Chai Pe Charcha Meetings
Thinking Digital Security
Meet held on 07 May 2017 at Starbucks, BKC, Mumbai
44 registered and 22 attended. The following (in alphabetical order):
Aashish Kunte, Amar Thakare, Apurva, Ashwin Choudhary, Dinesh Bareja, Gaurav Batra, Harshad Salvi, Hemang Soni, Imran Mohammed, Kartik, Khaarvel Parakh, Lalit Vazirani, Manasdeep, Narendra, Prem K Gurnani, Rakesh Goyal, Sachin Yadav, Saloni Verma, Sanjay Rajak, Smith Gonsalves, Tushar Parab, Vikas Naik
MAIN POINTS HIGHLIGHTED DURING THE DISCUSSIONS (SUGGESTIONS AND EXPERIENCE SHARED IN GENERAL)
The topic for the day was CII with focus on BFSI and discussions brought forth the following challenges / issues / threats / risks:
- Talking from experience, it was shared that many entities do not have version control or incident response capability. There are many touch points, internal and external, to databases, but no visibility on how each entity (or unit) connects to the BFSI entity or how they secure themselves.
- Version verification should be done at the server level and not on the app / mobile end. The bank’s responding server should reject old unpatched versions. An example was of an investigation into a fraud which revealed that the customer was using a previous version of the app and was compromised since only the latest version had been patched.
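One way to implement the server-side check described above, as an added example that is not part of the meeting notes: the banking API gateway reads the version the app reports, compares it against the oldest build that carries the security fix, and refuses to serve anything older. The header name (X-App-Version), the minimum version and the sample requests are constructed for illustration. Versions are compared as numeric tuples, not strings, so that 2.10.0 is correctly treated as newer than 2.9.0; a missing or malformed header is rejected rather than waved through. The reported version is self-declared by the client, so this enforces the policy for genuine app builds; it does not by itself prove which binary is talking to the server.

```python
"""Server-side minimum-app-version enforcement.

Added example (not from the meeting notes). Assumes the mobile app sends
its version in an X-App-Version header on every request; the header
name, the version numbers and the sample requests are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed policy value: oldest build that contains the security patch.
MIN_SUPPORTED_VERSION = "2.4.1"

# Accept only MAJOR, MAJOR.MINOR or MAJOR.MINOR.PATCH made of digits.
_VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Returns None for anything that is not a well-formed version so that a
    missing or tampered header is never accidentally treated as 'new'.
    """
    if text is None:
        return None
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:          # pad '2.4' to (2, 4, 0)
        parts.append(0)
    return parts[0], parts[1], parts[2]


def check_app_version(headers: Dict[str, str],
                      minimum: str = MIN_SUPPORTED_VERSION) -> Tuple[int, str]:
    """Return an (HTTP status, message) pair for an incoming request.

    200 lets the request proceed to the real banking API, 426 Upgrade
    Required tells an old client to update, and 400 rejects requests that
    carry no usable version at all.
    """
    floor = parse_version(minimum)
    if floor is None:
        raise ValueError(f"bad minimum version policy: {minimum!r}")

    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    reported = parse_version(lowered.get("x-app-version"))
    if reported is None:
        return 400, "missing or malformed X-App-Version header"
    if reported < floor:
        shown = ".".join(str(n) for n in reported)
        return 426, f"app version {shown} is below minimum {minimum}; update required"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: patched client, unpatched client,
    # a client newer than the policy, and a request with no header.
    samples = [
        {"X-App-Version": "2.4.1"},
        {"X-App-Version": "2.3.9"},
        {"x-app-version": "2.10.0"},
        {},
    ]
    for hdrs in samples:
        status, msg = check_app_version(hdrs)
        print(f"{hdrs!r:40} -> {status} {msg}")
```

The gateway should run this before any authentication or transaction logic, so an unpatched build cannot even reach the login endpoint; raising MIN_SUPPORTED_VERSION is then a single configuration change when the next fix ships.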
- For use at end points banks should purchase only approved / authorized biometric devices.
- There are many regulatory mandates in place now with each iteration being better than the previous one. However, there needs to be a process to evaluate how effectively this mandate is being followed which can be done by prescribing a maturity model.
- Regulators or a central body should draft standards for auditors (on the lines of ICAI).
- At present, as a cost saving measure, most BFSI entities are using cloud services and they should ensure that these 3rd party vendors are audited. Experience has shown that such audits are skipped because of the general impression that the cloud provider is a “big and renowned” company, so how can we audit them! As part of the contract the BFSI entity should insist on (at the very least) (i) inclusion of a “right to audit” clause; (ii) the infrastructure / cloud architecture; (iii) incident response assurance, with a review of how the cloud provider responds; (iv) forensic capability. In addition, the BFSI entity should work with the vendors to clearly define and disclose their roles and responsibilities, and must monitor / review SLAs for security in addition to all other business issues.
- BFSI entities should invest in the right technologies (e.g. deception / honeypots / SIEM etc.) after a needs evaluation; smaller entities will be best served by MSS. Entities should develop the right playbooks for IR teams and conduct regular exercises.
- Regulators should bring in (i) Breach disclosure norms; (ii) Information sharing platform
- In order to assist smaller banks in raising their security posture, they should explore (i) DR on demand; (ii) raising awareness levels for security and processes.
- BYOD, IoT, blockchain, ML, AI, Robotic Process Automation and similar emerging technologies are concern areas because of the speed at which they are becoming visible, and in terms of adoption the question is whether the banks are really ready for them.
- Needs assessment, evaluation of solution(s) and scoping are challenges across all entities and many requirements are found to be biased or ‘purposely’ vague. For example, there has been personal experience where it was found that the BFSI entity had a big challenge in defining their PCI or compliance scope. Also, (usually) the consultant “helps” define the scope after taking up the contract.
- Data breach / incident notification – it will be good to establish a centrally hosted solution through which the event can be reported, and is automatically routed to regulatory authorities, LEA and any other appropriate authorities. Every statutory body (NCIIPC, RBI, SEBI, CERT, IDRBT, BSE, NSE etc.) has a different template for reporting incidents and this is another big overhead.
- The information in the same database can also feed a redressal mechanism. Loss reimbursement in the event of a fraud is not done for debit cards, but the banks will reverse or reimburse credit card losses. Insurance is a key factor and this must be purchased as a risk remediation measure.
- RBI guideline has asked for the development of a Cyber Security Policy but has not defined “cyber security” as distinct from “information security”.
- UIDAI has appointed 350 AUAs which have to be audited by CERT-In auditors. Around 50% of audits show that biometrics were being stored in contravention of the UIDAI guidelines. The prescribed UIDAI policies are good but enforcement is lax.
- An observation about Indian audit scenario – we “adjust” a lot. This may be in deference to the reputation of the entity, the stature or the friendliness of the auditee and such issues. Localized (India specific) standards and guidelines are the need of the day for security audits.
- Banks have a challenge on hand about defining CII and have been asked by the authorities to come up with their list as they know their business best, whereas banks say that the authority should do this as they have best knowledge about CII.
- ATM frauds and vulnerabilities (physical and virtual) are happening and need an in-depth assessment. Presently the responsibility vests with Information Security teams and this needs to be re-examined. We should think about an ATM CpC meeting.
Delhi Cyber Security Meet 06 May (Chai pe Charcha)
Meet held on 06 May 2017 at CCD – The Square, Janpath, New Delhi
31 registered and 14 attended. The following (in alphabetical order):
Alok Kumar, Amit Singh Nagi, Ankur Prajapati, Deep Shankar Yadav, Dinesh Bareja, Inder Barara, Krishna Agarwal, Madhav Chablani, Naveen Yadav, Sahabuddin Siddiqui, Samir Dutt, Santosh Khadsare, Satyendra Verma, Vineet Kumar, Vivek.
The topic for the day was CII with focus on BFSI and discussions brought forth the following challenges / issues / threats / risks:
- One threat scenario was that if someone wants to bring down the financial system then look at the electronic fund transfer and cheque truncation system. The scanning device can be configured to inject malware into the image(s) of the cheques that are being transmitted every day, thus spreading the malware across the system. The moot question is whether the scanners are hardware tested or audited and the same question applies to hardware used in other critical functional areas which constitutes the financial backbone of the country.
- In the case of hardware, entities should create a standard / guideline for hardware testing and that new hardware should be tested when purchased. The international standard EAL 1 to 7 can be considered and regulator(s) should work to have this in place. There is also the need to test implemented policies as these are usually only skill tested.
- Policies and procedures should identify and empower the person(s) who can declare an emergency and have the power or understanding to take responsibility and take a final call.
- While a number of reports and statements have been issued by the regulators that Information Sharing is happening in the financial sector, there should be some additional activities for public participation – crowdsource ideas for security; crowdsource solutions to problem(s); crowdsource flaws / weaknesses / vulnerabilities since many researchers may not submit findings for fear of getting a negative reaction.
- There are vulnerabilities all over the banking system and some are over a year old yet remain unpatched in spite of being shared with the concerned banks.
- It stands that BFSI entities should show empathy for researchers who find and responsibly disclose bugs / vulnerabilities / weaknesses.
- It is essential to support and promote indigenous companies who offer services and products.
- Has NCIIPC categorized and segregated CII in the BFSI sector, or are they dependent on the BFSI or MoFA? It seems NCIIPC had asked MOD to identify CII in the defense sector. This needs to be done by both entities together.
- From the experience of the members present, it is shared that most banks lack Incident Response skills / capability and that a number have outsourced security. It is essential for the BFSI entity to have IR capability and that it be tested.
- Clarity of rules, regulations and policies.
- Data destruction is another important area and no one seems to be doing this properly. Plus, usually, there is no policy or procedure and process for the same. Some entities may be handing over the assets to e-waste companies or trading the old hardware for new, and there is no check on this. Lifecycle management of tape drives and other computing assets should be in place, with defined policies for the same, like an Obsolescence Policy.
- There is a huge proliferation of smartphones and it is growing exponentially. With smartphones come apps, and there is no check or regulation on app development / quality or security. This makes the app a very weak link which can be planted with a backdoor and can then spy and send your data to criminals. Apps are being created by private and government entities indiscriminately and, during installation, they ask for all sorts of permissions which are not at all related to their function. There should be a national policy for regulating app development. It was shared that MI phones are copying all data and transaction information (in short, everything) onto servers in Hong Kong / Singapore and this needs to be tested. The Govt should create awareness among developers and users, and regulators can mandate the need to ensure ethical and safe apps.
- Audit and assurance is (mostly) checklist oriented and this mindset among entities should change which has to be brought about by a strict regulator.
- BFSI entities / regulators should do a hackathon on the lines of the one that has been announced by the Election Commission – and responsible disclosure should be indemnified. There is also the thought that a process can be initiated by NCIIPC / RBI or Cyber Cells or any responsible NGO to recognize security researchers and that person will stand indemnified if he/she reports an issue to the BFSI entity directly or indirectly. The recognition process can include a training and test on ethics and more.
- BFSI entities show a disdain for empathy with customers through public communication and all (or any) communication is self-centered and oriented to showing off their “concern” for customers. Public communication should be proactive and should share good and bad news honestly and not make inane non-meaningful noises.
- Is there a standard for the fingerprint reader? Is this tested? The BHIM Aadhaar app collects your fingerprints and seems to be uploading this to a Chinese server.
- There is a concern about data storage and BFSI entities should check where their data resides and how secure the storage is.
- What are the legal standards / regulatory requirements for data storage?
Mumbai Cyber Security Meet 16 Apr (Chai pe Charcha)
16th April at 09.30 am @ CCD, BKC
The following attended (in alphabetical order): Ajay Bhayani; Dinesh Bareja; Jayant Gupta; Lalit Vazirani; Narendra; Porus Mehta; Smith Gonsalves; Suresh Menon; Tabish; Venkat G.
Minutes of the Meeting (attendees may please add / edit in case of any error):
The objective was to carry on the meeting from Delhi focusing on Critical Information Infrastructure, but on the BFSI sector.
– Minutes of the meeting held in Delhi on 8th were discussed and during the same a few interesting nuggets (pleasant news) regarding the Oil and Gas sector were shared.
– Petroleum ministry has initiated discussions on breach notification and BPCL has been given responsibility of the process. They have formed three groups (Pipeline, Exploration, and Refining) and are closely working with NCIIPC. The activities include the formation of a sectoral CERT which is being spearheaded by HP. A weekly IOC is sent out to all oil companies that are part of a forum of petro companies that has been created.
The next focus sector for our discussions will be Oil & Gas and these moves can be discussed in more detail and can be examples to follow for other sectors.
– The discussions moved to the BFSI sector and a number of issues came up. While the regulators seem to be active, the question continued on the skill of regulators, and how the regulator enforces (or will enforce) standards. The skill issue has to be addressed even in the consulting firms because even if we consider CERT empaneled companies they may not have the requisite professionals on their rolls (as may be claimed).
One observation is that redressal mechanisms are poor in the event of an incident (whether the incident affected a customer or the institution) and need urgent attention, in view of the aggressive push to digital payments.
Cooperative banks may be weak links as they are not really given the same level of consideration by RBI as the nationalized or big banks. These banks may have to outsource all security operations as they do not have in-house skills for the same (or the will to allocate funds and resources).
The discussion moved to Aadhaar in view of the BHIM Aadhaar app announced by the PM the day earlier. Aadhaar compliance requirements were recently undermined by Axis Bank and vendors and this is an area of concern since UID is being rolled out for many other services, which will give rise to numerous vendors and their endpoints. Risks of data misuse, non-compliance with UIDAI mandates, fraud etc. must be looked at closely and there is the need for closer and stricter monitoring. Based on the knowledge available with the group members, a few questions and observations came up: fingerprints can be copied and reused; while Aadhaar registration can be enabled / disabled there is low awareness of the method for the same and this should be addressed; fingerprint readers should ask for random prints.
In conclusion, the following risks were identified:
- Mobile devices that hold the UID application should be passcode-enabled and this should not be the same for both.
- Data leakage through outsource partners.
- Audits are usually checklist based and this should be changed to be more effective.
- Regulator has to be strong to be able to enforce the mandated guidelines and standards.
- Same password being used for wallet.
- ATMs are running Windows XP that may not be hardened; even if the OS is not changed, the XP installations should be hardened.
- Reconciliation delays have caused frauds and this process has to be changed to be done with every transaction.
- Awareness levels have to be raised at all levels – consumer, users in the organizations, functional and management teams.
- Bug bounty programs are not supported by any of the institutions and this results in their being targets for the curious and malicious players.
- Non-standardization of the e-wallets that are proliferating in the digital space in the country.

(My personal observation: we, as a group, had many gaps in our knowledge about the working of e-wallets, BFSI and UIDAI, and it would have been nice to have the presence of some members from the BFSI sector. It is an open forum and anyone who can contribute SHOULD attend. Firstly, no sensitive or confidential information is shared by anyone. Secondly, even if something comes up it does not move out of the meeting. One does hope to see some sectoral heads!)
Delhi Cyber Security Meet (Chai pe Charcha)
8th April at 10 am @ CCD The Square, Janpath
The following attended:
1. Inder B
3. Dinesh B
5. Anuj Agarwal
6. Ranjit Kishore
8. Deep Shankar
9. Santosh Khadsare
Over 2 hours we discussed Critical Information Infrastructure, NCIIPC and various institutions in the country. Few takeaways –
Each presented his/her take on the current situation in CI protection and NCIIPC. Based on point of view and discussions, a few takeaways were identified –
– while sectors have been identified as CII, within them two have been notified. It will be advisable to have a sector-specific strategy as each has different needs based on the risk/threat they carry.
– the government agencies continue to create frameworks, guidelines and advisories but seem to overlook the need to have a strong foundation.
— why not secure at the ground level through change in education, and a close look at telecom and infra security.
— in addition the least that can be done is to mandate that old routers be changed and old OS versions be scrapped.
– telecom must be looked at because the country's infra and growth depend on having dependable communication channels.
… if sectors have been notified as CII then within the sector identify critical areas
… why not secure at the foundation level
… telecom and infra
… when we say each ministry will identify // we are leaving it to chance
– There is a need to have a sectoral security strategy and approved + tested hardware and software.
– Seize the moment and entrepreneurs should board the startup bandwagon and take advantage of the various government initiatives.
– A brief discussion was also held about the NEED to have a formal industry body (something close to my personal heart) but we quickly came back to the main issue for the day.
These points may form the basis of discussion in the next meeting and over two or more such meetings a formal communication can be drafted for presentation to NCIIPC/NTRO as industry suggestions.
Group members are welcome to add their PoV and I shall collate the inputs into a collective document which can be placed on the table during the next meeting. Actually not just ‘welcome’ – group members SHOULD add their PoV to make this discussion more valuable.