Thursday, 27 June 2013 01:11
By Cassandra Mascarenhas
The proliferation of ICT and virtualisation has brought about a revolution of a different sort – a cyber revolution – which has created a myriad of benefits and opportunities for countries, organisations and individuals, while introducing the new and unstoppable threat of cyber attacks. Capable of bringing down entire organisations and throwing countries into cyber warfare, such attacks are a growing inevitability, and one that needs to be battled.
Understanding the importance of cyber security for governments and organisations in Sri Lanka, the Daily FT in collaboration with CICRA Consultancies, under the aegis of the US-based EC-Council, hosted the Cyber Security Summit 2013, a series of events that drew attention to this growing menace and through a line-up of international and local experts on the topic, shared insights into how it can be combated at all levels.
The flagship event was a full day summit, the ‘EC-Council Cyber Security Summit’, prior to which a leadership forum with some of the country’s top CEOs and chairmen was held. The series of events ended with the ‘Night Hack’ in the evening, an informative session with live demonstrations on cyber-related vulnerabilities.
The cyber security quagmire
Delivering the keynote address at the EC-Council Cyber Security Summit was EC-Council USA President Jay Bavisi who also addressed the gathering of CEOs at the leadership forum held shortly before the flagship event. Delivering a presentation titled ‘The Cybersecurity Quagmire: Finding the Panacea’, Bavisi painted a rather grim picture of the world today and the plethora of cyber threats that nations, corporates and individuals are exposed to on a daily basis.
He commenced with a short sketch of the EC-Council, describing it as a certification body that governments come to when they get into trouble. “Governments go through a standard process – they enact a national cyber security policy, work with colleges to raise the level of standards, impose strict adherence to the standards and hope that they will be able to reduce the gap, but then they realise this does not work – corporations, government institutions are still attacked, data is stolen – then they come to where they are today.”
Bavisi then drew some key pointers from the pharmaceutical industry. “Quarantine, hygiene, vaccination – what can we learn from this? A couple of scientific terms – elimination, eradication, control – are key words that governments around the world are using today when battling cyber threats as they are following the same track as the pharmaceutical industry. The medical industry has been using this method to deal with diseases.”
Bavisi noted that despite all the work that has been put into battling cyber attacks – increased IT budgets, policies, procedures, governance and creating new positions that never existed – the ethical hacker, for instance – we are losing and we are losing the battle big time.
He drew upon the current example of the NSA scandal. “The sole purpose of having a program called Prism was to spy on foreign terrorists and yet one of their own was able to use something as low-tech as a pen drive to steal from the agency, go to Hong Kong and become a celebrity.”
He went on to explain that in the US, a fundamental belief of its constitution is privacy and the NSA scandal has therefore created huge issues for the US government. While the US government can stop the NSA from spying on its citizens, they have no way of stopping other governments from doing so.
“We are looking at the bubonic plague in a different form, where a completely naturally healthy network is attacked – this is the actual challenge,” Bavisi pointed out. “With Sri Lanka being built as a major force in the world, these are the kinds of lessons you have to learn very quickly.”
“The Central Bank governor deserves a round of applause for being here. Banks are instrumental because they come up with policies and compliance standards and they dictate these as they are the ones with the money,” he said.
Bavisi also outlined the process to combat cyber attacks. The first step is quarantine, through the use of firewalls and IDS, which is a necessary step. The next phase involves the implementation of regulations, policies and procedures. “Edward Snowden is an excellent example of how we could be attacked from inside. Therefore, there needs to be systems education for end-users, much like the process that has been put in place for obtaining a driver’s license.
“The world is now in the middle of the education phase. With secure coding and developers, you will not have to worry about issues such as SQL injections. There also needs to be more technology capabilities built into university education,” he stated.
Immunisation
Following the pharmaceutical industry’s example, active and passive immunisation have also been put in place to combat cyber attacks. Ethical hackers act as active immunisation by hacking organisations ethically, but that alone will not solve the problem, as there is no widespread use of ethical hackers – the solution has to be implemented.
“Passive immunisation is a must. Compliance nowadays is like telling your wife she looks great in a dress despite the fact that she looks fat in it,” Bavisi stated. “Internal motivation is lacking. There needs to be in-house security courses and a review of the curricula globally on secure coding.”
“With better coding across the world, you will sell more and your clients will be more secure but you need to complete all the required steps. The real work starts the moment you leave this door – what will you do different as a proponent of cyber security to make this change?” Bavisi questioned the audience.
Security before convenience
The Guest of Honour at the event, Central Bank of Sri Lanka Governor Ajith Nivard Cabraal highlighted the importance of addressing cyber attacks and getting the CEOs of companies involved in the process. “Every medicine taken has side effects and we have to be conscious of these side effects,” he cautioned.
“Although we have been set out as the eighth most vulnerable country to cyber attacks, I feel that we have had a reasonably good track record and that we have been able to deliver the results we have wanted to deliver – we shouldn’t be too unhappy or too upset about people who say we are the eighth worst – take heart from the fact that we have done well and we are at a fairly reasonable stage now,” Cabraal stated on a positive note.
He observed that there has been a growing dependency on ICT and that Sri Lanka is no different, referring to it as the ‘lifeblood’ of the nation. ICT has created new ways and means of dealing with our day-to-day lives, brought forward new business opportunities, allowed new convenient means of delivering public services and new methods of work, and has brought about new social cultures.
However, there are also new issues, Cabraal pointed out. Privacy is one such issue – can and should citizens be monitored and where do governments draw the line?
“From the point of view of the Central Bank, we are always concerned about risk mitigation – not only with dealing with the risk but also ensuring how those risks would have a lesser impact even if they do materialise. There are risks of faulty systems, improper usage, data corruption, weak internal controls, and improper education. There are also many systems that are used but at a sub-optimum level. Very expensive systems are used in a very limited fashion. Even technology upgrades and external risks such as hostile actions and accidental events can result in various losses,” he stated. Organisations need to consider threats in the context of the most valuable resources in the organisation and see which threats are most likely to create significant risk and which could have a considerable impact, he advised.
Noting that “armed or cyber terrorists only have to be lucky on one day but we have to be lucky every day to be protected,” Cabraal added: “Sri Lanka has not done too badly as far as our results are concerned. Organisations within Sri Lanka have been able to protect themselves, which means there have been suitable risk management strategies put into place to deal with these issues.”
The Governor also called on corporates to look at security first before convenience and, in the case of banks, to look at stability before profit, in the same way the ICT sector ensures that security is managed and implemented first and looks at convenience later.
Creating trust
LIRNEasia Founding Chair Prof. Rohan Samarajiva, in his presentation titled ‘Trust in electronically mediated environments: Why we need cyber security’, stressed the need to install safeguards in order to create and maintain trust amongst users of a product or service.
“There is a need to strike a balance between the real threats and perceptions that require us to act and the hope that is needed to get people to use the new technology and make their lives better and improve not only their life conditions, but also that of our country. Trust is required when there is a probabilistic assessment. We have systems where you have greater or lesser degrees of risk or situations where we exercise trust or don’t give trust,” he noted.
Some 12.5% of Sri Lankans are now on the internet. Samarajiva observed that these people have made a calculation that the benefits of engaging in this space outweigh the costs and risks, and that they are willing to manage those risks. For organisations to function there need to be enough safeguards, and the companies in turn need to communicate that they have these safeguards in order to create and maintain trust for users.
Samarajiva stated that the basic findings in economic literature show that there is a correlation between the increase in electronic transactions and economic growth. “Frictions in economy are being reduced, markets are being broadened and productivity of everyday life improves. There, of course, are some negatives, one of which is vulnerability.”
“There is a lot more that can be done by both the Government and private sector. We need to open up more Government data in order to have more applications developed. Without trust, none of this will work because people won’t go into these systems. Without a trust system, if we can’t give people that assurance today, they will not make transactions so we need to understand this issue of trust,” he stressed.
He used the example of credit cards – there is no credit card system with zero fraud, yet risks are kept at a manageable level. The same applies to the virtual space. “This is a continual battle – people trying to defraud others and, on the other side, the white hats trying to shut them down.”
“I agree with the fact that every organisation needs to make cyber security a high priority because you can’t engender trust amongst your users without building security into the very core of your function. The point is that it’s not simply about preventing every single attack because you can’t do that,” he opined.
“Organisations have to create trust because that is the foundation that doing business in an electronic environment is based on, and you will not have trust if you don’t pay attention to security. We need to work at multiple levels; it comes down to our organisations, and the Government must start paying attention to these things – unfortunately most Government websites are the most vulnerable to attack. The most important thing is that this is an inherently international system and we need to think beyond national.”
Mobility and virtualisation
CISCO India and SAARC Head of Security Business Diwaker Dayal discussed the two biggest megatrends in the world today – mobility and virtualisation – in his presentation titled ‘Cloud and virtualisation: Cutting costs vs. Cyber threats’.
He first spoke of mobility, pointing out that end-users are now demanding the devices they want to use. An employee can use a tablet to check inventory and log a customer’s order within five minutes. “The whole system now uses automated mobility and the cloud is changing the way things are being deployed and being consumed, which has resulted in a lot of chaos in the backdrop of evolving threats, and to solve these problems you need innovative approaches.”
In a survey that CISCO conducted last year amongst 1,300 CFOs and CTOs, a majority expected 50% of applications to move onto the cloud by 2015. While many of them felt they were ready to move onto the cloud, there was a lot of fear. “The lack of security and policy for the cloud was the reason that 66% of those surveyed gave. The adoption of cloud is an inevitable journey, but what we need to do is to make it more secure as it happens. Nothing can be confidential – the NSA scandal with Prism showed us this.”
“The current networks were not designed for the cloud. They were designed for scalability and availability, not security. You will get threatened and feel the vulnerability because the current networks are not designed adequately and this is the area that CIOs want to fix. With the whole movement to the cloud, there is any-to-any problem – any user can use any device from anywhere and this is a massive problem from a security point of view. It makes everything an anomaly or unpredictable. CIOs struggle to apply policies on to their users in the organisation. With this kind of situation, there needs to be a radical change.”
“With the cloud era taking off, we will have more attacks and when that happens, the traditional anti-virus software and perimeters will not work anymore. Analytics are needed to battle these threats, something that can be consumed and monitored by the cloud,” Dayal explained.
“The enemy is a human, so he will always find a way to overcome the obstacles put in his way,” he said.
The dilemma, he stated, is really about conflicting interests, as there is always a conflict as to how you want to apply security to your enterprise. If a bank wants to open branches across the world, the cloud delivers technology that allows this to be done quickly, which helps organisations be more agile and fast, but they need to be provided with the right risk mitigation and security.
“How much are you willing to spend to protect the asset – this is the balancing act that is left to the CEOs. It is not just the CTOs problem – if the network goes down, the person who is finally responsible to stakeholders is the CEO – they need to understand how budgeting works around security,” he pointed out.
Dayal also said: “As Sri Lanka builds up its infrastructure, you have the chance to build infrastructure that is clean and more intelligent to withstand these sorts of attacks.”
Piracy and malware
Underscoring the threats posed to governments, organisations and individuals by piracy, which carries great cyber security risks, BSA | The Software Alliance Sri Lanka Committee Consultant Shalini Ratwatte in her presentation stressed the need for the use of genuine software at all levels in order to battle cyber threats.
“Someone can always be watching what you’re doing. In order to further substantiate the argument that piracy causes security breaches, a sample was conducted amongst five countries in Southeast Asia in which 282 computers were tested for non-genuine software. All computers were branded and were tested in a forensics lab in Taiwan,” she explained as she presented the findings of this study.
Of these, 68 computers contained malware. The infection rate was 69%, and 74% of the sample DVDs had malware. One third of the malware found bypassed the genuine checks, and 891 strains were considered hostile – a strain is hostile when something wrong and illegal is done with it. The Windows firewall rules had been changed in 97% of computers, and Windows updates had been disabled.
“With pirated software comes huge threats and breaches in security systems, causing malware to creep in. In spite of buying branded hardware, there were many instances of old hardware being swapped which contained threats and malware. Malware can even hide in the background as a normal picture file and therefore appears harmless,” Ratwatte revealed.
“How do consumers stay safe? We are non-IT people, so how can we take responsibility to ensure security and avoid security breaches? One is by buying genuine software, check if there is a certificate of authenticity, a product label and holographic features. Make sure you purchase from authorised dealers. Avoid too good to be true deals as they are suspicious – in anything, not just software,” she advised.
The BSA has identified the three South Asian countries with the highest piracy rates – Indonesia 86%, Thailand 72% and Malaysia 55%. 60% of the software in the Asia Pacific is also pirated.
Securing the code
CICRA Consultancies Head of Consultants and Master Trainer Krishnan Rajagopal focused on the need to ‘secure the goods’ in his presentation titled ‘Securing the code: Penetration testing beyond compliance’.
“Sri Lanka wants to make the BPO industry hit US$ 1 billion. There will be a lot of software products originating from Sri Lanka. The most key factor in this is not writing just good code, but good secure code. It is a general problem that faces all of us. It’s not an IT problem – they don’t only hack IT guys. Sri Lanka is moving towards e-Government and you can have a situation where everything is digital. We have decided to get serious with security because any of us can get hacked,” he pointed out.
Security is becoming more important, whether in our personal lives or in the corporate environment. However, he cautioned that one should not get too carried away with security, as overdoing it will hamper the system and defeat the purpose entirely – there is a need to strike a balance.
Multiple layers of control are required in cyber security, much as homes are protected with doors, dogs, security systems and gates. The next step is attack surface reduction: the attack surface is any part of an application that is accessible to a human or to another program, and each such part can potentially be exploited by a malicious user. Any accessible IP address is part of the attack surface. The fewer windows, the fewer chances of breaking in.
It is also important to assume that all applications can and will be compromised. If an application is compromised, then the potential damage that the malicious person can inflict should be contained and minimised accordingly, so that even if you get hacked, you won’t get hacked too badly.
“Deploy applications in more secure configurations by default. This helps to better ensure that customers get a safer experience with your application out of the box, not after extensive configuration. A lot of vendors are making applications secure now. For instance, firewalls are on by default,” Rajagopal advised.
“Twitter, Facebook, Evernote, Apple, New York Times and Coca-Cola were all hacked this year. The root cause of the hack was a website infected by malware that exploited a Java plug-in. Research surveys conducted in 2013 show there are now only two types of companies left in the US – companies that have been hacked and companies that don’t know that they have been hacked,” he revealed.
There are now well-funded hackers working through highly sophisticated environments. Pointing fingers is not going to help if basic fundamental rules are not followed, he added.
Rajagopal stated: “The purpose of penetration testing is to discover, confirm or disprove the exploitability of any potential vulnerability. However, we do have to approach it with some caution and be methodical and logical in approach. A lot of organisations are being deceived by consulting firms using inexperienced and unskilled testers. Don’t just evaluate the company, evaluate the customer. Don’t be overly ambitious, define your scope. The more intelligence you have on your system and consultant, the better.”
Sri Lanka’s banking sector
Central Bank of Sri Lanka Deputy Governor Dr. Nandalal Weerasinghe spoke on how Sri Lanka’s banking sector has dealt with cyber security and presented a series of initiatives that have been undertaken by the regulator and the financial sector in order to combat cyber attacks and increase protection within the sector.
“Banking activities are fast changing with the adoption of modern technology. After telcos, banks are probably the fastest adopters of modern technology. The use of non-cash payment modes is increasing with the changing payment habits of the society,” he said. “We have the responsibility of safeguarding the banking sector and the financial stability of the country.”
While technology has brought about new ways of carrying out banking activities, it has also brought about the need for increased security. The Central Bank, he revealed, changes all passwords every three months and has imposed a number of security checks in order to safeguard its interests. The regulator has also taken a lot of action to protect consumer interest.
Some of these initiatives include the setting up of a computer security incident response team for the financial sector and setting up of BankCSIRT to provide strategic direction in achieving information security and information security risk management. Terminal line encryption has also been imposed, a mandatory requirement to ensure security of credit and debit card transactions originated by merchants which was initiated by the National Payment Council chaired by the CBSL. Furthermore, the CBSL conducts a comprehensive exam as part of its onsite statutory examination of banks.
“Development and continued maintenance is carried out to safeguard eBanking systems and data from both internal and external threats. We also have regular reviews of eBanking projects by our board of directors, and we are now working on developing mobile payment and internet banking guidelines. Disaster recovery arrangements are a mandatory requirement for all participants of national payment and settlement systems. The banking system is at the forefront of adopting new technology as well as mitigating the risks associated with such adoption,” he stated.
Pix by Daminda Harsha Perera and Upul Abayasekara
The Daily FT-CICRA Consultancies organised EC-Council Cyber Security Summit was backed by CISCO as the principal sponsor and Dialog Axiata as the platinum sponsor. The Summit was endorsed by the ICTA as strategic partner, whilst international industry organisation Business Software Alliance lent its support as advocacy partner. HSBC was the official bank and Cinnamon Lakeside Colombo was the hospitality partner. Union Assurance was the official insurer, whilst the official printer was OfficeMax. The creative partner was Triad Digital, and the electronic media partners were TV Derana, FM Derana and www.adaderana.lk.