
How Asian organisations can better protect their ‘crown jewels’ from attack: IBM interview

AvantiKumar | Aug. 14, 2015
Computerworld Malaysia asks IBM Security's Global Director George Tubin to break out some of the latest best infosecurity practices.

Computerworld Malaysia recently asked IBM Security's global marketing program director George Tubin what organisations in Malaysia and the Asian region can do to better protect their assets.

Based in the United States, he is responsible for strategic planning and execution of Trusteer web fraud prevention and enterprise security solutions.  

With more than 25 years' experience in the banking and financial services industry, his expertise includes consumer online and mobile banking, online fraud and identity theft prevention, and enterprise fraud management strategies.



Photo - George Tubin, IBM Security Global Marketing Program Director.


What are the biggest security threats in Asia and which of Asia's industries / sectors are most at risk?

Point-of-sale malware, such as BlackPOS and Backoff, and ransomware such as Cryptowall and Cryptolocker, are becoming big threats worldwide because of their effectiveness in compromising vulnerable targets. Industries at risk are retail and financial services. Last year, companies spent US$491 billion dealing with security issues and data breaches in 2014.

Some companies conduct annual cybersecurity training as a reminder on safe security practices. What more can companies do to instil greater understanding of the importance of security among employees?

Companies should consider developing a closed-loop process such as an exam or certification for their staff to ensure that they understand the importance of safe cybersecurity practices.
Apart from annual certification, other activities a company can engage in are plentiful. They range from roadshows, bulletins, security day and role-play of cyber-threats.

Could you trace the recent history of some of the specific cybersecurity concerns facing enterprises?

2014 was a banner year for cybersecurity as malware, data breaches and hacking made front-page news worldwide. Among the worst hit was a major American home improvement retailer whose point of sale across 2000 stores was compromised, exposing over 55 million payment records and 50 million email addresses.

In Malaysia, banks and government agencies also experienced cyber-attacks last year. Financial services, hospitals, manufacturers and retail companies were also targeted.

Our findings indicate that retailers experienced 3.2 percent more incidents compared to the previous year and the financial services industry remains the top target of hackers.

"Is my data safe?" is top on everyone's mind - for both businesses and consumers.

What has changed in recent years is that major vulnerabilities such as Heartbleed and Shellshock found lurking in well-known applications manifested when systems came under attack.

If 2012 and 2013 were dominated by malicious code and sustained probes, then 2014 was the year that unauthorised access incidents rocketed to the top. This accounted for more than 37 percent of the total incidents, almost doubling the 19 percent recorded the year before. Shellshock and Heartbleed were the game changers here.

Now these malware may be dormant for as long as 10 years but once exploited, they can leave virtually every industry vulnerable to serious threats, including the possibility of intruders gaining full remote access to critical systems.

What compounds the situation is that IT departments often find themselves unprepared to patch and mitigate these threats. This means the window for exploitation is wide open, leading to a "perfect storm" of zero-day attacks, system infiltration and subsequent data loss for many businesses.

To counter this, businesses need to have a dynamic and flexible security posture to handle these kinds of dramatic shifts.

The number of new threats outpaces security solutions, tools and patches. How can enterprises stay vigilant?

Enterprises can stay vigilant by constantly evaluating their security practices. Businesses can consider the following:
(a) How strong is my company's current security program? How does it compare with other companies in my industry?
(b) What can we do to stop advanced threats from infiltrating our systems?
(c) Are we doing everything we can to protect our most valuable data?
(d) How can we adopt new technologies, such as mobile and cloud, without compromising our security?
(e) Are we prepared to act in the event of a breach?

Following on from that: the concern nowadays is not about who has been hacked but who hasn't been hacked. Can you deal with examples of recent security threats in a particular industry, for example, the banking or e-commerce sector?

You are right and let me share the stark statistics -- Malaysia averaged 17.66 phishing sites per 1,000 host computers. This is three times higher than the global average of five per 1,000 host computers. Now, how does that happen? Let me share two true-life incidents.

The first was an attack on a financial company where the attackers created a distraction to divert attention before the actual attack. The attack was done stealthily by using a "low and slow" distributed denial-of-service attack tool to saturate the web servers. The method often goes undetected and does not set off any alarm bells because the web traffic appears legitimate. So by the time the problem is discovered, the attackers have already fraudulently transferred the money.

The company was robbed of millions from its accounts and its customers were unable to perform web transactions. Its brand reputation was so severely damaged that many of its customers no longer trusted the company and moved their assets elsewhere.

What lessons did this finance company learn from this incident?
1. Traditional defences such as firewalls and intrusion-prevention systems were no longer enough to protect against distributed denial-of-service attacks.
2. A managed web defence service can help prevent these attacks by routing traffic away from the company's infrastructure during an attack to keep its website running without disrupting operations.
3. An advanced malware solution should be able to prevent mass-distributed malware infections and detect legacy threats.

The second type of attack is more common. Hackers inject a "SQLninja" at its target to gain full administrator access to the database. Once the hackers have control over the system, they can do a number of things. They can deface the company's website. They can steal data and sell it to the highest bidder. They can also delete the master files and demand ransom to return the data.

What can an ordinary organisation learn from this?
1. Perform security stress tests regularly.
2. Conduct proper data validation on home-grown web-based applications that have access to back-end SQL databases.
3. Create redundant backups of all data in-house for quick recovery in case of a breach.
4. Subscribe to or create a robust disaster recovery plan to limit the financial loss.

Can you share three takeaways that businesses should keep in mind to stay safe?

Here are some tips on how companies can stay safe.
(1) Be vigilant. No company or business is too small for a hacker. Every type of business is open game and a target to hackers.
(2) Identify your crown jewels and ensure they are protected.
(3) Often security implementations are done in silos and this makes them unwieldy. Break the silos so that events can be easily correlated to spot vulnerabilities.

