Top IT Security risks and challenges
Presentation to East African Information Security Conference, 13th August 2013
Gideon Twesigye, CISA, Internal audit manager, KCB Bank Uganda LTD

Presentation overview
– Banking industry overview
– Trends molding IT Security risk in the banking sector
– Common IT attacks witnessed
– Challenges
Banking Uganda – Environment
– 26 banks serving a banked population estimated at 5 Million (2009 estimate), i.e. 16% of the population in that year
– Over 500 bank branches in the country, around 600 installed ATMs
– Required minimum core capital set at UGX 25M for banks to operate
– Regulated by the Central Bank of Uganda (BOU)
– Bank services primarily concentrated in Kampala and established urban centers, e.g. Mbarara, Mbale, Jinja, Arua, Masaka, etc.
– Increasing competition for business from non-traditional financial service providers like microfinance institutions, SACCOs and mobile telecoms

Banking Uganda – Environment
– Increasingly investing in automated service delivery models: core banking solution acquisitions/upgrades, and investments in self-service channel delivery innovations (ATM capability expansion, e-banking, m-banking)
– Collaborations with other service delivery organizations in delivering automated payment solutions:
– E-tax (URA)
– E-Water (NWSC)
– Pay TV (DSTV)
– E-Banking & Mobile Money service integration
Risk molding trends
Trends – the social networking explosion
Innovations in interactivity and communication styles are altering old traditional IT security assumptions:
– The rapid transition from the exclusive BlackBerry to ubiquitous smartphones and computing tablets with the capacity to interface with corporate networks
– ‘Evolution’ from e-mails to real-time online communication on social networks (Facebook, Twitter, YouTube, Instagram, LinkedIn, g+, news blogging) in various media (video, data, image)
Implications
– Bad press circulates much faster
– Increased interactions with the outside world involve connectivity that has to be accounted for in network security strategies
– IP (intellectual property) is easier to sneak out of the organization
Trends – Geopolitics
Information security has attained geopolitical significance
Other illustrations
– A hack on Estonia by Russian hackers, following the removal of a WWII monument honoring a Russian soldier, virtually crippled the country’s financial sector, which is highly e-based
– A ‘suspected’ US-Israel spy program attacked an Iranian nuclear facility, damaging key equipment while spying on operators as they worked. This delayed the country’s progress on its nuclear program
– The Red October espionage ‘virus’, detected by Kaspersky in 2012, had targeted diplomatic, governmental and scientific research organizations in several countries for the previous five years – including UGANDA
– And then there are the hacktivists

Trends – Geopolitics
Implications
– Increased compliance workload in meeting security specifications to prove due diligence in anti-money laundering/espionage. National governments are more interested not only in knowing what is happening in IT
– Increased burden of establishing disaster recovery and business continuity over more distributed networks
Trends – the ‘Tech’ edge
Harnessing the e-infrastructure has become a national competitiveness imperative
“… innovations in Information and Communication Technology, Science and Technology are no longer an option in today’s global competitive economic environment” – Maria Kiwanuka, Finance Minister Uganda, National Budget 2013/2014 speech

Trends – the ‘Tech’ edge
Technology developments in G2C e-initiatives
– URA eTax developments
– Utility company interfaces with banking and mobile money services
– Government process automation and integration (IFMS, Lands system, Integrated Payroll system, etc.)
Implications
– National-level efforts to standardize laws, policies, procedures, standards and guidelines on information security, affecting business compliance. New interdependencies between government, citizens and private businesses heighten the ‘CIA’ (confidentiality, integrity, availability) expectations on information
– Vulnerabilities at the third-party end of interfaces could result in exposure of banking systems
Trends – Hacking demystified
Opportunists are waiting in the wings to capitalize on network vulnerabilities
– Scale of computer cybercrime – 1.5 million victims daily
– Global price tag of computer cybercrime – USD 110BN annually
– Changing face – goes social and mobile
(2012 Norton Cybercrime report)
Uganda??
– Increased record of electronic-based frauds during 2011, 2012 and 2013: ATM and electronic payment card skimming; child pornography; hacking; mobile money frauds

Trends – Hacking demystified
And it is not that hard to do – the tools are readily available and FREE

Trends – Hacking demystified
Implications
– The threat is no longer limited to only IT staff. Not all the tools are IT in nature (social engineering, ‘dumpster diving’)
– IT knowledge is no longer limited to those who have specially trained for it (most hackers are hobbyists who believe they know more than the IT guys)
Trends – The trusted insider
– Over 70% of all reported fraud cases in the industry during F/Y 2012 were perpetrated either directly by insiders or with their involvement
– External hackers have correctly identified money as a motivation for getting insiders to leak them information – or to simply plant that key logger and get it back to them, skim ATM cards with a hand-held skimmer and return the data to them, etc.
– The tendency still leans towards affording insiders more freedoms on internal networks, sometimes on the pretext that doing so speeds up service delivery
– Segregation-of-duties conflicts arise, offering a single user the opportunity to input and authorize transactions, install unauthorized software on a domain PC, etc.
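The segregation-of-duties conflict described on this slide (one user both inputting and authorizing a transaction) can be detected mechanically from transaction records. The script below is an added example, not material from the presentation or from KCB: it scans a constructed sample of maker-checker records, flags self-authorized transactions (with a separate high-value list), and also lists users who have exercised both roles across different transactions, which is the conflicting-rights condition an auditor would raise even where no single transaction was self-authorized. The field layout, user names and amounts are assumptions.

```python
# Added example: detect maker-checker (segregation of duties) violations in a
# constructed sample of transaction records. The CSV layout and names below are
# assumed for illustration and do not come from any real core banking system.
from collections import defaultdict

# Constructed sample: transaction id, amount (UGX), inputter (maker), authorizer (checker).
SAMPLE_LOG = """\
TXN1001,2500000,jdoe,amusoke
TXN1002,18000000,pokello,pokello
TXN1003,700000,amusoke,jdoe
TXN1004,45000000,jdoe,jdoe
TXN1005,120000,tnamara,pokello
"""

def parse_log(text):
    """Parse comma-separated lines into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        txn_id, amount, inputter, authorizer = line.split(",")
        records.append({"id": txn_id, "amount": int(amount),
                        "inputter": inputter, "authorizer": authorizer})
    return records

def self_authorized(records):
    """Ids of transactions where the maker also acted as checker."""
    return [r["id"] for r in records if r["inputter"] == r["authorizer"]]

def dual_role_users(records):
    """Users who have acted as both inputter and authorizer on any transaction:
    they hold conflicting rights even if each individual transaction looked fine."""
    roles = defaultdict(set)
    for r in records:
        roles[r["inputter"]].add("input")
        roles[r["authorizer"]].add("authorize")
    return sorted(u for u, rs in roles.items() if rs == {"input", "authorize"})

def sod_report(text, threshold=20_000_000):
    """Summarise violations; self-authorized items at or above threshold are listed separately."""
    records = parse_log(text)
    violations = self_authorized(records)
    high_value = [r["id"] for r in records
                  if r["id"] in violations and r["amount"] >= threshold]
    return {"self_authorized": violations,
            "high_value_self_authorized": high_value,
            "dual_role_users": dual_role_users(records)}

if __name__ == "__main__":
    print(sod_report(SAMPLE_LOG))
```

In the sample, amusoke never self-authorizes a transaction but still appears in the dual-role list, which is the finding the per-transaction check alone would miss.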
Active attacks witnessed
Attacks witnessed in the market
– Electronic card skimming (read about the smashed Bulgarian ring in the news?)
– Password theft (using key loggers and social engineering tactics)
– Hacking
– Phishing (particularly of concern for banks on the internet banking service delivery channel)
– Botnets*
IT frauds in the banking industry resulted in over UGX 1BN loss in FY 2012!!!
Meeting the threat - challenges
Challenges – Optimizing IT security governance
“A lot of business executives who are not IT-savvy will toss the problem over to the IT side even though most IT projects are really business projects. Instead, the executives need to engage IT through a governance model, whether it’s an IT steering committee or an IT governance board. You need the executives to jointly drive what they need from IT so that they can do the give and take that is necessary when there isn’t enough money to get everything done.”
– CIO, IT Services (extracted from Infotech research group – Establishing an Effective IT Steering Committee)
Challenges – Optimizing IT security governance
IT on the governance agenda
– Not common to find constituted IT steering committees at board and senior management levels (improving though)
IT security risk management
– The overall enterprise risk management discipline is still gaining traction in the banking sector. Significant gains have been made, but it’s still a work in progress
– IT security risk is still approached in a silo – usually not sufficiently tied to other business risks and assessed along with them
– Data classification is still a challenge
– Policies are usually copied from other institutions and customized, but not against a risk assessment conducted by the individual bank

Challenges – Enhancing team competencies
Significant reliance is still being placed on IT teams to manage information security
– Not many in the current market have specialized in information security management
– Creates a situation of the guardians guarding themselves
– IT still does not talk ‘business’ very well
Banks have only recently begun to include security auditing competencies on their teams

Challenges – Identifying reliable partners
Informing and skilling existing teams still remains the key need banks seek from third-party IT security service providers
– Currently no consistent source of information on IT security risk statistics and benchmarks specific to East Africa
– Service providers (e.g. external audit) do not readily share custom audit tools and programs with internal audit teams or IT security teams
– Limited availability of licensed partners to provide and support some of the more established data security software and/or training and certification programs
– Until recently (ISACA and NITA), there have been few authorities close to home providing ‘best practice’ standards and guidance applicable to the entire industry
Or is it perhaps that banks have not known what to ask for…?