Cybercrime
Outlook on African banks
Adwo Heintjes
Global Head IT Audit & Ops, Rabobank
Agenda
• What is Cybercrime and Cybersecurity?
• Trends
• Impact on African banks
• What is needed?
• Questions for the board room
Cybercrime and Cybersecurity
• Cybercrime: unlawful acts in which the computer is either a tool or a target, or both
• Cybersecurity: combines people, processes, and technology to continually monitor vulnerabilities and respond proactively to secure an organization’s assets
Cybercrime and Cybersecurity
• Damage with respect to:
• Confidentiality
• Integrity
• Availability
• Losses/what is at stake:
• Financial
• Regulatory
• Reputational
Trends
• Everybody is a target
• Easy to get into
• Lots of money to be made
• Small chance of being caught
• Ever increasing and expanding
• Moving from desktop computers into the smartphone arena
• Cyber crime is here to stay!
Attacks are increasingly easy to conduct
[Figure: timeline 1990 to 2011 plotting attack sophistication (rising) against the skill level needed by attackers (falling). Labelled milestones on the chart: email propagation of malicious code; “stealth”/advanced scanning techniques; widespread attacks using NNTP to distribute attack; widespread attacks on DNS infrastructure; executable code attacks (against browsers); automated widespread attacks; GUI intruder tools; hijacking sessions; Internet social engineering attacks; packet spoofing; automated probes/scans; widespread denial-of-service attacks; techniques to analyze code for vulnerabilities without source code; DDoS attacks; increase in worms; sophisticated command and control; anti-forensic techniques; home users targeted; distributed attack tools; increase in wide-scale Trojan horse distribution; Windows-based remote controllable Trojans (Back Orifice).]
Spy Eye screenshots
Impact on African banks
• Dependency on IT is a fact
• Cyber crime is in infancy stage
• https://spyeyetracker.abuse.ch/
• https://zeustracker.abuse.ch/
• Internet banking almost non-existent
• Skimming attempts and gas attacks are moderate
• Fraud with mobile banking based on social engineering
• Mobile banking the way forward for hackers
• Penetration of smartphones will be the turning point
Impact on African banks
• Connection to international payment networks will massively increase risk
• Banks launch new products rapidly
• Need to get ready now
What is needed?
• Improvement needed in:
• people
• process
• technology
What is needed?
• People
• Get people in with the right skill set
• Employ a Chief Security Officer
• Educate your employees
• Educate your customers
What is needed?
• Processes
• Implement security policies
• Perform risk analysis with respect to IT
• Manage residual risk
• Move from active to proactive
What is needed?
• Technology
• Invest in securing network and internet connectivity
• Buy software to help automate checking compliance with security baselines
• Hire outside contractors to monitor for threats and attacks aimed at your bank
Questions for the board room
• What are the top-5 IT risks?
• How are they being managed?
• How serious is the threat of cyber crime?
• How is management dealing with that?
• Who is responsible for managing IT risk?
• How are these risks reported on?
• What action plans are drafted/followed?
• How is progress monitored?
Questions for the board room
• What were the latest security incidents?
• How is management dealing with these?
• Is card skimming a problem? Will it be?
• Are gas attacks on ATMs a problem?
• Does the bank have a CERT team?
• Is the SMS services provider at the right security level?
Actions/shopping list
1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO and CSO should report independently to senior management.
3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, CIO, CSO, CRO, and business line executives.
4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
Actions/shopping list
5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.
8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
9. Require regular reports from senior management on privacy and security risks.
Actions/shopping list
10. Require annual board review of budgets for privacy and security risk management.
11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.