Threats to cyber security, a major worry for businesses
Ninety percent of attacks linked to inside users:
It is important to implement better security measures within
organisations by hiring the right experts, training staff, implementing
a Data Loss Prevention (DLP) solution and promoting cyber security
awareness, says Director/CEO of CICRA Holdings, Boshan Dayaratne
referring to the recent cyber attacks suffered by several South Asian
"If you're an organisation, big or small, it's no longer a matter of
whether you will be hacked, it's about when," he said.
Talking about the recent hacker attacks against Asian banks he said,
apparently, data belonging to five South Asian banks were posted online
on May 10, by a Turkish hacking group called 'Bozkurtlar'.
"It is said to be the same group that recently leaked data tied to
Qatar National Bank and UAE's Invest Bank. This is not a good sign. So
far there are no reports on what type of data has been exposed or
leaked. However, the objective of an attacker who breaches the security
of a bank is usually based on monetary terms.
The full extent of the damage has not been realised yet. According to
some local news reports, it looks like a Sri Lankan bank was hacked as
well," he said.
Dayaratne talks about some of the issues in connection with cyber
What are the internal threats?
These could be malicious insiders or the unwitting users. It may
sound like a cliché but users are in fact the weakest link.
This is why awareness training for end-users is important. Your
organisation may have expensive security controls and branded products
but if the end-user is not security conscious then your system is in
For instance, a careless end-user can accidentally download an app,
whether it be a game or some sort of service, which is malicious and
spreads the malware to the entire network.
Or they could give in to phishing emails - these are malicious emails
which are carefully crafted to look like they are from a social media
provider, email provider, PayPal or something that the user has an
account with. Such emails can lead the unwitting users to several other
sites that can infect their machines with various viruses.
Studies related to security threat actors have shown that 90% of the
attacks are somehow linked to an inside user, whether they are
deliberately letting information out or being socially engineered as I
mentioned before. This means that if an organisation is taking good
precautions to prevent external threats yet neglects the insider threats,
then the risk is still huge.
What can be done to manage insider threats?
The best solution would be Data Loss Prevention (DLP) where the
insider information transfers are monitored and leakage is prevented.
For example, people can disguise themselves as 'trusted parties' and
come into your organisation and ask for data.
There could be disgruntled employees who may copy internal data and
send it off to a third party or post it online. There could also be
employees who are planning to leave the organisation or resign, let's
say to a competitor, and take internal documents and data to the next
So there should be a method in place to prevent such leakage of
information by internal parties.
Can you comment on Incident Response capabilities in Sri Lanka?
Incident Response is taking control of a cyber situation as and when
it occurs. I would say that people in South Asia in general take a more
reactive approach than a proactive approach. For the past three to four
years we have taken great interest in educating organisations in cyber
But most of the time, organisations make decisions by looking at what
went wrong within the past year and if they found that nothing had
happened - or if something had happened that they were aware of - they
would put off the security budget to the following year.
This mentality poses a serious threat to the security of the
organisation, its clients and stakeholders. When a cyber attack occurs,
it's not easy to quantify the damage. True, a certain (huge) amount of
money will be lost, but that's not all: the goodwill and trust people
have placed in the organisation will be gone as well.
However, it's worth noting that there are qualified professionals in
Sri Lanka who can get involved in security. CICRA itself has over 700
alumni - over 250 of them are qualified in EC-Council's Certified
Ethical Hacker (C|EH) and over 70 are qualified in Certified Hacking
Forensic Investigator (C|HFI) courses.
What administrative measures do you think are necessary to mitigate
such attacks in future?
I think information sharing procedures should be in place. If a
company is attacked, there should be some regulation to have them reveal
the attack so that other organisations will be more careful. Nobody is
going to benefit by keeping it under the carpet.
Let's say a bank was hacked: the details need to be shared at least
with the rest of the banks so they can learn from the incident - learn
from the mistakes of another in the industry. It needs a collaborative
approach to defend against cyber crime as it's real and happens before
What are some of the fundamental reasons for cyber attacks?
I think the lack of security training, inefficiencies of IT security
personnel and lack of awareness are at the top.
Also, software developers need to take security seriously; they
should not wait until the product is developed to test it for security,
or hand over products that haven't been security tested. I've seen many
software developers who opt to hand over untested software in the face
of time constraints.
This can affect the client organisation in the long run - the way
things are going now it wouldn't even be a long run.
In most of the security tests that we have conducted we have seen
very basic coding errors, where not even the fundamentals of security
were taken into consideration.
Next, I hardly see the position of Chief Information Security Officer
(CISO) in organisations. The information security personnel usually
report to the head of IT, and that is not very efficient; they should be
reporting to the CISO or Security Risk Officer.
A significant impact can be made by investing in a Security
Operations Centre (SOC) where you can analyse trends and patterns of
threats that target certain countries, industries or individual
Currently, we have started developing a SOC at CICRA. The biggest
problem in a SOC is that it's very expensive and not many organisations
can invest in a SOC of their own.
What we're doing now is developing a SOC in such a way that we can
give plug-ins to any company that is interested. This would allow many
organisations out there to leverage our resources to protect their
information assets. They will receive the services just as they would
if they invested in a SOC, but at a far lower cost. For this initiative,
we will be getting the best of local and international expertise.