Top IT Security risks and challenges Presentation to East African Information Security Conference 13th August 2013 Gideon Twesigye, CISA Internal audit manager, KCB Bank Uganda LTD

Top IT Security risks and challenges

Presentation to East African Information Security Conference, 13th August 2013

Gideon Twesigye, CISA
Internal audit manager, KCB Bank Uganda LTD

Presentation overview

• Banking industry overview
• Trends molding IT Security risk in the banking sector
• Common IT attacks witnessed
• Challenges

Banking environment

Banking Uganda – Environment

• 26 banks serving a banked population estimated at 5 Million (2009 estimate) – 16% of population in that year
• Over 500 bank branches in the country, around 600 installed ATMs
• Required minimum core capital set at UGX 25M for banks to operate
• Regulated by the Central Bank of Uganda (BOU)
• Bank services primarily concentrated in Kampala and established urban centers e.g. Mbarara, Mbale, Jinja, Arua, Masaka, etc.
• Increasing competition for business from non-traditional financial service providers like microfinance institutions, SACCOs, Mobile Telecoms.

Banking Uganda – Environment

• Increasingly investing in automated service delivery models (core banking solution acquisitions/upgrades, investments in self-service channel delivery innovations such as ATM capability expansion, e-banking, m-banking);
• Collaborations with other service delivery organizations in delivering automated payment solutions:
  – E-tax (URA)
  – E-Water (NWSC)
  – Pay TV (DSTV)
  – E-Banking & Mobile Money service integration

Risk molding trends

Trends – the social networking explosion

• Innovations in interactivity and communication styles are altering old traditional IT security assumptions:
  – The rapid transition from exclusive BlackBerry to ubiquitous smartphones and computing tablets with capacity to interface with corporate networks
  – ‘Evolution’ from emails to real-time online communication on social networks (Facebook, Twitter, YouTube, Instagram, LinkedIn, G+, news blogging) in various media (video, data, image)
• Implications
  – Bad press circulates much faster
  – Increased interactions with the outside world involve connectivity that has to be accounted for in network security strategies
  – IP easier to sneak out of the organization

Trends – Geopolitics

• Information security has attained geopolitical significance

Trends – Geopolitics

• Other illustrations
  – A hack on Estonia by Russian hackers following the removal of a WWII monument honoring a Russian soldier virtually crippled the country’s financial sector, which is highly e-based
  – ‘Suspected’ US-Israel spy program attacked an Iranian nuclear facility, damaging key equipment while spying on them as they worked. This delayed the country’s progress on its nuclear program
  – Red October espionage ‘virus’ detected by Kaspersky in 2012 had targeted diplomatic, governmental and scientific research organizations in several countries for the previous five years – including UGANDA
  – And then there are the hacktivists

Trends – Geopolitics

• Implications
  – Increased compliance workload in meeting security specifications to prove due diligence in anti-money laundering/espionage
  – National governments are more interested not only in knowing what is happening in IT
  – Increased burden on establishing disaster recovery and business continuity over more distributed networks

Trends – the ‘Tech’ edge

• Harnessing of the e-infrastructure has become a national competitiveness imperative

“… innovations in Information and Communication Technology, Science and Technology are no longer an option in today’s global competitive economic environment” – Maria Kiwanuka, Finance Minister Uganda, National Budget 2013/2014 speech

Trends – the ‘Tech’ edge

• Technology developments in G2C e-initiatives
  – URA eTax developments
  – Utility company interfaces with banking and mobile money services
  – Government process automation and integration (IFMS, Lands system, Integrated Payroll system, etc.)
• Implications
  – National level efforts to standardize laws, policies, procedures, standards and guidelines on information security affecting business compliance
  – New interdependencies between government, citizens and private businesses heighten the ‘CIA’ expectations on information
  – Vulnerabilities at the third-party end of interfaces could result in exposure of banking systems

Trends – Hacking demystified

• Opportunists are waiting in the wings to capitalize on network vulnerabilities
  – Scale of computer cybercrime – 1.5 million victims daily
  – Global price tag of computer cybercrime – USD 110BN annually
  – Changing face – goes social and mobile
  (Source: 2012 Norton Cybercrime report)
• Uganda??
  – Increased record of electronic-based frauds during 2011, 2012 and 2013
    • ATM and electronic payment card skimming
    • Child pornography
    • Email hacking
    • Mobile money frauds

Trends – Hacking demystified

• And it is not that hard to do
  – The tools are readily available and FREE

Trends – Hacking demystified

• Implications
  – The threat is no longer limited to only IT staff
    • Not all the tools are IT in nature (social engineering, ‘dumpster diving’)
    • IT knowledge no longer limited to those that have specially trained for it (most hackers are hobbyists, and believe they know more than IT guys).

Trends – The trusted insider

• Over 70% of all reported fraud cases in the industry during F/Y 2012 were perpetrated either directly or with the involvement of insiders
• External hackers appropriately assessed money as a motivation to get insiders to leak them information
  – Or to simply plant that key logger and get it back to them, skim ATM cards with a hand-held skimmer and return the data to them, etc.
• Tendency still leans towards affording insiders more freedoms on internal networks
  – Sometimes on the pretext that doing so speeds up service delivery
  – Segregation of duties conflicts arise, offering a single user the opportunity to input and authorize transactions, install unauthorized software on a domain PC, etc.
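The segregation-of-duties conflict described above (one user both inputting and authorizing a transaction) is the kind of thing an internal audit team can test for mechanically. The following is an added example, not code from the presentation or from KCB; the record layout, role names and sample data are constructed assumptions. It reports both transactions that were actually self-approved and users whose entitlements would allow it.

```python
# Added example: maker/checker segregation-of-duties check over a constructed
# transaction log and a constructed role table. Field names, role names and
# the sample records are assumptions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    maker: str    # user who input the transaction
    checker: str  # user who authorized it
    amount: int   # amount in UGX (constructed values)


def sod_violations(txns, roles):
    """Return findings as (kind, detail) tuples, in the order detected.

    'self_approval'    : the same user input and authorized a transaction
                         (a detective control, run against the log).
    'toxic_role_combo' : a user holds both INPUT and AUTHORIZE roles, so a
                         self-approval is possible even if none has occurred
                         (a preventive control, run against entitlements).
    """
    findings = []
    for t in txns:
        if t.maker == t.checker:
            findings.append(("self_approval", t.txn_id))
    for user, held in roles.items():
        if {"INPUT", "AUTHORIZE"} <= set(held):
            findings.append(("toxic_role_combo", user))
    return findings


# Constructed sample data: three transactions and a role table.
SAMPLE_TXNS = [
    Txn("T001", maker="alice", checker="bob", amount=250_000),
    Txn("T002", maker="carol", checker="carol", amount=9_800_000),  # self-approved
    Txn("T003", maker="bob", checker="alice", amount=120_000),
]
SAMPLE_ROLES = {
    "alice": ["INPUT"],
    "bob": ["AUTHORIZE"],
    "carol": ["INPUT", "AUTHORIZE"],  # conflicting entitlements
}

if __name__ == "__main__":
    for kind, detail in sod_violations(SAMPLE_TXNS, SAMPLE_ROLES):
        print(f"{kind}: {detail}")
```

In practice the same two checks are run against the core banking system's audit trail and its user/role export rather than inline data.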

Active attacks witnessed

Attacks witnessed in the market

• Electronic card skimming (read about the smashed Bulgarian ring in the news?);
• Password theft (using key loggers and social engineering tactics);
• Email hacking;
• Phishing (particularly of concern for banks on the internet banking service delivery channel);
• Botnets*

IT frauds in the banking industry resulted in over UGX 1BN loss in FY 2012!!!

Meeting the threat - challenges

Challenges – Optimizing IT security governance

A lot of business executives who are not IT-savvy will toss the problem over to the IT side even though most IT projects are really business projects. Instead, the executives need to engage IT through a governance model, whether it’s an IT steering committee or an IT governance board. You need the executives to jointly drive what they need from IT so that they can do the give and take that is necessary when there isn’t enough money to get everything done.

- CIO, IT Services (extracted from Infotech research group – Establishing an Effective IT Steering committee)

Challenges – Optimizing IT security governance

• IT on the governance agenda
  – Not common to find constituted IT steering committees at board and senior management levels (improving though)
• IT security risk management
  – The overall enterprise risk management discipline is still gaining traction in the banking sector
    • Significant gains have been made but it’s still a work in progress
  – IT Security risk still approached in a silo – usually not sufficiently tied to other business risks and assessed along with them
  – Data classification still a challenge
  – Policies usually copied from other institutions and customized, but not against a risk assessment conducted by individual banks

Challenges – Enhancing team competencies

• Significant reliance still being placed on IT teams to manage information security
  – Not many in the current market have specialized in information security management
  – Creates a situation of the guardians guarding themselves
  – IT still does not talk ‘business’ very well
• Banks have only recently begun to include security auditing competencies on their teams

Challenges – Identifying reliable partners

• Informing and skilling existing teams still remains the key need banks seek from third-party IT security service providers
  – Currently no consistent source of information on IT security risk statistics and benchmarks specific to East Africa
  – Service providers (e.g. external audit) do not readily share custom audit tools and programs with internal audit teams or IT security teams
  – Limited availability of licensed partners to provide and support some of the more established data security software and/or training and certification programs
  – Until recently (ISACA and NITA), there have been few authorities close to home providing ‘best practice’ standards and guidance applicable to the entire industry
• Or is it perhaps that banks have not known what to ask for…?

Thank You!

Q&A