Date posted: 09-Jul-2015
Category: Technology
Upload: xeventshospitality
View: 855 times
Download: 4 times
Supported by In association with Presented by
Hotel Digital Security Seminar SEPT 19, 2014
A.K. Vishwanathan, Senior Director – Enterprise Risk Services, Deloitte India
GLOBAL CYBER SECURITY OUTLOOK
By X Events Hospitality (www.x-events.in)
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
Vis is a Chartered Accountant, holds the Certified in Risk and Information Systems Control (CRISC) credential and is a member of the Information Systems Audit and Control Association (ISACA).
He has advised large organisations in their information security and controls endeavours, and has led risk consulting in complex environments and regulated industries, specifically banking and financial services, telecom, manufacturing, oil and gas, pharma and life sciences, and the government sector.
Agenda
• Current state
• Case study
• Solutions
• Way forward
Current state
Recent trends in India
[Chart: Number of Cyber Crimes under IT Act, 2008 to 2013; y-axis 0 to 5000]
• Over 35% of Indian organizations across various sectors have engaged in corporate espionage.
• Nearly 14,000 websites were hacked by cyber criminals up to October 2012, an increase of nearly 57% from 2009.
• 81% of CXOs in these sectors indicate an increase in information security spending over the coming few years.
• The website of the Indian Embassy in Tunisia was hacked in retaliation for the terrorist attack on Karachi Airport in June 2014. The embassy website was hacked by a group called “Hunt3R”.
Source: NCRB (National Crime Records Bureau)
Key information security challenges – Pain areas
The following are the key information security challenges facing major organizations in India:

1. Cyber Spying: Illegal interception of government data by foreign countries. The NSA has been alleged to have planted bugs in the Indian embassy in Washington DC.
2. Virus and Trojans: Infection of government IT systems with malware that gives control to the hackers. Government of India IT systems were infected by the Conficker worm in 2008, causing multiple crashes and downtime.
3. Data Theft: Insecure storage of GOI data leading to unauthorized access by hackers and spies. Alleged Chinese hackers in 2010 hacked into GOI systems to access National Security Council data.
4. Cyber Terrorism: Hacktivism attacks on GOI websites leading to reputational damage. Hackers from multiple foreign countries were responsible for hacking GOI websites.
5. Phishing & Identity Theft: Phishing attacks targeted at GOI employees to steal identities and data. The GhostNet attacks on Indian Government employees were conducted through spear phishing.

Each of these challenges is tagged CIA on the slide, i.e. it bears on the three security properties:
• Confidentiality: sensitive content and privacy of data
• Integrity: unauthorized modification of data
• Availability: multiple points in the IT infrastructure, avoiding a single point of failure
Source: Times of India
Understanding cyber threats
1. Actors with differing motives and sophistication, often colluding with each other
2. Organizational boundaries have disappeared: anytime, anyhow, anywhere computing
3. Attacks exploit the weakest link in the value / supply chain
4. Data is money: the criminal underground makes for easy monetization
5. Traditional controls are necessary but not adequate
6. Regulators and government are key stakeholders with ever increasing focus
• Loss of PII data, customer data, and sensitive and confidential company data.
• Availability of the organization’s information is crucial, and its loss could impact critical business functions.
• A breach of integrity could result in a complete breakdown of trust in the organization. Brand reputation is majorly affected, leading to loss of revenue.
• Losses resulting from leakage of backend customer data will impact customers’ trust in the brand.
• The National Cyber Security Policy has been formulated with a focus on capability building at the national level.
• The modern cyber threat landscape has evolved over the years. Applications and IT infrastructure are core pillars of today’s business; securing the core ensures the security of the business.
• Criminals pilfer PII data for identity theft, leading to potential damage to customers.
Industry view – Indian sector view
Hotels, Airlines, Travel & Tourism

Sensitive information handled (internal strategic & customer confidential):

Hotels:
• Visitor name, address, contact details, unique identification numbers or documents (passport, PAN card, driving licence, credit card, etc.)
• Hotel billing details such as billing and payments, outstanding bills, etc.
• List of rooms occupied/vacant, pre-booked rooms, etc.
• Vendor/supplier details, contract details, outstanding payment details

Airlines:
• Passenger name, contact details, passport, visa details, etc.
• Flight details such as number of passengers and crew, passenger and crew personal details, city and time of departure and arrival, etc.
• Flight details such as flight status, flight maintenance details, etc.

Travel & Tourism:
• Tourists’ name, address, contact details and unique identification numbers or documents
• Tourist travel details such as mode of travel, destination city, duration of stay and accommodation details
• List of strategic tie-ups and related financial records with the organization
Industry view – Indian sector view
Hotels, Airlines, Travel & Tourism

Concerns:

Hotels:
• Absence of security compliance for information related controls
• Compliance controls on the basis of quality controls only
• Regulatory compliance in terms of financial or business controls

Airlines:
• Absence of security compliance for information related controls

Travel & Tourism:
• Absence of security compliance for information related controls
• Compliance controls on the basis of quality controls only

Security initiatives in the HATT sector:
• Regulatory implications drive the security approach; initiatives are taken by management to drive security in organizations
• Absence of regulatory requirements provides ground for laxity in security initiatives within the organization
Paradigm shift: Info security mgt.
Key questions to consider:

Strategically …
• Do you have a cyber security strategy, including a clear cyber governance framework?
• How are you evaluating and managing cyber risk?
• Is the existing risk framework adequate to address the changing threat landscape?
• How structured and well-tested are your existing incident response and crisis management capabilities?

And tactically …
• What is leaving our network and where is it going?
• Who is really logging into our network and from where?
• What information are we making available to a cyber adversary?
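The tactical question "who is really logging into our network and from where?" is the kind that a short piece of log analysis can answer. The following is an added example, not part of the seminar deck or Deloitte's material: it parses a few constructed authentication log lines, summarizes each user's login origins, and flags two patterns a defender would want to see, a user appearing from two different origins within a short window and a success that follows a run of failures from one source. The log format, the addresses, the internal address range and the IP-to-country table are all assumptions made for illustration.

```python
"""Added example (not from the slide deck): answering "who is logging in, and
from where?" over constructed authentication log lines. The line format, IPs,
internal address range and country lookup are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log: "<ISO timestamp> <user> <OK|FAIL> <source ip>"
SAMPLE_LOG = """\
2014-09-19T08:02:11Z alice OK 10.20.1.15
2014-09-19T08:05:40Z bob OK 10.20.1.22
2014-09-19T08:31:09Z alice OK 203.0.113.77
2014-09-19T09:12:55Z carol FAIL 198.51.100.9
2014-09-19T09:13:02Z carol FAIL 198.51.100.9
2014-09-19T09:13:10Z carol FAIL 198.51.100.9
2014-09-19T09:13:19Z carol OK 198.51.100.9
2014-09-19T10:45:00Z bob OK 10.20.1.22
"""

# Assumed internal address space and an assumed (constructed) IP-to-country table.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
GEO_TABLE = {"203.0.113.0/24": "XX", "198.51.100.0/24": "YY"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(OK|FAIL)\s+(\S+)$")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group(2),
            "ok": m.group(3) == "OK",
            "ip": ipaddress.ip_address(m.group(4)),
        })
    return events


def origin(ip):
    """Classify a source address as internal, a country code, or unknown."""
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    for cidr, country in GEO_TABLE.items():
        if ip in ipaddress.ip_network(cidr):
            return country
    return "unknown"


def logins_by_user(events):
    """Who logged in successfully, and from which origins."""
    summary = defaultdict(set)
    for e in events:
        if e["ok"]:
            summary[e["user"]].add(origin(e["ip"]))
    return dict(summary)


def find_impossible_travel(events, window=timedelta(hours=1)):
    """Flag the same user succeeding from two different origins within `window`."""
    last_seen = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not e["ok"]:
            continue
        here = origin(e["ip"])
        prev = last_seen.get(e["user"])
        if prev and prev[1] != here and e["ts"] - prev[0] <= window:
            alerts.append((e["user"], prev[1], here))
        last_seen[e["user"]] = (e["ts"], here)
    return alerts


def find_bruteforce_then_success(events, threshold=3):
    """Flag a success preceded by >= threshold consecutive failures from the same user/IP."""
    streak = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], str(e["ip"]))
        if e["ok"]:
            if streak[key] >= threshold:
                alerts.append((e["user"], str(e["ip"]), streak[key]))
            streak[key] = 0
        else:
            streak[key] += 1
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("origins per user:", logins_by_user(evs))
    print("origin change within window:", find_impossible_travel(evs))
    print("success after failures:", find_bruteforce_then_success(evs))
```

On the constructed sample, alice is flagged for succeeding from an external origin half an hour after an internal login, and carol is flagged for a success that follows three failures from the same address. The same two checks run unchanged over a real log once `parse_log` is adapted to its format and the country table is replaced by a real lookup.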
Case study
Operation Hangover
Recently, attackers of unknown origin conducted a large hacking operation against multiple companies from servers hosted in India.

1. Target employee in the victim company: The attacker creates a malicious PDF attachment and sends it to an unsuspecting and unaware foreign government employee. The malware is signed using certificates purchased by a company in New Delhi, India.
2. The user's system is infected with malware that acts as a backdoor. The attacker is able to pivot from this system to conduct further attacks in the network.
3. Server hosted in India: All data stolen from the company is stored on a server hosted in India, with domain names similar to those of large e-commerce sites in India. This kind of operational security measure indicates an attempt by the attackers to hide the operation in plain sight.

Source: Norman ASA
Leading hotel chain in the USA
A leading US hotel chain was breached by hackers from 2009 to 2010, resulting in the theft of 700,000 customers' information. They were breached 3 times in the period during which this information was siphoned out.

Key security flaws (as per the FTC report):
1. Absence of firewalls
2. Default usernames and passwords
3. Weak access controls for remote sites
4. Failure to conduct regular reviews

Implications:
• The FTC sued the organization for the loss of customer information
• The organization failed to get the case dismissed
• Investigations proved major non-compliance with PCI DSS requirements at the organization's locations
• 10.6 million USD was the estimated cost of the data breach

Source: Media reports
Hospitality industry
The hospitality, airline and tourism industries depend on exhaustive branding and marketing efforts to sell their services. Any impact on their IT infrastructure, websites or data that gets published in the media has a direct effect on their revenue and core business sales.

Leading airline in the US

Incident:
• The airline's vendors were breached by hackers, leading to disclosure of internal employee information and customer information.
• The data breach was investigated, but with no conclusive root cause analysis.

Impact:
• Multiple news reports on the data breach were published, leading to branding and reputational risks for the airline.

It takes an average of 156 days for businesses to realize that a breach has occurred (Trustwave). 43% of CXO officers report that negligent insiders are the source of the majority of breaches (IBM).

Source: Media reports
Way Forward
Cyber security mgt: Methodology
Cyber security: Maturity model
Cyber Security Maturity Levels: Level 1, Level 2, Level 3, Level 4, Level 5 (stage labels on the slide: Blissful Ignorance, Operational Excellence, Transformation, Proactive Threat Management)

Capability dimensions:
• Asset Protection
• Security Event Monitoring
• Internal Threat Intelligence
• External Threat Intelligence
• Intelligence Collaboration
• Cyber Attack Preparation
• Training & Awareness
• Behavioural Analytics
• E-Discovery & Forensics
• Brand Monitoring

Capabilities plotted on the maturity grid (grid positions not recoverable from the slide; listed as they appear):
• IT Cyber Attack Simulations
• Business-Wide Cyber Attack Exercises
• Sector-Wide & Supply Chain Cyber Attack Exercises
• Enterprise-Wide Infrastructure & Application Protection
• Global Cross-Sector Threat Intelligence Sharing
• Identity-Aware Information Protection
• IT BC & DR Exercises
• Ad Hoc Infrastructure & Application Protection
• Adaptive & Automated Security Control Updates
• IT Service Desk & Whistleblowing
• Security Log Collection & Ad Hoc Reporting
• External & Internal Threat Intelligence Correlation
• Cross-Channel Malicious Activity Detection
• 24x7 Technology Centric Security Event Reporting
• Automated IT Asset Vulnerability Monitoring
• Targeted Cross-Platform User Activity Monitoring
• Tailored & Integrated Business Process Monitoring
• Traditional Signature-Based Security Controls
• Periodic IT Asset Vulnerability Assessments
• Automated Electronic Discovery & Forensics
• Situational Awareness of Cyber Threats
• Basic Online Brand Monitoring
• Automated Malware Forensics & Manual Electronic Discovery
• Government / Sector Threat Intelligence Collaboration
• Ad-hoc Threat Intelligence Sharing with Peers
• Baiting & Counter-Threat Intelligence
• Criminal / Hacker Surveillance
• Commercial & Open Source Threat Intelligence Feeds
• Real-time Business Risk Analytics & Decision Support
• Workforce / Customer Behaviour Profiling
• Network & System Centric Activity Profiling
• Business Partner Cyber Security Awareness
• Targeted Intelligence-Based Cyber Security Awareness
• General Information Security Training & Awareness
• Basic Network Protection
• Acceptable Usage Policy
• Online Brand & Social Media Policing
• Ad Hoc System / Malware Forensics
Way forward: Cyber security v2.0
A forward-looking approach to developing your organization’s cyber security capabilities is needed to ensure on-going cyber threat mitigation and incident response.
About us
X Events manages & supports events exclusively for the hospitality & travel industries.
o Our USP is that we are hoteliers by training. We focus on the two most important aspects of an event: content quality and impact.
o We do it because we believe in it.
www.x-events.in

HATT is India's young and premium community for CXOs from the Hospitality, Healthcare, Aviation, Travel and Tourism industries.
o With over 1,000 members across India, we are now poised to expand globally with a presence in South East Asia and the Middle East by 2016.
www.hattforum.com FB/hattforum
Our host – Brian Pereira
Brian is a veteran technology journalist with two decades of experience. He has served as editor for two magazines: CHIP and InformationWeek India. He is a respected speaker & host at conferences worldwide. In his current role at Hannover Milano Fairs India, Brian serves as project head for CeBIT Global Conferences, the world's largest ICT fair that will debut in India this November, in Bangalore.
The seminar schedule

Five expert speakers:
1. Latest threats in digital security (worms, attacks, viruses, flaws) - Santosh Satam, CEO, SecurBay Services.
2. The immediate action needed to tighten up (priority list, cost, internal policies) - Ambarish Deshpande, MD - India & SAARC, Blue Coat.
3. Information loss prevention (principles & practices) - Geet Lulla, VP - India & ME, Seclore.
4. How to build a business case & get the management's attention - Dhananjay Rokde, CISO, Cox & Kings Group.
5. Global cyber security outlook - A. K. Viswanathan, Senior Director - Enterprise Risk Services, Deloitte India.
Our sponsors & supporters
Thank You