Sunday Observer Online


Sunday, 12 June 2016






Threats to cyber security, a major worry for businesses

Ninety percent of attacks linked to inside users:

It is important to implement better security measures within organisations by hiring the right experts, training staff, implementing a Data Loss Prevention (DLP) solution and promoting cyber security awareness, says Director/CEO of CICRA Holdings, Boshan Dayaratne, referring to the recent cyber attacks suffered by several South Asian banks.

"If you're an organisation, big or small, it's no longer a matter of whether you will be hacked, it's about when," he said.


Talking about the recent hacker attacks against Asian banks he said, apparently, data belonging to five South Asian banks were posted online on May 10, by a Turkish hacking group called 'Bozkurtlar'.

"It is said to be the same group that recently leaked data tied to Qatar National Bank and UAE's Invest Bank. This is not a good sign. So far there are no reports on what type of data has been exposed or leaked. However, the objective of an attacker who breaches the security of a bank is usually based on monetary terms.

The full extent of the damage has not been realised yet. According to some local news reports, it looks like a Sri Lankan bank was hacked as well," he said.

Dayaratne talks on some of the issues in connection with cyber security.

What are the internal threats?

These could be malicious insiders or the unwitting users. It may sound like a cliché but users are in fact the weakest link.

This is why awareness training on end-users is important. Your organisation may have expensive security controls and branded products but if the end-user is not security conscious then your system is in jeopardy.

For instance, a careless end-user can accidentally download an app, whether it be a game or some sort of service which is malicious and spread the malware to the entire network.

Or they could give in to phishing emails - these are malicious emails which are carefully crafted to look like they are from a social media provider, email provider, PayPal or something that the user has an account with. Such emails can lead unwitting users to several other sites that can infect their machines with various viruses.

Studies related to security threat actors have shown that 90% of the attacks are somehow linked to an inside user; whether they are deliberately letting information out or being socially engineered like I mentioned before. This means, if an organisation is taking good precautions to prevent external threats yet neglects the insider threats, then the risk is still huge.

What can be done to manage insider threats?


The best solution would be Data Loss Prevention (DLP) where the insider information transfers are monitored and leakage is prevented.

For example, people can disguise themselves as 'trusted parties' and come into your organisation and ask for data.

There could be disgruntled employees who may copy internal data and send it off to a third party or post it online. There could also be employees who are planning to leave the organisation or resign, let's say to a competitor and take internal documents and data to the next company.

So there should be a method in place to prevent such leakage of information by internal parties.

Can you comment on Incident Response capabilities in Sri Lanka?

Incident Response is taking control of a cyber situation as and when it occurs. I would say that people in South Asia in general take a more reactive approach than a proactive approach. For the past three to four years we have taken great interest in educating organisations in cyber security.

But most of the time, organisations make decisions by looking at what went wrong within the past year and if they found that nothing had happened - or if something had happened that they were aware of - they would put off the security budget to the following year.

This mentality poses a serious threat to the security of the organisation, its clients and stakeholders. When a cyber attack occurs, it's not easy to quantify that damage. True, a certain (huge) amount of money will be lost but that's not all, the goodwill and trust people have placed in the organisation will be gone as well.

However, it's worth noting that there are qualified professionals in Sri Lanka who can get involved in security. CICRA itself has over 700 alumni - over 250 of them are qualified in EC-Council's Certified Ethical Hacker (C|EH) and over 70 are qualified in Certified Hacking Forensic Investigator (C|HFI) courses.

What administrative measures do you think are necessary to mitigate such attacks in future?

I think information sharing procedures should be in place. If a company is attacked, there should be some regulation to have them reveal the attack so that other organisations will be more careful. Nobody is going to benefit by keeping it under the carpet.

Let's say a bank was hacked, the details need to be shared at least with the rest of the banks so they can learn from the incident - learn from the mistakes of another in the industry. It needs a collaborative approach to defend against cyber crime as it's real and happens before our eyes.

What are some of the fundamental reasons for cyber attacks?

I think the lack of security training, inefficiencies of IT security personnel and lack of awareness are at the top.

Also, software developers need to take security seriously; they should not wait until the product is developed to test it for security or hand over products that haven't been security tested. I've seen many software developers who opt to hand over untested software in the face of time constraints.

This can affect the client organisation in the long run - the way things are going now it wouldn't even be a long run.

In most of the security tests that we have conducted we have seen very basic coding errors, where not even the fundamentals of security were taken into consideration.

Next, I hardly see the position of Chief Information Security Officer (CISO) in organisations. The information security personnel usually report to the head of IT and that is not very efficient, they should be reporting to the CISO or Security Risk Officer.

A significant impact can be made by investing in a Security Operations Centre (SOC) where you can analyse trends and patterns of threats that target certain countries, industries or individual organisations.

Currently, we have started developing a SOC at CICRA. The biggest problem in a SOC is that it's very expensive and not many organisations can invest in a SOC of their own.

What we're doing now is developing a SOC in such a way that we can give plug-ins to any company that is interested. This would allow many organisations out there to leverage our resources to protect their information assets. They will receive the services just as they would if they invested in a SOC, but at a far lower cost. For this initiative, we will be getting the best of local and international expertise.





Produced by Lake House Copyright © 2016 The Associated Newspapers of Ceylon Ltd.
