Boshan Dayaratne, Director/CEO of CICRA Holdings, shared his views on the recent cyber attacks suffered by several South Asian banks.
He emphasised the importance of implementing better security within organisations by hiring the right experts, training staff, deploying a Data Loss Prevention (DLP) solution and promoting cyber security awareness.
“If you’re an organisation, big or small, it’s no longer a matter of whether you will be hacked, it’s about when,” he noted.
Following are excerpts of the interview:
What are your comments about the South Asian banks that were hacked recently?
We have seen several hacker attacks against Asian banks making headlines in international news. Apparently, data belonging to five South Asian banks was posted online on the 10th of May by a Turkish hacking group calling itself “Bozkurtlar”. It is said to be the same group that recently leaked data tied to Qatar National Bank and UAE’s InvestBank.
This is not a good sign! So far there are no reports on what type of data has been exposed or leaked. However, the objective of an attacker who breaches the security of a bank is usually monetary. The full extent of the damage is not yet realised.
Was Sri Lanka affected as well?
As reported by Lanka Business Online, Asian Mirror and several other international news publishers, it looks like a Sri Lankan bank was hacked as well.
Do you think this attack could have been avoided?
Yes. The hackers seem to have exploited some very old vulnerabilities which could have been patched or closed off without waiting for trouble. Cyber threats can be classified as external and internal threats. The thing is, there is no silver bullet for cyber attacks, but most attacks can definitely be prevented.
External threats are posed by outside individuals or organisations attacking your IT infrastructure. These risks can be quantified by hiring a professional vendor or consultant to run a penetration test. It’s important to note that penetration tests are not vulnerability assessments.
There is a big difference there: a vulnerability assessment is like walking around the house and making a note of which doors, windows and locks are loose or jiggling and therefore unsafe according to the model information. On the other hand, penetration testing is like trying to break into the house by picking the weak locks and smashing a window.
There are so many vendors out there who run a few tests using automated tools and call it a penetration test. This is why you need to pick qualified and reputable security firms and consultants. If you’re not sure, ask them for references, check their track record, and make sure these penetration testers have the expertise and integrity to handle your critical information assets. In today’s context, your information assets define your organisation. They have to be protected with the same interest you would protect your monetary assets.
The other side of the equation is the desire to have proper security mechanisms. The biggest mistake most organisations make is being merely compliant without being actually concerned about security. For instance, in the Financial Services industry, the regulator is the Central Bank, which has imposed certain regulatory requirements. One is that all financial institutes need to conduct a penetration test either annually or bi-annually. This is technically the regulator’s requirement. If an organisation only looks at that requirement and gets some vendor, any vendor, to conduct a penetration test, that’s just complying, ticking off the register if you will, and not a matter of improving security. I can’t stress enough that an automated scan is not equal to a penetration test but is only a step in the entire process.
Also, I know that certain so-called penetration testers extensively ask for login and password information from the client before conducting a test. This too is not a penetration test, as the person conducting the test should be able to act like a real-world hacker, break into your systems and identify the weak spots, without asking you.
The hacking techniques of a penetration tester and a hacker would be similar, but the difference is that a penetration tester will not cause damage to your system. What we have to realise is that cyber attacks are getting scarier by the day and it’s very important that organisations understand the gravity of it. A company that complies with security regulations is not always secure, but it goes without saying that a company with strong security is compliant.
The other mistake is that the organisations don’t follow the recommended remedial actions. Once a penetration test is completed, a report containing the remedial actions that need to be taken to rectify the flaws is provided to the client. The whole point of a penetration test is to identify the flaws and patch them; not to keep the reports locked up in a cupboard to show the regulators at audits.
People in IT departments should also be trained to securely set up their information systems. This is where information security training comes in. The IT staff should be up-to-date with the ever evolving world of technology. They can’t and shouldn’t be maintaining systems using methods they used a couple of years ago.
What are the internal threats?
These could be malicious insiders or unwitting users. It may sound like a cliché, but users are in fact the weakest link. This is why awareness training for end-users is important.
Your organisation may have expensive security controls and branded products, but if the end-user is not security conscious then your system is in jeopardy.
For instance, a careless end-user can accidentally download an app, whether a game or some sort of service, that is malicious and spread the malware to the entire network. Or they could give in to phishing emails. These are malicious emails which are carefully crafted to look like they come from a social media provider, email provider, PayPal or something else the user has an account with. Such emails can lead unwitting users to several other sites that can infect their machines with various viruses.
Moreover, there are social engineering attacks where users are tricked by shrewd hackers into giving them sensitive information like passwords. The best way to prevent such threats is to provide effective training for the staff. One ignorant user is enough to break the system.
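The crafted links the interview describes are what mail-filtering and awareness tooling look for. The script below is an added example (not code from the interview or from CICRA) of three checks a practitioner would apply to the anchors in an HTML e-mail body: a visible URL whose host differs from the real target, a brand name in a link that does not point at that brand's domain, and a raw IP-address target. The e-mail body and the brand list are constructed here for the example.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example, not from the interview. SAMPLE_HTML and BRANDS are constructed
inputs; registered_domain() is a deliberate 'last two labels' approximation.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: one honest link and two deceptive ones.
SAMPLE_HTML = """
<p>Your account has been limited. Please verify your details:</p>
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a><br>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a><br>
<a href="http://198.51.100.7/update">Update your Facebook password</a>
"""

# Brands whose name in a link is worth checking (assumed list for the example).
BRANDS = ("paypal", "facebook")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    """True for a dotted-quad IPv4 literal."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def assess_link(href, text):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    href_host = urlparse(href).hostname or ""
    # 1. The visible text is itself a URL whose host differs from the real target.
    if text.startswith(("http://", "https://")):
        text_host = urlparse(text).hostname or ""
        if registered_domain(text_host) != registered_domain(href_host):
            reasons.append(f"display URL {text_host} does not match target {href_host}")
    # 2. A brand name appears in the link but the target is not that brand's domain.
    for brand in BRANDS:
        if brand in (text + href).lower() and brand not in registered_domain(href_host):
            reasons.append(f"mentions {brand} but points at {href_host or href}")
            break
    # 3. A bare IP-address target is rarely legitimate for a branded service.
    if is_ip(href_host):
        reasons.append(f"target is a raw IP address {href_host}")
    return reasons


def suspicious_links(html):
    """Return [(href, reasons)] for every link in html that trips a check."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, r) for href, text in parser.links if (r := assess_link(href, text))]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The honest PayPal link passes all three checks; the other two are reported with their reasons, which is the detail an awareness programme or a mail gateway rule would surface to the user or analyst.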
What is the most dangerous type of threat?
Studies related to security threat actors have shown that 90 percent of attacks are somehow linked to an inside user, whether they are deliberately letting information out or being socially engineered as I mentioned before.
This means that if an organisation is taking good precautions to prevent external threats yet neglects insider threats, the risk is still at large.
What can be done to manage insider threats?
The best solution would be Data Loss Prevention (DLP), where insider information transfers are monitored and leakage is prevented. For example, people can disguise themselves as “trusted parties”, come into your organisation and ask for data. There could be disgruntled employees who copy internal data and send it off to a third party or post it online. There could also be employees who are planning to leave the organisation, let’s say to join a competitor, and take internal documents and data to the next company.
So there should be a method in place to prevent such leakage of information by internal parties.
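The content-inspection half of a DLP control looks roughly like the script below. It is an added example, not the interview's or CICRA's code, and assumes two kinds of sensitive data a bank would protect: payment-card numbers (validated with the Luhn check so that ordinary reference numbers are not flagged) and an internal customer-ID format that is invented here. The outbox messages and the internal mail domain are constructed for the example.

```python
"""Minimal outbound-content inspection of the kind a DLP tool applies to e-mail.

Added example, not from the interview. The customer-ID pattern CUST-nnnnn, the
internal domain bank.example and SAMPLE_MESSAGES are all constructed inputs.
"""
import re

# Constructed sample outbox: (sender, recipient, body).
SAMPLE_MESSAGES = [
    ("alice", "partner@example.org", "Invoice attached, order ref 12345678."),
    ("bob", "bob.personal@example.com", "Test card: 4111 1111 1111 1111, exp 12/29"),
    ("carol", "rival@example.net", "Customer list: CUST-00042, CUST-00917, CUST-01234"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed
CUST_ID_RE = re.compile(r"\bCUST-\d{5}\b")        # assumed internal customer-ID format


def luhn_ok(digits):
    """Luhn checksum, which every real payment-card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs that look like card numbers AND pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(number):
    """Keep only the last four digits in alerts so the alert itself is not a leak."""
    return "*" * (len(number) - 4) + number[-4:]


def inspect_message(sender, recipient, body, internal_domain="bank.example"):
    """Return (verdict, findings); verdict is 'allow', 'alert' or 'block'."""
    findings = []
    cards = find_card_numbers(body)
    findings += [f"card number {mask(c)}" for c in cards]
    ids = CUST_ID_RE.findall(body)
    if ids:
        findings.append(f"{len(ids)} customer ID(s)")
    external = not recipient.lower().endswith("@" + internal_domain)
    if cards:
        verdict = "block"          # card data never leaves by e-mail, internal or not
    elif external and len(ids) >= 3:
        verdict = "block"          # bulk customer data to an outside address
    elif external and ids:
        verdict = "alert"          # a single ID: deliver, but log for review
    else:
        verdict = "allow"
    return verdict, findings


def scan_outbox(messages):
    """Apply inspect_message to every outbound message."""
    return [(s, r, *inspect_message(s, r, body)) for s, r, body in messages]


if __name__ == "__main__":
    for sender, recipient, verdict, findings in scan_outbox(SAMPLE_MESSAGES):
        print(f"{sender} -> {recipient}: {verdict} {findings}")
```

Alice's invoice is allowed because an eight-digit order reference is neither long enough nor Luhn-valid; Bob's message is blocked for a card number and the alert carries only a masked copy; Carol's bulk export of customer IDs to an outside address is blocked, while a single ID to the same address would only raise an alert. A real product adds endpoint and file-share monitoring on top, but the decision logic is the same: classify the content, consider the destination, then block, alert or allow.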
Can you comment on Incident Response capabilities in Sri Lanka?
Incident Response is taking control of a cyber situation as and when it occurs. I would say that people in South Asia in general take a more reactive approach than a proactive approach. For the last three to four years we have taken great interest in educating organisations in cyber security. But most of the time, organisations make decisions by looking at what went wrong within the last year, and if nothing happened, or if nothing happened that they were aware of, they would put off the security budget to the following year.
This mentality poses a serious threat to the security of the organisation, its clients and stakeholders. When a cyber attack occurs, it’s not easy to quantify the damage. True, a certain (huge) amount of money will be lost, but that’s not all: the goodwill and trust people have placed in the organisation will be gone as well. However, it’s worth noting that there are qualified professionals in Sri Lanka who can get involved in security. CICRA itself has over 700 alumni; over 250 of them are qualified in EC-Council’s Certified Ethical Hacker (C|EH) and over 70 in Certified Hacking Forensic Investigator (C|HFI) courses.
What administrative measures do you think are necessary to mitigate such attacks in future?
I think information sharing procedures should be in place. If a company is attacked, there should be some regulation requiring them to reveal the attack so that other organisations will be more careful. Nobody is going to benefit by keeping it under the carpet. Let’s say a bank was hacked; the details have to be shared at least with the rest of the banks so they can learn from the incident, learn from the mistakes of another in the industry. It requires a collaborative approach to defend against cyber crime, as it’s real and it’s happening before our eyes.
What are some of the fundamental reasons for cyber attacks?
I think the lack of security training, inefficiencies of IT security personnel and lack of awareness are at the top.
Also, software developers need to take security seriously; they should not wait until the product is developed to test it for security, or hand over products that haven’t been security tested. I’ve seen many software developers who opt to hand over untested software in the face of time constraints. This can affect the client organisation in the long run, and the way things are going now it wouldn’t even be a long run.
In most of the security tests that we have conducted we have seen very basic coding errors, where not even the fundamentals of security were taken into consideration.
Next, I hardly see the position of Chief Information Security Officer (CISO) in organisations. The information security personnel usually report to the head of IT and that is not very efficient, they should be reporting to the CISO or Security Risk Officer.
A significant impact can be made by investing in a Security Operations Centre (SOC) where you can analyse trends and patterns of threats that target certain countries, industries or individual organisations.
Currently, we have started developing a SOC at CICRA. The biggest problem with a SOC is that it’s very expensive and not many organisations can invest in a SOC of their own. What we’re doing now is developing a SOC in such a way that we can give plug-ins to any company that is interested. This would allow many organisations out there to leverage our resources to protect their information assets. They will receive the services just as they would if they invested in a SOC, but at a far lower cost. For this initiative, we will be getting the best of both local and international expertise.