Managing IT Risks in Internet Banking, November 2015
Things to Discuss
1. Navigating Internet Banking Further
2. Understanding User Behaviors and Expectations
3. Acquiring and Developing Internet Banking Services
4. Understanding Change Management and Problem Management
5. Comprehending Information Security and Privacy
6. Navigating Continuity and Recovery
7. Auditing, Assessing and Testing Activities
8. Conducting IT Risk Management
Navigating Internet Banking Further
Internet Banking Revisited
“Provision of banking services and products via electronic delivery channels based on computer networks or internet technologies, including cellular or wireless networks, web-based applications and mobile devices.”
Why Internet Banking?
In the Indonesian technology context:
• Mobile phone users are numerous (estimated 60% feature phones and 40% smartphones) ~ citing Redwing Asia 2015
• SIM cards sold surpass the total population (121%) ~ citing GSMA Q4 2014
• Active mobile phone users: 54 million ~ various sources Q1 2015
• Ranked in the world's top ten by number of internet users (72+ million) ~ various sources Q1 2015
Why Internet Banking? (cont’d)
Economic and Industry Perspectives:
• Economic outlook (>4%) ~ citing ADB recent stats
• Stable inflation and interest rate ~ citing ADB recent stats
• 4G technology edges closer
• US$4.5B investment in telematics (US$300m for cellular phones) ~ citing IndonesiaInvestments May 2015
• IT spending of US$20+B ~ citing IDC in early 2015
• 80% of budget goes to corporates and enterprises (majority in Banking & Telco) ~ citing IDC in early 2015
Why Internet Banking? (cont’d)
• 30% savings account owners
• 7% credit card subscribers
• 50 million Facebookers (Top 5)
• 40 million Twitterers (Top 5)
• 4 million Kaskusers
• 85 million middle class
• 5 million middle class growth per year
• 3% internet user growth per year
Let’s Dig Deeper into the Numbers…
Understanding User Behaviors and Expectations
Indonesia E-Channel Banking Services
Channels with most users (Kadence International 2014 research):
• mobile banking (67%)
• internet banking (54%)
• phone banking (28%)
Most Considered Factors by Indonesians
According to the same study:
• Speed
• Security level
• Easy registration
• Easy to use
What Mobile Phone Users Do
• No password
62% of smartphone users leave their devices unprotected (from the ‘Protect Your Bubble’ study)
• Auto sign-in
Don’t use it for banking and financial services
• Phishing email
156 million sent every day across the globe; 4% of them succeed
• Sensitive info on social media
75% of identity thieves capitalize on this when targeting their victims, including the geotagging feature
What Mobile Phone Users Do (cont’d)
• Sharing data with unknown parties
Accounts for around 27%, attained through phone calls using a fake ID or false identity.
• Connected to unprotected networks
52% plugged into unsafe Wi-Fi and/or plain networks
Factors to Consider In Details
• Data confidentiality
• System integrity
• System availability
• Customer and transaction authenticity
• Customer protection
Acquiring and Developing Internet Banking Services
System Development Life Cycle
Things to Consider:
• Tasks and processes for developing new systems should include assignment and delineation of responsibilities and accountabilities for system deliverables and project milestones.
• Business and functional requirements, systems design, technical specifications and service performance expectations should be adequately documented and approved at appropriate management levels.
System Development Life Cycle (cont’d)
• Security requirements should be clearly specified:
– System access control
– Authentication
– Transaction authorization
– Data integrity
– System activity logging
– Audit trail
– Security event tracking
– Exception handling
• A compliance check against the bank’s security standards and regulatory requirements is expected.
System Development Life Cycle (cont’d)
• The methodology approved by management should set out how and what system testing should be conducted:
– Scope should cover business logic, security controls and system performance under various stress load scenarios and recovery conditions.
– Full regression testing is required to be performed before major system rectification or enhancement is implemented.
– Test results should be reviewed and signed off by users whose systems and operations are affected by the new changes.
System Development Life Cycle (cont’d)
• To control migration of new systems or changes to the production environment, it is important that separate physical or logical environments be maintained for unit, integration, system and user acceptance testing.
• Vendor and developer access to the UAT environment should be strictly monitored.
Outsourcing Management
• Contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties should be carefully and properly defined in written agreements.
• Agreements shall cover performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facility.
Outsourcing Management (cont’d)
• Unless acceptable arrangements have been made and mutually agreed, the service provider should be required to provide access to all parties nominated by the bank to:
– Its systems
– Operations
– Documentation
– Facilities
to carry out any review or assessment for regulatory, audit or compliance purposes.
Outsourcing Management (cont’d)
• Banks and service providers must observe requirements of banking secrecy under banking laws and regulations.
• Contracts and arrangements with service providers should take into account the need to protect the confidentiality of customer information as well as the necessity to comply with all applicable laws and regulations.
Monitoring Outsourcing Management
• The bank should require the vendor to implement security policies, procedures and controls at least as stringent as it would expect for its own operations.
• It should review and monitor the security practices and processes of the vendor on a regular basis, including commissioning or obtaining periodic expert reports on security adequacy and compliance in respect of the operations of the vendor.
• A process for monitoring service delivery, performance reliability and processing capacity of the vendor should also be established for gauging ongoing compliance with the agreed SLA and the viability of its operations.
The Vendor’s Contingency and BCP
• Management should require the vendor to develop and establish a BCP and DRP framework.
• As human error still accounts for the bulk of system downtime and failures, all parties and personnel concerned should receive regular training in activating the contingency plan and executing the recovery procedures.
• The plan should be reviewed, updated and tested regularly in accordance with changing technology conditions and operational requirements.
Understanding Change Management and Problem Management
Comprehending Information Security and Privacy
Security vs Privacy
First Part: Security
[Slide 41: figure. Source: IBM; [1] UNODC Comprehensive Study on Cybercrime, 2013]
[Slide 42: figure. Source: IBM; [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies]
[Slide 43: figure. Source: IBM; [6] ESG: http://bit.ly/1xzTmUW]
Notable Cyber Attacks
In 2014 the Federal Bureau of Investigation (FBI) listed these, starting from the most frequent:
• Viruses
• Employee abuse of internet privileges
• Unauthorized access by insiders
• Denial of Service
• System penetration from the outside
• Theft of proprietary information
• Sabotage of data/networks
• Probing/scanning systems
• Financial fraud
Notable Cyber Attacks (cont’d)
• Manipulating data integrity
• Installing a sniffer
• Stealing password files
• Trojan logons
• IP spoofing
Another Perspective on Attacks
Key findings from the 2014 US State of Cybercrime Survey (with PwC):
• 80% of attacks rely on exploits that we can readily defend against
– Focus on security awareness
– Properly maintained IT infrastructure
– Effective monitoring
• 15% of attacks can be mitigated with a solid security strategy
• 5% are sophisticated/nation-state attacks
Common Cyber Attacks
• Unauthorized access
• Theft of information
• Email bombing
• Data diddling
• Salami attacks
• Denial of Service
Common Cyber Attacks (cont’d)
• Virus and worm attacks
• Logic bombs
• Trojan attacks
• Internet time thefts
• Web jacking
• Theft of computer system
• Physically damaging a computer system
Defining Cyber Crime
• Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
• With the pervasion of digital technology, new terms like "high-technology" or "information-age" crime were added to the definition. The Internet also brought other new terms, like "cybercrime" and "net crime".
• Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
Cyber Criminals: Who Are They Really?
• Kids (age group below 17)
• Disgruntled employees
• Organized hacktivists
• Professional hackers (corporate espionage), either white or black hats
• Cyber terrorists (political motive)
Cyber Crime-as-a-Service Marketplace
• Has continued to mature over the past two years.
• Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
• Has become fiercely competitive.
• Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
• Generalized increase in the quality of malware produced.
• Enables a much larger pool of bad actors with no technical knowledge to profit.
Cyber Crime-as-a-Service Marketplace (cont’d)
• Many types of attack are simple and low cost.
• Phishing attacks: 500,000 email addresses cost $30.
• Hosting a phishing site can be more or less free.
• Thousands of credit cards can be stolen in return for around $100.
Cyber Crime-as-a-Service Marketplace (cont’d)
[Slide 53: figure, courtesy of EMC]
How to Respond?
Human Resources Management
• Internet security ultimately relies on trusting a small group of skilled personnel, who must be subject to proper checks and balances.
• For this very reason, their duties and access to system resources must be placed under close scrutiny.
• Stringent selection criteria and thorough screening are applied in appointing personnel to internet operations and security functions.
• Personnel involved in developing, maintaining and operating websites and systems should be adequately trained in security principles and practices.
Human Resources Management (cont’d)
• Never alone principle
Because of the sensitive and critical nature of certain system functions and procedures, they should be jointly carried out by more than one person, or performed by one person and checked by another:
– Systems initialization
– Network security configuration
– Access control system installation
– Changing operating system parameters
– Implementing firewalls and intrusion prevention systems
– Modifying contingency plans
– Invoking emergency procedures
– Obtaining access to backup recovery resources
– Creating master passwords and cryptographic keys
Human Resources Management (cont’d)
• Segregation of duties principle
Responsibilities and duties should be separated and performed by different groups of personnel for:
– Operating systems function
– Systems design and development
– Application maintenance programming
– Computer operations
– Database administration
– Access control administration
– Data security
– Librarian
– Backup data file custody
• Transaction processes should be designed so that no single person can initiate, approve, execute and enter transactions into a system in a manner that would enable fraudulent actions to be perpetrated and processing details to be concealed.
Human Resources Management (cont’d)
• Access control principles
– Access rights and system privileges must be based on job responsibility and the necessity to have them to fulfil one's duties.
– No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.
– Only employees with proper authorization should be allowed to access confidential information and use system resources, solely for legitimate purposes.
Human Resources Management (cont’d)
• Internal sabotage, clandestine espionage or furtive attacks by trusted employees, contractors and vendors are potentially among the most serious risks that a bank faces.
• Current and past employees, contractors, vendors and those who have an intimate knowledge of the inner workings of the bank’s systems, operations and internal controls have a significant advantage over external attackers.
Human Resources Management (cont’d)
• No one should have concurrent access to both production systems and backup systems, particularly data files and computer facilities.
• Any person who needs to access backup files or system recovery resources should be duly authorized for a specific reason and a specified time only.
• Access which is not for a specific purpose and for a defined period should not be granted.
Human Resources Management (cont’d)
• Personnel from vendors and service providers, including consultants, who have been given authorized access to the organization's critical network and computer resources pose similar risks.
Applying Control and Security Practices
• Implement two-factor authentication for privileged users
• Institute strong controls over remote access by privileged users
• Restrict the number of privileged users
• Grant privileged access on a “need-to-have” basis
• Maintain audit logging of system activities performed by privileged users
• Ensure that privileged users do not have access to the system logs in which their activities are being captured
Applying Control and Security Practices (cont’d)
• Conduct regular audit or management review of the logs
• Prohibit sharing of privileged IDs and their access codes
• Disallow vendors and contractors from gaining privileged access to systems without close supervision and monitoring
• Protect backup data from unauthorized access
Security Practices Further
• Deploy hardened operating systems, systems software and firewalls, configured to the highest security settings consistent with the level of protection required, keeping abreast of updates, patches and enhancements recommended by system vendors
• Change all default passwords for new systems immediately upon installation
• Install firewalls between internal and external networks as well as between geographically separate sites
• Install intrusion detection-prevention devices (including denial-of-service security appliances where appropriate)
• Develop built-in redundancies for single points of failure which can bring down the entire network
Security Practices Further (cont’d)
• Perform application security reviews using a combination of source code review, stress loading and exception testing to identify insecure coding techniques and system vulnerabilities
• Engage independent security specialists to assess strengths and weaknesses of internet-based applications, systems and networks before each initial implementation (at least annually, without forewarning to internal staff)
• Conduct penetration testing at least annually
• Establish network surveillance and security monitoring procedures with the use of network scanners, intrusion detectors and security alerts
Second Part: Privacy
Impact on Information Privacy
The relationship between the collection and dissemination of:
• Information
• Technology
• Personal and public expectations
• Laws and regulations surrounding them
Primary Concerns
• The act of data collection: legal versus illegal
• Improper access (Authentication)
• Unauthorized use (Authorization)
What does Privacy Mean Now?
• In the past: privacy was about secrecy.
• These days: privacy is all about control.
People's relationship with privacy is socially complicated.
Agree or disagree?
Privacy Challenges
• What is “private” information by now?
• Make information more accessible
• Evolve systems to prevent breaches
Business Priorities according to IT
[Slide 71: chart, courtesy of DataCenterJournal]
What Takes Priority with IT Teams?
[Slide 72: chart, courtesy of DataCenterJournal]
What to Do?
Bank Disclosure
• Banks should provide clear information to customers about the risks and benefits of using internet banking prior to subscription.
• Customers should be informed clearly and precisely of the respective rights, obligations and responsibilities of customers and the bank on all matters relating to online transactions, and any problems that may arise from processing errors and security breaches.
• Information written in prolix legalese and technical terminology would cause legibility and comprehension difficulties for customers.
Bank Disclosure (cont’d)
• Terms and conditions applying to online banking products and services should be readily available to customers within the internet banking application.
• On initial logon or subscription to a particular service or product, this would require a positive acknowledgement of the terms and conditions from the customer.
• Banks should publish their customer privacy and security policy.
• Customer dispute handling, reporting and resolution procedures, including expected timing for the banks' response, should also be clearly defined.
• All this information should be posted on the banks' websites.
• Disclosure of information should be useful and relevant for customers in making informed decisions.
Bank Disclosure (cont’d)
• On their websites, banks should advise and explain to their customers the security measures and reasonable precautions customers should take when accessing their online accounts.
• The precautionary procedures would include taking adequate steps to prevent unauthorized transactions and fraudulent use of their accounts, and ensuring no one else is able to observe or steal their access credentials or other security information to impersonate them or obtain unauthorized access to their online accounts.
Bank Disclosure (cont’d)
• When security breaches occur and customer online accounts might have been fraudulently accessed and unauthorized transactions made, banks should explain on their websites what process will be invoked to resolve the problem or dispute.
• Inform customers of the conditions and circumstances in which the resultant losses or damages would be attributable to the banks or their customers.
Navigating Continuity and Recovery
Business and IT Continuity
• Recovery and business resumption priorities must be defined, and contingency procedures tested and practiced, so that business and operating disruption arising from a serious incident can be minimized.
• A Continuity and Recovery Plan as well as an Incident Prevention and Response Plan should be in place, evaluated periodically and updated as and when changes to business operations, systems and networks occur.
Emergency Response
• Banks should refrain from adopting impromptu and untested recovery measures over pre-determined recovery actions that have been rehearsed and endorsed by management.
• Ad hoc recovery measures carry high operational risks as their effectiveness has not been verified through rigorous testing and validation.
Crisis Communication
• A predetermined action plan to address public relations issues.
• Consists of the 5W and 1H (who, what, when, where, why, how) for communicating the disaster/crisis to internet banking stakeholders.
• Being able to maintain customer confidence throughout a crisis period or an emergency situation is of great importance to the bank’s reputation and soundness.
Business and IT Recovery
• A recovery site geographically separate from the primary site must be established to enable the restoration of critical systems and resumption of business operations should a disruption occur at the primary site.
• A hot-site rapid-recovery capability should be created and maintained.
• The required speed of recovery will depend on the criticality of resuming business operations, the type of online services and whether there are alternative ways and processing means to maintain adequate continuing service levels to satisfy customers.
In Conclusion
• Where networks and systems are linked to specific service providers and vendors, bilateral or multilateral recovery testing should be conducted to ensure interdependencies are also fully catered for.
• Incident response, disaster recovery and business continuity preparations need to be regularly reviewed, updated and tested to ensure their effectiveness.
• Responsible staff should be capable of undertaking emergency and recovery procedures when required.
• Recovery preparedness should fully anticipate a total shutdown or incapacitation of the primary computer site.
Auditing, Assessing and Testing Activities
Assessing with Source Code Review
• System testing and UAT, and even penetration testing (PT), are ineffective in detecting malicious code, trojans, backdoors, logic bombs and other malware.
• Objective: finding security defects due to coding errors, insecure coding practices or malicious attempts.
• Designed to detect security vulnerabilities, deficiencies, gaps and mistakes (relating to control structure, security, input validation, error handling, file update, function parameter verification, reliability, integrity, resiliency, execution, etc.).
Assessing with Source Code Review (cont’d)
• Code quality and programming practices can also be improved.
• A high degree of system and data integrity is required for all internet-facing applications.
• Due diligence is needed to ensure these applications have appropriate security controls, taking into consideration the type and complexity of online services provided.
Penetration Testing
• Conducted for a new system, particularly one that offers internet accessibility and open network interfaces, using Black-Box and White-Box techniques.
• Complemented by a Vulnerability Assessment of the external and internal network components that support the new system.
• VA is conducted at least quarterly whilst PT at least yearly.
Other Types of Testing
1. Identify information leakages
• Sensitive information such as cryptographic keys, account and password details, system configurations and database connection strings should not be disclosed.
• Potential sources of information leakage like verbose error messages and banners, hard-coded data, and file and directory operations should be scrutinized for inappropriate information disclosure.
2. Assess resiliency against input manipulation
• The test should review all input validation routines and assess their effectiveness against known vulnerabilities.
Other Types of Testing (cont’d)
3. Identify insecure programming practices
• Use of vulnerable function calls
• Inadequate memory management
• Unchecked argument passing
• Inadequate logging and comments
• Use of relative paths
• Logging of passwords and authentication credentials
• Inappropriate access privilege assignment
Other Types of Testing (cont’d)
4. Detect deviations from design specifications
• Critical modules containing authentication and session management functions should be vetted for discrepancies between the code design and its implementation.
5. Evaluate exception handling
• Adequate controls should be in place to ensure resulting errors do not allow users to bypass security checks or obtain core dumps.
• Sufficient processing details should be logged at the source of the exception to assist problem diagnosis.
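As an added example (not from the deck; the session table, limits, field names and leakage patterns are constructed assumptions), the Python below shows items 1, 3 and 5 together: a transfer authorization check that fails open and leaks the internal exception to the caller, its hardened form that fails closed, logs redacted detail at the source under a correlation reference, and a small scanner a tester can run over response text to spot the leakage sources named above.

```python
"""
Constructed illustration of three review items: verbose error messages as a
leakage source (item 1), logging of passwords and credentials (item 3), and
exception handling that must fail closed and log detail at the source (item 5).
"""
import logging
import re
import uuid

log = logging.getLogger("ib.transfer")

# Constructed sample data standing in for a session store and per-customer limits.
SESSIONS = {
    "sess-1": {"user": "alice", "otp_ok": True},
    "sess-2": {"user": "bob", "otp_ok": False},
}
DAILY_LIMITS = {"alice": 1_000_000, "bob": 500_000}

# Request fields that must never reach a log file (item 3).
SECRET_FIELDS = {"password", "otp", "pin", "token"}

# Constructed patterns a tester can run over HTTP response bodies to spot the
# leakage sources named in item 1: stack traces, exception names, credentials
# and database connection strings.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)"),
    "exception_name": re.compile(r"\b\w+(Error|Exception)\b"),
    "credential": re.compile(r"(?i)\b(password|otp|pin|token)\s*[=:]"),
    "connection_string": re.compile(r"(?i)(jdbc:|Data Source=|mongodb://|postgres(ql)?://)"),
}


def redact(params: dict) -> dict:
    """Mask secret fields before anything is written to a log."""
    return {k: "[REDACTED]" if k.lower() in SECRET_FIELDS else v for k, v in params.items()}


def scan_for_leakage(text: str) -> list:
    """Return the categories of sensitive detail found in a response body."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


def authorize_transfer_vulnerable(session_id: str, amount: int, params: dict) -> dict:
    """'Before' pattern carrying the defects a code review should flag."""
    try:
        session = SESSIONS[session_id]
        if not session["otp_ok"]:
            return {"ok": False, "error": "OTP required"}
        if amount > DAILY_LIMITS[session["user"]]:
            return {"ok": False, "error": "limit exceeded"}
        return {"ok": True}
    except Exception as exc:
        # Defect 1: raw request parameters (password, OTP) are written to the log.
        log.error("transfer check failed params=%s", params)
        # Defect 2: the caller sees the internal exception (information leakage).
        # Defect 3: ok=True on an unexpected error bypasses the security check.
        return {"ok": True, "warning": "check skipped: %r" % (exc,)}


def authorize_transfer_hardened(session_id: str, amount: int, params: dict) -> dict:
    """Fail closed, log redacted detail at the source, return an opaque reference."""
    ref = uuid.uuid4().hex[:12]  # correlation id shared by the log line and the response
    try:
        session = SESSIONS[session_id]
        if not session["otp_ok"]:
            return {"ok": False, "error": "OTP required", "ref": ref}
        if amount > DAILY_LIMITS[session["user"]]:
            return {"ok": False, "error": "limit exceeded", "ref": ref}
        return {"ok": True, "ref": ref}
    except Exception:
        # Full diagnostic detail (stack trace, redacted inputs) stays server-side.
        log.exception("transfer check error ref=%s session=%s params=%s",
                      ref, session_id, redact(params))
        # Deny by default; the client gets only the reference to quote to support.
        return {"ok": False, "error": "request could not be processed", "ref": ref}


if __name__ == "__main__":
    # An unknown session id raises KeyError inside the check in both versions.
    bad = authorize_transfer_vulnerable("sess-x", 10, {"password": "secret", "otp": "123456"})
    good = authorize_transfer_hardened("sess-x", 10, {"password": "secret", "otp": "123456"})
    print("vulnerable:", bad, "leaks:", scan_for_leakage(str(bad)))
    print("hardened:  ", good, "leaks:", scan_for_leakage(str(good)))
```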
Other Types of Testing (cont’d)
6. Evaluate cryptographic implementation
• Only cryptographic modules based on authoritative standards and reputable protocols should be installed.
• Functions involving cryptographic algorithms and crypto-key configurations must be vetted for deficiencies and loopholes.
• Evaluate the choice of ciphers, key sizes, key exchange control protocols, hashing functions and random number generators.
Auditing Activities
Conducting IT Risk Management
Definition of IT Risks
• Any adverse outcome, damage, loss, disruption, violation, irregularity or failure arising from the use of or reliance on computer hardware, software, electronic devices, online networks and telecommunications systems.
• Can also be associated with systems failures, processing errors, software defects, operating mistakes, hardware breakdowns, capacity deficiencies, network vulnerabilities, control weaknesses, security shortcomings, internal sabotage, espionage, malicious attacks, hacking incidents, fraudulent conduct and defective recovery capabilities.
Risk Management Framework
• Identify, classify and assess (qualitatively and quantitatively) risks.
• Develop a plan containing policies, practices and procedures addressing and controlling these risks.
• Implement and regularly test the plan.
• Monitor risks and plan effectiveness on a regular basis.
• Update the plan periodically to take account of changes in technology, legal requirements and the business environment, including external and internal threats and security vulnerabilities.
IT Risk Assessment Frameworks
• ISACA Risk IT
• Information Security Risk Management for ISO 27001
• CRAMM Information Security Toolkit
• OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
ISACA Risk IT
Complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
Risk Response
• Avoidance: eliminate, withdraw from or do not become involved
• Mitigate: reduce impact or probability
• Transfer: outsource or insure
• Accept: mostly due to very low impact/probability
Cybersecurity Risks
[Slide 101: charts for the two survey questions below]
Q: Are you more concerned or less concerned about cybersecurity threats posed to your organization this year (2015) than those you encountered the previous year (2014)?
Q: Please estimate the total monetary value of losses your organization sustained due to cybercrime and advanced persistent threats during the past 12 months, including those costs associated with resolving all issues associated with the incident.
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
Cybersecurity Risks Major Attention
Q: To address cyber-risks, are your investments and spending focused on:
[Slide 102: bar chart, Enterprise (1,000+) versus SMB (<1,000), for the question above; categories: New technologies, Audits & assessments, New skills & capabilities, Redesign cybersecurity strategy, Redesigning processes, Participating in knowledge sharing]
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
Supply Chains at Risk; Need C-Suite Attention
Q: Please identify all areas where you consider supply chain/business ecosystem risks?
Q: On average, how often do you evaluate the security of supply chain/business ecosystem partners with which you share data or network access?
[Bar chart, assessment of business ecosystem risks, categories: Third-party vendors; Contractors; Software; Suppliers; Procurements. Values as extracted: 62%, 57%, 52%, 42%, 40%, 23%.]
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
Confidence in Security Solutions Varies
Q: How effective do you consider each of the following technologies in place in your organization in detecting and/or countering security events?
[Chart. 5 most effective solutions (rated very effective / somewhat effective): Firewalls; SPAM filtering; Electronic access control systems; Network-based anti-virus; Access controls. Values as extracted: 86%, 82%, 76%, 74%, 76%. 5 least effective solutions (rated not very effective / not at all effective): Manual patch management; Change control/configuration management systems; Wireless monitoring; Automated patch management; Video surveillance. Values as extracted: 17%, 17%, 18%, 19%, 32%.]
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
Indonesia Case: Check These Facts Out
Security Threat and Symantec say:
• 36.6 million cyber attacks (35% from outside the country, the rest from inside) from 2012 to 2014.
• 497 cyber crime cases from 2012 to April 2015; 389 involved foreigners and 108 local citizens.
• Fake bank accounts, money laundering, forged LC documents, camouflaged postings.
• Accounted for 4.1% of the world's cyber crimes.
• The highest percentage of PCs infected by malware across the globe.
Government CSIRT says:
• 60% of government domains encountered web defacements and 36% were infected by malware.
Indonesia Case: Check These Facts Out (cont’d)
• According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
• Yet the figures for Indonesia are unknown.
• DAKA Advisory predicts around USD 2.3bn in 2013 by multiplying the number of victims by the cost per victim.
• From the Ministry of Communication and IT’s total budget of USD 500m, 1% is allocated to cyber security.
Indonesia: Estimated Cyber Crimes Costs
• DAKA Advisory reveals from 2011 to 2013
Putting Them into Global Context
• DAKA Advisory reveals in 2013
How the Indonesian Government Responds
• Telecommunication Act No. 36/1999: focused briefly on telecommunications infrastructure, not on the internet in particular.
• Electronic Information and Transactions Act No. 11/2008: legal enforcement against cyber crime.
• Copyright Act No. 19/2002.
• Pornography Act No. 44/2008.
• Electronic System Provider and Electronic Transaction Regulation No. 82/2012.
Factors to Overcome
Duration to Initiate an Investigation on Incidents
• Unknown: 33%
• Longer than 1 day: 4%
• Within 1 day: 13%
• Within 4 hours: 13%
• Within 1 hour: 25%
• Within 10 minutes: 12%
Respondents were asked to choose one.
Cybersecurity not Aligned to the Business
In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business.
Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards.
[Chart, 2013 vs 2014] Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease.
[Chart, 2013 vs 2014] Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%.
Cybersecurity not Meeting Organization Needs
Respondents were asked to choose one.
• 9%: We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response, escalation and prediction of attacks.
• 20%: We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation.
• 24%: We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have informal response and escalation processes in place.
• 31%: We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation.
• 16%: We do not have a detection program.
External Parties Protecting Our Organization’s Information?
• 13%: No reviews or assessments performed
• 8%: Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes)
• 24%: Only critical or high-risk third parties are assessed
• 34%: Self-assessments or other certifications performed by partners, vendors or contractors
• 27%: Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE 3402)
• 27%: Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated
• 27%: All third parties are risk-rated and appropriate diligence is applied
• 56%: Assessments performed by your organization’s information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing)
Respondents were asked to choose all that apply.
How to Counter
InfoSec Leadership Is Inevitable
• Information Security Strategic Plan (including the Cyber Security domain).
• Information Security Policies, Procedures, Guidelines, Framework and Standards.
• IT/Information Security personnel (the higher-ranking the better) who report directly to organizational leadership.
• Regular monitoring and controlling activities through a measurement and review process.
• Understanding past security events and planning for future ones.
• Governance, Risk, Legal and Compliance (no longer Ops-focused).
Where Is the InfoSec Role?
Quoting security expert Elliott Franklin in the US (2012):
• 53% of CISOs now report to C-level execs
• 74% of CISOs struggled to balance strategy and operations in 2012
• 32% of CISOs cover both Information and Physical Security
“If I need to do strategic planning, I need to come in during the weekends because ops takes 100% of my time”
In 2014, EMC reported that across the globe 60% of IT function working time is allocated to operations.
CCSO (?)
Image courtesy of Mark E. S. Bernard
InfoSec Strategic Plan Key Factors
• Determine the direction of the business
– Vision: a descriptive picture of a desired future state (“Where do we want to be?”)
– Objectives: high-level achievements (“Improve customer loyalty”, “Grow market share”)
– Goals: anything that is measured to help fulfill an objective
• Understand security's current position
– What do we do?
– For whom do we do it?
– How do we excel?
Source: Forrester’s Building A Strategic Security Program And Organization (2013)
InfoSec Strategic Plan Key Factors (cont’d)
• Strategies: those actions we implement on a day-to-day basis to achieve our objectives
• Projects: the concrete actions a business takes to execute its strategic plan
• Capabilities: an organization’s ability, by virtue of its IT assets, to create business value
Credit: ESET – Cyber Security road map for businesses (2013).
Take a Look at This Example
Credit: ESET – Cyber Security road map for businesses (2013).
InfoSec Control Frameworks
InfoSec Standards
‘ISO/IEC 27001’
Best practice recommendations for initiating, developing, implementing, and maintaining Information Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
By Utilizing Such Frameworks and Standards
• Reduce complexity of activities and processes
• Deliver better understanding of information security
• Attain cost-effectiveness in managing privacy and security
• Enhance user satisfaction with the arrangements and outcomes
• Improve integration of information security
By Utilizing Such Frameworks and Standards (cont’d)
• Inform risk decisions and risk awareness
• Enhance prevention, detection and recovery
• Reduce probability and impact of security incidents
• Leverage support for organization innovation and competitiveness
IIA Three Lines of Defense (3LoD)
Image courtesy of IIA Global Advocacy Platform
Incident Response Plan is Very Basic
• Objectives
– Respond to events & customers' concerns
– Rapidly & effectively address disclosures
• Type of incidents
– Intentional
– Unintentional
• References
– NIST SP 800-61r2
– SANS Incident Handler's Handbook
Organization Culture
• What do your executives expect from
security?
• If not GRLC, then focus on operations
• Build trust and demonstrate value
• Reporting Inside or Outside IT?
• Centralized or Decentralized?
Controls to Enforce Policies
• Log access to data, information and transactions by unique identifier; this requires log management or a SIEM.
• Limit access to specific data to specific individuals; this requires unique system usernames and passwords.
• Sensitive data shall not be emailed outside the organization; enforce this with a DLP or email encryption system.
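The three controls above rendered as code, as an added example that is not from the deck: an access check that admits only the individuals named in a policy, an audit event for every attempt keyed on the unique user id (the record a log-management or SIEM tool would ingest and correlate), and an outbound-mail check standing in for a DLP gateway that blocks sensitive content to external recipients unless an encrypted channel exists for them. The user ids, data-set names, mail domains and detection patterns are constructed placeholders, not values from the presentation.

```python
"""Policy controls as code: access limited to named individuals, every
access attempt logged under the unique user identifier, and an outbound
e-mail check standing in for a DLP gateway.

Added example, not from the slide deck. The user ids, data-set names,
mail domains and detection patterns below are constructed for illustration.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

INTERNAL_DOMAIN = "examplebank.test"      # assumed internal mail domain
ENCRYPTION_PARTNERS = {"auditor.test"}    # assumed external domains reachable over encrypted mail

# Policy: which unique user ids may access which data set (constructed).
ACCESS_POLICY = {
    "customer_pii": {"u1001", "u1002"},
    "transactions": {"u1001", "u1003"},
}

# Simple patterns standing in for a real DLP classifier (constructed).
SENSITIVE_PATTERNS = {
    "account_number": re.compile(r"\b\d{10,12}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}

AUDIT_LOG = []  # in production these JSON events are shipped to log management / SIEM


def _audit(event, **fields):
    """Append one structured, timestamped event to the audit trail."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return record


def access_data(user_id, data_set):
    """Allow only the individuals named in the policy; log every attempt,
    allowed or denied, keyed on the unique user id (never a shared account)."""
    allowed = user_id in ACCESS_POLICY.get(data_set, set())
    _audit("data_access", user=user_id, data_set=data_set,
           outcome="allow" if allowed else "deny")
    return allowed


def check_outbound_email(sender, recipients, body):
    """Decide what the mail gateway should do: 'allow', 'encrypt' or 'block'.
    Returns (decision, sorted names of the patterns that matched)."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    hits = sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body))
    if not external or not hits:
        decision = "allow"      # internal-only mail, or nothing sensitive found
    elif all(r.lower().rsplit("@", 1)[-1] in ENCRYPTION_PARTNERS for r in external):
        decision = "encrypt"    # sensitive, but every external party has an encrypted channel
    else:
        decision = "block"      # sensitive data would leave the organization in the clear
    _audit("outbound_mail", user=sender, external_recipients=len(external),
           matches=hits, decision=decision)
    return decision, hits


def denied_access_by_user():
    """The kind of correlation a SIEM runs over the trail: denied attempts per user id."""
    counts = Counter()
    for line in AUDIT_LOG:
        rec = json.loads(line)
        if rec["event"] == "data_access" and rec["outcome"] == "deny":
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    access_data("u1001", "customer_pii")   # allowed
    access_data("u1003", "customer_pii")   # denied, and logged as such
    print(check_outbound_email("u1001@examplebank.test", ["ops@examplebank.test"],
                               "Account 1234567890 statement attached"))
    print(check_outbound_email("u1002@examplebank.test", ["someone@webmail.test"],
                               "CONFIDENTIAL: account 1234567890"))
    print(check_outbound_email("u1002@examplebank.test", ["lead@auditor.test"],
                               "CONFIDENTIAL sample for the audit"))
    print(denied_access_by_user())
    for line in AUDIT_LOG:
        print(line)
```

Both the allowed and the denied access are written to the trail; a log that records only successes cannot show who tried to reach data they were not entitled to, and that question is the one an investigation asks first. The mail check logs its decision as well, so the same SIEM can correlate a burst of blocked outbound mail with the denied-access events of the same user id.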
Educate, Educate, Educate
• Our security stakeholders: employees, executives, partners, suppliers, vendors
• What are our policies?
• How to comply?
• Consequences of failure to comply
Monitoring and Controlling
• Assessment
• Review
• Audit
• Monitor change control
• New vendor relationships
• Marketing initiatives
• Employee terminations
Simplest Ways of Prevention
• Disable and log off a specific user account to prevent access.
• Disable and log off a group of user accounts which access a particular service that is being attacked.
• Disable and dismount specific (network) devices, for instance disk devices that are being swamped.
• Disable specific applications, for example, an e-mail system subjected to a SPAM attack.
• Close down an entire system, and divert processing to an alternative or backup service on a secondary network.
Simplest Tips of Controls
• Use antivirus software.
• Install firewalls.
• Uninstall unnecessary software.
• Maintain backup.
• Check security settings.
• Stay anonymous - choose a genderless screen
name.
• Never give your full name or address to
strangers.
• Learn more about Internet privacy.
Thank You!
Image: WallsRoyal
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Presentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 ConferencePresentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 Conference
 
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
SecureWeb3 - Developing a Comprehensive Cybersecurity Strategy for the Decent...
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Vitria IoT Analytics Platform
Vitria IoT Analytics PlatformVitria IoT Analytics Platform
Vitria IoT Analytics Platform
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Latest Trends Payments Industry
Latest Trends Payments IndustryLatest Trends Payments Industry
Latest Trends Payments Industry
 
Singapore Cybersecurity Strategy and Legislation (2018)
Singapore Cybersecurity Strategy and Legislation (2018)Singapore Cybersecurity Strategy and Legislation (2018)
Singapore Cybersecurity Strategy and Legislation (2018)
 
Allot Real Life Use Cases for Customer Enagagement
Allot Real Life Use Cases for Customer EnagagementAllot Real Life Use Cases for Customer Enagagement
Allot Real Life Use Cases for Customer Enagagement
 
Cybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdfCybersec Supply Chain Risks and Governance v0.1.pdf
Cybersec Supply Chain Risks and Governance v0.1.pdf
 
Internet of things ecosystem: The quest for value
Internet of things ecosystem: The quest for valueInternet of things ecosystem: The quest for value
Internet of things ecosystem: The quest for value
 
Algorithmic auditing 1.0
Algorithmic auditing 1.0Algorithmic auditing 1.0
Algorithmic auditing 1.0
 
Finpro report market study nigeria
Finpro report market study nigeriaFinpro report market study nigeria
Finpro report market study nigeria
 

More from Goutama Bachtiar

Crypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainCrypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainGoutama Bachtiar
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Goutama Bachtiar
 
Blockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryBlockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryGoutama Bachtiar
 
Delving into Fintech
Delving into FintechDelving into Fintech
Delving into FintechGoutama Bachtiar
 
Leveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumLeveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumGoutama Bachtiar
 
Library of Information Technology Icons
Library of Information Technology IconsLibrary of Information Technology Icons
Library of Information Technology IconsGoutama Bachtiar
 
PMBOK 6th vs 5th Edition
PMBOK 6th vs 5th EditionPMBOK 6th vs 5th Edition
PMBOK 6th vs 5th EditionGoutama Bachtiar
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereGoutama Bachtiar
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationGoutama Bachtiar
 
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryElectronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryGoutama Bachtiar
 
State of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsState of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsGoutama Bachtiar
 
The State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesThe State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesGoutama Bachtiar
 
Implementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioImplementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioGoutama Bachtiar
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsGoutama Bachtiar
 
Valuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureValuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureGoutama Bachtiar
 
Riding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyRiding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyGoutama Bachtiar
 
The Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesThe Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesGoutama Bachtiar
 
Crafting and Delivering Effective Business Pitch to Investors
Crafting and Delivering Effective Business Pitch to InvestorsCrafting and Delivering Effective Business Pitch to Investors
Crafting and Delivering Effective Business Pitch to InvestorsGoutama Bachtiar
 
Enterprise Information Technology Risk Assessment Form
Enterprise Information Technology Risk Assessment FormEnterprise Information Technology Risk Assessment Form
Enterprise Information Technology Risk Assessment FormGoutama Bachtiar
 
Developing and Managing Educational Institution Policies
Developing and Managing Educational Institution PoliciesDeveloping and Managing Educational Institution Policies
Developing and Managing Educational Institution PoliciesGoutama Bachtiar
 

More from Goutama Bachtiar (20)

Crypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and BlockchainCrypto Currency, Bitcoin and Blockchain
Crypto Currency, Bitcoin and Blockchain
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
Blockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking IndustryBlockchain Essentials - Harnessing the Technology for Banking Industry
Blockchain Essentials - Harnessing the Technology for Banking Industry
 
Delving into Fintech
Delving into FintechDelving into Fintech
Delving into Fintech
 
Leveraging Agile Project Management with Scrum
Leveraging Agile Project Management with ScrumLeveraging Agile Project Management with Scrum
Leveraging Agile Project Management with Scrum
 
Library of Information Technology Icons
Library of Information Technology IconsLibrary of Information Technology Icons
Library of Information Technology Icons
 
PMBOK 6th vs 5th Edition
PMBOK 6th vs 5th EditionPMBOK 6th vs 5th Edition
PMBOK 6th vs 5th Edition
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking Sphere
 
Utilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and InvestigationUtilizing Internet for Fraud Examination and Investigation
Utilizing Internet for Fraud Examination and Investigation
 
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment IndustryElectronic Payment Fundamentals: When Tech Embracing Payment Industry
Electronic Payment Fundamentals: When Tech Embracing Payment Industry
 
State of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and SolutionsState of Cyber Crime in Banking Sector Today: Threats and Solutions
State of Cyber Crime in Banking Sector Today: Threats and Solutions
 
The State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and ChallengesThe State of ERP in Indonesia: Trends, Opportunities and Challenges
The State of ERP in Indonesia: Trends, Opportunities and Challenges
 
Implementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft VisioImplementing BPMN 2.0 with Microsoft Visio
Implementing BPMN 2.0 with Microsoft Visio
 
Understanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor RelationshipsUnderstanding IT Strategy, Sourcing and Vendor Relationships
Understanding IT Strategy, Sourcing and Vendor Relationships
 
Valuing Information Management and IT Architecture
Valuing Information Management and IT ArchitectureValuing Information Management and IT Architecture
Valuing Information Management and IT Architecture
 
Riding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information TechnologyRiding and Capitalizing the Next Wave of Information Technology
Riding and Capitalizing the Next Wave of Information Technology
 
The Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the OpportunitiesThe Current and Future State of Internet of Things: Unveiling the Opportunities
The Current and Future State of Internet of Things: Unveiling the Opportunities
 
Crafting and Delivering Effective Business Pitch to Investors
Crafting and Delivering Effective Business Pitch to InvestorsCrafting and Delivering Effective Business Pitch to Investors
Crafting and Delivering Effective Business Pitch to Investors
 
Enterprise Information Technology Risk Assessment Form
Enterprise Information Technology Risk Assessment FormEnterprise Information Technology Risk Assessment Form
Enterprise Information Technology Risk Assessment Form
 
Developing and Managing Educational Institution Policies
Developing and Managing Educational Institution PoliciesDeveloping and Managing Educational Institution Policies
Developing and Managing Educational Institution Policies
 

Recently uploaded

self respect is very important in this crual word where everyone in just thin...
self respect is very important in this crual word where everyone in just thin...self respect is very important in this crual word where everyone in just thin...
self respect is very important in this crual word where everyone in just thin...afaqsaeed463
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchRashtriya Kisan Manch
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Reviewthomas851723
 
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Roomdivyansh0kumar0
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineeringthomas851723
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insightWayne Abrahams
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证jdkhjh
 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...AgileNetwork
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixCIToolkit
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sectorthomas851723
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsCIToolkit
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingCIToolkit
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentationmintusiprd
 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Nehwal
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)jennyeacort
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentationcraig524401
 

Recently uploaded (17)

self respect is very important in this crual word where everyone in just thin...
self respect is very important in this crual word where everyone in just thin...self respect is very important in this crual word where everyone in just thin...
self respect is very important in this crual word where everyone in just thin...
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Servicesauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
 
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
 

Managing IT Risks in Internet Banking

Why Internet Banking? (cont’d)
Economic and Industry Perspectives:
• Economic outlook (>4%) ~ citing ADB recent stats
• Stable inflation and interest rate ~ citing ADB recent stats
• 4G technology edges closer
• US$4.5B investment in telematics (US$300m for cellular phones) ~ citing IndonesiaInvestments May 2015
• IT spending of US$20+B ~ citing IDC in early 2015
• 80% of budget goes to corporates and enterprises (majority in Banking & Telco) ~ citing IDC in early 2015

Why Internet Banking? (cont’d)

Let’s Dig the Numbers Deeper…
• 30% saving account owners
• 7% credit card subscribers
• 50 million Facebookers (Top 5)
• 40 million Twitterers (Top 5)
• 4 million Kaskusers
• 85 million middle class
• 5 million middle class growth per year
• 3% internet users growth per year

Understanding User Behaviors and Expectations

Indonesia E-Channel Banking Services
Channels with most users (Kadence International 2014 research):
• mobile banking (67%)
• internet banking (54%)
• phone banking (28%)

Most Considered Factors by Indonesians
According to the same study:
• Speed
• Security level
• Easy registration
• Easy to use

What Mobile Phone Users Do
• No password: 62% of smartphone users leave their devices unprotected (from the ‘Protect Your Bubble’ study)
• Auto sign-in: don’t do it for banking and financial services
• Phishing email: 156 million sent every day across the globe, and 4% of them succeed
• Sensitive info on social media: 75% of identity thieves capitalize on this when targeting their victims, including the geotagging feature

What Mobile Phone Users Do (cont’d)
• Sharing data with unknown parties: accounts for around 27%, obtained through phone calls using a fake ID or false identity
• Connecting to unprotected networks: 52% plugged into unsafe Wi-Fi or open networks

Factors to Consider in Detail
• Data confidentiality
• System integrity
• System availability
• Customer and transaction authenticity
• Customer protection

Acquiring and Developing Internet Banking Services
Image: AlphaCoders

System Development Life Cycle
Things to consider:
• Tasks and processes for developing new systems should include assignment and delineation of responsibilities and accountabilities for system deliverables and project milestones.
• Business and functional requirements, systems design, technical specifications and service performance expectations should be adequately documented and approved at appropriate management levels.

System Development Life Cycle (cont’d)
• Security requirements should be clearly specified:
  – System access control
  – Authentication
  – Transaction authorization
  – Data integrity
  – System activity logging
  – Audit trail
  – Security event tracking
  – Exception handling
• A compliance check against the bank’s security standards and regulatory requirements is expected.

System Development Life Cycle (cont’d)
• A methodology approved by management should set out how and what system testing should be conducted:
  – Scope should cover business logic, security controls and system performance under various stress load scenarios and recovery conditions.
  – Full regression testing is required before a major system rectification or enhancement is implemented.
  – Test results should be reviewed and signed off by users whose systems and operations are affected by the new changes.

System Development Life Cycle (cont’d)
• To control migration of new systems or changes to the production environment, it is important that separate physical or logical environments be maintained for unit, integration, system and user acceptance testing.
• Vendor and developer access to the UAT environment should be strictly monitored.
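The security requirements listed on the SDLC slides above, written as a single transaction gate whose decisions an auditor can test against the audit trail; this is an added example, not the presenter’s code, and every session id, account, token key and limit in it is a constructed assumption.

```python
"""Transaction authorization gate covering the slide's requirement list:
authentication, access control, transaction authorization, data integrity,
activity logging / audit trail, security event tracking, exception handling.
All reference data below is constructed for the example."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed reference data (assumptions for the example, not from the deck).
SESSIONS = {"sess-7f3a": "cust-001"}                   # authenticated session -> customer id
OWNED_ACCOUNTS = {"cust-001": {"ACC-100", "ACC-101"}}  # access control: who may debit what
TOKEN_KEYS = {"cust-001": b"constructed-token-secret"} # key shared with the customer's token
DAILY_LIMIT = 50_000                                   # per-customer transfer limit per day
LOCKOUT_AFTER = 3                                      # consecutive failures before lockout


class AuthorizationError(Exception):
    """Raised when a transaction must not proceed; the message is safe to show the user."""


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of the fields the customer's token signs."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(customer: str, txn: dict) -> str:
    """What the customer's token device computes over the approved fields."""
    return hmac.new(TOKEN_KEYS[customer], canonical(txn), hashlib.sha256).hexdigest()


@dataclass
class TransactionGate:
    audit_trail: list = field(default_factory=list)  # append-only; every decision lands here
    failures: dict = field(default_factory=dict)     # security event tracking per customer
    spent_today: dict = field(default_factory=dict)  # running total against DAILY_LIMIT

    def _record(self, event: str, **fields) -> dict:
        entry = {"seq": len(self.audit_trail) + 1, "event": event, **fields}
        self.audit_trail.append(entry)
        return entry

    def _fail(self, customer: str, reason: str, txn: dict) -> None:
        self.failures[customer] = self.failures.get(customer, 0) + 1
        self._record("transfer_rejected", customer=customer, reason=reason,
                     amount=txn.get("amount"), failures=self.failures[customer])
        raise AuthorizationError(reason)

    def authorize(self, session_id: str, txn: dict, mac: str) -> dict:
        # 1. Authentication: the request must come from an authenticated session.
        customer = SESSIONS.get(session_id)
        if customer is None:
            self._record("unauthenticated_request", session=session_id)
            raise AuthorizationError("not authenticated")
        # 2. Security event tracking: repeated failures lock the customer out.
        if self.failures.get(customer, 0) >= LOCKOUT_AFTER:
            self._record("locked_out", customer=customer)
            raise AuthorizationError("account locked")
        # 3. Data integrity: the MAC binds exactly the fields the customer approved.
        if not hmac.compare_digest(sign_transaction(customer, txn), mac):
            self._fail(customer, "integrity check failed", txn)
        # 4. Access control: a customer may only debit accounts they own.
        if txn["from"] not in OWNED_ACCOUNTS[customer]:
            self._fail(customer, "source account not owned", txn)
        # 5. Transaction authorization: business rule (daily limit).
        if self.spent_today.get(customer, 0) + txn["amount"] > DAILY_LIMIT:
            self._fail(customer, "daily limit exceeded", txn)
        # 6. Approved: update the running total, reset the failure counter, log it.
        self.spent_today[customer] = self.spent_today.get(customer, 0) + txn["amount"]
        self.failures[customer] = 0
        return self._record("transfer_approved", customer=customer, **txn)


def decide(gate: TransactionGate, session_id: str, txn: dict, mac: str) -> str:
    """Exception handling at the boundary: return 'approved' or the safe reason, never a trace."""
    try:
        gate.authorize(session_id, txn, mac)
        return "approved"
    except AuthorizationError as err:
        return str(err)


def demo() -> dict:
    """One signed transfer, then the same MAC replayed with a changed amount."""
    gate = TransactionGate()
    txn = {"from": "ACC-100", "to": "ACC-999", "amount": 1_000, "ref": "T-1"}
    mac = sign_transaction("cust-001", txn)
    first = decide(gate, "sess-7f3a", txn, mac)
    tampered = dict(txn, amount=9_000)  # amount changed after the customer signed
    second = decide(gate, "sess-7f3a", tampered, mac)
    return {"first": first, "tampered": second, "audit": gate.audit_trail}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each rejection is a separate audit record carrying the reason and the customer's running failure count, which is what the "test results should be reviewed and signed off" bullet needs as evidence.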
  • 32. Outsourcing Management • Contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties should be carefully and properly defined in written agreements. • Agreements shall be covered performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery capability and backup processing facility. Managing IT Risks in Internet Banking 32November 2015
  • 33. Outsourcing Management (cont’d) • Unless acceptable arrangements have been made and mutually agreed, the service provider should be required to provide access to all parties nominated by the bank to: • Its systems • Operations • Documentation • Facilities to carry out any review or assessment for regulatory, audit or compliance purpose. Managing IT Risks in Internet Banking 33November 2015
• 34. Outsourcing Management (cont’d)
  • Banks and service providers must observe the banking secrecy requirements of banking laws and regulations.
  • Contracts and arrangements with service providers should take into account the need to protect the confidentiality of customer information as well as the need to comply with all applicable laws and regulations.
• 35. Monitoring Outsourcing Management
  • The bank should require the vendor to implement security policies, procedures and controls at least as stringent as it would expect for its own operations.
  • It should review and monitor the vendor's security practices and processes on a regular basis, including commissioning or obtaining periodic expert reports on security adequacy and compliance in respect of the vendor's operations.
  • A process for monitoring the vendor's service delivery, performance reliability and processing capacity should also be established, to gauge ongoing compliance with the agreed SLA and the viability of its operations.
• 36. The Vendor’s Contingency and BCP
  • Management should require the vendor to develop and establish a BCP and DRP framework.
  • As human error still accounts for the bulk of systems downtime and failures, all parties and personnel concerned should receive regular training in activating the contingency plan and executing the recovery procedures.
  • The plan should be reviewed, updated and tested regularly in line with changing technology conditions and operational requirements.
• 37. Understanding Change Management and Problem Management (Image: virusresearch)
• 38. Comprehending Information Security and Privacy
• 39. Security vs Privacy (Image: HBRWebinar)
• 40. First Part: Security
• 41. Source: IBM. [1] UNODC Comprehensive Study on Cybercrime, 2013
• 42. Source: IBM. [2] FBI: Crime in the United States 2013; [3] United California Bank Robbery; [4] Center for Strategic and International Studies
• 43. Source: IBM. [6] ESG: http://bit.ly/1xzTmUW
• 44. Notable Cyber Attacks
  In 2014 the Federal Bureau of Investigation (FBI) listed the following, starting from the most frequent:
  • Viruses
  • Employee abuse of internet privileges
  • Unauthorized access by insiders
  • Denial of Service
  • System penetration from the outside
  • Theft of proprietary information
  • Sabotage of data/networks
  • Probing/scanning systems
  • Financial fraud
• 45. Notable Cyber Attacks (cont’d)
  • Manipulating data integrity
  • Installing a sniffer
  • Stealing password files
  • Trojan logons
  • IP spoofing
  (Image courtesy of @TrojanLax)
• 46. Another Perspective on Attacks
  Key findings from the 2014 US State of Cybercrime Survey and PwC:
  • 80% of attacks rely on exploits that we can readily defend against:
    – Focus on security awareness
    – Properly maintained IT infrastructure
    – Effective monitoring
  • 15% of attacks can be mitigated with a solid security strategy
  • 5% are sophisticated/nation-state attacks
• 47. Common Cyber Attacks
  • Unauthorized access
  • Theft of information
  • Email bombing
  • Data diddling
  • Salami attacks
  • Denial of Service
  (Image courtesy of accidentalcreative.com)
• 48. Common Cyber Attacks (cont’d)
  • Virus and worm attacks
  • Logic bombs
  • Trojan attacks
  • Internet time theft
  • Web jacking
  • Theft of computer systems
  • Physically damaging a computer system
  (Image courtesy of indiatimes.com)
• 49. Defining Cyber Crime
  • Earlier descriptions were "computer crime", "computer-related crime" or "crime by computer".
  • With the pervasion of digital technology, new terms such as "high-technology" or "information-age" crime were added to the definition. The Internet brought further terms, such as "cybercrime" and "net" crime.
  • Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
• 50. Cyber Criminals: Who Are They Really?
  • Kids (age group below 17)
  • Disgruntled employees
  • Organized hacktivists
  • Professional hackers (corporate espionage), either white or black hats
  • Cyber terrorists (political motive)
  (Image courtesy of Travaux)
• 51. Cyber Crime-as-a-Service Marketplace
  • Has continued to mature over the past two years.
  • Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
  • Has become fiercely competitive.
  • Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
  • A generalized increase in the quality of malware produced.
  • Enables a much larger pool of bad actors with no technical knowledge to profit.
• 52. Cyber Crime-as-a-Service Marketplace (cont’d)
  • Many types of attack are simple and low cost.
  • Phishing attacks: 500,000 email addresses cost $30.
  • Hosting a phishing site can be more or less free.
  • Thousands of credit cards can be stolen in return for around $100.
• 53. Cyber Crime-as-a-Service Marketplace (cont’d) (Image courtesy of EMC)
• 54. How to Respond?
• 55. Human Resources Management
  • Internet security ultimately relies on trusting a small group of skilled personnel, who must be subject to proper checks and balances.
  • For that very reason, their duties and access to system resources must be placed under close scrutiny.
  • Stringent selection criteria and thorough screening should be applied when appointing personnel to internet operations and security functions.
  • Personnel involved in developing, maintaining and operating websites and systems should be adequately trained in security principles and practices.
• 56. Human Resources Management (cont’d)
  • Never-alone principle: sensitive and critical system functions and procedures should be carried out jointly by more than one person, or performed by one person and checked by another:
    – Systems initialization
    – Network security configuration
    – Access control system installation
    – Changing operating system parameters
    – Implementing firewalls and intrusion prevention systems
    – Modifying contingency plans
    – Invoking emergency procedures
    – Obtaining access to backup recovery resources
    – Creating master passwords and cryptographic keys
• 57. Human Resources Management (cont’d)
  • Segregation of duties principle: responsibilities and duties should be separated and performed by different groups of personnel for:
    – Operating systems function
    – Systems design and development
    – Application maintenance programming
    – Computer operations
    – Database administration
    – Access control administration
    – Data security
    – Librarian
    – Backup data file custody
  • Transaction processes should be designed so that no single person could initiate, approve, execute and enter transactions into a system in a manner that would enable fraudulent actions to be perpetrated and processing details to be concealed.
• 58. Human Resources Management (cont’d)
  • Access control principles:
    – Access rights and system privileges must be based on job responsibility and the necessity to have them to fulfil one's duties.
    – No person, by virtue of rank or position, should have any intrinsic right to access confidential data, applications, system resources or facilities.
    – Only employees with proper authorization should be allowed to access confidential information and use system resources, solely for legitimate purposes.
• 59. Human Resources Management (cont’d)
  • Internal sabotage, clandestine espionage or furtive attacks by trusted employees, contractors and vendors are potentially among the most serious risks that a bank faces.
  • Current and past employees, contractors, vendors and others who have intimate knowledge of the inner workings of the bank’s systems, operations and internal controls have a significant advantage over external attackers.
• 60. Human Resources Management (cont’d)
  • No one should have concurrent access to both production systems and backup systems, particularly data files and computer facilities.
  • Any person who needs to access backup files or system recovery resources should be duly authorized for a specific reason and a specified time only.
  • Access which is not for a specific purpose and a defined period should not be granted.
• 61. Human Resources Management (cont’d)
  • Personnel from vendors and service providers, including consultants, who have been given authorized access to the organization's critical network and computer resources pose similar risks.
• 62. Applying Control and Security Practices
  • Implement two-factor authentication for privileged users
  • Institute strong controls over remote access by privileged users
  • Restrict the number of privileged users
  • Grant privileged access on a “need-to-have” basis
  • Maintain audit logging of system activities performed by privileged users
  • Ensure that privileged users do not have access to the system logs in which their activities are captured
• 63. Applying Control and Security Practices (cont’d)
  • Conduct regular audit or management review of the logs
  • Prohibit sharing of privileged IDs and their access codes
  • Disallow vendors and contractors from gaining privileged access to systems without close supervision and monitoring
  • Protect backup data from unauthorized access
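The never-alone, segregation-of-duties and time-bound access rules of slides 56 to 60, together with the privileged-user logging controls of slides 62 and 63, can be made concrete in a small authorization service. The following Python is an added example written for this page, not code from the deck or from any bank; the user names, resource names, the set of four-eyes actions and the 240-minute grant limit are all constructed assumptions.

```python
"""Added example (not from the deck): a toy authorization service enforcing
never-alone approval, segregation of duties, reason- and time-bound privileged
grants, and an audit log that privileged users cannot read. All names are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Actions under the never-alone principle (constructed subset of slide 56's list)
FOUR_EYES_ACTIONS = {"change_firewall_rule", "create_master_key", "restore_backup"}
MAX_GRANT_MINUTES = 240  # assumed policy limit for one privileged session


@dataclass
class Grant:
    """A privileged grant: who, on what, why, and until when (slide 60)."""
    user: str
    resource: str
    reason: str
    expires_at: datetime


class PrivilegedAccess:
    def __init__(self):
        self.grants = []         # time-bound grants currently issued
        self.pending = {}        # request_id -> (initiator, action, resource)
        self.audit_log = []      # append-only record of privileged activity
        self.privileged = set()  # everyone who has ever held a grant

    def grant(self, user, resource, reason, minutes, now):
        if not reason.strip():
            raise PermissionError("a specific reason is required for privileged access")
        if not 0 < minutes <= MAX_GRANT_MINUTES:
            raise PermissionError(f"grant must be time-bound (1..{MAX_GRANT_MINUTES} min)")
        self.grants.append(Grant(user, resource, reason, now + timedelta(minutes=minutes)))
        self.privileged.add(user)
        self._log(now, user, "grant", resource, reason)

    def has_access(self, user, resource, now):
        """True only while an unexpired grant exists for this user and resource."""
        return any(g.user == user and g.resource == resource and now < g.expires_at
                   for g in self.grants)

    def request(self, request_id, initiator, action, resource, now):
        if not self.has_access(initiator, resource, now):
            raise PermissionError(f"{initiator} has no valid grant on {resource}")
        if action not in FOUR_EYES_ACTIONS:
            self._log(now, initiator, action, resource, "single-person action")
            return "executed"
        # Sensitive actions wait for a second person (slide 56)
        self.pending[request_id] = (initiator, action, resource)
        self._log(now, initiator, "request:" + action, resource, request_id)
        return "pending approval"

    def approve(self, request_id, approver, now):
        initiator, action, resource = self.pending[request_id]
        if approver == initiator:  # segregation of duties: no self-approval (slide 57)
            raise PermissionError("approver must differ from initiator")
        if not self.has_access(approver, resource, now):
            raise PermissionError(f"{approver} has no valid grant on {resource}")
        del self.pending[request_id]
        self._log(now, approver, "approve:" + action, resource, request_id)
        return "executed"

    def read_audit_log(self, reader):
        # Logs are reviewed by someone other than the privileged users (slides 62-63)
        if reader in self.privileged:
            raise PermissionError("privileged users may not read the log of their own activity")
        return list(self.audit_log)

    def _log(self, now, actor, event, resource, detail):
        self.audit_log.append({"time": now.isoformat(), "actor": actor, "event": event,
                               "resource": resource, "detail": detail})


def demo():
    """Walk a firewall change through maker-checker; returns the outcomes."""
    now = datetime(2015, 11, 1, 9, 0, tzinfo=timezone.utc)
    ac = PrivilegedAccess()
    ac.grant("alice", "core-firewall", "CHG-0001 rule update", 60, now)
    ac.grant("bob", "core-firewall", "CHG-0001 review", 60, now)
    out = {"request": ac.request("r1", "alice", "change_firewall_rule", "core-firewall", now)}
    try:
        ac.approve("r1", "alice", now)
        out["self_approve"] = "allowed"
    except PermissionError:
        out["self_approve"] = "refused"
    out["approve"] = ac.approve("r1", "bob", now + timedelta(minutes=5))
    out["bob_after_2h"] = ac.has_access("bob", "core-firewall", now + timedelta(hours=2))
    try:
        ac.read_audit_log("alice")
        out["self_read"] = "allowed"
    except PermissionError:
        out["self_read"] = "refused"
    out["audit_entries"] = len(ac.read_audit_log("auditor"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is that each slide rule becomes a check that fails closed: a grant without a reason or expiry is refused, a sensitive action without a second person never executes, the initiator cannot approve their own request, an expired grant silently stops working, and the log can only be read by someone who never held privilege.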
• 64. Security Practices Further
  • Deploy hardened operating systems: systems software and firewalls should be configured to the highest security settings consistent with the level of protection required, keeping abreast of updates, patches and enhancements recommended by system vendors
  • Change all default passwords for new systems immediately upon installation
  • Install firewalls between internal and external networks as well as between geographically separate sites
  • Install intrusion detection/prevention devices (including denial-of-service security appliances where appropriate)
  • Develop built-in redundancies for single points of failure which can bring down the entire network
• 65. Security Practices Further (cont’d)
  • Perform application security review using a combination of source code review, stress loading and exception testing to identify insecure coding techniques and system vulnerabilities
  • Engage independent security specialists to assess the strengths and weaknesses of internet-based applications, systems and networks before each initial implementation (and at least annually, without forewarning to internal staff)
  • Conduct penetration testing at least annually
  • Establish network surveillance and security monitoring procedures using network scanners, intrusion detectors and security alerts
• 66. Second Part: Privacy
• 67. Impact on Information Privacy
  The relationship between the collection and dissemination of:
  • Information
  • Technology
  • Personal and public expectations
  • Laws and regulations surrounding them
• 68. Primary Concerns
  • The act of data collection: legal versus illegal
  • Improper access (authentication)
  • Unauthorized use (authorization)
  (Images courtesy of City Caucus and ngshire)
• 69. What Does Privacy Mean Now?
  • In the past: privacy was about secrecy.
  • These days: privacy is all about control.
  People's relationship with privacy is socially complicated. Agree or disagree?
• 70. Privacy Challenges
  • What is “private” information by now?
  • Making information more accessible
  • Evolving systems to prevent breaches
  (Image courtesy of theinspirationroom.com)
• 71. Business Priorities According to IT (Courtesy of DataCenterJournal)
• 72. What Takes Priority with IT Teams? (Courtesy of DataCenterJournal)
• 73. What to Do?
• 74. Bank Disclosure
  • Banks should provide clear information to customers about the risks and benefits of using internet banking prior to subscription.
  • Customers should be informed clearly and precisely of the respective rights, obligations and responsibilities of customers and the bank on all matters relating to online transactions, and of any problems that may arise from processing errors and security breaches.
  • Information written in prolix legalese and technical terminology causes legibility and comprehension difficulties for customers.
• 75. Bank Disclosure (cont’d)
  • Terms and conditions applying to online banking products and services should be readily available to customers within the internet banking application.
  • On initial logon or subscription to a particular service or product, a positive acknowledgement of the terms and conditions should be required from the customer.
  • Banks should publish their customer privacy and security policy.
  • Customer dispute handling, reporting and resolution procedures, including the expected timing of the bank's response, should also be clearly defined.
  • All this information should be posted on the bank's website.
  • Disclosure of information should be useful and relevant to customers in making informed decisions.
• 76. Bank Disclosure (cont’d)
  • On their websites, banks should advise and explain to their customers the security measures and reasonable precautions customers should take when accessing their online accounts.
  • The precautionary procedures would include taking adequate steps to prevent unauthorized transactions and fraudulent use of their accounts.
  • They would also cover ensuring that no one else is able to observe or steal their access credentials or other security information in order to impersonate them or obtain unauthorized access to their online accounts.
• 77. Bank Disclosure (cont’d)
  • When security breaches occur and customer online accounts might have been fraudulently accessed and unauthorized transactions made, banks should explain on their websites what process will be invoked to resolve the problem or dispute.
  • Customers should also be informed of the conditions and circumstances under which the resultant losses or damages would be attributable to the bank or to the customer.
• 78. Navigating Continuity and Recovery
• 79. Business and IT Continuity
  • Recovery and business resumption priorities must be defined, and contingency procedures tested and practised, so that business and operating disruption arising from a serious incident can be minimized.
  • A Continuity and Recovery Plan as well as an Incident Prevention and Response Plan should be in place, evaluated periodically and updated as and when changes to business operations, systems and networks occur.
• 80. Emergency Response
  • Banks should refrain from adopting impromptu and untested recovery measures over pre-determined recovery actions that have been rehearsed and endorsed by management.
  • Ad hoc recovery measures carry high operational risk as their effectiveness has not been verified through rigorous testing and validation.
• 81. Crisis Communication
  • A predetermined action plan to address public relations issues.
  • Consists of the 5W and 1H (who, what, when, where, why and how) for communicating the disaster/crisis to internet banking stakeholders.
  • Being able to maintain customer confidence throughout a crisis period or an emergency situation is of great importance to the bank's reputation and soundness.
• 82. Business and IT Recovery
  • A recovery site geographically separate from the primary site must be established to enable the restoration of critical systems and resumption of business operations should a disruption occur at the primary site.
  • A hot-site rapid recovery capability should be created and maintained.
  • The required speed of recovery will depend on the criticality of resuming business operations, the type of online services, and whether there are alternative ways and processing means to maintain adequate continuing service levels to satisfy customers.
• 83. In Conclusion
  • Networks and systems linked to specific service providers and vendors should undergo bilateral or multilateral recovery testing, ensuring inter-dependencies are also fully catered for.
  • Incident response, disaster recovery and business continuity preparations need to be regularly reviewed, updated and tested to ensure their effectiveness.
  • Responsible staff must be capable of undertaking emergency and recovery procedures when required.
  • Recovery preparedness should fully anticipate a total shutdown or incapacitation of the primary computer site.
• 84. Auditing, Assessing and Testing Activities
• 85. Assessing with Source Code Review
  • System testing, UAT and even penetration testing are ineffective at detecting malicious code, trojans, backdoors, logic bombs and other malware.
  • Objective: finding security defects due to coding errors, insecure coding practices or malicious attempts.
  • Designed to detect security vulnerabilities, deficiencies, gaps and mistakes (relating to control structure, security, input validation, error handling, file updates, function parameter verification, reliability, integrity, resiliency, execution, etc.).
• 86. Assessing with Source Code Review (cont’d)
  • Code quality and programming practices can also be improved.
  • A high degree of system and data integrity is required for all internet-facing applications.
  • Due diligence is needed to ensure these applications have appropriate security controls, taking into consideration the type and complexity of the online services provided.
• 87. Penetration Testing
  • Conducted for a new system, particularly one offering internet accessibility and open network interfaces, using black-box and white-box techniques.
  • Complemented by a vulnerability assessment (VA) of the external and internal network components that support the new system.
  • VA should be conducted at least quarterly and PT at least yearly.
• 88. Other Types of Testing
  1. Identify information leakages
    • Sensitive information such as cryptographic keys, account and password details, system configurations and database connection strings should not be disclosed.
    • Potential sources of information leakage, such as verbose error messages and banners, hard-coded data, and file and directory operations, should be scrutinized for inappropriate information disclosure.
  2. Assess resiliency against input manipulation
    • The test should review all input validation routines and assess their effectiveness against known vulnerabilities.
• 89. Other Types of Testing (cont’d)
  3. Identify insecure programming practices
    • Use of vulnerable function calls
    • Inadequate memory management
    • Unchecked argument passing
    • Inadequate logging and comments
    • Use of relative paths
    • Logging of passwords and authentication credentials
    • Inappropriate access privilege assignment
• 90. Other Types of Testing (cont’d)
  4. Detect deviations from design specifications
    • Critical modules containing authentication and session management functions should be vetted for discrepancies between the code design and its implementation.
  5. Evaluate exception handling
    • Adequate controls should be in place to ensure that resulting errors do not allow users to bypass security checks or obtain core dumps.
    • Sufficient processing details should be logged at the source of the exception to assist problem diagnosis.
• 91. Other Types of Testing (cont’d)
  6. Evaluate cryptographic implementation
    • Only cryptographic modules based on authoritative standards and reputable protocols should be installed.
    • Functions involving cryptographic algorithms and crypto-key configurations must be vetted for deficiencies and loopholes.
    • Evaluate the choice of ciphers, key sizes, key exchange control protocols, hashing functions and random number generators.
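Several of the review items on slides 88 to 91 (hard-coded connection strings and verbose error output, vulnerable function calls, credentials written to logs, relative paths, swallowed exceptions, weak ciphers and hashes, short keys, non-cryptographic random numbers) are mechanical enough to be screened for before a human reviewer reads the code. The checker below is an added example written for this page, not a tool from the deck: the rule ids, the regular expressions, the 2048-bit minimum and the sample "login module" it scans are all constructed, and a real review would use a proper parser or SAST tool rather than line regexes.

```python
"""Added example (not from the deck): a minimal source-code review checker for
the defect classes on slides 88-91. Rule ids, patterns, the 2048-bit key policy
and the sample source are constructed for illustration."""
import re

MIN_RSA_BITS = 2048  # assumed policy minimum for RSA keys

# (rule id, slide topic, pattern, description)
RULES = [
    ("LEAK-001", "information leakage",
     re.compile(r'(?i)(password|secret|api_key|connection_string)\s*=\s*["\'][^"\']+["\']'),
     "hard-coded credential or connection string"),
    ("LEAK-002", "information leakage",
     re.compile(r'traceback\.format_exc\(\)|\bdebug\s*=\s*True\b'),
     "verbose error detail exposed to users"),
    ("PROG-001", "insecure programming practice",
     re.compile(r'\b(eval|exec|os\.system|pickle\.loads?)\s*\('),
     "vulnerable function call"),
    ("PROG-002", "insecure programming practice",
     re.compile(r'(?i)\blog(?:ging|ger)?\.\w+\(.*\b(password|passwd|token)\b'),
     "credential written to a log"),
    ("PROG-003", "insecure programming practice",
     re.compile(r'\bopen\(\s*["\'](?!/)[^"\']+["\']'),
     "relative path used for file access"),
    ("EXC-001", "exception handling",
     re.compile(r'\bexcept\b[^:]*:\s*(pass|return\s+True)\b'),
     "exception swallowed; a security check can be bypassed"),
    ("CRYPTO-001", "cryptographic implementation",
     re.compile(r'(?i)\b(md5|sha1|des|rc4)\b'),
     "weak or deprecated algorithm"),
    ("CRYPTO-002", "cryptographic implementation",
     re.compile(r'key_size\s*=\s*(\d+)'),
     "RSA key below policy minimum"),
    ("CRYPTO-003", "cryptographic implementation",
     re.compile(r'\brandom\.(random|randint|choice)\('),
     "non-cryptographic RNG used for a security value"),
]


def review_source(source):
    """Return one finding per (line, rule) hit, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, topic, pattern, desc in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if rule_id == "CRYPTO-002" and int(m.group(1)) >= MIN_RSA_BITS:
                continue  # key size meets policy, so not a finding
            findings.append({"id": rule_id, "line": lineno, "topic": topic,
                             "desc": desc, "code": line.strip()})
    return findings


def summarize(findings):
    """Count findings per slide topic so the report maps back to slides 88-91."""
    counts = {}
    for f in findings:
        counts[f["topic"]] = counts.get(f["topic"], 0) + 1
    return counts


# Constructed sample of an insecure login module (not real bank code)
SAMPLE_SOURCE = """\
import hashlib, logging, os, random
DB_CONNECTION_STRING = "postgres://app:Secr3t!@db.internal/bank"
def login(user, password, otp):
    logging.info("login attempt %s/%s", user, password)
    digest = hashlib.md5(password.encode()).hexdigest()
    with open("config/limits.json") as f:
        limits = f.read()
    try: verify_otp(user, otp)
    except Exception: pass
    session_token = random.randint(0, 999999)
    os.system("logger login-ok " + user)
    key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    ok_key = rsa.generate_private_key(public_exponent=65537, key_size=4096)
    app.run(debug=True)
    return session_token
"""

if __name__ == "__main__":
    hits = review_source(SAMPLE_SOURCE)
    for f in hits:
        print(f"{f['id']:<10} line {f['line']:>2}  {f['desc']}")
    print(summarize(hits))
```

Running it over the sample reports nine findings, one per defective line, and leaves the 4096-bit key alone; the per-topic summary is what a reviewer would carry into the report alongside the manual checks the slides call for (design-versus-implementation review, memory management, input validation), which a line-oriented screen cannot judge.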
• 92. Auditing Activities
• 93.
• 94. Conducting IT Risk Management
• 95. Definition of IT Risks
  • Any adverse outcome, damage, loss, disruption, violation, irregularity or failure arising from the use of or reliance on computer hardware, software, electronic devices, online networks and telecommunications systems.
  • Can also be associated with systems failures, processing errors, software defects, operating mistakes, hardware breakdowns, capacity deficiencies, network vulnerabilities, control weaknesses, security shortcomings, internal sabotage, espionage, malicious attacks, hacking incidents, fraudulent conduct and defective recovery capabilities.
• 96. Risk Management Framework
  • Identify, classify and assess (qualitatively and quantitatively) risks.
  • Develop a plan containing policies, practices and procedures addressing and controlling these risks.
  • Implement and regularly test the plan.
  • Monitor risks and plan effectiveness on a regular basis.
  • Update the plan periodically to take account of changes in technology, legal requirements and the business environment, including external and internal threats and security vulnerabilities.
• 97. IT Risk Assessment Frameworks
  • ISACA Risk IT
  • Information Security Risk Management for ISO 27001
  • CRAMM Information Security Toolkit
  • OCTAVE (Operationally Critical Threat, Asset, Vulnerability Evaluation)
• 98. ISACA Risk IT
  Complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
• 99. Risk Response
  • Avoidance: eliminate, withdraw from or do not become involved
  • Mitigate: reduce impact or probability
  • Transfer: outsource or insure
  • Accept: mostly due to very low impact/probability
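Slide 96 asks for both qualitative and quantitative assessment, and slide 99 names four responses. The register below is an added example for this page, not a method from the deck or from ISACA: it scores each risk on a 5x5 likelihood/impact matrix, computes single and annualised loss expectancy (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence), and picks a response by comparing the ALE against a risk appetite, the cost of a control, and an insurance premium. The risks, monetary values, control costs, premiums and the 10,000 appetite are constructed figures.

```python
"""Added example (not from the deck): a small risk register that assesses risks
qualitatively (5x5 matrix) and quantitatively (SLE/ALE) and selects one of the
slide 99 responses. All figures are constructed for illustration."""
from dataclasses import dataclass

RISK_APPETITE = 10_000  # assumed: annual expected loss the bank tolerates untreated


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset exposed
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualised rate of occurrence
    likelihood: int         # qualitative 1..5
    impact: int             # qualitative 1..5

    def sle(self):  # single loss expectancy
        return self.asset_value * self.exposure_factor

    def ale(self):  # annualised loss expectancy
        return self.sle() * self.aro

    def band(self):  # qualitative 5x5 matrix band
        score = self.likelihood * self.impact
        return "high" if score >= 15 else "medium" if score >= 8 else "low"


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_aro: float  # rate of occurrence once the control is in place


def choose_response(risk, control=None, premium=None, appetite=RISK_APPETITE):
    """Pick accept / mitigate / transfer / avoid (slide 99) from the numbers."""
    ale = risk.ale()
    base = {"risk": risk.name, "band": risk.band(), "ale": ale}
    if risk.band() == "low" and ale <= appetite:
        return {**base, "response": "accept", "annual_cost": 0.0, "rosi": None}
    options = []
    if control is not None:
        saved = ale - risk.sle() * control.residual_aro
        if saved > control.annual_cost:  # positive return on security investment
            rosi = round((saved - control.annual_cost) / control.annual_cost, 3)
            options.append(("mitigate", control.annual_cost, rosi))
    if premium is not None and premium < ale:
        options.append(("transfer", premium, round((ale - premium) / premium, 3)))
    if not options:  # nothing cost-effective reduces or shifts the loss: withdraw
        return {**base, "response": "avoid", "annual_cost": 0.0, "rosi": None}
    response, cost, rosi = min(options, key=lambda o: o[1])  # cheapest effective option
    return {**base, "response": response, "annual_cost": cost, "rosi": rosi}


# Constructed register entries: (risk, candidate control, insurance premium)
REGISTER = [
    (Risk("Phishing-driven account takeover", 2_000_000, 0.05, 4, 5, 4),
     Control("Transaction-signing 2FA", 120_000, 0.5), 500_000),
    (Risk("DDoS outage of web channel", 500_000, 0.2, 1, 3, 3),
     Control("DDoS scrubbing service", 150_000, 0.1), 60_000),
    (Risk("Defacement of marketing microsite", 50_000, 0.1, 0.5, 2, 1), None, None),
    (Risk("Unsupported legacy OS on teller PCs", 1_000_000, 0.5, 2, 4, 5),
     Control("Vendor extended support", 900_000, 1.5), None),
]


def assess_register():
    return [choose_response(r, c, p) for r, c, p in REGISTER]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['risk']:<40} {row['band']:<6} ALE={row['ale']:>12,.0f}  -> {row['response']}")
```

With these figures the account-takeover risk is mitigated (the control saves 350,000 a year against a 120,000 cost), the DDoS risk is transferred because the scrubbing service costs more than it saves while the premium does not, the microsite defacement sits inside appetite and is accepted, and the legacy OS risk is avoided because no option on the table is cost-effective.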
• 100. Cybersecurity Risks
• 101. Cybersecurity Risks
  Q: Are you more concerned or less concerned about cybersecurity threats posed to your organization this year (2015) than those you encountered the previous year (2014)?
  Q: Please estimate the total monetary value of losses your organization sustained due to cybercrime and advanced persistent threats during the past 12 months, including those costs associated with resolving all issues associated with the incident.
  Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
• 102. Cybersecurity Risks: Major Attention
  Q: To address cyber-risks, are your investments and spending focused on:
  • New technologies: Enterprise (1,000+) 49%, SMB (<1,000) 45%
  • Audits & assessments: Enterprise 44%, SMB 35%
  • New skills & capabilities: Enterprise 32%, SMB 35%
  • Redesign cybersecurity strategy: Enterprise 17%, SMB 30%
  • Redesigning processes: Enterprise 14%, SMB 16%
  • Participating in knowledge sharing: Enterprise 11%, SMB 18%
  Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
• 103. Supply Chains at Risk; Need C-Suite Attention
  Q: Please identify all areas where you consider supply chain/business ecosystem risks.
  Chart values, in order: 62%, 57%, 52%, 42%, 40%, 23%. Areas: Third-party vendors; Contractors; Software Suppliers; Procurements; Assessment of business ecosystem risks.
  Q: On average, how often do you evaluate the security of supply chain/business ecosystem partners with which you share data or network access?
  Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
• 104. Confidence in Security Solutions Varies
  Q: How effective do you consider each of the following technologies in place in your organization in detecting and/or countering security events? (Very effective / Somewhat effective / Not very effective / Not at all effective)
  5 most effective solutions (chart values 86%, 82%, 76%, 74%, 76%): Firewalls; SPAM filtering; Electronic access control systems; Network-based anti-virus; Access controls
  5 least effective solutions (chart values 17%, 17%, 18%, 19%, 32%): Manual patch management; Change control/configuration management systems; Wireless monitoring; Automated patch management; Video surveillance
  Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University
• 105. Indonesia Case: Check These Facts Out
  Security threat reports and Symantec say:
  • 36.6 million cyber attacks (35% from outside, the rest from inside the country) from 2012 to 2014.
  • 497 cyber crime cases from 2012 to April 2015, with 389 involving foreigners and 108 local citizens.
  • Fake bank accounts, money laundering, artificial LC documents, camouflage posting.
  • Accounts for 4.1% of the world's cyber crimes.
  • The highest percentage of PCs infected by malware across the globe.
  The government CSIRT says:
  • 60% of government domains encountered web defacements and 36% were infected by malware.
• 106. Indonesia Case: Check These Facts Out (cont’d)
  • According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
  • Yet the figures for Indonesia are unknown.
  • DAKA Advisory estimates around USD 2.3bn for 2013, by multiplying the number of victims by the cost per victim.
  • Of the Ministry of Communication and IT’s total budget of USD 500m, 1% is allocated to cyber security.
• 107. Indonesia: Estimated Cyber Crime Costs
  • DAKA Advisory figures from 2011 to 2013
• 108. Putting Them into Global Context
  • DAKA Advisory figures for 2013
• 109. How the Indonesian Government Responds
  • Telecommunications Act No. 36/1999, focused briefly on telecommunications infrastructure; not the internet in particular.
  • Electronic Information and Transactions Act No. 11/2008, for legal enforcement against cyber crime.
  • Copyright Act No. 19/2002.
  • Pornography Act No. 44/2008.
  • Electronic System Provider and Electronic Transaction Regulation No. 82/2012.
• 110. Factors to Overcome
  • 111. Duration to Initiate an Investigation on Incidents 33% 4% 13% 13% 25% 12% Unknown Longer than 1 day Within 1 day Within 4 hours Within 1 hour Within 10 minutes Respondents were asked to choose one. Managing IT Risks in Internet Banking 111November 2015
  • 112. Cybersecurity not Aligned to The Business In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business. Managing IT Risks in Internet Banking Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards. 2013 2104 Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease. 2013 2104 Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%. 112November 2015
  • 113. Cybersecurity not Meeting Organization Needs Respondents were asked to choose one. 9% 20% 24% 31% 16% We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response, escalation and prediction of attacks We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have an informal response and escalation processes in place We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation We do not have a detection program Managing IT Risks in Internet Banking 113November 2015
  • 114. External Parties Protecting Our Organization’s Information? 13% 8% 24% 34% 27% 27% 27% 56% No reviews or assessments performed Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes) Only critical or high-risk third parties are assessed Self-assessments or other certifications performed by partners, vendors or contractors Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402) Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated All third parties are risk-rated and appropriate diligence is applied Assessments performed by your organization’s information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing) Respondents were asked to choose all that apply. Managing IT Risks in Internet Banking 114November 2015
  • 115. How to Counter Managing IT Risks in Internet Banking 115November 2015
  • 116. InfoSec Leadership Is Inevitable • Information Security Strategic Plan (including Cyber Security domain). • Information Security Policies, Procedures, Guidelines, Framework and Standards. • IT/Information Security personnel (the higher the better) who reports directly to organizational leadership. • Regular monitoring and controlling activities through measurement and review process. • Understanding past security and planning for future security events. • Governance, Risk, Legal and Compliance (no longer Ops- focused). 116Managing IT Risks in Internet BankingNovember 2015
  • 117. Where is InfoSec Role? Quoting Security Expert Elliott Franklin in the US (2012): • 53% of CISOs now report to C-level execs • 74% of CISOs struggled to balance strategy and operations in 2012 • 32% of CISO cover both Information and Physical Security “If I need to do strategic planning, I need to come in during the weekends because ops takes 100% of my time” In 2014 EMC says across the globe 60% of IT function working time allocated for Operation. 117Managing IT Risks in Internet BankingNovember 2015
  • 118. CCSO (?) 118 Image courtesy of Mark E. S. Bernard Managing IT Risks in Internet BankingNovember 2015
  • 119. InfoSec Strategic Plan Key Factors • Determine the direction of the business • Vision A descriptive picture of a desired future state “Where do we want to be?” • Objectives High-level achievement “Improve customer loyalty” “Grow market share”  Goals Anything that is measured to help fulfill an objective • Understand security's current position – What do we do? – For whom do we do it? – How do we excel? 119 Source: Forrester’s Building A Strategic Security Program And Organization (2013) Managing IT Risks in Internet BankingNovember 2015
• 120. InfoSec Strategic Plan Key Factors (cont’d)
  • Strategies: the actions we implement on a day-to-day basis to achieve our objectives
  • Projects: the concrete actions a business takes to execute its strategic plan
  • Capabilities: an organization’s ability, by virtue of its IT assets, to create business value
• 121. (Diagram) Credit: ESET – Cyber Security road map for businesses (2013).
• 122. Take a Look at This Example (Diagram) Credit: ESET – Cyber Security road map for businesses (2013).
• 123. InfoSec Control Frameworks
• 124. InfoSec Standards: ISO/IEC 27001
  Specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its requirements and Annex A controls (with best-practice implementation guidance in the companion ISO/IEC 27002) cover:
  • Risk assessment
  • Security policy
  • Asset management
  • Physical/environmental security
  • Access control
  • And many others
• 125. By Utilizing Such a Framework and Standard
  • Reduce complexity of activities and processes
  • Deliver better understanding of information security
  • Attain cost-effectiveness in managing privacy and security
  • Enhance user satisfaction with the arrangements and outcomes
  • Improve integration of information security
• 126. By Utilizing Such a Framework and Standard (cont’d)
  • Inform risk decisions and risk awareness
  • Enhance prevention, detection and recovery
  • Reduce probability and impact of security incidents
  • Leverage support for organization innovation and competitiveness
• 127. IIA Three Lines of Defense (3LoD) (Image courtesy of IIA Global Advocacy Platform)
• 128. Incident Response Plan Is Very Basic
  • Objectives
    – Respond to events and customers' concerns
    – Rapidly and effectively address disclosures
  • Types of incidents
    – Intentional
    – Unintentional
  • References
    – NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide)
    – SANS Incident Handler's Handbook
• 129. Organization Culture
  • What do your executives expect from security?
  • If not GRLC (Governance, Risk, Legal and Compliance), then the focus stays on operations
  • Build trust and demonstrate value
  • Reporting inside or outside IT?
  • Centralized or decentralized?
• 130. Controls to Enforce Policies
  • “Log access to data, information and transactions by unique identifier” requires log management or a SIEM.
  • “Limit access to specific data to specific individuals” requires unique per-user system accounts (username and password), not shared logins.
  • “Sensitive data shall not be emailed outside the organization” requires DLP or an email encryption system.
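The three policies above are only enforceable if the logs actually carry a unique user identifier and the data/user allow list is written down somewhere a check can read it. The following script is an added example, not code from the deck or its author: it runs a small policy audit over constructed JSON access-log lines and flags events that a SIEM rule set for these policies would flag. The user names, data-set names, internal domain and log lines are all hypothetical.

```python
"""Policy checks over constructed access-log lines (added example, not from the deck).

Flags three kinds of policy violation:
  * an event with a missing or shared/generic user id  -> "log by unique identifier"
  * access to a sensitive data set by a user who is not on its allow list
                                                        -> "limit access to specific individuals"
  * an outbound e-mail event carrying sensitive data    -> "no sensitive data e-mailed outside"
"""
import json
from typing import Dict, List, Set

# Hypothetical allow list: which named individuals may touch which sensitive data set.
ALLOW_LIST: Dict[str, Set[str]] = {
    "customer_pii": {"andi", "budi"},
    "tx_ledger": {"budi", "citra"},
}

# Shared or generic accounts defeat attribution to one individual (hypothetical names).
GENERIC_ACCOUNTS: Set[str] = {"admin", "root", "svc_app", "shared", ""}

# Mail domains considered inside the organization (hypothetical).
INTERNAL_DOMAINS: Set[str] = {"bank.example"}

# Constructed sample log, one JSON object per line; not real data.
SAMPLE_LOG = """\
{"ts":"2015-11-03T09:00:01","user":"andi","action":"read","object":"customer_pii"}
{"ts":"2015-11-03T09:00:05","user":"admin","action":"read","object":"customer_pii"}
{"ts":"2015-11-03T09:01:10","user":"dewi","action":"read","object":"tx_ledger"}
{"ts":"2015-11-03T09:02:00","user":"budi","action":"email","to":"partner@vendor.example","classification":"sensitive"}
{"ts":"2015-11-03T09:02:30","user":"citra","action":"email","to":"ops@bank.example","classification":"sensitive"}
{"ts":"2015-11-03T09:03:00","action":"read","object":"tx_ledger"}
"""


def check_event(ev: dict) -> List[str]:
    """Return the list of policy findings for one parsed log event (empty if compliant)."""
    findings: List[str] = []
    user = ev.get("user", "")

    # Policy 1: every access must be attributable to a unique, named individual.
    if user in GENERIC_ACCOUNTS:
        findings.append(f"unattributable access (user={user!r})")

    # Policy 2: sensitive data sets are restricted to the individuals on their allow list.
    obj = ev.get("object")
    if obj in ALLOW_LIST and user not in ALLOW_LIST[obj]:
        findings.append(f"{user!r} not permitted on {obj}")

    # Policy 3: sensitive classification may not leave the organization's mail domains.
    if ev.get("action") == "email" and ev.get("classification") == "sensitive":
        recipient = ev.get("to", "")
        domain = recipient.rpartition("@")[2].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append(f"sensitive data mailed outside org (to={recipient})")

    return findings


def audit(log_text: str) -> List[dict]:
    """Parse each line of a JSON-per-line log and collect events with findings."""
    results: List[dict] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # An unparseable line is itself a finding: the control cannot see the event.
            results.append({"line": lineno, "user": "", "findings": ["unparseable log line"]})
            continue
        found = check_event(ev)
        if found:
            results.append({"line": lineno, "user": ev.get("user", ""), "findings": found})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f"line {r['line']:>2} user={r['user']!r}: " + "; ".join(r["findings"]))
```

On the constructed sample, lines 2 (shared `admin` account, also not on the `customer_pii` allow list), 3 (`dewi` reading `tx_ledger`), 4 (sensitive mail to an external domain) and 6 (no user id at all) are flagged; lines 1 and 5 are compliant. The point for the policy owner is the first two checks: without per-user accounts and a user field in every event, neither the logging policy nor the access-limiting policy can be verified after the fact.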
• 131. Educate, Educate, Educate
  • Our security stakeholders: employees, executives, partners, suppliers, vendors
  • What are our policies?
  • How to comply?
  • Consequences of failure to comply
• 132. Monitoring and Controlling
  • Assessment
  • Review
  • Audit
  • Monitor change control
  • New vendor relationships
  • Marketing initiatives
  • Employee terminations
• 133. Simplest Ways of Prevention
  • Disable and log off a specific user account to prevent further access.
  • Disable and log off a group of user accounts that access a particular service under attack.
  • Disable and dismount specific (network) devices, for instance disk devices that are being swamped.
  • Disable specific applications, for example an e-mail system subjected to a spam attack.
  • Close down an entire system and divert processing to an alternative or backup service on a secondary network.
• 134. Simplest Tips of Controls
  • Use antivirus software.
  • Install firewalls.
  • Uninstall unnecessary software.
  • Maintain backups.
  • Check security settings.
  • Stay anonymous: choose a genderless screen name.
  • Never give your full name or address to strangers.
  • Learn more about Internet privacy.
• 135. Thank You! (Image: WallsRoyal)