Data theft in india (K K Mookhey)
Data theft in india (K K Mookhey) Presentation Transcript

  • 1. Data Theft in India - Seedhi baat, no bakwas (straight talk, no nonsense)
      K. K. Mookhey, Principal Consultant, CISA, CISSP, CISM
  • 2. Speaker Introduction
      - Founder & Principal Consultant, Network Intelligence / Institute of Information Security
      - Certified as CISA, CISSP and CISM
      - Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
      - Co-author of books on the Metasploit Framework (Syngress) and Linux Security & Controls (ISACA)
      - Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
      - Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
  • 3. Agenda
      - What's the ground reality
      - Recent news
      - Financial institution data theft explored
      - Challenges
      - Solutions
      - Conclusion
  • 4. Let’s see now….
  • 5. Well, yes Sir, you’ve been had!
  • 6. It’s not paranoia… It’s actually happening!
  • 7. Data theft in the recent past
  • 8. What price India? Online examples…
  • 9. Less than 1 cent per record! dmat-account-holders-database-44000-sub-brokers-iid-106295300
  • 10. View from the trenches…
      - Fresh record price = Rs. 75
      - Converted customer price = Rs. 150
  • 11. Pick an industry, pick a company
      Large business house gets into the financial services industry with a big bang, but slightly late in the game. Huge marketing blitz, offices opened nationwide. Aggressive marketing, huge ad spends. Customer base widens. Assets under management bloat. In a couple of years, they're within the top 5 private insurers, equity trading companies, and mutual funds! However…
  • 12. Data all over the place…
      - Specific mutual fund purchase records available for a price
      - Customers get calls just before their fund payments are due
      - Customers get calls to switch funds
      - Specific data available: customer name, cover amount, investment amounts, fund details, personal information, expiry dates, and more…
  • 13. What should the company do to fix this?
  • 14. Why data isn’t being protected
  • 15. No one gives a damn!
  • 16. Where is the customer data? – EquityTrader example
      - Primary trading system
      - CRM
      - Business intelligence system
      - Compliance reporting system
      - Backups
      - Password reset system
      - Excel, flat files, USBs, shared folders!
  • 17. Who has access to it?
      - Front-office, back-office, IT, research, customer service
      - Vendors, KYC, call center
      - Direct sales agents ("Devil's in-Security Agents")
      - DPs, registrars, settlement, finance & accounts
      - Cleaning staff??
  • 18. Ok, now I’m just depressed…But there’s more…
  • 19. Weak regulatory framework
      Unless someone serious starts kicking some serious ass, nothing's going to change…
      - RBI, SEBI, AMFI, IRDA, TRAI
      - But what about? UID? Healthcare?? Pharma?? FMCG?? Retail?? Government????
  • 20. Government's role
      - No comprehensive national consciousness on data protection
      - Data protection efforts not cohesive – don't address all industries
      - Government endorses data theft and invasion of privacy? Niira Radia tapes, Blackberry controversy…
  • 21. Business comes first!
      - Sell more! Expand market share!
      - Heavy reliance on a limited number of outsourced vendors
      - Weak mechanisms to oversee data protection by vendors
      - Vendors don't care…
  • 22. When things do end up in court…
      Judge: IT?!?
      Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err…
      Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the "cyber expert" we hired told us to do this
      Judge: Please continue!
      Senior Counsel: Sir we need a forensic investigation done
      Judge: What is that?!? Okay, seal the website!
      Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
  • 23. Here’s how it gets done!
  • 24. Solutions?
  • 25. Solutions
      - Technologies: encryption, Data Leakage Prevention, Information Rights Management, database security solutions, audit/log management
      - Stronger regulations: stronger laws or stronger enforcement of existing laws
      - Mindset change: data protection does matter! It is NOT a technology issue
      - Policy and process frameworks must be implemented; ISO 27001 is not the answer
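The "where is the customer data?" inventory of slide 16 and the Data Leakage Prevention and audit/log management technologies of slide 25 both start from the same step: finding out which files on shared folders, backups and desktops actually hold customer identifiers. The scanner below is an added example written for this page, not code from the presentation or from Network Intelligence. It walks a directory tree, counts Indian PAN numbers and mobile numbers per file (the identifier formats are assumed here: five letters, four digits, one letter for PAN; ten digits starting 6-9 for mobiles), and reports only the files that contain hits. The sample files it creates are constructed stand-ins for the sprawl described on slide 16.

```python
"""Sensitive-data discovery scan: which files hold customer identifiers?

Added example, not part of the original presentation. Identifier formats
(PAN, Indian mobile number) are assumed; sample files are constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Assumed formats: PAN = AAAAA9999A; mobile = 10 digits starting with 6-9.
PATTERNS = {
    "pan": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "mobile": re.compile(r"\b[6-9][0-9]{9}\b"),
}

# File types a DLP discovery job would typically look at first (assumed list).
TEXT_LIKE = (".csv", ".txt", ".log", ".sql", ".json")


def scan_text(text):
    """Count occurrences of each identifier kind in one text blob."""
    counts = Counter()
    for kind, pattern in PATTERNS.items():
        counts[kind] += len(pattern.findall(text))
    return counts


def scan_tree(root, extensions=TEXT_LIKE):
    """Walk `root`; return {relative_path: Counter} for files with any hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real job would log it
            if sum(counts.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def build_sample_tree():
    """Create constructed sample files mimicking slide 16's data sprawl."""
    root = tempfile.mkdtemp(prefix="datasprawl_")
    samples = {
        # export left on a shared folder: two customers with PAN + mobile
        "shared/clients_export.csv": (
            "name,pan,mobile\n"
            "A Kumar,ABCDE1234F,9876543210\n"
            "B Singh,PQRST5678K,9123456789\n"
        ),
        # CRM backup dump with one PAN in free text
        "backups/crm_dump.txt": "ticket 1\ncustomer ABCDE1234F called re: fund renewal\n",
        # harmless notes file: should not appear in findings
        "desktop/notes.txt": "lunch at 1pm, call vendor\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def report(findings):
    """Render findings as one line per file, sorted by path."""
    lines = []
    for path, counts in sorted(findings.items()):
        detail = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()) if v)
        lines.append(f"{path}: {detail}")
    return lines


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for line in report(scan_tree(sample_root)):
        print(line)
```

The report lists only files with hits, so the inventory is immediately actionable: each listed path is a copy of customer data that should be encrypted, moved into a controlled system, or deleted. Extending `PATTERNS` with account or folio number formats and `TEXT_LIKE` with spreadsheet exports is how such a scan grows into the discovery phase of a DLP rollout.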
  • 26. Conclusions
  • 27. Summary
      - It is an epidemic, and it is getting worse!
      - When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases
      - Back to basics approach – thorough risk assessments!
      - Identity and access management
      - Technologies help, but it has to begin with PPP – Policy, Process, People
      - Innovative audit/forensic techniques
  • 28. Thank you! Questions / Queries
      K. K. MOOKHEY, kkmookhey@niiconsulting.com, NETWORK INTELLIGENCE INDIA PVT.