Reported by: banking|Updated: May 16, 2015
Ask a banking/financial industry’ CISO, what is a dataleakage and the reply is- more than a headache. Websense a global organization that protects organizations from advanced cyberattacks and data theft works with such industry leaders.
Banking Frontiers spoke with Websense to understand insights on the data-leakage front. Surendra Singh, the Regional Director of Websense and Maheswaran Shanmugasundaram, Regional Specialist share their insights and their learnings that they have observed by working with leading financial organizations.
Many data breaches are being reported worldwide, but there are very few that get reported from India. Would it be safer to assume that we are following best practices to thwart fraudsters?
Unlike US or Europe, India does not have any legislative framework which mandates organizations to report data breaches comprehensively and this could be a probable reason why there are not many data breaches reported in India.
It’s also important to understand that most big brands (JP Morgan Chase, Staples, or Target etc.) that came in news for having data breaches probably had best of breed of breed technologies, security processes and security teams in place to thwart security attacks.
However, we are increasingly witnessing that responsible organizations in India have started to recognize rising global cyber-crimes and data attacks. They have begun to put in place effective IT security measures so that their confidential data is intact and there is minimal impact to their reputation.
When comparing security products, what standards should organizations keep in mind?
Maheswaran Shanmugasundaram: It is recommended to identify the needs and pain points that an organization is trying to address through the security technology and make that as criteria to choose products, Most Organizations when evaluating security products, focus more on functionalities and features of the products rather than checking how those functionalities will benefit them, For example, when technology teams, evaluate a solution like a DLP or an APT- they should look at how the solution can fit the organizational culture, and how the organization as a whole can embrace it as a practice. Additionally organizations should also understand that the tools used in fraud prevention should result in ease of operations with minimal effort.
With attacks becoming so complex and internet access patterns changing, security systems can throw in a number of logs. The volume of these logs has been increasing significantly. Organizations should look at what kinds of alerts are being generated by these tools. This understanding has to be contextual. In the example of Target, the devices detected the threats, but it missed the eyes of the security administrators- they may have taken it as a case of a false alert too. The threat intelligence provided by the security tool is extremely important and the tool should provide enough contexts on logs generated and alert security administrators proactively on high priority incidents.
What lessons can be learnt from some of the historic banking data breaches?
Maheswaran Shanmugasundaram: It is speculated that some of the attacks that have happened in recent past could probably have been initiated by compromising an employee’s identity. Hackers normally try to find the weakest link and for most organization humans are identified to be the weak link and end users have become part of the threat landscape. Organizations needs to revisit their awareness campaigns and move away from passive to active awareness campaigns which can educate end users as and when they are about violate security policies and this would help embedding security as a culture with end users.
Also as mentioned earlier, it’s important for organizations to assess risks periodically and ensure they identify their high risks assets and have a framework to protect their high risks assets against advanced attacks.
Sairaj Iyer: What are your thoughts on data leakage and prevention standards adopted in India?
Surendra Singh, Regional Director- SAARC, Websense
Surendra Singh: There are no specific standards that have been adopted in India specifically around data security. But, many organizations adhere with ISO27001 standards which included data security controls as part of the same, it’s becoming imperative for organizations to have controls deployed to identify and protect their critical data assets. Working with controls would mean that risk parameters are well-judged and adhered to. Additionally by having controls a data centric security framework can be built that helps govern processes, people and technology.
The Information Technology Amendment Act, 2011 has set the ball rolling in addressing the needs of data protection laws in the country. Section 43A of ITAA mandates ‘body corporates’ to implement ‘reasonable security practices’ for protecting the ‘sensitive personal information’ of any individual, failing which they are liable to pay damages to the aggrieved person. There are also other clauses (Section 67C, 69B, 70B, 72A etc.) which mandates organizations to look at data security seriously. The provisions are however not adequate to meet the needs of corporate India holistically to protect their critical data assets.
In a regulated environment like banking, it’s extremely important to deploy appropriate controls and adhere to regulations or standards like US Patriot ACT, PCI, and ISO27001 etc. to ensure critical customer, employee and corporate data is identified and protected comprehensively.
What concerns do you find CIOs grappling with WhatsApp?
Surendra Singh: WhatsApp concerns are a part of the mobility culture. There are two concerns here; one is on data and the second regarding malware infiltration to corporate network. If an organization has a strategy to get BYOD, then it is essential to study the need, evaluate risks and identify controls that needs to be enforced to roll out the strategy effectively, Websense as an organization helps corporates have a content-centric mobile security model. Websense mobility solutions will help organization to protect identified critical data leaking from mobile devices to unauthorized recipients intentionally or unintentionally. Some MDM solutions also offer good controls to compartmentalize data to ensure corporate data doesn’t move into personal data compartments. Device centric security coupled with data awareness we believe will address data theft/loss risks for organizations when they embrace mobility.
The second concern is that, organizations get targeted, when fraudsters or imposters infiltrate into a corporate network. Websense offers real time analysis of content accessed from Internet for malware downloads inappropriate use, detect data thefts etc. and can help organizations enforce acceptable use and security policies even for mobile devices.
It is recommended that organizations do a comprehensive risk assessment on the mobility strategy of an organization before it’s rolled out rather than identifying risks after embracing the same and the risks needs to be evaluated and addressed constantly to ensure their mobility strategy remains effective. Mobile applications developed needs to go through a code review to check for security effectiveness and penetration tests/vulnerability assessments needs to be done to ensure that identified vulnerabilities and security loopholes are patched before they are being shared with employees.
What concerns on the Shadow-IT front?
Maheswaran Shanmugasundaram: The problem occurs when security is considered only after a manipulation, or at the last. Shadow IT broadly brings risks because of two behaviors, end users using unapproved applications for personal use and business embracing applications for business use without the knowledge of IT, Few of the organizations have started using cloud without knowledge of IT or Security teams and security was considered after they embraced Cloud. This approach can result in significant risks for an organization.
Many vendors do observe that some of our RFPs to select a cloud vendor or outsourced vendor do not contain risk parameters and statements pertaining to liabilities in the case of a platform/data breach. How effectively the cloud service provider conduct risk assessment of their cloud infrastructure is not known in advance. There is a need for the industry to hold such discussions in advance and ensure all risks because of embracing Cloud are known and evaluated and methods to manage them are identified before embracing apps.
Organizations also need to have good controls on preventing end users from installing applications and tracking application inventory periodically, it is also recommended to have policies to allow only approved applications to access critical data to eliminate risks of end user installing applications without the knowledge of IT.
Social engineering is touted as posing multiple challenges, especially with factors such as Pradhan Mantri Jan Dhan Yojana, Facebook.org, and mobility being extended to the deepest of rural pockets, coupled with the launch of 4G. What should organizations look to back themselves?
Maheswaran Shanmugasundaram: Customer education is a key challenge here. Rural customers may share transaction details, and obviously their card details too. A multi-level defense system is the need of the hour. Hackers are profiling target users so that they can compromise and launch targeted attacks. It is recommended for organizations to derive processes to launch effective awareness campaign considering rural customers and make these campaigns proactive, Also from an employee perspective, banks should identify hi-risk users and system administrators as these users would be typically would be the target for hackers. We are aware of some organizations that create constructive awareness campaigns by sending simulated phishing emails to their employees and enforce awareness programs for users who click links in the emails or open attachments embedded in such mails, this also helped these organizations to know the high risks users who are prone to social engineering attacks. These organizations also reward employees who detect such phishing mails and report to security teams to motivate employees to be more security aware.
Such effective awareness campaigns coupled with robust security framework would help organizations prevent risks because of social engineering attacks effectively.
What are some of the most sophisticated and advanced cyber criminals currently working on?
Surendra Singh: Our 2015 threat report mentions that advanced cyber crime is far too easy and malware is offered as a service. In the black market, one can invest 800 – 1500 USD to buy malware and launch a complex targeted attack. Compared to the money they would get, the investments sound like peanuts. The attack duration is also becoming shorter. The hacker plans to get things in the shortest duration possible to ensure to evade detection.
These cyber-criminals also collaborate more to ensure they launch complex and advanced attacks which is tough to detect, hence it’s extremely critical for organizations to have an effective framework to detect and prevent attacks as its happening.
Do CMOs and cross-functional teams also deliberate on security?
Surendra Singh: Yes, cross-functional teams are increasingly becoming integral part of security practice as they are the business owners of critical data. It will be difficult for any IT security team to properly define and classify confidential data without the involvement of cross-functional teams. Secondly, different teams require different IT access and controls which can be specified by functional heads to the IT team
This applies to several departments such as marketing, legal and HR. The customers that we have interacted in the past 15 months, we see business actively participating and help work with CIOs and CISOs to ensure their critical assets are protected. But majorly these strategies are driven by CIOs and CISOs.
Gone are days when security remains isolated, business stakeholders are held responsible and accountable. Boards are taking security very seriously and there is a cognizance of the business impact a security breach can create.