The Petya ransomware redux was a reminder to CISOs of an imposing and perennial threat. Be that as it may, the importance of customer and employee convenience in accessing and working on the various systems cannot be overlooked. EC speaks with Milind Mungale, Senior VP & CISO, NSDL e-Governance Infrastructure, on how he has tried to balance the two.
Email whitelisting and application whitelisting are important precautions for keeping threats like ransomware at bay. What strategy have you put in place?
Email whitelisting is a difficult proposition for a highly customer-facing organisation like NSDL e-Governance Infrastructure Limited. Email is an important medium of communication between the company and its customers. Nevertheless, we have installed multiple levels of spam controls, and an equal number of anti-virus and detection mechanisms. The email traffic gets filtered at each gateway level, i.e. at the ISP level and at the company's own native gateway. Even after two levels of filtering, there are restrictions on the type of files which can be sent to the end user's inbox. If there are attachments with executable files, they are blocked and only an intimation is sent to the end user.
About application whitelisting, social media and private email services such as Gmail, Rediffmail, etc. are blocked. This extends to the company's vendors, who are allowed to send mails using non-official IDs only after specific whitelisting requests and an approval process. Otherwise, vendors are not allowed to use their corporate email IDs from our network.
Any DLP implementation can be in either monitoring mode or blocking mode. We have implemented DLP in blocking mode. Usually it is found that enterprises keep DLP in monitoring mode because there is a concern that if the DLP policy is not properly configured, it could also block important and legitimate emails. The DLP implementation is six months old in the company. We are going step by step. In the first 3-4 months, the DLP was running in monitoring mode for the departments to do their traffic analysis. Subsequently, the false positives were identified and now blocking mode is switched on. Keeping DLP in blocking mode right from the word go may prove detrimental from an employee productivity perspective. Strict policies would force employees to operate under tighter controls and thus hamper their work speed.
Apart from the above, proactive measures like patching of systems, the discipline of vulnerability assessment, user / employee awareness, vigilance by the Info Security team and Management commitment to protect the organization's interests at any cost are some of the key best practices which definitely help defend against cyber threats, ransomware included.
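As an added illustration of the two gateway controls described in this answer (executable attachments stripped with only an intimation sent to the recipient, and a DLP rule that can run in monitoring or blocking mode), here is a small Python model of a mail-gateway policy. It is example code, not tooling from NSDL e-Governance Infrastructure or the interviewee; the company domain, the sample messages, the PAN-style DLP pattern and the executable-extension list are all assumptions made for the example.

```python
"""Mail-gateway policy model (added example, not NSDL e-Gov code).

Inbound: attachments that are executable by extension or by PE magic are
removed and the recipient receives an intimation in the body.
Outbound: a DLP rule that either logs (monitor mode) or holds the message
(block mode); mail to purely internal recipients is never a leak.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"          # assumed company domain
# Assumed extension list; a production gateway would be broader.
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".ps1", ".js", ".vbs", ".msi")
PE_MAGIC = b"MZ"                         # DOS/PE header: catches a renamed .exe
# Assumed DLP pattern: Indian PAN-style identifier (5 letters, 4 digits, 1 letter).
DLP_PATTERNS = {"pan_number": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")}


def is_executable(part) -> bool:
    """Executable by file name or by the first bytes of the decoded payload."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    return name.endswith(EXEC_EXTENSIONS) or data.startswith(PE_MAGIC)


def body_text(msg) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body else ""


def filter_inbound(raw: bytes) -> dict:
    """Rebuild the message without executable attachments, adding an intimation."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed, kept = [], []
    for part in msg.iter_attachments():
        (removed if is_executable(part) else kept).append(part)
    clean = EmailMessage()
    for h in ("From", "To", "Subject"):
        if msg[h]:
            clean[h] = str(msg[h])
    text = body_text(msg)
    if removed:
        names = ", ".join(p.get_filename() or "<unnamed>" for p in removed)
        text += "\n\n[Gateway notice] Executable attachment(s) removed: " + names
    clean.set_content(text)
    for part in kept:
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return {"removed": [p.get_filename() for p in removed],
            "kept": [p.get_filename() for p in kept],
            "message": clean}


def check_outbound(raw: bytes, mode: str = "monitor") -> dict:
    """DLP decision: 'deliver' or 'hold'. mode is 'monitor' or 'block'."""
    msg = message_from_bytes(raw, policy=policy.default)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    text = body_text(msg)
    hits = {n: p.findall(text) for n, p in DLP_PATTERNS.items() if p.search(text)}
    if not hits or not external:
        return {"action": "deliver", "hits": hits, "external": external}
    if mode == "monitor":
        return {"action": "deliver", "hits": hits, "external": external,
                "log": "DLP match, delivered (monitor mode)"}
    return {"action": "hold", "hits": hits, "external": external,
            "log": "DLP match, held for review (block mode)"}


def build_sample(to: str, subject: str, body: str, attachments=()) -> bytes:
    """Constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"] = "user@" + INTERNAL_DOMAIN
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    for fname, data, maintype, subtype in attachments:
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=fname)
    return m.as_bytes()


if __name__ == "__main__":
    inbound = build_sample("user@example.com", "Invoice", "Please see attached.",
                           [("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 16, "application", "pdf"),
                            ("report.txt", b"quarterly figures", "text", "plain")])
    r = filter_inbound(inbound)
    print("inbound: removed", r["removed"], "kept", r["kept"])
    outbound = build_sample("partner@outside.example", "Applicant",
                            "Applicant PAN is ABCDE1234F.")
    for mode in ("monitor", "block"):
        print(mode, "->", check_outbound(outbound, mode)["action"])
```

The "invoice.pdf" sample is caught by its MZ header rather than its name, which is the case a name-only filter misses. The monitor-to-block rollout described above maps to running check_outbound with mode="monitor" first, reviewing the logged hits for false positives (here, the internal-recipient exemption is one such tuning), then switching to mode="block".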
Which extra measures did you take after WannaCry?
As soon as the alert was received, the first thing our team did was extract the inventory and sort it by OS version. The list was also bifurcated into external-facing / interfacing and internal systems. Using this list, an assessment was done of which machines (such as some old XP machines used only for certain testing required by the business) could be taken off, and such systems were immediately removed from the network. The other Windows systems were verified for their patch level. We observed that a few systems did not absorb the patch automatically; the patch was applied manually. SMB version 1.0 was blocked at both the perimeter and the endpoints. We purposely chose to ensure that each and every endpoint has its own individual block, so that an innocent employee's mistake cannot harm the organization's assets. Finally, every system was inspected to check its patch level; some did require a reboot or re-patching. The registry in some machines would not change due to strict controls. Such machines had to be configured manually.
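As an added example of how the per-endpoint SMBv1 block described in this answer can be verified from the network side (this is example code, not NSDL e-Gov tooling): a host that still speaks SMBv1 answers an SMB1 NEGOTIATE request offering only the "NT LM 0.12" dialect with an SMB1 header (0xFF "SMB"); a host with SMBv1 disabled does not answer with one, and typically closes the connection. The host names in the usage line and the sample response bytes used for the offline check are assumptions constructed for the example.

```python
"""SMBv1 exposure probe (added example, not NSDL e-Gov tooling).

Sends an SMB1 NEGOTIATE (MS-CIFS) carrying only the dialect "NT LM 0.12".
Only a server with SMBv1 enabled can accept that dialect, so an SMB1
NEGOTIATE response with NTSTATUS 0 and a DialectIndex other than 0xFFFF
means the endpoint block is missing.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def build_negotiate_request() -> bytes:
    """NetBIOS session header + 32-byte SMB1 header + NEGOTIATE parameters/data."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHHQHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status (NTSTATUS)
        0x18,               # Flags: case-insensitive, canonical paths
        0xC801,             # Flags2: Unicode, NT status, ext. security, long names
        0,                  # PIDHigh
        0,                  # SecurityFeatures (8 bytes, unsigned)
        0,                  # Reserved
        0,                  # TID
        0x1234,             # PIDLow (arbitrary)
        0,                  # UID
        0,                  # MID
    )
    dialects = b"\x02NT LM 0.12\x00"            # BufferFormat 0x02 + NUL-terminated name
    body = bytes([0]) + struct.pack("<H", len(dialects)) + dialects   # WordCount 0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message


def smb1_enabled(response: bytes) -> bool:
    """True if the first packet after NEGOTIATE is an SMB1 acceptance of our dialect."""
    if len(response) < 4 + 32 + 3:            # NetBIOS hdr + SMB hdr + WordCount + DialectIndex
        return False
    smb = response[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return False
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return False
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return dialect_index != 0xFFFF             # 0xFFFF = no offered dialect accepted


def probe(host: str, port: int = 445, timeout: float = 3.0) -> bool:
    """Network check; returns False on reset, timeout or a non-SMB1 answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            return smb1_enabled(s.recv(1024))
    except (OSError, socket.timeout):
        return False


def sample_smb1_response() -> bytes:
    """Constructed response of a server that accepted dialect index 0 (NT LM 0.12)."""
    header = SMB1_MAGIC + struct.pack("<BIBHHQHHHHH", SMB_COM_NEGOTIATE, 0, 0x98,
                                      0xC801, 0, 0, 0, 0, 0x1234, 0, 0)
    params = struct.pack("<H", 0) + b"\x00" * 32   # WordCount 17 -> 34 bytes; only DialectIndex matters here
    smb = header + bytes([17]) + params + struct.pack("<H", 0)   # ByteCount 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    # Usage: python smb1_probe.py 10.0.0.5 10.0.0.6   (assumed host addresses)
    for host in sys.argv[1:]:
        print(host, "SMBv1 ENABLED" if probe(host) else "no SMBv1 answer")
```

Run it from a segment that should be blocked at the perimeter as well as from inside; a "no SMBv1 answer" from both confirms the two-layer block the answer describes, and a host that still answers is the one whose registry or feature state needs the manual fix mentioned above.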
What kind of cyber security drills does NSDL e-Governance do on a regular basis?
Like many other organizations, we do follow good practice in this aspect and endeavor to keep improving our practices. We are always open to learning from our peers and competitors.
DR shifting is done periodically and we also have regular IT audits, etc. The VAPT exercise is conducted as per the set cycle, and at times we do random checks too. We also do certain "What If" table-top analyses of certain scenarios and review our ability to handle them.
What is your opinion on the use of AI in ensuring cyber security?
Machine Learning technology, a subset of AI, can help, but unless it matures to a certain stage, one cannot fully depend on it. Full dependency may be at least one more generation away, and there will be an extra load on human intelligence. All said and done, AI will provide faster and more accurate inference, but certain things will have to be finally decided outside of AI technology.
Cyber security awareness has to be a regular activity. Instead of using run-of-the-mill ways of generating awareness, companies should go for innovative ways to make it more interesting. Have you employed any agency or methods for cyber security awareness campaigns?
We do have some self-learning, AV-based training mechanisms on Information Security awareness and preventive methods for such issues. It is not just training; it also has an assessment model associated with it. It is monitored regularly as to who and how many employees go through these modules and undertake the assessment. Scores are shown immediately to users so that they can identify what improvement is required. We also conduct cyber security awareness campaigns by engaging external speakers / experts, and conduct them in multiple batches to cover all employees as well as the contracted / outsourced / vendor staff working with us.