Emerging trends and challenges in cyber security

1. Introduction

India has seen a series of significant and unprecedented events during the last one year, which have brought the issue of cyber security for the Indian banking sector to the fore like never before. The most significant factor in this regard has been the ongoing initiative of the Government of India, through its flagship Digital India programme ¹ , with a vision to transform India into a digitally empowered society and knowledge economy. The sharp rise in value and volume of digital transactions which touched record levels in March 2017 manifests the accelerated shift towards electronic payments. ² The continued increase in penetration of inclusive banking through the Pradhan Mantri Jan Dhan Yojana (PMJDY) with the total number of accounts crossing 29.18 crore ³ , brought the uninitiated and new users into the fold of banking services.

The risk issues and incidents also made their presence felt. Two of the major events included the compromise of the SWIFT payment application in a major bank and subsequent large value fraudulent fund transfer ⁴ and the large scale compromise of debit cards of multiple banks, via an advanced and persistent attack on a payment processor ⁵ . These raised the bar on the impact of cyber attacks, like never before.

With digitization, India is embarking its journey towards digital economy. Digitization brings unmatched functionalities, coverage and usability for the large Indian population. However, as famously stated by Nicholas Carr ⁶ , “When a resource becomes essential to competition but inconsequential to strategy, the risks it creates become more important than the advantages it provides.” Cyber risk now ranks among the existential risks for Indian banks and it is important that the decision makers treat it as such, if the fruits of digitization have to be reaped and distributed to the Indian citizens.

2. Technology Landscape

The pace of digitization of financial transactions in India continues to gather pace. It is estimated ⁷ that noncash payment transactions, which today constitute 22 percent of all consumer payments, will overtake cash transactions by 2023. It is estimated that the total payments conducted via digital payment instruments will be in the range of USD 500 billion by 2020, which is approximately 10 times of current levels. The technology infrastructure continues to build up, with 100 crore mobile connections in the country, of which 24 crore are of smartphone users. The number of smartphones is expected to increase to 52 crore by 2020. Around 90 percent of all devices are internet enabled and the number of internet users is set to double to nearly 650 million by 2020 from the erstwhile 300 million in 2015.

Meanwhile, the Aadhaar enrolments continue to reach saturation levels, with two states already reporting 100% coverage. ⁸ This has significant implications for KYC simplification, but also in further proliferation of services like Aadhaar Enabled Payment System (AEPS). ⁹ As mentioned earlier, the PMJDY accounts extended the financial inclusion agenda, with almost 18 crore accounts being in semi-urban/rural areas. It needs to be kept in mind that most of these account holders will be new to the banking processes and the technology infrastructure underlying it, making them vulnerable to social engineering and other cyber attacks.

An important factor in the exciting growth of the payment ecosystem was Indian FinTech companies, which are scaling up in number and sophistication. These companies are likely to leverage technology and establish interfaces with banks and the Aadhaar database. Some of the active areas include payment systems, peer to peer and cross border transactions as well as mobile PoS processing; robo-advisory and brokerage for personal finance management; crowd-funding, P2P lending, alternative lenders and market places; and credit scoring, analytics and risk management.

These new applications are expected to introduce complexities in the interfaces between systems, which could present cyber vulnerabilities, and data security issues. Moreover, as FinTech companies embark on data based differentiation, the issues of data privacy and customer protection will become increasingly important. FinTech companies will not only have access to sensitive financial information about customers, but are likely to collect personal customer information in their quest to know more about the customer. Interfaces and APIs that facilitate seamless data hops with multiple applications may also be most vulnerable and create prospects for malware propagation, in case of cyber-attacks. Developing strong defense mechanisms and procedures to address these concerns will be an imperative for the FinTech sector, just the way it is for incumbent banks and financial institutions.

People are increasingly making their personal information available publically. Today there is an unprecedented amount of personal data available with Government and private sector players. Digital India, Aadhaar and the telecom initiatives have added to the already growing pool of personal data with various public and private players to pursue their activities. Lack of understanding of the security and privacy implications may have already resulted in exposure of large amount of data. ^{10 11}

Publically available personal sensitive information can pose a risk for Indians because the majority of the population are digital immigrants, and, therefore, vulnerable to misuse of their data. Individuals are repeatedly sharing and transmitting their personal information for various activities. Aspects such as the purpose for collecting personal information, how will this information be used, security mechanisms put in place for protecting such information, for how long will this information be stored and what will be the procedure for destroying such information, are not known by the individual nor have these aspects been defined uniformly in the policies and procedures. India does not have a specific legislation focusing on data protection.

3. Incidents and Threats

As per PwC’s Global Economic Crime Survey ¹² , cybercrime has jumped to the second position as the most reported economic crime and financial institutions are prime targets. As cybercriminals find new ways to attack, breach, and exploit organizations, threat patterns such as phishing, spear-phishing, and social engineering evolve and become more sophisticated. Organisations need solutions that assess their own and their vendors’ vulnerabilities in real-time.

In India, banks have been seeing relentless attacks from possible state and non-state actors, organized crime and hacktivists. This was illustrated in the case of Canara Bank, when in Aug 2016, a hacker from Pakistan, attacked and defaced the bank’s site by inserting a malicious page and tried to block some of the bank’s e-payments. ¹³

Similarly, Union Bank of India also became the victim of an attack in July 2016. Cyber thieves nearly stole USD 171 million from its Nostro Account. The attackers reportedly gained entry using spear-phishing, using spoofed RBI IDs. Unfortunately, one of the officials fell prey to the phishing email and clicked on the malicious link leading to the malware exploiting the system. The attempt closely resembled the cyber theft of USD 81 million from the Bangladesh central bank’s account at the New York Federal Reserve.

For financial and banking institutions, the Union Bank case breach highlighted a few important things. The first is the dynamic nature of new malware; the second is the importance of security awareness within the organization; and lastly the effectiveness of the existing security monitoring practices. Due to effective action on the part of Union Bank of India, there was no loss to the institution, highlighting the importance of incident response readiness.

From Brazil, a novel way to attack a bank was reported. ¹⁴ On a weekend afternoon in October 2016, the DNS records of a bank were altered to point to fake sites, resulting in redirection of legitimate traffic of 36 online properties of the bank, with possible loss of customer credentials. It is speculated that even ATM and PoS networks may have been compromised. Fake sites carried malware in the form of a Trusteer update, exposing customers to further harm.

Some of the global trends, mentioned below, hold relevant learning for Indian organizations.

• Cybersecurity expenditure is expected to exceed $1 trillion from 2017 to 2021.The noticeable rise in cybercrime, has pushed the expenditure on products and services to more than $80 billion in 2016, according to Gartner. Cybercrime growth is making it difficult for researchers and IT analyst firms to accurately forecast the expenditure. Global expenditure on cybersecurity products and services are predicted to exceed $1 trillion over the next five years ¹⁵ , from 2017 to 2021.

• In 2015, Frost & Sullivan forecasted a 1.5 million worker shortage by 2020. In light of recent events and shifting industry dynamics, that forecast has been revised to a 1.8 million worker shortage by 2022. ¹⁶ Another report, by Cyber Security Ventures, projects unfilled cyber security positions to reach 3.5 million by 2021. ¹⁷

• Microsoft estimates that by 2020, 4 billion people will be online—twice the number that are online now. As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals. ¹⁸

4. Systemic Challenges

Some of the factors which continue to have their impact on the state of cyber security are as follows.

• Awareness remains low: Awareness amongst internal employees remains the first line of defense. However, not many firms invest in training and improving the cyber security awareness levels within the enterprise.

• Inadequate Budgets and Lack of Top Management support: Budgets are usually driven by business demands and low priority is accorded to Cyber security. Top management focus also remains a concern, support for cyber security projects are usually given low priority. This is primarily due to the lack of awareness on the impacts of these threats.

• Poor Identity and Access Management: Identity and access management is the fundamental element of cyber security. In an era where hackers seem to have upper hand, it requires only one hacked credential to gain entry into an enterprise network. Despite some improvement, there remains a lot of work to be done in this area.

• Ransomware on the Rise: The recent episodes of malware attacks, viz. WannaCry and Petya, brought home the rising menace of ransomware. As more users recognize the risks of ransomware attack via email, criminals are exploring other vectors. Some are experimenting with malware that reinfects later, long after a ransom is paid, and some are starting to use built-in tools and no executable malware at all to avoid detection by endpoint protection code that focuses on executable files. Ransomware authors are also starting to use techniques other than encryption, for example deleting or corrupting file headers. ¹⁹

• Mobile devices and Apps: As organizations move towards adopting mobile devices as its preferred channel for doing business, it also becomes the ideal choice for hackers to exploit as the base increases. Since financial transactions can be done on mobile apps, the mobile phone is becoming an attractive target leading to an increase in mobile malware. The risk of jail-broken and rooted devices used for financial purposes increases the scope of attack.

• Distributed denial of service (DDos) attack: With the advent of IoT-powered botnets, destructive DDoS attacks are inevitable and have intensified in volume and frequency. Organizations in India need to improve their response capability to mitigate DDoS risks.

• Social Media: Growing adoption of social media leads to more potential for hackers to exploit. Many a user puts her data out for anyone to see, which can be potentially exploited to attack the user’s organization. Use of social media to propagate fake news can impact banks’ reputations in an insidious manner.

5. Towards Finding Solutions

Many organisations and financial institutions are still exposed to various material risks. Following approach will help them to manage the risks better.

• Integrated security as against layered defense: As BFSI is an highly regulated sector, banks invest time, money and effort in deploying best-in- breed technology, which, unfortunately, end up running in silos and are difficult to manage together. Moving towards integrated security, where all components communicate and work together, is essential.

• Prioritize risk based security: Risks are dynamic and 100% prevention is not realistic. A risk-based approach gives a clear roadmap for the organization to focus its effort and investment where it matters. It is prudent to classify the risk associated with each system and focus on the efforts accordingly.

• Become smarter and intuitive with machine learning and big data analytics: Considering the current digitization drive, there will be an exponential increase in the data relevant to the BFSI sector. Analytics is the key elements in leveraging cyber resilience. A new generation of security analytics solutions has emerged which are able to store and analyze huge amounts of security data in real time.

• Move from security as a cost, to security as a plus: The mindset of seeing security as a cost needs an overhaul. The risks associated with security threats and the potential impact to business should make organizations see the benefits of proactive security.

• Investing in Next Generation end-point protection: Traditional signature based solutions are no longer enough on their own and are prone to zero-day attacks. Banks and other financial institutions must invest in technology that can recognize and prevent the practices and actions used in exploits.

• Automating Basics: Automation can eliminate time spent on smaller and repeatable events, allowing redirection of resources for hunting, proactive defense and other tasks.

• Protect information: The traditional approach has been to protect systems which hold the data. With data being available in different forms (structured /unstructured) and being stored on multiple devices and in the cloud it becomes imperative to change the paradigm. In addition to keeping systems secured, it is recommended to secure the information/data such that the security remains and travels with it at all times.

• Respond and Recover capabilities: It is not a question ‘if’ an organization would be attacked, it is a question ‘when’. Organizations need to be prepared in identifying such attacks and not only respond, but recover with the least damage.

• Strategic Denial and Deception: Making use of deception techniques to widely and effectively to enhance threat detection and as a threat response strategy. Deception technology is a promising new way to detect the stealthiest cyber-attacks. It arms the enterprise with a set of digital tripwires to turn the tables on even the most advanced hackers.

6. Initiatives by ReBIT

Reserve Bank Information Technology Pvt Ltd (ReBIT) has been set up by the Reserve Bank of India (RBI), to take care of the IT requirements, including the cyber security needs of the

Reserve Bank and its regulated entities. ReBIT will focus on IT and cyber security (including related research) of the financial sector and assist in IT systems audit and assessment of the RBI regulated entities; advise, implement and manage internal or system-wide IT projects (both the existing & the new) of the Reserve Bank as mutually decided between the Reserve Bank and ReBIT.

ReBIT will act as a catalyst for innovation, big systems and new ideas apart from having the capability to guide the regulated entities in the IT areas of their operations as also for the RBI’s IT related functions and initiatives. Given the need for inter-operability and cross- institutional cooperation, ReBIT will effectively participate in setting up of standards to strengthen Reserve Bank’s role as regulator.

ReBIT will have the following four verticals to support its mission.

• Cyber Security: To enhance the trust and reliability of RBI's infrastructure for assurance and resilience

• Research and Innovation: To empower Indian banking industry through creative technology solutions based on research, and by tapping the synergy among key stakeholders

• Systems Audit: To support validation and enforcement of regulatory guidance on cyber security for the banking sector, through excellence in audit, analytics and forensics

• Project Management: To leverage lean and agile development capability for creating and operating reliable and empowering systems, and delivering delightful user experience.

ReBIT is in the process of building its team and has undertaken a few initiatives aimed to benefit the Indian banking sector.

• Community Leadership:ReBIT strategy is to work with experts and drive industry led initiatives to strengthen cybersecurity resilience for the financial sector.

  • Cybersecurity Maturity Model Working Group: ReBIT has engaged with the banking CISO community to build the maturity model. The working group is in the process of defining a Cybersecurity Maturity Model that can be used across financial firms, financial software and other vendors to the financial institution, security service providers and other stakeholders to assess a firm’s preparedness using uniform metrics.

  • Cybersecurity Assessment Framework Working Group:This working group will draft specifications and assessment model to strengthen the cybersecurity posture of the industry as a whole. The working group would work on defining a cybersecurity assessment model for the financial firms in an industry-led initiative. This would add uniformity in the regulated entities’ audit process, help clarify scope of the vulnerability assessments exercises with the right regulatory oversight and improve overall effectiveness of the assessment through a well- defined process that covers remediation tracking and closure. Standards development, process definitions and regulatory tools maturity in the long run would help bring automation, efficiency and benchmarking creating great benefit to the industry.

• Operational Excellence: ReBIT's Operational Excellence Initiative aims at building capacity at the cutting edge leve. It currently comprises of series of webinars on various topics that will help the security practitioners in the financial industry through information sharing on best practices, tools and technologies for implementing these best practices and related case studies. These webinars will be recorded and hosted on ReBIT's website. In addition to the webinars, some initiatives will require further support to enable easy adoption of these best practices by the financial institutions. Here, we are working on creating playbooks and focus on collaboration and advisory groups to assist the financial firms in implementation of these best practices. Following themes have already been covered and the presentation materials and playbooks made available on ReBIT webinar repository.

  • Anti-Phishing Campaign/DMARC implementation

  • Best Practices in Patch Management

  The details are published at ReBIT

• Business Leaders’ Forum:To support the cybersecurity initiatives and create awareness.

  • Cybersecurity Awareness Campaign

    • Periodic Newsletters on Cybersecurity: Target audience would include key stakeholders from RBI (CGM and above) as well as CIOs, Executive Directors, business unit heads, heads of internal audit, operational risk, compliance and fraud management from all of the financial institutions regulated by RBI. Readership is aimed at top rungs of the leadership who would be keen on the most important news and would also be able to influence the latest thinking and action around cybersecurity policy within their respective organizations.

6. CERT-Fin on the Horizon

Government of India announced its intention to set up a Computer Emergency Response Team for the Financial Sector (CERT-Fin). Ministry of Finance set up a working group to work closely with all financial-sector regulators and stakeholders on issues of cyber security. The working group report was put in public domain by MoF, soliciting public comments. ²⁰

It is recommended in the WG report that CERT-Fin, will collect, analyze and disseminate information on cyber incidents in the financial sectors. It will forecast and send alerts on cyber security incidents. It will also take emergency measures on cyber security incidents. It will coordinate responses and activities for cyber incidents and issue guidelines, advisories, and white papers relating to vulnerabilities and information security.

CERT-Fin will monitor efforts in the financial sector towards maintaining modern cyber security architecture, developing awareness among regulated entities and the public in general. It will also create awareness on security issues through dissemination of information on its website and operate a 24x7 incident response help desk. It will also provide incident prevention and response services as well as quality management services and will carry out functions similar to CERT-In, which operates at the national level, for priority cyber security in financial sector. CERT-Fin will offer policy suggestions for strengthening financial sector cyber security to all the stakeholders, including regulators and the government.

It is expected that CERT-Fin will make a significant contribution towards improving the cyber resilience of the Indian Financial Sector.

7. Summing Up

There is no doubt that the challenges of securing information and financial assets of the customers and citizens, as well as to provide cutting-edge services, in a competitive business environment will test the financial institutions severely. This is a battle to be fought on various fronts and it is essential to plan well, commit fully, exercise rigorously and execute flawlessly. A lot can be done by taking a collaborative approach, which will reduce the cost of business without compromising quality, trust and reliability.