CICRA shares key insights into exponential cyber attacks and mitigation

A number of recent reports revealed that the tendency of cyberattacks has increased exponentially. Suddenly Sri Lanka was also highlighted with some reports over cyber attacks in relation to the financial sector. CICRA is engaged in capacity building and consultancy services in information security in Sri Lanka and considered as the pioneer in the cyber security domain in Sri Lanka. The Daily FT discussed this matter and the current context of cyber security in the country with CICRA Consultancies Ltd. Director/CEO BoshanDayaratne. Following are excerpts:

By Kiyoshi J. Berman

Q: There are certain reports of a cyber attack on a Sri Lankan bank. What do you know about this?

A:Yes. We also saw some reports in this regard. But, I see this in a different angle. Let me explain… Cyber attacks are no longer news. Everyday there are incidents reported. Given the value of data, the financial sector is in the top of the threat list. According to what I read, not only this particular bank, there are seven more banks in Asia that were hit by the same group of cyber criminals. 

But, there is something I’m worried about. If I have heard correctly, most of the above attacks are through a so called ‘SQL Injection’ attack. Do you know, this hacking tool is more than 15 years old and nowadays hackers use much advanced tools for hacking. So, getting a system hacked by a ‘SQL Injection’ means, you have not even covered your basics. Just imagine – what if this attack is through a new tool. If this information is true, our systems are more vulnerable than we thought. So, the real problem exists there and that’s where the discussions should start.

And the other point is, as I said early, being hit by an attack is not the end of the world. And it tells you indirectly that you have a value. But, my argument is that this is not something to hide. We should take it as it had happened to all of us. If not, at least we should understand that we are also under the threat. Therefore, we should act together and help each other to defeat this anonymous but enormous challenge.

Q: You have made a significant contribution to the enhancement of the cyber security domain of the country. How do you evaluate the present status of the cyber security domain in Sri Lanka?

A: In short, it is good but could do better.When we first started, be frank, some wondered of our intentions but after five years of commitment and hard work, we are really proud of ourselves on what we could to the betterment of the industry. I believe, by now, there would not be anyone in the corporate sector who has not heard of information security and its value.

The corporate sector paid better attention and involvement. Individual organisations made conscious efforts to strengthen their systems, trained their staff and are willing to recruit trained professionals. Generally, the awareness is high among technical staff and top management. 

The Government has also taken valuable actions to make people aware, set up necessary legislations and training programs for government officers are established. We see SL Cert, Lanka Clear and FinCCert are trying to do their part. But, yet a considerably good integration among responsible authorities should be maintained.

In large, there is a lot to do to get to the required standards.

Q: What are the gaps you see? Where should we change?

A: First, you need to know what cyber security is. It is not an audit or merely the compliance. When I evaluate the status, I find most of the issues occur not because the organisations do not think about or act about cyber security but they don’t seem to be getting in to the right track. They don’t seem to be getting the correct guidance. 

Let me be a little technical on this.

First step of cyber security is identifying problematic areas of your system. Proper findings will lead you to better results. So, we do ‘penetration tests’ to identify vulnerabilities of systems. In this, experts in cyber security try to enter into, you say hacking, your system through any possible manner. If that expert can hack into your system in one or the other way means you have a vulnerability. Then, this expert knows where the problem exists, root-cause of the problem, what magnitude it is, what the remedial actions to take are, etc. This expert report will come up with recommendations to strengthen your system.

But, we have seen enough instances, where your ‘so called’ expert comes and ask for ‘login passwords’ to do a penetration test. Just understand, you are spending for something not worth. Also, we have noticed, some security personnel use automated tools to do the penetration testing. In this case, your expert’s report does not provide a comprehensive status of your vulnerabilities. He will not be able to suggest suitable solutions for your system. Then again, you will have to spend for some other ‘real expert’ to provide you solutions. 

Do you see the issue? The problem may not lie with the management actually. They are committed, and they take a policy decision to protect their systems. But, when it comes to the establishment, you make wrong decisions; maybe because of the high pricing. Three parties bid for a ‘penetration test’ and the party that does the automated testing will get the bid because of low prices. Actually, we see sometimes until some huge issue occurs, the company does not know where they made the mistake. So, my advice is not to compromise the security for price. If so, sometimes you may end up spending billions for the remedy. Therefore, bid for the quality of service. Question your solution provider for their capacity and capability. Check what tools they use, etc. before you commit. 

And I have a message for decision makers as well. A completely secured system is a kind of dream. Any system might have defaults. Hackers are smart enough to develop new hacking tools. That is their living right? Get yourself reminded, even Pentagon was once hacked. So, do not find the fault with your team and instead give confidence to your security team to work with quality service providers to identify system vulnerabilities. That would definitely save your system, human resources and more importantly the money.

Q: Even after you do proper testing, establishing secured system, are you really safe?

A:I have two words to emphasise. Monitoring and updating.

Once you establish a system, you need to attend to frequent monitoring and updating. Again you need to have qualified professionals to understand alerts and act immediately. What’s the point, if you are hit by an attack and get to know about six-seven months later?

Also we have noticed that organisations spend for a ‘penetration test’ and you get loads of recommendations, in order to strengthen your system. The finances come into effect and the organisations, by their own, decide to delay or avoid certain recommendations. Yes, we agree, cyber security measures might cost a little high. But, you are going to risk millions and billions of money together with your reputation of business. See what the customer perception is when news comes out of a bank getting attacked. 

The possible way-out may be to talk to your expert and ask for a road map for implementation. I want to emphasise again, if you have recruited ‘real’ experts, then they will guide you for an economical but yet strong cyber security mechanism.

Q: We think only outsiders attack you. But, it is a misconception now I think?

A: Exactly. We have been telling this for years; again a simple example from a different domain. How secret ‘Maliban’ and ‘Munchee’ are on their recipes. Think of the situation of one staff member sells out these secret recipes. You have heard enough stories of match-fixing in cricket. Take an example from our own domain. What is this ‘Edward Snowden’case. All of these are very good examples of internal threats on your organisational data. It exists everywhere. Internal resources, mainly the staff will give-out valuable information of your organisation due to various reasons; could be intended or un-intended. There may be cases the staff is unaware or ignorant. It’s a fact that the humans are the weakest link in cyber security and most of the external attacks find their way into a system through social-engineering methods. That should be addressed through capacity building.

But, there may be cases, where the employees purposefully sell-out valuable information, may be due to disgruntled issues or may be working for some other payroll as well. What matters is, do you have a mechanism to stop such outflow of information or if happens, how to catch the responsible act.  

Therefore, in addition to the battle you have against outside cyber attacks, you should set up a proper DLP, Data Loss Prevention system to protect your data from internal threats. I would say it is basically a managing process. First you identify your data and classify them properly. It is the key. Whatever the product you use, it should be capable of tracking everything, be it emails, copying documents to thumb drives, social media engagements etc. Also, it should have the capacity of linguistic analysis, identify secret-coding we may say. Your system should be able to track android and ios devices as well. Then it’s a matter of managing data in a responsible manner. You may grant access of selected data to an identified set of users. This DLP is a kind of agent sunk into each device and reports its action.

But, make sure that your staff is well aware of the system and make them understand that the system is established for the betterment of both staff and the organisation.

Q: Finally, what are your thoughts of the future, what are you to bring in for the betterment of the industry?

A: Hope for the best. We are moving forward well. As I have mentioned, at the beginning the support was less. But, now it’s improving fast.

To date, we have trained more than 700 IT professionals in cyber security in which more than 250 are Certified Ethical Hackers. Our masters degree program is running of its maximum capacity and we are expecting a set of managerial and executive level information security professionals to be graduated next year. In addition, we could train officers of tri-forces and police, government officers and a number of public sector staff. We could help out top corporate organisations to strengthen their security measures.

More importantly we could enhance the country’s cyber security awareness through the annual Cyber Security Summit and the Ethical Hackers Forum. We could bring the cyber security discussion to the boardroom through encouraging many CEOs of top organisations. We are very satisfied and proud of what we could bring in to the domain in past years.

We have identified a few more areas to give attention. We have already set plans to strengthen the software development sector into the information security table. It is a must, if we are to achieve present goals of the development sector. Also, we are continuously pushing the corporate sector to train their non-IT staff. A number of researches revealed that you must increase the awareness and skills of non-IT staff for a better secure IT system in your organisation.