CII Whitepaper India Cyber Risk & Resilience Review 2018
1. India Cyber Risk and Resilience Review 2018
UNDERSTANDING the THREATS & PLANNING YOUR DEFENCES
3. Cyberspace is rapidly transforming our lives – how we live, interact,
govern and create value. With the JAM (Jan Dhan, Aadhaar and
Mobile) trinity, India is at the forefront of global digital
transformation. “Digital India” is being hailed as the world's largest
technology led programme of its kind.
While internet, smartphones and modern information and
communication devices have been great force multipliers, endless
connectivity and proliferation of IoT devices is giving rise to
vulnerabilities, risks and concerns. Cyber security is today ranked
among top threats by governments and corporates. Heightened
concerns about data security and privacy have resulted in a spate of
regulations in India and across the world. India is in the process of
discussing and enacting its own comprehensive data security and
privacy regulation, as well as vertical specific ones. Cyber security is
an ecosystem where laws, organisations, skills, cooperation and
technical implementation would need to be in harmony to be
effective.
Overall, a robust regulatory framework based on global and
country-specific regulations, development of a holistic cyber
security eco-system (academia and industry as well as
entrepreneurial) and a coordinated global approach through
proactive cyber diplomacy would help to secure cyber space and
promote confidence and trust of key stakeholders including
citizens, businesses, political and security leaders.
CII has been actively working in the cyber security space. The CII
Task Force on Public Private Partnership for Security of the Cyber
Space has been set up to bring about improvements in the legal
framework to strengthen and maintain a safe cyberspace ecosystem
by capacity building through education and training
programmes. We would facilitate collaboration and cooperation
between Government and Industry in the area of cyber security in
general and protection of critical information infrastructure in
particular, covering cyber threats, vulnerabilities, breaches,
potential protective measures, and adoption of best practices.
The Conference on Securing Cyber Space in conjunction with the
Global Exhibition on Services would be a vibrant platform for
discussing these issues. I look forward to the deliberations at the
Conference.
Message from Confederation of Indian Industry
Chandrajit Banerjee
Director General
Confederation of Indian Industry
4. In today's rapidly evolving global digital world, the threat
landscape is increasingly becoming dynamic and complex. Since
the Target Data Breach in late 2013, various high profile
businesses and government organizations have been targeted
by adversaries causing irreparable financial as well as
reputational damages. One of the common threads that
emerges from these landmark data breaches is that the majority of
the threats remain constant, while the threat vectors keep
changing. As we build our cyber defences, adversaries
continually refine and develop new methods to attack while
evading detection as well. Public disclosures made by
companies like Sony Entertainment have brought to light the
extent of financial losses caused by such breaches and have
helped the issue of cyber security move from the IT department
to the corporate boardroom.
The current government's push towards Digital India has led to
rampant growth in digital initiatives including smart cities and
e-governance. With the proliferation of the internet,
adversaries are finding increased avenues to launch attacks
against lucrative targets. India's growing social media
population, unaware of the potential risks, has proved to be a
ready base for attackers for malware infections, stealing
Personally Identifiable Information (PII) and carrying out online
frauds. While defacement of Indian government websites has
been common, serious attacks like the one that breached the
information security of the Indian Navy have pushed the need for
advanced and sophisticated cyber defences.
Easy access to encrypted messaging applications and the dark
web has aided many terrorist organizations to effectively evade
the law enforcement agencies while they planned and executed
their attacks. In the wake of the current geo-political scenario,
issues of data sovereignty, data localization, encryption, and
data compatibility have been hot topics of discussions within
governments and law enforcement agencies.
India needs to rapidly step-up its cyber security efforts by
building sophisticated cyber intelligence and response
capabilities along with ensuring a steady supply of skilled cyber
security professionals to complement the investment in
technology and security infrastructure.
The India Cyber Security & Resilience Review 2018 is intended
to present research, insights and perspectives on the current
cyber security landscape while exploring potential defence
mechanisms against committed and sophisticated adversaries.
Foreword
7. The environment around us is increasingly getting “Smart &
Connected” with pervasive use of computing for almost all our
personal and business interactions. Technological Innovations
coupled with multi-fold increase in available bandwidth have
led to computing devices getting more capable and geographic
boundaries getting blurred. With massive amounts of data
being generated and shared, cyber criminals are always on the
lookout for ways and means to leverage any vulnerabilities in
our defenses.
HAZY CONFINES OF CYBER-ATTACK SURFACE
The dynamic nature of the digital environment and the fast
paced advancements in technology are constantly challenging
the definition of the “network perimeter”. Businesses are
increasingly becoming mobile with the adoption of cloud
computing enabling employees to access resources from
outside the corporate network even using personal devices. An
exponential rise in personal data in the recent past can be
attributed to smart devices getting affordable and propagation
of exciting “free services”.
“Smartphone connections to rise to 5.9 Billion by 2020 and
160.0 Exabytes of IP traffic to grow by 2019”. While these
advancements are aimed at increasing productivity and
enhancing user experience, the scattered network surface has
become a glaring concern for security professionals world-wide
as adequately protecting multiple entry points often proves to
be a daunting task. With rapidly changing expectations of
consumers of technology as well as regulators, organizations
will have to invest to develop enhanced protection for their
internal as well as external communication channels.
MacroView: Global Cyber Security Landscape
Figure: CYBER SECURITY RISK RADAR, mapping threats (among them ransomware, distributed denial of service attacks, client data theft, intellectual property theft, social engineering, CEO fraud and business email compromise, and website defacement) to the threat actors Organised Crime, Insider, Nation State, Hacktivist and Competitor, on scales running from LOW to VERY HIGH and from VERY LIKELY to REMOTE. Source: KPMG International
RISE OF SOPHISTICATED ADVERSARIES
Infamous data breaches of the recent past, including the Yahoo
breach and Equifax, which is one of the largest credit bureaus in
the US, were a grave reminder of how the adversaries are not
only becoming increasingly sophisticated but are also capable
of carrying out attacks while evading detection. The ability of
the attackers to infiltrate protected networks and remain
dormant before launching the actual attack has raised concerns
about the effectiveness of our intrusion detection mechanisms.
Many organizations assume that they could never become
victims of targeted attacks, that Advanced Persistent Threats
(APTs) are mostly used against governments, financial
institutions, and other critical infrastructure like energy and
utilities companies. However, according to reports, the same
techniques of targeted attacks are being used on a wide range
of industries and companies. Though these targeted attacks are
designed to escape the conventional detection methods,
intelligently designed incident response frameworks can
minimize the impact of an APT by fighting back. In the absence
of a strong security framework, the attackers disguise themselves as
legitimate traffic and establish connections to critical assets,
siphoning off valuable data with ease.
While the media has covered most sensational attacks like
Google, Adobe, RSA, Lockheed Martin, SONY, and PBS;
thousands of attacks have not been reported by government
agencies and corporations.
APTs focus on the weakest links of the defense chain, the target
is usually a specific vulnerability in the system and, more
importantly, specific people; people with the highest-level
access to the most valuable assets and resources.
AMALGAMATION OF ATTACK VECTORS
Both security professionals and attackers use a combination of
attack vectors to penetrate networks. While weak passwords
remain the most frequently exploited vulnerability; system
misconfigurations and unsupported legacy systems are the
areas frequently targeted by the attackers. Attackers use
techniques like social engineering through Malvertising and
Spear-Phishing to gain initial access to a protected network and
subsequently use a combination of attack vectors to gain high
level access and compromise the network.
AVERSION TO DISCLOSURE
The biggest fear of disclosing data breaches is the economic
impact caused by a dip in investor confidence, regulator penalties
and litigation. Several studies have shown that companies that
have been victims of a data breach have suffered a significant
drop in their stock value, taking them as long as two quarters to
recover from the damage.
Inadequate data on security breaches makes it difficult for
analysts to accurately estimate the costs and impacts of
cybercrime. This hampers the ability of organizations to
effectively engage in risk management and help their customers
understand the measures taken to safeguard their data.
COST OF ENDPOINT ATTACKS
System downtime: $1,252,650 (25%)
Theft of information assets: $1,152,438 (23%)
IT and end user productivity loss: $1,503,180 (30%)
Damage to infrastructure: $501,060 (10%)
Reputation damage: $400,848 (8%)
Lawsuits, fines and regulatory actions: $200,424 (4%)
Source: The Ponemon Institute
11. CYBERSPACE AND INDIA
India is one of the key players in the digital and knowledge-
based economy, holding more than a 50% share of the world's
outsourcing market. Pioneering and technology-inspired
programmes such as Aadhaar, MyGov, Government e-Market,
DigiLocker, Bharat Net, Startup India, Skill India and Smart Cities
are propelling India towards technological competence and
transformation. India is already the third largest hub for
technology-driven startups in the world, and its Information
and Communications Technology sector is estimated to reach
the $225 billion landmark by 2020. However, these
achievements come with a problem: innovation in technology,
enhanced connectivity, and increasing integration in commerce
and governance also make India the fifth most vulnerable
country in the world in terms of cybersecurity breaches,
according to the Internet Security Threat Report of 2017 by
Symantec.
Cyberspace is going to grow exponentially. This growth will
frame a landscape having billions of agile people using a wide
variety of devices, all of them connected in a way and sharing
data enormously. This will orient the businesses in India and
abroad towards being more cyber dependent, presenting
global opportunities with significant cyber security risks.
EMERGING THREAT LANDSCAPE
An analysis from anti-virus software firm Bitdefender found
ransomware payments hit $2 billion in 2017, twice as much as in
2016. Meanwhile, Trend Micro predicts global losses from
another growing trend, compromised business email scams,
will exceed $9 billion in 2018. The cyberattacks in the last year
have highlighted the alarming vulnerability of our personal
information. More tools used by government hackers have
become public, and it's easier than ever to create sophisticated
ways to spread malware or ransomware or steal data from
companies. Companies also frequently fail to patch security
flaws in a timely manner. Attack vectors like viruses, worms,
spyware, malware, etc. have proved to be the utilities for data
theft, cyber espionage and modern artillery of cyber-attack,
cyber crime, cyber warfare. These vectors have not only
advanced with technology but multiplied and adapted to be the
weapon of choice for cyber destruction.
There were major hacks in the last year in organisations such as
the CIA, Deloitte, Cellebrite, the entire City of Dallas, Virgin
America, Verifone and dozens of universities and US Federal
Agencies, including Oxford, Cambridge and NYU.
Attack Vector Trends
12. MALVERTISING ATTACKS
Late in 2017, news broke of multiple malicious hacker groups
using rigged online ads to push malware that hijacked the user's
computer resources to generate cryptocurrencies. There was a
major shift in the malicious advertising (malvertising) landscape
as cyber criminals looked for new ways to trap online ads to
plant viruses, trojans, spyware and other unwanted software
into computer systems. There were also malicious hackers
targeting an old WordPress software security flaw to infect more
than 1,000 websites with malware capable of injecting code to
serve malicious ads. A compromised advertising is believed to
be responsible for the malicious ads campaign, which aimed to
infect users' computers and phones with malware in this attack.
Mobile device users, social networking and retail ecommerce
business in India are expected to grow massively. Along with it,
online advertisement business will expand as they are
interlinked. Increased surface and massive user base will make
India a lucrative base for malvertising attacks in the coming lustrum.
RANSOMWARE SURGE
As many as 67% of Indian businesses were hit by ransomware
and 91% of them have claimed to be running an up-to-date
endpoint protection when the attack occurred. India also has
the highest level of infection among the 10 countries, followed
by Mexico, US, and Canada, while the global average of attacked
companies is 54%. Ransomware will dominate the
cybersecurity landscape in 2018, with businesses large and
small paying millions of dollars to unlock encrypted files.
Figure: CYBER ATTACKS IN 2017, a timeline running from January to November and naming Cerber, Jaff, Spora, WannaCry, Crysis, Petya / NotPetya / Nyetya / GoldenEye, the Ethereum hack, the Equifax data breach, the Locky Diablo6 ransomware attack, the Dragonfly 2.0 attack, KRACK Wi-Fi, Bad Rabbit and the IcedID trojan attack. Source: Accelerite
The level of sophistication in distribution methods and attack
vectors has expanded as well. There is a new compliance
mandate which adds to the cost of ransomware attacks,
regardless of whether data is recoverable or whether the victim
pays the ransom. 15% or more businesses in top 10 industry
sectors have been impacted by ransomware. One in four
businesses hit with ransomware have more than 1000
employees. Nearly half of ransomware attacks infect at least 20
employees.
The statistics do suggest, however, that attackers are gradually
shifting away from high volume “spray and pray” email
campaigns to more tightly targeted and cleverly customized
attacks aimed at larger companies with deeper pockets.
Increasingly, the ransomware model is to land and expand. As
per reports, one in five businesses that paid ransom never got
their files back.
For example, hackers may choose to target critical systems such
as power grids. Should the victim fail to pay the ransom
within a short period of time, the attackers may choose to shut
down the grid.
CRYPTOCURRENCY
This is also aiding the growth of ransomware as ransom
payment becomes easier. Bitcoin extortion is the latest form of
cyber extortion carried out using a combination of malware,
spear-phishing and ransomware. Its era started in India with
attacks on three banks and a pharmaceutical company
executing a crypto ransomware in January 2016.
2017 saw the proliferation of cryptomining malware, or
malicious software which surreptitiously mines for Monero and
other cryptocurrencies. Minerva Labs found that attackers have
turned to these tools to attract comparatively less attention
from law enforcement and anti-fraud professionals, while
enjoying a high level of anonymity and ease of cashing out illicit
gains. Indeed, these factors led attackers to victimize 1.65
million users in the first nine months of 2017 with malware that
consumed their machines' CPU, drove up power consumption
(and possibly cloud service payments), and in some cases
accompanied other digital threats.
SOME NOTABLE EXAMPLES STAND OUT:
• PhotoMiner spreads laterally on networks while collecting
credentials for servers, trojanizing files stored on it, infecting
users, collecting new information about pivoting servers.
• SnatchLoader is a typical downloader that added a
cryptomining module in 2017. It's likely this malware will be
the first of many to do so.
• CoinHive earned sixth place on Check Point's 10 top malware
for October 2017.
TRENDING: RANSOMWARE AS A SERVICE
Ransomware is available as a service, costing a percentage of
profit and an upfront fee. This would enable even the least tech
savvy cybercriminal to perform ransomware attacks without
hassle, thus increasing the likelihood and probability of these
attacks in coming years.
WANNACRY
It was a devastating ransomware attack which affected several
hundred thousand machines and crippled banks, law
enforcement agencies and other infrastructure. It was the first
strain of ransomware to use EternalBlue, exploiting a
vulnerability in Microsoft's Server Message Block (SMB)
protocol. A May 2017 worldwide WannaCry ransomware attack
was estimated to have affected more than 200,000 computers
across 150 countries, with total damages ranging from
hundreds of millions to billions of dollars.
NOTPETYA
It started as a fake Ukrainian tax software update, and infected
hundreds of computers in over 100 countries in a few days. It is a
variant of Petya, but uses the same exploit behind WannaCry. It
hit a number of firms in the US and caused major financial
damage. For example, the attack cost pharmaceutical giant
Merck more than USD 300 million in Q3 of 2017 alone, and a
similar amount in Q4. In 2018 extortion is expected to rise as
attackers look for new, innovative, machine enabled ways to
increase the return on their efforts.
HEADLESS WORM
IoT is likely to experience the emergence of new genes of worms
and viruses having ability to propagate from device to device.
Headless worms are an anticipated type of malware attack that
targets “headless devices”, or gadgets that run on their own
without having to be directed by a user. A headless worm could
allow attackers to grow a botnet more efficiently, enabling them
to launch even larger attacks.
GHOSTWARE AND BLASTWARE
Ghostware conceals its tracks by erasing all traces of its activity
once a system is breached. This type of malware makes it
especially difficult to figure out what has been compromised
during a breach. It also makes it hard for network security
specialists to fix the weaknesses that led to the successful
attack, since this type of malware doesn't leave a trail that
indicates its point of entry.
Along with Ghostware, cybercriminals may deploy Blastware
to inflict severe damage on critical infrastructure and
organization networks. After installation, it continues to
perform its intended activity until it suspects it has been detected or
reverse engineered. Upon suspicion of detection, it will
self-destruct and crash the whole system permanently. Blastware
is expected to be used in case of state-sponsored cybercrime
or Hacktivism.
Currently, India is one of the top countries having devices
infected by malwares. These emerging malware families are
going to add up to the problems in creation of a secure Indian
Cyberspace for businesses.
EQUIFAX
Cybercriminals penetrated Equifax (EFX), one of the largest
credit bureaus, and stole the personal data of 145 million
people. It was considered among the worst breaches of all time
because of the amount of sensitive information exposed,
including Social Security numbers.
BAD RABBIT
Another major ransomware campaign, called Bad Rabbit,
infiltrated computers by posing as an Adobe Flash installer on
news and media websites that hackers had compromised. Once
the ransomware infected a machine, it scanned the network for
shared folders with common names and attempted to steal user
credentials to get on other computers. The ransomware, which
hit in October 2017, mostly affected Russia, but experts saw
infections in Ukraine, Turkey and Germany.
MORE SANDBOX-EVADING MALWARE
Sandboxing technology has become an increasingly popular
method for detecting and preventing malware infections.
However, cyber-criminals are finding more ways to evade this
technology. For example, new strains of malware are able to
recognise when they are inside a sandbox, and wait until they
are outside the sandbox before executing the malicious code.
PHISHING AND SPEAR PHISHING
On 22 March 2016, Pivotal fell prey to a Phishing attack. A
phishing email was sent to Pivotal employees, ostensibly by
the Pivotal CEO, requesting payroll information. Assuming it was a
legitimate mail, an employee sent W-2 tax information of all
employees to an unknown party. No customer information was
compromised as part of this incident. After attack confirmation,
Pivotal sent a memo to its staff containing information of the
incident.
As many as 534 phishing incidents were reported last year, of
which 342 involved phishing websites hosted outside India,
according to Indian Computer Emergency Response Team
(CERT-In). The statistics of phishing attacks clearly indicate that
all business and government agencies in India are likely to suffer
more sophisticated and advanced phishing attacks in coming
years.
TWO-FACED MALWARE
Two-faced malware gets its name from how it presents one safe
“face” to your anti-virus, but retains its malicious “face” once it
is dubbed safe. This type of malware attack works by
recognizing when the computer's anti-virus isolates the
malware into a sandbox.
A sandbox is a designated “safe zone” used to test/check
questionable programs before they are given access to a
computer's drive and/or network. Two-faced malware senses
when it has been placed in a sandbox and escapes detection by
ceasing all malicious activity while isolated. In doing this, the
malware tricks the anti-virus into flagging said program as safe,
and it is released back onto the computer.
ARTIFICIAL INTELLIGENCE (AI) POWERED ATTACKS
According to security experts, 2018 will not only be a bad year
for data breaches, but the year of AI-powered cyberattacks,
which makes prevention more difficult. In such attacks,
machine learning is used to study patterns of normal user
behavior within a company's network.
It could help human cybercriminals customize attacks. AI
systems can help gather, organize and process large databases
to connect identifying information, making this type of attack
easier and faster to carry out. Furthermore, AI systems could
even be used to pull information together from multiple
sources to identify people who would be particularly vulnerable
to attack.
According to reports, artificial intelligence will make existing
cyber-attack efforts like identity theft, denial-of-service attacks,
and password cracking more powerful and more efficient. It can
steal money, cause emotional harm and even injure or kill
people. Larger attacks can cut power to hundreds of thousands
of people, shut down hospitals and even affect national
security.
LAND AND EXPAND ATTACKS
In case of land and expand attacks, the attackers gain access to
the system and expand their access throughout the network.
Sophisticated cyber attackers follow a systematic approach
involving careful reconnaissance, scanning, access, and
escalation.
In most cases, hackers gain privileged access using stolen
credentials. The intruders, once in, extract credentials that will
give them lateral motion throughout the network. To
accomplish this, attackers look for SSH keys, passwords,
certificates, Kerberos tickets and hashes of domain
administrators. Often, hackers will quietly monitor and record
activity on compromised systems. Then, they can use this
information to expand their control of the network.
UPCOMING THREATS IN 2020
Security firms are coming up with intelligent techniques for
threat detection along with application of big-data analytics for
threat prediction. To bypass astute systems, attackers will be
coming up with innovative attacks that will not only penetrate
the most secure and impregnable system but will also remain
undetected for quite a long period of time.
Last year, nearly 100 cyber security deals were happening every
quarter with average top line multiple of 9.4x and bottom line
multiple of 54.3x. This is much higher than the corresponding
number and valuation in IT field. Cyber Security market
continues to register double-digit growth, projected to become
a $232 billion global market by 2022 with an impressive
compounded annual growth rate of 11%.
In future, we may see furtive attacks for data theft on a system
covered under a direct DoS, malware or botnet attack. The
direct attacks would act as a distraction allowing the attackers
to perform their intended actions.
19. Internet of Things
When security researchers ran experiments on devices used on
a daily basis like coffee machines, video streaming USB dongles,
baby monitors and home security systems, it was found that all
of the devices tested could be hacked in some way. It is worrying
to know that a baby monitor enables a hacker to access the
camera connected to the same network and watch video feed
from it. Further, other products from the same vendor were
susceptible to giving away the user's credentials to the hackers.
Broadcasting of unencrypted information has proven to be the
Achilles' heel of the devices succumbing to an attack. Other
findings state that use of magnets by attackers can render home
security systems ineffective in stopping them from opening or
closing a window which was meant to be protected.
Figure: TOP USES OF IOT. Chart values: 50%, 45%, 40%, 40%, 48%. Categories: smart / automated building implementation; video surveillance; physical building security; ease-of-use for customers and employees; data collection for better business decisions. Source: US Department of Energy
20. SIGNIFICANCE OF IoT
IoT is based on the simple requirement of devices
communicating with each other without human interference.
While the inter-connection in most cases is immensely
beneficial, the problem is that it makes the consumer highly
susceptible to cyber-attacks. A study revealed that 70% of IoT
devices have serious security vulnerabilities, such as insecure
web interfaces and data transfers, insufficient authentication
methods, and a lack of consumer knowledge which leaves users
open to attacks.
So, it is not only the critical infrastructure, most of which is being
considerably hardened, but also the periphery which is
becoming the preferred point of entry. The challenge is to
understand the interconnectedness of devices which is a
convenience and a risk. In this regard, access to one provides
access to all.
That's a risk that security professionals need to be prepared to
face by integrating password requirements, user verification,
time-out sessions, two-factor authentication and other
sophisticated security protocols. IoT is at a nascent stage at the
moment but has shown a lot of potential to be a game changer.
The real value generated from IoT is from the analytics run on
the user data collected by the devices. Trends and patterns can
be found that businesses can leverage. IoT is set to change the
way people live and make cities smarter. The future is a move
from independently used devices and sensors to cross vendor
devices communicating to give a truly synergized service. With
wearables and healthcare devices leveraging the internet of
things, the future looks towards a highly connected and
efficient way of life.
Businesses are finding new ways to use IoT in their products and
services to create value for their customers. IoT is expected to
derive a range of benefits like improvements to products,
supply chain insight, extended product lifecycle and a smarter
way of life. The European Union has planned a system called
'eCall' which will cut down 50 to 60% of the response time for
emergency services, to be installed onto every vehicle.
With the number of 'Things' which will be connected set to go
up by 30% in 2018 as per Gartner, the up side of having devices
connected to each other will also increase the possibilities for
attackers to exploit vulnerabilities to gain unauthorized access.
RISKS TO IoT
Risks to organizations and governments have risen with the
emergence of the widespread IoT. Security experts classify
these risks into three categories viz. Business Risk, Operational
Risk and Technical Risk.
Business risks encompass user privacy risk, brand image risk,
compliance risk, financial risk, and Health & Safety risk. These
risks affect businesses directly. Operational risks include various
aspects like risk of degraded performance, access control and
shadow usage risks.
Technical risk is directly linked to the devices/sensors that
comprise the IoT. With the aim of a shorter 'Time to Market',
security is often not given priority during the
development phase of products. This results in a huge
number of vulnerable devices being rolled out to the
consumers. Multiple security breaches have resulted due to
improper management of sensitive information and user
privacy related to automation and digitization of devices.
Security researchers say that 21% of DDoS (Distributed Denial of
Service) attacks use devices from IoT instead of the
conventional Botnet of computers and laptops. Such statistics
highlight how difficult it is to keep devices secure as compared
with conventional computers. Vulnerabilities that require
hardware upgrade to be fixed are the biggest challenge faced by
device manufacturers.
MITIGATION
Governments and businesses must focus on securing the IoT
environment by undertaking the following measures:
• Perform Risk Assessment
• Business Impact Analysis to understand the extent of the
damage that can be caused
• Set up cyber response and incident management teams
• Incorporate stringent security measures in the SDLC
(Software Development Life-Cycle) and during manufacturing
of devices
• Check complete paths for data flow between devices for
loopholes leading to potential data exfiltration
• Implement adaptive policies and procedures, and governance
initiatives
• Encrypt all data irrespective of whether in transit or stored
• Gather cyber security intelligence to anticipate new attacks
• Maintain a patch management system
• Educate and make people aware as they are the weakest link
in any secure environment
[Figure: IoT devices at risk: malicious programs target "the Internet of Things". Headline: 2017 IoT malware activity more than doubled 2016 numbers. Timeline from 2008 to 2017 naming the IoT malware families Psybot, Tsunami, Gafgyt, Trojan.Linux.PNScan, Mirai, BrickerBot and Hydra, along with the clones Hajime, Remaiten and Moose.]
The number of new malware samples in the wild this year targeting connected internet of things (IoT) devices has already more than doubled last year's
total.
Currently, over 6 Billion 'smart' devices exist globally. It was when the Mirai Botnet emerged in 2016 that the whole world learned how dangerous such
devices may become in the hands of cyber criminals. However, the history of Malware attacking IoT devices began much earlier.
Advanced Persistent Threats & Hacktivism
Advanced Persistent Threats (APTs) lead to broadly four types of
losses to victim organizations: technical costs, productivity loss
cost, revenue costs, reputation loss costs. An Adelaide-based
communications, metal detection and mining technology firm's
experience provides an insight on the long term impacts of
hacking on companies. Executives at the said company were
unable to decipher the reason for a dip in sales and prices of
their metal detectors till the service centers reported receiving
faulty metal detectors with unrecognizable and inferior parts.
With the Australian government not offering support, the
company had to hire a private investigation firm in China for
raiding counterfeit factories. Security researchers found that
the attackers had managed to hack into an employee's laptop
when he used a hotel's Wi-Fi during a business trip in China. The
company's metal detector blueprints were exfiltrated to a
Chinese manufacturing chain selling counterfeit detectors in
Africa.
APTs have made their presence felt with incidents involving
Sony, Lockheed Martin, RSA, Google, Iran's nuclear facility and
the likes. APTs are advanced in the sense that they have the
expertise and intelligence gathering techniques to target
organizations and governments. They 'Persist' in the victim
systems to extract as much intellectual property as possible.
Financial theft is not usually the only objective. APTs operate
below the radar and are difficult to detect. APTs, which are
criminal organization or state backed, operate in the following
phases: Social Engineering, Infiltration, Maintain Access, Data
Exfiltration, and Cover Tracks.
[Figure: Advanced Persistent Threat (APT) lifecycle. Source: Varonis]
Hacktivism and Cyber Espionage incidences have shed light on
the extent of sophistication that attackers have.
HACKTIVISM
The term 'Hacktivism' was coined by juxtaposing 'Hack' and
'Activism' by a group of hackers that use the internet for
activism instead of the conventional banner wielding methods.
Hacktivism has stemmed from the belief that all information on
the internet should be free and accessible to all. It gained media
attention during the WikiLeaks era by being at odds with
organizations and governments over state sponsored
censorship of the internet. The most common form of
hacktivism is the DDoS (Distributed Denial of Service) attack,
which bombards servers with millions of requests,
making the servers go down. Such motives are a topic of debate
with some calling them criminal and others deeming them
noble.
RISKS
APTs and Hacktivists pose an evolving threat to organizations
and government agencies. Increased sophistication of Social
Engineering and Spear Phishing coupled with insufficient
Information Security procedures and practices elevate the risks
for organizations globally. Security experts are predicting that
the future will see 'persistency' of APTs vanish to enable better
stealth. In its place, 'Access-as-a-Service' of already breached
systems for the highest bidder will gain prevalence. The threats
are here to stay and become more intelligent. Researchers have
presented analysis which points at the fact that unemployment
will only add to the growth of professional Hacktivist groups like
'Anonymous'. With the Indian population that is connected to
the internet increasing at an exponential rate, hacktivism will
gain ground in India. The young will realize the potential of
promoting their message on cyberspace.
MITIGATION
Acknowledging the widespread presence of APTs and
Hacktivism, along with the risks that they pose, is the first step to
build resilience. The following steps must be taken to
mitigate risks and to build resilience. Defense-in-Depth or
multi-layered security controls are the need of the hour to
protect against sophisticated attacks.
LARGE ORGANIZATIONS AND GOVERNMENTS
• A proper policy and governance framework must be
formulated
• Real-time email and content analysis, intrusion detection
and prevention systems to gather intelligence and stop
attacks faster
• Pro-active patch management to fix vulnerabilities before
hackers get to them
• To reduce the impact of social engineering attacks, adhere to
the 'Least privilege policy'
• Security Information and Event Management (SIEM) systems
should be in place
• Understand that risks cannot be completely mitigated and
that recovery plans must also be in place and tested on a
regular basis
• Appropriate data disposal policy
• Media monitoring for hostile comments/views about your
organization
MEDIUM-SIZED ORGANIZATIONS
• Protect information like Intellectual Property when in transit
• Prefer multi-factor authentication to systems
• Fraud risk management assessment and proper monitoring
of logins from various geographically separated locations
• Employ security professionals in your organization
• Encrypt certain sensitive data in transit and when stored
• Invest in cyber intelligence gathering so that proactive
measures can be taken
SMALL ORGANIZATIONS
• Minimize the number of Internet connections and
implement filtering of websites
• Employ “whitelisting” to prevent programs unauthorized
access to the network and other resources
Smart Cities and Critical Infrastructure
Emerging risks to smart cities and critical infrastructure in India
SMART CITIES INDIA
Following Moore's Law, computing and mobile devices are
advancing technologically and are becoming smarter
periodically. This phenomenon has led to the development of
Smart Cities and eventually a Smarter Nation. India has a
mission of developing 98 smart cities. The Roadmap is already
in place and development activities are in full swing to achieve
this mission.
Industrial corridors created by smart cities between
metropolitan cities will foster rapid business development
leading to economic growth. Smart cities development will
improve quality of living by local area development and
nurturing technologies that lead to smarter outcomes. The
critical infrastructures of smart cities along with SMAC (Social
media, Mobility, Analytics, Cloud) lay the foundation for
essential and support services of these cities. Application of
smart solutions will enable cities to use technology, information
and data to improve infrastructure and services.
Smart cities have well networked and seamlessly interacting
systems. Compromise of one system will leave the complete
network vulnerable to failures; making it easy for attackers to
gain control and sabotage the cyber ecosystem of cities. With
IoT, the cyber landscape of Smart Cities broadens, comprising
critical infrastructure, smart phones, headless devices, etc. The
increasing attack surface makes it susceptible to invasion by
viruses, malicious worms, malware and other threat vectors.
With the increase in cyber-attacks and attack vectors, making
smart cities cyber resilient will be a big challenge for nations.
THE CORE INFRASTRUCTURE ELEMENTS IN A SMART CITY
WOULD INCLUDE:
• Adequate Water Supply
• Assured Electricity Supply
• Sanitation, including Solid Waste Management
• Efficient Urban Mobility and Public Transport
• Affordable Housing, especially for the Poor
• Robust IT Connectivity and Digitalization
• Health and Education
• Sustainable Environment
• Good Governance, especially E-governance and
Citizen Participation
• Safety and Security of Citizens, particularly Women,
Children and the Elderly
Source: Ministry of Housing and Urban Affairs, Government of India
CYBER-ATTACK ON CRITICAL INFRASTRUCTURE
In December 2015, Ukraine experienced a cyber-attack
disabling its power stations causing a blackout for several hours
in Ivano-Frankivsk region. 225,000 homes were affected in this
attack. Attackers used malware to take down three power
substations on the Ukrainian national grid. This attack was
coupled with DoS attack on phone systems inhibiting the ability
of users to report the blackout. The attack has highlighted the
severity of damage caused by targeting critical infrastructure,
highlighting it as the next potential target.
Critical infrastructure like power grids, oil and gas, water, etc.
are interconnected and controlled using ICT technologies these
days. Cyber secure critical infrastructures act as enablers for
growth and development of business and economy of a nation.
Modern societies are highly dependent on critical
infrastructure that provides essential and supporting services.
Attack on critical infrastructures will not only lead to system
failures but will also have a cascading effect leading to damage
or loss in terms of resources, money or human life. Data theft is
not the motive of the cyber-attack on critical infrastructure so
they are usually state sponsored. But as the count of data
thieves is quite high we may see attacks leading to the sale of
credentials of critical infrastructure, and cyber extortion.
PROTECTING CRITICAL INFRASTRUCTURE AND SMART CITIES
• Increasing cyber security awareness amongst Indian citizens
and stakeholders of critical infrastructure by imparting
training sessions, conducting awareness drives and
campaigns.
• Implementing ISO 22301 for minimising the impact of
cyber-attacks on critical infrastructure on businesses.
• Adapting and implementing international frameworks for
improving critical infrastructure cyber security.
• Developing laws and policy for protection of cyber and
critical infrastructure of smart cities.
• Coming up with internationally accepted security standards
that will be integrated into existing and emerging devices
during manufacturing. This integration will introduce the
security aspect into devices, making them more cyber
resilient.
• Perform appropriate testing of devices and vulnerability
assessment and penetration testing of ICT technologies used
in building smart cities and critical infrastructure.
• Development of dedicated government agencies taking
responsibility of enforcing cyber laws and cyber security in
smart cities and critical infrastructure implementation.
• IoT will increase source of data and amount of data flowing
across smart cities. Big-data analytics can be applied for
generating threat intelligence for risk mitigation and attack
prediction.
The Rise of State-Sponsored Attacks
Malicious attacks on infrastructure networks
Often, countries, in spite of being aware of or capable of stopping
cyber-attacks, turn a Nelson's eye since the attacks meet their political
objectives. These attacks are often politically motivated,
targeted, sophisticated, well-funded and could be incredibly
disruptive. Such attacks are used to acquire intelligence,
obstruct the objectives of a political entity or even target
electronic voting systems and manipulate public opinion. For
example, during 2016, much of the news was dominated by
reports of Russian agencies using cyber-attacks to extract
information that could be used to influence the US presidential
election.
Last year, in June it was reported by the Washington Post that
Russian government hackers penetrated the computer network
of the Democratic National Committee and gained access to the
entire database of opposition research on presidential
candidate Donald Trump. In December it was reported that
Russian hackers tried to penetrate the computer networks of
the Republican National Committee, using the same techniques
that allowed them to infiltrate its Democratic counterpart.
There are also isolated attacks on different nation states by the
major players such as Russia, UK, North Korea, US.
MITIGATION
• Governments must ensure that their internal networks are
isolated from the internet, and that extensive security checks
are carried out on the staff; given the level of
sophistication, expertise and finance behind these attacks,
they are difficult to protect against.
• The staff of an organisation needs to be sufficiently trained to
spot potential attacks.
• Governments should avoid purchasing technology from
untrusted sources.
CYBERTERRORISM
Cyberterrorism is the use of the Internet to conduct violent acts
that result in, or threaten, loss of life or significant bodily harm,
to achieve political gains through intimidation. It is also
sometimes considered an act of Internet terrorism where
terrorist activities, including acts of deliberate, large-scale
disruption of computer networks, especially of personal
computers attached to the Internet by means of tools such as
computer viruses, computer worms, phishing, and other
malicious software and hardware methods and programming
scripts.
Cyberterrorism can cause massive damage to government
systems, hospital records, and national security programs,
which might leave a country, community or organization in
turmoil and in fear of further attacks. For terrorists, cyber-based
attacks have distinct advantages over physical attacks. They can
be conducted remotely, anonymously, and relatively cheaply,
and they do not require significant investment in weapons,
explosives and personnel. The effects can be widespread and
profound. Incidents of cyberterrorism are likely to increase.
They will be conducted through denial of service attacks,
malware, and other methods that are difficult to envision today.
[Figure: Genesis and manifestation of cyber terrorism. Components shown: target, motivation, tools of attack, domain, method of action and impact.]
[Figure: The distribution of cyber-attacks across cultural, social, economic and political motivations. Incidents from 1995 to 2009 are grouped as politically motivated, socio-culturally motivated or economically motivated.]
Social, Mobile, Analytics, Cloud (SMAC) & BYOD
SMAC
SMAC or Social, Mobile, Analytics and Cloud Computing is a
platform that organizations are leveraging to drive innovation
and gain competitive advantage. The combined power of all
elements in SMAC enables businesses to gain customer insight
among other things. Retailers, for example, today get alerted by
a tweet from a disgruntled customer. The current government is
adopting SMAC platforms to aid in faster decision making and
connecting with the people to hear them out as well as making
e-Governance initiatives more efficient.
The tremendous surge in the data created and handled by Social
Media, consumer behavior shifting to mobility, harnessing data
using analytics and getting real time information that can be
leveraged through cloud has brought with it a plethora of cyber
security risks. The bright side of dealing with these risks is that
the technologies being used in SMAC are not new but only
working together in sync.
BYOD
BYOD (Bring Your Own Device) has been gaining popularity
because of its benefits like lower costs to the organization,
greater employee flexibility, and familiarity of technology. The
employees are happy as they get to work on a familiar device.
Organizations not only save on the CAPEX but also OPEX as
managing devices does not concern them. But at the same time,
with insider threats growing in large numbers, Identity and
Access Management (IAM) needs to be in place.
Cyber risks arise with all the data associated with SMAC and
BYOD. Social Media helps in coordinating violent protests and
also enables radical groups to bring terror globally. The Mumbai
terror attacks of 2008 first highlighted the use of social media by
terrorists for coordinating attacks. India is the second most
targeted country for cyber-crimes via Social Media. In recent
times, the nationwide shutdowns in April 2018 were
extensively planned using social media. Rumour mongering has
become a serious threat due to circulation of disruptive content
on social media.
RISKS
Major risks revolving around BYOD are inadequately secured
mobile devices, risks due to applications installed on the
devices, and the environment risks along with the lack of
awareness and carelessness. Considering the pace at which
start-ups are mushrooming in India, there will be an increased
use of BYOD initiatives. The analytics boom coupled with cloud,
mobility and significant social media penetration will also
ensure increased usage of SMAC platforms. Entry has become
simpler with endless devices, particularly smartphones and
wearable technologies, and less than aware consumers. It is
imperative that the security aspect is taken care of before
implementing BYOD and SMAC.
MITIGATION
SMAC:
• It is a good practice to define policies and procedures
regarding the use of customer data and that too after formal
consent
• A comprehensive security strategy that considers all four
aspects of SMAC as a whole instead of dealing with individual
aspects should be prepared and aligned with business
security and resilience plan
• Identity and Access Management along with strict access
control should be a key component of the security strategy
for SMAC
• Identifying various users, devices, applications comprising
SMAC for risk management along with taking care of
regulatory compliance will go a long way in mitigating risks
associated with SMAC platforms
• Public clouds have been under scrutiny because of doubts
over their security; it is recommended that hybrid cloud be
used, and sensitive data be preferably stored on private
cloud to get the best of both worlds of cost and security
CYBER SECURITY RISKS ASSOCIATED WITH BYOD
Source: The Ponemon Institute
• Data leakage / loss: 72%
• Unauthorised access to company data and system: 56%
• User download unsafe apps or contents: 54%
• Malware: 52%
• Lost or stolen devices: 50%
• Vulnerability exploits: 49%
• Inability to control endpoint security: 48%
• Ensuring security software is up to date: 39%
• Compliance with regulations: 38%
• Device management: 37%
• Network attacks via wi-fi: 35%
• Others / none: 4%
BYOD:
• Mobile Device Management Systems must be used to keep
track of the devices on the network and use multi-factor
authentication
• Removable media should be scanned as soon as a connection
to the corporate network is established
• Promote regular updating, patching and device data
encryption
• Infection and Incident response systems should be in place to
deal with an infection in the corporate network
• Generate awareness about permissions requested by
applications on devices
• Implement security control frameworks like the ones given
by NIST (National Institute of Standards and Technology)
The Weakest Link: Humans
Call center employees of a US telecom service giant accessed
information of more than 278,000 customer accounts without
authorization in 2015 with losses amounting to $25 million.
They got hold of PIIs (Personally Identifiable Information) that
could be used to unlock the company mobile phones. This
information was given to third parties who submitted 290,803
handset unlock requests via the online customer unlock request
portal. Not only did the telecom giant suffer financial loss, but
also reputation loss.
An Insider threat is any threat to an organization that originates
from people who are associated with it and possess access to
sensitive information which can lead to fraud, cyber sabotage
and theft. Risks arising from human actions can be either
intentional or unintentional.
India is no stranger to incidents involving insider threats.
Hindustan Unilever Ltd (HUL) dragged three of its former
employees to the Bombay High Court in April 2018 for allegedly
stealing data related to manufacturing of its products and other
confidential information.
Intentional risks span from threat sources like layoffs leading to
disgruntled employees, to temptation of financial gain from
selling of intellectual property to the highest bidder.
Unintentional risks are due to carelessness, lack of due diligence
on the part of employees or a plain human error. An external
actor gains access to internal networks and data using
credentials of legitimate users obtained by various social
engineering techniques (Single-stage/Multi-stage attacks) or by
buying compromised data off the 'Dark Web'.
According to a Crowd Research Partners 2018 report on insider
threats, 90% of organizations felt vulnerable to insider attacks.
The top three risk factors enabling the insider threat
vulnerability are excessive access privileges (37%), endpoint
access (36%), and information technology complexity (35%).
Many organizations tend to overestimate their defensive
capabilities and underestimate effectiveness of social
engineering. Recent incidents indicate that social engineering
and phishing attempts continue to succeed despite the
awareness generating initiatives undertaken by organizations.
“No security solution is ultimately stronger than its weakest
link”. With the growing trend of virtual organizations, hyper-
connectivity and mobility, insider threats will only grow as
insiders believe that the probability of getting caught stealing
information reduces when offsite.
MITIGATION
It is important to assess all possible threat sources leading to
insider risks. Also, the management must understand and
promote the fact that insider risk cannot be handled by the
information security vertical alone; it has to be a
cross-functional process throughout the organization. The right way
to go about mitigating insider threats is to prepare an insider
threat program and implement controls before association,
during employment and after termination of employment.
Identifying the valuable assets of the organization, having a
response and resilience plan is imperative along with the
Identity and Access Management program.
PRE-EMPLOYMENT SCREENING
• Proactive cyber security intelligence gathering for identifying
threat sources in advance
• Background screenings and reference cross checking
• Foster a risk-centric approach to the rising cyber security
threats
• Implement multi-factor authentication as weak, stolen or
default passwords continue to remain a major weak link in
data theft.
[Figure: Cyber dependency. Labels: supporting cyber technologies, national security, commerce, utilities management, governance & military, energy security, water security, food security, trade, social cohesion.]
DURING EMPLOYMENT/ASSOCIATION
• Integrate the threat management plan with business
strategy and cyber security practices
• Identify critical data and implement data protection instead
of focusing too much on perimeter hardening
• Hold regular cyber security awareness and training sessions
as most cases of insider risk are because of careless and/or
untrained users
• Make use of User Behavior Analytics (UBA) which involves
detection of unusual activity by monitoring user actions
especially of those with elevated privileges and/or with
access to sensitive data. Identification of risk tolerant
employees/partners can also be done
• Virtual Environments need to be hardened in a stringent manner,
have a data leakage prevention practice, and block
unapproved software
• Implement the 'Least-privilege policy' and grant permissions
only on a need-to-know basis. Block root access to users
• Include segregation of duties in every critical business
process
• Implement and regularly test a Business Continuity and
Disaster Recovery plan
AFTER TERMINATION
• Reaffirm employee agreements at the time of departure
• Increase monitoring of employees with impending
departure
• Get rid of means of access after departure by revoking
access, disabling ex-employee accounts
Cyber Supply Chain Security
CYBER ATTACKS VIA THIRD PARTY
In late 2013, the Target data breach shocked the whole retail
industry when the investigation revealed a third party
compromise or exposure can transmogrify a secure ecosystem
of business into a vulnerable one. Data breaches at Home Depot and
Boston Medical Center, and the PNI Photo hack that led to compromise
of online photo services at CVS, Costco and Sam's Club, are a few
supporting examples. In March 2016, Amex notified
cardholders about their account information which may have
been exposed after a third-party service provider suffered a
data breach. Systems owned or controlled by Amex remained
unaffected. Confidential customer data may have been
disclosed regardless of all security measures implemented by
Amex. These attacks are eye openers; illustrating the new
course adopted by cyber criminals for attacking larger
organizations by targeting trusted third-party vendors with
fewer or no security controls. Furthermore, terrorist attacks on
the supply chain have increased 16% year on year according to
BSI's report on Terrorist Threats to International Trade and the
Supply Chain.
SUPPLY CHAIN AND OUTSOURCING
Decades of advancement in technologies, Internet, mobile
devices, cloud computing along with globalization have
revolutionized the supply chain operations all over the world.
Organizations can now overcome geographical boundaries,
technological barriers and share large amounts of critical
business data with just a few clicks. Today, the supply chain of a
company can comprise suppliers and business
partners located across the globe. Along with environmental
and operational risk, this increase in attack surface has made
the supply chain prone to information and cyber risk.
India has become the world's choice as an outsourcing
destination, indicating India as a hub of third party service
providers providing a catalogue of IT and other services across
the globe. Cloud services and third party providers are business
enablers, empowering SMBs with platform and subscription
services. Customers trade off ownership, control and insight
over their data for the benefit of third party services, making
these providers a source of cyber risk for themselves. The
forecast shows a rising trend of outsourcing, which implies
increased involvement of third parties in all
businesses. The longer the chain of suppliers in a business, the
more vulnerable it makes an organization associated with it to
cyber-attacks.
VENDOR IS THE WEAK LINK
Third party vendors are the weakest link of any supply chain
which are exploited by attackers to get extensive access to the
destined organization assets. Enterprises are more focused on
securing their own networks, data and users. Many times,
enterprises will have a vast network of suppliers and partners,
made up of many smaller partners which blurs the visibility of
the complete supply chain from the cyber security perspective;
these chains can be easier targets for attackers when the enterprise
has implemented an in-house security program.
FACEBOOK/CAMBRIDGE ANALYTICA DATA SCANDAL
The recent admission of a data leak by Facebook turned out to
be an eye-opener for users and governments. In March, a
whistleblower came forward to say that Cambridge Analytica, a
data-mining firm, allegedly improperly accessed Facebook user
data through a third-party quiz app, and it used that data to
build psychological profiles to target voters with political ads.
When a user installs a new app using Facebook, the app
company gets access to the user's Facebook profile. According
to reports, roughly 87 million people's personal information
was accessible to Cambridge Analytica. If Cambridge Analytica
was able to put certain ads into specific people's feeds, it could
have influenced their political views on Facebook. The users
wereserved(attimesmisleading)adsthatrelatedtoissuesthey
felt strongly about, and that was designed to provoke a reaction
and a share. The probe has been launched to investigate the
effectsofthisdataleak.
SECURING THE SUPPLY CHAIN
With India becoming the hub of third-party services and statistics indicating a rise in cyber-crime in India, it has become a necessity to ensure that supply chains in India are cyber secure, to ensure prominent business growth.
Organizations need to implement the below measures to be resilient to cyber-attacks via third parties:
• Use common machine language so that security teams and vendors can better communicate, measure, and improve their programs.
• Make security controls a mandatory requirement for suppliers and require them to adhere to the same data handling processes and procedures as the organization.
• Implement ISO 27001 and ISO 22301 for information security and BCP. Moreover, ensure compliance for continued focus on information security in supplier relationships.
• Implement standard BS 31111 to enable better decision making by providing essential guidance for executive management to manage their cyber risk and resilience.
• Furthermore, comply with the upcoming General Data Protection Regulation (GDPR) standard.
• Use frameworks provided by MITRE and the National Institute of Standards and Technology (NIST), which can measure operations and controls.
• Conduct regular audits of third parties by external auditors to ensure compliance.
• Have well-documented BCP and DRP to ensure continued business with minimum impact in case of cyber-attacks.
• Ensure cyber insurance is in place to minimize the loss arising from data breaches due to third-party compromises.
• Gain clear insight into all the parties involved in the supply chain.
• Develop a first line of defense by educating all users about information and cyber security risks.
• Implement vendor risk management and cyber risk management programs.
• Organizations can use big-data analytics and open-source technology with learning algorithms to identify discrete supplier risk events from across the internet and social media.
[Figure: Supply chain attack. Steps of the attack shown: phishing e-mail to developers of Chrome extensions; credential theft of Chrome developer account; Chrome extension tampering; Internet traffic manipulation & malvertising; CloudFlare accounts credential theft; compromised Chrome extension pushed to systems. Related "ENISA Threat Landscape" threat types: phishing, identity theft, web application attack, web based attack. Source: European Union Agency for Network and Information Security]
Adoption of more sophisticated security technologies
Can new technologies keep up with evolving risks?
There are several new security technologies that are likely to see wider adoption in the next few years.
BLOCKCHAIN
A Blockchain is a distributed ledger technology that allows digital information to be distributed but not copied. It was originally devised for the digital currency Bitcoin; the tech community eventually found other potential uses for the technology.
Blockchain has the potential to improve data integrity and digital identities, and to enable safer IoT devices to prevent DDoS attacks. It offers a secure way to exchange any kind of goods, services, or transactions. Industrial growth increasingly depends on trusted partnerships, but increasing regulation, cybercrime and fraud are inhibiting expansion. To address these challenges, Blockchain will enable more agile value chains, faster product innovations, closer customer relationships, and quicker integration with the IoT and cloud technology. Further, Blockchain provides a lower cost of trade, with a trusted contract monitored without intervention from third parties who may not add direct value. It facilitates smart contracts, engagements, and agreements with inherent, robust cyber security features. The technology is likely to impact everyone from banking to power, education, healthcare, government and public sector. It is likely to provide confidentiality, integrity, and availability, offering improved resilience, encryption, auditing, and transparency. Hence, companies are targeting a range of uses for blockchain technology, from medical records management, to decentralized access control, to identity management.
THREE KEY BENEFITS OF USING BLOCKCHAIN FOR IoT
BUILD TRUST
• Build trust between parties and devices.
• Reduce risk of collusion and tampering.
REDUCE COST
• Reduce cost by removing overheads associated with middlemen and intermediaries.
ACCELERATE TRANSACTIONS
• Reduce settlement time from days to near instantaneous.
Source: IBM infographic
REMOTE BROWSERS
Remote Browsers is a technology which allows a user to browse
freely without exposing the corporate network. It achieves just
that by executing the code of a web page inside a secure virtual
container, located between a user's device and the Internet.
Files can be rendered remotely but only a visual representation
of the web content is sent to the user, and any malicious activity
is confined to that container.
So even if a naive user opens an infected email attachment, that
malware has nowhere to go—it will never touch their machine.
And at the end of each session, the disposable container is
destroyed, along with any malicious content. Hence, it can be
helpful for isolating a user's browsing session from the
network/endpoints. By moving browsing off the endpoint
device, off the corporate network, the impact of an attack is
greatly reduced, and the exfiltration of potentially sensitive
data can be prevented.
DECEPTION TECHNOLOGIES
Deception technologies imitate a company's critical assets and act as a trap for attackers looking to steal this data. Deceptions Technologies Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA). EDR can monitor endpoints and alert system admins of suspicious behavior, and NTA can be used to monitor network traffic to help determine the type, size, origin, destination and contents of data packets.
SOPHISTICATED REAL-TIME CHANGE AUDITING SOLUTIONS
This technology secures critical assets by detecting and
responding to user privilege abuse and suspicious file/folder
activity — either based on single event alert or threshold
condition. It can detect account modifications, deletions,
inactive user accounts, privileged mailbox access and a lot
more.
Cyber Insurance
In India, according to IBM and Ponemon Institute reports, the costs of data breaches are hurting organizations significantly. Companies incurred INR 4,210 per employee in 2017 as compared to INR 3,704 in 2016, according to the 2017 Cost of Data Breach Study. Notably, there has been a significant increase in both first-party and third-party losses. The average total organizational cost of a data breach increased by 12.3% to INR 11 crore from INR 9.7 crore. The cost includes not only the financial loss incurred by companies but also the cost of managing a breach. The report identified malicious or criminal attacks as the most common root cause of a data breach, with 41% of companies experiencing this. As many as 33% attributed a breach to system glitches, while 26% involved employee or contractor negligence.
With cybercrime enjoying a place in the top four economic crimes in the world, India does not lag in terms of financial losses arising due to cybercrime. According to reports by the Indian Computer Emergency Response Team (CERT-In), the number of cyber security incidents reported was 44,679 in 2014, 49,455 in 2015, 50,362 in 2016 and over 53,000 in 2017. Threats reported include phishing attacks, website intrusions and defacements or damages to data, as well as ransomware attacks.
India has seen its share of cyber-attacks leading to significant financial losses, with incidents like the recent defacement of the websites of the Defence Ministry and the Supreme Court. All such cyber security breaches have a huge financial impact.
Cyber risk can be mitigated by transferring a part of the risk, i.e. financial risk, to an insurance provider. Many business leaders are unaware of this.
BUILDING A CASE FOR CYBER INSURANCE
The growing online presence of businesses brings with it the risks associated with the internet. The burgeoning e-commerce and logistics industry in India, the increasing presence of online/mobile banking facilities and government initiatives like 'Digital India' and 'Smart Cities', coupled with the rising sophistication of cyber-attacks, make a strong case for cyber insurance. Organizations in India have been slow to act on the increasing cyber risks by buying cyber insurance, with most policies being bought mainly by BPOs who have it as a mandate in their contracts with clients. The healthcare and hospitality sectors, with their sensitive data, have been the most neglected regarding cyber insurance. High premiums and several exclusions in the policy pose hurdles for the spread of cyber security. But the cyber insurance market has matured and is growing at a rapid pace, and is slated to grow to USD 7 billion by 2020. Different industries have different insurance requirements, so there needs to be a high degree of customization in the cyber insurance policy rather than the 'one-size-fits-all' approach adopted traditionally by insurance providers. Most organizations generally insure their assets and buy health cover for employees but neglect their cyber liabilities. It is highly recommended that cyber liability be covered too.
BUYING CYBER INSURANCE
It is important to note that buying a cyber insurance cover does not mean overlooking other aspects of the cyber security program. No risk can be completely mitigated and there is always a residual risk. Cyber insurance is bought to cover the financial losses incurred in case of an unlikely event where the organization's systems are breached even after a proper cyber security plan is in place. Exclusions are always in place: policies do not cover losses due to reputation loss, loss of future revenue arising due to reputation damage, and losses incurred due to the reduced value of intellectual property. First-party coverage (covering the entity which was the victim of a cyber breach) and third-party coverage (covering vendors and IT service providers) are included in most policies.
Cyber insurance should be included in the risk management plans of organizations.
It is not very easy to determine the amount of cover that an organization needs. Techniques like cyber modelling and benchmarking help in arriving at a figure. Modelling deals with extrapolating past data to predict the 'what, how frequently and to what extent' of cyber-attacks. A drawback of this technique is the scarce availability of data for predictions and the lack of understanding of the insurable and uninsurable assets of the organization. Benchmarking, as the name suggests, provides a baseline to work with. This baseline is arrived at by analyzing the amount of coverage similar-sized firms take in a similar industry. It is highly advised that a holistic approach is undertaken when determining the cover to be bought. The overall risk environment of the organization, industry-specific factors and future trends should be considered before buying cyber insurance.
Key findings - Cyber security survey
• 87% of respondents say they need up to 50% more cyber security budget.
• 77% of respondents consider a careless member of staff as the most likely source of attack.
• 48% do not have a Security Operation Centre, even though they are becoming increasingly common.
• 36% of boards have sufficient cyber security knowledge for effective oversight of cyber risks.
• 12% feel it is very likely they would detect a sophisticated cyber attack.
• 63% of the organisations still keep cyber security reporting mostly within the IT function.
• 57% do not have, or only have an informal, threat intelligence program.
• 89% say their cyber security function does not fully meet their organisation's needs.
Source: EY Global Information Security Survey 2017-18
OUTLOOK
Organizations in the USA purchase around 90% of the world's cyber insurance. The buying is set to spread across the world. The cyber insurance market is expected to grow to 7.5 billion USD in premiums by 2020. More stringent exclusions and conditions are expected to be included in the policy document. The cost of buying cyber insurance is not expected to fall, as the number of insurance providers is very small. Cyber insurance cover will be incorporated in the cyber resilience plans of an organization. It is imperative that organizations be aware of what they can potentially lose and to what extent these losses can be borne.
Cyber Resilience Trends
Cyberspace has emerged as a global common. It requires safe and secure navigation by nations for trade, commerce and communication. Therefore, cyber security has become imperative in every sense of the word, be it social, political, economic or military.
India is an emerging economy with a lot of potential resources and a skilled workforce widely available for businesses to expand. ICT (Information and Communication Technologies) continues to find its place in all industries. Urbanization and digitization projects like Digital India, Aadhaar and Smart Cities by the government of India are significant steps towards becoming a Smarter Nation. As a smarter nation, India would provide a high quality of living to its people, embracing technologies with smarter outcomes and ensuring business sustainability. In the coming years, the cyberspace of India would expand massively, touching many aspects of our lives. Expansion will bring in new risks and threats as a challenge for India in securing its cyberspace.
India has made significant investments in creating organizations and their supporting structures to build cyber security capability, capacity and delivery mechanisms. India is ranked 23rd out of 165 nations in a 2017 global index that measures the commitment of nations across the world to cybersecurity.
[Figure: How the government has been increasing its cyber defence. Source: Times of India. Timeline dates shown: June 2016, March 2017, June 2017, April 2017, September 2017, January 2018. Events shown:
• RBI announces frameworks of cyber security and banks
• Ministry of Power announces setting up of 4 sectoral Computer Emergency Response Teams for power transmission and distribution
• RBI releases IT framework for NBSC sector
• IRDA releases guidelines on information and cyber security for insurers
• Sebi releases note on cyber security and cyber resilience framework for registrars to issue / share transfer agents
• UIDAI introduces 16-digit virtual ID to mask Aadhaar numbers
• UIDAI announces it will introduce facial authentication for Aadhaar by June 2018]
However, the emerging threats have overtaken India's pace and scale of efforts. India therefore needs to review and re-boot its efforts to raise the cyber security bar to meet 21st century challenges.
The following trends need to be addressed in India for it to become a cyber resilient nation.
LACK OF SKILLS
A lack of supply and increasing demand has made it impossible for companies to field the security programs which they need to defend their business. Furthermore, the skills shortage and inadequate numbers are having an impact on the existing cybersecurity workforce (i.e. overwhelming workload, limited time for training, etc.), processes (limited proactive planning, limited time to work with business units, etc.) and technology (limited time to customize or tune security controls, etc.). Notably, more than one million cyber security professionals are required in India by 2020.
COMPANIES ARE LIKELY TO BE HESITANT TO COMPLY WITH THE GDPR
The General Data Protection Regulation (GDPR) standard will be coming into effect on 25 May 2018. It consists of increased territorial scope, stricter consent laws and elevated rights for data subjects, to name a few. However, as per the reports, many companies will choose not to comply, as they claim that the cost of compliance outweighs the risks.
CYBER DIPLOMACY
Cyber diplomacy refers to the use of diplomatic tools, and the diplomatic mindset, to resolve issues arising in cyberspace. Historically, diplomacy has happened in secrecy, behind closed doors. However, new communication technologies are making diplomacy more open and public. These technologies are creating opportunities for governments to interact effectively with the public, resulting in cyberspace quickly becoming an arena for international diplomacy. Furthermore, it is not limited just to governments; the same could be carried out by non-state actors, including companies and NGOs.
Initiatives to Build Consensus and Co-operation on Cyber Incidents:
The proliferation of e-commerce has led to an unprecedented spurt in cybercrimes and other malicious acts committed in and through cyberspace, with an estimated cost to the global economy of over USD 400 billion per year. The borderless nature of cyberspace makes it incumbent on all nations to cooperate in combating and preventing such acts, including information exchange between law enforcement, military, and technical groups. Thus, consensus in approach while addressing incidents, and other cooperative agreements between the parties, can contribute greatly to global stability and increase trust in the e-business space. India can assist in developing specific mechanisms for improving cooperation to investigate and respond to cyber incidents and explore ways to contribute to overall trust building amongst the nations.
Confidence Building Measures for Strategic Stability and Setting Norms for State Behavior in Cyber Space:
Cyber space security is synonymous with the survival and sustenance of society in terms of social, economic, political and military capability, as the continued growth of cyber-attacks by malicious actors of all kinds has reached an intolerable point. This is coupled with far-reaching decisions being taken by military planners to build information weaponry. Stronger cybersecurity cooperation among major nations to deal with these threats is essential. While multilateral and multi-stakeholder bodies such as the United Nations Group of Governmental Experts (UN GGE) and others have made some progress on the development of norms of behavior and cybersecurity standards, practical cooperation and concrete agreement among nations is lagging. India should work towards building a common understanding on potential norms of behavior in cyberspace.
Taking Prominent Role for Building Regional Co-operation Amongst ASEAN & BRICS Nations:
Countries across the globe, including China, India and the United States, are engaged in a variety of bilateral and regional security conferences separately, as well as jointly. Established regional forums, such as the BRICS and the ASEAN Security Forum, can further provide an opportunity to increase cooperation on cyberspace issues and build trust. India should proactively participate to emerge as an opinion builder.
[Figure: Train 1,000,000 people in cyber security skill by 2020]
CYBER REGULATION
There has been a rapid increase in the use of the online environment, where millions of users have access to internet resources and are providing content daily. As a result, countries across the world are drawing up regulations to address threats to cyberspace. The major area of concern where regulation is desirable is data protection and data privacy, so that industry, public administrators, netizens, and academics can have confidence as online users.
In 2017, the US State Department passed the Cyber Diplomacy Act of 2017 bill. The bill recognizes the degree to which protecting security in cyberspace and promoting digital communications as a vital economic, social, and political bridge has become critical to the mission of the US government.
In India, the government has formed a ten-member committee under Justice B N Srikrishna to deliberate on a data protection framework for the country. The committee is to identify key data protection issues in India and recommend methods of addressing them. Meanwhile, the Digital Information Security in Healthcare Act (DISHA) is proposed to secure digital health records. All medical institutions maintain reports that contain every minute detail, such as the diagnosis of the disease and the treatment recommended, including any prescriptions given to the patient. Every hospital is supposed to keep the record of the patients safe because it consists of sensitive personal information about the patient. To protect the data, DISHA provides tougher privacy and security measures for digital health data. With rapid changes and advancements in cyberspace, more such regulations are required to be drawn up.
ARTIFICIAL INTELLIGENCE IN CYBER SECURITY
The implementation of AI systems in cyber security can serve as a real turning point. These systems come with several substantial benefits that will help prepare cybersecurity professionals for taking on cyber-attacks and safeguarding the enterprise.
AI algorithms use Machine Learning (ML) to adapt over time, which makes it easier to respond to cybersecurity risks. New generations of malware and cyber-attacks can be difficult to detect with conventional cybersecurity protocols. They evolve over time, so more dynamic approaches are necessary. Cybersecurity solutions that rely on ML use data from prior cyber-attacks to respond to newer but somewhat similar risks.
[Figure: 1. Talent-centric. Built on a foundation that makes cyber security everyone's responsibility: talent management; board and 3 LOD roles and responsibilities; risk and security culture; training & awareness. Other labels: Organisations Objectives, Organisations Outcomes]
Another great benefit of AI systems in cybersecurity is that they will free up an enormous amount of time for tech employees. AI is most commonly used to detect simple threats and attacks. Given that the simplest attacks usually have the simplest solutions, the systems are also likely to be able to remedy the situation on their own.
Another way AI systems can help is by categorizing attacks based on threat level. When deep machine learning principles are incorporated into systems, they can adapt over time, giving a dynamic edge over cyber terrorists.
AI systems that directly handle threats on their own do so according to a standardized procedure or playbook. Rather than the variability (and ultimately inaccuracy) that comes with a human touch, AI systems don't make mistakes in performing their function. As such, each threat is responded to in the most effective and appropriate way.
Cyber attacks are becoming more common, more sophisticated, and more impactful. However, AI systems can help address some of those problems and ultimately give business an advantage when facing a cyber-attack.
Recommendations
India needs to recognize and align to the transformative, disruptive and game-changing role of cyber security in driving 21st-century global economies, military doctrines, demographic preferences of societies and even political influences. Hence, development of Work Force, Research & Technology, Infrastructure and Policy is required for Building National Cyber Security Capability.
[Figure: Improving national cyber security capability: work force development, technology, infrastructure, policy]
WORKFORCE DEVELOPMENT:
• Develop the workforce as an enabling national asset to meet domestic as well as global security market needs.
• Educating employees regarding cybersecurity will make them the first line of defense for any industry and nation.
• Mandate universities/colleges to offer education in ICT Security at graduate, postgraduate and Ph.D. levels.
• Foster extensive collaboration with overseas universities for faculty and course contents.
• Foster global research and technology collaborations. Integrate Cyber Security & ICT Work Force and position globally.
• Build regional security innovation hubs for global clients.
• Mandate creation of an independent cadre alongside ICT jobs, and develop best practices to recruit and retain professionals.
• Build a National Skill Registry for Cyber Security.
RESEARCH AND TECHNOLOGY:
• Develop the science of Cyber Security at schools and colleges through specialized capsules and by amending the core curriculum.
• Develop and mandate university-led research & innovation.
• Promote and support the use of next-generation cybersecurity technologies.
• Develop a national initiative for the indigenous development of core security technologies, platforms & solutions.
• Build experiments, exercises and pilot projects to support wider participation in cyber security exercises.
• Promote IP building in security under a national initiative.
• Promote private sector R&D.
INFRASTRUCTURE:
• Mandate development and/or adoption of globally recognized security standards, frameworks, platforms and guidelines.
• Establish laboratories and Centers of Excellence (COEs) aligned to institutes/universities, industry and professional end user agencies.
• Mandate creation of cyber security testing, certification & clearing houses, and a national cyber test facility providing for network emulation, monitoring and audit, vulnerability analysis, simulated attacks, graduated response, performance analysis, and security assurance modeling.
• Mandate creation of a strong legal & regulatory framework for cyber related issues.
• New agencies and law firms would evolve for providing cyber security legal services in India and as a service to the world.
• Mandate creation of Regional Security R&D & Innovation Hubs comprising security industry clusters, R&D centers and academic institutions.
• Create Cyber Security industry clusters trained in high end security products & solutions.
• Foster extensive overseas collaborations through alliances, partnerships and joint ventures.
• Allow 100% FDI in critical technology areas of ICT security such as Technologies & Products Development, Large Systems Engineering & Integration etc.
POLICY FOR ENABLING ECOSYSTEM
• There is a need to understand and address gaps such as an incoherent, silo driven, inadequate focus on understanding the volume and complexity of full spectrum cyber security, and its impact on national security.
• Create a common body of knowledge for Cyber Security including cyber warfare.
• Build cyber security savvy leadership, subject matter experts, solution architects and system engineers to address the inadequate comprehension of lack of cyber security capability and its bearing on national security including the military dimension.
• Foster system strategic thinking at national scale about cyber warfare, build operational requirements, and articulate and validate cyber doctrine.
• Create strategic level focus on program blueprint, stakeholder agreement, resource allocation, funding priority and allocation, policy issues, thought leadership building, and training in security systems engineering.
• Create Program Execution Levers through investments in system engineering expertise and system integration facilities.
• The Indian diaspora and IT industry could be leveraged for building global scale cyber security capability.
• Government needs to make security technologies attractive for the private sector to invest in capability building.
About CII
The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering industry, Government, and civil society, through advisory and consultative processes. CII is a non-government, not-for-profit, industry-led and industry-managed organization, playing a proactive role in India's development process. Founded in 1895, India's premier business association has over 8000 members, from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 200,000 enterprises from around 240 national and regional sectoral industry bodies.
CII charts change by working closely with Government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialized services and strategic global linkages. It also provides a platform for consensus-building and networking on key issues. Extending its agenda beyond business, CII assists industry to identify and execute corporate citizenship programmes. Partnerships with civil society organizations carry forward corporate initiatives for integrated and inclusive development across diverse domains including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women, and water, to name a few.
The CII theme for 2016-17, Building National Competitiveness, emphasizes Industry's role in partnering Government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal. The focus is on six key enablers: Human Development; Corporate Integrity and Good Citizenship; Ease of Doing Business; Innovation and Technical Capability; Sustainability; and Integration with the World. With 66 offices, including 9 Centres of Excellence, in India, and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, UK, and USA, as well as institutional partnerships with 320 counterpart organizations in 106 countries, CII serves as a reference point for Indian industry and the international business community.
Confederation of Indian Industry
The Mantosh Sondhi Centre
23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000 / 24629994-7 * F: 91 11 24626149
E: info@cii.in * W: www.cii.in
About MitKat
MitKat Advisory is a global provider of integrated security and risk mitigation solutions and services. MitKat works collaboratively with leading global corporations, government and non-government organizations to protect people, assets, information and reputation. MitKat's team consists of best-in-class consultants from diverse backgrounds. For details, kindly visit www.mitkatadvisory.com
MitKat has offices in Delhi NCR, Mumbai, Bengaluru and Singapore, and through its network of partners, delivers operational support and risk management services across Asia and Africa.
MitKat's services include:
• Information security and business continuity advisory
• Managed security services
• IT security consulting and implementation assistance
• Physical security and safety consulting & design
• Threat Intelligence and travel risk management
• Business Intelligence, due diligence and integrity risk management
• Operational support and embedded security services
• Women's safety and empowerment
• Skills & entrepreneurship development and CSR advisory
MitKat is technology and vendor-agnostic and is able to offer impartial and unbiased advice to its clients to design 'fit-for-purpose' and 'best value' solutions to suit their specific business and operational needs.
MitKat is an equal opportunities employer and committed to highest standards of integrity, ethics, governance and compliance.
MitKat Advisory Services Private Limited
511 Ascot Center, Near Hilton Hotel, Andheri (E), Mumbai – 400 099
T (Mumbai): +91 22 2839 1243
T (Gurgaon): +91 124 455 9200 | T (Singapore): +65 8171 7554
E: contact@mitkatadvisory.com | W: www.mitkatadvisory.com