At the Session 03 Panel from left Asia Policy Partners LLC, Hong Kong Managing Partner Michael R K Mudd, Microsoft Sri Lanka and Maldives Country Manager Brian Kealy, NDB Bank PLC Chief Operating Officer Rohan Muttiah and Moderator Daily FT Editor Nisthar Cassim 

  • Daily FT-CICRA Cyber Security Summit puts spotlight on vulnerability of banking and finance to cyber attacks and how industry is responding

The number of cyber attacks targeting banks and other financial institutions has grown exponentially over the last two decades, posing great risks to the global financial sphere, Michael Mudd, the Managing Partner of Asia Policy Partners LLC in Hong Kong, said recently.

Delivering the keynote address, Mudd said that the threat landscape had become more sophisticated with the involvement of organised criminals. Outlining problems from a financial security point of view, Mudd shared key insights with the audience on how financial institutions could strengthen their back-ends to combat cyber attacks.

“Criminals could be people who want money, state-sponsored criminals or former employees of an organisation. Many cyber threats are part of the overall cyber threat landscape. When you look at them, some threats could distort a single business activity or could harm the entire business scope. These threats pose a reputation risk for the business as well as damage the relationship with your suppliers, shareholders and other stakeholders.”

He said that commercial crimes were not a myth anymore, with Malware as a Service (MaaS) available right now with 24/7 online support. He went on to speak about cyber threat classification, breaking the entire classification into three categories.

“First you have data theft which involves internal IT or tech staff or other staff members. These threats have to be dealt with internally. Also you have data theft alteration, destruction and extortion. These could be state-sponsored, could be carried out by hacktivists or terrorists. Data ransomware has become a major issue. Then you might have threats happen due to phishing and spoofing. Denial of Service (DoS) has been there for a long time now. I heard that Sri Lanka also got into trouble with several Distributed Denial of Service (DDoS) attacks but there is a new threat which is a reflective form of DoS and DDoS called DRDoS (Distributed Reflection Denial of Service attack). This is widely used to distort functions in big infrastructure companies by enhancing a DDoS attack,” Mudd said.

Ransomware: A bigger threat

Mudd said that ransomware had become a growing threat, with global statistics confirming the rise of what is now a very popular mode of cyber attack.

“Up to March 2015, only 131,000 ransomware threats were recorded. However, during the period of April 2015 to March 2016, 918,000 ransomware incidents have been reported. They are very complex and some share a 2,048-bit RSA cryptographic key so breaking them looks near impossible. Some organisations charge you 400 to 600 bitcoins to unlock the locked screen or the hard disk partition. If you don’t pay it within 48 hours, they would triple the amount and if you are a big corporate the amount will be ten times the original ask.”

Mudd asserted that prevention and backup were crucial to dealing with ransomware and explained the importance of the BASIC (Be Aware Security is Compromised) approach. Attack identification is also making headway with companies like Intel and Kaspersky working on the technology, he said.

“Lots of these come through social media. The key is prevention of course. We need to look at risk management and governance and we need to build the foundation assuming that you are not 100% secured at any given time.

The bad guys will get through by any means. What do you do about it? Have you put proper strategies and measures in place? It comes down to being able to implement a working program together in order to mitigate risks. CEOs need to understand that this is a risk and execute a plan. They are not technical but in this case, they need to know how to manage these risks and make sure that escalation is in place to move this up.

“The BASIC approach will prove the benefits of taking necessary measures to evade unnecessary threats. Backing up is the most important thing. It is the basis of modern technical know-how. Organisations should look at enabling UAC (User Access Control) and removing admin rights. One other obvious factor for prevention is deploying robust anti-virus software with restrictions. Restrictions will alert the anti-virus company of an attack and they could identify it and fix it themselves. Using licensed software is very important. We have heard many stories where the CEO has supposedly received an email from the CFO asking for a money transfer but later realises that it was a spoof mail.

These things happen if you don’t use licensed software,” Mudd said. In the case of a user not knowing what is really happening, Mudd advised the audience to pull the network plug out at once.


A checklist to track them all

Mudd also spoke about a cyber security checklist which includes security by design, threat detection, protection by responding instantly to incidents, collaboration and engagement with different parties and the cyber security risk framework.

“A risk framework is important because it starts to address many risks involved in a business through information technology, operations and new tech elements like cloud computing. Risk management practices will cover the entire organisation, not just your IT department. It will be important when you work with service suppliers because many banks are doing outsourcing and cloud is the next level of outsourcing. Organisations need to implement security standards that include privacy controls to ensure compliance. It is important to always remember the five core functions of cyber security as well – identify, protect, detect, respond and recover,” said Mudd.

He explained about the Waking Shark exercise of the Bank of England. It was built to test the incident response, resolution and coordination processes of the financial services sector and individual member firms to a street-wide cyber attack.

“This encourages people to do some exercises and identify where the weak points are. The Bank of England has worked with 22 British institutions over the past four years on this. If you look at what they came up with the objective of this exercise was to identify, protect, detect, respond, recover and then learn. They also share their information with others which helped them to bring out a cyber security governance arrangement so that they could see where they were going,” said Mudd.

He emphasised the importance of resilience, the ability to recover to a 100% operations state without losing data within a given time span, and gave examples of how other countries such as Singapore practised resilience.

He also spoke about how banks that dealt with outsourced entities could deliver services with security, confidentiality, availability and integrity by knowing their supplier, using data with a purpose, proper sub-contracting and implementing a due diligence process.

“Ownership of data is always with the financial institution and the outsourcing entity should act upon the bank’s guidance. They have legal responsibilities so review monitoring and controlling is always important. Access rights, resilience, conditions on termination, data classifications, external certifications; financial institutions need to carefully look upon these aspects as well.”


Bangladesh heist

Mudd also spoke about how hackers breached the Bangladesh Central Bank and stole millions of dollars due to unprofessional cyber security practices. In February 2016, instructions to steal $ 951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network. Five transactions issued by hackers, worth $ 101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded with $ 20 million traced to Sri Lanka (since recovered) and $ 81 million to the Philippines. The Federal Reserve Bank of NY blocked the remaining 30 transactions amounting to $ 850 million at the request of Bangladesh Bank.

The $ 20 million transfer to Sri Lanka was intended by the hackers to be sent to a private limited company. The hackers misspelled ‘Foundation’ in their request to transfer the funds, spelling the word as ‘Fundation’. This spelling error raised suspicion at Deutsche Bank, which put a halt to the transaction in question after seeking clarification from Bangladesh Bank. Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting that it was too big for a country like Sri Lanka. Pan Asia Bank was the institution which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have since been recovered.
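The two signals that stopped the Sri Lankan leg of the heist, a beneficiary name that almost but not quite matched a known party and an amount far larger than anything normally sent into that corridor, are the kind of checks a sending institution can apply automatically before a payment instruction is released. The following is an added illustration of such a pre-release screen; it is not code from the summit, from any speaker, or from any bank or payment network. The beneficiary table, corridor history, thresholds and the three sample instructions (including the "Fundation" typo) are constructed assumptions for the example.

```python
"""
Pre-release screening of outbound payment instructions (added illustration).

Each instruction is held for manual review when either of two constructed
rules fires: the beneficiary name is a near-miss of a registered beneficiary
(a likely typo or impersonation), or the amount is out of proportion to the
corridor's payment history. Everything below is sample data, not real
institutions or payments.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed list of beneficiaries previously paid, keyed by normalised name,
# with the corridor (country code) each one was paid in.
REGISTERED_BENEFICIARIES = {
    "EXAMPLE FOUNDATION": "LK",
    "SAMPLE TRADING CO": "PH",
    "DEMO SHIPPING LINES": "SG",
}

# Constructed: largest amount (USD) previously released into each corridor.
CORRIDOR_HISTORY_MAX_USD = {"LK": 400_000.0, "PH": 1_500_000.0, "SG": 2_000_000.0}

NEAR_MISS_RATIO = 0.80  # this similar to a registered name, but not identical, is suspicious
AMOUNT_MULTIPLE = 3.0   # hold if amount exceeds this many times the corridor's largest prior payment


@dataclass
class Instruction:
    ref: str
    beneficiary: str
    country: str
    amount_usd: float


@dataclass
class ScreenResult:
    ref: str
    hold: bool
    reasons: List[str] = field(default_factory=list)


def normalise(name: str) -> str:
    """Upper-case, drop punctuation and collapse whitespace so spelling is compared, not formatting."""
    cleaned = re.sub(r"[^A-Z0-9 ]+", " ", name.upper())
    return " ".join(cleaned.split())


def closest_registered(name: str) -> Tuple[Optional[str], float]:
    """Return the registered beneficiary most similar to `name` and the similarity ratio (0..1)."""
    best, best_ratio = None, 0.0
    for registered in REGISTERED_BENEFICIARIES:
        ratio = SequenceMatcher(None, name, registered).ratio()
        if ratio > best_ratio:
            best, best_ratio = registered, ratio
    return best, best_ratio


def screen(instr: Instruction) -> ScreenResult:
    """Apply the beneficiary-name and amount rules; any reason means the instruction is held."""
    reasons: List[str] = []
    name = normalise(instr.beneficiary)
    match, ratio = closest_registered(name)
    if ratio == 1.0:
        expected = REGISTERED_BENEFICIARIES[match]
        if expected != instr.country:
            reasons.append(f"beneficiary {match} is registered in {expected}, instruction routes to {instr.country}")
    elif ratio >= NEAR_MISS_RATIO:
        reasons.append(f"beneficiary '{name}' nearly matches registered '{match}' "
                       f"(similarity {ratio:.2f}); possible typo or impersonation")
    else:
        reasons.append(f"beneficiary '{name}' is not a registered beneficiary")

    prior_max = CORRIDOR_HISTORY_MAX_USD.get(instr.country)
    if prior_max is None:
        reasons.append(f"no payment history for corridor {instr.country}")
    elif instr.amount_usd > AMOUNT_MULTIPLE * prior_max:
        reasons.append(f"amount {instr.amount_usd:,.0f} USD exceeds {AMOUNT_MULTIPLE:g}x the largest "
                       f"prior payment to {instr.country} ({prior_max:,.0f} USD)")
    return ScreenResult(instr.ref, bool(reasons), reasons)


def screen_batch(instructions: List[Instruction]) -> List[ScreenResult]:
    return [screen(i) for i in instructions]


# Constructed batch: a routine payment, one with a misspelled beneficiary and an
# outsized amount, and one to a party never paid before.
SAMPLE_BATCH = [
    Instruction("TXN-001", "Example Foundation", "LK", 300_000.0),
    Instruction("TXN-002", "Example Fundation", "LK", 20_000_000.0),
    Instruction("TXN-003", "Unknown Holdings Ltd", "PH", 50_000.0),
]

if __name__ == "__main__":
    for result in screen_batch(SAMPLE_BATCH):
        print("HOLD   " if result.hold else "RELEASE", result.ref, "; ".join(result.reasons))
```

Run as a script, TXN-001 is released while TXN-002 is held on both rules and TXN-003 on the unknown-beneficiary rule alone. The point of the design is that a near-miss name is treated as more suspicious than an exact match, not less: a registered beneficiary that has been edited by a character or two is exactly what a spoofed or fat-fingered instruction looks like, and the amount rule is deliberately coarse so that a single wildly disproportionate payment cannot hide inside a batch of routine ones.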

“This was not the first attack we have heard of. There is a new level of knowledge and skills out there now and a huge portion of this knowledge has been transferred by inside sources. The only way a hacker could know about how SWIFT works is by working with the system. Technology’s sight is shortening now so that it is necessary to combat cybercrime,” added Mudd.


Building a close relationship

Answering a question posed during the panel discussion, Mudd said that Central Banks across the region should develop a broader dialogue with the technology industry.

“A close relationship between the regulator and technology vendors together can strengthen the financial sector. Over the years, there have been a number of silos regarding fostering a robust connection to mitigate cyber threats. Financial institutions usually don’t reveal information to other parties when they encounter a nefarious incident like a cyber attack. However, it is quite interesting to see that Sri Lanka’s Central Bank formed the FINCSIRT with the help of several key institutions. That is what should happen.”

Speaking at the panel discussion, NDB Bank Plc Chief Operating Officer Rohan Muttiah spoke about the challenge of maintaining safety as well as providing convenience to customers in the financial sector.

“There is no doubt at all that public transfers and depositories are the top-most priorities of a bank. Banks cannot put that principle at risk anytime in whatever they do. Having said that, what do we expect as customers of a bank? We want to do our bank transactions at our convenience so therein lies a challenge for banks. It is not an insurmountable challenge. Of course, there are risks associated but then you cannot afford to open them up. Online banking has been around for a long time and people are perhaps more familiar with the types of threats that are posed. These attacks have been partially solved by using the two-factor authentication. Then you have mobile banking which gives you anytime, anywhere banking. The types of authentications that have been introduced with mobile banking are perfectly aligned with CBSL’s guidelines. However, technology provides us more ways to make it more secure. For example, biometrics. Biometrics could be used in your mobile phone to authenticate yourself. It is quite possible for banks to continue to protect customer data with the help of technology.”

Speaking further, Muttiah said: “Bad guys are always ahead by several steps. That is the reality but having said that it does not mean that bad guys need to win. To protect something, you need to detect it first. You may not be able to provide 100% protection but you are able to detect most cases. Threats are progressing at a very rapid rate but with the demand increasing for more convenience, measures and methods of protection are also keeping up. You need to have proper awareness of what you are doing.”

Microsoft Sri Lanka and Maldives Country Manager Brian Kealy was also at the panel discussion and spoke about how Microsoft ensures safety for its users who perform online transactions using their devices.

“People want new technologies that they would trust. If a bank provides a trustworthy platform for users to do their transactions they will happily keep using it for a long time as well as the bank’s other services and applications. Organisations have a responsibility to make sure that they can articulate how they are protecting the personal data of users.

“Microsoft trusts in four areas which we believe is the foundation of creating secure transactions. If you look at few years ago, many organisations focused on a harder outside and a softer inside. When someone broke that strong outside, you realise that you don’t have a strong inside anymore which of course is a breach of trust. Firstly, we need to make sure that the person who is doing the transactions is on a mechanism where his data will be secure. Secondly, protecting the data of the application. Whether the data is stored in the system or the device it is super important to know whether the data has been encrypted. That will make sure that hackers or even insiders cannot touch it at all. Thirdly, protecting your infrastructure and finally making sure that the devices and applications we hand out to consumers are safe and protected. This is how we look to simplify the environment for security professionals and for all our users,” said Kealy.

The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partners were MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.