Here’s how CISOs can haul their organisations towards cyber resilience – ET CISO
India has always been a soft target, as has every other country, because systems are built with business needs in mind rather than security. Around 2010-2015, many e-commerce applications and payment gateways were breached, but the incidents were never publicised or discussed. Today, several factors drive more news about data breaches: regulatory oversight, including mandatory reporting of cybersecurity incidents; increased adoption of digital technologies coupled with greater public awareness; more willingness among firms to disclose security incidents; and attackers posting details of breaches on social media and selling the exfiltrated data on the dark web.
To decode the nation’s cyber resilience and what enterprises should do about investing in cybersecurity and becoming resilient to cyber risk, ETCISO spoke to Krishna Sastry, Partner, EY. Sastry worked at the Ministry of Home Affairs for 23 years and is a member of INTERPOL’s Global Cyber Crime Expert Committee and RBI’s Inter-disciplinary Standing Committee on Cyber Security.
In Sastry’s view, the main reasons data breaches are increasing are:
* E-commerce products are developed and pushed to market without proper security testing. These firms do not follow “Secure by Design”, “Secure Development Life-cycle” and “DevSecOps” methodologies.
* Lack of proper change management and control, including version checking before code is rolled into production.
* Lack of a regulatory sandbox for standardising and baselining products.
* No compliance requirements and a lack of regulatory action in the event of a data breach.
Enhancing cybersecurity hygiene in this remote working era
“By using MFA, the organisation’s external perimeter can be protected. If MFA is enabled for VPN access and internally for sensitive server access, then even if the network is compromised, the chance of attackers accessing sensitive servers will be very low, as the attacker has to compromise two devices; and considering that MFA can be done on offline devices, it becomes rather impossible. Organisations should not expose external servers for RDP or SSH access over a direct connection but should use Privileged Identity Management solutions, which will provide secure access,” Sastry said.
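The advice above (no password-only remote logins, a second factor on top of a key, and SSH reachable only through a privileged-access host rather than directly from the internet) can be checked against an OpenSSH server configuration. The following script is an added example, not code from the interview or from EY: it parses `sshd_config` text and reports which of those controls are missing. The two configurations are constructed samples, and the expected settings (in particular treating `AllowUsers` with a host pattern as a stand-in for a bastion-only source restriction) are the author's assumptions, not a published baseline.

```python
"""Audit an OpenSSH sshd_config for the remote-access controls discussed above.

Added example, not from the interview. The checks encode assumptions about
OpenSSH hardening practice; the two configs below are constructed samples.
"""
from __future__ import annotations

import re

# Constructed sample: what an internet-exposed server often ships with.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: key plus second factor, root locked out, only the
# bastion host (assumed here to be 10.0.5.10) may connect.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers *@10.0.5.10
"""

_KEYVAL_RE = re.compile(r"[\s=]+")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global keyword -> value map.

    OpenSSH keywords are case-insensitive, accept "Key value" or "Key=value",
    and the first occurrence of a keyword wins. Everything from the first
    Match block onward is skipped: those settings apply conditionally and
    would make the global posture look stronger than it is.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = _KEYVAL_RE.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []

    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on: a phished or guessed password alone grants access")

    # Modern OpenSSH defaults to prohibit-password, so only an explicit "yes" is flagged.
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root can log in directly, defeating per-user accountability")

    # AuthenticationMethods is a space-separated list of alternatives; each
    # alternative is a comma-separated chain that must all succeed. Every
    # alternative needs two or more methods, otherwise an attacker simply
    # picks the single-factor alternative.
    alternatives = cfg.get("authenticationmethods", "").split()
    if not alternatives or not all("," in alt for alt in alternatives):
        findings.append("AuthenticationMethods does not require two factors on every path (e.g. publickey,keyboard-interactive)")

    # Heuristic stand-in for "only the bastion / PIM host may connect": a
    # user@host pattern in AllowUsers. The real control is the network ACL
    # in front of the server; this only checks that sshd also enforces it.
    allow_users = cfg.get("allowusers", "")
    if not any("@" in pattern for pattern in allow_users.split()):
        findings.append("AllowUsers has no user@host restriction: SSH accepts logins from any source that can reach it")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_sshd_config(text)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against a real host with `python3 audit.py < /etc/ssh/sshd_config` after replacing the constructed strings with `sys.stdin.read()`; note that `KbdInteractiveAuthentication` is the current name for what older releases called `ChallengeResponseAuthentication`, and that a PAM or OTP module still has to be configured for the second factor to mean anything.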
Top cyber risks that Indian enterprises face in this VUCA world
* Ransomware attacks against national critical information infrastructure such as banking and ISPs.
* Data exfiltration from pharma companies, especially to steal IPR data.
* Cyber-attacks on COWIN infrastructure, making it unavailable and sabotaging the vaccination programme.
* Phishing attacks on Indian customers to steal their personal data.
* Business email compromise frauds against small and medium enterprises.
* Ransom DDoS attacks on stock exchanges and public trading platforms.
What do cybercriminals think while preparing and executing a cyber-attack on an enterprise?
Gone are the days when attackers were less skilled. Today they are more skilled and more focused, and are known as APT attackers. Cybercrime tactics have matured and become organised, and are monetised through the dark web and virtual currencies.
“For example, ransomware has become revenue-generation malware. Cybercriminals have their own proprietary exploit toolkits and frameworks, domain specialists and research groups, and R&D labs. Cybercriminals are evolving towards immediate monetary benefit rather than a far-fetched possibility. Ransomware attacks serve as an instant means to extort money, while data breaches offer long-term gains to the attackers by selling the data,” Sastry added.
According to him, there are three types of cybercriminals: first, script kiddies who want to make instant money with crypto-mining malware; second, those dedicated to making maximum profit, like the REvil or Babuk groups, who stay in the network for long periods; and last but not least, nation-states, who generally do not seek monetary benefit and whose end objective is to steal sensitive data.
“Another observation is that the entire attack “chain” is not conducted by the same group. The lower-end jobs of a phishing attack, reconnaissance, gathering sensitive data about the target, etc., are “outsourced” to smaller “attacker” groups on the dark web,” Sastry emphasised.
Cybercriminals staying one step ahead
Attackers are already using AI/ML for social engineering attacks, IP spoofing, spam mail generation, automated vulnerability scanning, sandbox-aware malware, password cracking, DDoS attacks and more. In 96% of the APT attacks analysed, the hacking groups automated the initial steps of the attack, i.e. intelligence gathering and initial exploitation.
Sastry highlighted that attackers have developed excellent web crawlers for gathering information from open sources. Cybercriminals are using advanced cryptography for better, more robust ransomware, as seen in the REvil group’s ransomware, which is considered cryptographically superior. Attackers have started using advanced data analytics and ML to map networks and identify possible attack paths. With the growing attack surface, the terabytes of logs generated, the variety of tactics, techniques and procedures (TTPs) in use, and the speed of attacks, it is impossible to monitor and triage alerts using static rules alone.
“The cybersecurity community has realised three things: cyber security is a myth, and the focus should be on cyber defence. Eradication is not possible, but it can be mitigated. The “Protect, Detect and Respond” strategy is no longer valid. Organisations should now adopt “Detect, Respond and Protect”, as the new mantra today is early prediction/detection and rapid response. CIOs and CISOs should leverage similar technologies for the prediction and detection of attacks. For example, using advanced cryptography for better data security; AI and ML capabilities for anomaly detection; compromise assessment to understand the behaviour of sleeping and intelligent malware; DDoS attack mitigation, etc. The need of the hour is moving from existing rule-based Security Operations Centres to Next Generation Cognitive Security Operation Centres with analytics, AI and ML as the backbone,” Sastry highlighted.
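The gap between a rule-based SOC and behavioural detection that the interview describes can be made concrete on a handful of authentication events. The script below is an added example, not code from the interview or from any product: it runs a classic static rule (N failed logins from one source within a window) and a simple per-user behavioural baseline (known source addresses and usual login hours) over the same constructed log. The log format, user names, thresholds and the use of the baseline period as "normal" are all assumptions made for the illustration; the stolen-credential login slips past the rule but not the baseline, while the noisy brute force trips the rule.

```python
"""Static rule versus behavioural baseline over constructed authentication logs.

Added example, not from the interview. Log format, names, thresholds and the
notion of a baseline window are assumptions for illustration only.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-like lines. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, used here as "never seen before" external sources.
SAMPLE_LOG = """\
2021-07-19T09:02:11 auth user=asha src=10.20.1.15 result=success
2021-07-19T14:30:05 auth user=asha src=10.20.1.16 result=success
2021-07-19T10:12:00 auth user=bob src=10.20.2.40 result=success
2021-07-20T09:05:40 auth user=asha src=10.20.1.15 result=success
2021-07-20T13:58:12 auth user=asha src=10.20.1.16 result=failure
2021-07-20T13:58:30 auth user=asha src=10.20.1.16 result=success
2021-07-21T09:01:02 auth user=asha src=10.20.1.15 result=success
2021-07-21T10:08:31 auth user=bob src=10.20.2.40 result=success
2021-07-22T09:03:55 auth user=asha src=10.20.1.15 result=success
2021-07-23T09:00:48 auth user=asha src=10.20.1.15 result=success
2021-07-24T03:13:50 auth user=asha src=203.0.113.45 result=failure
2021-07-24T03:14:07 auth user=asha src=203.0.113.45 result=success
2021-07-24T10:05:00 auth user=bob src=10.20.2.40 result=success
2021-07-24T11:00:01 auth user=bob src=198.51.100.7 result=failure
2021-07-24T11:00:09 auth user=bob src=198.51.100.7 result=failure
2021-07-24T11:00:18 auth user=bob src=198.51.100.7 result=failure
2021-07-24T11:00:27 auth user=bob src=198.51.100.7 result=failure
2021-07-24T11:00:40 auth user=bob src=198.51.100.7 result=failure
2021-07-24T11:00:52 auth user=bob src=198.51.100.7 result=failure
"""

# Everything before this instant is treated as known-good behaviour (assumption).
BASELINE_END = datetime(2021, 7, 24)

LINE_RE = re.compile(r"^(\S+) auth user=(\w+) src=(\S+) result=(success|failure)$")

Event = tuple[datetime, str, str, str]  # (timestamp, user, source, result)


def parse_events(log: str) -> list[Event]:
    """Parse the constructed format; lines that do not match are ignored."""
    events: list[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def rule_bruteforce(events: list[Event], threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> set[str]:
    """Classic SOC rule: a source with >= threshold failures inside the window."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for ts, _user, src, result in events:
        if result == "failure":
            failures[src].append(ts)
    alerted: set[str] = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(src)
                break
    return alerted


def build_profiles(events: list[Event], baseline_end: datetime) -> dict[str, dict[str, set]]:
    """Per-user baseline from successful logins before baseline_end."""
    profiles: dict[str, dict[str, set]] = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, src, result in events:
        if result == "success" and ts < baseline_end:
            profiles[user]["ips"].add(src)
            profiles[user]["hours"].add(ts.hour)
    return profiles


def anomaly_logins(events: list[Event], profiles: dict[str, dict[str, set]],
                   baseline_end: datetime) -> list[tuple[str, str, str]]:
    """Successful logins after the baseline that deviate from the user's profile.

    Both conditions (unknown source AND unusual hour) must hold, trading some
    recall for a far lower alert volume; a never-seen user is always flagged.
    """
    flagged: list[tuple[str, str, str]] = []
    for ts, user, src, result in events:
        if result != "success" or ts < baseline_end:
            continue
        profile = profiles.get(user)
        if profile is None or (src not in profile["ips"] and ts.hour not in profile["hours"]):
            flagged.append((user, src, ts.isoformat()))
    return flagged


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("rule alerts on sources:", sorted(rule_bruteforce(EVENTS)))
    print("behavioural alerts:", anomaly_logins(EVENTS, build_profiles(EVENTS, BASELINE_END), BASELINE_END))
```

The single failure followed by a success from 203.0.113.45 at 03:14 never reaches the rule's threshold, which is exactly the pattern of a password taken by phishing and used once; the baseline catches it because neither the address nor the hour has been seen for that user. In production the profile would be learned continuously and the deviation scored rather than treated as a boolean, but the division of labour is the same: rules for loud, well-understood patterns, behavioural models for the quiet ones.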
Is India ready to adopt the open-source intelligence model in cybersecurity?
“India is ready to adopt the OSINT model for proactive attack surface mapping. Attackers from across the globe can use tools like Shodan to identify vulnerable servers in India, and if we don’t leverage them to understand our weaknesses, we’ll largely miss out on the opportunity. These practices are largely unregulated, but there’s a high chance that this becomes regulated. There is an urgent need to develop open-source-based sectoral Security Operations Centres, vulnerability scanners, dark-web monitoring tools and sandboxes to gather threat intelligence to share with relevant stakeholders. One of the biggest challenges is that the internet has no boundaries, and anyone can scan external surfaces. It’s pretty much a rat race where we need to stay ahead of attackers,” Sastry said.
CISO strategy to become cyber resilient
Organisations have realised the importance of moving from “Reactive to Proactive to Predictive” technologies and from “Trust All to Trust None”. They are now looking for technologies that increasingly help with early detection and prediction. The C-suite is looking at these technologies and is willing to invest in them over the coming years, as they reduce the time and money required to detect threats while increasing the accuracy with which threats can be identified.
“I think in the coming months/years the cybersecurity spending will be more on three areas: Enterprise Attack Surface Management, NextGen Security Operation Centres with AI and ML as key technologies and Implementing Zero Trust Architecture. CISOs should not only be given a seat at the table but also a free hand in reporting a cyber attack. Apart from corporate reputation, people’s trust is a crucial asset that a brand would lose if a data breach occurs. Effective communication with all the stakeholders and assuring the people that all possible measures are being undertaken is of utmost importance. As a best practice, organizations must earmark 9-12+% of their IT Budget for Cyber Security. Investing in cybersecurity auditing, IT and Data Governance is the first step towards cyber resilience,” Sastry concluded.