Sony Breach: Warnings for India

When Will Indian Organizations Bolster Their Defenses?

What if a data breach of the same magnitude as the attack against Sony Pictures Entertainment occurred in India? Do the nation's public- and private-sector organizations have the right plans and tools in place to respond appropriately to such a game-changing breach?

In the wake of the recent, high-profile hack attack against Sony Pictures, such questions continue to be debated within India's cybersecurity circles. But numerous experts tell Information Security Media Group that too many Indian institutions remain ill-prepared either to block outright or to respond to a Sony-magnitude hack attack.

"Preparedness in the domestic scenario is very low," says Dinesh Bareja, a leading independent security analyst and founder of the Open Security Alliance. "Nor have we ever planned for disasters or such events."

Spurring Indian organizations to act will require accountability, and for that to happen, multiple information security experts argue that India must pass mandatory data breach notification laws. Organizations must also strengthen their incident response and business continuity procedures, they say.

Indian organizations also need to build a better, more reliable view of their information architecture, hardware and software assets, as well as the location of all critical data, says Sundaram Prabhu, chairman and CEO at Bengaluru-based consultancy ConsulSys India. By doing so, businesses can better prepare themselves to block attacks, as well as more quickly respond to any breaches. "The Indian media industry and other organizations are not at all prepared to handle a breach of the magnitude that struck Sony Pictures," he says.

Too Few Dedicated Infosec Teams

The warnings over the state of Indian organizations' data-breach defenses come in the wake of U.S.-based Sony Pictures Entertainment suffering a significant hack attack, which is being investigated by the U.S. Federal Bureau of Investigation as well as private digital forensic investigation firms. While investigators have yet to disclose when or how the attack began, Sony apparently learned it had been breached only after attackers "detonated" destructive, data-deleting wiper malware on Nov. 24, leaving 6,000 of the studio's employees reportedly unable to use their computers or landline phones.

What happened next was perhaps even more damaging: Sony's attackers began leaking online high-quality copies of unreleased films, plus sensitive corporate information - including private e-mails between top Sony executives - as well as personal details for current and former employees.

On Dec. 19 the FBI said that based on its technical analysis of the attack, North Korea was involved. If that's true, then the attack was apparently launched in retaliation for the Sony Pictures comedy film "The Interview," which centers on a pair of journalists approached by the CIA to assassinate North Korean leader Kim Jong-un.

India Faces Unique Challenges

Hackers have recently penetrated well-funded - and arguably well-defended - organizations such as Sony, as well as U.S. financial giants, such as JP Morgan Chase. That fact hasn't gone unnoticed, multiple Indian information security leaders tell ISMG, especially in a country where many major corporate entities still lack dedicated information security executives or teams.

But given the size and cultural impact of the entertainment industry in India, ISMG asked multiple Indian studios if they felt prepared to defend themselves against a hack attack of the type that compromised Sony Pictures. All of the contacted studios declined to comment.

Practitioners in other industries, however, say that any organization that must protect intellectual property, trade secrets or sensitive corporate data should view the Sony breach as merely the latest online-attack wake-up call. "Sony is just one more advanced security breach," says Amit Pradhan, CISO at Cipla, a leading Indian pharmaceutical company. "The political angle and cross-country aspect has probably put it in [a] different arena," he says, adding that the Sony hack is unusual, in part, because of the sheer amount of global news coverage it has generated.

Pradhan also warns that Indian organizations would face some unique challenges if they were hit by such an attack. "From a technology perspective, India would be at par with other countries in terms of putting in security controls," he says. "However, given the evolving nature of the laws and regulation in India regarding cybercrime, judicial enforcement and damage control of any sort would have been a challenge, had it happened here."

"The response would have been very reactive, and very little support from the government could be expected," says Chandresh Dedhia, who heads IT at Mumbai-based Fermenta Biotech. "We already have our National Cyber Security Policy 2013, but so far it's only on paper. Very little has been done to mandate certain critical steps for its implementation."

But Dedhia notes that the Sony breach is already being viewed as a game-changer by numerous Indian businesses. "In many cases, companies that never had a dedicated role of CISO and CSO are planning to institute this function," he says.

4 Takeaways

Indian information security leaders say that organizations should learn several important lessons from the Sony breach:

Information Sharing Required: Fermenta Biotech's Dedhia says India urgently needs a national-level consortium of companies - and active involvement from the government - devoted to sharing attack-related intelligence and support. "Again, this has been on cards for some time in principle, but hasn't moved ahead," he says.

Better Breach Response Needed: Preparing a well-documented, agile response mechanism is a must, experts say. Given the lack of legal frameworks in India - should such an attack occur here - organizations can't expect the government to come to their aid. Instead, experts recommend that they get proactive and put a well-planned incident response strategy in place today.

Robust Backups Required: The wiper malware that compromised Sony reportedly deleted data from hard drives and "bricked" machines, making them impossible to reboot. Security vendor Fortinet warns that such "blastware" - loosely defined as malware that's designed to destroy systems and cover the hackers' tracks, making forensics very difficult - may well be used more in 2015. Accordingly, Dedhia argues that having regular backup copies of all corporate data should now become standard practice, to safeguard against not just unexpected natural catastrophes, but also against devastating blastware attacks.

Board-Level Security Awareness Is Mandatory: While the Sony breach may have roused Indian enterprises previously unconcerned with security, on the whole, information security awareness is very low - not only at the board and C-suite level, but also across organizations and business entities. Too often, information security is still perceived as a cost that does not add to the bottom line, says Prabhu of ConsulSys.

When it comes to devoting more resources to information security, many experts say that the best bang for the buck for Indian enterprises is to focus on user awareness training. Prabhu, meanwhile, argues that putting in place a strong suite of technology controls should be the first step, after which organizations must build a reliable picture of their information assets and the associated risks. Beyond the prevention angle, he says Indian enterprises must also bolster their breach response capabilities.

"We need to transform into a 'security-aware society' to bring any lasting change," Prabhu says.

About the Author

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.
