With customers’ hard-earned cash in their custody, banks need vigilant, vigorous IT security teams to thwart opportunist hackers. Rinaldo Ribeiro, Head of IT Risk and GRC, Commercial Bank of Dubai, discusses the role of incident visibility and employee education in guarding CBD’s crown jewels.
Is last year’s RAK Bank/Bank of Muscat theft a microcosm of weak banking security within the region, or was it a one-off case of opportunism? Do cybercriminals view the Middle East as an easy target?
I do not believe it was a “one-off case of opportunism”. These are planned and targeted attacks; searching for weaker links leading to maximised returns, and I certainly don’t see the Middle East as an easy target.
If you consider the malware case of Target in the U.S., that had a huge impact on the company. They had made large investments in all this technology but not in processes. The malware that was used against them was not that sophisticated. They had all these alerts, but no one was paying attention to them. This lack of proactive monitoring is what costs many businesses in this respect, and the Middle East region is no different in this respect.
What is your greatest challenge as an IT security professional?
The pressure from the business to move faster with business solutions whilst addressing security threats is always tough. The threat landscape is changing, but with innovation on the agenda this becomes a trickier obstacle. IT security professionals have to ensure that there is a 100 percent clear strategy that is aligned with – and is able to satisfy the needs of – the business. Delivering solutions in shorter projects that ensure effective security is a difficult balancing act.
What kind of fraud is most common in the region? Has the sophistication of the new breed of attacks made it difficult to detect and prevent threats?
In terms of the threats posed by well-funded, state-sponsored groups, you have to expect that you will be compromised at some stage. We know that malware, phishing and zero-day attacks are inevitable, so proactive monitoring and intelligence feeds are key. The average company’s infrastructure is not at risk, but as a bank you will always expect an above average level of risk to your business. Having said that, we know exactly what we have to protect. It’s all about assessing your risk, preparing for who will attack you and gaining a buy-in from the business – knowing your enemy. From the internal user standpoint, the threats that they create are easier to stop, but the press and vendors do contribute to a certain degree of hype around this.
What do Middle Eastern banks need to improve on in terms of their security?
I think there is a lack of collaboration between banks in the region. When it comes to sharing data about attacks and threats there is not enough of that here. There’s a lot of access to global data but unfortunately not here, as it would be useful in contributing towards a proactive approach.
To what extent can incident visibility prevent attacks?
Having visibility on hacking attempts and incidents is vitally important. We have to be as confident as possible in our security without being complacent. The threat landscape is changing so you have to assume you will be compromised, but the ability to react quickly is key. Given that hackers can remain on your network for an average of 230 days before they are detected, controls need to be in place for visibility, but the challenge is often how to access encrypted traffic. There’s no easy answer, but we need the right technology, people and processes to give ourselves the best chance.
Is there fundamentally anything banks can do protect themselves from hackers, or are they undermined by flawed architectures that render them inherently unsafe?
In terms of design, it is very difficult to alter the underlying – and flawed – architectures behind systems, applications and networks; recalling so much of what is out there is a mammoth task. What compounds things is knowing that the IT security community has been failing for all this time, and the fact that there are some incredibly talented people who still can do nothing to stop attacks. In a sense, doing the same thing repeatedly and expecting different results is a form of madness so in the IT security sense we have a problem in this respect.
The challenge is to segment critical, corporate data from user data so that it is not compromised. We also need to find a way to provide the necessary training and design that can work even if traditional safeguards fail.
We will be forced to consider new approaches with the introduction of trends such as BYOD and cloud, which don’t have traditional networks. With BYOD, there is a diverse mobile setup where data travels across different devices and geographies, and data is moving to a device that IT departments don’t always control. At Commercial Bank of Dubai we have rejected BYOD altogether as a precaution.
What kind of steps can a bank take to ensure their approach to fraud prevention is proactive rather than reactive?
There are three main ways to take a proactive approach: through threat intelligence; effective monitoring and improved communications. ‘Threat intelligence’ is a concept that is easier said than put into practice. Improved communications falls into two main categories: communication with customers and employee education. Thorough employee education must be provided; you cannot depend on employees to comply with IT regulations. Are employees unaware of security policies or just non-compliant and apathetic? From that standpoint regulations need to be enforced where they are penalised for IT misuse, to convey the risks that they pose to the business. It’s useful to think of threat monitoring as minimising the window of opportunity for attackers, but employee naivety as the open door through which problems can arise.
Can better security education amongst employees help prevent attacks against a company?
It can, but it is important to conduct internal exercises without bombarding employees with messages. IT leaders need a clear focus on strategies and programs that can benefit them, potentially rewarding compliance with regulations. It’s not as if education will act as a magic wand though, you can’t solely rely on education as a deterrent. Having said that, you need to assess the maturity of your user base; you may not have to be that strict with a more educated base. With that kind of group, you can be more flexible, and maybe allow the use of websites like Facebook.