Sanjee Balasuriya, founder of eCybersec
eCybersec Pvt Ltd is a newly formed Information Security Consultancy
Company in Sri Lanka. The Company is focusing on Application Security,
which is a very hot topic in society. The Daily News Business features
eCybersec Pvt Ltd's Managing Director and Chief Executive Officer,
Sanjee Balasuriya, for the Tea with CEO column.
Q: What do you gather about the current standard of
information security aspects in Sri Lanka?
A: Day by day we get a chance to adopt the latest technologies, and
most payments are done online. Most people use smart phones to do
various kinds of e-commerce transactions. Most of the recent attacks
were at the application layer, and it needs to be protected with proper
security to mitigate those attacks. We at eCybersec help clients to meet
a certain level of information security with our key offerings such as
Source Code Review, Mobile Application Security Assessments and Web
Application Penetration Testing.
Q: Where do you think the weaknesses mostly lie?
A: According to the latest information we have gathered, most companies
lack protection of their Application Layer when it comes to their Online
Services. Mainly the Financial industry needs to take extra precautions
to protect online banking applications with proper source code reviews
and application penetration testing. Companies need to have a complete
security review at least every 3-6 months to evaluate the security
posture of their IT Infrastructure. They need to think out of the box
and plan IT Audits for their critical systems with the latest industry
best practices so that the required mitigation actions are taken to
prevent such attacks.
Sanjee Balasuriya / Picture
School Attended: Royal College, Colombo 07.
Sanjee Balasuriya, Managing Director, Chief Executive Officer and
Founder of the eCybersec concept, is one of those exceptional human
beings who gives 200% to his profession while also knowing how to enjoy
the pleasures of life.
Sanjee has, since 1998, accumulated over 13 years of experience in the
field of Information Technology, mainly focusing his energies in the
area of Information Security.
He was immensely privileged to be one of the initial technical members
of one of the leading and largest Internet Service Providers, launched
back in 2001. Before moving on to greener pastures in Singapore in 2007,
he strengthened his career in the field of Information Security by
starting out with a leading bank in Sri Lanka in its IT security
division.
His professional obligations then took him to a significant Singapore
IT Security Consultancy firm for over two years, mainly handling IT
systems audits of Singapore Government Data Centres.
During his tenure at that organization he was actively involved in key
government projects launched in Singapore and initiated by the Infocomm
Development Authority of Singapore (IDA). Through this international
exposure he gained an immeasurable amount of experience working closely
with the Monetary Authority of Singapore on the regulatory compliance
requirements that all financial institutions across Singapore must
meet.
He specializes in conducting enterprise security risk assessments,
developing enterprise security architectures and strategies, and
defining business and system requirements for the design or procurement
of security capabilities. He also specializes in Network and System
Security, Application and Network Penetration Testing and IT Audits.
Sanjee was recently involved in Research and Development on Advanced
Persistent Threats and Malicious Code Analysis, working closely with
global Advanced Persistent Threat groups and forums to obtain the latest
updates with regard to APT threats.
He plays an active, hands-on role advising clients in compliance,
technology strategies, managing complex programmes, and building
effective security organizations.
This field is a passion for Sanjee, just as much as he adores his twin
sons, cricket and rugby; he cares so much for application security,
which brings great value to eCybersec, which is mainly focused on Mobile
Application Security and Web Application Security.
Q: What can eCybersec do to meet these threats and weaknesses?
A: We as an Information Security Consulting Company are willing to help
clients overcome application security attacks with our highly
customized yearly subscription security service plans. Those services
mainly cover Network, Operating System and Application Layer security
reviews, which comply with international and industry standards and
regulations. According to a recent study, 70% of malware threats to the
network come from mobile applications; therefore we in Sri Lanka are
proud to offer Mobile Application Security Assessments, for which we
partner with leading global vendor Veracode, who mainly perform Dynamic
and Static Analysis for the Apple Store and Google Play worldwide. Close
scrutiny of mobile application security in the enterprise is a must.
Q: Would the investment be overwhelming?
A: Yes, eCybersec, with the mission statement “information asset
protector”, certainly will deliver a profitable return on investment
when companies sign up for the Information Security Services we offer
to the corporate market. Companies have spent many millions of dollars
to build defenses around their IT assets during the past decade,
motivated by malware attacks, data security breaches and the resulting
regulatory compliance cattle prod. But the bad guys are still a few
steps ahead in terms of sophistication and speed, and some wonder if
their investments are all for nothing, according to newly released
reports. Security expenditure needs to include the additional derived
benefits that come with having the appropriate levels of controls.
Q: What are the threats of not being vigilant?
A: In security language, you had your firewalls that protect against
outside threats, a bunch of stuff going on inside, including policies
and procedures, but they were often kind of soft. And in the centre
somewhere, you had your cool data. Advanced Persistent Threats and
Zero-Day Attacks are the most vigilant cyber attacks that most global
companies face in the modern day. Since these are targeted attacks,
well planned over a number of years, it may be a difficult task for
organizations to protect their vital information assets. A classic
example was the recent Java Zero-Day Attack: whereas other attacks,
when they run, could crash your browser and give you a feeling that
something is wrong, this attack really works silently. So are we
prepared and aware of these latest threats? Having said that, if the
proper IT Security Review Processes and Procedures are in place, these
kinds of attacks can be minimized to a certain extent.
Q: In your experience, what examples can you give of corporates that
have crashed due to poor information security management?
A: In my experience, one of the most critical aspects is the lack of
security reviews after a new system goes live in the infrastructure.
Also, Separation of Duties (SoD) is a key factor when dealing with
critical systems. Segregation of duties contributes to an
organization's system of checks and balances. Last but not least, the
software development life cycle, or SDLC, encompasses all the steps
that an organization follows when it develops software tools or
applications. Organizations that incorporate security in the SDLC
benefit from products and applications that are secure by design.
Those that fail to involve information security in the life cycle pay
the price in the form of costly and disruptive events.