By A.K. Vishwanathan, Senior Director – Enterprise Risk Services, Deloitte India
Vis is a Chartered Accountant, holds the Certified in Risk and Information Systems Control (CRISC) credential and is a member of ISACA (Information Systems Audit and Control Association).
He has advised large organisations on information security and controls, and has led risk consulting engagements in complex environments and regulated industries, specifically banking and financial services, telecom, manufacturing, oil and gas, pharma and life sciences, and the government sector.
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept19'14)
1. In association with Presented by Supported by
GLOBAL CYBER SECURITY OUTLOOK
A.K. Vishwanathan, Senior Director – Enterprise Risk Services, Deloitte India
SEPT 19, 2014 Hotel Digital Security Seminar
2. A.K. Vishwanathan
By X Events Hospitality (www.x-events.in)
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
3. Agenda
• Current state
• Case study
• Solutions
• Way forward
4. Current state
5. Recent trends in India
• Over 35% of Indian organizations across various sectors have engaged in corporate espionage.
• Nearly 14,000 websites were hacked by cyber criminals up to October 2012, an increase of nearly 57% from 2009.
• 81% of CXOs in these sectors indicate an increase in information security spending over the coming few years.
• The website of the Indian Embassy in Tunisia was hacked, in retaliation for the terrorist attack on Karachi Airport in June 2014, by a group calling itself "Hunt3R".
Chart: Number of cyber crimes registered under the IT Act, 2008–2013 (Source: NCRB, National Crime Records Bureau)
6. Key information security challenges – Pain areas
The following are the key information security challenges facing major organizations in India:
01 Cyber Spying – Illegal interception of government data by foreign countries. The NSA has been alleged to have planted bugs in the Indian embassy in Washington DC.
02 Virus and Trojans – Infection of government IT systems with malware that gives control to the attackers. Government of India IT systems were infected by the Conficker worm in 2008, causing multiple crashes and downtime.
03 Data Theft – Insecure storage of GOI data leading to unauthorized access by hackers and spies. In 2010, alleged Chinese hackers broke into GOI systems to access National Security Council data.
04 Cyber Terrorism – Hacktivism attacks on GOI websites leading to reputational damage. Hackers from multiple foreign countries were responsible for hacking GOI websites.
05 Phishing & Identity Theft – Phishing attacks targeted at GOI employees to steal identities and data. The GhostNet attacks on Indian government employees were conducted through spear phishing.
Each challenge is mapped against the CIA triad:
Confidentiality: sensitive content and privacy of data
Integrity: unauthorized modification of data
Availability: redundancy at multiple points in the IT infrastructure to prevent a single point of failure
Source: Times of India
7. Understanding cyber threats
The modern cyber threat landscape has evolved over the years. Applications and IT infrastructure are the core pillars of today's business; securing that core secures the business.
1 Actors with differing motives and sophistication, often colluding with each other
2 Organizational boundaries have disappeared: anytime, anyhow, anywhere computing
3 Attacks exploit the weakest link in the value / supply chain
4 Data is money: the criminal underground makes for easy monetization. Criminals pilfer PII data for identity theft, leading to potential damage to customers.
5 Traditional controls are necessary but not adequate
6 Regulators and government are key stakeholders with ever-increasing focus. The National Cyber Security Policy has been formulated with a focus on capability building at the national level.
Business impact of a breach:
• Confidentiality: loss of PII data, customer data, and sensitive and confidential company data. Losses resulting from leakage of backend customer data will impact customers' trust in the brand.
• Availability: availability of the organization's information is crucial, and its loss could impact critical business functions.
• Integrity: a breach of integrity could result in a complete breakdown of trust in the organization. Brand reputation is badly affected, leading to loss of revenue.
8. Industry view – Indian sector view
Sensitive information handled (internal strategic & customer confidential):
Hotels
• Visitor name, address, contact details, unique identification numbers or documents: passport, PAN card, driving licence, credit card, etc.
• Hotel billing details such as billing and payments, outstanding bills, etc.
• Number of rooms occupied/vacant, pre-booked rooms, etc.
• Vendor/supplier details, contract details, outstanding payment details
Airlines
• Passenger name, contact details, passport, visa details, etc.
• Flight details such as number of passengers and crew, passenger and crew personal details, city and time of departure and arrival, etc.
• Operational flight details such as flight status, flight maintenance details, etc.
Travel & Tourism
• Tourists' name, address, contact details and unique identification numbers or documents
• Tourist travel details such as mode of travel, destination city, duration of stay and accommodation details
• List of strategic tie-ups and related financial records with the organization
9. Industry view – Indian sector view
Concerns
Hotels
• Absence of security compliance for information-related controls
• Compliance controls based on quality controls only
Airlines
• Regulatory compliance in terms of financial or business controls
• Absence of security compliance for information-related controls
Travel & Tourism
• Absence of security compliance for information-related controls
• Compliance controls based on quality controls only
Security initiatives in the HATT sector
• Regulatory implications drive the security approach. Initiatives are taken by management to drive security in the organization.
• Absence of regulatory requirements provides ground for laxity in security initiatives within the organization.
10. Paradigm shift: Info security mgt.
Key questions to consider:
Strategically …
• Do you have a cyber security strategy, including a clear cyber governance framework?
• How are you evaluating and managing cyber risk?
• Is the existing risk framework adequate to address the changing threat landscape?
• How structured and well-tested are your existing incident response and crisis management capabilities?
And tactically …
• What is leaving our network, and where is it going?
• Who is really logging into our network, and from where?
• What information are we making available to a cyber adversary?
11. Case study
12. Operation Hangover
Attackers of unknown origin recently conducted a large hacking operation against multiple companies from servers hosted in India.
1 Target employee in the victim company: the attacker crafts a malicious PDF attachment and sends it to an unsuspecting, unaware foreign government employee. The malware is signed using certificates purchased by a company in New Delhi, India.
2 The user's machine is infected with malware that acts as a backdoor. The attacker pivots from that system to conduct further attacks inside the network.
3 Server hosted in India: all data stolen from the company is stored on a server hosted in India, under domain names similar to those of large Indian e-commerce sites. Operational security measures of this kind indicate an attempt by the attackers to hide the operation in plain sight.
Source: Norman ASA
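The look-alike domain trick in step 3, and the tactical question on slide 10 ("What is leaving our network and where is it going?"), are both answerable from ordinary web-proxy logs. The Python script below is an added example written for this page; it is not code from the presentation, from Deloitte or from Norman ASA. It parses a small constructed proxy-log sample (assumed line format: timestamp, client IP, method, host, HTTP status, bytes sent by the client), reduces each host to its registered domain, compares it against an illustrative list of protected brand domains (not taken from the deck) using an edit-distance threshold, and aggregates bytes sent per client and imitation domain so the noisiest exfiltration candidates come first.

```python
"""Flag outbound traffic to look-alike brand domains in web-proxy logs."""
from __future__ import annotations

import re
from collections import defaultdict

# Brand domains an attacker might imitate. Illustrative list chosen for this
# example; it is not taken from the presentation.
PROTECTED_DOMAINS = ["flipkart.com", "snapdeal.com", "amazon.in", "makemytrip.com"]

# Constructed sample proxy log (not real traffic). Assumed line format:
# <timestamp> <client_ip> <method> <host> <http_status> <bytes_sent_by_client>
SAMPLE_LOG = """\
2014-09-19T10:01:02 10.0.5.21 GET www.flipkart.com 200 412
2014-09-19T10:02:17 10.0.5.21 POST flipkrat.com 200 1048576
2014-09-19T10:02:45 10.0.5.21 POST flipkrat.com 200 2097152
2014-09-19T10:03:10 10.0.7.9 GET amazon.in 200 812
2014-09-19T10:05:40 10.0.5.21 POST snapdeaI.com 200 524288
2014-09-19T10:06:01 10.0.9.3 GET makemytrip.com 200 2300
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\d+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Reduce a host name to its last two labels. Assumption: no public-suffix
    list is used, so 'shop.example.co.in' becomes 'co.in'; fine for this sample."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, protected=PROTECTED_DOMAINS, max_distance: int = 2):
    """Return the protected domain that `host` imitates, or None.

    The real brand (and any subdomain of it) is never flagged. Only the label
    left of the TLD is compared, so 'amazon.co' is flagged as imitating
    'amazon.in' (a wrong-TLD squat) while unrelated hosts stay over threshold.
    """
    domain = registered_domain(host)
    if domain in protected:
        return None
    best = None
    for brand in protected:
        d = levenshtein(domain.split(".")[0], brand.split(".")[0])
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, brand)
    return best[1] if best else None


def scan(log_text: str, protected=PROTECTED_DOMAINS) -> list[dict]:
    """Aggregate requests and bytes sent per (client, look-alike host), largest
    byte count first. Malformed lines are skipped so one bad record cannot
    abort the sweep."""
    totals = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, host, _status, nbytes = m.groups()
        host = host.lower()  # also folds the capital-I homoglyph in the sample
        brand = lookalike_of(host, protected)
        if brand is None:
            continue
        entry = totals[(client, host, brand)]
        entry["requests"] += 1
        entry["bytes_out"] += int(nbytes)
    findings = [{"client": c, "host": h, "imitates": b, **v}
                for (c, h, b), v in totals.items()]
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} (looks like {f['imitates']}): "
              f"{f['requests']} requests, {f['bytes_out']} bytes out")
```

Tune max_distance to the length of your brand names: a distance of 2 is too permissive for four-letter brands, and a proper public-suffix list should replace the two-label registered_domain() before running this over real logs.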
13. Leading hotel chain in the USA
A leading US hotel chain was breached by hackers between 2009 and 2010, resulting in the theft of 700,000 customers' information. It was breached three times in that period, during which this information was siphoned out.
Key security flaws (as per the FTC report):
1 Absence of firewalls
2 Default usernames and passwords
3 Weak access controls for remote sites
4 Failure to conduct regular reviews
Implications:
• The FTC sued the organization over the loss of customer information
• The organization's attempt to have the case dismissed failed
• Investigations proved major non-compliance with PCI DSS requirements at the organization's locations
• USD 10.6 million was the estimated cost of the data breach
Source: Media reports
14. Hospitality industry
Hospitality, airline and tourism businesses depend on extensive branding and marketing efforts to sell their services. Any impact on their IT infrastructure, websites or data that gets published in the media has a direct effect on their revenue and core business sales.
Leading airline in the US
Incident
• The airline's vendors were breached by hackers, leading to disclosure of internal employee information and customer information.
• The data breach was investigated, but without a conclusive root cause analysis.
Impact
• Multiple news reports on the data breach were published, leading to branding and reputational risks for the airline.
It takes businesses an average of 156 days to realize that a breach has occurred (Trustwave).
43% of CXOs report that negligent insiders are the source of the majority of breaches (IBM).
Source: Media reports
15. Way Forward
16. Cyber security mgt: Methodology
17. Cyber security: Maturity model
Figure: Cyber Security Maturity Levels – Level 1 Blissful Ignorance, Level 2 Basic Network Protection, Level 3 Proactive Threat Management, Level 4 Operational Excellence, Level 5 Transformation – plotted against ten capability areas. Practices shown on the grid, grouped by capability area:
• Brand Monitoring: Basic Online Brand Monitoring; Online Brand & Social Media Policing
• E-Discovery & Forensics: Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics
• Intelligence Collaboration: Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing
• External Threat Intelligence: Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence
• Behavioural Analytics: Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support
• Training & Awareness: General Information Security Training & Awareness; Situational Awareness of Cyber Threats; Targeted Intelligence-Based Cyber Security Awareness; Business Partner Cyber Security Awareness
• Cyber Attack Preparation: IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises
• Asset Protection: Traditional Signature-Based Security Controls; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates
• Security Event Monitoring: Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; Cross-Channel Malicious Activity Detection; External & Internal Threat Intelligence Correlation; Tailored & Integrated Business Process Monitoring
• Internal Threat Intelligence: Acceptable Usage Policy; IT Service Desk & Whistleblowing; Periodic IT Asset Vulnerability Assessments; Automated IT Asset Vulnerability Monitoring; Targeted Cross-Platform User Activity Monitoring
18. Way forward: Cyber security v2.0
A forward-looking approach to developing your organization's cyber security capabilities is needed to ensure ongoing cyber threat mitigation and incident response.
19. About us
HATT is India's young, premium community for CXOs from the Hospitality, Healthcare, Aviation, Travel and Tourism industries.
o With over 1,000 members across India, we are now poised to expand globally, with a presence in South East Asia and the Middle East by 2016.
www.hattforum.com
FB/hattforum
X Events manages & supports events exclusively for the hospitality & travel industries.
o Our USP is that we are hoteliers by training. We focus on the two most important aspects of an event: content quality and impact.
o We do it because we believe in it.
www.x-events.in
20. Our host – Brian Pereira
Brian is a veteran technology journalist with two decades of experience. He has served as editor of two magazines: CHIP and InformationWeek India. He is a respected speaker & host at conferences worldwide.
In his current role at Hannover Milano Fairs India, Brian serves as project head for CeBIT Global Conferences, the world's largest ICT fair, which will debut in India this November in Bangalore.
21. The seminar schedule
Five expert speakers
1. Latest threats in digital security (worms, attacks, viruses, flaws) – Santosh Satam, CEO, SecurBay Services
2. The immediate action needed to tighten up (priority list, cost, internal policies) – Ambarish Deshpande, MD – India & SAARC, Blue Coat
3. Information loss prevention (principles & practices) – Geet Lulla, VP – India & ME, Seclore
4. How to build a business case & get the management's attention – Dhananjay Rokde, CISO, Cox & Kings Group
5. Global cyber security outlook – A. K. Viswanathan, Senior Director – Enterprise Risk Services, Deloitte India
22. Our sponsors & supporters
Thank You
23. HOTEL DIGITAL SECURITY SEMINAR
SEPT 19, 2014 www.x-events.in