This June, MediaNama held an open house discussion on Securing Online Data, supported by Microsoft and Akamai. This is Part 3 of our coverage of the discussion, which looks into basic cyber security measures for organizations, regulatory issues, and the challenges of adopting cloud in India. Part 1 of our coverage looks into emerging cyber threats in India. Part 2 looks into how ransomware attacks users and at some cyber war stories shared by attendees during the discussion.
Cyber Security basics for companies
Any company or organization applying cyber security stacks to its IT infrastructure will also need to constantly upgrade and audit the security infrastructure in place. Cyber security should be seen as part of the organisational strategy and not just as an additional system. Manish Tiwari, Chief (Info.) Security Officer, Microsoft India, talked about how neglect of basic cyber security practices affects companies even if they have a well-built security system in place.
“Let’s say you belong to an insurance sector company, and you have a couple of applications which are core insurance apps,” he said. “You will have administrators like database admins, etc. What companies need to look at is, from where do they [admins] administer those servers. How much effort have we taken to secure those workstations from where mission critical applications are being maintained? Being a penetration tester, I worked with a large number of organizations including the regulatory space, [corporate] customers, policy makers, government departments, etc. What I see is a repetition of most of these things [lack of basic cyber security practices].”
Vinayak Hegde, an independent cyber security consultant who moderated our discussion, said that there are some basic security fundamentals to be followed:
- Basic network checks: Close inbound/outbound ports that are not needed. Make sure that all systems are patched and running, and make this a continuous audit process. Audits should also be carried out whenever a new application or piece of software goes onto the servers.
- Automated alerts: Make sure that all anomalies in the network are notified to the admin immediately in the form of alerts. An automated or software-driven alert/notification system is most suitable for this.
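The two fundamentals above (closing unneeded ports and alerting on anomalies) can be combined into one scheduled check. The following is an added example, not code from the discussion or from any of the participants: it parses a constructed sample of `ss -H -lntu` output, compares every listening socket against a per-host allowlist, and returns one alert line per unexpected listener, which a cron job can then forward to the admin.

```python
"""Audit listening sockets against an allowlist and produce alert lines.

Added example (not from the MediaNama discussion). The sample below is a
constructed imitation of `ss -H -lntu` output on a Linux server, not a
real capture; ALLOWLIST is an assumed policy for that host.
"""
from dataclasses import dataclass

# Assumed policy: (protocol, port) pairs this host is allowed to listen on.
ALLOWLIST = {("tcp", 22), ("tcp", 443)}

# Constructed sample of `ss -H -lntu` (no header line), not a real capture.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

def parse_ss(output: str) -> list[Listener]:
    """Parse ss lines into Listener records; skips headers and malformed rows."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # also handles IPv6 like [::]:22
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners

def audit(listeners, allowlist=ALLOWLIST) -> list[str]:
    """Return one alert per listener not on the allowlist.

    Loopback-only listeners are rated LOW: unreachable from the network, but
    still unreviewed software that an audit should surface.
    """
    alerts = []
    for l in listeners:
        if (l.proto, l.port) in allowlist:
            continue
        sev = "LOW" if l.addr in ("127.0.0.1", "::1") else "HIGH"
        alerts.append(f"{sev}: unexpected {l.proto} listener {l.addr}:{l.port}")
    return alerts

if __name__ == "__main__":
    for alert in audit(parse_ss(SAMPLE_SS)):
        print(alert)
```

In production the sample string would be replaced by the live output of `ss -H -lntu`, and the returned lines sent to whatever alerting channel the organisation uses.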
Tiwari added that companies will also need to secure access to critical servers: they will need to pre-plan the locations, both physical and at network level, of each administrator who administers core or mission critical servers. They will also need to look at how secure the remote workstations are from which mission critical applications and servers are maintained.
Financial sector the most hit
The financial industry is the most hit in terms of cyber-attacks, Tiwari said, talking about how a common cyber security checklist can address basic security compliance. The Reserve Bank of India (RBI) had come up with two cyber security policies last year, he said, adding: “If you were to go through (the second RBI policy), it’s got 5 sections in the form of a checklist; you could take that out and perhaps put it in a govt organization for compliance measures. The checklist has only yes or no answers, there is no third option. But the checklist was also built in a manner where you could take that and put it in a hospital or any other industry. So, the point I’m trying to make is 95% of the technology stack everywhere is common, and hence the problems are also common; we need a common checklist which is binding by law for all organizations.”
Organizational readiness is the key challenge
But as pointed out above, no amount of investment in cyber security guarantees security if the basic fundamentals are ignored. Tiwari gave some examples of how the financial industry has been neglecting basic cyber security practices:
“…the biggest challenge is lack of readiness on the part of the organizations themselves. We are talking about a situation where applications are still running on Windows XP (which is outdated), or an older system of Linux. That’s the ground reality. All ATMs still run on Windows XP. Windows XP’s shelf life was actually supposed to end in 2010; it was on a lifeline until July 2014, when finally support ended for that. Which means that the industries, including some of these ATM manufacturers, had a 5 year notice period to upgrade their systems. But even today, we are seeing XP in ATMs. Now, of course, the process has started of upgrading these machines. Why is it late? Because there was no regulatory push to overcome these issues. So who suffers? The end organization, i.e. the banking organization, suffers; the banking sector here is a customer, they suffer.”
Outside India, corporates have been giving attention to cyber security, especially after the revelations by Snowden and WikiLeaks. Vinayak Hegde said that “the adversaries—both corporate and government—you saw about the Snowden revelations also, and [because] of this both corporates and governments are becoming better, both in terms of technology, because computers are becoming powerful, and in terms of intelligence also; the adversaries are becoming more and more aware, because they are state-level actors. And if you see the DNC leaks (from WikiLeaks), for example, they were much like targeted attacks at certain people wherein accounts were getting compromised…users were able to take out sensitive data via this method.”
Insider threats and what organisations can do about it
Tiwari said a major part of the issue is insider threats, which account for 80% of data leaks: these could be persons who knowingly or unknowingly trigger data leaks from within the organisation’s network limits. A large number of banking frauds are committed through just simple emails, Tiwari pointed out. Companies also require a robust screening mechanism for screening incoming emails and for digitally signing outgoing emails. Here are some basic cyber security measures to prevent insider threats:
- Implement digital rights management: Companies that frequently interact with third parties and entities outside the virtual network (via email, file transfer services, etc.) will need to install an automated digital rights management application. This ensures protection of data even when that data leaves a company’s network boundaries. For example, a company which sends data (in the form of documents, email, etc.) from domain XYZ to another domain ABC outside the company can implement digital rights management. The PDF document can be digitally signed to make it unreadable to Optical Character Recognition (OCR) software when someone tries to convert it into plain text.
- Data classification policy and application whitelisting: Data can be hosted in multiple cloud storage services (AWS, Microsoft, etc.) and delivered to many different kinds of devices—PCs, Macs, phones, etc. Data is also being churned and routed via different channels when delivered to the end user. But companies host their data on one particular service in most instances, and they might need to create a whitelist–a list of apps and software that are supported–as well as classify data as sensitive or confidential data, internal or non-confidential data, and public data. This puts a uniform rule set in place, and it can be enforced compulsorily for all devices connecting to the network, including mobiles, laptops, desktops, etc., regardless of the location they connect from.
Challenges moving to the cloud in India—regulatory and technology wise
1) Compliance: According to Tiwari, India doesn’t need to entirely adopt the cloud, since most industries in the country are yet to develop a compliance standard, and this is the biggest challenge in adopting cloud:
“I talked about 4 principal pillars for cyber security. There are also 4 principal pillars for an assurance level in any technology. Cyber security is only one of them; the second one is compliance, the third is transparency, and the fourth is data privacy. So when you select any technology, including cloud technology, you should see whether it is compliant. Each industry has its own data standard. Incidentally, we don’t have a health standard in India, we only have a draft, and I never say it’s a great standard in any case.”
2) Data encryption laws: The maximum encryption that you can use in the banking sector is just 128 bit, which is pretty low, and according to Tiwari this is another challenge facing India in cloud adoption. Other than the banking sector, the limit for the rest of industry is just 40 bit. India’s national encryption policy goes back to 1999 and hasn’t been updated since then. The current government is still working on it.
3) Access to cloud data stored outside the country: Companies might choose cloud vendors outside India to store data instead of storing it internally within their own data centres. But as an organization with multiple stakeholders, many administrators and users might require access to this data on demand. In such an instance, companies can choose a cloud provider that offers a Bring Your Own Key (BYOK) process. BYOK allows a cloud service provider to ensure that no single administrator [in a company] has unrestricted access. Access can be given only to the particular data block that an admin requires, without exposing other confidential or financial data.