CISO - a vital cog in the wheel
Vivek Gupta, DGM & CISO at Allahabad Bank, speaks on key security challenges facing banks today
Vivek Gupta, DGM & CISO at Allahabad Bank, speaks on key security challenges facing banks today
Manoj Agrawal: Many mobile wallets have been designed in a hurry with inadequate attention to security? What percentage of the wallets out there do you think are adequately secure?
Vivek Gupta: Most of the mobile wallets were hurriedly developed to capture the market and focus on customer convenience, rather than application security. In many cases, even proper testing was not carried out by taking possible use cases.
It was also observed that the same software developer was providing software to many banks/wallet service providers and they all carried similar security weakness and programming flaws. At the time of first launch of various mobile wallets, I estimate that about 70% had a security compromise.
Later on, with stringent mandated security audits, the situation has totally changed. In the next one year, I estimate that about 80-90% mobile wallets would be running without intrinsic operational security risks. Risks pertaining to loss of mobile, social engineering, vishing, rogue apps, etc, still continue. The success of the system depends on security of user’s mobile device, careful, hygienic use and security ensured while storing sensitive data at respective aggregation points of wallet service providers.
What do you think are the most common vulnerabilities in mobile wallets?
A robust and all-round testing was required, before actual launch. However, this gap was addressed by the large number of curious users - some of them defrauded too! As digital wallets are designed for quicker usage and limited risk, it is necessary to use device finger printing, compulsory OTP, first debit and then credit approach, proper handling of success and error codes across all participants, protection in case of mobile theft, good customer complaint handling mechanism, reporting of errors or problems directly to banks’ concerned teams and use of online fraud risk management solutions.
To faciltiate easy loading of money, the wallet service providers are storing debit/ credit card numbers at their end and only CVV is required. Therefore, maintaining required level of confidentiality and encryption at their end is a challenge.
Similarly, if the mobile is ‘rooted’ or ‘jail broken’, the passwords stored in these devices should be definitely taken as compromised.
Second factor authentication is not required in some of the mobile wallets. Most of the mobile wallets in India are not using hardware level security i.e. verification of device ID, phone manufacturer signature, Android version in the phone, root kit of the operating system, location and time. Mobile wallets are not checking presence of virus/malware in the mobile phone and issuing alert to users. OS of the mobile is not properly segregated from the user data.
Wallets should not store any user sensitive data at their end specially for credit/debit card details and the same should be accessed from a third-party payment gateways kind of setup with appropriate security, mobile wallets service providers are still growing at a fast pace.
Mobile wallets have not been adequately hardened and are prone to cyber attacks and possibility of impersonation by fake users, as no verification is required except for mobile number confirmation. For third party transactions, customer information may be shared in plain text. Wallet database on mobiles can easily be exploited.
Compliance of KYC at some early stage, even for low value usage of wallet should be made compulsory. It can be incentivized also, as the usage of mobile wallets is seen frequently incentivized.
What are the areas of security management where you insist on CISSP certification? What is the availability of people with this certification?
Network security is presently the key area for need and ample benefits of CISSP certification. There are very few internal CISSP certifying officials and we compensate the same with presence of qualified and expert outsourced support engineers and also in external security audits, as a precondition basis. However, the bank prefers more CISSP certified internal officials and has also a suitable reimbursement cum incentive program for aspirants.
What are the key activities for a CISO when a new CXO enters the organization?
When a new CXO level person enters in the organization, he/she needs to integrate and to be enabled on all required privileges of access for data/reports. The communication within and outside the world with concerned officials through official channel, like e-mail, telephone, mobile and remote login to authorized systems is also very important.
The new CXO is a responsible, authorized and privileged user in the organization. Therefore, the CISO is required to ensure that the new CXO is provided with the all the access, rights, user ids, software/hardware tokens, devices, data, licensed programs etc, with appropriate level of security and ensuring the required level of confidentiality, integrity, availability, privacy and nonrepudiabilty. This should be documented and signed off.
The CXO should also be provided with details of best IS practices in the organization, a copy of relevant policies & procedures, do’s & don’ts in IT security domain as a user or privileged user. The CISO should help the
new CXO to ensure that all the passwords are changed, as per the policy and the CXO is comfortable with operations at his/her level pertaining to usage.
The CISO should also explain suitably to the new CXO about the status of security, running security projects, future plans, etc so that the new CXO can extend required help in implementing information security and related projects in the organization.
What are the key activities for a CISO when a CXO level person exits the organization?
Maintaining smooth continuity of various IT projects, operations, business, coordination within the organization, with service providers and vendors are very prime requirements, when a CXO level person moves out of the organization. At the same time, privileges available to a CXO level official should be removed in graceful and timely manner. All types of accesses, data storage, devices used by the CXO, data, passwords, emails, hardware/software tokens used, details of contacts of vendors, government/ regulatory authorities, etc, should be taken care of.
It is always good to cover these aspects in the IS policy itself, so that no confusion, omission or misunderstanding. However, whatever precautions and careful handing over/taking over is done, the outgoing CXO official is a rich source of knowledge of internal information, processes, practices and weakness, and even after ensuring all possible security precautions, the privileged executive would remain with residual information in some form. Therefore, HR policy and agreement should have been there so that the official remains obliged with the responsibility of protecting the same for organization’s interest.
A well written notification to all the users (internal, as well concerned external users) should be sent by HR/ next CXO and the same needs to be observed and noted by CISO, to ensure of ruling out any miscommunication.
A proper record of these activities should be maintained appropriately for any future reference. If CISO, feels that outgoing CXO had helped in improving information security in the organization, a formal or informal communication should also be made.
What additional measures do CISOs need to take to avert ransomware attacks?
To avert ransomware attack, the following steps are best suited:
• It is preferable to have anti-ransomware software or anti-malware software with anti-ransomware option available. A backup copy of original files should be preserved before they are encrypted or deleted for some period.
• Disable use of e-mails on servers to ensure no malware or virus reach as email attachment is allowed to work on servers or remote machines handling servers.
• USB ports on all servers and critical remote systems should be blocked for media usage through domain policy and also through BIOS settings.
• Implement application white listing solution, so that unrecognized software or unauthorized changes in such software will not have any effect.
• Internet access should be very limited, restricted and closely monitored and should be purely rule based. It is better to have an airgap between internet enabled and intranet running system.
• Solutions like NAC (Network Access Control) have also key features to maintain a minimum level of security, whereas NBA (Network Behavior Anomaly and Detection) implementation allows the affected systems to be isolated and disconnected with the main network, at very early stage.
• Email gateway security solution tremendously helps in filtering out dubious mails and mails with infected attachments.
• It is also very important to keep definition files and scanning engines to updated, as soon as they released online for any type of security software.
• Monitoring/ blocking of ports 445, 137,138 and 139 is essential to prevent SMB vulnerability.
• Keeping the operating system updated with latest patches, at least those critical in nature and use of application updates across the enterprise at the earliest. Updating device drivers, browser programs, utility applications, etc, should be done with only legitimate (digitally signed updates from OEM and original sites of respective software company) versions. Else, the update itself may invite more problems than solutions!
• Regular internal VA (Vulnerability Assessment) and EPT (External Penetration Testing) of concerned systems are very useful through a reliable security audit. Risk based compliance to finding is bonding necessity to derive benefits from this regular exercise.
• Role of regular backup of all critical systems/ data is very important to restore to a safe state, in case the ransomware attack is successful.
• There is a need for creating awareness among users, incident reporting, incident handling, mitigation plans, keeping updated and readily available indicators of compromise and keeping a watch on activities which is likely to be affected by such attacks. Marinating good liaising with peer group CISOs and government agencies is another key to success.
• Benefits of anti-APT (Advance Persistent Threats) and examination and verification of threats in SSL (Secured Socket Layer) traffic, especially during DDOS (Distributed Denial of Service) attacks are also very useful for enterprises to fight against ransomware.
What was the message that you conveyed to the employees of the bank when the news of WannaCry spread like wide fire?
All the users were put to caution through scrolling messages, e-mails, SMSES, closed user groups to update systems urgently with relevant OS patch, updating anti-virus definition file, not to open attachments in e-mails of any doubt, not to be in pensive mood, to isolate the system, if found affected and report us immediately. We were also having liaising at the top level and gathering latest updates. We also ensured that employees do not get unnecessarily worried, but were reasonably cautioned and alert.