From compliance to customer-centric security!

Compliance centric security can be a good starting point for organization however it’s not an answer to

today’s cyber security challenges. Regulatory standards are bound to best practices and unfortunately, most businesses invent ways to show compliance towards standards and regulators. Banks and other organizations in Pakistan are no exception. Regulatory risks are addressed well but when it comes to advanced cyber threats, a situation is hazy.

Customer trust is a key to success in today’s fast-paced business environment.

In recent days, we witnessed that regulatory compliance has little value when it comes to reputations, customer trust and national security affairs. As the name implies, the prime target of compliance based security is to comply and it mostly happens by cutting corners, such as

1. Assigning CISO role to someone seasoned, but a security professional.
2. Finding & patching vulnerabilities to comply instead of security by design.    

As expected, right after the incident started to get attention on social media, all victim banks have assured their customer, however, SBP notifications, Symantec and US-CERT (HIDDEN COBRA – fast cash Campaign) hint different story. This situation may be a result of any of below, whatever is the reason, it’s a security breach and responsibility lies with banks to secure its customers.

1. Compromise on bank infrastructure itself (by APT’s like HIDDEN COBRA) or
2. Compromise of e-commerce merchants who are authorized by banks to collect/transmit card data during e-transactions.

3. Skimming attack on ATM, fuel stations and other POS merchants.
4. Customer end phishing to harvest card details during online shopping.

Advanced attacks are rarely involved in publishing their campaigns rather these are rolled back once discovered. Publishing of card details on the dark web may refer to breaches related to 2, 3, and 4.

Thousands of cards have been available on the dark web from all over the world for more than one decade now, however, there is a notable surge in numbers due to the corresponding increase in the e-commerce business.

Must Read: Cyber Security and Pakistani Financial Institutions – Must Win Battles

A report published on INSIGHTS suggests that there is 135% increase in bank data for sale on black markets. Direct loss of money may be small and insurance may allow banks to pay back customer however reputational damage may not be that simple. Linking presence of cards data on the dark web with LAZARUS group needs more analysis by banks. Let’s leave impact assessment for self-analysis by banks and see how we can help our institutions as a mature community.

Cyber security has shifted from technology to warfare in the recent past, traditional security norms can be improved to fight traditional threats only. Advanced threats require a fundamental shift in security strategies as threats have evolved from hackers to contractors and nation states which are pretty advanced, persistent, very well organized and usually leverage outsourcing/reusability.

Such attacks take advantage of

1. Trusts based models used in current systems (like internal systems and flows are usually considered trusted).

2. The fact that adversaries develop a far better understanding of information systems of the victim organizations.

3. Lack of well-architected security of infrastructure and systems.

To keep pace with cyber security, organizations need to focus on its top threats with respect to its ecosystem, in the case of the financial sector.

1. Innocent fraudsters which become active on festivals to raise some money, these may be handled with tactical security measures.

2. Organized groups (which are apparently behind this wave) usually raise funds for their motivation and require a more disciplined security program.

3. Intelligence agencies have bigger interest to monitor state-level affairs. For our region, business deals related to CPEC and surveillance around terrorism financing has also become an area of concern. This is a real warfare and will require a very mature security program and consistency

in efforts.

Prioritizing security as a strategic business enabler is a key to success

1. A clear strategy with a solid security program focused on your top threats.
2. Building and maintaining a dependable architecture that can combat your top threats.
3. Know yourself better than your enemies (can you protect your house or country borders if you are unaware of its whereabouts?

Security is a set of attributes that will never happen by chance, it needs to be built very carefully. Cyber security is a complex problem! How do you eat an elephant? One bite at a time, start with basics and build gradually in small steps.

1. Harden all systems and ensure its maintained over time.
2. Apply two-factor authentications for card transactions (like the PIN) and critical application (like switch application).

3. Encryption of sensitive data at rest and in transit, secure keys/ certificates.
4. Effective security awareness for customers and targeted awareness for all tier of the organization.
5. Monitor your systems for abnormal behavior.
6. The dividing system in security domains, apply segmentation and whitelisting at the granular level.
7. Establish a security-aware operating model to make sure your efforts don’t erode as incidents are minimized.

Let’s work together as a responsible security community to help ourselves!

About the Author:

TauseefAslam is a Cyber Security Professional holding 15+ years of cyber security experience with prominent public and private sector organizations in senior roles. He is an active volunteer in cybersecurity associations of Pakistan and key holding position in Cloud security Alliance PK chapter.