We are carrying out fresh Cyber Risk Assessment in 2018: Jagmohan Singh, CISO, Canara Bank
Jagmohan Singh, CISO, Canara Bank, in an interaction with EC’s Rachana Jha explains how the banking sector has witnessed major changes in last few decades in terms of cyber security, what are Canara Bank’s fresh plan to mitigate the cyber attacks in the new year and, how technologies like Artificial Intelligence (AI) is making its ways in the banking industry
Some edited excerpts…
Can you explain some major changes that banking has undergone in last few decades?
Banking has undergone several disruptive changes during last decade. Adoption of various existing and emerging technologies by the banks along with innovations in internal operations and external interfaces has leveraged the customer service potential to a greater extent. However, still, there is a lot more stuff in technology which is not yet exploited to its fullest extent like Big Data Analytics, AI, HyperLearning, Digital Marketing and newer architectures relating to connectivity amongst various channel partners. A lot more can be achieved by integrating multiple industries – product delivery mechanisms and electronic payment systems available currently. NPCI is coming up with many such integrations leading to direct debit billing systems using NACH (National Automated Clearing House). NPCI/RBI should explore the possibility of hosting a single comprehensive platform for on-boarding various entities which can integrate their services/offerings with their payment service providers/banks/FIs on a plug-and-play basis (for example, basing upon readily available web-services/API stack) facilitating a quick integration between business partners of host financial institutions. This will reduce the risk and effort of managing multiple individual integrations as well as make the business environments more flexible with quick integration in case of partnerships.
Coming to typical security risks being faced by Banks in today’s eco-system, which are data theft, identity theft and card-related frauds apart from vendor risk in traditional and cloud environment. In financial frauds, it is important to detect the same quickly in order to minimize the quantum damage from a loss event. From my experience, I still believe that the people are the weakest link and hackers/fraud-perpetrators engage most of the time in social engineering, phishing or rouge app kind of tricks for gaining easy access to the wealth of other people. In recent days, Ransomware has also become a menace. It is also having different flavors like asking ransom in Bitcoins by encrypting the data on a device, or on the other hand, indulging on cyber extortion/blackmailing for having obtained sensitive personal/private information about an individual using spy malware/pixel trackers etc, and using this information for asking ransom or secret information about the organization. These tricks are very simple and being put into action by organizing gangs. In fact, in the dark web, these organized gangs also offer hacking or fraud as a service.
Is cyber security a concern for banking sector undergoing digital transformations?
Definitely, with my experiences, I can say that cyber security has become the biggest concern. In today’s world, businesses are purely driven by technology and in light of various electronic business integrations with payment systems, this concern has gained more gravity. In recent years, banking sector across the world has witnessed varied attacks on payment systems. In many cases, the nature of an attack and the motive was unfamiliar. Organized crime and state-sponsored motives are becoming common. Regulators as well as banks are now more focused on cyber security. Any new application or modifications in existing application or adjustments to delivery channels are being audited as per best practices like source code audit, network audit, configuration audits and rigorous VAPT testing. The regulator is also following up with banks very seriously on compliance with circular on Cyber Security Framework dated June 2, 2016 apart from the status of various data points and subjective points to access the cyber security posture of the bank at a given point of time which includes best cyber security practices. Regulators do not want to take a chance and also conducts Cyber Security IT Examination of the banks at regular intervals. Regulators also insist on strengthening cyber security department of banks as well as put stress on having separate cyber security budget.
How can banking sector mitigate these attacks? What strategies can encounter security threats?
Though banks are investing largely on various security products and configurations including deception technology, anti-phishing services, fraud management softwares, dark web monitoring services, threat intelligence integration and correlation with their security operation mechanisms in compliance with regulator framework or proactively over and above the framework/guidelines, I still feel that most of the attacks are linked to lack of awareness of people where individuals are compromised using various techniques like phishing or trackers. Best strategies amongst many includes, to make e-mail security robust by implementing SPF, DKIM, and DMARC and also blocking certain type of file formats to avoid pixel trackers, validations on file uploads etc. Creating awareness amongst the employees by security awareness training and tabletop exercise is also of utmost importance. Keeping endpoint desktops and servers secured through AV and keeping it update is becoming most pertinent. OS Patches also need to be current and updated. In fact, banks needs to focus on best practices and basic hygiene. Security cannot be fitted into an organization within a day. As for a good health, Yoga needs to be practiced for a longer period of time (not on a single day), similarly basic hygiene of security need to be followed in regularity. It’s a matter of nurturing a culture.
In terms of security, 2017 was a year full of fluctuations. In your opinion, what were the notable developments last year witnessed?
Ransomware attacks and aftermath mechanisms adopted by organizations were worth notable. Many organizations failed to address SMB vulnerabilities even through patch was readily available and gave way to malware with capabilities of remote code execution. Wannacry and Petya attacks paralyzed many organizations during 2017. Analyst anticipated a rise in malware specifically targeting industrial control systems (ICS). Attacks exploiting SSL/TLS older versions, SQL Injection attacks on the web have been unearthed. This has brought organizations to be more sensitive towards secured coding practices, conducting frequent VAPT and keeping updated OS patches and AVs. Organizations started adopting nontraditional security practices like threat intelligence correlation, dark-web monitoring services etc. One of the notable developments from regulator side is obtaining regular feedback by banks on cyber security posture, in form of replies to a cyber questionnaire consisting of objective and subjective data points.
What are your strategies in 2018 for Canara Bank?
First of all, I have plans to nurture and sustain a basic cyber security hygiene in our bank. We are carrying out fresh cyber risk assessment on the basis of information asset criticality and making it a regular activity so that the effectiveness/necessity of controls can be revisited and appropriate strategy can be adopted. We also have plans to introduce process automation using AI/RPA/Hyper-learning. We also wish to strengthen our Security Operation Center with a team of expert and automated event analysis and incident response capabilities.
Since business demands increased connectivity and the opening of interfaces with delivery partners, our focus is on how to become strategically open, but still secure.
How technologies like AI can create importance-performance matrix in the banking industry? In which areas AI can be useful in security?
AI is very fast making its ways in industry and security operations as well is also not untouched by this technology advancement. AI and Hyper-learning coupled with Robotic Process Automation can bring wondering efficiency into the security operations. The logs from critical sources and critical applications can be parsed based upon dependable use-cases and can be fed to SIEM, wherein an RPA BOT can filter the same and can initiate automated incidence response. RPA with AI/Hyper Learning can drastically filter out the false positives and make the effective use of teams in analyzing only meaningful logs/events. AI can also be coupled with block-chain technology to bring efficiency in the process of supply chain management and similar solutions. This can also be leveraged to achieve multiple points monitoring of the status of a security device/log/application.
For the digitization of business, which new technology platforms will be considered in 2018?
The new innovative digital technologies and futuristic thought processes have given birth to whole new businesses and social dimensions. In the digitization world, multiple business integrations with payment service providers (banks, payment banks, and FIs) will become more and more popular. Technology offerings in digital payments landscape will become more aggressive. Projects like Make in India and Digital India are slowly bringing sustainable digitization and growth in its usage. Latest technology and service offerings in the new-age digital payments space by the banks, such as Unified Payments Infrastructure (UPI) including BHIM (Bharat Interface for Money) which is a mobile app developed by National Payments Corporation of India (NPCI), Bharat Bill Payment System (BPSS), mobile money, e-wallets, payment aggregation etc, are going to create a revolution in payment processing and the way businesses interact.
In information security space, the trend is going to shift from protection to prevention. Meity has recently started ‘Cyber Swachh Bharat Program’ which envisages capacity building by training initially 1,200 CISOs in the country in collaboration with leading names in IT Industry like Microsoft etc. Later government plans to cover 5,000 CISOs.
Banks and FIs including payment banks are going to focus more on preventive technologies. The business integrations will necessitate the tackling of interoperability issues with much care. In both business solutions space and Information security space, the use of AI/Hyper-learning solutions is going to increase rapidly. Few of the new technologies which will be seen to make its way rapidly into both business space and security space will be IoT based solutions and block-chain technology-based solutions where research is rapidly going on.