
Symantec brings the Cyber Readiness Challenge to Mumbai [DNA : Daily News & Analysis (India)]
[November 04, 2014]



(DNA: Daily News & Analysis (India), via Acquire Media NewsEdge)

Cyber attacks are rising worldwide and corporations are lagging behind when it comes to defending themselves. Symantec has therefore created the Cyber Readiness Challenge, in which networks are simulated and attacked to see how vulnerable companies actually are, allowing them to build solutions for these problems before they are exploited. In an interview with Mr. Tarun Kaura, Director - Technology Sales, India, Symantec, Krishna Bahirwani finds out the results of this event.

Q1. What does the Cyber Readiness Challenge (CRC) entail and how is it different from penetration testing?

Ans: CRC is an immersive, interactive 'capture the flag' competition that models scenarios based on the current threat landscape using realistic IT infrastructure. CRC is designed for many levels of technical skill and experience; it puts participants in the hacker's shoes to better understand their targets, technology and thought processes so they can ultimately protect their organization and themselves in an informed manner. CRC is much more than a penetration test. Symantec has crafted various scenarios that mirror real-life attacks, and for the Mumbai leg we have selected the coffee shop scenario. In this scenario, the targeted individual visits a coffee shop portal quite often and performs actions like downloading discount coupons. To reach this individual, the attacker activates the reconnaissance stage and manages to gain login credentials and card details from the vulnerable coffee shop portal. He can use this information to also obtain a log of his last 10 or 12 transactions, from where he may get access to his bank's network.



In a real-life situation, the hacker may not get all the information, as he would have to deal with multiple third parties, as opposed to CRC where the attacker gains all the information from the retailers (having a web presence) to a bank network.

Q2. How are you emulating the bank network?

Ans: The entire simulation for the CRC is done in the United States (US). The systems are connected to the US network, which is a controlled environment where Symantec has replicated the bank network, payment gateways and also the UI of the web portal. These connections are completely isolated, and such an environment is required for the set-up as the CRC needs to take into account the location bandwidth for 30 - 40 participants to access the same website for the challenge.

This creates a real-world situation, and we introduced an element of gaming where users capture the flag to cross to the next level. We have also designed the model and added a feature of hints; however, we see participants hesitant to use this feature as it comes at a cost of negative points.

Q3. How important is the aspect of gamification in the CRC?

Ans: We designed the CRC with an element of gaming so that this becomes a learning experience and not just another technical training, making it an interactive and engaging experience. The aim is to standardize the platform for IT professionals with diverse skill sets (such as managing policy frameworks, basic IT skills, specialized professionals for networking and operating), broadening the horizon; this model can be used for professionals even outside of just the employees managing the information security department.

Q4. How were the results of the CRC in Bangalore? How prepared was Bangalore in terms of cyber readiness?

Ans: Overall the session was quite good, especially because that was the first time executives from India were facing such a challenge. With the CRC in Bangalore, we concluded that professionals who were familiar with ethical hacking were comfortable with the challenge. Other professionals who had networking and operating systems skills had an edge over the other participants. Largely we saw that Bangalore has a diverse skill set; however, our aim was to give the participants the experience of behaving like a hacker. These professionals are conditioned to work in process-oriented environments, as against a hacker who is known to break all the rules and regulations. With reference to the CRC, it is designed in a manner that participants do not stop the moment they capture a flag. The scenarios are structured in a manner that the participants are encouraged to move to the next quotient, reflecting real-life scenarios.
Such a model thus bridges the gap in the participants' and the hackers' psyche.

Q5. How informed were the participants about advanced persistent threats (APT)?

Ans: The threat landscape is very dynamic and the kind of attacks we are seeing today are very prolonged. Professionals must update their skill sets to keep up as attacks become sophisticated. In APT, the attackers use a 5-step process for attacks: Reconnaissance, Incursion, Discovery, Capture, Exfiltration. These steps run for months and sometimes even for years in certain enterprises. As the threat landscape is dynamic, enterprises are challenged to cope with skill upgradation. The enterprises' IT team must have the knowledge of every element involved in this process, from endpoints to mobile. Mobility and especially BYOD have changed everything. On a PC the admin control can be with the organization; however, in the case of a mobile device, the owner of the device himself is the admin. Not only mobility, even cloud is becoming increasingly disruptive, and at a pace faster than its IT team's technical knowledge.

Q6. Do you feel enterprises are prioritizing investments for deployment of hardware and software as opposed to upgrading the skill sets of their IT team?

Ans: The shift to deploying newer technology products/services was a result of the organizations' perimeter increasing. Initially, the IT teams had to deal with a closed network and a limited number of user profiles, but today there are examples like the e-commerce burst, BYOD etc. The IT team currently possesses basic knowledge of the newer tools, as they are the starting point to cope with the newer perimeters and vectors. However, having in-depth knowledge of everything is tough, thus requiring experts for the various elements that make up the IT infrastructure in order to get it right the first time.

Q7. How good do you think are the international standards of security?
Ans: One of the biggest reasons for these certifications is to comply with the regulations. These too are dynamic and they will keep evolving, keeping both the business risk and the IT risk in perspective. The cyber attacker rarely considers the compliance and regulations of an organization before attacking. Also, amongst the organizations, audits are periodic in nature as opposed to regular audits. Once a professional or an organization has received the certification, they will wait for it to expire and then get it renewed. They are followed just as compliance; however, we feel they should be done more often to address the changing nature of our business.


With public or private clouds, users are self-provisioning it. Thus it is difficult to control these functions, as IT is unaware of how it has been used and maintained. Thus ISOs become important; however, doing it regularly will help the organizations cope with the newer challenges better.

Q8. Is BYOD a part of the CRC?

Ans: Unfortunately, for the Mumbai CRC, BYOD is not a scenario as we would have to get multiple smartphones. However, we can look at developing such a scenario.

Q9. Explain the exfiltration stage.

Ans: Exfiltration is the last stage of an attack. This is the phase where the attacker manages to extract data and take it out of the system undetected. Post receiving access to the data, the attacker will park the data someplace for some time. Entering a network undetected is still a possibility; however, transferring data to an outside source is a difficult task as it can be easily detected.

RECONNAISSANCE: The attacker leverages information from a variety of factors to understand his target.

INCURSION: Attackers break into the network by using social engineering to deliver targeted malware to vulnerable systems and people.

DISCOVERY: Once in, the attackers stay "low and slow" to avoid detection. They then map the organization's defenses from the inside, create a battle plan and deploy multiple parallel kill chains to ensure success.

CAPTURE: Attackers access unprotected systems and capture information over an extended period. They may also install malware to secretly acquire data or disrupt operations.

EXFILTRATION: Captured information is sent back to the attack team's home base for analysis and further exploitation, fraud - or worse.
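The interview's point that moving data out of a network "can be easily detected" (the exfiltration answer above) and the "low and slow" behaviour in the DISCOVERY stage both come down to what a defender can see in outbound flow records. The following is an added example, not code from the article or from Symantec's CRC: it runs two simple detection heuristics over constructed flow records (day, hour, source, destination, bytes). The internal address range 10.0.0.0/8, the external addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, the 10x spike factor and the six-distinct-hours trickle threshold are all assumptions chosen for the illustration.

```python
"""Two defender-side heuristics for spotting data exfiltration in flow records.

1. Volume spike: a host sends far more bytes to external destinations in one
   day than its own average on earlier days.
2. Low and slow: a host makes small uploads to the same external destination
   in many distinct hours of a day (a trickle that never trips a volume rule).

All data below is constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def build_sample_flows():
    """Constructed flow records: (day, hour, src, dst, bytes_out).

    Days 1-3 are quiet. Day 4 contains one 900 MB night-time upload from
    10.0.0.5 and a 30 KB upload every two hours from 10.0.0.9.
    """
    flows = []
    for day in (1, 2, 3, 4):
        for hour in (9, 12, 15):
            flows.append((day, hour, "10.0.0.5", "10.0.0.200", 2_000_000))   # internal file server, ignored
            flows.append((day, hour, "10.0.0.5", "203.0.113.10", 50_000))    # ordinary web use
            flows.append((day, hour, "10.0.0.9", "203.0.113.10", 40_000))
    flows.append((4, 22, "10.0.0.5", "203.0.113.7", 900_000_000))            # bulk upload at 22:00
    for hour in range(0, 24, 2):
        flows.append((4, hour, "10.0.0.9", "198.51.100.2", 30_000))          # 12 small uploads
    return flows


SAMPLE_FLOWS = build_sample_flows()


def is_external(ip):
    """True when the address lies outside every internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_by_host_day(flows):
    """Total bytes each source host sent to external destinations, per day."""
    totals = defaultdict(int)
    for day, _hour, src, dst, nbytes in flows:
        if is_external(dst):
            totals[(src, day)] += nbytes
    return totals


def volume_spikes(flows, target_day, factor=10.0):
    """Hosts whose external outbound bytes on target_day exceed `factor`
    times their mean daily outbound on earlier days. Returns {host: ratio}."""
    totals = outbound_by_host_day(flows)
    history = defaultdict(list)
    for (src, day), nbytes in totals.items():
        if day < target_day:
            history[src].append(nbytes)
    alerts = {}
    for (src, day), nbytes in totals.items():
        if day != target_day or not history[src]:
            continue  # no baseline yet for this host
        mean = sum(history[src]) / len(history[src])
        if nbytes > factor * mean:
            alerts[src] = round(nbytes / mean, 1)
    return alerts


def low_and_slow(flows, target_day, min_hours=6, max_bytes=100_000):
    """(src, dst) pairs that made small external uploads (<= max_bytes) in at
    least `min_hours` distinct hours of target_day. Returns {pair: hour count}."""
    hours_seen = defaultdict(set)
    for day, hour, src, dst, nbytes in flows:
        if day == target_day and is_external(dst) and nbytes <= max_bytes:
            hours_seen[(src, dst)].add(hour)
    return {pair: len(h) for pair, h in hours_seen.items() if len(h) >= min_hours}


if __name__ == "__main__":
    print("volume spikes on day 4:", volume_spikes(SAMPLE_FLOWS, 4))
    print("low-and-slow pairs on day 4:", low_and_slow(SAMPLE_FLOWS, 4))
```

On the constructed data the volume rule flags only 10.0.0.5 (about 6000 times its usual daily outbound), while 10.0.0.9 stays under the 10x factor and is caught instead by the hourly-trickle rule against 198.51.100.2. In practice the baseline would be built from weeks of flow or proxy logs rather than three days, and the thresholds tuned per host role, but the two views complement each other in exactly the way the five-stage description suggests: bulk transfers stand out by volume, patient ones by regularity.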

Credit: Krishna Bahirwani. (c) 2014 Diligent Media Corporation Ltd. All rights reserved.
