In association with
Presented by
Supported by
GLOBAL CYBER SECURITY OUTLOOK
A.K.Vishwanathan, Senior Director Enterprise Risk Services, Deloitte India
SEPT 19, 2014
Hotel Digital Security Seminar
A.K.Vishwanathan
Vis is a Chartered Accountant, holds the Certified in Risk and Information Systems Control (CRISC) credential and is a member of the Information Systems Audit and Control Association (ISACA).
He has advised large organisations in their information security and controls endeavours, and has led risk consulting in complex environments and regulated industries, specifically banking and financial services, telecom, manufacturing, oil and gas, pharma and life sciences, and the government sector.
Hotel Digital Security Seminar & Webinar, Sept 19, 2014
By X Events Hospitality (www.x-events.in)
Agenda
Current state
Case study
Solutions
Way forward
Current state
Recent trends in India
Over 35% of Indian organizations across various sectors have engaged in corporate espionage.
Nearly 14,000 websites were hacked by cyber criminals till October 2012, an increase of nearly 57% from 2009.
[Chart: Number of Cyber Crimes under IT Act, 2008 to 2013, scale 0 to 5000. Source: NCRB (National Crime Records Bureau)]
81% of the CXOs in these sectors report an increase in information security spending over the coming few years.
The website of the Indian Embassy in Tunisia was hacked in June 2014 in retaliation for the terrorist attack on Karachi Airport. The embassy website was hacked by a group called Hunt3R.
Key information security challenges: pain areas
The following are the key information security challenges faced by major organizations in India:
01 Phishing & Identity Theft: Phishing attacks targeted at GOI employees to steal identities and data. The GhostNet attacks on Indian Government employees were conducted through spear-phishing.
02 Cyber Spying: Illegal interception of government data by foreign countries. The NSA has been alleged to have planted bugs in the Indian embassy in Washington DC.
03 Virus and Trojans: Infection of government IT systems with malware that gives control to the hackers. Government of India IT systems were infected by the Conficker worm in 2008, causing multiple crashes and downtime.
04 Data Theft: Insecure storage of GOI data leading to unauthorized access by hackers and spies. Alleged Chinese hackers in 2010 hacked into GOI systems to access National Security Council data.
05 Cyber Terrorism: Hacktivism attacks on GOI websites leading to reputational damage. Multiple foreign-country hackers were responsible for hacking websites of the GOI.
Each challenge is mapped against the CIA triad:
Confidentiality: Sensitive content and privacy of data
Integrity: Unauthorized modification of data
Availability: Multiple points in the IT infra preventing a single point of failure
Source: Times of India
Understanding cyber threats
The modern cyber threat landscape has evolved over the years. Applications and IT infrastructure are core pillars of today's business; securing the core secures the business.
Threat landscape:
Actors with differing motives and sophistication, often colluding with each other.
Organizational boundaries have disappeared: anytime, anyhow, anywhere computing.
Attacks exploit the weakest link in the value / supply chain.
Data is money: the criminal underground makes for easy monetization.
Traditional controls are necessary but not adequate.
Regulators and government are key stakeholders with ever-increasing focus; the National Cyber Security Policy has been formulated with a focus on capability building at the national level.
Business impact:
Loss of PII data, customer data, and sensitive and confidential company data. Criminals pilfer PII data for identity theft, leading to potential damages to customers.
Availability of the organization's information is crucial; its loss could impact critical business functions.
A breach of integrity could result in a complete breakdown of trust in the organization. Brand reputation is majorly affected, leading to loss of revenue.
Losses resulting from leakage of backend customer data will impact customers' trust in the brand.
Industry view: Indian sector view
Sensitive information handled (customer confidential and internal strategic):
Hotels
Customer confidential: Visitor name, address, contact details, unique identification numbers or documents (Passport, PAN card, Driving License, Credit card etc.).
Internal strategic: Hotel billing details such as billing and payments, outstanding bills etc.; list of number of rooms occupied/vacant, pre-booked rooms, etc.; vendor/supplier details, contract details, outstanding payment details.
Airlines
Customer confidential: Passenger name, contact details, passport, visa details etc.; flight details such as number of passengers and crew, passenger and crew personal details, city and time of departure and arrival etc.
Internal strategic: Flight details such as flight status, flight maintenance details, etc.
Travels & Tourism
Customer confidential: Tourists' name, address, contact details and unique identification numbers or documents; tourist travel details such as mode of travel, destination city, duration of stay and accommodation details.
Internal strategic: List of strategic tie-ups and related financial records with the organization.
Industry view: Indian sector view
Concerns and security initiatives in the HATT sector:
Hotels: Absence of security compliance for information-related controls; compliance controls on the basis of quality controls only.
Airlines: Regulatory compliance in terms of financial or business controls; absence of security compliance for information-related controls.
Travels & Tourism: Absence of security compliance for information-related controls; compliance controls on the basis of quality controls only.
Regulatory implications drive the security approach: initiatives are taken by management to drive security in the organizations.
Absence of regulatory requirements provides ground for laxity in security initiatives within the organization.
Paradigm shift: Info security mgt.
Key questions to consider:
Strategically
Do you have a cyber security strategy, including a clear cyber governance framework?
How are you evaluating and managing cyber risk?
Is the existing risk framework adequate to address the changing threat landscape?
How structured and well-tested are your existing incident response and crisis management capabilities?
And tactically
What is leaving our network and where is it going?
Who is really logging into our network and from where?
What information are we making available to a cyber adversary?
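The first two tactical questions can be answered with simple summaries over egress flow records and authentication logs. The following Python is an added example, not code from the seminar deck: the log formats, the IP addresses, the internal ranges in INTERNAL_NETS, the sanctioned destinations in KNOWN_EGRESS, the WORK_HOURS window and the 100 MiB threshold are all constructed assumptions.

```python
"""Added example (not from the seminar deck): answering "what is leaving our
network and where is it going?" and "who is really logging into our network
and from where?" over constructed sample log lines."""
from collections import defaultdict
import ipaddress

# Constructed outbound flow records: timestamp src_ip dst_ip bytes_out
FLOW_LOG = """\
2014-09-18T22:01:05 10.0.5.12 203.0.113.7 524288000
2014-09-18T22:03:11 10.0.5.12 203.0.113.7 734003200
2014-09-18T09:14:02 10.0.7.3 198.51.100.20 40960
2014-09-18T10:02:44 10.0.7.9 198.51.100.20 81920
2014-09-18T11:30:00 10.0.7.3 10.0.9.40 91000000
2014-09-18T11:31:00 10.0.7.3 192.0.2.55 2048
"""

# Constructed authentication records: timestamp user src_ip result
AUTH_LOG = """\
2014-09-18T08:55:10 asingh 10.0.7.3 success
2014-09-18T02:12:41 admin 198.51.100.77 success
2014-09-18T02:13:02 admin 198.51.100.77 success
2014-09-18T09:01:33 rmehta 10.0.7.9 success
2014-09-18T03:40:19 asingh 192.0.2.99 failure
2014-09-18T22:45:00 rmehta 10.0.7.9 success
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate ranges
KNOWN_EGRESS = {"198.51.100.20"}  # assumed allow-list of sanctioned destinations
WORK_HOURS = range(6, 20)  # assumed working day, 06:00 to 19:59


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_destination(log=FLOW_LOG):
    """Sum bytes leaving the network per external destination (internal-to-internal flows are skipped)."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _ts, _src, dst, nbytes = line.split()
        if is_internal(dst):
            continue
        totals[dst] += int(nbytes)
    return dict(totals)


def flag_egress(log=FLOW_LOG, threshold_bytes=100 * 1024 * 1024):
    """Destinations outside the allow-list that received more than the threshold."""
    return sorted(dst for dst, total in egress_by_destination(log).items()
                  if dst not in KNOWN_EGRESS and total > threshold_bytes)


def login_sources(log=AUTH_LOG):
    """Map each user to the sorted list of source IPs with a successful login."""
    sources = defaultdict(set)
    for line in log.splitlines():
        _ts, user, src, result = line.split()
        if result == "success":
            sources[user].add(src)
    return {user: sorted(ips) for user, ips in sources.items()}


def flag_logins(log=AUTH_LOG):
    """Successful logins from outside the internal ranges or outside working hours."""
    findings = []
    for line in log.splitlines():
        ts, user, src, result = line.split()
        if result != "success":
            continue
        hour = int(ts[11:13])
        reasons = []
        if not is_internal(src):
            reasons.append("external source")
        if hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts, user, src, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for dst, total in sorted(egress_by_destination().items()):
        print(f"{dst:>16} {total / (1024 * 1024):8.1f} MiB")
    print("unexplained egress:", flag_egress())
    print("login sources:", login_sources())
    for finding in flag_logins():
        print("review:", finding)
```

On the constructed data the only unexplained bulk transfer is the 1.2 GB sent to 203.0.113.7 late at night, and the logins worth a second look are the external "admin" sessions at 02:00 and an internal after-hours login; in practice the allow-list and the hours window would come from the organization's own asset inventory and HR data rather than from constants.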
Case study
Operation Hangover
Recently, attackers of unknown origin conducted a large hacking operation against multiple companies from servers hosted in India.
1 The attacker creates a malicious PDF attachment and sends it to an unsuspecting, unaware foreign government employee. The malware is signed using certificates purchased by a company in New Delhi, India.
2 The target employee in the victim company gets infected with malware that acts as a backdoor to the system. The attacker is able to pivot from this system to conduct further attacks in the network.
3 All data stolen from the company is stored on a server hosted in India, with domain names similar to those of large e-commerce sites in India. These operational security measures indicate an attempt by the attackers to hide the operation in plain sight.
Source: Norman ASA
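The "hide in plain sight" step of the case study, exfiltration to domains that resemble well-known e-commerce sites, is something a defender can look for in proxy or DNS logs. The following Python is an added example, not code from the deck or from the Norman ASA report: the TRUSTED_DOMAINS list, the PROXY_LOG lines, the lookalike hosts in them and the edit-distance threshold are constructed assumptions, and registrable_domain is a simplified stand-in for a proper public-suffix lookup.

```python
"""Added example (not from the seminar deck): flagging outbound connections to
domains that look like trusted brands, using edit distance and embedded brand
labels over constructed proxy log lines."""

# Assumed list of legitimate registrable domains the organisation deals with.
TRUSTED_DOMAINS = ["flipkart.com", "snapdeal.com", "amazon.in", "irctc.co.in"]

# Constructed proxy log lines: timestamp client_ip destination_host bytes_out
PROXY_LOG = """\
2014-09-18T10:01:00 10.0.5.12 www.flipkart.com 1200
2014-09-18T10:05:17 10.0.5.12 flipkrt.com 300000000
2014-09-18T10:09:40 10.0.5.14 snapdeal-secure.com 150000000
2014-09-18T10:11:03 10.0.5.14 updates.amaz0n.in 50000
2014-09-18T10:14:22 10.0.5.17 example.org 2048
"""

# Second-level labels that usually mean a three-label suffix (co.in, com.au, ...).
MULTI_LABEL_SUFFIX_SECOND = {"co", "com", "net", "org", "gov", "ac"}


def registrable_domain(host):
    """Simplified public-suffix handling: keep two labels, or three for co.in-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in MULTI_LABEL_SUFFIX_SECOND:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return why a registrable domain resembles a trusted one, or None if it does not."""
    if domain in trusted:
        return None
    base = domain.split(".")[0]
    for t in trusted:
        t_base = t.split(".")[0]
        d = edit_distance(domain, t)
        if d <= max_distance:  # typo-squat such as flipkrt.com or amaz0n.in
            return f"edit distance {d} from {t}"
        if t_base in base and base != t_base:  # brand label padded with extra words
            return f"embeds brand label '{t_base}' of {t}"
    return None


def flag_lookalikes(log=PROXY_LOG, trusted=TRUSTED_DOMAINS):
    """Proxy records whose destination resembles a trusted brand, with bytes sent."""
    findings = []
    for line in log.splitlines():
        ts, client, host, nbytes = line.split()
        domain = registrable_domain(host)
        reason = lookalike_reason(domain, trusted)
        if reason:
            findings.append({"time": ts, "client": client, "host": host,
                             "domain": domain, "bytes": int(nbytes), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_lookalikes():
        print(f"{f['time']} {f['client']} -> {f['host']} ({f['bytes']} bytes): {f['reason']}")
```

The bytes column matters as much as the name match: a lookalike domain receiving hundreds of megabytes from one workstation is the pattern the case study describes, while a single small request is more often a mistyped URL. The edit-distance threshold is deliberately low because longer brand names with distance 2 still produce many benign matches.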
Leading hotel chain in the USA
A leading US hotel chain was breached by hackers from 2009 to 2010, resulting in the theft of 700,000 customers' information. They were breached 3 times in the period during which this information was siphoned out.
Key security flaws (as per FTC report):
1 Absence of firewalls
2 Default usernames and passwords
3 Weak access controls for remote sites
4 Failure to conduct regular reviews
Implications:
The FTC sued the organization for loss of customer information.
The organization has failed to get the case dismissed.
Investigations proved major non-compliance with PCI DSS requirements by the organization's locations.
10.6 million USD was the estimated cost of the data breach.
Source: Media reports
Hospitality industry
Hospitality, airline and tourism industries depend on exhaustive branding and marketing efforts for the sale of their services. Any impact on their IT infrastructure, websites or data that gets published in the media has a direct effect on their revenue and core business sales.
Leading airline in the US
Incident: The airline's vendors were breached by hackers, leading to disclosure of internal employee information and customer information. The data breach was investigated, but with no conclusive root cause analysis.
Impact: Multiple news reports on the data breach were published, leading to branding and reputational risks for the airline.
It takes an average of 156 days for businesses to realize that a breach has occurred (Trustwave).
43% of CXO officers report that negligent insiders are the source of the majority of breaches (IBM).
Source: Media reports
Way Forward
Cyber security mgt: Methodology
Cyber security: Maturity model
[Figure: cyber security maturity model. Maturity runs from Level 1 to Level 5 across bands labelled Blissful Ignorance, Transformation, Operational Excellence and Proactive Threat Management. Each capability area below lists its capabilities from lower to higher maturity.]
Brand Monitoring: Basic Online Brand Monitoring; Online Brand & Social Media Policing; Situational Awareness of Cyber Threats.
E-Discovery & Forensics: Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics.
Intelligence Collaboration: Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing.
External Threat Intelligence: Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence.
Behavioural Analytics: Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support.
Training & Awareness: Acceptable Usage Policy; General Information Security Training & Awareness; Targeted Intelligence-Based Cyber Security Awareness; Business Partner Cyber Security Awareness.
Cyber Attack Preparation: IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises.
Asset Protection: Basic Network Protection; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates.
Security Event Monitoring: IT Service Desk & Whistleblowing; Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; External & Internal Threat Intelligence Correlation; Cross-Channel Malicious Activity Detection.
Internal Threat Intelligence: Traditional Signature-Based Security Controls; Periodic IT Asset Vulnerability Assessments; Automated IT Asset Vulnerability Monitoring; Targeted Cross-Platform User Activity Monitoring; Tailored & Integrated Business Process Monitoring.
Way forward: Cyber security v2.0
A forward-looking approach to developing your organization's cyber security capabilities is needed to ensure on-going cyber threat mitigation and incident response.
About us
X Events manages & supports events exclusively for the hospitality & travel industries. Our USP is that we are hoteliers by training. We focus on the two most important aspects of an event: content quality and impact. We do it because we believe in it.
www.x-events.in
HATT is India's young and premium community for CXOs from the Hospitality, Healthcare, Aviation, Travel and Tourism industries. With over 1,000 members across India, we are now poised to expand globally with a presence in South East Asia and the Middle East by 2016.
www.hattforum.com
FB/hattforum
Our host: Brian Pereira
Brian is a veteran technology journalist with two decades of experience. He has served as editor for two magazines: CHIP and InformationWeek India. He is a respected speaker & host at conferences worldwide.
In his current role at Hannover Milano Fairs India, Brian serves as project head for CeBIT Global Conferences, the world's largest ICT fair, which will debut in India this November in Bangalore.
The seminar schedule
Five expert speakers
1. Latest threats in digital security (worms, attacks, viruses, flaws) - Santosh Satam, CEO, SecurBay Services.
2. The immediate action needed to tighten up (priority list, cost, internal policies) - Ambarish Deshpande, MD - India & SAARC, Blue Coat.
3. Information loss prevention (principles & practices) - Geet Lulla, VP - India & ME, Seclore.
4. How to build a business case & get the management's attention - Dhananjay Rokde, CISO, Cox & Kings Group.
5. Global cyber security outlook - A. K. Viswanathan, Senior Director - Enterprise Risk Services, Deloitte India.
Our sponsors & supporters
Thank You