By Daniel Stanton
With an increased incidence of external attacks, financial institutions need to ensure their internal systems and policies can combat any threat.
|~|infoseclock200.jpg|~|Information faces a variety of threats and more than physical security is required to protect it.|~|Although cash reserves may be kept behind lock and key, not all financial insitutions are taking the same level of precaution when it comes to their information.
Even though most Middle East countries do not have stringent data protection laws in place, the impending introduction of regulations like Basel II means that financial institutions need to ensure that the data they hold is secure.
There are many ways that data can be compromised: through outside attacks by hackers, through internal leaks, or simply through a poor data management policy.
“The biggest threat is lack of awareness from both internal and external customers,” says Bharat Raingangar, regional hub information system security officer, ABN Amro.
“We are organising an awareness campaign for our customers also, investing in the latest secured technology products and also investing in monitoring and forensics activity so as to minimise any untoward incidents.”
He makes the point that the introduction of remote banking and new international regulations mean that information security is no longer just an IT issue but an agenda for the corporate board.
Abdulla bin Ahamed, manager, IT audit, Dubai Bank, agrees that bank employees can be the biggest threat to security if they are not properly trained and supervised. “Lack of awareness and a casual approach to information security are the biggest threats to information security,” he says.
Dubai Bank’s response has been to conduct training for its staff in security awareness, publish security-related articles through company newsletters and emails, but most importantly to continue to re-evaluate its security policy.
Bin Ahamed believes that the biggest threat to banks’ security currently comes from criminal schemes such as phishing and ATM fraud.
“A bigger portion of the budget is consumed for the security set-up,” he says. “Security component implementation alone cannot control the security threats.”
He believes that the only way for a bank to achieve optimum security is through the awareness of its internal and external customers of threats. “If a customer is using an online banking facility from a home computer which is vulnerable, you cannot ensure their security,” he says.
Both Raingangar and bin Ahamed believe that banks, particularly those providing online banking services, need to strike a careful balance between security and availability.
This means ensuring network security, something that National Bank of Abu Dhabi (NBAD) did when it implemented two systems from security specialist McAfee. NBAD already had an intrusion detection system (IDS) in place, but as its business grew it needed to step up security and ensure that the network could be managed in such a way that any attempt by an unauthorised person to access it would be spotted instantly.
The bank implemented McAfee’s Foundstone risk assessment and vulnerability management, which provides information on the security of the network, and the Intrushield intrusion prevention solution. Together, these contribute to creating greater security in NBAD’s network security management.
“We had an IDS system before,” says Hossam El Kobrosy, technical services manager, NBAD. “We changed because we found the new system is giving us better capability and it has a lot of information. You can get the cause of any traffic.
“It helps you see what the problems are or what suspicious traffics are, and doesn’t give unnecessary information. It gives you more information on positive attacks or positive alarms that you need to take action for.”
The system becomes better tuned with use, so that the number of false positives should go down after time. NBAD now has better control over what passes through its system and can see at any time exactly what is happening on the network, which has 1,000 internet users.
Symantec consults with organisations such as banks to assess the security of their systems from external attacks.
“We offer a broad range of consulting services which include application penetration tests to see what information can be obtained from the application via the internet,” says Ivor Rankin, senior security consultant, Symantec MENA.
“We provide compliance consulting: the ability to do a gap analysis as to where the major vulnerabilities or loopholes are within the bank’s organisational information security strategy.
“This may include social engineering testing, to be able to penetrate a banking facility as an outsider and be able to obtain sensitive information from a bank. To be able to demonstrate and test or rather to prove how effective are the various controls relating to physical acts of control but also information security controls and the level of security awareness within an organisation.”
Rankin foresees an increase in targeted attacks on banks by sophisticated criminals. “Increasingly people are beginning to talk about crimeware, malware and bot networks specifically designed to either target a specific organisation and extract as much information as possible from that organisation or to facilitate subsequent access to the organisation through the intercepted credentials,” he says.
However, banks need to worry about more than their own systems coming under attack from criminals. “Where they fail to get into a bank, they’re targeting the bank’s customers because the bank is a repository for customer data and if they cannot get into the bank’s facility they can still extract possibly as much benefit by getting that same information from the bank’s customers,” Rankin says.
“Therefore we’re seeing the surge in the amount of phishing attacks in this region, specifically targeting this region, especially in the last 12 months.”||**|||~|infosec-fergus200.jpg|~|Claffey: Sensitive data is under threat from both internal and external users, and needs protection.|~|He adds: “A lot of banks have realised that you can extend the banking security perimeter by including your customers in that perimeter, and this means providing your customers with security technology. If customers are not taking the due precautions, the bank in itself can help minimise its risk and exposure by providing its customers with security technology, be it firewall technology, antivirus, anti spyware technology, and giving it to them either for free or at discounted prices.”
When it comes to the security of hard documents, technology can also provide a solution. A new product from a UAE-based company could help provide a way to not only ensure that confidential information can only be viewed by those authorised to read it, but also to provide a way to authenticate data.
Amricon provides smart solutions which can be used for documentation like certificates, as well as for to provide extra security for cheques. An RFID (Radio Frequency Identification) tag within a paper document can be coded with the same data as is printed on the hard copy, or can contain additional confidential information.
Dubai’s Department of Economic Development (DED) is one of the first organisations to adopt Amricon’s Smart Document solution, in order to protect against fraud when it comes to providing bank guarantee letters for companies applying for a commercial licence.
Fergus Claffey, business development manager, Amricon, says: “One of the issues that the DED were finding is that people were preparing their own bank guarantee letter. If they had any kind of good quality printer they could create almost anything.
“Our solution uses an RFID chip. What the bank does is put the actual chip on the letter itself and the chip contains information that is actually in the text of the letter itself, so it’s verifiable information.
“When the DED gets the letter through with the application they have a reader that can read that chip, the information will come up on screen and they can relate it directly to the bank guarantee letter. They can verify automatically that this is a legitimate bank guarantee letter and this person does have the necessary funds.”
Data is written to the RFID tag using Amricon’s software and a device which plugs into the USB port of a computer. The person writing the letter can decide which fields of information they want to include on the chip and then physically attach it to the document. The person receiving the letter will scan it over a reader device to bring the encoded information up on screen.
“It’s a very secure method in that if you’re an issuer - someone who’s writing to a chip - you decide who you want to be the readers but you don’t give them any access to physically change any of the information that’s on the chip, only if you need them to,” says Claffey.
“But you can set your own levels of security. You can have different levels of information, you can have private data and public data on the chip. So you could have for instance a certain person you want to be able to read more information than another person. We can also use it a format to link directly to a database to pick up more information as well using a secure index.”
The same principle can also be used to make cheques more secure, as well as to speed up the clearing process.
“What you’d have is a standard cheque which would have the normal information on it, the account number, sort code, customer’s name, the cheque number – normal details on any cheque,” says Claffey.
“But embedded inside the cheque itself we have an RFID chip. When the bank is issuing that cheque, they can put in a PIN number for that person, for that cheque and for that checking account. We can have a facility where we can use a biometric, a fingerprint. We can set a credit limit for that account as well.”
When the cheque is presented, it automatically checks that the customer has sufficient funds to cover the purchase and allocates the appropriate amount in his account to cover it.
“What that means for the merchant is he now has a cheque that’s as good as cash,” says Claffey. “It’s guaranteed for him as long as he gets it to the bank within a certain number of days.”
He expects that banks would use the system primarily for larger scale purchases or for interbank transfers. Smart cheque technology is at the concept stage at present, and Amricon recently signed a memorandum of understanding with a Bahraini company to develop it further.
As financial institutions strive to make themselves more available to their customers, they also expose themselves to greater risk when it comes to the security of their information. Fortunately, it seems that technology is developing fast enough to keep those threats at bay.||**||