Security For Growth And Governance
July | 21 | 2010 Volume 01 | Issue 04
IN-SHORT
GoI to Develop Framework on Data
Protection PAGE 02
OPINION
International
Cyber Terrorism PAGE 07
IN-PERSON
No Excuses for Inaction PAGE 04
A 9.9 Media Publication
IN-DEPTH
EDITORIAL
ANURADHA DAS MATHUR | editor@csoforum.in
Another balancing act... CISOs must tread carefully while
contributing to the privacy environment in India
E
very CXO spends a lifetime doing a balancing act. Between long-term and shortterm, macro and micro, across stakeholders, and between conflicting objectives. CISOs are no exception. Choosing between two rights is a tough call – for example, how do you choose between creating a friendly and open workplace to attract talent versus a secure environment for information and data? The dilemmas of this kind are only likely to increase. The critical one on the horizon is the trade-off between security and privacy. As many of you are aware, so far there is no privacy law in India – in fact, the concept itself is not clearly understood or defined. However, there is increasing acceptance that there is a need for privacy to be addressed by the government as well as body corporates – legally and operationally. Herein lies an unprecedented opportunity for CISOs to contribute towards policy-making in India... They can help ask and answer several questions. First of all, where on the privacy barometer should India be – stringent or lenient? And what would the implications of the choice be for citizens as well as companies? Secondly, does the Indian psyche (which is admittedly ‘less private’ than western societies) be an advantage or do we follow others’ norms? What extent of litigation can our judicial system deal with – and should that be a factor in deciding how we position ourselves? What will this imply for companies that extensively serve ‘stringent’ geographies? And finally, how should we balance the ‘ideal’ situation with what is ‘implementable’? As practitioners, CISOs have the insight and experience to contribute meaningfully to the evolution of the privacy environment in India. However, they will have to do the ‘balancing act’ – and give inputs that resonate as much with policy-makers as they do with their own customers, employees and other stake-holders. Extreme and ‘unidimensional’ inputs at this stage could jeopardise the journey even before it begins... So here’s to ‘a fine balance’...
VOLUME 01 | ISSUE 04 | 21 JULY 2010 Managing Director: Dr Pramath Raj Sinha Printer & Publisher: Kanak Ghosh Publishing Director: Anuradha Das Mathur EDITORIAL Editor-in-chief: Rahul Neel Mani Editor (Online): Geetaj Channana Associate Editor: Dominic K Resident Editor (West & South): Ashwani Mishra Assistant Editor: Aditya Kelekar Principal Correspondent: Vinita Gupta Correspondent: Sana Khan DESIGN Sr. Creative Director: Jayan K Narayanan Art Director: Binesh Sreedharan Associate Art Director: Anil VK Manager Design: Chander Shekhar Sr. Visualisers: PC Anoop, Santosh Kushwaha Sr. Designers: Prasanth TR, Anil T & Suresh Kumar Designer: Sristi Maurya Chief Photographer: Subhojit Paul Photographer: Jiten Gandhi ADVISORY BOARD Arup Chatterjee, CISO, WNS Global Services (P) Ltd Burgess Cooper, Head, IT Security, Vodafone Essar Limited Felix Mohan, CISO, Bharti Airtel Limited Japjit S Sandhu, VP & Head IT, VFS Global KR Krishnakumar, Group CISO, Aditya Birla Group Murli Nambiar, VP, Information Security, Reliance Capital Pradeep Sekar, Senior VP & Head IS, Citi India, Srilanka & Bangladesh Prof. Ponnurangam, Professor IIITD Raghu Raman, CEO, National Intelligence Grid Satish Warrier, Associate VP, IS, Godrej Industries Sunil Dhaka, CISO, ICICI Bank Ltd. Vishal Salvi, Senior VP & CISO, HDFC Bank SALES & MARKETING VP Sales & Marketing: Naveen Chand Singh National Manager-Events and Special Projects: Mahantesh Godi (09880436623) Product Manager: Rachit Kinger Asst. Brand Manager: Arpita Ganguli GM South: Vinodh K (09740714817) Senior Manager Sales (South): Ashish Kumar Singh GM North: Lalit Arun (09582262959) GM West: Sachin Mhashilkar (09920348755) Kolkata: Jayanta Bhattacharya (09331829284) PRODUCTION & LOGISTICS Sr. GM. Operations: Shivshankar M Hiremath Production Executive: Vilas Mhatre Logistics: MP Singh, Mohd. Ansari, Shashi Shekhar Singh OFFICE ADDRESS Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House,Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Editor: Anuradha Das Mathur C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed at Silverpoint Press Pvt. Ltd. D 107,TTC Industrial Area, Nerul.Navi Mumbai 400 706
CSO FORUM 21 JULY 2010
1
IN-SHORT Government of India to Develop Framework on Data Protection
T
Adolescent Cyberbullies
and their victims may have physical, mental health problems ADOLESCENT victims and perpetrators of elecdifficulty of escaping from it, the breadth of the potential audience and the anonymity of the pertronic bullying appear more likely to report havpetrator," the authors write. ing psychiatric and physical symptoms and probAndre Sourander, M.D., Ph.D., of Turku lems, according to a report in the June issue of University, Turku, Finland, and colleagues disArchives of General Psychiatry, one of the JAMA/ tributed questionnaires to 2,438 Finnish adolesArchives journals. cents in seventh and ninth grade (age range, 13 Cyber bullying is defined as an aggressive, years to 16 years). Of those, 2,215 (90.9 percent) intentional, repeated act using mobile phones, were returned with sufficient information for computers or other electronic forms of contact analysis. In addition to information against victims who cannot easily about cyber bullying and cyber victimidefend themselves, according to backsation, the teens were asked to report ground information in the article. In a their demographic information, genU.S. survey on Internet use among individuals aged 10 to 17 years, 12 percent India ranks eral health, substance use, traditional bullying behaviour and psychosomatic reported being aggressive to someone symptoms, such as headache and online, 4 percent were targets of aggression and 3 percent were both aggressors with the most abdominal pain. "Policy makers, educators, parents and targets. "There are several special Zombies at and adolescents themselves should be features regarding cyber bullying when 13 % aware of the potentially harmful effects compared with traditional physical, SOURCE: COMMTOUCH Q2 2010 of cyber bullying," the report said. verbal or indirect bullying such as the INTERNET THREATS TREND REPORT
ILLUSTRATIONS BY PHOTOS.COM
DATA BRIEFING
No.1
2
CSO FORUM 21 JULY 2010
he Government of India (GoI) may have dragged its feet for a long time before finally passing the amendment to the IT Act in 2008, but looks like it's pretty serious about putting the process for future amendments on the fast track. GoI has constituted a Group of Officers under the Chairmanship of Secretary, Department of Personnel and Training to develop a framework that could balance the country’s interests and concerns on privacy, data protection and security and which could respect the domain legislations on the subject. The framework developed by the Group would include legal provisions, principles and elements of data protection, security and privacy. While developing the framework, the Group will keep in view the existing provisions of various laws regarding protection of data and privacy of individuals. The Group is supposed to submit its report within three months.
Global Security Threats & Trends: Cisco 2009 Annual Security Report CISCO Security Intelligence Operations announces the Cisco 2009 Annual Security Report. The updated report includes information about 2009 global threats and trends, as well as security recommendations for 2010. Managing and securing today's distributed and agile network is increasingly challenging, with cloud computing and sharing of data threatening security norms. Online criminals are continuing to exploit users trust in consumer applications and devices, increasing the risk to organisation and employees.
Report Highlights Online criminals have taken advantage of the large social media following, exploiting users' willingness to respond to messages that are supposedly from people they know and trust. Politically-motivated threats are increasing, while governments are teaming up and promoting online security. Up to 90 percent of spam is untargeted. That includes spam delivered by botnets that floods inboxes with messages from supposed banks, educational institutions, and service providers. More than 80 percent of the Web can be classified as "uncategorised" or "unknown", making it challenging for traditional URL filtering technology. The new Cisco cyber crime Return on Investment Matrix tracks the performance of the underground online criminal marketplace, helping organisations understand the latest targets.
IN-PERSON
No Excuses for Inaction From being the CIO and CTO, National Security Agency (NSA) to positions such as the Associate Deputy Director of National Intelligence for Information Integration. Dr. Prescott Winter currently is the CTO, Public Sector, ArcSight. He spoke to Dominic K
4
CSO FORUM 21 JULY 2010
CTO, Public Sector, ArcSight
business resources. In an open environment or in a proprietary based system with shared resourses with multiple business partners and social networking platforms, the network perimeters turn porous and will remain porous. Two things are common and clear in any attack: 1.You are the target and they will do all it takes to gain access to your systems and network resources. 2.Your networks are not always defendable in the strictest sense. It's critical to know who are in the network and what are they doing and to check whether they are following enterprise policies. If not, then find remedial measures. This requires technical and operational capabilities. Having such capabilities will help you spot the danger signs quickly. Out of 25,00,000 events, only 100-150 might be relevant, and of that just 20-30 might be at some point be critical. Once we get relevant information and inputs on the attack, we need to build a correlation and point the IP addresses. This needs to be followed up relentlessly till we come to a logical conclusion.
“In 2010 we are logging about 6 million attacks per day.�
What is the impact of cyber crime on enterprises and government agencies? How can the government address the same? Cyber crime or theft is a diplomatic and law enforcement responsibility and should be handled together. This depends on the depth and criticality of the attack and if the attack was meant to harm or modify the military capabilities. It is important to make sure that we know
BY DR. PRESCOTT WINTER
what the attack is all about. It is important to understand the technical and the operational response. This is because almost all the enterprises use similar kind of technological and online systems. The principal point is to recognise that you are the target of cyber espionage, cyber fraud, cyber theft or cyber warfare related activities. The fact still remains that someone out there is persistent in targeting your systems and network to gain information and critical
Does being proactive complement addressing cyber crimes for enterprises? We cannot be proactive all the while and hence we will be reactive based on the incident and event. You can be well prepared by having the right technology and having skilled team members. Back in United States we follow SANS Institute's 20 recommended best practices. It is very well documented and is a must for all information security stakeholders. These is no excuse for not doing it. What are the latest trends in internal and external forms of cyber crime in US and across the globe. Statistics say that in 2006 Pentagon alone faced about 6 million attacks per year. In 2008 the number of attacks had increased to 350 million per year. Whereas now, in 2010, we are logging about 6 million attacks per day!
COVER STORY
Enterprise security planning aligns information security policies, practices and applicable security technologies with the business vertical. By Dominic K
ILLUSTRATION BY SANTOSH KUSHWAHA
T
oday, in many of the enterprises, most of the critical business systems and large parts of the IT infrastructure are automated. Therefore it is important to translate the business needs of the organisation into a strategic technology plan that details how information technology contributes to achieving the goals of providing secure and sustainable services to partners, employees and customers.
Critical Factors to Successful Security Strategy This highly critical process, in this age of increased security, involving the creation and integration of an information security architecture within the Enterprise Architecture (EA) is given only ancillary attention even though an information security architec-
ture is essential to having a complete EA. Equally important, a security architecture is absolutely necessary to fully understand the nature of all information technology threats facing an enterprise. If information security is to be both cost effective and operationally efficient in the 21st century, Enterprise Security Planning (ESP) is a “must have� requirement. Every CISO needs to define a security policy that takes into account the business goals, the services and products of their enterprise and add to this, the impact of security incidents on them. A well coordinated incident management team is necessary. And finally, motivated and enthusiastic people: not only those who devise, implement and operate security management systems, but also all those who need to adhere to their responsibilities for the protection of the information they use in the course of their work.
CSO FORUM 21 JULY 2010
5
COVER STORY
Gaining Management Confidence “It is essential that the top management of the enterprise demonstrate their commitment to the policy consistently,” says Vishal Salvi, Sr. VP and CISO, HDFC Bank. An analysis of the risks to the goals of the enterprise due to the people, processes and systems who achieve those goals, and from the environment in which the enterprise works is important. The analysis has to be convincing for the top management – as well as the rest of the key people in the enterprise – to commit to the time, money and effort required for the implementation of mitigating controls. Implementing the right controls that mitigate the relevant risks also ensures that top management will back CISOs in the implementation of controls that enforce the security policy of the enterprise. The activities required for security often need to be performed by people as they go about their work executing processes or operating, configuring or administering technological systems. Security activities must be embedded in the standard operating procedures of their regular duties. All people must be made aware of their responsibilities for compliance with the security policy, and penalties imposed if they do not. “A judicious mix of the carrot and stick approach is required to ensure effective implementation. In cases of negligence or intentional violation of InfoSec policies and procedures, suitable punitive action is advisable to bring in the desired discipline. On the other hand, employees who are outstanding and go out of their way to improve the InfoSec posture of the company, must be rewarded with prizes & awards,” says Warrier.
Centralised Focus Centralisation does have several merits. One can exercise greater control in enterprise security. Instances of deviations and violations are minimised and can be detected more easily from the central location. However, InfoSec comprises confidentiality, integrity and availability. So as far as the ‘availability’ aspect is concerned, since it is a centralised architecture, it also becomes a single-point of failure. So adequate contingency plans, with standby systems are required. P D Mallya, Head- Security Audit and Architecture, Infosys says “Consolidation and centralisation of IT infrastructure (for example by virtualization hardware) has many functional
6
CSO FORUM 21 JULY 2010
Enterprise Security and Risk Management goals:
1
Manage risk to improve organisational security posture through consolidation of IT infrastructure.
2
Support continuity of IT operations by utilising the enterprise data centre effectively and efficiently which further complements business continuity planning.
3
Improve security processes by incorporating Information Technology Infrastructure Library (ITIL) process methodologies into security operations.
4
Enhance cyber incident response capabilities by expanding preventive activities, forensic services and cyber incident planning.
5
Protect the confidentiality, integrity and availability of the IT information by defining and implementing a consistent approach that meets legal and regulatory requirements relating to confidential and/ or personal information (PI).
6
Support efforts to simplify and standardise identity management for employees, partners, vendors and customers.
7
Provide well documented information with a detailed security framework and guidance by enhancing awareness and periodic training.
advantages – including reduction in power consumption, data centre space, to name a few. They however require the greatest rigour in the design, configuration, management and operational processes for security, as well as in the security of the applications they host."
Key Challenges and Best Practices The main challenge is getting employees to appreciate the importance of adhering to the established policies and procedures. At times, even technical personnel tend to take these procedures lightly. We hear instances of system administrators using the same, weak password for not one, but all the servers. “I would strongly suggest that an enterprise desirous of having an effective security framework in place should focus a lot on employee awareness and training, and sensitise them to the various infosec risks. This coupled with a fairly robust security infrastructure that also includes constant review and monitoring can make an organisation fairly secure,” says Salvi. The point is further reiterated by Mallya: “Management support, a comprehensive policy, optimal controls based on a sound, down-to-earth, business goals related to risk analysis, an awareness of the effectiveness of controls and a commitment to continuously improve them.” Such parameters should provide a reasonable assurance to an enterprise that it can securely pursue its business goals and dreams. The sheer pace of technological change is unmanageable at times. It requires effort to write good software, and it requires more effort to write good and secure software. Attempts by malicious hackers to attack systems will focus more and more on Web application software as operating systems and other standard software mature in their security. Another aspect of technological change is that systems are becoming increasingly powerful and increasingly difficult to deploy securely, but people want to use them for the sheer functionality they provide. Examples are mobile phones and USB devices that are rapidly diminishing in size and equally rapidly increasing in power and capabilities, and social networking and other sites on the Internet, which can lead to information leakage or infection with Trojans and other malware. Finally, as always, people are the weakest link. It is well established that consistent and vigorous security awareness programs, coupled with deterrents, serve a useful role.
OPINION BY DOMINIC K dominic.k@9dot9.in
THE AUTHOR IS Associate Editor, CSO Forum
Cyber Espionage and Legalities with Neutral Countries I'M WONDERING for the past couple of
weeks on how neutral countries fit in the cyber war threat situation. During kinetic warfare, countries have to give explicit permission to use their territory. Neutral countries will not give such permission, and will be forced to act when one of the parties during a war tries to use their territory for hostile acts. For example, during World War 2, the Swiss were firing upon any military aircraft entering their airspace. Have you ever wondered as enterprise information security chiefs on how this applies to cyber conflicts from a legal perspective? Does a country need to obtain permission (will they ever, I doubt?) to route cyber attack-related traffic over the cyberspace of other countries? Do neutral countries have an obligation to try to prevent any cyber attacks from being routed over their networks? Are cyber warriors criminally liable under the jurisdiction of neutral countries when they route attacks over their networks? I'm fully aware of the technical difficulties associated with these questions, such as the fact that one cannot always predict the attack vector and the traffic path taken over
the Web. Nevertheless, it is time for enterprises to explore the legal ramifications. Add to this the social engineering tricks. We know social engineering is effective and employees constitute a big vulnerability. There has to be a balance between security and transparency. The board expects pragmatic management of risks. Consider client side Web vulnerability: an unsuspecting user in your enterprise surfs a non friendly website and downloads a tool or document containing malware – perhaps specially crafted to extract data and valuable information from your enterprise. The user uses the tool or document and you can guess the rest. Yet another scenario is when a talented social engineer makes contact via social networking portal with people who have just joined an enterprise – an enterprise with valuable Intellectual Property (IP). The social engineer may make contact via LinkedIn or some other social networking site and introduce himself (using a false identity) as a person from the support group at the enterprise. A few weeks later the social engineer contacts the same person from
There has to be a balance between security and transparency. The board expects pragmatic management of risks.
and tells the employee of some planned maintenance work adds that he need not worry as it should not impact the employee. Later, he again contacts the employee but this time indicating there is a new corporate email site planned for the company, and that he would like the employee to go to the site and test it out to make sure everything is OK. He enquires with the employee about his official email address. In the background the social engineer has cloned the company's e-mail site and put in place some phishing code. He emails the employee and tells the employee the mail site is ready for test, providing a link to the site – the employee visits the site using the bogus link and logs in using his network password. The employee never hears from him again. The email address for the employee contains the active directory user name, and the password was harvested on the cloned website. The social engineer now has complete “invisible” access to the company network. Strong two-factor authentication I hear a lot – yes. But how many businesses have it in place today?
CSO FORUM 21 JULY 2010
7
OPINION JON STOUT
THE AUTHOR IS is the CEO of Aspiration Software.
International Cyber Terrorism The Case for an Aggressive Offense AMERICA is at war and the latest front is the war on cyber terrorism. The Internet and associated networks have been under attack from many sectors including hackers, disgruntled employees, financial fraud perpetrators, cyber criminals and now state-sponsored cyber terrorists. What started out as a small number of annoying viruses, malware, Trojan horses and worms has now blossomed into aggressive attacks on our military and industrial segments. U.S. computer networks are under constant cyber attacks, by direct assaults by remote sites, by probes by hackers and criminal networks, and by espionage from foreign countries. President Barack Obama last year declared that the cyber threat is one of the nation’s most serious economic and national security challenges. While there are rapid developments in the area of defenses against cyber terrorism, this article makes the case that a strong offensive strategy is required as well as comprehensive defensive measures.
International Cyber Terrorism Recently, cy er attacks can be traced to totalitarian regimes that either directly
8
CSO FORUM 21 JULY 2010
support and encourage or harbor cyber terrorists. While initial attacks from this area have been intermittent and scattered, military bases and the electric grid have been penetrated. The threat to cause significant damage is ever present and growing. Defensive measures, while critically important, are not enough and cyber criminals must be countered with aggressive offensive attacks.
The Strategy Must Include Offense The concept of defenses against cyber terrorism is easier to understand than an offensive strategy because the defensive attack point is easy to identify. The owners or operators of a particular site can identify their own assets that are at risk. An offensive strategy, however, must identify the attacker and the amorphous, cross-border nature of the Internet often shields attackers. Some attackers can hide their toxic programs in legitimate domestic computer installations. In cyberspace, it is difficult to deliver an effective response if the attacker’s identity is not known. In addition, there is no international consensus on the definition of
The “war” metaphor is potentially problematic, because it could shift responsibility of cyber crime onto governments, as some private industries would like to see happen.
use of force, in or out of cyberspace, and many experts said uncertainty creates the potential for disagreements among nations. Nevertheless, some experts have noted that police officers don’t have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack. The escalating threat of cyber terrorism defies borders, operates at the speed of light, and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers. The U.S. should counter computer-based attacks swiftly and forcefully and act to thwart or disable a threat even when the attacker’s identity is unknown, and we have the technology required to carry out even preemptive offensive attacks. Offensive cyber warfare sends a powerful message to cyber criminals beyond the reach of U.S. criminal laws and regulations and rapid destruction of state-sponsored criminal networks would have a chilling effect on future criminal actions. Offensive measure must be used responsibly but proactively.