CISO - a vi­tal cog in the wheel

Banking Frontiers - - Highlights - Manoj@bank­ingfron­

Vivek Gupta, DGM & CISO at Al­la­habad Bank, speaks on key se­cu­rity chal­lenges fac­ing banks to­day

Vivek Gupta, DGM & CISO at Al­la­habad Bank, speaks on key se­cu­rity chal­lenges fac­ing banks to­day

Manoj Agrawal: Many mo­bile wal­lets have been de­signed in a hurry with in­ad­e­quate at­ten­tion to se­cu­rity? What per­cent­age of the wal­lets out there do you think are ad­e­quately se­cure?

Vivek Gupta: Most of the mo­bile wal­lets were hur­riedly de­vel­oped to cap­ture the mar­ket and fo­cus on cus­tomer con­ve­nience, rather than ap­pli­ca­tion se­cu­rity. In many cases, even proper test­ing was not car­ried out by tak­ing pos­si­ble use cases.

It was also ob­served that the same soft­ware de­vel­oper was pro­vid­ing soft­ware to many banks/wal­let ser­vice providers and they all car­ried sim­i­lar se­cu­rity weak­ness and pro­gram­ming flaws. At the time of first launch of var­i­ous mo­bile wal­lets, I es­ti­mate that about 70% had a se­cu­rity com­pro­mise.

Later on, with strin­gent man­dated se­cu­rity au­dits, the sit­u­a­tion has to­tally changed. In the next one year, I es­ti­mate that about 80-90% mo­bile wal­lets would be run­ning with­out in­trin­sic op­er­a­tional se­cu­rity risks. Risks per­tain­ing to loss of mo­bile, so­cial en­gi­neer­ing, vish­ing, rogue apps, etc, still con­tinue. The suc­cess of the sys­tem de­pends on se­cu­rity of user’s mo­bile de­vice, care­ful, hy­gienic use and se­cu­rity en­sured while stor­ing sen­si­tive data at re­spec­tive ag­gre­ga­tion points of wal­let ser­vice providers.

What do you think are the most com­mon vul­ner­a­bil­i­ties in mo­bile wal­lets?

A ro­bust and all-round test­ing was re­quired, be­fore ac­tual launch. How­ever, this gap was ad­dressed by the large num­ber of cu­ri­ous users - some of them de­frauded too! As dig­i­tal wal­lets are de­signed for quicker us­age and lim­ited risk, it is nec­es­sary to use de­vice fin­ger print­ing, com­pul­sory OTP, first debit and then credit ap­proach, proper han­dling of suc­cess and er­ror codes across all par­tic­i­pants, pro­tec­tion in case of mo­bile theft, good cus­tomer com­plaint han­dling mech­a­nism, re­port­ing of er­rors or prob­lems di­rectly to banks’ con­cerned teams and use of on­line fraud risk man­age­ment so­lu­tions.

To facil­ti­ate easy load­ing of money, the wal­let ser­vice providers are stor­ing debit/ credit card num­bers at their end and only CVV is re­quired. There­fore, main­tain­ing re­quired level of con­fi­den­tial­ity and en­cryp­tion at their end is a chal­lenge.

Sim­i­larly, if the mo­bile is ‘rooted’ or ‘jail bro­ken’, the pass­words stored in th­ese de­vices should be def­i­nitely taken as com­pro­mised.

Sec­ond fac­tor au­then­ti­ca­tion is not re­quired in some of the mo­bile wal­lets. Most of the mo­bile wal­lets in In­dia are not us­ing hard­ware level se­cu­rity i.e. ver­i­fi­ca­tion of de­vice ID, phone man­u­fac­turer sig­na­ture, An­droid ver­sion in the phone, root kit of the op­er­at­ing sys­tem, lo­ca­tion and time. Mo­bile wal­lets are not check­ing pres­ence of virus/mal­ware in the mo­bile phone and is­su­ing alert to users. OS of the mo­bile is not prop­erly seg­re­gated from the user data.

Wal­lets should not store any user sen­si­tive data at their end spe­cially for credit/debit card de­tails and the same should be ac­cessed from a third-party pay­ment gate­ways kind of setup with ap­pro­pri­ate se­cu­rity, mo­bile wal­lets ser­vice providers are still grow­ing at a fast pace.

Mo­bile wal­lets have not been ad­e­quately hard­ened and are prone to cy­ber at­tacks and pos­si­bil­ity of im­per­son­ation by fake users, as no ver­i­fi­ca­tion is re­quired ex­cept for mo­bile num­ber con­fir­ma­tion. For third party trans­ac­tions, cus­tomer in­for­ma­tion may be shared in plain text. Wal­let data­base on mo­biles can eas­ily be ex­ploited.

Com­pli­ance of KYC at some early stage, even for low value us­age of wal­let should be made com­pul­sory. It can be in­cen­tivized also, as the us­age of mo­bile wal­lets is seen fre­quently in­cen­tivized.

What are the ar­eas of se­cu­rity man­age­ment where you in­sist on CISSP cer­ti­fi­ca­tion? What is the avail­abil­ity of peo­ple with this cer­ti­fi­ca­tion?

Net­work se­cu­rity is presently the key area for need and am­ple ben­e­fits of CISSP cer­ti­fi­ca­tion. There are very few in­ter­nal CISSP cer­ti­fy­ing of­fi­cials and we com­pen­sate the same with pres­ence of qual­i­fied and ex­pert out­sourced sup­port en­gi­neers and also in ex­ter­nal se­cu­rity au­dits, as a pre­con­di­tion ba­sis. How­ever, the bank prefers more CISSP cer­ti­fied in­ter­nal of­fi­cials and has also a suit­able re­im­burse­ment cum in­cen­tive pro­gram for as­pi­rants.

What are the key ac­tiv­i­ties for a CISO when a new CXO en­ters the or­ga­ni­za­tion?

When a new CXO level per­son en­ters in the or­ga­ni­za­tion, he/she needs to in­te­grate and to be en­abled on all re­quired priv­i­leges of ac­cess for data/re­ports. The com­mu­ni­ca­tion within and out­side the world with con­cerned of­fi­cials through of­fi­cial chan­nel, like e-mail, tele­phone, mo­bile and re­mote lo­gin to au­tho­rized sys­tems is also very im­por­tant.

The new CXO is a re­spon­si­ble, au­tho­rized and priv­i­leged user in the or­ga­ni­za­tion. There­fore, the CISO is re­quired to en­sure that the new CXO is pro­vided with the all the ac­cess, rights, user ids, soft­ware/hard­ware to­kens, de­vices, data, li­censed pro­grams etc, with ap­pro­pri­ate level of se­cu­rity and en­sur­ing the re­quired level of con­fi­den­tial­ity, in­tegrity, avail­abil­ity, pri­vacy and non­re­pu­di­a­bilty. This should be doc­u­mented and signed off.

The CXO should also be pro­vided with de­tails of best IS prac­tices in the or­ga­ni­za­tion, a copy of rel­e­vant poli­cies & pro­ce­dures, do’s & don’ts in IT se­cu­rity do­main as a user or priv­i­leged user. The CISO should help the

new CXO to en­sure that all the pass­words are changed, as per the pol­icy and the CXO is com­fort­able with op­er­a­tions at his/her level per­tain­ing to us­age.

The CISO should also ex­plain suit­ably to the new CXO about the sta­tus of se­cu­rity, run­ning se­cu­rity projects, fu­ture plans, etc so that the new CXO can ex­tend re­quired help in im­ple­ment­ing in­for­ma­tion se­cu­rity and re­lated projects in the or­ga­ni­za­tion.

What are the key ac­tiv­i­ties for a CISO when a CXO level per­son ex­its the or­ga­ni­za­tion?

Main­tain­ing smooth con­ti­nu­ity of var­i­ous IT projects, op­er­a­tions, busi­ness, co­or­di­na­tion within the or­ga­ni­za­tion, with ser­vice providers and ven­dors are very prime re­quire­ments, when a CXO level per­son moves out of the or­ga­ni­za­tion. At the same time, priv­i­leges avail­able to a CXO level of­fi­cial should be re­moved in grace­ful and timely man­ner. All types of ac­cesses, data stor­age, de­vices used by the CXO, data, pass­words, emails, hard­ware/soft­ware to­kens used, de­tails of con­tacts of ven­dors, gov­ern­ment/ reg­u­la­tory au­thor­i­ties, etc, should be taken care of.

It is al­ways good to cover th­ese as­pects in the IS pol­icy it­self, so that no con­fu­sion, omis­sion or mis­un­der­stand­ing. How­ever, what­ever pre­cau­tions and care­ful hand­ing over/tak­ing over is done, the out­go­ing CXO of­fi­cial is a rich source of knowl­edge of in­ter­nal in­for­ma­tion, pro­cesses, prac­tices and weak­ness, and even af­ter en­sur­ing all pos­si­ble se­cu­rity pre­cau­tions, the priv­i­leged ex­ec­u­tive would re­main with resid­ual in­for­ma­tion in some form. There­fore, HR pol­icy and agree­ment should have been there so that the of­fi­cial re­mains obliged with the re­spon­si­bil­ity of pro­tect­ing the same for or­ga­ni­za­tion’s in­ter­est.

A well writ­ten no­ti­fi­ca­tion to all the users (in­ter­nal, as well con­cerned ex­ter­nal users) should be sent by HR/ next CXO and the same needs to be ob­served and noted by CISO, to en­sure of rul­ing out any mis­com­mu­ni­ca­tion.

A proper record of th­ese ac­tiv­i­ties should be main­tained ap­pro­pri­ately for any fu­ture ref­er­ence. If CISO, feels that out­go­ing CXO had helped in im­prov­ing in­for­ma­tion se­cu­rity in the or­ga­ni­za­tion, a for­mal or in­for­mal com­mu­ni­ca­tion should also be made.

What ad­di­tional mea­sures do CISOs need to take to avert ran­somware at­tacks?

To avert ran­somware at­tack, the fol­low­ing steps are best suited:

• It is prefer­able to have anti-ran­somware soft­ware or anti-mal­ware soft­ware with anti-ran­somware op­tion avail­able. A backup copy of orig­i­nal files should be pre­served be­fore they are en­crypted or deleted for some pe­riod.

• Dis­able use of e-mails on servers to en­sure no mal­ware or virus reach as email at­tach­ment is al­lowed to work on servers or re­mote ma­chines han­dling servers.

• USB ports on all servers and crit­i­cal re­mote sys­tems should be blocked for me­dia us­age through do­main pol­icy and also through BIOS set­tings.

• Im­ple­ment ap­pli­ca­tion white list­ing so­lu­tion, so that un­rec­og­nized soft­ware or unau­tho­rized changes in such soft­ware will not have any ef­fect.

• In­ter­net ac­cess should be very lim­ited, re­stricted and closely mon­i­tored and should be purely rule based. It is bet­ter to have an air­gap be­tween in­ter­net en­abled and in­tranet run­ning sys­tem.

• So­lu­tions like NAC (Net­work Ac­cess Con­trol) have also key fea­tures to main­tain a min­i­mum level of se­cu­rity, whereas NBA (Net­work Be­hav­ior Anom­aly and De­tec­tion) im­ple­men­ta­tion al­lows the af­fected sys­tems to be iso­lated and dis­con­nected with the main net­work, at very early stage.

• Email gate­way se­cu­rity so­lu­tion tremen­dously helps in fil­ter­ing out du­bi­ous mails and mails with in­fected attachments.

• It is also very im­por­tant to keep def­i­ni­tion files and scan­ning en­gines to up­dated, as soon as they re­leased on­line for any type of se­cu­rity soft­ware.

• Mon­i­tor­ing/ block­ing of ports 445, 137,138 and 139 is es­sen­tial to pre­vent SMB vul­ner­a­bil­ity.

• Keep­ing the op­er­at­ing sys­tem up­dated with lat­est patches, at least those crit­i­cal in na­ture and use of ap­pli­ca­tion up­dates across the en­ter­prise at the ear­li­est. Up­dat­ing de­vice driv­ers, browser pro­grams, util­ity ap­pli­ca­tions, etc, should be done with only le­git­i­mate (dig­i­tally signed up­dates from OEM and orig­i­nal sites of re­spec­tive soft­ware com­pany) ver­sions. Else, the up­date it­self may in­vite more prob­lems than so­lu­tions!

• Reg­u­lar in­ter­nal VA (Vul­ner­a­bil­ity As­sess­ment) and EPT (Ex­ter­nal Pen­e­tra­tion Test­ing) of con­cerned sys­tems are very use­ful through a re­li­able se­cu­rity au­dit. Risk based com­pli­ance to find­ing is bond­ing ne­ces­sity to de­rive ben­e­fits from this reg­u­lar ex­er­cise.

• Role of reg­u­lar backup of all crit­i­cal sys­tems/ data is very im­por­tant to re­store to a safe state, in case the ran­somware at­tack is suc­cess­ful.

• There is a need for cre­at­ing aware­ness among users, in­ci­dent re­port­ing, in­ci­dent han­dling, mit­i­ga­tion plans, keep­ing up­dated and read­ily avail­able in­di­ca­tors of com­pro­mise and keep­ing a watch on ac­tiv­i­ties which is likely to be af­fected by such at­tacks. Mar­i­nat­ing good li­ais­ing with peer group CISOs and gov­ern­ment agen­cies is an­other key to suc­cess.

• Ben­e­fits of anti-APT (Ad­vance Per­sis­tent Threats) and ex­am­i­na­tion and ver­i­fi­ca­tion of threats in SSL (Se­cured Socket Layer) traf­fic, es­pe­cially dur­ing DDOS (Dis­trib­uted De­nial of Ser­vice) at­tacks are also very use­ful for en­ter­prises to fight against ran­somware.

What was the mes­sage that you con­veyed to the em­ploy­ees of the bank when the news of Wan­naCry spread like wide fire?

All the users were put to cau­tion through scrolling mes­sages, e-mails, SMSES, closed user groups to up­date sys­tems ur­gently with rel­e­vant OS patch, up­dat­ing anti-virus def­i­ni­tion file, not to open attachments in e-mails of any doubt, not to be in pen­sive mood, to iso­late the sys­tem, if found af­fected and re­port us im­me­di­ately. We were also hav­ing li­ais­ing at the top level and gath­er­ing lat­est up­dates. We also en­sured that em­ploy­ees do not get un­nec­es­sar­ily wor­ried, but were rea­son­ably cau­tioned and alert.

Vivek Gupta

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.