Data theft in india (K K Mookhey)
Published in: Technology, Business
Transcript

  • 1. Data Theft in India - Seedhi baat, no bakwas (straight talk, no nonsense). K. K. Mookhey, Principal Consultant, CISA, CISSP, CISM
  • 2. Speaker Introduction: Founder & Principal Consultant, Network Intelligence; Institute of Information Security. Certified as CISA, CISSP and CISM. Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009. Co-author of a book on the Metasploit Framework (Syngress) and Linux Security & Controls (ISACA). Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA). Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
  • 3. Agenda: What's the ground reality; Recent news; Financial institution data theft explored; Challenges; Solutions; Conclusion
  • 4. Let’s see now….
  • 5. Well, yes Sir, you’ve been had!
  • 6. It’s not paranoia… It’s actually happening!
  • 7. Data theft in the recent past
  • 8. What price India? Online examples…
  • 9. Less than 1 cent per record! http://www.jobstiger.com/emaildatabaseindia.html http://www.kumudhamwebtech.com/ http://hyderabad.olx.in/38-lakh-stock-market-traders-dmat-account-holders-database-44000-sub-brokers-iid-106295300 http://www.ebusinessindya.biz/ http://www.mobiledataindia.com/ http://www.gsquare.biz/data.html
  • 10. View from the trenches… Fresh record price = Rs. 75; Converted customer price = Rs. 150
  • 11. Pick an industry, pick a company. A large business house gets into the financial services industry with a big bang, but slightly late in the game. Huge marketing blitz, offices opened nationwide. Aggressive marketing, huge ad spends. Customer base widens. Assets under management bloat. In a couple of years, they're within the top 5 private insurers, equity trading companies, and mutual funds! However…
  • 12. Data all over the place… Specific mutual fund purchase records available for a price. Customers get calls just before their fund payments are due. Customers get calls to switch funds. Specific data available: customer name, cover amount, investment amounts, fund details, personal information, expiry dates, and more…
  • 13. What should the company do to fix this?
  • 14. Why data isn’t being protected
  • 15. No one gives a damn!
  • 16. Where is the customer data? – EquityTrader example: Primary trading system, CRM, Business Intelligence system, Compliance reporting system, Backups, Password reset system, Excel flat files, USBs, Shared folders!
  • 17. Who has access to it? Front-office, Back-office, IT, Research, Customer service, Vendors, KYC, Call center, Direct Sales Agents (Devil's in-Security Agents), DPs, Registrars, Settlement, Finance & Accounts, Cleaning staff??
  • 18. Ok, now I'm just depressed… But there's more…
  • 19. Weak regulatory framework. Unless someone serious starts kicking some serious ass, nothing's going to change… RBI, SEBI, AMFI. But what about? IRDA, TRAI, UID? Healthcare?? Pharma?? FMCG?? Retail?? Government????
  • 20. Government's role: No comprehensive national consciousness on data protection. Data protection efforts not cohesive – don't address all industries. Government endorses data theft and invasion of privacy? Niira Radia tapes, Blackberry controversy…
  • 21. Business comes first! Sell more! Expand market share! Heavy reliance on a limited number of outsourced vendors. Weak mechanisms to oversee data protection by vendors. Vendors don't care…
  • 22. When things do end up in court…
        Judge: IT?!?
        Senior Counsel: Well…umm…err…you see this is under Section 66 of the IT Act because, well…err…
        Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the "cyber expert" we hired told us to do this
        Judge: Please continue!
        Senior Counsel: Sir, we need a forensic investigation done
        Judge: What is that?!? Okay, seal the website!
        Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
  • 23. Here’s how it gets done!
  • 24. Solutions?
  • 25. Solutions. Technologies: Encryption, Data Leakage Prevention, Information Rights Management, Database security solutions, Audit/Log Management. Stronger regulations: stronger laws, or stronger enforcement of existing laws. Mindset change: Data protection does matter! It is NOT a technology issue. Policy and process frameworks must be implemented. ISO 27001 is not the answer.
  • 26. Conclusions
  • 27. Summary: It is an epidemic, and it is getting worse! When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases. Back-to-basics approach – thorough risk assessments! Identity and access management. Technologies help, but it has to begin with PPP – Policy, Process, People. Innovative audit/forensic techniques.
  • 28. Thank you! Questions / Queries: K. K. Mookhey, kkmookhey@niiconsulting.com, Network Intelligence India Pvt. Ltd., www.niiconsulting.com
