CICRA Ethical Hackers’ Forum explores ‘Security through Obscurity: Is it a Myth?’

Wednesday, 8 April 2015

By Kiyoshi Berman

The fourth Ethical Hackers’ Forum organised by CICRA was held on 20 March in Colombo, themed ‘Security through Obscurity: Is it a Myth?’ AKATI Consulting CEO Krishna Rajagopal set the premise for the forum discussion.

“If you look at today’s topic, let’s take a few steps back and go to 1883. In 1883 there was a French researcher named Auguste Kerckhoffs who put down six principles in a journal publication. I will do a Google translation of that. He said the system that you create, any security system, must be practically, if not mathematically, indecipherable. Systems should not require secrecy, and it should not be a problem if the system falls into an enemy’s hands. It should be possible to communicate and remember a key without written notes or correspondence, and to change and modify it at will. It must be applicable to all kinds of communication and it must be portable. If you look at security through obscurity in a nutshell, where obscurity is hiding deep in, security through obscurity would be everything going beyond these six principles. For example, a system should be secure by design, not because your enemy doesn’t know how your system works. Nowadays secrets don’t remain for too long,” he said.

ICTA vision

The Chief Guest of the event was Muhunthan Canagey, the newly-appointed CEO of ICTA Sri Lanka. “ICTA carries out our vision as a Government towards going forward in the era of ICT. The ICTA is the apex body for all related ICT matters of the Government and it cuts across all ministries. It was established in 2003 under the current Prime Minister Ranil Wickremesinghe. Subsequently, as things change over the years, there has been a change from its original vision as to what it should be today. My role as CEO and Managing Director at ICTA is mainly to bring about change in the ICT sector, not just in the private sector but also within the Government, under the mandate of the Prime Minister and government.

“This would look at Government services being available at your fingertips and will include empowering citizens to be closer to the government and also be involved with policy making while being able to vote on policy matters. This is in fact to bring about more democracy to the country and have you all involved in this, in terms of policies and matters of government. While we do that, we come across the Right to Information Act. The right to information would require Government officials and public office to give information to the public as and when requested, within a very specific period of time,” he said.

Real-life experiences

Hans Thomasz, Senior Information Security Officer at Qatar Development Bank, based his presentation on real-life experiences in dealing with information security issues that were caused by a lack of information security mechanisms. He discussed several real incidents where organisations in various fields were compromised due to the carelessness of employees and a lack of awareness and security policies within the organisation. Hans also suggested that defence in depth was a good method for establishing information security in an organisation.

Cyber security threats

Pravin Srinivasan, Head of Security Sales, Cisco India, delivered the next presentation. He referred to statistics and data relating to cyber security threats throughout his presentation. He pointed out that the new security problem and the industrialisation of hacking mean that organisations are constantly under attack. But today’s security solutions have little focus on response, because security through obscurity used to be the holy grail of prevention. Rather than searching for a silver bullet that does not exist, Cisco’s approach is about doing security differently. This involves focusing on strategic imperatives, looking at a threat-centric security model, mapping technologies to the model, and using the model to address the biggest threat of all, known as advanced malware.

Afterwards, a panel discussion was held with the speakers Muhunthan Canagey, Pravin Srinivasan and Hans Thomasz. This was moderated by Krishna Rajagopal.

Defending network infrastructure

In terms of defending your network infrastructure, is there a strategy that companies can adopt rather than obscurity? In reply Hans said: “The simplest and the most common thing is to keep monitoring your network continuously. If you fall victim, have a plan to know how soon you can recover. So it comes down to proactiveness, the ability to reduce the gap from detection to action, and ethos.”

Krishna explained how storing all passwords in a password-protected Excel or Word file can cause a lot of damage, because it is not difficult to crack the password on such a file, which thereafter gives access to every other account. “About two weeks ago there was a large forensic case and massive legal action was taken. I was there as an expert witness. This was a huge oil and gas company where 350 servers were breached. This was caused because an administrator had a ‘my password.xls’ file updated on a weekly basis. The root cause was not because the passwords were not changed but ‘my password.xls’.”

Capacity building

A question was posed regarding capacity building of those involved in the cyber security industry. Pravin replied to this by saying, “Before I answer, there are only two or three ladies in here. This industry is very much male dominated and we need to really look into it, as it leaves a negative impact on society. Leaving that aside, you need to take cyber security as a passion. Secondly, let money follow you and not for you to follow money. As long as you take this forward there will be progression. Thirdly, we live in a society which is a lot stronger, and you can build applications which are a lot stronger and a digital world which is a lot stronger. Let’s be realistic, can we be away from this digital world?

“We can go green and all and try to make changes, but the truth is we are very much connected, so there is no way that you can take it away. We just have to drive it in a very positive sense; we have to make it a part of our lives and concentrate on the positive aspects that might come out.”

Professionals dealing with cyber security incidents need to take on the role of responding to those incidents properly. As advice to cyber security professionals in this regard, Pravin said, “I think it’s a matter of security response. In any crisis situation the first response is to fix the problem: get your network back on, get your servers running and back online. But I think it’s also critical, depending on the function and process that is already in place and your views, to get ready to take a step back also. You have to look at it holistically. For instance, when there are around 6,000 people on the network screaming their heads off, it’s easy to think of just doing a quick fix and figuring out what happened later. Somebody has to take that step back and figure out what’s happening. The one person who unfortunately happens to be at the forefront of things is the System Administrator, and he pretty much has the least amount of time to step back and see what’s going on. This is where corporate processes come in. It makes sense to create processes and take them to the management in case they don’t have them.”

Global best practices

Advising corporate IT officers on global best practices, Hans said: “You might be safer today based on the measures you have taken, but threats can be back any time. It’s important to be aware of the new technologies, and to have a good threat intelligence source feeding you with the threat information that’s floating around. Cyber security threats can cross borders. Whether you assume you’re not good enough or you’re ‘unhackable’, either can expose you to attacks.” He explained that it is always important to take security and global best practices seriously into consideration.

Big data

There was a question from the audience about how big data will be utilised by the Government, because only 5% of it is profitably used at the moment. Muhunthan explained that the platform required for big data needs to be deployed first: “Big data analytics and high-tech functions need infrastructure. If every Government organisation wants to do this, it would be quite cumbersome. That is why we’re initiating the Government cloud, and we would have a complete infrastructure on that. We would also look at incubating new methods of using small devices like the Raspberry Pi. We would be collecting census-type data, and when we collect such data we won’t be looking at its use at this moment. We don’t want to make use of the data right now because we don’t know what it will be. We just want to build the data set. We want to bring in financial data, census data, and we want to build that infrastructure. Around this area, if one were to ask, can we know the quantity of power that has been produced, the total units that have been consumed, what is the statement of people who have bills over Rs. 1,000, those types of data we should be able to provide them. This will also allow you to build apps from this data. Big data is a very wide area. There will be big data for the public and big data for other sensitive information. We need to keep data open, but we also need to protect data from specific use. We are very serious about big data; right now data is isolated and we want to bring it together so it’s more meaningful.”

Dealing with cybercriminal cases

Responding to the question of whether Sri Lanka has an organisation to deal with cybercriminal cases, Muhunthan said: “Under ICTA, there is an organisation called SL CERT which takes care of so many complaints. We have threats inside our international gateways and matters of financial fraud and many more that have been reported and taken care of.”

Global standards

A question was posed to Krishna about the global standards used in information security. In reply he said: “The most popular would probably be ISO 27000, which is predominantly used for cyber security, and in the banking sector it should be PCI DSS. So the standards are there, but it’s about how these have been implemented.”

Having discussed several concerns related to information security, the event came to a close, allowing the participants to network.

Pix by Upul Abayasekara