BY @enterpriseitworld
@entitworld
FOR THE CIOs. BY THE CIOs.
INFOQUEST RS 199 | PAGES 56 | VOLUME 05 | ISSUE 02
A JOURNAL ON INTERNET SECURITY
19 JULY 2019
A Special Supplement on Cyber Security
Infoquest is a journal of Internet Security and the mouthpiece of Infosec Foundation. Infosec Foundation is a multi-disciplinary and multi-user based initiative for increasing awareness and sharing best practices.
CONTENTS
04  Chairman’s Message
05  The Tale of Information Security
06  Four Essential Concepts to Secure Your Cloud
08  Soaring New Heights
10  MAKE AWARE – The Weakest Link
11  What it takes to Build a Security Culture?
12  Today’s “Cyber Attacks” are best countered through a risk based rigorous process approach
14  How to Improve the Effectiveness of Data Loss Prevention (DLP) Program
16  General data protection regulation (GDPR) and its impact in India (Part : I)
19  Leveraging Incident Management for Continual Improvement
20  Role of Artificial Intelligence & Machine Learning in Cyber Security
22  INDUSTRY 4.0 Security
24  Industry 4.0 Vs Cyber-Security
28  Why our mobile phones have extremely weak security?
30  Zero Trust security – The evolving Cyber Framework
EDITORIAL
TIME TO SHARE EXPERIENCE

It is my immense pleasure to present to you the 8th Edition of InfoQuest, the special issue on Information Security. This has been created by the joint efforts of InfoSec Foundation and Enterprise IT World. As everyone is aware, Information Security is becoming a global concern for everyone; therefore a huge scale of awareness is required among security professionals to understand the trend. There is a gap between the experts and emerging professionals from the standpoint of knowledge. The objective of InfoQuest is to bridge the knowledge gap by putting together the viewpoints of the thought leaders of information security. From consumers to business leaders to legislators and law enforcement authorities, everyone is trying to find the answers to getting immunity from hacking and threats. Every day we get surprises from the market that a certain bank got siphoned off millions of dollars or certain government sites were defaced or hacked; even personal data are available on the internet. In earlier years, these incidents used to take place due to faults of internal resources or by mistakes of users, but today these incidents are orchestrated by external agents and keep on growing at a faster pace. As the whole world is moving towards massive digitization and automation, IoT devices and edge computing are becoming the centrifugal character. These trends are certainly good for organizational and national growth, but at the same time they are bringing massive vulnerability. Cyber criminals are working persistently to penetrate systems through these end devices. Therefore, security professionals, especially the emerging leaders, need to keep tabs on the trend. InfoQuest is the only magazine which can put all the experiences and expertise together and highlight a wide variety of issues, challenges and trends. The beauty of this effort is that we bring out this special issue whenever there is a mass gathering of security professionals.

This time we are unveiling this issue directly at the Security Symposium & Cyber Sentinel Award, which is kick-starting in Bangalore on 19th July 2019. By this we will be able to reach the maximum audience. I must thank all the contributors of articles and research, and the content and design teams of Infosec Foundation and Enterprise IT World, for their relentless work to bring out such a nice manuscript on information security. Thanks to all the readers who have encouraged us to work hard to cover various aspects of information security and discuss in detail the nuances of the subject matter.

Sincerely yours,
Sanjay Mohapatra
Chief Editor

EDITORIAL BOARD
01 Sudipta Biswas   02 Pritam Bhattacharya   03 Sanjay Mohapatra
04 Sanjib Mohapatra   05 Pooja Jain   06 Sushobhan Mukherjee

Publisher: Sanjib Mohapatra
Chief Editor: Sanjay Mohapatra
Senior Editor: Pooja Jain
Associate Editor: Deepak Singh
Designer: Ajay Arya
Assistant Designer: Rahul Arya
Web Designer: Vijay Bakshi
Technical Writer: Manas Ranjan
Lead Visualizer: DPR Choudhary
Social Media Manager: Ravish

MARKETING
Marketing Manager: Kajal Sharma, kajal@accentinfomedia.com

SALES CONTACTS
Delhi: 6/102, Kaushalya Park, Hauz Khas, New Delhi-110016. Phone: 91-11-41055458. E-mail: info@accentinfomedia.com

EDITORIAL OFFICE
Delhi: 6/103, (GF) Kaushalya Park, New Delhi-110016. Phone: 91-11-41657670 / 46151993. info@accentinfomedia.com

Printed, Published and Owned by Sanjib Mohapatra. Place of Publication: 6/103, (GF) Kaushalya Park, Hauz Khas, New Delhi-110016. Phone: 91-11-46151993 / 41055458.
Printed at Karan Printers, F-29/2, 1st floor, Okhla Industrial Area, Phase-2, New Delhi 110020, India. All rights reserved. No part of this publication can be reproduced without the prior written permission from the publisher. Subscription: Rs.200 (12 issues). All payments favouring: Accent Info Media Pvt. Ltd.
CHAIRMAN’S MESSAGE
SUSHOBHAN MUKHERJEE, CHAIRMAN, INFOSEC FOUNDATION

It has been a wonderful journey for the last three years with Infosec Foundation. As many of you know already, this is a non-profit platform that aims to bring together the global CxOs for the cause of cyber security. A small awareness training in Bangladesh after the Bangladesh Bank heist gradually evolved into a global movement, which has gained momentum with many community-driven initiatives, mass awareness drives, trainings, seminars, workshops, round tables, symposiums and international summits. In the era of digital transformation, cyber security has evolved gradually with the adoption of several new frameworks. The mission of Infosec Foundation is to stabilize the cyber wave and extend its benefits to the grass-roots level. In line with the community-driven approach we reached many domestic and global cities like Kolkata, Mumbai, Bangalore, Delhi, Dhaka, London, Glasgow and many others in order to have cross-pollination and harmony between cyber security stakeholders, including users, government, law enforcement, OEMs etc.

Apart from the Security Symposium and International Summits, we have tried to collaborate with similar associations so that the benefits converge collectively to society. Besides, our mouthpiece “InfoQuest”, the cyber security journal, gained attention and we could continue to reach its eighth issue with contributions from the ecosystem and industry. Similar to last year’s journey, we are starting our Multi-City Security Symposium (Kolkata-Bangalore-Delhi-Mumbai) this year in July-August. Last November’s mega summit in Kolkata was a grand success with the theme “Cyber Resilience and Agility in your Digital Future”. The event was graced by many eminent personalities like Dr. Gulshan Rai (CISO, Govt. of India), Ms. Vaishali Bhagwat (Advocate, Cyber Legal Expert), Dr. Ajeet Bajpai (DG, NCIIPC), Mr. Gant Redmon (IBM, United States), Mr. Debasish Sen IAS (Additional Chief Secretary, Information Technology & Electronics, Govt. of West Bengal), Mr. Rana Pratap Sircar (Lead - Innovation in Service Delivery Unit of Ericsson BA Digital Services), Mr. Michael Joseph (Fortinet), Mr. Vishak Raman (Cisco), Mr. Shrikant Shitole (Country Head, FireEye), Mr. Gautam Kapoor (Partner, Risk Advisory, Deloitte India), Mr. Anup Deb (IBM Resilient, Singapore), Dr. S. Amar Prasad Reddy (Director General, National Cyber Safety and Security Standards), Mr. Gigi Joseph (BARC), Mr. Dinesh O Bareja (COO - Open Security Alliance) and many others. More than 250 people attended the event, with delegations from all leading corporates, enterprises, academia, government, law enforcement agencies, manufacturers, providers etc., not only from India but also from Bangladesh, Singapore, the United States and the United Kingdom, giving it a true global flavor. The summit had great deliberations exchanging thoughts, knowledge, ideas and case studies on cyber security among the speakers, audience, attendees and participating stakeholders.

The same not only generated great enthusiasm over networking but also generated direct business opportunities. The event raised several voices and concerns from the community, extended the government’s and policy makers’ roadmap, articulated steps on synchronization between stakeholders and surely created a platform for enriched knowledge in order to have better wisdom.

Similarly, last February there was an International Summit in Bangladesh which focused on the Cyber Security Road-map for Industry 4.0. The event was graced by Mr. M. A. Mannan, Honorable Minister, Ministry of Planning, Republic of Bangladesh, along with Mr. K.A.M. Majedur Rahman (Managing Director, Dhaka Stock Exchange). Besides, a few eminent key speakers like Mr. Mohammad Arfe Elahi (Chief Technology Officer, A2I, PMO), Dr. Muhammad Abdul Mazid (Adviser – A K Khan and Company Limited), Mr. Ahmed Rokibur Rahman (Wooribank), Mr. Syed Moinuddin Ahmed (Additional Managing Director & Company Secretary, Green Delta Insurance), Mr. Tapan Sarkar (Founder President CTO Forum, Managing Director ADN Edu Services Ltd.), Mr. B. M. Zahid-ul Haque (Head of Information Security, BRAC Bank Limited), Mr. Syed Almas Kabir, President (BASIS), Mr. Espen Haagenrud (CISO, Grameen Phone), Mr. Azim U. Hoque (Co-Founder at Cyber Security Forum, Founder and President at University IT Forum), Mr. Tanveer Ehsanur Rahman (CTO, Novo Telecom) etc. also addressed the gathering with their knowledge and great insight. Risk mitigation strategies for the Industry 4.0 wave, especially for critical infrastructure, were the major deliberation during the summit. It is a great pleasure to ride the momentum of Infosec Foundation and one of its integral torchbearers, “Infoquest”, the print journal. Infoquest is an essential tool for Infosec Foundation’s mission of creating awareness about Information Security. Another important responsibility of Infoquest is to create an intellectual foundation to document and communicate across domains and practices about our campaigns and activities. We visualize that the corpus we are all building together in a collective and spontaneous manner will be an important and relevant corpus for the next generation. I thank our editorial team, sponsors, contributors and readers for bringing out this special issue.

This is also a vindication of great team-work and I thank you all once again.
Best Regards,
Sushobhan Mukherjee
Chairman, Infosec Foundation
SOARING NEW HEIGHTS
ANUP KANTI DEB
SEGMENT LEADER THREAT MANAGEMENT SOLUTION, IBM SECURITY (ASIA PACIFIC)
AUTHOR’S BIO Anup leads the Cyber Security - Incident Response business for IBM across Asia Pacific region. He comes with a rich background of working in the Cyber Security Industry having specialized in the area of Cyber Security -Risk and Compliance. He is also a Subject matter expert in Incident Response. He is currently expanding IBM Resilient business footprint within the region. Throughout, Anup has been an eminent speaker at industry events, conferences across the region and an active blogger, possesses excellent communication, presentation skills and is decorated with multiple professional awards. Anup has also previously worked with emerging technology start-ups and leading IT companies globally.
It is wonderful to see Infoquest continuing its journey since 2016. In line with the vision of Infosec Foundation, Infoquest’s focus was to generate mass awareness about Information Security and to bring inter-disciplinary sharing of minds and best practices, which we felt to be not only a necessity but also a market gap. In the era of Digital Transformation, everything is moving towards digital and India is not left behind. Of the 34% of the Indian population, i.e. 460 million in total, there are 250 million Facebook users and 200 million WhatsApp users. People spend around 8 hours a day on the internet, and of this time 2 hours is spent on social media. Hence, whether we like it or not, whether we want it or not, we cannot escape this digital storm. Shopping, health care and banking facilities are gradually coming home instead of us going there, and in effect the entire user behaviour and experience pattern is creating a new paradigm. Since the entire disruption is linked to connectivity, more precisely the Internet, cyber security has become a burning topic for all of us. As per information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In), a total of 22,207 Indian websites, including 114 government websites, were hacked during April 2017 to January 2018. A total of 493 affected websites were used for malware propagation. Even after so many precautionary measures and spending at government level, if this is the scenario, then you can imagine the situation for private enterprises, SMEs and surely individuals like us. Yes, none of us are secure in any corner of the world. So what should we do? Should we keep on cribbing, keep on blaming government, law enforcement and policy makers? Or leave everything to our luck? In this context, Infosec Foundation started working three years back. We thought of doing something ourselves instead of passing the buck to others.

We thought of creating a platform where all the different stakeholders related to cyber security can meet, collaborate, exchange thoughts and in effect have better wisdom to take wiser decisions. The concept originated from Kolkata, the city of joy, and gathered momentum globally. As a result, we now have chapters in all metros in India, and along with Enterprise IT World we are organizing this CISO Symposium to have cross-border collaboration, knowledge sharing and exchange of best practices in cyber security. The mission is driven for common people like you, and Infoquest is playing the role of a mouthpiece and a print-media way to reach readers and interested institutions on a pan-India basis. Thanks to our partner Enterprise IT World, we hope that we shall continue to reach readers on a pan-India basis and will venture further across the globe. From 2016 till date, we have conducted International Summits, Seminars, Workshops and Trainings in the cyber security space to spread awareness globally. As a part of this endeavour, a Four City CISO event was concluded last year in Bangalore, Delhi, Mumbai and Kolkata, along with the international Infosec Summit in Kolkata. In line with the same, we are stepping ahead to conduct Security Symposiums in three international cities, Dhaka, Dubai and Colombo, for the confluence of global CISOs to brainstorm on the future and impending challenges and conclusively emerge as cyber security game changers across the globe. We have taken many initiatives so far, like awareness campaigns through mass media and training/workshops/seminars for young and elderly people through local police stations and clubs. Our team was instrumental in interlocking with all the different stakeholders (like law enforcement agencies, government, Banking & NBFC, Healthcare, Telecom, Energy & Utilities, Manufacturers, Providers and users) and had many initiatives to bridge the gap between demand and supply. We already have five chapters in five global cities and have started influencing cross-pollination of cyber knowledge and wisdom. A Cyber Helpline and the Cyber Friend Mobile App are on their way to kick-off. With support from government and connections through academia we are all set to rise and build the next generation of cyber army.

Stay tuned with our regular activities, join in, engage and ride the thrilling journey towards your digital future.
TODAY’S “CYBER ATTACKS” ARE BEST COUNTERED THROUGH A RISK BASED RIGOROUS PROCESS APPROACH

TATHAGATA DUTTA, DIRECTOR CYBER SECURITY AT PRAXIS BUSINESS SCHOOL

AUTHOR’S BIO
A Cyber Security Professional with 20 years of experience in this domain. His forte encompasses information security audit, cyber risk assessment, cyber incident handling and digital forensics. He has been instrumental in establishing India’s first “Cyber Range” at Gurgaon, which is being used by national security agencies to enhance their cyber security competency. He is an empanelled information security Lead Auditor at BSI (National Compliance Body of Govt. of UK). He has extensive experience in conducting information security audits (against different international standards and Govt. mandates) not only in India but also beyond its boundaries in Europe, Singapore and UAE. Currently, as Director Cyber Security at Praxis Business School, he has taken the responsibility of creating a Centre of Excellence to develop trained cyber warriors and strengthen national capacities in advanced threat hunting and attack-combating techniques.

As cyber attackers grow more sophisticated, the best and most realistic cyber defense strategy for CIOs is process-based. Perhaps the most challenging question associated with cybersecurity is determining whether “enough” security has been implemented. Many try to boil this down to a few simple questions, namely what security tools should be bought and how much money should be spent in total on cyber security. Those questions presume that there is some sort of formula through which companies can determine with great accuracy which cyber tools and how much money are needed in order to dramatically increase security. It would be nice if that were the case, but just as it would be nice to find a way to turn lead into gold, it is a flight of fancy that is destined to fail. We have to remember that there is no such thing as a cyber-jacket when it comes to defensive technologies or services. The cyber threat constantly morphs thanks to highly motivated and skilled attackers, and cyber criminals are smart enough to act like water: they follow the path of least resistance. Unfortunately there is no good rule of thumb for what that security profile should look like. Every business is different, and some will be more consistent targets of cyber-attacks than others. Moreover, even if one could say that “X” percent of the information technology budget should be spent on cybersecurity, there is no guarantee that the money will be spent wisely. That leaves us with a process-based model. A popular formula to use here is a “risk-based” strategy.

Even though technology has progressed, the way companies need to handle security today is fundamentally different from the approach they took 5 years ago, and there are many reasons for this. Two trends in particular are driving the new conception of cyber security for businesses. First, the digitalization of processes and businesses is happening at an unprecedented pace, so a cyber-security incident isn’t just something that causes extra hours in a company’s IT department. Today, IT often powers business engines along the whole value chain, and a single incident can bring operations to a grinding halt and even threaten the existence of a company. Secondly, the threats are growing, both in number and sophistication. The number of cyber-attacks is increasing exponentially year on year. Sources say that a couple of years back the number of cyber-attacks was on average 81 attacks per minute. The number of attacks (reported or unreported) is expected to have doubled year on year. At the same time, recent years have seen malware reach a new level of sophistication. One reason this is happening is the emergence of nation states as cyber attackers. They put tremendous resources into finding and exploiting weaknesses in the cyber defenses of both state agencies and corporates. Because criminals often repurpose exploits from nation-state attacks, businesses need to consider how this trend increases the overall sophistication of online threats.

It may seem odd that the inherently technological problem of cyber-attacks is best countered through a rigorous process and not strictly technological solutions. Yet, given the extraordinary pace of maturation of cyber-attacks, it makes perfect sense to rely on a process to determine optimal defense strategies. In doing so, companies will not only protect themselves from cyber threats but will also create a well-documented record of decision-making that will undoubtedly deter litigation. That alone should drive a movement towards process-based defenses. Globally recognized standards and frameworks like ISO 27001, PCI DSS, COBIT, etc. may be referred to or followed (considering the nature of the trade) to ensure process-backed security resilience.
SUBSCRIPTION FORM
INFOQUEST IS THE PRINT PUBLICATION ON CYBER SECURITY AND THE OFFICIAL INTERFACE OF THE INFOSEC FOUNDATION PLATFORM. INFOQUEST IS PUBLISHED QUARTERLY. INFOQUEST IS THE TORCH BEARER OF THE INFOSEC FOUNDATION MOVEMENT. IF YOU ARE INTERESTED IN JOINING US ON THE JOURNEY, YOU MAY SUBSCRIBE TO THE MAGAZINE.

NAME ......................................................................
ADDRESS ...................................................................
OCCUPATION ................................................................
REPRESENTING COMPANY ......................................................
DESIGNATION ...............................................................
CITY .......................... STATE .................... ZIP CODE ..........
E-MAIL ....................................................................
MOBILE ....................................................................
MAGAZINE SUBSCRIPTION (EACH EDITION)
RS 199/-
YEARLY SUBSCRIPTION (FOUR EDITIONS)
RS. 600/-
Feel free to send your queries to editor@infoconglobal.org Payment can be made by A/C Payee Cheque/Demand Draft to “XXXX”.
LEVERAGING INCIDENT MANAGEMENT FOR CONTINUAL IMPROVEMENT

GANESH VISWANATHAN, SENIOR VP-PMO & CISO, AITHENT TECHNOLOGIES PVT. LTD.

AUTHOR’S BIO
Ganesh has over 30 years of experience in the IT & Services and Engineering industries, with diverse management experience and specialization in IT Security, Risk & Compliance, Project Management, Strategic Planning and Supply Chain Management. Ganesh is a Lead Auditor in ISO 9001, is trained in Project Management, Eli Goldratt’s Theory of Constraints and Six Sigma, and holds several security certifications. Ganesh holds a Bachelor’s degree in Technology from the Indian Institute of Technology, Madras. Ganesh has been working with Aithent as SVP-PMO & CISO since March 2019. He last worked at Quattro for 12 years, where he was SVP-Chief Information Security & Privacy Officer responsible for Cyber Security & Privacy and Quality. He has developed 7 products for financial services and spearheaded the implementation of ISO 27001, SSAE 18, PCI DSS, the Data Protection Act 1998, GDPR and RBI regulations. He has won several awards in the Information Security & Privacy space and has addressed several conferences as a keynote speaker/panelist.

INTRODUCTION:
The current threat landscape is constantly mutating with the arrival of new threat vectors and increasing sophistication of attacks. The volume of attacks is spiralling with a low probability of detection; the volatility of attacks is growing by the day; attacks come unannounced, and attackers are in the system up to 6 months prior to the actual attack, doing reconnaissance, scanning the network, already exfiltrating sensitive data, erasing files or installing a backdoor as part of an exploit; and cyber vulnerabilities are growing at a rapid clip. We therefore have to develop an integrated and holistic approach to managing cyber incidents. Planning is the sine qua non for excellent execution. As the saying goes, “By failing to prepare, you are preparing to fail.” Develop a detailed Business Continuity Plan (BCP) to plan for the various contingencies that arise out of a multitude of threats, so that regular business can continue smoothly. For the communications, hardware and IT systems which constitute the vital support systems, develop a Disaster Recovery (DR) plan. Make sure that the BCP/DR plan is communicated to all stakeholders and that refresher training is conducted periodically. To check the readiness of employees in case of any emergency, do a call tree test at least once in 6 months. The employee contact list should be updated on a monthly basis to ensure that the call tree exercise in case of an actual disaster is accurate and meaningful. Resiliency testing of key services should be conducted at least annually to ensure a robust business continuity program. Besides, do a quarterly
fire drill and appoint a fire marshal for each floor, shift-wise. Do a periodic audit of your fire preparedness. A mock drill needs to be carried out for earthquake preparedness too. Employees should be educated about the Do’s and Don’ts through posters, screen savers, classroom training and regular email updates. Critical network equipment such as routers, core switches and critical servers should also be subjected to Disaster Recovery (DR) testing. Every step of the Disaster Recovery plan is tested as part of DR testing to check the timely restoration of business-critical applications, recovery of data and continuation of operations after a service interruption. DR testing is an investment in the success of the BCP. It gives us the confidence that the DR plan will work as intended when deployed during an emergency. The BCP is a live document and needs to be updated based on learnings from incidents/disasters. Ensure that hard copies of it are kept offsite to handle any emergency.

An incident is an event that could lead to loss of, or disruption to, an organization’s operations, services or functions. Incident Management describes the activities to identify, analyze and correct the occurrence of any disruptive event. Following are the steps to be followed for a successful Incident Management Program:

1. Detection: Identify all issues that emanate from infrastructure monitoring tools, be it memory, CPU or disk space, or alerts from a Data Leak Protection (DLP) solution, an Intrusion Prevention System (IPS) or a firewall. Record user issues in terms of latency, response time and space availability. Record the voice of the user, as he or she may notice behaviour by co-workers that could lead to a potential information security incident, such as tailgating when entering the building premises or the operations floor, or carrying mobile phones into a sanitized operations area where it is strictly prohibited. Sharing of passwords is also considered an incident. A whistle-blower policy needs to be developed which will reinforce the appropriate code of conduct at the workplace. Log all incidents and identify the trends. Identify whether the incident is new or recurring, in order to investigate ownership and responsibility. Classify the incident as Service related, Hardware, Software or Compliance (an employee not following the laid-out policy or SOP). Prioritize the incident in terms of severity as per the severity matrix based on Impact, Urgency or Risk. Impact is high if a large number of users are unable to use a service. Urgency is high if the service is critical to the client and downtime will affect the business. Risk is high if a fire suppressant system malfunctions in a data center or the precision AC fails and the temperature rises.

2. Diagnosis: As part of troubleshooting, investigate the root cause. Tools such as 5W1H can be deployed for a logical analysis: identify Who was involved, What happened, Where the incident happened, When it happened, Why it happened and How it happened. Follow the escalation procedure for cases where the incident needs to be notified (client end) or resolved (in-house/vendor) at a higher support level.

3. Resolve/Repair: Fix the issue by going for a temporary workaround or a permanent fix. In case it is a temporary fix, the plan for the permanent fix must be documented along with any support needed (in terms of time, spares, additional resources etc.). The repair may involve replacing a part (hardware) or uninstalling the infected software; installing a fresh patch or the latest version of the software, running anti-virus software, rebuilding the OS or a simple configuration change (software); or following a new SIPOC (process map)/SOP. This may also involve a coordinated shutdown of associated parts, wiping the infected devices and rebuilding the operating system.

4. Recovery: This entails service restoration or a system (network) validation. New passwords must be created for all compromised systems.

5. Documentation, Follow-up & Closure: Once the correction is completed, document the findings in an Incident Report detailing all the steps followed. This will help prevent recurrence of the incident. Carry out a review to determine whether the detection was without any delay, whether the preparations were adequate and whether cross-functional support was timely. Monitor activities post-incident to check whether the threat vectors are reappearing, which may cause the incident to recur. After this the incident can be formally closed.
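The Detection step above asks for a log of every incident, a new-versus-recurring decision, a Service/Hardware/Software/Compliance classification and a priority from the Impact/Urgency/Risk severity matrix. The following Python is an added example of that bookkeeping; it is not Aithent's or the author's code. The keyword lists, the exact severity matrix, the 30-day recurrence window and the incident records are constructed assumptions chosen to match the examples the article gives (precision AC failure, tailgating, password sharing, DLP alerts).

```python
"""Incident log triage for the five-step programme above (Detection ->
Diagnosis -> Resolve/Repair -> Recovery -> Documentation).

Added example; not Aithent's or the author's code. The category keywords,
the severity matrix, the recurrence window and the incident records are
constructed assumptions used only to illustrate the Detection step."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed classification keywords (assumption). Anything that matches none
# of them is treated as a Service incident (latency, response time, etc.).
CATEGORY_RULES = {
    "compliance": ("tailgating", "password sharing", "mobile phone",
                   "not following procedure"),
    "hardware": ("disk space", "precision ac", "fire suppressant",
                 "core switch", "router"),
    "software": ("patch", "malware", "anti-virus", "dlp alert",
                 "intrusion prevention"),
}

# Constructed severity matrix (assumption): a high Risk (fire suppressant or
# precision AC failure in the data center) is always P1; otherwise
# Impact x Urgency decides.
SEVERITY_MATRIX = {
    ("high", "high"): "P1",
    ("high", "low"): "P2",
    ("low", "high"): "P2",
    ("low", "low"): "P3",
}


@dataclass
class Incident:
    when: datetime
    asset: str
    description: str
    impact: str      # "high" or "low"
    urgency: str     # "high" or "low"
    risk: str        # "high" or "low"
    category: str = ""
    priority: str = ""
    recurring: bool = False


def classify(description: str) -> str:
    """Service / Hardware / Software / Compliance, by keyword match."""
    text = description.lower()
    for category, words in CATEGORY_RULES.items():
        if any(word in text for word in words):
            return category
    return "service"


def priority(impact: str, urgency: str, risk: str) -> str:
    """Priority from the Impact / Urgency / Risk severity matrix."""
    if risk == "high":
        return "P1"
    return SEVERITY_MATRIX[(impact, urgency)]


def triage(log: list, window_days: int = 30) -> list:
    """Classify and prioritise every incident, and flag a recurrence when the
    same asset saw the same category of incident within window_days."""
    last_seen = {}
    for inc in sorted(log, key=lambda i: i.when):
        inc.category = classify(inc.description)
        inc.priority = priority(inc.impact, inc.urgency, inc.risk)
        key = (inc.asset, inc.category)
        previous = last_seen.get(key)
        inc.recurring = (previous is not None
                         and inc.when - previous <= timedelta(days=window_days))
        last_seen[key] = inc.when
    return log


def trends(log: list) -> Counter:
    """Incident count per (category, priority): the trend view the
    Detection step asks for."""
    return Counter((inc.category, inc.priority) for inc in log)


# Constructed sample incident log (assumption), in chronological order.
SAMPLE_LOG = [
    Incident(datetime(2019, 7, 1), "dc-1", "Precision AC failed, temperature rising", "low", "high", "high"),
    Incident(datetime(2019, 7, 2), "client-portal", "Users report high latency on the portal", "high", "high", "low"),
    Incident(datetime(2019, 7, 3), "ops-floor", "Tailgating observed at operations floor door", "low", "low", "low"),
    Incident(datetime(2019, 7, 5), "client-portal", "DLP alert: outbound file upload blocked", "low", "high", "low"),
    Incident(datetime(2019, 7, 10), "ops-floor", "Password sharing between operators", "low", "low", "low"),
    Incident(datetime(2019, 8, 20), "ops-floor", "Mobile phone carried into sanitized area", "low", "low", "low"),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        flag = " (recurring)" if inc.recurring else ""
        print(f"{inc.when:%Y-%m-%d} {inc.priority} {inc.category:<10} {inc.asset:<13} {inc.description}{flag}")
    print(dict(trends(SAMPLE_LOG)))
```

Running the block marks the 10 July password-sharing incident as recurring (a compliance incident on the same ops-floor asset a week earlier), while the 20 August one falls outside the 30-day window and starts a fresh ownership investigation; the precision AC failure is P1 purely on Risk even though its Impact is low.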
Conclusion: By following the five steps of the Incident Management Framework as part of Incident Response, organizations will reap the benefits through continual improvement in client SLAs and key security metrics. It will act as a springboard to defend the organization from both external and internal threats, thus helping it to protect its digital assets. This structured methodology will make cyber security robust, resilient and reliable, thus validating the proverb “An ounce of prevention is worth a pound of cure”.
INDUSTRY 4.0 VS CYBER-SECURITY
I
GYAN PRAKASH,
VICE PRESIDENT – ENTERPRISE IT SCADA GEOINFORMATICS PVT. LTD.
AUTHOR’S BIO
Gyan Prakash is leading eastern region business unit of SCADA Geoinformatics Pvt Ltd. as Vice President – Enterprise IT. He possesses expertise in Industrial Automation, Industrial 4.0, and Manufacturing ERP with handling of all operations of Business Units. He joins SCADA with 10 years of industry experience with large business conglomerates Quess Corp Ltd, ADANI Group and TATA Consultancy Services. He is articulated Leader with notable success in directing a broad range of corporate IT initiatives and won industry prestigious Eminent CIOs - 2018, CIO 200 – 2017 & IT Next 100 – 2016 Awards. He is avid reader and writer in technological and strategic business issues. He will be available at linkedin. com/in/gyan-prakash-3a455b9.
Industry 4.0 acts as a bridge between Information Technology (IT) and Operational Technology (OT), a bridge that was missing for a long time. It provides remote entry to the plant, and that is the beauty of Industry 4.0: it makes the factory SMART. The concept of SMART factories is truly a revolution in which we can talk with machines. Industry 4.0 will connect every physical component of a factory and every stakeholder in an integrated communication system, with the goal of improving the efficiency and flexibility of the production chain.

But the flip side of the coin is that we are inviting a big bunch of cyber threats into our factories. The data that flows is extremely valuable: not just the blueprints, but an exact description of the manufacturing process, down to the settings of every tool and the delivery date of every component. This would be extremely valuable to anyone digging for economic intelligence, or simply to anyone wanting to replicate the entire production chain in a new factory in order to produce knock-offs of a successful product.

Every manufacturing organization therefore needs to set up a cell whose vision is to make the factories secure, so that there will not be a breach at any cost. Business leaders need to understand the consequences of a data/information breach and put cyber security on their main agenda for the financial year. They need to go through management-level training programmes to understand cybersecurity in detail, so that they can set up a cell within their organization to guard the SMART factories like an old-age fortress. This issue asks business executives to take on security matters personally. They may even opt to hire someone knowledgeable and skilled enough to manage a strong cybersecurity team within the business organization. A business should prevent leaks in its IT systems at all costs, as the whole organization would otherwise be at risk.

Manufacturing companies can avoid common security issues by implementing basic best practices such as the following:

1. Restrictions on Credentials - Individuals who are granted access to files and systems should be identified and given the most restrictive permissions.
2. Mapping of Network - The IT machines and production machines that are allowed to communicate with one another should be identified. There should be restrictions as to which devices in the IT network are capable of exchanging information with which devices in the OT network.
3. Identification of Assets - Unnecessary services in the network should be disabled; doing so can help prevent exploitation of vulnerable services. Determine what processes and assets are critical to the organization's ability to operate and what the threat vectors are. Draw a map detailing processes, correlated against a network map, to get a comprehensive view. You can't manage risks to assets or devices that you don't know about.
4. Software Patching - When code flaws are found in software, updates will be released as soon as possible. Organizations need to determine how these can be implemented and rolled out to the affected devices within the environment.
5. Reskilling of Manpower - Understand the 'blue-collar' workforce and how working practices have changed. Many now use technology to perform tasks, so make them aware of the cyber threats they face. For example, engineers should not be able to just plug in a USB stick without first checking that it is free of malware and that its operating system is up to date.

Security is critical to the success of Industry 4.0 adoption. The resilience of production processes strongly depends on the manufacturing companies' awareness of the current threat landscape and on the security framework employed for protecting against attacks. As the pace of change accelerates and new technologies proliferate, the task of monitoring and understanding the emerging opportunities and evolving threats unleashed by this digital transformation is becoming a full-time task.
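As an added example that is not part of the article (nor code from SCADA Geoinformatics), the following Python script applies points 2 and 3 above to a constructed asset inventory and a handful of constructed flow records: it flags IT-to-OT conversations that are not on the allowlist, OT devices reached on services that should be disabled, and devices that appear in traffic but are missing from the inventory. All asset names, addresses, subnets and ports are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed asset inventory (assumption, not from the article): each known
# device is assigned to the IT or OT zone. Devices absent from this map are the
# "assets you don't know about" that the article says cannot be risk-managed.
ASSETS = {
    "10.10.1.20": {"name": "erp-app-01", "zone": "IT"},
    "10.10.1.30": {"name": "hist-gw-01", "zone": "IT"},
    "10.20.1.10": {"name": "plc-line1", "zone": "OT"},
    "10.20.1.11": {"name": "hmi-line1", "zone": "OT"},
    "10.20.1.12": {"name": "historian-01", "zone": "OT"},
}

# Zone subnets (assumption), used to place an unknown address for the report.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

# The only IT -> OT conversation the network map permits: the historian gateway
# reads production data from the historian over its database port (assumption).
ALLOWED_IT_TO_OT = {("hist-gw-01", "historian-01", 5432)}

# Services that should be disabled on OT devices altogether (article point 3);
# constructed list: Telnet, plain HTTP, SMB.
DISALLOWED_OT_SERVICES = {23, 80, 445}


def zone_of(ip: str) -> str:
    """Return the zone an address falls in, or 'unzoned' if outside both subnets."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "unzoned"


def audit_flow(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Classify one observed flow against the inventory and the allowlist."""
    src, dst = ASSETS.get(src_ip), ASSETS.get(dst_ip)
    if src is None or dst is None:
        unknown = src_ip if src is None else dst_ip
        return f"unknown-asset-in-{zone_of(unknown)}"
    if dst["zone"] == "OT" and dst_port in DISALLOWED_OT_SERVICES:
        return "disallowed-ot-service"
    if src["zone"] == "IT" and dst["zone"] == "OT":
        if (src["name"], dst["name"], dst_port) in ALLOWED_IT_TO_OT:
            return "allowed"
        return "it-to-ot-not-allowlisted"
    return "allowed"


def audit(flows):
    """Return the non-allowed findings and a count per verdict."""
    findings = []
    counts = Counter()
    for src_ip, dst_ip, dst_port in flows:
        verdict = audit_flow(src_ip, dst_ip, dst_port)
        counts[verdict] += 1
        if verdict != "allowed":
            findings.append((verdict, src_ip, dst_ip, dst_port))
    return findings, counts


# Constructed flow records (src, dst, dst port), as a firewall might export them.
SAMPLE_FLOWS = [
    ("10.10.1.30", "10.20.1.12", 5432),  # gateway -> historian: on the allowlist
    ("10.10.1.20", "10.20.1.10", 502),   # ERP host talking Modbus straight to a PLC
    ("10.20.1.11", "10.20.1.10", 502),   # HMI -> PLC inside OT: expected
    ("10.10.1.20", "10.20.1.12", 445),   # SMB to the historian: service should be off
    ("10.20.1.99", "10.20.1.10", 502),   # device in the OT subnet that nobody inventoried
]

if __name__ == "__main__":
    findings, counts = audit(SAMPLE_FLOWS)
    for verdict, src, dst, port in findings:
        print(f"{verdict:28} {src} -> {dst}:{port}")
    print(dict(counts))
```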
THE TALE OF INFORMATION SECURITY
KAUSHIK CHAKRAVARTY,
GENERAL MANAGER- IT, GPT GROUP
AUTHOR'S BIO
Kaushik Chakravarty is the General Manager Information technology at the GPT Group, Kolkata, India. In this role, he oversees all aspects of information technology, information security, data and analytics for the world's largest aerospace company. He also supports the growth of business through IT- and analytics-related revenue generating programs.
Security by its own definition is the state of being free from danger or threat, a concept that, we feel, is sometimes forgotten in the hustle and bustle of daily life in this modern world. We can go back in time to see early examples in the Ancient Egyptian Pharaohs who hired private security guards for personal protection, or to Ancient Rome where emperors had security guards for personal, family and property security. In Greek mythology, the closest thing to a "God of Security" wasn't a god at all, but the giant monster Argus, who was considered the perfect security guard because of his ability to keep at least one of his hundreds of eyes open while sleeping. Argus was a fearsome warrior to contend with, but he wasn't invincible. He ended up on the wrong side of Zeus, who sent his son Hermes to kill Argus. As the story goes, Hermes lulled the giant into a deep, eye-closing slumber. Then, when Argus was no longer "watching," Hermes cut his head off.

Argus is an interesting, if imprecise, symbol for today's infosecurity professional. We, too, pride ourselves on our ability to keep constant vigilance over our systems, networks and data. Unfortunately, we're often undermined by the cunning of our adversaries and their ability to exploit our vulnerabilities. Lacking the tools and knowledge to gather, analyze and apply objective data to our policies and initiatives, we, like the ancients, uncritically accept common truisms about the "way to do security," rarely questioning their validity or applicability. For security to mature as a business discipline, security professionals must shed the common myths that justify our beliefs and give meaning to our activities, and develop a framework of critical thinking that tests the generalities of the best way to secure the enterprise.

We find out how the digital age and new technologies have changed the very nature of insurance. As the computer era revolutionized the processing, storage and sharing of information, the stakes went up for information security. The need to protect personal, financial and classified information resulted in the rapid development of mathematical and computational methods of protecting information. One of the biggest problems in modern information security is that of the exchange of secret keys. The recipient of a message cannot decipher it without knowing the key that the sender used for encryption. This key must be kept secret, or else anyone could decipher the message.

Targeted attacks are becoming very popular amongst cybercriminals today; they are aimed at specific organizations and the sectors they operate in. Cybercriminals have the desire, ability, patience and skills to invest their time and resources into these modern attacks to achieve financial gains. In these attacks they will learn as much as they can about the target and its third-party suppliers. The malware is created specifically for the organization, based on the information gathered in the reconnaissance phase.

As can be seen, there are not that many differences between building a castle and securing an organization's data. It is essential that strong boundaries be established, both physically and logically, around the data and information that is being protected. Information, either literal or electronic, is the key to any kingdom, whether medieval or corporate. It must be protected at all times. The cyber threat landscape is advancing more rapidly than security architectures can devise attack prevention solutions. Sharing of threat intelligence and innovation, not only in technical solutions but also in methods for implementing organizational change (knowledge about 'what works'), is vital if industry is to neutralize the risks and build a cyber-secure economy. The geographical bias in the contemporary debate around cybersecurity creates two challenges for the knowledge ecosystem: avoiding group-think around threat characterization and solutions, and avoiding the transplant of organizational change methods from one geography to another locale without adaptation to, or redesign for, other business cultures, traditions and communications. To mitigate pan-industry 'group-think', cybersecurity requires a more nuanced, adaptive and inclusive dialogue, far beyond sharing threat intelligence and debating compliance standards. Cybersecurity is a pre-requisite for enabling business as usual: it is a core requirement for both securing the information technology that powers standard business operations and creating
MAKE AWARE – THE WEAKEST LINK
MANSI THAPAR,
JAQUAR GROUP - HEAD SECURITY, DPO
AUTHOR’S BIO
A change catalyst with 18 years of experience in various IT domains such as Information Security and Risk Management, SDLC, Compliance, Release Management, Delivery, Programme Management, Operations and critical business process management. A PMP, Six Sigma Black Belt and certified ISO 27001 Implementer, currently working at Jaquar Group as Head Security, DPO, with an eye for detail and data, continuously striving to reach new heights personally and professionally, and keeping a sharp focus on activities that give her knowledge and expertise back to the world in any way possible.
Two years back, words like Hacked, Virus, Ransomware, Phishing emails, Data breach and Malware were understood by IT specialists and not by the common man. But today these words are known, understood and dreaded by people all over the world. Industry gurus like Ginni Rometty (IBM's chairman and president) and Warren Buffett (chairman and CEO of Berkshire Hathaway) have said, respectively, "Cybercrime is the greatest threat to every company in the world" and "Cyber-attacks are the number one problem with mankind, even worse than nuclear weapons."

Having said that, we as security professionals work endlessly to identify, protect, detect, respond and recover from security incidents. We deploy world-class perimeter, network, port and endpoint security to protect our corporates from incidents and protect our crown jewels from being breached. But somewhere in this constant endeavour, we fail to address the main reason for cyber incidents: THE HUMAN FACTOR. Various reports indicate human error to be the most dominant reason for cyber-attacks in an organization. The top 5 human errors are falling for email phishing, letting unauthorized users access corporate devices, poorly managed user passwords, poorly managed privileged accounts and mis-delivery. All these points have one underlying solution: USER AWARENESS. I know most of you must have automated measures in place for privileged accounts, automatic password policies etc., but breaches still happen.

Below are some tips/topics for creating a security training programme to close the gap between the weakest link (the Human Factor) and security. The training module should cover at least the following awareness topics:
• Email security
• Mind of a hacker
• Use of Freeware
• Passwords
• Clear Desk
• Privacy
• Security of mobile devices
• Social engineering
• Identity theft
• Insider threats
• Securing supplier relationships
• Access control
• Backup Importance
• Cloud security
• Importance of Cybersecurity
• Viruses
• Protecting intellectual property
Users need to complete these self-paced or classroom trainings within 3 months of joining the organization. On completion of 3 months, an exam may be organized to ensure user knowledge, and if he/she fails to clear it, special steps should be taken to educate the user. Mock spam emails and mock discussions on access management and data breaches can be conducted to understand user awareness and alertness. Security awareness banners can be displayed in cafeterias, on computer screens, on application login screens and on notice displays. A family education day can be organized in organizations, where kids and families are educated on how to deal with cybercrime. A no-blame culture should be induced in the organization, where users can freely voice their queries and concerns about security and can report incidents freely. Let us all join hands and work towards making as many people as possible aware of this new threat which is circling our mankind!
HOW TO IMPROVE THE EFFECTIVENESS OF DATA LOSS PREVENTION (DLP) PROGRAM
REETWIKA BANERJEE,
ENTERPRISE DATA PRIVACY CONSULTANT- ACCENTURE
AUTHOR'S BIO
Reetwika Banerjee is a professional Cyber Security Expert, presently associated with Accenture as their Enterprise Data Privacy Consultant. Her principal role is to advise senior management on high-tech cyber security threats and on how to prevent confidential data from leaking out of their organization's network. She is also an internationally awarded author. Her latest book 'Cyber Security at your Fingertips' was released at the New Town Book Fair 2018 by eminent judges of the Bangalore and Calcutta High Courts. To chase her passion and educate common people about security threats, the need for data privacy, prevalent cybercrimes and their prevention, Reetwika contributes as a regular columnist to many multinational news portals and forums. You may write to Reetwika at: reetwikab@gmail.com.
INTRODUCTION
Data is now recognized as one of the most valuable corporate assets, one that needs to be protected at any cost. Loss of critical data may lead to direct financial losses such as loss of business, a dropped stock index and huge penalties, and at the same time to notional losses such as goodwill, customer confidence, non-compliance and legal liabilities. Thanks to the global digital boom, the last five years have seen an exponential increase in business data volume across industries. Thus it is becoming extremely critical for all business houses (be they small, SMB or large) to implement strong data protection strategies in order to prevent devastating financial or notional losses.

As explained in my previous article, Data Loss Prevention (DLP) is the method of monitoring, detecting and blocking the leakage of sensitive data out through an organization's various communication channels. It can be done using a set of scientific tools, processes and techniques. According to one of the recent Gartner reports, more than 100 Data Loss Prevention (DLP) solutions have come up in the market in recent times, each catering to the differing needs of organizations. Apart from market leaders like RSA and Symantec, there are many others which offer customized data loss prevention solutions based on business needs. Pricing models vary from per core and fixed licensing cost to per user. Whoever your DLP partner is, any data leakage prevention solution requires significant resource investment, and thus organizations need to ensure they are getting a positive return on investment.

Common Pitfalls of DLP Solutioning
No doubt, the key to a successful deployment of a DLP solution remains the accuracy of its results. Let us take a sneak peek at the common pitfalls of a DLP program before discussing DLP policy optimization. The following list summarizes the key challenges faced after implementation of a DLP solution in any business house.

Challenge 1: Huge Number of False Positives
Large organizations often generate up to 80% false positives after company-wide installation of a DLP tool at their endpoints and networks. Whatever the reason, from a DLP architect's point of view this will not only lead to unproductive time and resource consumption, but may also end up delaying action on true incidents.

Challenge 2: Repeat Offenders
It is often seen that there is a common segment of repeat offenders violating the DLP policies even after regular CIO notifications, awareness emails, controllership notices, desktop campaigning etc. are circulated. This may be due to ignorance, justified business requirements, personal curiosity, seniority or intentional breaches. Whatever the root cause, a high count of repeat offenders brings down the effectiveness of the overall DLP solution, making the DLP architect's life miserable.

Challenge 3: Commonly Recurring Top Domains
Like repeat offenders, it is often found that the maximum number of DLP incidents are generated from the domains of commonly recurring business units such as Marketing, Sales, Training, Recruitment HR and Legal functions. This is primarily because, due to the very nature of their work, these users need to frequently exchange files with external domains outside the company network. Blocking their actions through DLP may hinder legitimate business responses.

Challenge 4: Inefficient Rules and Keywords
Whenever a DLP solution is deployed, default policy and rule settings are configured based on regular expressions (RegEx) that match patterns resembling standard sensitive data forms such as Personally Identifiable Information (PII), Personal Health Information (PHI) or Payment Card Information (PCI). If these keywords are wrongly defined at the time of configuring the DLP tool, the results might go topsy-turvy.

Challenge 5: Architectural Design Issues
DLP design flaws such as selecting an improper DLP tool (vendor), policy definition, architectural flaws, a faulty operational model, insufficient coverage areas (endpoint/network/data at rest), encrypted traffic etc. can severely impact the performance of a DLP implementation.

Best Practices for DLP Policy Optimization
One point is beyond doubt: the accuracy of DLP output is the key to success, and it can only be achieved by optimizing the DLP policies. Blindly blocking external data movements cannot be set as the default action at the enterprise level. DLP policies should be defined and followed according to the different business units. However extensive the DLP deployment, business objectives will not be met until it ensures the smooth running of business with no data breach. For that, organizations need to be cautious about the common pitfalls we just discussed and at the same time follow certain industry best practices to maximize DLP policy optimization.

Phase-wise Deployment
Even if the business is small in scale, DLP deployment must be planned in phases, identifying a handful of business functions at a time depending on the size of the organization. After the DLP tool is installed, a pilot run on sample users must be tested, run, closely monitored, analyzed and then fine-tuned to meet the desired precision of results. Once it is successful, the same can be rolled out to the next level.

Thorough Analysis of DLP Incidents
In-depth monthly analysis of the generated DLP incidents will help the architect to evaluate the efficiency of the current DLP rules and keywords. A dedicated team of analysts must be identified to do just-in-time and post-log analysis of the reported DLP incidents.

Score-based Policy Analysis
Based on the analysis performed, evaluate the efficiency of current policies against a scoring system built on criteria like the number of false positives, number of repeat offenders, top breaching domains, highest grossing BUs etc., measured against the total user population and the DLP rules. This will give a clear picture of the ineffective DLP policies in place, which can then be actioned accordingly.

Fine-tune the DLP Rules, RegEx and Keywords
Based on the incident analysis, fine-tuning of the current DLP rules, RegEx and keywords would help in significantly reducing false positives.

BU-customized DLP Policies
If any special requirement arises for a designated Business Unit (BU) to violate the organization's DLP policies, then there must be provisions to customize the DLP policies for that BU. This will significantly bring down the count of false positives and repeat offenders.

Approved Security Exceptions
If a trend is observed in terms of repeat offenders or top domains generating similar types of DLP incidents in the last 6 months, it is better to analyze deeper and investigate whether there are any business needs for the related violations. If yes, then it is suggested to have a security exception approved by the CISO to reduce the number of repeat offenders and/or top domains contributing significantly to the count of DLP breaches.

Conclusion
The purpose of data protection is not just to safeguard the owner's privacy, but to protect the fundamental rights and freedoms of all the entities who are related to that piece of personal data. To ensure that sensitive information is secure, it is important to know where the data resides in the environment, whether it is being processed for any business need, who will have access to that data during and after processing, etc. For any organization dealing with large volumes of restricted data (e.g. subscriber info, customer databases, payment card details, legal contracts, patient health records, financial reports etc.), it is always advised to implement Data Discovery and Data Classification solution packs before the data passes through the DLP program. Together, these will help in significantly improving the efficiency of the DLP program and thus make the overall ecosystem more stable.
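As an added example that is not part of the article (nor any vendor's DLP product), the following Python script shows two of the points above: a default-style payment-card RegEx beside a tuned one that validates the Luhn checksum, and the score-based policy analysis (false positives, repeat offenders, top domains and top BUs) run over a constructed incident log. The user names, domains, business units and card test numbers are all assumptions.

```python
import re
from collections import Counter

# Constructed DLP incident log (assumption, not from the article): outbound
# e-mail events with user, business unit, recipient domain, the text that hit
# the payment-card rule, and whether an analyst later confirmed a real leak.
# Card numbers are the well-known public test numbers, not real PANs.
INCIDENTS = [
    {"user": "asen", "bu": "Sales", "domain": "partner-a.example",
     "text": "PO 1234567890123456 attached, please confirm", "confirmed": False},
    {"user": "asen", "bu": "Sales", "domain": "partner-a.example",
     "text": "invoice 2019071900001234 for July", "confirmed": False},
    {"user": "bkar", "bu": "Finance", "domain": "bank.example",
     "text": "card 4111 1111 1111 1111 exp 12/21", "confirmed": True},
    {"user": "ckha", "bu": "HR", "domain": "recruiter.example",
     "text": "candidate card 5555555555554444", "confirmed": True},
    {"user": "dlal", "bu": "Legal", "domain": "lawfirm.example",
     "text": "case ref 1234567890123456", "confirmed": False},
    {"user": "asen", "bu": "Sales", "domain": "partner-a.example",
     "text": "quote 2019071900001234 revised", "confirmed": False},
    # A campaign code that happens to pass Luhn: the residual false positive
    # that a BU-customized policy or an approved exception has to absorb.
    {"user": "eroy", "bu": "Marketing", "domain": "agency.example",
     "text": "campaign code 1111222233334444", "confirmed": False},
]

# Default-style rule: any run of 13-16 digits is treated as a card number.
NAIVE_PAN = re.compile(r"\b\d{13,16}\b")
# Tuned rule: allow space/dash separators, then require a valid Luhn checksum.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_pan_hits(text: str) -> list:
    """What the default RegEx flags: PO numbers and case refs included,
    while a card written with spaces slips through."""
    return NAIVE_PAN.findall(text)


def tuned_pan_hits(text: str) -> list:
    """Separator-tolerant match plus checksum; returns the digit strings."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def score_policy(rule, incidents, repeat_threshold: int = 2) -> dict:
    """Score a rule the way the article suggests: false positives, repeat
    offenders, top domains and top business units among what it flags."""
    flagged = [inc for inc in incidents if rule(inc["text"])]
    false_pos = [inc for inc in flagged if not inc["confirmed"]]
    users = Counter(inc["user"] for inc in flagged)
    return {
        "flagged": len(flagged),
        "false_positives": len(false_pos),
        "fp_rate": round(len(false_pos) / len(flagged), 2) if flagged else 0.0,
        "repeat_offenders": {u: n for u, n in users.items() if n >= repeat_threshold},
        "top_domains": Counter(inc["domain"] for inc in flagged).most_common(3),
        "top_bus": Counter(inc["bu"] for inc in flagged).most_common(3),
    }


if __name__ == "__main__":
    for name, rule in (("naive", naive_pan_hits), ("tuned", tuned_pan_hits)):
        print(name, score_policy(rule, INCIDENTS))
```

On this constructed log the naive rule scores 5 false positives out of 6 hits with one repeat offender, while the tuned rule scores 1 out of 3 and also catches the spaced card number the naive rule missed.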
ROLE OF ARTIFICIAL INTELLIGENCE & MACHINE LEARNING IN CYBER SECURITY
SUDIPTA BISWAS,
CORE COMMITTEE MEMBER OF INFOSEC FOUNDATION
AUTHOR'S BIO
A Graduate Engineer with 32 years of industry experience in the domain of Information Technology & Information Security. His past assignments were in companies like GEC & BHEL. He is an expert in the Information System Security domain with deep exposure in governance, compliance, procedures & strategies. His knowledge covers a wide spectrum, with a holistic view on people, process and technology, focusing on information security, data protection, privacy, incident management and audits. He is a certified ISO 27001 Lead Auditor, Ethical Hacker, CIISA & CISP, an active member of DSCI, Kolkata Chapter & NASSCOM, and a Core Committee member of Infosec Foundation.
A
rtificial intelligence(AI) and Machine learning(ML) are changing the natural order of things—right from how we work and how the economy runs, to the nature of today’s warfare, communications, privacy protection norms, etc. Classic example of AI is Driver-less Car. While their long-term impact remains uncertain, these technologies are a huge help to cyber security
experts as they can be used to quickly identify and analyse possible attacks. Artificial intelligence (AI) is the ability of a computer program or a machine to think, learn and act like a human being. It is also a field of study that tries to make computers smart. The main goal of AI is to enable the development of computer systems that are able to do the things that humans do. AI involves the study of different methods for making computers behave as intelligently as people. It is the concept of making machines capable of performing tasks without human intervention, such as building smart machines. Machine learning (ML) is a subset of AI and is based on the idea of writing computer algorithms that automatically upgrade themselves by discovering patterns in existing data, without being explicitly programmed. It is also used to automatically analyse the way interconnected systems work in order to detect cyber-attacks and limit their damage. The entire processing of ML tools depends on data. The more data
an algorithm obtains, the more accurate it becomes and thus, the more effective the results it delivers. The role of machines in cyber security Machine learning and artificial intelligence (AI) are being applied more broadly across industries and applications than ever before, as computing power, data collection and storage capabilities increase. From the cyber security perspective, this means new exploits and weaknesses can quickly be identified and analysed to help mitigate further attacks. The perfect fit Machines are much better and more cost-efficient than humans when it comes to handling huge amounts of data and performing routine tasks. This is exactly what the cyber security industry needs at the moment, especially with the large number of new threats appearing every day. Most of these new threats can easily be classified under
BY
&
17
FOR THE CIOs. BY THE CIOs.
existing families or familiar types of threats. In most cases, spending time looking at each new threat in detail would, in all probability, be a waste of time for a researcher or reverse engineer. Human classification, especially in bulk, will be error-prone due to boredom and distractions. Machines, however, do not mind going through the same routine, over and over, and they perform routine, repetitive tasks much faster and more efficiently than people do. But that doesn’t mean they always get it right. Even with AI, it is necessary to keep an eye on the work to check whether the algorithms are still working within the desired parameters. AI and ML without human interference might drift from the set path. But working in partnership with AI, researchers are relieved of the burden of menial work. The impact of AI and ML The past five years have seen a tremendous rise in the use of AI and ML technologies for enterprises. Most applications can be attributed to advancements in computing power and the evolution of paradigms like distributed computing, Big Data and cloud computing. Early commercial applications of ML were pioneered by technology giants like Google, Amazon and Facebook. These businesses managed to build a store of valuable behavioural data from millions of users. In order to effectively collect, cleanse, organise and analyse their consumer data, these companies built scalable Big Data frameworks and applications which were then open sourced to the world. This helped these frameworks to improve fast and allowed businesses to derive more value from their data. Organisations are already beginning to use AI to bolster cyber security and offer more protection against sophisticated hackers. AI helps by automating complex processes for detecting attacks and reacting to breaches. 
Machine learning and artificial intelligence (AI) are being applied more broadly across industries and applications than ever before, as computing power, data collection and storage capabilities increase. From the cyber security perspective, this means new exploits and weaknesses can quickly be identified and analysed to help mitigate further attacks. How is Artificial Intelligence being used? In order to detect unusual behaviour on a network, there are newer security technologies that are using Artificial Intelligence programs. AI uses machine learning to detect similarities and differences within a data set and report any anomalies. Machine learning is a part of AI that can help to recognize patterns in data and predict effects based on past experience and data. AI systems, in most of the cases, use machine learning technology to generate results that replicate human functioning. As per an article published in Forbes titled Separating Fact From Fiction:
The Role Of Artificial Intelligence In Cybersecurity, ML, coupled with application isolation, prevents the downside of malware execution — isolation eliminates the breach, ensures no data is compromised and that malware does not move laterally onto the network. Another way that cyber-attacks are changing are in terms of speed. Humans are not able to detect the abnormalities at the speed that the attacks happen. AI, however, can assess a huge amount of data generated on a network to identify what doesn’t belong there. AI solutions can work effectively if there are powerful input data, so organizations can start to capture their log data and consolidate into a common data repository so that the broad set of AI-enabled tools and analytics can become effective. There should also be a complete visibility to all aspects of the network, which includes internal network communication, server logs, etc. Security experts are hoping to use predictive analytics to frame new ways to deal with cyber threats. These are insight driven solution enabled with the help of AI. Machine learning can help in anti-malware, performing dynamic risk analysis and detecting anomaly. AI techniques can be made to learn to remove the noise or unwanted data, and facilitate security experts to understand cyber environment for detection of any anomalous activity. AI can also benefit cyber security with automated techniques to generate cyber courses of action (COAs) whenever cyber threats are detected. It is believed that now is the time to seriously contemplate artificial intelligence for cyber-security for any business. If you wish to protect your business data against cyber-attacks How AI and machine learning can help prevent cyber attacks AI systems and deep learning algorithms are already helping cybersecurity professionals develop effective solutions to fight against cyber-crime. 
If it weren’t for artificial intelligence and machine learning, the cybersecurity landscape would be very different than it is right now. As cyber threats evolve, and the attacks become more complex and widespread, conventional defense tools are often not enough to detect and stop them on time. Therefore, security solutions that are powered by machine learning are the next big thing in cybersecurity. Thanks to their ability to learn and adapt over time, such tools can promptly eliminate well-known threats, as well as respond to new emerging risks before they do any harm, by recalling and processing data from prior attacks. Another benefit of artificial intelligence is the ability to perform specific tasks on its own, this way saving time and reducing the risk of human error. Unlike people, AI systems don’t make mistakes as they handle threats according to a
BY
18
&
standardized playbook, this way responding to each threat in the most effective way. With the AI systems on their side, security experts can spend less time performing routine tasks and focus on building a stronger defense that would allow stopping sophisticated cyber-attacks before they even occur. Therefore, implementing machine learning and AI systems is crucial to stay one step ahead of cybercriminals. And yet, no technology is a silver bullet, and AI is just a tool, which can only do what criminals or security experts command it to do. AI and ML may become new paradigms for automation in cybersecurity. They enable predictive analytics to draw statistical inferences to mitigate threats with fewer resources. ... Applications for automated network security include self-encrypting and self-healing drives to protect data and applications. In the current world of data del¬uge, it is nearly impossible for humans alone to analyze the billions of logs generated from the existing infrastruc¬ture components. Integrating AI into the existing systems including Security Monitoring Solutions, SIEM, Intru¬sion Detection Systems, Cryptograph¬ic technologies and Video vigilance systems can help in addressing many of these challenges to a larger extent. Application of AI based technologies into the existing systems will bring in much enhanced systems that help in better decision making. Some of the key areas where in the functionalities of AI makes a difference are: • Data Mining • Pattern Recognition • Fraud Detection • Analytics • Fuzzy Logic • Development of expert Systems Within the Cyber security sector, these attributes of AI can bring in tre¬mendous benefits, out of which some of them are already in place and there are huge opportunities yet to explore. Machine learning based antivirus sys¬tems and tools can help in quickly and accurately identifying malware like Polymorphic virus based on its con¬tinuous learning capabilities. 
Such sys¬tems can detect suspicious files based on the behavioural or structural analysis and it helps in detecting threats at an early stage. It can easily determine the likelihood of a malicious virus attack by analysing and breaking down the DNA of each file. Along with AI and ML, another aspect of security which CISOs are concerned about is compliance. Every organization needs to be compliant with numerous regulations and noncompliant to any of these can lead to heavy fines. For example,
FOR THE CIOs. BY THE CIOs.
General Data Protection Regulation (GDPR) which will be a reality in few months can cost €20m or 4% of annual global turnover if the organization is found non-compliant. AI and ML with sup¬port of cognitive computing is ena¬bling the enterprises to keep a track of their compliance status to avoid any legal issues. As the digital world is moving fast, we can expect completely automated Cyber-attacks orchestrated by intelli¬gent machines. These expert systems will have the potential to analyse the DNA of past attack models, strategies and utilize its acquired knowledge for organizing new attack models attacks that have higher success rates and larg¬er impact. As human resources alone won’t be enough to combat this, the need of the hour for global organiza¬tions, Government and defence agen¬cies is to suit up their existing Cyber security and defence environment with AI and its underlying technologies. “Cybersecurity solutions that rely on ML use data from prior cyber-attacks to respond to newer but somewhat similar risks.” In this way, an AI system powered by ML can leverage what it knows and understands about past attacks and threats to identify other attacks in the same vein or style. Because hackers are consistently building upon older threats – including new abilities or tweaking previously used samples to build out a malware family – utilizing AI and ML systems to look out for and provide notification of emerging attacks could be incredibly beneficial to stemming the tide of zero-day threats. AI and ML have made it a bit easier to detect the proliferation of malware and identify early on in the lifecycle if a file/ resource is showing signs of belligerent behaviour. This level of automation has been possible with pattern detection, behaviour-based anomaly detection and advanced use of heuristics – all based on Machine-learned solutions – to keep the intruders out. 
Types of artificial intelligence applications being used in cyber security solutions: it is up to human imagination. For the sake of clarity, the following application categories can be examined:
• Spam filter applications (SpamAssassin)
• Network intrusion detection and prevention
• Fraud detection
• Credit scoring and next-best offers
• Botnet detection
• Secure user authentication
• Cyber security ratings
• Hacking incident forecasting
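The detection idea the article describes, an ML-backed system that learns from samples seen in prior attacks and then recognises a lightly tweaked member of the same malware family, can be illustrated with a small similarity-based triage routine. This is an added example written for this page, not code from the article or from any product it mentions. The "structural DNA" feature sets (imported API names, section names, notable strings, sandbox behaviours) are constructed toy data, and the family labels and the 0.5 flagging threshold are assumptions; a production system would learn these features and thresholds from a real corpus.

```python
"""Family-similarity triage for new files (added example, not from the article).

A file whose structural and behavioural features overlap strongly with samples
from a known malware family is flagged as a likely variant; a file that resembles
nothing seen before is routed to deeper analysis instead of being waved through.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed toy "DNA" of past samples: each entry is (label, feature set).
# Features are coarse static/dynamic observations an analysis pipeline might
# extract: imported API names (api:), PE section names (sect:), notable
# strings (str:) and sandbox behaviours (beh:). Labels are hypothetical.
KNOWN_SAMPLES: List[Tuple[str, frozenset]] = [
    ("ransom_X", frozenset({"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
                            "sect:.text", "str:README_DECRYPT.txt", "beh:mass_file_rename"})),
    ("ransom_X", frozenset({"api:CryptEncrypt", "api:FindNextFileW", "api:DeleteFileW",
                            "sect:.text", "str:HOW_TO_RECOVER.txt", "beh:mass_file_rename"})),
    ("stealer_Y", frozenset({"api:InternetOpenUrlW", "api:RegQueryValueExW", "sect:.text",
                             "sect:.upx0", "str:login_data", "beh:reads_browser_store"})),
    ("benign", frozenset({"api:CreateFileW", "api:ReadFile", "api:MessageBoxW",
                          "sect:.text", "sect:.rsrc"})),
]


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set overlap in [0, 1]; 1.0 means identical feature sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def best_match_per_label(features: frozenset,
                         samples: Iterable[Tuple[str, frozenset]] = KNOWN_SAMPLES
                         ) -> Dict[str, Tuple[float, List[str]]]:
    """For each label, the similarity to its closest sample and the shared features."""
    best: Dict[str, Tuple[float, List[str]]] = {}
    for label, known in samples:
        sim = jaccard(features, known)
        if label not in best or sim > best[label][0]:
            best[label] = (sim, sorted(features & known))
    return best


def triage(features: Iterable[str],
           samples: Iterable[Tuple[str, frozenset]] = KNOWN_SAMPLES,
           flag_threshold: float = 0.5) -> dict:
    """Classify a new file by its nearest known sample.

    Returns the verdict, the closest label, the similarity score and the
    features shared with that sample, so an analyst can see why it fired.
    """
    feats = frozenset(features)
    matches = best_match_per_label(feats, list(samples))
    label, (score, shared) = max(matches.items(), key=lambda kv: kv[1][0])
    if score < flag_threshold:
        verdict = "unknown"          # nothing in history looks like this: sandbox it
    elif label == "benign":
        verdict = "likely_benign"
    else:
        verdict = "likely_variant"   # same family, lightly modified
    return {"verdict": verdict, "closest": label,
            "score": round(score, 3), "shared": shared}


if __name__ == "__main__":
    # A tweaked build of ransom_X: new ransom-note name and one extra import,
    # but the encryption/file-walking core is unchanged (constructed input).
    variant = {"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
               "sect:.text", "str:PAY_NOW.txt", "beh:mass_file_rename", "api:Sleep"}
    print(triage(variant))
    print(triage({"api:Foo", "api:Bar", "sect:.text"}))
```

The threshold is the operational knob: raising it to 0.7 in the usage above turns the same variant into an "unknown", so a lower threshold catches more family members at the cost of more false positives, which is why the "unknown" verdict exists as a route to sandboxing or an analyst rather than a silent pass. Jaccard over hand-picked features is a deliberately simple stand-in for the learned models the article has in mind; the triage logic around it is what carries over.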
WHY OUR MOBILE PHONES HAVE EXTREMELY WEAK SECURITY?
CHITRANJAN KESARI,
HEAD IT, KANAKIA GROUP
AUTHOR’S BIO
A management professional by profession, with a deep interest in technology. He belongs to a highly educated teacher family that values education and integrity. During his 20 years of career, he has understood the importance of learning and core values in leadership roles. An avid writer and winner of several awards, a deep follower of Seva, Sadhana and Satsang, he believes in the present moments of life. He is currently working on several AI-based innovative projects to improve customer experience.

I was surprised when I installed security software on my phone and found a lot of infections, and a lot of exposure to infection, on it. After that installation I believe that our mobile phones are extremely vulnerable and stand a strong chance of coming under cyber-attack. Recently we have heard a lot of news about cybercrime, data theft, mobile attacks, ATM attacks, transfers of money from one account to another, sharing of OTPs and so on. This generation of security threats is very advanced: the attacks are well-informed and sophisticated in nature, and it looks as if attackers are investing more in their research on cyber-attacks than is being invested in cyber security. The first generation of threats were viruses on floppy discs that infected DOS/Windows 95 based computers, targeting single computers and, through Novell networks, other DOS-based computers as well; the second generation of viruses attacked networked computers, Novell and Windows NT; the third generation involved browser-based threats, and so on. Each generation of attacks has grown bigger than the last. The new generation of attacks is creating a lot of business problems. Cryptocurrency is a buzzword these days; we have already taken a lot of protection against several types of ransomware, where the attackers ask for ransom money in return for unblocking the data.

Why are we thinking only of desktop/laptop protection and not of our mobile phones? Today no company is investing any amount in basic mobile security, and yet our mobile phones contain more information than our desktops. Phones also act as lockers for personal data, especially photographs, and online storage such as OneDrive and Google Drive is all linked to our mobile phone. Sometimes we receive links by SMS asking us to open them for various opportunities, gifts, insurance, mutual fund account opening, bank account statements and the like. These days we have found cases of attacks on phones through malware sent inside an SMS text, which has the capacity to remotely take over a mobile phone. The result was hackers gaining knowledge of banking passwords and other credentials; even SIM swap and the encrypted WhatsApp messaging app are vulnerable and have been targeted by online fraudsters.

The data show that India faces a higher number of cyber-attacks, and 45 percent of the total attacks that happen globally occur in India alone. In the overall scenario, we have to wake up and do something for our mobile phones: start using basic cyber security, anti-virus for mobile phones, and awareness about clicking and opening any link on mobile. Overall, healthy habits can protect our mobiles from viruses and malware.
FOUR ESSENTIAL CONCEPTS TO SECURE YOUR CLOUD
RAJESH MAURYA,
REGIONAL VICE PRESIDENT, INDIA & SAARC, FORTINET
AUTHOR’S BIO
Rajesh Maurya has a rich experience of 24 years in Information Technology and has held positions in Business Planning, Sales, Marketing, Channel Management and Team Management with organizations in Information Security, Network Management and IT Consulting. He has been with Fortinet since 2004 and has been heading the SAARC region as Regional Vice President since 2014. He has driven Fortinet’s aggressive growth plan in the region through market penetration and expansion of the customer base across verticals and regions. Before joining Fortinet he worked with Sify Technologies and Microland. Rajesh holds an MCS and a graduate degree in Economics and Financial Accounting.

The most important attribute of the cloud is that critical business applications can be deployed, managed, and distributed faster and more easily than by any other method, giving employees and customers real-time access to critical information—wherever they are located and on whatever device they are using. This requires nimble resources that can scale and move, and applications that are simple and intuitive to use, have access to real-time data, and can be quickly updated to meet constantly evolving trends. Likewise, internal workflows across devices—and different clouds—need to be highly available, flexible, and responsive in order to support critical functions and complete transactions. Security is just as critical a component of any cloud environment—especially as cybercriminals look to exploit the rapidly expanding attack surface. But to be effective, it needs to be as agile and dynamic as the cloud infrastructure being protected. It is just as impossible to protect a cloud environment using legacy security solutions as it is to build a cloud using legacy network components and traditional application development strategies. Effective security not only needs to protect connections between data and users, but also to secure literally every connection to every physical or virtual device across the distributed infrastructure, even those that are constantly moving across—and even between—multi-cloud installations. In such an environment, complexities arise from the use of different security solutions: a solution that is only available on a single cloud platform may not be available on others, and may have functional limitations. Such deployments have actually imposed limits on the true potential of the cloud. Too many organizations have failed to address this security challenge holistically, often overwhelmed by the scope and scale of the challenge.
Four Essential Cloud Security Concepts
To address these challenges, organizations need to incorporate the following four security concepts into their cloud development strategies:

1. Security-led cloud development: Security breaches tend to be the result of a determined cybercriminal exploiting the weakest link in an organization’s attack surface, and for many organizations the adoption of the cloud has expanded their attack surface exponentially. Eliminating those weak links requires security to be enforced consistently everywhere, even when the infrastructure is in a state of constant flux. Because infrastructures are expanding and changing so rapidly, it is essential that an overall security plan become the foundational requirement for any network change. Mandating that proper security tools, policies, and procedures are in place before any new resources are spun up allows security to adapt in sync with infrastructure and application changes. This requires selecting security tools that understand the infrastructure in which they have been placed, and that can also operate consistently across all environments—including multi-cloud—to enforce policies and ensure the visibility that enables secure applications and connectivity from data center to cloud. Even minor variations in adaptability and enforcement can create security gaps that cybercriminals are all too willing and able to exploit.

2. Cloud-native security: Since data and workflows need to move throughout the infrastructure and to the cloud, security needs to function consistently. Selecting a cloud firewall from the same vendor that is protecting the organization’s physical assets will not necessarily solve that problem. These solutions need to interact seamlessly with cloud services, subscribe themselves to those services, and identify cloud-based resources in the same logical way that they identify other resources. That said, the underlying technology used for protecting networks is very different from the technology used for protecting cloud-based resources, but the practice of managing security needs to remain similar. That is why native integration into the cloud infrastructure is critical. Compounding this problem, cloud environments also operate very differently from each other, and organizations can often end up with a heterogeneous set of technologies in use, with disparate security controls in various cloud environments. This creates additional challenges for coordinating and enforcing security. In addition to cloud-native integration, security tools also need to be able to translate policies on the fly so they are enforced consistently across environments.
That requires selecting a vendor with solutions that are natively integrated into as many cloud platforms as possible, to ensure consistent security and connectivity from data center to cloud no matter the cloud infrastructure.

3. Multiple form factors: Consistent security enforcement depends on the same security solutions being deployed across as many platforms and in as many different form factors as possible. Applications, for example, should be able to make calls to a cloud-based security solution to identify and protect specific data and transactions. Container-based applications should have access to containerized security tools in order to easily integrate security functionality into the application chain. And ideally, these tools should be operated in exactly the same way as solutions deployed everywhere else across your distributed infrastructure, including at branch offices and edge devices. However, don’t fall into the trap of thinking that a virtual version of your network firewall will be adequate for your cloud or container deployment. As stated previously, each form factor of a solution needs to integrate natively into the environment in which it is placed if you want consistency in enforcement combined with the ability to address the unique challenges of individual ecosystems.

4. Central management: One of the biggest complaints from network administrators is that they cannot see and manage their entire network through a single console that extends visibility across physical and virtual networks. A management solution that can see and close the gates against an attack in one area of the network but not in another is likely to lead to a compromised infrastructure. To eliminate gaps in security enforcement, organizations need a single pane of glass to gain visibility and define consistent security policies throughout the entire infrastructure, so as to manage risk effectively. Security solutions need to share and correlate threat intelligence, receive and implement centrally orchestrated policy and configuration changes, and coordinate all resources to respond to detected threats.

Rethink Your Security
Traditional security models, where devices are placed at a network gateway to monitor predictable traffic and devices, are obsolete. Today, security needs to span your distributed infrastructure, dynamically scale when application resources grow, and automatically adapt as the infrastructure continuously adjusts to changing demands. Just as important, it also needs to ensure consistent functionality and policy enforcement regardless of its form factor or where it is deployed. Achieving that may require you to rethink your current security infrastructure. If the cloud is going to play a significant role in the future of your organization, you may be better off finding a single vendor that supports your overall application lifecycle and infrastructure roadmaps and expansion plans—especially a solution that provides consistent protection and functionality across multiple public and private cloud domains, even if that means replacing the traditional security hardware you have deployed on-premise.

The native integration capabilities of a broad protection toolset, all of which can be automated and centrally managed, are the security foundations necessary to enable uniform policy enforcement, collaborative threat sharing, centralized management and orchestration, and a single view across your entire distributed infrastructure; they give your organization the confidence to deploy any application on any cloud infrastructure. Without a powerful, integrated, and automated security framework designed to span, grow, and adapt to your entire network, you are flying blind, and today’s aggressive cybercriminals are all too willing and able to exploit that weakness.
WHAT IT TAKES TO BUILD A SECURITY CULTURE?
RAVINDER ARORA,
INFORMATION SECURITY SPECIALIST, GENPACT
AUTHOR’S BIO
Ravinder Arora is currently working as Information Security Specialist, GENPACT. With 15 years of working experience, he has been a winner of TOP100 CISO, Innovative CIO, India’s Top CSO and Info-Sec Maestros, and has won the award for Head Information Security. Speaker, trainer, and Head Information Security at IRIS Software. Technology expertise: Application Development, Business Intelligence, Disaster Recovery and Business Continuity, Datacenter Management, IT Operations Management, IT Asset and Infrastructure Management, IT Compliance and Risk Management, Security Architecture and Design, Network Security (Wireline and Wireless), Security Operation Centre (SOC), Data Centre Security, Web and Email Security, Application and Database Security, Security Incident Management, Access Control, Endpoint Security, Risk Assessment, Vulnerability Management, Security Policies and Security Audit and Compliance. Business and management expertise: Project and Program Management, Training and Education, Vendor Management, Budgeting and Financial Management, Risk and Compliance Management. He is a member of the Data Security Council of India and a member of the National Skill Development Mission.
An organization’s security culture requires care and feeding. It is not something that grows in a positive way organically. You must invest in a security culture. A sustainable security culture is bigger than just a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever.
Why does an organization need a security culture? The primary answer is something that deep down we all know: in any system, humans are always the weakest link. Security culture is primarily for the humans, not for the computers; the computers do exactly what we tell them to do. With the use of technology and widespread connectedness to the environment, organizations have become increasingly exposed to numerous and varied threats. Outsourcing and off-shoring bring new partners into an extended enterprise, with different technologies, cultures, and sensitivities to information management. Contracting, telecommuting, and mobile workers all contribute new security risks. A survey conducted by the Computer Security Institute with the participation of the Federal Bureau of Investigation’s (FBI) Computer Intrusion Squad clearly stated that “Overall financial losses from 530 survey respondents totaled $201,797,340…” and “Cyber-crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks.” The time has come for organizations to elevate the level of information security education and knowledge within their organizations. A growing challenge is establishing and maintaining a strong security program. Organizations that do not have such a program need to look seriously at beginning a security awareness program to strengthen their defence system and protect their information resources. Technology alone is not a comprehensive solution.

Management commitment
Management awareness, commitment, and support are among the more common reasons given for security awareness. Involving top management and getting their support is essential in building a strong security awareness program that employees will take seriously. If management commitment is increased, and the security awareness goals and message are communicated, and communicated often, progress and improvement can be made in creating a security culture.

Dealing with globalization
A growing challenge is establishing and maintaining a strong security program that spans the globe. Even in organizations in which the security group has implemented a strong core program, it is still challenging to get business units worldwide to take ownership of their security risks.

Complying with laws and standards
Many organizations find it challenging to stay in compliance with various government laws and regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as industry standards, including the Payment Card Industry Data Security Standard (PCI-DSS).

Security Awareness Training
Security awareness training needs a foundation of policies. Although many types of policies are in place, there must be more development of policies for incident reporting, availability/disaster recovery, and social engineering. These policies are extremely important and should be included within an organization’s information security program. Once they are developed, it is crucial that employees receive training on these topics. More important still is that the organization has the right people to implement security successfully, meaning individuals who take ownership of security and build good relationships with others in the organization. The information security team has to conduct information security training for all employees, and this training should be mandatory for everyone, including top management. For example:
• Conduct polls or surveys about current security practices, with a random prize drawing for all responders
• Publish posters, short videos, and other “quick and easy” multimedia content
• Plan a contest for users and let them design posters or other security-themed content
• Develop an information security intranet site and host all information security policies on it
• Broadcast a monthly information security newsletter that covers a basic security practice
By implementing some of these changes, organizations can increase coverage of the components found in more formalized security awareness programs, achieve higher levels of security awareness maturity, and benefit from a stronger security culture. We can protect the company’s and customers’ information assets, business operations and intellectual property from a wide range of threats. Organizations can minimize business damage and ensure business continuity in the event of disasters, reduce the chances of business interruptions and reduce business risks. All employees have to understand that information security is everyone’s responsibility. Any information security leak could lead to serious reputation loss for any organization. Security is not a practice, it’s a culture!
GENERAL DATA PROTECTION REGULATION (GDPR) AND ITS IMPACT IN INDIA (PART : I)
BIVAS CHATTERJEE
ADVOCATE, KOLKATA HIGH COURT
AUTHOR’S BIO
Bivas Chatterjee qualified in Law from the University of Calcutta in the year 1997, and thereafter pursued his Masters in Law from Kakatia University. He is currently Special Public Prosecutor in Cyber Laws and Electronic Evidence related cases, engaged by the Government of West Bengal for the entire state of West Bengal and before the Hon’ble High Court at Calcutta. He has over sixteen years of professional experience, including experience of working in cyber law, and deals with major Information Technology, telecom and infrastructure companies. He is also the author of Electronic Evidence, Cyber Criminal Manual, Cyber Security and The Law, Cyber Contract (Legal Analysis), Dense Cloud (Legal Analysis of Cloud), Information Technology Manual, Your Ultimate Protection Guide and Cyber Adjudication. CID, West Bengal got its first conviction, as well as five convictions, in cybercrime and electronic evidence related cases where he was the special public prosecutor. He is certified in Cloud, Blockchain, Bitcoin, AI, IoT, Data Science and Cyber Forensics by various prestigious universities and organizations throughout the world. Under his lead, West Bengal saw five consecutive convictions in cyber-crime and Electronic Evidence related cases. He is also the legal adviser to CID West Bengal for Cyber Crime and Electronic Evidence related cases.
DATA AND THE MODERN ERA:
Data is the ‘air’ of the modern lifestyle. The different types of Personally Identifiable Information, i.e. a person’s name, picture, contact details, location data, race, sexual orientation, social security number, location, online identifiers, genetic information and face orientation, are all being collected by invisible data brokers. These invisible data brokers, without our knowledge, are collecting, packaging and selling our personal private data online and offline. It is also alleged that the various e-commerce and social site companies are collecting, storing and tracking our data. Our life is converted into a data package in which we ourselves are the product. Our every purchase, every journey, every like and dislike, our hobbies, our thinking, and thus every part of our life are digitized, tracked and logged. Today all around us we can find a data war in which unknown and invisible data brokers are stealing our data and profiling us. We know the cornerstone of all the laws in the world is human dignity. But technology moves at rapid speed while law, on the other hand, moves slowly. Today, with the growing use of various algorithms, the strained relationship between law and data analytics or Artificial Intelligence is becoming prominent. The intention of privacy legislation is to put a check on unauthorized collection, sharing, management and use of one’s personal data. There is an ongoing conflict between human rights and organizational rights. Online social media organizations are accessing one’s shared information, identifying a person and thus controlling his autonomy. Any kind of algorithmic failure will jeopardize one’s identity and autonomy in the days to come. In modern times Cambridge Analytica has proved to be a wake-up call.

Case Study: Recently, a family in the USA alleged that their private conversations in their house were collected and spied on through an AI-enabled smart speaker, which sent the conversations to persons in their contact list. Amazon later refuted that allegation.

GENERAL DATA PROTECTION REGULATIONS:
GDPR is the biggest revolution in the data protection law of the world. Europe has had privacy laws or directives since 1990 and 1994, long before the GDPR came into effect.
• It was passed by the EU Parliament in April 2016.
• It came into effect on May 25th, 2018.
• It has 99 articles and pages of long and complex regulations.
• Companies that have no physical existence in Europe but collect and process the personal data of Europeans are governed by these regulations.
• GDPR concerns itself with the transfer of personal data outside Europe.
• The data subject’s consent must be clear, freely given, informed and specific, and can be withdrawn without any consequence.
• The main function of GDPR is to protect the personal data of an individual, assuring its proper security, governance and management, and to help prevent the individual’s personal data from being misused.
• For GDPR compliance, companies have to implement solutions and processes that enable them to protect, discover, classify and monitor data.
In GDPR there are two significant players: one is the controller and the other is the processor. The controller who asks for personal data is duty bound to inform the data subject and take informed consent as to how the personal data will be used.
Both the controller and the processor are responsible for data breaches in organizations. The processor only processes the data as per the direction of the controller, and cannot use the personal data in violation of the regulations.

Text with EEA relevance, as per clause 173: This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons.

Some of the important articles of GDPR are discussed herein below:
ARTICLE 1: Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

ARTICLE 2:
2. This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; (c) by a natural person in the course of a purely personal or household activity; (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

ARTICLE 3: Territorial scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

ARTICLE 4: Definitions
For the purposes of this Regulation:
1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

ARTICLE 5: Principles relating to processing of personal data
1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

ARTICLE 6: Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

ARTICLE 7: Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

ARTICLE 9: Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

ARTICLE 21: Right to object
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
ARTICLE 33: Notification of a personal data breach to the supervisory authority
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

ARTICLE 34: Communication of a personal data breach to the data subject
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

ARTICLE 52: Independence
1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

ARTICLE 82: Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

ARTICLE 83: General conditions for imposing administrative fines
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

IMPACT:
GDPR is already having a global impact on consumers in the case of personally identifiable information. The GDPR has expanded the very definition of personal data. Companies dealing with personal data have to notify any breach or hacking of the organization’s data concerning the personal data of the citizens of all the European Union countries within 72 hours. People also say that GDPR is a de facto world regulation.

BRIGHTER SIDE OF THE GDPR:
• Companies will get a chance to reorganize their digital infrastructure and may earn the confidence of global citizens.
• The personal data of citizens will be protected.
• GDPR is a preparation ground for the legislatures of the entire world for drafting and enacting their own data privacy laws.

EFFECTS OF GDPR:
• GDPR is a journey and not a destination; in fact it is an ongoing, continuous compliance. After full compliance with GDPR, organizations have to show reasons to hold data and keep it safe. Companies have to obtain the data subject’s consent if they want to keep their information.
• Every country other than the European countries is closely watching the after-effects of GDPR coming into effect.
• The compliance cost of GDPR is very high for companies, as they have to spend four to five times more on the compliance employee structure, apart from the huge initial investment in a GDPR-compliant infrastructure within the company.
• GDPR compliance is not a one-time investment but a journey with an ongoing process, and hence continuous expenditure to be incurred.
• As per a 2018 report from a reliable source, 60% of companies in the world have to spend one million dollars on GDPR compliance.
• Given the existing corporate structure of India, the big question is whether companies are ready to handle GDPR compliance or will be forced to stop their operations in EU countries.

COMPLIANCE:
For GDPR compliance a company should put stress on the following issues:
1) The type of personal data collected, stored and used.
2) Whether the workings of the company come within the scope of GDPR.
3) The scope and definition of Data Processor and Data Controller in the company.
4) The company’s Data Breach Response Plan.
5) The company’s high-level responsibility for data security.

OBLIGATIONS OF CORPORATES:
Obligations to:
• implement privacy by design (relevant to Articles 25 and 32 of GDPR)
• perform data protection impact assessments (relevant to Article 35 of GDPR)
• report data breaches (Articles 33 and 34)
• appoint a Data Protection Officer (Article 37)
• ask for consent for direct marketing
• explain the purpose of data collection to the consumer

SECTORS TO COMPLY:
1) Companies which collect huge amounts of data, for example telecom, insurance, health and personal data, banking or financial data
2) Companies working on data analytics and artificial intelligence
3) Companies having online web, app and mobile data services
4) Blogs and websites having a login page
5) Companies dealing with personal data of an individual like email, phone number, date of birth, national identifiers
6) Organizations dealing with online identifiers like cookies, IP address, GPS data, or with religious and political views and sexual orientation
7) Companies dealing with children’s information
8) Online service providers who are processing the data of a customer who deals with EU citizen data

HOW TO FACE THE CHALLENGE:
1) Have a good information security practice/standard to protect the personal data of individuals.
2) Plan well to cover the various GDPR compliances.
3) The company’s data controller and data processor have to frame a policy and philosophy to minimize the exposure of the personal data they use and stick only to the approved purpose.
4) Companies should design a cyber-security policy to minimize any data breach.
5) Assign a dedicated individual or group of individuals who will focus on GDPR compliance.
6) Scan all the systems within the organization which host the data.
7) There has to be transparency in the policy and purpose of personal data within the organization: say what you do and do what you say.
8) Every organization should care about GDPR in order to face and prepare for the Indian data privacy legislation (i.e. the Personal Data Privacy Bill, if converted into an Act), which is about to come shortly.
9) Find out whether the company or organization is a data controller or a data processor.
10) Scan the data transfer process between the company and third parties.
11) Detail the personal data collected in the system and determine whether the data can be automatically deleted and can be ported.
12) Keep details of the consent obtained from the persons whose personal data is used.
13) Have a periodic review policy to assess the security control policy and the data breach plan, so that any data breach can be reported within 72 hours.

Consequences of Non-Compliance:
1) Companies may lose customers
2) Companies may lose trust in the broader market
3) They may bear the cost of getting new customers
4) They bear the cost of huge fines
5) They will face cyber security issues and frequent data breaches
6) They may not avail of competitive advantage

THE PENALTY IN GDPR IS SEVERE. Non-compliance with the regulation will result in a fine of up to 20 million Euro or 4 percent of annual global turnover, whichever is higher.

Relationship between GDPR and the algorithms of AI & Data Analytics
GDPR and its requirements have greatly challenged the operation and use of the algorithms of artificial intelligence and data analytics in the following ways:
1) As per GDPR there has to be clear and unambiguous consent from the person whose personal data is being used.
2) Algorithms of AI and data analytics have to be fair and should not result in bias and discrimination.
3) Personal data should be used only for the consented purpose.
4) Clarity as to who will be the Controllers and who will be the Processors.
5) Every individual whose personal data is used must be allowed to access their personal data.
6) Data are to be used and held for the consented specific purpose and for nothing else.
7) There cannot be any lack of accuracy resulting in discrimination.
8) There cannot be any lack of security measures, or any risk and accountability issues.
INDUSTRY 4.0 SECURITY
AMIT DASGUPTA

AUTHOR’S BIO
A competent professional with more than 22 years of experience, including 9+ years in Information Security Operations and Project Management. Experience spans different industries (Manufacturing, Printing and Publishing, FMCG, Retail etc.) and the information security domain in both Office and Process Control. Proven track record of managing complex projects within the defined goals for cost and project margin, schedule, quality, operational excellence, optimal usage of tools, and customer and employee satisfaction. Specific areas of expertise are IT-OT security, including compliance review and Risk Management in SCADA systems. Experience includes architecture, design and implementation of SIEM solutions; architecture, design and implementation of network- and host-based IPS/IDS solutions; architecture, design and process implementation of Mobile Device Management (MDM) and mobile security practice across different platforms; process design and implementation of 802.1x-based authentication for wired and Wi-Fi networks; creating frameworks for IT security policy, standards and procedures; and network and system security design and consulting. Has adequate knowledge of global standards and industry best practices in the IT-OT information security domain such as ISA/IEC-62443 (Security for Industrial Automation and Control Systems) and NIST 800-82r2 (Guide to Industrial Control Systems Security). A die-hard Kishore Kumar and Jagjit Singh fan. Bachelor’s Degree in Science from Calcutta University and a diploma in Aircraft Maintenance Engineering.
Industrial Revolution is a major change in the industrialization and innovation process from the previous era. The “Industrial Revolution” refers to a period of massive economic, technological, social and cultural change which affects humans to a huge extent. The First Industrial Revolution is referred to as Industry 1.0, the Second as Industry 2.0, and so on:

Industry 1.0: 1760/80 - 1830/40
Industry 2.0: 1870 - 1914
Industry 3.0: 1960 onwards
Industry 4.0: 2013 - continuing

Industry 1.0 refers to the first industrial revolution. It was marked by a transition from hand production methods to machines through the use of steam and water power. The implementation of new technologies took a long time; the precise dates are debatable, but the 1760/80s to the 1830/40s are most commonly cited. It largely started in Britain, and Belgium became the second country in Europe to be transformed economically. The industries most affected were textile manufacturing, iron, agriculture and mining.

Industry 2.0, the second industrial revolution, occurred between 1870 and 1914. It was made possible by electricity, which allowed factory electrification and the modern mass production line. It was also a period of great economic growth, with an increase in productivity. It caused a surge in unemployment, since many workers were replaced by machines in factories. The industries most affected were steel, railroads, petroleum, chemicals and electricity production.

Industry 3.0, the third industrial revolution, occurred in the late 20th century after the end of the two World Wars. The speed of Revolution 3.0 is brutal due to its digital and exponential nature. It is also called the digital revolution; Industry 3.0 began using memory-programmable controls and computers, with extensive use of computer and communication technologies in the production process. Disruptive innovation created value.

Industry 4.0 builds on the developments of Industry 3.0. Production systems that already have computer technology are expanded by internet network connections, which allow them to communicate with other facilities. This is the next step in
production automation. The networking of all systems leads to “cyber-physical production systems”, so production systems, components and people are connected and can communicate via a vast network. Digitization and integration of processes will help immensely in product development, manufacturing and services. Digitization of product and service offerings generates huge amounts of data on product use, and this helps to meet customers’ needs. Industry 4.0 connects the internet with manufacturing techniques to enable systems to share information, analyze it and use it to guide intelligent actions, which provides more insight into the status of the factory. Furthermore, peer-to-peer comparison produces information from various components, which provides the best predictive maintenance environment and near-zero downtime. It will help to lower the cost of doing business.

There are several challenges, but the following are the most critical:
A. IT-OT security issues, which are aggravated by opening up the previously closed production units
B. A secure, reliable and stable way to communicate between critical machines
C. Maintaining the integrity of production processes
D. Compensatory actions for any type of IT snag, to stop expensive production outages
E. Protection of industrial intellectual property

Let’s first understand basic industrial functionality. Supervisory Control and Data Acquisition (SCADA) is a distributed control system architecture used to control geographically spread assets. A SCADA control center monitors alarms and processes data from long-distance field sites. It generally pushes automated or operator-driven supervisory commands to field devices to control local operations. Its tasks include collecting sensor data and operating valves, pumps etc. over long-distance communication networks. Distributed Control Systems (DCSs) are a generally localized version of SCADA. DCS operational control is near the shop floor/plant, so it is more secure, cost-effective and reliable.

Programmable Logic Controllers (PLCs) are extensively used in most industrial processes. PLCs are solid-state closed-loop control system components that are used in SCADA and DCS for operational control. Because DCS and PLC are localized in nature, their communications run on high-speed, reliable LANs. Industrial Control System (ICS) is a general term used to describe a wide variety of control system equipment used to control industrial processes. An ICS is usually built using SCADA systems or DCS and PLCs. All such systems receive data from remote sensors and measure Process Variables (PV). They then compare these PVs with predefined Set Points and, depending on the result, execute command functions to control the process through Final Control Elements (FCE) like valves, pumps etc. Operational Technology (OT) refers to the combination of hardware and software dedicated to changing physical processes. OT is used to monitor and/or control physical devices such as valves, pumps and so on. A Cyber-Physical System (CPS) refers to any network-connected machine/instrument which is part of the physical world.

General characteristics of any CPS/ICS system are as follows:
• Ability to interact with the physical environment over a communication channel to receive input and/or respond. Security of the end devices and of the communication channel is a concern.
• Management and device control are generally distributed in nature. Authorization and authenticity are concerns here.
• Involves real-time control loops with predefined performance requirements. Confidentiality is a concern.
• It may be spread over a large geographical area. Lack of physical security is a challenge for remote components.

In the case of cyber security, the prime focus is to protect the data itself; data privacy and identity protection are the top priorities. In the case of Cyber-Physical Systems security, visibility into the controls is very important. Due to interactions with physical devices, a security breach in a CPS has physical safety implications for its inherent environmental interactions. These characteristics make CPS security more complex. It is important to evaluate the current assets and technology and understand their working process for any new industrial deployment, for future industrial acceleration. Practical transition mechanisms need to be adopted for greater efficiencies without compromising inherent resiliency. Automation, the Industrial Internet of Things, robotics, cloud computing and other technologies are advancing at high speed, and most industries are struggling to keep pace. With SMART machines, organizations easily gather data that can help them improve productivity and implement predictive maintenance. Aggregating and analyzing that data is more challenging.

The entire industry needs to improve its data mining capacity so that it can make faster and better real-time decisions. As the number of connected products in industrial operations increases, external and internal vulnerabilities multiply. Industries need to take preventive steps to secure valuable intellectual property and protect their investments in new high-tech equipment, which can be exploited if not configured properly. The majority of industries rely on outdated security systems incapable of addressing the number and complexity of modern threats, leaving many of them vulnerable to costly breaches. Businesses need to employ more sophisticated ways of securing their networks, as the traditional firewall approach may not be adequate to keep hackers from accessing them and doing real damage.
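As an added illustration of the PV / Set Point / FCE loop described above (not code from the article or from any real SCADA product), the Python below shows a supervisory controller that checks each sensor reading for channel integrity, device authenticity, replay and physical plausibility before comparing it with the set point and commanding the valve. The device name RTU-7, its key, the set point and all readings are constructed for this example.

```python
"""Added example, not from the article: a supervisory control loop in the
PV / Set Point / FCE pattern, with the channel-integrity and device-authenticity
concerns named above checked before any command reaches the Final Control Element.
Device name RTU-7, its key, the set point and all readings are constructed."""
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed shared secret provisioned to the (hypothetical) field device RTU-7.
DEVICE_KEYS: Dict[str, bytes] = {"RTU-7": b"constructed-demo-key-do-not-reuse"}

PV_MIN, PV_MAX = 0.0, 100.0   # physically possible tank level, in percent
SET_POINT = 60.0              # desired tank level (%)
DEADBAND = 2.0                # no actuation while |PV - SP| <= DEADBAND


@dataclass(frozen=True)
class Telemetry:
    device: str
    seq: int        # monotonically increasing per device
    pv: float       # Process Variable reported by the sensor
    mac: str        # hex HMAC-SHA256 over "device|seq|pv"


def sign(device: str, seq: int, pv: float, key: bytes) -> str:
    """Tag a genuine field device attaches to each reading."""
    msg = f"{device}|{seq}|{pv:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Controller:
    """Verifies every reading, then maps PV vs. Set Point to an FCE command."""
    last_seq: Dict[str, int] = field(default_factory=dict)
    log: List[Dict] = field(default_factory=list)

    def verify(self, t: Telemetry) -> Optional[str]:
        """None if the reading may be acted on, otherwise the rejection reason."""
        key = DEVICE_KEYS.get(t.device)
        if key is None:
            return "unknown device"
        # Channel integrity and authenticity: recompute the tag, constant-time compare.
        if not hmac.compare_digest(sign(t.device, t.seq, t.pv, key), t.mac):
            return "bad MAC"
        # Replay protection: a stale sequence number means an old reading re-sent.
        if t.seq <= self.last_seq.get(t.device, -1):
            return "replayed or stale sequence"
        # Plausibility: a correctly signed value from a compromised device can still be absurd.
        if not (PV_MIN <= t.pv <= PV_MAX):
            return "PV outside physical range"
        return None

    def decide(self, t: Telemetry) -> str:
        """Return the command sent to the inlet valve (the FCE), or HOLD."""
        reason = self.verify(t)
        if reason is not None:
            # Fail safe: keep the last known-good state and record why.
            self.log.append({"device": t.device, "seq": t.seq, "action": "HOLD", "reason": reason})
            return "HOLD"
        self.last_seq[t.device] = t.seq
        error = SET_POINT - t.pv
        if abs(error) <= DEADBAND:
            action = "HOLD"
        elif error > 0:
            action = "OPEN_INLET_VALVE"    # level below set point
        else:
            action = "CLOSE_INLET_VALVE"   # level above set point
        self.log.append({"device": t.device, "seq": t.seq, "action": action, "pv": t.pv})
        return action


def run_demo() -> List[str]:
    """Constructed readings: genuine, genuine, tampered, replayed, absurd, genuine."""
    ctl = Controller()
    key = DEVICE_KEYS["RTU-7"]
    low = Telemetry("RTU-7", 1, 40.0, sign("RTU-7", 1, 40.0, key))
    ok = Telemetry("RTU-7", 2, 59.5, sign("RTU-7", 2, 59.5, key))
    tampered = Telemetry("RTU-7", 3, 10.0, ok.mac)                        # PV rewritten in transit
    replayed = Telemetry("RTU-7", 1, 40.0, low.mac)                       # old message re-sent
    absurd = Telemetry("RTU-7", 4, 250.0, sign("RTU-7", 4, 250.0, key))   # signed but impossible
    high = Telemetry("RTU-7", 5, 75.0, sign("RTU-7", 5, 75.0, key))
    return [ctl.decide(t) for t in (low, ok, tampered, replayed, absurd, high)]
```

Only the four readings that pass every check are compared with the set point; the tampered, replayed and out-of-range ones leave the valve untouched and appear in the log with a reason.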
ZERO TRUST SECURITY – THE EVOLVING CYBER FRAMEWORK
SUSHOBHAN MUKHERJEE, CHAIRMAN - INFOSEC FOUNDATION & CO-FOUNDER AND CEO OF PRIME INFOSERV LLP

AUTHOR’S BIO
Sushobhan Mukherjee has 20 years of experience in IT consulting, technology, process and corporate relationships. He has been a cybersecurity practitioner and design architect since his stint with all the major telecom/IT operators in India, like Tata, Airtel and Sify. For the last eight years he has been an entrepreneur and institution builder. He is the Co-founder and CEO of Prime Infoserv LLP, one of the leading technology integrators and infosec consulting companies from eastern India, working with Indian and global brands. Besides this, he is the chairman of Infosec Foundation, a non-profit initiative to build a cyber security ecosystem across the globe through community-building exercises.

Preface
Zero trust security is a new buzzword in the cyber space. The model for the Zero Trust Network, or Zero Trust Architecture, was initially crafted by John Kindervag, a principal analyst at Forrester Research Inc., back in 2010. Now, with the increase in data volumes and sophisticated cyberattacks, the pressure to implement Zero Trust and its technologies is gaining momentum. Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they sit inside or outside the network perimeter. It is a holistic approach to network security that incorporates several different principles and technologies.
In traditional IT network security, it is difficult to gain access from outside the network, whereas everyone inside the network is trusted by default. In effect, once an attacker gains access to the network, they have free rein over everything inside. However, with present trends, enterprises no longer have their data in just one place; rather, it is often spread across clouds. This makes it more difficult to have a single security control for an entire network. Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. With the rise of attack sophistication and insider threats, new security measures need to be adopted in order to restrict attackers from spreading once inside. Traditional security models
were meant to protect the perimeter; threats that get inside the network are left invisible, uninspected and free to morph and move wherever they choose to successfully extract sensitive, valuable business data. Zero Trust, rooted in the principle of “never trust, always verify,” is designed to address lateral threat movement within the network by leveraging micro-segmentation and granular perimeter enforcement based on user, data and location. Lateral movement refers to the different techniques attackers use to move through a network in search of valuable assets and data. With traditional perimeter-based security, businesses can define sub-perimeters within their organizational networks using a specific set of rules for each, built from context around user, application, traffic direction, etc. These sub-perimeters are designed to identify the spread of an attack within an organization and stop unrestricted lateral movement throughout the network.

Core principles and technologies
Zero Trust works on the principle that nothing should be trusted and everything should always be verified. Within this framework, several technologies and best practices make up a Zero Trust architecture. Here are a few of the main principles:
• No Trust: the philosophy behind a zero trust network assumes that there are attackers both within and outside of the network and, in effect, no one should be automatically trusted.
• Least-privilege access, which means only allowing access to the information someone needs. This reduces the pathways typically used by malware and attackers and reduces the chances of internal data exfiltration.
• Micro-segmentation divides a network into separate segments with different access credentials. This increases the means of protection and keeps bad actors from running rampant through the network even if one segment is breached.
• Multi-Factor Authentication (MFA) requires two or more ways to prove someone is who they say they are. Using an MFA tool provides the reliable identity verification that is necessary for any Zero Trust model. MFA simply means requiring more than one piece of evidence to authenticate a user; just entering a password is not enough to gain access.
• Risk-adaptive security controls are necessary in order to analyze human and entity behavior and identify potentially risky activities in near-real time. Gartner calls this Continuous Adaptive Risk and Trust Assessment (CARTA).
• Access Control: in addition to controls on user access, zero trust also requires strict controls on device access. Zero trust systems need to monitor how many different devices are trying to access their network and ensure that every device is authorized. This further minimizes the attack surface of the network.
The objective
• Data Protection: ensuring all data and resources are accessed securely, based on user and location. The traffic and data flows need to be identified so that they can be mapped to the business flows, giving visibility into the applications, users and flows. Understanding who the users are, what applications they are using and the appropriate connection method is the only way to determine and enforce policy that ensures secure access to your data.
• Access Control: adopt a least-privileged access strategy and strictly enforce access control. By doing this, businesses can significantly reduce the pathways for attackers and malware.
• Introspection: all traffic should always be logged and inspected. Its effectiveness lies in identifying the appropriate junctions for inspection and building in the inspection points. Security rules, based on business policies, should be used to identify
and allow or deny the traffic and activity moving through the “inspection points” gating your sub-perimeters. This enables the segmentation of sensitive resources and establishes trust boundaries to help prevent the exfiltration of sensitive data.
• Add more authentication methods to counter credential-based attacks.
• Never trust; always keep adding context and keep your roles up to date.

The model
Forrester has outlined a roadmap for a successful zero trust implementation. Here is Forrester’s five-step model, paraphrased:
1) Identify your sensitive data at rest and in motion
   - Perform data discovery and classification
   - Segment and zone the network based on data classification
2) Map the acceptable routes for sensitive data access and egress
   - Classify all resources involved in the electronic exchange of sensitive data
   - Evaluate the workflow of data and redesign, if necessary
   - Verify the existing workflows, like PCI architectures, and verify designs
3) Architect zero trust micro-perimeters
   - Define micro-perimeters, zones, and segmentation around sensitive data
   - Enforce segmentation using physical and virtual security controls
   - Establish access based on these controls and the micro-perimeter designs
   - Automate rule and access policy baselines
   - Audit and log all access and change control
4) Monitor the zero trust environment, in detail, with security analytics
   - Leverage and identify security analytics solutions already existing within the organization
   - Determine the logical architecture and best placement for your security analytics tools
   - If a new solution is needed, identify a vendor that is moving in the same security direction as your organization and that can provide analytics for your other security solutions
5) Embrace security automation and adaptive response
   - Translate business processes into technology automation
   - Document, assess, and test security operation center policies and procedures for effectiveness and response
   - Correlate policies and procedures with security analytics automation and determine what can be lifted from manual processes
   - Verify the security and implementation of automation within your environment and current solutions
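As an added example, not part of the article or of Forrester’s model, the Python below is a small policy decision point that applies the principles listed above: default deny, verification of both user and device, MFA, least-privilege roles, per-segment rules with location context, a risk-adaptive threshold in the CARTA spirit, and a logged decision at every inspection point. All users, devices, segments and risk scores are constructed for the illustration.

```python
"""Added example, not from the article or Forrester's model: a small policy decision
point applying the principles above (default deny, user and device verification, MFA,
least-privilege roles, per-segment rules, a risk-adaptive threshold, and a logged
decision at every inspection point). All users, devices and segments are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventories: known users with their role, and enrolled devices with an owner.
USER_ROLES: Dict[str, str] = {"asha": "finance", "ravi": "engineer", "priya": "contractor"}
AUTHORIZED_DEVICES: Dict[str, Dict] = {
    "lap-001": {"owner": "asha", "managed": True},
    "lap-002": {"owner": "ravi", "managed": True},
    "byod-77": {"owner": "priya", "managed": False},
}

# Micro-segments (sub-perimeters), each with its own business-policy rule set;
# "roles" is the least-privilege allow list, the other keys add device/location context.
SEGMENTS: Dict[str, Dict] = {
    "payroll-db": {"roles": {"finance"}, "mfa": True,
                   "managed_device_only": True, "locations": {"office", "vpn"}},
    "build-farm": {"roles": {"engineer"}, "mfa": True,
                   "managed_device_only": True, "locations": {"office", "vpn"}},
    "wiki": {"roles": {"finance", "engineer", "contractor"}, "mfa": False,
             "managed_device_only": False, "locations": {"office", "vpn", "internet"}},
}

RISK_BLOCK_THRESHOLD = 70   # CARTA-style: a high behaviour score overrides a static allow


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    segment: str
    location: str      # "office", "vpn" or "internet"
    mfa_passed: bool
    risk_score: int    # 0..100 from a (constructed) risk-adaptive analytics feed


def evaluate(req: Request) -> Tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason). Only the final line allows: default deny."""
    seg = SEGMENTS.get(req.segment)
    if seg is None:
        return "DENY", "unknown segment"
    role = USER_ROLES.get(req.user)
    if role is None:
        return "DENY", "unknown user"
    dev = AUTHORIZED_DEVICES.get(req.device)
    if dev is None or dev["owner"] != req.user:
        return "DENY", "device not authorized for this user"   # verify the device, not just the user
    if seg["managed_device_only"] and not dev["managed"]:
        return "DENY", "segment requires a managed device"
    if req.location not in seg["locations"]:
        return "DENY", "location not permitted for segment"
    if seg["mfa"] and not req.mfa_passed:
        return "DENY", "MFA required"
    if role not in seg["roles"]:
        return "DENY", f"role '{role}' has no need-to-know for {req.segment}"   # least privilege
    if req.risk_score >= RISK_BLOCK_THRESHOLD:
        return "DENY", "risk-adaptive control: behaviour score too high"
    return "ALLOW", "all checks passed"


class InspectionPoint:
    """Gate in front of a sub-perimeter: evaluates and logs every request (introspection)."""
    def __init__(self) -> None:
        self.log: List[Dict] = []

    def gate(self, req: Request) -> str:
        decision, reason = evaluate(req)
        self.log.append({"user": req.user, "device": req.device, "segment": req.segment,
                         "location": req.location, "decision": decision, "reason": reason})
        return decision


def run_demo() -> List[str]:
    """Constructed requests exercising each rule; the expected decision is in the comment."""
    gate = InspectionPoint()
    requests = [
        Request("asha", "lap-001", "payroll-db", "office", True, 10),   # ALLOW
        Request("asha", "lap-001", "payroll-db", "office", False, 10),  # DENY: MFA required
        Request("ravi", "lap-002", "payroll-db", "vpn", True, 5),       # DENY: role lacks need-to-know
        Request("priya", "byod-77", "wiki", "internet", False, 20),     # ALLOW
        Request("priya", "byod-77", "build-farm", "vpn", True, 20),     # DENY: unmanaged device
        Request("ravi", "lap-001", "build-farm", "office", True, 5),    # DENY: device owned by another user
        Request("asha", "lap-001", "payroll-db", "office", True, 90),   # DENY: risk score
    ]
    return [gate.gate(r) for r in requests]
```

Every request, allowed or not, ends up in the inspection point's log with the rule that decided it, which is the raw material the security analytics step of the model consumes.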
Implementation Roadmap
There can be multiple approaches to the model, but there are a few considerations almost everyone will need to include in order to implement an efficient Zero Trust architecture:
• Consider the technologies you will need to add to your current stack, such as:
   - Next Generation Firewall
   - Risk-Adaptive Security Tools
   - Multi-Factor Authentication
   - Secure Web and Email Gateways
   - Threat Isolation and Network Sandboxing
   - Network Forensics and Encrypted Traffic Management
   - Privileged Access Management or Identity Management
   - Vulnerability Management
   - Security Information and Event Management along with Security Orchestration and Automation
   - Data Loss Prevention (DLP) and User Behavior Analysis (UBA)
   - Cloud Application Security
• Adopt Zero Trust security best practices:
   - Add prioritized cloud technologies to replace unauthenticated legacy services and systems.
   - Design the zero trust architecture based on how data moves across the network, and how users and apps access sensitive information.
   - Extend identity controls to the endpoint to recognize and validate all devices. Just verifying users is not enough.
   - Organize users by group/role to support device policies.
   - Leverage automatic de-provisioning, along with the capacity to wipe, lock and un-enroll stolen or lost devices.
   - Educate and coach end users to be part of the solution in the new zero trust environment. Otherwise, they will be part of the problem.
   - Regularly update end-user rights based on changes to roles/jobs, as well as changes to prevailing security policies and compliance requirements.
• Understand Access Needs: decide who needs access to what in your organization. Remember to grant the least privilege that someone needs and nothing extra.
• Consider Your Culture: at the macro level and at the granular security level, a company’s culture will dictate the efficacy of any security model. In the case of Zero Trust, where you understand that threats come from outside and within, a supportive and educated workforce is key.
SECURITY SYMPOSIUM AND AWARDS 2019
NOMINATION FORM for Cyber Sentinels Awards
Theme: Zero Trust Security: Capitalizing on the Adoption Wave
19 July 2019: Bengaluru
02 August 2019: Kolkata
09 August 2019: New Delhi
30 August 2019: Mumbai
For more information, write to sanjay@accentinfomedia.com, sanjib@accentinfomedia.com