India Cyber Risk and Resilience Review 2018
UNDERSTANDING the THREATS & PLANNING YOUR DEFENCES
CII Whitepaper India Cyber Risk & Resilience Review 2018
Cyberspace is rapidly transforming our lives – how we live, interact,
govern and create value. With the JAM (Jan Dhan, Aadhaar and
Mobile) trinity, India is at the forefront of global digital
transformation. “Digital India” is being hailed as the world's largest
technology led programme of its kind.
While internet, smartphones and modern information and
communication devices have been great force multipliers, endless
connectivity and proliferation of IoT devices is giving rise to
vulnerabilities, risks and concerns. Cyber security is today ranked
among top threats by governments and corporates. Heightened
concerns about data security and privacy have resulted in a spate of
regulations in India and across the world. India is in the process of
discussing and enacting its own comprehensive data security and
privacy regulation, as well as vertical specific ones. Cyber security is
an ecosystem where laws, organisations, skills, cooperation and
technical implementation would need to be in harmony to be
effective.
Overall, a robust regulatory framework based on global and
country-specific regulations, development of a holistic cyber
security eco-system (academia and industry as well as
entrepreneurial) and a coordinated global approach through
proactive cyber diplomacy would help to secure cyber space and
promote confidence and trust of key stakeholders including
citizens, businesses, political and security leaders.
CII has been actively working in the cyber security space. The CII
Task Force on Public Private Partnership for Security of the Cyber
Space has been set up to bring about improvements in the legal
framework to strengthen and maintain a safe cyberspace eco-
system by capacity building through education and training
programmes. We would facilitate collaboration and cooperation
between Government and Industry in the area of cyber security in
general and protection of critical information infrastructure in
particular, covering cyber threats, vulnerabilities, breaches,
potential protective measures, and adoption of best practices.
The Conference on Securing Cyber Space in conjunction with the
Global Exhibition on Services would be a vibrant platform for
discussing these issues. I look forward to the deliberations at the
Conference.
Message from Confederation of Indian Industry
Chandrajit Banerjee
Director General
Confederation of Indian Industry
In today's rapidly evolving global digital world, the threat
landscape is increasingly becoming dynamic and complex. Since
the Target Data Breach in late 2013, various high profile
businesses and government organizations have been targeted
by adversaries causing irreparable financial as well as
reputational damages. One of the common threads that
emerges from these landmark data breaches is that the majority of
the threats remain constant, while the threat vectors keep
changing. As we build our cyber defences, adversaries
continually refine and develop new methods to attack while
evading detection as well. Public disclosures made by
companies like Sony Entertainment have brought to light the
extent of financial losses caused by such breaches and have
helped the issue of cyber security move from the IT department
to the corporate boardroom.
The current government's push towards Digital India has led to
rampant growth in digital initiatives including smart cities and
e-governance. With the proliferation of the internet,
adversaries are finding increased avenues to launch attacks
against lucrative targets. India's growing social media
population, unaware of the potential risks, has proved to be a
ready base for attackers for malware infections, stealing
Personally Identifiable Information (PII) and carrying out online
frauds. While defacement of Indian government websites has
been common, serious attacks like the one that breached the
information security of the Indian Navy have pushed the need for
advanced and sophisticated cyber defences.
Easy access to encrypted messaging applications and the dark
web has aided many terrorist organizations to effectively evade
the law enforcement agencies while they planned and executed
their attacks. In the wake of the current geo-political scenario,
issues of data sovereignty, data localization, encryption, and
data compatibility have been hot topics of discussions within
governments and law enforcement agencies.
India needs to rapidly step-up its cyber security efforts by
building sophisticated cyber intelligence and response
capabilities along with ensuring a steady supply of skilled cyber
security professionals to complement the investment in
technology and security infrastructure.
The India Cyber Security & Resilience Review 2018 is intended
to present research, insights and perspectives on the current
cyber security landscape while exploring potential defence
mechanisms against committed and sophisticated adversaries.
Foreword
Contents
• Macro View: Deciphering the Global Cyber Security Landscape
• Attack Vector Trends
• Internet of Things
• Advanced Persistent Threats and Hacktivism
• Smart Cities and Critical Infrastructure
• The Rise of State-Sponsored Attacks
• Social Media Analytics Cloud (SMAC), BYOD
• The Weakest Link: Humans
• Cyber Supply Chain Security
• Adoption of More Sophisticated Security Technologies
• Cyber Insurance
• Cyber Resilience Trends
• Recommendations
• Contributors
• References
Macro View: Global Cyber Security Landscape
An overview
The environment around us is increasingly getting “Smart &
Connected” with pervasive use of computing for almost all our
personal and business interactions. Technological Innovations
coupled with multi-fold increase in available bandwidth have
led to computing devices getting more capable and geographic
boundaries getting blurred. With massive amounts of data
being generated and shared, cyber criminals are always on the
lookout for ways and means to leverage any vulnerabilities in
our defenses.
HAZY CONFINES OF CYBER-ATTACK SURFACE
The dynamic nature of the digital environment and the fast
paced advancements in technology is constantly challenging
the definition of the “network perimeter”. Businesses are
increasingly becoming mobile with the adoption of cloud
computing enabling employees to access resources from
outside the corporate network even using personal devices. An
exponential rise in personal data in the recent past can be
attributed to smart devices getting affordable and propagation
of exciting “free services”.
“Smartphone connections to rise to 5.9 Billion by 2020 and
160.0 Exabytes of IP traffic to grow by 2019”. While these
advancements are aimed at increasing productivity and
enhancing user experience, the scattered network surface has
become a glaring concern for security professionals world-wide,
as adequately protecting multiple entry points often proves to
be a daunting task. With rapidly changing expectations of
consumers of technology as well as regulators, organizations
will have to invest to develop enhanced protection for their
internal as well as external communication channels.
[Figure: CYBER SECURITY RISK RADAR. Threats grouped by actor (Organised Crime, Insider, Nation State, Hacktivist, Competitor) on scales of LOW / MEDIUM / HIGH / VERY HIGH and VERY LIKELY / LIKELY / POSSIBLE / REMOTE. Threats shown: fake website, website compromise for crypto currency mining, intellectual property theft, targeted attacks on payment system, ransomware, distributed denial of service attacks, client data theft, social engineering, CEO fraud and business email compromise, accidental data loss, sabotage, data manipulation, malicious data disclosure, social media attack and hijacking, social media impersonation, website defacement, malware distribution to clients, trading strategy theft. Source: KPMG International]
RISE OF SOPHISTICATED ADVERSARIES
Infamous data breaches of the recent past, including the Yahoo
breach and the breach of Equifax, one of the largest credit bureaus in
the US, were a grave reminder of how adversaries are not
only becoming increasingly sophisticated but are also capable
of carrying out attacks while evading detection. The ability of
the attackers to infiltrate protected networks and remain
dormant before launching the actual attack has raised concerns
about the effectiveness of our intrusion detection mechanisms.
Many organizations assume that they could never become
victims of targeted attacks, that Advanced Persistent Threats
(APTs) are mostly used against governments, financial
institutions, and other critical infrastructure like energy and
utilities companies. However, according to reports, the same
techniques of targeted attacks are being used on a wide range
of industries and companies. Though these targeted attacks are
designed to escape the conventional detection methods,
intelligently designed incident response frameworks can
minimize the impact of an APT by fighting back. In the absence
of a strong security framework, the attackers disguise themselves as
legitimate traffic and establish connections to critical assets,
siphoning off valuable data with ease.
While the media has covered most sensational attacks like
Google, Adobe, RSA, Lockheed Martin, SONY, and PBS;
thousands of attacks have not been reported by government
agencies and corporations.
APTs focus on the weakest links of the defense chain, the target
is usually a specific vulnerability in the system and, more
importantly, specific people; people with the highest-level
access to the most valuable assets and resources.
AMALGAMATION OF ATTACK VECTORS
Both security professionals and attackers use a combination of
attack vectors to penetrate networks. While weak passwords
remain the most frequently exploited vulnerability; system
misconfigurations and unsupported legacy systems are the
areas frequently targeted by the attackers. Attackers use
techniques like social engineering through Malvertising and
Spear-Phishing to gain initial access to a protected network and
subsequently use a combination of attack vectors to gain high
level access and compromise the network.
AVERSION TO DISCLOSURE
The biggest fear of disclosing data breaches is the economic
impact caused by dip in investor confidence, regulator penalties
and litigation. Several studies have shown that companies that
have been victims of a data breach have suffered a significant
drop in their stock value, taking them as long as two quarters to
recover from the damage.
Inadequate data on security breaches makes it difficult for
analysts to accurately estimate the costs and impacts of
cybercrime. This hampers the ability of organizations to
effectively engage in risk management and help their customers
understand the measures taken to safeguard their data.
COST OF ENDPOINT ATTACKS
System downtime: $1,252,650 (25%)
Theft of information assets: $1,152,438 (23%)
IT and end user productivity loss: $1,503,180 (30%)
Damage to infrastructure: $501,060 (10%)
Reputation damage: $400,848 (8%)
Lawsuits, fines and regulatory actions: $200,424 (4%)
Source: The Ponemon Institute
Attack Vector Trends
Innovative means of targeting the future cyber space
CYBERSPACE AND INDIA
India is one of the key players in the digital and knowledge-
based economy, holding more than a 50% share of the world's
outsourcing market. Pioneering and technology-inspired
programmes such as Aadhaar, MyGov, Government e-Market,
DigiLocker, Bharat Net, Startup India, Skill India and Smart Cities
are propelling India towards technological competence and
transformation. India is already the third largest hub for
technology-driven startups in the world, and its Information
and Communications Technology sector is estimated to reach
the $225 billion landmark by 2020. However, these
achievements come with a problem: innovation in technology,
enhanced connectivity, and increasing integration in commerce
and governance also make India the fifth most vulnerable
country in the world in terms of cybersecurity breaches,
according to the Internal Security Threat Report of 2017 by
Symantec.
Cyberspace is going to grow exponentially. This growth will
frame a landscape having billions of agile people using wide
variety of devices, all of them connected in a way and sharing
data enormously. This will orient the businesses in India and
abroad towards being more cyber dependent, presenting
global opportunities with significant cyber security risks.
EMERGING THREAT LANDSCAPE
An analysis from anti-virus software firm Bitdefender found
ransomware payments hit $2 billion in 2017, twice as much as in
2016. Meanwhile, Trend Micro predicts global losses from
another growing trend, compromised business email scams,
will exceed $9 billion in 2018. The cyberattacks in the last year
have highlighted the alarming vulnerability of our personal
information. More tools used by government hackers have
become public, and it's easier than ever to create sophisticated
ways to spread malware or ransomware or steal data from
companies. Companies also frequently fail to patch security
flaws in a timely manner. Attack vectors like viruses, worms,
spyware, malware, etc have proved to be the utilities for data
theft, cyber espionage and modern artillery of cyber-attack,
cyber crime, cyber warfare. These vectors have not only
advanced with technology but multiplied and adapted to be the
weapon of choice for cyber destruction.
There were major hacks in the last year in organisations such as
the CIA, Deloitte, Cellebrite, the entire City of Dallas, Virgin
America, Verifone and dozens of universities and US Federal
Agencies, including Oxford, Cambridge and NYU.
MALVERTISING ATTACKS
Late in 2017, news broke of multiple malicious hacker groups
using rigged online ads to push malware that hijacked the user's
computer resources to generate cryptocurrencies. There was a
major shift in the malicious advertising (malvertising) landscape
as cyber criminals looked for new ways to trap online ads to
plant viruses, trojans, spyware and other unwanted software
into computer systems. There were also malicious hackers
targeting old WordPress software security flaw to infect more
than 1,000 websites with malware capable of injecting code to
serve malicious ads. A compromised advertising is believed to
be responsible for the malicious ads campaign, which aimed to
infect users' computers and phones with malware in this attack.
Mobile device users, social networking and retail ecommerce
business in India are expected to grow massively. Along with it,
online advertisement business will expand as they are
interlinked. Increased surface and massive user base will make
India a lucrative base for malvertising attack in coming lustrum.
RANSOMWARE SURGE
As many as 67% of Indian businesses were hit by ransomware
and 91% of them have claimed to be running an up-to-date
endpoint protection when the attack occurred. India also has
the highest level of infection among the 10 countries, followed
by Mexico, US, and Canada, while the global average of attacked
companies is 54%. Ransomware will dominate the
cybersecurity landscape in 2018, with businesses large and
small paying millions of dollars to unlock encrypted files.
[Figure: CYBER ATTACKS IN 2017. Timeline from January to November showing Cerber, Jaff, Spora, WannaCry, Crysis, Petya / NotPetya / Nyetya / GoldenEye, the Ethereum hack, the Equifax data breach, the Locky Diablo6 ransomware attack, the Dragonfly 2.0 attack, KRACK Wi-Fi, Bad Rabbit and the IcedID trojan attack. Source: Accelerite]
The level of sophistication in distribution methods and attack
vectors has expanded as well. There is a new compliance
mandate which adds to the cost of ransomware attacks,
regardless of whether data is recoverable or whether the victim
pays the ransom. 15% or more businesses in top 10 industry
sectors have been impacted by ransomware. One in four
businesses hit with ransomware have more than 1000
employees. Nearly half of ransomware attacks infect at least 20
employees.
The statistics do suggest, however, that attackers are gradually
shifting away from high volume “spray and pray” email
campaigns to more tightly targeted and cleverly customized
attacks aimed at larger companies with deeper pockets.
Increasingly, the ransomware model is to land and expand. As
per reports, one in five businesses that paid ransom never got
their files back.
For example, hackers may choose to target critical systems such
as power grids. Should the victim fail to pay the ransom
within a short period of time, the attackers may choose to shut
down the grid.
CRYPTOCURRENCY
This is also aiding the growth of ransomware as ransom
payment becomes easier. Bitcoin extortion is the latest form of
cyber extortion carried out using a combination of malware,
spear-phishing and ransomware. Its era started in India with
attacks on three banks and a pharmaceutical company
executing a crypto ransomware in January 2016.
2017 saw the proliferation of cryptomining malware, or
malicious software which surreptitiously mines for Monero and
other cryptocurrencies. Minerva Labs found that attackers have
turned to these tools to attract comparatively less attention
from law enforcement and anti-fraud professionals, while
enjoying a high level of anonymity and ease of cashing out illicit
gains. Indeed, these factors led attackers to victimize 1.65
million users in the first nine months of 2017 with malware that
consumed their machines' CPU, drove up power consumption
(and possibly cloud service payments), and in some cases
accompanied other digital threats.
SOME NOTABLE EXAMPLES STAND OUT:
• PhotoMiner spreads laterally on networks while collecting credentials for servers, trojanizing files stored on it, infecting users, collecting new information about pivoting servers.
• SnatchLoader is a typical downloader that added a cryptomining module in 2017. It's likely this malware will be the first of many to do so.
• CoinHive earned sixth place on Check Point's 10 top malware for October 2017.
TRENDING: RANSOMWARE AS A SERVICE
Ransomware is available as a service, costing a percentage of
profit and an upfront fee. This would enable even the least tech
savvy cybercriminal to perform ransomware attacks without
hassle, thus increasing the likelihood and probability of these
attacks in coming years.
WANNACRY
It was a devastating ransomware attack which affected several
hundred thousand machines and crippled banks, law
enforcement agencies and other infrastructure. It was the first
strain of ransomware to use EternalBlue, exploiting a
vulnerability in Microsoft's Server Message Block (SMB)
protocol. A May 2017 worldwide WannaCry ransomware attack
was estimated to have affected more than 200,000 computers
across 150 countries, with total damages ranging from
hundreds of millions to billions of dollars.
NOTPETYA
It started as a fake Ukrainian tax software update, and infected
hundreds of computers in over 100 countries in a few days. It is a
variant of Petya, but uses the same exploit behind WannaCry. It
hit a number of firms in the US and caused major financial
damage. For example, the attack cost pharmaceutical giant
Merck more than USD 300 million in Q3 of 2017 alone, and a
similar amount in Q4. In 2018 extortion is expected to rise as
attackers look for new, innovative, machine enabled ways to
increase the return on their efforts.
HEADLESS WORM
IoT is likely to experience the emergence of new genes of worms
and viruses having ability to propagate from device to device.
Headless worms are an anticipated type of malware attack that
targets “headless devices”, or gadgets that run on their own
without having to be directed by a user. A headless worm could
allow attackers to grow a botnet more efficiently, enabling them
to launch even larger attacks.
GHOSTWARE AND BLASTWARE
Ghostware conceals its tracks by erasing all traces of its activity
once a system is breached. This type of malware makes it
especially difficult to figure out what has been compromised
during a breach. It also makes it hard for network security
specialists to fix the weaknesses that lead to the successful
attack, since this type of malware doesn't leave a trail that
indicates its point of entry.
Along with Ghostwares, cybercriminals may deploy Blastwares
for performing severe damage to critical infrastructure and
organization networks. After installation, it continues to
perform its intended activity until it suspects it has been detected or
reverse engineered. Upon suspicion of detection, it will self-
destruct and crash the whole system permanently. Blastware
are expected to be used in case of state-sponsored cybercrime
or Hacktivism.
Currently, India is one of the top countries having devices
infected by malwares. These emerging malware families are
going to add up to the problems in creation of a secure Indian
Cyberspace for businesses.
EQUIFAX
Cybercriminals penetrated Equifax (EFX), one of the largest
credit bureaus, and stole the personal data of 145 million
people. It was considered among the worst breaches of all time
because of the amount of sensitive information exposed,
including Social Security numbers.
BAD RABBIT
Another major ransomware campaign, called Bad Rabbit,
infiltrated computers by posing as an Adobe Flash installer on
news and media websites that hackers had compromised. Once
the ransomware infected a machine, it scanned the network for
shared folders with common names and attempted to steal user
credentials to get on other computers. The ransomware, which
hit in October 2017, mostly affected Russia, but experts saw
infections in Ukraine, Turkey and Germany.
MORE SANDBOX-EVADING MALWARE
Sandboxing technology has become an increasingly popular
method for detecting and preventing malware infections.
However, cyber-criminals are finding more ways to evade this
technology. For example, new strains of malware are able to
recognise when they are inside a sandbox, and wait until they
are outside the sandbox before executing the malicious code.
PHISHING AND SPEAR PHISHING
On 22 March 2016, Pivotal fell prey to a Phishing attack. A
phishing email was sent to Pivotal employees, ostensibly by the
Pivotal CEO, requesting payroll information. Assuming it was a
legitimate mail, an employee sent W-2 tax information of all
employees to an unknown party. No customer information was
compromised as part of this incident. After attack confirmation,
Pivotal sent a memo to its staff containing information of the
incident.
As many as 534 phishing incidents were reported last year, of
which 342 involved phishing websites hosted outside India,
according to Indian Computer Emergency Response Team
(CERT-In). The statistics of phishing attacks clearly indicate that
all business and government agencies in India are likely to suffer
more sophisticated and advanced phishing attacks in coming
years.
TWO-FACED MALWARE
Two-faced malware gets its name from how it presents one safe
“face” to your anti-virus, but retains its malicious “face” once it
is dubbed safe. This type of malware attack works by
recognizing when the computer's anti-virus isolates the
malware into a sandbox.
A sandbox is a designated “safe zone” used to test/check
questionable programs before they are given access to a
computer's drive and/or network. Two-faced malware senses
when it has been placed in a sandbox and escapes detection by
ceasing all malicious activity while isolated. In doing this, the
malware tricks the anti-virus into flagging said program as safe,
and it is released back onto the computer.
ARTIFICIAL INTELLIGENCE (AI) POWERED ATTACKS
According to security experts, 2018 will not only be a bad year
for data breaches, but the year of AI-powered cyberattacks,
which makes prevention more difficult. In such attacks,
machine learning is used to study patterns of normal user
behavior within a company's network.
It could help human cybercriminals customize attacks. AI
systems can help gather, organize and process large databases
to connect identifying information, making this type of attack
easier and faster to carry out. Furthermore, AI systems could
even be used to pull information together from multiple
sources to identify people who would be particularly vulnerable
to attack.
According to reports, artificial intelligence will make existing
cyber-attack efforts like identity theft, denial-of-service attacks,
and password cracking more powerful and more efficient. It can
steal money, cause emotional harm and even injure or kill
people. Larger attacks can cut power to hundreds of thousands
of people, shut down hospitals and even affect national
security.
LAND AND EXPAND ATTACKS
In case of land and expand attacks, the attackers gain access to
the system and expand their access throughout the network.
Sophisticated cyber attackers follow a systematic approach
involving careful reconnaissance, scanning, access, and
escalation.
In most cases, hackers gain privileged access using stolen
credentials. The intruders once in, extract credentials that will
give them lateral motion throughout the network. To
accomplish this, attackers look for SSH keys, passwords,
certificates, Kerberos tickets and hashes of domain
administrators. Often, hackers will quietly monitor and record
activity on compromised systems. Then, they can use this
information to expand their control of the network.
UPCOMING THREATS IN 2020
Security firms are coming up with intelligent techniques for
threat detection along with application of big-data analytics for
threat prediction. To bypass astute systems, attackers will be
coming up with innovative attacks that will not only penetrate
the most secure and impregnable system but will also remain
undetected for quite a long period of time.
Last year, nearly 100 cyber security deals were happening every
quarter with average top line multiple of 9.4x and bottom line
multiple of 54.3x. This is much higher than the corresponding
number and valuation in IT field. Cyber Security market
continues to register double-digit growth, projected to become
a $232 billion global market by 2022 with an impressive
compounded annual growth rate of 11%.
In future, we may see furtive attacks for data theft on a system
covered under a direct DoS, malware or botnet attack. The
direct attacks would act as a distraction allowing the attackers
to perform their intended actions.
Internet of Things
Increasing connected devices; increasing attacker incentives
When security researchers ran experiments on devices used on
a daily basis like coffee machines, video streaming USB dongles,
baby monitors and home security systems, it was found that all
of the devices tested could be hacked in some way. It is worrying
to know that a baby monitor enables a hacker to access the
camera connected to the same network and watch video feed
from it. Further, other products from the same vendor were
susceptible to giving away the user's credentials to the hackers.
Broadcasting of unencrypted information has proven to be the
Achilles' heel of the devices succumbing to an attack. Other
findings state that use of magnets by attackers can render home
security systems ineffective in stopping them from opening or
closing a window which was meant to be protected.
[Figure: TOP USES OF IOT. Categories shown: smart / automated building implementation, video surveillance, physical building security, ease-of-use for customers and employees, data collection for better business decisions. Values shown: 50%, 45%, 40%, 40%, 48%. Source: US Department of Energy]
SIGNIFICANCE OF IoT
IoT is based on the simple requirement of devices
communicating with each other without human interference.
While the inter-connection in most cases is immensely
beneficial, the problem is that it makes the consumer highly
susceptible to cyber-attacks. A study revealed that 70 % of IoT
devices have serious security vulnerabilities, such as insecure
web interfaces and data transfers, insufficient authentication
methods, and a lack of consumer knowledge which leaves users
open to attacks.
So, it is not only the critical infrastructure, most of which is being
considerably hardened, but also the periphery which is
becoming the preferred point of entry. The challenge is to
understand the interconnectedness of devices which is a
convenience and a risk. In this regard, access to one provides
access to all.
That's a risk that security professionals need to be prepared to
face by integrating password requirements, user verification,
time-out sessions, two-factor authentication and other
sophisticated security protocols. IoT is at a nascent stage at the
moment but has shown a lot of potential to be a game changer.
The real value generated from IoT is from the analytics run on
the user data collected by the devices. Trends and patterns can
be found that businesses can leverage. IoT is set to change the
way people live and make cities smarter. The future is a move
from independently used devices and sensors to cross vendor
devices communicating to give a truly synergized service. With
wearables and healthcare devices leveraging the internet of
things, the future looks towards a highly connected and
efficient way of life.
Businesses are finding new ways to use IoT in their products and
services to create value for their customers. IoT is expected to
derive a range of benefits like improvements to products,
supply chain insight, extended product lifecycle and a smarter
way of life. The European Union has planned a system called
'eCall' which will cut down 50 to 60% of the response time for
emergency services, to be installed onto every vehicle.
With the number of 'Things' which will be connected set to go
up by 30% in 2018 as per Gartner, the up side of having devices
connected to each other will also increase the possibilities for
attackers to exploit vulnerabilities to gain unauthorized access.
RISKS TO IoT
Risks to organizations and governments have risen with the
emergence of the widespread IoT. Security experts classify
these risks into three categories, viz. Business Risk, Operational
Risk and Technical Risk.
Business risks encompass user privacy risk, brand image risk,
compliance risk, financial risk, and Health & Safety risk. These
risks affect businesses directly. Operational risks include various
aspects like risk of degraded performance, access control and
shadow usage risks.
Technical risk is directly linked to the devices/ sensors that
comprise the IoT. Most of the time with the aim of shorter 'Time
to Market', not giving security a priority during the
development phase of products is normal. This results in a huge
number of vulnerable devices being rolled out to the
consumers. Multiple security breaches have resulted due to
improper management of sensitive information and user
privacy related to automation and digitization of devices.
Security researchers say that 21% of DDoS (Distributed Denial of
Service) attacks use devices from IoT instead of the
conventional Botnet of computers and laptops. Such statistics
highlight how difficult it is to keep devices secure as compared
with conventional computers. Vulnerabilities that require
hardware upgrade to be fixed are the biggest challenge faced by
device manufacturers.
MITIGATION
Governments and businesses must focus on securing the IoT
environment by undertaking the following measures:
• Perform Risk Assessment
• Business Impact Analysis to understand the extent of the damage that can be caused
• Set up cyber response and incident management teams
• Incorporate stringent security measures in the SDLC (Software Development Life-Cycle) and during manufacturing of devices
• Check complete paths for data flow between devices for loopholes leading to potential data exfiltration
• Implement adaptive policies and procedures, and governance initiatives
• Encrypt all data irrespective of whether in transit or stored
• Gather cyber security intelligence to anticipate new attacks
• Maintain a patch management system
• Educate and make people aware as they are the weakest link in any secure environment
2017 IOT MALWARE ACTIVITY MORE THAN DOUBLED 2016 NUMBERS
IOT DEVICES AT RISK: MALICIOUS PROGRAMS TARGET “THE INTERNET OF THINGS”
2008 HYDRA: Emergence of malicious programs for the MIPS platform
2009 PSYBOT: The first in-the-wild malware programme targeting IoT devices
2010 TSUNAMI: A cross platform IRC backdoor with DDoS capabilities
2014 GAFGYT: An IRC backdoor capable of scanning IP ranges to find vulnerable devices
2015 TROJAN.LINUX.PNSCAN: A Trojan infecting vulnerable devices with the Tsunami backdoor
2016 MIRAI and its clones Hajime, Remaiten and Moose
2017 BRICKERBOT: A bot infecting IoT devices and rendering them inoperable
The number of new malware samples in the wild this year targeting connected internet of things (IoT) devices has already more than doubled last year's
total.
Currently, over 6 Billion 'smart' devices exist globally. It was when the Mirai Botnet emerged in 2016 that the whole world learned how dangerous such
devices may become in the hands of cyber criminals. However, the history of Malware attacking IoT devices began much earlier.
Advanced Persistent Threats and Hacktivism
Cyber-crime organizations and a new wave of activism
Advanced Persistent Threats (APTs) lead to broadly four types of
losses to victim organizations: technical costs, productivity loss
cost, revenue costs, reputation loss costs. An Adelaide-based
communications, metal detection and mining technology firm's
experience provides an insight on the long term impacts of
hacking on companies. Executives at the said company were
unable to decipher the reason for a dip in sales and prices of
their metal detectors till the service centers reported receiving
faulty metal detectors with unrecognizable and inferior parts.
With the Australian government not offering support, the
company had to hire a private investigation firm in China for
raiding counterfeit factories. Security researchers found that
the attackers had managed to hack into an employee's laptop
when he used a hotel's Wi-Fi during a business trip in China. The
company's metal detector blueprints were exfiltrated to a
Chinese manufacturing chain selling counterfeit detectors in
Africa.
APTs have made their presence felt with incidents involving
Sony, Lockheed Martin, RSA, Google, Iran's nuclear facility and
the likes. APTs are advanced in the sense that they have the
expertise and intelligence gathering techniques to target
organizations and governments. They 'Persist' in the victim
systems to extract as much intellectual property as possible.
Financial theft is not usually the only objective. APTs operate
below the radar and are difficult to detect. APTs, which are
backed by criminal organizations or states, operate in the following
phases: Social Engineering, Infiltration, Maintain Access, Data
Exfiltration, and Cover Tracks.
[Figure: Advanced Persistent Threat (APT) lifecycle. Source: Varonis]
Hacktivism and Cyber Espionage incidents have shed light on
the extent of sophistication that attackers have.
HACKTIVISM
The term 'Hacktivism' was coined by juxtaposing 'Hack' and
'Activism' by a group of hackers that use the internet for
activism instead of the conventional banner wielding methods.
Hacktivism has stemmed from the belief that all information on
the internet should be free and accessible to all. It gained media
attention during the WikiLeaks era by being at odds with
organizations and governments over state sponsored
censorship of the internet. The most common form of
hacktivism is the DDoS (Distributed Denial of Service) attack,
which bombards servers with millions of requests,
making the servers go down. Such motives are a topic of debate
with some calling them criminal and others deeming them
noble.
RISKS
APTs and Hacktivists pose an evolving threat to organizations
and government agencies. Increased sophistication of Social
Engineering and Spear Phishing coupled with insufficient
Information Security procedures and practices elevate the risks
for organizations globally. Security experts are predicting that
the future will see 'persistency' of APTs vanish to enable better
stealth. In its place, 'Access-as-a-Service' of already breached
systems for the highest bidder will gain prevalence. The threats
are here to stay and become more intelligent. Researchers have
presented analysis which points at the fact that unemployment
will only add to the growth of professional Hacktivist groups like
'Anonymous'. With the Indian population that is connected to
the internet increasing at an exponential rate, hacktivism will
gain ground in India. The young will realize the potential of
promoting their message on cyberspace.
MITIGATION
Acknowledging the widespread presence of APTs and
Hacktivism, along with the risks that they pose, is the first step to
build resilience. The following steps must be taken to
mitigate risks and to build resilience. Defense-in-Depth, or
multi-layered security controls, is the need of the hour to
protect against sophisticated attacks.
LARGE ORGANIZATIONS AND GOVERNMENTS
• A proper policy and governance framework must be
formulated
• Real-time email and content analysis, intrusion detection
and prevention systems to gather intelligence and stop
attacks faster
• Pro-active patch management to fix vulnerabilities before
hackers get to them
• To reduce the impact of social engineering attacks, adhere to
the 'Least privilege policy'
• Security Information and Event Management (SIEM) systems
should be in place
• Understand that risks cannot be completely mitigated and
that recovery plans must also be in place and tested on a
regular basis
• Appropriate data disposal policy
• Media monitoring for hostile comments/views about your
organization
MEDIUM-SIZED ORGANIZATIONS
• Protect information like Intellectual Property when in transit
• Prefer multi-factor authentication to systems
• Fraud risk management assessment and proper monitoring
of logins from various geographically separated locations
• Employ security professionals in your organization
• Encrypt certain sensitive data in transit and when stored
• Invest in cyber intelligence gathering so that proactive
measures can be taken
SMALL ORGANIZATIONS
• Minimize the number of Internet connections and
implement filtering of websites
• Employ “whitelisting” to prevent programs from gaining
unauthorized access to the network and other resources
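One way to implement the monitoring of logins from geographically separated locations recommended for medium-sized organizations above, shown as an added example that is not part of the CII whitepaper. The log format, the sample events and the two thresholds are constructed assumptions; the check flags consecutive logins by one user that would require travelling faster than an airliner.

```python
import math
from datetime import datetime

# Constructed sample authentication events (not real data). Assumed format:
# UTC timestamp, user, latitude and longitude of the geolocated source IP.
SAMPLE_LOG = """\
2018-05-02T08:00:00Z asha 19.0760 72.8777
2018-05-02T09:30:00Z asha 18.5204 73.8567
2018-05-02T10:15:00Z asha 51.5074 -0.1278
2018-05-02T08:05:00Z ravi 28.6139 77.2090
2018-05-03T09:00:00Z ravi 12.9716 77.5946
2018-05-02T11:00:00Z broken-line
"""

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumed floor: ignore IP-geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(text):
    """Return (events, rejected_lines); malformed lines are kept for review."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, user, lat, lon = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            lat, lon = float(lat), float(lon)
            if not (-90 <= lat <= 90 and -180 <= lon <= 180):
                raise ValueError("coordinates out of range")
        except ValueError:
            rejected.append(line)
            continue
        events.append((when, user, lat, lon))
    return events, rejected


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Compare each login with the same user's previous login, in time order."""
    alerts = []
    last_seen = {}
    for when, user, lat, lon in sorted(events, key=lambda e: e[0]):
        prev = last_seen.get(user)
        last_seen[user] = (when, lat, lon)
        if prev is None:
            continue
        prev_when, prev_lat, prev_lon = prev
        distance = haversine_km(prev_lat, prev_lon, lat, lon)
        if distance < min_distance_km:
            continue
        hours = (when - prev_when).total_seconds() / 3600.0
        # Simultaneous logins from distant places are the strongest signal.
        speed = float("inf") if hours == 0 else distance / hours
        if speed > max_speed_kmh:
            alerts.append({
                "user": user,
                "from": (prev_lat, prev_lon),
                "to": (lat, lon),
                "distance_km": round(distance, 1),
                "hours": round(hours, 2),
                "speed_kmh": speed,
            })
    return alerts


if __name__ == "__main__":
    parsed, bad = parse_events(SAMPLE_LOG)
    for alert in find_impossible_travel(parsed):
        print("ALERT", alert)
    print("unparsed lines:", bad)
```

Such alerts are a lead for review rather than proof of compromise: VPN exits and mobile carrier gateways routinely produce the same pattern.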
Smart Cities and Critical Infrastructure
Emerging risks to smart cities and critical infrastructure in India
SMART CITIES INDIA
Following Moore's Law, computing and mobile devices are
advancing technologically and are becoming smarter
periodically. This phenomenon has led to the development of
Smart Cities and eventually a Smarter Nation. India has a
mission of developing 98 smart cities. The Roadmap is already
in place and development activities are in full swing to achieve
this mission.
Industrial corridors created by smart cities between
metropolitan cities will foster rapid business development
leading to economic growth. Smart cities development will
improve quality of living by local area development and
nurturing technologies that lead to smarter outcomes. The
critical infrastructures of smart cities, along with SMAC (Social
media, Mobility, Analytics, Cloud), lay the foundation for
essential and support services of these cities. Application of
smart solutions will enable cities to use technology, information
and data to improve infrastructure and services.
Smart cities have well networked and seamlessly interacting
systems. Compromise of one system will leave the complete
network vulnerable to failures; making it easy for attackers to
gain control and sabotage the cyber ecosystem of cities. With
IoT, the cyber landscape of Smart Cities broadens, comprising
critical infrastructure, smart phones, headless devices, etc. The
increasing attack surface makes it susceptible to invasion by
viruses, malicious worms, malware and other threat vectors.
With the increase in cyber-attacks and attack vectors, making
smart cities cyber resilient will be a big challenge for nations.
THE CORE INFRASTRUCTURE ELEMENTS IN A SMART CITY WOULD INCLUDE:
• Adequate Water Supply
• Assured Electricity Supply
• Sanitation, including Solid Waste Management
• Efficient Urban Mobility and Public Transport
• Affordable Housing, especially for the Poor
• Robust IT Connectivity and Digitalization
• Health and Education
• Sustainable Environment
• Good Governance, especially E-governance and Citizen Participation
• Safety and Security of Citizens, particularly Women, Children and the Elderly
Source: Ministry of Housing and Urban Affairs, Government of India
CYBER-ATTACK ON CRITICAL INFRASTRUCTURE
In December 2015, Ukraine experienced a cyber-attack that
disabled its power stations, causing a blackout for several hours
in the Ivano-Frankivsk region. 225,000 homes were affected in this
attack. Attackers used malware to take down three power
substations on the Ukrainian national grid. This attack was
coupled with a DoS attack on phone systems, inhibiting the ability
of users to report the blackout. The attack has highlighted the
severity of damage caused by targeting critical infrastructure,
marking it as the next potential target.
Critical infrastructure like power grids, oil and gas, water, etc.
are interconnected and controlled using ICT technologies these
days. Cyber secure critical infrastructures act as enablers for
growth and development of business and economy of a nation.
Modern societies are highly dependent on critical
infrastructure that provides essential and supporting services.
Attack on critical infrastructures will not only lead to system
failures but will also have a cascading effect leading to damage
or loss in terms of resources, money or human life. Data theft is
not the motive of cyber-attacks on critical infrastructure, so
they are usually state sponsored. But as the count of data
thieves is quite high, we may see attacks leading to the sale of
credentials of critical infrastructure, and cyber extortion.
PROTECTING CRITICAL INFRASTRUCTURE AND SMART CITIES
• Increasing cyber security awareness amongst Indian citizens
and stakeholders of critical infrastructure by imparting
training sessions, conducting awareness drives and
campaigns.
• Implementing ISO 22301 for minimising the impact of
cyber-attacks on critical infrastructure on businesses.
• Adapting and implementing international frameworks for
improving critical infrastructure cyber security.
• Developing laws and policy for protection of cyber and
critical infrastructure of smart cities.
• Coming up with internationally accepted security standards
that will be integrated into existing and emerging devices
during manufacturing. This integration will introduce the
security aspect into devices, making them more cyber
resilient.
• Perform appropriate testing of devices and vulnerability
assessment and penetration testing of ICT technologies used
in building smart cities and critical infrastructure.
• Development of dedicated government agencies taking
responsibility of enforcing cyber laws and cyber security in
smart cities and critical infrastructure implementation.
• IoT will increase source of data and amount of data flowing
across smart cities. Big-data analytics can be applied for
generating threat intelligence for risk mitigation and attack
prediction.
The Rise of State-Sponsored Attacks
Malicious attacks on infrastructure networks
Often countries, in spite of being aware of or capable of stopping
cyber-attacks, turn a Nelson's eye since the attacks meet their political
objectives. These attacks are often politically motivated,
targeted, sophisticated, well-funded and could be incredibly
disruptive. Such attacks are used to acquire intelligence,
obstruct the objectives of a political entity or even target
electronic voting systems and manipulate public opinion. For
example, during 2016, much of the news was dominated by
reports of Russian agencies using cyber-attacks to extract
information that could be used to influence the US presidential
election.
Last year, in June, it was reported by the Washington Post that
Russian government hackers penetrated the computer network
of the Democratic National Committee and gained access to the
entire database of opposition research on presidential
candidate Donald Trump. In December it was reported that
Russian hackers tried to penetrate the computer networks of
the Republican National Committee, using the same techniques
that allowed them to infiltrate its Democratic counterpart.
There are also isolated attacks on different nation states by the
major players such as Russia, UK, North Korea, US.
MITIGATION
• Governments must ensure that their internal networks are
isolated from the internet, and that extensive security checks
are carried out on the staff; as given the level of
sophistication, expertise and finance behind these attacks,
they are difficult to protect against.
• The staff of an organisation needs to be sufficiently trained to
spot potential attacks.
• Governments should avoid purchasing technology from
untrusted sources.
CYBERTERRORISM
Cyberterrorism is the use of the Internet to conduct violent acts
that result in, or threaten, loss of life or significant bodily harm,
to achieve political gains through intimidation. It is also
sometimes considered an act of Internet terrorism where
terrorist activities, including acts of deliberate, large-scale
disruption of computer networks, especially of personal
computers attached to the Internet by means of tools such as
computer viruses, computer worms, phishing, and other
malicious software and hardware methods and programming
scripts.
Cyberterrorism can cause massive damage to government
systems, hospital records, and national security programs,
which might leave a country, community or organization in
turmoil and in fear of further attacks. For terrorists, cyber-based
attacks have distinct advantages over physical attacks. They can
be conducted remotely, anonymously, and relatively cheaply,
and they do not require significant investment in weapons,
explosives and personnel. The effects can be widespread and
profound. Incidents of cyberterrorism are likely to increase.
They will be conducted through denial of service attacks,
malware, and other methods that are difficult to envision today.
GENESIS AND MANIFESTATION OF CYBER TERRORISM
• Target: Critical National Information Infrastructure computer system; Critical Infrastructure; Civilian Population
• Motivation: Political; Ideological; Social
• Tools of attack: Network Warfare; Psychological operation
• Domain: Cyber space
• Method of action: Unlawful means
• Impact: Mass disruption or seriously interfere critical services operation; Cause fear, death or bodily injury; Severe economic loss
[Figure: The distribution of cyber-attacks across cultural, social, economic and political motivations. Incidents from 1995 to 2009 are grouped as politically motivated, socio-cultural motivation and economically motivated.]
Social, Mobile, Analytics, Cloud (SMAC) & BYOD
Surfacing trends, unfolding greater risks
SMAC
SMAC or Social, Mobile, Analytics and Cloud Computing is a
platform that organizations are leveraging to drive innovation
and gain competitive advantage. The combined power of all
elements in SMAC enables businesses to gain customer insight
among other things. Retailers, for example, today get alerted by
a tweet from a disgruntled customer. The current government is
adopting SMAC platforms to aid in faster decision making and
connecting with the people to hear them out as well as making
e-Governance initiatives more efficient.
The tremendous surge in the data created and handled by Social
Media, consumer behavior shifting to mobility, harnessing data
using analytics and getting real time information that can be
leveraged through cloud has brought with it a plethora of cyber
security risks. The bright side of dealing with these risks is that
the technologies being used in SMAC are not new but only
working together in sync.
BYOD
BYOD (Bring Your Own Device) has been gaining popularity
because of its benefits like lower costs to the organization,
greater employee flexibility, and familiarity of technology. The
employees are happy as they get to work on a familiar device.
Organizations not only save on the CAPEX but also OPEX as
managing devices does not concern them. But at the same time,
with insider threats growing in large numbers, Identity and
Access Management (IAM) needs to be in place.
Cyber risks arise with all the data associated with SMAC and
BYOD. Social Media helps in coordinating violent protests and
also enables radical groups to bring terror globally. The Mumbai
terror attacks of 2008 first highlighted the use of social media by
terrorists for coordinating attacks. India is the second most
targeted country for cyber-crimes via Social Media. In recent
times, the nationwide shutdowns in April 2018 were
extensively planned using social media. Rumour mongering has
become a serious threat due to circulation of disruptive content
on social media.
RISKS
Major risks revolving around BYOD are inadequately secured
mobile devices, risks due to applications installed on the
devices, and the environment risks along with the lack of
awareness and carelessness. Considering the pace at which
start-ups are mushrooming in India, there will be an increased
use of BYOD initiatives. The analytics boom coupled with cloud,
mobility and significant social media penetration will also
ensure increased usage of SMAC platforms. Entry has become
simpler with endless devices, particularly smartphones and
wearable technologies, and less than aware consumers. It is
imperative that the security aspect is taken care of before
implementing BYOD and SMAC.
MITIGATION
SMAC:
• It is a good practice to define policies and procedures
regarding the use of customer data and that too after formal
consent
• A comprehensive security strategy that considers all four
aspects of SMAC as a whole instead of dealing with individual
aspects should be prepared and aligned with business
security and resilience plan
• Identity and Access Management along with strict access
control should be a key component of the security strategy
for SMAC
• Identifying various users, devices, applications comprising
SMAC for risk management along with taking care of
regulatory compliance will go a long way in mitigating risks
associated with SMAC platforms
• Public clouds have been under scrutiny because of doubts
over their security; it is recommended that hybrid cloud be
used, and sensitive data be preferably stored on private
cloud to get the best of both worlds of cost and security
CYBER SECURITY RISKS ASSOCIATED WITH BYOD
• Data leakage / loss: 72%
• Unauthorised access to company data and system: 56%
• User download unsafe apps or contents: 54%
• Malware: 52%
• Lost or stolen devices: 50%
• Vulnerability exploits: 49%
• Inability to control endpoint security: 48%
• Ensuring security software is up to date: 39%
• Compliance with regulations: 38%
• Device management: 37%
• Network attacks via Wi-Fi: 35%
• Others / none: 4%
Source: The Ponemon Institute
BYOD:
• Mobile Device Management Systems must be used to keep
track of the devices on the network and use multi-factor
authentication
• Removable media should be scanned as soon as a connection
to the corporate network is established
• Promote regular updating, patching and device data
encryption
• Infection and Incident response systems should be in place to
deal with an infection in the corporate network
• Generate awareness about permissions requested by
applications on devices
• Implement security control frameworks like the ones given
by NIST (National Institute of Standards and Technology)
The Weakest Link: Humans
The weakest link in the security chain
Call center employees of a US telecom service giant accessed
information of more than 278,000 customer accounts without
authorization in 2015 with losses amounting to $25 million.
They got hold of PIIs (Personally Identifiable Information) that
could be used to unlock the company mobile phones. This
information was given to third parties who submitted 290,803
handset unlock requests via the online customer unlock request
portal. Not only did the telecom giant suffer financial loss, but
also reputation loss.
An Insider threat is any threat to an organization that originates
from people who are associated with it and possess access to
sensitive information which can lead to fraud, cyber sabotage
and theft. Risks arising from human actions can be either
intentional or unintentional.
India is no stranger to incidents involving insider threats.
Hindustan Unilever Ltd (HUL) dragged three of its former
employees to the Bombay High Court in April 2018 for allegedly
stealing data related to manufacturing of its products and other
confidential information.
Intentional risks span from threat sources like layoffs leading to
disgruntled employees, to temptation of financial gain from
selling of intellectual property to the highest bidder.
Unintentional risks are due to carelessness, lack of due diligence
on the part of employees or a plain human error. An external
actor gains access to internal networks and data using
credentials of legitimate users obtained by various social
engineering techniques (Single-stage/Multi-stage attacks) or by
buying compromised data off the 'Dark Web'.
According to a Crowd Research Partners 2018 report on insider
threats, 90% of organizations felt vulnerable to insider attacks.
The top three risk factors enabling the insider threat
vulnerability are excessive access privileges (37%), endpoint
access (36%), and information technology complexity (35%).
Many organizations tend to overestimate their defensive
capabilities and underestimate effectiveness of social
engineering. Recent incidents indicate that social engineering
and phishing attempts continue to succeed despite the
awareness generating initiatives undertaken by organizations.
“No security solution is ultimately stronger than its weakest
link”. With the growing trend of virtual organizations, hyper-
connectivity and mobility, insider threats will only grow as
insiders believe that the probability of getting caught stealing
information reduces when offsite.
MITIGATION
It is important to assess all possible threat sources leading to
insider risks. Also, the management must understand and
promote the fact that insider risk cannot be handled by the
information security vertical alone; it has to be a cross
functional process throughout the organization. The right way
to go about mitigating insider threats is to prepare an insider
threat program and implement controls before association,
during employment and after termination of employment.
Identifying the valuable assets of the organization and having a
response and resilience plan are imperative, along with the
Identity and Access Management program.
PRE-EMPLOYMENT SCREENING
• Proactive cyber security intelligence gathering for identifying
threat sources in advance
• Background screenings and reference cross checking
• Foster a risk-centric approach to the rising cyber security
threats
• Implement multi-factor authentication as weak, stolen or
default passwords continue to remain a major weak link in
data theft.
[Figure: CYBER DEPENDENCY. National security, commerce, utilities management, governance & military, energy security, water security, food security, trade and social cohesion, shown with supporting cyber technologies.]
DURING EMPLOYMENT/ASSOCIATION
• Integrate the threat management plan with business
strategy and cyber security practices
• Identify critical data and implement data protection instead
of focusing too much on perimeter hardening
• Hold regular cyber security awareness and training sessions
as most cases of insider risk are because of careless and/or
untrained users
• Make use of User Behavior Analytics (UBA) which involves
detection of unusual activity by monitoring user actions
especially of those with elevated privileges and/or with
access to sensitive data. Identification of risk tolerant
employees/partners can also be done
• Virtual Environments need to be hardened in a stringent manner,
have a data leakage prevention practice, and block
unapproved software
• Implement the 'Least-privilege policy' and grant permissions
only on a need-to-know basis. Block root access to users
• Include segregation of duties in every critical business
process
• Implement and regularly test a Business Continuity and
Disaster Recovery plan
AFTER TERMINATION
• Reaffirm employee agreements at the time of departure
• Increase monitoring of employees with impending
departure
• Get rid of means of access after departure by revoking
access, disabling ex-employee accounts
Cyber Supply Chain Security
How secure is your third party?
CYBER ATTACKS VIA THIRD PARTY
In late 2013, the Target data breach shocked the whole retail
industry when the investigation revealed that a third party
compromise or exposure can transmogrify a secure ecosystem
of business into a vulnerable one. The data breaches at Home Depot
and Boston Medical Center, and the PNI Photo hack that led to the
compromise of online photo services at CVS, Costco and Sam's Club,
are a few supporting examples. In March 2016, Amex notified
cardholders about their account information which may have
been exposed after a third-party service provider suffered a
data breach. Systems owned or controlled by Amex remained
unaffected. Confidential customer data may have been
disclosed regardless of all security measures implemented by
Amex. These attacks are eye openers, illustrating the new
course adopted by cyber criminals for attacking larger
organizations by targeting trusted third-party vendors with
fewer or no security controls. Furthermore, terrorist attacks on
the supply chain have increased 16% year on year according to
BSI's report on Terrorist Threats to International Trade and the
Supply Chain.
SUPPLY CHAIN AND OUTSOURCING
Decades of advancement in technologies, Internet, mobile
devices and cloud computing, along with globalization, have
revolutionized supply chain operations all over the world.
Organizations can now overcome geographical boundaries and
technological barriers and share large amounts of critical
business data with just a few clicks. Today, the supply chain of a
company can comprise suppliers and business
partners located across the globe. Along with environmental
and operational risk, this increases the attack surface, which has made
the supply chain prone to information and cyber risk.
India has become the world's choice as an outsourcing
destination, making India a hub of third party service
providers offering a catalogue of IT and other services across
the globe. Cloud services and third party providers are business
enablers, empowering SMBs with platform and subscription
services. Customers trade off ownership, control and insight
over their data for the benefit of third party services, making
these providers a source of cyber risk for themselves. The
forecast shows a rising trend of outsourcing, which implies
increased involvement of third parties in all
businesses. The longer the chain of suppliers in a business, the
more vulnerable it makes an organization associated with it to
cyber-attacks.
VENDOR IS THE WEAK LINK
Third party vendors are the weakest link of any supply chain
and are exploited by attackers to get extensive access to the
destined organization's assets. Enterprises are more focused on
securing their own networks, data and users. Many times,
enterprises will have a vast network of suppliers and partners,
made up of many smaller partners, which blurs the visibility of
the complete supply chain from the cyber security perspective;
these chains can be easier targets for attackers when the enterprise
has implemented an in-house security program.
FACEBOOK/CAMBRIDGE ANALYTICA DATA SCANDAL
The recent acceptance of a data leak from Facebook turned out to
be an eye-opener for users and governments. In March, a
whistleblower came forward to say that Cambridge Analytica, a
data-mining firm, allegedly improperly accessed Facebook user
data through a third-party quiz app, and that it used that data to
build psychological profiles to target voters with political ads.
When a user installs a new app using Facebook, the app
company gets access to the user's Facebook profile. According
to reports, roughly 87 million people's personal information
was accessible to Cambridge Analytica. If Cambridge Analytica
was able to put certain ads into specific people's feeds, it could
have influenced their political views on Facebook. The users
were served (at times misleading) ads that related to issues they
felt strongly about, and that were designed to provoke a reaction
and a share. A probe has been launched to investigate the
effects of this data leak.
SECURINGTHESUPPLYCHAIN
With India becoming the hub of 3rd party services and statistics
indicating rise in cyber-crime in India, it has become a necessity
to ensure supply chains are cyber secure in India to ensure
prominentbusinessgrowth.
Organizations need to implement the below measures to be
resilienttocyber-attacksviathirdparty:-
• Use common machine language so that security teams and
vendors can better communicate, measure, and improve
their programs.
• Make security controls a mandatory requirement for
suppliers and require them to adhere to the same data
handling processes and procedures as the organization.
• Implement ISO 27001 and ISO 22301 for information security
and BCP. Moreover, ensure compliance for continued focus
on information security in supplier relationships.
• Implement standard BS 31111 for enabling better decision
making by providing essential guidance for executive
management to manage their cyber risk and resilience.
• Furthermore, comply with the upcoming General Data Protection
Regulation (GDPR) standard.
• Use frameworks provided by MITRE and the National Institute
of Standards and Technology (NIST) which can measure
operations and controls.
• Conduct regular audits of third parties by external auditors
to ensure compliance.
• Have well documented BCP and DRP to ensure continued
business with minimum impact in case of cyber-attacks.
• Ensure cyber insurance is in place to minimize the loss
arising from data breaches due to third-party compromises.
• Gain clear insight of all the parties involved in the supply
chain.
• Develop a first line of defense by educating all users about
information and cyber security risks.
• Implement a vendor risk management and cyber risk
management program.
• Organizations can use Big-data analytics and open-source
technology with learning algorithms to identify discrete
supplier risk events from across the internet and social media.
[Figure: Supply chain attack. "ENISA Threat Landscape" threat types (phishing, identity theft, web application attack, web based attack) related to the identified threat and the steps of the attack. Labelled elements: phishing e-mail to developers of Chrome extensions; credential theft of Chrome developer account; Chrome extension tampering; Internet traffic manipulation & malvertising; CloudFlare accounts credential theft; compromised Chrome extension pushed to systems. Source: European Union Agency for Network and Information Security]
Adoption of more sophisticated security technologies
Can new technologies keep up with evolving risks?
There are several new security technologies that are likely to
see wider adoption in the next few years.
BLOCKCHAIN
A Blockchain is a distributed ledger technology that allows
digital information to be distributed but not copied. Originally
devised for the digital currency, Bitcoin, the tech community
eventually found other potential uses for the technology.
Blockchain has the potential to improve data integrity and digital
identities and to enable safer IoT devices to prevent DDoS
attacks. It offers a secure way to exchange any kind of goods,
services, or transactions. Industrial growth increasingly
depends on trusted partnerships; but increasing regulation,
cybercrime and fraud are inhibiting expansion. To address these
challenges, Blockchain will enable more agile value chains,
faster product innovations, closer customer relationships, and
quicker integration with the IoT and cloud technology. Further,
Blockchain provides a lower cost of trade, with a trusted
contract monitored without intervention from third parties
who may not add direct value. It facilitates smart contracts,
engagements, and agreements with inherent, robust cyber
security features. The technology is likely to impact everyone
from banking to power, education, healthcare, government and
public sector. It is likely to provide confidentiality, integrity, and
availability, offering improved resilience, encryption, auditing,
and transparency. Hence, companies are targeting a range of
uses for the blockchain technology from medical records
management, to decentralized access control, to identity
management.
THREE KEY BENEFITS OF USING BLOCKCHAIN FOR IoT
BUILD TRUST
• Build trust between parties and devices.
• Reduce risk of collusion and tampering.
REDUCE COST
• Reduce cost by removing overheads associated
with middlemen and intermediaries.
ACCELERATE TRANSACTIONS
• Reduce settlement time from days to near
instantaneous.
Source: IBM infographic
REMOTE BROWSERS
Remote browsing is a technology which allows a user to browse
freely without exposing the corporate network. It achieves
that by executing the code of a web page inside a secure virtual
container, located between a user's device and the Internet.
Files can be rendered remotely but only a visual representation
of the web content is sent to the user, and any malicious activity
is confined to that container.
So even if a naive user opens an infected email attachment, that
malware has nowhere to go—it will never touch their machine.
And at the end of each session, the disposable container is
destroyed, along with any malicious content. Hence, it can be
helpful for isolating a user's browsing session from the
network/endpoints. By moving browsing off the endpoint
device, off the corporate network, the impact of an attack is
greatly reduced, and the exfiltration of potentially sensitive
data can be prevented.
DECEPTION TECHNOLOGIES
Deception technologies imitate a company's critical assets and
act as a trap for attackers looking to steal this data. Deceptions
Technologies Endpoint Detection and Response (EDR) and
Network Traffic Analysis (NTA). EDR can monitor endpoints and
alert system admins of suspicious behavior and NTA can be used
to monitor network traffic to help determine the type, size,
origin, destination and contents of data packets.
SOPHISTICATED REAL-TIME CHANGE AUDITING SOLUTIONS
This technology secures critical assets by detecting and
responding to user privilege abuse and suspicious file/folder
activity — either based on single event alert or threshold
condition. It can detect account modifications, deletions,
inactive user accounts, privileged mailbox access and a lot
more.
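One way to express the single-event and threshold conditions described above, as an added example (not code from the whitepaper or from any auditing product). The event format, rule names, thresholds, account names and sample log lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed rule set: these actions alert on a single occurrence.
SINGLE_EVENT_ACTIONS = {"account_deleted", "account_modified",
                        "privileged_mailbox_access"}
# Assumed threshold rule: this many file events by one user inside the window.
THRESHOLD_ACTIONS = {"file_deleted", "file_modified"}
THRESHOLD_COUNT = 5
THRESHOLD_WINDOW = timedelta(seconds=60)
# Assumed inactivity cut-off for the inactive-account report.
INACTIVE_AFTER = timedelta(days=90)

# Constructed sample audit trail: "ISO-timestamp user action target".
SAMPLE_LOG = """\
2018-05-02T09:00:01 asha file_modified /finance/q1.xlsx
2018-05-02T09:14:30 ravi privileged_mailbox_access ceo@example.test
2018-05-02T10:00:00 meera file_deleted /hr/a.docx
2018-05-02T10:00:05 meera file_deleted /hr/b.docx
2018-05-02T10:00:09 meera file_deleted /hr/c.docx
2018-05-02T10:00:15 meera file_modified /hr/d.docx
2018-05-02T10:00:20 meera file_deleted /hr/e.docx
2018-05-02T10:05:00 meera file_deleted /hr/f.docx
2018-05-02T11:30:00 ravi account_deleted svc-backup
"""

# Constructed last-logon data and reference time for the inactivity check.
SAMPLE_NOW = datetime(2018, 5, 2, 12, 0, 0)
SAMPLE_LAST_LOGON = {
    "asha": datetime(2018, 5, 1, 8, 0, 0),
    "ravi": datetime(2018, 4, 20, 17, 45, 0),
    "svc-old": datetime(2017, 11, 1, 3, 0, 0),
}


def parse_event(line):
    """Parse one 'timestamp user action target' line into a dict."""
    ts, user, action, target = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target}


def audit(events):
    """Return alerts as (rule, user, timestamp, detail), in time order."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent file events
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in SINGLE_EVENT_ACTIONS:
            # Single-event alert: one occurrence is enough.
            detail = ev["action"] + " " + ev["target"]
            alerts.append(("single_event", ev["user"], ev["ts"], detail))
        elif ev["action"] in THRESHOLD_ACTIONS:
            # Threshold condition: count events in a sliding window per user.
            window = recent[ev["user"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > THRESHOLD_WINDOW:
                window.popleft()  # drop events that slid out of the window
            if len(window) >= THRESHOLD_COUNT:
                detail = "%d file events within %ds" % (
                    len(window), THRESHOLD_WINDOW.seconds)
                alerts.append(("threshold", ev["user"], ev["ts"], detail))
                window.clear()  # re-arm so one burst raises one alert
    return alerts


def inactive_accounts(last_logon, now):
    """Return accounts whose last logon is older than INACTIVE_AFTER."""
    return sorted(u for u, ts in last_logon.items()
                  if now - ts > INACTIVE_AFTER)


def run_sample():
    """Run both checks over the constructed sample data."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    return audit(events), inactive_accounts(SAMPLE_LAST_LOGON, SAMPLE_NOW)


if __name__ == "__main__":
    found, inactive = run_sample()
    for rule, user, ts, detail in found:
        print(ts.isoformat(), rule, user, detail)
    print("inactive accounts:", inactive)
```

Clearing the window after a threshold alert keeps one burst of deletions from raising an alert on every subsequent event, which is the usual cause of alert fatigue with this kind of rule.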
Cyber Insurance
Transferring the financial aspect of cyber risk
In India, according to IBM and Ponemon Institute reports, the
costs of data breaches are hurting organizations significantly.
Companies are incurring INR 4,210 per employee in 2017 as
compared to INR 3,704 in 2016, according to the 2017 Cost of
Data Breach Study. Notably, there has been a significant
increase in both first-party and third-party losses. The average
total organizational cost of data breach increased by 12.3% to
INR 11 crore from INR 9.7 crore. The cost includes not only the
financial loss incurred by companies but also the cost of
managing a breach. The report identified malicious or criminal
attacks as the most common root cause of a data breach with
41% of companies experiencing this. As high as 33% attributed a
breach to system glitches, while 26% involved employee or
contractor negligence.
With cybercrime enjoying a place in the top four economic
crimes in the world, India does not lag in terms of financial
losses arising due to cybercrime. According to reports by Indian
Computer Emergency Response Team (CERT-In), the number of
cyber security incidents reported were: 44,679 in 2014, 49,455
in 2015, 50,362 in 2016 and over 53,000 in 2017. Threats
reported include phishing attacks, website intrusions and
defacements or damages to data as well as ransomware attacks.
India has seen its share of cyber-attacks leading to significant
financial losses with incidents like the recent defacement of the
Defence Ministry and Supreme Court's website. All such cyber
security breaches have a huge financial impact.
Cyber risk can be mitigated by transferring a part of the risk, i.e.
financial risk, to an insurance provider. Many business leaders
are unaware of this.
BUILDING A CASE FOR CYBER INSURANCE
The growing online presence of businesses brings with it the
risks associated with the internet. The burgeoning e-commerce
and logistics industry in India, the increasing presence of
Online/Mobile banking facilities and government initiatives like
'Digital India' and 'Smart Cities' coupled with the rising
sophistication of cyber-attacks make a strong case for Cyber
Insurance. Organizations in India have been slow to act on the
increasing cyber risks by buying cyber insurance with most
policies being bought mainly by BPOs who have it as a mandate
in their contract with clients. Healthcare and Hospitality sectors
with their sensitive data have been the most neglected
regarding cyber insurance. High premiums and several
exclusions in the policy pose hurdles for the spread of cyber
security. But the cyber insurance market has matured and is
growing at a rapid pace, with it slated to grow to USD 7 billion by
2020. Different industries have different insurance
requirements, so there needs to be a high degree of
requirements, so there needs to be a high degree of
customization in the cyber insurance policy rather than a 'one-
size-fits-all' approach adopted traditionally by insurance
providers. Most organizations generally insure their assets, buy
health cover for employees but neglect their cyber liabilities. It
is highly recommended that cyber liability be covered too.
BUYING CYBER INSURANCE
It is important to note that buying a cyber-insurance cover does
not mean overlooking other aspects of the cyber security
program. No risk can be completely mitigated and there is
always a residual risk. Cyber Insurance is bought to cover the
financial losses incurred in case of an unlikely event where the
organization's systems are breached even after a proper cyber
security plan is in place. Exclusions are always in place: policies do
not cover losses due to reputation loss, loss of future revenue
arising due to reputation damage and losses incurred due to the
reduced value of intellectual property. First-party coverage
(covering the entity which was the victim of a cyber-breach) and
third-party coverage (covering vendors and IT service providers)
are included in most policies.
Cyber Insurance should be included in the Risk Management
plans of organizations.
It is not very easy to determine the amount of cover that an
organization needs. Techniques like cyber modelling and
benchmarking help in arriving at a figure. Modelling deals with
extrapolating past data to predict the 'what, how frequently
and to what extent' of cyber-attacks. A drawback of this
technique is the scarcity of data available for
predictions and a lack of understanding of the insurable and
uninsurable assets of the organization. Benchmarking, as the
name suggests, provides a baseline to work with. This baseline
is arrived at by analyzing the amount of coverage similar sized
firms take in a similar industry. It is highly advised that a holistic
approach is undertaken when determining the cover to be
bought. The overall risk environment of the organization,
industry-specific factors and future trends should be considered
before buying cyber insurance.
Key findings - Cyber security survey
• 87% of respondents say they need up to 50% more cyber security budget.
• 77% of respondents consider a careless member of staff as the most likely source of attack.
• 48% do not have a Security Operation Centre, even though they are becoming increasingly common.
• 36% of boards have sufficient cyber security knowledge for effective oversight of cyber risks.
• 12% feel it is very likely they would detect a sophisticated cyber attack.
• 63% of the organisations still keep cyber security reporting mostly within the IT function.
• 57% do not have, or only have an informal, threat intelligence program.
• 89% say their cyber security function does not fully meet their organisation's needs.
Source: EY Global Information Security Survey 2017-18
OUTLOOK
Organizations in the USA purchase around 90% of the world's
cyber insurance. The buying is set to spread across the world.
The cyber insurance market is expected to grow to 7.5 billion
USD in premiums by 2020. More stringent exclusions and
conditions are expected to be included in the policy document.
The cost of buying cyber insurance is not expected to fall as
the number of insurance providers is very small. Cyber
insurance cover will be incorporated in cyber resilience plans of
an organization. It is imperative that organizations be aware of
what they can potentially lose and to what extent these
losses can be borne.
Cyber Resilience Trends
New waves of fortification
Cyberspace has emerged as a global common. It requires safe
and secure navigation by nations for trade, commerce and
communication. Therefore, cyber security has become
imperative in every sense of the word; be it social, political,
economic or military.
India is an emerging economy with a lot of potential resources
and skilled workforce widely available for businesses to expand.
ICT (Information and Communication Technologies) continues to
find its place in all industries. Urbanization and digitization
projects like Digital India, Aadhaar, Smart Cities by the
government of India are significant steps towards becoming a
Smarter Nation. As a smarter nation India would provide high
quality of living to its people, embracing technologies with
smarter outcomes and ensure business sustainability. In coming
years, cyberspace of India would expand massively, touching
many aspects of our lives. Expansion will bring in new risk and
threats as a challenge for India in securing its cyberspace.
India has made significant investments in creating organizations
and their supporting structures to build cyber security
capability, capacity and delivery mechanisms. India is ranked
23rd out of 165 nations in a 2017 global index that measures the
commitment of nations across the world to cybersecurity.
[Figure: How the government has been increasing its cyber defence. Timeline with the dates June 2016, March 2017, April 2017, June 2017, September 2017 and January 2018. Events shown: RBI announces frameworks of cyber security and banks; Ministry of Power announces setting up of 4 sectoral Computer Emergency Response Teams for power transmission and distribution; RBI releases IT framework for NBSC sector; IRDA releases guidelines on information and cyber security for insurers; Sebi releases note on cyber security and cyber resilience framework for registrars to issue / share transfer agents; UIDAI introduces 16-digit virtual ID to mask Aadhaar numbers; UIDAI announces it will introduce facial authentication for Aadhaar by June 2018. Source: Times of India]
However, the emerging threats have overtaken India's pace and
scale of efforts. India therefore needs to review and re-boot its
efforts to raise the cyber security bar to meet 21st century
challenges.
The following trends need to be addressed, in India, for it to
become a cyber resilient nation.
LACK OF SKILLS
A lack of supply and increasing demand has made it impossible
for companies to field the security programs which they need to
defend their business. Furthermore, the skills shortage and
inadequate numbers are having an impact on the existing
cybersecurity workforce (i.e. overwhelming workload, limited
time for training, etc.), processes (limited proactive planning,
limited time to work with business units, etc.) and technology
(limited time to customize or tune security controls, etc.).
Notably, more than one million cyber security professionals are
required in India by 2020.
COMPANIES ARE LIKELY TO BE HESITANT TO COMPLY WITH
THE GDPR
The General Data Protection Regulation (GDPR) standard will be
coming into effect on 25 May 2018. It consists of increased
territorial scope, stricter consent laws and elevated rights for
data subjects to name a few. However, as per the reports, many
companies will choose not to comply, as they claim that the cost
of compliance outweighs the risks.
CYBER DIPLOMACY
Cyber diplomacy refers to the use of diplomatic tools, and the
diplomatic mindset, to resolve issues arising in cyberspace.
Historically, diplomacy has happened in secrecy, behind closed
doors. However, new communication technologies are making
diplomacy more open and public. These technologies are
creating opportunities for governments to interact effectively
with the public, resulting in the cyberspace quickly becoming an
arena for international diplomacy. Furthermore, it is not limited
just to governments; the same could be carried out by non-state
actors, including companies and NGOs.
Initiatives to Build Consensus and Co-operation on Cyber
Incidents:
The proliferation of e-commerce has led to an unprecedented
spurt in cybercrimes and other malicious acts committed in and
through cyberspace, with an estimated cost to the global
economy of over USD 400 billion per year. The borderless
nature of cyberspace makes it incumbent for all nations to
cooperate for combating and preventing such acts, including
information exchange between law enforcement, military, and
technical groups. Thus, the consensus in approach while
addressing incidents and other cooperative agreements
between the parties can contribute greatly to global stability
and increase trust in the e-business space. India can assist in
developing specific mechanisms for improving cooperation to
investigate and respond to cyber incidents and explore ways to
contribute to overall trust building amongst the nations.
Confidence Building Measures for Strategic Stability and
Setting Norms for State Behavior in Cyber Space:
The cyber space security is synonymous with survival and
sustenance of society in terms of social, economic, political and
military capability as the continued growth of cyber-attacks by
malicious actors of all kinds have reached an intolerable point.
This is coupled with far-reaching decisions being taken by
military planners to build information weaponry. Stronger
cybersecurity cooperation among major nations to deal with
these threats is essential. While multilateral and multi-
stakeholder bodies such as the United Nations Group of
Governmental Experts (UN GGE) and others have made some
progress on the development of norms of behavior and
cybersecurity standards, practical cooperation and concrete
agreement among nations is lagging. India should work towards
building common understanding on potential norms of
behavior in cyberspace.
Taking Prominent Role for Building Regional Co-operation
Amongst ASEAN & BRICS Nations:
Countries across the globe including China, India and the United
States are engaged in a variety of bilateral and regional security
conferences separately, as well as jointly. Established regional
forums, such as the BRICS and the ASEAN Security Forum can
further provide an opportunity to increase cooperation on
cyberspace issues and build trust. India should proactively
participate to emerge as an opinion builder.
[Figure: Train 1,000,000 people in cyber security skill by 2020]
CYBER REGULATION
There has been a rapid increase in the use of the online
environment where millions of users have access to internet
resources and are providing content daily. As a result, countries
across the world are drawing up regulations to address threats
to cyberspace. The major area of concern where regulation is
desirable is data protection and data privacy so that industry,
public administrators, netizens, and academics can have
confidence as online users.
In 2017, the US State Department passed the Cyber Diplomacy
Act of 2017 bill. The bill recognizes the degree to which
protecting security in cyberspace and promoting digital
communications as a vital economic, social, and political bridge
has become critical to the mission of the US government.
In India, the government has formed a ten-member committee
under Justice B N Srikrishna to deliberate on a data protection
framework for the country. The committee is to identify key
data protection issues in India and recommend methods of
addressing them. Meanwhile, Digital Information Security in
Healthcare Act (DISHA) is proposed to secure digital health
records. All medical institutions maintain reports that contain
every minute detail such as diagnosis of the disease, and the
treatment recommended including any prescriptions given to
the patient. Every hospital is supposed to keep the record of the
patients safe because it consists of sensitive personal
information about the patient. To protect the data, DISHA
provides tougher privacy and security measures for digital
health data. With rapid changes and advancements in
cyberspace, more such regulations are required to be drawn up.
ARTIFICIAL INTELLIGENCE IN CYBER SECURITY
The implementation of AI systems in cyber security can serve as
a real turning point. These systems come with several
substantial benefits that will help prepare cybersecurity
professionals for taking on cyber-attacks and safeguarding the
enterprise.
AI algorithms use Machine Learning (ML) to adapt over time
which makes it easier to respond to cybersecurity risks. New
generations of malware and cyber-attacks can be difficult to
detect with conventional cybersecurity protocols. They evolve
over time, so more dynamic approaches are necessary.
Cybersecurity solutions that rely on ML use data from prior
cyber-attacks to respond to newer but somewhat similar risk.
[Figure: Talent-centric. Built on a foundation that makes cyber security everyone's responsibility: talent management; board and 3 LOD roles and responsibilities; risk and security culture; training & awareness. Organisation's objectives; organisation's outcomes.]
Another great benefit of AI systems in cybersecurity is that they
will free up an enormous amount of time for tech employees. AI
is most commonly used to detect simple threats and attacks.
Given that the simplest attacks usually have the simplest
solutions, the systems are also likely to be able to remedy the
situation on their own.
Another way AI systems can help is by categorizing attacks
based on threat level. When deep machine learning principles
are incorporated into systems, they can adapt over time, giving
a dynamic edge over cyber terrorists.
AI systems that directly handle threats on their own do so
according to a standardized procedure or playbook. Rather than
the variability (and ultimately inaccuracy) that comes with a
human touch, AI systems don't make mistakes in performing
their function. As such, each threat is responded to in the most
effective and appropriate way.
Cyber attacks are becoming more common, more
sophisticated, and more impactful. However, AI systems can
help address some of those problems and ultimately give
business an advantage when facing a cyber-attack.
Recommendations
Technology | skills | policy
India needs to recognize and align to the transformative,
disruptive and game-changing role of cyber security to majorly
drive the 21st-century global economies, military doctrines,
demographic preferences of societies and even the political
influences. Hence, development of Work Force, Research
& Technology, Infrastructure and Policy is required for Building
National Cyber Security Capability.
WORKFORCE DEVELOPMENT:
• Develop workforce as an enabling national asset to meet
domestic as well as global security market needs.
• Educating employees regarding cybersecurity will make them
the first line of defense for any industry and nation.
• Mandate universities/colleges to offer education in ICT
Security at graduate, postgraduate and Ph.D. levels.
• Foster extensive collaboration with overseas universities for
faculty and course contents.
• Foster global research and technology collaborations.
Integrate Cyber Security & ICT Work Force and position
globally.
• Build regional security innovation hubs for global clients.
• Mandate creation of independent cadre alongside ICT Jobs,
develop best practices to recruit and retain professionals.
• Build National Skill Registry for Cyber Security.
[Figure: Improving national cyber security capability: technology, infrastructure, work force development, policy.]
RESEARCH AND TECHNOLOGY:
• Develop science of Cyber Security at schools and colleges
through specialized capsules and by amending the core
curriculum.
• Develop and mandate university-led research & innovation.
• Promote and support the use of next-generation
cybersecurity technologies.
• Develop a national initiative for the indigenous development
of core security technologies, platforms & solutions.
• Build experiments and exercises, pilot projects to support
wider participation in cyber security exercises.
• Promote IP building in security under a national initiative.
• Promote private sector R&D.
INFRASTRUCTURE:
• Mandate development and/or adoption of globally
recognized security standards, frameworks and platforms,
and guidelines.
• Establish laboratories, Centers of Excellence (COEs) aligned to
institutes/universities, industry and professional end user
agencies.
• Mandate creation of cyber security testing, certification &
clearing houses. A national cyber test facility providing for
network emulation, monitoring and audit, vulnerability
analysis, simulated attacks, graduated response,
performance analysis, and security assurance modeling.
• Mandate creation of strong legal & regulatory framework for
cyber related issues.
• New agencies and law firms would evolve for providing cyber
security legal services in India and as a service to the world.
• Mandate creation of Regional Security R&D & Innovation
Hubs comprising of security industry clusters, R&D centers
and academic institutions.
• Create Cyber Security industry clusters trained in high end
security products & solutions.
• Foster extensive overseas collaborations through alliances,
partnerships and joint ventures.
• Allow 100% FDI in critical technology areas of ICT security
such as Technologies & Products Development, Large Systems
Engineering & Integration etc.
POLICY FOR ENABLING ECOSYSTEM
• There is a need to understand and address gaps such as
incoherent, silo driven, inadequate focus to understand
volume and complexity of full spectrum cyber security, and its
impact on national security.
• Create a common body of knowledge for Cyber Security
including cyber warfare.
• Build cyber security savvy leadership, subject matter experts,
solution architects and system engineers to address the
inadequate comprehension of lack of cyber security
capability and its bearing on national security including the
military dimension.
• Foster system strategic thinking, at national scale about cyber
warfare and build operational requirements, articulate and
validate cyber doctrine.
• Create strategic level focus on program blue print, stake
holder agreement, resource allocation, funding priority and
allocation, policy issues thought leadership building, training
in security systems engineering.
• Create Program Execution Levers through investments in
system engineering expertise, and system integration
facilities.
• Indian diaspora and IT industry could be leveraged for
building global scale cyber security capability.
• Government needs to make security technologies attractive
for the private sector to invest in capability building.
MitKat Advisory Services Private Limited
511 Ascot Center, Near Hilton Hotel, Andheri (E), Mumbai – 400 099
T (Mumbai) : +91 22 2839 1243
T (Gurgaon): +91 124 455 9200 | T (Singapore): +65 8171 7554
E: contact@mitkatadvisory.com | W: www.mitkatadvisory.com
The Confederation of Indian Industry (CII) works to create and sustain an environment
conducive to the development of India, partnering industry, Government, and civil society,
through advisory and consultative processes. CII is a non-government, not-for-profit, industry-
led and industry-managed organization, playing a proactive role in India's development
process. Founded in 1895, India's premier business association has over 8000 members, from
the private as well as public sectors, including SMEs and MNCs, and an indirect membership of
over 200,000 enterprises from around 240 national and regional sectoral industry bodies.
CII charts change by working closely with Government on policy issues, interfacing with
thought leaders, and enhancing efficiency, competitiveness and business opportunities for
industry through a range of specialized services and strategic global linkages. It also provides a
platform for consensus-building and networking on key issues. Extending its agenda beyond
business, CII assists industry to identify and execute corporate citizenship programmes.
Partnerships with civil society organizations carry forward corporate initiatives for integrated
and inclusive development across diverse domains including affirmative action, healthcare,
education, livelihood, diversity management, skill development, empowerment of women,
and water, to name a few.
The CII theme for 2016-17, Building National Competitiveness, emphasizes Industry's role in
partnering Government to accelerate competitiveness across sectors, with sustained global
competitiveness as the goal. The focus is on six key enablers: Human Development; Corporate
Integrity and Good Citizenship; Ease of Doing Business; Innovation and Technical Capability;
Sustainability; and Integration with the World. With 66 offices, including 9 Centres of
Excellence, in India, and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany,
Singapore, UK, and USA, as well as institutional partnerships with 320 counterpart
organizations in 106 countries, CII serves as a reference point for Indian industry and the
international business community.
Confederation of Indian Industry
The Mantosh Sondhi Centre
23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000 / 24629994-7 * F: 91 11 24626149
E: info@cii.in * W: www.cii.in
About CII
MitKat Advisory is a global provider of integrated security and risk mitigation solutions and
services. MitKat works collaboratively with leading global corporations, government and non-
government organizations to protect people, assets, information and reputation. MitKat's
team consists of best-in-class consultants from diverse backgrounds. For details, kindly visit
www.mitkatadvisory.com
MitKat has offices in Delhi NCR, Mumbai, Bengaluru and Singapore, and through its network of
partners, delivers operational support and risk management services across Asia and Africa.
MitKat's services include:
• Information security and business continuity advisory
• Managed security services
• IT security consulting and implementation assistance
• Physical security and safety consulting & design
• Threat Intelligence and travel risk management
• Business Intelligence, due diligence and integrity risk management
• Operational support and embedded security services
• Women's safety and empowerment
• Skills & entrepreneurship development and CSR advisory
MitKat is technology and vendor-agnostic and is able to offer impartial and unbiased advice to
its clients to design 'fit-for-purpose' and 'best value' solutions to suit their specific business
and operational needs.
MitKat is an equal opportunities employer and committed to highest standards of integrity,
ethics, governance and compliance.
About MitKat
India Cyber Risk and Resilience Review 2018 48
CII Whitepaper India Cyber Risk & Resilience Review 2018
www.mitkatadvisory.com

  • 12. MALVERTISING ATTACKS
    Late in 2017, news broke of multiple malicious hacker groups using rigged online ads to push malware that hijacked the user's computer resources to generate cryptocurrencies. There was a major shift in the malicious advertising (malvertising) landscape as cyber criminals looked for new ways to trap online ads to plant viruses, trojans, spyware and other unwanted software into computer systems. There were also malicious hackers targeting an old WordPress software security flaw to infect more than 1,000 websites with malware capable of injecting code to serve malicious ads. A compromised advertising is believed to be responsible for the malicious ads campaign, which aimed to infect users' computers and phones with malware in this attack.
    Mobile device users, social networking and retail ecommerce business in India are expected to grow massively. Along with them, the online advertisement business will expand, as they are interlinked. The increased surface and massive user base will make India a lucrative base for malvertising attacks in the coming lustrum.
    [Figure: Cyber attacks in 2017, a timeline from January to November showing Cerber, Jaff, Spora, WannaCry, Crysis, Petya, NotPetya, Nyetya, GoldenEye, the Ethereum hack, the Equifax data breach, the Locky Diablo6 ransomware attack, the Dragonfly 2.0 attack, KRACK Wi-Fi, Bad Rabbit and the IcedID Trojan attack. Source: Accelerite]
    RANSOMWARE SURGE
    As many as 67% of Indian businesses were hit by ransomware and 91% of them have claimed to be running an up-to-date endpoint protection when the attack occurred. India also has
  • 13. the highest level of infection among the 10 countries, followed by Mexico, US, and Canada, while the global average of attacked companies is 54%. Ransomware will dominate the cybersecurity landscape in 2018, with businesses large and small paying millions of dollars to unlock encrypted files.
    The level of sophistication in distribution methods and attack vectors has expanded as well. There is a new compliance mandate which adds to the cost of ransomware attacks, regardless of whether data is recoverable or whether the victim pays the ransom. 15% or more businesses in top 10 industry sectors have been impacted by ransomware. One in four businesses hit with ransomware have more than 1000 employees. Nearly half of ransomware attacks infect at least 20 employees. The statistics do suggest, however, that attackers are gradually shifting away from high volume “spray and pray” email campaigns to more tightly targeted and cleverly customized attacks aimed at larger companies with deeper pockets. Increasingly, the ransomware model is to land and expand. As per reports, one in five businesses that paid ransom never got their files back.
    For example, hackers may choose to target critical systems such as power grids. Should the victim fail to pay the ransom within a short period of time, the attackers may choose to shut down the grid.
    CRYPTOCURRENCY
    This is also aiding the growth of ransomware as ransom payment becomes easier. Bitcoin extortion is the latest form of cyber extortion, carried out using a combination of malware, spear-phishing and ransomware. Its era started in India with attacks on three banks and a pharmaceutical company executing a crypto ransomware in January 2016.
    2017 saw the proliferation of cryptomining malware, or malicious software which surreptitiously mines for Monero and other cryptocurrencies. Minerva Labs found that attackers have turned to these tools to attract comparatively less attention from law enforcement and anti-fraud professionals, while enjoying a high level of anonymity and ease of cashing out illicit gains. Indeed, these factors led attackers to victimize 1.65 million users in the first nine months of 2017 with malware that consumed their machines' CPU, drove up power consumption (and possibly cloud service payments), and in some cases accompanied other digital threats.
  • 14. SOME NOTABLE EXAMPLES STAND OUT:
      • PhotoMiner spreads laterally on networks while collecting credentials for servers, trojanizing files stored on them, infecting users, and collecting new information about pivoting servers.
      • SnatchLoader is a typical downloader that added a cryptomining module in 2017. It's likely this malware will be the first of many to do so.
      • CoinHive earned sixth place on Check Point's 10 top malware for October 2017.
    TRENDING: RANSOMWARE AS A SERVICE
    Ransomware is available as a service, costing a percentage of profit and an upfront fee. This would enable even the least tech savvy cybercriminal to perform ransomware attacks without hassle, thus increasing the likelihood of these attacks in coming years.
    WANNACRY
    It was a devastating ransomware attack which affected several hundred thousand machines and crippled banks, law enforcement agencies and other infrastructure. It was the first strain of ransomware to use EternalBlue, exploiting a vulnerability in Microsoft's Server Message Block (SMB) protocol. The May 2017 worldwide WannaCry ransomware attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.
    NOTPETYA
    It started as a fake Ukrainian tax software update, and infected hundreds of computers in over 100 countries in a few days. It is a variant of Petya, but uses the same exploit behind WannaCry. It hit a number of firms in the US and caused major financial damage. For example, the attack cost pharmaceutical giant Merck more than USD 300 million in Q3 of 2017 alone, and a similar amount in Q4. In 2018 extortion is expected to rise as attackers look for new, innovative, machine enabled ways to increase the return on their efforts.
    HEADLESS WORM
    IoT is likely to experience the emergence of new genes of worms and viruses with the ability to propagate from device to device. Headless worms are an anticipated type of malware attack that targets “headless devices”, or gadgets that run on their own without having to be directed by a user. A headless worm could allow attackers to grow a botnet more efficiently, enabling them to launch even larger attacks.
  • 15. GHOSTWARE AND BLASTWARE
    Ghostware conceals its tracks by erasing all traces of its activity once a system is breached. This type of malware makes it especially difficult to figure out what has been compromised during a breach. It also makes it hard for network security specialists to fix the weaknesses that led to the successful attack, since this type of malware doesn't leave a trail that indicates its point of entry.
    Along with Ghostware, cybercriminals may deploy Blastware to inflict severe damage on critical infrastructure and organization networks. After installation, it continues to perform its intended activity until it suspects that it is being detected or reverse engineered. Upon suspicion of detection, it will self-destruct and crash the whole system permanently. Blastware is expected to be used in cases of state-sponsored cybercrime or Hacktivism.
    Currently, India is one of the top countries for devices infected by malware. These emerging malware families are going to add to the problems in creating a secure Indian Cyberspace for businesses.
    EQUIFAX
    Cybercriminals penetrated Equifax (EFX), one of the largest credit bureaus, and stole the personal data of 145 million people. It was considered among the worst breaches of all time because of the amount of sensitive information exposed, including Social Security numbers.
    BAD RABBIT
    Another major ransomware campaign, called Bad Rabbit, infiltrated computers by posing as an Adobe Flash installer on news and media websites that hackers had compromised. Once the ransomware infected a machine, it scanned the network for shared folders with common names and attempted to steal user credentials to get on other computers. The ransomware, which hit in October 2017, mostly affected Russia, but experts saw infections in Ukraine, Turkey and Germany.
    MORE SANDBOX-EVADING MALWARE
    Sandboxing technology has become an increasingly popular method for detecting and preventing malware infections. However, cyber-criminals are finding more ways to evade this technology. For example, new strains of malware are able to recognise when they are inside a sandbox, and wait until they are outside the sandbox before executing the malicious code.
  • 16. PHISHING AND SPEAR PHISHING
    On 22 March 2016, Pivotal fell prey to a phishing attack. A phishing email was sent to Pivotal employees, ostensibly by the Pivotal CEO, requesting payroll information. Assuming it was a legitimate mail, an employee sent W-2 tax information of all employees to an unknown party. No customer information was compromised as part of this incident. After the attack was confirmed, Pivotal sent a memo to its staff containing information about the incident. As many as 534 phishing incidents were reported last year, of which 342 involved phishing websites hosted outside India, according to the Indian Computer Emergency Response Team (CERT-In). The statistics of phishing attacks clearly indicate that all business and government agencies in India are likely to suffer more sophisticated and advanced phishing attacks in coming years.
    TWO-FACED MALWARE
    Two-faced malware gets its name from how it presents one safe “face” to your anti-virus, but retains its malicious “face” once it is dubbed safe. This type of malware attack works by recognizing when the computer's anti-virus isolates the malware into a sandbox.
    A sandbox is a designated “safe zone” used to test/check questionable programs before they are given access to a computer's drive and/or network. Two-faced malware senses when it has been placed in a sandbox and escapes detection by ceasing all malicious activity while isolated. In doing this, the malware tricks the anti-virus into flagging said program as safe, and it is released back onto the computer.
    ARTIFICIAL INTELLIGENCE (AI) POWERED ATTACKS
    According to security experts, 2018 will not only be a bad year for data breaches, but the year of AI-powered cyberattacks, which makes prevention more difficult. In such attacks, machine learning is used to study patterns of normal user behavior within a company's network.
    It could help human cybercriminals customize attacks. AI systems can help gather, organize and process large databases to connect identifying information, making this type of attack easier and faster to carry out. Furthermore, AI systems could even be used to pull information together from multiple sources to identify people who would be particularly vulnerable to attack.
  • 17. According to reports, artificial intelligence will make existing cyber-attack efforts like identity theft, denial-of-service attacks, and password cracking more powerful and more efficient. It can steal money, cause emotional harm and even injure or kill people. Larger attacks can cut power to hundreds of thousands of people, shut down hospitals and even affect national security.
    LAND AND EXPAND ATTACKS
    In land and expand attacks, the attackers gain access to the system and expand their access throughout the network. Sophisticated cyber attackers follow a systematic approach involving careful reconnaissance, scanning, access, and escalation. In most cases, hackers gain privileged access using stolen credentials. Once in, the intruders extract credentials that will give them lateral movement throughout the network. To accomplish this, attackers look for SSH keys, passwords, certificates, Kerberos tickets and hashes of domain administrators. Often, hackers will quietly monitor and record activity on compromised systems. Then, they can use this information to expand their control of the network.
    UPCOMING THREATS IN 2020
    Security firms are coming up with intelligent techniques for threat detection along with application of big-data analytics for threat prediction. To bypass astute systems, attackers will be coming up with innovative attacks that will not only penetrate the most secure and impregnable system but will also remain undetected for quite a long period of time.
    Last year, nearly 100 cyber security deals were happening every quarter with an average top line multiple of 9.4x and bottom line multiple of 54.3x. This is much higher than the corresponding number and valuation in the IT field. The Cyber Security market continues to register double-digit growth, projected to become a $232 billion global market by 2022 with an impressive compounded annual growth rate of 11%.
    In future, we may see furtive attacks for data theft on a system covered under a direct DoS, malware or botnet attack. The direct attacks would act as a distraction allowing the attackers to perform their intended actions.
  • 18. Internet of Things Increasing connected devices; increasing attacker incentives
  • 19. When security researchers ran experiments on devices used on a daily basis like coffee machines, video streaming USB dongles, baby monitors and home security systems, it was found that all of the devices tested could be hacked in some way. It is worrying to know that a baby monitor enables a hacker to access the camera connected to the same network and watch the video feed from it. Further, other products from the same vendor were susceptible to giving away the user's credentials to the hackers. Broadcasting of unencrypted information has proven to be the Achilles' heel of the devices succumbing to an attack. Other findings state that use of magnets by attackers can render home security systems ineffective in stopping them from opening or closing a window which was meant to be protected.
    [Figure: Top uses of IoT (values shown: 50%, 45%, 40%, 40%, 48%): smart / automated building implementation; video surveillance; physical building security; ease-of-use for customers and employees; data collection for better business decisions. Source: US Department of Energy]
  • 20. SIGNIFICANCE OF IoT
    IoT is based on the simple requirement of devices communicating with each other without human interference. While the inter-connection in most cases is immensely beneficial, the problem is that it makes the consumer highly susceptible to cyber-attacks. A study revealed that 70% of IoT devices have serious security vulnerabilities, such as insecure web interfaces and data transfers, insufficient authentication methods, and a lack of consumer knowledge, which leaves users open to attacks.
    So, it is not only the critical infrastructure, most of which is being considerably hardened, but also the periphery which is becoming the preferred point of entry. The challenge is to understand the interconnectedness of devices, which is both a convenience and a risk. In this regard, access to one provides access to all.
    That's a risk that security professionals need to be prepared to face by integrating password requirements, user verification, time-out sessions, two-factor authentication and other sophisticated security protocols. IoT is at a nascent stage at the moment but has shown a lot of potential to be a game changer.
    The real value generated from IoT is from the analytics run on the user data collected by the devices. Trends and patterns can be found that businesses can leverage. IoT is set to change the way people live and make cities smarter. The future is a move from independently used devices and sensors to cross vendor devices communicating to give a truly synergized service. With wearables and healthcare devices leveraging the internet of things, the future looks towards a highly connected and efficient way of life.
    Businesses are finding new ways to use IoT in their products and services to create value for their customers. IoT is expected to deliver a range of benefits like improvements to products, supply chain insight, extended product lifecycle and a smarter way of life. The European Union has planned a system called 'eCall' which will cut down 50 to 60% of the response time for emergency services, to be installed onto every vehicle.
    With the number of 'Things' which will be connected set to go up by 30% in 2018 as per Gartner, the upside of having devices connected to each other will also increase the possibilities for attackers to exploit vulnerabilities to gain unauthorized access.
  • 21. RISKS TO IoT
    Risks to organizations and governments have risen with the emergence of widespread IoT. Security experts classify these risks into three categories, viz. Business Risk, Operational Risk and Technical Risk.
    Business risks encompass user privacy risk, brand image risk, compliance risk, financial risk, and Health & Safety risk. These risks affect businesses directly. Operational risks include various aspects like risk of degraded performance, access control and shadow usage risks.
    Technical risk is directly linked to the devices/sensors that comprise the IoT. With the aim of a shorter 'Time to Market', it is normal for security not to be given priority during the development phase of products. This results in a huge number of vulnerable devices being rolled out to consumers. Multiple security breaches have resulted from improper management of sensitive information and user privacy related to automation and digitization of devices.
    Security researchers say that 21% of DDoS (Distributed Denial of Service) attacks use devices from IoT instead of the conventional Botnet of computers and laptops. Such statistics highlight how difficult it is to keep devices secure as compared with conventional computers. Vulnerabilities that require a hardware upgrade to be fixed are the biggest challenge faced by device manufacturers.
    MITIGATION
    Governments and businesses must focus on securing the IoT environment by undertaking the following measures:
      • Perform Risk Assessment
      • Business Impact Analysis to understand the extent of the damage that can be caused
      • Set up cyber response and incident management teams
      • Incorporate stringent security measures in the SDLC (Software Development Life-Cycle) and during manufacturing of devices
      • Check complete paths for data flow between devices for loopholes leading to potential data exfiltration
      • Implement adaptive policies and procedures, and governance initiatives
      • Encrypt all data irrespective of whether in transit or stored
      • Gather cyber security intelligence to anticipate new attacks
      • Maintain a patch management system
      • Educate and make people aware as they are the weakest link in any secure environment
  • 22. 2017 IOT MALWARE ACTIVITY MORE THAN DOUBLED 2016 NUMBERS
    [Figure: IoT devices at risk: malicious programs target “the Internet of Things”, a timeline from 2008 to 2017 naming Hydra, Psybot, Tsunami, Gafgyt, Trojan.Linux.PNScan, Mirai and BrickerBot, each with a one-line description.]
    The number of new malware samples in the wild this year targeting connected Internet of Things (IoT) devices has already more than doubled last year's total. Currently, over 6 billion 'smart' devices exist globally. It was when the Mirai botnet emerged in 2016 that the whole world learned how dangerous such devices may become in the hands of cyber criminals. However, the history of malware attacking IoT devices began much earlier.
  • 23. Advanced Persistent Threats and Hacktivism Cyber-crime organizations and a new wave of activism
  • 24. Advanced Persistent Threats (APTs) lead to broadly four types of losses to victim organizations: technical costs, productivity loss costs, revenue costs and reputation loss costs. An Adelaide-based communications, metal detection and mining technology firm's experience provides an insight into the long term impacts of hacking on companies. Executives at the said company were unable to decipher the reason for a dip in sales and prices of their metal detectors till the service centers reported receiving faulty metal detectors with unrecognizable and inferior parts. With the Australian government not offering support, the company had to hire a private investigation firm in China for raiding counterfeit factories. Security researchers found that the attackers had managed to hack into an employee's laptop when he used a hotel's Wi-Fi during a business trip in China. The company's metal detector blueprints were exfiltrated to a Chinese manufacturing chain selling counterfeit detectors in Africa.
    [Figure: Advanced Persistent Threat (APT) lifecycle. Source: Varonis]
    APTs have made their presence felt with incidents involving Sony, Lockheed Martin, RSA, Google, Iran's nuclear facility and the like. APTs are advanced in the sense that they have the expertise and intelligence gathering techniques to target organizations and governments. They 'Persist' in the victim
  • 25. systems to extract as much intellectual property as possible. Financial theft is not usually the only objective. APTs operate below the radar and are difficult to detect. APTs, which are backed by criminal organizations or states, operate in the following phases: Social Engineering, Infiltration, Maintain Access, Data Exfiltration, and Cover Tracks.
    Hacktivism and Cyber Espionage incidents have shed light on the extent of sophistication that attackers have.
    HACKTIVISM
    The term 'Hacktivism' was coined by juxtaposing 'Hack' and 'Activism' by a group of hackers that use the internet for activism instead of the conventional banner wielding methods. Hacktivism has stemmed from the belief that all information on the internet should be free and accessible to all. It gained media attention during the WikiLeaks era by being at odds with organizations and governments over state sponsored censorship of the internet. The most common form of hacktivist attack is the DDoS (Distributed Denial of Service) attack, which bombards servers with millions of requests, making the servers go down. Such motives are a topic of debate, with some calling them criminal and others deeming them noble.
    RISKS
    APTs and Hacktivists pose an evolving threat to organizations and government agencies. Increased sophistication of Social Engineering and Spear Phishing coupled with insufficient Information Security procedures and practices elevates the risks for organizations globally. Security experts are predicting that the future will see the 'persistency' of APTs vanish to enable better stealth. In its place, 'Access-as-a-Service' of already breached systems for the highest bidder will gain prevalence. The threats are here to stay and will become more intelligent. Researchers have presented analysis which points at the fact that unemployment will only add to the growth of professional Hacktivist groups like 'Anonymous'. With the Indian population that is connected to the internet increasing at an exponential rate, hacktivism will gain ground in India. The young will realize the potential of promoting their message in cyberspace.
    MITIGATION
    Acknowledging the widespread presence of APTs and Hacktivism, along with the risks that they pose, is the first step to build resilience. The following steps must be taken to mitigate risks and to build resilience. Defense-in-Depth or multi-layered security controls are the need of the hour to protect against sophisticated attacks.
  • 26. LARGE ORGANIZATIONS AND GOVERNMENTS
      • A proper policy and governance framework must be formulated
      • Real-time email and content analysis, intrusion detection and prevention systems to gather intelligence and stop attacks faster
      • Pro-active patch management to fix vulnerabilities before hackers get to them
      • To reduce the impact of social engineering attacks, adhere to the 'Least privilege policy'
      • Security Information and Event Management (SIEM) systems should be in place
      • Understand that risks cannot be completely mitigated and that recovery plans must also be in place and tested on a regular basis
      • Appropriate data disposal policy
      • Media monitoring for hostile comments/views about your organization
    MEDIUM-SIZED ORGANIZATIONS
      • Protect information like Intellectual Property when in transit
      • Prefer multi-factor authentication to systems
      • Fraud risk management assessment and proper monitoring of logins from various geographically separated locations
      • Employ security professionals in your organization
      • Encrypt certain sensitive data in transit and when stored
      • Invest in cyber intelligence gathering so that proactive measures can be taken
    SMALL ORGANIZATIONS
      • Minimize the number of Internet connections and implement filtering of websites
      • Employ “whitelisting” to prevent programs from gaining unauthorized access to the network and other resources
  • 27. Smart Cities and Critical Infrastructure Emerging risks to smart cities and critical infrastructure in India
  • 28. SMART CITIES INDIA
    Following Moore's Law, computing and mobile devices are advancing technologically and are becoming smarter periodically. This phenomenon has led to the development of Smart Cities and eventually a Smarter Nation. India has a mission of developing 98 smart cities. The Roadmap is already in place and development activities are in full swing to achieve this mission.
    Industrial corridors created by smart cities between metropolitan cities will foster rapid business development leading to economic growth. Smart cities development will improve quality of living through local area development and by nurturing technologies that lead to smarter outcomes. The critical infrastructures of smart cities along with SMAC (Social media, Mobility, Analytics, Cloud) lay the foundation for essential and support services of these cities. Application of smart solutions will enable cities to use technology, information and data to improve infrastructure and services.
    THE CORE INFRASTRUCTURE ELEMENTS IN A SMART CITY WOULD INCLUDE (Source: Ministry of Housing and Urban Affairs, Government of India):
      • Adequate Water Supply
      • Assured Electricity Supply
      • Sanitation, including Solid Waste Management
      • Efficient Urban Mobility and Public Transport
      • Affordable Housing, especially for the Poor
      • Robust IT Connectivity and Digitalization
      • Health and Education
      • Sustainable Environment
      • Good Governance, especially E-governance and Citizen Participation
      • Safety and Security of Citizens, particularly Women, Children and the Elderly
    Smart cities have well networked and seamlessly interacting systems. Compromise of one system will leave the complete network vulnerable to failures, making it easy for attackers to gain control and sabotage the cyber ecosystem of cities. With
  • 29. IoT, the cyber landscape of Smart Cities broadens, comprising critical infrastructure, smart phones, headless devices, etc. The increasing attack surface makes it susceptible to invasion by viruses, malicious worms, malware and other threat vectors. With the increase in cyber-attacks and attack vectors, making smart cities cyber resilient will be a big challenge for nations.
    CYBER-ATTACK ON CRITICAL INFRASTRUCTURE
    In December 2015, Ukraine experienced a cyber-attack disabling its power stations, causing a blackout for several hours in the Ivano-Frankivsk region. 225,000 homes were affected in this attack. Attackers used malware to take down three power substations on the Ukrainian national grid. This attack was coupled with a DoS attack on phone systems, inhibiting the ability of users to report the blackout. The attack has highlighted the severity of damage caused by targeting critical infrastructure, highlighting it as the next potential target.
    Critical infrastructure like power grids, oil and gas, water, etc. is interconnected and controlled using ICT technologies these days. Cyber secure critical infrastructures act as enablers for growth and development of the business and economy of a nation. Modern societies are highly dependent on critical infrastructure that provides essential and supporting services. An attack on critical infrastructure will not only lead to system failures but will also have a cascading effect leading to damage or loss in terms of resources, money or human life. Data theft is not the motive of cyber-attacks on critical infrastructure, so they are usually state sponsored. But as the count of data thieves is quite high, we may see attacks leading to the sale of credentials of critical infrastructure, and cyber extortion.
    PROTECTING CRITICAL INFRASTRUCTURE AND SMART CITIES
      • Increasing cyber security awareness amongst Indian citizens and stakeholders of critical infrastructure by imparting training sessions, conducting awareness drives and campaigns.
      • Implementing ISO 22301 for minimising the impact of cyber-attacks on critical infrastructure on businesses.
      • Adapting and implementing international frameworks for improving critical infrastructure cyber security.
      • Developing laws and policy for protection of cyber and critical infrastructure of smart cities.
      • Coming up with internationally accepted security standards that will be integrated into existing and emerging devices during manufacturing. This integration will introduce the security aspect into devices, making them more cyber resilient.
  • 30.
      • Perform appropriate testing of devices and vulnerability assessment and penetration testing of ICT technologies used in building smart cities and critical infrastructure.
      • Development of dedicated government agencies taking responsibility for enforcing cyber laws and cyber security in smart cities and critical infrastructure implementation.
      • IoT will increase the sources of data and the amount of data flowing across smart cities. Big-data analytics can be applied for generating threat intelligence for risk mitigation and attack prediction.
  • 31. The Rise of State-Sponsored Attacks Malicious attacks on infrastructure networks
  • 32. Often, in spite of being aware of or capable of stopping cyber-attacks, countries turn a Nelson's eye since it meets their political objectives. These attacks are often politically motivated, targeted, sophisticated, well-funded and could be incredibly disruptive. Such attacks are used to acquire intelligence, obstruct the objectives of a political entity or even target electronic voting systems and manipulate public opinion. For example, during 2016, much of the news was dominated by reports of Russian agencies using cyber-attacks to extract information that could be used to influence the US presidential election.
    Last year, in June it was reported by the Washington Post that Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on presidential candidate Donald Trump. In December it was reported that Russian hackers tried to penetrate the computer networks of the Republican National Committee, using the same techniques that allowed them to infiltrate its Democratic counterpart. There are also isolated attacks on different nation states by the major players such as Russia, UK, North Korea, US.
    MITIGATION
      • Governments must ensure that their internal networks are isolated from the internet, and that extensive security checks are carried out on the staff, as given the level of sophistication, expertise and finance behind these attacks, they are difficult to protect against.
      • The staff of an organisation needs to be sufficiently trained to spot potential attacks.
      • Governments should avoid purchasing technology from untrusted sources.
    CYBERTERRORISM
    Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, to achieve political gains through intimidation. It is also sometimes considered an act of Internet terrorism where terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet by means of tools such as computer viruses, computer worms, phishing, and other malicious software and hardware methods and programming scripts.
  • 33. Cyberterrorism can cause massive damage to government systems, hospital records, and national security programs, which might leave a country, community or organization in turmoil and in fear of further attacks. For terrorists, cyber-based attacks have distinct advantages over physical attacks. They can be conducted remotely, anonymously, and relatively cheaply, and they do not require significant investment in weapons, explosives and personnel. The effects can be widespread and profound. Incidents of cyberterrorism are likely to increase. They will be conducted through denial of service attacks, malware, and other methods that are difficult to envision today.
    [Figure: Genesis and manifestation of cyber terrorism]
    - Target: Critical National Information Infrastructure computer system; critical infrastructure; civilian population
    - Motivation: political; ideological; social
    - Tools of attack: network warfare; psychological operation
    - Domain: cyberspace
    - Method of action: unlawful means
    - Impact: mass disruption of, or serious interference with, critical services operation; cause fear, death or bodily injury; severe economic loss
  • 34. [Figure: The distribution of cyber-attacks across cultural, social, economic and political motivations. Categories shown: politically motivated, socio-cultural motivation, economically motivated. Events plotted, in the order extracted: 1995, France, web attack; 1996, USA, DoJ, web attack; 1998, Indonesia, East Timor conflict; 1998, Mexico, Presidential website; 1999, Serbia, Kosovo war; 1999, Belgrade, Chinese embassy; 2001, USA/China, spy plane; 2003, USA, Titan Rain; 2008, USA/China strategic inf; 2009, USA, spies on electrical grid; 2009, China, GhostNet; 2008-09, China, IT professionals to cyber crime; 2009, E-crime survey; 2009, Ukraine, IT professionals to cyber crime; 2009, health records, Virginia, USA; 1999, CIH, Chernobyl virus; 2005, Indonesia/Malaysia, Ambalat; 2005, Korea/Japan, territorial conflict; 2008, Belarus/Eastern Europe, DoS attack; 2008, Israel/Palestine, conflict; 2009, April Fools Conficker worm; 1998, India, BARC; 1999, Germany, G8 summit; 1999, China/Taiwan, cyber conflict; 2000, India/Pakistan, Kashmir conflict; 2000, Israel/Palestine, Lucent Tech; 2001, Japan, Education Ministry website; 2001, China/Japan, Yasukuni shrine; 2007, Estonia/Russia, DoS attack; 2008, Russia/Georgia conflict; 2008, China/French embassy web.]
  • 35. Social, Mobile, Analytics, Cloud (SMAC) & BYOD: Surfacing trends, unfolding greater risks
  • 36. SMAC
    SMAC, or Social, Mobile, Analytics and Cloud Computing, is a platform that organizations are leveraging to drive innovation and gain competitive advantage. The combined power of all elements in SMAC enables businesses to gain customer insight, among other things. Retailers, for example, today get alerted by a tweet from a disgruntled customer. The current government is adopting SMAC platforms to aid in faster decision making and in connecting with the people to hear them out, as well as to make e-Governance initiatives more efficient.
    The tremendous surge in the data created and handled by social media, consumer behavior shifting to mobility, harnessing data using analytics and getting real-time information that can be leveraged through cloud has brought with it a plethora of cyber security risks. The bright side of dealing with these risks is that the technologies being used in SMAC are not new but only working together in sync.
    BYOD
    BYOD (Bring Your Own Device) has been gaining popularity because of benefits like lower costs to the organization, greater employee flexibility, and familiarity of technology. The employees are happy as they get to work on a familiar device. Organizations save not only on CAPEX but also on OPEX, as managing devices does not concern them. But at the same time, with insider threats growing in large numbers, Identity and Access Management (IAM) needs to be in place.
    Cyber risks arise with all the data associated with SMAC and BYOD. Social media helps in coordinating violent protests and also enables radical groups to bring terror globally. The Mumbai terror attacks of 2008 first highlighted the use of social media by terrorists for coordinating attacks. India is the second most targeted country for cyber-crimes via social media. In recent times, the nationwide shutdowns in April 2018 were extensively planned using social media. Rumour mongering has become a serious threat due to circulation of disruptive content on social media.
    RISKS
    Major risks revolving around BYOD are inadequately secured mobile devices, risks due to applications installed on the devices, and environmental risks, along with lack of awareness and carelessness. Considering the pace at which start-ups are mushrooming in India, there will be an increased use of BYOD initiatives.
  • 37. The analytics boom coupled with cloud, mobility and significant social media penetration will also ensure increased usage of SMAC platforms. Entry has become simpler with endless devices, particularly smartphones and wearable technologies, and less than aware consumers. It is imperative that the security aspect is taken care of before implementing BYOD and SMAC.
    MITIGATION
    SMAC:
    - It is good practice to define policies and procedures regarding the use of customer data, and to use that data only after formal consent.
    - A comprehensive security strategy that considers all four aspects of SMAC as a whole, instead of dealing with individual aspects, should be prepared and aligned with the business security and resilience plan.
    - Identity and Access Management along with strict access control should be a key component of the security strategy for SMAC.
    - Identifying the various users, devices and applications comprising SMAC for risk management, along with taking care of regulatory compliance, will go a long way in mitigating risks associated with SMAC platforms.
    - Public clouds have been under scrutiny because of doubts over their security; it is recommended that hybrid cloud be used, and that sensitive data preferably be stored on private cloud, to get the best of both worlds of cost and security.
    [Figure: Cyber security risks associated with BYOD. Source: The Ponemon Institute]
    - Data leakage / loss: 72%
    - Unauthorised access to company data and systems: 56%
    - Users download unsafe apps or content: 54%
    - Malware: 52%
    - Lost or stolen devices: 50%
    - Vulnerability exploits: 49%
    - Inability to control endpoint security: 48%
    - Ensuring security software is up to date: 39%
    - Compliance with regulations: 38%
    - Device management: 37%
    - Network attacks via Wi-Fi: 35%
    - Others / none: 4%
  • 38. BYOD:
    - Mobile Device Management systems must be used to keep track of the devices on the network, together with multi-factor authentication.
    - Removable media should be scanned as soon as a connection to the corporate network is established.
    - Promote regular updating, patching and device data encryption.
    - Infection and incident response systems should be in place to deal with an infection in the corporate network.
    - Generate awareness about permissions requested by applications on devices.
    - Implement security control frameworks like the ones given by NIST (National Institute of Standards and Technology).
  • 39. The Weakest Link: Humans. The weakest link in the security chain
  • 40. Call center employees of a US telecom service giant accessed information of more than 278,000 customer accounts without authorization in 2015, with losses amounting to $25 million. They got hold of PII (Personally Identifiable Information) that could be used to unlock the company's mobile phones. This information was given to third parties, who submitted 290,803 handset unlock requests via the online customer unlock request portal. Not only did the telecom giant suffer financial loss, but also reputation loss.
    An insider threat is any threat to an organization that originates from people who are associated with it and possess access to sensitive information, which can lead to fraud, cyber sabotage and theft. Risks arising from human actions can be either intentional or unintentional.
    India is no stranger to incidents involving insider threats. Hindustan Unilever Ltd (HUL) dragged three of its former employees to the Bombay High Court in April 2018 for allegedly stealing data related to manufacturing of its products and other confidential information.
    Intentional risks span from threat sources like layoffs leading to disgruntled employees, to the temptation of financial gain from selling intellectual property to the highest bidder. Unintentional risks are due to carelessness, lack of due diligence on the part of employees or plain human error. An external actor gains access to internal networks and data using credentials of legitimate users obtained by various social engineering techniques (single-stage/multi-stage attacks) or by buying compromised data off the 'Dark Web'.
    According to a Crowd Research Partners 2018 report on insider threats, 90% of organizations felt vulnerable to insider attacks. The top three risk factors enabling the insider threat vulnerability are excessive access privileges (37%), endpoint access (36%), and information technology complexity (35%).
    Many organizations tend to overestimate their defensive capabilities and underestimate the effectiveness of social engineering. Recent incidents indicate that social engineering and phishing attempts continue to succeed despite the awareness-generating initiatives undertaken by organizations.
    “No security solution is ultimately stronger than its weakest link”. With the growing trend of virtual organizations, hyper-connectivity and mobility, insider threats will only grow, as insiders believe that the probability of getting caught stealing information reduces when offsite.
  • 41. MITIGATION
    It is important to assess all possible threat sources leading to insider risks. Also, the management must understand and promote the fact that insider risk cannot be taken on by the information security vertical alone; it has to be a cross-functional process throughout the organization. The right way to go about mitigating insider threats is to prepare an insider threat program and implement controls before association, during employment and after termination of employment. Identifying the valuable assets of the organization and having a response and resilience plan are imperative, along with the Identity and Access Management program.
    PRE-EMPLOYMENT SCREENING
    - Proactive cyber security intelligence gathering for identifying threat sources in advance
    - Background screenings and reference cross-checking
    - Foster a risk-centric approach to the rising cyber security threats
    - Implement multi-factor authentication, as weak, stolen or default passwords continue to remain a major weak link in data theft.
    [Figure: Cyber dependency. Labels: national security, commerce, utilities management, governance & military, energy security, water security, food security, trade, social cohesion, supporting cyber technologies.]
  • 42. DURING EMPLOYMENT/ASSOCIATION
    - Integrate the threat management plan with business strategy and cyber security practices
    - Identify critical data and implement data protection instead of focusing too much on perimeter hardening
    - Hold regular cyber security awareness and training sessions, as most cases of insider risk are because of careless and/or untrained users
    - Make use of User Behavior Analytics (UBA), which involves detection of unusual activity by monitoring user actions, especially of those with elevated privileges and/or with access to sensitive data. Identification of risk-tolerant employees/partners can also be done
    - Virtual environments need to be stringently hardened, have a data leakage prevention practice, and block unapproved software
    - Implement the 'least-privilege policy' and grant permissions only on a need-to-know basis. Block root access to users
    - Include segregation of duties in every critical business process
    - Implement and regularly test a Business Continuity and Disaster Recovery plan
    AFTER TERMINATION
    - Reaffirm employee agreements at the time of departure
    - Increase monitoring of employees with impending departure
    - Get rid of means of access after departure by revoking access and disabling ex-employee accounts
  • 43. Cyber Supply Chain Security: How secure is your third party?
  • 44. CYBER ATTACKS VIA THIRD PARTY
    In late 2013, the Target data breach shocked the whole retail industry when the investigation revealed that a third party compromise or exposure can transmogrify a secure ecosystem of business into a vulnerable one. The data breaches at Home Depot and Boston Medical Center, and the PNI Photo hack that led to the compromise of online photo services at CVS, Costco and Sam's Club, are a few supporting examples. In March 2016, Amex notified cardholders that their account information may have been exposed after a third-party service provider suffered a data breach. Systems owned or controlled by Amex remained unaffected. Confidential customer data may have been disclosed regardless of all the security measures implemented by Amex. These attacks are eye-openers, illustrating the new course adopted by cyber criminals for attacking larger organizations by targeting trusted third-party vendors with fewer or no security controls. Furthermore, terrorist attacks on the supply chain have increased 16% year on year according to BSI's report on Terrorist Threats to International Trade and the Supply Chain.
    SUPPLY CHAIN AND OUTSOURCING
    Decades of advancement in technologies, the Internet, mobile devices and cloud computing, along with globalization, have revolutionized supply chain operations all over the world. Organizations can now overcome geographical boundaries and technological barriers and share large amounts of critical business data with just a few clicks. Today, the supply chain of a company can comprise suppliers and business partners located across the globe; along with environmental and operational risk, the increase in attack surface has made the supply chain prone to information and cyber risk.
    India has become the world's choice as an outsourcing destination, making India a hub of third party service providers offering a catalogue of IT and other services across the globe. Cloud services and third party providers are business enablers, empowering SMBs with platform and subscription services. Customers trade off ownership, control and insight over their data for the benefit of third party services, which makes these providers a source of cyber risk for their customers. The forecast shows a rising trend of outsourcing, which implies increased involvement of third parties in all businesses. The longer the chain of suppliers in a business, the more vulnerable it makes an organization associated with it to cyber-attacks.
  • 45. VENDOR IS THE WEAK LINK
    Third party vendors are the weakest link of any supply chain, and are exploited by attackers to get extensive access to the assets of the destined organization. Enterprises are more focused on securing their own networks, data and users. Many times, enterprises will have a vast network of suppliers and partners, made up of many smaller partners, which blurs the visibility of the complete supply chain from the cyber security perspective; these chains can be easier targets for attackers when the enterprise itself has implemented an in-house security program.
    FACEBOOK/CAMBRIDGE ANALYTICA DATA SCANDAL
    The recent admission of a data leak by Facebook turned out to be an eye-opener for users and governments. In March, a whistleblower came forward to say that Cambridge Analytica, a data-mining firm, allegedly improperly accessed Facebook user data through a third-party quiz app, and that it used that data to build psychological profiles to target voters with political ads.
    When a user installs a new app using Facebook, the app company gets access to the user's Facebook profile. According to reports, roughly 87 million people's personal information was accessible to Cambridge Analytica. If Cambridge Analytica was able to put certain ads into specific people's feeds, it could have influenced their political views on Facebook. The users were served (at times misleading) ads that related to issues they felt strongly about, and that were designed to provoke a reaction and a share. A probe has been launched to investigate the effects of this data leak.
    SECURING THE SUPPLY CHAIN
    With India becoming the hub of third party services and statistics indicating a rise in cyber-crime in India, it has become a necessity to ensure that supply chains in India are cyber secure, to ensure prominent business growth.
    Organizations need to implement the measures below to be resilient to cyber-attacks via third parties:
    - Use common machine language so that security teams and vendors can better communicate, measure, and improve their programs.
    - Make security controls a mandatory requirement for suppliers and require them to adhere to the same data handling processes and procedures as the organization.
    - Implement ISO 27001 and ISO 22301 for information security and BCP. Moreover, ensure compliance for continued focus on information security in the supplier relationship.
    - Implement standard BS 31111 to enable better decision making by providing essential guidance for executive management to manage their cyber risk and resilience.
  • 46. Cyber Supply Chain Security
    - Furthermore, comply with the upcoming General Data Protection Regulation (GDPR) standard.
    - Use frameworks provided by MITRE and the National Institute of Standards and Technology (NIST), which can measure operations and controls.
    - Conduct regular audits of third parties by external auditors to ensure compliance.
    - Have a well documented BCP and DRP to ensure continued business with minimum impact in case of cyber-attacks.
    - Ensure cyber insurance is in place to minimize the loss arising from a data breach due to third party compromises.
    - Gain clear insight into all the parties involved in the supply chain.
    - Develop a first line of defense by educating all users about information and cyber security risks.
    - Implement a vendor risk management and cyber risk management program.
    - Organizations can use big-data analytics and open-source technology with learning algorithms to identify discrete supplier risk events from across the internet and social media.
  • 47. [Figure: Supply chain attack, from the “ENISA Threat Landscape”. Source: European Union Agency for Network and Information Security. The figure relates numbered steps of the attack (1 to 5) to identified threat types. Threat types shown: phishing; identity theft; web application attack; web based attack; identity theft. Steps of the attack shown: phishing e-mail to developers of Chrome extensions; credential theft of Chrome developer account; Chrome extension tampering; Internet traffic manipulation & malvertising; CloudFlare accounts credential theft; compromised Chrome extension pushed to systems.]
  • 48. Adoption of more sophisticated security technologies: Can new technologies keep up with evolving risks?
  • 49. There are several new security technologies that are likely to see wider adoption in the next few years.
    BLOCKCHAIN
    A blockchain is a distributed ledger technology that allows digital information to be distributed but not copied. It was originally devised for the digital currency Bitcoin; the tech community eventually found other potential uses for the technology.
    Blockchain has the potential to improve data integrity and digital identities, and to enable safer IoT devices to prevent DDoS attacks. It offers a secure way to exchange any kind of goods, services, or transactions. Industrial growth increasingly depends on trusted partnerships, but increasing regulation, cybercrime and fraud are inhibiting expansion. To address these challenges, blockchain will enable more agile value chains, faster product innovations, closer customer relationships, and quicker integration with the IoT and cloud technology. Further, blockchain provides a lower cost of trade, with a trusted contract monitored without intervention from third parties who may not add direct value. It facilitates smart contracts, engagements, and agreements with inherent, robust cyber security features. The technology is likely to impact everyone from banking to power, education, healthcare, government and the public sector. It is likely to provide confidentiality, integrity, and availability, offering improved resilience, encryption, auditing, and transparency. Hence, companies are targeting a range of uses for blockchain technology, from medical records management, to decentralized access control, to identity management.
    [Figure: Three key benefits of using blockchain for IoT. Source: IBM infographic]
    - Build trust: build trust between parties and devices; reduce risk of collusion and tampering.
    - Reduce cost: reduce cost by removing overheads associated with middlemen and intermediaries.
    - Accelerate transactions: reduce settlement time from days to near instantaneous.
  • 50. REMOTE BROWSERS
    Remote browsers are a technology that allows a user to browse freely without exposing the corporate network. It achieves this by executing the code of a web page inside a secure virtual container, located between a user's device and the Internet. Files can be rendered remotely, but only a visual representation of the web content is sent to the user, and any malicious activity is confined to that container.
    So even if a naive user opens an infected email attachment, that malware has nowhere to go; it will never touch their machine. And at the end of each session, the disposable container is destroyed, along with any malicious content. Hence, it can be helpful for isolating a user's browsing session from the network/endpoints. By moving browsing off the endpoint device and off the corporate network, the impact of an attack is greatly reduced, and the exfiltration of potentially sensitive data can be prevented.
    DECEPTION TECHNOLOGIES
    Deception technologies imitate a company's critical assets and act as a trap for attackers looking to steal this data. Deceptions Technologies Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA). EDR can monitor endpoints and alert system admins of suspicious behavior, and NTA can be used to monitor network traffic to help determine the type, size, origin, destination and contents of data packets.
    SOPHISTICATED REAL-TIME CHANGE AUDITING SOLUTIONS
    This technology secures critical assets by detecting and responding to user privilege abuse and suspicious file/folder activity, based either on a single event alert or on a threshold condition. It can detect account modifications, deletions, inactive user accounts, privileged mailbox access and a lot more.
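    The two alert conditions named under real-time change auditing above (a single event alert and a threshold condition), as an added Python sketch that is not part of the whitepaper or of any product it describes. The event fields, the rule sets and the sample audit events are all constructed assumptions.

```python
"""Change-auditing alerts: single-event rules and sliding-window threshold rules."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime   # when the change happened
    user: str      # account that performed it
    action: str    # hypothetical action name, e.g. "file_delete"
    target: str    # object that was changed


# Assumed rule set: one occurrence of these actions is enough to alert.
SINGLE_EVENT_ACTIONS = {
    "account_delete",
    "account_modify",
    "privileged_mailbox_access",
}

# Assumed rule set: alert when one user performs `limit` actions within `window`.
THRESHOLD_RULES = {
    "file_delete": (5, timedelta(minutes=1)),
    "folder_permission_change": (3, timedelta(minutes=10)),
}


def detect(events):
    """Return alerts as (kind, user, action, timestamp) tuples in time order."""
    alerts = []
    recent = defaultdict(deque)  # (user, action) -> timestamps still in window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action in SINGLE_EVENT_ACTIONS:
            alerts.append(("single", ev.user, ev.action, ev.ts))
        rule = THRESHOLD_RULES.get(ev.action)
        if rule is None:
            continue
        limit, window = rule
        q = recent[(ev.user, ev.action)]
        q.append(ev.ts)
        # Drop timestamps that have aged out of the sliding window.
        while ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            alerts.append(("threshold", ev.user, ev.action, ev.ts))
            q.clear()  # re-arm: a further `limit` events are needed to alert again
    return alerts


# Constructed sample data, not taken from any real audit log.
BASE = datetime(2018, 5, 1, 9, 0, 0)


def _ev(offset_s, user, action, target):
    return AuditEvent(BASE + timedelta(seconds=offset_s), user, action, target)


SAMPLE_EVENTS = (
    # alice: six deletions in 25 seconds, which crosses the file_delete threshold
    [_ev(5 * i, "alice", "file_delete", f"/finance/q{i}.xlsx") for i in range(6)]
    # bob: five deletions spread over two minutes, never five inside one minute
    + [_ev(30 * i, "bob", "file_delete", f"/tmp/build{i}.log") for i in range(5)]
    + [
        _ev(600, "carol", "privileged_mailbox_access", "ceo@example.test"),
        _ev(660, "dave", "account_delete", "svc-backup"),
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    Clearing the window after a threshold alert keeps a sustained burst from raising one alert per event; the same number of deletions at a slower pace (bob in the sample) raises none.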
  • 51. Cyber Insurance: Transferring the financial aspect of cyber risk
  • 52. In India, according to IBM and Ponemon Institute reports, the costs of data breaches are hurting organizations significantly. Companies incurred INR 4,210 per employee in 2017 as compared to INR 3,704 in 2016, according to the 2017 Cost of Data Breach Study. Notably, there has been a significant increase in both first-party and third-party losses. The average total organizational cost of a data breach increased by 12.3% to INR 11 crore from INR 9.7 crore. The cost includes not only the financial loss incurred by companies but also the cost of managing a breach. The report identified malicious or criminal attacks as the most common root cause of a data breach, with 41% of companies experiencing this. As many as 33% attributed a breach to system glitches, while 26% involved employee or contractor negligence.
    With cybercrime enjoying a place in the top four economic crimes in the world, India does not lag in terms of financial losses arising due to cybercrime. According to reports by the Indian Computer Emergency Response Team (CERT-In), the numbers of cyber security incidents reported were: 44,679 in 2014, 49,455 in 2015, 50,362 in 2016 and over 53,000 in 2017. Threats reported include phishing attacks, website intrusions and defacements or damage to data, as well as ransomware attacks. India has seen its share of cyber-attacks leading to significant financial losses, with incidents like the recent defacement of the Defence Ministry's and Supreme Court's websites. All such cyber security breaches have a huge financial impact.
    Cyber risk can be mitigated by transferring a part of the risk, i.e. the financial risk, to an insurance provider. Many business leaders are unaware of this.
    BUILDING A CASE FOR CYBER INSURANCE
    The growing online presence of businesses brings with it the risks associated with the internet.
    The burgeoning e-commerce and logistics industry in India, the increasing presence of online/mobile banking facilities and government initiatives like 'Digital India' and 'Smart Cities', coupled with the rising sophistication of cyber-attacks, make a strong case for cyber insurance. Organizations in India have been slow to act on the increasing cyber risks by buying cyber insurance, with most policies being bought mainly by BPOs who have it as a mandate in their contracts with clients. The healthcare and hospitality sectors, with their sensitive data, have been the most neglected regarding cyber insurance. High premiums and several exclusions in the policy pose hurdles for the spread of cyber security. But the cyber insurance market has matured and is growing at a rapid pace, and is slated to grow to USD 7 billion by 2020.
  • 53. Different industries have different insurance requirements, so there needs to be a high degree of customization in the cyber insurance policy rather than the 'one-size-fits-all' approach adopted traditionally by insurance providers. Most organizations generally insure their assets and buy health cover for employees but neglect their cyber liabilities. It is highly recommended that cyber liability be covered too.
    BUYING CYBER INSURANCE
    It is important to note that buying a cyber insurance cover does not mean overlooking other aspects of the cyber security program. No risk can be completely mitigated and there is always a residual risk. Cyber insurance is bought to cover the financial losses incurred in case of an unlikely event where the organization's systems are breached even after a proper cyber security plan is in place. Exclusions are always in place which do not cover losses due to reputation loss, loss of future revenue arising due to reputation damage and losses incurred due to the reduced value of intellectual property. First-party coverage (covering the entity which was the victim of a cyber-breach) and third-party coverage (covering vendors and IT service providers) are included in most policies.
    Cyber insurance should be included in the risk management plans of organizations.
    It is not very easy to determine the amount of cover that an organization needs. Techniques like cyber modelling and benchmarking help in arriving at a figure. Modelling deals with extrapolating past data to predict the 'what, how frequently and to what extent' of cyber-attacks.
    [Figure: Key findings, cyber security survey. Source: EY Global Information Security Survey 2017-18]
    - 87% of respondents say they need up to 50% more cyber security budget.
    - 77% of respondents consider a careless member of staff as the most likely source of attack.
    - 48% do not have a Security Operations Centre, even though they are becoming increasingly common.
    - 36% of boards have sufficient cyber security knowledge for effective oversight of cyber risks.
    - 12% feel it is very likely they would detect a sophisticated cyber attack.
    - 63% of the organisations still keep cyber security reporting mostly within the IT function.
    - 57% do not have, or only have an informal, threat intelligence program.
    - 89% say their cyber security function does not fully meet their organisation's needs.
  • 54. A drawback of this technique is the scarce availability of data for predictions and the lack of understanding of the insurable and uninsurable assets of the organization. Benchmarking, as the name suggests, provides a baseline to work with. This baseline is arrived at by analyzing the amount of coverage similar-sized firms take in a similar industry. It is highly advised that a holistic approach is undertaken when determining the cover to be bought. The overall risk environment of the organization, industry-specific factors and future trends should be considered before buying cyber insurance.
    OUTLOOK
    Organizations in the USA purchase around 90% of the world's cyber insurance. The buying is set to spread across the world. The cyber insurance market is expected to grow to 7.5 billion USD in premiums by 2020. More stringent exclusions and conditions are expected to be included in the policy document. The cost of buying cyber insurance is not expected to fall, as the number of insurance providers is very small. Cyber insurance cover will be incorporated in the cyber resilience plans of an organization. It is imperative that organizations be aware of what they can potentially lose and to what extent these losses can be borne.
  • 55. Cyber Resilience Trends: New waves of fortification
  • 56. Cyberspace has emerged as a global common. It requires safe and secure navigation by nations for trade, commerce and communication. Therefore, cyber security has become imperative in every sense of the word, be it social, political, economic or military.
    India is an emerging economy with a lot of potential resources and a skilled workforce widely available for businesses to expand. ICT (Information and Communication Technologies) continues to find its place in all industries. Urbanization and digitization projects like Digital India, Aadhaar and Smart Cities by the Government of India are significant steps towards becoming a smarter nation. As a smarter nation, India would provide a high quality of living to its people, embrace technologies with smarter outcomes and ensure business sustainability. In coming years, the cyberspace of India would expand massively, touching many aspects of our lives. Expansion will bring in new risks and threats as a challenge for India in securing its cyberspace.
    India has made significant investments in creating organizations and their supporting structures to build cyber security capability, capacity and delivery mechanisms. India is ranked 23rd out of 165 nations in a 2017 global index that measures the commitment of nations across the world to cybersecurity.
    [Figure: How the government has been increasing its cyber defence. Source: Times of India. Dates shown: June 2016, March 2017, June 2017, Apr 2017, Sept 2017, Jan 2018. Events shown, in the order extracted: RBI announces frameworks of cyber security and banks; Ministry of Power announces setting up of 4 sectoral Computer Emergency Response Teams for power transmission and distribution; RBI releases IT framework for NBSC sector; IRDA releases guidelines on information and cyber security for insurers; SEBI releases note on cyber security and cyber resilience framework for registrars to issue / share transfer agents; UIDAI introduces 16-digit virtual ID to mask Aadhaar numbers; UIDAI announces it will introduce facial authentication for Aadhaar by June 2018.]
  • 57. However, the emerging threats have overtaken India's pace and scale of efforts. India therefore needs to review and re-boot its efforts to raise the cyber security bar to meet 21st century challenges. The following trends need to be addressed, in India, for it to become a cyber resilient nation.
LACK OF SKILLS
A lack of supply and increasing demand has made it impossible for companies to field the security programs which they need to defend their business. Furthermore, the skills shortage and inadequate numbers are having an impact on the existing cybersecurity workforce (i.e. overwhelming workload, limited time for training, etc.), processes (limited proactive planning, limited time to work with business units, etc.) and technology (limited time to customize or tune security controls, etc.). Notably, more than one million cyber security professionals are required in India by 2020.
COMPANIES ARE LIKELY TO BE HESITANT TO COMPLY WITH THE GDPR
The General Data Protection Regulation (GDPR) standard will be coming into effect on 25 May 2018. It consists of increased territorial scope, stricter consent laws and elevated rights for data subjects to name a few. However, as per the reports, many companies will choose not to comply, as they claim that the cost of compliance outweighs the risks.
CYBER DIPLOMACY
Cyber diplomacy refers to the use of diplomatic tools, and the diplomatic mindset, to resolve issues arising in cyberspace. Historically, diplomacy has happened in secrecy, behind closed doors. However, new communication technologies are making diplomacy more open and public. These technologies are creating opportunities for governments to interact effectively with the public, resulting in the cyberspace quickly becoming an arena for international diplomacy. Furthermore, it is not limited just to governments, the same could be carried out by non-state actors, including companies and NGOs.
  • 58. Initiatives to Build Consensus and Co-operation on Cyber Incidents:
The proliferation of e-commerce has led to an unprecedented spurt in cybercrimes and other malicious acts committed in and through cyberspace, with an estimated cost to the global economy of over USD 400 billion per year. The borderless nature of cyberspace makes it incumbent for all nations to cooperate for combating and preventing such acts, including information exchange between law enforcement, military, and technical groups. Thus, the consensus in approach while addressing incidents and other cooperative agreements between the parties can contribute greatly to global stability and increase trust in the e-business space. India can assist in developing specific mechanisms for improving cooperation to investigate and respond to cyber incidents and explore ways to contribute to overall trust building amongst the nations.
Confidence Building Measures for Strategic Stability and Setting Norms for State Behavior in Cyber Space:
The cyber space security is synonymous with survival and sustenance of society in terms of social, economic, political and military capability as the continued growth of cyber-attacks by malicious actors of all kinds have reached an intolerable point. This is coupled with far-reaching decisions being taken by military planners to build information weaponry. Stronger cybersecurity cooperation among major nations to deal with these threats is essential. While multilateral and multi-stakeholder bodies such as the United Nations Group of Governmental Experts (UN GGE) and others have made some progress on the development of norms of behavior and cybersecurity standards, practical cooperation and concrete agreement among nations is lagging. India should work towards building common understanding on potential norms of behavior in cyberspace.
Taking Prominent Role for Building Regional Co-operation Amongst ASEAN & BRICS Nations:
Countries across the globe including China, India and the United States are engaged in a variety of bilateral and regional security conferences separately, as well as jointly. Established regional forums, such as the BRICS and the ASEAN Security Forum can further provide an opportunity to increase cooperation on cyberspace issues and build trust. India should proactively participate to emerge as an opinion builder.
  • 59. Train 1,000,000 people in cyber security skill by 2020
  • 60. CYBER REGULATION
There has been a rapid increase in the use of the online environment where millions of users have access to internet resources and are providing content daily. As a result, countries across the world are drawing up regulations to address threats to cyberspace. The major area of concern where regulation is desirable is data protection and data privacy so that industry, public administrators, netizens, and academics can have confidence as online users.
In 2017, the US State Department passed the Cyber Diplomacy Act of 2017 bill. The bill recognizes the degree to which protecting security in cyberspace and promoting digital communications as a vital economic, social, and political bridge has become critical to the mission of the US government.
In India, the government has formed a ten-member committee under Justice B N Srikrishna to deliberate on a data protection framework for the country. The committee is to identify key data protection issues in India and recommend methods of addressing them. Meanwhile, Digital Information Security in Healthcare Act (DISHA) is proposed to secure digital health records. All medical institutions maintain reports that contain every minute detail such as diagnosis of the disease, and the treatment recommended including any prescriptions given to the patient. Every hospital is supposed to keep the record of the patients safe because it consists of sensitive personal information about the patient. To protect the data, DISHA provides tougher privacy and security measures for digital health data. With rapid changes and advancements in cyberspace, more such regulations are required to be drawn up.
ARTIFICIAL INTELLIGENCE IN CYBER SECURITY
The implementation of AI systems in cyber security can serve as a real turning point.
These systems come with several substantial benefits that will help prepare cybersecurity professionals for taking on cyber-attacks and safeguarding the enterprise. AI algorithms use Machine Learning (ML) to adapt over time which makes it easier to respond to cybersecurity risks. New generations of malware and cyber-attacks can be difficult to detect with conventional cybersecurity protocols. They evolve over time, so more dynamic approaches are necessary. Cybersecurity solutions that rely on ML use data from prior cyber-attacks to respond to newer but somewhat similar risk.
  • 61. Figure: TALENT-CENTRIC (1). Built on a foundation that makes cyber security everyone's responsibility:
    • Talent management
    • Board and 3 LOD roles and responsibilities
    • Risk and security culture
    • Training & awareness
Figure labels: Organisations Objectives, Organisations Outcomes
Another great benefit of AI systems in cybersecurity is that they will free up an enormous amount of time for tech employees. AI is most commonly used to detect simple threats and attacks. Given that the simplest attacks usually have the simplest solutions, the systems are also likely to be able to remedy the situation on their own.
Another way AI systems can help is by categorizing attacks based on threat level. When deep machine learning principles are incorporated into systems, they can adapt over time, giving a dynamic edge over cyber terrorists.
AI systems that directly handle threats on their own do so according to a standardized procedure or playbook. Rather than the variability (and ultimately inaccuracy) that comes with a human touch, AI systems don't make mistakes in performing their function. As such, each threat is responded to in the most effective and appropriate way.
Cyber attacks are becoming more common, more sophisticated, and more impactful. However, AI systems can help address some of those problems and ultimately give business an advantage when facing a cyber-attack.
  • 63. Recommendations
India needs to recognize and align to the transformative, disruptive and game-changing role of cyber security to majorly drive the 21st-century global economies, military doctrines, demographic preferences of societies and even the political influences. Hence, development of Work Force, Research & Technology, Infrastructure and Policy is required for Building National Cyber Security Capability.
WORK FORCE DEVELOPMENT:
    • Develop workforce as an enabling national asset to meet domestic as well as global security market needs.
    • Educating employees regarding cybersecurity will make them the first line of defense for any industry and nation.
    • Mandate universities/ colleges to offer education in ICT Security at graduate, postgraduate and Ph.D. levels.
    • Foster extensive collaboration with overseas universities for faculty and course contents.
    • Foster global research and technology collaborations. Integrate Cyber Security & ICT Work Force and position globally.
    • Build regional security innovation hubs for global clients.
    • Mandate creation of independent cadre alongside ICT Jobs, develop best practices to recruit and retain professionals.
    • Build National Skill Registry for Cyber Security.
Figure: Improving national cyber security capability (Work Force Development, Technology, Infrastructure, Policy)
  • 64. RESEARCH AND TECHNOLOGY:
    • Develop science of Cyber Security at schools and colleges through specialized capsules and by amending the core curriculum.
    • Develop and mandate university-led research & innovation.
    • Promote and support the use of next-generation cybersecurity technologies.
    • Develop a national initiative for the indigenous development of core security technologies, platforms & solutions.
    • Build experiments and exercises, pilot projects to support wider participation in cyber security exercises.
    • Promote IP building in security under a national initiative.
    • Promote private sector R&D.
INFRASTRUCTURE:
    • Mandate development and/ or adoption of globally recognized security standards, frameworks and platforms, and guidelines.
    • Establish laboratories, Centers of Excellence (COEs) aligned to institutes/ universities, industry and professional end user agencies.
    • Mandate creation of cyber security testing, certification & clearing houses. A national cyber test facility providing for network emulation, monitoring and audit, vulnerability analysis, simulated attacks, graduated response, performance analysis, and security assurance modeling.
    • Mandate creation of strong legal & regulatory framework for cyber related issues.
    • New agencies and law firms would evolve for providing cyber security legal services in India and as a service to the world.
    • Mandate creation of Regional Security R&D & Innovation Hubs comprising security industry clusters, R&D centers and academic institutions.
    • Create Cyber Security industry clusters trained in high end security products & solutions.
    • Foster extensive overseas collaborations through alliances, partnerships and joint ventures.
    • Allow 100% FDI in critical technology areas of ICT security such as Technologies & Products Development, Large Systems Engineering & Integration etc.
POLICY FOR ENABLING ECOSYSTEM
    • There is a need to understand and address gaps such as incoherent, silo driven, inadequate focus to understand volume and complexity of full spectrum cyber security, and its
  • 65. impact on national security.
    • Create a common body of knowledge for Cyber Security including cyber warfare.
    • Build cyber security savvy leadership, subject matter experts, solution architects and system engineers to address the inadequate comprehension of lack of cyber security capability and its bearing on national security including the military dimension.
    • Foster system strategic thinking, at national scale about cyber warfare and build operational requirements, articulate and validate cyber doctrine.
    • Create strategic level focus on program blueprint, stakeholder agreement, resource allocation, funding priority and allocation, policy issues, thought leadership building, training in security systems engineering.
    • Create Program Execution Levers through investments in system engineering expertise, and system integration facilities.
    • Indian diaspora and IT industry could be leveraged for building global scale cyber security capability.
    • Government needs to make security technologies attractive for the private sector to invest in capability building.
  • 66. MitKat Advisory Services Private Limited
511 Ascot Center, Near Hilton Hotel, Andheri (E), Mumbai – 400 099
T (Mumbai): +91 22 2839 1243 | T (Gurgaon): +91 124 455 9200 | T (Singapore): +65 8171 7554
E: contact@mitkatadvisory.com | W: www.mitkatadvisory.com
The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering industry, Government, and civil society, through advisory and consultative processes. CII is a non-government, not-for-profit, industry-led and industry-managed organization, playing a proactive role in India's development process. Founded in 1895, India's premier business association has over 8000 members, from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 200,000 enterprises from around 240 national and regional sectoral industry bodies.
CII charts change by working closely with Government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialized services and strategic global linkages. It also provides a platform for consensus-building and networking on key issues. Extending its agenda beyond business, CII assists industry to identify and execute corporate citizenship programmes. Partnerships with civil society organizations carry forward corporate initiatives for integrated and inclusive development across diverse domains including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women, and water, to name a few.
The CII theme for 2016-17, Building National Competitiveness, emphasizes Industry's role in partnering Government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal.
The focus is on six key enablers: Human Development; Corporate Integrity and Good Citizenship; Ease of Doing Business; Innovation and Technical Capability; Sustainability; and Integration with the World. With 66 offices, including 9 Centres of Excellence, in India, and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, UK, and USA, as well as institutional partnerships with 320 counterpart organizations in 106 countries, CII serves as a reference point for Indian industry and the international business community.
About CII: Confederation of Indian Industry, The Mantosh Sondhi Centre, 23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000 / 24629994-7 | F: 91 11 24626149 | E: info@cii.in | W: www.cii.in
MitKat Advisory is a global provider of integrated security and risk mitigation solutions and services. MitKat works collaboratively with leading global corporations, government and non-government organizations to protect people, assets, information and reputation. MitKat's team consists of best-in-class consultants from diverse backgrounds. For details, kindly visit www.mitkatadvisory.com
MitKat has offices in Delhi NCR, Mumbai, Bengaluru and Singapore, and through its network of partners, delivers operational support and risk management services across Asia and Africa. MitKat's services include:
    • Information security and business continuity advisory
    • Managed security services
    • IT security consulting and implementation assistance
    • Physical security and safety consulting & design
    • Threat Intelligence and travel risk management
    • Business Intelligence, due diligence and integrity risk management
    • Operational support and embedded security services
    • Women's safety and empowerment
    • Skills & entrepreneurship development and CSR advisory
MitKat is technology and vendor-agnostic and is able to offer impartial and unbiased advice to its clients to design 'fit-for-purpose' and 'best value' solutions to suit their specific business and operational needs.
MitKat is an equal opportunities employer and committed to highest standards of integrity, ethics, governance and compliance.