Cyber Resilience - Introductory Note & Setting the Context by Rama Vedashree CEO DSCI
Transcript of Cyber Resilience - Introductory Note & Setting the Context by Rama Vedashree CEO DSCI
A NASSCOM® Initiative
Rama Vedashree
Data Security Council of India
August 9, 2017
Hyderabad
Cyber & Privacy Challenges in the Digital World
Establishing Cyber Security Baseline
Digital Transformation
Digital Wave in India: Smart cities, Digital Payments, Industry 4.0, Cloud, Mobility, Cryptocurrencies, Artificial Intelligence, IoT, e-Governance
Technology Trends
Internet users (June’17): 450 million +
e-Payments: 707 million; 105 lakh crore value
Mobile wallet transactions (March’16 - March’17): 375% increase
Aadhaar authenticated transactions (2016): 100 crores
Telecom users (March’17): 1200 million +
IoT Devices (Draft IoT Policy, 2015): 200 million +
Changing Digitization Paradigm
Imperatives of “Digitization” are “increasingly opening up orgs to external interfaces & entities”
Design for “always on” is bringing many “devices in operations & transaction processing”
“Data centric business innovations” driving “unprecedented collection & processing of PII”
“Increasing exchanges of calls with cloud” are slowly leading to “full blown adoption of the cloud”
“Protocols & interfaces” designed for one environment are increasingly used in “new environments”
With the “adoption of digital channels” and advanced analytics, the role of organizations is moving towards customer advisory & models of self-help
“Ease of on boarding” (one hand) & “National ID scheme” (other hand) making “Biometrics central to authentication”
“Information’s role” is shifting from “measurement & monitoring” to “aiding automated decision making”
Globalization of Organizations & their supply chains
“Data Poor to Data Rich Nation”: Nation with Data Centric Risks
Digital Payments Emergence & Digitization of Banking… DBT, AEPS, PPI Wallets, Identity based banking
Technology Evolution
Technology Trends, Business Innovation &
Key Initiatives
• AI, robotics, IoT, SMAC, autonomous vehicles, 3D printing, nanotechnology, context computing, FinTechs, etc.
• Hyper-specialization, robotic processes, business process automations
• Digital Government, Smart Cities, Digital Inclusion & Mobile Governance
4th Industrial Revolution
• Convergence of physical, digital and biological world
• Built on 3rd revolution - Electronic & IT
• Digitization of core business processes (plants & machineries): ICS, SCADA
Data driven technologies
• Increasing capability of data collecting, processing & sharing
• Interconnected world and businesses – cross border data flows
• Volume, variety and velocity of data exponentially rising
• Sensors and their integration with the Internet, machine understanding of humans
• Real time generation, collection and processing
• Big Data Analytics will be used to reinvent 80% of business processes by 2020
Expanding Attack Surface
Periods shown on the slide: 1995 to 2004; 2005 to 2009; 2010 to 2014; 2015 to 2020
Viruses
Profit Malwares
APTs
IoT Attacks
Ransomware
Customer Centric DoS/DDoS
Data Breaches
Bio-Hacks
IP Theft
Espionage
Avatar Hijacking
Identity Theft
Cyber-Gang Wars
AR/VR Targeted
Phishing
Adware
Trojans
Worms
Psychological
Crypto Attacks
Cyber Security-Cyber Crime: Issues and Challenges
(Grouped on the slide under: Nature of Threat; Organizational Challenges; Domestic Issues; Global Challenges; Stakeholders’ Concerns)
Attacks on Critical Information Infrastructure
Poor awareness and cyber literacy
Cyber Security practices of SMBs across sectors
Lack of skilled workforce and resources
No focus on upgradation of legacy systems
Cyber Espionage on critical and sensitive information
Rising complexity of attacks - Ransomware and APTs
Cyber stalking and cyber bullying
Targeted breach, leaks, hacking and frauds
Obscenity and child abuse (pornography)
Piracy, Trademark, Copyright and IP violation
Security and Privacy protection treated as a Cost Centre
Offence dominant; attacks easy, defence very costly
Lack of Security and Privacy in Design of Products and Systems
Vulnerabilities out in the open for anyone to exploit
Rising Hacktivism in cyberspace
Compliance driven approach and practices for security
Social media trolling, fake news, ideology propagation
Inadequate laws and regulations on privacy & security
Diminishing Trust in ICT supply chain due to mass surveillance
Coordination, info-sharing amongst stakeholders
Lack of acceptable Norms and Rules of engagement
Lack of Cooperation & Collaboration amongst global stakeholders
Tracking cyber criminals and their extradition for cyber crimes
Dark Net – Drug and Gun Market; Money Laundering
Illegal transactions in non trackable Cryptocurrencies
Reporting issues of cyberattacks/ breaches
Modernization of LEAs and Capacity Building
Cyber Warfare: state & non state actors
Security Paradigm Shift
Pre - Digitization:
- Network Monitoring
- Intrusion Detection
- Multifactor Authentication
- Server monitoring
- Configuration Checks
- Signature Based Detection
- Incident Response
- Back Up
- Access Management
- Password Security
- App & Connectivity Security
- IT Risk Management
- Security Outsourced
- Assurance Services
- Physical Security
- Data Protection
- Security as Cost Centre
Age of Digitization:
- Anomaly Detection (AI, ML, DL)
- Behaviour Analytics (AI, ML, DL)
- Malware Detection (AI, ML, DL)
- Proactive Attack Detection
- Identity Security
- API Security
- Safe Secure Channels
- Enterprise Risks Visibility
- Secure Platforms & Clients
- DevSecOps
- Metadata Protection
- Resiliency
- Forward Leaning
- Hunting Skills
- Convergent Analytics
- Phygital Security
- Edge Computing Security
- Third Party Security
- Security in Boardroom
Govt. & PSUs Need to Bridge the Gap
Cyber Security Strategy - Next Gen Elements
99 % of Known vulnerabilities to be patched first
IoT Security Budget
Security of Recognition Technologies
Security disciplines converge while skills expand
Perimeter defence no longer a focus
Adaptive security or context-aware security
The shift from prevention to detection and response
Practice Proactive Defence
Security soared from back office to boardroom
Focus on robust resiliency of infra
Security of Person to Person
Security of Machine to Machine
Risks in e-Governance Ecosystem
Ecosystem layers and actors shown on the slide: Channels & Access Points (Home PCs, Mobile, Cyber Cafes, CSC); Connectivity (SWAN, NICNET/Broadband); Applications; Business Support; Data Centers (National, State); Databases (PI Records, Transaction Records); Citizens, Businesses, GOI Agencies, State Agencies, Service Providers, UIDAI, Public & Private Agencies, Payment Gateways
• Legacy Infra • Insecure endpoints • Illiterate citizens • Poor awareness
• Insecure transmission • Vulnerable comm • Compromised endpoint
• Non transparent Information practices • Data mining • Limitless collection & usage • Sharing for unintended purpose (Security) • Unauthorized access
• Vulnerable infrastructure • Data leakage possibilities • Weak application • Legacy Apps
• Financial Fraud • Identity theft • Compromised information • Physical harm
• Data Store • Data Search, Analysis • Targeted promotion
Secure Smart Cities
Urban Transformation; Infrastructure Digitization; Facilities Modernization; Interconnected Components
Components:
• Traffic Control
• Street Lighting
• Energy & Water Supply
• Public Transportation
• Security and Surveillance System
• City Management Solutions
• Smart Parking
• Sensors, M2M and IoT
• Waste Management
• Healthcare & Education
• Smart Apps
Security Challenges:
• Porting to new technology platforms without adequate testing
• Security still add-on; not built by design in products and applications
• Complex supply chain and increasing attack surface
• Poor encryption and authentication
• Unsecured wireless communication
• Legacy Systems; Patch deployment, updates and upgrades difficult
• City level capability and governance-CERT & City SOC required
• Shortage of skilled workforce
• Untested Response Plan/ Crisis Management plan
• Potential target by adversaries - Cyber terrorism
Attack Scenarios:
• Disruption of city operations
• Manipulating traffic controls to cause accidents
• Controlling speed of public transports
• Controlling sensors - faking data to create panic
• Hazardous repercussions -nuclear/ power/ energy misuse
• Privacy breach - smart meters, smart sensors and healthcare devices
Privacy Risks
Failure to have the appropriate legal authority to collect, use or disclose personal information
Excessive collection of PII (loss of operational control)
Unauthorized access to PII (loss of confidentiality)
Unauthorized modification of the PII (loss of integrity)
Loss, theft or unauthorized removal of the PII (loss of availability)
Unauthorized or inappropriate linking of PII
Failure to keep information appropriately secure
Retention of personal information for longer than necessary
Processing of PII without the knowledge or consent of the PII principal (unless such processing is provided for in the relevant legislation or regulation)
Sharing or repurposing PII with third parties (without the explicit informed consent of the data subject)
Privacy Protection in the age of Technology evolution
• Data collection, its economic value and usage by businesses
• Mass surveillance programs by nation states
• Impact of globalization and trans-border data flows
• Legal and regulatory requirements
• Cybercrime and warfare
• Increasing privacy breaches and concerns related to resulting impact on organizations’ brand value
Technology advancement and its implication:
Computing devices
Nature of communication networks
Analytics and big data
Internet of Things
Biometrics
Social, mobile and cloud technologies
Sensors and body devices
Cyber Security Imperatives of Digital World
(Column headings on the slide: Transition to Digital World; Attacks & Threats; National Response)
Transition of ‘Data Poor’ nation to ‘Data Rich’ nation
Increasing ‘Digital Footprint’ of Citizens & Entities
Cyber, a means for personal, social, financial & sensitive transactions
‘Increasing Innovation’ around collecting, processing & sharing information
‘Open/flexible Architectures’, bringing new players & devices into transaction processing
‘Digitization Wave’ transforming critical sector organizations
Expanded surface for attacks
Illegitimate use & processing of data
Risk of information theft and misuse
Attracting attention of criminals and adversaries
Possibilities of profiling & targeting users
High impact attacks on Critical Infrastructure
Preparedness to withstand/ counter attacks
Institutional arrangement & strength to respond to challenges
Policy & regulatory response to drive sectors & entities
Coordination & collaborations for collective defence & quick response
Responding to wider, audacious & high impact cyber attacks
Capability of LEAs to bring cyber criminals to justice
Protection of rights & interests of users in the cyber world
Existing Cyber Security Initiatives-India
Institutional Mechanism:
NCSC (NSCS-NSA); NCIIPC (NTRO)
CERTs (CERT-In; Fin-CERT and Power Sector CERT announced)
Joint Working Group (PPP)
Sector Skill Council (Skills)
IB-CART (Information Sharing)
ISEA (Capacity Building and Awareness)
Cyber Forensic Lab (Capacity Building)
LITD 17 Committee of BIS (Standards)
Industry – Setting up focused entity, DSCI (Policy, Assurance, Capacity Building and Awareness)
National Cyber Security Framework (timeline on the slide runs 2008 to 2017):
2008: Amendment to Information Technology Act, comprehensive provisions for cyber crimes
Joint Working Group for PPP on Cyber Security
Recognition of country as ‘authorizing nation’ under CCRA product certification scheme
National Cyber Security Policy
NCIIPC - Critical Infrastructure Protection
National Cyber Security Coordinator
2016: RBI Cyber Security Framework
State Cyber Security Policies – Telangana, AP
2017: IRDAI Cyber Security Framework
National Policies on IT, Telecom and Electronics
National Information Security Policy and Guidelines (NISPG)
Security Framework for Smart Cities
SEBI Cyber Security Guidelines
Data Protection:
IT (Amendment) Act Privacy clauses
Notification of privacy rules under Sec 43A of ITAA 2008
A P Shah Expert Group on Privacy; DoPT draft law
New Data protection law in making
Aadhaar Law and Regulations focusing on Privacy
Indian Cyber Security Ecosystem
(Based on info. in public domain & for listing purposes only; doesn’t represent hierarchy of any sort)
Government Departments and Agencies: NSCS, MeitY, MHA, MoC, MoD, MEA, NTRO, DoT, ICERT, NIC, CCA, STQC, TEC, C-DoT, CIRT Navy, CSG-DDP, DIARA, CERT Army, CERT Air Force
Also shown: NSA, NCSC, NCIIPC
Regulators: RBI, IRDA, SEBI, TRAI
LEA – State Police, Central Police, CBI
Intelligence - IB, RAW, NIA
Financial Sector (Additional): IB-CART, Fin-CERT
Recent DSCI Initiatives for Securing Digital India
• Digital Payments Security Alliance and Awareness Campaign
• Use Case Clearing House for Cyber Security
• Technology Capability Repository
Digital Payments Security Program
Bringing a variety of players and stakeholders together on the agenda of securing digital payments and building the national ecosystem
Engage with the various communities that will be influenced and impacted by the fast paced transition to digital payments and make them aware of the security issues emanating from it
Digital Payments Security Alliance
Functions: Industry deliberations; Best practices; RTs/Conferences, Policy deliberations, Industry Submissions
Target Segments: Banks & Financial Services, Payment systems, service providers, Technology Provider, Industry associations, ecommerce, Institutions like RBI, NPCI, IDRBT etc.
~ 25 Industry members from varied sectors
Digital Payments Security Campaign
Functions: Community awareness; Campaign Plan, Content Creation, Outreach
Target Segments: End User, Small and Medium Businesses, Traders
Channels covered: BHIM/UPI, AEPS and USSD; Digital wallets and Mobile Banking; Online banking and card schemes
Use Case Clearing House for Cyber Security
Use Cases are the descriptions of unmet requirements and identified problem areas where a customer is looking for a technology solution and its associated services. Discovery of niche white spaces/use cases in Cyber Security, accelerating innovation and product development by startups and entrepreneurs, and enabling their adoption, would be the guiding principles of the Use Case Clearing House.
Functions
Collaboration platform for industry, academia and government to generate ideas
Nation wide open application challenge for various communities to evolve the generated ideas/use cases
Commercially viable Prototype development by shortlisted players
Continuous pipeline of potential use cases to be picked up by product development partners and qualified pipeline for investors both private and government, including proposed innovation platform of MeitY
Investment Opportunities by government or private investors for commercialisation support and Industry Adoption
Synergising the Market needs; Research & Product Landscape in Leverage & Contribute Model
Repository of whitespaces/ideas
Enabling qualified pipeline for proposed innovation platform of MeitY
Creating continuous pipeline of commercially viable prototypes connecting them with stakeholders, resulting in cybersecurity industry development.
Outcome
Improved national employability
Cyber security industry development
Aid to national cyber security capability building
Brand building India as hub for cyber security
Make India emerge as a leader in cyber security
Technology Capability Repository
Improving the effectiveness of Cyber Competency in the country
Inputs - 25 Technology Areas from defined Target Communities: Services & Product Firms, Start ups, User Organizations, Global In House Centres, Global R&D centres, Freelancers, Academia, Research Institutes
Primary Research; Secondary Research; Data Crawling
Output: Consolidated view & Actionable Repository; Connect with nationwide cyber security entities and experts; Improved targeting and productivity for capability building; Better utilization of existing capabilities
Personas; Purpose; Views; Access
Agenda of the Day
Risk and Responsibility in a Hyper Connected World – The Future of Cyber Security
The dark side of the Fourth Industrial Revolution: Are our Boards Ready?
Information Exchange and Analysis | Initiative undertaken by IDRBT for Banking sector
BCI Global Cyber Resilience Survey 2017: Curated insights from the 2017 Global Survey report and perspectives from the C- Suite
Block Chain: The Next Frontier for Cybersecurity?
Threat Intelligence – a deep dive
Demystifying GDPR and its impact on India Inc.
Privacy imperatives in Technology & Data Centric Innovations
Contours of Corporate Forensics
Thank You…