Wednesday, 6 August 2014 01:37
A siren call was issued yesterday at the EC-Council Cyber Security Summit 2014, rallying the country, government, the public and private sectors, and individuals, to arm themselves against one of the biggest wars being waged globally today – the threat of cyber-terrorism and cyber-attacks, which have firmly established themselves as one of the largest and most elusive risks the world has faced.
Held for the second consecutive year in Sri Lanka, the EC-Council Cyber Security Summit 2014, jointly organised by Daily FT and CICRA Holdings, is an event that brings into focus how vulnerable entities are to cybercrime and, through a line-up of international experts on the subject, discusses how companies can be secured against this ever-growing threat.
The speakers this time around were no less impressive than the previous year, and included Minister of Economic Development Basil Rajapakse as Chief Guest, Anura Siriwardena, Kaspersky Lab Co-Founder Natalya Kaspersky via video conference, as she was unable to make it herself, EC-Council President and CEO Jay Bavisi, Secretary to the President Lalith Weeratunge, Infowatch Group of Companies Deputy CEO Vsevolod Ivanov, and specialists from CISCO and Microsoft, amongst others.
Delivering the pre-mission briefing, Daily FT Editor Nisthar Cassim noted that although Sri Lanka has emerged from one war, it is now facing another, along with the rest of the world – the war against cyber security.
“Sri Lanka post-war is progressing towards a goal of achieving a $ 1 billion economy within the next few years. For that economy to serve the people of Sri Lanka, the key economic sectors must be protected. We therefore felt it is important to increase the awareness and preparedness of all public and private sector institutions and individuals,” he stated.
Building ‘Threat Models’
Unfortunately, one of the summit’s key speakers, Kaspersky Lab Co-Founder Natalya Kaspersky, was unable to make it to Sri Lanka due to health reasons, but she joined the congregation via a live Skype linkup and delivered a short yet pertinent message.
Focusing on protection for enterprises, she revealed that armed with their knowledge of problems faced by different enterprises, they have been working on making different types of software to protect enterprises, yet noted that the decision lies within the enterprise itself to choose protection that is suited to its needs.
She stated that a person in charge of information security should consider five things, the first being information technology, as it drives information security. “Trends like ‘Bring Your Own Device’ (BYOD) and the implementation of cloud all influence information security and change it significantly.”
The second item is to heed what regulations tell companies in order to protect the enterprise. Although it is not as obligatory in the Asia Pacific as it is in Europe and the US, she pointed out that the trend of regulation exists.
The third are the threats themselves. “What is most important to us today is to identify what kind of threats we are dealing with. There are internal and external threats and the recent trend is that more and more companies are affected by internal threats, as there are lots of tools to protect them from external circumstances but few to deal with internal. Build a threat model which outlines what is important to the company and what steps should be taken to make the enterprise safe,” Kaspersky advised. After a threat model is built, a suitable solution can be chosen to counter the threats.
The fourth item is to look at the tools available in the market and the fifth, unsurprisingly, are the personnel who will implement the measures in the company. “We witness a shortage of information security personnel and unfortunately, it’s becoming a problem.”
Post-PC transition
EC-Council President and CEO Jay Bavisi, back in Sri Lanka for the third consecutive year, tackled the upcoming trend of post-PC transition and the security issues it brings up. A computer over the decades has advanced from the abacus to today’s handheld devices – and this rapid transition has brought about changes that affect countries, companies and citizens.
Computing has evolved, so how will security change along with it, Bavisi questioned. “Things in our past no longer affect our future.”
He defined a post-PC device as one with a multi-touch user interface, pinch-to-zoom gestures, GPS, LTE, voice, data recognition etc. Security is no longer about dealing with computers stacked across an office – this is an era where devices will just keep popping up.
As examples, he referred to ‘Cotton Candy’, a powerful pen drive, and the ‘Raspberry Pi’, an even more advanced piece of portable equipment. A laptop is soon becoming a thing of the past. A simple example of the post-PC trend is the iPhone, where the unit alone currently rakes in $ 88.4 billion, whereas all of Microsoft makes $ 73 billion.
“We are having serious security problems. Mobility is becoming the nightmare of corporations and security professionals. Enterprises too have to move in this direction. A 103 billion apps have been downloaded on iTunes but how many are questioning the secureness of these apps? You’re giving your contacts and personal information on your phone to hundreds of people you have never met – do you have the power to deal with it?”
Reading the fine text
He asked the audience when the last time was when they read the fine text that appears just before downloading an app. Bavisi pointed out that no one thinks what downloading these would do to personal security. There is no longer any privacy with the emergence of networks such as Facebook and Twitter. “In the post-PC era, there is no such thing as privacy and you have to deal with it. In the post-PC era do you own security? No! When you download the apps, you’re the puppet and the developer of the app owns your security. Have you run an anti-virus against the app? Have you read the small text? Think about the things that most people don’t think about. We are outsourcing our security. Even though there are anti-viruses for phones, how many use them? Will they protect you? I don’t know!” Bavisi exclaimed, driving his point home.
With the dawn of this new era, 1.3 billion people are moving into an era without firewalls. This is the new threat coming up. Although a company could outsource the functionality of enterprise protection, it is impossible to outsource the risk.
“The way we deal with cyber criminals is going to change – we need to embrace mobility. This is why countries across the world are quickly moving towards a cyber-security strategy. It’s about bringing an entire mindset change to the nation through schools and colleges. What is happening in your country?”
A corporation being under attack brings down employee morale and shareholder confidence, and forces the entity to deal with law enforcement officers, the press, securities commission and many more stakeholders. Furthermore, if an enterprise has got virtualisation involved, this opens another can of worms as your data may reside in a different country entirely, subjecting the company to their laws and regulations. “Is your company ready to deal with this?” Bavisi questioned. “The risk is going to be in the end-point – your employees,” he ended, on a precautionary note.
Assistance to protect our info: Govt.
Secretary to the President Lalith Weeratunge took to the stage next to offer a national perspective on cyber security. He noted that there is a lot to be done in Sri Lanka as the country moves towards new technology, but without understanding the risks involved when using these devices.
“The range of cyber-attacks are very wide. There have been many attacks on our Government websites and not many knew how to handle them, let alone remedy them,” he admitted. “Years ago, the Government was quite alert to this. We created a government cloud and also have a security incident reporting team which works 24 hours a day and they are also people who have been helping the Government keep its information intact and they educate people from government institutions as well.”
With the proliferation of IT comes the need for a very informed cyber security system now, he stated. Weeratunge pointed out that Sri Lanka was one of the first countries in the region to have electronic laws put in place via statutes and also shared the news that the Chief Justice has given the green light for the entire courts system to be computerised – yet, this brings about more security issues. While judicial information will be easily accessible by the public, it brings about the issue of how secure this data will be.
“We will need assistance to protect our information. If we are to combat crimes which fall into this domain, we need to have special procedures and forensics, and jurisdiction to other countries. We also have to strengthen the capacity of our law enforcement and Judiciary in order to receive international assistance if and when required. The police force needs to be educated and experts who can deal with such issues to be recruited,” Weeratunge said.
He asserted that the State universities have been very forthcoming and informative with their assistance in battling cybercrime, and stressed the importance of ensuring that the younger generation have the basics of cyber security inculcated into their minds, in order to receive their assistance in time to come. “If these can be simplified and brought into the education system that would be a great step.”
“The LTTE was quite advanced in the technology that they used but we lagged behind. However, the Defence Secretary had the foresight to bring about a transformation in the entire intelligence system so that we could deal with such issues. We also enacted the Computer Crimes Act of 2007, set up SL CERT, and just a few weeks ago, Cabinet approved the signing of the Budapest Convention, granting us access to computer systems and networks in other countries. As a middle income country, we have surpassed some of the MDGs but we need to do more.”
The US-based International Council of Electronic Commerce Consultants (EC-Council) is the world’s largest vendor neutral cyber security education provider.
CICRA Consultancies Ltd., is Sri Lanka’s pioneering cyber security training and consultancy provider.
CISCO and Microsoft were strategic partners for the events, whilst InfoWatch was the technical partner. The events were supported by the Ministry of Telecommunications and the ICT Agency (ICTA). The Official Telecom Partner was Dialog Axiata, Official Electronic Payments Partner was LankaPay whilst Continental Insurance was the Official Insurer. Creative Partner was Triad and Official Printer was OfficeMax. Electronic Media Partners were TV Derana, FM Derana, and Ada Derana 24x7. The Hospitality Partner was Cinnamon Lakeside Colombo.
Pix by Daminda Harsha Perera & Upul Abayasekara