In the ever-evolving and increasingly connected world of Information Technology, organizations are constantly confronted with the realities of information security. Threats range from Advanced Persistent Threats (APTs) targeting enterprise assets and critical infrastructure to data breaches that can devastate vitally confidential information and corporate reputations. Organizations and financial institutions should maintain a security posture that meets the required compliance and policies without compromising confidentiality, integrity and availability.
Referring to recent research and findings from Rigo Technology, we have found that 9 financial institutions were breached in the year 2015 alone, doubling the number of incidents from the previous year, including the worldwide spread of the “Carbanak Malware”. This underlines the necessity of Cyber/Information Security Awareness for financial institutions.
Thus, with the intent of spreading Cyber/Information Security awareness, Rigo Technology organized a workshop on 17th, 18th and 19th of September 2015 for Financial Institutions/organizations. The workshop was specifically prepared for those who have operational, managerial and policy-making responsibilities in their institutes/organizations. It was designed to update participants on the state of the art in information security, both in theory and in live practical sessions that provided hands-on experience with the latest techniques and methods prevalent in information security.
The three-day workshop was hosted at Hotel Shangri-La, Lazimpat, Kathmandu, and the speakers were:
- Saroj Lamichhane, System Security Expert specializing in information security management, with more than 8 years of experience in the security domain. He holds various certifications such as CEH, MCSA and CISSP.
- Bijay Limbu Senihang, Leader of the security team at Rigo Technology, with more than 5 years of experience in the security field. He is a renowned trainer for Certified Ethical Hacking and Information Security. He holds various certifications such as CEH, CISSP and ISO 27000.
- Sachin Thakuri, Head of the Research and Development team at Rigo Technology, who has been working in the security field for more than 5 years. He has been acknowledged by Facebook, Google and Twitter for finding security issues and helping to maintain security in their organizations. He holds various certifications such as CEH and MTA.
The 1st day (17th September) of the “Cyber Security Awareness Workshop” started with an introduction to Information Security and the need for information security in financial institutions. Various techniques such as Advanced Persistent Threat (APT), Social Engineering and Denial of Service attacks were discussed with real-time examples, showing how attackers use these techniques to victimize their targets and obtain critical information. The session on “Cryptography” discussed the use of available encryption and decryption techniques, with a real-time demo of why and how much difference they can make in securing the critical information of any institution/organization even after falling victim to an attacker.
The management team of any institution/organization has a major role in the development, maintenance and enforcement of information security policy, standards, practices, procedures and guidelines, which was discussed in the session on Planning for Security. The session covered the ways/methods to achieve a standard Information Security status, including Incident Response and Disaster Recovery plans and Business Contingency plans. The roles and responsibilities of each security personnel were defined along with the policies and guidelines for implementing Information Security standards. The first day concluded with the importance of Information Security Maintenance and the need to follow the Information Maintenance Model Management and “Security Maintenance Model”.
The 2nd day (18th September) of the “Cyber Security Awareness Workshop” consisted of theoretical and practical sessions on hacking from an “Offensive” perspective. The practical session focused on real-time examples of how the systems, networks and web applications of an institution generally get hacked. The session began with an introduction to hacking and Penetration Testing. The whole process involved the creation of a virtual network in which participants were given a live opportunity to take part in all practical sessions. Various Windows-based operating systems and servers were exploited to show the different methods attackers use to penetrate a network and maintain a backdoor in it. In the other session, Penetration Testing: Web Application Hacking, real-time examples were shown of exploiting commonly found vulnerabilities in an online banking portal. Vulnerabilities such as Injection, Cross-site Scripting, Cross-site Request Forgery, Insecure Direct Object Reference, File Upload Bypass and Browser Autopwn were presented with a live demo. The 2nd day ended with a discussion of various types of malware such as viruses, worms, Trojan horses, ransomware and botnets, along with a discussion of the internationally spread ‘Carbanak Malware’ and the ‘Azazel’ ransomware that has been affecting servers and systems in Nepal.
The 3rd day (19th September) of the “Cyber Security Awareness Workshop” consisted of theoretical and practical sessions from a defensive perspective. The session discussed how financial institutions/organizations should respond to incidents that may occur, and the ways/methods to defend against and counter those incidents. Another session discussed the PCI-DSS standard, which provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents, along with the importance of PCI-DSS and why every financial institution dealing with payment card data must meet it. The session then moved on to internal threats and how an institution's/organization's policies for employees help to mitigate them. The Incident Response Management session explained the requirements for an Incident Response team and how such a team should function during an incident, which is vital for rapid Incident Response, Disaster Recovery and Business Continuity.
This three-day workshop delivered the basics of the Information Security workflow required for an institution/organization to operate, starting with ‘Planning for security’ along with the methods of implementing Information Security and maintaining it at the managerial level. The real-time hacking demos gave a better understanding of the techniques hackers use. Thus, as a defense, institutions/organizations must be ever-ready with Incident Response, Disaster Recovery and Business Continuity Plans, which is achieved through Incident Response Management.
According to the feedback received from participants from various financial institutions of Nepal, the workshop gave them a grounding in Cyber/Information Security, most importantly the way/method to handle an incident if one occurs and how policies and standards play a vital role in helping to mitigate cyber/information security threats. Participants were most interested in the practical sessions, to get hands-on experience with Hacking and Incident Response Management. Overall, the workshop proved to be beneficial for the managerial level, leaving them with a strong grasp of security.