Data Theft in India - Seedhi baat, no bakwas (straight talk, no nonsense)
K. K. Mookhey, Principal Consultant
CISA, CISSP, CISM

Speaker Introduction
• Founder & Principal Consultant, Network Intelligence, Institute of Information Security
• Certified as CISA, CISSP and CISM
• Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
• Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
• Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
• Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.

Agenda
• What’s the ground reality
• Recent news
• Financial institution data theft explored
• Challenges
• Solutions
• Conclusion
Let’s see now….
Well, yes Sir, you’ve been had!
It’s not paranoia… It’s actually happening!
Data theft in the recent past
What price India? Online examples…
Less than 1 cent per record!
• http://www.jobstiger.com/emaildatabaseindia.html
• http://www.kumudhamwebtech.com/
• http://hyderabad.olx.in/38-lakh-stock-market-traders-dmat-account-holders-database-44000-sub-brokers-iid-106295300
• http://www.ebusinessindya.biz/
• http://www.mobiledataindia.com/
• http://www.gsquare.biz/data.html

Fresh record price = Rs. 75
Converted customer price = Rs. 150

View from the trenches…

Pick an industry, pick a company
• Large business house gets into the financial services industry with a big bang
• But slightly late in the game
• Huge marketing blitz, offices opened nationwide
• Aggressive marketing, huge ad spends
• Customer base widens
• Assets under management bloats
• In a couple of years, they’re within the top 5 private insurers, equity trading companies, and mutual funds!
• However…

Data all over the place…
• Specific mutual fund purchase records available for a price
• Customers get calls just before their fund payments are due
• Customers get calls to switch funds
• Specific data available:
  • Customer name
  • Cover amount
  • Investment amounts
  • Fund details
  • Personal information
  • Expiry dates
  • And more…
What should the company do to fix this?
Why data isn’t being protected
No one gives a damn!
Where is the customer data? – EquityTrader Example
• Primary Trading system
• CRM
• Business Intelligence system
• Compliance Reporting system
• Backups
• Password Reset system
• Excel
• Flat files
• USBs
• Shared folders!

Who has access to it?
• Front-office
• Back-office
• IT
• Research
• Customer service
• Vendors
• KYC
• Call Center
• Direct Sales Agents (Devil’s in-Security Agents)
• DPs
• Registrars
• Settlement
• Finance & Accounts
• Cleaning Staff??
Ok, now I’m just depressed… But there’s more…
Weak regulatory framework
Unless someone serious starts kicking some serious ass, nothing’s going to change…
• RBI
• SEBI
• AMFI
But what about?
• IRDA
• TRAI
• UID?
• Healthcare??
• Pharma??
• FMCG??
• Retail??
• Government????

Government’s role
• No comprehensive national consciousness on data protection
• Data protection efforts not cohesive – don’t address all industries
• Government endorses data theft and invasion of privacy?
  • Niira Radia tapes
  • Blackberry controversy
  • …

Business comes first!
• Sell more! Expand market share!
• Heavy reliance on limited number of outsourced vendors
• Weak mechanisms to oversee data protection by vendors
• Vendors don’t care…

When things do end up in court…
Judge: IT?!?
Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err…
Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the “cyber expert” we hired told us to do this
Judge: Please continue!
Senior Counsel: Sir, we need a forensic investigation done
Judge: What is that?!? Okay, seal the website!
Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
Here’s how it gets done!
Solutions
Technologies
• Encryption
• Data Leakage Prevention
• Information Rights Management
• Database security solutions
• Audit/Log Management
Stronger regulations
• Stronger laws or stronger enforcement of existing laws
Mindset change
• Data protection does matter!
• It is NOT a technology issue
• Policy and process frameworks must be implemented
• ISO 27001 is not the answer
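As an added illustration of the Audit/Log Management item above (example code written for this page, not from the speaker or from Network Intelligence): a small detector run over constructed CRM access-log lines. It flags the kinds of access the earlier slides hint at, such as a call-center user reading an unusually large number of distinct customer records within an hour, a bulk export by a role that is not permitted to export, and access outside business hours. The log format, user and role names, the export allow-list, the threshold and the business hours are all assumptions made for the example.

```python
"""Flag suspicious customer-record access in a CRM access log.

Example detector for a talk on data theft; every value below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: only these roles may run bulk exports of customer records.
EXPORT_ALLOWED_ROLES = {"compliance", "it"}
# Assumed business hours (local time), start inclusive, end exclusive.
BUSINESS_HOURS = (9, 19)
# Distinct customers one user may view per hour before we alert.
# Kept small so the sample log below trips it; a real value would be tuned.
BULK_THRESHOLD = 5
WINDOW = timedelta(hours=1)

# Constructed sample log: "<ISO timestamp> <user> <role> <action> <customer_id>"
SAMPLE_LOG = """\
2011-03-01T02:15:00 itadmin it VIEW_CUSTOMER C10050
2011-03-01T10:02:11 asharma callcenter VIEW_CUSTOMER C10001
2011-03-01T10:03:40 asharma callcenter VIEW_CUSTOMER C10002
2011-03-01T10:05:02 asharma callcenter VIEW_CUSTOMER C10003
2011-03-01T10:08:19 asharma callcenter VIEW_CUSTOMER C10004
2011-03-01T10:11:55 asharma callcenter VIEW_CUSTOMER C10005
2011-03-01T10:14:30 asharma callcenter VIEW_CUSTOMER C10006
2011-03-01T10:30:07 asharma callcenter VIEW_CUSTOMER C10007
2011-03-01T11:00:00 pverma callcenter VIEW_CUSTOMER C10020
2011-03-01T11:05:00 pverma callcenter VIEW_CUSTOMER C10021
2011-03-01T14:00:00 rmehta dsa EXPORT_CUSTOMERS ALL
"""


def parse_line(line):
    """Split one log line into a dict; timestamps become datetime objects."""
    ts, user, role, action, customer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "action": action,
        "customer": customer,
    }


def detect(lines):
    """Return a list of (alert_type, user) tuples in timestamp order.

    Three rules:
      unauthorised_export  - EXPORT_CUSTOMERS by a role outside EXPORT_ALLOWED_ROLES
      off_hours_access     - any event outside BUSINESS_HOURS
      bulk_record_access   - more than BULK_THRESHOLD distinct customers viewed
                             by one user inside a sliding one-hour window
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    views = defaultdict(list)   # user -> [(ts, customer_id), ...] within WINDOW
    already_bulk = set()        # alert once per user, not once per extra view

    for e in events:
        if e["action"] == "EXPORT_CUSTOMERS" and e["role"] not in EXPORT_ALLOWED_ROLES:
            alerts.append(("unauthorised_export", e["user"]))

        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("off_hours_access", e["user"]))

        if e["action"] == "VIEW_CUSTOMER":
            hist = views[e["user"]]
            hist.append((e["ts"], e["customer"]))
            # Slide the window: forget views older than one hour.
            while hist and e["ts"] - hist[0][0] > WINDOW:
                hist.pop(0)
            distinct = {cust for _, cust in hist}
            if len(distinct) > BULK_THRESHOLD and e["user"] not in already_bulk:
                alerts.append(("bulk_record_access", e["user"]))
                already_bulk.add(e["user"])

    return alerts


if __name__ == "__main__":
    for alert_type, user in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert_type}: {user}")
```

The three rules are deliberately simple; what matters for the argument of the talk is that the access log has to exist, has to record who read which customer record, and has to be reviewed, otherwise none of the roles listed on the earlier slide can ever be held to account.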
Summary
• It is an epidemic, and it is getting worse!
• When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases
• Back to basics approach – thorough risk assessments!
• Identity and access management
• Technologies help, but it has to begin with PPP – Policy, Process, People
• Innovative audit/forensic techniques

Thank you!
Questions / Queries
K. K. MOOKHEY
kkmookhey@niiconsulting.com
NETWORK INTELLIGENCE INDIA PVT. LTD.
www.niiconsulting.com