Mitigating cyber threats: The never-ending battle between defenders and attackers

Friday, 21 September 2018 00:00

Top cybersecurity experts discuss key role CXOs have to play in tackling cyber threats at FT-CICRA Cyber Security Summit CEO Forum 2018

 

By Hiyal Biyagamage

It is no secret that the global business community is witnessing a significant rise in cyber threats; businesses are often targeted by sophisticated hacker groups, and the cost of cybercrime to businesses has grown rapidly. Juniper Research, in research done in 2016, predicted that the continued reliance on digitisation will be the catalyst for a $2.1 trillion criminally driven industry by 2019.

To add to the woes of organisations, hacking groups who have been empowered with substantial monetary support are collaborating with each other to pull off cyber heists. Forbes illustrates this factor perfectly by revealing how cybercrimes have become more lucrative. If only 1% of targets in a three-month ransomware campaign get infected and of those only a small percentage pay the ransom, criminals will still reap a substantial pay-out to the tune of tens of thousands of dollars each month. 

In this context, top cyber security personnel from the region discussed how local businesses and C-level leaders can mitigate rising cyber threats by putting proper cyber security policies in place within their organisations at the recently concluded CEO Forum of the 6th Annual Cyber Security Summit, Sri Lanka’s premier annual cyber security awareness initiative, co-organised by Daily FT and CICRA, at Cinnamon Grand Colombo.

The CEO Forum comprised a high-level panel of cyber security experts including Lakshmi Ramakrishnan – Director, Risk Services, India and South Asia, Visa Inc., Nikita Zaychikov – Senior Manager, InfoWatch Russia, Terry Loo – Vice President, APAC, Cellebrite, Subho Halder – Co-Founder/CTO, AppKnox, Vishak Raman – Director, Cyber Security, India and SAARC, Cisco Inc. and Boshan Dayaratne – Group Director/CEO, CICRA Holdings.

Battle between bad guys and defenders

Setting the context, Vishak Raman, Director, Cyber Security, India and SAARC for Cisco, said that endpoints have become more vulnerable than ever before.

“Hackers are no more going after your crowned jewels and data centres but they really want to come inside and break your endpoints. This applies to your IoT (Internet of Things) and mobile devices as well.”

“It is no more signature based or how you get threat intelligence towards not preventing an attack but predicting an attack. Attacks will happen but how do you get that intelligence much ahead of the curve where the attack is at a controlling stage. It is not one vendor to the other or one technology platform to another. It is about how strongly the ecosystem has been built. Ecosystem is not about the technology part. It is about people, government, responsibilities of citizens and other stakeholders partnering,” said Raman. 

He also mentioned that identifying proper cyber security resilience calls for an action towards building a larger ecosystem, more collaborations and sharing of threat intelligence.

Answering a question from the audience about the importance of appointing board members with proper knowledge of cyber security, Raman mentioned that Cisco in general has witnessed regulators stepping in more fiercely than ever before.

“Regulators are coming forward more proactively by mandating cyber security roles within organisations and regulating mandatory disclosures. I think they are playing a pivotal role in mature as well as in emerging markets. Regulations are getting more prominent, enforcing cyber drills as a mandatory part for the financial institutions. By doing so, they prepare organisations to be ready when the real threat happens. I think it is a combined ownership of the regulator and the boards who represent financial institutions and regulators will play a lot more inclusive role which is good for cyber security.”

A broader boardroom discussion

Speaking at the forum, Lakshmi Ramakrishnan – Director, Risk Services, India and South Asia for Visa, said cybersecurity has become more and more a boardroom discussion.

“Earlier we would see these discussions are restricted to the risk team and they would have conversations with the information security team but today it has become a true CEO discussion with high-level executives having interest about cybersecurity issues.”

“Why is that? Ecosystem is becoming more complex. It used to be an easy, four-to five people completing a transaction sort of an environment but it has become more complex with more interest into it,” she expressed.

This means that there are more and more people involved, more data involved and more touch points, which is making it very difficult, said Ramakrishnan. “But it is the same thing leading to innovation also. More people means that there are ways and forms that we are seeing taking place in the electronic payment sector.”

“We were not taught that a watch could make a payment and blockchain is getting huge traction. All because of innovation and everything has to be responsible innovation. That is what the industry is looking up to now - they understand that security is the basis, the backbone of any innovation,” she pointed out. 

When asked why the financial services sector is being constantly attacked for the many obvious reasons, she said, “Like I said before, ecosystem is becoming complex. There are more players and touch points. This is making the whole system bit vulnerable because it is opening up more data points. This is creating too much of data.”

“During last year, the world would have created 2.5 quintillion data. Hackers are after these data and they will specifically target data coming out of financial institutions. Our entire payment ecosystem’s job is to protect that data. Data is the foundation and that is why it needs to be protected.”

According to her, Visa believes in having multiple layers of security, and there are four strategic pillars in protecting data on which Visa focuses heavily – encryption, human factor, data security standards including the very famous PCI (Payment Card Industry standard) and post protection of data.

“Even after protection, if the data goes out, what do we do? The data should be useless for the people who are attacking it. That is what we call as devaluing of data. Even it goes away, hackers cannot use them as they do not have any value anymore. One of the two best examples for devaluing is chip cards and tokenisation.”

“Why do fraudsters need data? They are running as organisations, big agencies and they use artificial intelligence just the same way we are using it. If they can use it, why cannot we as protectors use it? We have tools and products which work on harnessing data and which gives some intelligence output for our consumers to protect themselves even before something happens,” said Ramakrishnan. 

Dealing with mobile cyber issues

Terry Loo – Vice President, APAC of Cellebrite discussed the importance of post investigations and specially touched upon dealing with cyber issues related to mobile devices. 

“Our equipment and solutions are enabling investigators to extract data of a mobile device and go through them. We work closely with law enforcement agencies for post investigations. However, many enterprises today have come to realise that their weakest link is mobile device. The user is either not familiar about the many vulnerabilities.”

Loo said that a lot of cybersecurity professionals in the industry are not familiar with the post investigations they are supposed to do with mobile devices (how to extract data out of a mobile and analyse how the device is interacting with other devices).

“Not many professionals within the enterprise sector understand how to deal with mobile devices. How fast could you gather all the data from possible compromised devices when an incident occurs? Is it within half an hour or a few days later? If you have 200 employees within the organisation, will you be able to go through all their devices quickly within three hours? Should you theoretically archive mobile devices which have been issued to employees or implement a strong BYOD policy within the organisation? All these factors are very critical and value concerned when it comes to mobile security vulnerabilities.”

He also mentioned that most of the organisations he speaks to in the Asia Pacific region are reactive about forensic investigations. “If there is a breach or suspicion that data has been leaked by an unknown force, they would bring in digital forensic experts. The right thing to do would be prevention. We have seen a lot of larger organisations started doing routine archiving of data for mobile devices, from their mid to top management. That is one crucial step. If an incident happens, they need to do investigations and they need the data for e-discovery and all these elements are actually being infused into their IT policy.”

Data breaches increasing day by day

The number of data breaches and data leakages is rising every year, and the cost of these data breaches is rising as well, but the problem is to identify how to protect against them, said Nikita Zaychikov – Senior Manager of InfoWatch Russia.

“As a high level executive, you have to understand what the issue is and here I see one of the main challenges is most of the time, people focus on external threats, which are valid and important, but internal threats like employees and insiders are very important as well because people know exactly what data is important and what measures you have in place. Cybersecurity professionals do not focus much on internal threats sometimes.”

“People are talking about data systems which you have to integrate with different solutions versus so many solutions in the market right now. It is hard for security professionals sometimes to understand which kind of solutions they need right now,” he said.

“In order to do that, you need to have a proper discussion within the boardroom itself with the understanding that various solutions in the market have to be configured according to the specific needs of an organisation; especially when you talk about data as it is unique to any organisation.”

Nikita also spoke about hackers becoming more sophisticated and smarter, and how companies need to defend their infrastructure.

“Hackers are becoming smarter but every company is aware that they have to protect their organisations from them—against external threats. If you talk about internal threats, your employee knows exactly where the client database lies. They even know who the competitors are. There is lack of awareness about internal threats and nobody ever talks about it in media, where much prominence is about external threats. This situation is leading to less companies understanding how important that is. You need to give your security officers the opportunity to put a control to your IT infrastructures in order to mitigate internal threats,” opined Nikita at the forum.  

Putting security policies in place

Mobile security expert and Co-Founder of AppKnox, Subho Halder, said many businesses and CEOs are moving towards mobility as a separate business sector.

“Organisations build apps with different capabilities. For example, you can book a cab through your mobile or complete a bank transaction through your smartphone within few seconds. Mobility as a term is one of the weakest links between organisations and cybersecurity sphere.”

“I have heard many people talking about why organisations should not look at generalists but should always focus on specialists. There are specialists in different domains and using these specialists is how you can keep an edge towards having a secured life cycle within organisations as far as cybersecurity issues are concerned,” said Halder.

Expressing his thoughts about implementing a proper security practice within organisations, Halder said, “Even before you look at threat intelligence, even before you go to regulators and even before it goes to the boardroom, the first thing you should be doing is setting up a security practice inside your organisations. That is the first step forward. Once you have that, automatically it is a progression from that point onwards.” 

He further said, “When you have security practices inside your organisation, what happens next is a boardroom discussion about those practices. Then all the companies who have similar security policies will come together and try to form regulations around those policies. That is how regulations around the world are formed so I am expecting the same in this region as well.”

“Even with policies in place, there will be data breaches. If one happens, organisations need to move ahead and do a proper forensic investigation and conduct a threat intelligence on top of that. Everything starts from one basic seed which is having a proper security practice,” said Halder. 

Insider threats rising in Sri Lanka

Bringing a local perspective to the forum, CICRA Holdings Group Director/CEO Boshan Dayaratne said awareness among organisations about insider threats is lacking. 

“IT security team of an organisation needs to know what is happening around the globe. If they are to protect your IT infrastructure, they should know what to protect and how to protect them. It was the good old days that looking after your computer and the network was a responsibility of the IT department but going forward, it will not be the responsibility of the IT department but your responsibility.” 

“We find insider threat factor is getting bigger and bigger in SL because many CEOs are focused on protecting perimeter defences,” Dayaratne said. Explaining about intentional and unintentional threats, he said, “You put next level firewalls and intensive hardware and software that will cost you millions but you won’t get the results you expected because your internal infrastructure does not match these high end solutions. So you will be back to square one, running your system in default mode.” 

He also pointed out that local companies have to take a proactive rather than a reactive approach when it comes to cybersecurity.

“Top management of a company also needs to be aware about security and put proper mechanisms in place. In a number of cases we have encountered, many local CEOs look to skip that part of the conversation. Companies need to identify the true need of doing a security assessment; most of the time, companies have been pushed to do a security assessment because of compliances put out by regulators. Compliances don’t give you security but if you are serious about safeguarding your data, you need to hire a professional and check whether someone from outside could penetrate your system,” said Dayaratne.

The CEO Forum was followed by a full-day Summit yesterday, supported by Cisco as the Principal Sponsor, Visa as the Strategic Partner, and Infowatch and Tufin as Co-Sponsors. LankaPay is the Official Payment Partner while Dialog is the Telecommunication Partner. Sri Lanka Insurance is the Insurance Partner. The Ministry of Telecommunication and Digital Infrastructure and ICT Agency of Sri Lanka have endorsed the event. Cinnamon Grand is the Hospitality Partner of the Summit while Triad is the Creative Partner. The Electronic Media Partners of the event are TV Derana, FM Derana, Ada Derana and Derana24X7.

Pix by Upul Abayasekara and Ruwan Walpola
