The year 2011 was the year the industry woke up to a new reality.
Despite the best defenses and security mechanisms at their disposal,
large companies such as Sony, Epsilon and Google were breached. The
high-profile intrusions followed a strikingly similar pattern, yet
one that standard security controls struggled to detect. Many of
them fit what the industry now calls Advanced Persistent Threats
(APTs): not a single exploit technique, but sustained, targeted
campaigns by well-resourced adversaries who stay inside a network
for months. Security had always mattered, but APTs changed the
perception completely, because they threaten a company's survival.
Sony is a telling example of how such a breach hits the business.
The estimated loss from the compromise of its PlayStation Network is
put at a massive USD 171 million. This includes the estimated costs
of identity theft protection, customer support, legal and consulting
fees, and, most importantly, the financial hit from lost future
revenue.
In the wake of this phenomenon, CEOs and corporate boards are
taking a keen, increased interest in security. “Last
year, we saw the landscape change dramatically with respect to
APTs. Till now, information security was a function that was part
of IT. APTs have altered the perception completely, and information
security is now a boardroom discussion,” says Kartik Shahani,
Country Manager, RSA India & SAARC. The only silver lining in the
wave of attacks is that organizations are now aware of the threat
posed by APTs.
This is also corroborated by a recent report by RSA-sponsored
Security for Business Innovation Council (SBIC), which states that
security professionals will bridge the boardroom gap this year. The
Security for Business Innovation Council is a group of Global 1000
security executives committed to advancing information security
worldwide. From India, the council has reputed CISOs such as Felix
Mohan, Senior Vice President and Chief Information Security
Officer, Airtel, and Vishal Salvi, Chief Information Security
Officer and Senior Vice President, HDFC Bank.
The SBIC report calls for a fresh and comprehensive approach to
information security, and highlights the fact that traditional
defense mechanisms are inadequate against sophisticated attacks
such as APTs. One reason is reconnaissance: an attacker can harvest
the information that employees and customers publish on social
networks and other public sources, and use it to craft highly
personalized messages aimed at specific enterprises or individuals,
messages that a perimeter control has no signature for.
This problem is more acute for firms in the BFSI industry, which
hold large customer databases and are therefore among the most
heavily targeted groups for attacks by hackers. In
India, the RBI has been taking a leading role by providing a
comprehensive list of guidelines related to information security
for banks. Besides standard guidelines, the RBI made
recommendations in broad areas such as IT Governance, IT
Operations, IT Services Outsourcing and Business Continuity
Planning. RBI’s proactive stance has raised the issue of
information security to a different level. For example, RBI’s
guidelines make it clear that banks are required to conduct a
formal gap analysis between their current status and stipulations,
and put in place a time-bound plan to address the gap and comply
with the guidelines. This has helped in catalyzing security-led
initiatives.

Agrees Vishal Salvi, CISO,
HDFC Bank, “Due to guidelines by regulatory bodies, there is
a lot of visibility, interest and expectation related to
information security. Across the industry, there is also interest
among board members who are keen to understand their
responsibilities related to information security.”
As the whole paradigm of security has changed, Salvi says it is
extremely important for enterprises to formulate their own response
mechanism. Unlike traditional attacks, APTs are highly targeted,
thoroughly researched, amply funded, and tailored to a particular
organization. They employ multiple vectors and use low and slow
techniques to evade detection: no single event crosses a threshold
that a conventional rule would flag. This calls for deploying tools
that can correlate a series of small, individually unremarkable
events over a long window and show the organization the real big
picture.
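The following is an added illustration of the correlation idea above, not code from the article, RSA or HDFC Bank. It contrasts a classic per-day threshold rule, which a patient attacker stays under, with a scoring rule that accumulates different weak signals per host over a thirty-day window. The log format, event kinds, weights and thresholds are assumptions made for the example, and the log lines are constructed.

```python
"""Low-and-slow correlation over host event logs.

Added example, not code from the article, RSA or HDFC Bank. The log format,
event kinds, weights and thresholds are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, "<ISO timestamp> <host> <kind> k=v ...".
# ws-17 shows a slow intrusion spread over three weeks; ws-42 is a user who
# occasionally mistypes a password.
SAMPLE_LOG = """\
2011-03-01T02:14:00 ws-17 auth_fail user=admin src=10.0.5.9
2011-03-01T09:10:00 ws-42 auth_fail user=jdoe src=10.0.7.3
2011-03-03T03:05:00 ws-17 new_service name=UpdSvc
2011-03-06T02:50:00 ws-17 auth_fail user=admin src=10.0.5.9
2011-03-09T01:30:00 ws-17 dns_query qname=cdn-update.example.net
2011-03-10T01:31:00 ws-17 outbound dst=203.0.113.7 port=443 bytes=512
2011-03-12T09:15:00 ws-42 auth_fail user=jdoe src=10.0.7.3
2011-03-14T01:32:00 ws-17 outbound dst=203.0.113.7 port=443 bytes=480
2011-03-18T01:33:00 ws-17 outbound dst=203.0.113.7 port=443 bytes=530
2011-03-20T02:00:00 ws-17 auth_fail user=admin src=10.0.5.9
""".splitlines()

# Assumed evidence weights: one weak signal alone never reaches ALERT_SCORE,
# several different kinds on the same host within LONG_WINDOW do.
WEIGHTS = {"auth_fail": 1, "new_service": 2, "dns_query": 1, "outbound": 2}
ALERT_SCORE = 5
LONG_WINDOW = timedelta(days=30)


def parse_event(line):
    ts, host, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), host, kind, fields


def naive_daily_alerts(lines, kind="auth_fail", threshold=3, window=timedelta(days=1)):
    """Classic rule: N events of one kind on one host inside a short window.

    A patient attacker stays below N per day, so this rule never fires.
    """
    stamps = defaultdict(list)
    for ts, host, k, _ in map(parse_event, lines):
        if k == kind:
            stamps[host].append(ts)
    alerted = set()
    for host, times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                alerted.add(host)
                break
    return alerted


def low_and_slow_alerts(lines, weights=WEIGHTS, alert_score=ALERT_SCORE, window=LONG_WINDOW):
    """Score each host on the variety of weak signals seen within a long window.

    Returns {host: {"score": int, "evidence": {kind: count}}} for hosts whose
    best-scoring window reaches alert_score.
    """
    per_host = defaultdict(list)
    for ts, host, kind, _ in sorted(map(parse_event, lines), key=lambda e: e[0]):
        per_host[host].append((ts, kind))
    alerts = {}
    for host, events in per_host.items():
        best_score, best_counts = -1, Counter()
        for i, (start, _) in enumerate(events):
            # Consider every window that starts at an observed event.
            counts = Counter(k for ts, k in events[i:] if ts - start <= window)
            score = sum(weights.get(k, 0) for k in counts)
            if score > best_score:
                best_score, best_counts = score, counts
        if best_score >= alert_score:
            alerts[host] = {"score": best_score, "evidence": dict(best_counts)}
    return alerts


if __name__ == "__main__":
    print("daily rule alerts:", naive_daily_alerts(SAMPLE_LOG))
    for host, info in low_and_slow_alerts(SAMPLE_LOG).items():
        print(f"{host}: score={info['score']} evidence={info['evidence']}")
```

On the constructed log the daily rule returns nothing, while the windowed score singles out ws-17 with four distinct kinds of evidence and leaves ws-42, which only ever mistypes a password, alone. The point is the shape of the rule, not the particular weights: scoring variety of evidence over a long window is what makes a series of small events visible as one campaign.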
Raising security awareness
While banks will keep on evolving their security infrastructure,
they cannot mandate or control assets that are not owned by the
bank. Phishing attacks, for example, target innocent users by
impersonating leading banks. While banks cannot technically be held
responsible for actions taken by their users, banks such as HDFC
Bank have taken the lead in stopping fraudsters from sending out
malicious e-mails in the bank's name. HDFC Bank uses a service from
RSA that detects a suspicious e-mail campaign or Trojan originating
from a server, initiates steps to take that server down, and so
prevents it from propagating further messages.
To better educate its employees against phishing attacks, HDFC Bank
also tests them by sending mails crafted to look like phishing
e-mails. If an unsuspecting employee clicks through, the IT team
takes the user into confidence and points out the key differences
between a genuine e-mail and a malicious one.
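As an added example of the "key differences" such a follow-up would point out (this is not code from the article or from HDFC Bank), the checker below parses two constructed messages and reports the indicators a reader should learn to spot: a sender address whose domain is not the bank's even though the display name says it is, a link whose visible text disagrees with where it actually points, a link to an untrusted host, and pressure wording. The bank name, the trusted domain list, the wording list and both sample e-mails are assumptions made for the example.

```python
"""Flag the tell-tale differences between a genuine bank e-mail and a phish.

Added example, not code from the article or from HDFC Bank. The bank name,
trusted domains, wording list and both sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

BANK_NAME = "ExampleBank"                      # assumed brand being impersonated
TRUSTED_DOMAINS = {"examplebank.com"}          # assumed legitimate sending/link domains
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_HOST = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

# Constructed sample messages.
GENUINE = """\
From: ExampleBank Alerts <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is available in NetBanking.</p>
<a href="https://netbanking.examplebank.com/">netbanking.examplebank.com</a>
"""

PHISH = """\
From: ExampleBank Security <security@examplebank-verify.net>
To: customer@example.org
Subject: URGENT: account suspended - verify within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your account has been suspended. Verify immediately:</p>
<a href="http://203.0.113.5/login">https://netbanking.examplebank.com/</a>
"""


def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def host_of(text):
    """Host part of a URL, or of bare text that reads like a hostname."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: the address domain, not the display name, is what counts.
    name, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2].lower()
    if not is_trusted(sender_host):
        findings.append(f"sender domain '{sender_host}' is not a bank domain")
        if BANK_NAME.lower() in name.lower():
            findings.append(f"display name '{name}' claims the bank but the address is '{addr}'")

    # 2. Links: where they really go, and whether the visible text disagrees.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, inner in LINK_RE.findall(html):
        target = host_of(href)
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if not is_trusted(target):
            findings.append(f"link points to untrusted host '{target}'")
        if LOOKS_LIKE_HOST.match(shown) and host_of(shown) != target:
            findings.append(f"link text shows '{host_of(shown)}' but href goes to '{target}'")

    # 3. Pressure: genuine statements rarely demand action within hours.
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("phish", PHISH)):
        print(label, "->", phishing_indicators(raw) or ["no indicators"])
```

The genuine message produces no findings; the phish produces five. The link-text check is the one worth teaching most carefully, because a visible `https://netbanking.examplebank.com/` that actually resolves to a bare IP address is exactly the trick an awareness mail is designed to expose.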
“From our experience, we have found out that over time,
employees will start making a distinction between a real e-mail and
a phishing e-mail. As more employees become aware, our security
posture will improve considerably,” opines Salvi. To counter
APTs, organizations must take a broad view of security. Sophisticated
tools do help, but the human element remains the most vulnerable
point, and it is the component that APT campaigns exploit most
successfully.
For CISOs, APTs represent a massive challenge as well as a huge
opportunity. They can take advantage of the growing level of
interest in APTs, and raise their organization’s security to
a new level, by investing in relevant tools and driving a huge
change in attitude towards information security.