Cyber Security Expertise in India

Indian industries are already facing a shortage of skilled security professionals. The major dearth is of competent experts who understand the subject well and can work to mitigate the risks. The shortage is going to become more acute as demands for compliance go up with regulations like the IT Act, sectoral guidelines issued by RBI and SEBI, and the stringent penalties provisioned under the amended UASL for the telecom sector. To deal with this challenge, a multi-pronged approach is best suited, one that targets multiple levels – entry level, vocational, college/university education and on-the-job training.
The Joint Working Group of the National Security Secretariat has recommended setting up the Institute of Cyber Security Professionals of India to train and certify professionals in cyber security, very similar to how the Institute of Chartered Accountants operates. This is an excellent idea, but its success will depend on aligning the course content with industry requirements. International certifications like CISA and CISSP are preferred globally today because the courses are designed with active involvement of the industry. However, these certifications are expensive and will make only a limited contribution to capacity building in India. India needs its own strategy.

Initiatives from trade bodies like ASSOCHAM and Skill Sector Councils, under NSDC’s PPP model, are perhaps the best bet at this moment. Qualification Packs, or skill requirements, are being defined for different levels of jobs in consultation with the industry. The council will have private partners who will train and certify aspiring candidates in line with the requirements laid out in the qualification packs. A Skill Sector Council specifically for cyber security would go a long way towards giving the field the priority it deserves. Currently, it is included in the IT/ITES SSC.

Coordination and collaboration among different entities working in this area are important so that duplication of effort is minimized at the government and industry level. Cyber Security Integrators (India) is working towards providing specialized content to students and corporate executives through a hybrid model, with both online and classroom training bundled. With quality training, India will meet domestic as well as global needs in Cyber Security.

Plane Hacking Case Points to Deeper Cyber-Security Issues for Airlines

Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit.

Other security researchers say Roberts – who was quoted by the FBI as saying he once caused “a sideways movement of the plane during a flight” – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Through his lawyer, Roberts said his only interest had been to “improve aircraft security.”

“This is going to drive change. It will force the hand of organisations (in the aviation industry),” says Jonathan Butts, a former U.S. Air Force researcher who now runs a company working on IT security issues in aviation and other industries.

As the aviation industry adopts communication protocols similar to those used on the Internet to connect cockpits, cabins and ground controls, it leaves itself open to the vulnerabilities bedevilling other industries – from finance to oil and gas to medicine.

“There’s this huge issue staring us in the face,” says Brad Haines, a friend of Roberts and a security researcher focused on aviation. “Are you going to shoot the messenger?”

More worrying than people like Roberts, said Mark Gazit, CEO of Israel-based security company ThetaRay, are the hackers probing aircraft systems on the quiet. His team found Internet forum users claiming to have hacked, for example, into cabin food menus, ordering free drinks and meals.

That may sound harmless enough, but Gazit has seen a similar pattern of trivial exploits evolve into more serious breaches in other industries. “It always starts this way,” he says.

Anxious airlines
The red flags raised by Roberts’ case are already worrying some airlines, says Ralf Cabos, a Singapore-based specialist in inflight entertainment systems.

One airline official at a recent trade show, he said, feared the growing trend of offering inflight WiFi allowed hackers to gain remote access to the plane. Another senior executive demanded that before discussing any sale, vendors must prove their inflight entertainment systems do not connect to critical flight controls.

Panasonic Corp and Thales SA, whose inflight entertainment units Roberts allegedly compromised, declined to answer detailed questions on their systems, but both said they take security seriously and their devices were certified as secure.

Airplane maker Boeing Co says that while such systems do have communication links, “the design isolates them from other systems on planes performing critical and essential functions.” European rival Airbus said its aircraft are designed to be protected from “any potential threats coming from the In-Flight-Entertainment System, be it from Wi-Fi or compromised seat electronic boxes.”

Steve Jackson, head of security at Qantas Airways, said the airline’s “extremely stringent security measures” would be “more than enough to mitigate any attempt at remote interference with aircraft systems.”

But experts question whether such systems can be completely isolated. An April report by the U.S. General Accountability Office quoted four cyber-security experts as saying firewalls “could be hacked like any other software and circumvented,” giving access to cockpit avionics – the machinery that pilots use to fly the plane.

That itself reflects doubts about how well an industry used to focusing on physical safety understands cyber-security, where the threat is less clear and constantly changing.

The U.S. National Research Council this month issued a report on aviation communication systems saying that while the Federal Aviation Administration, the U.S. regulator, realised cyber-security was an issue, it “has not been fully integrated into the agency’s thinking, planning and efforts.”

The chairman of the research team, Steven Bellovin of Columbia University, said the implications were worrying, not just for communication systems but for the computers running an aircraft. “The conclusion we came to was they just didn’t understand software security, so why would I think they understand software avionics?” he said in an interview.

Slow response
This, security researchers say, can be seen in the slow response to their concerns.

The International Civil Aviation Organisation (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them.

Researchers like Haines have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.

And that’s just the start. Aviation security consultant Butts said his company, QED Secure Solutions, had identified vulnerabilities in ADS-B components that could give an attacker access to critical parts of a plane.

But since presenting his findings to vendors, manufacturers and the industry’s security community six months ago he’s had little or no response.

Nasscom task force to make India hub for cyber security research

NEW DELHI: IT industry lobby group Nasscom on Monday launched the ‘Nasscom Cyber Security Task Force’, which aims to make India the hub for cyber security-related research, training and products. The development comes nearly three months after Prime Minister Narendra Modi exhorted the domestic IT industry and youth to help address the global cybersecurity challenge.

In March, Modi said that the country’s IT industry should come forward to help the government achieve its goals for Digital India, and called for increased innovation and a wider focus on the global challenge of cyber security. The task force, chaired by NIIT chairman Rajendra Pawar, will come up with a comprehensive cyber security plan within the next 12 weeks.

It aims to take the cyber security industry market share in India from 1% of the IT-BPM industry to 10% by 2025, with a trained base of 1 million certified cyber security professionals, as well as build over 100 security product companies in India.

“This task force will study the Indian cyber security ecosystem to identify issues and challenges and develop an action plan to address the priority issues,” said BVR Mohan Reddy, chairman, Nasscom.

“It will also identify possible intervention opportunities for the Indian IT industry in global cyber security space and bring together stakeholders from across the board to develop cutting-edge technologies and address the global market requirements.” The task force has proposed four working groups focused on industry development, policy enablement, technology development and skill development.

Recommendations from these groups will enable the task force to come up with a comprehensive cybersecurity plan for the country. The National Cyber Security Policy of India, announced in 2013, aims to create 500,000 skilled workers in the field of cyber security in India by 2018. Pawar said that while the number of cyber security professionals is increasing, the quality of the talent available is a bigger area of concern. “The challenge is finding that ultra-specialised group of people (in cyber security),” he said.

“Cyber security is a multi-dimensional concept that includes many disciplines and fields. Nations have to take appropriate steps in their respective jurisdictions to create necessary laws, promote the implementation of requisite security practices, incident management, and information sharing mechanisms, and continuously educate both corporate and home users about cybersecurity,” said R Chandrashekhar, president, Nasscom.

Containing the Zombie Malware Outbreak

Malware has been turning computers into what security pros call “zombies” since the turn of the century. Ever since, the security industry has struggled to keep pace with new malware variants to keep the threats in check. An approach called “containerization” adds a promising new way to control the zombie outbreak once and for all.

Just as zombies in pop culture suck the brain power from their victims, certain malware can turn your PC into its own oblivious slave. It creates a zombie-like machine running in the background without you even knowing, enabling cyberattackers to tap the power of your computer to spread spam, viruses and spyware across the globe.

Your computer could be operating as part of a botnet, sending out email spam, stealing confidential information, or furthering the spread of malware at this very moment.

Computers can become zombies in many ways, but the most common technique is through a Trojan virus installed via malicious email attachments or drive-by downloads from infected websites.

For instance, after you download and open a seemingly innocent email attachment, the Trojan runs quietly in the background and allows the attacker full access to everything on your computer. When antimalware technology isn’t used to protect against unknown threats — or if it is not continuously updated — users are at risk of a zombie takeover.

Consequently, the best new way to stem zombie infections both online and offline is with a four-layer approach.

Layer 1: Filters and Firewalls
Given that roughly 80 percent of corporate infections originate from email attachments and webpage links in emails, start with an email filter to begin setting up your pre-perimeter defenses.

Make sure to automate hardware and software maintenance to keep virus pattern files updated in real time. Reinforce your spam filter with a content/Web-page filter that disallows access to known infected pages. A cloud-based approach will make this automation much easier.

With your pre-perimeter defensive layers in place, use a properly configured firewall or unified threat management (UTM) tool at the network perimeter. Set firewall rules to deny any unsolicited traffic, either inbound or outbound.

UTMs with an antivirus gateway feature will also help to identify any infected attachments that your antispam filter may miss. Optionally, add an intrusion detection system (IDS) or network intrusion detection system (NIDS) with deep packet inspection (DPI) and a network access control system (NACS).

Layer 2: Internal Defenses
Next focus on your internal defenses. Standard antivirus tools have a role to play in desktop defense, but they are not enough anymore. These defenses are key to preventing malware because the zombie battle is won or lost on the desktop. It is the place where the infected attachment is opened, the link to an infected Web page is clicked, and where the infected USB stick is inserted.

Your desktop’s arsenal in the zombie war should include an antivirus tool to weed out the known bad (blacklisted) files, and it should include a whitelist component to identify known good files and not inhibit their operation.

While whitelisting employs a default-deny approach to containing files, it’s not 100 percent effective either. The whitelist’s inherent limitations make it difficult to keep up with new, legitimate applications and updates.

Layer 3: Automatic Containment
This is where automatic containment comes into play. It is the third and most critical weapon in the arsenal because it isolates and contains any other files, the ones that are neither known good nor known bad. These are the zombies in disguise.

Containerization changes the default method of handling unknown files. Instead of always allowing them into an endpoint (default-allow), it automatically isolates them in a virtualized environment on your computer where they can be safely run, analyzed and classified as good or bad.

Containerization is a security mechanism for isolating a running program, such as an unknown file, in a tightly controlled environment. Like whitelisting, a container employs a default-deny strategy to restrict access of all unknown applications to important files, folders and settings.

Containing a program prevents malware from installing any botnets or other zombie utilities on your system. If the program turns out to be malicious, no harm is done. While blacklists cannot protect against these new zombie threats because they haven’t yet been identified, a container can. If an exploit downloads malicious software while in a sandbox, it will be isolated and unable to spread.

Unlike traditional whitelist solutions, a container’s default-deny approach refuses all zombie-containing files permission to install or execute outside of its virtual container, except when specifically allowed by the user, or when the file is identified to contain binaries that are known to be safe, such as signed code.

Layer 4: Data Backup
Your final layer of defense is your critical data backup system. If the zombies do get through, you can always fall back on the Nuke All button and rebuild from scratch. (But who really wants to do this?).

Preventing your computers from becoming part of the walking dead of botnets, spreading spam, malware and other havoc, requires a new four-layer approach to containment.

Combining traditional antivirus tools, whitelists and backup with new containerization techniques for unknown file security will enable users to access and work with the files as they execute within the container’s virtual environment. The result is complete protection without the loss of time, money or productivity.

Friendly Hackers

Here’s a surprise — there are as many friendly hackers as there are malicious ones. At least 32 previously unknown vulnerabilities were aired at the recent Black Hat hacker conference in Las Vegas. More will come from the other big hacker conference, Def Con. Some of those bugs have been found in control systems for factories, power plants and other key installations.
These people are not doing this out of sympathy for the rest of us. Finding vulnerabilities can pay well. Increasing numbers of firms run bug bounty schemes that reward hackers for finding the vulnerability. Payment is a good reward for work that can be time-consuming, technically challenging and dull. Some vulnerability researchers spend weeks pursuing a hunch only to find out that it leads nowhere. Others use lots of computers, running scripts for days, battering away at software to see how it reacts when given different kinds of input. It might take tens of thousands of tries to get a result. In those cases, more often than not, finding the problems makes sites and services more secure. They are definitely helping. Having more people look over software is a good way to find its flaws. And the reason you don’t hear much about these “white-hat hackers” is because most work to a “responsible disclosure” ethic that gives the firm that made the software a chance to fix it before public knowledge about it spreads. The ethical hackers can often come up with a patch for the problem, produce defenses or close the hole.
There are also more informal groups that attempt to make hackers put their technical skills to good use. Initiatives such as “I Am The Cavalry” recruit security folks and get them to spread the word about making secure software.
So how does this help your company? Well, it won’t help at all if you remain unaware of the fix and you do nothing. You need to update your phone, update your browser, update your operating system, update your servers, update your applications. The basic advice is: update everything you can. Thanks to those friendly hackers, you will be able to block the vast majority of intrusion attempts, because they exploit known vulnerabilities. Now here is the problem – is your IT department fully current with all these bug fixes, and able to implement updates on all devices in a matter of hours? If not, then they should be made aware of several products in the market that accept threat intelligence feeds and can update tens of thousands of devices within minutes. This is one example where the good guys have the upper hand on the bad guys.

The Insider Threat

A recent report by PwC concluded that only about 10% of cyber crimes were perpetrated by insiders in 2014/15. However, that share is rising faster than external hacking, and the consequences are often far more damaging.
The 5 major categories of insider crime are Fraud, Espionage, Sabotage, Unauthorized Disclosure and Intellectual Property Theft. That last category of IP theft is most damaging. It almost always happens during normal working hours, and so it is imperceptible from normal behavior. The individual may use their own privileges to download the sensitive information, or they may impersonate another employee with higher privileges (by bribing, stealing or using social engineering). Then they take the data to their new employer, or release it to news agencies to cause a scandal, or sell it on the dark web, or use it to climb the company promotion ladder by appearing smarter than their colleagues.
Sometimes this is associated with a staff member’s role – you give IT systems administrators the keys to the vault, and that can be more risky if they are contractors rather than loyal employees.
Sometimes you can be alerted to this threat by non-technical means. For example, IP theft usually happens within 30 days of termination / resignation, and sabotage is often related to an employee’s psychological or behavioral issues.
Many businesses rely on technology tools that prevent download to external storage devices (memory sticks, disc drives) and monitor network traffic for anomalies (uploads to websites or large file attachments to emails). Some companies also enforce “separation of duties” by requiring two or more keys to open the data vaults. But these point solutions are imperfect, and you will never know if they are being circumvented because you will never discover the data loss.
Thankfully there is a much more complete solution. The media industry solved this problem, because they were threatened with extinction by illegal downloads & copying of music, movies, books etc. They “wrapped” each file in a container that only allowed it to be opened by the right person in the right place at the right time (that’s called Digital Rights Management). You can apply the same principles to protect your company’s IP. Firstly, when a file (or email, text message, social networking post etc.) is created by an end user, the content is monitored in real time and the company policy is applied to classify it as public, restricted, confidential, secret etc. Based on that classification, the data gets put into different types of envelopes (wrapping). The most sensitive data is containerized into an encrypted format with watermarking and expiration time stamping, only able to be read by the right person who authenticates to your Active Directory system. Then it doesn’t matter that you accidentally send a confidential email to the newspaper instead of to your boss, and it doesn’t matter that you leave your laptop on the train, or someone downloads data onto a memory stick and gives it to a competitor. Does your organization have this simple control in place?
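The classify-then-wrap flow described above, as an added example that is not part of the original article or of any vendor’s product: a constructed keyword policy assigns a classification, and anything above “public” is sealed into an envelope that carries the recipient, an expiry time and a per-recipient watermark, and that only opens for the authenticated principal before expiry. The keywords, the key and the identities are placeholders; the principal string stands in for whatever identity your directory returns after authentication, and the stream cipher built from HMAC-SHA256 stands in for a real AEAD such as AES-GCM, which a production system would use instead.

```python
import hashlib
import hmac
import json
import secrets

# Constructed classification policy, ordered from most to least sensitive; the
# first rule whose keywords appear in the content wins. Keywords are placeholders.
POLICY = [
    ("secret", ("merger", "acquisition target")),
    ("confidential", ("salary", "customer list", "source code")),
    ("restricted", ("internal only",)),
]
WRAPPED_LEVELS = {"restricted", "confidential", "secret"}


def classify(text: str) -> str:
    """Apply the policy to the content; anything unmatched is public."""
    lowered = text.lower()
    for label, keywords in POLICY:
        if any(k in lowered for k in keywords):
            return label
    return "public"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a real AEAD: HMAC-SHA256 run in counter mode (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(text: str, recipient: str, now: int, ttl: int, key: bytes) -> dict:
    """Classify the content and, if sensitive, seal it for one recipient."""
    label = classify(text)
    if label not in WRAPPED_LEVELS:
        return {"classification": label, "body": text}
    nonce = secrets.token_bytes(12)
    data = text.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    header = {
        "classification": label,
        "recipient": recipient,
        "created": now,
        "expires": now + ttl,
        # Watermark ties each issued copy to the person it was released to.
        "watermark": hashlib.sha256(f"{recipient}:{now}".encode()).hexdigest()[:16],
        "nonce": nonce.hex(),
    }
    header_bytes = json.dumps(header, sort_keys=True).encode()
    # Encrypt-then-MAC: the tag covers the header too, so recipient and expiry
    # cannot be edited without invalidating the envelope.
    tag = hmac.new(key, header_bytes + ciphertext, hashlib.sha256).hexdigest()
    return {"header": header, "ciphertext": ciphertext.hex(), "tag": tag}


def open_envelope(env: dict, principal: str, now: int, key: bytes) -> str:
    """Return the content only for the intended, authenticated reader, in time."""
    if "header" not in env:
        return env["body"]
    header = env["header"]
    header_bytes = json.dumps(header, sort_keys=True).encode()
    ciphertext = bytes.fromhex(env["ciphertext"])
    expected = hmac.new(key, header_bytes + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope has been tampered with")
    if principal != header["recipient"]:
        raise PermissionError(f"{principal} is not the intended reader")
    if now > header["expires"]:
        raise PermissionError("envelope has expired")
    stream = _keystream(key, bytes.fromhex(header["nonce"]), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


def can_open(env: dict, principal: str, now: int, key: bytes) -> bool:
    """Policy decision as a boolean, for callers that only need allow/deny."""
    try:
        open_envelope(env, principal, now, key)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    KEY = b"\x01" * 32  # constructed demo key
    memo = wrap("Board memo: merger with ACME next quarter", "alice@example.com", 1000, 3600, KEY)
    print(memo["header"]["classification"], can_open(memo, "alice@example.com", 2000, KEY))
    print("wrong reader:", can_open(memo, "bob@example.com", 2000, KEY))
    print("after expiry:", can_open(memo, "alice@example.com", 5000, KEY))
```

The point of the design is that the mislaid laptop or forwarded email carries only the sealed envelope: without the key held by the authentication service, and without being the named principal inside the expiry window, the copy is unreadable, and the watermark identifies which issued copy leaked.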

Easy Money

Cyber security attackers have become extremely sophisticated at implanting malware in your systems and evading detection as they quietly steal your sensitive data. While that threat is increasing in popularity among clever hackers, there remains a thriving community of criminals who are far less sophisticated and are making a good living out of one of the oldest forms of cyber security compromise – the Denial of Service attack.
In the early days of cyber security, the most primitive attack was a “broadcast storm” where the attacker set out to cripple a website by bombarding it with spurious requests, thereby flooding the network or overwhelming the server capacity and causing the website to freeze. This was usually done to make a political statement or demonstrate the cleverness of the attacker, but it was considered a mere irritation because no lasting harm was done, and no data was stolen or corrupted.
These attack mechanisms grew in sophistication by using servers scattered over the globe to propagate the attacks (called a Distributed Denial of Service attack, DDoS), thereby making them much harder to block. Almost anybody can find software on the web to launch such an attack (such as MyDoom or Stacheldraht). But criminals didn’t pay much attention to this, because there was no money to be made. Well, that has all changed.
The US Federal Bureau of Investigation (FBI) recently reported that hackers threatened more than 100 companies including big banks and brokerages in the financial sector to take their websites offline with distributed denial of service (DDoS) attacks, unless they pay large sums.
The cyber branch at the FBI’s New York office said that the companies have been receiving such DDoS threats since April 2005. They added that some companies have paid the ransom money, amounting typically to many tens of thousands of dollars. These companies end up facing further trouble as hackers know that they are willing to engage. Most of the companies are willing to pay the money to avoid service disruption that could lead to big losses. A distributed denial of service outage could mean losses of more than $100,000 an hour for financial companies, according to information services and analytics company Neustar.

In the past criminals avoided this sort of extortion because they could be tracked down through the banking system. However they now demand payment in Bitcoins, created digitally by an anonymous community of people that anyone can join. Bitcoins are transacted using computing power in a distributed network, and are called a “cryptocurrency”. When your Bitcoins are sent, there’s no getting them back, unless the recipient returns them to you. They’re gone forever. This makes extortion much more attractive for criminals, because there is almost no chance of being tracked down by law enforcement authorities. Easy money.

Your Health Check

When you see your doctor for a medical check-up, the results are kind of predictable, and not very actionable – lose weight, get more exercise, and avoid stress. A cyber security health check can be much more insightful and actionable, and I recommend that your company does this regularly.
A cyber security diagnostic includes:
Focus on the important stuff. Does your company have a document classification scheme that allows you to identify the relatively small proportion of highly sensitive information, thereby allowing you to take special measures to protect it?
Awareness. Do your staff appreciate the threat, understand the common techniques used by hackers, and follow your company guidelines on good practices?
Prevention. Do you have an adequate set of products in place (firewalls, antivirus software, URL blocking etc.) to avoid an intruder finding an easy gap in your defenses? Are these devices properly configured to work together? Do you have good processes to oversee your defenses? Have you conducted an independent penetration test to see how this works in practice?
Detection. How good is your security architecture at detecting a successful intrusion? Do you have the skilled staff and processes to see these alerts buried in all the noise of thousands of security events every day?
Reaction. Do you have skilled staff who can respond promptly to an intrusion, and minimize the impact? Do you have an incident response plan for a significant event that addresses all the consequences (operational, legal, PR etc.)? When did you last hold a practical test of how well that plan copes with a real event?
Day-to-Day operations. Do you understand the strengths, weaknesses and improvement plan you should be following? Is this dependent on a few key staff members? How trustworthy are they with your sensitive assets, and how would you cope with one of them leaving suddenly?

Whether it be your personal health, or the health of your company cyber security controls, you should always seek the advice of an experienced professional who does this work all the time. They will recognize the symptoms of a problem much quicker than someone close to you, and they have a deeper knowledge of your choices in dealing with a problem. Just as a general practitioner may advise major surgery and a specialist may come up with much less intrusive solutions, the same is true in cyber security. There is a great deal of nonsense and misinformation surrounding this topic, and an expert specialist may be able to help you avoid wasted spend and painful consequences. Companies that undertake a cyber-security health check are generally dismayed by the findings, but a year later they are in much better shape and spending less on this issue than they were before because they took the medicine prescribed for them.

An Architect’s Nightmare

Your digital security architect has a terrible job. The bad guys are smart, sophisticated, and quick at evolving their attack techniques. Your company is slow to respond, unwilling to invest, and almost certainly ignorant of the risks it is taking with its valuable assets. You are a sitting duck, and probably have already been compromised but don’t know it.
The poor architect’s job is made worse by the extremely fragmented array of security products to prevent and detect an intrusion. They are riddled with overlap in function and constructed in a way that impedes rather than encourages integration and system alignment.
The architect does not have the ability in today’s climate to wait out the storm in hopes that companies develop well thought out products that work in conjunction with one another — compliance obligations demand that they implement security products to handle all threats.
So when they look at data loss prevention, security information and event management, next generation firewalls, malware protection and more it is obvious that these technologies are very close to one another. They are similar in how they go about assessing and managing threats in that they analyse network and data traffic for anomalies and isolate and alert on patterns which are of concern and may be indicative of intrusive behaviour. Today you need all of them if you want to be secure and compliant, and they are all expensive. The funding to implement, manage, monitor and maintain these systems is excessive, especially since other than reducing risk it serves no obvious business benefit. Moreover, the cost to manage these systems detracts from your ability to use funding to innovate or improve business services.
Large-cap companies are the only ones able to deal with this complexity and cost, by employing the whole spectrum of skilled professionals required to deal with the diversity of issues, and by implementing lots of overlapping products in order to leave no gaps. This is extremely wasteful, and impossible for mid-cap and small-cap companies to resource.
Common sense dictates this has to change. A ray of hope has come with the recent aggregation of security companies and systems, such as Intel, Cisco, Microsoft and IBM acquiring smaller technologies to integrate within solutions. In addition, we are seeing smaller companies trying to grow by merging or acquiring other providers. So maybe there is hope of comprehensive product suites emerging, but meanwhile smaller companies must look to third party providers to offer virtual IT security teams (i.e. fractional use of shared resources) to provide the broad range of coverage required to deal with the increasingly sophisticated threat.

The Humble Password

Cyber security is an extremely complex science, but the most important aspect is the humble password. If I know your password, then I can impersonate you and get access to your sensitive data. Whereas a simple 7-digit alpha-numeric password can be cracked in a matter of minutes, a “strong” password has enough entropy to be effectively uncrackable. The problem with a strong password – one that is made up of 15 or more upper and lower case characters, digits and special characters – is that it is difficult for users to remember. Researchers have shown that the average person can remember fewer than 5 complex passwords. Thus many people use simple passwords that offer almost no security at all, and worse still, they use similar passwords for a wide range of systems access.
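The entropy argument above, worked through in code as an added example that is not part of the original article: brute-force entropy is the password length multiplied by log2 of the alphabet an attacker has to search, and the expected search time is half the keyspace divided by the guess rate. The class sizes (including a constructed 26-symbol special-character set), the one-billion-guesses-per-second offline rate, and the sample passwords are assumptions chosen to illustrate the scale; the policy check encodes the article’s own definition of “strong” (15 or more characters from all four classes).

```python
import math

# Character classes used for the estimate. The "special" set is a constructed
# 26-symbol alphabet; real policies vary, so treat the sizes as assumptions.
CLASSES = {
    "lower": ("abcdefghijklmnopqrstuvwxyz", 26),
    "upper": ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    "digit": ("0123456789", 10),
    "special": ("!@#$%^&*()-_=+[]{};:,.<>?/", 26),
}


def classes_present(password: str) -> set:
    """Names of the character classes that occur in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search: the union of the classes actually used
    (characters outside every class are ignored, which is conservative)."""
    return sum(CLASSES[name][1] for name in classes_present(password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: length * log2(alphabet size)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


def meets_strong_policy(password: str) -> bool:
    """The article's definition of strong: 15+ characters drawn from upper case,
    lower case, digits and special characters."""
    return len(password) >= 15 and classes_present(password) == set(CLASSES)


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guessing rate, guesses per second
    for pw in ("abc1234", "C0rrect-H0rse!7"):  # constructed sample passwords
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"~{expected_crack_seconds(pw, RATE):.3g} s at {RATE:.0e} guesses/s, "
              f"strong={meets_strong_policy(pw)}")
```

At the assumed rate the 7-character alphanumeric sample falls in well under a minute, while the 15-character mixed-class sample sits near 97 bits and would take on the order of 10^19 seconds. The estimate assumes the attacker has to search the full alphabet; dictionary words and reused passwords collapse the effective keyspace far below these figures, which is the practical reason for the reuse warning above.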
To overcome human memory limitations, vendors offer password vaults where you can use one strong password to access all your other strong passwords. But these products may have their own weaknesses, because the vendor has to offer an override in the event that the master password gets forgotten, and the hackers know about these back doors.
One solution is a password vault plus two-factor authentication, requiring a smartcard as well as your password to log in. With this type of two-factor authentication, even if your master password is decrypted, hackers still can’t access your accounts.
A more promising solution is to use a biometric authentication system. Fingerprint readers in particular are becoming cheap, and are increasingly found on laptops and smartphones such as Apple’s iPhone. The problem with a biometric like a fingerprint is that a fingerprint reader digitizes a limited amount of information, and so most fingerprint information is the equivalent of a not very complex password. With this information (which can be acquired by taking a photograph of a fingerprint left on almost any surface) hackers can impersonate the legitimate user by making a copy of their fingerprint out of a suitable material and using the copy to fool the fingerprint reader. This sounds like James Bond stuff, but it is actually not that difficult to do.
Fingerprint readers aren’t as secure as a complex password, but they may be more secure for you if you don’t want to use a complex password for each account you visit. That means that, for most people, fingerprint authentication is the most secure system that they are capable of using.
A more promising password alternative is a biometric authentication solution based on “continuous authentication.” These systems use a combination of biometrics such as facial and voice recognition, typing patterns, or mouse manipulation speed to check that a user’s characteristics match the profile of the user that he purports to be. Rather than authentication being a one-off process, the system continues to monitor the user to get a more accurate picture of the user, and whether the person using the system at a given time is the same as the person who originally logged on.
While financial institutions may well end up deploying these sorts of systems more widely, the truth is that for many online retailers and other organisations the cost of deploying anything more than a password system is too expensive to justify, and a password system is “good enough.”
When you look at the cost-to-security ratio, you will find that it is hard to find anything at the moment that will offer a higher level of security than a password for the same cost. Just make sure your passwords are strong.