Episode 1: Corporate Cyber Risk Landscape
As businesses and individuals readjust to a new dawn, we embark upon a journey to explore better ways of regulation, innovation and transactions. The Bombay Stock Exchange, in collaboration with Ark Legal (a law firm), launched a series titled REBOOT. The series aims to bring together the finest minds in Tech-Fin-Law to decode what the future holds, as we all relaunch ourselves in a brave new world.
The series was inaugurated on 27th July, 2020 with opening remarks from Shri Ashishkumar Chauhan, MD & CEO of BSE. He spoke about the challenges of securing remote working practices in a work-from-home environment, and expressed his concern about the increase in cybercrime. Chauhan said that organisations are at risk today, citing how Garmin was recently attacked with ransomware. Such breaches can lead to loss of trust and business. Personal data also continues to be a serious target during the pandemic. Although it is impossible to be 100% secure, one needs to take definite actions to secure networks. He also mentioned that BSE is fully compliant with the regulations provided by SEBI. Various layers of security, such as endpoint protection and training of personnel, are in place to secure the ultramodern BSE infrastructure.
The Chief Guest of the session, Lt General (Dr) Rajesh Pant, National Cyber Security Coordinator, Prime Minister’s Office, Government of India, said that the banking industry has been a key target of cyber attacks. He spoke about the perimeter no longer being a veritable boundary to internal systems; it has now extended to people’s homes. He informed us that they are looking at risks at the endpoint, identity and network levels. He also emphasised that, combined with geolocation, there needs to be better identification and attribution of cyber attacks. Enterprises also need to ensure that the identity a person presents is genuinely authentic. He expressed concern about mobile phones as a large threat surface. He mentioned that the creativity of cyber criminals is becoming more sophisticated each day, and that fraudsters have a sense for following the money trail. It is a very dangerous game being played against finance companies. He felt that vulnerabilities will always be there, but we need to make sure that networks and systems are safe and secure. Behaviour analysis and AI will play a major role in blocking cyber attacks. There is talk of zero trust and even “sub-zero” trust; one has to go to a new level beyond that.
Prof. Yuval Shavitt, cyber security expert, Tel Aviv University, Israel, added that today IP hijack attacks are the first stage of many advanced persistent threats (APTs). Mitigating these IP hijack attacks early will stop the APT before it manages to do harm. IP hijacking can also be used to break encryption, as in DROWN attacks. In the past, the Border Gateway Protocol (BGP) was used directly for IP hijack attacks. There is a recent trend towards stealthier attacks, such as data-plane manipulation and stealth BGP attacks. There were 14,000 incidents in 2017.
Current solutions monitor only BGP and offer limited path analysis. The BGProtect solution does active monitoring. There is a global BGProtect SaaS solution which applies AI rule engines together with a novel deep learning engine. One example of an IP hijack attack was the hijack of traffic from Canada to a Korean government network, done using a China Telecom PoP in Maryland, USA. There was a stealth hijack from the OVH cloud in France through Kiev to NYC. There was also a misconfiguration in which DNS traffic from India to the K root server was directed to Iran. IP hijack is a significant risk: infrastructure, government entities, financial entities and valuable data holders are all at risk. We need to understand the geography of the attacks.
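As an added illustration of the kind of monitoring described above (this is example code written for this summary, not BSE’s, BGProtect’s or Prof. Shavitt’s tooling), the following Python checks observed BGP announcements against a table of route origin authorisations, in the spirit of RPKI origin validation, and adds a simple neighbour check as a stand-in for path analysis. All prefixes, AS numbers, the authorisation table and the expected-upstream table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route origin authorisation: which AS may announce a prefix, and how specific it may be."""
    prefix: str
    max_len: int
    origin_as: int


# Constructed sample authorisations (hypothetical ASNs from the private range, documentation prefixes)
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
]

# Constructed table of expected upstream neighbours per origin AS (hypothetical)
EXPECTED_UPSTREAMS = {
    64500: {64510, 64511},
    64501: {64512},
}


def validate_route(prefix, as_path, roas=ROAS, upstreams=EXPECTED_UPSTREAMS):
    """Classify one observed announcement (as_path is collector-to-origin, origin last).

    Returns one of:
      "unknown"         no authorisation covers the prefix
      "invalid-origin"  covered prefix announced by an unauthorised origin AS (origin hijack)
      "invalid-length"  right origin, but more specific than allowed (more-specific hijack)
      "suspicious-path" origin is valid, but the AS next to it is not a known upstream
      "valid"           nothing anomalous
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    # Authorisations whose prefix covers the announced prefix (equal prefixes count as covered)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "unknown"
    same_origin = [r for r in covering if r.origin_as == origin]
    if not same_origin:
        return "invalid-origin"
    if not any(net.prefixlen <= r.max_len for r in same_origin):
        return "invalid-length"
    # Crude path check: the origin's immediate neighbour should be one of its known upstreams
    if len(as_path) >= 2 and origin in upstreams and as_path[-2] not in upstreams[origin]:
        return "suspicious-path"
    return "valid"


def triage(announcements, roas=ROAS, upstreams=EXPECTED_UPSTREAMS):
    """Return only the announcements an operator should look at, with their verdicts."""
    flagged = []
    for prefix, as_path in announcements:
        verdict = validate_route(prefix, as_path, roas, upstreams)
        if verdict != "valid":
            flagged.append((prefix, as_path, verdict))
    return flagged


# Constructed sample feed: (prefix, AS path as seen from a route collector)
SAMPLE_FEED = [
    ("203.0.113.0/24", [64520, 64510, 64500]),   # legitimate route via a known upstream
    ("203.0.113.0/24", [64520, 64530, 64666]),   # same prefix from an unauthorised origin
    ("198.51.100.0/25", [64520, 64512, 64501]),  # correct origin, but /25 exceeds max_len 24
    ("203.0.113.0/24", [64520, 64530, 64500]),   # origin valid, reached via an unexpected neighbour
    ("192.0.2.0/24", [64520, 64500]),            # prefix with no authorisation on record
]

if __name__ == "__main__":
    for prefix, path, verdict in triage(SAMPLE_FEED):
        print(f"{verdict:16} {prefix:18} path={path}")
```

The origin checks mirror what RPKI-based validation catches; the neighbour check is deliberately simple and only shows why the passage calls plain BGP monitoring insufficient: a route with a perfectly valid origin can still arrive through an unexpected path, which is the class of stealth attack that needs active, path-aware monitoring rather than origin checks alone.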
Shri Brijesh Singh, Inspector General, Maharashtra, said there used to be talk about ‘bring your own device’, but now the office has come home. This has opened up a huge threat surface for malicious actors.
He spoke about the ‘fabric of security’ approach to cyber defence. Today, ransomware can also be a data-stealing attack; these actors now leverage stolen data for blackmail. He spoke of data breaches as a serious cause for concern, as the year 2019 witnessed 8 billion data breaches, while the month of May 2020 alone already witnessed 8.8 billion.
Mr. Singh also emphasised that one has to understand one’s business well. Earlier, attacks were on accounts; next there were attacks on the infrastructure; but now they are sitting inside your technology. Malicious attackers understand who you are, what you do and how you secure your infrastructure. It is essential to understand the modus operandi of these attacks. Industry needs to be smart about taking backups and about making staff aware of the latest threats. Singh mentioned that BSE has one of the best systems he has ever seen. We need to reiterate that cyber risk is existential, and a business risk rather than an IT issue. Mr. Singh recommended a cyber risk governance framework and called for efficient leadership in cyberspace.
In her address, Ms. Khusbhu Jain, practising Advocate at the Supreme Court and Partner at Ark Legal, touched upon the legal aspects of a cyber attack. She emphasised that one has to understand how to handle the legal part and the need to prepare for damage control and crisis management. You need to understand what kind of data has been breached, which customers are impacted, and how, she said. One also needs to understand the nature of the breached data, whether it is critical data, sensitive data or personal data. Ms. Jain explained the kind of safety measures one needs to follow when the stakes are high, as the GDPR (General Data Protection Regulation) sets a maximum fine of €20 million (about £17.8 million) or 4% of annual global turnover, whichever is greater, for infringements. However, not all GDPR infringements lead to data protection fines, she reassured.
In today’s world one cannot avoid a cyber attack; therefore corporates should prepare before an attack, with proper safety measures in place. Appropriate audits, systems compliance and the like also have to be in place to ensure protection from legal liability. There may be specific industry-wide standards later; as of now, we have to comply with the ISO/IEC 27000 series. She felt that there is a need to have proper legal SOPs in place. She also emphasised the need to understand the data principles and to redesign systems to minimise the risk of exposure due to cybercrime.
Shri Shivkumar Pandey, CISO, BSE, delivered the vote of thanks. He noted that changing the system to meet the needs of the business is important, and that there should be better understanding between finance, technology and law.