Cybersecurity talent, Spending, Regulations To Mitigate IoT Risks
[et_pb_section admin_label=”Section” fullwidth=”on” specialty=”off” background_image=”https://www.newsoncompliance.com/wp-content/uploads/2017/11/1213_erl_CloudMgt_01r.jpg” transparent_background=”off” allow_player_pause=”off” inner_shadow=”off” parallax=”off” parallax_method=”off” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” make_equal=”off” use_custom_gutter=”off” module_class=”blog-header”][et_pb_fullwidth_post_title admin_label=”Fullwidth Post Title” title=”on” meta=”off” author=”on” date=”on” categories=”on” comments=”on” featured_image=”off” featured_placement=”below” parallax_effect=”on” parallax_method=”on” text_orientation=”center” text_color=”light” text_background=”off” text_bg_color=”rgba(255,255,255,0.9)” module_bg_color=”rgba(255,255,255,0)” use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_padding=”100px||80px|” title_line_height=”1.6em”] [/et_pb_fullwidth_post_title][/et_pb_section][et_pb_section admin_label=”section” transparent_background=”off” allow_player_pause=”off” inner_shadow=”off” parallax=”off” parallax_method=”off” custom_padding=”20px||20px|” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” make_equal=”off” use_custom_gutter=”off” module_class=”blog-content-wrapper”][et_pb_row admin_label=”Row”][et_pb_column type=”2_3″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” use_border_color=”off” border_color=”#ffffff” border_style=”solid” module_class=”blog-text”]
In September 2016, a massive 600Gbps distributed denial of service (DDoS) attack hit the KrebsOnSecurity.com news portal. The attack, which easily exceeded the previous record of 400Gbps, was quickly followed by a 990Gbps attack on hosting company OVH. Within weeks, a 1.2Tbps attack, which was propagated by the Mirai botnet, overwhelmed Domain Name System (DNS) provider Dyn and brought down major internet platforms and services.
Three of the biggest DDoS attacks of all time within such a short period underscore the potential risk of cybercriminals turning great numbers of Internet of Things (IoT) devices into malicious bots to wreak havoc in cyberspace. This has led F5 Labs and its data partner, Loryka, to monitor attackers’ search for vulnerable IoT devices they can compromise.
“We actually saw right before the Dyn attack a 1,300% increase in scanning activity,” said David Holmes, worldwide security evangelist at F5 Networks. “There are two ways to interpret that. This is either a side effect of the bot trying to build itself up in order to launch the attack or, as some of my colleagues think, it’s somebody building an even bigger botnet to be used at some date in the future.”
Holmes also showed an interactive map of DDoS attacks taking place in the region at a media presentation during the F5 Anticipate 2017 conference in Singapore. “One thing that is interesting about the criminal underworld is how quickly they can adopt business practices, separating the infrastructure from almost like the sales department and delivery and service level agreements,” he pointed out. For example, by separating scanners looking for devices to infect from the loaders that infect the targeted devices, cybercriminals can customize and monetize their services for different requirements on payloads, malware, etc.
Dearth by disruption
The security landscape is also becoming more complex as more organizations in ASEAN embark on digital transformation initiatives, driven by a young population in the region that boasts a median age of 28.9 years old. “The challenge is we’re delivering more sensitive data to [more] applications,” said Mohan Veloo, CTO of Asia Pacific at F5 Networks, who moderated a panel discussion (pictured above) on three areas related to why security is an integral part of digital transformation – shortage of talent, spending on cybersecurity infrastructure, and the impact of regulations.
“The sheer fact that economies and incumbents can be disrupted definitely show that the whole market has shifted,” said Benjamin Ang, Senior Fellow at the Centre of Excellence for National Security of Nanyang Technological University’s S. Rajaratnam School of International Studies. “So, the students who enter school 10 years ago and are coming out of the schooling system would definitely not have been prepared for this. The fact is many of these [shifts] were not predictable. And the only thing we can do now is to respond as quickly as we can and as flexibly as we can.”
For Lim May-Ann, executive director of the Asia Cloud Computing Association and managing director of boutique consulting and research firm TRPC Pte Ltd, the shortage of cybersecurity and ICT professionals endemic in the industry, not only in ASEAN but globally, has been exacerbated by accelerating threats and challenges. Fertile ground for governmental skills upgrading efforts are “talent that have that self-motivation to go out and continually improve themselves,” she said. However, courses available and their instructors have to stay relevant and up-to-date.
Ultimately, security within an organization is not the responsibility of any one department or person. It is a culture. Anyone who has low awareness of cyber threats and does not embrace good digital hygiene can be the weakest link. App developers, for example, should adopt secure coding practices to minimize vulnerabilities.
To this end, Sean Lam, founder and CEO of financial risk technology company Jewel Paymentech, advocated a culture of “making things, breaking [or hacking] things and making them more secure”. This, he said, add up to “creating the next generation of skill sets and building up the workforce needed for the future”.
Risks and rules
But is cybersecurity a boardroom-level discussion or still an IT responsibility within ASEAN companies? “There are different levels of cyber maturity and awareness in different boardrooms right now,” Lim noted. “I do think it has to be a boardroom-level discussion but at this point in time, it almost always comes back to how much money can we spend and how much is this worth? Then, it becomes a risk assessment exercise. How much of our clients’ data do we have? How much are we liable for?”
“The focus these days seems to be, at least on the regulatory side of things, the risk assessment,” Lim added. “People spend a bit more money where there is a compliance factor, like in the financial services sector. The other factor is if you are externally focused, if you have clients, you tend to spend a bit more on cybersecurity because you [need to protect their data].”
On the other hand, Lam believes that the ability to communicate security and risks to board members is critical in justifying cybersecurity spending and the return on investment. Cybersecurity regulatory requirements, for instance, could pose a challenge and risk of hefty penalties due to non-compliance.
On the flip side, Tan suggested that regulatory requirements, apart from driving best practices and the right behavior, can be very useful for the CIO or CISO who is trying to justify security investments and initiatives to the board.
Karthik Ramarao, director of Field Systems Engineering for ASEAN at F5 Networks, noted that the cybersecurity challenge is certainly growing bigger and more complex with the advent of IoT. “There’s an interesting statistic on the number of days between security breach and discovery,” he said. “In the Asia Pacific countries, it’s close to 400 days [on average] from the time a breach occurs to the time it’s discovered. What [damage can happen] during this period is anybody’s guess.”
[/et_pb_text][et_pb_text admin_label=”Link/Source” background_layout=”light” text_orientation=”left” use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_text][/et_pb_column][et_pb_column type=”1_3″][et_pb_code admin_label=”Right Sidebar” saved_tabs=”all” global_module=”48″]Coming Soon[/et_pb_code][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” use_custom_gutter=”off” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” module_class=”blog-more-articles-wrapper”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” use_border_color=”off” border_color=”#ffffff” border_style=”solid”]
[/et_pb_text][et_pb_blog admin_label=”Latest Articles” fullwidth=”off” posts_number=”3″ show_thumbnail=”on” show_content=”off” show_more=”off” show_author=”off” show_date=”on” show_categories=”on” show_comments=”off” show_pagination=”off” offset_number=”0″ use_overlay=”off” background_layout=”light” use_dropshadow=”off” use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_blog][/et_pb_column][/et_pb_row][/et_pb_section]