Re-thinking corporate cyber security risk landscape

The Bombay Stock Exchange (BSE) today organized a webinar titled: Corporate Cyber Risk Landscape.

The participants were, Ms. Khushboo Jain, Advocate, Supreme Court, Ashishkumar Chauhan, MD and CEO, BSE,  Lt. Gen. Rajesh Pant, National Cybersecurity Co-ordinator, Brijesh Singh, Inspector General, Maharashtra, Prof. Yuval Shavitt, Cyber security expert, Tel Aviv University, Israel, and Shivkumar Pandey, CISO, BSE.

Ms. Khushboo Jain, Advocate, Supreme Court, said we have to now connect, convert, and reboot. When we talk about cyber attacks, we need a solid foundation. Maharashtra has a nodal agency for cyber security. Cyber criminals have become business savvy.

Ashishkumar Chauhan, MD and CEO, BSE, said the challenge on how to secure remote working practices needs to be looked at. With the steady increase in cybercrimes, lots of organizations are at risk. Eg., Garmin was attacked. Such kind of breaches can lead to degradation and changes in consumer behaviour. Personal data also continues to be an effective target in the pandemic. Although it is impossible to be 100% secure, there needs to be some action to secure networks. BSE is fully compliant with the regulations provided by SEBI. Endpoint protection, training and protection, etc., are being provided.

Banking industry key target

Lt. Gen. Rajesh Pant, National Cybersecurity Co-ordinator, said that the banking industry has been the key target of the cyber attacks. We are wondering where has the perimeter gone. It has even extended to the homes of the people. We are looking at risks at the endpoint, identity level, etc. We cannot trust the other person at the other end, online. Combined with geolocation, there needs to be better identification of cyber attacks. Enterprises also need to ensure that the identity of the person is the same that he or she is. There are about 15 areas for cyber attacks, within mobile phones. There are also laptops, PCs, etc.

When you come to the network, you need to see the root of trust. You need to see where there is encryption. Behavior analysis and AI will play a major role in blocking out cyber attacks. There are talks of zero and sub-zero trust. You have to go down to a new level beyond that. Cyber attacks are getting more sophisticated. There was a Twitter attack on July 15. A number of bitcoins were being provided, if you gave some amount. Accounts of Bill Gates, Obama, etc., were also compromised. Many people fell for it.

Today, the creativity of the cyber criminals is simply amazing. They are getting more smart by each day. There are also mafias, nations, etc. These fraudsters have a sense of following the money trail. It is a very dangerous game being played against the finance companies. Vulnerabilities will always be there. We need to make sure that the networks safe and secure.

Businesses at constant threat

Brijesh Singh, Inspector General, Maharashtra, said there used to be talk about bring your office home. Devices have also started to come home. This has opened up a huge surface areas for the malicious actors. The adversarial landscape is very interesting. There are well researched crime states. Your businesses are now at a constant threat.

There was a write-up on the fabric of security. The essential thing is to detect and respond to these attacks. There have been examples of data breaches. Year 2019 had 8 billion data breaches. May of 2020 has already seen 8.8 billion data breaches! Today, ransomware can also be a data staging attack. They can also be used for blackmailing. Data theft is also very key. People are looking to steal data. It is like a tsunami.

There are businesses who are also getting compromised. These need continued surveillance. Cyber security is a leadership, and core issue. There can be situations where all trails get wiped out. Hacking is evolving by the second. The attacker begins, where you end! It is important that you understand your risk. There can be risks across education, pharma, smart cities, etc.

You have to understand your business well. Earlier, attacks were on the accounts. Next, there were attacks on the infrastructure. Next, they will be sitting inside your technology. The greatest risk is phishing. Malicious attackers understand who you are, and what are your passwords. It is essential to understand the modus operandi of these attacks. You also need to be smart about taking backups. You should also make your staff aware. You can apply your own document to your own systems. There are latest cyber threats that are masquerading. BSE has one of the best systems ever seen. We need to re-iterate that cyber risk is existing.

BGP attacks

Prof. Yuval Shavitt, Cyber security expert, Tel Aviv University, Israel added that today, the attacker detects the traffic to its network. IP hijack attacks are the first stage of any advanced persistent threats (APTs). Mitigating attacks early will stop the APT before it manages to do harm. It can be used to break encryption (DROWN) attacks. In the past, Border Gateway Protocol (BGP) was used for IP hijack attacks. There is a recent trend to move to stealthier attacks, such as data-plane manipulation and stealth BGP attacks. There were 14,000 incidents in 2017.

Current solutions monitor only BGP and there is limited path analysis. BGProtect solution do active monitoring. There is a global BGProtect SaaS solution. The BGProtect SOC and customer management systems gets alerts. There are unique AI rule engines with novel deep learning engine. There are unique databases. There is also a need to deploy advanced deep learning technology.

An example was the hijack of traffic from Canada to a Korean government network that was done using China Telecom PoP in Maryland, USA. There was a stealth hijack from the OVH cloud in France through to Kiev to NYC. There is also bad configuration of DNS. Traffic from DNS traffic to the K root server was directed to Iran by Tata. BGProtect notified the Indian embassy in Tel Aviv. The problem was solved within hours. A last example was when over 3,500 APs were directed to Bangladesh. All these routes suffered tremendous delays. IP hijack is a significant risk. Infrastructures, government entities, financial entities, and valuable data holders are all at risk. We need to understand the geography of the attacks.

Legal aspects

In her talk, Ms. Khusbhu Jain touched upon the legal aspects of a cyber attack. There are legal aspects and parts of the cyber threats. You need to understand how you will be impacted when a cyber attack occurs. Eg., you hear that there is a data breach on your company. One has to understand how to handle the legal part. You must have a team to handle the breach. You need to prepare for damage control and crisis management. You need to understand the kind of data that has been breached, and who are the customers impacted, and how. You also need to understand the nature of data that is breached. Eg., critical data.

What kind of safety measures do you need to follow? Let's take GDPR. GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £17.8 million) or 4% of annual global turnover – whichever is greater – for infringements. However, not all GDPR infringements lead to data protection fines.

The kind of safety measures applied has to be exact. You have to prepare, prior to an attack. However, one cannot avoid a cyber attack. The kinds of audits, systems, compliance, etc., have to be in place. There may be a specific industry-wide standards later. As of now, we have to comply with the ISO/IEC 27000-series. There is need to have a proper SOP in place. There is a need to understand the data principles, data breach principles, etc.

Shivkumar Pandey, CISO, BSE delivered the vote of thanks. Changing the system to meet the needs of the business is important. There should be better understanding between finance, technology and law.