Top IT Security risks and challenges
Presentation to the East African Information Security Conference, 13th August 2013
Gideon Twesigye, CISA, Internal Audit Manager, KCB Bank Uganda LTD

Presentation overview
• Banking industry overview
• Trends molding IT security risk in the banking sector
• Common IT attacks witnessed
• Challenges

Banking Uganda – Environment
• 26 banks serving a banked population estimated at 5 million (2009 estimate), 16% of the population in that year
• Over 500 bank branches in the country, around 600 installed ATMs
• Required minimum core capital set at UGX 25M for banks to operate
• Regulated by the Central Bank of Uganda (BOU)
• Bank services primarily concentrated in Kampala and established urban centres, e.g. Mbarara, Mbale, Jinja, Arua, Masaka, etc.
• Increasing competition for business from non-traditional financial service providers like microfinance institutions, SACCOs and mobile telecoms

Banking Uganda – Environment
• Increasingly investing in automated service delivery models (core banking solution acquisitions/upgrades, investments in self-service channel delivery innovations such as ATM capability expansion, e-banking and m-banking)
• Collaborations with other service delivery organizations in delivering automated payment solutions:
  – E-Tax (URA)
  – E-Water (NWSC)
  – Pay TV (DSTV)
  – E-Banking & Mobile Money service integration

Trends – the social networking explosion
• Innovations in interactivity and communication styles are altering old traditional IT security assumptions:
  – The rapid transition from exclusive BlackBerry devices to ubiquitous smartphones and computing tablets with the capacity to interface with corporate networks
  – The ‘evolution’ from email to real-time online communication on social networks (Facebook, Twitter, YouTube, Instagram, LinkedIn, Google+, news blogging) in various media (video, data, image)
• Implications
  – Bad press circulates much faster
  – Increased interactions with the outside world involve connectivity that has to be accounted for in network security strategies
  – IP (intellectual property) is easier to sneak out of the organization

Trends – Geopolitics
• Other illustrations
  – A hack on Estonia by Russian hackers, following the removal of a WWII monument honouring a Russian soldier, virtually crippled the country’s financial sector, which is highly e-based
  – A ‘suspected’ US-Israel spy program attacked an Iranian nuclear facility, damaging key equipment while spying on the operators as they worked. This delayed the country’s progress on its nuclear program
  – The Red October espionage ‘virus’, detected by Kaspersky in 2012, had targeted diplomatic, governmental and scientific research organizations in several countries for the preceding five years, including UGANDA
  – And then there are the hacktivists

Trends – Geopolitics
• Implications
  – Increased compliance workload in meeting security specifications to prove due diligence in anti-money laundering/espionage
    • National governments are more interested not only in knowing what is happening in IT
  – Increased burden of establishing disaster recovery and business continuity over more distributed networks

Trends – the ‘Tech’ edge
• Harnessing of the e-infrastructure has become a national competitiveness imperative
  “… innovations in Information and Communication Technology, Science and Technology are no longer an option in today’s global competitive economic environment”
  – Maria Kiwanuka, Finance Minister of Uganda, National Budget 2013/2014 speech

Trends – the ‘Tech’ edge
• Technology developments in G2C e-initiatives
  – URA eTax developments
  – Utility company interfaces with banking and mobile money services
  – Government process automation and integration (IFMS, Lands system, Integrated Payroll system, etc.)
• Implications
  – National-level efforts to standardize laws, policies, procedures, standards and guidelines on information security, affecting business compliance
    • New interdependencies between government, citizens and private businesses heighten the ‘CIA’ (confidentiality, integrity, availability) expectations on information
  – Vulnerabilities at the third-party end of interfaces could result in exposure of banking systems

Trends – Hacking demystified
• Opportunists are waiting in the wings to capitalize on network vulnerabilities
  – Scale of computer cybercrime: 1.5 million victims daily
  – Global price tag of computer cybercrime: USD 110BN annually
  – Changing face: cybercrime goes social and mobile
  (Source: 2012 Norton Cybercrime Report)
• Uganda??
  – Increased record of electronic-based frauds during 2011, 2012 and 2013
    • ATM and electronic payment card skimming
    • Child pornography
    • Email hacking
    • Mobile money frauds

Trends – Hacking demystified
• And it is not that hard to do
  – The tools are readily available and FREE

Trends – Hacking demystified
• Implications
  – The threat is no longer limited to IT staff
    • Not all the tools are IT in nature (social engineering, ‘dumpster diving’)
    • IT knowledge is no longer limited to those who have specially trained for it (most hackers are hobbyists who believe they know more than the IT guys)

Trends – The trusted insider
• Over 70% of all reported fraud cases in the industry during F/Y 2012 were perpetrated either directly by insiders or with their involvement
• External hackers have correctly assessed money as a motivation to get insiders to leak them information
  – Or to simply plant that key logger and get it back to them, skim ATM cards with a hand-held skimmer and return the data to them, etc.
• The tendency still leans towards affording insiders more freedoms on internal networks
  – Sometimes on the pretext that doing so speeds up service delivery
  – Segregation-of-duties conflicts arise, offering a single user the opportunity to both input and authorize transactions, install unauthorized software on a domain PC, etc.

Attacks witnessed in the market
• Electronic card skimming (read about the smashed Bulgarian ring in the news?);
• Password theft (using key loggers and social engineering tactics);
• Email hacking;
• Phishing (particularly of concern for banks on the internet banking service delivery channel);
• Botnets*

IT frauds in the banking industry resulted in over UGX 1BN loss in FY 2012!!!

Challenges – Optimizing IT security governance
“A lot of business executives who are not IT-savvy will toss the problem over to the IT side even though most IT projects are really business projects. Instead, the executives need to engage IT through a governance model, whether it’s an IT steering committee or an IT governance board. You need the executives to jointly drive what they need from IT so that they can do the give and take that is necessary when there isn’t enough money to get everything done.”
– CIO, IT Services (extracted from Infotech research group – Establishing an Effective IT Steering Committee)

Challenges – Optimizing IT security governance
• IT on the governance agenda
  – Not common to find constituted IT steering committees at board and senior management levels (improving, though)
• IT security risk management
  – The overall enterprise risk management discipline is still gaining traction in the banking sector
    • Significant gains have been made, but it is still a work in progress
  – IT security risk is still approached in a silo, usually not sufficiently tied to other business risks and assessed along with them
  – Data classification is still a challenge
  – Policies are usually copied from other institutions and customized, but not against a risk assessment conducted by the individual bank

Challenges – Enhancing team competencies
• Significant reliance is still being placed on IT teams to manage information security
  – Not many in the current market have specialized in information security management
  – Creates a situation of the guardians guarding themselves
  – IT still does not talk ‘business’ very well
• Banks have only recently begun to include security auditing competencies on their teams

Challenges – Identifying reliable partners
• Informing and skilling existing teams remains the key need banks seek from third-party IT security service providers
  – Currently no consistent source of information on IT security risk statistics and benchmarks specific to East Africa
  – Service providers (e.g. external audit) do not readily share custom audit tools and programs with internal audit teams or IT security teams
  – Limited availability of licensed partners to provide and support some of the more established data security software and/or training and certification programs
  – Until recently (ISACA and NITA), there have been few authorities close to home providing ‘best practice’ standards and guidance applicable to the entire industry
• Or is it perhaps that banks have not known what to ask for…?