Essential guide to the roadmap of security


Read about the importance of cybersecurity and why organisations have to be alert at all times

by Suchitra Steven Samuel

Published: Wed 17 Apr 2019, 11:36 AM

Last updated: Mon 22 Apr 2019, 1:44 PM

Technology is ever-changing. Two years back, the top trending malware was ransomware, and since the spike of prices in cryptocurrencies, it was observed that cybercriminals shifted from "ransomware" to "cryptominers", according to Mathan Babu Kasilingam, CISO, National Payments Corporation of India (NPCI), India, in an interview with Khaleej Times.
"In terms of attacks, you will often find that supply-chain attacks are also emerging, especially from the open source community, where one popular library code is poisoned by attackers, which makes all the subsequent software using this library vulnerable," he notes.
According to the CISO, vendors have realised the value of Machine Learning and Artificial Intelligence, and are incorporating these concepts into their solutions to identify newer threats and attackers who are using zero-day attacks. The aim is to learn the behaviour and methods of attackers, rather than catching them via trivial hash- and IOC-based methods.
"With the enforcement of Payment Standards such as PCI-DSS, and Privacy Standards such as GDPR enforced last year, security vendors also have to comply with them so they can work with clients of financial sectors," he adds.

Emerging technologies in banks
According to Kasilingam, banks are also moving to behaviour-based monitoring solutions where user behaviour is monitored for anomalies, to identify disgruntled employees, internal threats and attackers lurking in the corporate network.
"New technologies such as Decoy/Honeypot solutions are also on the roadmap of banks, as these technologies may not help us block the attacks happening in the network, but they can be used to detect attackers who are bypassing the existing security controls based on Cyber-kill methodology," he explains.
It is interesting to note that the technological expertise required to conduct cyber-attacks has dramatically reduced. Kids less than 12 years old are targeting applications and websites with a hope to identify vulnerabilities via bug hunting platforms, and these are just the white hats. "On the other side, the black hat hackers are scanning the internet daily to find one open door into the organisation, no matter what size. Financial organisations such as banks need to keep the security at the topmost level, as thousands of customers trust these controls while placing their faith and money with these banks," he warns.
Kasilingam confirms that HackerOne, a popular bug bounty website, has reported that a 19-year-old teenager is the first self-made millionaire hacker via their platform. The hacker has reported several critical vulnerabilities in many of the popular companies, which implies that nobody is secure, even the biggest players in the market.
As for the mistakes organisations make, Kasilingam says, "There are several of them, but the biggest one is patch management. Bugs are reported every day, and looking at the inventory a medium to large size company maintains are in thousands, and business runs 24*7, thus restarting these critical assets post upgrade impacts business."
Kasilingam continues, "Organisations generally maintain a patch cycle of 90 days, to upgrade these systems. During this time, even a one-day, or 30-day old vulnerability is still exploitable, which puts an entire organisation at risk. Patch management is the biggest gap we observe in the security industry, and generally, lack of these patches does cause havoc like WannaCry."

Right talent
Kasilingam shares that finding the right talent is always a challenge, and retaining it is an even bigger one. Security teams are always bound by the budget they have and by HR policies, which generally look at the years of experience a person has rather than the skills.
"There are always job aspirants looking for the job in the market, but finding the right one that suits your needs is always a challenge. Sometimes you can hire a hardworking person who potentially can fit the job description when provided with the right training and time to work upon the skills required," he says.
The CISO says that equipping the person with the right tools is a different challenge, as this is not just limited to finding the right tool. The potential difficulties include procuring the tool, arranging the infrastructure, deploying it the right way, testing it thoroughly, and then handing it over to the right team for maintenance and usage during the crisis time.

FutureSec
Kasilingam confirms that platforms such as FutureSec allow companies to gather the defenders of the networks and allow them to learn from the experience of fellow leaders. "The experience includes their stories on how they defend the organisations, what threats they are facing and how they are solving problems to tackle every growing cyber threat," he says.

"FutureSec also connects us with the security vendors who are bringing the latest solutions to protect our organisation and help us detect threats in our environment before they reach their final objectives. It's important for us, the security leaders to be well aware of the latest tools available in the market and get insights on how leaders like ourselves defend their respective networks to learn from each other," he adds.

Kasilingam concludes, "Learning where we stand in the vast world through platforms like FutureSec, allows us to assess the gaps we have, and thus allowing us to know where we need to put our efforts."

- suchitra@khaleejtimes.com