Daily FT-CICRA Holdings fourth annual Cyber Security Summit’s inaugural session sets the stage for sharing of new knowledge and insights

The EC-Council Cyber Security Summit 2016 organised for the fourth consecutive time kick-started on Tuesday with high-profile international IT security experts from Sri Lanka and the region. The EC-Council Cyber Security Summit 2016 is co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT.

The main objective of the summit was to create awareness on the importance of cyber security and to provide top officers in the Government, top private sector leaders and IT professionals with best practices in acquiring, implementing, managing and measuring information security postures of their organisations and counter-measures.

Not every villain wears a mask

The first session of the summit, themed ‘Not Every Villain Wears a Mask: The Insider Threat’, discussed how organisations get blown away by their own staff when they fail to put efficient cyber security policies in place.

Starting the session, Cisco Head of Security Sales in India and SAARC Pravin Srinivasan delivered the keynote speech, in which he talked extensively about insider threats and how to defy them.

“It is a huge headache when you think of protecting ourselves against someone who we really know very well in the cyber security sphere. We let that person know about all the best-kept secrets of the organisation and they have turned against us. Cyber security has reached the agenda of every boardroom, government, bank and startup. Digitisation is playing a pivotal role presently and every public and private entity is looking at transforming their businesses with digitisation. This leads to new security challenges as well.”

“For the sake of efficiency, power, productivity and technical feasibility; businesses adopt cloud and mobile devices. We spend half of our time with our smartphones. We consume mobile networks, Wi-Fi and cloud instances every day and the reality is, you cannot guarantee a 100% protection from all the security challenges coming from these mediums. You cannot stop the movement towards cloud or mobile. If you look at these challenges, they have been around for some time but the complexity of them has been increased exponentially. In the past, a security officer of an organisation only had to worry about maintaining 300 or 500 devices but now, it has become a nightmare for them. This has increased the number of challenges people face in terms of security of an organisation,” he said.

Pravin said that fundamentally, every threat is actually an insider threat.

“The origin of the attack may have come from outside but if you analyse carefully, some part of the attack has gotten help from the inside of the organisation. If someone’s intention is to steal your organisation data, you could only do it from the inside. It could be on a laptop, mobile device, server or it could be anywhere. In most cases, someone inside the organisation has helped the hacker to sneak into your company data; intentionally or unintentionally. It means that every single threat is an insider threat which has become a huge issue for businesses.”

“Advanced threats that are coming to organisations are very difficult to stop because it is hidden in plain sight. It may be hidden in one of your PDF files or an HTML file. You cannot stop the flow of these documents because it means that you are stopping the business. And these threats are very difficult to find. If you analyse multiple reports, the average time taken for companies to figure out they have been attacked is six to eight months. The time taken out to clean the infection will be a year or more. If you take a well-written malware and analyse its time of execution; it would steal your data within six to eight hours. There is a quantum jump in that and it is creating so many problems for organisations.”

“One of the other biggest issues we are facing today is that you cannot protect from what you don’t see,” he stressed. “We have this huge network, apps and data that are running around our organisation but we don’t have details about them. A lot of attacks we are seeing today are coming in through various forms and these attacks use mediums in organisations where we actually have no clue whether they existed in the first place.”

Analysis is the key 

Pravin suggested that analysis with proper visibility is the key to reducing these attacks.

“It should not be a normal analysis but an organisation should have a visibility with a continuous analysis. You cannot protect what you can’t see so a perfectly visible analysis will help an organisation to see what is actually happening. It will also help you to assess all your data, applications, endpoints, server flows and help you to place protection mechanisms.”

He also talked about mechanisms which organisations could use to identify threats, such as ‘Before, During, After’, which looks at how a cyber-attack happened by following a set of stages. Pravin said that the first stage should obviously be to not let any malware enter your organisation.

“However, you cannot be 100% secured with all your firewalls and anti-virus software. At some point, some stuff will definitely get in. If you spend all time and money trying to stop the threat at the gate; you are helping insiders to get what they want. Like you spend time to eliminate outside threats; look at stopping all the threats which are coming from inside your organisation. It means that you are looking in and out. Once you do all these and figure out how the organisation was attacked; you need to have a mechanism to take action. Do something about it rather than talking about it. That is why in the ‘After’ stage, you need to analyse your scope, take counter measures and align your cyber security strategy with sound policies. Even if threats still enter your organisation, you need to ensure crystal clear visibility to examine what is happening inside your network and the capability to take action,” said Pravin.

He emphasised that people inside an organisation should get access to a limited number of resources, based on what they really need to access. The moment an organisation ensures that only the right set of people have access to the right set of resources, it will be able to prevent an attack and also reduce the scope of it, said Pravin. He said risks could be mitigated through identity management, authentication and proper access as well as analysing traffic patterns of applications, end-users and networks. Pravin also mentioned that an organisation should have a specified level of automation built in so that the organisation could take action when a physical analysis is not possible.

“Visibility is required all the way down to the end-users. You need to know what they are doing, what devices they use and whether they are using updated applications. If they enter cloud platforms, you need to make sure to provide end-to-end security; same level of protection as on premise. That is when you will be able to identify the scope of a threat real time,” stressed Pravin.

The missing 2%

Delivering the guest speech, Cyber Crime Expert of Pune Police and NetConclave Systems Founder and CTO Niranjan Reddy spoke about how insider threats are causing problems for organisations at different levels. He started his presentation with an interesting quote – the 98% of cyber-attacks figured out by an organisation is not what is important but the 2% of attacks you missed out completely.

“We have all the layered defences and mechanisms in our network but still incidents take place. This means that we have been missing on that 2%. The landscape of insider threats has risen out of nowhere,” said Niranjan.

Niranjan revealed that as per the 2016 Vormetric Data Threat Report, 91% of global organisations feel vulnerable to data threats; enterprises and governments are focusing on compliance ahead of breach prevention and they also invest in technologies that do not prevent data breaches but the real data breaches are caused due to insider threats. “Insiders generally possess access rights which, together with their authority and knowledge, grant them far greater opportunity than outsiders to bypass dedicated nuclear and radiological security elements or other provisions such as safety systems and operating procedures. Insiders, as trusted personnel, are capable of methods of defeat that may not be available to outsiders. As such, insiders—acting alone or in concert with outsiders—pose an elevated threat to cyber security,” he said.

“Your organisation data could be leaked by people who are working in your organisation. Using a USB drive or an email, information will be sent out to an outsider who is probably a competitor of your organisation. When you found out that you have been breached, this will have an impact on your market reputation, financial status and shareholder trust. Organisations need to have a monitoring mechanism on people who they feel suspicious, staying back late in the office, etc.,” said Niranjan.

Almost one-third (32%) of respondents to a global survey have said insider crimes are costlier or more damaging than those committed by external adversaries, yet less than half (49%) say they have implemented a plan to deal with internal threats. The lack of a formal insider risk-management strategy seems short-sighted, given that 28% of survey respondents detected insider incidents within the last two years.

“Insider threats often have a benefit over external rivals because they have authorised access to data and systems, and therefore have no need to breach security controls. Even insiders with access to the network, but no authorised access to certain types of systems and data, are more likely to understand the organisation’s competitive environment. They also may know exactly where to look for the company’s most valuable information, including customer lists, pricing strategies, and research and development initiatives currently in progress,” Niranjan said.

He explained to the audience the different insider threat types – malicious, regressive and compromising. He explained what these threats do and how organisations could defy them through proper encryption mechanisms and embedded passwords for devices. He also dissected two case studies for the audience and explained how organisations failed in protecting their data. Using these case studies, he touched upon the impact of external adversaries such as organised crime groups, which sometimes target vulnerable employees to help steal or gain access to sensitive data. When doing so, they often identify employees who are experiencing financial problems or are obviously looking for financial gains. Niranjan also explained to the audience the impact of former employees and how they would plan to steal organisation data.

“Minimising and managing crimes committed by inside actors will demand that organisations develop and execute a specific insider-threat management program that is aligned and integrated with their business, cybersecurity, and data-protection strategies. The basic building blocks to such a program are: identify what is most valuable to you and a potential insider threat; protect against insider threats; detect when threats manifest in your organisation; respond to limit their potency and potential damage; and recover to restore your environment to a better state.”

Niranjan also spoke about different signs of insider threat activity, where he talked about stolen credentials, malpractices of systems administrators, unauthorised access, unknowing data movement inside a network and security policy violation. He also talked about several emerging insider threats such as BYOD (bring your own device) and open networks.

“Not every employee needs access to every piece of data, so organisations should segment their networks and restrict privileges to ensure that employees can access only files and applications they need. For example, your finance department probably has nothing to do with getting access to your software workflows. And employees in one country may not be legally allowed to access customer data from another country. Such controls can be enforced at the network level by encrypting data at rest and using firewalls to physically prevent traffic from flowing between areas. You can also assign specific roles to employees with identity management or data-labeling tools. The larger the company, the more likely it will need all of these controls,” said Niranjan.

Prevention from these threats is always possible, Niranjan opined. “You are talking about insiders. There needs to be a proper background check and understanding of the situation before you form policies. Your company must measure actual, not intended, results of security efforts — you must know when you fail. Effective monitoring programs combine technology with aggressive operational processes to monitor for unusual employee network behavior. The technology detects suspected violations. The operational processes and skilled staff make sense of the data. Failure to balance technology and operations never ends well.”

“It’s important to understand that insider risk cannot be managed entirely by your IT department or the cyber security officer. Nor can technology itself forestall insider threats. Effective management will require a disciplined, risk-based, cross-functional approach that includes IT, information security, corporate security, human resources (HR), legal, audit, and other stakeholders. It will also demand participation from appropriate lines of business, as well as finely tuned data privacy policies,” he said.

Mitigating threats is a team effort

At the panel discussion, ICTA Sri Lanka Chief Executive Officer Muhunthan Canagey said that the government will always invite every professional body in the country to join them in order to mitigate cyber threats and draw a national-level plan. “If I talk about cyber security, there is nowhere you can have closed doors. Today, the world is collaborative and you can never go back to being siloed. That is something governments have to change. The culture within the government and government organisations with all sorts of territorial boundaries and clearly-defined legal framework is clearly missing out the aspect of a collaborative, open working environment. We are gradually changing that culture. We want to bring the private sector and the industry together because you can never sort cyber security issues unless you have everybody on the same table,” said Canagey.

Adding more, he said, “One of the facts is about having dedicated security personnel within your organisation. It is important so that you can build a culture where there is an openness and that would help us to build defined processes. From a technology viewpoint, these resources would be very costly. Small and medium-sized businesses will not be able to afford these resources. This is where I think you need to build more community-based providers who would actually come in and help you solve issues and who would also guide you in these types of crisis situations. For countries like Sri Lanka, this step will be very pivotal as we see many SMEs are coming out.”

Answering a question at the panel discussion, Pravin said that cyber security is a valuable opportunity for any organisation to draft a perfect cyber security strategy.

“Cyber threats have always been a C-suite issue; the only difference right now is that with the involvement in the digitisation process, threats have become a certain roadblock for the top management. If the government puts a lot of data in the web and it gets hacked; it must have put million lives at stake. One of the ways we could look at this is that because these projects have become so critical to the company as a whole; adding security should be a regular process from day one. Before we start thinking about implementing an application, let us first see how we can make it safer. That is an opportunity we have,” he said.

“If you look at some of the hacks happened globally, they have been done by certain underground hacker communities. There is no point tracing them back and trying to sue them. You need to put sound policies to not let that happen to you or your organisation again. Just look at the roots and figure out how it happened and why it happened. You can’t make anything secure but you can take a proactive approach. You must have a dedicated person to take care of these attacks and you should also have a layered defence approach which means that having different layers of technology. You should not have a single firewall and say I am secured now. You always have to make it difficult for the hackers to exploit your data but coming back, no company could perform a 100% security assessment,” Niranjan said at the panel discussion.

The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partner was MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.

