Cyber Security

Cybercrime
Outlook on African banks
Adwo Heintjes
Global Head IT Audit & Ops
Rabobank
Agenda
• What is Cybercrime and Cybersecurity?
• Trends
• Impact on African banks
• What is needed?
• Questions for the board room
Cybercrime and Cybersecurity
• Cybercrime: unlawful acts wherein the computer is either a tool or a target, or both
• Cybersecurity combines people, processes, and technology to continually monitor vulnerabilities and respond proactively to secure an organization’s assets.
Cybercrime and Cybersecurity
• Damage with respect to:
• Confidentiality
• Integrity
• Availability
• Losses/what is at stake:
• Financial
• Regulatory
• Reputational
Trends
• Everybody is a target
• Easy to get into
• Lots of money to be made
• Small chance of being caught
• Ever increasing and expanding
• Moving from desktop computers into the smartphone arena
• Cyber crime is here to stay!
Attacks are increasingly easy to conduct
[Chart, 1990–2011: attack sophistication rises while the skill level needed by attackers falls. Techniques plotted (in no particular order): packet spoofing, automated probes/scans, GUI intruder tools, hijacking sessions, increase in wide-scale Trojan horse distribution, Windows-based remote controllable Trojans (Back Orifice), widespread denial-of-service attacks, internet social engineering attacks, email propagation of malicious code, techniques to analyze code for vulnerabilities without source code, widespread attacks using NNTP to distribute attack, widespread attacks on DNS infrastructure, executable code attacks (against browsers), distributed attack tools, home users targeted, automated widespread attacks, anti-forensic techniques, increase in worms, DDoS attacks, “stealth”/advanced scanning techniques, sophisticated command and control.]
Spy Eye screenshots
[Screenshots; sources: https://spyeyetracker.abuse.ch/ and https://zeustracker.abuse.ch/]
Impact on African banks
• Dependency on IT is a fact
• Cyber crime is in its infancy stage
• Internet banking almost non-existent
• Skimming attempts and gas attacks are moderate
• Fraud with mobile banking based on social engineering
• Mobile banking is the way forward for hackers
• Penetration of smartphones will be the turning point
Impact on African banks
• Connection to international payment networks will massively increase risk
• Banks launch new products rapidly
• Need to get ready now
What is needed?
• Improvement needed in:
• people
• process
• technology
What is needed?
• People
• Get people in with the right skill set
• Employ a Chief Security Officer
• Educate your employees
• Educate your customers
What is needed?
• Processes
• Implement security policies
• Perform risk analysis with respect to IT
• Manage residual risk
• Move from active to pro-active
What is needed?
• Technology
• Invest in securing network and internet connectivity
• Buy software to help automate checking compliance with security baselines
• Hire outside contractors to monitor for threats and attacks aimed at your bank
Questions for the board room
• What are the top-5 IT risks?
• How are they being managed?
• How serious is the threat of cyber crime?
• How is management dealing with that?
• Who is responsible for managing IT risk?
• How is reporting done on these risks?
• What action plans are drafted/followed?
• How is progress monitored?
Questions for the board room
• What were the latest security incidents?
• How is management dealing with these?
• Is card skimming a problem? Will it be?
• Are gas attacks on ATMs a problem?
• Does the bank have a CERT team?
• Is the SMS services provider at the right security level?
Actions/shopping list
1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO and CSO should report independently to senior management.
3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, CIO, CSO, CRO, and business line executives.
4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
Actions/shopping list
5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.
8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
9. Require regular reports from senior management on privacy and security risks.
Actions/shopping list
10. Require annual board review of budgets for privacy and security risk management.
11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.
Questions?
[email protected]