Working towards a secured future

Thursday, 3 October 2013 00:00

By Cassandra Mascarenhas

The advent of increasingly sophisticated technology has also ushered in a plethora of threats and malware, making cyber security a vital issue, not just for organisations but also for individuals as people become progressively more connected through an influx of cutting-edge devices. Statistics have shown that 100,000 new malware samples are created each day, which amounts to a staggering 70 brand new threats to combat per minute.

Against this backdrop, the sixth annual National Conference on Cyber Security, a part of the Sri Lanka Cyber Security Week organised by Sri Lanka CERT, addressed a multitude of issues related to the ever-rising number of threats. A series of experts in the area, both local and foreign, shared many perspectives on different aspects of being connected and the problems posed by the breach of different levels of security.

Kicking off the conference, EMC Corporation Vice President – Systems Engineering, Asia Pacific and Japan Christoph Theisinger delivered the keynote address. He stressed the need for the establishment of robust information management capabilities, starting from the level of infrastructure up to the level of data analytics and data warehousing.

“The fact is that there is a big drive in the market for data analytics and cloud computing. Vulnerability highlights the importance of bringing in security and trust into the mix – investment in technology and people is a guiding light in our conversation,” he noted.

Theisinger explained that this matters because customers have admitted that they are struggling with the continuous availability of infrastructure and how to deal with advanced threats. 85% of breaches take a very long time to discover, giving the malware enough time to serve its purpose inside an organisation.
The other embarrassing fact, he revealed, is that 92% of those threats are not discovered by the organisation itself but by a third party, of which there are many examples over the past couple of years.

“The impact of this is hard to quantify in dollar terms but the loss of reputation and trust from customers and citizens can lead to severe financial effects.”

Additionally, 53% of all organisations said that they experienced data loss, emphasising the importance of backing up data.

Prevalent trends in cyber security today

Organisations need to change the way in which they manage their infrastructure, Theisinger stated. IT organisations are facing situations that require different means to manage threats. The advent of cloud and new types of initiatives like big data has resulted in more data being available. The mix of sensitive information in an organisation and public information, paired with development and extended workforces, has resulted in organisations having to open up their systems to outside parties as well.

Advanced threats, too, are now more formidable than ever. In the past, IT organisations spent a lot of money and effort to build walls to prevent attacks from the outside, but insufficient time has been spent on what happens after malware has been discovered.

“Compared to what we were used to in the past, where malware had a very generic target, what we see now are specific groups and companies being targeted with a specific goal in mind, maybe even to steal a specific element of information.”

The style of attacks has also changed to such an extent that they fly under the radar – after intrusion into a network has been made, the attack begins step-by-step.
Malware programs are now intelligent enough to cover up their traces.

“Two major focus elements – depleting the time taken to detect and speeding up response time – this is where we have seen security investments happen and the greater outcome of those investments.”

“The biggest deficiency in detecting and defeating advanced threat is the lack of deeper threat expertise. We need to understand better the types of threats and how to deal with them. 20% of organisations said that they are investing in improving their own understanding, 21% are looking at investment into technology at earlier stages, 41% are investing in people, data analytics services, etc., and 10% are engaging with third parties to deal with it.”

Regaining the security advantage

Theisinger stated that many organisations would agree that a silo of systems does not help with an organisation-wide risk management approach.

“If organisations adopt a risk-based approach in understanding the threat landscape, in your thinking you automatically break down the system silos and don’t think system by system.”

“It is an investment in process and people, and this investment is greatly supported by implementing new technology that allows organisations to be more focused by using analytics and big data, and at the same time be adaptive with how findings are dealt with.”

At the same time, he cautioned that the measures being implemented should not be disruptive to both attackers and day-to-day users – they need to be focused and less disruptive to the user and this requires threats being dealt with in a holistic way. When people are added to this mix, there is a whole umbrella of services that can be built around these technologies.

“It is a journey to maturity and there is a set of deliverables organisations can embark on. Use intelligent services and mechanisms, share threats with other organisations and optimise breach management – the goal is to put stops to the flourishing of cyber threats early on.
Investment into the technologies needed would have a positive impact in viewing security investment in terms of ROI as well. What we are protecting here is the core of what 21st century economies are all about – IT.”

Case study: Thailand

Outlining the implementation of Thailand’s NRCA and the challenges and countermeasures encountered was ThaiCERT Head and Ministry of Information and Communication Technology, Thailand Electronic Transactions Development Agency (ETDA) Assistant Executive Director Chaichana Mitrpant. His presentation described the steps taken by the Thai government to provide strong public infrastructure and monitor e-commerce amongst its business entities.

The ETDA’s mandate is to promote and support electronic transactions; build important electronic transaction infrastructure, namely legal, technical and standards; conduct research and development in electronic transactions and ICT related areas; and to promote electronic transaction knowledge creation and dissemination and provide related services.

Mitrpant stressed the importance of having a certification authority in order to have a certain level of control of the identity issued to Thai business entities. The ETDA also oversees the building up of secure e-transaction development, for in order to conduct e-commerce, e-payment systems and e-documentation transfer systems need to be in place to transfer electronic documents.

“These are focal areas we would like to work on in the next three to four years. Three perspectives are important – standardisation that would enable e-transactions to be conducted in an organised manner in order to manage costs, security and privacy, and laws that will recognise e-transactions as being legally acceptable in Thailand,” he outlined.

He then looked at how certificates are being used in Sri Lanka, drawing upon Commercial Bank as an example.

“When I accessed their website, I saw that it was secure from the green tab on the URL.
I also saw that it has a CA certifying the authenticity of the website. Without this, how can a user trust the website to conduct electronic transactions?” he questioned. “This is a mechanism to build trust and confidence amongst users who want to do business online.”

Private CAs

Mitrpant noted that there are now a lot of certification authorities operating globally and most of them are private entities. He explained that this was due to the fact that over 20 years ago, there were people and business entities that understood the need for CAs before most nations understood the need for being able to identify their people and business entities.

However, Thailand now has a Department of Business Development under the Ministry of Commerce which issues identities to businesses in the country, much like national identity cards for individuals, which allows the government to keep track of business activities and helps facilitate a better quality of living and a more conducive environment for businesses to operate in an easier manner.

“One of the issues that we have to note is that the government allows private entities to provide and manage certification authority and implemented a regulatory scheme for public infrastructure in the country – a process that was started in 2002. By issuing the Electronic Transaction Act, the government was able to provide guidelines for CAs,” Mitrpant stated.

2009 saw the creation of the Thailand PKI Association, which provided a platform for the dissemination of information and to discuss the development of PKI in the country. Since the PKI Association took control of the national CA, it has had to redevelop the whole system as the old system was outdated. From 2011 to date, the association has been working on implementation and compliance with international standards.

“We have been running the national root CA since 2005.
From the sub CAs that we have – and we have several – the top three are the ones that provide the majority of services to Thai entities.”

They are CAT Telecom Public Company Limited, TOT Public Company Limited and Thai Digital ID Company Limited, in addition to public sector CAs such as the SEC, Anti-Money Laundering Office and Bank of Thailand, etc. The challenge posed by the private entities was that they had commenced operations long before the establishment of the national root CAs, leaving the government to figure out how to work with them.

PKI and its role

Since its establishment, the PKI Association has implemented many e-authentication applications including Image Cheque Clearing and Archive System (ICAS) run by the Bank of Thailand, national single window projects for Customs, e-Payment System (PCC), Interbank Transaction Management and Exchange (ITMX) and the Bangkok Mass Transit Project implemented by the Office of Transport and Traffic Policy and Planning.

“Despite having all these policies, technology and infrastructure, if we don’t have a law that recognises transactions, there is no point in using them. The Electronic Transactions Act has been passed but the law making process takes a long time, especially when it comes to technology, which is not easily understood, and this is an obstacle,” Mitrpant pointed out.

“We would like to recognise the electronic signature as trustworthy as a normal signature and therefore, we want it recognised by the law. However, the law only accepts an electronic signature depending on circumstances. For instance, an electronic signature for a transaction for a million dollars will not be recognised.”

The main issue, he stressed, is trust, confidence and sustainability.

“How do we build trust and confidence – how do we encourage people to conduct business online? Once we establish that, how do we sustain that process?
CAs in Thailand do not make any money, they run because they are a requirement.”

“My personal opinion is that when a government tries to provide infrastructure to conduct electronic business, a national CA is one mechanism that can be provided to build trust and confidence amongst people and business entities. The problem with private CAs is that how do we know if they are issuing the correct information and that this information is not being abused?” he noted.

The government, he added, should run a national CA program in order to have some control and to encourage people and businesses to conduct business online in a more secure manner. To ensure sustainability, more law enforcement is required, as are more regulations to make the law clearer.

Mitrpant stated that it is also typical amongst government agencies to not share information.

“A framework is needed for public information to be shared amongst agencies. Complying with standards and running inoperability tests at many levels are required for the process to be more sustainable.”

Situational awareness

Up next was McAfee SE Team Leader Srinivasa Boggaram, who commenced his presentation with the interesting fact that there are now more phones being used than toothbrushes.

“Technology is overtaking us, we want to be connected and be everywhere. Technology is definitely helping us but what is the flip side of this?” he asked.

Security is always an afterthought, he pointed out, adding that while most people and entities go ahead with adopting new technology, the security aspect of using all this is rarely thought about.

Taking the information arms race as an example, Boggaram noted that it is now far more sophisticated, state-of-the-art and technological than ever before. An attack at the end of the day is now a line of code.

“An attack is now not done by some unemployed college fresher – they are conducted by well organised companies, organisations and groups of people with a goal.
This is usually an objective to steal something because your IP is valuable to someone and they steal it with a specific objective,” he explained somewhat grimly.

Boggaram used the example of the Operation Shady Rat (OSR) expose which took a couple of months to breach the targeted organisation with the objective of taking control. The group behind it infiltrated the organisation for months, stealing terabytes of data. In other similar cases, attackers have stayed undetected within organisations for over a year with the objective of stealing selected information.

The malware explosion

The sophistication of attacks has now reached a new level, he stated, and they are not being detected by security solutions and countermeasures. This is not because the latter are doing a bad job, it is because the attackers are doing a better job. Having no rules or boundaries assists attackers in their work.

“How do you protect yourself? You have to change the way you think and the way in which you look at security. Do away with the traditional way of thinking because it’s not going to help you now,” he asserted. “Breaches are also increasingly being spotted by external forces which is very bad.”

Statistics show that malware is growing year-on-year very rapidly and all of them are new malware and threats. Each statistic shows that they are not recently generated – they are all brand new. About 100,000 new malware samples are created every day – this amounts to 70 threats per minute.

“I’m sure people update their antivirus software but how many have antivirus on their mobiles? This too is important. If you are living with 100,000 new viruses every day, are you protected? If you are thinking the way you used to think over the last decade, trying to protect yourself with signatures, you are not going to be protected. Yet, it’s impossible to update your antivirus every minute.
So, what’s the way out?”

He acknowledged that it is a real-time effort for vendors like McAfee to keep pace with malware as there are still a lot of unknowns.

“The way to go about it is by white-listing. This is the identification of known good files for an IT environment and is a way of addressing those exponential numbers and unknown threats, and this decision has to be made in order to keep out alien applications.”

Even booting or formatting a machine is no longer a way of ensuring that it will erase all malware and needs to be carefully done, he added. Another policy he spoke about was the bring your own device mechanism that has been adopted by many companies – are we ready for this, he questioned.

“To address anything, you need to have visibility – monitoring techniques must advance. What is happening is that in the race to get more protection tools, we are installing and acquiring more technology in order to protect ourselves from attackers but what this leads to is decreased visibility and added complexity. We need technology that is connected, that talks to each other and knows what’s happening. The security industry unfortunately has not reached this level.”

Pix by Sameera Wijesinghe
