DSCN7638.JPG

The VIF invited Dr Prasanna Mulgaonkar, CEO, ‘Cloud Raxak’, to an interactive discussion on measures to deal with cyber-security challenges in cyber space, particularly in context to India. The important points have been highlighted in subsequent paragraphs.

Referring to the recent events of airstrikes conducted by the Indian Air Force at terror camps located in Pakistan, Dr Mulgaonkar put forward the significant role of the communication infrastructure that collects all the required data for the operation and deliver it in an actionable way. Today, technology is inter-woven in our daily routine activities, from fake news to operating home appliances, and to online financial transactions. The cyber-space comes with both, good and bad sides of it. When we ignore the cyber-security aspects in our daily activities of cyber-space, we tend to play a losing game. In cyber-space, we are ‘a step’ behind from an attack if we wait for a cyber-attack to happen or a new malware to execute its functionality and then apply the protective measures on it. There is a need of everyone— users, policymakers, and technologists, to work together for a model of ‘proactive’ measures. Such proactive measures are a new way of an approach to a cyber-security problem and shall result in help for evolving security ideas in whatever we do and in a way that even a non-security expert gets security in cyberspace. In the scenario of cloud storage particularly, the proactive security measures are critical.

Security is a consistent process. In general, locking a front door once in a while or thrice in a week is not an effective security measure until it becomes a regular practice whenever we leave the house. Similarly, in cyber-space, there are set of things which must be consistently done so as to raise the bar of the security. Today, along with laptops, smart phones, and tablets, the entire back-end systems must have a consistent backup of security measures. Such consistency is mandatory in managing the configurations of our back-end systems to secure the financial transactions, databases, data and intelligence which is in our systems and hence is critical. In recent times, the virtualisation of cyber-space in the form of VMWare, Cloud storage, increases the magnitude of the assets that we need to manage in proper manner. In past, an organisation required only few servers to complete tasks, but the phenomenon of virtualisation has led to formation of thousands of servers to complete the same tasks. Rapid development in server technology introduced the ‘public cloud’ storage, and now the concept of server-less computing, Artificial Intelligence (AI) and Machine Learning (ML) has increased the level of server management that an organisation has to deal with. ‘Tens of thousands’ of configurations which if mismanaged, may cause harm or could be exploit by an attacker.

Dr Mulgaonkar emphasised on the point of misconfiguration in servers, and shared an incident as an example where in the span of merely two hours, the cyber-security breach in the network systems of the Cosmos Bank had changed the parameters of their network infrastructure which further resulted to the loss of USD 11m worth of financial transactions. A misconfigured device in a massive infrastructure, could lead to a significant adverse impact on the whole system. In a similar scenario, approximately six months before the cybersecurity breach at the Cosmos Bank, the systems of US-based National Bank of Blacksburg were hit with a cyber-attack. Therefore, as a responsible users, whether in an industry or any sphere, we must learn from our mistakes, especially in cyberspace. We must learn to adhere to the security practices to make a difference in our usability of cyber technologies.

A locked door but open windows of a house does not constitute a best security measure. Therefore, along with the consistency in the security, there is a need of a comprehensiveness. As per the guidelines of the US’ National Security Agency (NSA), “every controllable parameter in the system should be in a non-state. Never put anything in your system that has ‘I don’t care’ against any of the system’s parameter. Because, if you do not care, the bad guys will”. In most comprehensive and consistent way, we must control the complexity of the parameters of our infrastructure. On an average, a backup server system consist of 300-400 configurations or settings. Around 50 percent of those settings on that particular backup server system do not comply with the worldwide acceptable standards or recommendations including CIS, ISO27000. Most of the ‘Fintech’ organisations jumpstart their business by buying such backup servers and implement the AI measures, and threat analysis, but omit to configure the servers. Why these Fintech organisations fail to do the proper configurations? Because, comprehensively it is very expensive to configure a server manually. According to the statistics, everyday 10 million servers are being added into the cloud with average life of 10 days to a month. Such dynamic is worrisome for technical security experts and must be analysed for the risk we are expose to in this dynamic cyber environment.

To achieve security or a sense of security, there is need to evolve the policies, thinking, automatically checking and doing the configurations that are required, through automation, with the comprehensive set of controls in a regular and consistent manner. For everyone who is in the cyber-environment, there is a need to understand the security mechanism. There are automation mechanism for checking and fixing any configuration errors in a system on the basis of specific security procedures in an organisation. Such a practice is cost effective by almost 80-85 percent, and will also deliver the notion of residual risk in monetary terms.

Conclusively, the three Cs — Consistency, Comprehensiveness, and Continuous - as mentioned by Dr Mulgaonkar would aid an organisation through better barriers and strengthen its resilience through exhaustive security measurements. There has been 424 percent growth over the last year of major cyber-security incidents due to misconfiguration of the systems. There is an urgent need of automated security practices to be implemented, because every action taken by an individual, government or military force, has a cyber component in it. Someone out there is ready to disrupt the cyber-space to cause a tremendous but short-term turmoil. For example, Fake news do not cause a direct physical harm but changes the perception of an individual regarding a particular scenario. This irregularity can be contained by having a consistent cyber-security paradigm, and training everyone to think about it.

Security is always a collective effort. We must have regulations which involves people to collaborate in this and collectively raise the bar of cyber-security. Our computing eco-system is only the weakest link and bad guys have to find one point of entrance to it. We must work together to this challenge and strengthen this weakest link.