Data theft in india (K K Mookhey)
![Page 1: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/1.jpg)
Data Theft in India
K. K. Mookhey, Principal Consultant
CISA, CISSP, CISM
- Straight talk, no nonsense
![Page 2: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/2.jpg)
Speaker Introduction
• Founder & Principal Consultant
  • Network Intelligence
  • Institute of Information Security
• Certified as CISA, CISSP and CISM
• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
• Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
• Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
• Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
![Page 3: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/3.jpg)
Agenda
• What’s the ground reality
• Recent news
• Financial institution data theft explored
• Challenges
• Solutions
• Conclusion
![Page 4: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/4.jpg)
Let’s see now….
![Page 5: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/5.jpg)
Well, yes Sir, you’ve been had!
![Page 6: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/6.jpg)
It’s not paranoia…
It’s actually happening!
![Page 7: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/7.jpg)
Data theft in the recent past
![Page 8: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/8.jpg)
![Page 9: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/9.jpg)
![Page 10: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/10.jpg)
![Page 11: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/11.jpg)
![Page 12: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/12.jpg)
What price India?
Online examples…
![Page 13: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/13.jpg)
Less than 1 cent per record!
• http://www.jobstiger.com/emaildatabaseindia.html
• http://www.kumudhamwebtech.com/
• http://hyderabad.olx.in/38-lakh-stock-market-traders-dmat-account-holders-database-44000-sub-brokers-iid-106295300
• http://www.ebusinessindya.biz/
• http://www.mobiledataindia.com/
• http://www.gsquare.biz/data.html
![Page 14: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/14.jpg)
Fresh record price = Rs. 75
Converted customer price = Rs. 150
View from the trenches…
![Page 15: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/15.jpg)
Pick an industry, pick a company
• Large business house gets into the financial services industry with a big bang
• But slightly late in the game
• Huge marketing blitz, offices opened nationwide
• Aggressive marketing, huge ad spends
• Customer base widens
• Assets under management bloats
• In a couple of years, they’re within the top 5 private insurers, equity trading companies, and mutual funds!
• However…
![Page 16: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/16.jpg)
Data all over the place…
• Specific mutual fund purchase records available for a price
• Customers get calls just before their fund payments are due
• Customers get calls to switch funds
• Specific data available:
  • Customer name
  • Cover amount
  • Investment amounts
  • Fund details
  • Personal information
  • Expiry dates
  • And more…
![Page 17: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/17.jpg)
What should the company do to fix this?
![Page 18: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/18.jpg)
Why data isn’t being protected
![Page 19: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/19.jpg)
No one gives a damn!
![Page 20: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/20.jpg)
Where is the customer data? – Equity Trader Example
• Primary Trading system
• CRM
• Business Intelligence system
• Compliance Reporting system
• Backups
• Password Reset system
• Excel
• Flat files
• USBs
• Shared folders!
![Page 21: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/21.jpg)
Who has access to it?
• Front-office
• Back-office
• IT
• Research
• Customer service
• Vendors
• KYC
• Call Center
• Direct Sales Agents (Devil’s in-Security Agents)
• DPs
• Registrars
• Settlement
• Finance & Accounts
• Cleaning Staff??
![Page 22: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/22.jpg)
Ok, now I’m just depressed…
But there’s more…
![Page 23: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/23.jpg)
Weak regulatory framework
• Unless someone serious starts kicking some serious ass, nothing’s going to change…
• RBI
• SEBI
• AMFI
• IRDA
• TRAI
But what about?
• UID?
• Healthcare??
• Pharma??
• FMCG??
• Retail??
• Government????
![Page 24: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/24.jpg)
Government’s role
• No comprehensive national consciousness on data protection
• Data protection efforts not cohesive – don’t address all industries
• Government endorses data theft and invasion of privacy?
• Niira Radia tapes
• Blackberry controversy
• …
![Page 25: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/25.jpg)
Business comes first!
• Sell more!
• Expand market share!
• Heavy reliance on limited number of outsourced vendors
• Weak mechanisms to oversee data protection by vendors
• Vendors don’t care…
![Page 26: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/26.jpg)
When things do end up in court…
• Judge: IT?!?
• Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err…
• Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the “cyber expert” we hired told us to do this
• Judge: Please continue!
• Senior Counsel: Sir we need a forensic investigation done
• Judge: What is that?!? Okay, seal the website!
• Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
![Page 27: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/27.jpg)
Here’s how it gets done!
![Page 28: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/28.jpg)
Solutions?
![Page 29: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/29.jpg)
Solutions
• Technologies
• Encryption
• Data Leakage Prevention
• Information Rights Management
• Database security solutions
• Audit/Log Management
• Stronger regulations
• Stronger laws or stronger enforcement of existing laws
• Mindset change
• Data protection does matter!
• It is NOT a technology issue
• Policy and process frameworks must be implemented
• ISO 27001 is not the answer
![Page 30: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/30.jpg)
Conclusions
![Page 31: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/31.jpg)
Summary
• It is an epidemic, and it is getting worse!
• When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases
• Back to basics approach – thorough risk assessments!
• Identity and access management
• Technologies help, but it has to begin with PPP – Policy, Process, People
• Innovative audit/forensic techniques
![Page 32: Data theft in india (K K Mookhey)](https://reader033.fdocuments.net/reader033/viewer/2022051609/547d4a0eb4af9fd3158b5405/html5/thumbnails/32.jpg)
K. K. MOOKHEY
Thank you!
Questions / Queries
NETWORK INTELLIGENCE INDIA PVT. LTD.
www.niiconsulting.com