Cyber Pulse  
Volume III Issue 10

ReBIT's monthly newsletter | Subscribe | www.rebit.org.in 
Cyber Pulse is now on Twitter! Follow @CyPulse

Opening Remarks


Jayaraman Pazhamalai
Sr VP, Systems Audit, ReBIT


Dear Friends,

We bring to you yet another Cyber Pulse newsletter with lots of interesting stories on Cyber Security.

In this newsletter, we have enclosed an article reference to the global cyber risk perception survey conducted by Microsoft and Marsh, which provides insights on cyber security posture and the state of cyber resilience across sectors. It is encouraging to note that organizations are increasingly acknowledging cyber security as one of the top 5 risks. However, the respondents of the survey also indicated that there is a decline in their confidence levels in managing cyber threats. There is a story related to an ATM attack using banking malware. The vulnerability of third party risks is evident as hackers carry out sustained attacks on technology service providers and suppliers across sectors, including aviation, with an intent to steal trade secrets.

With rapid adoption of technology across business processes, there is an increased convergence of cyber security and fraud risk, as observed in the recent financial institution fraud case reported in the media. This month's 'Chatur Chitra' outlines a scenario involving an Income Tax phishing email and how one should exercise caution. It is heartening to know about the Assam State government's active interest in cyber security and their publication of a draft cyber security policy for feedback to improve protection of digital databases. This month's infographic suggests simple measures to be taken by consumers upon observing fraudulent transactions in their bank account.

We hope you find these cyber security stories useful and interesting. Do continue supporting us by forwarding the newsletter to your colleagues and friends and help us in the endeavor to reach a larger and wider audience within the banking and cyber security fraternity. We would love to hear your feedback on enhancing the quality of our newsletter. 


With warm regards,

Jayaraman Pazhamalai 

23 October, 2019

 

News Stories

Key Findings of Global Cyber Risk Perception Survey

 
Marsh and Microsoft have released the Global Cyber Risk Perception Survey for 2019. Among its key findings, business leaders and senior executives in charge of cyber risk management in organisations had less than one day in the last year to focus on cyber risk related issues. Organisations' confidence in managing cyber threats has also declined, despite their increased concern about the various cyber threats they face. The complete report is available here.

Comment

The Global Cyber Risk Perception Survey reveals some interesting and insightful data points (extracted from the report):

- 70% of the respondents ranked cyber risk as a top-five concern
- Just 5% of respondents evaluate cyber risk throughout the technology lifecycle
- Only 17% of executives spend more than a few days on cyber risk management
- Confidence level declined from 29% to 23% in understanding, assessing and measuring cyber threats


These data points yet again reveal that cyber security risk management is a complex problem. While technology is transforming business at an exponential rate, cyber risks are evolving even faster than technology is growing. It is encouraging to note that organizations increasingly recognize the importance and nature of the cyber threat. The need of the hour is to act on that recognition. Organizations should focus on taking a comprehensive approach to cyber risk assessment that covers the complete enterprise and its technology, processes and people at each stage of their lifecycle; on measuring cyber risk like any other operational risk, including tracking remedial measures until closure; and on well-defined risk tolerance levels that are monitored regularly and assessed using an assurance framework. While organizations recognize that successful business operations rely on robust technology and its ecosystem, it is critical for the top management and board to allocate time and effort to understanding and reviewing cyber risks and to giving strategic direction that improves governance, thus driving downstream actions across the enterprise to inculcate a strong cyber security culture.
 
GitHub Repositories Leak Scotiabank's Source Code and Credentials
 
The repositories contained hundreds of documents and code files, along with source code for integrating the bank's systems with payment services. Jason Coulls, an IT professional, discovered the exposure. The Register alerted Scotiabank about the open repositories, and the bank removed the misconfigured repositories. Experts believe the leaked code, in the wrong hands, could have put the bank and millions of customers at risk.
 
 
Comment

This is another instance of a badly configured cloud instance leaking sensitive information. Organisations need to provision for human failure when adopting cloud and ensure sufficient defense in depth to protect against the failure of any one level of control. This story also highlights the importance of organisations providing for responsible disclosure of vulnerabilities. This gives any third party who notices a vulnerability a means to bring it to the attention of the appropriate authorities within the organisation instead of having to go public, which can be more damaging.

North Korean Hackers Target Indian ATMs

 
Lazarus Group, a cryptocurrency hacking group known for its affiliations with the North Korean government, has developed a new strain of malware to record and steal data from cards inserted into ATMs in India. The banking malware, ATMDTrack, has been active in India since last summer, Kaspersky Lab researchers claimed in a published report.

Comment

Use of malware in ATM thefts has seen a considerable increase over the years. One of the factors contributing to the proliferation of such thefts is the lack of adequate security controls for the ATMs and for the organisation's overall network.

Organisations need to adopt a defense in depth approach to protect themselves against such thefts. Apart from implementing security solutions such as anti-malware and following processes such as hardening and patch management, organizations should implement additional controls such as the following:

- Segregation of the network and monitoring of it for suspicious traffic
- Training and awareness of the employees
- Integration of threat intelligence into security mechanisms
- Periodic threat hunting within the organisation's network
- Sandbox-based detection mechanisms
- Comprehensive cyber drills including communication with vendors, card networks and other critical infrastructure dependencies

Adopting such an approach would not only enable an organisation to prevent or detect such thefts but also to respond in a more planned and effective way.

Cyber Security and Data Privacy in India
 
The government of Assam has drafted a cyber security policy and asked for suggestions by the end of the last month. The objective of this policy is to protect the state's digital database, safeguard IT and build capabilities to thwart cyber threats. The new policy will also promote emerging technologies such as artificial intelligence, blockchain and machine learning for ensuring cybersecurity in the state, and introduce a cybersecurity curriculum in schools and colleges. This policy is meant to protect vital data and institutions, particularly those related to the National Register of Citizens (NRC). Separately, MIT researchers have suggested a method for Indian cities to preserve citizen privacy while using their data to improve efficiency.


Comment
 
Assam has taken a good initiative in cyber security. The draft clearly lays down the policy's mission, i.e. to identify, analyze, protect and build capabilities to prevent and respond to cyber threats posed to the state's information and information infrastructure in cyberspace through a combination of institutional structures, people, process, technology and cooperation. State governments in India are putting in place mechanisms for tackling cybercrime related cases by training and upskilling their law enforcement agencies. An appropriate policy will institutionalise their efforts towards these objectives.

The model developed by researchers from MIT classifies citizen data into three categories, viz. necessary, useful (but not critical) and unnecessary. This is aimed at helping different government departments deliver efficient service to citizens. India's rapid journey of urbanization is driven by technology undercurrents and frameworks that provide assurance about citizen data. This is a step in the right direction in ensuring inclusive and transparent growth of Indian cities.

"Chatur Chitra" - Sketching Security Scenarios 
Cyber Attack on Airbus' Supplier
 
Four cyber-attacks on the suppliers of aerospace manufacturer Airbus have been carried out in the last year. The suppliers include Rolls-Royce, French technology consultancy Expleo, and two separate French contractors working for the aerospace manufacturer. Sources claim that the attackers could be aiming at the technical documents related to certification of Airbus plane components, as well as Airbus passenger plane propulsion systems and avionics systems. Officials are currently investigating the case. The manufacturer reported a security incident earlier this year, and it appears that adversaries are targeting its suppliers to steal trade secrets.


Comment 
 

One of the biggest motives for cyber attackers attempting to compromise systems is the acquisition of 'power and control.' Gaining the power to remotely compromise systems and control them to do the attackers' bidding is perhaps the ultimate step that the attackers want to achieve.

While it primarily appears that the sensitive information may be obtained by competitors to gain an unfair advantage in the market, over time such persistent dark operations can help the attackers gain more comprehensive knowledge about open vulnerabilities. This could then enable them to develop exploits with hacking devices that may be used cleverly along with sophisticated social engineering tactics to connect to aviation systems and attempt extensive damage, ranging from remote-controlling the aviation system to influencing the course of the aircraft or hijacking its control and communication systems. This could particularly be of interest to groups that are inclined towards cyber-warfare, and it is therefore no wonder that sources have suspected certain state sponsored hacking groups to be behind the attacks.

Hence, it is crucial for large organisations to ensure that an effective framework is implemented to identify and mitigate supplier risks before attackers do. For more information on a useful framework, please refer to this webinar on ReBIT's website.

Infographic of the Month
Microsoft's Joint Initiative on Cyber Security
 
Microsoft has joined Mastercard, the Hewlett Foundation and other organizations as the initial funders of a cyber security institute. The institute will enjoy autonomy and will primarily assist in the recovery efforts for vulnerable victims of cyberattacks, promote responsible behaviour in cyberspace and facilitate the collective analysis, research and investigation of cyberattacks, among other activities.
            

Goldman Sachs Official arrested for swindling Rs 38 crore

Ashwani Jhunjhunwala, vice president of investment firm Goldman Sachs, was arrested for swindling Rs 38 crores from the company's funds. He used these funds to cover losses he had incurred at a casino. He used the laptops of his subordinates on the pretext of training them, then asked them to fetch water and used other excuses to get them away while he illegally transferred the company's money to Industrial and Commercial Bank of China. The company dismissed him. Another employee, Vedant Rungta, who had attempted a similar illegal transaction, was fired earlier. Vedant assisted Ashwani in carrying out this illegal transaction. Both estranged employees are now in police custody. Bangalore police acted on the company's complaint and reversed the transaction while it was still in progress.


Comment 


The incident on one hand reflects how easy it has become for a person with malicious intent to carry out a fraud, and on the other hand it also acts as an example of how prompt action can assist in the identification and containment of fraud. It was due to the timely identification and intimation by the staff that the organisation was able to recover the siphoned money. 

Also, this episode throws light on the significance of addressing the fraud risk in a cohesive manner. Perpetrators of fraud are always on the lookout for mechanisms to tamper with the system. However, it is the responsibility of the institute to put in place an effective framework of internal controls that can touch upon people, process and technology. In addition, it highlights the need for clearly defined actions designed to reduce fraud risk and put in place a periodic assessment cycle that verifies the effectiveness of the organisation's approach to manage such risks.

SEBI's Cyber Security Initiative
 
Market regulator SEBI has put in place a cyber security framework that includes measures, tools and processes intended to prevent cyber-attacks and improve cyber resilience. The new norms will be effective from January 1, 2020. According to this circular, KYC registration agencies (KRAs) would be required to define the responsibilities of employees, including outsourced staff, who have privileged access to SEBI's networks. Check here to read the circular.

ReBIT Update
ReBIT Premises Accolades
Project Manager's Account  
 

Sajid Sayyad, Senior Manager, Project Management Vertical, ReBIT, is popularly referred to as 'Premises Man' among his colleagues in ReBIT. Apart from juggling multiple projects in his core domain, Sajid's stellar contribution is managing the project of building a state-of-the-art office for ReBIT. He shares the unique experience of leading this challenging project, which recently achieved the Green Building Standards required for certification at Platinum level under the Indian Green Building Council's (IGBC) Green Interior Rating System (for new interiors), in a tête-à-tête conversation with M.D.S.PRABU of the Cyber Pulse Editorial team. Check this to read more about the interview on ReBIT's website.

From our Knowledge Repository 
Responsible Vulnerability Disclosure
 
The whitepaper discusses several models of vulnerability disclosure presently in practice. It presents several case studies from different geographies, with a brief synopsis of how different countries have shaped or are in the process of shaping their responsible/coordinated vulnerability disclosure policies.

Call for Thought Leadership Content
 
We would like to seek your contributions. You are welcome to send your opinion or analysis, of a contemporary issue in cyber security, in less than 100 words for further processing by the CyberPulse editorial board, whose decision will be final. 
 
Mail your snippets to communications@rebit.org.in

Voice Your View

 
Let us know your take on Cyber Pulse. Your feedback is vital to improving the quality of our editions.

Do send us your feedback at communications@rebit.org.in
Copyright © 2018 ReBIT, All rights reserved.

www.rebit.org.in