global cyber security outlook
TRANSCRIPT
-
8/17/2019 Global Cyber Security Outlook
1/23
In association with Presented by
Hotel Digital Security SeminarSEPT 19, 2014
A.K. Vishwanathan, Senior Director – Enterprise Risk Services, D
GLOBAL CYBER
SECURITY OUTLOOK
-
8/17/2019 Global Cyber Security Outlook
2/23
-
8/17/2019 Global Cyber Security Outlook
3/23
Agenda
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
3
! Current state! Case study
! Solutions
! Way forward
-
8/17/2019 Global Cyber Security Outlook
4/23
Current state
By X Events Ho
4
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
-
8/17/2019 Global Cyber Security Outlook
5/23
Recent trends in India
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
5
0
5000
2008 2009 2010 2011 2012 2013
Number of Cyber Crimes
under IT Act
Over 35 % of theIndian organizationsacross various sectors
have engaged incorporate espionage
Nearly14,000 websites werehacked by cyber criminals tillOctober 2012, an increase ofnearly 57% from 2009.
81% of the CXO in this sectors depicts an increase ininformation security spending over the coming fewyears
Website of Indian Embassy in Tunisia hackedin retaliation to the terrorism attack on KarachiAirportin June 2014. The embassy website was hackedby a group called “Hunt3R
Source : NCRB (National Crime Records Bureau
-
8/17/2019 Global Cyber Security Outlook
6/23
Key information securitychallenges – Pain areas
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
6
01
02
03
04
05
Cyber Spying
Virus and Trojans
Data Theft
Cyber Terrorism
Phishing & Identity Theft
Illegal interception of government data by foreigcountries. NSA has been alleged to plant bugs in Indiaembassy in Washington DC
Infection of government IT systems with malwares thaallow gives control to the hackers. Government oIndia IT systems infected by Conficker worm in 200causing multiple crashes and downtime.
Insecure storage of GOI data leading to unauthorizeaccess by hackers and spies. Alleged Chinese hackers2010 hacked in GOI systems to access NationSecurity Council data
Hacktivism attacks on GOI websites leading reputational damage. Multiple foreign country hackewere responsible for hacking of websites of GOI
Phishing attacks targeted towards GOI employees steal identities and data. GhostNet attacks on IndiGovernment employees was conducted through spephishing attacks
CIA
CIA
CIA
CIA
CIA
The following are they key information security challenges being major organizations in India
Confidentiality : Sensitive content and privacy of data
Integrity : Unauthorized modification of data
Availability : Multiple points in the IT infra preventing single point of failure Source : Times of India
-
8/17/2019 Global Cyber Security Outlook
7/23
Understanding cyber threats
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
7
2
Organizational boundaries have
disappeared – anytime, anyhow,anywhere computing
1Actors with differing motives andsophistication – often colluding with
each other
3Attacks exploit weakest link in the
value / supply chain
5
Traditional controls are necessar
not adequate
4Data is money – criminal undergrmakes for easy monetization
6Regulators and government are k
stakeholders with ever increasing
Loss of PII data, customer data, sensitive
and confidential company data.
Availability of organization’s information is crucial
and loss of such could result in impacting critical
business functions.
Breach of integrity could result in complete
breakdown of trust of the organization. Brand
reputation gets affected majorly leading to los
revenue
Losses resulting from leakage of backend
customer data will impact customer’s trust on
the brand
National Cyber Security Policy formulated wit
on capability building at Nation level
Modern Cyber Threat landscape have evolved over the years. Applications and IT
infrastructures are core pillars in today’s business. Security of core shall ensure security ofthe business.
Criminals pilferage on the PII data for identity
leading to potential damages to customers
-
8/17/2019 Global Cyber Security Outlook
8/23
Industry view – Indian sector view
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
8
Hotels Airlines Travels & Touris
Sensitiveinformation
handled:
Internal strategic
&Customer
Confidential
• Visitor name, address,contact details, unique
identification numbers or
documents – Passport, PAN
card, Driving License, Creditcard etc.
•
Hotel billing details such as
billing and payments ,
outstanding bills etc.
•
List of No. of Rooms
occupied/vacant, pre-bookedrooms, etc.
•
Vendors/Supplier details,
contract details, outstanding
payment details
• Passenger Name, contactdetails, passport, visa
details etc.
• Flight details such as no
of passengers and crew,
passenger and crewpersonal details, city and
time of departure and
arrival etc.
•
Flight details such as
details of flight status,flight maintenance details,
etc.
• Tourists’ Name, AddresContact Details and un
identification numbers o
documents
•
Tourist travel details su
as mode of travel,destination city, duratio
stay and accommodatio
details.
•
List of strategic tie-ups
related financial recordswith the organization
-
8/17/2019 Global Cyber Security Outlook
9/23
Industry view – Indian sector view
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
9
Hotels Airlines Travels &Tourism
Concerns
•
Absence of securitycompliance for information
related controls
•
Compliance controls on
basis of the quality controlsonly
•
Regulatory compliancesin terms of financial or
business controls
•
Absence of security
compliance forinformation related
controls
•
Absence of securitycompliance for informat
related controls
•
Compliance controls on
basis of the quality cononly
Security initiativesin HATT sector
•
Regulatory Implications drive security approach. Initiatives are taken by management todrive security in the organizations
•
Absence of regulatory requirements provides ground for laxity in security initiatives within
organization
-
8/17/2019 Global Cyber Security Outlook
10/23
Paradigm shift: Info security mgt.
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
10
Key questions to consider:
! Strategically!
• Do you have a cyber security strategy including a clear cyber governance framework ?
• How are you evaluating and managing cyber risk?
• Is the existing risk framework adequate to address changing threat landscape?
• How structured and well-tested are you existing incident response and crisis managemecapabilities?
! And tactically!
• What is leaving our network and where is it going?
• Who is really logging into our network and from where?
• What information are we making available to a cyber adversary?
-
8/17/2019 Global Cyber Security Outlook
11/23
Case study
By X Events Ho
11
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
-
8/17/2019 Global Cyber Security Outlook
12/23
Operation hangover
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
12
Recently attackers of unknown origin conducted a large hacking operation on multiple compa
servers hosted in India.
Target Employee in theVictim Company
Attacker creates a malicious
attachment in PDF file and sends to
an unsuspecting and unaware foreign
government employee. The malware
is signed using certificates purchased
by a company in New Delhi, India
1
The users gets infected with malware
that acts as a backdoor to his
system. The attacker is able to pivot
his system to conduct further attacks
in the network.
2
Server hosted in Ind
All data stolen from the company are stored in a server hosted in India
with domain names similar to large ecommerce sites in India. These form
of operational security measures indicate an attempt by the attackers to
hide the operation in plain sight
3
Source : Norm
-
8/17/2019 Global Cyber Security Outlook
13/23
Leading hotel chain in the USA
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
13
A leading US hotel chain was breached by hackers from 2009 – 2010 resulting in s
of 700,000 customer information. They were breached 3 times in the period durin which these information was siphoned out.
2
1
3
Key Security Flaws (as per FTC report)
Absence of Firewalls
Default username and passwords
Weak access controls for remote sites
Failure to conduct regular reviews 4
•
FTC sued the organizationloss of customer informat
• Organization has failed to
the case
•
Investigations proved majocompliance to PCI DSS
requirements by organizat
locations
• 10.6 mil USD was estimat
of data breach
Implications
Source :Media Reports
-
8/17/2019 Global Cyber Security Outlook
14/23
Hospitality industry
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
14
Hospitality, Airlines and Tourism industries depend on exhaustive branding and marketing efforts
of their services. Any impact on their IT infrastructure, websites or data that gets published in theleads to direct effect on their revenue and core business sales.
Incident
• Airways vendors got breached by hackers leading todisclosure of internal employee information and customer
information.
• Data breach was investigated however with no conclusiveroot cause analysis
Impact
• Multiple news reports on the data breach got published
leading to branding and reputational risks for the airlines.
Leading Airlines in US It takes an average of 156 days
businesses to realize that the a
breach has occurred (Trustwave)
43% of CXO officers report thatnegligent insiders are source of
majority of the breaches (IBM)
Source :Media
-
8/17/2019 Global Cyber Security Outlook
15/23
Way Forward
By X Events Ho
15
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
-
8/17/2019 Global Cyber Security Outlook
16/23
Cyber security mgt: Methodology
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
16
-
8/17/2019 Global Cyber Security Outlook
17/23
Cyber security: Maturity mode
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
17
IT Cyber AttackSimulations
Business-WideCyber Attack Exercises
Sector-Wide & Supply ChainCyber Attack Exercises
Enterprise-Wide Infrastructure& Application Protection
Global Cross-Sector ThreatIntelligence Sharing
Identity-AwareInformation Protection
IT BC & DRExercises
Ad Hoc Infrastructure & Application Protection
Adaptive & AutomatedSecurity Control Updates
IT Service Desk& Whistleblowing
Security Log Collection& Ad Hoc Reporting
External & Internal ThreatIntelligence Correlation
Cross-Channel Malicious Activity Detection
24x7 Technology CentricSecurity Event Reporting
Automated IT AssetVulnerability Monitoring
Targeted Cross-PlatformUser Activity Monitoring
Tailored & IntegratedBusiness Process Monitoring
Traditional Signature-BasedSecurity Controls
Periodic IT AssetVulnerability Assessments
P r o a c t i v e T h
r e a t M a n a g e m e n t
Level 1 Level 2 Level 3 Level 4 Level 5
Automated ElectronicDiscovery & Forensics
Situational Awareness of
Cyber Threats
Basic OnlineBrand Monitoring
Automated MalwareForensics & ManualElectronic Discovery
Government / Sector ThreatIntelligence Collaboration
Ad-hoc ThreatIntelligence Sharing
with Peers
Baiting & Counter-Threat
IntelligenceCriminal / Hacker
SurveillanceCommercial & Open Source
Threat Intelligence Feeds
Real-time Business Risk Analytics & Decision Support
Workforce / CustomerBehaviour Profiling
Network & System Centric Activity Profiling
Business Partner Cyber Security Awareness
Targeted Intelligence-BasedCyber Security Awareness
General Information SecurityTraining & Awareness
InternIntellig
SecurMonito
AssetProtec
CyberPrepa
Trainin Aware
Behav Analy
ExternIntellig
Intellig
Collab
E-DiscForen
BrandMonito
Cyber Security Maturity Levels
Basic Network Protection
AcceptableUsage Policy
T r a n
s f o r m a t i o
n
O p e r a t i o n a l E
x c e l l e n c e
B l i s s f u l I g
n o r a n c e
Online Brand &Social Media Policing
Ad Hoc System /Malware Forensics
-
8/17/2019 Global Cyber Security Outlook
18/23
Way forward: Cyber security v2.0
By X Events HoHotel Digital Security Seminar & Webinar, Sept 19, 2014
18
A forward-looking approach to developing your organization’s cyber security capabilities is needed t
ensure on-going cyber threat mitigation and incident response.
-
8/17/2019 Global Cyber Security Outlook
19/23
About us
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
19
X Events manages & supports events
exclusively for the hospitality & travel
industries.
o Our USP is that we are hoteliers
by training. We focus on the two
most important aspects of an
event; content quality and impact.
o We do it because we believe in it.
www.x-events.in
By X Events Ho
HATT is India's young and premium
community for CXOs from theHospitality, Healthcare, Aviation, Traveland Tourism industries.
o With over 1,000 members across
India, we are now poised to expand
globally with a presence in South Eas
Asia and the Middle East by 2016.
www.hattforum.com
FB/hattforum
-
8/17/2019 Global Cyber Security Outlook
20/23
Our host – Brian Pereira
By X Events Ho
20
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
Brian is a veteran technology
journalist with two decades ofexperience. He has served aseditor for two magazines: CHIPand InformationWeek India.
He is a respected speaker & hosat conferences worldwide.
In his current role at HannoveMilano Fairs India, Brian serveas project head for CeBITGlobal Conferences,the
world's largest ICT fair thatwill debut in India this Novembein Bangalore.
-
8/17/2019 Global Cyber Security Outlook
21/23
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
21
Five expert speakers 1. Latest threats in digital security (Worms, attacks, viruses, flaws) -
Santosh SatamCEO, SecurBay Services.
2. The immediate action needed to tighten up (Priority list, cost, internal policies- Ambarish Deshpande, MD - India & SAARC, Blue Coat
3. Information loss prevention (Principles & practices) - Geet Lulla, VP - India & MESeclore
4. How to build a business case &
get the management's attention
-
DhananjayRokde, CISO, Cox & Kings Group.
5. Global cyber security outlook - A. K. Viswanathan, Senior Director - Enterprise RiskServices, Deloitte India.
By X Events Ho
The seminar schedule
-
8/17/2019 Global Cyber Security Outlook
22/23
In association with Presented by
-
8/17/2019 Global Cyber Security Outlook
23/23
In association with Presented by
www.x-events.inSEPT 19, 2014
HOTEL DIGITAL SECURITY SEM