You have dealt with some of the biggest data breaches. Where does India rank in your investigations?
We have handled five of the world's seven largest data compromises on record. We run a response programme for such breaches where people call us in a real-time emergency. India is the chief destination for such calls.
India will only figure in the top 20 in terms of where demand comes from, but India is number three in terms of investigations, after the US and Canada.
One needs to understand that this does not show a lack of security or a criminal bent of mind here. This is representative of the extent to which tech companies, call centres, back offices, content developers and hosting companies have set up base here. These tech and back office support companies comply not only with their own security standards, but also with their clients'.
How can offshoring companies reduce these vulnerabilities?
During our investigations in India, we have seen that companies are very well armed against security breaches from the internet. They are also well equipped to handle breaches from employees. But when it comes to their business partners and contractors, they seem to have a free hand to do whatever they want.
More problems are coming from business partners and contractors rather than employees. For instance, a company relies on third parties for technical support for an old mainframe or AS/400. These contractors are given remote access to their data centre or servers. The real problem is the lack of security around third parties. While we watch our employees closely, our business partner has free access. Every time we give access to a contractor, we should ask ourselves if it is easy for this contractor to circumvent security on this network. A big hotel chain with thousands of properties reported breaches in about half of its properties. We investigated the breaches individually and we tied it all to a vendor. It came from the reservation system, which was connected to the sales system elsewhere in the hotel. The same vendor provided level 2 support too.
How can companies assess the likelihood of being attacked?
Criminals seem to be selecting high-value targets and constructing elaborate attacks designed to breach their defences. Targeted attacks are at a five-year high and accounted for 90% of the total records compromised in 2008.
Only 14% of the roughly 230 million records exposed among breaches we investigated from 2004 to 2007 were the result of fully targeted attacks. Financial services organisations are often singled out by criminals due to the large amount of customer data they process, transmit and store. One of the fundamental self-assessments every organisation should undertake is to determine whether we are a target of choice or a target of opportunity. Expect determined, sophisticated attacks if you are the target of choice.
Most security experts suggest companies should protect the weakest links. Where are the gaps in security today?
Companies need to understand that security is not just about cables and devices but also data. Till they face a data breach, most companies are focussed on network security and the devices that plug into it.
A lot of people believe that data is at threat because laptops and USB sticks are lost all the time. However, it is central digital repositories that are being targeted by organised criminals. In fact, many times companies are not even aware of all the data that they have. They just know the type of data, but not where it is and what privileges go with it. If you ask five managers in a company what the most sensitive data is, you will get five different answers. I would say, if you don't need a set of data, don't store it.
What are the biggest challenges to security investigations today?
One of our biggest focus areas is to push for arrest and prosecution. As forensics investigators, we can see commonalities in our investigations that the general public really doesn't have much optics into. A lot of people don't see that investigations come in to us in closely related groupings. If several companies in the same industry call us at more or less the same time about a similar problem, then we realise that they are suffering a similar breach and look for commonalities.
Criminals are no longer using hijacked servers, proxies etc. to avoid leaving a footprint, but are compromising individuals and business partners like the call centre or back office operations of a bank. The cutting edge of investigations today is to identify evidence of these types of crimes and coordinate with law enforcement agencies in different countries to ensure arrest and prosecution before they can attack more companies. We are not just using traditional investigative tools, but we bring in data from our underground monitoring and stolen online data tracking and thus open a new front in investigations.