
“Security patching should be a part of a system’s basic maintenance procedure”

Ashish Thapar talks about his journey, cybersecurity trends across the world, ransomware attacks, attacks against the health care sector, and more.

A well-rounded and seasoned leader in the field of IT & Information Security, Ashish Thapar is the Vice President and Head for Security Consulting Services – Asia Pacific, NTT Ltd. Prior to this role, he was responsible for the business and portfolio management of security professional services including Incident Response, Digital Forensics, Threat Intelligence, Security Strategy, T&V, GRC, PCI team within the APAC region while working for several top global organizations. Thapar has a long history of serving countless high-profile clients across multiple business verticals, assisting them with their cybersecurity strategy, governance, and risk management needs.

In an exclusive interview with Augustin Kurian from CISO MAG, Thapar talks about his journey, cybersecurity trends across the world, ransomware attacks, attacks against the health care sector, and more.

In a career spanning two decades, you have held several key security roles. Were you a part of security when the security sector was at a nascent stage in India or the APJ region? What was the journey like? How far has the region and its adoption of cybersecurity evolved?

Yes, it has been almost two decades of learning, practicing, and advising in the cybersecurity field for me and I can say that the journey has been exhilarating, challenging, and very rewarding. Specifically, with respect to India, I have seen a tremendous amount of positive change. I have seen a lot of difference in the way Indian companies used to see security many years ago compared to how they treat security in the present times. That whole compliance mindset to ensure a tick-in-the-box and a single-track product/box-centric approach have thankfully transitioned into a more comprehensive one focusing on all three aspects (i.e. people, process, and technology) while elevating the importance of cybersecurity as a business enabler. Cybersecurity is now not a function that used to struggle to get funding and support from the management; instead, it now enjoys board-level visibility in several companies.

In my opinion, India’s story is not very different from many other regions, apart from some places where data security and privacy regimes have been more mature from a legal/regulatory/industry standpoint. The RBI in particular should be given due credit as they have done a tremendous amount of work in driving cybersecurity maturity in the financial sector. As a practitioner in the field, I can say that the kind of services we used to engage in earlier were typical vulnerability assessment, penetration testing, and some assessment/certifications. Today we support our customers on threat hunting, advanced SOC services, cyber risk monitoring, red/purple teaming exercises, incident response readiness assessments, tabletop testing, and data breach investigations. The advancements in digital adoption, organizational maturity, cybersecurity service offerings, and the changes in the legal/regulatory landscape that have taken place in the last decade have been phenomenal. Today we have many countries that have enacted stringent data security or privacy laws/regulations not only in the APJ region but globally.

The latest Data Breach Investigation Report (DBIR) suggests a rise in attacks motivated by financial gain, up from 71% in 2019 to 86% in 2020. With the world now dealing with the COVID-19 situation, do you feel the trend will only move upward? What does that mean for the security community?

DBIR is an annual publication from Verizon with incidents and breach data from 81 contributors globally. While the DBIR 2020 is based on a 2019 dataset, we’ve already started seeing in recent months that the phishing attacks are leveraging the COVID-19 chaos and have increased significantly. With reference to the DBIR report from a financial gain perspective, we can say that activities like ransomware, social attacks, malware were already on the rise in the past few years. We are observing a mix of trends with both direct and indirect financial motive gains. Currently this year we see ransomware doubling up since January. We do expect financial motives to move upwards or hover around the same level. Another important insight to look at is the espionage-related cases, which are very specific/targeted and are often under-reported because most of the attacks are covert and complex in nature. Due to the sheer number, most of the time, gullible users and companies are targeted with cyber extortion, ransomware, even cardholder data breaches. Looking at the current social-distancing scenario a lot of countries will be moving very swiftly towards digital currency, China being the first one to launch such state-run digital currency. With this development and forced digital shift for many companies in the unplanned work-from-home situation, we can expect the number of cybercrimes to increase as everything will start moving towards a digital world. The data today can live anywhere, in an end-user system, data center servers, or in the cloud. Hence, the cybersecurity community should be careful about implementing the data-centric perspective and not only be focused on data center security.

What else were the biggest takeaways from the latest DBIR? Did any trends from the report come as a shock to you?

I would not say shock, but it did come as a surprise as “Errors” definitely win the award for best supporting “action”— refer to the schema of VERIS (Vocabulary for Risk and Incident Sharing) on GitHub — this year. They are now equally as common as social breaches and more common than malware and are truly ubiquitous across all industries. Only hacking remains higher, and that is due to credential theft and use, which we have already touched upon. Misconfiguration errors have been increasing. This can be, in large part, associated with internet-exposed storage discovered by security researchers and unrelated third parties. While publishing errors appear to be decreasing, we wouldn’t be surprised if this simply means that errors formerly attributed to publishing a private document on an organization’s infrastructure accidentally now get labeled “Misconfiguration” because the system admin set the storage to the public in the first place.

In the North American region, stolen credentials account for over 79% of hacking breaches with 33% of breaches being associated with either phishing or pretexting. Why do you think industries are still not evolved to handle this common threat vector?

I wouldn’t say that this is a crisis with every industry or company in North America, but yes, it is the problem with the laggards. The laggards are still dependent on single authentication, using passwords and usernames to authenticate their users, which is just a basic hygiene measure. We need to understand that just using credentials is not going to sufficiently secure your critical systems or data. Also, some of the industries are still not regulated and the need to adopt stringent security controls is not felt by several companies. Having said that, I think the onset of global legislations like the GDPR and other data security and privacy mandates have started to make a difference.

DBIR also stressed that the ongoing patching has been successful against a lot of vectors with fewer than one in 20 breaches exploiting vulnerabilities. Should patching be the part that the industry should focus on? What else can be improved?

Security patching should be a part of a system’s basic maintenance procedure as there are numerous amounts of vulnerabilities that get disclosed every week. Patching helps in protecting where you are completely exposed against known vulnerabilities. Hence, patching should be a major focus and it should be done on a timely basis as part of regular maintenance of a system/platform. But remember, patching would only help where the vulnerabilities are known, and the patches are available. The next level of maturity comes when you start limiting your attack surface by disabling services or features that are not required, disabling users that are not needed, and hardening systems with best-practice security benchmarks.

The focus would be the CIS Critical Security Controls (CSC). Here are the top controls that our DBIR data suggests will be worthwhile for most organizations:

  • Continuous Vulnerability Management (CSC 3): Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfigurations.
  • Secure Configurations (CSC 5, CSC 11): Ensure and verify that systems are configured with only the services and access needed to achieve their function.
  • Email and Web Browser Protection (CSC 7): Lock down browsers and email clients to give your users a fighting chance when facing the Wild West that we call the internet.
  • Limitation and Control of Network Ports, Protocols, and Services (CSC 9): Understand what services and ports should be exposed on your systems, and limit access to those.
  • Boundary Protection (CSC 12): Go beyond firewalls to consider things like network monitoring, proxies, and multifactor authentication.
  • Data Protection (CSC 13): Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data, and limiting access to authorized cloud and email providers.
  • Account Monitoring (CSC 16): Lock down user accounts across the organization to keep bad guys from using stolen credentials. The use of multifactor authentication also fits in this category.
  • Implement a Security Awareness and Training Program (CSC 17): Educate your users on malicious attackers and on accidental breaches.

The attacks on the cloud continue. Now, small and medium businesses are becoming the biggest targets of the recent cloud attacks. How can you empower small and medium businesses against cyberattacks?

There is an inherent problem seen in the way SMBs handle cybersecurity. They do not have the same level of management support and funding that you get to see in large organizations and if the SMB belongs to one of the unregulated sectors, then even the worst scenario can be expected. From that perspective, the SMBs should at least follow the 80/20 rule, where 80% of the protection can be built with just 20% of the safeguards and with minimal financial investments. These safeguards can be spread across the three key focus areas, namely protect, detect, and respond. SMBs can also look at adopting “security by design,” which may not require very expensive technology but can surely leverage inherent procedural/governance security controls. Simple but effective countermeasures such as, but not limited to, implementing robust security policy, segregation of duty, least privilege principle controls, and not storing data that is not needed, can go a long way in securing an SMB. They can also look at other emerging avenues like cyber insurance where they can get some level of in-built security protection controls as part of the policy coverage. SMBs should also leverage government-provided cybersecurity expertise, public/private expertise and evaluate some of the niche open source security tools available in the market.

During ransomware attacks, there is an upward trend where hackers are targeting backups and even NAS devices. How can there be tighter airgap?

The aim of a ransomware attack is to destroy data and its copies so that the organization possessing the data gets crippled completely. Health care and educational institutions are increasingly being attacked with ransomware. The digital adoption in the health care sector that was meant to save human life is now under attack, which could be life-threatening as encrypting data belonging to patients in critical condition could hamper their timely treatment. There is a simple defense mechanism to such attacks. The first obviously being, implementing the CIS CSC and the second is to actually make sure that you have very robust backup and disaster management strategies in line with your recovery time objective and recovery point objectives. Thirdly, make sure that the ‘write’ access to your file servers and NAS storage locations is not open to everyone and is marked “read-only” as per the strict least privilege principle. Lastly, segregation of network is important to make sure that you aren’t operating in a wide-open playground and that lateral movement of any threat is restricted to some extent.

With the COVID-19 situation upon the world, there is an alarming amount of attacks on the health care sector. How can we change this trend? Because at the end of the day, we need our hospitals to be safe.

We see that the health care sector is increasingly coming under attack. As per DBIR 2020, Miscellaneous Errors, Web Applications, and Phishing or Business Email Compromises represent 72% of breaches in the health care sector. The majority of the data under attack in the health care sector is personal data followed by medical data and credentials. Unless you really protect data at its core, no matter how many network-level protection or endpoint-level protections you put in, it won’t really keep you secured for too long. Further, the organizations must conduct a proper risk assessment to prioritize their investments and focus on the issues that matter the most — and accordingly mitigate the risk or bring the risk to an acceptable level. I would also recommend that health care organizations follow the defense-in-depth approach to safeguard their critical systems and data. Our research shows that increasing the number of layered controls — in essence, the number of steps that an adversary has to clear — could be very effective in decreasing the probability of occurrence of a data breach.

This interview first appeared in the August 2020 issue of CISO MAG while Ashish Thapar was at Verizon. He is currently the Vice President and Head for Security Consulting Services, Asia Pacific at NTT Ltd.



About the Interviewer

Augustin Kurian is the Assistant Editor of CISO MAG. He writes interviews and features.