Data Theft in India (K. K. Mookhey)

Data Theft in India. K. K. Mookhey, Principal Consultant, CISA, CISSP, CISM. "Seedhi baat, no bakwas" (straight talk, no nonsense).
Upload: clubhack

Posted on 28-Nov-2014

TRANSCRIPT

Page 1: Data theft in india (K K Mookhey)

Data Theft in India

K. K. Mookhey, Principal Consultant

CISA, CISSP, CISM

- Seedhi baat, no bakwas

Page 2

Speaker Introduction

• Founder & Principal Consultant, Network Intelligence
• Institute of Information Security
• Certified as CISA, CISSP and CISM
• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
• Co-author of books on the Metasploit Framework (Syngress) and Linux Security & Controls (ISACA)
• Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
• Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.

Page 3

Agenda

• What's the ground reality
• Recent news
• Financial institution data theft explored
• Challenges
• Solutions
• Conclusion

Page 4

Let's see now….

Page 5

Well, yes Sir, you’ve been had!

Page 6

It's not paranoia…

It’s actually happening!

Page 7

Data theft in the recent past

Pages 8 to 11: no transcript text

Page 12

What price India?

Online examples…

Page 13

Less than 1 cent per record!

• http://www.jobstiger.com/emaildatabaseindia.html
• http://www.kumudhamwebtech.com/
• http://hyderabad.olx.in/38-lakh-stock-market-traders-dmat-account-holders-database-44000-sub-brokers-iid-106295300
• http://www.ebusinessindya.biz/
• http://www.mobiledataindia.com/
• http://www.gsquare.biz/data.html

Page 14

Fresh record price = Rs. 75

Converted customer price = Rs. 150

View from the trenches…

Page 15

Pick an industry, pick a company

• Large business house gets into the financial services industry with a big bang
• But slightly late in the game
• Huge marketing blitz, offices opened nationwide
• Aggressive marketing, huge ad spends
• Customer base widens
• Assets under management balloon
• In a couple of years, they're within the top 5 private insurers, equity trading companies, and mutual funds!
• However…

Page 16

Data all over the place…

• Specific mutual fund purchase records available for a price
• Customers get calls just before their fund payments are due
• Customers get calls to switch funds
• Specific data available:
  • Customer name
  • Cover amount
  • Investment amounts
  • Fund details
  • Personal information
  • Expiry dates
  • And more…

Page 17

What should the company do to fix this?

Page 18

Why data isn't being protected

Page 19

No one gives a damn!

Page 20

Where is the customer data? – Equity Trader Example

• Primary Trading system
• CRM
• Business Intelligence system
• Compliance Reporting system
• Backups
• Password Reset system
• Excel
• Flat files
• USBs
• Shared folders!

Page 21

Who has access to it?

• Front-office
• Back-office
• IT
• Research
• Customer service
• Vendors
• KYC
• Call Center
• Direct Sales Agents (Devil's in-Security Agents)
• DPs
• Registrars
• Settlement
• Finance & Accounts
• Cleaning Staff??

Page 22

Ok, now I’m just depressed…

But there’s more…

Page 23

Weak regulatory framework

• Unless someone serious starts kicking some serious ass, nothing's going to change…
  • RBI
  • SEBI
  • AMFI
  • IRDA
  • TRAI

But what about?

• UID?
• Healthcare??
• Pharma??
• FMCG??
• Retail??
• Government????

Page 24

Government's role

• No comprehensive national consciousness on data protection
• Data protection efforts not cohesive – don't address all industries
• Government endorses data theft and invasion of privacy?
  • Niira Radia tapes
  • Blackberry controversy
  • …

Page 25

Business comes first!

• Sell more!
• Expand market share!
• Heavy reliance on limited number of outsourced vendors
• Weak mechanisms to oversee data protection by vendors
• Vendors don't care…

Page 26

When things do end up in court…

• Judge: IT?!?
• Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err…
• Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the "cyber expert" we hired told us to do this
• Judge: Please continue!
• Senior Counsel: Sir we need a forensic investigation done
• Judge: What is that?!? Okay, seal the website!
• Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?

Page 27

Here’s how it gets done!

Page 28

Solutions?

Page 29

Solutions

• Technologies
  • Encryption
  • Data Leakage Prevention
  • Information Rights Management
  • Database security solutions
  • Audit/Log Management
• Stronger regulations
  • Stronger laws or stronger enforcement of existing laws
• Mindset change
  • Data protection does matter!
  • It is NOT a technology issue
  • Policy and process frameworks must be implemented
  • ISO 27001 is not the answer
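The Audit/Log Management item above, together with the earlier slides on where customer data lives and who can reach it, is the one place in the deck where a concrete control can be shown. The following is an added example written for this page, not code from the talk or from Network Intelligence: it reviews constructed access-log lines from a hypothetical CRM/trading database and flags two things a least-privilege policy would care about, exports of customer tables by roles that have no business need to export, and any user whose rows read in a day exceed that role's budget. The log format, the field names, the role names and the thresholds are all assumptions made for the example.

```python
"""Audit-log review for bulk customer-data access.

Added example (not from the talk). Parses constructed access-log lines from a
hypothetical CRM/trading system and flags (a) exports of sensitive tables by
roles that are not permitted to export and (b) users whose total rows read in
a day exceed the per-role budget. All formats, names and limits are assumed.
"""
from collections import defaultdict
import re

# Hypothetical log format: one event per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Assumed least-privilege policy: who may export customer tables, and how many
# rows each role may read per day before it is worth a second look.
EXPORT_ALLOWED = {"compliance", "research"}
DAILY_ROW_LIMIT = {
    "front_office": 500,
    "call_center": 200,
    "direct_sales": 100,
    "vendor": 100,
    "compliance": 50_000,
    "research": 50_000,
}
SENSITIVE_TABLES = {"customers", "holdings", "policies"}


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["day"] = rec["ts"][:10]  # ISO timestamp, date part only
    return rec


def review(lines):
    """Return a list of findings (tuples) for the given log lines."""
    findings = []
    totals = defaultdict(int)  # (day, user, role) -> rows touched
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # Unparsable lines are reported, not silently dropped.
            findings.append(("unparsed", line.strip()))
            continue
        if rec["table"] not in SENSITIVE_TABLES:
            continue
        if rec["action"] == "export" and rec["role"] not in EXPORT_ALLOWED:
            findings.append(("export_by_unprivileged_role",
                             rec["user"], rec["role"], rec["rows"]))
        totals[(rec["day"], rec["user"], rec["role"])] += rec["rows"]
    for (day, user, role), rows in sorted(totals.items()):
        limit = DAILY_ROW_LIMIT.get(role, 0)  # unknown roles get no budget
        if rows > limit:
            findings.append(("daily_row_limit_exceeded",
                             day, user, role, rows, limit))
    return findings


# Constructed sample log: a normal front-office read, a direct-sales agent
# pulling the whole customer table, a vendor creeping past its budget, and a
# legitimate compliance export.
SAMPLE_LOG = """\
2014-11-20T09:02:11 user=fo_21 role=front_office action=read table=customers rows=12
2014-11-20T09:40:03 user=dsa_104 role=direct_sales action=read table=customers rows=40
2014-11-20T10:15:02 user=dsa_104 role=direct_sales action=export table=customers rows=38000
2014-11-20T11:00:45 user=vend_07 role=vendor action=read table=policies rows=90
2014-11-20T11:05:10 user=vend_07 role=vendor action=read table=policies rows=60
2014-11-20T12:30:00 user=cmp_02 role=compliance action=export table=holdings rows=20000
2014-11-20T13:00:00 user=it_09 role=it action=read table=audit_config rows=3
"""


def review_sample():
    """Run the review over the constructed sample log."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Run as a script it prints three findings: the direct-sales export, the direct-sales daily total (38,040 rows against a budget of 100) and the vendor's 150 rows against a budget of 100. The compliance export is within policy and is not reported. The point the deck makes still stands: the thresholds only mean something once the business has decided which roles need which data, which is a policy and process decision before it is a logging one.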

Page 30

Conclusions

Page 31

Summary

• It is an epidemic, and it is getting worse!
• When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases
• Back to basics approach – thorough risk assessments!
• Identity and access management
• Technologies help, but it has to begin with PPP – Policy, Process, People
• Innovative audit/forensic techniques

Page 32

K. K. MOOKHEY

[email protected]

Thank you!

Questions / Queries

NETWORK INTELLIGENCE INDIA PVT. LTD.

www.niiconsulting.com