How far are Indian banks prepared to face cyber attacks?
Cyber criminals and the attacks they launch on the financial sector and its users come with different faces. There are organised criminals who are looking to attack the financial institutions, with a view to syphon away funds, illegally. Then there are those who steal confidential data from financial institutions which may also include customer related information. The latter are more interested in ex-filtration of data, though no loss happens immediately. These stolen data then land in the hands of petty criminals, who defraud the banks directly or by enticing the customers to share more information such as passwords and pins where after actual loss take place.
“Banks need to put in place preventive measures such as appropriate controls framework around the systems, reconciliation of transactions in on real / near real time basis, controls over the message creation and transmission, applying timely security patches to the interfaces, if any, close monitoring of transactions and disabling USB, and Internet access on the connected nodes,” commented R Gandhi, Deputy Governor RBI, while inaugurating ‘9th annual summit on cyber & network security,’ organised by The Associated Chambers of Commerce and Industry of India (ASSOCHAM).
Equally important is the timely detective measures. It is pertinent to prepare ourselves to face such incidents, by having a robust crisis management plan. I am sure the banks are taking earnest steps to comply with the provisions of the circular as soon as possible, said Gandhi. “Information dissemination is a key facilitator in combating the menace of cyber-related incidents. While the Reserve Bank obtains information from banks on cyber incidents, including those which did not fructify into the loss of money or information, such information is also shared amongst the banks along with suggestions aimed at best practices,” he added.
The Institute for Development and Research in Banking Technology (IDRBT) also has a system to collate such information and share the generic aspects amongst the CISOs of banks. All these, I am sure will help the banks in further enhancing their cyber security related capabilities, said RBI Deputy Governor.
“The banking sector – similar to other sectors of the Indian economy has always been very responsive to change and has adapted itself very well to meet the challenges which keep emerging frequently. It has also proved that it cannot only adapt well but also quickly so that response times are fast to prevent recurrence of negative incidents. The same fervour, I am sure, will be witnessed in the area of cyber security as well and will leave a mark of confidence in the minds of the customers of banks.”
This will ensure that banks provide for a safe and secure processing environment when the depositor’s money is safe and where all other customers can conduct their banking transactions safely and securely, added Deputy Governor RBI.
“The recent developments in banking as also payment and settlement systems have resulted in enhanced customer comfort and flexibility in terms of timing, location and choice of channels. These, however, also expose the customers as well as banks to the risk of cyber-attacks. While the banks have better resilience in terms of risk mitigation structures and ability to absorb the losses and expenses, the customers may not be so privileged”, said Deputy Governor RBI.
A relatively small value fraud of a few thousands of rupees may endanger the purchase of basic needs and most customers may be ill-equipped to effectively handle the security features provided with the service. We have also heard of instances, elsewhere in the world, of even as small a value of one penny being robbed off every transaction, misusing the ICT capabilities, which have also resulted in the loss of an enormous amount of money. While it is recognised that the customer has to protect himself against disclosure of sensitive passwords, PINs etc., they may only have limited ability to distinguish between the genuine customer service calls and fraudulent operators.
A variation of these attacks is to masquerade as bank officials and extract information from customers, based on random calls to phone numbers obtained from various sources, or even by blind trials which result in at least a few attempts resulting in success.
There are other cyber criminals who steal money by putting through fraudulent transactions or changing the particulars so that they are able to take large sums away and vanish. In such cases, the customers may not be directly contacted, but his particulars are taken through malware or other means. Recent incidents of this type have set the alarm bells ringing. I would like to draw your attention to the recent cyber incident reported by one of our banks, which I am sure all of you would have seen, particularly when the similar incident at a central bank in the neighbourhood is still fresh in our memory.
“Yet another vicious cyber-attack, which we really tread is what is categorised as cyber warfare; this is expected to be of organised attacks, sometimes by backing of large terrorist organisations and often with covert state sponsorship, made against enemy country information assets”.
The strategy to build preventive and detective defences depends on the specific link in the asset that one is trying to protect. The ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of managed services such as data centres, software developers, providers of security solutions and providers of the end-point device which is used for accessing the financial service, including the ATMs which may or may not be bank-owned / managed devices.
The devices which are used to provide the entire ecosystem produce a huge quantity of information and activity logs, which contain crucial information which can throw light on potential attacks, even before the attack takes place. However, the humungous quantity of log data renders it impossible to analyse using conventional outlier detections. Conventional techniques result in considerable false alarms and restrict genuine activity, causing inconvenience and also creating mistrust among the users about the security products and techniques, highlighted Gandhi.
Therefore, the focus has now been shifting to techniques which are not rule-based but having the ability to identify the normal activity patterns and detect the anomalous and potentially harmful activity. Needless to say, these involve machine learning and soft computing techniques. Application of these techniques is expected to generate better hit-rate in terms of identifying threats, without generating a high level of false alarms. As each alarm requires the response and is resource intensive in terms of time, money and manpower, the ability of the expert systems to distinguish the malicious behaviour from and casual digressions from the normal activity pattern will determine the value of these tools in the security infrastructure, mentioned Gandhi.
In addition to the tools, the most important component of the critical infrastructure protection is the skills, experience and alertness of the manpower deployed in this activity. The skill sets required for security are getting diversified from conventional IT 6 skills to investigative skills of a criminal investigator, data scientists having the ability to deal with huge data requirements and with innovative minds to stay one step ahead of the cyber-criminal. As the strength of overall security is only as much as the strength of its individual components, it is necessary that all the stakeholders have to work hand in hand to address the threat to the information systems.
The forums such as this provide a great opportunity to interact and understand the role that each one of us has to play and to also ensure that our actions and plans are complementary and not at cross purposes. Cyber Security Preparedness – Five Commandments for safety in banking
In terms of providing a comprehensive framework for IT implementation, we at Reserve Bank have been proactive and follow an approach of consultation and congruence in the security framework. Right from the early days when RBI provided guidance on computerisation, we have been conscious of the role that IT plays in meeting the emerging customer needs and the opportunities and challenges of using technology, including cyber-related aspects.
The Reserve Bank has recently issued on June 2, 2016 a comprehensive set of guidelines for Cyber Security framework in banks. These guidelines built over the earlier work emphasise the importance of having a focused attention to cyber threats and framework for mitigating the threats and to protect the information assets.