Se­cur­ing Fi­nan­cial In­sti­tu­tions in In­dia

Trends, Chal­lenges and So­lu­tions that De­liver Se­cu­rity from the Net­work Core

PCQuest - - CONTENTS -

The bank­ing sec­tor has been­rapidly em­brac­ing lat­est tech­nol­ogy while the de­mand­ing pop­u­la­tion is get­ting tunedto mo­bil­ity and con­nec­tiv­ity; this sce­nario has com­pelled In­di­ato quickly adapt dig­i­tal trans­for­ma­tion of fi­nan­cial busi­ness prac­tices.

The Re­serve Bank of In­dia (RBI)—which pre­scribes broad pa­ram­e­ters for bank­ing op­er­a­tions in or­der to main­tain pub­lic con­fi­dence in In­dia’s fi­nan­cial sys­tem, pro­tect de­pos­i­tors’ in­ter­est, and pro­vide cost-ef­fec­tive bank­ing ser­vices to the pub­lic—is a key mo­ti­va­tor in mod­ern­iz­ing bank­ing op­er­a­tions, and guided by its rec­om­men­da­tions, in­di­vid­ual banks and credit unions are em­ploy­ing tech­nol­ogy to en­hance­op­er­a­tions. Se­cu­rity ini­tia­tives are a key part of this ef­fort—per­haps the most im­por­tant part— be­cause of the rapidly grow­ing and evolv­ing threat land­scape.

In­dian Bank­ing In­dus­try

26 pub­lic-sec­tor banks, 25 pri­vate-sec­tor banks, 43 for­eign banks, 56 re­gional ru­ral banks, 1,589 ur­ban co­op­er­a­tive banks, and 93,550 ru­ral co­op­er­a­tive banks in ad­di­tion to co­op­er­a­tive credit in­sti­tu­tions com­prise the In­dian Bank­ing land­scape.

Pub­lic-sec­tor banks con­trol nearly 80 per­cent of the mar­ket. Cur­rently th­ese banks are lever­ag­ing tech­nol­ogy to en­cour­age their cus­tomers to man­age their fi­nances us­ing mo­bile phones and In­ter­net­based sys­tems. This is part of a tech­nol­ogy evo­lu­tion that started were started after the Re­serve Bank of In­dia (RBI) is­sued a man­date to im­ple­ment core bank­ing ap­pli­ca­tions to en­hance op­er­a­tions at branch lev­els. Th­ese helped banks to be­gin new in­nings in the field of tech­nol­ogy in­no­va­tions by build­ing net­works across In­dia, data cen­ters, ap­pli­ca­tions, data repos­i­to­ries, and many key se­cu­rity ini­tia­tives. Cou­pled with the eco­nomic ad­vance­ment of the mid­dle class in In­dia and the sig­nif­i­cant in­crease in the num­ber of younger con­sumers, the build­ing of mul­ti­ple de­liv­ery chan­nels to serve cus­tomers is be­com­ing re­alty— In­ter­net-based and mo­bile ap­pli­ca­tions are driv­ing cus­tomer sat­is­fac­tion and stick­i­ness.

Sev­eral spe­cific tech­nol­ogy trends are af­fect­ing cus­tomer be­hav­ior in In­dia in ways that in­creaseop­por­tu­nity for fi­nan­cial in­sti­tu­tions and at the same time in­crease the chal­lenges as­so­ci­ated with net­work se­cu­rity.

In­ter­net Pen­e­tra­tion Is In­creas­ing

New In­ter­net users are grow­ing more than 50 mil­lion year on year, on the flip side, there is only 26 per­cent pen­e­tra­tion so far. Hav­ing said that, there is

a rapid growth in this too thanks to mo­bile In­ter­net, broad­band, and Wi-Fi roll­outs. The num­ber of mo­bile In­ter­net users in In­dia had reached 371 mil­lion by June2016, and is on track to cross 500 mil­lion users by next year and to dou­ble to 730 mil­lion by 2020, leav­ing the United States far be­hind.

Dig­i­tal Trans­ac­tions Are on the Rise

In­dian con­sumers have started ex­ten­sively us­ing cash­less trans­ac­tions for day-to- day pur­chases such as movie tick­et­ing, cab book­ing, air/rail tick­et­ing, hol­i­days, gro­ceries, e- com­merce, etc.

Each of th­ese ap­pli­ca­tions pro­motes in­creased on­line us­age of mo­bile wal­lets, credit cards, and debit cards. Im­ple­men­ta­tions of one-time pass­word, Aad­har-linked trans­ac­tions, SMS alerts, and the stream­lin­ing of In­ter­net- driven pro­cesses for bank­ing have built con­fi­dence in users to adopt tech­nol­o­gy­driven chan­nels over le­gacy chan­nels de­pen­dent on branch op­er­a­tions.

Dig­i­tal chan­nels are also help­ing banks to stream­line re­dun­dant op­er­a­tions to re­duce costs and de­liver con­tex­tual and per­son­alised bank­ing to cus­tomers us­ing an­a­lyt­ics.

In­no­va­tion in the Pay­ment In­dus­try Is Driv­ing Cus­tomer Be­hav­ior

With the pro­lif­er­a­tion of mo­bile-based ser­vices and the re­duc­ing me­dian price of smart­phones, the pay­ment in­dus­try is on an ex­po­nen­tial growth tra­jec­tory, fur­ther aided by pol­icy, frame­works, and guide­lines be­ing for­mal­ized by the reg­u­la­tor. In­no­va­tive and dis­rup­tive so­lu­tions have made this vol­umein­ten­sive and low-mar­gin in­dus­try a lu­cra­tive one.

From Oc­to­ber 2015 to Oc­to­ber 2016 cash­less pay­ments have grown by 22 per­cent and In­dia’s fi­nan­cial in­dus­try has wit­nessed 175 per­cent growth in mo­bile trans­ac­tions dur­ing the same pe­riod. The Uni­fied Pay­ments In­ter­face (UPI) that pow­ers mul­ti­ple bank ac­counts into a sin­gle mo­bile ap­pli­ca­tion (of any par­tic­i­pat­ing bank), merg­ing sev­eral bank­ing fea­tures, seam­less fund rout­ing, and mer­chant pay­ments into one hood. It also caters to the peer-to-peer col­lect re­quest, which can be sched­uled and paid as per re­quire­ment and con­ve­nience. UPI alone has surged to 1.4 mil­lion trans­ac­tions worth INR 480 crore by De­cem­ber 2016.

Dig­i­tal pay­ments in In­dia are es­ti­mated to grow at steady rate to 500 bil­lion USD by 2020 from the cur­rent size of 50 bil­lion. With dig­i­tal ini­tia­tives un­der­way by state and cen­tral gov­ern­ments, it is ex­pected that 59 per­cent of all trans­ac­tions will go dig­i­tal by 2025.

Cybersecurity Chal­lenges and In­ci­dents

The same tech­no­log­i­cal ad­vances and con­sumer trends that are trans­form­ing fi­nan­cial in­dus­try busi­ness prac­tices in In­dia are also creat­ing new threat vec­tors and vul­ner­a­bil­i­ties for bank net­works.

In­fra­struc­ture Out­ages: Dis­trib­uted De­nial of Ser­vice (DNS)

Dis­trib­uted- de­nial- of-ser­vice (DDoS) at­tacks af-

fect­ing mul­ti­ple ma­jor or­ga­ni­za­tions in the re­cent times have be­come in­creas­ingly com­mon and are ham­per­ing func­tion­ing of crit­i­cal in­fra­struc­ture in many coun­tries. In 2016, large en­ter­prises and ser­vice providers world­wide ex­pe­ri­enced band­width sat­u­ra­tion un­der DDoS at­tack. Many of th­ese in­cor­po­rate In­ter­net of Things (IoT) de­vices to over­whelm tar­get net­works.

Anal­y­sis and vis­i­bil­ity of DDoS at­tacks re­mains a daunt­ing task, be­ing largely de­pen­dent on re­al­time traf­fic anal­y­sis and re­ports or logs from se­cu­rity in­fra­struc­ture. In 2017, 800- Gbps DDoS at­tacks were re­ported—60 per­cent higher than the 500-Gbps at­tack that was the largest re­ported in 2015.

DNS is the most com­mon ser­vice be­ing tar­geted by us­ing am­pli­fi­ca­tion- and re­flec­tion-based at­tacks ac­cord­ing to Ar­bor’s World­wide In­fra­struc­ture Se­cu­rity Re­port, Vol XII. Cisco’s Se­cu­rity 2017 re­port states that DNS se­cu­rity and DDoS mit­i­ga­tion are a few of the tech­nolo­gies which are the most time- con­sum­ing and dif­fi­cult tech­nolo­gies to man­age. Pri­mar­ily, DNS is be­ing tar­geted for the fol­low­ing rea­sons: the lead­ing banks/fi­nan­cial in­sti­tu­tions for in­ter­nal and ex­ter­nal ap­pli­ca­tion. spoofed and redi­rected for ma­li­cious in­tent. DNS query to the In­ter­net can am­plify a re­sponse by a fac­tor of 93, which can bot­tle­neck In­ter­net in­fra­struc­ture. vis­i­bil­ity of in­bound and out­bound traf­fic. A few in­di­ca­tors of an in­crea­sein DDoS in­ci­dents in In­dia dur­ing 2016 com­prise in­ter­net ser­vice providers hit by a DDoS at­tack in July in Mum­bai. Fur­ther, a re­port from se­cu­rity ven­dor Sy­man­tec, which stud­ied DDoS at­tack pat­terns across 50 dif­fer­ent coun­tries­found that 26 per­cent of all DDoS at­tack traf­fic in the world orig­i­nated in In­dia. Ac­cord­ing to a Q2’ 16 Aka­mai re­port, In­dia is among the top 10 source coun­tries. A March 2016 F- Se­cure Threat Round up Re­port stated that In­dia emerged as the fifth high­est coun­try wit­ness­ing in­fec­tions via DNS hi­jacks in 2015.

DDoS at­tacks are not, of course, lim­ited to In­dia. On Oc­to­ber 22 of 2016, cy­ber­crim­i­nals seized con­trol of a Brazil­ian Bank for five hours, com­pro­mis­ing 36 of the bank’s do­mains, in­clud­ing its in­ter­nal email and FTP servers, and cap­tured elec­tronic transac- tions. Kasper­sky Lab’s re­search and anal­y­sis team in Latin Amer­ica says the at­tack­ers were able to pull off the heist by com­pro­mis­ing the bank’s DNS provider Registro.br and gain­ing ad­min­is­tra­tive con­trol of the bank’s DNS ac­count.

Also Data breaches may in­volve per­sonal health in­for­ma­tion (PHI), per­son­ally iden­ti­fi­able in­for­ma­tion (PII), trade se­crets, or in­tel­lec­tual prop­erty.

Ac­cord­ing to a 2017 Ixia se­cu­rity re­port, there has been an al­most 100 per­cent rise in data breaches from end-user de­vices, with 67 per­cent of the breaches tak­ing days to de­tect. As the em­pha­sis in 2016 on hard­en­ing in­fra­struc­ture in­creased, at­tacks against servers, hard­ened ter­mi­nals, and the net­work it­self trended down, as ex­pected. Servers re­main the top at­tack vec­tor per Ver­i­zon’s Data Breach In­ves­ti­ga­tions Re­port find­ings, but have been on the de­cline for sev­eral years. The hu­man el­e­ment, how­ever, from shadow cloud SaaS us­age to ca­sual use of lap­top or smart­phone de­vices not man­aged 24/7 by IT, con­tin­ues to rise.

The se­cu­rity, in­tegrity, and re­li­a­bil­ity of In­ter­net com­merce and com­mu­ni­ca­tion de­pend on un­der­ly­ing DNS ser­vices. Ad­vanced tar­geted at­tacks of­ten fo­cus on DNS ser­vices ei­ther di­rectly or as part of a broader at­tack cam­paign.

DNS ser­vices can also present vul­ner­a­bil­i­ties that en­able data- ex­fil­tra­tion at­tacks to suc­ceed. Meth­ods to ex­ploit th­ese vul­ner­a­bil­i­ties have been demon­strated as far back as 2007, and in re­cent years, they have been used in sev­eral real- world breaches. The DNS pro­to­col uses state­less mes­sag­ing for a DNS client to sub­mit queries to an ex­ter­nal server and re­ceive ex­ter­nal replies from that server. Th­ese queries and replies can con­tain up to 512 octets of data, and no mes­sage- level se­cu­rity is en­forced in stan­dard DNS ser­vices. This com­bi­na­tion pro­vides an easyto- ex­ploit path whereby at­tacks can sub­vert DNS ser­vices for both mal­ware up­dat­ing and data ex­fil­tra­tion. While tra­di­tional DLP so­lu­tions fo­cus on other pro­to­cols, they have lim­ited vis­i­bil­ity into DNS con­ver­sa­tions and hence are in­ef­fec­tive in de­tect­ing DNS based data ex­fil­tra­tion.

The so­lu­tion to pro­tect sen­si­tive sec­tor like the fi­nan­cial one lies in pro­vid­ing core net­work ser­vices, au­to­mates cloud de­ploy­ments, and in­creased re­li­a­bil­ity of en­ter­prise and ser­vice provider net­works around the world. Pro­vid­ing in­fra­struc­ture pro­tec­tion would in­clude pro­tec­tion for Do­main Name Sys­tem (DNS), se­cures data thus help mit­i­gate the spread of mal­ware, and eases se­cu­rity op­er­a­tions through ecosys­tem in­te­gra­tions.

SARAVANA DO­RAIRAJ, Coun­try Man­ager, In­foblox In­dia

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.