Moving cyber security into boardrooms

Wednesday, 26 June 2013

By Cassandra Mascarenhas

Sri Lanka being named the eighth most vulnerable country to online assaults on a list compiled by Kaspersky highlighted the importance of cyber security at national, corporate and individual levels. Spearheading a multi-stakeholder initiative to draw attention to this vast and dangerous gap that needs to be bridged, the Daily FT, in collaboration with CICRA Consultancies and under the aegis of the US-based EC-Council, the world’s largest vendor-neutral cyber security education provider, hosted the Cyber Security Summit 2013, a series of events yesterday focusing on the threat that cyber security breaches pose to organisations.

The flagship event was a full-day summit, the ‘EC-Council Cyber Security Summit,’ prior to which a leadership forum with some of the country’s top CEOs and chairmen was held. The series of events ended with the ‘Night Hack’ in the evening, an informative session with live demonstrations on cyber-related vulnerabilities.

State of denial

“CEOs around the world never want to hear about security,” remarked EC-Council USA President Jay Bavisi candidly, as he addressed the gathering of CEOs and chairmen at the leadership forum. He compared the job of a CEO of a company to that of being the head of a family. “I’m the CEO of my family and my wife is the CIO. I travel tremendously, so I’m not able to monitor the information flowing into my house, so my wife manages all the information and provides me with crisp, succinct information. I create wealth and my wife multiplies it.”

As the CEO of a global company himself, he noted that a problem a lot of companies face is that CEOs are disconnected from the security of the company because they see it as an external issue, and that this is one of the core reasons why many corporations are not able to advance very quickly in protecting themselves.

“Unless you play the role of a mother or father as a CEO, and your company is your child, and you view a threat against your company as really being your own problem, you are not going to be able to make leaps and bounds in the security posture of your organisations.”

“Compliance is not enough. It’s not a yardstick. You can’t say ‘I’ve never been hacked, so why are we talking about hacks?’ The worst hack is when you don’t even know it’s going on. We are in a state of denial,” he stated.

Bavisi pointed out that no company has an IT security budget larger than the Pentagon’s – and yet the Pentagon has been hacked over and over again. “One of the NSA’s very own pulled off a massive espionage by stealing documents on a USB drive. If that can happen to the NSA, what about you?”

He also acknowledged that there has been a massive change in the demographic of users. 20 years ago, a CEO could be forgiven for not understanding cyber security and social media. Today, such a CEO cannot be forgiven. “If a CEO does not understand cyber security and social media, he should be fired, because all clients, customers and people use social media. Governments are waking up to this and realising that they are losing elections because they aren’t on social media,” he said.

It took mankind thousands of years to communicate one to one. Then came the Roman Empire, with which commenced many-to-one communication. The current era is one of many-to-many communication, he stated, and trying to hold onto a business in the middle of this is not easy. “That’s the truth of a CEO today. If you think your organisation is not going to be hacked, you will be hacked. The best education you can get is getting your companies hacked once, and then you will realise; budgets that were previously not available will become available and time that was not there will be found,” Bavisi pointed out. In line with this, the EC-Council creates ethical hackers for governments across the world.

In turn, the EC-Council also constantly gets attacked because the bad guys see it as an immediate threat. In fact, Bavisi revealed that 30 days ago he woke up to headlines that said the EC-Council had been hacked. “You cannot stop the blogs when this happens. You need to be prepared for when you get hacked, so get your disaster recovery teams in place and your PR ready, so that each team knows what to do.” It turned out that it was not a hack but a window that was left open by one of the EC-Council’s own web developers, but the damage had been done. “All of our files are encrypted as well, but the world did not want to listen. We had to issue statements and business was affected. This is going to happen to your organisation,” he warned ominously.

“Companies have gone bankrupt after being hacked. Sony’s business came down, as did J.P. Morgan’s – CEOs have had to come in front to apologise. Imagine yourself standing in front of your shareholders saying ‘I’m sorry we got hacked and I will do a better job next time’ – it is better to implement a strategy that minimises your risk.”

‘Hack-tivism’

CICRA Consultancies Head of Consultants and Master Trainer Krishnan Rajagopal stressed that the actual problem they have identified through conducting dozens of investigations is that security is brought into the boardroom as an actual issue only after a security breach. “Security has to be a boardroom issue nowadays. When we get hacked, it becomes a game changer.”

He observed that while security has changed over the years, IT security is still handled much like physical security is, by a person with an enforcement or military background – trying to tackle a new game with the same physical tactics – which obviously will not work. “The moment we are online today, we are borderless. It’s a global industry, which also means that it is a flat world for hackers. Anyone anywhere could be looking at you.”

Rajagopal drew upon the example of a security breach suffered by one of CICRA’s own clients, a company that makes armour and weaponry, which was ambushed during a legal battle with competitors when the competitors revealed personal information. “The CFO kept leaving his laptop behind in the office because he found it too heavy to carry home. An office cleaner hired by the competitors simply plugged a USB into the CFO’s laptop every evening, giving them access to personal information. This cost our client millions of dollars.”

Earlier, when people were upset with an organisation, they picketed on the streets. Today, they hack you, Rajagopal pointed out. This is called ‘hack-tivism,’ with hackers even sending organisations the time and date of the hacking, knowing that there is more than one way of hacking into systems. Furthermore, a hacker could be anywhere in the world, which is a big problem. 2013 has been quite the year for hackers so far, with Facebook, Twitter, Apple, the New York Times and Coca-Cola being amongst the organisations hacked in this year alone.

“We always look at this problem as a traditional problem, a contained problem, which won’t work. When it is borderless, anything can happen. YouTube has countless demonstrations of how someone anywhere in the world could do simple attacks. Hackers take it as revenge, a way of venting their anger, or as a form of fun – they don’t even know who you are, and to help them with this is Google, to help them find random people,” he explained.

Advanced persistent threat is a more serious form of hacking, where governments launch attacks against another government – these are generally very well funded. Cyber warfare occurs when a party gets a group of hackers to hack another party – you now hear of US-based companies being hacked by China and vice versa. “Advanced persistent threat is real. Operation Olympic Games was one where we investigated an African power plant linked to a Middle Eastern company. They used the SCADA system to operate their turbines and one day they lost control of the system, and the turbines moved faster and faster until they started smoking and collapsed. They changed the turbine, the entire controller, but the turbine still crashed – all caused by a hack,” he shared.

In response to a question about industries that are more vulnerable to hacking, Rajagopal stated that government agencies, financial institutions, telcos and the like are obvious targets, but that any organisation could be a victim of indirect attacks.

Integrated security systems

CISCO India and SAARC Head of Security Business Diwaker Dayal focused on the megatrends prevalent in the world today, how these have increased the threat of security breaches and, finally, how CEOs need to strike the right balance when dealing with cyber threats. “The level of security threats across the world is rising – how ready are your IT and security professionals to deal with it?” he questioned. “It’s chaos out there and heads of businesses have to operate in a very dynamic and volatile environment.”

The two megatrends that he identified were mobility, and cloud and virtualisation. These two trends have completely changed the speed at which decisions are made by enterprises. “These two megatrends can be observed in any country and they have levelled the playing field for everybody. Threats have also evolved, which is why this summit is relevant – how can we be more innovative?”

Security is a unique challenge, he noted, while adding that it is also a very profitable business, as it’s a cat-and-mouse game. It needs to be kept in mind that it is other people that are behind cyber attacks and not machines. Cyber attacks originally commenced in the ’80s when people wanted access to free international calls – now it has evolved into organised crime. Entire nations can be targeted through cyber crime rings. “Crime syndicates are using hacking as a money-making machine. Only $50,000 is needed to create a program to swindle half a million dollars from bank accounts – it’s simply an easier way to make money. We need to make sure we are ready for these kinds of threats,” Dayal stated.

The problem with current security strategy, he identified, is that it doesn’t scale. Furthermore, IT megatrends are creating the ‘any-to-any’ problem – any user on any device on any medium can access any network on any cloud. “There are so many moving parts, which increase the complexity, leading to more uncertainty and risk, which is why we need to look at how we are deploying IT infrastructure.”

“Achieving balance is challenging, as is making IT security say yes to accelerating your business. As business heads, you have a bigger picture to balance: maintaining growth while ensuring that security is not a speed breaker but instead the brakes of a car, because they actually make the car go faster,” he explained.

Dayal revealed that in a survey conducted by CISCO amongst their customers, one of the biggest problems identified was that there are now too many vendors addressing security problems, resulting in a myriad of boxes doing different things. “This is something that needs to change,” he asserted. “New infrastructure being built needs to be integrated and intelligent, so as to deal with not only current needs but future needs as well.”

Pix by Daminda Harsha Perera and Upul Abayasekara
