Documente Academic
Documente Profesional
Documente Cultură
Cybersecurity
Report 2019
Contents
Executive summary 1
53 Multi-stakeholder collaboration
Security trends by industry 6 in cybersecurity
65 PUF-based authentication
for IoT security: An alternative
approach
30 Regulations References 77
Foreword
Raja Ukil
Senior Vice President, Global Head,
Cybersecurity & Risk Services
@raja1847
linkedin.com/in/rajaukil/
Dear Readers,
Wipro is happy to present the third edition of Over the years to achieve resilience,
the “State of Cybersecurity Report (SOCR)”. organizational structures relating to ownership
Our journey with this report started with the of cybersecurity and data privacy have evolved.
publication of the first edition in 2017 and since The heightened awareness of cyber risks by the
then, the readership has grown to over 1000+ board, has driven the evolution of the role of the
security leaders around the world. Cybersecurity CISO. Over 21% of CISOs surveyed are directly
has become a board-level concern today, due reporting to or have operational visibility to the
to escalating nation-state attacks. In fact, the CEO. Security budgets are also on the rise, with
World Economic Forum’s (WEF) Global Risk Report almost one-third of organizations surveyed having
2019 has rated cyberattacks amongst the top 4 a security budget which is greater than 8% of
global risks, only behind climate change, extreme their overall IT budget.
weather events and natural disasters.
The report also captures the changing
Cyberattacks have moved on from traditional strategies used by attackers and highlights how
techniques and have become more targeted and organizations today are bolstering their defenses
sector-specific. Attackers are operating in stealth to stay one step ahead. It concludes with a peek
mode making attribution of attacks more difficult. into the cybersecurity areas that will be pertinent
in the near future.
Digital transformation has taken centre-stage and
new technologies like cloud and IoT are increasing We hope that you will benefit from the global and
the attack surface of an organization’s digital industry-specific insights available in this edition
assets. As a consequence, attackers around the of the State of Cybersecurity Report and that
world are arming themselves with innovative tool together, we will be able to make our enterprises
sets. In order to provide resistance to impending more resilient to withstand and recover from
attacks, it is crucial for organizations to heighten future attacks!
their level of preparedness and strive to achieve
proactive resilience.
II
Editor’s note
Josey V George
Editor-in-Chief: State of Cybersecurity Report 2019
Practice Head, Cloud & IoT Security @ CRS
@joseyvg
linkedin.com/in/josey-george
Dear Readers,
Welcome to yet another edition of Wipro’s annual “State of cyber resilience” if you would like to
“State of Cybersecurity Report (SOCR)!” explore how this evolution is happening and how
CISO teams are measuring their performance and
This year, we have a spectrum of research domain practices.
findings that will be presented across 5 sections
of the report. This year, we have included a contribution from
the Data Security Council of India (DSCI)—an
The executive summary is not to be missed as it industry body for data protection in India set
lays out the cybersecurity paradigm as a battle of up by NASSCOM®. Thank you Vinayak and
stratagems between attackers and defenders. We DSCI for enriching this year’s SOCR with the
are hoping that our readers can recognize some perspective on “Multi-stakeholder collaboration
of these stratagems from their experiences in in cybersecurity.” You can jump to the section,
protecting digital assets and will explore others “State of collaboration” to find this article and
that are new. other related research.
For those of you who are looking for vertical- I also want to thank Professor Debdeep from
specific cybersecurity trends, please do check out the Indian Institute of Technology, Kharagpur,
the section titled “Security trends by industry.” and Professor Ashutosh, Co-Chair of IEEE
This section in the SOCR holds key insights to Future Networks (and staff at Johns Hopkins
benchmark your enterprise against the rest of University) for their insightful contributions on
the industry and this data has come from the 211 IoT and 5G security respectively in the “Future of
organizations that chose to respond to our survey. cybersecurity” section of SOCR.
What were the most common cyberweapons that I have to also thank our technology partners,
enterprises were exposed to? How are countries Checkpoint, Palo Alto Networks, Intsights, Denim
around the globe tightening breach notification Group, Device Authority, CyCognito, Rapid7, Tracxn
laws? These are the questions that are dealt with and Fortinet for their support with collaborative
in the section titled, “State of attacks, breaches research and correlation of the findings.
and law.”
I hope you will enjoy reading SOCR 2019. If you
We are seeing a clear shift in the role of the like our work, please share it with your colleagues
Chief Information Security Officer (CISO) within in the industry and do continue to write to us with
organizations. Please read the section titled, your valuable feedback.
III
In the spotlight
Page 53
Page 28 Page 61
IV
Executive
summary
1
The world as we have created it is a process of our thinking. It cannot
be changed without changing our thinking.
Albert Einstein
The third annual edition of the “State of future, one needs to understand their changing
Cybersecurity Report” from Wipro builds on stratagems. The strategies that are employed by
providing a unique perspective of the building actors on either side of the cyber divide (attackers
blocks that define the global cybersecurity arena. and defenders) are constantly evolving but
While the report covers a wide spectrum of topics, they can be discerned by drawing out recurring
the long and short of the ensuing cyber spectacle patterns that can be observed through the year.
is the real battle that unfolds daily between two The summary below draws insights from different
broad actors: the attacker and the defender. parts of the report to bring together stratagems
To understand what played out during the past from either side of the divide.
year and what is possibly in store in the coming
Attackers have become more sophisticated, financial sectors have been at the receiving end of
engineering targeted strikes resulting in a higher almost half the cyberattacks perpetuated in 2018.
breach rate (notional records stolen per second), Attackers find it more profitable to steal user data
yet cumulative number of significantly recorded with credentials like passwords, enabling them to
breaches has come down by 25%. The health and launch further strikes and multiply the return.
The Trojan horse still rules accounting for more types of web application vulnerabilities have
than half of the malware attacks—as seen by stayed put during the last few years, making way
Wipro’s Cyber Defense Center (CDC). The top 10 for attackers to employ repeatable web exploits.
2
Stratagem 3: Invest in an element of surprise
25% 80%
Mining was on overdrive, of global organizations of cryptomining attacks
ransomware took a backseat were targeted by Coinhive were from Coinhive,
malware in 2018 Cryptoloot and JSEcoin
Today, organizations expect leaders to have their divisions/products represented in the social
an established social presence. Attackers are space, harming their collective brand reputation.
leveraging this trend and are creating fake social The consumer and retail sectors are targeted
media profiles and assets to launch whaling more often than others.
attacks. Attackers are targeting companies and
To successfully carry out a sophisticated attack, operation. From identifying company and
attackers get intelligence around their targets’ employee assets to analyzing the vulnerabilities
assets, suppliers and defenses. Prep work is in the defense layer, attackers are leaving no
paramount when partaking in a no-holds-barred stone unturned.
Profiling the company Identifying the type of PII Firewalls and VPNs have
assets, IT staff from public and quantity of data you a higher propensity for
sources desire from your target vulnerabilities with high CVE
scores (6.73/10)
3
Changing defender stratagem
With high-profile breaches, security has become (CISOs) who are reporting straight to the CEO.
a boardroom concern. Organizations are This number is expected to grow in the coming
re-establishing governance for security with years. Regulations like GDPR have mandated the
clearer executive reporting structures. CEOs position of Data Protection Officer (DPO) in many
are feeling the heat, which is evident from the European organizations, with other countries
22% of Chief Information Security Officers following suit.
Due to digital transformation programs, security organizations are automating processes and
budgets as a percentage of IT budgets are on building long-term partners to reduce cost
the rise. However, there will be a point where without compromising continuous resilience
the budgets will plateau. To accommodate this, and regulatory compliance.
The question is not about if but when the CERTs (Computer Emergency Response Teams)
unthinkable breach materializes. Organizations are and industry regulators. In addition, more and more
preparing themselves for the inevitable by partaking organizations are choosing to take up dedicated
in cyberattack simulations coordinated by national cyber insurance policies.
4
Stratagem 4: Empower and bring the “common” back in common sense
Humans are the weakest link in security incidents. Enterprises will have to continue to
and organizations are only as strong as the invest in security education through e-Learning
weakest link. Employee negligence and lack and other mediums to strengthen the human
of awareness continue to cause security dimension of security.
With organizations riding the digital wave, cloud This could include leveraging and consuming
and IoT adoption is on the rise. Security strategies best-of-breed security anywhere, including
need to be enhanced to address this changing security from the cloud.
landscape to enable a smooth and safe transition.
Collective wisdom is better than learning in networks more useful, it is paramount that
isolation. Organizations are actively consuming intelligence-sharing is not a one-way street
intelligence from national CERTs and regulators but a symbiotic relationship, thus enriching the
on a regular basis. To make the sharing value for all participants.
5
Security
trends
by industry
Manufacturing
Consumer
Health
Communications
6
Energy, Natural Resources & Utilities
Security governance
60% of organizations have their line of business owner identify
business-critical assets
Security budget
32% of organizations have a security budget
that is between 4–6% of their IT budget
Simulation exercise
41% of cyberattack exercises by geography-specific
industry/sector regulators
7
Key insights - Energy, Natural Resources & Utilities
Closing thoughts
The energy, natural resources & utilities sector is increasingly vulnerable to cybersecurity
threats and attacks given the pace of digitization, IT/OT convergence, and the potential
impact to critical infrastructure, public health and safety, and the environment. Adversaries
such as nation-states pose a persistent threat to the sector. Companies are trying to keep
up with the sophistication of attackers while reducing the risk to OT infrastructure and
protecting confidential information from unauthorized access.
8
Manufacturing
Security governance
90% of CISOs report to CIO
Security budget
44% of organizations have a security budget
that is less than 4% of the IT budget
Simulation exercise
36% have never participated in any
simulation
9
Key insights - Manufacturing
Closing thoughts
10
Consumer
The consumer industry encompasses a vast variety The year that was:
of markets and company profiles, ranging from retail, The consumer industry faced
media, food, consumer products, travel and hospitality, 198 significant publicly
and more. Despite many dissimilarities, most companies reported breaches in 2018, with
in this sector share a few common characteristics and customer card and PII data
trends when it comes to cybersecurity. Overall, digital being the top data sought.
transformation is expedited through the adoption of
connected technologies across the sector. CISO budgets
as a percentage of IT budgets are still low compared to
other industries. This will see a change as regulatory
pressures increase. The likely key cybersecurity
challenge of the consumer industry is to promote data
protection at the core of the business culture.
Security governance
77% of CISOs report to CIO
Security budget
50% of organizations have a security budget
that is less than 4% of their IT budget
Simulation exercise
57% of organizations have never participated in
simulation exercises
11
Key insights - Consumer
Closing thoughts
Consumer organizations riding the digital wave have the added pressure of protecting
customer data. CISOs are playing catch-up with their security strategy and have a huge
opportunity to adopt mature security practices and paradigms to ensure digital resilience.
12
Health
Security governance
45% of organizations have a CPO/DPO accountable for data privacy
Security budget
40% of organizations have a security budget
that is 4–6% of the total IT budget
Simulation exercise
41% of cyberattack exercises coordinated by
national CERT/CSIRT
13
Key insights - Health
Closing thoughts
14
Banking, Financial Services & Insurance
The Banking, Financial Services & Insurance (BFSI) The year that was:
sector is consistently one of the most targeted The BFSI industry faced 348
sectors. Due to the nature of the data it holds, significant publicly reported
it is also one of the most regulated and mature breaches in 2018, with PII and
industries when it comes to cybersecurity. financial record data being the
Digitalization has transformed multiple channels most sought after.
and enhanced user experience.
Security governance
35% of CISOs report to CIO
Security budget
41% of organizations have a security budget
that is over 8% of their IT budget
Simulation exercise
40% have cyberattack exercises by geography-specific industry/
sector regulators (like Federal Reserve, NERC, FSA, EBA, etc.)
15
Key insights - BFSI
Closing thoughts
Financial institutions have been early adopters of emerging cyber technologies or controls
to counter new threats. They need to consciously review their cyber resiliency practices to
protect themselves against the onslaught of attacks headed their way.
16
Communications
Security governance
47% of CISOs report to CEO
Security budget
50% of organizations have a security budget
that is less than 4% of their total IT budget
Simulation exercise
40% have cyberattacks coordinated by
national CERT
17
Key insights - Communications
Closing thoughts
Adopting a cyber resilience framework that can propel the maturity of security processes and
technology in the new-age communications enterprise will help mitigate new emerging risks.
User security awareness, consumer identity management, third-party risk management, and
good patch management is expected to aid in reducing cybersecurity risks across both the
carrier network and organizations attached to it.
18
State of
attacks,
breaches
& law
Cyberweapons
Regulations
19
Know your enemy and know yourself and you can fight a hundred
battles without disaster.
Sun Tzu
The “State of attacks, breaches and law” section products and what that future holds out for CISOs
lays out the macro view that defined cybersecurity and their teams as they leverage these products
around the globe in the year that went by. It peeks to fortify their defenses. This section concludes
into the data breaches that shook the world and with the evolution of breach notification
the weapons of cyber destruction that made it and privacy laws in 23 countries. It calls out
happen. Trends such as the rise of cryptominers countries that have stringent norms to protect
and the fall of ransomware indicate the changing consumer data and limit the cross-border flow
attacker stratagems. Further, the section weaves of information. Overall, this section brings to the
its way into the troublesome territory of analyzing forefront the changing strategies employed
security weaknesses in commercial security by attackers.
The year 2018 has seen a massive increase in the notionally was 232/sec. Based on our 2018 report,
absolute volume of records that were breached health and the BFSI industries continue to be the
(across publicly reported breaches worldwide). most targeted by hacking groups across regions.
Over 1,700 publicly reported data breaches were
analyzed as part of the research. The number of One very interesting trend that the research points
records compromised by these breaches over to is that while the volume of records breached
the past one year has increased by 164% when has cumulatively gone up, the cumulative number
compared to the previous year. The average number of publicly reported breaches has reduced by over
of records lost per second (reported as Breach Rate) 25% as compared to last year.
400
Number of data breaches
300
200
100
0
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Global insight
The number of publicly reported
Data breach analysis across verticals breaches has reduced by 25%
in one year but the cumulative
Large organizations have suffered huge data breaches number of records exposed has
over the last few years, impacting their brand increased by 164% to 232 records
reputation and leading to an overall loss in revenue. exposed/second.
20
Vertical insight
Figure 2 shows the split of data breaches across The health industry contributed
various verticals in 2018. Health and BFSI saw the 28% (highest across all
greatest number of breaches this year. verticals) of the total data
breaches in 2018.
Consumer
BFSI
Education
12%
Technology 20%
8%
5%
Manufacturing
3%
28%
24%
Others Health
21
Adv PII + financial Basic PII
PII + occupation
3%
3%
Adv PII + medical + financial
2%
PII + medical records 2%
38%
26%
Attackers are more focused and are targeting also seem to indicate that attackers are gaining
more specific information in breaches that they more intelligence on the type and location of data
perceive have higher monetary value. The trends that organizations possess.
The following section looks at the different types Figure 4 shows the distribution of cyber
of attacks targeted at industries. Wipro’s venture intelligence alerts accumulated across various
partner, IntSights—a leading cyber intelligence industries, spanning areas like phishing attacks
organization—has contributed this section of on suspicious applications, suspicious social
the report. Using their external threat protection media profiles and various attack indicators
platform, IntSights threat researchers analyzed like assets offered on the black market and
over 900,000+ alerts to arrive at their conclusions. telegram chatter.
The team dived deeper into the area of suspicious
social media profiles.
22
Registered
suspicious domain
Suspicious application
Suspicious social
media profile
Suspicious
email address
Leaked credentials
Assets offered
on black market
IRC chatter
Telegram chatter
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Suspicious social media profiles in 2018 Are your social media assets at risk?
Organizations today hold multiple social media Hackers deploy fake social media profiles for
handles to communicate with their customers. a variety of reasons. They use it as grounds
Malicious social media handles can put a for phishing and social engineering attacks.
company’s reputation and brand at stake. Brand Hacktivists and some state-sponsored Advanced
security is an important part of the defense Persistent Threats (APTs) deliberately misinform
perimeter of any enterprise. Not only does it the general public and influence political views
mitigate possible image and reputation damages, through fake profiles.
but it also stops potential social engineering
and spear-phishing attacks. For example, Criminal actors phish for credentials and
impersonating a VIP entity might provide hackers confidential proprietary information by executing
with an easy way to steal privileged credentials or social engineering attacks disguised as employees
propagate their malicious campaigns. Attackers of their target. Receiving an email from a familiar
are leveraging this opportunity and creating fake person or contact drastically increases the chance
profiles across all channels of social media. of credential theft or malicious infection.
23
Facebook
LinkedIn
19%
20%
Others
GitHub, 0.1%
Flickr, 0.4% 4%
Weibo, 1% 5%
VK, 1%
5%
Vimeo, 1%
8% 16%
Pinterest
YouTube
Google plus
Twitter
Attacker stratagem
Social media is no longer a millennial tool; senior leaders and organizations are on board too.
Attackers are aptly using this to go after or impersonate the big fish in the business.
24
Cyberweapons
In 2018, threat actors became more of incidents across four quarters and high
sophisticated and developed new methods to incidents of malware families were inferred.
exploit vulnerabilities in current and emerging Cryptominers have shown a significant growth in
technologies. This section of the report analyzes the last year and their rise has been highlighted
malware attacks detected and thwarted by as a critical finding. Overall, attackers are
Wipro’s CDC in 2018. 5,250+ incidents from sticking to their tried and tested techniques,
multi-geographic environments were sampled like trojans, but at the same time leveraging the
and analyzed. The attack types were identified bitcoin revolution by introducing various variants
and the malware threat type, relative distribution of cryptominers.
W32/HostInf-A
W32.Yimfoca.B
W32.Downadup.B
Worm W32.Downadup!autorun
VBS.Dunihi
W32.SillyFDC
SecurityRisk.OrphanInf
W32.Coinbitminer
Heur.AdvML.B
Heur.AdvML.C
W32.IRCBot
Trojan Trojan.Gen.NPE
Backdoor VBS.Dunihi Activity
Trojan.Gen.2
W97M.Downloader
JS.Webcoinminer
Attacker stratagem
Attackers haven’t given up on their established techniques to score the next big payday.
25
Exploits distribution Global insight
Wipro’s CDC data revealed that 22% of exploits 22% of exploits in 2018 were web
in 2018 were web exploits, up from 12% in 2017. exploits.
Remote Code Execution exploits jumped to 15% in
2018, up from 5% in 2017.
SQL injection
12%
5% 24%
Coinhive
Rubyminer
38%
4%
Authedmine
6%
XMRig 10%
23%
19%
Cryptoloot
JSEcoin
Attacker stratagem
Attackers are developing custom kits and exploits for targeted attacks, bringing in the element
of surprise.
26
50%
45%
40%
35%
30%
25%
20%
15%
10%
5%
0%
Jan-18 Feb-18 Mar-18 Apr-18 May-18 Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18
Ransomware Cryptominer
Figure 10 shows a global—as well as a regional— top-most malware used by cryptominers. This can
view of all the cyrptomining attacks in 2018. be attributed to the fact that it can be distributed
Around 25% of global organizations were easily through social media advertisements and
attacked by Coinhive malware which became can spread without the knowledge of end-users.
the most prominent malware of 2018. In all three Cryptoloot, JSEcoin and XMRig were the other top
regions—Americas, EMEA and APAC—it was the malwares used by attackers.
27
Global insight Global insight
Partner content credits: “The rise of cryptominers in 2018” was contributed by Wipro’s partner, Checkpoint
(www.checkpoint.com)
Traditional vulnerability management antivirus, data loss prevention, Identity & Access
programs in large enterprises are focused on Management (IAM), security intelligence &
identifying, tracking and mitigating weaknesses analytics, firewall, VPN, SAST/DAST and others.
in IT operating systems and applications.
Vulnerabilities identified in such systems The following vulnerability categories were used:
generally age—sometimes into a few months—
escalating risks that security governance teams • DoS • HTTP response
need to track. However, our research over the splitting
• Code execution
last three years has shed light on an elephant
• Bypass something
in the room which is completely overlooked— • Overflow
vulnerabilities in security products! Could this be • Gain information
• Memory corruption
a golden opportunity for attackers? • Gain privileges
• SQL injection
• CSRF
• XSS
Vulnerability trend analysis • File inclusion
• Directory traversal
The research is based on vulnerability trends
derived from yearly vulnerability scores published The 3-year trends for the 13 vulnerability
on the Common Vulnerabilities and Exposures categories have been showcased in Figure 11. The
(CVE®) website (https://cve.mitre.org/). CVE is most frequent categories are: DoS, code execution,
a list of IDs for publicly reported vulnerabilities. XSS, gain information and gain privileges. Gain
The research on security product vulnerabilities privilege vulnerability category has seen a 129%
looked at multiple product domains such as rise in vulnerabilities.
250
200
Number of vulnerabilities
150
100
50
0
DoS Code Overflow Memory SQL XSS Directory HTTP Bypass Gain Gain CSRF File
execution corruption injection traversal response something information privileges inclusion
splitting
28
Gain privileges as a vulnerability category saw Firewall and VPN products topped the table with
a significant rise in 2018. Privilege escalation a score of 6.73, indicating a higher propensity
attacks due to the expanded access to systems for vulnerabilities. The admin interfaces of
and data have increased the risk for organizations these products need to be periodically tested
in the context of data breaches. for vulnerabilities and appropriate patches or
compensating controls need to be put in place
where applicable. Webservices gateway, PKI and
Vulnerabilities in security products IAM product security domains gave the lowest
average scores—indicating a propensity for
In the previous section we looked at the common
vulnerabilities with lower CVE scores.
vulnerability categories across security products.
Taking this a step further the research highlights
which security product types are more vulnerable
to attacks. Global insight
5.43
Database activity 5.83 Antivirus
monitoring 5.50 5.80
5.65 5.75 Vulnerability management
DLP
2018
Global insight
A key observation from the vulnerability analysis is that in general, the severity
score of vulnerabilities has gone down in 2018—although the cumulative counts of
vulnerabilities have gone up.
29
Regulations
So far, the report has covered information on data analysis of breach notifications and cross-border
breaches, cyberweapons and vulnerabilities in data transfer laws across 23 countries. The 23
cyber defenders. This section delves into the legal countries covered are Australia, Brazil, Canada,
aspect of cybersecurity, with regard to the data China, Dubai1, France, Finland, Germany, India,
privacy regulation landscape across the globe. Italy, Ireland, Japan, Mexico, Norway, Poland,
Defenders need to be wary of the implication Russia, Spain, Singapore, South Africa, Sweden,
of a breach, from a regulations point of view. Switzerland, UK and USA. The key parameters
Wipro’s cybersecurity CoE carried out detailed used to evaluate the data are shown in Table 1.
For each of the 23 countries chosen, the regulations. The scores were used to plot Figures
parameters were analyzed using a weighted 13 and 14. The higher the country score the more
average method. Each country was given a total stringent the laws are towards breach notification
score on a linear scale based on the stringency of or overseas transfer.
30
Heat map of breach notification laws
Lenient Stringent
Figure 13: Heat map of country-specific regulations relating to breach notification, 2018
Global insight
The US has strict breach
notification laws, while its
cross-border data transfer laws
are less stringent than GDPR.
Lenient Stringent
Figure 14: Heat map of country-specific regulations relating to overseas data transfer, 2018
31
State of
cyber
resilience
Security governance
•• The evolving role of the CISO
•• Ownership of data privacy
•• Security budget
•• Security metrics
Security practices
•• Data security
•• Application security
•• API security
•• Network DDoS protection
•• Endpoint security
•• Security monitoring & analytics
•• Cloud security
•• IoT security
•• Human dimension
32
If it be now, ’tis not to come. If it be not to come, it will be now. If it be
not now, yet it will come—the readiness is all.
William Shakespeare
Cyber resilience has become an existential The need for a cyber resilience framework
imperative for the digital enterprise of today.
Cyber risks can not only affect the top line by Cyber resilience needs to be a continuous
impacting revenue but also impact the bottom process to identify opportunities to strengthen
line by adding IT, legal and compliance costs cybersecurity posture, while aligning with
before and after the manifestation of a risk. industry practices. The process of cyber resilience
Addressing cybersecurity risks continues to needs to be underpinned by an appropriate
be subservient to an organization’s overall framework. Multiple cybersecurity frameworks
risk management efforts. This section exist today across industries and geographies.
presents findings from the primary research While frameworks may not be “one size fits all,”
carried out with CISO teams across the globe, they do have their advantages of leveraging best
covering areas such as security governance, practices that are common to most enterprises.
security budget, metrics and domain-wise The framework also provides a mechanism to
practices. This represents the micro view of communicate the roles and responsibilities,
the cybersecurity from the organizational feedback mechanisms and communication
standpoint. It takes a peek into the defenders imperatives up and down the corporate hierarchy.
strategies to see how organizations are Figure 15 provides a glimpse of a typical charter
safeguarding themselves from attackers. of expectations for establishing a feedback-based
framework of continuous cyber resilience. But a
cyber resilience-centered approach should aim to
start with identifying the risks.
Executive leadership
Allocate budget, define
& track programs
Enterprise
Risk Management
Continuously assess risk,
change management
IT Security
Strategy & Management
Implement & monitor security
policies, controls & compliance
IT Security
Track assets: Threats,
Operations
vulnerabilities, incidents
33
What are the top cyber risks that
organizations face?
The primary research findings of the survey on The top two findings selected by our respondents
cyber risks point to the human dimension of risk were email phishing and employee negligence
management. This is often neglected as a control (see Figure 16 for other risks), both of which can
domain, because energies are focused on getting be addressed through a resilient cyberculture
the technology layer to cover for human errors. within the organization.
Insider threat (64%) Ransomware attacks (55%) Cloud hosting risks (54%)
Malicious employee Digital lockdown Loss of control
IT/OT integration risks (38%) Denial of service attacks (37%) Attacks through IoT/connected
Air gaps are no longer viable DDoS attacks, a 30-minute devices (29%)
defense mechanisms digital shutdown you must avoid Look out for botnet attacks in 2019
34
Security governance
Are accountable for the overall Define & establish information Allocate budget for various
information security of the security policies security projects
organization
The traditional CISO–CIO reporting model has future, where conflicts of interest might arise
proven to be very effective for better alignment due to market pressure to deliver content and
with broader IT teams under the CIO. However, functionality with limited resources to address
this model could present challenges in the inherent security risks.
35
Ownership of data privacy
In 2018, the roll out of GDPR by the European of governance for data privacy in an organization
Union coupled with high profile breaches brought in Europe and the US respectively. In European
the importance of data protection into the organizations, there was a notable increase in
spotlight. Consumers are now putting pressure on the number of CPO/DPO roles in 2018. This can
governments and organizations to put checks in be attributed to the GDPR mandate requiring
place for safeguarding their data. organizations handling personal data on a large scale
to have a DPO. The story is different in the US where
Rise of the role of CPO/DPO in Europe 44% of the organizations have said that data privacy
is the charter of the CISO.
So, who bears the onus of data privacy in an
organization? Figures 19 and 20 show the ownership
27%
Chief Information
44% Security Officer
Global insight
Defender stratagem
Worldwide, 72% of respondents
said that either a CISO or DPO/ Organizations are crystallizing
CPO is accountable for data ownership and accountability in their fleets!
privacy in their enterprise.
36
Security budget
As cybersecurity is gaining visibility, organizations increased over the past few years. Figure 21 looks at
are stocking up on security skills, processes and the percentage of IT budget allocated for security by
technologies to defend themselves against the organizations. 15% of organizations have a security
multitude of threat actors. This protection does not budget that is over 10% of their IT budget. This
come free or cheap. Thus, security budgets have figure is bound to increase in the coming years.
30%
25%
20%
15%
10%
5%
0%
0-2% 2-4% 4-6% 6-8% 8-10% Greater than 10%
2018 2017
Vertical insight
71% of health organizations will plan for broad business and process automation to
lower costs and release budgets.
37
Plan for broad business & process
66.67%
automation to lower costs and release budget
Figure 22: Top three steps organizations are likely to take when the security budget is capped
Security metrics
For organizations that have their security governance in place, security budgets fixed and allocated,
security products and services on the go, the next step is measurement. How do you track your efforts/
investments? What are the numbers that need to be reported to the management that will indicate the
effectiveness and efficiency of the various security investments?
Management metrics
Energy,
natural Global
Metrics BFSI Health Consumer Manufacturing Communications
resources average
& utilities
Time-to-detect and
71% 67% 71% 40% 71% 67% 65%
remediate incidents
Regulatory
65% 52% 71% 87% 57% 60% 65%
compliance
Security spending
40% 43% 41% 33% 64% 27% 41%
as % of IT budget
38
Operational metrics
Energy,
natural Global
Metrics BFSI Health Consumer Manufacturing Communications
resources average
& utilities
Mean-time to
43% 33% 38% 40% 54% 54% 44%
incident discovery
Mean-time to
64% 52% 50% 60% 38% 54% 53%
incident recovery
Mean-time
to mitigate 60% 48% 75% 67% 69% 54% 62%
vulnerabilities
% of changes with
30% 19% 44% 20% 23% 46% 30%
security exceptions
Technical metrics
Energy,
natural Global
Metrics BFSI Health Consumer Manufacturing Communications
resources average
& utilities
Patch management
76% 86% 63% 75% 60% 60% 70%
coverage
Vulnerability
80% 67% 69% 88% 47% 73% 71%
scanning coverage
Anti-malware
64% 62% 69% 69% 33% 47% 57%
compliance
Configuration
management 42% 29% 31% 50% 60% 33% 41%
coverage
% of systems with
known 58% 43% 50% 56% 20% 47% 46%
vulnerabilities
39
in the banking and financial sector track patch
management and vulnerability scanning coverage,
mean-time to incident recovery, mean-time to detect
vulnerabilities and regulatory compliance, and
time-to-detect and remediate incidents
Over 60% of
organizations
40
Security practices
This section has been built up by analyzing the initiatives brought digital data assets into the
survey responses from CISO teams of over 200 spectrum and regulations like GDPR came into
organizations globally about the evolution of play to ensure that companies set up adequate
their security practices. The findings highlight the data security measures.
changing security landscape in various practices
over the past 3 calendar years. The chosen Have you locked the keys to your kingdom?
practice areas include: data security, application
With the global focus on data security, this
security, API security, network security, endpoint
section provides a glimpse into the top security
security, security monitoring & analytics, cloud &
controls used by organizations. The survey
IoT security.
respondents ranked data security controls in
order of importance. Figure 23 highlights the
Data security interesting results obtained. 35% of organizations
believe that Privileged Access Management (PAM)
Corporate data has continued to leave the four is the most effective data security control (a rise
walls of the data center and diffuse into cloud from 28% in 2017). This can be attributed to the
service provider environments, SaaS applications value privilege accounts have and the damage
and mobile devices. Also, digital transformation that would be inflicted if these accounts were
compromised. From an industry point of view,
Global insight 40% of health and manufacturing industries
have picked Data Leak Prevention as their top
35% of respondents felt that
Privileged Access Management data security control. The “data” they hold—
(PAM) was the most effective pharmaceutical IPs, patient records, industrial
data security control. IPs—forms their core and compromising the data
can result in severe business impact.
35%
30%
25%
20%
15%
10%
5%
0%
nt n
ro SB
ta
t s
s ti ing
ai for s
da t I
n/
PI of
)
n ma NP
oi tio
ba )
en es
em nt ht
io
cu ug oud
rs
ta ion
da
si ta
s)
se
ts tio
y B CA
nm od on
at
se uc tor
I/N n
ke
e/ e rig
em cc
dp en
on
tio for II/
as da
PI ptio
Se hro cl
fic
en uc
ro pr ti
rit h
ag d A
ba od ni
uc In f P
en ev
fic em n
vi n- ca
ss s t of
cl d
of g io
ta pr o
k/ pr
l
up ry
& e
od lic o
en no tifi
da al m
an e
ce nt ng
t
y at
M ileg
ck nc
an a
pr b ion
or k
ity
m form
er m
Ac me tori
QA in en
w a
ba E
et le
in Pu pt
ov uto
iv
rit tiv
ta -id
a
ud on ni
ta on cry
Pr
(n ta
In
rc c
lo ir o
sc A
da De
fo ta a
Da
(C nv M
i
da (N n E
Da
di
of
e
2018 2017
Vertical insight
40% of health and manufacturing industries have chosen Data Leak Prevention as the
most effective control. However, 35% of organizations globally have chosen PAM as the
most effective control.
41
Application security
Application security assessment is an integral applications. 25% of respondents said that they
part of the software development process. But are carrying out the security assessments in
often organizations mistakenly consider this as an every build cycle. This is an encouraging trend
after-release activity. DevOps is making security considering the fact that only 21% of respondents
testing more efficient by integrating automated selected this choice in 2017 and only 20% of
security assessments during the application respondents selected this choice in 2016
development phase. (see Figure 24).
Security assessments during the development 24% of respondents said that they are doing
life cycle help organizations identify and minimize assessments on a yearly basis, which is 2.5%
security weaknesses in products, before their higher than last year. Organizations should
launch into the market. preferably carry out security assessments on
every build cycle to mitigate risks associated with
How often are applications assessed for the applications. Digital transformation is using
security issues? DevOps to reduce the cycle time and increase the
velocity of builds. Therefore, organizations need
In the research, respondents were asked about to adapt their security practices with the ongoing
the frequency with which their organizations carry digitization drive.
out security assessments for business-critical
30%
25%
20%
15%
10%
5%
0%
On audit/ Only when For every Monthly Quarterly Half-yearly Annually Never
compliance the application application
request is launched build/release
cycle
Figure 24: Frequency of security assessment of business-critical applications, 2018 vs. 2017 vs. 2016
Vertical insight
Global insight
Security assessments for every
25% of respondents said that application in build/release
they are carrying out security cycle took the top spot for BFSI,
assessments in every build cycle. communications and health
verticals.
42
API security
Application Programming Interface (API) is code • Mobile applications are now used by
that is integral to applications and provides users organizations in all sectors, exposing sensitive
a programmable gateway to access data and data that can be accessed through APIs
functionality—with clearly defined rules. While
API security may not be in the limelight, it cannot • Digital footprint of individuals is growing
be ignored as a practice area, as it can increase exponentially; organizations now have an
the attack surface of applications. immense amount of big data to store, process
and analyze. This data in the wrong hands could
be unimaginably disastrous
Why is API security on the radar now?
• Most APIs are accessed over the Internet, which
• With the rise of mobile applications and
makes them a target for potential sniffing,
connected devices, Representational State
spoofing and man-in-the-middle attacks
Transfer (REST) APIs have grown exponentially
over the past few years
Security considerations
Authentication Robust authentication mechanisms such as API keys, OAuth, JWT, etc.
Authorization The “Least Privilege” concept while keeping the default permission as “deny”
Data in transit Data should be encrypted all the way through to protect it from eavesdropping
Writing secure Follow security best practices like input validations, URL and content type
code validations, etc.
To prevent DDoS attacks, APIs should have fair usage criteria and restrictions
Fair usage
after certain limits, such as time and bandwidth
Auditing and
Systematic logging is required to proactively detect potential attacks
logging
Global insight
By not securing the APIs, enterprises may inadvertently open a window to all their data.
Hence, organizations need to invest time and money to implement API security.
43
Security considerations take a back seat,
since rapid software development models,
tight timelines and increased delivery pressure
place the developer’s focus on building API
Non-technical
functionality to deliver performant applications
challenges in
implementing
Developers lack training, skills, knowledge
security in APIs and understanding of the security aspects
required to secure APIs
44
Network DDoS protection
DDoS attacks are on the rise and last year was up to 50,000X and saturate the target server
no different. The year that went by witnessed the causing an outage.
biggest DDoS attacks of all time with peak traffic
reaching 1.3 terabytes per second. The attack was Are DDoS defenses getting better?
on a “code-hosting site,” where attackers leveraged
DDoS mitigation is extremely important to
the misconfigured memcached systems. Unlike a
reduce the intensity of an attack. If appropriate
conventional DDoS attack, there were no botnets
anti-DDoS tools are in place, then the organization
involved in the memcached DDoS.
can curb the intensity of an attack. With attackers
adopting new and advanced attacking methods,
Memcached is a database caching system that
organizations also need to equip themselves with
is used to clear the memory and speed up web
better defenses.
applications. It communicates through the User
Datagram Protocol (UDP) which doesn’t need
In the research, we asked respondents about the
any authentication. In a memcached DDoS
peak duration of DDoS attacks. Interestingly, there
attack, the attacker targets the vulnerable
is a significant decrease in the attack duration. In
memcached server and floods it with spoofed
2018, 13% of attacks lasted less than 30 minutes;
requests. Leveraging the amplification capacity of
in 2017 it was 24%. (see Figure 25).
memcached servers, attackers intensify the effect
70%
60%
50%
40%
30%
20%
10%
0%
Less than 30 mins to 1 hour to 6 hours to More than No DDoS
30 mins 1 hour 6 hours 1 day a day attack
experienced
Figure 25: Peak DDoS attack duration, 2018 vs. 2017 vs. 2016
45
Endpoint security
Nowadays, cyberattackers have advanced tools vector while 31% of respondents ranked malware
and tactics to launch attacks. Endpoints provide hidden in websites as the second most important
a direct entry for attackers, as they are operated vector. Compromises via USBs are also among the
by the weakest link—humans. Stronger security top vectors that affect endpoint security.
management and patch management techniques
are needed to address endpoint vulnerabilities. The top vectors that compromise endpoints have
been consistent over the past few years. Findings
The siege of endpoints from 2018 and 2017 show phishing emails as the
top-most vector that compromised endpoints,
In the survey, respondents were asked about the
followed by malware hidden in websites.
vectors that led to compromise of endpoints. 61%
ranked phishing attacks as the most important
4
Rank
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Global insight
46
Security monitoring and analytics
The modern threat landscape is evolving at an SOAR is soaring higher
alarming rate. The section on “State of attacks,
78% of respondents believe Security
breaches and law” highlighted that cyberweapons
Orchestration, Automation and Response (SOAR)
were becoming more sophisticated to bypass
tools are key to improving the efficiency of threat
layers of defenses. Organizations need to
remediation. This will reduce the dependency on
continue to strengthen their detective controls
the limited Security Operations Center (SOC) staff
in addition to their investments in traditional
and help them tackle relevant alerts.
preventive controls.
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
Implement Integrate threat Improve Develop hunting Increase SOC AI- & ML-based
automation and intelligence triage process team for unknown staff detection
orchestration tools threats
Figure 27: Opportunities to improve threat intelligence capabilities, 2018 vs. 2017 vs. 2016
47
Cloud security
As enterprises re-engineer their business The poly-cloud approach entails defining and
processes and systems to address the needs of implementing a uniform security strategy with
a digital era, their IT organizations are faced with a set of native security controls across multiple
the 5R dilemma to Refactor, Replace, Re-Platform, CSP platforms. Due to differing maturity levels
Retain or Retire their applications. The approach of security services offered by leading CSP
to the 5Rs has taken a turn from a cloud-averse players, enterprises grapple with implementing
approach a few years ago to a cloud-first a uniform security policy across the different
approach today. The “cloud-first” strategy that cloud environments. However, gone are the days
many trendsetting organizations are following when cloud migration was considered a risk. In
today is underpinned by a well laid-out fact, when we asked the organizations on the
sub-strategy over two dimensions: type of data that they are migrating to cloud, 69%
called out Employee Information, 45% mentioned
a. Poly-cloud approach to avoid lockdown Intellectual Property, 41% said Business Finance
with a CSP Records and 40% mentioned customer PII. 70% of
US firms have indicated that Secure Hybrid Cloud
b. Hybrid cloud enablement for business
Architecture are the way to go for the future. The
continuity and seamless transformation
cloud is here to stay and hence security teams
have to find the best way to protect it.
Employee information
69.42%
(HR, salary, etc.)
Customer PCI
19.01%
(Payment Card Information)
Defender stratagem
48
What are the security risks on the cloud?
The survey respondents rated the following: Open weaknesses in cloud apps at 31% followed by cloud
Web Application Security Project (OWASP) Top 10 account hijacking/privilege escalation at 28%.
OWASP Top 10 vulnerabilities in custom web to minimize the use of root accounts, and enable
applications have been a recurring challenge their use via multi-factor authentication only.
for most organizations. As seen from the graph
above, cloud account hijacking has emerged Related to the account compromise use case
as a threat across customer CSP environments is another trend where hackers are creating
and the same poses serious risks to customers unauthorized API access keys on compromised
actively engaged in a cloud-first strategy. cloud accounts. These API keys can then be
Research by our partner Palo Alto Networks utilized to remotely administer the environment,
reinforces these findings and the following perform reconnaissance and ultimately siphon
section dives more deeply into modes of account off personally identifiable information or sensitive
hijacking and best practices that can be applied data. The same research by Palo Alto Networks
by customers to minimize the risk. indicates that 41% of access keys in enterprise
cloud environments have not been changed for more
Cloud root account compromise: An than 90 days. Another example of a backdoor access
increasing challenge to administrative root access was a compromise
that happened using a Google Kubernetes® server
The advent of infrastructure as code in cloud that was not password-protected. The compromise
environments propelled the fast migration and indirectly enabled access to many API access keys
deployment of workloads into the cloud. This with admin privileges.
resulted in a steep increase in risky configurations
being multiplied across cloud environments. The key recommendations for securing public
Cloud security teams were thus rightly focused on cloud environments can be summarized as follows:
detecting risky configurations and minimizing their
threats. However, today the focus of external threat • Prevent use of root accounts for general
actors has shifted to the compromise of enterprise administrative activities
root accounts associated with Google, AWS or Azure. • Enable MFA for all privileged public cloud accounts
A research report by the Palo Alto Networks global
threat intelligence team on 5 key cloud security • Policy-based forced rotation of API access keys
trends indicates that 29% of organizations have
• Monitor Privileged User Behavior using AI-based
detected potential account compromises. The same
profiling
research also showed that 27% of organizations
allow administrative activities using root accounts. • Enforce network security policies for their
Such attacks could be limited if organizations were container services
Partner Content Credits: The above piece was contributed by Wipro’s partner Palo Alto Networks
(https://www.paloaltonetworks.com/)
49
IoT security
The advent of Industry 4.0 and the Industrial connected IoT devices and the security
Internet of Things (IIoT) revolution are causing risks they pose. However, a worrying trend is
a quantum shift in organizational attitudes to evident in the singular control approach to IoT
cybersecurity across all sectors. An exponential security whereas a blended controls approach
increase in the number of connected devices covering the development life cycle through
within organizations is being anticipated across all to deployment and end-of-life management
sectors. Currently, over 70% of survey respondents is necessary. Given the current absence of IoT
identified an asset base of less than 5% connected device manufacturers accepting liability for
IoT devices, yet the same respondent population security, organizations need to consider an
expects that this will rise to 10% in around 60% of overall strategy to address IoT security risks
organizations within two years. around infrastructure (networks), applications
(access control), authentication (device and
Significant concerns remain as to who is data) and physical threats.
responsible for IoT security, with device
manufacturers often neglecting to ensure Many organizations are struggling to adapt
security by design and leaving the onus of cyber their enterprise IT cyber defenses to address
defense to the consuming organization. IoT security requirements. The inability to
do this is compounded by a skills gap that
Blended controls approach for IoT cannot be easily resolved without a change in
strategic approach.
Our research shows that all sectors are
cognizant of the increasing prevalence of
Others 17.99%
PKI/certificate based
12.23%
authentication & encryption
50
Human dimension
The security practices that have been covered in the investments to train their end-users. Figure 31
previous sections need to come together to build up shows the steps taken by organizations to
the technical defenses of an organization. However, educate end-users. 87% of respondents have
these defenses can come crashing down like a pack said e-Learning or computer-based training is
of cards if the human element is ignored. their approach of choice to educate employees
(in 2017, 78% of respondents felt the same). More
For a business to be cyber resilient, cybersecurity organizations are partaking in controlled/targeted
needs to be incorporated within the culture of the phishing attack simulation exercises this year
organization. Employees need to be empowered (67%) compared to last year (53%).
with knowledge in order to prevent unintentional
insider threats and avoid negligence. 72% of The data collected revealed that banking and
organizations surveyed feel employee negligence/ financial organizations follow a trend that
lack of awareness is a top cyber risk the is different from other industries. The most
organization faces. significant step followed by 80% of organizations
in this industry is to have security policies and
How are you addressing the weakest link? formal disciplinary processes in place. This is
no surprise, since this is one of the most heavily
Recognizing the lack of awareness, many regulated industries and a breach could involve a
organizations are now making sizeable direct financial consequence.
e-Learning or
87.30%
computer-based training
Figure 31: Approaches used to educate users against risky security behavior
Defender stratagem
It’s time to empower and bring the “common” back in common sense: The human dimension can no
longer be ignored.
51
State of
collaboration
Information sharing
Cyberattack simulations
Cyber insurance
52
If everyone is moving forward together, then success takes care of itself.
Henry Ford
While firms in the same industry compete well as collaborate with regulators/CERTs to
fiercely in the market, timely collaboration and partake of cyber exercises. It delves into cyber
sharing of cyber intelligence can help them insurance, an increasingly popular method of
better respond to upcoming cyber threats risk transfer, and examines its effectiveness and
collectively. This section showcases the level of adoption. Overall, the positive change
meso view which outlines how organizations in defenders’ strategies towards symbiotic
gather and review threat intelligence as collaboration is brought out.
A cybersecurity strategy would be incomplete levels. Countries are establishing active cyber
without laying down a strong foundation for diplomacy functions to foster partnerships
external collaboration. Collaboration furthers the with each other in the domain of cybersecurity.
shared goal of moving towards cyber resiliency Governments are elevating cyber diplomacy
and ensuring continuity of businesses. This to the centre stage, with specific efforts,
section takes a peek into five examples of resources and budgets. Governments are
collaboration at a government and non-profit encouraging Track II diplomatic efforts to
organization level. It then delves into an initiative pave the way for an informal mechanism to
undertaken by the Indian government. engage stakeholders, like industry bodies and
civil societies. Overall, countries are tackling
cybersecurity systematically and enacting
Avenues of collaboration special legislations for enablement of external
engagements and collaborations.
1. Cyber diplomacy
Government-to-Government collaboration
happens at bilateral, regional and multilateral
G2G
Track II/
Bilateral Regional Multilateral multi-stakeholders
• Global Commission on
• India–US Cyber • Shanghai • G7 Declaration the Stability of
Dialogue Cooperation Cyberspace
Organization [SCO] • G20 Leaders’
• CERT to CERT Communique • US–China Cybersecurity
Cooperation • Asian Ministerial Dialogue
Conference on CS
53
2. Coordinated response for incidents and intelligence against cyber threats that could
cybercrime impact the sector.
54
Best practices for government & industry
collaboration
Key best practices are highlighted below.
• Make a conducive
ecosystem to foster
collaboration
• Designate a single point
• Enact policies for
of contact to coordinate
collaboration
the aggregate level
• Set up a guiding Government activities
framework for Public
• In the planning
Private Partnership.
phase, provide due
Showcase high-level
consideration to the
sponsorship for PPP
influence of external
initiatives
drivers and actors
• Provide incentives For fostering on your security,
and define mandates collaboration compliance and risk
for players to show exposures
their commitment to
• Develop robust
collaborative efforts
processes to assimilate
• Protect private intelligence from
sector organizations industry peers
from the liabilities Industry
• Proactively contribute
emanated from sharing
to the aggregate-level
information
initiatives with your
• Set up a mechanism abilities and information
to review the progress
and outcome of PPP
initiatives
Partner Contribution: This article was contributed by Vinayak Godse, Vice President, Data Security
Council of India, , an industry body for data protection in India, set up by NASSCOM®.
55
Threat intelligence feeds
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
SIEM vendor Third-party threat Security analytics Internal sandboxing National CERT or
provides intelligence intelligence supplier team carries out and forensic analysis similar organization
manual reviews
(besides automated
SIEM correlation)
56
Information sharing
Organizations need real-time, internal and with their industry peers. 67% of organizations
external threat intelligence to anticipate are willing to share only the indicators of
and thwart new attacks. Governments and compromise—malicious IPs, URLs and
organizations are entering into symbiotic domains—while 33% of organizations are willing
alliances to help one another against intelligent to go one level further and share attacker tactics,
threat actors. Figure 33 highlights the type of techniques and procedures.
information organizations are willing to share
Attacker tactics,
33.00%
techniques and procedures
Barriers to sharing
It is clear from the above figure that not all attack information with their peer groups. 67% of
organizations are willing to pass on information organizations feel that sharing information can
about their attacks. Why does this resistance have a negative impact on their reputation while
exist? Figure 34 highlights the reasons for 43% of respondents feel that legally they cannot
organizations being reluctant to share threat/ disclose such critical information to outsiders.
70%
60%
50%
40%
30%
20%
10%
0%
ch r on
ks
ry
rs
st m ing
g tin s h
s
ge t
ip n ns
pe ion
in ra ce g
er fo m
g
t
an ma
al
te a r
rie
is
t v ing
efi
ar ne ur ou
tin
in g fo
du or ar
st ck ers
nt ds m
ic ou er
lli nd
e
iv
lr
ry at
ar
nc
sh ge eso t en
en
in inf sh
r i ar co
tr
et
an d
rt rr c
na
su Con
ge
ke
rb
ith at dy
fo nd of
al
io
r o
ar
N
ea
at
w re ea
Le
M
ut
cl
th lr
La
A
p
a
Re
pa
57
Cyberattack simulations
60%
50%
40%
30%
20%
10%
0%
BFSI Energy, natural Health TECH Consumer Manufacturing Communications
resources & utilities
Others
Defender stratagem
The question is not about IF, but WHEN. Organizations have only one shot to respond to a breach.
Practice is pertinent.
58
Cyber insurance
Enterprises are embracing cyber insurance, The research findings have shown a clear trend
complementing their risk mitigation strategy. in the last three years—65% of organizations
While security policies and controls need to be the have some cyber insurance policy in place
core part of any cyber risk mitigation approach, showing a relative rise from 55% last year. Around
insurance can help cover monetary expenses that 39% of organizations have a dedicated cyber
are incurred as a consequence of a breach. Cyber insurance policy in 2018. This is a significant rise
insurance coverage varies across insurers and considering only 27% and 26% of organizations
typically includes the following expenses with had a dedicated cyber insurance policy in 2017
their sub-limits: forensic investigations, legal and 2016 respectively.
expenses, fines, settlements, identity and credit
monitoring, PR costs and IT recovery costs.
60%
50%
40%
30%
20%
10%
0%
No cyber Dedicated cyber Cyber insurance Have multiple Insured through
insurance coverage insurance policy coverage through cyber insurance a captive insurance
other insurance policies policies subsidiary
Words of caution
Firstly, cyber insurance is a hedging tool that Secondly, organizations should read the fine
organizations can adopt to minimize the monetary print in insurance policies as they include various
expenses in the event of a breach. But it should restrictions on areas of coverage, jurisdiction,
not be considered a replacement for a cyber third-party vendors, etc.
protection program.
59
Future of
cybersecurity
Cybersecurity patents
Security pillars of 5G
60
The future depends on what you do today.
Mahatma Gandhi
This section examines a few select emerging Physically Unclonable Functions (PUF)-based
trends that will shape the field of cybersecurity authentication for IoT security. As the number
in the coming years. It looks at the in-depth of connected devices increase exponentially,
analysis of patents filed in the security space IoT security will play a crucial role not only in
around the globe. This is followed by the research the present but also in the future. In closing,
contributed by Indian Institute of Technology, this section also highlights the key security
Kharagpur, which provides an insight into challenges and opportunities in 5G networks.
Cybersecurity patents
One way to assess where technology is heading blockchain and IoT. The analysis was done on
in the cybersecurity space is to look at global patents filed from 2016 till the end of 2018 from
trends around patent filings. Patents highlight the 17 countries—Australia, Brazil, Canada, China,
areas corporations, governments and educational France, Germany, India, Japan, Mexico, Norway,
institutions are exploring through research. It Russia, Singapore, South Africa, Sweden,
gives a good indication of the technologies that Switzerland, UK and USA.
will dominate the cybersecurity space in the
coming future.
Security patents on the rise
1000
900
800 932
700 838
600
500
576
400
300
200
100
0
2018 2017 2016
61
China 1415
USA 492
India 72
Canada 67
Japan 63
Australia 59
Germany 38
UK 33
Singapore 22
Russia 14
Brazil 14
France 13
Switzerland 12
Mexico 8
Sweden 4
South Africa 3
Norway 1
Global insight
Figure 38 presents the cumulative number of
cybersecurity related patents filed over 3 years In terms of cumulative patent
across 17 countries. filings over the period of 2016–18,
China (~1,415 patents) and USA
(~492 patents) figure on top,
Race for patents followed by India (~72 patents)
and Canada (~67 patents).
It is clear that China has by far surpassed all other
countries. The 1,415 patents filed from China were
predominantly from eight major corporations also be attributable partly to procedural delays
and five universities. This healthy split between in publishing patent data by patent offices, as
corporations and universities indicates that mentioned earlier). The trend in the number of
academia is actively investing in the development patents filed shows the growing importance of
of unique solutions to address the increasing cyber research, although we cannot verify the
focus on security. Out of the patents filed, only quality of these patents.
5% of Chinese patents were filed in US and
other jurisdictions. This indicates that Chinese The US comes second with 492 patents filed over
patents are largely indigenous and there is low the past few years. Most of the patents were
validity of protection of these patents outside related to user authentication, anomaly detection
of Chinese jurisdiction (the low percentage may using machine learning and behavioral analytics.
62
Cross-section of practice areas in protection of data from unauthorized access and
cybersecurity and key technology includes data encryption, tokenization, and key
management practices that protect data across
implementations
all applications and platforms.
For the study, we analyzed the patents across
two dimensions—practice area and emerging From a technology implementation point of
technologies—and the research brought out some view, cognitive computing/AI has emerged as
interesting results. Figure 39 shows the number the top-researched area followed by blockchain
of patents filed by technology and practice area. and analytics.
Data & content security and cloud security are
leading with a higher number of patent filings
Global insight
followed by endpoint security. Innovations in
data and content security are largely enabled by “Data & content security” and
cognitive computing/AI-related technologies (728 “Cloud security” are leading,
patents), followed by blockchain (686 patents) and followed by “Endpoint security.”
analytics (194 patents). Data security includes
800
700
Number of security patents
600
500
400
300
200
100
0
Data & Network Security
Application Endpoint Cloud API IoT Threat
content DDoS monitoring &
security security security security security intelligence
security protection analytics
Analytics 194 15 0 13 12 37 1 5 2
Blockchain 686 4 3 23 5 43 5 10 1
Cognitive
728 81 13 181 58 186 15 24 10
computing/AI
Global insight
Cognitive computing/AI technology dominates the rest of the technologies with more
number of patent filings in sub-areas “Data & content security,” “Cloud security,” and
“Endpoint security.”
Conclusions
gaining momentum and is expected to become
It has been observed that some of the practice mainstream within the next five years.
areas, such as data & content security and
cloud security, have a larger number of patents. From a practice area standpoint, data and content
While traditional analytics is not registering a security continues to be the most significant
positive innovation impact, proliferative growth innovation and growth driver, while we see a stable
of cognitive computing/AI in cybersecurity is pace of innovation and implementation in cloud
expected to have a strong impact on how products security. Even niche upcoming areas such as API and
and solutions innovate in this space, and drive IoT security are expected to become mainstream in
transformation in existing solutions. The use the next two-to-five-year time frame.
of blockchain in cybersecurity is also rapidly
63
Seed investment trends in cybersecurity start-ups
What are the recent cybersecurity areas that research, Wipro analyzed the start-up funding
have caught the eye of investors? data received from Tracxn. To arrive at the top
security areas that are getting the most seed
Seed investment trends in cybersecurity investment, Wipro classified the start-ups by
start-ups give an indication of the emerging the security areas they cater to. The research
security domain areas. These areas indicate deep-dived into the top 50 start-ups (by total
potential white spaces that enterprises seed funding) founded over the past 3 years, to
need to watch out for. For the purpose of this arrive at the below results.
Threat detection 24
Payment fraud 15
Container security 13
Serverless security 8
0 5 10 15 20 25 30
Cumulative seed investment ($ million)
Figure 40: Top 10 security domain areas by total seed funding (2016–2019) [Funding data source: https://tracxn.com/]
Areas of Interest
64
PUF-based authentication for IoT security: An alternative approach
The series of DDoS attacks in recent times on problems of password dependency and not being
DNS providers have made enterprises realize able to bind the access requests to devices that
how vulnerable they are. Some of these attacks they originate from. Additionally, the protocols need
were carried out through Mirai botnets hosted to be lightweight and heterogeneous for them to
over millions of vulnerable IoT devices like digital work seamlessly.
cameras, smart TVs, printers and baby monitors.
One such attack was so enormous that up to An alternative way to overcome these problems
100,000 IoT devices were compromised to inflict a is through certificate-less authentication and
DDoS attack with a strength of 1.2 TBPS. key exchange schemes using lightweight PUF,
which addresses the needs of low-powered IoT
With the advent of IoT devices, the enterprise devices. The PUF-based system acts as a hardware
perimeter is expanding rapidly. Most IoT fingerprint generator for the circuit of which it is
devices come with very limited in-built security a part. This facilitates in giving a distinct identity
capabilities. These devices are more difficult to to every device in the IoT framework. PUF-based
patch and are proving to be the Achilles’ heel of authentication protocols rely on the
the enterprise endpoint ecosystem. “challenge-response authentication” mechanism
rather than the conventional password or
IoT devices are extremely difficult to secure on certificate-based authorization. The response
par with other enterprise systems based on a generated on-the-fly by the challenge applied to
standard policy baseline because they come with a PUF instance can be used to authenticate the
limited computational and battery power. CPU IoT device and to generate session keys for secure
limitations and lack of power prohibits OEMs from message encryption, thus effectively minimizing
implementing classical encryption techniques that the complexity of managing and storing the keys
are computationally intensive. Additionally, the for IoT devices.
management overhead of classical security adds to
the overall cost of IoT infrastructure. The ones that PUF is basically a function that maps the input
offer security support traditional authentication n-bit challenge to the output m-bit response.
protocols where a user presents a set of credentials
with supplementary proof such as password or PUFd : {0,1}n -> {0,1}m
digital certificate-based authentication. However,
IoT devices need more advanced methods as PUFd : C-> R
these conventional techniques face the persistent
n-bit m-bit
Circuit sensitive to
Challenge Response
process variation
(C) (R)
The ordered pairs (ci, rj) are defined by the circuit provides a different response to the
hardware variation of the device. As the challenge provided. The validation is done
PUF circuits are designed to be sensitive to by comparing the received response to the
manufacturing process variation, each PUF reference response.
65
3 Security challenge
Security
Prover/Sensor 2
credentials
Credential
Identity Verifier
Step 2: The Verifier picks a CRP from the CRP database in the public
domain
Step 5: The Verifier now validates the response from the Prover with
the one from the database and if there is a match, access is
granted or else denied
66
A variety of PUF-based lightweight security With the potential of securing the IoT
protocols have been under development and infrastructure through lower computation,
have, lately, started gaining maturity. Many of minimal management and lesser cost, PUF
these protocols can work with traditional systems has applicability in situations where mass
that do not have a PUF circuit. An appropriately deployment and management of the IoT devices
designed PUF-based security protocol enjoys are a requirement. Some of the scenarios are:
many advantages including:
1. Home-video surveillance systems, where
1. Unique and abundant built-in keys a substantial proportion of cameras are
operational with no security. With a suitable
2. Unclonable fingerprint of the device
software protocol, PUF-based mechanisms
3. No storage required to save secret key can enable authentication and other security
4. Lightweight hardware requirements on camera devices with negligible
user configuration/management.
5. No requirement of key management
infrastructure 2. Industrial IoT, where a large number of IoT
devices and sensors are deployed within a
6. Hardware–software binding factory or plant. Existing schemes of securing
IoT involves password and setting up keys
The major challenge that the PUF technology which results in management overhead. A
faces is that of reliability. The PUF can deviate PUF-based protocol can offer an authentication
from its ideal response based on the operating system which isn’t password dependent, which
conditions (input power, temperature and could be a much safer and cost-effective option
electromagnetic emanations) and the age of the for the IoT infrastructure.
hardware. Additionally, the PUFs are susceptible
to side-channel attacks which occur through 3. Modern-day hospitals, where there is
the components built around input/output increasing usage of health sensors. There is
signal interface. The PUFs are also vulnerable to a challenge to assign a group of sensors to a
modelling attacks. If an attacker gets hold of a set particular aggregator that identifies a patient.
of Challenge Response Pairs, when the CRP data Currently, this process is manual or
is exposed as per design/implementation defect/ semi-automated with password/key-based
lack of physical security, they can develop a model security setup between sensors and aggregator.
which can predict the response being generated PUF-based protocol has the potential to
to the challenge being presented to the device provide password/key/certificate-less security
with a very high probability. with centralized control.
Despite the limitations, the PUF-based security Wipro is jointly engaged with the Indian Institute
approach has the potential to address the of Technology, Kharagpur, for research on
security issues between IoT device nodes and PUF-based authentication and key exchange
the gateways which is absent as of now. Once protocols for IoT. The project aims to develop
the challenges of reliability, interoperability one of the first prototypes on PUF-based
with classical security and thorough testing authentication and key exchange with promising
on attack surface are reasonably addressed features of proven high security levels, combined
in the near future, it will be a matter of time with minimal footprint on power and time.
before the protocol is widely adopted by the
industry. Continuous efforts from the research
community are being made to enhance This section/article has been contributed
reliability to industry standards, preventing by Professor Debdeep Mukhopadhyay,
side-channel and machine learning attacks, Department of Computer Science and
and designing a protocol that can seamlessly Engineering, Indian Institute of Technology,
interoperate with classical security. Kharagpur. For more information on the
research, refer to: https://ieeexplore.ieee.org/
document/8353301
67
Security pillars of 5G
Benefits of 5G technology
Improve Quality of
Service (QoS)
Today, several standard organizations and Public Private Partnership), 5GMF (5th Generation
forums are working on defining the architecture Mobile Communications Promotion Forum),
and standardizing various aspects of 5G 5GForum, and IEEE to name a few.
technologies. These include NGMN (Next
Generation Mobile Network), ITU (International While the openness and new capabilities in
Telecommunications Union), GSMA (GSM 5G architecture bring new possibilities, they
Association), 3GPP (3rd Generation Partnership also open up a new threat landscape and the
Project), WWRF (Wireless World Research opportunities to deal with them differently.
Forum), 5G Americas, 5GPPP (5th Generation
68
Security components of 5G
Following are the top five components of 5G is also a need to speed up security processing
architecture, from a security standpoint. There to support ultra-low latency use cases without
are many other aspects of security, such as open compromising security. There is a tradeoff
source security, network slice security and cloud between speed of processing, associated cost
RAN security that require critical scrutiny. There and level of security assurance.
Edge Security
Real-time detection and mitigation of
any attack is very important to increase
the reliability and resiliency of a network.
Hence, it is very important to detect
an attack at the edge of the network
rather than at the core of the network.
Thus, edge detection can help arrest the
attack quickly and will also increase the
SDN Controller Security performance by preserving the bandwidth
SDN controller enables dynamic security at the core of the network.
control based on the intelligence gathered
through northbound APIs which then can
be used to control routers and switches
through southbound APIs. This adds
resilience to the network and mitigates the
attacks quickly. Some of the attacks include Proactive Security Analytics
Denial of Service, REST API parameter
exploitation through northbound API, While it is effective to detect attacks quickly
northbound API flood attack, Man-in-the and be able to mitigate in a timely manner,
middle attack spoofing and protocol fuzzing stopping the attacks altogether by taking
through southbound API. proactive measures is desired. This can be
achieved by applying machine learning (ML)
and artificial intelligence (AI) techniques,
such as looking at the pattern of the traffic,
behavior of threat actors, and analysis of
past attacks. Such an approach will help to
identify the manifestation of zero-day-type
attacks earlier in the cycle.
Hypervisor and Container Security
With the advent of virtualization,
hypervisors and containers are becoming
more prevalent. While these technologies
allow multiple tenants and Virtual
Network Functions (VNFs) to reside on
the same physical hardware, these also Orchestration Security
expose various security issues, such as
data exfiltration, resource starvation, The orchestrator has the role of orchestrating
side-channel attacks, and VM-based VNFs, NFV infrastructure and network
attacks through east-west and services based on the current state of the
north-south traffic. Some of the mitigation network. For example, in case of overload
techniques that can be applied include or security attacks, the orchestrator will be
Hypervisor Introspection scheme and notified of the condition of the network and
Hypervisor Hardening Mechanisms that it communicates with the SDN controller
can protect hypervisor’s code and data that in turn controls the firewalls and routers
from unauthorized modification and can to stop the attacks. An attacker can use
guard against bugs and misconfigurations legitimate access to the orchestrator and
in the hardened hypervisors. manipulate its configuration in order to run a
modified VNF or alter the behavior of the VNF
through changing its configuration through
the orchestrator. Access control, file system
protection, system integrity protection and
hardening of separation policy through
proper configuration management are some
of the mitigation mechanisms.
69
Key takeaways
Emerging services are evolving rapidly and the network needs to be designed to
be adaptable, resilient, and flexible to support new applications.
Operators, vendors, academia, standards, research labs, use case labs and
regulators need to work together to form a security ecosystem for future networks.
This article has been contributed by Dr. Ashutosh Dutta, Co-Chair IEEE Future Networks Initiative
(www.futurenetworks.ieee.org). He is currently employed at Johns Hopkins University Applied
Physics Lab. Email: ashutosh.dutta@ieee.org
70
Methodology & demographics
The “State of Cybersecurity Report 2019” from operational analysts and architects in Wipro’s
Wipro was developed over a period of three customer base. The research was conducted
months. The methodology that was followed for through direct interviews and Online surveys.
developing the report was four-fold: The CDC research was conducted on aggregated
data from Wipro’s CDCs across North America,
1. Primary research (external) Europe, India, Middle-East and the APAC region.
2. CDC research (primary research through our
The secondary research was carried out by a
Cyber Defense Centers)
core team of Cybersecurity & Risk Services (CRS)
3. Secondary research Center of Excellence (CoE) analysts who brought
4. Wipro technology, academia and industry in various strategic perspectives from academic,
partners institutional and industry research to supplement
the primary and CDC research, and help connect
The primary research (external) was driven trends in the cybersecurity domain.
through surveys of security leadership,
29%
29%
11%
21%
10%
71
Organizations surveyed by vertical
Manufacturing 11%
Consumer 11%
Communications 9%
Technology 6%
Government 2%
72
211 Organizations surveyed
27 Countries covered
73
Contributing partners
www.checkpoint.com www.paloaltonetworks.com
www.dsci.in www.futurenetworks.ieee.org
www.iitkgp.ac.in www.deviceauthority.com
www.fortinet.com www.denimgroup.com
www.intsights.com www.cycognito.com
www.rapid7.com www.tracxn.com
74
Credits & key contributors
The “State of Cybersecurity Report 2019” would not have been possible had it not been for 200+ of
Wipro’s esteemed customers, who extended their support, time and shared practical insights.
Editorial team:
Josey V George Kartik Upadhyay
Editor & Distinguished Member of Technical Staff, Sub-editor & Security Consultant, CRS, Wipro
Wipro | 2016 Chevening Fellow for Cybersecurity
Institutional contributors:
Dr. Ashutosh Dutta Professor Debdeep Mukhopadhyay
Co-Chair IEEE Future Networks, currently Department of Computer Science and
employed at Johns Hopkins University Applied Engineering, Indian Institute of Technology,
Physics Lab Kharagpur
Vinayak Godse
Vice President, Data Security Council of India
75
Wipro’s Cybersecurity & Risk Services
Wipro’s Cybersecurity & Risk Services (CRS) enables global enterprises to enhance their business
resilience through an integrated risk management approach. Wipro enables customers to define
their cybersecurity strategy, envisaging best-recommended practices across people, process and
technology. Leveraging a large pool of experienced security professionals located across our global
Cyber Defense Centers (CDC), we provide consulting & advisory, system integration and managed
services to help customers transform their security posture. Wipro, through its venture arm (Wipro
Ventures) has co-invested in multiple cybersecurity start-ups to complement our services with
advanced research in emerging technologies. Our close interlock with security technology partners,
regulatory bodies and premium academic institutions makes us a leading partner of choice for
customers to manage their cyber risks.
Contact
CRS Marketing
crs.marketing1@wipro.com
Disclaimer:
This document is an informatory report on cybersecurity and cyber risk and should not be misconstrued
as professional consultancy. No warranty or representation, expressed or implied, is made by Wipro on
the content and information shared in this report. In no event shall Wipro or any of its employees, officers,
directors, consultants or agents become liable to users of this report for the use of the data contained
herein, or for any loss or damage, consequential or otherwise. Some of the content and data have been
contributed by partner companies or collected from third party sources with professional care and
diligence, and have been reported herein; nonetheless, Wipro doesn’t warrant or represent the accuracy
and fitness for purpose of the content and data.
76
References
• https://www.forbes.com/sites/oracle/2019/01/17/chief-information-security-officer-priorities-for-2019/#5fa926046937
• https://www.securityroundtable.org/whats-the-best-reporting-structure-for-the-ciso/
• https://www.privacyrights.org/data-breaches
• https://www.breachlevelindex.com/
• http://cve.mitre.org
• http://www.cvedetails.com
• https://www.cvedetails.com/index.php
• https://www.us-cert.gov/ncas/alerts/TA18-074A
• http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
• http://www.alrc.gov.au/publications/For%20Your%20Information%3A%20Australian%20Privacy%20Law%20and%20
Practice%20(ALRC%20Report%20108)%20/51-data-br’
• https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/
• https://www.cnil.fr/en/home
• https://www.cnil.fr/en/rights-and-obligations
• https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-
documents-act-pipeda/
• http://www.cert-in.org.in/
• https://economictimes.indiatimes.com/wealth/insure/what-to-consider-while-buying-cyber-insurance-plans/
articleshow/66445845.cms
• https://www.pandasecurity.com/mediacenter/security/memcached-ddos-attack/
• https://home.kpmg/xx/en/home/insights/2018/05/global-perspectives-on-cyber-security-in-banking-fs.html
• https://www.dlapiperdataprotection.com/
• www.ngmn.org
• www.futurenetworks.ieee.org
• www.3gpp.org
77
Wipro Limited
Doddakannelli, Sarjapur Road,
Bangalore-560 035,
India