Enemy Inside the Gates – Analysing & Neutralising Threats
On June 25 this year, hackers broke into the cyber infrastructure of National Informatics Centre (NIC), which runs the nation’s eGovernance framework. After breaching NIC’s security, the hackers accessed the root directory that hosts the most sensitive data. They issued several fake digital certificates, which NIC failed to detect for several days. According to NIC sources, the breach was the handiwork of hackers from outside India.
The hacking of NIC shows that ensuring the security, availability and reliability of important data has never been tougher than what it is today. Targeted attacks and advanced persistent threats (APTs) are on the rise as our dependence on Internet of things and an interconnected environment expands. Those with malicious intent spend most of their time in identifying the weak links through which attacks can be launched.
The Symantec Internet Security Threat Report (ISTR), Volume 19, reveals that attackers prefer to focus on large organisations. Over 69% of the targeted attacks in India are carried out on large organisations. But this does not mean that the SMBs are safe. The security threat landscape for SMBs is no different, with attackers often targeting smaller businesses that have a relationship with a larger company, using them like pawns in a larger plot. According to the ISTR 19, small businesses in India have received maximum phishing and virus-bearing emails – almost three times as much as the larger targets.
Recent trends like hacktivism, heartbleed etc., have caused significant damage to organisations that are ill prepared to meet the challenge. This pervasiveness and maturity of the cyber attacks is contributing to the growth of the enterprise security market.
According to McAfee, the total enterprise security market in India is expected to be $234 million in 2014. This contributes the highest growth for APAC region at 16.3% CAGR. Next generation firewall, endpoint, web gateway, email gateway, among others constitutes the biggest growth drivers in this market.”
Enterprises across the board, especially sectors such as BFSI, government etc., are readily investing in security solutions. According to a report by KPMG, the information security market in India is expected to grow by 50% in the next three years. The market, including hardware, software and services, will be of nearly Rs 1,200 crore this year.
With digitisation and popularity of smartphones, information access is at the click of the mouse or by a swipe of the finger. The ease of access to information has led to a corresponding rise in the threat of data breaches.
“In the backdrop of changing mobility landscape, enterprises are looking for a highly secure, reliable yet flexible mobile architecture to manage the complex needs of a highly dynamic workforce. The new age enterprise CIO needs to map IT to business in a manner where it is able to contribute to the productivity and help grow revenues. CIOs are therefore looking at increasing end-user productivity while reducing TCO,says Manoj Khilnani, Country Marketing Head Enterprise, BlackBerry India.
While BYOD is considered to be the ideal way of achieving this outcome, it can also increase the risk of security breeches. BYOD brings with it the complexities of securing a varied set of devices, managing access controls to mission critical apps as well as compartmentalising the corporate data from the personal data. However, the growth of workplace mobility has increased the demand for business applications and this provides a great opportunity for developers.
“Often the biggest threat for any organisation is internal – from its employees, contractors, temps, etc., who actually have the control of the information on which the business runs. When we calculate the risk of internal and external sources of business damage, we arrive at an interesting proportion of 80 (internal): 20 (external) and surprisingly we spend heavy amount to safe guard that 20% of the risks, leaving 80% internal ones,notes Suneel Aradhye, Group CIO, RPG Enterprises.
“What is most dangerous here, is the psychological aspect of the attacker. Identify theft, identity fraud, information leakage, system compromising, privilege escalations etc., are common outcomes from the 80% threat class, which comes from inside the organisation,Suneel adds.
Thomson Thomas, Senior Vice President -Business Systems & Technology, HDFC Life, explains, as per recent EY Global Security Survey, nearly one-third of organisations still do not have a threat intelligence program, and slightly more than one-third have an informal program. In terms of vulnerability identification, nearly one in four have no program. Financial services are the most mature of the industries and invest diligently in security programs. However, organisations, regardless of industry or size; should be concerned by the overall lack of maturity and rigour in a number of security areas. In many cases, organisations will need to urgently invest more to improve, innovate and mitigate. After all, the cost of a breach can be far more costly.
If the evolution in Internet-enabled devices, the popularity of social media, the trend of BYOD, and the virtualisation of data centres are leading to a host of new opportunities for the organisations, then they are also creating challenges by development of more opportunities for those with malicious intent.
Hacktivism is the act of hacking, or breaking into a network, in the name of a political or social cause. In most cases the hacktivist does not intend to steal private information, for him hacking is a way of achieving certain political ends. The typical acts of hacktivism include website defacement, denial-of-service attacks (DoS), redirects, website parodies, information theft, virtual sabotage and virtual sit-ins.
The term hacktivism might have gained notoriety fairly recently, but it is quite an old phenomenon. The first hacktivist attack happened in October 1989 when DOE, HEPNET and SPAN (NASA) connected VMS machines world wide were penetrated by the anti-nuclear WANK worm. Today many hacktivists are using highly sophisticated and socially engineered spear-phishing techniques to penetrate the network that they want to target.
“In some cases cyber criminals have pretended that they are from tech support to convince targets to open emails or run malicious programs. Such approaches are a sign that attackers are customising strategies and sharpening their social engineering skills,explains Tarun Kaura, Director Technology Sales, India, Symantec.
Making the heart-bleed
One of the most talked about security breaches this year was the heartbleed bug. A simple virus that attacked open SSLs, it allowed attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys. The bug affected organisations as well as consumers.
Thomas of HDFC Life says, heartbleed proved an important point that the traditional, static, cyber-security paradigm no longer works; signature-based defences and trying to build bigger firewalls are strategies of the past. With so many potential vulnerabilities, companies cannot simply try to keep all the hackers out. Organisations must quickly detect hackers or a threat and neutralise their capabilities, also there is a need to have networks and systems that are resilient in the face of a cyber-attack.
“To be resilient, companies must be aware of how their systems are vulnerable and be aware of how the systems, their partners, sub-contractors, and clients use, are vulnerable. A fully integrated cyber-intelligence capability enables this kind of resiliency. Also, instead of waiting for hackers to show up on the network, reputation management and intelligence team should actively monitor known threats and seek out and proactively neutralise threats before they can attack the network, he adds.
The heartbleed vulnerability will continue to be a problem for some time, as many organisations are still not fully prepared to tackle the threat.
Tackling social media
In many enterprises, the usage of social media has served as an entry point for cyber attacks. BYOD is rooted in the fact that the mobility of these devices introduces security management issues around access control, data protection and compliance. Additionally, employee-owned devices used for work introduces added IT complexity as it isn’t always clear who owns the device, and furthermore, who owns what data on the device. With the introduction of these new, unsecured and possibly non-compliant devices easily coming inside the walls and leaving with business sensitive information, a security and compliance hole is forcing a re-think of how to best secure the organisation and its business data,says Jagdish Mahapatra, MD India & SAARC McAfee.
“The rise of BYOD is often perceived as bad news for the IT department but smart CIOs and CISOs see it as an opportunity, not a threat. However, the rapid adoption of these trends and the current business environment puts the onus on the CISOs to use new ideas for safeguarding the organisation’s critical data and giving employees freedom to work the way they want – while achieving this end they must also reduce IT complexity,says Pravin Srinivasan, Lead, Security Sales, Cisco India & SAARC.
Dhananjay Rokde, Global Head Information Security, Cox and Kings Group, says, “One must remember that there is no silver bullet for addressing concerns / issues. Although, there are a lot of products that advertise themselves as complete protection and data privacy solutions they can only address a few point-problems. Addressing privacy issues needs attention from the management and process levels. These issues are typically addressed by extensive training, management sensitisation and rigorous governance.”
Since there is no plug and play solution for privacy issues data classification, customer information tagging / flagging and role-based segregation of information are the core steps towards ensuring a successful privacy program. CISOs need to clearly understand and distinguish between data protection and data privacy, and they must run independent programs for addressing each of these issues.
“While spear-phishing attacks have traditionally only targeted emails, we saw last year that a growing number of attackers are using rather aggressive offline tactics. In addition to sending emails, attackers use assertive follow up phone calls to the target for convincing him/her to open the email,explains Kaura of Symantec.
An organisation’s security standards are dependent on the hardware and the software that has been deployed and also the policies that govern the security related issues. The threats are constantly evolving, which makes it impossible to predict the kind of security scenario that the enterprise will face in future.
“The best way for enterprises to deal with threats is to ensure that they put in place the following – infrastructure that is flexible enough to withstand the widest possible range of attacks, monitoring systems that can detect any attack, and then back it up with policies that will help react to the severity of the attack in the most effective manner. Policies that tackle access restrictions – both physical and network based are the most critical components of this mix,says Shridhar Luthria – General Manager & Business Head, ResellerClub, Directi.
While we discuss the right mix for a security policy and the approach for securing an enterprise’s networks, there is an even more daunting task of deciding what percentage of the net IT budget should go procurement or development of security solutions. The budget varies from company to company, and is often linked to the size of the organisation and the kind of work that it is doing. According to Gartner, the information security budgets should be around 8-10% of IT budgets. Companies located in Asian countries face more risks as their IT budgets are often inadequate.
According to Thomas of HDFC Life, organisations are investing more in information security. BFSI and small businesses with a turnover of less than $10 million or businesses located in rapid-growth markets report the highest increases as a percentage of their budgets. Although budgets are on the rise, information security functions continue to feel that budget constraints are their biggest obstacle to delivering value to the business. CIO?/CISO’s need to do a better job of articulating and demonstrating the value of investments in security.”
Ajay Srivastava, Head IT, Spice Retail (Handset Business) on the other hand says that about 2-4% of the total IT budget is spent on security. IT threats are becoming more sophisticated all over the world and organisations are demanding new, robust, affordable and upgraded security solutions in order to protect their confidential data. Organisations are spending generously on it, of an average IT spend of 10-12%, 2-4% goes towards security.”
“Today most companies implement security controls for preventative purposes. Most of the companies spend approximately 70% of their security budgets on preventative measures, with monitoring (detective) and remediation (response) forming the remaining 30%,adds Srivastava.
If you have an interesting article / experience / case study to share, please get in touch with us at email@example.com