
In association with

Presented by

Supported by

GLOBAL CYBER SECURITY OUTLOOK
A.K.Vishwanathan, Senior Director Enterprise Risk Services, Deloitte India

SEPT 19, 2014

Hotel Digital Security Seminar

A.K.Vishwanathan
Vis is a Chartered Accountant, has a

Certified in Risk and Information Systems Control (CRISC) and a member of the Information Systems Audit and Control Association (ISACA).

He has advised large organisations in their endeavour in information security and controls, and led risk consulting in complex environments and regulated industries; specifically banking and financial services, telecom, manufacturing, oil and gas, pharma and life sciences and government sector.

Hotel Digital Security Seminar & Webinar, Sept 19, 2014


By X Events Hospitality (www.x-events.in)

Agenda

Current state
Case study
Solutions
Way forward


Current state


Recent trends in India


Source: NCRB (National Crime Records Bureau)

Over 35% of Indian organizations across various sectors have engaged in corporate espionage.

Nearly 14,000 websites were hacked by cyber criminals till October 2012, an increase of nearly 57% from 2009.

[Chart: Number of Cyber Crimes under IT Act, 2008 to 2013]

81% of the CXOs in these sectors indicate an increase in information security spending over the coming few years.

Website of Indian Embassy in Tunisia hacked in retaliation to the terrorism attack on Karachi Airport in June 2014. The embassy website was hacked by a group called Hunt3R.

Key information security challenges: Pain areas

The following are the key information security challenges facing major organizations in India.

01 Cyber Spying
Illegal interception of government data by foreign countries. NSA has been alleged to plant bugs in Indian embassy in Washington DC.

02 Virus and Trojans
Infection of government IT systems with malware that gives control to the hackers. Government of India IT systems infected by Conficker worm in 2008 causing multiple crashes and downtime.

03 Data Theft
Insecure storage of GOI data leading to unauthorized access by hackers and spies. Alleged Chinese hackers in 2010 hacked into GOI systems to access National Security Council data.

04 Cyber Terrorism
Hacktivism attacks on GOI websites leading to reputational damage. Multiple foreign country hackers were responsible for hacking of websites of GOI.

05 Phishing & Identity Theft
Phishing attacks targeted towards GOI employees to steal identities and data. GhostNet attacks on Indian Government employees were conducted through spear phishing attacks.

CIA:
Confidentiality: Sensitive content and privacy of data
Integrity: Unauthorized modification of data
Availability: Multiple points in the IT infra preventing single point of failure

Source: Times of India

Understanding cyber threats


The modern cyber threat landscape has evolved over the years. Applications and IT infrastructure are core pillars of today's business. Security of the core shall ensure security of the business.

- Actors with differing motives and sophistication, often colluding with each other
- Organizational boundaries have disappeared: anytime, anyhow, anywhere computing
- Attacks exploit the weakest link in the value / supply chain
- Data is money: the criminal underground makes for easy monetization
- Traditional controls are necessary but not adequate
- Regulators and government are key stakeholders with ever increasing focus

- Loss of PII data, customer data, sensitive and confidential company data.
- Availability of an organization's information is crucial, and loss of it could impact critical business functions.
- Criminals pilfer PII data for identity theft, leading to potential damages to customers.
- Breach of integrity could result in complete breakdown of trust in the organization. Brand reputation gets affected majorly, leading to loss in revenue.
- Losses resulting from leakage of backend customer data will impact customers' trust in the brand.
- National Cyber Security Policy formulated with focus on capability building at Nation level.

Industry view: Indian sector view

Sensitive information handled: Internal strategic & Customer Confidential

Hotels
- Visitor name, address, contact details, unique identification numbers or documents: Passport, PAN card, Driving License, Credit card etc.
- Hotel billing details such as billing and payments, outstanding bills etc.
- List of No. of Rooms occupied/vacant, pre-booked rooms, etc.
- Vendors/Supplier details, contract details, outstanding payment details

Airlines
- Passenger Name, contact details, passport, visa details etc.
- Flight details such as no of passengers and crew, passenger and crew personal details, city and time of departure and arrival etc.
- Flight details such as details of flight status, flight maintenance details, etc.

Travels & Tourism
- Tourists Name, Address, Contact Details and unique identification numbers or documents
- Tourist travel details such as mode of travel, destination city, duration of stay and accommodation details.
- List of strategic tie-ups and related financial records with the organization

Industry view: Indian sector view

Concerns

Hotels
- Absence of security compliance for information related controls
- Compliance controls on basis of the quality controls only

Airlines
- Regulatory compliances in terms of financial or business controls
- Absence of security compliance for information related controls

Travels & Tourism
- Absence of security compliance for information related controls
- Compliance controls on basis of the quality controls only

Security initiatives in HATT sector
- Regulatory implications drive security approach. Initiatives are taken by management to drive security in the organizations
- Absence of regulatory requirements provides ground for laxity in security initiatives within organization

Paradigm shift: Info security mgt.


Key questions to consider:

Strategically
Do you have a cyber security strategy including a clear cyber governance framework?
How are you evaluating and managing cyber risk?
Is the existing risk framework adequate to address the changing threat landscape?
How structured and well-tested are your existing incident response and crisis management capabilities?

And tactically
What is leaving our network and where is it going?
Who is really logging into our network and from where?
What information are we making available to a cyber adversary?


Case study


Operation hangover
Recently attackers of unknown origin conducted a large hacking operation on multiple companies from servers hosted in India.

1 Attacker creates a malicious attachment in PDF file and sends it to an unsuspecting and unaware foreign government employee. The malware is signed using certificates purchased by a company in New Delhi, India.

2 The user gets infected with malware that acts as a backdoor to his system. The attacker is able to pivot from his system to conduct further attacks in the network.

3 All data stolen from the company is stored on a server hosted in India with domain names similar to large ecommerce sites in India. These forms of operational security measures indicate an attempt by the attackers to hide the operation in plain sight.

[Diagram labels: Target Employee in the Victim Company; Server hosted in India]

Source: Norman ASA

Leading hotel chain in the USA


A leading US hotel chain was breached by hackers from 2009 to 2010, resulting in the theft of 700,000 customers' information. They were breached 3 times in the period during which this information was siphoned out.

Key Security Flaws (as per FTC report)
1 Absence of Firewalls
2 Default username and passwords
3 Weak access controls for remote sites
4 Failure to conduct regular reviews

Implications
- FTC sued the organization for loss of customer information
- Organization has failed to have the case dismissed
- Investigations proved major non compliance to PCI DSS requirements by organization locations
- 10.6 mil USD was estimated cost of data breach

Source: Media Reports

Hospitality industry
Hospitality, Airlines and Tourism industries depend on exhaustive branding and marketing efforts for sale of their services. Any impact on their IT infrastructure, websites or data that gets published in the media has a direct effect on their revenue and core business sales.

Leading Airlines in US

Incident
- The airline's vendors were breached by hackers, leading to disclosure of internal employee information and customer information.
- The data breach was investigated, however with no conclusive root cause analysis.

Impact
- Multiple news reports on the data breach got published, leading to branding and reputational risks for the airlines.

It takes an average of 156 days for businesses to realize that a breach has occurred (Trustwave)

43% of CXOs report that negligent insiders are the source of the majority of the breaches (IBM)

Source: Media Reports


Way Forward


Cyber security mgt: Methodology



Cyber security: Maturity model


[Figure: Cyber Security Maturity Levels, Level 1 to Level 5. Stage labels on the figure: Blissful Ignorance, Proactive Threat Management, Transformation, Operational Excellence. Capabilities shown for each area:]

Brand Monitoring: Basic Online Brand Monitoring; Situational Awareness of Cyber Threats; Online Brand & Social Media Policing
E-Discovery & Forensics: Ad Hoc System / Malware Forensics; Automated Malware Forensics & Manual Electronic Discovery; Automated Electronic Discovery & Forensics
Intelligence Collaboration: Ad-hoc Threat Intelligence Sharing with Peers; Government / Sector Threat Intelligence Collaboration; Global Cross-Sector Threat Intelligence Sharing
External Threat Intelligence: Commercial & Open Source Threat Intelligence Feeds; Criminal / Hacker Surveillance; Baiting & Counter-Threat Intelligence
Internal Threat Intelligence: Traditional Signature-Based Security Controls; Periodic IT Asset Vulnerability Assessments; Automated IT Asset Vulnerability Monitoring; Targeted Cross-Platform User Activity Monitoring; Tailored & Integrated Business Process Monitoring
Behavioural Analytics: Network & System Centric Activity Profiling; Workforce / Customer Behaviour Profiling; Real-time Business Risk Analytics & Decision Support
Training & Awareness: Acceptable Usage Policy; General Information Security Training & Awareness; Targeted Intelligence-Based Cyber Security Awareness; Business Partner Cyber Security Awareness
Cyber Attack Preparation: IT BC & DR Exercises; IT Cyber Attack Simulations; Business-Wide Cyber Attack Exercises; Sector-Wide & Supply Chain Cyber Attack Exercises
Asset Protection: Basic Network Protection; Ad Hoc Infrastructure & Application Protection; Enterprise-Wide Infrastructure & Application Protection; Identity-Aware Information Protection; Adaptive & Automated Security Control Updates
Security Event Monitoring: IT Service Desk & Whistleblowing; Security Log Collection & Ad Hoc Reporting; 24x7 Technology Centric Security Event Reporting; External & Internal Threat Intelligence Correlation; Cross-Channel Malicious Activity Detection

Way forward: Cyber security v2.0


A forward-looking approach to developing your organization's cyber security capabilities is needed to ensure on-going cyber threat mitigation and incident response.

About us
X Events manages & supports events exclusively for the hospitality & travel industries. Our USP is that we are hoteliers by training. We focus on the two most important aspects of an event: content quality and impact. We do it because we believe in it.
www.x-events.in

HATT is India's young and premium community for CXOs from the Hospitality, Healthcare, Aviation, Travel and Tourism industries. With over 1,000 members across India, we are now poised to expand globally with a presence in South East Asia and the Middle East by 2016.
www.hattforum.com
FB/hattforum

Our host Brian Pereira


Brian is a veteran technology journalist with two decades of experience. He has served as editor for two magazines: CHIP and InformationWeek India. He is a respected speaker & host at conferences worldwide.

In his current role at Hannover Milano Fairs India, Brian serves as project head for CeBIT Global Conferences, the world's largest ICT fair that will debut in India this November, in Bangalore.

The seminar schedule


Five expert speakers

1. Latest threats in digital security (Worms, attacks, viruses, flaws) - Santosh Satam, CEO, SecurBay Services.
2. The immediate action needed to tighten up (Priority list, cost, internal policies) - Ambarish Deshpande, MD - India & SAARC, Blue Coat
3. Information loss prevention (Principles & practices) - Geet Lulla, VP - India & ME, Seclore
4. How to build a business case & get the management's attention - Dhananjay Rokde, CISO, Cox & Kings Group.
5. Global cyber security outlook - A. K.Viswanathan, Senior Director - Enterprise Risk Services, Deloitte India.


Thank You
