‘SMEs and MSMEs Must Carefully Examine and Remove All Vulnerable Issues in their Systems’
In today’s vulnerable world it is extremely important to understand and prepare systems that can ensure organization’s data security. But, digital security can only be achieved if we can learn from the recent security attacks and threats that have been in market. In this bid, we interacted with Mr. Sridhar Iyengar of ManageEngine. In an exclusive interview with Faiz Askari of SMEStreet and Mr. Sridhar Iyengar, Vice President of ManageEngine discussed recent security breaches, Ransomware malware attacks. Mr. Iyengar pointed out some key issues vulnerable loop holes in our computing infrastructure.
The edited excerpts of the interview:
Faiz Askari: What methodology has actually been adopted by the recent Ransomware attackers and how this entire activity actually influenced the networks?
Sridhar Iyengar: If you look at any malware, ransomware is a name that has been attributed now because of the implications of the malware, since the malware demands that the person who has been attacked has to deposit certain money for the files to be decrypted & get their data back. But malware has been around for ages and a typical model propaganda of people who create these viruses or malware, is to attack the vulnerabilities of a system. They try to affect the security breaches in the system that they can attack and get into the system to execute certain programs either by deleting or modifying files and compromising the security of the system. In this stage, what may lead to the attack are the vulnerabilities in the older infrastructure. Since the beginning of time, as different companies such as Microsoft, Apple or Linux have various versions of operating systems, it happens through software applications also. When we go through different cycles we detect that there are certain stuffs, that can be functional or security related. To fix this upcoming breach, you have to provide status for it.
If you look at it, the reason why this happened was certain businesses or companies had old systems that were not patched up to the latest release. In fact, XP is not an officially supported system anymore. Not everyone will be updated with the latest security software patch which is the loophole in the system. Speaking of great value of product and vulnerabilities not everybody will be 100% compliant with the latest system, latest security patch & all that. The fact is that these minor vulnerabilities are focused, and are exploited by hackers.
Faiz: And how big was the attack, we have received various news reports but according to you, what was the level of loss occurred due to these Ransomware attacks?
Sridhar: We haven’t pioneered any research, but based on what we are hearing, the effect of the attack has come and gone in various directions and has been affecting small businesses & SMEs than larger systems. The impact of the attack has not been on any mission critical system and one of the reasons is that people understand that if there is something mission critical, it has to be absolutely secure from an application side or operating system or from a systems standpoint. So there are some non-mission critical, not very important things which people tend to overlook, an important fact to be noted is that a part of the system is always at a risk since now everything is connected to the internet and hence everything is in a vulnerable position.
Faiz: So you have pointed out that SME’s in terms of their IT infrastructure are considered to be challenged with resource crunch. Do you see SME’s as the most vulnerable in such threats?
The reason that these attacks have happened might be, one is that at a company level there is not enough security awareness and security processes to ensure that you are completely and rightly secured. In some cases you don’t use the tools that that are required to make your systems and your IT completely secure and typical of the status when you know all these what has been saying, it could be either skilled process or it could be educating your staff to make sure that security is a high priority. Buying tools that can make your systems IT secure should be something which should be constantly in the making.
For example; when a company starts, these are the all that things that are typically on the top of the desk. For smaller companies there priority is how do I execute my core competency to my customers? In lot of places IT is an enabler, unless the small business it is an IT company, IT is in the background because it is the supporting process that makes the business run. So they might not be conscious about the thought or processes that are needed for the IT to be secure.
Our Progress is when, as businesses realize that they have a very heavy dependence on IT and if something happens there will be an issue which will make them realize and give critical attention to it and hire some kind of security experts either a consultant or an efficient security system. That could be the definition of security processes, creating awareness, immersing into it to make them clear. If you look you would see that smaller companies may be much more slow but then again I would say not all kinds of smaller companies, it could also be like slightly larger companies which are very secure for their core businesses, but they may have machines which are not covered in the business critical infrastructure applications and they have the old system which is still gathered around and are not part of the security process.
Faiz: While dealing with such threats, what level of focus is needed to understand employee mindset issue and human interface aspect?
Sridhar: Most definitely, Computer systems are very logical systems, the programs are made logically. So the biggest vulnerability in that sense to any organization is a human factor because people are very subjective, one person may be very highly aware of hardship and the other may not. For larger companies, you have a team in your network operation center which houses all your critical databases, your applications and as a part of your team. If you don’t have a well-defined process and don’t have people who are well trained, then there could beone person in your team who could change the password for the network device or security device and this could be a threat as there are certain malware systems that crack passwords very easily. So by virtue of that one person not having the consciousness to make your IT secure, it can put your organization in a vulnerable position.
So the human factor plays a very big role, which is why it comes down to the entire company including the workers and the top management to make security as their sub-priority. Employees should be trained to deploying certain simple processes demonstrated by experts and use specific tools which can help them comply withthis purpose. For example, ManageEngine offers certain tools that can ensure that your systems are packed with the latest security patches in such a way that you are complied with the latest lead as far as security is concerned or if you have certain machines which are not patched up with the latest security level it will indicate that. It will show you that these machines are not secure; these machines are not patched with the latest patches. Similarly, we have tools that can help you to manage your password, it can generate highly secured passwords, it can enable organizations not to have their employees generate password and it ensures that the passwords that are changed are strong passwords and cannot be easily found.
Faiz: Also please explain, how was WannaCry executed, what methodology used by the attackers?
Typically, whenever there is an attack there is usually a trail that leads to how it was done. We will not be able to find out, who did it but we will be certainly able to find out, how they did it. All this comes under the area, called SIEM – Security Information & Event Management. Basically, every company has to maintain a large audit rate or record of anyone logging into the system, anyone entering the network, record what are they doing and then they exit the network. So it’s like a crisis investigation, very much similar to detectives investigating, during a regular investigation process- you will come up with certain events under it, first identify the occurrence of the event then when this occurred and then let me put everything together in an order to find out how the entire thing unfolds. So a similar thing happens in security.
This can happen in any attack. It means that if you have things in place, you can actually run a check whether there was some kind of a security breach and the right tools will actually alert you saying that there is a breach and let you take preventive actions. But in this case what we have seen is that some of the area or some of the places where the attack happened is secure enough to invest in, so it again comes back to the criticality of the data, so if the data is compromised and you have not got it approved and you want to get the data back, sometimes there is no option, we just have to adhere to the attackers’ demand, if you need the data so badly.
Faiz: Coming to ManageEngine and what are your priorities for the next 6 months, can you give an insight on the company?
Sridhar: ManageEngine, is one of the operating divisions of a larger company called Zoho Corporation. Manage Engine provides enterprise IT management tools.One part of the tools is IT solutions, tools that can help you secure your IT, technical infrastructure in such a way that you can run your business very smooth. That’s one part of what we do. And if you look at Zoho Corporation as a company, another division of ours Zoho.com offers various business applications on the cloud. Today that serves 25,000 million users. If you look at our own data center, 25,000 million users are on our cloud applications and that puts a huge burden on ManageEngine in terms of ensuring that we are highly secure and we can assure security and integrity of full customers data. Other would be credibility that is critical for any cloud company today. Because for me to put anything on the cloud, I have to check the credibility .So here’s where the ManageEngine tools play a role by having a virtue of having our own security process, we have become very aware of what it requires to keep your system and IT secure. The focus can be on security as a domain and not just for providing tools for our products but also for requirements. So, here we invest in certain processes, invest in tools, and also a lot of our tools that are being used are coming from ManageEngine solutions which provides security solutions for other companies too. Identifying the areas of IT Security management is very crucial for a company.
For example, Password management pro is not only for the user but also to provide critical inputs for business application, business management, network and so on. The other one that I talked about earlier was vulnerability patches, software update that’s another area we offer our products. Third area talks about the audit rate and logs, we have products that can basically help you analyze your audit rates and provide alerts, so that if someone is logging into your system unauthorized then it will send you alerts so that it will help you take actions before the damage happens. The area of IT Security needs hyper authorization to make the right choice.
Faiz: What is the level of awareness, education regarding such security issues among SMEs. How ManageEngine is contributing in this direction?
Sridhar: What we do is based on our own experience, both from Zoho division and Manage Engine we publish leadership articles for security as well as on other topics, we organize webinars,Case studies on how our customers face a security problem these are some ways we create an awareness regarding a security problem. In addition to this, a lot of the security practices for us is very specific for us, so what we provide is a proper set of gates that generate good security practices, awareness and also provide free tools for IT security because a lot of them try out. So for example if you are running a Security program for SME’s , most of the time people won’t understand it until they use it, teaching them how to handle it and create an awareness is hence necessary.