Battling cybercrime: Global experts share key insights at Daily FT-CICRA Summit
Friday, 8 August 2014 01:05
By Cassandra Mascarenhas
Cybercrime has now become a commonplace term, intertwining itself into the daily lives of people, into enterprises and even governments, silently striking when least expected and causing billions of dollars’ worth of losses every year globally. The battle lines have been drawn and it is now up to everyone, whether an individual, company or country, to arm themselves against this menace.
Facilitating this movement, the EC-Council Cyber Security Summit 2014 was held in Sri Lanka for the second consecutive year, organised by Daily FT and CICRA Holdings. The day-long proceedings brought together global experts on cyber-security, featured a CEOs’ Breakfast Forum and a full-day summit, and concluded with a ‘Night Hack’. Furthermore, the Summit saw the forging of new partnerships, with CICRA Holdings appointed as a reseller for InfoWatch software solutions.
Preventing data loss
Kaspersky Lab Co-Founder and InfoWatch Group of Companies CEO Natalya Kaspersky was unfortunately unable to make it to Sri Lanka; in her stead, InfoWatch Group of Companies Deputy CEO Vsevolod Ivanov stepped up to discuss whether it is in fact possible to protect businesses from data loss.
The number of IT tools available is growing as are the numbers, types and varieties of IT threats. In his presentation, Ivanov chose to focus on threats against enterprises and businesses. IT, markets (competition), threat models, personnel and regulation were named as the main drivers of information security in enterprises.
“We have also witnessed the dissolving of the enterprise perimeter because of the use of smartphones, the cloud, BYOD (Bring Your Own Device) – a very controversial thing as if you disallow it, you sacrifice flexibility and mobility. All these trends complicate the enterprise’s protection and the security model. 10 years ago, you could install an antivirus to all machines but now it’s just not enough because everything is not controllable,” Ivanov pointed out.
He took a quick look at the security measures usually employed by enterprises, noting that defining what counts as confidential data, building a threat model and appointing responsible people are steps that have to be undertaken. Blocking data transfer channels such as email, the internet and USB ports tends to be too complicated and results in long lists of rules. Employee tracking through CCTV cameras, Radmin and the like is hard to do, has low effectiveness, might be prohibited by law and raises ethical concerns.
Effective data loss prevention (DLP) software could play a major role in mitigating cyber threats, Ivanov stated. Installing a DLP provides a helicopter view of corporate information flows, allows confidential information to be blocked, and comes with permanent automatic updates and support for all information flow types. Importantly, it provides protection against internal threats, to which companies are more susceptible.
“Data loss causes a great deal of problems in enterprises, from loss of money to reputational damage,” he pointed out. Ivanov then drew upon the example of a bank that Infowatch had worked with. The installation of an effective DLP prevented the loss of 15,000 records of clients’ confidential data which a malefactor had wanted to sell on the black market and saved the money and reputation of the client – estimated losses were finally calculated to be $ 32 million.
Software Defined Networking for security
Cisco Customer Solutions Architect Joshua McCloud delivered a highly in-depth presentation on what he termed the next generation threat defence – Software Defined Networking (SDN) for security.
“Although SDN is still in its early stages, it has proved that it can help address a lot of the complexities in security through automation. Over the past five years, there has been lots of advancement in easing complexities in the data centre which allows it to be more responsive to the needs of IT. Unfortunately, we haven’t seen the same capability benefit the broader enterprise infrastructure,” McCloud stated.
Infrastructure is a key piece of our security capabilities, he observed. The issue arises as to how it can be managed in a cohesive way. He noted that 80-90% of IT administrators spend time on maintaining and managing infrastructure, leaving very little time for anything else, with next to no business benefit.
“There is now the ‘Internet of Everything’ – the core of which lies in connecting the 99% of devices that are currently unconnected. This poses a huge opportunity for businesses because it makes every business an IT company. Your primary value delivered may be around something else but IT is how you deliver it. Internet of Things is the first step. Internet of Everything is what happens after that – these devices produce data so there is an opportunity for them to work with each other,” he explained.
He went on to note that this data can be taken and translated into how it could deliver value to businesses as well as in our day-to-day lives. The imperative for CEOs is about entering new markets and creating new business models, and professionals in IT have to be focused on how IT becomes an enabler of business, in order to reach that end. For this, security needs to be removed as a barrier to achieving business opportunities.
McCloud then drew on a survey Cisco had conducted in which industry leaders were asked about software defined networking. It revealed that the main concern in dealing with IT was complexity and difficulty, and that the primary issues SDN must address are visibility and control, end to end and in real time.
He then went on to build a case for the use of SDN, going into the technicalities of the framework and highlighting many situations in which it can be used to streamline security functions through automation, its primary capability. This in turn gives security professionals more time to be strategic and makes the security function more agile and efficient.
The Threat Evolution
Cisco Principal Consultant Srikanta Prasad drew the much-coveted spot right after lunch, which may explain why he chose to dive straight into the deep end in his presentation on the ‘Role of Cyber Security in National Security Frameworks’ by detailing several instances where cyber-war has been waged against nations and military organisations – Titan Rain, Operation Orchard, Estonia, and Moonlight Maze were a few of the examples he drew upon. Operation Orchard was named as a classic example of how information can be used to subvert military operations.
“Imagine the plight of civilian installations if a military establishment can be breached in such a manner. These kinds of situations are becoming more and more prevalent today. A couple of months back, four utility companies in the US were compromised and attackers were able to gain access to the SCADA systems and control how much water was pumped out,” he revealed.
A nation’s survival and growth depend on these critical installations, which in turn are dependent on IT, he observed, which shows that IT has a major role to play in how prosperous a country becomes. Drawing upon the public announcement by Black Hat Conference hackers that they were able to control airplanes by hacking into the flight’s inflight entertainment system, Prasad emphasised the need for a very different approach to security.
“We aren’t telling you that we have a silver bullet that will answer all your problems but we do have a journey to embark on. What is the future of threats going to be? No one knows. The vulnerability that does not exist today could be discovered by a smart guy and be an issue tomorrow. The future of security can never be written in stone – it needs to be rewritten as and when the threats turn up,” he stated.
Silos of solutions will not solve your security issues, Prasad said. It requires a system-based approach, with the functions working together as a system. After defence mechanisms are put in place, they need to be tested to see if there are loopholes in the system.
“A plausible approach is an integrated platform for defence, discovery and remediation. Firewall > content gateways > integrated platform > virtual > cloud. It needs to cover the entire attack surface and threat surface, from devices to endpoints,” Prasad explained.
Cisco uses policy orchestration to ensure that the right amount of security is deployed to end-users wherever they go. He added that Cisco could provide information about where an attack comes from, including specific IP addresses with a history of hosting such malware, so that users can be blocked from going there. Cisco also helps its customers with cloud-based intelligence, which ensures that propagation is stopped right at the source.
He too then touched on SDN, stating that their aim was to leverage the power of SDN to increase the sensitivity of the network. “What we are trying to do is to expand the scope of the SDN for security services to have a common management plane for all devices, so that a switch, router or app can understand vulnerabilities. It’s a vision we have where apps can drive network behaviour. We will have the whole network participating in the security function and it will unlock a whole new level of visibility.”
Microsoft’s Digital Crime Unit
Up next was Microsoft Regional Director Intellectual Property for Asia-Pacific and Japan Keshav Dhakad, to throw some light on a little-known aspect of Microsoft’s operations – its Digital Crimes Unit. Located in Redmond, USA, it is a first in the IT world, a state-of-the-art research and development centre which has forged partnerships with law enforcement agencies, governments, academia and of course, Microsoft’s customers.
Cyber-criminal organisations are now run like enterprises, Dhakad observed, costing businesses nearly $113 billion a year. These happen in real time and have affected one in five small and medium enterprises and 50% of online adults.
“It’s a new era in the fight against cybercrime. What we are trying to do is disrupt those who try to attack our platforms. There are three areas we are working on – malicious software crime (viruses, worms, Trojans, botnets), IP crimes (counterfeiting, end-user policy) and child exploitation (child abuse images, sex trafficking),” he explained.
Microsoft leverages big data on cybercrime intelligence to learn about infections that exist in the environment because botnets are a very serious threat and the corporation is investing millions of dollars to disrupt their network.
“Fraudulent websites and unsecure supply chains are one of the most critical elements in the distribution of malware, as well as counterfeit software. You need to have clean and genuine IT, else everything you build on top of it will crumble,” Dhakad cautioned.
Once millions of computers are captured, they can dance at the whims and fancies of the botnet operator, who can launch spam distribution, denial of service attacks and click fraud, to name a few. Microsoft’s botnet enforcement is about the proactive disruption of cybercriminal networks because they create more damage, he explained, sharing some examples of the botnet cases that Microsoft helped bring down, including the world’s largest spambot Rustock in 2009, which sent out 30 million spam messages a day, and 2011’s Zeus, which infected 13 million PCs and caused $ 100 million worth of losses.
“The sophistication of cybercrime code is growing in leaps and bounds. We don’t want our platforms to be the ones for these guys (cybercriminals) to be able to do their business on. Our objective is that when they think of Microsoft they will not want to attack our platforms. We feel accountable as a tech company to make our customers feel safer and make the internet safer.”
He revealed that 152 million infections are being observed in Asia at the Digital Crimes Unit today and added that the viewing of big data has helped them fine-tune their detection capabilities.
“The malware followed certain boundaries, which helped us see that they were attacking European countries – code that would target certain European languages, although not their own, as they didn’t want their own law enforcement officers after them. All this was possible through the big data view.”
“We are not thought of as a cyber-security company. Yet, we have 500,000 servers worldwide and after the Pentagon, we are the second most experienced entity to understand cyber-attacks and to defend them. We also have a worldwide sensor network and ecosystem insight which allows us to collect data which allows us to understand how these threats are evolving and to take proactive action,” Dhakad stated.
Net wars
The ever-entertaining CEO of the AKATI Consulting Group Krishna Rajagopal, addressing the Cyber Security Summit for the second year running, commenced his presentation with a brief about serial hacker ‘Darth Maul’ and concluded with step-by-step methodologies on keeping corporate networks safe.
Serial hacker Darth Maul commenced his large-scale operations in 2010 by hacking AT&T, through which he leaked 114,000 records to the public, including those of the NY Mayor, the White House Chief of Staff, people from NASA, etc. The following year, he broke into Sony several times in succession, leaking almost 77 million records and causing Sony financial losses of $ 171 million – most of these attacks were via SQL injection.
In 2012, he hacked Amazon and Zappos, leaking 24 million records. The next year, he broke into the US’s satellites and took control for about 12 minutes. In 2014, he hacked Mt. Gox, the biggest Bitcoin exchange in the world, and brought it down, causing it to shut down.
“What was going on? What do you think is the next target for Maul and his friends? These targets change – it’s all based on motivation and trend. What do you think his trends are? Right at the top in 2009 was Brute Force. Today, the trend has changed because nowadays, they use stolen credentials. For a lot of attackers, it’s about ego. Phishing and SQL injections are issues that have stayed constant,” Rajagopal noted. “Web application attacks are the most common technique for Maul, followed by POS intrusions and cyber espionage. 2% of attacks are unaccounted for.”
How does Maul do it?
“Usually I just find one disgruntled employee. Just one,” Maul stated in response to this question. Every company has one of them – bonus time is the best time to find them, Rajagopal quipped.
McAfee rated Britney Spears, Lily Collins, Avril Lavigne and Sandra Bullock among the top 10 most dangerous celebrities last year. “At the end of the day, we are actually the weakest link. Regardless of the money you spend on perimeter security, your users are the weakest link. If there are hard-core fans of a celebrity, they are bound to click on these images – even security guys!” he pointed out.
Rajagopal went on to detail some practical steps an end-user could take in order to protect himself: “Secure your passwords. Keep it long and strong and never reveal them to anyone. Prevent malware. Use protection software, anti-virus, anti-malware, firewalls, etc. and be sure they are turned on. Keep your tools sharp. Install software updates, get the latest updates and make regular backups. Be safe – never click on a link in an email, avoid dodgy websites and stay aware on the internet.”
For corporate networks, he advocated a strategy of ‘defence in depth’, listing out the four steps of prediction, prevention, detection and response. For prediction, hire good security consultants and have an emerging threats team – either do it manually (go online and keep up to date with issues) or subscribe to advisory services.
He stressed the importance of prevention, as it delivers better ROI than responding to attacks that have already happened. While there is no such thing as 100% security, detection is very important. “When an attack slips past defences, it must be properly identified and contained. Have a risk assessment team which meets often to track the emerging vulnerabilities and determine the risk and applicability to the environment.”
Finally, for response, Rajagopal stated that it is vital to have a response procedure that the staff is aware of. “Develop an IT Emergency Response Process and have it as part of the DR exercises. Have a security operations centre (SOC) response team which monitors incidents and quickly addresses them. Implement the ‘Secure Default’ concept – make sure that everything that comes out is secure. Implement ‘Least Privilege’ and try to reduce the attack surface; together with defence in depth, you should be fine.”
The Cyber Security Summit 2014 was supported by the US-based International Council of Electronic Commerce Consultants (EC-Council), the world’s largest vendor-neutral cyber security education provider, and CICRA Consultancies Ltd., Sri Lanka’s pioneering cyber security training and consultancy provider. Cisco and Microsoft were strategic partners for the events, whilst InfoWatch was the technical partner.
The events were supported by the Ministry of Telecommunications and the ICT Agency (ICTA). The Official Telecom Partner was Dialog Axiata, Official Electronic Payments Partner was LankaPay whilst Continental Insurance was the Official Insurer. Creative Partner was Triad and Official Printer was OfficeMax. Electronic Media Partners were TV Derana, FM Derana, and Ada Derana 24×7. The Hospitality Partner was Cinnamon Lakeside Colombo.
Pix by Upul Abayasekara
Cabraal tells IT security professionals to gear up to protect a bigger economy
“Every challenge, if you prepare and face up to it, wouldn’t be such a massive challenge. We had a similar threat when the GSP + was withdrawn – for two years, we prepared and by the time it happened as expected, nothing happened. There was no difference in the way people did business, the threat was managed and then the threat was there no longer” – Central Bank of Sri Lanka Governor Ajith Nivard Cabraal
Central Bank of Sri Lanka Governor Ajith Nivard Cabraal featured as a guest speaker at the Summit, bringing to the table what should be looked at by the users of ICT in various other applications. He noted that this is definitely a time when the country needs to secure its platforms, as it is moving into a new phase of economic development.
Cabraal, offering a quick overview of the Sri Lankan economy, stated that in 2005 the country’s GDP was $ 24 billion, but today it is at $ 67 billion and at the end of the year will stand at $ 77 billion. This is projected to rise to $ 89 billion and then to $ 101 billion by 2016 – a threefold increase in a 10-year period.
“Lots of applications are being applied all the time in a wide range of activities through the use of ICT. While this is very encouraging for the people using it, for the people managing it, it’s a nightmare. For the people providing the security, it’s a bigger nightmare. It poses huge challenges for those working on systems and preparing systems for the future.”
Cabraal asked what would happen when the country’s GDP reaches $ 150 billion. It would mean coping with a large number of transactions, issues and challenges, and ensuring that these systems have no downtime. The more ICT drives the economy, the greater the population’s reliance on it and the greater the impact of threats.
“Every challenge, if you prepare and face up to it, wouldn’t be such a massive challenge. We had a similar threat when the GSP + was withdrawn – for two years, we prepared and by the time it happened as expected, nothing happened. There was no difference in the way people did business, the threat was managed and then the threat was there no longer,” he said. “This would range across many functions of our economy – small businesses to large, public to private sector, every entity and individual will use ICT and they all need to have systems that are safe.”
He was pleased to announce that the subject is being addressed in a professional manner by experts in the field. By 2020, Sri Lanka is aiming to raise literacy rates to 90%. “You will find that this is the new Sri Lanka we are talking about. It needs to embrace ICT to leapfrog to the next level of development and in that backdrop, you will learn the pitfalls and be prepared to deal with it, allowing Sri Lanka to move into the next phase of development seamlessly and take us to 2020 safely.”