In a chat with ETtech, Chris Novak, Director – Investigative Response, Verizon Enterprise Solutions talks about why India lacks behind in cyber security, IoT security flaws and how enterprises go wrong in their outlook towards cyber security.
Why security is is always a catch up game?
You will never get perfect security standards because it will never exist. It’s more about developing the strategy and road map that is based on risks tolerances. If you do that in a realistic manner, organizations can be where they want to be in a few years time.
Why don’t organizations look at security as business enabler?
More mature organizations look at security as a market advantage. Most look at it as one of the things we need to have on the list and is least of our concerns as it costs money. For example – a rubber manufacturing company would not take security seriously as much a financial organization will do. You should also look at it from a availability perspective.
How difficult is to get a budget for security?
When you think of cyber security, you really need to think of governance and risk management practices. The organizations who have got it right are the ones who have linked security linked to the path of enterprise risks. Earlier people had a point solution approach which was a tactical approach. The moment you change the game and come into risk assessment, talk about enterprise risk management and from there you come down to security requirements, then the game plan changes.
What difference have you seen in the nature of attacks this year?
IoT devices related security has been a big concern. Now, we are seeing a neww uptake in its security issues. We will also see a lot of talk on Industrial control systems. This is the phase where you will see the cross over between the physical and cyber world in terms of how things are impacted to buildings facilities, power plants and utilities.
The other area we saw change is financial transactions. Frauds were earlier targeted at retailers but now they are going after bigger financial firms. We see banks loosing so many thousands of dollars.
How is India’s cyber security atmosphere?
The areas in India which we see are the most challenging are areas outside the financial services sector and it’s mostly the industries or markets that are not regulated that tend to go off and do very much whatever they feel.
The laws lack in terms of cyber security attacks. When attacks happen, they don’t get reported so there is no regulatory action taken. The public or the consumers does not know what has happened.
Where does Verizon’s solution come into play?
We look at it from industry and the individual customer perspective because things today would not be same in the next few years. When you look at the amount of recent investigations we have done around the globe and also the risk data that we get from our contributing partners; our source of data about cyber security shows what is happening and what is coming in the future. We use this data for modeling to help organizations structure what their strategic plans looks like.
For our Indian customers, we have a risk management team in the country which deals with digital forensics, investigations and we have mobile labs capabilities here. We have been selling security services in India since 2008 in terms of rapid response services, threat and vulnerability assessment, penetration assessment and even managed security services. We also do dark net investigation and reverse engineering on some of the platforms.
The only difference between India and other world centres is that cyber calamities do not get reported over here. Its only when customers looses financially they report the cases. There is less awareness.
Our mobile labs can be deployed at a customer’s location. If the customer is doing extensive amount of business or specific amounts of data involved or just it’s a speed consideration. Maybe, the time taken to transport the data from their location to physical wired location is too long then we can airlift the equipment to their facility and set it up and run all of our operations from a secure part of the building.
What about IoT security?
IoT security framework is different from current landscape. The current paradigm of security is generally for a fixed kind of types of devices such as laptops, servers, desktops or piece of network infrastructure. It’s got standard footprints which have been in use for many years.
The challenge with IoT is that they are not built on a common platform. There is not really any standardization across what’s coming out. We cannot fully acknowledge or grasp what the security landscape will look like. IoT devices are meant to run on low power and have a specific function. People who manufacture these devices look at security as the last element. For these devices made of sensors and chips, security does not become a part of the design.
Why have DDOS attacks been a commonality?
There are many available tools online for free for DDOS attacks. There are various vulnerable apparatus available which can be used as a part of the botnet for the attack. In case of DDOS, you are using someone else IP to create a weapon for such purposes. We are also found that tools or groups are able to amass larger quantities of devices to be used for the attacks.