
From the desk of CISO

Written by


CISO, Pakistan International Airlines

CISSP and Computer Engineering graduate, an insightful IT professional with experience covering various fields of IT including high-end servers and storage, virtualization, business continuity planning, information security policy writing, Security Operations Center (SOC) management, VAPT, regulatory adherence and the implementation of information security technical and administrative controls in support of business objectives. Currently leading the information security department of PIA to design and implement an enterprise-wide information security program.

  1. As you are aware, cyber threats are everywhere in the world and no person or organization is safe. What do you think?

Answer :
Yes, the escalation of cyber security breaches has alarmed every organization everywhere. Human negligence is the biggest threat to information security. Bad hats are using social engineering tactics to gain control of enterprise infrastructure. The human factor needs serious attention. Thoughtless migrations to the cloud also have serious implications, because cloud-based assets are compromised more often than on-premises assets. Large parts of our daily lives are shaped by computers, smartphones, the internet and a number of unnoticed ICT-dependent services we take for granted, such as electricity, healthcare, etc. Cyber dependency has become so widespread that it has resulted in the emergence of new cyber threats, so it is time to look deeper into recent security incidents, which can help information security leaders in both public and private organizations allocate information security budgets to prevent, detect, and respond to attacks.

  2. Who can be involved in a cyber-attack, if we would like to know our enemies, and why is it necessary to protect against cyber threats?

Answer :
Cyber attacks hit businesses every day and they come in many varieties. Interestingly, there are two types of companies: those who have been compromised and those who don’t yet know they have been compromised. The motives for cyber attacks are many and attacks are now more sophisticated than ever. Individuals are victims too, as they save their personal information on their gadgets and use insecure public networks. In fact, companies are still not immune to evolving cyber attacks. Phishing, ransomware and cyber scams are some of the common yet highly serious cyber-attacks that are designed with the aim of accessing and exploiting the user’s sensitive data. Moreover, cyber-attacks could also cause electrical blackouts and paralyze computer systems. The introduction of IoT technology, i.e. the Internet of Things, has not only simplified and sped up our tasks but has also created a whole new set of vulnerabilities for bad actors to exploit. No matter how advanced the security measures we take, cyber criminals will always stay one step ahead in attempting cyber crimes. If these internet-connected devices are not managed properly, they can provide a doorway into the business for cyber criminals. Information security professionals need to work to improve their knowledge of the modus operandi of attackers and of threat intelligence.

  3. What cyber security measures have you introduced and implemented in your company?

Answer :
Well, the only thing that is crucial for an organization is a strong cyber security system along with best cyber defense practices to reduce the cyber threat posture of the organization. Recently, we have established Information Security Policies and procedures, and implemented NGFWs, a multifactor authentication solution and micro-segmentation. These measures will work with other information security tools like EPP, WAF, EDR, SIEM, VAPT etc. On the fast track we are working on a key area, i.e. cyber-security awareness, which is an essential measure to bridge the cyber security skills gap and to create a cyber-resilient working culture in the organization, because mere equipment and technical controls will not stop cyber criminals from accessing your computer systems. Most importantly, as a game changer, PIA is establishing its SOC (Security Operations Centre), which will help to improve the information security posture of the company by monitoring, detecting and responding to cyber threats. The SOC will work 24/7/365 and be equipped with threat intelligence. This year, PIA will be striving for the ISO 27001 Information Security Management System (ISMS) standard.

  4. How would we tackle non-state actors? Black hat hackers, say.

Answer :
The dark part of tackling non-state actors is that international cyber laws are less effective and do little to prevent non-state cyber-attacks. This legal ambiguity makes it an attractive domain for non-state actors in cyber conflict. Sadly, nations are currently pursuing cyber warfare capabilities and employing such non-state actors as hacktivists and patriot hackers. Tools used by these non-state actors include website defacement, internet resource redirection, denial-of-service attacks, information theft, website parodies and various forms of cyber-sabotage. Again, I would say that organizations must efficiently shield all their cyber resources by putting in place both technical and administrative controls.

  5. How do black hat hackers damage the system?

Answer :
Black-hat hackers are the malevolent type of hackers; they are people who exploit computer systems and networks for their own benefit. Black-hat hackers are commonly viewed as the most destructive actors in the hacker sphere, acting without respect for the law. They may also release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers, and other personal information. The security measures to survive are:

  1. Fine-tuned firewalls.
  2. Well-organized incident response.
  3. Security awareness sessions.
  4. Strong threat intelligence.
  5. Formation of RED and BLACK teams.
  6. Well-defined Information Security Policies.
  7. Rightfully placing administrative and technical controls.

  6. Do you have all the information needed to oversee cyber risk?

Answer :
Overseeing cyber risk is challenging and needs active engagement from management. First, we need to incorporate cyber risk into strategic decisions, as cyber risk management is no longer just about preventing breaches but also about mitigating financial and reputational damage when a breach occurs. Stockholders also demand that companies do everything in their power to prevent breaches.

We should at least know and do the following to oversee cyber risk:
• Know the organization’s key cyber risks.
• Know the threat actors and their motives.
• Know the threat actors’ targets and the business impact.
• Understand the regulatory requirements.
• Quantify the risk.
• Prioritize the risk.
• Align capital allocation to the identified risk.
• Draft a risk appetite statement.
• Integrate cyber risks into the organization’s risk management program.
• Monitor cyber-resilience.

  7. How effective is your cyber-security strategy at addressing business risks? When addressing business risks, a cyber-security strategy is critical.

Answer: Steps to assess and mitigate cyber security risks
Step 1: Target internal threats.
Step 2: Prioritize risk.
Step 3: Establish effective communication channels.
Step 4: Enable continuous monitoring.
Step 5: Stick to an established cybersecurity framework.
Step 6: Develop an incident response plan.
Step 7: Ensure business continuity.
Step 8: Consider cybersecurity liability insurance.
Step 9: Nurture a culture of cybersecurity.
Step 10: Re-evaluate cyber risk regularly.

Having a more reliable cyber-security strategy in place can also improve a business’s reputation. Potential partners and customers will appreciate the emphasis on security, leading to higher loyalty and, thus, revenue.

  8. How do we protect sensitive information handled and stored by third party vendors?

Answer :
The growing number of third-party data breaches and the sensitive information they expose have negatively impacted consumer trust. Third-party breaches occur when sensitive data is stolen from a third-party vendor or when their systems are used to access and steal sensitive information stored on your systems. These third parties aren’t typically under your organization’s control and it’s unlikely that they provide complete transparency into their information security controls. Some vendors can have robust security standards and good risk management practices, while others may not.

Therefore, we must at least do the following:

  1. Assess vendors before onboarding.
  2. Incorporate risk management into your contracts.
  3. Keep an inventory of your in-use vendors.
  4. Continuously monitor vendors for security risks.
  5. Collaborate with your vendors.
  6. Talk about third-party risk.
  7. Cut ties with bad vendors.
  8. Measure fourth-party risk.
  9. Follow the principle of least privilege.

  9. Do you have the right data governance strategy to minimize cyber risk?

Answer :
Data governance identifies important data across an organization and improves its value to the business. The most common areas covered by data governance are:
• Data quality
• Data availability
• Data usability
• Data integrity
• Data security

Addressing all these points requires a good combination of people skills, internal processes, and appropriate technology. In our organization, we are creating a data governance framework, which requires funding and management support. Another important thing in data governance is user engagement, so that those who consume the data understand and will cooperate with the governance rules.

  10. Are your employees fully equipped with cyber technology and do they have all the required certifications?

Answer:
IT personnel training and certifications are vital to running information security programs successfully. From time to time we arrange trainings for our employees. We also have allowance payment programs for employees who obtain industry-standard certifications.

  11. Why do we need to worry about information security?

Answer :
In an increasingly interconnected environment, information is exposed to a growing number and wider variety of risks. Threats such as malicious code, computer hacking and denial-of-service attacks have become more common, ambitious, and sophisticated, making implementing, maintaining, and updating information security in an organization more of a challenge. Implementing information security in an organization can protect the technology and information assets it uses by preventing, detecting, and responding to threats—both internal and external.

  12. What do you think is the biggest cyber-security threat right now, especially from the perspective of Pakistan, and what measures do you suggest to tackle the threat?

Answer :
Negligence from top management regarding information security is the biggest cyber-security threat right now. Second is the employees’ low level of awareness and seriousness towards cyber-security. Fortunately, Pakistan’s National Security Policy and Information Technology Policy have addressed cyber-security significantly, which strengthens the cyber-security posture.

  13. People receive messages and emails that may come from malicious hackers. How can they be safe?

Answer:
As a first line of defense, malicious emails carrying suspicious links should be stopped by fine-tuned technical controls. If a malicious email bypasses the technical controls, then employees’ cyber-security awareness training should be strong enough for them to recognize these types of emails and inform the relevant teams to stop the spread of malicious code.

  14. Do we need cyber-security insurance?

Answer :
Cyber-security insurance helps reduce financial risk while doing business online. Insurance coverage is important to protect businesses against the risk of cyber events. Cyber-security insurance is gaining popularity. Companies that purchase cyber-security insurance today are considered early adopters. Businesses that create, store and manage electronic data online, such as customer contacts, customer sales, PII and credit card numbers, do need and can benefit from cyber insurance.

  15. Are your information security and business priorities aligned?

Answer :
We are striving towards it, and industry regulations are helping us to achieve this alignment. Top management is now convinced and feels that information security priorities should be aligned with business priorities.

  16. How well informed do you think the people of Pakistan are about cyber threats and cyber security? If they are not well informed, what do you suggest?

Answer :
The situation is improving; the people of Pakistan have now started taking cyber threats seriously, as online business has grown immensely because of the Covid situation. A mass awareness campaign should be organized by the government to further improve the situation.

  17. Please give some suggestions for our readers on the safety standards they should adopt to avoid cyber mishaps.

Answer:
Habits to stay cyber-safe:
• Keep your software updated.
• Keep your personal and private information locked down.
• Keep passwords complex.
• Back up your data regularly and encrypt it.
• Think twice before clicking on links or opening attachments; if something is suspicious, report it.
• Keep yourself informed about major security breaches.
• Install up-to-date endpoint protection.
• Verify requests for private information.
• Know what to do when you become a victim.
• Be mindful of which website URLs you visit.
• Keep an eye on your bank statement.
