Presentation from the Cybersecurity conference held in Sarajevo, March 2017

1. Banks and
Cybersecurity
dr. sci. Semir Ibrahimović, IT director ,
Bosna Bank International

2. Consumerization
• Mobile devices
• Social media
• Cloud services
• Nonstandard
• Security as a
Service
Continual Regulatory and
Compliance Pressures
• SOX, PCI, EU Privacy
• ISO 27001
• Other regulations
Emerging Trends
• Decrease in time to
exploit
• Targeted attacks
• Advanced persistent
threats (APTs)
Key Trends and Drivers of Security

3. Cyber Threat Landscape – Sophistication of Attacks

4. Why banks are different
• Banks are custodians of monetary assets and sensitive
information for companies and individuals in other industries,
meaning the effects of cybercrime in the FS sector can have
signifficant consequences outside organizational borders
• A successful cyberattack on Bank’s IS can lead to an
immediate monetary reward for attacker
• In the “Deloitte 2015 Banking Outlook”, Deloitte states that
the financial services sector faces the greatest economic risk
related to cybersecurity.
• Finance Hit by 300 % More Attacks Than Other Industries 1.
• In comparison with other industries, the finance industry has
a superior level of protection against malware and the
running of unauthorized software on endpoints.
• However, the most dangerous threats are from well
resourced, sophisticated attackers who will research and craft
a specific, targeted attack against a financial institution in
anticipation of rich rewards if successful.

5. Business causes of potential
problems
• Whether it is external data feeds, customer and staff devices or cloud
services, banks find themselves having to adapt to relying on systems
that are outside their control (Target data breach)
• Changing business requirements, speed to market pressures, business
innovation requirements and budget cuts making the challenge for
managing cyber risk is significant.
• PSD2 - requires banks to set up an API on top of their current account
infrastructure, which enables third-parties to access users’ bank account
information, where permitted
• Cloud – more and more bank related services are cloud based
• Outsourcing risk -Service providers often deal with multiple IT
systems and inconsistent organizational processes, which
present integration challenges.
• Certain functions (including finance) still tend to perceive cybersecurity
as more of an IT issue(rather than a significant business risk).

6. Threat Implications and Impact on Business
Immediate
Implications
• Loss of data
• Corruption or
destruction of data
• Unauthorized access
• Account takeovers
• Compromised
systems and
applications
• Unavailability of
services
Long term impact
• Reputational loss
• Financial loss/fraud
• Regulatory
compliance incidents
and penalties
• Client loss

7. Examples of cyber attacks on
banks
• Tesco Bank halted online banking after 40,000 current accounts were
compromised and half of them were hit by fraudulent transactions by hackers
over one weekend. A total of £2.5m was stolen from 9,000 accounts.
• Cyber crooks have remotely infected ATMs with malware in Armenia, Bulgaria,
Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands,
• Cyber criminals using some form of Zeus malware, during 2014, were attacking
online banking users in Croatia. It is suspected they have stolen a total of 1.8
million Kn.
• The Central Bank of Bangladesh was hacked by a sophisticated team of hackers
who infiltrated the bank’s network, installed credential-stealing malware, and
were able to obtain log-in credentials to the SWIFT. This allowed the hackers to
steal over $80 million dollars.
• Lloyds Banking Group suffered 48-hour online attack this month as
cybercriminals attempted to block access to 20m UK accounts. The denial of
service attack ran for two days from Wednesday 11 January to Friday 13 January
2o17
• Hackers recently infiltrated the systems of three government-owned banks —
two headquartered in Mumbai and one in Kolkata — to create fake trade
documents that may have been used to raise finance abroad or facilitate dealings
in banned items. 1

8. Cyberattacks on Financial
instutions
in BiH and region
• ATM Skimming
• Compromising computers clients use for e-
banking
• Spear phishing
• Web sites hacking

9. Threat landscape
for retail banks
• Knowledge required to launch very
sophisticated attacks is decreasing
over time making these threats
more severe each day
• Recent attacks show increased
knowledge and understanding of the
technology, infrastructure and
systems of their victims
• Bad Actors are going after
customers, suppliers, and third-
parties in addition to direct attacks
• Intelligence, external and internal as
well as shared knowledge across the
industry and governments will be
the most effective counter strategies

10. The Society for Worldwide Interbank Financial
Telecommunications network (SWIFT)
• Country - Receiver
Messaging Infrastructure
Debtor
Sender Bank
Payment
System
Correspondent – Sender
Correspondent Banking Fee
Payment
System
Correspondent – Receiver
Correspondent Banking Fee
Creditor
Receiver
Bank
• Correspondent Banking
Country - Sender

11. SWIFT Attacks
• The Central Bank of
Bangladesh was hacked by a
sophisticated team of hackers
who infiltrated the bank’s
network, installed credential-
stealing malware, and were able
to obtain log-in credentials to
SWIFT network. This allowed the
hackers to steal over $80 million
dollars.
• Details surrounding the hack
have been emerging every week
and SWIFT maintains that their
systems have not been
compromised.
• There have been a number of
new security incidents involving
banks that have the same pattern
of attack as the Bangladesh

13. Credit Cards and ATM fraud
• First-party fraud, which occurs when a fraudster
purports to be a legitimate cardholder or a legitimate
cardholder intentionally decides not to pay off a credit
card balance, leaving the card issuer with the debt.
• CNP fraud, which involves the unauthorized use of a
credit or debit card number, the security code printed
on the card ,to purchase products or services in a
setting in which the customer and the merchant are
not interacting face-to-face,
• Counterfeit fraud, which occurs when a fake card is
created using compromised details obtained from the
magnetic stripe or electronic chip in a legitimate card.
• Lost and stolen card fraud, which includes cards that
are reported as lost or stolen by the original
cardholder.
• Mail and non-receipt fraud, which involves
intercepting legitimate cards while they are in transit
from the issuer to the cardholder.

14. New attack landscape
• Targeting a specific product - Hackers identified prepaid debit
cards from Visa and MasterCard as their primary targets
because such cards are preloaded with money instead of being
linked to specific accounts, thus minimizing early detection.
• Identifying the weakest link - The global financial system is
only as strong as its weakest link. Attack on processing centers.
• Raising the scope- Instead of using the stolen data, the
hackers raised the scope of the attack by increasing or
removing the withdrawal limits on the prepaid cards
• Executing the plan through global coordination- Account
information was sent by the hackers to local crews in about 20
countries around the world.
• The heist -In December, local crews used five account numbers
to make 4,500 transactions worth $5 million.
• Laundering the money Local crews used the money to
purchase luxury items, in an effort to launder the money.
• Attacking an internal bank's network and critical information
systems- Hacks of banks' centralized systems had made groups
of machines issue cash simultaneously, a process known as
"touchless jackpotting"

15. E-banking attacks
Phishing Attacks
Trojan Attacks
Vishing
Keyloggers
Pharming
DNS Spoofing
Network Interception
MITM attack
Web Application Attacks
Attacking Server
DDoS

16. M-banking attack vector
• We have seen
• Classic threats migrate to
mobile: Phishing,
Ransomware, Overlay
• Mobile specific threats
such as fake Apps
• We are bound to see
• Mobile specific exploit kits
• Bundling frameworks and
services (perhaps
automated)
• Device takeover malware
for mobile
• NFC, ApplePay – new
targets
Account Takeover
via a Criminal Mobile
Device
Cross-Channel
Attacks
Compromised &
Vulnerable Devices
Susceptible to
suspicious apps &
mobile malware
Server-side device ID isn't
effective for mobile device
Credential theft from the
desktop enables mobile
fraud
Customer
Criminal

17. PSD2 challenge
Potential increase in security risk with the
entrance of a third party between the
financial institution and the consumer
• Data protection personal information is
a top priority for European regulators
and merits close attention
• Liability claims in the case of
unauthorized transactions and data
breaches
• By providing their APIs to TPPs, banks
open up a significantly greater attack
surface to potential cyberadversaries, and
can no longer hide critical applications
behind perimeter firewalls.

18. Compliance as mitigation
factor
• PCI DSS /Payment Card Industry Data Security Standard
• SWIFT - security standards for customers.
• Basel - Risk Management Principles for Electronic Banking
• Local regulation - Decision on Minimum Standards for
Information System Management in Banks and Decision on
Minimum Standards for Outsourcing Management
• GDPR - General Data Protection Regulation intended to
strengthen and unify data protection for individuals within
the European Union
• Standards
• ISO 27000
• ITIL
• COBIT

19. PCI DSS Compliance Requirements
• Install and maintain a firewall configuration to protect cardholder
data.
• Do not use vendor-supplied defaults for system passwords and other
security parameter
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software.
• Develop and maintain secure systems and applications.
• Restrict access to cardholder data by business need-to-know.
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security

20. SWIFT’s Customer Security Programme
• Launched in June 2016, is a dedicated initiative
designed to reinforce and evolve the security of
global banking, consolidating and building
upon existing SWIFT and industry efforts.
• The programme will clearly define an
operational and security baseline that
customers must meet to protect the processing
and handling of their SWIFT transactions.
• The programme will focus on five mutually
reinforcing strategic initiatives:
• Improving information sharing amongst
the global community
• Enhancing SWIFT related tools for
customers
• Enhance guidelines and provide assurance
frameworks
• Support increased transaction pattern
controls
• Enhance support by third party providers.

21. Basel Committee- Risk Management Principles for E- Banking
• A. Board and Management Oversight:
1. Effective management oversight of e-
banking activities
2. Establishment of a comprehensive security
control process.
3. Comprehensive due diligence and
management oversight process for
outsourcing relationships and other third-
party dependencies.
• B. Security
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-
banking transactions.
6. Appropriate measures to ensure segregation
of duties.
7. Proper authorization controls within e-
banking systems, databases and
applications.
8. Data integrity of e-banking transactions,
records, and information.
9. Establishment of clear audit trails for e-
banking transactions.
10. Confidentiality of key bank information.
• C. Legal and Reputational Risk Management
11. Appropriate disclosures for e-banking
services.
12. Privacy of customer information.
13. Capacity, business continuity and
contingency planning to ensure availability
of e-banking systems and services.
14. Incident response planning.

22. General Data Protection Regulation - rules
summary
• Territorial scope: The GDPR extends regulations from EU
companies to include those organizations outside of the
EU processing data relating to EU citizens
• Security: Tightened and broadened security where data
protection and privacy is by design and default
• Data Protection Officers: to be appointed to ensure data
protection compliance within organizations where over
5000 records are processed or there are 250+ employees
• Data breaches & right to know: Data breaches need to
be reported within 72 hours and a notification to the
affected individuals sent ‘without undue delay’
• Data portability : where individuals are able to request
copies of personal data being processed in a format
usable by the person, and so they are able to transmit
electronically to another processing system
• Data erasure : When an individual asks for their data to
be deleted, provided there is no legitimate grounds for
retaining it, the processors or controllers must comply.
• Stronger enforcement & fines: Higher fines and
sanctions introduced for noncompliance – up to 4% of
global turnover

23. ISMS –information security management
system
• Part of the overall management
system, based on a business risk
approach, to establish, implement,
operate, monitor, review, maintain
and improve information security
(ISO definition)
• Influenced by the organization’s
needs and objectives, security
requirements, the processes
employed and the size and
structure of the organization.
• Expected to change over time.
• A holistic approach to managing
information security –
confidentiality, integrity, and
availability of information and
data.

24. Steps in establishing, monitoring, maintaining
and improving its ISMS
• Identify information assets and their
associated information security
requirements
• Assess information security risks and
treat information security risks [to an
acceptable level]
• Select and implement relevant
controls to manage unacceptable
risks [or to reduce risks to acceptable
levels]
• Monitor, maintain and improve the
effectiveness of controls associated
with the organization’s information
assets

25. ISO/IEC 27001:2013
• Leading International Standard for ISMS.
Specifies the requirements for establishing,
• implementing, maintaining, monitoring,
reviewing and continually improving the
ISMS within
• the context of the organization. Includes
assessment and treatment of InfoSec risks.
• Best framework for complying with
information security legislation (FBiH and
other regional banking legislations heavily
relay on this standard)
• Not a technical standard that describes the
ISMS in technical detail.
• Does not focus on information technology
alone, but also other important business
assets, resources, and processes in the
organization.

26. A simple risk model

27. Organization of information security
• A structured management
framework directs,
monitors and controls the
implementation of
information security as a
whole within a bank
Executive Committee
Chaired by the Chief
Executive Officer
Audit Committee
Chaired by Head of
Audit
Security Committee
Chaired by Chief
Security Officer CSO
Information Security
Manager
Security
Administration
Policy & Compliance
Risk & Contingency
Management
Security Operations
Local Security
Committees
One per location
Information Asset
Owners (IAOs)
Site Security
Managers
Security Guards
Facilities
Management
Risk Committee
Chaired by Risk
Manager

28. Role of information
security officer
• Communicate risks to executive
management.
• Budget for information security activities.
• Ensure development of policies,
procedures, baselines, standards, and
guidelines.
• Develop and provide security awareness
program.
• Understand business objectives.
• Maintain awareness of emerging threats
and vulnerabilities.
• Evaluate security incidents and response.
• Develop security compliance program.
• Establish security metrics.
• Participate in management meetings.
• Ensure compliance with governmental
regulations.
• Assist internal and external auditors.
• Stay abreast of emerging technologies

29. Information security maturity model
Optimized
Proficient
Basic

30. At the end
• Threat intelligence, proactive
prevention, faster incident detection
and immediate response are critical
for protecting against the risks
presented by cyber threats
• Only with continued investment and
increased understanding of the
technology, tools and talent needed
to effectively combat threats will the
financial sector be able to mitigate
the huge risk presented by
cybersecurity threats