The rise of fintech is gradually moving physical financial transactions online. Almost all processes, such as account opening, card application, transfer, and payment, can be completed in one go through mobile or online banking. The increasing proportion of online transactions also highlights the importance of financial security. It is no longer possible to use the traditional “waterproofing” model. Instead, banks must lay a good foundation for protection and response in ‘peacetime,’ as hackers approach the city gates, in order to respond quickly to minimize risk.
Repeated battle simulations strengthen resilience
DBS Bank (Taiwan)’s three core elements of information security to protect its information assets from unauthorized access, use, leakage, deletion, or modification are confidentiality, integrity and availability.
According to the Cybersecurity Framework (CSF) of the US National Institute of Standards and Technology (NIST), banks must have the ability to identify cyber threats (Identify) and establish defensive measures (Protect). In response to rapid technological development, it is suggested that banks should utilize a new concept to replace the out-of-date idea of waterproof protection: that the environment may be invaded at any time. By building a security system is built in a trusted network, and through 24/7 detection of internal and external threat events (Detect), it is possible to take contingency measures (Respond) and recover quickly (Recover) in the event of an information security incident. Thus: Identify – Protect – Detect – Respond – Recover.
Su Chia-han, deputy director of the Information Security Department of Mega Bank, believes that because of the diverse applications of fintech, customer usage behavior has changed from traditional over-the-counter processing to online completion, which challenges banks' information security risk control. In response to the challenges of rapid changes, from the perspective of risk management, banks should refer to NIST’s cybersecurity framework and engage in prior risk identification, vulnerability discovery, and monitoring, network security and emergency response during the event, and quick response and reinforcement afterwards.
Su further said that banks should strengthen their existing desktop program drills, and develop different incident response scripts (playbooks) based on real incidents, so that different departments can complete on-the-spot drills to strengthen their emergency response abilities, and understand their respective roles and tasks to complete when incidents occur.
Five core capabilities to reduce hacking
How should banks exercise basic due diligence while introducing new technologies? DBS said that banks should cultivate five core capabilities: intelligence and information detection, incident response, risk analysis, regulatory compliance, and security awareness. The key to intelligence and information detection capability lies in “knowing yourself and knowing the enemy to win a hundred battles.” Based on threat intelligence information, you can then plan defense and response methods. Incident response capability, meanwhile, refers to establishment of an incident reporting SOP, as well as regular cross-unit desktop drills, and actual drills in cooperation with external experts to verify the effectiveness of the basic information security skills.
For risk analysis capability, by examining various measures of basic security skills, and through security maturity analysis, the three shortest boards in the cask can be identified, and security improvement plans put forward to improve protection. “Cask theory” refers to the concept that the maximum capacity of a cask is not determined by the highest board, but by the shortest. In this concept, the water starts to spill over when it encounters the shortest board.
The key to regulatory compliance capability is cooperation with the financial security action plan to ensure continuous operation of the system and data security. Through information sharing, the financial information security sharing and analysis center (F-ISAC) and financial security operations center (F-SOC) play a synergetic role in joint information security defense. Finally, security awareness means the establishment of information security protection habits for all bank employees, suppliers, and even customers. Information security education and training, integrated with daily operations, can help employees develop Information security concepts to improve their awareness and maintain good habits.
Su believes that basic information security skills should start from organizations, systems, and technologies. Organizationally, high-level attention and support are critical, along with a sufficient budget and appropriate allocation of manpower. For systems, complete incident response procedures should be established; and for technology, information security personnel should be trained in penetration testing, vulnerability management, network security, and evidence preservation. In general, besides developing digital finance, banks should also actively develop their own information security testing and monitoring capabilities in response to constantly emerging challenges.
Calm and collected
In addition to diligent practice of basic skills, how should banks respond in the face of threats in progress? DBS said that during an attack, financial institutions may need time to find out the problem, and may lose the initiative in response. It is also common for temporary emergency response organizations to lead to disordered command systems and counterproductive actions. Insufficient manpower can make it impossible to carry out effective emergency response, or personnel may be at a loss regarding the ongoing response because of internal opinions from multiple parties following media reports.
DBS said that communication with customers and the media during incident handling must be precise and not sloppy. Consumers’ rights and interests must be protected, and appropriate explanations should be given to reassure them and prevent panic. At the same time, it is necessary for banks to keep abreast of vulnerabilities, proactively assess and establish preventive measures, and jointly respond to and prevent attacks through the financial system.
Su said that in recent years, hackers have carried out organized Advanced Persistent Threat (APT) attacks. Through long-term infiltration, malware lurks inside enterprises for the purpose of stealing money. The financial industry has learned a lot from the extortion behavior of major Distributed Denial-of-Service (DDoS) cases, and has become more aware that the traditional border protection mechanisms are no longer sufficient. A defense-in-depth architecture should be constructed, with a mindset of zero trust and borderless protection.
Su gave an example. Through red team exercises and tests, the establishment of a Security Operations Center (SOC), deployment of endpoint detection and mail cleaning mechanisms such as APT and EDR, and by exchanging attack information with peers through F-ISAC, Mega Bank has defended themselves using other networks, achieving financial security through joint defense, and also responded to unknown attack vectors with a proactive attitude.
A chief security officer for more efficient organization
DBS will establish a chief security officer position by the end of 2022. It had set up a dedicated information security unit as early as 2018, which was approved by the Board of Directors in January 2022. The chief operating officer will also serve as chief information security officer, responsible for security policy promotion and resource allocation.
Based on the Cybersecurity Assessment Tools (CAT) of the Federal Financial Institutions Examination Commission (FFIEC), DBS completes analysis from different perspectives to help its management quickly understand the security situation to assess whether organizational control measures are in place, and assist management as reference for adjustment of relevant policies.
In addition, in order to continuously promote information security awareness and cultivate financial security talent to enhance the organization's information security energy, DBS believes that information security cannot be created through a single-point or unilateral protection mechanism. The SOC conducts prompt, uninterrupted 24/7 centralized monitoring of security events. In addition, joining F-ISAC to form a defense-in-depth protection mechanism also improves its overall defense capabilities.
Su also used his own experience as an example. With 15 years of work experience in the field, he has become increasingly aware that information security work requires not only technical skills, but more importantly, the ability to communicate, to get the attention of senior executives. At the same time, the chief security officer can assist with resource allocation and inter-unit coordination with full understanding, so that security measures can be smoothly promoted.
For security teams, regulatory compliance must be assured, repairs must be practical, defenses must be enriched, security controls must be implemented, personnel must be lean, and testing and training must be completed with an emphasis on practicality in order to meet the emerging threats of the digital era.