Monday, June 13, 2016

Cyber Security Framework in Banks



Banks should immediately put in place a cyber-security policy elucidating the strategy to combat cyber threats by September 30, 2016.

Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank

Cyber Security Policy should be distinct and separate from IT policy / IS Security policy.

While identifying and assessing the inherent risks, banks are required to reckon
·       The technologies adopted,
·       Alignment with business and regulatory requirements,
·       Connections established,
·       Delivery channels,
·       Online / mobile products,
·       Technology services,
·       Organisational culture and
·       Internal & external threats.

Depending on this, the banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation. Riskiness of the business component also may be factored into while assessing the inherent risks.

While evaluating the controls, the following concerns must be outlined
·       Board oversight,
·       Policies & Processes,
·       Cyber risk management architecture, including experienced and qualified resources,
·       Training and culture,
·       Threat intelligence gathering arrangements,
·       Monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in banks,
·       Information sharing arrangements (among peer banks, with IDRBT/RBI/CERT-In),
·       Preventive, detective and corrective cyber security controls,
·       Vendor management and incident management & response
Arrangement for continuous surveillance
Testing for vulnerabilities at reasonable intervals of time is very important. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.

IT architecture should be conducive to security
The IT architecture should be designed to take care of facilitating the security measures. It needs to be reviewed by the IT Sub Committee of the Board and upgraded, in a phased manner. The risk cost/potential cost trade off decisions which a bank may take should be recorded in writing.

An indicative, minimum baseline cyber security and resilience framework is to be implemented by the banks.

Comprehensively address network and database security
It is essential that unauthorized access to networks and databases is not allowed and wherever permitted, these are through well-defined processes. Responsibility over such networks and databases should be elucidated and rest with the officials of the bank.

Ensuring Protection of customer information
Banks, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the customer data.

Cyber Crisis Management Plan
A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CERT-IN has come out with National Cyber Crisis Management Plan and Cyber Security Assessment Framework. CERT-In/NCIIPC/RBI/IDRBT guidance may be referred to while formulating the CCMP.

CCMP should address the following four aspects:
(i)             Detection
(ii)           Response
(iii)  Recovery and
(iv)  Containment.
Banks need to take effective measures to prevent cyber-attacks and detect any cyber-intrusions so as to respond / recover / contain the fall out. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, banks should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Cyber security preparedness indicators
The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness.

Sharing of information on cyber-security incidents with RBI
Collaboration among entities in sharing the cyber-incidents and the best practices would facilitate timely measures in containing cyber-risks. Banks need to report all unusual cyber-security incidents to the Reserve Bank.

Supervisory Reporting framework
It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents..

An immediate assessment of gaps in preparedness to be reported to RBI
The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee as well as by the Board may be initiated immediately.

Organisational arrangements
Banks should review the organisational arrangements so that the security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.

Cyber-security awareness among stakeholders / Top Management / Board
Top Management and Board should have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.


Baseline Cyber Security and Resilience Requirements

An indicative list of requirements to be put in place by banks to achieve baseline cyber-security/resilience is given. This may be evaluated periodically to integrate risks that arise due to newer threats, products or processes. Important security controls for effective cyber security as may be articulated by CERT-In also may be referred. Some of the key points to be kept in mind are:

a.     The role of IT Sub-committee may be reviewed.
b.    It is important to stay ahead of the adversary.
c.     Cyber Security Operations Centre should have the capacity to monitor various logs / incidents in real time / near real time.
d.    It is important to keep the vigil and to constantly remain alert.
e.     While hardware devices and software applications may provide security, it is important to configure them appropriately.
f.      Human resources are to be provided with appropriate training. Communicate the security policy of the bank periodically.

Baseline Controls

Inventory Management of Business IT Assets

Maintain an up-to-date inventory of Assets, including business data/information including customer data/information, business applications, supporting IT infrastructure and facilities – hardware/software/network devices, key personnel, services, etc.

Classify data/information based on information classification/sensitivity criteria of the bank

Appropriately manage and provide protection within and outside organisation borders/network.


Preventing execution of unauthorised software

Maintain an up-to-date and preferably centralised inventory of authorised/unauthorised software(s). Consider implementing whitelisting of authorised applications / software/libraries, etc.

Have mechanism to control installation of software/applications on end-user PCs, laptops, workstations, servers, mobile devices, etc. and mechanism to block /prevent and identify installation and running of unauthorised software/applications.

Continuously monitor the release of patches by various vendors / OEMs, advisories issued by CERT-in and other similar agencies and expeditiously apply the security patches as per the patch management policy of the bank.

Have a clearly defined framework, for  justifying the exception(s), duration of exception(s), process of granting exceptions, and authority for approving, authority for review of exceptions granted on a periodic basis by officer(s) who are well equipped to understand the business and technical context of the exception(s).

Environmental Controls

Put in place appropriate environmental controls for securing a location of critical assets, providing protection from natural and man-made threats.

Put in place mechanisms for monitoring of breaches / compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts, access logs, etc. Appropriate physical security measures shall be taken to protect the critical assets of the bank.

Network Management and Security

Prepare and maintain an up-to-date network architecture diagram at the organisation level including wired/wireless networks;

Maintain an up-to-date/centralised inventory of authorised devices connected to bank’s network and authorised devices enabling the bank’s network. The bank may consider implementing solutions to automate network discovery and management.

Ensure that all the network devices are configured appropriately and assess it periodically;

Put in appropriate controls to secure wireless local area networks, wireless access points, wireless client access systems.

Have mechanisms to identify authorised hardware / mobile devices like Laptops, mobile phones, tablets, etc. and ensure that they are provided connectivity only when they meet the security requirements.

Have mechanism to automatically identify unauthorised device connections to the bank’s network and block such connections.

Put in place mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints.

Establish Standard Operating Procedures (SOP) for all major IT activities including for connecting devices to the network.

Security Operation Centre to monitor the logs of various network activities and should have the capability to escalate any abnormal / undesirable activities.

Boundary defences should be multi-layered with properly configured firewalls, proxies, DMZ perimeter networks, and network--based IPS and IDS. Mechanism to filter both inbound and outbound traffic to be put in place.

Secure Configuration

Document and apply baseline security requirements/configurations to all categories of devices, throughout the lifecycle and carry out reviews periodically,

Periodically evaluate critical device configurations and patch levels for all systems in the bank’s network including in Data Centres, in third party hosted sites, shared-infrastructure locations.

Application Security  Life Cycle (ASLC)

Ensure information security across all stages of application life cycle.

Banks may consider conducting source code audits or have assurance from application providers/OEMs that the application is free from embedded malicious code.

Secure coding practices may be implemented for internally /collaboratively developed applications.

Besides business functionalities, security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, session management, security event tracking and exception handling are required to be clearly specified at the initial and ongoing stages of system development/ acquisition/ implementation.

The development, test and production environments are to be segregated.

Software/Application development should be based on threat modelling, incorporate secure coding principles and security testing based on global standards and secure rollout.

Ensure that software/application development practices addresses the vulnerabilities based on best practices baselines such as Open Web Application Security Project (OWASP) and adopt principle of defence-in-depth to provide layered security mechanism.

Consider installing a “containerized” apps on mobile/smart phones for exclusive business use that is encrypted and separated from other smartphone data/applications; measures to initiate a remote wipe on the containerized app, rendering the data unreadable, in case of requirement may also be considered.

Ensure that adoption of new technologies shall be adequately evaluated for security threats and IT security team of the bank reach reasonable level of comfort and maturity with such technologies before introducing for critical systems of the bank.


Patch/Vulnerability & Change Management

Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches.

Put in place systems and processes to identify, track, manage and monitor the status of patches to the operating system and application software running at end-user devices directly connected to the internet and in respect of Server operating Systems/Databases/Applications/ Middleware, etc.

Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes, configuration baseline that ensure integrity of any changes thereto

Periodically conduct VA/PT of internet facing web/mobile applications, servers & network components throughout their lifecycle (pre-implementation, post implementation, after changes etc.)

Periodically conduct Application security testing of web/mobile applications throughout their lifecycle in environment closely resembling or replica of production environment.

As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities.

Periodically evaluate the access device configurations and patch levels to ensure that all access points, nodes between (i) different VLANs in the Data Centre (ii) LAN/WAN interfaces (iii) bank’s network to external network and interconnections with partner, vendor and service provider networks are to be securely configured.

User Access Control / Management

Provide secure access to the bank’s assets/services from within/outside bank’s network by protecting data/information at rest and in-transit.

Carefully protect customer access credentials such as logon userid, authentication information and tokens, access profiles, etc. against leakage/attacks

Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process.

Implement centralised authentication and authorisation system or accessing and administering applications, operating systems, databases, network and security devices/systems, point of connectivity including enforcement of strong password policy, two-factor/multi-factor authentication depending on risk assessment and following the principle of least privileges and separation of duties.

Implement appropriate systems and controls to allow, manage, log and monitor privileged/superuser/administrative access to critical systems.

Implement controls to minimize invalid logon counts, deactivate dormant accounts.

Monitor any abnormal change in pattern of logon.

Implement measures to control installation of software on PCs/laptops, etc.

Implement controls for remote management/wiping/locking of mobile devices including laptops, etc.

Implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems.


Authentication Framework for Customers

Implement authentication framework/mechanism to provide positive identify verification of bank to customers.

Customer identity information should be kept secure.

Banks should act as the identity provider for identification and authentication of customers for access to partner systems using secure authentication technologies.


Secure mail and messaging systems

Implement secure mail and messaging systems, including those used by bank’s partners & vendors, that include measures to prevent email spoofing, identical mail domains, protection of attachments, malicious links etc.

Document and implement email server specific controls

Vendor Risk Management

Banks shall be accountable for ensuring appropriate management and assurance on security risks in outsourced and partner arrangements.

Banks shall carefully evaluate the need for outsourcing critical processes and selection of vendor/partner based on comprehensive risk assessment.

Among others, banks shall regularly conduct effective due diligence, oversight and management of third party vendors/service providers & partners.

Establish appropriate framework, policies and procedures supported by baseline system security configuration standards to evaluate, assess, approve, review, control and monitor the risks and materiality of all its vendor/outsourcing activities shall be put in place.

Banks shall ensure and demonstrate that the service provider adheres to all regulatory and legal requirements of the country. Banks may necessarily enter into agreement with the service provider that amongst others provides for right of audit by the bank and inspection by the regulators of the country.

Reserve Bank of India shall have access to all information resources  that are consumed by banks, to be made accessible to RBI officials by the banks.

Further, banks have to adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders.

Banks shall thoroughly satisfy about the credentials of vendor/third-party personnel accessing and managing the bank’s critical assets.

Background checks, non-disclosure and security policy compliance agreements shall be mandated for all third party service providers

Removable Media

Define and implement policy for restriction and secure use of removable media/BYOD on various types/categories of devices including but not limited to workstations/PCs/Laptops/Mobile devices/servers, etc. and secure erasure of data on such media after use.

Limit media types and information that could be transferred to/from such devices.

Get the removable media scanned for malware/anti-virus prior to providing read/write access.

Consider implementing centralised policies through Active Directory or End-point management systems to restrict removable media use.

As default rule, use of removable devices and media should not be permitted in the banking environment unless specifically authorised for defined use and duration of use.

Advanced Real-time Threat Defence and Management

Build a robust defence against the installation, spread, and execution of malicious code at multiple points in the enterprise.

Implement Anti-malware, Antivirus protection including behavioural detection systems for all categories of devices – (Endpoints such as PCs/laptops/ mobile devices etc.), servers (operating systems, databases, applications, etc.), Web/Internet gateways, email-gateways, Wireless networks, SMS servers etc. including tools and processes for centralised management and monitoring.

Consider implementing whitelisting of internet websites/systems.

Consider implementing secure web gateways with capability to deep scan network packets including secure traffic passing through the internet gateway

Anti-Phishing

Subscribe to Anti-phishing/anti-rouge app services from external service providers for identifying and taking these down.

Data Leak prevention strategy

Develop a comprehensive data loss/leakage prevention strategy.

This shall include protecting data processed in end point devices, data in transmission, as well as data stored in servers and other digital stores.

Similar arrangements need to be ensured at the vendor managed facilities too.

Maintenance, Monitoring, and Analysis of Audit Logs

Consult all the stakeholders before finalising the scope, frequency and storage of log collection.

Manage and analyse audit logs in a systematic manner.

Enough care is to be taken to capture audit logs pertaining to user actions in a system facilitating forensic auditing.

Audit Log settings

Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software.

Vulnerability assessment and Penetration Test and Red Team Exercises

Periodically conduct vulnerability assessment and penetration testing exercises for all the critical systems.

The vulnerabilities detected are to be remedied promptly in terms of the bank’s risk management/treatment framework.

Penetration testing of public facing systems as well as other critical applications are to be carried out by professionally qualified teams.

Findings of VA/PT and the follow up actions necessitated are to be monitored closely by the Information Security/Information Technology Audit team as well as Senior/Top Management.

Red Teams may be used to identify the vulnerabilities and the business risk, assess the efficacy of the defences and check the mitigating controls already in place by simulating the objectives and actions of an attacker.

Periodically and actively participate in cyber drills conducted under the aegis of Cert-IN, IDRBT etc.

Incident Response & Management

Responding to Cyber-Incidents:

Put in place a fully effective Incident Response programme.

Have written incident response procedures, including the roles of staff / outsourced staff handling such incidents;

Have a mechanism to dynamically incorporate lessons learnt to continually improve the response strategies.

Recovery from Cyber - Incidents:

Bank’s BCP/DR capabilities shall adequately and effectively support the Bank’s cyber resilience objectives and should be so designed to enable the bank to recover rapidly from cyber-attacks/other incidents and safely resume critical operations aligned with recovery time objectives while ensuring security of processes and data is protected.

Banks shall ensure such capabilities in all interconnected systems and networks.

Such testing shall also include testing of crisis communication to customers and other internal and external stakeholders, reputation management. The following may be considered:

(a)     Define incidents, method of detection, methods of reporting incidents by employees, vendors and customers and periodicity of monitoring, collection/sharing of threat information, expected response in each scenario/incident type, allocate and communicate clear roles and responsibilities of personnel manning/handling such incidents, provide specialised training to such personnel, post incident review, periodically test incident response plans.

(b)     Establish and implement a Security Operations Centre for centralised and coordinated monitoring and management of security related incidents.

(c)    Establish and implement systems to collect and share threat information from local/national/international sources following legally accepted/defined means/process

(d)   Document and communicate strategies to respond to advanced attacks containing ransom ware/cyber extortion, data destruction, DDOS, etc.

(e)     Contain the level of cyber-attack by implementing shielding controls/quarantining the affected devices/systems.

(f)  Implement a policy & framework for aligning Security Operation Centre, Incident Response and Digital forensics to reduce the business downtime/ to bounce back to normalcy.

Risk based transaction monitoring

Risk based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system across all -delivery channels.

The bank should notify the customer, through alternate communication channels, of all payment or fund transfer transactions above a specified value determined by the customer.

Metrics

Develop a comprehensive set of metrics that provide for prospective and retrospective measures, like key performance indicators and key risk indicators.

Some illustrative metrics include coverage of anti-malware software and their updation percentage, patch latency, extent of user awareness training, vulnerability related metrics, etc.

Forensics

Have support/ arrangement for network forensics/forensic investigation/DDOS mitigation services on stand-by.

Periodically and actively participate in cyber drills conducted under the aegis of Cert-IN, IDRBT etc.

User / Employee/ Management Awareness

Define and communicate to users/employees, vendors & partners security policy/ies covering secure and acceptable use of bank’s network/assets including customer information/data, educating them about cybersecurity risks and protection measures at their level.

Encourage them to report suspicious behaviour incidents to the incident management team.

Conduct targeted awareness for key personnel

Evaluate the awareness level periodically.

Establish a mechanism for adaptive capacity building for effective Cybersecurity Management. Making cyber security awareness programs mandatory for new recruits and web-based quiz & training for lower, middle & upper management every year.

Board members may be sensitised on various technological developments and cyber security related developments periodically.

Board members may be provided with training programmes on IT Risk / Cyber-security Risk and evolving best practices in this regard so as to cover all the Board members atleast once a year.

Customer Education and Awareness

Improve and maintain customer awareness and education with regard to cybersecurity risks.

Encourage customers to report phishing mails/ Phishing sites and on such reporting take effective remedial action.

Educate the customers on the downside risk of sharing their login credentials / passwords etc. to any third party vendor and the consequences thereof.


Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Issues that need to be kept in mind while setting up the CSOC is given below. These are indicative but not exhaustive.

Governance Aspects:

        Top Management/Board Briefing on Threat Intelligence
        Dashboards and oversight
        Policy, measurement and enforcement
        Informing stakeholders , stakeholder participation

Cyber SoC: Points to be considered

The Cyber SoC has to take into account proactive monitoring and management capabilities with sophisticated tools for detection, quick response and backed by data and tools for sound analytics.

The systems that NEED to be put in place as a part of the Cyber SoC requires the following aspects to be addressed.

§         Methods to identify root cause of attacks, classify them into identified categories and come out with solutions to contain further attacks of similar types.
§         Incident investigation, forensics and deep packet analysis need to be in place to achieve the above.
§         Dynamic Behaviour Analysis. – preliminary static & dynamic analysis and collecting Indicators of Compromise (IOC)
§         Analytics with good dash board, showing the Geo-location of the IP’s
§         Counter response and Honeypot services


Expectations from SOC:

§         Ability to Protect critical business and customer data/information, demonstrate compliance with internal guidelines, country regulations and laws
§         Ability to Provide real-time/near-real time information on and insight into the security posture of the bank
§         Ability to Effectively and Efficiently manage security operations by preparing for and responding to cyber risks/threats, facilitate continuity and recovery
§         Ability to assess threat intelligence and proactively identify impact of threats on the bank
§         Ability to know who did what, when, how and preservation of evidence
§         Integration of various log types and logging options into SIEM, ticketing/workflow/case management, unstructured data/big data,

reporting/dashboard, use cases/rule design (customized based on risk and compliance requirements/drivers, etc.), etc.

Key Responsibilities of SOC could include:
§         Monitor, analyze and escalate security incidents
§         Develop Response - protect, detect, respond, recover
§         Conduct Incident Management and Forensic Analysis
§         Co-ordination with contact groups within the bank/external agencies


5 - Building blocks for the Cyber SoC:

TECHNOLOGY ISSUES:

First step is to arrive at a suitable and cost effective technology framework designed and implemented to ensure proactive monitoring capabilities aligned with the banking technology risk profile and business and regulatory Framework in Banks requirements.

Second step is to have security analytics engine which can process the logs within reasonable time frame and come out with possible recommendations with options for further deep dive investigations

Third step is to look at deep packet inspection approaches which are currently implemented using the UTM solutions that deliver wire speed performance with on the fly deep packet inspection.

Fourth step is to have tools and technologies for malware detection and analysis as well as imaging solutions for data to address the forensics requirements

It is to be noted that the solution architecture deployed for the above has to address performance and scalability requirements in addition to high availability.

Need to think through by appropriately designing the

        SIEM architecture & use cases
        Log types and logging options  
        Integration of various log types and logging options into the SIEM, ticketing/workflow/case management, unstructured data/big data, reporting/dashboard, use cases/rule design,  etc.
        Technology for improving effectiveness and efficiency

PROCESS RELATED ASPECTS:

Incident Management
Problem management processes with reference to security operations Vulnerability and Patch Management Security risk management Availability management Computer forensics and response management are the key metrics that need to be well understood and architectured while configuring the solution.

PEOPLE RELATED ISSUES:

CSC is managed and monitored round the clock and therefore it is important to look at a suitable structure for this requirement.

The Level 1 monitoring by adequately trained staff working round the clock is the first step.

Level 2 deals with highly trained staff in specific areas of network, data security, end point security etc.

Level 3 staff are called the SoC analysts. They have profound knowledge of security, perform deep packet analysis, collection of IOC, forensic knowledge for collection of evidence, malware reverse engineering and write custom scripts whenever required.

Staff involved need to have a good knowledge of the products and services.

Banks need to seriously consider practical ways of tackling the following issues when it comes to hiring and managing staff/people for SOC.

        Staffing of SOC – is it required to be 24x7x365, in shifts, business hours only….etc.
        Model used - Finding staff with required skills /managed service provider with required skill set
        Training own staff/training of staff by service provider
        Appropriate compensation/incentives to retain trained staff /staff with required skill set
        Metrics to measure performance of SOC
        Ensuring scalability and continuity of staff through appropriate capacity planning initiatives


EXTERNAL INTEGRATION:

Cyber response cells, CERT-In and telecom service providers of the Bank may add value to the discussions based on the happenings in the Industry at large.

IDENTIFYING A SUITABLE MODEL FOR IMPLEMENTATION:

Some of the decisions which have to be taken upfront is to look at BOO or the Outsourcing model. It is difficult to reverse this decision post implementation and therefore it is important.

- Should the SoC be in-house or outsourced?

-   Should it address only the Internet facing environment or the complete IT infrastructure?

-   Does each Bank need to set up independently or should we look at the consortium based approach?

-  Do we need to keep in mind the Bank's risk posture?


Points to keep in mind while planning for SOC in view of

(a)  Specialized skill set requirements of operating and managing a SOC,

(b) Difficulty in finding experienced staff,

(c) Time consuming and expensive trainings,

(d) Designing of suitable compensation strategies,

(e)   Difficulty of retaining staff,

(f) Resource requirements pertaining to other supporting functions such as (i) system administration of systems facilitating SOC operations, (ii) receiving, integrating and using threat intelligence, (iii) implementing communication strategy, (iv) Supervision of SOC staff, (v) meeting compliance requirements of regulators.
Based on RBI circular dated 02/06/2016. For any further clarification, please visit www.rbi.org.in ……. Poppy