CTM360 Web Series - Definition of Cybersecurity

00:00

[Music]

00:00

[Applause]

00:00

[Music]

00:15

hi my name is Mahar B I am the CEO and

00:20

founder of ctm 360 I've have started

00:23

this series of talk because I believe we

00:26

need to make a change in the way we are

00:28

managing Security today

00:30

why am I saying that is because there

00:32

are issues which I want to highlight and

00:35

I want to start by describing to you the

00:37

rational why I feel we need to make the

00:40

change and in this talk of today I'll

00:42

only end up with the high level

00:45

difference which I think we need to make

00:47

in the following talks I'll take you in

00:50

more details of this so starting with

00:52

the first part why am I saying we need

00:56

to make the difference let's look at

00:58

what an FBI director said a couple of

01:01

years back what he said was that there

01:04

are only two type of companies one that

01:07

has been hacked and the ones who will be

01:10

hacked but last year the same thing was

01:13

changed by The Cisco CEO he said there

01:16

are two type of companies the ones who

01:18

have been hacked and the ones who don't

01:20

know that they have been hacked so

01:22

effectively what he is saying is that

01:24

everybody has been hacked and he may be

01:27

very right I believe so this is exactly

01:30

what also Swift said last year once the

01:34

Bangladeshi Bank hack came to surface

01:36

they said to the banks assume you all

01:39

have been breached and when the banks

01:41

went around trying to look for it a lot

01:43

of banks did find that the breach had

01:47

happened and the attackers were on the

01:50

way even in Bangladeshi Bank the

01:52

attackers were there for more than a

01:54

year before somebody even came to know

01:57

and they only came to know when the

01:58

money was transferred so this is what is

02:00

practically going on right now in a lot

02:03

of organizations and they don't know

02:05

about

02:06

it this can be visible from one more

02:09

angle if you look at the data dumps what

02:13

is a data dump when a large social media

02:17

or a internet service provider is

02:19

breached and the email IDs which people

02:22

have used there as a user ID along with

02:25

their password is published on the

02:26

internet that is what we call a data

02:29

dump now in those data dumps the one

02:32

which was by Ashley medicon that made a

02:34

big news because it was on a dating site

02:37

and on from there a lot of people came

02:39

to know that their spouse were cheating

02:41

on them why because their email

02:43

addresses were in part of the data dump

02:46

now for us what is important in that is

02:48

the password along with it assumingly

02:51

the same password they must have used

02:53

across many of their accounts so once I

02:55

know the password from there I can try

02:58

in a number of their other accounts

02:59

including including their company email

03:00

account and I may succeed and think of

03:03

it that how many other data dumps are

03:05

happening LinkedIn is another one which

03:08

made big news it was posted last year in

03:12

2016 the breach had happened in 2012 so

03:15

for 4 years somebody had the passwords

03:18

for that they must be scrapping the data

03:21

across many networks and one person who

03:24

was there who we all know is Mark

03:26

Zuckerberg his email address was part of

03:29

the that breach and because of that once

03:32

this was published last year Somebody

03:35

went in and hacked his Pinterest and

03:38

Twitter account because the password was

03:40

the

03:41

same

03:43

now this data

03:45

dumps the one which happened on Yahoo

03:47

impacted it the most because they lost a

03:50

lot of value from it and then about

03:53

every week we find a few data dumps

03:56

there the next thing which I want to

03:58

talk about is the loss we are having

04:01

last year the estimated loss was

04:04

$445

04:06

billion and then now projecting that

04:08

this loss will go up to 2 trillion by

04:12

2019 in another just 2 to 3 years what

04:16

is going on if we look at the actual

04:19

money loss which is recorded by ic3 an

04:21

organization in the US it recorded that

04:24

in 2001 the data loss the losses from

04:27

the security breaches from 17 million

04:31

went up to a billion by

04:33

2015 so the losses are growing

04:36

exponentially where we are spending and

04:38

investing so much more in securing and

04:41

that is also evident from the security

04:44

report which was done on the banking

04:46

sector in

04:47

USA the country which has the largest

04:51

security vendors assumingly they're

04:53

spending the most money on securing the

04:55

banks and the situation is that 75% of

04:59

the top us commercial banks have got

05:01

malware in their

05:02

environment 95% of the top 20 US Banks

05:06

don't even have a grade of A or B

05:08

they're all C or less so something is

05:12

really

05:13

wrong if we plot it against time we see

05:16

that the losses have gone much higher

05:20

with time the attacks are going at a

05:24

faster Pace than how much we are able to

05:26

manage it let's go ahead another 30

05:28

years and if we keep on doing what we

05:31

are doing today then whatever we are

05:33

managing will be really

05:35

negligible so what I'm trying to say is

05:38

we don't need to do more of whatever we

05:41

have been doing we need to do it

05:43

differently and the two areas which I'm

05:46

projecting we need to do differently one

05:48

is to redefine security and other is

05:51

offensive defense so let's look at

05:53

redefining security let's start by

05:55

saying what are the definitions of cyber

05:58

security information security and it

06:01

security if I ask you give me the

06:05

difference what you think is there

06:07

between cyber security and information

06:08

security I'm sure you will struggle

06:10

everybody struggles everybody has their

06:12

own way of defining it the difference

06:15

which we notice is that over the period

06:17

people have started using the word cyber

06:19

security instead of information security

06:22

the same National initiative which was

06:24

information security initiative is now

06:27

called cyber security initiative the

06:29

information security groups have started

06:32

calling themselves cyber security group

06:34

the information security awareness we

06:37

used to have is called cyber security

06:39

awareness and let alone the two strong

06:43

countries when their presidents meet up

06:45

China and us the headline says they're

06:50

both debating the definition of cyber

06:52

security pretty much the same thing

06:54

happens when the Chinese president goes

06:56

onto the UK so what's going on let's do

06:59

a research across the industry to see

07:02

what anybody says about cyber security

07:04

the first thing which I did was I went

07:05

to isaka isaka does not have their own

07:08

definition of cyber security but a

07:09

gentleman there tried to explain what he

07:11

thinks is cyber security in his view

07:15

information security is a bigger

07:17

umbrella and whatever we know within

07:20

that is traditional security and what we

07:23

don't know is cyber security that is his

07:26

definition I don't comment on it let's

07:29

go to itg itg says that defined it as

07:33

the protection of systems Network and

07:35

data in

07:36

cyberspace here we will have a debate on

07:38

what is cyberspace things which I own

07:41

but they're in the cloud are they in the

07:43

cyberspace and so on let's look at a

07:46

university the university says that

07:48

information cyber security

07:50

is referred to also as it security

07:55

information technology security so they

07:57

for them cyber security and it security

07:59

is one and the

08:00

same it's very confusing you look across

08:03

all the different vendors and every

08:04

vendor tries to explain it by what their

08:08

business is and maybe you can say that I

08:11

have tried to do the same but I think in

08:14

my humble opinion my description of

08:16

cyber security would make more sense in

08:19

redefining security let's start first

08:23

look at it security and each of these

08:25

functions I would rather like to focus

08:27

on the mission of each to understand

08:30

what they are so it mission is really

08:33

Service delivery which is about the end

08:35

user where we need to give the end user

08:38

more room to work but in a secure manner

08:41

which is similar to police in the

08:43

physical world then we go on to

08:46

information security information

08:47

security the mission is about

08:49

information assets it's not about the

08:53

end user which in the physical world we

08:56

can say is more of less like the

08:58

ministry of defense the military

09:00

itself the military is trying to secure

09:03

the critical assets of the country where

09:05

people may die but they need to secure

09:08

the critical assets the mission is

09:10

entirely different than what is the

09:12

mission of the police same the missions

09:15

of it security and information security

09:17

are very different then we come to cyber

09:20

security the mission is about attacks

09:22

it's only about identifying and

09:24

neutralizing cyber attacks these three

09:28

hence giv you the different picture

09:30

where cyber security equates to

09:32

intelligence agency in the physical

09:34

world where the intelligence agencies

09:37

even go out outside their country into

09:41

other countries and perform covert

09:43

operations to neutralize the attackers

09:47

and hence comes forth the big Enterprise

09:51

security with four pillars physical

09:53

security with the mission of physical

09:56

nature of assets of the Enterprise it

09:59

security which the mission is the end

10:02

user information security mission is the

10:05

information assets and lastly cyber

10:08

security where the mission is about

10:12

attacks now if we try to give these

10:15

different missions to the same one

10:18

individual we will have an issue we are

10:20

giving them conflicting missions and

10:23

this is why I'm saying we should

10:25

differentiate to get more effective

10:29

Enterprise Security in an

10:31

organization I in my next talks I'll

10:34

take you through in more detail of each

10:36

one of them up to what I believe should

10:39

be the roles and

10:41

responsibilities thank

10:46

you