Cyber Security for Financial Institutions

Best Practices and Recommendations

By: Khawar Nehal
Applied Technology Research Center
http://atrc.net.pk

17 August 2016
For FPCCI seminar on cyber security

Agenda

What needs to be done
Why it needs to be done
How to do it
Trends and solutions
Other suggestions

What needs to be done

Recognition that the financial industry did not prepare well for the cyber security threats.

Recognition that the financial industry shall be offering online services in the future.

Accepting that depending on others to solve the problem shall not work.

Accept that we need to prepare better.

Services need to be offered due to market demands.

Self reliance and taking ownership shall work.

Why it needs to be done

The only constant in the universe is change.

Cyber security threats are likely to rise rather than fall.

Security is possible if people decide to take full responsibility of it.

Changes shall keep happening

Attacks are very likely to rise in complexity and severity.

Security is possible if responsibility is taken for it.

How it needs to be done

Development of a security policy

Implementation of security policies which are effective in maintaining security

Monitoring and control of weak elements in the system.

Replacement of weak elements with new, better-audited elements to allow for incremental development.

Develop a security policy

Implement it

Monitor it

Control it

Eliminate all weak elements in the system.

Trends

Here are the trends in attacks over the past few years.

Trends

Insider misuse
Miscellaneous errors
Denial of service
Crimeware

The top 4 from the trends

Insider misuse
Errors
Denial of service
Crimeware

For : Insider misuse

Steps:
Make sure you have a security policy
Train everyone on the security policy
Get everyone to sign on the policy
Implement the policy

What you need to do is learn how to monitor for illegal behavior or actions which violate the policy.

Insider misuse is when a person inside the organization does something bad.

To solve this you need:
A security policy
Make sure everyone knows the policy exists and is active
Implement the policy

Have a system to monitor actions so the policy can be implemented

For : Miscellaneous errors

Generally these can be distilled down to two types.

Software errors which cause the software to not follow the configuration.

Misconfiguration by the administrator or responsible person.

Errors

Errors in configuration by the administrator managing the system.

Errors in the software development of the system which prevent administrators from implementing their configuration correctly.

For : Miscellaneous errors

If you train the administrators and eliminate ALL bugs in your software, then you shall eliminate a LOT of the issues related to cyber security.

Errors

A LOT of issues can be solved by fixing the software bugs and having the correct configurations by the administrator.

This requires bug free software and well trained and experienced administrators.

For : Miscellaneous errors

It is very important to eliminate ALL vendors which provide a false presentation of security when their supplied systems are not able to provide REAL security due to bugs and low quality of development.

Depending on vendors to supply bug free systems has not worked very well so far.

So monitor for product quality and replace all components of the system which cause more attacks to become successful.

For : Miscellaneous errors

Think like the air force. Check everything. If everything is not bug free, then do not FLY. In the financial industry, that means stop rolling out services or systems with bugs which are the cause of past, present and future problems.

Learn from the air force.

They check everything before takeoff.

For the financial industry it means stop offering services if you do not have the systems ready for it.

For : Miscellaneous errors

It shall not be long before the products with errors and mistakes are not blamed on the vendors anymore but on the procurement. So change before the change is forced on to you.

Denial of service

Even if it is a DDoS, all you need to do is outsource your incoming connection to a DDoS mitigation vendor. They shall handle it completely for you.

If the DoS threat is internal then you just combine the first two items mentioned: Insider misuse and Misc errors. The solution to this combination shall solve the DoS issue.

Crimeware

This requires training and awareness of the user. For example everyone knows that if they lose their credit card, they are to report it within 24 hours or risk losing money. So they take it seriously. Similarly, all communications related to configurations (passwords, accounts, pin codes, card numbers or whatever) needs to be confirmed on the original phone numbers and emails of the bank before any requests are entertained.

Crimeware

The main reason is that insecure computers are allowed to access the bank systems via users. Basic settings like checking for insecure or lax systems before allowing your software to be used shall help solve a lot of issues. Examples include: looking for the existence of uncommon applications on devices. Devices include laptops, desktops and mobiles.

Crimeware

As security awareness is increased, the financial institutions can steadily increase their requirements for secure computing systems for users. The other approach is to offer better risk managed services for those with more secure platforms. An example is the POS risk management difference between vendors with chip and swipe and the old magnetic stripe only vendors.

4 major threats covered

So we have covered the trending 4 major threats and some ways which can reduce them significantly.

Question to ask

How can I reduce my security issues without having to spend a lot of resources?

By asking this question, you shall be able to get a lot of security results.

Without it, you shall have a lot of vendors pushing a lot of noise and less security.

Why this question

This is the main question which system operators and admins ask when they are faced with real threats, and it has worked over the last 60 years of computing. That is why industries like Internet services have fewer security issues and other industries have many loopholes.

Other techniques

Here is a list of methods which from our experience help a lot towards increasing cyber security.

Redundant systems from different suppliers. Example : Learn how the root DNS servers are implemented.

Know about communications

Private links are sold and marketed as private.

Examples include: satellite links and point-to-point radio links.

Spy satellites target point-to-point links, and a satellite broadcasts to 1/3 of the planet.

Addons for browsers like firefox

There are many useful security related addons for Firefox. And Firefox is designed in a safer manner than most other browsers.

Train people and make them use the security addons.
Active companies need to have these addons report their findings instead of just protecting the users.

Software updates

Protection of mission critical systems which cannot be updated too frequently.

They need to be protected with application level gateways implemented on continuously updated systems.

Detecting weak systems

Any system parts which are weak in security need to be identified and isolated. Then replaced with other similar parts in functionality so that the overall security can be improved.

If the introduction of a part causes more successful and frequent attacks, then that part is to be considered weak and should be replaced.

Bounties for weaknesses

Offer bounties to find weaknesses in your system.

Get over your fear and do it.

Most people and companies do not do it because of the fear that they have to change their systems and modify their processes.

This is why we have cyber security issues.

Separate checking system

The system software and applications which are to check the laptop, desktop or server shall reside on a separate bootable SD card.

Shutdown compromised systems

If the checking system detects anomalies, then the system needs to be quarantined and another system shall be used in its place. The data can be migrated from the old system to the redundant or replacement system.

Clean image booting

Clean booting via virtual machine images, snapshots, software like Deep Freeze and (still to be checked) Windows 10 methods needs to be used, so that the computers used for access have a low chance of being compromised by other software or configurations.

Application level gateways

Servers need protection via application level gateways.
Especially weak software which may be proprietary and whose bugs cannot all be fixed.
Some device drivers could be available only on insecure types of software, so they also need to be protected via such gateways.
Application level gateways do not pass arbitrary network traffic, so they act like firewalls as far as stopping unnecessary packets goes.

Authentic and Non auth backups

Similar to the authentic primary data servers and their replicated backup servers in the DNS root server design, application servers can be designed in the same manner. This way the reliability of the services is increased.

Offline backups

Offline and offsite backups are mandatory. Online backups can and will be compromised in cases of cyber crimes. Since the online backups are connected to the original, it can be assumed that the attacker has access to the online backups and can effectively destroy them in case they are in a position to destroy the original servers.

Encrypted backups

All backups need to be encrypted. Especially those which are stored physically offline and offsite.

They shall be transported out physically.

Use Tough encryption

Put more effort into implementing the strongest encryption techniques. If possible, even go for theoretically unbreakable encryption. Automate the process so it becomes easier to use.

Multifactor Authentication

Use more than just pass sentences. Use SMS, smart cards and more.

Secure programming

Train people in secure and reliable programming.

Hire people who know secure and reliable programming.

Continuously updated systems

There are many systems available which are continuously updated.

Learn to use them and actually use them.

Summary

So now we have covered some other methods of increasing cyber security.

To understand them in detail and to discuss your specific business and its needs, please contact us for more details.

Contact information

Applied Technology Research Center

92-331-2036-422

[email protected]

http://atrc.net.pk

Samples of attacks follow

And other suggestions

An example of a real attack

I had been getting SMS messages and emails but I did not know that the ordinary folk were being successfully looted by the billions. Had we known earlier, we would have been making presentations earlier. It was recently that the financial industry started taking a stance and started asking the companies to do something.

Carbanak

Most cybercrime targets consumers and businesses, stealing account information like passwords and other data that then lets thieves cash out hijacked bank accounts or create fake credit/debit cards.

The group now specializes in breaking into banks directly and then uses ways to funnel cash from the financial institution itself.

Carbanak deployed malware via phishing scams to get inside of computers at 100+ banks and steal between $300 million and $1 billion.

Not surprising

The attack method is related to social engineering and phishing so it is not surprising.

What I am afraid of is that we know of way more serious attack methods which have been used.

Lack of updates

Common Vulnerabilities and Exposures (CVE)

Verizon Data Breach Investigation Report (DBIR)

Lack of updates

One half of the CVEs exploited in 2014 went from publish to compromise in less than a month.

In addition, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

Lack of updates

A key point in the DBIR is that a CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild. This reinforces that patching is a significant concern and applying patches quickly and efficiently reduces the threat landscape by a significant amount.

Dependence causes weakness

Increased reliance upon technology service providers weakens the financial institutions with regards to cyber security. Institutions need to take responsibility for all outsourced technology services. Institutions must eliminate single points of failure. Dependence on one vendor for mission critical systems is not acceptable anymore. Service providers need to prove resilience (especially in the face of cyber events) and security. One way is to demand SLAs as a minimum. Plans for redundancy and backups need to be made to survive critical vendor and infrastructure failure.

A recent example of phishing

A ninth grade example from 2014

A pair of ninth-graders used a manual for a cash machine that showed them how to get into its operator mode using a guessable password. They didn't steal any cash, however, but assisted the Bank of Montreal in closing off the vulnerability.

Suggestions

A defacement is a corruption of your website.

Use static HTML for the most critical pages. This makes your website less likely to be defaced.
Use content management pages in the background pages or for pages which change a lot.

Suggestions

Have regular downloads of the website via crawling. In case your website is defaced and the content management pages are taking too long to restore, at least you shall have static pages available.

Also have regular backups via FTP so it costs less to restore the original CMS website too.
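As an added example (not code from the presentation) of the crawl-and-compare approach above: a small Python script that crawls a site, keeps a hashed static snapshot of every page, and on a later crawl flags pages that changed or disappeared. The bank.example site and its pages are constructed sample data standing in for a live server.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LinkParser(HTMLParser):
    # Collects href targets of <a> tags so the crawler can follow them.
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def crawl(start_url, fetch, max_pages=50):
    # Breadth-first crawl of one host; fetch(url) returns the body or None on error.
    host, seen, queue, pages = urlparse(start_url).netloc, set(), [start_url], {}
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue  # 404 or unreachable: the page simply does not appear in the crawl
        pages[url] = body
        parser = _LinkParser()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href).split("#")[0]
            if urlparse(target).netloc == host and target not in seen and target not in queue:
                queue.append(target)
    return pages

def snapshot(pages):
    # Baseline: SHA-256 per page plus a static copy to serve while the CMS is restored.
    return {u: {"sha256": hashlib.sha256(b.encode()).hexdigest(), "body": b} for u, b in pages.items()}

def detect_defacement(baseline, current):
    # Pages whose hash changed since the baseline, and baseline pages that vanished.
    changed = [u for u, b in current.items() if u in baseline
               and hashlib.sha256(b.encode()).hexdigest() != baseline[u]["sha256"]]
    missing = [u for u in baseline if u not in current]
    return changed, missing

# Constructed sample site: a clean crawl, then a copy where the home page was defaced
# (links kept) and the contact page no longer exists.
SITE = "https://bank.example/"
LINKS = '<a href="/rates.html">Rates</a><a href="/contact.html">Contact</a>'
CLEAN = {SITE: f"<html><body>Welcome {LINKS}</body></html>",
         SITE + "rates.html": "<html><body>Rates 2016</body></html>",
         SITE + "contact.html": "<html><body>Call the bank</body></html>"}
DEFACED = {SITE: f"<html><body>HACKED {LINKS}</body></html>", SITE + "rates.html": CLEAN[SITE + "rates.html"]}
def run_check():
    # Baseline from the clean crawl, re-crawl later, report what changed or disappeared.
    baseline = snapshot(crawl(SITE, CLEAN.get))
    return detect_defacement(baseline, crawl(SITE, DEFACED.get))
```

The "body" kept in the snapshot is the static copy that can be served while the CMS is being restored.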

Lack of training

If you want to learn about security then go to a security website. Do not go to a company site selling security products.

Examples to get you started : Sectools.org, seclists.org, nmap.org

Cybercrime bill

Make people aware of the existence of the cyber crime bill. Technically, it allows international cooperation. It might not deter the hardest criminals, but at least you can inform them that you have the legal right to prosecute for unauthorized access.

SMiShing

Phishing lures sent via SMS text message and voice phishing (vishing)

Thank you for calling Askari Bank. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press 1 now.

Caller then prompted to enter last four digits of CNIC, and then full card number and expiration date
