Cyber risk is a business risk as well

Banking Frontiers - Highlights - Mohan@bankingfrontiers.com

Banks need to be extra-cautious about the possibilities of ransomware attacks. Atul Gupta, partner - IT Advisory and Cyber Security Lead, KPMG in India, analyzes the scenario and suggests preventive measures.

N. Mohan: One of the recent cyber threats is ransomware and its latest manifestation is WannaCry. Can you explain how ransomware can impact security systems in banks?

Atul Gupta: Ransomware is normally designed to attack computing resources, and the attacker demands a ransom (typically in the form of bitcoin) to provide access to the resources. The recent ransomware attacks were also designed to encrypt the data, and access to the data was provided only when the user paid the requisite amount to the attackers. Any such attack exposes organizations (including banks) to significant issues relating to lack of information, which may lead to an impact on overall business operations. These attacks also have an impact on the reputation of the banks, since in current times the majority of transactions are carried out electronically and all stakeholders expect banks to have robust security systems.

What are the measures banks should initiate to counter a ransomware attack? Do you think criminals behind such attacks can indeed access the critical data that banks hold? What are the measures banks should take to escape a ransom demand?

Ransomware has brought in a change in the form of cyberattacks, where the attacks are becoming broad-based rather than being focused on specific information sets, and the attacker believes that during such an attack there may be critical information which may also get impacted.

The measures which should be performed to protect against a ransomware attack include:

• Keep the anti-virus system updated at all times

• Ensure that security patches released are deployed across the organization

• Increase user awareness to not act/respond to unsolicited emails that demand immediate action

• Users should be trained on not clicking on links or downloading email attachments sent from unknown users or which seem suspicious

• Avoid usage of removable media (USB drives) on the corporate system

• Data is backed up on a regular basis

For that matter, how can banks educate their customers on this threat?

Banks can issue advisories to clients/customers focusing on the dos and don’ts that should be followed during usage of the IT environment.

Can there be more powerful attacks in the immediate future? How prepared are banks in India to handle the ramifications?

Cyberattacks have become a reality and the recent spate of ransomware attacks has demonstrated that the attackers are ahead of the curve and successful in launching global attacks. This exposes every organization to attacks and in this scenario, it is imperative for all organizations, including banks, to focus on cyber security preventive measures and an incident response mechanism.

In normal circumstances, managements focus significantly on the prevention and monitoring phases of cyber attacks. They do not adequately invest in managing incidents. There is a need to have a comprehensive cyber response process, which should include:

• Formal process to manage incidents with identified roles and responsibilities

• Have a pre-defined response mechanism based on the impact of the incident and the ability to identify the incident to minimize the impact of the incident

• Capabilities to perform post-breach investigation and address the root causes

The fraudsters are typically seeking payments in bitcoins in order to remain anonymous. Do you think this would lead to a situation where digital currencies like bitcoins would come under regulation?

Crypto currencies are becoming popular and there are exchanges established across countries where it is possible to buy and trade using crypto currencies. However, these are not regulated by the regulator, and there is a notification issued by the regulator on caution related to usage of virtual currencies and the associated risk exposure.

In the background of countries like India bringing in more and more online and mobile-based technologies, what are the other cyber security threats the banks in these countries face?

Cyber security threats are emerging from external and internal threat actors, which are constantly increasing with the adoption of technology and new digital products. It is extremely important for banks to have a robust cyber security framework and perform regular risk assessments to assess the risk posture.

The banks also need to ensure that cyber risk is not considered only as a technology risk, but is clearly established as a business risk, which is taken across to the senior management and board level.

Despite the security measures being adopted, awareness of users (internal and customers) plays an extremely important role in maintaining the secure environment. Banks should also focus on having a robust security awareness program and a well-defined process for raising incidents.

Do you think security experts can be one step ahead of cyber criminals in devising counter technology measures?

A proactive approach along with the ‘Security by design’ concept is the need of the hour to strengthen the security posture and address the threat from increased cyber attacks. The focus of traditional security measures has not been proactive (such as vulnerability assessments and identifying vulnerabilities which have already been published), and increasingly the banks are moving to a proactive approach in the form of ‘red team’ based assessments, which simulate very closely the exploitation that may be followed by cyber criminals to compromise the system. This approach, along with advanced security measures, shall assist banks to have reasonable assurance of having secured and controlled the environment.

Do you have suggestions in the light of RBI’s recent effort in setting up an interdisciplinary panel on cyber security? According to you, how bad or how good is the security preparedness of the institutions in India?

There are multiple studies performed on cyber attacks in India, and consistently the trend of attacks increasing has emerged. In such times, it is critical for the regulators, such as RBI, to have robust cyber security guidelines and measures which are mandated across the industry. RBI has come up with detailed requirements on cyber security, which is a key step in the direction of ensuring that there are minimum baselines to address cyber threats across the banks. Also, the panel brings a good combination of skills, which shall be able to provide adequate intelligence that is relevant to the threat environment.

What are some of the typical enterprise security threats Indian CISOs should watch out for?

The key threat continues to be persistent attacks (malware/ransomware) and social engineering based attacks (identity impersonation, phishing, email based attacks, etc). However, there is a need for organizations to also monitor the threat which emerges due to information about the organization available on the internet. Traditional security measures focus only on threats which are impacting the technology environment maintained by the organization. However, with the increased adoption of social media, mobile apps and other digital channels, it is becoming critical for organizations to monitor threats emerging on these channels (these could be in the form of fake identity, publishing insecure apps, sensitive information available on peer sharing sites, etc).

India is about to roll out one of its ambitious tax reformation measures. Much of the implementation of GST depends on online capabilities. This brings in the question of security. Do you think we have developed the required security infrastructure?

The new tax reforms have the digital channel as the backbone, and to ensure that security is maintained across the technology environment it is critical to trace the movement of data across the chain and have adequate measures deployed across the ecosystem.

Often such large initiatives focus a lot on the ‘crown jewels’ (centralized repository) but it is equally critical to adequately secure the last mile (data entry) and transmission channels as well.

What, according to you, are the major threat perceptions that this new system would have? What are the remedial measures?

The ecosystem being established, specifically at the end points (retailers or equivalents), will be enormous in size given the overall span of the country. This brings its own set of complexities which may be in the form of standardization of security measures, data handling, availability, etc. It will be critical to establish consistent and standardized security measures which can be enforced across the end points in the ecosystem.

Atul Gupta points to the proactive approach along with the security by design concept to strengthen the security posture in banks
