Cyber Resilience - Introductory Note & Setting the Context by Rama Vedashree, CEO, DSCI


Page 1: Cyber Resilience - Introductory Note & Setting the Context by Rama Vedashree CEO DSCI

A NASSCOM® Initiative

Rama Vedashree

Data Security Council of India

August 9, 2017

Hyderabad


Cyber & Privacy Challenges in the Digital World

Page 2

Establishing Cyber Security Baseline

Digital Wave in India: Digital Transformation, Smart cities, Digital Payments, Industry 4.0, Cloud, Mobility, Cryptocurrencies, Artificial Intelligence, IoT, e-Governance

Technology Trends
• Internet users (June ’17): 450 million +
• Telecom users (March ’17): 1200 million +
• IoT Devices (Draft IoT Policy, 2015): 200 million +
• e-Payments: 707 million; 105 lakh crore value
• Mobile wallet transactions (March ’16 - March ’17): 375% increase
• Aadhaar authenticated transactions in 2016: 100 crores

Page 3

Imperatives of “Digitization” are “increasingly opening up orgs to external interfaces & entities”

Designs for “always on” are bringing many “devices in operations & transaction processing”

“Data centric business innovations” driving “unprecedented collection & processing of PII “

“Increasing exchanges of calls with cloud” are slowly leading to “full blown adoption of the cloud”

“Protocols & interfaces” designed for one environment are increasingly used in “new environments”

“Adoption of digital channels”, and with advanced analytics, the role of organizations is moving towards customer advisory & models of self-help

“Ease of on boarding” (one hand) & “National ID scheme” (other hand) making “Biometrics central to authentication”

“Information’s role” is shifting from “measurement & monitoring” to “aiding automated decision making”

Changing Digitization Paradigm
• Globalization of Organizations & their supply chains
• “Data Poor to Data Rich Nation”: Nation with Data Centric Risks
• Digital Payments Emergence & Digitization of Banking: DBT, AEPS, PPI Wallets, Identity based banking

Page 4

Technology Evolution

Technology Trends, Business Innovation & Key Initiatives

• AI, robotics, IoT, SMAC, autonomous vehicles, 3D printing, nanotechnology, context computing, FinTechs, etc.

• Hyper-specialization, robotic processes, business process automations

• Digital Government, Smart Cities, Digital Inclusion & Mobile Governance

4th Industrial Revolution

• Convergence of physical, digital and biological world

• Built on 3rd revolution - Electronic & IT

• Digitization of core business processes (plants & machineries): ICS, SCADA

Data driven technologies

• Increasing capability of data collecting, processing & sharing

• Interconnected world and businesses – cross border data flows

• Volume, variety and velocity of data exponentially rising

• Sensors and their integration with the Internet, machine understanding of humans

• Real time generation, collection and processing

• Big Data Analytics will be used to reinvent 80% of business processes by 2020

Page 5

Expanding Attack Surface (timeline figure with periods 1995 to 2004, 2005 to 2009, 2010 to 2014, 2015 to 2020)

Threat categories shown on the timeline: Viruses, Trojans, Worms, Phishing, Adware, Profit Malwares, APTs, IoT Attacks, Ransomware, Customer Centric DoS/DDoS, Data Breaches, Bio-Hacks, IP Theft, Espionage, Avatar Hijacking, Identity Theft, Cyber-Gang Wars, AR/VR Targeted, Psychological and Crypto Attacks

Page 6

Cyber Security - Cyber Crime: Issues and Challenges
(Slide columns: Nature of Threat; Organizational Challenges; Domestic Issues; Global Challenges; Stakeholders Concerns)

• Attacks on Critical Information Infrastructure
• Poor awareness and cyber literacy
• Cyber Security practices of SMBs across sectors
• Lack of skilled workforce and resources
• No focus on upgradation of legacy systems
• Cyber Espionage on critical and sensitive information
• Rising complexity of attacks - Ransomware and APTs
• Cyber stalking and cyber bullying
• Targeted breach, leaks, hacking and frauds
• Obscenity and child abuse (pornography)
• Piracy, Trademark, Copyright and IP violation
• Security and Privacy protection treated as a Cost Centre
• Offence dominant; attacks easy, defence very costly
• Lack of Security and Privacy in Design of Products and Systems
• Vulnerabilities out in the open for anyone to exploit
• Rising Hacktivism in cyberspace
• Compliance driven approach and practices for security
• Social media trolling, fake news, ideology propagation
• Inadequate laws and regulations on privacy & security
• Diminishing Trust in ICT supply chain due to mass surveillance
• Coordination, info-sharing amongst stakeholders
• Lack of acceptable Norms and Rules of engagement
• Lack of Cooperation & Collaboration amongst global stakeholders
• Tracking cyber criminals and their extradition for cyber crimes
• Dark Net – Drug and Gun Market; Money Laundering
• Illegal transactions in non trackable Cryptocurrencies
• Reporting issues of cyberattacks/breaches
• Modernization of LEAs and Capacity Building
• Cyber Warfare: state & non state actors

Page 7

Security Paradigm Shift

Pre-Digitization:
- Network Monitoring
- Intrusion Detection
- Multifactor Authentication
- Server monitoring
- Configuration Checks
- Signature Based Detection
- Incident Response
- Back Up
- Access Management
- Password Security
- App & Connectivity Security
- IT Risk Management
- Security Outsourced
- Assurance Services
- Physical Security
- Data Protection
- Security as Cost Centre

Age of Digitization:
- Anomaly Detection (AI, ML, DL)
- Behaviour Analytics (AI, ML, DL)
- Malware Detection (AI, ML, DL)
- Proactive Attack Detection
- Identity Security
- API Security
- Safe Secure Channels
- Enterprise Risks Visibility
- Secure Platforms & Clients
- DevSecOps
- Metadata Protection
- Resiliency
- Forward Leaning
- Hunting Skills
- Convergent Analytics
- Phygital Security
- Edge Computing Security
- Third Party Security
- Security in Boardroom

Govt. & PSUs Need to Bridge the Gap

Page 8

Cyber Security Strategy - Next Gen Elements

• 99% of Known vulnerabilities to be patched first
• IoT Security Budget
• Security of Recognition Technologies
• Security disciplines converge while skills expand
• Perimeter defence no longer a focus
• Adaptive security or context-aware security
• The shift from prevention to detection and response
• Practice Proactive Defence
• Security soared from back office to boardroom
• Focus on robust resiliency of infra
• Security of Person to Person
• Security of Machine to Machine

Page 9

Risks in e-Governance Ecosystem

Layers of the ecosystem shown on the slide:
• Channels & Access Points: Home PCs, Mobile, Cyber Cafes, CSC (used by Citizens and Businesses)
• Connectivity: SWAN, NICNET/Broadband
• Applications: Business Support, PI Records, Transaction Records (National and State)
• Data Centers and Databases
• Participating entities: GOI Agencies, State Agencies, Service Providers, UIDAI, Public & Private Agencies, Payment Gateways

Risks:
• Legacy Infra; Insecure endpoints; Illiterate citizens; Poor awareness
• Insecure transmission; Vulnerable comm; Compromised endpoint
• Non transparent Information practices; Data mining; Limitless collection & usage; Sharing for unintended purpose (Security); Unauthorized access
• Vulnerable infrastructure; Data leakage possibilities; Weak application; Legacy Apps
• Financial Fraud; Identity theft; Compromised information; Physical harm
• Data Store; Data Search, Analysis; Targeted promotion

Page 10

Secure Smart Cities
Urban Transformation | Infrastructure Digitization | Facilities Modernization | Interconnected Components

Components
• Traffic Control
• Street Lighting
• Energy & Water Supply
• Public Transportation
• Security and Surveillance System
• City Management Solutions
• Smart Parking
• Sensors, M2M and IoT
• Waste Management
• Healthcare & Education
• Smart Apps

Security Challenges
• Porting to new technology platforms without adequate testing
• Security still add-on; not built by design in products and applications
• Complex supply chain and increasing attack surface
• Poor encryption and authentication
• Unsecured wireless communication
• Legacy Systems; Patch deployment, updates and upgrades difficult
• City level capability and governance - CERT & City SOC required
• Shortage of skilled workforce
• Untested Response Plan/Crisis Management plan

Attack Scenarios
• Potential target by adversaries - Cyber terrorism
• Disruption of city operations
• Manipulating traffic controls to cause accidents
• Controlling speed of public transports
• Controlling sensors - faking data to create panic
• Hazardous repercussions - nuclear/power/energy misuse
• Privacy breach - smart meters, smart sensors and healthcare devices

Page 11

Privacy Risks

• Failure to have the appropriate legal authority to collect, use or disclose personal information
• Excessive collection of PII (loss of operational control)
• Unauthorized access to PII (loss of confidentiality)
• Unauthorized modification of the PII (loss of integrity)
• Loss, theft or unauthorized removal of the PII (loss of availability)
• Unauthorized or inappropriate linking of PII
• Failure to keep information appropriately secure
• Retention of personal information for longer than necessary
• Processing of PII without the knowledge or consent of the PII principal (unless such processing is provided for in the relevant legislation or regulation)
• Sharing or repurposing PII with third parties (without the explicit informed consent of the data subject)

Page 12

Privacy Protection in the age of Technology evolution

• Data collection, its economic value and usage by businesses

• Mass surveillance programs by nation states

• Impact of globalization and trans-border data flows

• Legal and regulatory requirements

• Cybercrime and warfare

• Increasing privacy breaches and concerns related to resulting impact on organizations’ brand value

Technology advancement and its implication
• Computing devices
• Nature of communication networks
• Analytics and big data
• Internet of Things
• Biometrics
• Social, mobile and cloud technologies
• Sensors and body devices

Page 13

Cyber Security Imperatives of Digital World

Transition to Digital World
• Transition of ‘Data Poor’ nation to ‘Data Rich’ nation
• Increasing ‘Digital Footprint’ of Citizens & Entities
• Cyber, a means for personal, social, financial & sensitive transactions
• ‘Increasing Innovation’ around collecting, processing & sharing information
• ‘Open/flexible Architectures’, bringing new players & devices in transaction processing
• ‘Digitization Wave’ transforming critical sector organizations

Attacks & Threats
• Expanded surface for attacks
• Illegitimate use & processing of data
• Risk of information theft and misuse
• Attracting attention of criminals and adversaries
• Possibilities of profiling & targeting users
• High impact attacks on Critical Infrastructure

National Response
• Preparedness to withstand/counter attacks
• Institutional arrangement & strength to respond to challenges
• Policy & regulatory response to drive sectors & entities
• Coordination & collaborations for collective defence & quick response
• Responding to wider, audacious & high impact cyber attacks
• Capability of LEAs to bring cyber criminals to justice
• Protection of rights & interests of users in the cyber world

Page 14

Existing Cyber Security Initiatives - India

Institutional Mechanism
• NCSC (NSCS-NSA); NCIIPC (NTRO)
• CERTs (CERT-In; Fin-CERT and Power Sector CERT announced)
• Joint Working Group (PPP)
• Sector Skill Council (Skills)
• IB-CART (Information Sharing)
• ISEA (Capacity Building and Awareness)
• Cyber Forensic Lab (Capacity Building)
• LITD 17 Committee of BIS (Standards)
• Industry – Setting up focused entity, DSCI (Policy, Assurance, Capacity Building and Awareness)

National Cyber Security Framework (slide timeline marks the years 2008, 2011, 2012, 2013, 2014, 2015, 2016 and 2017)
• 2008: Amendment to Information Technology Act, comprehensive provisions for cyber crimes
• Joint Working Group for PPP on Cyber Security
• Recognition of country as ‘authorizing nation’ under CCRA product certification scheme
• National Cyber Security Policy
• NCIIPC - Critical Infrastructure Protection
• National Cyber Security Coordinator
• National Policies on IT, Telecom and Electronics
• National Information Security Policy and Guidelines (NISPG)
• Security Framework for Smart Cities
• SEBI Cyber Security Guidelines
• 2016: RBI Cyber Security Framework
• State Cyber Security Policies – Telangana, AP
• 2017: IRDAI Cyber Security Framework

Data Protection
• IT (Amendment) Act Privacy clauses
• Notification of privacy rules under Sec 43A of ITAA 2008
• A P Shah Expert Group on Privacy; DoPT draft law
• New Data protection law in making
• Aadhaar Law and Regulations focusing on Privacy

Page 15

Indian Cyber Security Ecosystem

Government Departments and Agencies: NSCS, MeitY, MHA, MoC, MoD, MEA, NTRO, DoT, ICERT, NIC, CCA, STQC, TEC, C-DoT, CIRT Navy, CSG-DDP, DIARA, CERT Army, CERT Air Force, NCSC, NCIIPC, NSA

Regulators: RBI, IRDA, SEBI, TRAI

LEA – State Police, Central Police, CBI

Intelligence - IB, RAW, NIA

Financial Sector (additional): IB-CART, Fin-CERT

Based on info. in public domain & for listing purposes only; doesn’t represent hierarchy of any sort

Page 16

Recent DSCI Initiatives for Securing Digital India

• Digital Payments Security Alliance and Awareness Campaign
• Use Case Clearing House for Cyber Security
• Technology Capability Repository

Page 17

Digital Payments Security Program

Digital Payments Security Alliance
Bringing a variety of players and stakeholders together on the agenda of securing digital payments and building the national ecosystem
• Functions: Community Awareness; Best Practices; Industry Deliberations (RTs/Conferences, Policy deliberations, Industry Submissions)
• Target Segments: Banks & Financial Services, Payment systems, service providers, Technology Providers, Industry associations, ecommerce, Institutions like RBI, NPCI, IDRBT etc.
• ~25 Industry members from varied sectors

Digital Payments Security Campaign
Engage with the various communities that will be influenced and impacted by the fast paced transition to digital payments and make them aware of the security issues emanating from it
• Functions: Campaign Plan; Content Creation; Outreach
• Target Segments: End Users; Small and Medium Businesses; Traders
• Channels covered: BHIM/UPI, AEPS and USSD; Digital wallets and Mobile Banking; Online banking and card schemes

Page 18

Use Case Clearing House for Cyber Security

Use Cases are the descriptions of unmet requirements and identified problem areas where the customer is looking for a technology solution and its associated services. Discovery of niche white spaces/use cases in Cyber Security, accelerating innovation and product development by startups and entrepreneurs, and enabling their adoption would be the guiding principles of the Use Case Clearing House.

Functions
• Collaboration platform for industry, academia and government to generate ideas
• Nation wide open application challenge for various communities to evolve the generated ideas/use cases
• Commercially viable Prototype development by shortlisted players
• Continuous pipeline of potential use cases to be picked up by product development partners and qualified pipeline for investors both private and government, including proposed innovation platform of MeitY
• Investment Opportunities by government or private investors for commercialisation support and Industry Adoption
• Synergising the Market needs; Research & Product Landscape in Leverage & Contribute Model
• Repository of whitespaces/ideas
• Enabling qualified pipeline for proposed innovation platform of MeitY
• Creating continuous pipeline of commercially viable prototypes, connecting them with stakeholders, resulting in cybersecurity industry development

Outcome
• Improved national employability
• Cyber security industry development
• Aid to national cyber security capability building
• Brand building India as hub for cyber security
• Make India emerge as a leader in cyber security

Page 19

Technology Capability Repository

Purpose: Improving the effectiveness of Cyber Competency in the country

Target Communities: Services & Product Firms; Start ups; User Organizations; Global In House Centres; Global R&D centres; Freelancers; Academia; Research Institutes

Inputs: 25 Technology Areas from defined Target Communities, gathered through Primary Research, Secondary Research and Data Crawling

Output
• Consolidated view & Actionable Repository
• Connect with nationwide cyber security entities and experts
• Improved targeting and productivity for capability building
• Better utilization of existing capabilities

Repository is organised by Personas, Views and Access

Page 20

Agenda of the Day

Risk and Responsibility in a Hyper Connected World – The Future of Cyber Security

The dark side of the Fourth Industrial Revolution: Are our Boards Ready?

Information Exchange and Analysis | Initiative undertaken by IDRBT for Banking sector

BCI Global Cyber Resilience Survey 2017: Curated insights from the 2017 Global Survey report and perspectives from the C-Suite

Block Chain: The Next Frontier for Cybersecurity?

Threat Intelligence – a deep dive

Demystifying GDPR and its impact on India Inc.

Privacy imperatives in Technology & Data Centric Innovations

Contours of Corporate Forensics

Page 21

Thank You…