Sunday, November 13, 2011

Beyond Network Security - Risks for Financial Services Companies

(Published in "Communications Today" magazine - Nov 2011 issue)       
"Endpoint protection suites that include anti-malware/spyware, personal firewall, and security policy enforcement for VPN connectivity are replacing the basic anti-virus software." Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance

With growing penetration of mobile computing (tablets/mobile phones) and increasing proliferation of Internet access across India, financial services companies are leveraging the online mode of business. However, online transactions are prone to various security threats. Organized crime is targeting this lucrative avenue to make a fast buck.
Application security is one of the most neglected areas. Vulnerabilities in unprotected websites and transaction portals (injection flaws, cross-site scripting and the like) let attackers plant malware on the very pages customers trust, or redirect them to fraudulent ones. The unsuspecting users give away their confidential information and fall prey to fraud.
More and more users now access the Internet through wireless networks freely available at Wi-Fi hotspots in airports and cafes, which are often unencrypted and unprotected. Traffic on such networks can be sniffed, and an attacker on the same network can interpose himself between the user and the server.
Enterprises are under growing pressure to allow BYOD, i.e., bring your own device. This means that employees are allowed to use their personal laptops/tablets to connect to the enterprise network and work on it. While this may help reduce costs to a certain extent, the number of security issues rises manifold: the organisation neither owns nor fully controls the device that now sits inside its network.
Most websites now use SSL encryption between the client's web browser and the server. This prevents perimeter security products such as content filters and anti-malware gateways from inspecting the payload exchanged between the endpoint and the server. Attackers use SSL as one way to mask malware such as viruses, Trojans and other exploits aimed at corporate networks. Organisations cannot simply block SSL-encrypted traffic, because most business-critical websites depend on it.
SSL-encrypted traffic can also be misused to leak sensitive data through encrypted email and file-sharing sites. Access to social networking sites poses a similar risk and can be exploited as a channel for data leakage.
Attacks like DNS poisoning redirect users to malicious websites that look genuine and entice them to part with their credentials, passwords and other confidential information. Clickjacking works differently: the genuine site is loaded in an invisible frame on an attacker's page, so that the user's clicks are performed on the real site without their knowledge.
Solutions Implemented By Financial Services
Organisations are deploying sophisticated tools to minimize threats to the network security. Endpoint protection suites that include anti-malware/spyware, personal firewall, and security policy enforcement for VPN connectivity are replacing the basic anti-virus software. Anti-phishing software and toolbars are now being used to warn end-users about malicious and spoofed sites.
In addition to network firewalls, organisations are deploying web application firewalls to protect their websites and portals. Intrusion detection and prevention systems are now the minimum requirement to protect the networks. Apart from these, content filtering tools are also being implemented to allow selective access to Internet content. Wireless networks are being encrypted, and sandboxed virtual desktops are used to give personal devices access without exposing the corporate network to them.
Data leakage prevention (DLP) suites are being implemented by many organisations, in a defence-in-depth architecture: the suite combines endpoint agents, network components at the email and Internet gateways, and server-side discovery. Some DLP and perimeter security products now offer SSL visibility and control, i.e. they decrypt and inspect outbound encrypted traffic, which reduces the risk of data leaking out or malware creeping in through encrypted channels.
To protect customers from fraudulent transactions and attacks, most financial services companies now use two-factor authentication, one-time passwords and virtual keyboards for their online transactions. These measures defeat stolen static passwords and keyloggers, but not a real-time man-in-the-middle phishing site that relays the one-time code to the genuine site while it is still valid, so customer awareness remains essential.
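As an added example (not code from the article or from any product mentioned in it), the following Python shows how the one-time passwords mentioned above work on the server side: it implements the counter-based HOTP algorithm of RFC 4226 and a verifier that accepts a code only within a small look-ahead window and never accepts the same counter twice, which is what stops a code captured by a keylogger from being replayed. The secret is the RFC 4226 test key, so the values can be checked against the RFC's own test vectors; the look-ahead window of 5 is an assumed policy value.

```python
"""HOTP (RFC 4226) generation and server-side verification with a look-ahead window.

Added example; the secret below is the RFC 4226 test key, not a real one.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for `counter` as a zero-padded decimal string (RFC 4226 section 5.3)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one customer's token: the shared secret plus the next acceptable counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead  # assumed policy: tolerate up to 5 unused presses on the token
        self.next_counter = 0         # lowest counter value that has not yet been consumed

    def verify(self, submitted: str) -> bool:
        """Accept `submitted` if it matches a counter in [next_counter, next_counter + look_ahead].

        On success the window moves past the matched counter, so the same code (and any
        older one) is rejected if replayed. The comparison is constant-time.
        """
        if not submitted.isdigit():
            return False
        for counter in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test key; counters 0, 1, 2 give 755224, 287082, 359152.
    test_secret = b"12345678901234567890"
    verifier = HotpVerifier(test_secret)
    print("counter 1 first use :", verifier.verify("287082"))   # accepted
    print("counter 1 replayed  :", verifier.verify("287082"))   # rejected, already consumed
    print("counter 0 (stale)   :", verifier.verify("755224"))   # rejected, below the window
    print("counter 9 (too far) :", verifier.verify("520489"))   # rejected, outside look-ahead
    print("counter 2           :", verifier.verify("359152"))   # accepted
```

The look-ahead window trades usability against exposure: a larger window tolerates more accidental button presses on a hardware token but gives an attacker more valid codes to guess at any moment, so a real deployment also rate-limits failed attempts per account.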
While financial services companies are trying to implement various security measures to minimize the risk, criminals seem to be one step ahead and manage to find and exploit new loopholes or vulnerabilities to defraud the financial services companies and their customers.

Tuesday, August 9, 2011

Changing rules of the game

(published in Express Computer 16-31 July edition and Security Practices Knowledge Center - 2 of CIO Research Center)

In the information security realm, we generally get to hear the prefixes total, comprehensive, best in class, etc. I had never heard the prefix reasonable (in the context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has only come up for debate amongst the info-sec professionals.
Privacy is another term which was rarely used in the Indian context. True to the Indian fondness for imported stuff, we were well versed with laws like HIPAA, EU data protection and PCI-DSS. However, we lacked indigenous data privacy legislation.
On 11 April 2011, the Government of India brought about a sweeping change in one stroke with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, thereby changing the rules of the game. Let's examine the significance of this news for Indian organizations.

Sensitive personal information
To begin with, organizations will need to understand what constitutes sensitive personal information and analyze the information being collected at various points from their prospective or current customers, partners and suppliers. It may be at the point of acquiring the customer, when doing a promotional event (outsourced to a marketing company) or even a contest on a Web site. As per the rules, passwords also constitute sensitive personal information. Therefore, if you require a customer or partner to create an account on your Web site with a user id and password, then you are required to comply with these rules, even though you may not be taking any other personal information such as financial details, debit/credit card or bank account numbers, health information, etc.

Privacy policy
All organizations in India, collecting, storing or transferring sensitive personal information will need to put a privacy policy in place and make it available publicly i.e. on the company’s Web site.
A privacy policy should include
  • Commitment to privacy
  • The information collected
  • How and where information is stored and shared
  • Commitment to data security
  • How to access or correct your information
  • Contact details
  • A grievance redressal mechanism
Information collection and retention
Organizations will also need to take explicit permission from the information owner regarding the purpose of usage, in writing, through a letter, fax or e-mail. This could turn out to be a challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled or information is collected online, e.g. during online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear whether ticking an "I Accept" box on the terms and conditions of a Web site suffices. If organizations choose to take this consent over e-mail, will this electronic record be held as valid only if it is digitally signed in accordance with the IT Act?
Organizations will be required to educate the information owner on the purpose, the intended recipients as well as the agency that will retain the information collected. This means that, if you have outsourced any of your data processing activities, you will need to disclose the names of the outsourced partners who will use this personal information at the time of collection.
Organizations are also required to allow the information owners to review the information that has been stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the Web site.
The information owner can also withdraw this consent (in writing of course) and the personal information will need to be struck from the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their records for a particular period, if required by law. It seems to be a contradiction and this will need some clarification.

Data transfer
If organizations want to transfer sensitive personal information to any other organization, e.g. an outsourced data processing unit, call centre or data centre, then they would need to ensure that the third party maintains the same level of security as they do themselves. It will be imperative for organizations to mandate the level of security and also ensure that these standards are met by partners through regular audits.

Data destruction
Organizations should not store data for a period longer than is required for providing the products or services unless required by law. Organizations will need to implement secure data deletion processes for all data, including backups stored on tapes, at off-site locations, DR sites and, not to forget, the Cloud. They will also need to ensure that data is deleted securely by outsourced partners and at their DR sites.

Reasonable security
Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational, and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard, which covers all these requirements. In case the organizations prefer to follow their own security measures, they would need to get their measures approved by the central government.
Organizations will also be required to get their security measures audited at least once a year by an independent auditor approved by the central government. In the unfortunate event of an information security breach, the affected organizations will have to demonstrate to the investigating agency that they had put reasonable security processes in place. However, it is not clear if this will absolve them of their liability.
Checker-board
Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. Nevertheless, these rules should be practical and reasonable in terms of implementation. In their current form, some of these rules pose multiple challenges if they are to be implemented in their true spirit. Again, what constitutes reasonable security will remain a matter of interpretation and this would be an area of major debate in the days to come.

Steps to consider:
  • Analyze if you collect any sensitive private information
  • Draft a privacy policy and publicize it
  • Take consent from information providers
  • Implement reasonable security measures to protect information
  • Ensure that your partners who access or use this information are equally secure
  • Don’t forget to destroy the sensitive information once it is no longer required
  • Get an annual audit done to ensure compliance with reasonable security measures



Friday, July 22, 2011

Child safety in cyberspace

Published in Smart Techie September 2011 issue (www.thesmarttechie.com).  

“Mom, all my friends are on facebook, why is it that only I cannot have a facebook[1] account?”  My 10 year old daughter was pleading her case in the Supreme Court.  I could already see from the expressions on the face of the Judge that the case was beginning to tilt in the prosecution’s favour without even giving a chance to the defendant.  But I was not going to give up this case so easily, I had my defence ready…

Would you leave your child alone in a busy marketplace or on a highway?  The child would be prone to all kinds of dangers in the physical world: accidents, kidnapping, molestation. I am sure none of us would do this.

Then why would you leave the child alone on the information superhighway? I have seen many of us do this, unknowingly. 

The Internet has become such a necessity in our lives that the United Nations has described Internet access as a human right. Today the schools are networked, have their own websites and publish homework instructions on the net too. Students as young as 4th Grade are expected to log on to the school website on a daily basis.  Students are required to browse the net to collect information and pictures for their projects. There is no denying that the Internet has become an integral part of our children’s lives.  But the fact is that children are at risk in cyberspace if we do not take adequate precautions.

More and more children now have their own cell phones. Children are exposed to text messages, MMS (multimedia messages) and can also access the Internet and social networks on their phones.

Alice in the wonderland

Inappropriate Content
   
Children use the Internet to search for information and pictures for school projects.  You would be shocked to see the amount of inappropriate information, images and advertisements displayed when they search for seemingly innocuous queries and click on the links in the search results. Spam messages (including the ones selling blue tablets, or from exotic names showing interest in knowing you better) do not distinguish between children’s and adults’ mailboxes.


Sharing personal information and images

Children share a lot of personal information including the name, address, passwords, information about their family, photographs over email and social networks. This information could be potentially misused for identity theft or other cybercrimes.

Most cell phones now have cameras which can capture photographs and videos. Explicit images / videos can be shared easily over the MMS and through mobile internet.     

Children do not understand the legal implications of creating, storing and distributing explicit photos or videos of minors. If such material is circulated through phones or Internet, children could be exposed to risk of embarrassment, leading to psychological disorders and could impact their studies and social life.

Big bad Wolves waiting for Red Riding Hood

Contact with Strangers              

Children may come into contact with strangers on social networks, chat rooms, online forums or email. Strangers could take advantage of the impressionable minds and persuade them into parting with personal information, photographs, videos etc.  Such predators are known to entice children by promising gifts in return for sharing information. The online contact may advance to telephonic contact and finally meeting them in real life – without the knowledge of parents. 

Cyber stalking, Cyber bullying
Bullying is common in schools and on the playground. However, with the advent of technology in their lives, children have also adopted a new form of bullying – online and over cell phones.  The difference is that cyber bullying can occur anytime, anywhere – the child can receive offensive messages while at home over the Internet or SMS.  Derogatory messages or information against a child can be posted over social networks, forums or over chat.  

Predators ask children for their cell phone numbers after meeting them online since it allows them to contact the child anytime. They can stalk a child, could send abusive, threatening SMS or emails.    

How do we minimise these risks?

To ensure that your child is safe in cyber space, you need to establish ground rules, monitor use and discuss safety practices with children.  It is important that children trust you and share important information with you about their online activities regularly. Various technology controls are also available to prevent, monitor and detect any problems. 

Awareness and rules
Especially for pre-teens, try to supervise Internet usage personally as far as possible.  Set time limits for Internet use and keep the home computer in an open area like the living room.

Explain to children that they should never give out personal details to online friends. Make them understand what information about them is personal, e.g. home address and telephone numbers, user-ids/passwords, email address, mobile number etc. They should not share any pictures or videos of themselves, their family or friends except under your supervision.

If your child receives email from unknown persons, spam or junk mails, remind them never to believe their contents, reply to them or click on any links. They should not open files that are from people they don't know - it could be a virus or an inappropriate photo or video.

Explain the consequences of posting or forwarding inappropriate material online or through cell phones.  It could harm the child’s reputation and their life.

Just as in real life we warn them about interacting with strangers, the same rule applies in cyberspace.  They should not talk to strangers in chat forum, accept invites on social networks or respond to SMS or emails from strangers. 

It is important for children to know that people may not always be speaking the truth online and that they should not believe everything they see or hear online. If an online friend asks them to meet, they should inform you, and you can arrange for a supervised meeting if appropriate.

As a responsible parent, be firm about not letting your child access content that is not meant for their age, e.g. DO NOT let your child have their own facebook account if they are below the prescribed age limit. There are separate social networking sites especially for children.

Technology can help

Make sure your home computer has updated anti-virus software and there is no inappropriate content on it.
Children should use child-friendly search engines.  Alternatively, make sure “safe-search” settings are enabled and locked down in the regular search engines. This helps keep inappropriate content from being displayed while searching for information or images.

If your children have unsupervised access, consider installing “parental control” software. This will help prevent access to inappropriate content as well as help you monitor the online activity of children. If your child has a cell phone, consider getting an itemised statement, which can help identify any specific or unknown numbers that are calling or messaging frequently and at odd hours.

Magic wand
The magic wand is “TRUST”.  If your child trusts you, they will talk to you if they have had any problem in cyberspace – just as they would talk to you about any problem in school or on the playground. Children should know that it's never too late to tell if something makes them feel uncomfortable. So it is important for you to build the bridge of trust, which can keep the child safe from any evil spells! 

P.S.:  After hearing my defence, my Supreme Court ruled that we settle the matter out of court – so finally my daughter did get her account – but on a social network site specially created for children…

[1] As a policy Facebook allows individuals only above the age of 13 to create an account.

Wednesday, July 13, 2011

Security Metrics: Demonstrate the Business Value

"The top management doesn’t want to listen to a technology speech. Show them trends and measurably demonstrate the business value of the various controls put in place"
What does the management look at, in the money spent by the company’s information security specialists on various controls?
Our company, Bharti AXA General Insurance Company Ltd., is a general insurance joint venture started about three years ago, and right from the start, I’ve been interacting extensively with the business side of the company. We were late entrants into the insurance market, we were probably the 16th entrant, there were giants ahead of us, and shareholders wanted to get into the top five in the five-year time frame.
Every time I went to the management to get budget approvals for information security, the questions were very different from what I’d faced earlier. The management would say, ‘fine we’ll give you the money, but tell us how this will help us get into the top 5 slot in the insurance market?’ I would get stumped, thinking I’m talking about security and controls, but the management needs to know how that will help the company meet its objective.
Balanced Score Card: Such questions prompted us to attempt a balanced-score-card approach to demonstrate the value at risk, to our business colleagues. Our company’s mission is to become the preferred general insurance provider for our customers, partners, employees, and, shareholders. The balanced score card talks about finance, employees, learning and growth and customers, which put our mission statement in alignment with the score card quadrants. That’s how we got the idea to use the score card approach to show how information security is adding value and contributing to the company’s growth.
Every department had to come up with their goal sheets in line with the mission statement. The Information Security team also did the same. While not exactly following the score card methodology, we looked at how we can add value to shareholders, partners, and customers.
Metrics: What did we measure? Instead of the normal way of counting incidents, user IDs created or deleted, we tried to give them a business value number on what is at risk. How does one match the security metrics with the top line and the bottom line with every single security incident -- we presented this from a finance and business perspective.
For example, if the company’s website went down for a certain period, customers won’t be able to buy online policies, which would hit the top line. While this isn’t a fool-proof system, and has a lot of assumptions, it still yields a way to value risk to business. Therefore, tracking the number of customers who generated quotes using the site would be an indicator, as the ratio of the quotes generated to actual conversions to policies sold is known.
If we don’t have log monitoring, firewalls, IPS, IDS and so on, what would be the value at risk? From a regulatory and compliance point of view, the auditors from the Insurance Regulatory Authority of India tend to look at the steps we’ve taken from the perspective of customer protection, which again plays into the idea of figuring out what’s the value at risk and how the score card will be affected by the absence of certain IS measures.
Business executives look for trends in the form ‘where were we six months ago and what is our position today and where do we want to be two quarters down the line.’ Finding a way to show in a measurable way, which way the risk to the business is moving before and after putting in place various controls, will help CIOs get the backing of their business colleagues.

CTO Forum is happy to present this opinion piece by Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance Company Ltd., in continuing our efforts to bring you expert opinion of substance from peers and specialists.
Bring out the value at risk in both the top line and bottom line, and your information security plans will get the business backing, says Parag Deodhar, CRO of Bharti AXA General Insurance Company.


Friday, February 18, 2011

Ethical Dilemma

“Guys, I don’t understand why people do this!!!” exclaimed one of my colleagues. While we were having coffee, some news channel was breaking news on the latest ISRO scam – “Few thousand crores of taxpayers money vanished into thin air!!!” exclaimed another. As the caffeine was getting absorbed, the discussion was getting more intense…
“Frauds seem to be increasing by the day… we see so many cases even in the corporate world. A couple of years ago, an IT company fired 200 employees on a single day for submitting false bills against reimbursements,” quipped a well-informed colleague.
Recent fraud surveys have highlighted that internal fraud has been on an increasing trend, surprisingly so when companies have been rolling out fraud control policies, codes of conduct, ethics training, et al.
I found this to be a bit strange - when the tone at the top is clear – zero tolerance towards fraud and unethical practices, and there are examples of punitive actions, why do employees still indulge in such practices? I tried digging a bit deeper into the reasons and what I found was even stranger…
The finding: Ethical Dilemma.
Simply put, employees are confused!!! The internal policy employees are expected to follow and the way business is actually done lack consistency. This seems to prevail even in respected corporate houses that are crusaders for ethics and transparency in business. A few examples of contradictory policies are given below:
Gifts policy:
Employees are expected not to accept expensive gifts from vendors, business partners etc. However, come Diwali, the organization sends out expensive gifts to all those who matter: regulators, government officials, customers…
Reimbursements:
Employees are fired for submitting a fudged bill for reimbursement, but when it comes to making “special” payments to acquire business, the company asks the beneficiaries to submit invoices for some “other” services (which were never provided, of course) and payments are made…
Facilitation payments:
Employees are strictly prohibited from accepting bribes; it’s unethical. But when it comes to getting permits or licenses for the company, or statutory work done, paying bribes is common, otherwise it will never get done!
On one hand companies are encouraging unethical practices to get business – through their employees, but expect the same employees to follow ethics when it comes to internal business processes. I fail to understand, how employee ethics and company ethics can be contradictory.
Do we have an answer to this Ethical Dilemma??