There have been reports in media that the government of India has sounded an alert with all the top banks, and instructed them to inform about any breach in their IT systems within 120 minutes as the firewall against cyber hackers is strengthened in view of the large number of digital transactions.
This is an essential move which may be considered as too little, too late. Such a notification should not be limited to top banks, but should be for the entire spectrum of financial industry including the regular banks, cooperative banks, payment banks, the card brands such as VISA, MasterCard and our own desi RuPay and not to forget the private wallet services such as Paytm and Mobikwik and the like.
Cert-In, which is operational since 2004 has been the nodal agency for responding to cyber security incidents as they occur. However, its role until now in enhancing the collaboration amongst the industry stakeholders for notifying and sharing threat and attack information may be taken with a pinch of salt. Further, there has not been any clear mandate until now for timely notification of security breaches.
The “Cyber Security Framework in Banks” published by RBI in June, 2016 mandates notification of security incidents faced by Indian Banks to – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT, but does not specify a minimum time period for the notification. Further, RBI governs only the banks and so the spectrum of other financial organizations is not covered in the scope of the framework.
It has been a common phenomenon in the world of security that “Bad guys collaborate, good guys don't”. While the bad guys are well funded by crime organizations and anti-state agencies and benefit from higher degree of collaboration by multiple attackers (underground communities), the good guys often are the victims, work in silos and do not collaborate or share threat and attack information.
Over a period of time, cyber-attacks have become highly sophisticated and have evolved from high scale low focus to low scale and high focus. And generally, the attacks have been for a certain business sector in certain geography. For example, the attack could be on top 3 or top 5 banks in India, instead of a global attack against all financial institutions.
With the wave of demonetization and sudden push for digital economy, it is very likely that security incidents and frauds will be on a rampant rise as the financial institutions start cutting corners when it comes to security of new services as they compete neck to neck to gain the first movers advantage. In this mad rush, security often takes a back seat, thereby introducing vulnerabilities that might be leveraged by fraudsters to defraud innocent customers. It was in news few weeks ago how one of the private wallet companies hurriedly rolled out a new feature to leverage the demonetization wave and then rolled it back due to security concerns.
Moreover, other factors such as lack of security awareness amongst the masses resulting in poor security practices such as rampant usage of pirated software, missing basic security controls such as anti-virus on customer devices, usage of rooted and jailbroken devices etc. amongst many other factors contribute to the rapid increase in security incidents and frauds against the end customers as they embrace digital economy.
Sharing the attack vectors, threat intelligence and other IOCs (Indicators of Compromise) such as Virus signatures and IP addresses, MD5 hashes of malware files, URLs or domain names of botnet command and control servers etc. at the earliest would help other banks take proactive precautionary measures immediately to avoid similar attack on other banks in the region. If one bank experiences an attack, others can take precautions and increase their preparedness to face such an attack. Collaborating mutually helps to make informed decisions, thus enabling to respond to attacks proactively and quickly.
Further, timely sharing of threat and attack information will help other banks to proactively test their resilience to such specific attack, implement focused monitoring and enhance security controls to thwart similar attack. If bank A is experiencing a certain kind of DDoS (Distributed Denial of Service), other banks should enhance their monitoring and protection mechanisms. If bank B is experiencing a cyber breach or attempts of breach from certain IPs or certain countries, this information should be shared at the earliest so that other banks and organizations can put in extra monitoring or possibly block those IPs. If bank C is experiencing the deadly SQL injection or Ransomware, sharing this information asap can help other banks take preventive measures.
The recent security breach resulting in disclosure of several million debit and credit card information for customers pertaining to various Indian banks is a classic case in hand that necessitates effective collaboration and threat information sharing.
Each bank may have their own level of maturity in terms of people (cyber security professionals), process (detection and response mechanisms) and technology (detection and response technologies). If multiple banks are facing similar attack simultaneously, collaboration and sharing may even help to figure out missing blocks in the puzzle if any in a quick and efficient manner by leveraging the people, process and technology available across the victim banks.
With the current government’s dream of digital India and the shift to digital transactions, the need of the hour is to take cyber security more seriously than ever. It is important to change the approach from a compliance based security to risk based security while implementing a sound security governance, robust risk management as an integral part of business processes, an effective security compliance while giving adequate focus to proactive security monitoring and incident management frameworks and not to forget a security awareness program for the customers. Collaboration amongst the industry is crucial for the proactive threat and incident management to avoid security breaches or better respond to these.
I conclude by quoting the old saying from John Dickinson which still has its relevance even in the current day “United we stand, divided we fall”.
Comments