit in TCS. In this role is responsible for the delivery of all Managed Security, Professional Services and Operations Support Services in the Security and Risk Management area for all TCS customer engagements globally. Prior to this Dr. Oberoi has been in a variety of roles in the Tata Group and involved in several mission critical projects for the Government of India. Dr. Oberoi is the author of two books and several conference and journal publications, and holds the CISSP credential. He is deputee of Trustee (TCS CEO) on the WEF’s Future of Internet Initiative & currently serving member of the WEF’s GAC-Cybersecurity. He has a wide spectrum of experience in Delivery Management of large and critical programmes, technology development, product development, business development, system integration and management of research laboratories and is currently the chair of ISO / IEC / JTC1/ SC7 – Sub-committee on systems and software engineering.
SUNDEEP OBEROI
T
oday a significant of portion of services are being delivered digitally to consumers. The consumer interaction channels may be via a web application, a mobile app, a mobile POS terminal or an IVR interface or a combination of these, in addition to delivery mechanisms for physical goods. Each service provider uses a different combination of interaction channels with widely differing user interfaces and experiences. These are implemented with various degrees of usability, reliability, security and privacy. Poor implementation results in very high levels of time wasted and possible risk of security breaches leading to financial loss and privacy impact. Since many of these services are essential services such as banking and citizen services delivered by Government departments, there will be significant benefit in standard-
BY
&
11
FOR THE CIOs. BY THE CIOs.
AUTHOR’S BIO
An Information Technology Practitioner with leadership experience in IT Public Policy, Corporate Industry Forums, Information Technology Standards, & Program Implementation. Anupam is a Cheveninig Fellow on Cyber security. Additionally, he has Finance Degree from ICAI & ICWAI, India; IT Security Degree from ISACA, USA & Internet Governance Certification from University of Aarhus, Germany & Next Generation Leaders Program of Internet Society in association with DIPLO Foundation. In the current role of specialist in Corporate Industry Forums & Standards Cell, working on initiatives to align individual growth, business growth and influence market through structured plans & programs across TCS. He is the Co Secretariat & Chair Support for ISO IEC JTC 1 SC7 on Software & Systems Engineering. He is the Co founder of India Internet Foundation , a not for profit organization which is working on setting up community driven, bottom up neutral Internet Exchange points across the country and hosts couple of root server instances, contributing to critical Internet Infrastructure of India. He also serves as Chair of Internet Society Kolkata & A firm believer of the fact if you can dream it, you can do it.
ANUPAM AGRAWAL
izing certain important aspects of this service delivery. This note identifies the following important areas for digital service delivery standardization. The issue of payment systems has been left out of this note since the authors believe that electronic systems are incorporated into digital service delivery in a reasonably modular way and there is a whole regulatory and standardization regime that adequately covers this aspect. • Registration and Identity Proofing Many digital services require registration and of those several require an Identity Proofing process that may involve uploading of electronic copies of documents, submission of hard copies of documents, authentication based upon data already available with the service provider of (like mobile number, personal details like birth date, mother’s maiden name, postal code etc.) or the use of Aadhaar identity authentication. • Recovery of Authentication Credentials Currently the most prevalent method of recovery of authentication credentials is via a “forgot password” functionality which may authenticate the user over and IVR channel or via an SMS based OTP to a
registered mobile number. If authentication is successful a temporary password (or a link that permits an initial login and the creation of a new password) is sent to the registered email-id. In a small number of instances a new credential like a temporary password or new PIN is delivered via post or a courier company. • SLA on Synchronous Channels In many instances the interface for interaction is via an IVR channel. There are deep menus and indeterminate wait times. There may not be a distinction between and emergency type interaction and a routine type interaction. Finally, when a human service agent is connected to the user, there may be a call drop and there is no method to reconnect the call and resume the conversation where is was interrupted. • Issue Redressal Systems Some providers provide a method to log issues either via a web interface, email, a phone interface or by physical post. A few providers may assign an issue/problem/request number and that may allow for limited follow up and tracking.
BY
12
&
FOR THE CIOs. BY THE CIOs.
CYBER SECURITY INCIDENT RESPONSE AND MANAGING RISK AUTHOR’S BIO
Anup leads the Cyber Security - Incident Response business for IBM across Asia Pacific He comes with a rich background of working in the Cyber Security Industry having specialized in the area of Cyber Security -Risk and Compliance . He is also a Subject matter expert in Incident Response. He is currently expanding IBM Resilient business footprint within the region . Anup has also previously worked with emerging technology startups and leading IT companies including Hewlett Packard , Orange Business Services, Wipro and HCL.
I
ANUP KANTI DEB
RESILIENT SEGMENT BUSINESS LEADER – IBM RESILIENT -CYBER RESPONSE IBM SECURITIES (APJ)
ncident Response is an ongoing process, a lifecycle which requires a risk mitigation strategy covering operational, legal and reputational risk .A typical cybersecurity attack can result in a combination of attack across target segments within an organizational network and data that can result in critical infrastructure being exposed lacking security controls to mitigate risks. A good cybersecurity framework is therefore an imperative keeping into consideration how an organization builds its cybersecurity strategy that encompasses an integrated and holistic approach centered around security orchestration, analytics and incident response , It is fundamental for an organization to have critical controls in place across prevention , detection and response environments that can help organizations build resiliency in providing a consistent and predictable recovery experience that can seamlessly respond to IT complexities and interdependencies across all environments. Incident response plan must be designed in a way that can help organization respond quickly and efficiently in the event of a breach involving stakeholders and other lines of business (LOB) including the InfoSec and IT teams .Involving stakeholders across the organization helps in facilitating accountability and transparency with an objective to mitigate and minimize risk , The incident response team should expand beyond responding to security threats but should include management , human resources , legal ,audit and risk management specialist ,general council and public relations. A case in point for example is in the case of insider threat a response
BY
&
13
FOR THE CIOs. BY THE CIOs.
plan mandates involvement of HR to check employee background, responsibilities and credential fundamentally key to minimizing risk .Similarly a response process should include a general council attorney to ensure that any evidence collected maintains its forensic value in the event that the company chooses to take legal action. Target, Yahoo are case studies illustrating the importance involving team early from the legal, compliance and public relations that can address risk. In essence incident response is about managing risk and incident response must be a holistic approach to managing risk which can impact operational, legal as well as Reputation of an organization. Incident response must not be treated as an isolated event and therefore incident simulations, tabletop exercises and reporting is key process to incident response planning enabling teams to test response plans, identify gaps, and refine response processes that defines an incident response preparation. In order to address incidents it is important to ensure that an IR plan include a) Documentation and establishing policies, procedures, and agreements for incident response management b) define communication guidelines key to incident response preparation c) incorporate threat intel feeds for enrichment and better prepare of investigations to identify indicators of compromise ( IOC ) d) conduct operational threat hunting exercises to have a an alert and prepared team security team helping response to be more proactive . Another very pertinent aspect of Incident response is Communication. Communication strategy must encompass both internal and external stakeholders. In order to know what to communicate to whom, an organization should assess the potential impact of the cyber security incident; for example if it concerns to only internal or also external stakeholders. The magnitude of the incident including evidence of data leakage may involve external stakeholders. Depending on impact of the cyber breach, an organizations cyber security incident communication will have different objectives. For example a Privacy data breach would involve notification and adhering to the privacy www.infosecglobal.co.in Page 13 of 50 data breach regulation of the respective country regulations. In today’s context some of the external regulatory guidelines may be complex (ex GDPR) and would need a proper communication strategy in place in order to comply with regulatory obligations. Global, national, and local privacy breach requirements are more complex than ever before and is continually evolving. Privacy and legal teams can spend days working to meet regulatory obligations after an incident .Communication therefore is the key to mitigate any risk both from a reputational and legal standpoint. In a digital age communication is an important strategy to mitigate risk and an extremely critical component to the basic operations of a company and therefore incorporating a
communications strategy that takes into account business, legal and regulatory requirements should be a priority. Containment and Recovery of security incident is an important step for any incident response plan keeping into consideration business continuity demands and disaster recovery solution. This includes prioritizing which assets to rebuild first and ensuring business continuity. Recovery process should include addressing the attackers point of penetration or associated vulnerabilities to be eliminated on priority and systems restored. Here it is important to ensure identified CIRT members or owners to work hand in hand with the Business continuity planning team together to ensure smooth running of business operation. Post containment of a breach, the next phase of an incident response plan is to eliminate the root cause of the breach. An Incident plan eradication program need to be designed to ensure malware be securely removed, systems be hardened, patched and most importantly updates being applied. This is critical given that any trace of malware or security issues if remains in the affected systems the risk will continue existing and liability could increase. Eradication and recovery should be done in a phased approach so that remediation steps are prioritized. Post incident event analysis is a critical component of any incident response plan as it provide an opportunity for the stakeholders to reflect an incident and apply lesson learnt in order to make an incident response place proactive and efficient. It also helps to improve security measures, identify early potential gaps and be more prepared in future. Conclusion and the Future State of Incident Response: Given the explosion in autonomous and other devices connected to the net, access to smart phones even in emerging economies and service providers in transformation, social networks in ferment and organizations digitalization relying on DevOps, we must be prepared to have a matrix for positive possibilities but increasing threat surfaces exposed. This will lead to multi-vector threats being executed on corporate as well as private targets and risk factors will become even more exposed. Therefore the state has to make private citizens aware on cyber safety. As far as enterprises and corporations are concerned they will need to deploy appropriate counter measure incident response technology that can be real time anticipate and proactively respond, subscribing to threat intel feeds and intel sharing across verticals combining the capability to bring in people , process and technology together to response from attackers . This can happen possibly through Artificial Intelligence and Intelligent Orchestration. AI combined with intelligent orchestration will help to drive added capability that will help in shortening the triage and proving expert knowledge at the point of Cyber decision making that can Outsmart, Outpace and Outmaneuver Cyberattacks
BY
14
&
FOR THE CIOs. BY THE CIOs.
EMERGING CYBER SECURITY CHALLENGES – NEW THREAT LANDSCAPE AUTHOR’S BIO
A Graduate Engineer with 32 years industry experience in the domain of Information Technology & Information Security. His past assignments were in Companies like GEC & BHEL. He is an expert in Information System Security Domain With Deep Exposure in Governance, Compliance, Procedures & Strategies. His Knowledge Covers a wide spectrum with a holistic view on people, process and technology, focusing on Information security, data protection , privacy ,incident management and audits. He is certified ISO 27001 Lead Auditor, Ethical Hacker ,CIISA & CISP, an active member of DSCI ,Kolkata Chapter & NASSCOM & Core Committee member of Infosec Foundation]
C
yber Security Challenges have increased manifold & there is paradigm shift in Threat Landscape. In spite of substantial spending on legacy security products, advanced attackers are bypassing these defenses at ease making the life of Security Professional miserable. There’s no single technical answer. Attackers will always exist and innovate and find a way into any organization data no matter how secured is the defense mechanism. Breaches are inevitable. The shift in security outlook needs to change from “keep them out” to “early detection and response before damage is done”.
NEW THREAT LANDSCAPE SUDIPTA BISWAS
VICE PRESIDENT AND CHIEF INFORMATION SECURITY OFFICER, PRIME INFOSERV LLP
Attacks have changed in form, function, and sophistication. The main difference is the new threats (advanced attacks, APTs etc) are actively driven by humans, as opposed to previous generation attacks which were malware based attacks (viruses, Trojans, worms etc) These advanced attacks utilise both malware designed to infect many systems as well as sophisticated, zero-day malware to infect targeted systems. They use multiple attack vectors like Web, email, and application-based attacks. And today’s attacks are aimed at getting valuable data assets—sensitive financial information, intellectual property, authentication credentials,
BY
&
15
FOR THE CIOs. BY THE CIOs.
insider information—and each attack is often a multi-staged effort to invade networks, spread, and ultimately hack the valuable data.
LIMITATIONS OF TRADITIONAL SINGLEVECTOR DEFENSES Most of the Security organizations are looking for malware based attacks instead of human attackers who may use malware as part of their advanced attacks. Hence new generation of threats are able to bypass traditional security defense. • Firewalls: Firewalls allow generic http Web traffic. Next-generation firewalls add layers of policy rules based on users and applications & consolidate traditional protections such as IPS and AV but do not add dynamic protection that can detect threat content or behavior. • IPS: Works on Signatures, packet inspection, DNS analysis. It will not detect anything unusual in a zero-day exploit, especially if the code is heavily disguised or delivered in stages. • Anti-virus and Web malware filtering: Since the malware and the vulnerability it exploits are unknown (zero-day), and the website has a clean reputation, traditional AV and Web filters will let it pass. The volume of vulnerabilities in browser plug-ins like Adobe and the exponential combinations of these browsers with operating systems make it hard for AV vendors to keep up. • Email spam filtering: Spoofed phishing sites use dynamic domains and URLs, so blacklisting lags behind criminal activities. It takes more than 26 hours to shut down the average phishing site. Malicious code can also be carried in laptops, USB devices, or via cloud-based file sharing to infect a machine and spread laterally when it connects into the network. It is common for mobile systems to miss updates to DAT files and patches, so they are vulnerable to both known and unknown exploits. In general, even up-to-date machines can be infected using zero-day exploits and social engineering techniques, especially when the system is off the corporate network. Once in place, malware may replicate itself—with subtle changes to make each instance look unique—and disguise itself to avoid scans. Some will turn off AV scanners, reinstall after a cleaning, or lie dormant for days or weeks. Eventually, the code will pass on login credentials, financial data, and other valuables. Many compromised hosts provide a privileged base so the criminal can explore further or expand his botnet with new targets. Most companies don’t analyse outbound traffic for these malicious transmissions. Those organizations that do monitor outbound transmissions use tools that look for “known” bad actor addresses and regulated data. • Web filtering: Most outbound filtering blocks adult content or timewasting entertainment sites. Many enterprises restrict social networking sites. “There is widespread agreement that advanced attacks are bypassing
our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” – Gartner, Inc., 2012 “
THE FIVE STAGES OF MULTI-VECTOR ATTACKS The new generation of attacks are complex, use multiple attack vectors to maximize the chances of breaking through defenses. Multi-vector attacks are typically delivered via the Web or email. They leverage application or operating system vulnerabilities, exploiting the inability of conventional network-protection mechanisms to provide a full-proof defense. In addition to using multiple vectors, advanced targeted attacks also utilize multiple stages to penetrate a network and then steal valuable information. This makes it far more likely for threats to go undetected. The five stages of the attack life cycle are as follows: System exploitation : The attack attempts to set up the first stage, and exploits the system using casual browsing. It’s often a blended attack delivered across the Web or email with the email containing malicious URLs. Malware executable payloads are downloaded and long-term control established: A single exploit translates into dozens of infections on the same system. With exploitation successful, more malware executables—key loggers, Trojan backdoors, password crackers, and file grabbers—are then downloaded. This means that criminals have now built long-term control mechanisms into the system. Malware calls back : As soon as the malware installs, hackers establish a control point within organizational defenses. Once in place, the malware calls back to criminal servers for further instructions. The malware can also replicate and disguise itself to avoid scans, turn off anti-virus scanners, reinstall missing components after a cleaning, or lie dormant for days or weeks. By using callbacks from within the trusted network, malware communications are allowed through the firewall and will penetrate all the different layers of the network. Data exfiltration : Data acquired from infected servers is transmitted via encrypted files over a commonly allowed protocol, such as FTP or HTTP, to an external compromised server controlled by the criminal. Malware spreads laterally : The hacker now works to move beyond the single system and establish long-term control within the network. The advanced malware looks for mapped drives on infected laptops and desktops, and can then spread laterally and deeper into network file shares. it will map out the network infrastructure, determine key assets, and establish a network foothold on target servers.
HOW THE NEW GENERATION OF THREATS BYPASS TRADITIONAL SECURITY Cybercriminals combine Web, email, and file-based attack vectors in a staged attack, makingW it far more likely for their attacks to go unde-
BY
16
&
tected. Today’s firewalls, IPS, AV, and Web gateways have little chance to stop attackers using zero-day, one-time-use malware, and APT tactics. These blended, multi-stage attacks succeed because traditional security technologies rely on fairly static signature-based or pattern matching technology. Many zero-day and targeted threats penetrate systems by hiding newly minted, polymorphic dropper malware on innocent Web pages and in downloadable files like JPEG pictures and PDF documents. Or they use personalized phishing emails sent to carefully selected victims with a plausible-looking message and malicious attachment targeting a zero-day vulnerability. Or they use social media sites embedding tweets that include a shortened URL masking the malicious destination. Each time a victim visits the URL or opens the attachment, a malware payload installs on the victim’s computer. This malware code often includes exploits for multiple unknown vulnerabilities in the OS, plug-ins, browsers, or applications to ensure it gains a foothold on the system.
NEXT GENERATION THREAT PROTECTION(NGTP) Today’s Corporations, Financial Institutions, Educational Institutes, Government agencies are experiencing unprecedented cyber-attack activity — both in number and severity. In a never-ending game of cat and mouse, the cat currently has the upper hand. And unless your organization is prepared, you may be its next victim. By now it is pretty evident that how serious today’s next-generation threats are and why traditional security defenses are helpless to stop them. Now it’s time to unveil a new category of network security defense ie Next-generation threat protection - What is really needed to combat today’s most sophisticated cyber attacks.
SIGNATURE-LESS DEFENSES Organizations today need to explore a new threat protection model in which their defense-in-depth architecture incorporates a signature-less layer that specifically addresses today’s new breed of cyber attacks. Although traditional security defenses are critical for blocking known cyber-attacks, experience has shown that it’s the unknown cyber-attacks that are most dangerous, and on the rise. And since these zero-day, polymorphic, and APTs are largely unknown and becoming the new norm for successful breaches, the world needs a signature-less solution to stop them.
PROTECTION — NOT JUST DETECTION In earlier days there were intrusion prevention systems (IPS) & intrusion detection systems (IDS). An IDS, by design, can only detect known threats (or unknown threats targeting known vulnerabilities). As time progressed, organizations demanded that their IDS not only detect but also block cyber attacks. Thus, IPS was born. In that vein, the world needs an advanced threat protection platform that not only detects the threat, but blocks it, too, across all potential entry vectors.
MULTI-STAGE PROTECTION ARCHITECTURE In a perfect world, IT would maintain full control of every computing
FOR THE CIOs. BY THE CIOs.
device on the network. Then only worry about cyber attacks originating from outside the network and attempting to penetrate it through the perimeter. Of course, with mobile computing on the rise and IT being compelled to implement bring your own device (BYOD) policies, sometimes cyber attacks are hand-carried right through the office front door. What the world needs is an advanced threat protection solution that not only monitors cyber attacks from the outside in, but the inside out, as well — across all stages as they attempt to communicate out or spread laterally through the network. If you can’t stop threats from entering through the Web, email, or the office front door, then at least stop them from communicating out and spreading further. Highly accurate detection engine www.infosecglobal.co.in Page 18 of 50 As with traditional signature-based defenses, detection accuracy is king. What is required to adequately defend against next-generation threats is an advanced threat protection solution that is highly accurate, with no false positives (good files classified as bad) and no false negatives (bad files classified as good). False positives and false negatives are products of security platforms with poor detection capabilities. False positives are mainly a “nuisance” as they consume valuable security analyst cycles time after false alarms. False negatives, on the other hand, can be dangerous as advanced malware passes right through the network security device completely undetected. Backed by global threat intelligence Every cyber-attack has a “ground zero” — a single host that is the first target on Earth to ever experience a given cyber-attack. What is really needed , is a mechanism for allowing advanced threat protection systems to share intelligence, not only within a single organization, but also among different organizations globally. We may not live in a perfect world. But there is an ideal solution for combating today’s most sophisticated attacks. Defining Next-Generation Threat Protection Next-generation threat protection (NGTP) is a new breed of network security technology specifically designed to identify and defend against today’s new breed of cyber-attacks. Intended to augment — not replace — traditional security systems, NGTP represents a new layer in the defense-in-depth architecture to form a threat-protection fabric that defends against those cyber-attacks that go unnoticed by common signature-based defenses. NGTP platforms customarily ship on high-performance, purposebuilt rackmount appliances. Preferred NGTP vendors offer an integrated platform that inspects email traffic, Web traffic, and files at rest, and shares threat intelligence across those attack vectors. NGTP platforms are unlike any network security offering on the market. NGTP appliances inspect traffic and/or files looking for thousands of suspicious characteristics, including obfuscation techniques like XOR encoding and other disguising behavior. Sessions are replayed in a (safe) virtual execution environment (think virtual machines, but using a custom-built virtualization engine specifically designed for security analysis) to determine whether the suspicious traffic actually contains malware
BY
&
17
FOR THE CIOs. BY THE CIOs.
NEW MAGNA CARTA FOR THE DATA AGE BIBLIOGRAPHY AND FURTHER READING
Data and Goliath, The Hidden Battle to Collect Your Data and Control your world –Bruce Schneier, W.W Norton and Company, First Edition, 2015
PRITAM BHATTACHARYYA IS FOUNDER AND CHIEF OF WORDSMITH COMMUNICATION AND CHIEF COMMUNICATION OFFICER, INFOSEC FOUNDATION
FOUR AGES OF MAN Oswald Spengler, a German philosopher and historian, writing in his magnum opus in the first quarter of the last century, literally translated as Decline of the land where the sun sets (Der Untergang des Abendlandes) compared Civilization as per seasons of the year. A Culture is more like an organism where it grows, reaches its peak, declines and then takes its exit from the world stage. This process touches every sphere of human endeavour – politics, science, arts, economic life, freedom, liberty, world-view, mathematics, moral and every sphere stands a witness of the age where the Culture is. In this analysis, we are currently in Information age, preceded in order of dominant tone – Hunting, Agriculture, Industrial and now Information age. In the Age of Hunting, physical force was the guiding force of survival and growth. In agricultural age, it was knowledge and information about basis weather and seasonal data and manual labour, in industrial age, it is land, labour, organization of labour and capital and in this age, the Fourth Age of Man – Data and Information are dominant. In an age which we call mediavel and depending heavily on land and its produce, i.e agriculture, a remarkable document emerged in England, called Magna Carta. Magna Carta Libertatum (Medieval Latin for “the Great Charter of the Liberties”), commonly called Magna Carta (also Magna Charta; “Great Charter”),[a] is a charter of rights agreed to by King John of England at Runnymede, near Windsor, on 15 June 1215. This was for the first time in history, we find a documented charter that grants rights rather than favours someone with something as a part of a contract which the dominant party (king) can change at his pleasure. It was not perfect but pioneer in the history of Power – of the ruler and the ruled, of the individual and the more-powerful collective – king with his council of Ministers, Lords, Barons and such oligarchs.
The purpose of this essay is to argue that in this Information age, we need to revisit this age and learn from it. We need to have a new Magna Carta for the Data age. The core of the argument is this: Information age is not about technological wizardry alone – in its subterranean channels flow the same lust of power as it flows in the veins of powerful and ambitious men who need to be always checked to ensure our liberty.
OUR AGE: THE INFORMATION AGE Data is the exhaust and the propellant of the Information age. Government and Corporation are involved in a mutual feed back system in terms of access to data and also to make money out of it. l Privacy is directly related to liberty. A man living in a house with 4 walls made of glass has no liberty. l The mathematics of encryption is of the “Platonic world of perfection” but in the actual implementation in this imperfect world, the Platonic world loses its perfections and hence all security systems are vulnerable - this is a metaphysical wisdom. l We may be more intimate to our emails (and vice versa) than people we live with and those who have access to our data know this. This is a danger. l Countries (technically called state actors) quite often use non- state actors and proxies to wage “war” or “strategic strikes” and this has created a market of its own. Economic wisdom is that as long as there is an incentive, there will be activities. l When we sign-up with mega corporations - the agreement is written unilaterally in a legalese that is beyond the understanding of almost all people. This is more like a medieval serf harvesting his Lord’s fields. Here, users are the serfs producing data and the owners sell the harvest as well as reserves the right to change the contract anyway they wish. This is dangerous when more and more people are being networked. l l
CONCLUSION Modern Science – father of the technological age where we live was a rebel and was born after a great conflict with the world-view of the Christian church, in the Western Europe, three hundred years after Magna Carta. It was evident that when Man was free to enquire about the Heavens above will sooner or later enquire and critically as how and under what logical foundations we are governed. That age is at its nadir now – when we talk of “Data Science” where an extremely dangerous doctrine where free enquiry is replaced by “models” that is solely driven on data-fit and no one is questioning on the underlying phenomena. However, in the political sphere, things are different. Even though the spirit of free enquiry in science is all but gone, political memory is relatively burning better. Within a decade of the rise of mega corporations who are the custodians of our data, thinking men find a strange parallel that such an unbridled power might be lethal to our liberty as citizens, users and customers. A new Magna Carta – a call for a new Magna Carta is a bright sign. When modern science is failing to teach us to be deeply critical or is a coy hand-maiden to technology and its controllers, global customers and users and citizens are feeling that their liberties are not safe. History has taught us that a healthy suspicion about any concentrated power always help the flame of liberty glow brighter. An age, which Spengler would have surely classified as “Winter for a Culture”, this sentiment is a sentinel of hope, not ordinary optimism or so called positivity but Hope when one who hopes and the age where one lives are far apart.
BY
18
&
FOR THE CIOs. BY THE CIOs.
ONLINE BANKING FRAUDS IN INDIA AUTHOR’S BIO
Tathagata Datta is a Cyber Risk Analyst, having 20+ years of industry experience in the domain of IT Infrastructure and Cyber Security. Specialist in process consulting, cyber incident handling and digital forensic analysis. He is an empaneled Information Security Lead Auditor at BSI and had been a Subject Matter Expert at International Council of E-Commerce Consultant (ICECC). He is a member of Data Security Council of India (DSCI), Core committee member of InfoSec Foundation. He is a consultant practitioner of IT Act, Cyber Law and Social Media Law. He is also associated with print media as a crime reporter and also an executive member of International Human Rights and Anti-Crime Organisation.
HOW TO RECOVER LOST MONEY UNDER INFORMATION TECHNOLOGY ACT, 2000?
TATHAGATA DATTA
MCA, MTM, CEH, CHFI, ISO 27001:2013 LA/LE, CCSK, CLOUD SECURITY AUDITOR (CSA STAR)
The cyber space is increasingly used by organized criminal groups to target credit cards, bank account and other financial instruments for fraudulent transactions. Online fraud is considered to be third amongst economic crimes prevalent in India according to Global Economic Crime Survey 2011, conducted by Price House Water House Cooper, which reveals the propensity of such crimes in India. The major forms of cyber fraud include online auctions, internet access services, work at home plans, payment methods using debit/credit card, phishing etc. Nabbing a cyber fraudster who might have committed the offence sitting at a distant location possibly on a foreign shore will be difficult for a common person. What are the legal recourses that can be taken to recover the lost amount? But what happens when the bank or other intermediaries like telecom companies fails to provide adequate security measures to protect the customer from illegal and fraudulent transfers? What happens when there is a lapse on the part of the banks and other intermediaries during such fraudulent transaction?Banking frauds methods Most of the online banking frauds are conducted either through phishing, stealing of banking information or through cloning of credit/debit cards. In phishing, a fraudster will send
BY
&
19
FOR THE CIOs. BY THE CIOs.
an email pretending to be sent from the bank to the victim asking for their personal details including banking information like PIN code or banking user name and password on some pretext or the other. Once the person reveals such crucial information, the fraudster may withdraw or transfer the money from the account of the victim. In most cases, due to lack of awareness, people fall into the traps of such fraudster and loses huge sums of amount. A selected study of banking frauds revealed that the fraudsters mostly apply the following tactics to defraud innocent people: l Stealing of the original credit/debit cards and using the cards at shopping merchants (POS purchases) l Cloning/duplication of credit/debit card l Phishing scams where the information has been revealed by the customer himself l Leakage of PIN/credit card/debit card numbers by the handlers of such information/payment gateways/banks (voluntary or involuntary like hacking, physical intrusion, data breach) l Usage of stolen/duplicate/cloned mobile SIM card to receive one time password (OTP) of mobile/net banking and transaction made using such information
RESPONSIBILITIES AND LIABILITIES OF BANK Generally, intermediaries are not liable for the offence committed by the users or third parties using their network or system. However, they might be liable for non-compliance of due diligence requirements under the law. (Please read the chapter on Intermediary liability for details) A body corporate handling sensitive personal data (which includes financial information such as bank account, credit card or debit card or other payment instruments, password) and stores such information in a computer, is required to maintain reasonable security practices and procedures to protect such data. If due to negligence of the body corporate in handling such sensitive personal data causes wrongful loss to such person, the body corporate is liable to pay adequate damages as compensation to such person. Now days, most banking functions have moved to core banking system and a large number of transactions are made using internet banking, mobile banking or use of debit/credit cards. A significant number of urban and semi-urban customers of the banks use debit/credit cards for their everyday purchases through e-commerce sites or withdrawal of money through ATMs. The banks are in possession of sensitive personal information of their customers including account numbers, PIN, credit/debit card numbers and other financial information of the customer in an electronic form. The banks are responsible for protection of such information from unauthorized usage through maintaining reasonable security procedures laid down in different rules and regulations issued by RBI and other bodies. Some of the important rules and guidelines which govern maintenance of reasonable security standards for banks include, Master Circular - Know your Customer (KYC) norms, Anti-Money Laundering standards,
Combating of financial terrorism, Obligations of banks under Protection of Money Laundering Act, 2002 and by RBI and other international standards for information technology security (ISO standards).
BREACHES IN DATA SECURITY BY THE BANKS AND TELECOM OPERATORS Some of the common breaches in security procedures by banks and telecom operators include: • Non-compliance of KYC norms of customers by banks. Most of the proceeds of the fraudulent transactions are transferred either in “mule accounts” (accounts of innocent persons are used to transfer money in promise of payment of a certain percentage) or in accounts where the identity of the customers cannot be verified. Such accounts are generally created by using either apparently fraudulent documents or no proper documents as such. • Non-compliance of KYC norms by the telecom operators while issuance of duplicate • SIM card. In a large number of cases, the fraudster has obtained a duplicate SIM card of the victim’s mobile, which was later used to receive one-time password or make mobile banking transaction. Due to issuance of duplicate SIM card, the victim’s original SIM will get disabled and he will not be able to receive transaction messages. • Non-installation of CCTVs or non-working of CCTVs in banks, ATMs which is a necessary security procedure for banks • No mechanism to identify and flag suspicious transaction patterns • Failure to notify the customer of suspicious transactions (either through SMS or email) on a live basis.
HOW TO RECOVER LOST MONEY THROUGH FRAUDULENT BANK TRANSFERS UNDER INFORMATION TECHNOLOGY ACT? One can file an application before the Adjudicating Officer appointed under Section 46 of Information Technology Act, 2000 claiming breach of reasonable security procedures by the bank. An analysis of selected cases ordered by the Adjudicating Officer in the state revealed that the banks and the telecom operators in most cases have failed to maintain reasonable security procedures, including non-compliance of KYC norms, Anti-money laundering guidelines, and automatic suspicious transaction monitoring facilities. As per Section 43A of Information Technology Act, 2000 the banks and other intermediaries who have failed to maintain reasonable security procedure must pay adequate damages as compensation to such person to cover the loss. The Adjudicating Officer has the power to adjudicate in the matters where the claim does not exceed Rs. 5 Crores. The bank must prove that they have maintained reasonable security procedures to prevent such fraudulent acts. In case the bank fails to prove that they have maintained reasonable security procedure, the Adjudicating Officer who has the powers of a Civil Court, may order the bank to pay damages as compensation to the victim.
BY
20
&
FOR THE CIOs. BY THE CIOs.
ISO/IEC 27018 SAFEGUARDING PERSONAL INFORMATION IN THE CLOUD AUTHOR’S BIO
Nirupam Sen has 18+ years of industry experience and is currently associated with the British Standards Group as Business Head – East. He is the profit entre of BSI in Eastern India, He has extensive knowhow in capacity building and auditing of management systems like- Information Security, Business Continuity, Risk Management and Quality Management He has experience in certifications of organizations with best practices like ISO 27001, ISO 9001, ISO 22301 across all industry verticals. An MBA in Systems by profession, he is also a certified lead auditor in Information Security, IT Service Management and Quality Management. He also holds an IBMAdvance Certificate in Software Engineering and is currently pursuing his Work Integrated Learning Programme from BITS Pilani.
NIRUPAM SEN
MCA, MTM, CEH, CHFI, ISO 27001:2013 LA/LE, CCSK, CLOUD SECURITY AUDITOR (CSA STAR)
T
he protection of private information has never been a higher priority. Many national and international bodies, including the International Organization for Standardization (ISO), the US government and the European Union, are all taking steps to address this issue. One initiative they share in common is ISO/IEC 27018 and the additional controls that extend ISO/IEC 27001 to secure information held by Cloud Service Providers (CSPs). What specifically does ISO/IEC 27018 offer customers of cloud services, and why is it important? Potential exposure of personal data is at the top of the international agenda. The overwhelming number of high profile security breaches has focused people’s attention on how their individual details need to be protected. If you look at the list of breaches and the number of people affected, you can see the scale of the problem: the US Office of Personnel Management data on over 21m government employees was stolen and the attack on the Carphone Warehouse in the UK affected more than 2m of their customers were affected. These represent just the tip of the iceberg of attacks over a three-month period in 2015. In fact, McAfee have estimated 800 million data records were lost in 20131. Yet companies are spending even more on security. According to figures from Gartner, global IT security spending is set to
reach $76.9 billion in 20152. While the image of the socially misfit hacker resonates with many people; most attacks from outsiders are carried out by sophisticated criminal gangs or state- sponsored organizations, making it particularly difficult to take action against them. There’s an more insidious risk, that of the insider who, deliberately or unintentionally,leaves a company open to attack. These are often more dangerous as they often go unreported or are covered up. According to research from PricewaterhouseCooper3, 75% of organizations who suffer from security compromises committed by employees do not involve law enforcement nor bring any legal charges. This means that those organizations’ customers are vulnerable, and any companies who hire those individuals in the future would be unaware of their past and may be open to further attacks. It’s little wonder that there’s so much anxiety about how personal data is protected and, in particular, why there is so much fear about the cloud as well as why there’s still a reticence to entrust data to CSPs It’s for these reasons that the European Union, for example is looking at new regulations on Data Protection in an attempt to harmonize the legal situation across the continent. When it comes to Europe, there are a variety of local data protections laws, making it especially difficult for cloud providers to operate. The cloud crosses international borders, while the laws governing data security are primarily country specific. Part of the issue also has been the way that organizations hold data – there’s a legal separation when it comes to cloud providers. They hold data on behalf of their customers, yet the customer has the legal responsibility for what happens to that data. This is where the fears about CSPs are really centered all are happy to talk about their security expertise, the amount they spend on data protection and the physical barriers they put in place to prevent breaches, but there’s an underlying anxiety as to whether the CSPs are going to treat confidential data in the same way as their customers would. While the European Union is trying to introduce some coherence into the data protection arena, the US has to contend with a different situation. From an international perspective, ISO has developed a family of standards for information security which provides a framework for companies to develop processes and procedures to address information security concerns throughout an organization.
BY
&
21
FOR THE CIOs. BY THE CIOs.
THE SCALE OF DATA BREACHES
24:00:00 2,803
00:01:00 1,94
01:00:00 116,79
00:00:01 32
The leading standard in this group is ISO/IEC 27001, which is the most widely-recognized standard for protecting sensitive information from unintentional distribution and unauthorized access. With its 114 controls, ISO/IEC 27001 can mitigate risks involved with the collection, storage and dissemination of information by: l Allowing organizations to comply with increased government regulation and tough industry specific requirements l Providing the requirements for an effective information security management system l Letting organizations grow knowing that all their confidential information will stay confidential In the States, there’s no national law regulating how personal data is used. The different polices of the individual states can also cause a degree of confusion. This is exacerbated by various regulatory demands placed by different industries. All these factors combine to make formulating a coherent data policy rather difficult. In August 2015, in an effort to address this, the National Institute of Standards Technology advised Federal agencies to “use relevant international standards for cybersecurity, where effective and appropriate, in their mission and policymaking activities.”4 As agencies for the US government implement these standards, they will begin to demand their contractors and supply chains to also conform to the requirements of various standards The ISO/IEC 27018 standard ISO/IEC 27001 only goes so far. To allay the additional fears created by the cloud, ISO launched a new standard, ISO/IEC 27018, in the autumn of 2014. CSPs will want to adopt this standard to help reassure their customers about the security of their data. The new standard, which is an extension of ISO/ IEC 27001 and ISO/IEC 27002 standards, provides guidance to organizations concerned about how their cloud providers are handing personally identifiable information (PII). It’s a bit of legal minefield for organizations and one of the reasons that the EU discussions have been so drawn out, however some legal definitions needed to be established first. Key among them is PII itself; this is the definition on which all discussions hang. PII has been defined as any information that (a) can be used to identify the PII principal to whom such information relates, or (b) might be directly or indirectly linked to a PII principal. That, of course, raises another question, what is meant by a PII principal? This is a little trickier as some countries refer to this entity as the data subject. Likewise, there’s some vagueness about the term PII controller, sometimes called a data controller, but the central point is that the PII controller is the person who determines the purposes for which that data is processed.
WHAT DOES ISO/IEC 27018 CONTAIN? There are several guidelines within the standard. According to the ISO definition, these are: l To help the public cloud service provider comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract l To enable the public cloud PII processor to be transparent in relevant
matters so that cloud service customers can select well-governed, cloudbased PII processing services l To assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement l To provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multi- party, virtualized server (cloud) environment might be impractical technically and might increase risks to those physical and logical network security controls in place While these are the bare principles, if we look at the ramifications of what these mean and how they can help customers, then we can see that, for the first time, there’s a real framework for handling personal data.What ISO/IEC 27018 does is ensure that a cloud provider documents how personal data is handled, what procedures it has in place and how it reacts to customer requests. It can also assist in drawing up stronger contractual agreements. It can help benefit the cloud provider too. The standard will help set out how CSPs can train staff about PII, set a documentation procedure in place and provide guidelines to follow. And ISO/IEC 27018 will also provide real transparency so personal data, and how it’s handled, are not just afterthoughts. There are three areas an organization needs to question when implementing the standard. l Are there existing legal and statutory requirements that an organization must follow, including any industry-specific rules and regulations l Does adherence of ISO/IEC 27018 entails additional risks to the organization, and l Will the adoption of such a standard run counter to an organization’s corporate policies and business culture?
CONCLUSION There is little doubt that the cloud industry is in need of standardization to provide adequate and effective information security. According to a survey from TrustE, carried out at the end of 2014, 92% of British online users were worried about their privacy; that’s an increase from 89% in 20135. The arrival of ISO/IEC 27018 helps to concentrate the industry’s focus on providing increased security to protect PII. The standard is already being supported by some major cloud vendors: Microsoft has incorporated it into Azure , Office 365, Dynamics CRM and Global Foundation Services and both Amazon Web Services and Dropbox have also achieved certification to ISO/IEC 27018. Many more CSPs are expected to follow. Organizations will increasingly move information to the cloud to benefit from the greater flexibility of technology as well as the decreased demand on resources, but there will only be a high level of adoption when security, specifically privacy concerns, are answered.The impending European regulation will ensure that a new approach to privacy will be the order of the day. ISO/IEC 27018 will help to provide a set of guidelines for customers and cloud providers alike. It won’t be a substitute for national and international regulations, and its wide-scale adoption won’t mean that providers would automatically follow legal demands, but it will be an important step along the way.
BY
22
&
FOR THE CIOs. BY THE CIOs.
CYBER BULLYING– TODAYS EPIDEMIC
NIRALI BHATIA
CYBER PSYCHOLOGIST COUNSELLING PSYCHOLOGIST
C
yber Bullying is quite a buzz word today in the internet world. The grave point of concern is its growing impact on our lives. Commonly known as Internet Bullying, it is amongst the far & wide growing form of teen or child violence that can do a lot of harm, mostly mental and even physical at times. It can lead to anxiety, depression, lack of confidence and even suicide. ct it also gives platform to normal people as well to unleash their dark side & seek pleasure in dark fun. Cyberbullying is bullying that takes place using electronic technology & communication. Examples of cyberbullying include mean text messages or emails, rumours sent by email or posted on social networking sites, embarrassing pictures, videos, websites or fake profiles, blackmail,
hacking and threats. Technically it’s called Bullying when children below age of 18 are involved at the either end - as a bully or as a victim. While it falls under harassment category if there are adults involved. Over 80 percent of teens (world-wide) use a cell phone regularly, making it the most popular form of technology and a common medium for cyber bullying. 13 years old Alisha (name changed) is going for counselling sessions for last 5 months to build up her self-confidence & be able to make friends again. Alisha is one of the victims of cyber bullying. Sleep over party fun when goes in cyber space, one can’t imagine what kind of trouble it can invite. While she was asleep, her friends did some make up on her face with toothpaste & lipstick to make her look funny. Their intent was simple to have some fun. But the closed room fun became subject to public ridicule & humiliation when the picture was posted on Instagram. One nasty comment attracted many more unpleasant comments making fun of her physical appearance, intelligence, etc. breaking her self-confidence with every like received on such comments. Her parents reported that she started staying quiet, alone and became very sensitive. She would avoid & refused to attend any social events, even the birthday parties of her friends. Even her teachers complained that she doesn’t talk to anyone in the class & neither gets involved in any class activity. This was very unlikely of her according to them. Her parents were unaware of actual trigger but knew something was not right & hence sought professional help. Cyber bullies are highly intimidating. They thrive on having an audience. Display of power, vengeance and thrill are some of the reasons why people bully. Popularity & entertainment are usually the driving factors for children to indulge in bullying. India as a country stands 4th in cyber bullying. Also what is noteworthy is if 1 of 10 children has been bullied online, about 50% of children are also the cyber bullies. Knowingly or unknowingly people contribute to the bullying in virtual space. Somewhere it’s the feeling of superiority or simply having fun by demeaning someone that leads to a criminal act such as bullying. The case shared here is a classic example of same. Let us understand that the damage such crimes can do is magnanimous and very deep due to the nature of cyber space. Physical wounds heal faster than mental ones. As much is the impact of physical harassment even more is that of the virtual harassment, intent being more or less the same. Given the magnitude of the internet/cyber space the criminal acts are more dreadful & intense. Trolling is one of the most common forms of bullying besides others such as Harassment It involves the bully sending offensive and
BY
&
23
FOR THE CIOs. BY THE CIOs.
24X7
WIDE AUDIENCE
WHY IS CYBER BULLYING DIFFERENT?
ANONYMO US & IMMEDIAT E POSTING
FAST DISTRIBUTION
DIFFICULT TO TRACE IRREVERSIB LE & IMMEDIET E DAMADE
KNOW WHAT TO DO IF VICTIM OF CYBER BULLYING l l l l l l l l l l l
Do not respond or retaliate Tell your parents/adults Take Screenshots Report as Abuse Block the person Warn the person of legal action Change your passwords Delete the posts Report to Anti Bullying Organizations Get going with your work Get counselled
malicious messages to an individual or a group and is often repeated multiple times. Cyberstalking is one form of harassment that involves continual threatening and rude messages, and can lead to physical harassment in the real, offline world. Flaming Flaming is similar to harassment, but it refers to an online fight exchanged via emails, instant messaging or chat rooms. It is a type of public bullying that often directs harsh languages, or images to a specific person. Exclusion Exclusion is the act of intentionally singling out and leaving a person out from an online group such as chats and sites. The group then subsequently leave malicious comments and harass the one they singled out. Outing Outing is when a bully shares personal and private information, pictures, or videos about someone publicly. A person is “outed”
when his information has been disseminated throughout the internet. Masquerading Masquerading is a situation where a bully creates a fake identity to harass someone anonymously. In addition to creating a fake identity, the bully can impersonate someone else to send malicious messages to the victim. 19 years old Dev (name changed) was extremely nervous, scared & suicidal when he sent an email to me seeking help. He was being bullied and blackmailed. He was asked to perform heinous sexual acts & favours or pay up a huge ransom amount. Dev was just surfing the net on his smart phone and a banner caught his eye. He clicked on it which opened a WhatsApp chat window with a pretty girls face as the display picture. After a very brief chat with that girl they decided to get on a video chat and he made the call to that number. There was no one on other end, just a black screen. So assuming its poor connection he disconnected within a few seconds. Immediately he got a video of screen showing incoming call from his number with his display pic. The girl (as he assumes seeing the DP) messages him, “I am going to report to police for harassment as I have the evidence that you are calling me at night odd hours”. She had deleted all previous messages of their conversation so he could not have the chat were she had written okay let’s do video chat. Dev apologised feeling he had offended but the girl started bullying with her threat to lodge a complaint & asked him to perform indecent sexual acts or pay up XXX amount. The above mentioned case is a perfect example of how cyber criminals are luring young users & then taking advantage of their ignorance & fear to bully & blackmail them. In cyber space the adventure of exploring new can turn out to be extremely risky. 3A’s of cyber space - Anonymity, Authority and Attention makes it very luring for psychologically sick or criminal minded people to vent or act out their intents.
BY
24
&
FOR THE CIOs. BY THE CIOs.
CYBER SECURITY AND THE 80-20 PRINCIPLE AUTHOR’S BIO
A Cyber Security enthusiast and a blogger with 15+ years of experience in strategizing, implementing, managing Cyber Security for various industry verticals including Retail, Hospitality, Manufacturing, Supply Chain. Experience in multiple cyber security domains including Perimeter, SOC, Risk Assessment and Advisory, IDAM. Security Architecture for Hybrid Cloud Deployments, SaaS, eCommerce, B2B EDI, Webservices, API integrations, ePayments, etc. 15+ years of industry experience with a Bachelor’s Degree in Commerce from Calcutta University.
20% CONTROLS
JAYDEEP PALANA
T
his post is an attempt to explain how common sense, little bit of knowledge, a combination of available controls coupled with a sincere effort can do wonders in building a solid, layered and resilient cyber defense system that can defend your IT environment at affordable costs. ADVANCED perhaps, is the most overstated and widely used term in Cyber Security. Advanced Attacks, Advanced Malware, Advanced Persistent Threats, etc. Talking about the safeguards, there are tons of “Advanced” solutions equipped with sandboxing, machine learning, threat intel and so on. “Advanced Threats”, “Zero Day Exploits” that we
80% THREATS
keep hearing or reading about are not used often. That’s because attackers know there are hundreds and thousands of unpatched systems with known, old vulnerabilities waiting to be exploited. OS, Office Acrobat, Browsers, Flash, etc. That’s to enter a network. Then they know organizations irrespective of their type or size often fail to implement even basic security hygiene so low hanging fruits are waiting to be grabbed. Remember “WannaCry”? Zero day? Remember Apache Struts vulnerability exploited in Equifax breach? How advanced?
“WHY WASTE BULLETS WHEN BAMBOO STICKS CAN DO THE JOB? “ While there is much hype around advanced threats and safeguards, there is another school of thought that believes in working from ground up (security hygiene) and implementing a layered defense by smartly using existing controls available in most IT environments. The requirement is a (small) bunch of (moderately) skilled, curious and passionate people in cyber security team. Good know-how of operating systems, networks, active directory, understanding of how threats work, etc.). And a culture of constant
BY
&
25
FOR THE CIOs. BY THE CIOs.
self-learning to keep up with the changing threats. It surely makes sense to invest into “FANCY TOYS” because it’s impossible to deal with the huge volume and variety of threats without tools and automation. However, one needs advanced thinking and approach, not just products to defend an organization from cyber-attacks. Remember, any product is as smart and effective as the people configuring / using it. A number of organizations across sectors who witnessed breaches in recent past must be having all the advanced tools / products. They may have been victims of targeted and really advanced attacks, however, most organizations in general don’t have resilience against casual / volumetric attacks. I strongly believe organizations often spend most (all?) of their resources trying to prevent initial exploits. Exploit is not the end but just a means to achieve the end goal. There is lack of a cohesive strategy to restrict the attacker from achieving the “objective” once he or she is in. There are a number of things an attacker needs to accomplish between the initial exploit and achieving the ultimate objective (e.g. data exfiltration). And that gives a reasonable window of opportunity to defenders. To deal with majority of cyber-attacks, there is a defense in depth strategy based on “The 80:20 PRINCIPLE”. The trick is, “with 20% of basic hygiene and smartly implemented controls, you can possibly deal with 80% of the attacks”. That’s because majority of attacks employ no rocket science. They only take advantage of poor security hygiene, ignorant users or IT guys. Before exploring “The 80:20 PRINCIPLE”, it is important to understand how the attackers think, what techniques they employ and how the attacks work. “Attackers are moderately skilled people who know slightly more about your network than you do.” – Jessica Payne, Microsoft” Most cyber attacks typically use commodity malware, office macros, images with steganography, links/code embedded in PDF’s, etc. Once they get entry into a network, they steal credentials, move laterally to other targets until they get their hands on something really cool (e.g. Domain Admin, File Server). All this using tools that are supposed to be used by people doing cyber security (Powershell, Mimikatz, Bloodhound, etc.). This illustration explains of how a “not so advanced” attack can result into a high impact breach: l So our casual attacker Jimmy sends a nicely composed spear
DELIVER
RECON WEAPONIZE
phishing email to Rose, a low privilege user. The email has a word document with a tiny Santa’s image and a Christmas message. l It says if you want to view what surprise Santa has for you, click “View” (enable Macros). Rose clicks “View” excitedly and the VB script executes and downloads exploit code from a C2 server to exploit unpatched flash vulnerability. The arbitrary code runs, flash is exploited and Jimmy now has access to kernel mode l To obtain credentials Jimmy runs Mimikatz or any other creds dumping tool to read credentials from LSASS in memory. He can also lay hands on SAM database on workstation. l Using the harvested credentials of local admin on Rose’s workstation, Jimmy now moves laterally trying to compromise other workstations and guess what? Local Admin credentials are similar on most workstations (very likely in real world). l Once on domain admin’s workstation, Jimmy tries to steal Domain Admin password with similar trick and succeeds. “Check and Mate”. l Now since Jimmy is domain admin, he can abuse trust that Applications and Databases have in AD and steal data without any resistance. l What next? Data exfiltration over http or TLS to a “notknowntobebad.url”, clear event logs, etc. So a cleverly crafted spearphishing email with a word document can literally take over Active Directory Domain (Network) and exfiltrate information. All this without use of a “Zero Day” or “Rocket Science”. All that is required is a curious user clicking at wrong places of an email or an attachment. We will now explore how “The 80:20 Principle” can help at various stages of the Cyber Kill Chain. for mapping this attack to Cyber Kill Chain, we will use MITRE’s “Att&ck” (Adversarial Tactics, Techniques, & Common Knowledge) framework. I like it because it nicely illustrates a post-exploit adversarial behavior. It’s the “Exploitation” phase and onwards that defenders can start playing actively. We will now see which of the available controls can be used to prevent an attacker from achieving his/her objectives. If the attacker defeats one layer, the next layer in succession acts as a backup.
MAINTAIN
CONTROL EXPLOIT
EXECUTE
MITRE We will now see which of the available controls can be used to prevent an attacker from achieving his/her objectives. If the attacker defeats one layer, the next layer in succession acts as a backup.
INNITIAL ACCESS EXECUTIVE PERSISTENCE PRIVILEGE ESCALATION DEFENSE EVASION CREDENTIAL ACCESS DISCOVERY LATERAL MOVEMENT COLLECTION EXFILTRATION COMMAND AND CONTROL
BY
26
&
“Att&ck” Phase
Attack Vector /
Available Controls
FOR THE CIOs. BY THE CIOs.
Result
Technique / Enablers • Initial Access • Execution • Persistence • Defense Evasion
• Word document with a Macro • Exploit for vulnerable Flash
Control-1 Macros are required as they do some really cool stuff. But it is not wise to trust macros coming from external sources. Either verify them or simply don’t run Macros coming from outside / external domains. Disable all macros except those that are Digitally Signed https://support.office.com/en-us/article/ enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6 Disable Macros for mails coming from external domains (Internet) using Active Directory policies https://www.thewindowsclub.com/block-macro-malware-microsoft-office
If the user clicks on enable macro through the word attachment, the execution of macro will be prevented since it came from an external domain or was not digitally signed.
Control-2 Use a smart combination of Application Control Policies and HIPS rules, etc. to reduce the overall attack surface (risk exposure) of workstations. These illustrative policies can be created with most Endpoint Security products. a) Prevent executable content from email client and webmail b) Do not allow Office applications to create child processes c) Prevent Office applications from creating executable content d) Do not allow VBScript (even Javascripts) from launching downloaded executable content
Even if the exploit code in macro runs it will be prevented by the combination of HIPS and application control policies.
Control-3 “Patching delayed is patching denied.” Regularly patch software running on endpoints and not just operating systems. Known vulnerabilities are exploited to gain entry into a network. If immediate patching is not feasible, implement Host Intrusion Prevention Systems (HIPS) HIPS prevents known exploits (vectors) from running on a host. It is not a remedy but an interim control. HIPS is not install and forget thing. Review HIPS to ensure your policy comprehensively covers for known CVE’s. Credential Access and Privilege Escalation
Credential dump from LSASS to obtain Local Admin Passwords
Control for Credential Access Configure LSA Protection (Local Security Authority): Windows provides enhanced protection for LSA to prevent reading memory and code injection by unprotected processes.
If the attacker evades HIPS and other controls, the patch will not allow exploitation of Flash preventing escalation of privilege
Even if the workstation is compromised, credentials will not be available for the attacker to elevate privilege or to compromise other systems in the network.
Note: This may interfere with LSA plug-ins (e.g. smartcard drivers) unless they meet pre-requisites. https://docs.microsoft.com/en-us/windows-server/security/ credentials-protection-and-management/configuring-additional-lsa-protection
Discovery and Lateral Movement
Ping or scan/probe/ recon other systems in network. Use available communication channels to reach to other hosts.
Controls for Discovery and Lateral Movement: Control-1: Configure Host Firewalls such that communication not required for business as usual is blocked. Though attackers may use allowed channels like http/https, restricting number of communication channels greatly reduces the attack surface and casual attacks that rely on easily available channels can be dealt with. Things like port scans, SMB, NetBios, RPC, etc. shall be blocked between workstations. Whitelist a few file and print servers, Domain Controllers and other dependent hosts in the network while restricting well known propagation channels in general. Use randomized passwords for Local Admins on each computer to deal with unauthorized harvesting and replay of credentials or “pass the hash” type of attacks. Control-2: Microsoft provides LAPS (Local Admin Password Solution) a free tool to randomize passwords. LAPS sets a unique, random password for the common local administrator account on every computer in the domain. Domain administrators can authorize specific users to read passwords. It is easy to implement.
Restrictive Host Firewall Policies reduce the possibility of discovery and lateral movement by allowing only required communication between hosts. There are very limited requirements for which workstations need to communicate among themselves.
LAPS provides secure and easy management of local admin passwords. It also prevents reuse of passwords on multiple hosts typically used in pass the hash attacks.
https://www.microsoft.com/en-us/download/details.aspx?id=46899
When attackers are living off the land, why can’t defenders do the same? As illustrated above, “The 80:20 Principle” employs a combination of existing controls to build a resilient environment that can withstand majority of cyber-attacks. Defense in depth can’t be achieved by just staking up layers of products without a good understanding of attacks. You have to assume that the attacker will break one layer and accordingly plan next layer of defense. When used smartly, a combination of multiple controls can act like layers of barriers that will deter, delay, prevent the attacker and compel him/her to try something silly and make some noise. In case if it fails to prevent an attack, the least, it will get detected if you have a reasonably
good surveillance in place. When you have done your bit for the majority of the attacks it’s time to focus on “20%” i.e. more sophisticated, targeted attacks and channelize your security investments and resources towards plugging the remaining gaps with investments in technology, people, training, etc. Cyber Resilience is not an end goal but a constantly moving target and chasing it requires knowledgeable, passionate people who can align defenses in line with the attack surface and risk exposure. Disclaimer: These are my personal views and in no way represent views of the organization I am employed with/ have worked for in the past. The post is based my experience and reading and don’t represent views of any individuals or organizations in particular. Looking forward to learn from your comments, feedback and suggestions.
BY
&
27
FOR THE CIOs. BY THE CIOs.
THREAT HUNTING - NEED OF THE HOUR! AUTHOR’S BIO
With nearly nine years of experience in network and information security, Aditya Khullar holds a unique blend of visionary leadership with expertise to lead strategic planning, direct multi-functional operations, and re-structuring business models. Prior to his stint at Paytm, Khullar worked for various global firms and projects such as Aricent Technologies, HCL Infosystems, Bank of America and Interglobe Enterprises. In his present role, Khullar leads the technical aspects for cyber security verticals in Paytm and its subsidiaries.
ADITYA KULLAR
CO-FOUNDER OF CALIFORNIA-BASED CYBERSECURITY COMPANY TANIUM
T
hreat Intelligence - It is the one word we all have heard various times recently. The subject has been under constant scrutiny for a while now, but do we understand it? Moreover, since it has been viewed very differently from different viewpoints of various security professionals, To start with let’s get to the crux of it. The ultimate goal is to provide a binary answer to the question, “Do I have a compromised system in my Infrastructure?” This system can be a server or an EUD (A End user device). To understand about compromised system, there is a wonderful saying by Mr. John Strands, i.e., “Beaconing + Blacklisting=OMG! We are in trouble”. This means that any system that makes a continuous connection to a blacklisted IP is a compromised system. In simple words, threat hunting is the black box that takes input and gives output. What are all the things it encompasses? Well, we need some way to collect info and figure out whether we are already compromised or not. We also need to understand that those outputs may be a formalized incident handling process put in place, or a team that does forensic investigation of subject, or it might be just a simple policy which says, “Hey, when a system gets compromised throw it away and put a new system on the wire.” Even though that may sound silly but that is a possible answer for most of the organizations. The process of threat hunting spans throughout various technology teams. For Example: ‘I just found a system which is beaconing to unknown/blacklisted IP?’ Now to reach that point, we need a lot of work before and after identifying the system. We require complete
scanning of the system, leading to putting in incident response plans in place and after that we turn to forensics mode to get to deeper end of the cause. To resolve this chaos, it is beneficial to implement Proactive Threat Intel rather than reactive mode monitoring. All in all, Global threats can be listed in 5 types: l Remote Exploits (Public/Private) l Local Exploits/ Insider Threats l Browser Based attacks (Malicious advertising campaigns) l Document based attacks (Malicious attachments like excel files, PPT , Word docs delivered through Phishing campaigns) l DOS/DDOS (Volumetric/Computational and Asymmetric attack vectors) Then the next Question that arises is, “We have a lot of tools which gives a lot of feeds, so what is different in threat hunting which makes it difficult to implement?” In a typical security tool, the process is to collect a lot(I mean tons) of data because it is satisfying to see whole network on a single dashboard, ‘it will give data to the management team’ and then ‘the team will educate itself and find threats out of it’. And this last part is the distinguishing element of the threat hunting process, in comparison to other mainstream tools. So going further, what are the basic frameworks that could to be used as the helping hand for the threat hunting process? One of the most common framework that is taken into consideration when talking about the tool is- MITRE ATTACK framework. It is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. Secondly, while rating a vulnerability always do a manual assessment basis NIST/NVD calculations with an automated scan using tools like Qualysguard, Nessus etc. In the end We should understand that - The process of threat hunting may seem to be a great alternative to proactively monitor assets but a threat hunting program cannot be Implemented by every organization. To build a Threat hunting team, one needs threat intelligence mindset, excellent technology engineers and pro-active tools which can give threat feed of an exploit/attack vector being seen in world space.
BY
28
&
FOR THE CIOs. BY THE CIOs.
PREVENT ENTERPRISE DATA BREACHES THROUGH DATA LOSS PREVENTION (DLP) PROGRAM AUTHOR’S BIO
Reetwika Banerjee is a professional Cyber Security Expert, presently associated with Accenture as their Enterprise Data Privacy Consultant. Her principal role is to advocate senior management on hi-tech cyber security threats and how to prevent confidential data leakages out of their organization’s network. She is also an internationally awarded author. Her latest book ‘Cyber Security at your Fingertips’ was released at the New Town Book Fair 2018 by eminent Judge (Retd.) of Bangalore High Court Mr. Gautam Ray and senior Advocate of Calcutta High Court Mr. Biman Saha. To chase her passion and educate common people about security threats, need of data privacy, prevalent cybercrimes and their preventions, Reetwika contributes as a regular columnist to the esteemed multinational news portal ‘Different Truths’. You may write to Reetwika at: reetwikab@gmail.com.
INTRODUCTION
REETWIKA BANERJEE
(MBA IN CYBER SECURITY CERTIFIED DLP ADMIN (SYMANTEC & RSA), CLOUD SECURITY AUDITOR, ISO 31000 RISK ASSESSOR, ISO 27001 LI, PIMS WITH GDPR LI, PCI DSS LI)
Data Loss Prevention (DLP) is the method of monitoring, detecting and blocking of sensitive data leakage out through organization’s various communication channels. It can be done using a set of scientific tools, processes and techniques which we will discuss here. However, DLP must be looked upon as a tailored security strategy rather than a readymade security appliance. The most common application area of Data Loss Prevention is to comply with the requirements of various data security standards and international privacy laws like General Data Protection Regulation (GDPR), ISO 27001, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) etc. Other use cases may include protection of Intellectual Properties (IP) and enhanced data visibility into the internal data movement which in turn can prevent insider threats to a large extent. DLP can also be used as a tool to carry out entity behavior analysis, study user browsing pattern, do silent email monitoring, etc.
WHERE DO DATA LEAKAGES HAPPEN Sensitive data (example: Social Security Number, Employee
BY
&
29
FOR THE CIOs. BY THE CIOs.
information. A Data Loss Prevention solution comprises of policies to prevent any unauthorized transmission or disclosure of sensitive information to illegitimate users. If there are any policy violations, the solution will auto generate incidents which need to be addressed by the support team immediately. Whenever any suspicious activity is noticed within the internal data environment, the DLP tool flags a security incident. The DLP Management security solution ensures monitoring of the security events logged by the system. The reported incidents generated by the business applications, operating systems, network and security devices, wireless access points and databases are analyzed in near real time by the Compliance team and the right business owners are alerted for immediate action. Respective team then gears up as per the priority of the incident. This DLP incident management process is typically termed as Data Loss Prevention Remediation. records, Payment Card info, Intellectual Property, Customer Data, Patient health records etc) may reside in different forms scattered across the environment, residing mainly in three states – in-use (at endpoints like desktops, laptops, printers, end user machines, screenshots etc), in-motion (network traffic through wireless hotspots, intranet, websites, telephony, mobility solutions, emails, exchange servers etc) or at-rest (archived data at databases and external data storages like USBs, pen drives, discs, magnetic tapes, unused hard drives, external hard disks, memory cards etc). Ex-filtration or transmission of company’s sensitive data can happen through any of these sources posing immense risk to IT assets and company data. The leakage can be intentional or unintentional, but the risk of breach can have detrimental impacts on the organization and its clients.
DATA LOSS PREVENTION PROGRAM MANAGEMENT DLP program management is a three stage process – Sensitive Data Discovery, DLP System Integration and Incident Remediation. Sensitive Data Discovery The DLP program management starts with the identification of sensitive data and their respective locations in the entire ecosystem (Data in Motion, Data in Use and Data at Rest) which is technically termed as Data Discovery. Different hi-tech tools are available in the market which can be integrated with the DLP solutions to carry out data discovery; some even come with a bundled discovery offering along with the DLP tool. DLP System Integration Once that is done, the next step is to choose and define the internal DLP policies and regular expressions (RegEx) as accurately as possible because that will determine the level of effectiveness of the overall DLP program. Few additional system components might need to be integrated with the chosen DLP suite to ensure comprehensive results. Incident Remediation After the DLP operating model is set up, the efficiency is tested through incident management, initially with a pilot run and then spanning across slowly throughout the enterprise. Actions can be taken in four ways – Detect the breach and notify the user, block the data transfer, quarantine it or encrypt the sensitive data suitably and then allow the data movement out of the enterprise. A DLP incident is defined as any inadvertent loss of sensitive
SEVEN PHASES OF DLP LIFECYCLE An end user may send or share sensitive data in a variety of ways outside the company’s network. All of these get identified by the DLP tool and actioned upon by a layered remediation team. The first level (L1) remediation team does the gating analysis and escalates their incidents to the higher level (L2) to investigate. The respective end user whose action triggered the DLP incident is then educated by the L2 team with Remediation Plans and policy exceptions if backed up with a justified business reason. The DLP lifecycle typically comprises of seven phases – end user tries to send sensitive data outside the company, DLP tool identifies and actions against the unauthorized data transfer, Remediation team triages the incident, educates end user about the action taken (allow/ block/ quarantine/ exception) and finally closes the incident. If it is found to be a false positive trigger, the L1 analyst closes the incident with appropriate comments.
CRITICAL SUCCESS FACTORS OF DLP PROGRAM One of the most critical success factors of DLP program management is the appointment of a proficient DLP administrator who will be able to continuously measure the effectiveness of the implemented solution. With increase in data volume and number of users, the count of false positives may go abnormally high, slowly diminishing the overall efficiency of the DLP process. Lack of proper balance would indicate the time to fine tune the DLP policies. Only an expert will be able to determine the appropriate time to call for reconciliation. The DLP admin must be well trained in conducting incident trend analysis and policy exception handling on a regular basis. Any indicative premonitions must be discussed immediately with company’s security leadership. However, the success of DLP execution lies with the selection of the most appropriate DLP tool in the initial phase of the program. Innumerable DLP service providers are available in the global market, each specializing in different aspects of data management with varying degrees of flexibility and licensing models. The business and security leads of the organization must take an envisioned call in selecting their DLP implementation partner as per company’s needs, countries of future operation, data types and targets to achieve by implementing the DLP solution. Let me highlight here, implementation of DLP is a pricey, vigorous, long term and resource consuming technical solution. So, essentially choosing the right partner becomes immensely critical in the long run.
BY
30
&
FOR THE CIOs. BY THE CIOs.
HOW TO DEVELOP SECURED APPLICATIONS AUTHOR’S BIO
High-achieving management professional with 25+ years of hardcore experience in Information Technology, possessing excellent communication, organizational and analytical capabilities. Devises innovative solutions to resolve business and technology challenges. Well-versed in analyzing and mitigating risk and finding cost-effective solutions. Excels at boosting performance and productivity by establishing realistic goals and enforcing deadlines. Strong Business Process Management skills and experience including Process Mapping & Modeling, Process Visualization, Business Process Analysis, Business Process Frameworks & Methods, Business Rules, and Business Process Standards such as BPMN, BPEL, ISO (QMS and ISMS). •Winner of ‘IBM India Customer dedication Award’ for high level of Client satisfaction in IBM India •Winner of ‘BRAVO Award’ for outstanding contribution in IBM India •Winner of ‘BRAVO Award’ for contribution to General Motors Project at IBM India
I BHASKAR DAS
ISO CONSULTANT - PRIME INFOSERV LLP
t has been observed that usually an application is developed from a functionality first perspective, with quality as a part of the standard software development lifecycle but with security as a distant third priority. This is really unfortunate. Designing an application is an exercise in meeting a business goal. The application design and development stage is the ideal time to consider how security requirements and business needs intersect. Building security into the software development lifecycle is definitely a sound business decision. There may be a cost in securing application vulnerabilities, but allowing applications to be exposed to malicious activities has costs as well. Prevention is a more reasonable cost to justify and ultimately a much lower cost for an organization to absorb. Detecting and preventing code flaws early in the software development life cycle leads to significant cost savings. Unfortunately, the path to securing an application too often begins with rigorous testing for vulnerabilities, to ensure the application will not compromise, or allow others to compromise, data privacy and integrity but is already too late. Developing secured code should begin during requirement definition and continue throughout design and development, as well as during testing and deployment. If we wait until testing we are almost guaranteed to find insecurities, and
BY
&
31
FOR THE CIOs. BY THE CIOs.
all too often, we will not find all of them or even miss the most critical flaws. Secure coding has the most intrinsic relationship with data privacy and integrity and is the most effective way to verify that the security requirements set forth during design have been met. The best method to ensure code security is through a Secured Development Process that includes source code review and accomplishes the following things: l It is important to create consistent processes and policies for a culture of improved security. l When it comes to dangerous vulnerabilities, large scale design flaws can be more dangerous than the individual coding errors that are more traditionally associated with application vulnerability, such as buffer overflows. Fixing individual vulnerabilities will have little effect if data is not encrypted, authentication is weak, or there are open backdoors in an application. l When reviewing existing code, Application Developers must identify all vulnerabilities in the code, prioritize and triage those vulnerabilities in the context of the organization, and then remediate the greatest risks first. Developing secure source code requires vigilance in examining all of the places vulnerabilities may exist, not just those where we expect them to exist for example, through penetration testing. Even with the use of automated tools, the Application Developer needs to validate implementation and design practices, including native code and code reuse practices, and whether or not they could result in vulnerabilities. Along the way, to effectively measure the risk posed by any given application, Application Developers should watch particularly for the two key categories of errors: l Error in Coding: These types of defects are usually not very significant and will usually stand alone when identified and remediation is applied. They are characterized by loose program practices such as buffer overflows and call-timing mismatches. l Flaws in Design: This category includes security mechanisms that, when defined properly from the outset, can be part of the positive security in an application, as opposed to an area of risk. These include authentication, encryption, the use of insecure external code types, and validation of data input as well as application output. However, if poorly implemented, they can open up the application to just as much risk as a buffer overflow. Identifying vulnerabilities in the application is not just about finding a better way to define the need for security in the development process, but about looking at all of the places where vulnerabilities of all types
can lurk and identifying the potential risk to an organization if those vulnerabilities were to be exploited. The most common approaches to vulnerability detection are manual code review and penetration testing. Each method approaches the analysis in a different way. Manual code reviews can thoroughly analyse an application across a wide matrix of criteria, but are time-consuming and expensive and do not scale to be a part of the development process given the complexity of most software code. Often manual code review is only performed on those areas in an application that are believed to present the greatest risk, leaving large areas of the application wide open. Vulnerabilities have no prejudice, however, and can exist anywhere. Penetration tests, when automated, are easily repeated, but must by necessity fall at the end of the lifecycle when the application is complete, rather than being a tool employed from the start. Additionally, they have a more narrowly defined set of vulnerabilities than source code analysis, which identifies a broader array of potential vulnerabilities beyond the expected ones. Automated source code analysis arms organizations with the ability to evaluate every application, both existing applications as well as code under development against critical classes of code vulnerabilities, including: l Security related functions l Input/output validation and encoding errors l Error handling and logging vulnerabilities l Insecure components l Coding errors Following the path of security-related issues through the source code of an application can dramatically reduce the vulnerability of the application and the critical data it processes and protects. It is important to treat every existing and under development application as a security risk until it is proven otherwise, simply because of the risk such vulnerabilities can pose to the business. No single tool will be the silver bullet to make all software secure, simply because the breadth of legacy code in use is so vast, but tools do help Application developers and code reviewers assess applications to quickly identify the most potentially damaging vulnerabilities and triage those applications for remediation. Taking a risk based approach to remediating the code base, starting with the most critical problems first, is the most effective means to developing secured applications. If an Organization integrates this analysis efficiently and effectively into their software development lifecycle practices will not only improve their own security state but reap substantial business benefits for themselves and all those that rely on their Applications.
BY
32
&
FOR THE CIOs. BY THE CIOs.
CYBER MITRO INFOSEC FOUNDATION TEAM
C
yber-attacks, Hacking, Banking fraud, Ransomware, Bitcoin, Cyber Forensics, Cyber Law – some of the recent keywords from the current news affairs have left common people in high and dry situation where people are wondering as to what are the measures to be adopted, what to do, where to seek help from. The ground reality is that in case of such a cyber-fraud, the victim is clueless about the way forward. Most of the times multiple stake holders try to divert the victim to other’s court and in effect the victim gets confused and do not see any roadmap on resolution. “InfoConnect” is aspired to be country’s first cyber helpline driven by Infosec Foundation, a nonprofit platform dedicated to cyber security. We are working on a collaborative framework to blend user, manufacturer, police, government, providers, policy makers, law enforcement agencies at state, regional and national level, prosecutors and other stakeholders. InfoConnect will be a Toll Free helpline where people, organizations can call up seeking assistance on their issues, get emergency support, get knowledge about Cyber Law and legal assistance and many more. InfoConnect works as a friend, philosopher and guide to provide first-hand strategies and roadmap on cyber related issues. It provides the much-needed handholding before reaching the designated stakeholder. InfoConnect is unique and adds the following value to the citizen: l Immediate psychological relief that you are talking to a helpline where people are dealing with the specific kind of crime you are victim of. l The helpline is backed-up by a team of technology experts, banking experts, police, law enforcement, legal professionals and prosecutors so that you have a comprehensive assessment of your situation and you are provided guidance regarding the steps to be followed. l Such kind of a helpline is a deterrent as cyber criminals capitalize on the lack of awareness and inexperience of users / victims who find themselves helpless while they are victim of such crimes. The first step of this helpline, Infosec Foundation Lunched a “Cyber Mitro” Mobile app during Infosec Foundation 3rd International Infosec Summit held in Kolkata last 16th November, 2018. The following features are available in the Cyber Helpline Mobile App:
a). Spreading General Awareness through Advisory, Case Studies, Reports, Articles and Videos b). Filing a Complaint on issues like Banking, Law Enforcement etc. c). Knowledge Base on: l Cyber Laws of India l RBI / IDRBT guidelines for any financial cyber fraud l CERT/ NCIIPC Guidelines l Contact Details Different Government and Law enforcement authorities d) Case-id generation with auto mail and sms confirmation to the registered mailed/mobile number e) Regular push notification for awareness building for users who downloads the app f) Knowledge Development l Cyber Security related question answer game. If answer correctly an explanation with live example will be provided.
BY
&
33
FOR THE CIOs. BY THE CIOs.
l An enterprise can set specific questions for their employees’ knowledge update. l Safety procedure and theft management guidelines. l Social media security best practices like dos and don’ts. g) Interactive Simulations l Interactive based live demo simulations that can be adjusted user specific or organization specific. l Mini puzzle games containing a cyber-thief behavior and policing policies to capture the thief. h) Cyber Security Help Center l Contact details of nearest cyber security help center nearest to user location in case of emergency. l Hotline number for getting Govt. guideline and complain registration. i) News Feed l News updates on latest news feeds regarding current best practices. l Current attacks going on in the world and how it could have
been avoided. l Latest technologies and device news feeds. j) Antivirus, anti-spyware, anti-malware protection system. k) Histogram l User behavioral histogram data related to Knowledge Development, Interactive Simulations and Threat analysis. l Analysis graph of the same for user understanding. l) Next Phases will have built in Antivirus, Asset Management, Mainatence and Management kind of features in the next versions. Functionalities a) Downloadable app from Google Play (Google App Store) b) App needs to be ”Verified by Google” marked while downloading from Google Play c) Registration through mobile number and two-factor verification via OTP. Mandatory for incident reporting d) App’s home page should display the motto of the App
BY
34
&
FOR THE CIOs. BY THE CIOs.
FOR THE CIOs. BY THE CIOs.
Publisher: Sanjib Mohapatra
EDITORIAL
Group Editor: Sanjay Mohapatra Senior Editor: Chitresh Sehgal
It is a pleasure to present the 7th Edition of Infoquest. Information Security is fast evolving and besides standard issues, Privacy and Social Contract on the Ownership, Control and Regulation of Data among citizens, governments and corporations are becoming crucial aspects of our Age. There was a time when we used to hear something called “Digital Divide” and this is mutating into “Security Divide.” Infoquest – a Journal on Information Security, started as an inclusive, broad-based journal on Information security by Infosec Foundation three years back as a print-journal. In an age when mortality rates of print journals are high and it is nice to look back and see that Infoquest has passed three years mark since its inception. This issue of Infoquest which will see the light of the day in the Security Symposium & Cyber Sentinel Award Bangladesh on 17th February 2019 at Pan Pacific Sonargaon, Dhaka has the privilege of marshaling past experience on all its constituent making process – contribution, thematic relevance, content, scope and presentation. It is our hope that Infoquest has been able to bring together multiple dimensions and variety in its contribution for a wide audience. I thank all the contributors – those whose work got published and also those whose work we could not include in this issue for some of our methodological policy constraint. Thanks to Infosec Foundation and Enterprise IT world for being the patrons, our sponsors, our editorial team members with a special mention of Mr. Sudipta Biswas, and good luck at critical moments. Our team hopes that our readers will find our efforts useful, relevant and worthy of continuing attention and support. Thanks to our readers, publishers, sponsors, contributors and the editorial team and we shall be back soon with our 8th Edition. Sincerely yours, Pritam B Wordsmith Editor-in-Chief
EDITORIAL BOARD
01 02 03
Sudipta Biswas Pritam Bhattacharya Sanjay Mohapatra
04 05
Associate Editor: Deepak Singh Designer: Ajay Arya Assistant Designer: Rahul Arya Deepak kumar Web Designer: Vijay Bakshi Asst. Web Designer: Sangeet Technical Writer: Manas Ranjan MARKETING Marketing Manager: Nidhi Shail nidhi@accentinfomedia.com SALES CONTACTS Delhi 6/102, Kaushalya Park, Hauz Khas, New Delhi-110016 Phone: 91-11-41055458 E-mail: info@accentinfomedia.com EDITORIAL OFFICE Delhi: 6/103, (GF) Kaushalya Park, New Delhi-110016, Phone: 91-11-41657670 / 46151993 info@accentinfomedia.com INFOSEC FOUNDATION DL 124, Salt Lake, Sector – II, Kolkata – 700091, West Bengal, India Phone : +91 33 4008 5677 Email: info@infoconglobal.org Web : www.infosecglobal.co.in Printed, Published and Owned by Sanjib Mohapatra Place of Publication: 6/103, (GF) Kaushalya Park, Hauz Khas New Delhi-110016
Phone: 91-11-46151993 / 41055458
Printed at Karan Printers, F-29/2, 1st floor, Okhla Industrial Area, Phase-2, New Delhi 110020, India. All rights reserved. No part of this publication can be reproduced without the prior written permission from the publisher. Subscription: Rs.200 (12 issues) All payments favouring: Accent Info Media Pvt. Ltd.
Sushobhan Mukherjee Sanjib Mohapatra
MEGA CIO SUMMIT & AWARDS 2019
JUNE 2019
FOR MORE INFORMATION, WRITE TO sanjay@accentinfomedia.com, sanjib@accentinfomedia.com, Priyanka@accentinfomedia.com, Nidhi@accentinfomedia.com EVENT BY
ORGANISED BY
TOP 6 CYBER ATTACK TRENDS
Arm yourself with all the facts in the first volume of the 2019 Security Report: Cyber Attack Trends Analysis and stay ahead of evolving cyber threats.
Watch now<https://www.youtube.com/watch?v=zp6L7tQaNEY> Get the detailed Report: http://bit.ly/2W6gx7L To know more : Visit www.checkpoint.com Reach us at : marketing_india@checkpoint.com FollowUs: SR_high_res_ad_22x31cm.indd 1
08-Feb-19 11:35:15 AM