The ISACA Sri Lanka chapter aims to sponsor local educational seminars and workshops, conducts regular chapter meetings, and helps to further promote and elevate the visibility of the IS audit, control and security profession throughout the area. In line with its mission, ISACA is organising a conference on ‘Securing our big data’. An eminent list of speakers will grace the occasion. CPE credits for this event: 7.
The conference is sponsored by Oracle and CICRA Holdings.
We will be bringing updates from the conference so stay tuned in case you missed out on attending the event.
We are live from Hilton Residencies.
You can get slides from the conference via this link https://app.box.com/s/n7xswsouh9lkquc7ns7k
And that's it from the Big Data conference. Thanks for tuning into the live updates. We will have pictures and video from the event on our Facebook page shortly.
This is diGIT team signing out.
Are there any particular occurrences happening in Singapore? – Parakum asks David.
We have data protection act which will come for commercial too. – David
We are almost done it seems as the panel discussion comes to a conclusion and a token of appreciation being given to Mr Chandralal.
One final draw and we have MD of CICRA up on stage again to select the winner from the raffle. And the winner is Mr Yasas Thilakarathne from LOLC.
Is there a process by which you get feedback from junior personnel on security?
For IT strategy planning, they need to check with the CIO. The board needs backing from the team.
On a bottom-up approach, we need suggestion boxes and similar processes. It's not easy, it might not be 100%, we ourselves might be lagging, but ideas need to be looked at. – Chandralal
A glimpse of final part of panel discussion
Do services like Facebook, Twitter and Skype have their own policies as to how they will keep the data and record the conversations, etc.? – asks Chief Manager IT Ms Maldeni from Bank of Ceylon
If it's a free service they might not; otherwise it would most likely be recorded. – Chandralal
We are now onto the final segment for the evening as we have a brief panel discussion
With that Chandralal concludes his session
Big Data is Here to Stay.
There will be mountains of data
Business would want to maximize the usage
CIOs' challenges are:
We need to mine for new answers
New collection methods
New delivery systems
While Securing it
We should look at
Turning Big Data Challenges into Opportunities
Innovation, scalability, accessibility, and productivity to gain competitive advantage and create substantial value for the organizations and world economy as a whole
Challenges in Big Data
Managing Non relational data stores (NoSQL)
Handling Unstructured data (text/Video)
Securing data storage & transaction logs (auto-tier)
Endpoint input validation & filtering (SIEM)
Realtime Security / Compliance Monitoring (Access Control)
Privacy in Data Mining / Analytics (pay)
Reduced civil freedom
Increased control (corporate & state)
Data Access control (sensitivity)
Some Challenges Faced by IT
E-Life vs Security Threats
Ease of use vs Enterprise security
Self-service and self-provisioning
IT staff to do higher-value activities than managing user accounts
Multifaceted approach to defense that employs several security technologies
Measuring the effectiveness of Information security
Factors driving Information Security
Security Process Advantages
Change Management – Control the business losses and react or resolve quickly
Incident Management – Identify root causes and plan preventive measures
Availability Management – Plan resources accordingly
Access Management – Design and control business usages, propose business suggestions
IT Configuration Management – Business requirement, Resource planning, Problem identification
Patch management – Prevention of exploits
IT Governance, Risk and Compliance Programmes – Assurance, Collaboration
Strong User Authentication – Protection of Identity
Prevent Insider Attacks – Business Continuity.
Technological Advantages of Information Security
DLP – Compliance, Employee awareness, business balance, malicious activity detection, Protection of Intellectual property
SIEM – Compliance Automation, Operational Efficiency, Proactive measure and quick reactions, Dashboards
Mail Gateway – Save time for business users from SPAM emails
Web Gateway – Effective resource planning, controlled business usage
Identity & Access Management – Quick access Provisioning & De-Provisioning
Encrypting data transmission via public networks – Protection of Business Data
Use of licensed software – Reputation, Business Continuity, Legal
Vulnerability Assessment / Penetration Testing – Security Assurance
Intrusion Detection and Prevention – Security Assurance
Network Access Control – Security Assurance
Application Security – Reliable Business usage, protection of data
Remote-Access or Site-to-Site VPN – Agility to business
Device Control – Control business usage, Business data loss prevention
Antivirus – Protection of Assets.
Contingency Plans – Disaster Preparation & Recovery Plan
BCP – time, location & type of disaster based
Outsourcing Providers’ BCP/DR
Service Provider BCP/DR
Back up Service Providers.
Information Security Awareness and Privacy Training Programs
Provide higher level of protection for assets
Improve employee morale
Protect and enhance your organization’s reputation and brand
Protect customer and corporate information
Reduce the potential for lawsuits & exposure to prosecution
Disciplinary action against those who don’t comply with information security rules.
Cloud Computing Policies
Security on the network
Data integration (encrypting etc)
Social Media Security Policies
Internal & external communication – who maintains it?
Employees wanting to use Facebook, Twitter, YouTube etc
Cost vs ???
3rd wave of capitalism
Corporate social media
Enterprise Social Media Strategy
Collaboration & Idea generation.
Mobile Device Security Policies
Whether we like it or not, employees bring mobile devices to the workplace
Smartphones, BlackBerrys, iPads, iPhones, etc.
Organisations want people to be productive
Mobile device management – embrace change or be left behind
Mobile workforce management
Mobile device & data security
Information Security as part of Business Strategy
- Information Security to be an important part of the IT Strategic Plan
- Information Security Budget
- Justification of IT Security spending % increase against rising costs
- IT Security staff salaries are increasing at a high rate
- Qualified, experienced & up to date IT Security staff?
- Getting the right people in the IT Security team
- In house vs outsourced/contracted
- Board level backing
- Help business managers to ensure that security is a priority in every technology project
- Internal whistleblower policy.
Types of Information Security related Compliances IT Facing today
Regulator – comes down hard on all of us, no negotiation, only thing can be done is maybe extend.
Regulator Agencies – crib
Payments & Settlement Agencies – e.g. swift bureau, nothing negotiable, they tell us what to do
Risk Function – Operation, market risk
These are the challenges the CIO and the IT team face.
How IT Security Add Value to Business
What is Security?
The state of being free from danger or threat.
When do we consider it’s important to focus on Security?
Isn't it the same with IT Security?
We had many challenges at Amana Bank. Regulator hurdles. – Chandralal
Agenda for this session is as follows:
Amana Bank & Banks CIO Forum
Value delivery from information Security Projects
Compliances IT Facing today
Information Security as a Business Strategy
Information Security Policies and Practices
Information Security Awareness
Challenges Faced by IT
Challenges in Big Data
Chandralal reads out the following to the audience:
“Technologies change business rules. Technologies drive innovation. And we, in our IT leadership, must handle these changes while delivering excellence in managing everything else in our technology products and services stacks. We have to be really good at mobile, social, analytics, collaboration, consumerization, etc, while making sure that we don’t let ourselves get bad at network, CRM, ERP, desktop management, service level management, etc. And we somehow have to do all of this faster than ever, lest we slow down the organization by becoming bottlenecks.”
– Niel Nickolaisen CIO
We now have Chandralal Wickramapathirana, CIO – Amana Bank with his session on ‘Value Delivery from Information Security Projects’
Managing Director of CICRA will now pick from the raffle and the winner is J A Asoka Jayasinghe, Assistant General Manager Bank of Ceylon. Priyantha Bandara also wins from the raffle.
A token of appreciation is now being presented to Dhamithra
Dhamithra now concludes his session and opens floor for few questions
What you should consider?
- Single Compliance Dashboard of your DB infrastructure (Heterogeneous Support)
- Application Transparent without performance tradeoffs
- Standardize and Automatically Apply Policies (DB Life Cycle)
- Information Life Cycle Management
- Proactively Alerted if Policies are Changed or violated
- Complete, Current, Correct and Secure Audit Data
- Proactive Alerting and Customizable Reporting
Heterogeneous Database versions and brands
Unable to automate DB Policy Application (DB Life Cycle)
Tens to hundreds of databases, all with auditing switched on but no time to check the logs
Incident happens long before it is detected
Audit logs sit on servers where they can be tampered with – not secure
Database Audits are costly
Managing the audit from source to report is complex with many processes like collecting audit data, cleaning up audit logs, collating information and finally presenting this information in a report.
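Two of the challenges above, audit logs sitting on servers where they can be tampered with and nobody having time to read them, can be addressed in a simple way that the slides do not spell out: chain each audit record to its predecessor with a hash, and scan the chain for actions that policy says must be reviewed. The Python below is an added illustration written for this page; it is not Oracle's audit vault or any product the speaker showed. The record fields, the sample events and the list of alert-worthy actions are all assumptions made for the demo.

```python
import hashlib
import json
from typing import List, Optional

GENESIS_HASH = "0" * 64

# Actions a reviewer should see promptly. Assumed policy for the demo.
ALERT_ACTIONS = {"GRANT", "REVOKE", "DROP", "ALTER"}

# Constructed sample events (user, action, target); not real audit data.
SAMPLE_EVENTS = [
    ("app_svc", "SELECT", "customers"),
    ("app_svc", "UPDATE", "accounts"),
    ("dba_jane", "GRANT DBA", "contractor_x"),
    ("app_svc", "SELECT", "customers"),
    ("dba_jane", "DROP TABLE", "audit_trail_2012"),
]


def canonical(record: dict) -> str:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record).encode("utf-8")).hexdigest()


class AuditChain:
    """Append-only audit log where each record commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []  # each entry: {"record": {...}, "hash": "..."}

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, user: str, action: str, target: str) -> str:
        record = {
            "seq": len(self.entries),
            "user": user,
            "action": action,
            "target": target,
            "prev": self.head(),
        }
        h = record_hash(record)
        self.entries.append({"record": record, "hash": h})
        return h


def verify_chain(chain: AuditChain, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if intact.

    Checks sequence numbers, each record's stored hash, and each record's link to
    its predecessor. If expected_head (the latest hash, as copied off the database
    server) is supplied, a chain that was truncated but is otherwise consistent is
    reported at index len(entries)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(chain.entries):
        rec = entry["record"]
        if rec["seq"] != i or rec["prev"] != prev or record_hash(rec) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain.entries)
    return None


def policy_alerts(chain: AuditChain) -> List[int]:
    """Sequence numbers of records whose leading action keyword is on the alert list."""
    return [
        e["record"]["seq"]
        for e in chain.entries
        if e["record"]["action"].split()[0].upper() in ALERT_ACTIONS
    ]


def build_sample_chain() -> AuditChain:
    chain = AuditChain()
    for user, action, target in SAMPLE_EVENTS:
        chain.append(user, action, target)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None, "alerts at:", policy_alerts(chain))
    chain.entries[2]["record"]["action"] = "SELECT"  # an insider edits the GRANT away
    print("first bad entry after tampering:", verify_chain(chain))
```

The reason verify_chain checks the link as well as the hash is that an insider who rewrites a record and recomputes its hash still breaks the `prev` value stored in the next record; only rewriting every later hash hides the edit. That is why the head hash should be copied somewhere the DBA cannot write, such as a write-once store, a separate audit vault or a signed daily report, and handed to verify_chain as expected_head so that silently dropping the newest records is caught too.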
Common Database Threats
- Missing Patches
- Excessive Privileges
- Web application attacks (SQL injection)
- Insider mistakes
- Weak or non-existent audit controls
- Social engineering
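The SQL injection item in the list above is the one threat here that can be reproduced in a few lines. The Python example below is added for illustration and is not from Dhamithra's slides or from any product. It builds an in-memory SQLite table with constructed sample rows, then runs the same lookup two ways: one that splices the caller's input into the SQL text, and one that binds it as a parameter. The table and column names are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not real users).
SAMPLE_USERS = [
    (1, "alice", "ops"),
    (2, "bob", "finance"),
    (3, "admin", "dba"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with an assumed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the caller's input becomes part of the SQL text.

    Whatever the user types is parsed by the database as SQL, so quotes,
    OR-clauses and comment markers change the meaning of the query."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the SQL text is fixed and the input is bound as a parameter.

    The driver passes the value separately from the statement, so it can only
    ever be compared against the column, never executed."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: a tautology that matches every row, and a comment
# marker that truncates the query right after a chosen username.
TAUTOLOGY = "' OR '1'='1"
COMMENT_TRUNCATION = "admin'--"


def demo() -> dict:
    """Run both lookups against both payloads and return what each gives back."""
    conn = setup_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "safe_tautology": len(lookup_safe(conn, TAUTOLOGY)),
        "vulnerable_truncation": lookup_vulnerable(conn, COMMENT_TRUNCATION),
        "safe_truncation": lookup_safe(conn, COMMENT_TRUNCATION),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the vulnerable lookup the tautology returns every row and the comment payload returns the admin account without knowing anything about it; the parameterised lookup returns nothing for either, because the bound value is compared literally. In the talk's terms, parameterisation at the application tier and a least-privilege database account for the application (so that a successful injection cannot reach other schemas) are the preventive controls; auditing the query stream, as the earlier slides describe, is the detective one.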
Moving on to the next topic in the agenda, why audit?
- Compliance Mandates It
- SOX, PCI-DSS, HIPAA, PII/SPI, …
- You don’t want to end up in the news
- Maintain customer trust
- Your auditor told you to do it
Databases Account For 92% Of Records Stolen!
Organizations are not Protecting Themselves
96% of breaches in 2009 were avoidable through simple controls
79% of organizations with credit card data breaches in 2009 failed their last PCI audit
41% of successful attacks in 2009 involved script kiddie skills or less.
85% “not considered highly difficult”
48% of attacks were insiders abusing privileges
70% were executed by non-technical employees
Dhamithra Jayasuriya presenting at the conference
We need to protect the data at the source – Dhamithra
What are the technologies deployed
Landscape Looking Ahead
- Vanishing perimeter dissolves insider/outsider differences
- Data Consolidation, Big Data Initiatives
- Public/private cloud, partner, Globalization
- Sophisticated hacking tools, bot networks, hacker supply chains
- Cyber terrorism and warfare sponsored by nation states
- Databases to become a prime target
- Focus on protecting data at the source
- Defense in depth
- Moving from Detective controls to Preventive Controls
- All countries and states joining in protecting PII data
The 2000-2010 Decade Landscape
- Almost all applications online, highly available and scalable
- Centralized applications, Outsourcing, offshoring, Third Party Service Providers
- First SQL Server Database worm (SQL Slammer, 2003); SQL Injection introduced (Oct 2000)
- Advanced Persistent Threats (APT); Automated SQL injection attacks; DIY tools
- Heartland (100M+), TJ Maxx (45M+), RockYou pwd database (32M)
- Predominantly desktop (anti-spam, anti-virus, laptop encryption) & perimeter (FW, SSL, VPN)
- Multiple isolated point security solutions
- SOX (2002), C-SOX (2003), J-SOX (2006), Australian CLERP-9 (2004), …
- Payment Card Industry (PCI-DSS 1.0 in 2004; 2.0 in Oct 2010)
- California’s breach disclosure laws (2003); MA passes Data Privacy Law (Mar 2010)
- Applications quickly getting web enabled without security considerations
- World moving from 2-tier to 3-tier
- Hackers driven by fame
- Well-trusted insiders
- Network firewall
- Anti virus software
- HIPAA (1996), Privacy rule 2003, Stronger provisions with HITECH (2009)
- European Union Data Protection Directives (1995, 2000, 2002, 2005): Personal data a fundamental right
Agenda for Dhamithra’s session is as follows:
Walking through the threat lane
What needs to be audited?
Addressing the Challenges
We just had a raffle draw and Madushani Attanayaka from SriLankan Airlines just walked away with the prize.
We are back after the lunch break. We have Dhamithra Jayasuriya, Senior Solutions Consultant with presentation on ‘Database Auditing & Security Best Practices’
We are back after a heavy lunch. We have 2 more speakers and then a panel discussion.
A token of appreciation is now given to the people in the panel discussion. And with that we break for lunch! We should be back in about 30-45 mins. Do join us then.
We are almost done with the panel discussion
You can’t classify everything as confidential; is my lunch with a friend organised via email confidential? So we need to identify all that we have done and see which ones need to be classified. We also need to look at encryption. That is the ecosystem needed. – Sujit
We should focus on detection; you need to enforce implementation. With Oracle, we focus on the back end. – David
Privacy, good thing to talk about, but enforcing is tough- Sujit
Central Bank is already creating guidelines so that you can do banking using your sim. – Sujit
Should there be a social media policy?
Yes policy guidelines should be there with the guidelines, all depends on the sector and field. How fast you want to respond, what action to take, accountability, all these need to be defined – Parakum
The panel discussion happening now
Cost-benefit analysis is what we need to look at. Regulations are also important; regulatory monitoring is also expensive. – Sujit, answering the question raised by @MUZ_N.
What an organisation needs is to understand the framework and learn its points, so that it can proceed step by step and put big data to best effect.
Question from twitter follower
How capable is our IT infrastructure in SL to capitalize on #BigDataLK? If it’s advanced, which sector is most geared? Telco, banks? – @MUZ_N
Now we move onto the panel discussion
Sujit concludes his session with a quote by President Abraham Lincoln
“The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty and we must rise with the occasion. As our cause is new, we must think anew and act anew.”
So in summary: “Big data is the frontier of an organization’s ability to store, process, and access (SPA) all the data it needs to operate effectively, make decisions, reduce risks, and serve customers.”
Sujit says that big data enhances identity verification.
Sujit presenting to the audience
Now Sujit shows a Doomsday Preppers video to the audience. It’s a pretty interesting video about NSA activities.
How to Solve the “Big Data” Security Problem
How Does a Security Organization Handle Exponential Growth in Data?
More granular data required to address APTs and other threats
New categories of data – performance, network traffic, and more
Data from new applications, systems and technologies
Data over longer periods, both to satisfy compliance and detect patterns
Sujit talks about Gauss.
Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:
- Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history
- Collecting information about the computer’s network connections
- Collecting information about processes and folders
- Collecting information about BIOS, CMOS RAM
- Collecting information about local, network and removable drives
- Infecting USB drives with a spy module in order to steal information from other computers
- Installing the custom Palida Narrow font (purpose unknown)
- Ensuring the entire toolkit’s loading and operation
- Interacting with the command and control server, sending the information collected to it, downloading additional modules
The prelude to “destructive” attacks are “disruptive” attacks, which incidentally appear to be coming from nations that sponsor terror
Big Data is about the ability to extract meaning from massive volumes of disparate data.
It is so much more than just having a lot of your or someone else’s data.
THE CHALLENGE IS TO DERIVE MEANING FROM 100% OF BIG DATA
You cannot disregard any information saying its not valuable.
Big Data is made of structured and unstructured information
- Structured information is the data in the databases and is about 10% of the story
- Unstructured information is 90% of Big Data and is human information like emails, videos, tweets, Facebook posts, call center conversations, CCTV Footage, mobile phone calls, web clicks
What is big data?
“Data sets whose size is beyond the ability of commonly used software tools to capture, manage and process the data within a tolerable elapsed time”
Big Data = Big Exposure
Now we have Sujit Christy,Director – Professional Services, Layers-7 Seguro Consultorίa Private Limited
With that Parakum concludes his presentation. And now we have a raffle draw, an ISACA t-shirt for one lucky person in the audience. David is selecting the winner, and the winner is Samantha Siriwardene from John Keells Stock Brokers.
U post all of your drama on facebook then get upset when people judge u? U must be special kind of stupid.
We use it professionally and personally
Inability to control
What if we don’t use it
We fear what we don’t know?
Parakum shares a video of John Mcafee (viewer discretion advised)
Parakum tells how some items you put on Facebook are there permanently. He says: ‘Go on Facebook, upload a few pics to an album, see the permanent link of it, then delete the album. Now open the permanent link and you will notice that the pic would most likely still be there.’
Parakum mentions about an MIT project – Immersion – a people-centric view of your email life https://immersion.media.mit.edu/
Parakum shows to the audience the power of Facebook graph search and how privacy is affected
Parakum shares a google glass demo video
Parakum says you can see what google has about you. He shares some of the info that google keeps track of
Parakum shares a pic. You might have noticed this image regarding the jokes about NSA activities.
Parakum addressing the audience at the conference
Parakum shares remarks made by Eric Schmidt at the Techonomy conference in 2010:
- “There was 5 exabytes of information created between the dawn of civilization through 2003…… but that much information is now created every 2 days, and the pace is increasing…People aren’t ready for the technology revolution that’s going to happen to them….“
- “If I look at enough of your messaging and your location, and use Artificial Intelligence,” Schmidt said, “we can predict where you are going to go.”
- “Show us 14 photos of yourself and we can identify who you are. You think you don’t have 14 photos of yourself on the internet? You’ve got Facebook photos! People will find it’s very useful to have devices that remember what you want to do, because you forgot…But society isn’t ready for questions that will be raised as result of user-generated content.”
Who is Parakum Pathirana?
We are back after the break. And the compere is introducing the Vice President of ISACA Parakum Pathirana, Head of IT Security & Compliance/ Principal Consultant – LOC Technologies
And with that David concludes his session as we go in for a short break, back soon
A summary of database security; a good image for anyone looking into securing big data
Approach is Prevention, Detection, Administration
From mistakes to attacks
Some of the audience attending the conference today
How secure are databases?
66% sensitive data resides in relational databases
- David (IOUG Survey Results 2012)
David highlights the security layers that will protect against the attacks that are coming
Now David moves onto ‘Defense-in-Depth Approach’
David is now showing a clip from ‘Lord of the Rings’ to the audience!
A privacy movement is happening and should come to your area too soon. Many countries have started it.
If you noticed our updates from yesterday’s speech by Prof Induruwa, he mentioned Stuxnet, here again David enlightens about stuxnet worm
Anonymous Steals 40GB User Data from AAPT
Message from Anonymous – “You want to trust these ISPs with your data? When they can’t even keep it secured?! If I were you, I wouldn’t trust anyone but myself with my data.”
David shows a news item which is eye opening to many in the banking sector.
$45 million stolen in 21st century bank heist
10 May 2013 1:38 PM
NEW YORK: Cyber thieves around the world stole $45 million by hacking into debit card companies, scrapping withdrawal limits and helping themselves from cash machines, US authorities said. … sophisticated hackers organized … criminal cells whose role is to withdraw the cash as quickly as possible.
In the initial stage, taking several months, sophisticated hackers looking into databases of prepaid debit cards, a tool used often by employers and aid organizations. Breaking into the system, the hackers eliminated withdrawal limits imposed by banks. The hackers next distributed the debit card numbers to its street associates called “cashers,” who loaded other magnetic stripe cards, like gift cards, with the stolen data. Finally, the cashers were given stolen PIN numbers and sent to harvest the loot, going from ATM to ATM and withdrawing as much cash as they could for the … In the space of 10 hours, casher cells in 24 countries conducted some 36,000 transactions, withdrawing $40 million from ATMs.
… scope of the alleged crime by thanking authorities from more than a dozen countries: Belgium, Britain, Canada, the Dominican Republic, Estonia, France, Germany, Italy, Japan, Latvia, Malaysia, Mexico, Romania, Spain, Thailand, and the …
David enlightens about shadowcrew
- Delivery vs. Development : Moving from perpetrating breaches to building tools for attacks. 63% of all malware customized for attack
- Opportunity & Automation : 83% “Targets of opportunity”. “Higher proportion of automation” in attacks
- Breaches vs. Records :Movement away from records delivery ..
David moves on to ‘Security and Privacy Challenges’
“In digital age, data is the crown jewel that represents a substantial portion of the organization’s asset value”
From a data simulation we move to what makes it big data.
Data is the compass, analytics is the map
In the 2012 presidential election
Obama had 14 million email addresses, 12 million Twitter followers and 25 million Facebook fans.
Romney, on the other hand, had 1.5 million Facebook fans and 375,000 Twitter followers.
Big data came to play
Onto another case study is the US Presidential campaign in 2008.
Obama was an underdog in the campaign, so with a limited budget he grew his popularity, starting with just a few people gathering and ending with thousands. How did they join in? They had a website where they got people to register and spread the word. Through the information gathered they were able to target people specifically. How was this possible? Big data at play.
David mentions a case study where ‘Target’ figured out a teen girl was pregnant.. before her father did
Target used data mining on purchase history to determine if a woman is pregnant long before she starts to buy diapers
And we have our first speaker, David Warnowidodo, Senior Manager, Enterprise Security – ASEAN + SAGE
A glimpse of the podium
We are about to get things underway. Stay tuned for regular updates