Building Trust - aligning to changing security goalposts
Security experts from the BFSI industry discuss the new threats and strategies to combat them at Finnoviti 2021:
KM Reddy, Head & CISO, Union Bank of India
There is a huge risk in the domain names, because a fraudster can launch a fake website, they can redirect traffic from the original website and capture confidential log-in details and OTPs. There is no control on the domain names - we are seeing that domain names are being created in different countries – not just in India but in places like Japan, North Korea, South Korea, and the USA.
During the pandemic, there were huge job losses and there are rackets run by people claiming to be recruiters and they make use of logos of different organizations and invite applications for jobs through online advertisements. People get cheated as their pronouncements appear genuine and they even have websites resembling established firms. Nothing can be done as there are no regulations covering such activities. It is an uncontrollable situation.
Recently, we have got some regulations on social media thanks to the Government of India, especially against fake accounts. Phishing attacks, fake domain names and DDoS are the 3 popular attacks happening from December 2019 but there are no mitigation measures in place even today.
Pawan Chawla, CISO, Future Generali India Life Insurance
Since covid started in December 2019, several domains have been registered by the attackers. Since 1 January 2020, some 500 domains have been registered by attackers in the name of established firms and the websites are fake. These sites are used to target banks or other organizations and their employees and customers and dupe them into sharing official information. There are different methodologies adopted by the hackers and they have even used emotions to target the customers.
Last year, Future Generali India Life Insurance had blocked more than 20,000 indicators of compromise; we were able to take proactive action against them. With the help of the advisories, we were able to protect against attacks. Several other organizations might have faced the same situation and they should adopt a strategy against the attackers.
What if there are attacks and the advisory is not available, because most people even if they are under the attack, hesitate to share the information and that is where you know that something has happened, but you do not know how to protect yourself. If somebody has a disease, he or she can go to a doctor and take medicines. If you do not tell anyone about your problem, nobody will give you the medicine and your dependents can also not be protected. Cybersecurity is not useful because unless you know what needs to be protected, you will not be able to protect your organization.
The traditional way of implementing the infrastructure is always a challenge. Adding complexity, adoption of cloud and SaaS-based products and services has increased. Organizations need to have a clear roadmap about what needs to be adopted and how these have to be adopted. If you prove that cloud adoption will give you better results, then no CFO in the world will say no to the cloud adoption. The CFO will give you x amount of money because he knows what revenue can be generated from this addition.
Sanjay Kumar Tiwari, CISO, IIFL
All digital adoption and digital acceleration have happened through APIs. Akamai has a product on API security. The main problem that all banks and financial organizations are facing is how to exploit the functions of API. API is the connector between the front-end and the back-end. There is a control that is required in the testing part for putting it into production and then you could have a mechanism from Akamai and others where you keep on continuously monitoring your older versions. It is high time for organizations to start taking API very seriously because 90% of the attacks are happening through APIs. IIFL started its security journey long back but we have still not fully covered ourselves from the attacks.
We have started adopting cloud in a big way due to the covid; it has given an advantage on the agility angle. From the security perspective, we have put zero-trust kind of architecture with fluid parameters. We have a hybrid structure around them and have put controls on the identity and access management. People have started accessing the system from home and the issue is how to control these systems, what access they have and whether we have a multi-factor authentication. Organizations think about these questions.
Security is one of the headaches since we have a hybrid structure. Some people would be directly accessing and uploading from the cloud, some would be on premises. How do I control them? What access do they want? We have started controlling the identity and access and we must fully implement it.
R Vijay, CISO, Mahindra Financial Services
API security needs to be taken into consideration right from the development stage of any application. Firstly, the architecture needs to be adopted and clearly understood, before you even start developing that application. Secondly, it needs to be understood which APIs are going to be utilized for the application and it cannot be on adoption basis. People generally go searching for something and they start adopting it if they find something fanciful.
APIs undergo a lot of changes; organizations start adopting the newer ones and older ones remain as part of their applications. There is a lot of cleaning that needs to be done in the algorithm of the application, more specifically some of the API perspectives must be done continually. Organizations should have application security testing.
When it comes to cloud adoption, the strategy needs to be clear whether the organization wants hybrid or private cloud. Then comes the cost component. You need to be noticeably clear what the CFO is allocating to choose the model that suits the organization - one is short term and other is the long-term. In case of the long term, there is a need for the terminology with the service providers, organizations need to be clear with what kind of AMC they have with the service provider.
There are a lot of changes happening in the cloud - organisations need to be informed about that and take necessary measures to ensure that they are safe and secure from the known and unknown threats.
Akhil Verma, CISO, Airtel Payments Bank
Attacks will be there across the industry, but mostly where the money lies. During the pandemic times, there are emotion-based attacks. Now, we have reached a phase where covid vaccination has come, those pharma companies are targeted by the attackers. Cyberattacks are easier compared to doing a bank robbery.
Banks should start from the design side, not development. Once the design is correct